DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A .gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

Presentation transcript:

DNSSEC-Deployment.org
Secure Naming Infrastructure Pilot (SNIP)
A .gov Community Pilot for DNSSEC Deployment
JointTechs Workshop, July 18, 2007
Scott Rose, NIST

SNIP Goals
DNSSEC is now a FISMA Requirement.
  – NIST SP r1 (Dec 2006) “Recommended Security Controls for Federal Information Systems” mandates the incremental deployment of DNSSEC technologies in Moderate and High Impact IT systems.
      Moderate Impact – must sign zones.
      High Impact – must be prepared to validate signatures.
Need to facilitate technology insertion and adoption.
  – Standards, implementations and policies don’t guarantee success.
  – Need for technical community resources and activities to foster early deployments, refine policies and plans, share information and expertise.

SNIP Basics
SNIP will build a USG DNS Ops community and shared pilot
  – Provide “distributed training ground” for .gov operators deploying DNSSEC
  – Ability to pilot agency specific scenarios either locally or in SNIP-provided resources.
  – Create a community resource for DNS admins in the USG to share knowledge and to refine specifications, policies and plans.
SNIP basis is a signed shadow zone under .gov (dnsops.gov)
  – Will offer delegations and secure chaining to subzones
      example – NIST would participate as nist.dnsops.gov
  – May offer limited hosting service as well
      Goal isn't to be a hosting service, but help bootstrap others to host their own zones.

SNIP as a Testbed
Use SNIP tree to exercise DNSSEC operations
  – Test DNSSEC deployment scenarios.
      Multi-vendor platforms for authoritative / caching servers, resolvers.
      Zone structure / contents / distribution.
  – Test DNSSEC operations described in SP
      Zone signing, key rollovers, zone transfers.
  – Test DNSSEC administration tools (From NIST, Sparta and Shinkuro)
  – Test performance – in agency specific scenarios.
Community hands-on participation
  – Agency DNS operators can participate in NIST/SPARTA led exercise.
  – Results will be published for community

What SNIP is Not
Mandatory
Permanent
  – Expected lifetime: 2-3 years
  – The community tools and lists will remain after the testbed activities conclude.
100% Uptime
  – This is an experimental testbed in which we will conduct disruptive experiments, load/stress test servers, etc.

Levels of Participation
Delegation only
  – Participants use own testbed systems and perform all administration associated with setup / experimentation.
Remote administration
  – Participants use SNIP testbed equipment, but perform all administration.
Hosted experiments
  – NIST/SPARTA set up mirror of agency specific infrastructure, but using SNIP equipment and administration, for specific experiment.
  – For limited use in investigating specific deployment / technology issues.

The Big Picture – DNSSEC in .gov
[Diagram. Labels: Internet2 DNSSEC Pilot; DREN DNSSEC Pilot; SNIP Core Infrastructure; dnsops.gov.; dhs.dnsops.gov.; nist.dnsops.gov.; antd.nist.dnsops.gov.; fda.dnsops.gov.; esnet.doe.dnsops.gov.; ag1.dnsops.gov.; ag2.dnsops.gov.; zoneedit; dns-outsource.com]

Testbed Technical Details
Multiple authoritative server implementations
Internet2 connection (IPv6 testing)
May have alternate hosting capabilities (multiple servers)
  – secondaries in other locations?
Ability to host other zones (or servers) for delegations lacking equipment to participate fully.
  – Zone data can be real (servers), or anonymized
Will maintain and publish trust anchor for dnsops.gov. tree

SNIP Infrastructure Resources
Primary Site – NIST / Gaithersburg MD.
  – Authoritative dnsops.gov. DNS servers
Secondary Site – Sparta / Columbia MD
  – Geographic and network dispersion (sort of)
  – Zone transfers using TSIG for message authentication
Reconfigurable Emulated wide area topology.
  – 20+ node Emulab being deployed at NIST.

Additional NIST Resources
Other SNIP infrastructure
  – Web server and mail host for mailing lists
  – Test and measurement systems
Signing Infrastructure – dnsops.gov. apex.
  – Done behind firewall
  – Private keys not stored on servers
  – Scheduled resigning done every month
      Also after updates as necessary

SNIP Topology
[Diagram. Labels: Emulab Network; Signing system; SNIP Primary Auth Server; SNIP Secondary Auth Server; Internet /UUNet; NIST Network; Internet2 /MAX; Test and Measurement Systems]

SNIP Operational Overview
Will use procedures outlined in SP
  – 1024 bit RSA ZSK
      Rolled over every month
  – 2048 bit RSA KSK
      Rolled over during experimentation
      published as pilot trust anchor
ZSK rollover every 30 days
  – KSK on a less formal basis (experiment in trust anchor rollover)
Using NSEC initially, may experiment signing with NSEC3
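
A check for the key sizes on the Operational Overview slide, added here as an example and not part of the original presentation or any SNIP tool: it parses presentation-format DNSKEY records, recovers the RSA modulus size per RFC 3110 and the key tag per RFC 4034, and flags keys that do not match the 1024-bit ZSK / 2048-bit KSK policy. The subzone name `agency.dnsops.gov.`, the helper names and the sample records are assumptions constructed for illustration.

```python
import base64

POLICY_BITS = {"ZSK": 1024, "KSK": 2048}   # sizes taken from the slide
RSA_ALGS = {5, 7, 8, 10}                   # DNSSEC algorithms using the RFC 3110 key format

def parse_dnskey(rr):
    """Parse one presentation-format DNSKEY RR (RFC 4034, section 2)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    if alg not in RSA_ALGS:
        raise ValueError(f"algorithm {alg} is not RSA; size check does not apply")
    key = base64.b64decode("".join(fields[i + 4:]))
    # RFC 3110: exponent length (1 byte, or 0 followed by 2 bytes), exponent, modulus.
    if key[0]:
        elen, off = key[0], 1
    else:
        elen, off = int.from_bytes(key[1:3], "big"), 3
    modulus = int.from_bytes(key[off + elen:], "big")
    # Key tag (RFC 4034, Appendix B) is computed over the whole RDATA.
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    acc = sum(b << 8 if n % 2 == 0 else b for n, b in enumerate(rdata))
    tag = (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF
    role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit set marks a KSK
    return {"owner": fields[0], "role": role, "alg": alg,
            "bits": modulus.bit_length(), "tag": tag}

def audit(rrs):
    """Return one finding per key whose modulus size differs from the policy."""
    findings = []
    for k in map(parse_dnskey, rrs):
        want = POLICY_BITS[k["role"]]
        if k["bits"] != want:
            findings.append(f'{k["owner"]} {k["role"]} tag={k["tag"]}: '
                            f'{k["bits"]} bits, policy says {want}')
    return findings

def sample_rr(owner, flags, bits):
    """Constructed sample: the 'modulus' is size filler, not a usable RSA key."""
    modulus = (1 << (bits - 1)) | 0x10001
    key = b"\x03\x01\x00\x01" + modulus.to_bytes(bits // 8, "big")
    return f"{owner} 3600 IN DNSKEY {flags} 3 5 {base64.b64encode(key).decode()}"

SAMPLE = [sample_rr("agency.dnsops.gov.", 257, 2048),   # KSK, matches policy
          sample_rr("agency.dnsops.gov.", 256, 1024),   # ZSK, matches policy
          sample_rr("agency.dnsops.gov.", 256, 512)]    # undersized ZSK

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all keys match policy")
```
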

DNS Administrator Resources
Will remain active after SNIP zone shuts down
Project Website
  – Links to guides, tools, and performance stats
Mailing list
  – Useful for announcements and security bulletins
Revision of NIST SP
  – using knowledge gained during SNIP operational lifetime
  – More examples of different server implementations
  – Information on how to interact with parent zones (GSA)

SNIP Impact
Stepping stone for operational use
  – USG DNS operators get experience running delegation under dnsops.gov before deploying in own agency
Tool testing
  – Tech transfer / training on existing tool suites (NIST, SPARTA, Shinkuro, ISC, et al).
Platform Testing
  – Multi-vendor environment
      Servers – ISC/BIND, NSD, Microsoft, Nominum(?) and more surprises
      Resolvers – Linux, BSD, Microsoft, OS X
      Applications – TBD.
Procedure Testing
  – Refinement of procedure/policy guidance and reporting requirements

Participation
Will try to accommodate all
  – Non USG entities: dnsops.biz
      May try to get a presence in other TLDs as well
  – Don’t want a delegation? How about a DNAME?
  – Tool developers
      Can run locally or have delegation/secondary/etc as necessary.

Resources
NIST Special Publications page
DNSSEC Project Page
DNSSEC-Deployment Web page
  – Informal working group