DNSSEC-Deployment.org
Secure Naming Infrastructure Pilot (SNIP)
A .gov Community Pilot for DNSSEC Deployment
Joint Techs Workshop, July 18, 2007
Scott Rose, NIST
SNIP Goals
DNSSEC is now a FISMA requirement.
– NIST SP r1 (Dec 2006), "Recommended Security Controls for Federal Information Systems", mandates the incremental deployment of DNSSEC technologies in Moderate and High Impact IT systems.
  Moderate Impact: must sign zones.
  High Impact: must be prepared to validate signatures.
Need to facilitate technology insertion and adoption.
– Standards, implementations and policies don't guarantee success.
– Need for technical community resources and activities to foster early deployments, refine policies and plans, and share information and expertise.
SNIP Basics
SNIP will build a USG DNS Ops community and shared pilot
– Provide a "distributed training ground" for .gov operators deploying DNSSEC
– Ability to pilot agency-specific scenarios either locally or on SNIP-provided resources
– Create a community resource for DNS admins in the USG to share knowledge and to refine specifications, policies and plans
SNIP basis is a signed shadow zone under .gov (dnsops.gov)
– Will offer delegations and secure chaining to subzones (example: NIST would participate as nist.dnsops.gov)
– May offer a limited hosting service as well; the goal isn't to be a hosting service, but to help bootstrap others to host their own zones
SNIP as a Testbed
Use the SNIP tree to exercise DNSSEC operations
– Test DNSSEC deployment scenarios: multi-vendor platforms for authoritative / caching servers and resolvers; zone structure / contents / distribution
– Test DNSSEC operations described in SP: zone signing, key rollovers, zone transfers
– Test DNSSEC administration tools (from NIST, Sparta and Shinkuro)
– Test performance in agency-specific scenarios
Community hands-on participation
– Agency DNS operators can participate in NIST/SPARTA-led exercises
– Results will be published for the community
What SNIP is Not
Mandatory
Permanent
– Expected lifetime: 2-3 years
– The community tools and lists will remain after the testbed activities conclude
100% Uptime
– This is an experimental testbed in which we will conduct disruptive experiments, load/stress test servers, etc.
Levels of Participation
Delegation only
– Participants use their own testbed systems and perform all administration associated with setup / experimentation
Remote administration
– Participants use SNIP testbed equipment, but perform all administration
Hosted experiments
– NIST/SPARTA set up a mirror of agency-specific infrastructure, using SNIP equipment and administration, for a specific experiment
– For limited use in investigating specific deployment / technology issues
The Big Picture – DNSSEC in .gov
[Diagram: SNIP core infrastructure serving dnsops.gov., with delegations shown for dhs.dnsops.gov., nist.dnsops.gov., antd.nist.dnsops.gov., fda.dnsops.gov., esnet.doe.dnsops.gov., ag1.dnsops.gov. and ag2.dnsops.gov.; other labels in the diagram: zoneedit, dns-outsource.com, Internet2 DNSSEC Pilot, DREN DNSSEC Pilot.]
Testbed Technical Details
Multiple authoritative server implementations
Internet2 connection (IPv6 testing)
May have alternate hosting capabilities (multiple servers)
– Secondaries in other locations?
Ability to host other zones (or servers) for delegations lacking equipment to participate fully
– Zone data can be real (servers) or anonymized
Will maintain and publish a trust anchor for the dnsops.gov. tree
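Publishing the dnsops.gov. trust anchor and securely chaining a delegation such as nist.dnsops.gov to its parent both hinge on the DS record and key tag derived from a DNSKEY. The following Python is an added example, not SNIP's own tooling: it derives the RFC 4034 key tag and a DS record (SHA-1 or SHA-256 digest) from a DNSKEY in presentation format, and checks a published DS against a DNSKEY the way a validator does when building the chain of trust. The owner name and key bytes are constructed sample data, not real SNIP keys.

```python
import base64
import hashlib
import struct

# Constructed sample data (not a real SNIP key): KSK flags (257), protocol 3,
# algorithm 5 (RSA/SHA-1, the common choice in 2007). The key bytes are a dummy
# string, so the resulting DS digest is illustrative only.
SAMPLE_OWNER = "dnsops.gov."
SAMPLE_KEY_BYTES = bytes([0x03, 0x01, 0x00, 0x01]) + bytes(range(1, 9))
SAMPLE_DNSKEY = "257 3 5 " + base64.b64encode(SAMPLE_KEY_BYTES).decode()

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lb.encode() for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"


def dnskey_rdata(dnskey_text):
    """Turn 'flags protocol algorithm base64-key' presentation text into DNSKEY RDATA bytes."""
    flags, proto, alg, key_b64 = dnskey_text.split(None, 3)
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, dnskey_text, digest_type=2):
    """DS RDATA text ('tag alg digest_type digest') that a parent zone or trust-anchor file carries."""
    rdata = dnskey_rdata(dnskey_text)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(owner, dnskey_text, ds_text):
    """Check a DS against a DNSKEY as a validator does; the hex digest may be split into groups."""
    tag, alg, dtype, *digest_parts = ds_text.split()
    expected = ds_record(owner, dnskey_text, int(dtype))
    return expected == "%d %d %d %s" % (int(tag), int(alg), int(dtype), "".join(digest_parts).upper())
```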
SNIP Infrastructure Resources
Primary Site – NIST / Gaithersburg, MD
– Authoritative dnsops.gov. DNS servers
Secondary Site – Sparta / Columbia, MD
– Geographic and network dispersion (sort of)
– Zone transfers using TSIG for message authentication
Reconfigurable emulated wide-area topology
– 20+ node Emulab being deployed at NIST
Additional NIST Resources
Other SNIP infrastructure
– Web server and mail host for mailing lists
– Test and measurement systems
Signing infrastructure – dnsops.gov. apex
– Done behind firewall
– Private keys not stored on servers
– Scheduled resigning done every month, and also after updates as necessary
SNIP Topology
[Diagram: components labelled NIST Network, Signing system, SNIP Primary Auth Server, SNIP Secondary Auth Server, Emulab Network, Test and Measurement Systems, with external connectivity via Internet / UUNet and Internet2 / MAX.]
SNIP Operational Overview
Will use procedures outlined in SP
– 1024-bit RSA ZSK, rolled over every month
– 2048-bit RSA KSK, rolled over during experimentation; published as pilot trust anchor
ZSK rollover every 30 days
– KSK on a less formal basis (experiment in trust anchor rollover)
Using NSEC initially; may experiment with signing with NSEC3
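The 30-day ZSK rollover and monthly resigning above only validate cleanly if the new key is published, used and retired with cache lifetimes in mind. The following Python is an added example, not a SNIP procedure: it lays out a pre-publish ZSK rollover calendar for the dnsops.gov. schedule and flags the two timing mistakes that cause resolver validation failures (signing with a ZSK that cached DNSKEY RRsets do not yet contain, and removing the old ZSK while RRSIGs it made are still cached). The 30-day period is from the slides; the maximum TTL and propagation delay are assumptions, as is the pre-publish method itself.

```python
from datetime import datetime, timedelta

ZSK_PERIOD = timedelta(days=30)    # from the slides: ZSK rolled over every 30 days
MAX_TTL = timedelta(days=1)        # assumption: largest TTL of any RRset in dnsops.gov.
PROPAGATION = timedelta(hours=12)  # assumption: time for a resigned zone to reach every secondary
SAFETY = MAX_TTL + PROPAGATION     # how long old data can linger in resolver caches


def _ts(iso_text):
    """Parse an ISO 8601 date or date-time string (e.g. '2007-07-18' or '2007-08-17T00:00')."""
    return datetime.fromisoformat(iso_text)


def _iso(moment):
    return moment.isoformat(timespec="minutes")


def plan_prepublish_rollover(active_since):
    """Pre-publish rollover dates for the ZSK that began signing on active_since.

    publish: new DNSKEY added to the zone while the old ZSK keeps signing
    switch:  zone fully resigned with the new ZSK
    remove:  old DNSKEY dropped from the zone
    """
    switch = _ts(active_since) + ZSK_PERIOD
    return {
        "publish": _iso(switch - SAFETY),  # caches must already hold the new DNSKEY RRset
        "switch": _iso(switch),
        "remove": _iso(switch + SAFETY),   # cached RRSIGs made by the old ZSK must have expired
    }


def check_rollover(publish, switch, remove):
    """Return the validation-failure causes in a proposed rollover (empty list means the timing is safe)."""
    problems = []
    if _ts(switch) - _ts(publish) < SAFETY:
        problems.append("new ZSK signs before cached DNSKEY RRsets can include it")
    if _ts(remove) - _ts(switch) < SAFETY:
        problems.append("old ZSK removed while RRSIGs it made can still be cached")
    return problems


def yearly_schedule(first_active, rollovers=12):
    """The monthly calendar: one pre-publish rollover per 30-day ZSK period, chained end to end."""
    plan, active = [], first_active
    for _ in range(rollovers):
        step = plan_prepublish_rollover(active)
        plan.append(step)
        active = step["switch"]
    return plan
```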
DNS Administrator Resources
Will remain active after the SNIP zone shuts down
Project website
– Links to guides, tools, and performance stats
Mailing list
– Useful for announcements and security bulletins
Revision of NIST SP
– Using knowledge gained during the SNIP operational lifetime
– More examples of different server implementations
– Information on how to interact with parent zones (GSA)
SNIP Impact
Stepping stone for operational use
– USG DNS operators get experience running a delegation under dnsops.gov before deploying in their own agency
Tool testing
– Tech transfer / training on existing tool suites (NIST, SPARTA, Shinkuro, ISC, et al.)
Platform testing
– Multi-vendor environment
  Servers: ISC/BIND, NSD, Microsoft, Nominum(?) and more surprises
  Resolvers: Linux, BSD, Microsoft, OS X
  Applications: TBD
Procedure testing
– Refinement of procedure/policy guidance and reporting requirements
Participation
Will try to accommodate all
– Non-USG entities: dnsops.biz; may try to get a presence in other TLDs as well
– Don't want a delegation? How about a DNAME?
– Tool developers can run locally or have a delegation/secondary/etc. as necessary
Resources
NIST Special Publications page
DNSSEC Project Page
DNSSEC-Deployment web page
– Informal working group