Olaf M. Kolkman. IETF58, Minneapolis, November 2003. DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

DNSSEC Operational Practices
draft-ietf-dnsop-dnssec-operational-practices-00.txt
Olaf M. Kolkman (RIPE NCC) & Miek Gieben (NLnet Labs)

What's this about
– Capturing first operational experience with DNSSEC, mainly from workshops and experiments.
– Identifying operational differences from "plain" DNS.
– Giving some basic recommendations.
– To be published as Informational.

Content
The document is about:
– TIME
– DNSKEY
– Parental policies
The common thread is how RR sets propagate through the system (primary, secondaries, caches). What is new with DNSSEC: correct behaviour depends on two RR sets propagating through the system together, for example an RRSIG and the DNSKEY that verifies it, or the DS at the parent and the DNSKEY at the child.

TIME issues
DNSSEC introduces absolute times: an RRSIG is only valid between its inception and expiration timestamps, whatever the TTL says.
Main problem: cached data becomes unverifiable when its RRSIG expires, even if its TTL has not run out.
– The maximum zone TTL of your zone data should be a fraction of the signature validity period.
– Push out new signatures at least one maximum TTL before the old RRSIGs expire.
Problem related to authoritative servers:
– SOA expiration doesn't know about DNSSEC: a secondary that cannot reach the primary keeps serving the zone until the SOA EXPIRE timer runs out, and by then the RRSIGs in that zone may already have expired.
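The timing rules on this slide can be checked mechanically. The following is an added example (not from the slides or the draft) that parses an RRSIG in presentation format and applies them; the record, its dates, the TTL, re-sign interval and SOA EXPIRE values are constructed for illustration, and the time a new zone version needs to reach all secondaries is not modelled.

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)


def parse_rrsig_time(field):
    """RRSIG inception/expiration timestamp: YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S")


def parse_rrsig(line):
    """Fixed fields of one RRSIG RR in presentation format:
    owner TTL IN RRSIG type alg labels orig-TTL expiration inception key-tag signer signature"""
    f = line.split()
    if len(f) < 12 or f[2:4] != ["IN", "RRSIG"]:
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "type_covered": f[4],
        "original_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def check_signature_timing(rrsig, now, max_zone_ttl, resign_interval, soa_expire):
    """Apply the slide's timing rules. Returns problem codes; an empty list means safe.

    max_zone_ttl    largest TTL of any RRset in the zone
    resign_interval how often fresh RRSIGs are generated and pushed out
    soa_expire      the SOA EXPIRE field
    (all timedeltas; propagation time to secondaries is not modelled here)
    """
    problems = []
    validity = rrsig["expiration"] - rrsig["inception"]

    # Absolute times: the validator's clock decides whether the RRSIG is usable.
    if now < rrsig["inception"]:
        problems.append("not-yet-valid")
    if now >= rrsig["expiration"]:
        problems.append("expired")

    # Data fetched just before a re-sign stays cached for up to max_zone_ttl
    # with the OLD signature, so that signature must still be valid then:
    # resign_interval + max_zone_ttl <= validity, i.e. new signatures go out
    # at least one maximum TTL before the old ones expire.
    if resign_interval + max_zone_ttl > validity:
        problems.append("ttl-vs-validity")

    # Trigger for this particular signature: within one max TTL of expiry.
    if rrsig["expiration"] - now <= max_zone_ttl:
        problems.append("resign-now")

    # A secondary that lost contact with the primary keeps serving the zone
    # until SOA EXPIRE; beyond the validity period it serves expired RRSIGs.
    if soa_expire > validity:
        problems.append("soa-expire")

    return problems


# Constructed sample: 31-day validity (2003-10-20 to 2003-11-20), not a real record.
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 5 2 3600 20031120000000 20031020000000 "
                "12345 example.com. c2lnbmF0dXJlLWJ5dGVzLWdvLWhlcmU=")

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    now = parse_rrsig_time("20031110000000")
    for soa_expire in (14 * DAY, 42 * DAY):
        print(soa_expire.days, "day SOA EXPIRE:",
              check_signature_timing(sig, now, DAY, 7 * DAY, soa_expire) or "ok")
```

With a 31-day validity period, a one-day maximum TTL, weekly re-signing and a two-week SOA EXPIRE pass; a six-week SOA EXPIRE is flagged because a cut-off secondary would keep answering with expired signatures, and a re-sign interval equal to the validity period is flagged because cached data could outlive its signature.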

DNSKEY issues
Key size recommendations
– Based on the Journal of Cryptology publication by Lenstra and Verheul ("Selecting Cryptographic Key Sizes").
Key rollover scenarios
– Caches may hold DNSKEYs and RRSIGs from different versions of a zone.

Key rollover scenarios
The goal: make sure that a validator always has a DNSKEY available, possibly from its cache, that verifies the RRSIG it just received from an authoritative server, whichever version of the zone each came from.
ZSK rollovers
– Double-signature rollover: every RRset carries signatures from both the old and the new key during the rollover; costly for large zone files.
– Pre-published key rollover: the new key is added to the DNSKEY RRset before it signs anything; more steps, hence more administration, and the public key is exposed for longer, which gives an attacker more time for cryptanalysis.

Key rollover scenarios (continued)
KSK rollovers
– Double-signature rollover: only one DS RR at the parent at all times. Loose coupling: most actions are done by the child, which needs to wait for the parent to publish the new DS RR before it retires the old key.
– Different from Mike StJohns' proposal, which needs two DS RRs at the parent and multiple child/parent interactions, but is automated (that will need to be described in this document too).
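The rule behind both the ZSK scenarios on the previous slide and the KSK scenario on this one is the same: if each step of a rollover is published at least one maximum TTL (plus the time the previous version needs to reach all secondaries) after the last, a cache can hold trust material (the DNSKEY RRset, or the parent's DS set) from one state and RRSIGs from the next or the previous state, and every such combination must still verify. The following is an added example (not from the slides or the draft) that checks rollover plans against that rule and lays out the earliest schedule; key names, the start date and the TTLs are placeholders.

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)
START = datetime(2003, 11, 17)   # placeholder start date for the schedule


def check_rollover(states):
    """states: list of (trusted, signing) sets, in the order they are published.

    trusted  keys a validator can verify with: the DNSKEY RRset published in
             the zone (ZSK rollover) or the DS RRs at the parent (KSK rollover)
    signing  keys whose RRSIGs are served in that state
    Returns (i, j, reason) triples for every combination of cached trust
    material from state i and RRSIGs from state j that cannot be verified.
    """
    failures = []
    for i, (trusted, signing) in enumerate(states):
        if not signing & trusted:
            failures.append((i, i, "state not verifiable on its own"))
        if i == 0:
            continue
        prev_trusted, prev_signing = states[i - 1]
        if not signing & prev_trusted:          # cache: old keys, new RRSIGs
            failures.append((i - 1, i, "new RRSIGs, old cached keys"))
        if not prev_signing & trusted:          # cache: new keys, old RRSIGs
            failures.append((i, i - 1, "old cached RRSIGs, new keys"))
    return failures


def schedule(states, start=START, max_ttl=DAY, propagation=timedelta(0)):
    """Earliest publication time of each state: wait one maximum TTL (plus the
    time for the previous version to reach all secondaries) between steps."""
    step = max_ttl + propagation
    return [start + n * step for n in range(len(states))]


Z_OLD, Z_NEW = "zsk-old", "zsk-new"   # placeholder key names
K_OLD, K_NEW = "ksk-old", "ksk-new"

# ZSK rollovers: trusted = DNSKEY RRset in the zone, signing = ZSKs signing zone data.
PREPUBLISH_ZSK = [
    ({Z_OLD}, {Z_OLD}),
    ({Z_OLD, Z_NEW}, {Z_OLD}),          # new key published, not yet used
    ({Z_OLD, Z_NEW}, {Z_NEW}),          # signatures swapped; zone size unchanged
    ({Z_NEW}, {Z_NEW}),                 # old key retired
]
DOUBLE_SIG_ZSK = [
    ({Z_OLD}, {Z_OLD}),
    ({Z_OLD, Z_NEW}, {Z_OLD, Z_NEW}),   # two RRSIGs per RRset: signature volume doubles
    ({Z_NEW}, {Z_NEW}),
]
NAIVE_ZSK = [({Z_OLD}, {Z_OLD}), ({Z_NEW}, {Z_NEW})]   # key and signatures swapped in one step

# KSK rollover: trusted = the single DS at the parent, signing = KSKs signing the DNSKEY RRset.
DOUBLE_SIG_KSK = [
    ({K_OLD}, {K_OLD}),
    ({K_OLD}, {K_OLD, K_NEW}),   # child adds the new KSK and double-signs the DNSKEY RRset
    ({K_NEW}, {K_OLD, K_NEW}),   # parent replaces its one DS; the child waits for this
    ({K_NEW}, {K_NEW}),          # child drops the old KSK
]
HASTY_KSK = [({K_OLD}, {K_OLD}), ({K_NEW}, {K_OLD})]   # parent swaps the DS before the child signs with the new KSK

if __name__ == "__main__":
    for name, plan in [("pre-publish ZSK", PREPUBLISH_ZSK), ("double-signature ZSK", DOUBLE_SIG_ZSK),
                       ("naive ZSK", NAIVE_ZSK), ("double-signature KSK", DOUBLE_SIG_KSK),
                       ("hasty KSK", HASTY_KSK)]:
        print("%-22s %s" % (name, check_rollover(plan) or "ok"))
    for state, when in zip(DOUBLE_SIG_KSK, schedule(DOUBLE_SIG_KSK, propagation=DAY)):
        print(when.date(), "DS:", sorted(state[0]), "signing:", sorted(state[1]))
```

The pre-publish and double-signature plans pass; swapping a ZSK and its signatures in a single step fails as soon as a cache holds the old DNSKEY RRset and a new RRSIG, and the KSK plan fails if the parent replaces the DS before the child's DNSKEY RRset is signed with the new KSK, which is why the child has to wait for the parent.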

Other issues covered
– Planning for emergency rollovers.
– Some parental policy considerations:
  – DNSKEY exchange and storage.
  – Preventing "security lameness": a DS at the parent that matches no DNSKEY in the child, so that the child validates as bogus.
  – DS validity.
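Security lameness can be caught before the parent publishes a DS, and again afterwards, by deriving the DS from the child's DNSKEY RRset and comparing. The following is an added example (not from the slides or the draft) that does this; the key tag and DS digest follow RFC 4034, the DNSKEY and DS records are constructed placeholders (not real keys), and the owner name example.com is hypothetical.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    f = line.split()
    if f[2:4] != ["IN", "DNSKEY"]:
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types; SHA-1 was the only one in 2003


def ds_from_dnskey(owner, rdata, digest_type=1):
    """DS RDATA for a DNSKEY: (key tag, algorithm, digest type, upper-case hex digest)."""
    alg = rdata[3]
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), alg, digest_type, digest.upper())


def ds_presentation(owner, ds, ttl=86400):
    """Render a DS tuple as a zone-file line, as the parent would publish it."""
    return "%s %d IN DS %d %d %d %s" % ((owner, ttl) + ds)


def parse_ds(line):
    """'owner TTL IN DS keytag alg digesttype hex...' -> (owner, DS tuple)."""
    f = line.split()
    if f[2:4] != ["IN", "DS"]:
        raise ValueError("not a DS record: %r" % line)
    return f[0], (int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper())


def security_lame(parent_ds_lines, child_dnskey_lines):
    """Return every DS published by the parent that matches no DNSKEY in the child.

    Such a DS leaves validators with no usable entry into the child's keys, so
    the child's data validates as bogus rather than as unsigned.
    """
    derived = set()
    for line in child_dnskey_lines:
        owner, rdata = parse_dnskey(line)
        for digest_type in DIGESTS:
            derived.add((owner.lower(), ds_from_dnskey(owner, rdata, digest_type)))
    lame = []
    for line in parent_ds_lines:
        owner, ds = parse_ds(line)
        if (owner.lower(), ds) not in derived:
            lame.append(ds)
    return lame


# Constructed placeholder keys (4-byte "public keys", not usable for signing).
CHILD_KEYS = [
    "example.com. 3600 IN DNSKEY 257 3 5 AQIDBA==",   # KSK (SEP flag set)
    "example.com. 3600 IN DNSKEY 256 3 5 BQYHCA==",   # ZSK, no DS expected
]

if __name__ == "__main__":
    owner, rdata = parse_dnskey(CHILD_KEYS[0])
    good = ds_from_dnskey(owner, rdata)
    stale = (good[0] + 1,) + good[1:]                  # DS left over from a previous key
    print("parent in sync:", security_lame([ds_presentation(owner, good)], CHILD_KEYS) or "ok")
    print("security lame :", security_lame([ds_presentation(owner, stale)], CHILD_KEYS))
```

Run against the real parent and child zones, the parent DS lines would come from a query at the parent and the DNSKEY lines from the child's apex; any DS the function returns means the parent must be updated (or the child must re-publish the key) before validators start failing the zone.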

WG input
Yes please, the document is yours now.
– Test the described procedures.
– Editorial nits to Kolkman or Gieben; content discussion on the list.