Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa.

Published byGerald Hensley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa."— Presentation transcript:

1 1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. OpenPGP 1C1C 6311 EF09 D819 E029 65BE BFB6 C9CB

2 2 Relevant company history DNSSEC activities ● Late adopter: Not developing the protocol ● Starting with a DLV, resulting in a survey ● Deploying DLV to ISP core and own company ● Introducing a signed root (on IANA zone data) ● Deploying signed root to customers ● Large scale tests: bgp.arpa.

3 3 Productive DNSSEC deployment Requirements ● Stable software ● Fully automatic key management ● Skilled customer support ● Upper management commitment ● Enthusiastic tech guys to solve obscure problems ● No sales activities: no customer expectations

4 4 Usage scenarios Signing ● Admins complain about broken (old) tool chains ● Zone different in various views (RFC1918/NAT) ● Automatic resigning requires additional daemons, additional monitoring, and additional alarm plans ● Signing while zone is modified: broken zone ● DNS appliance without DNSSEC capabilities ➔ Remote signing tools using hidden primary

5 5 Usage scenarios Verifying resolvers ● Turing on verification is useless ● Maintaining distributed trust anchors is hard ● Central maintaining is easier: DLV/signed root ● DLV caused software problems (mostly solved) ● Signed root misses important TLDs ● Security aware companies maintain own TARs

6 6 Usage scenarios Benefits or ROI ● Storage of public keys: Use DNS as PKI for SSH (automatic), OpenPGP and X.509 (manual) ● Securing ENUM ● Banks fear legal consequences if not all possible protection is offered ● Spam avoidance: Securing DKIM etc. pp. ● DNS as distributed database: bgp.arpa

7 7 Open discussion Who is really using DNSSEC? ● For which purpose? ● Which area of impact? LAN, company, or global? ● Does it work automatically? Out of the box? ● Which trust anchor management is used? ● Does it open new problems? Privacy? ● How was is done before/without DNSSEC? ● Is DNSSEC a product or plain (and free) infrastructure?

8 8 Productive DNSSEC Questions? Signed answers.

Download ppt "1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa."

Similar presentations

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DNS Alphabet Soup. IPv6 Increases packet size Both transport and question/answer sections Preference: goes first Fragmentation done by end points (ICMPv6!)

DNS Alphabet Soup. IPv6 Increases packet size Both transport and question/answer sections Preference: goes first Fragmentation done by end points (ICMPv6!)
1 Storage Today Victor Hatridge – CIO Nashville Electric Service (615) 747-3735.

1 Storage Today Victor Hatridge – CIO Nashville Electric Service (615)
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.

X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.
Gabriela Contreras, Continental Airlines Yvan Hennecart, SDL

Gabriela Contreras, Continental Airlines Yvan Hennecart, SDL
1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr.

1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr.
1 Introducing the next generation desktop application.

1 Introducing the next generation desktop application.
Rev 1.012010-06-03. Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.

Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.
Translate tech terms into plain English. ?

Translate tech terms into plain English. ?
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
Cloud Computing Project By:Jessica, Fadiah, and Bill.

Cloud Computing Project By:Jessica, Fadiah, and Bill.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Continous Integration & Continous Deployment - For the new nameserver infrastructures of DENIC eG 15/10/03 – Christian Petrasch

Continous Integration & Continous Deployment - For the new nameserver infrastructures of DENIC eG 15/10/03 – Christian Petrasch
Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.
OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.
Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Similar presentations

Ads by Google