Presentation is loading. Please wait.

Presentation is loading. Please wait.

R. Kevin Oberman ESnet February 5, 2009

Published byHadi Sutedja Modified over 6 years ago

Similar presentations

Presentation on theme: "R. Kevin Oberman ESnet February 5, 2009"— Presentation transcript:

1 R. Kevin Oberman ESnet February 5, 2009
DNSSEC Update R. Kevin Oberman ESnet February 5, 2009

2 .gov Now Signed! .gov formally signed Feb. 1
Not yet accepting delegated keys Will start doing so in a few days

3 Time to sign With signed .gov, it is time for those in .gov space to start signing Be sure that you are ready Don’t rush Test before officially signing

4 How to Sign http://www.dnssec-tools.org Signing appliance
Work done by Sparta under contract to the US Government Tools are open source and free Allow fairly easy implementation of most DNSSEC requirements Signing appliance Easiest operation Least likely to fail

5 Use BIND-9.6.0-P1 or later Supports NSEC3
NSEC3 prevents zone enumeration Required to ‘hide’ zone data Prevents effective zone transfer Supports ‘automatic’ key update to parent Greatly simplifies key management

6 Key Issues Two ‘types’ of keys
Zone signing keys (ZSKs) sign RRsets in zone files Key signing keys (KSKs) sign the ZSKs All keys use symmetric public keys much like ssh Data may be signed by multiple keys

7 Key Management Zone signing key must be changed monthly
Key signing keys must be changed annually Valid public key must ALWAYS be available for current and cached data Watch TTLs—long cache life complicates emergency key changes TTLs should probably be no longer than a few hours

8 Three Key Shuffle Keys A, B, and C Data signed with A and B
To roll keys: Generate new key pair (C) Sign data with B and C Keeps each key active for two cycles All cached data always signed with active key

9 No Room for Error! Data not signed by valid key will not validate
Queries for your data will fail on validating servers Your zone will ‘disappear’ from the Internet Your users will be very unhappy!

10 No Key Revocation! Keys may be withdrawn, but not revoked
New key can be put in place very quickly Cached data will not be valid if no valid key is in place Keep TTLs short

11 The Clock is Ticking OMB requires that zones immediately under .gov be signed by the end of 2009 You need to start working on a signing solution NOW!

Download ppt "R. Kevin Oberman ESnet February 5, 2009"

Similar presentations

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.

Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.

DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Rev 1.012010-06-03. Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.

Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
DNSSEC deployment in NZ Andy Linton

DNSSEC deployment in NZ Andy Linton

Similar presentations

Ads by Google