DNSSEC: An Update on Global Activities


1 DNSSEC: An Update on Global Activities
Dept. of Homeland Security Science & Technology Directorate
EDUCAUSE Annual Mtg
Tempe, AZ
February 12, 2008
Douglas Maughan, Ph.D.
Program Manager, CCI
11/19/2018

2 National Strategy to Secure Cyberspace
- The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
- NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS
- The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.

3 Domain Name System Security (DNSSEC) Program
DNSSEC Program Objective
- “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant”
Rationale / Background / Historical:
- DNS is a critical component of the Internet infrastructure and was not designed for security
- DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities
End Goal:
- Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures

4 Performers
- Shinkuro, Washington, DC
  - Roadmap Development and Execution
  - International partner participation
  - Support Tool Development
- Sparta, Columbia, MD
  - Software Development – Servers, resolvers, applications
  - Internet Standards activities
- NIST, Gaithersburg, MD
  - Measurement and Evaluation Tools
  - Government and Standards activities
  - Connections with GSA, FISMA, and OMB

5 DNSSEC Initiative Activities
- Roadmap published in February 2005; Revised March 2007
- Multiple workshops held world-wide
- DNSSEC testbed developed by
- Involvement with numerous deployment pilots
- Formal publicity and awareness plan including newsletter
- Working with Civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels.
- Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance

6 DNSSEC Roadmap
Identifies the following activities:
- Remaining R&D Issues (Lead: Shinkuro)
- Software Development (Lead: Sparta)
  - Server
  - Resolver
  - Applications
- Operational Considerations (Lead: Shinkuro)
  - Root
  - Registries
  - Registrants
- Measurement and Evaluation (Lead: NIST)
- Outreach and Training (Lead: Shinkuro)

7 Incremental Deployment
- Registries
  - Work through various readiness levels
  - Initial study -> Initial design -> Pilot -> Pre-deployment -> Operation
- Registrars
  - Migrate to an EPP-based system
  - Build extensions for existing non-EPP system
- ISPs
  - Validation as a preferred service for some customers.
  - Manage customized set of Trust Anchors for set of customers
  - Detect key rollover events for known islands of trust
- Enterprise
  - Internal deployment as part of corporate system integrity and protection
  - Trading partners
  - Distinguish between safe and questionable sites

8 Leveraging Existing Efforts
- ccTLDs with operational DNSSEC Services
  - Sweden:
  - Bulgaria:
  - Brazil:
  - Puerto Rico:
- RIPE-NCC
  - Reverse zones that it manages and e164.arpa zone (ENUM)
- DNSSEC initiatives in .UK and .DE
  - Strong advocates of DNSSEC, but waiting for NSEC3 for some zones
- and JPRS
  - Working on integrating DNSSEC signing into existing workflow to maintain short update assurances

9 Leveraging Existing Efforts (cont)
- NIC Mexico
  - Developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD
- .ORG testbed
  - PIR has maintained the .ORG testbed to enable its registrars to test DNSSEC-capable systems
- SNIP testbed for .GOV
  - Provide “distributed training ground” for .gov operators deploying DNSSEC
- IANA
  - Testbed for signing zones that IANA controls
  - Also has a prototype for ‘a’ signed copy of the Root zone

10 FISMA Activities
- Intended to set the IT security policy for all USG systems, contractors, and data.
- Collection of documents produced by NIST
  - FIPS, Special Publications (SP) series
- Goes into effect one year after publication of security controls publication (SP r1)
  - Published Dec, > goes into effect Dec, 2007
- NIST Special Pub A Guide for Assessing the Security Controls in Federal Information Systems
  - Final publication scheduled Dec 2007
- NIST SP Recommendations for Key Management
  - 3-part companion guide to FISMA

11 The Big Picture – DNSSEC in .gov
[Diagram labels: Internet2 DNSSEC Pilot; DREN DNSSEC Pilot; SNIP Core Infrastructure (dnsops.gov., dnsops.biz); zones esnet.doe.dnsops.gov., fda.dnsops.gov., dhs.dnsops.gov., nist.dnsops.gov., antd.nist.dnsops.gov., ag1.dnsops.gov., ag2.dnsops.biz.; zoneedit; dns-outsource.com]

12 NIST Effort - SNIP
Secure Naming Infrastructure Pilot (SNIP)
- Aiding deployment by:
  - Providing a connected training ground
  - Educational resources/guides
  - Modeling infrastructures
  - Testbed for systems
- Relying on user participation
- Aid in deployment, not a proof-of-concept experiment

13 SNIP Overview
- Agencies get delegations to run a secure “shadow-zone”
  - nist.gov becomes nist.dnsops.gov
  - Contractors become “contractor.dnsops.biz”
  - Administrators use dnsops.gov/biz delegation to practice DNSSEC operations
- Infrastructure modeling
  - Attempts to model an agency’s current DNS in NIST/Sparta labs
- Testbed for systems
  - Authoritative servers, caches, and DNSSEC administrator tools

14 Need for Signing the Root Zone
- Root Zone is at the top of the DNS hierarchy
- Signing the Root Zone will allow DNSSEC-capable resolvers to perform the data integrity and origin authenticity checks using the Root Zone Public Key(s) as the common trust point(s).
- A signed Root Zone and a widely deployed DNS system that supports DNSSEC will be a major step forward in the ongoing effort to secure the Internet

15 Root Zone Requirements
- Full operation of DNSSEC at the Root level requires several component capabilities
  - Generation and Maintenance of Keys
  - Accepting “secure delegation” from TLDs
  - Signing the Root Zone and handling of private key material
  - Distribution and the subsequent “serving” of the signed Root Zone by Root Name Server Operators
  - Publication of the Root Zone Public Keys
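
The trust-anchor bookkeeping behind slides 7, 14 and 15, as an added example that is not part of the original presentation: it computes which keys a validating resolver must hold while signed zones are separate islands of trust, and how that set changes once the root is signed and parents accept secure delegations. The function names and each zone's signed status are constructed for illustration; only the zone and country names come from the slides.

```python
# Added example: a model of islands of trust, not a DNSSEC validator.
# Signed/unsigned status and secure delegations below are constructed.

def parent_zone(zone, zones):
    """Closest enclosing zone of `zone` present in `zones` (None for root)."""
    if zone == ".":
        return None
    rest = zone.split(".", 1)[1]        # "nist.dnsops.gov." -> "dnsops.gov."
    while rest:
        if rest in zones:
            return rest
        rest = rest.split(".", 1)[1]
    return "." if "." in zones else None

def island_apex(zone, zones, secure):
    """Top of the signed chain containing `zone`; None if `zone` is unsigned.

    zones maps name -> signed?; secure holds the child zones whose parent
    accepted a secure delegation for them.
    """
    if not zones.get(zone):
        return None
    parent = parent_zone(zone, zones)
    while parent is not None and zones[parent] and zone in secure:
        zone, parent = parent, parent_zone(parent, zones)
    return zone

def required_anchors(zones, secure):
    """Keys a resolver must hold to validate every signed zone."""
    return {island_apex(z, zones, secure) for z, signed in zones.items() if signed}

def validates(zone, zones, secure, configured):
    """True if a resolver holding `configured` anchors can validate `zone`."""
    apex = island_apex(zone, zones, secure)
    return apex is not None and apex in configured

# Constructed scenario 1: unsigned root, signed ccTLDs, a signed pilot zone.
ISLANDS = {".": False, "se.": True, "bg.": True, "br.": True, "pr.": True,
           "gov.": False, "dnsops.gov.": True, "nist.dnsops.gov.": True}
ISLANDS_SECURE = {"nist.dnsops.gov."}

# Constructed scenario 2: root signed, every parent accepts secure delegation.
ROOTED = {name: True for name in ISLANDS}
ROOTED_SECURE = set(ROOTED) - {"."}

if __name__ == "__main__":
    print(sorted(required_anchors(ISLANDS, ISLANDS_SECURE)))
    print(sorted(required_anchors(ROOTED, ROOTED_SECURE)))
```

A signed TLD whose secure delegation the root has not accepted stays a separate island, so the resolver still needs that TLD's key in addition to the root key.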

16 Future Activities
- Pilot deployments of DNSSEC on .us and .gov networks
- Continue getting all the necessary government players
- Working with OMB, DHS, DOC on rollout strategy
- Outreach, communication and training
- Preparation of root servers
- Testing of end user software
- gTLD and ccTLD testbeds
- Community-based identification of existing software
- Candidate operational policies and procedures

17 Summary and Challenge
- Lots of progress over the past 24 months
- More to come in 2008
- USG taking a leadership role
- Working with other parts of Internet infrastructure
- Working with vendors
- Providing resources to help others
- Challenge: What’s keeping you from securing your DNS infrastructure?

18 For more information, visit http://www.cyber.st.dhs.gov
Douglas Maughan, Ph.D.
Program Manager, CCI

