Presentation is loading. Please wait.

Presentation is loading. Please wait.

What DNSSEC Provides Cryptographic signatures in the DNS

Published byYuliani Tanuwidjaja Modified over 6 years ago

Similar presentations

Presentation on theme: "What DNSSEC Provides Cryptographic signatures in the DNS"— Presentation transcript:

1 What DNSSEC Provides Cryptographic signatures in the DNS
Integrates with existing server infrastructure and user clients Assures integrity of results returned from DNS queries: Users can validate source authenticity and data integrity Checks chain of signatures up to root Protects against tampering in caches, during transmission Not provided: message encryption, security for denial-of-service attacks

2 Trust Anchors installed on client resolvers.
DNSSEC Chain of Trust “.” – DNS root. Trust Anchors installed on client resolvers. KSK ZSK KSK KSK se. gov. KSK KSK KSK ZSK ZSK ZSK KSKs KSKs KSK KSK opm.gov. nist.gov. KSK’s often serve as the “anchor” of authentication chain. The higher up in the tree, the more useful the trust anchor KSK KSK ZSK ZSK Data Data

3 Deployment in .gov Policy Drivers: OMB Memo, FISMA
Docs and tools: NIST SP (r1), NIST SP Part 3, SNIP Testbed. Two big deadlines OMB Memo: External authoritative zones by Dec 2009 FISMA: 12 months after publication of Controls document (SP ), August/Sept 2010 – all Federal systems. Progress so far: ~70 signed delegations, another signed but not chained.

4 Lessons Learned from Early Deployments
Deployment is really a content management exercise, not just a security exercise FISMA, other drivers lead to centralization of many network operations How is the data handled will help how best to deploy Signing is easy, key management is hard HSM’s vs. offline storage key rollover/resigning Communication more important than strong crypto Knowing who to contact (parent zone and subzones) important.

5 More Lessons Learned Upgrade vs. new purchases
Majority of agencies may not need investment in new equipment – upgrades may be enough, but it depends on current plans May choose to for other reasons, but DNSSEC may not be the driver Invest the same importance in the keys as you do the data There is such a thing as overkill Consider information leakage as well Do not need to wait on anybody to deploy first Majority of work is internal operations, interface to parent zone will be in a standard form Practice makes perfect - SNIP

Download ppt "What DNSSEC Provides Cryptographic signatures in the DNS"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
PKI Implementation in the Real World

PKI Implementation in the Real World
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Security and Information Assurance for the DNS Dan Massey USC/ISI.

Security and Information Assurance for the DNS Dan Massey USC/ISI.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam

Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
Introduction to DNSSEC AROC Bamako, Mali, 2010. What is DNSSEC?

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Similar presentations

Ads by Google