Slide 1
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. http://www.ripe.net/disi
Steps towards a secured DNS
Olaf M. Kolkman, Henk Uijterwaal, Daniel Karrenberg and Jürgen Pfleger
Slide 2: Who, why and what
RIPE NCC DISI project
– RIPE NCC's mission
– DISI project: Deployment of Internet Security Infrastructure. Identify, implement and raise awareness of security infrastructure to improve the quality of the Internet in the RIPE region. Focus on DNSSEC.
Goal of the presentation
– This presentation is on the steps one needs to take to deploy DNSSEC in an organisation. It also serves as a DISI status report.
Slide 3: DNSSEC in a nutshell
Security is provided by signing RR sets using public key crypto.
Keys are published in the DNS.
The key infrastructure is built by delegating signing authority from parent to child:
– RR sets are signed by zone signing keys,
– key RR sets are signed by key signing keys,
– 'pointers' to the key signing keys (DS records) are signed by the parent.
Slide 4: Chain of trust (animated)

Locally configured trusted key: . 8907

$ORIGIN .
.              KEY (…) lasE5…  (2983)      zone signing key
.              KEY (…) 5TQ3s…  (8907)      key signing key
.              SIG KEY (…) 8907 . 69Hw9..
net.           DS 7834 3 1ab15…
net.           SIG DS (…) . 2983

$ORIGIN net.
net.           KEY (…) q3dEw…  (7834)      key signing key
net.           KEY (…) 5TQ3s…  (5612)      zone signing key
net.           SIG KEY (…) 7834 net. cMaso3Ud...
ripe.net.      DS 4252 3 1ab15…
ripe.net.      SIG DS (…) net. 5612

$ORIGIN ripe.net.
ripe.net.      KEY (…) sovP242… (1234)     zone signing key
ripe.net.      KEY (…) rwx002…  (4252)     key signing key
ripe.net.      SIG KEY (…) 4252 ripe.net. 5tUcwU...
www.ripe.net.  A 193.0.0.202
www.ripe.net.  SIG A (…) 1234 ripe.net. a3Ud...
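An added example, not from the slides, that walks the chain on this slide in Python: the key tags, names and trusted key are the slide's, the key material and DS digests are constructed, signatures are checked only structurally (the signer's key tag must already be trusted; no real public-key verification), and the DS digest is modelled as SHA-1 over owner name plus key data.

```python
import hashlib

def ds_digest(owner, key_rdata):
    """Modelled DS digest type 1: SHA-1 over the owner name plus the KEY rdata."""
    return hashlib.sha1(f"{owner.lower()} {key_rdata}".encode()).hexdigest()

# Constructed zones with the slide's key tags (key material is fake). Per zone:
# keys: tag -> public key data; key_sig: tag whose SIG covers the KEY RRset;
# ds: child apex -> (child KSK tag, digest, tag of the parent ZSK that signed the DS);
# rrsets: (owner, type) -> (rdata, tag of the ZSK that signed it).
ZONES = {
    ".": {"keys": {2983: "lasE5", 8907: "5TQ3s"}, "key_sig": 8907, "rrsets": {},
          "ds": {"net.": (7834, ds_digest("net.", "q3dEw"), 2983)}},
    "net.": {"keys": {7834: "q3dEw", 5612: "5TQ3sN"}, "key_sig": 7834, "rrsets": {},
             "ds": {"ripe.net.": (4252, ds_digest("ripe.net.", "rwx002"), 5612)}},
    "ripe.net.": {"keys": {1234: "sovP242", 4252: "rwx002"}, "key_sig": 4252, "ds": {},
                  "rrsets": {("www.ripe.net.", "A"): ("193.0.0.202", 1234)}},
}

def zone_path(name, zones):
    """Zone apexes from the root down to the zone that holds name."""
    labels = name.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return ["."] + [apex for apex in candidates if apex in zones]

def validate(name, rrtype, trusted_tags, zones=ZONES):
    """Walk the chain of trust from the locally configured key down to the RRset.
    Returns (rdata, steps) or raises ValueError where the chain breaks."""
    path = zone_path(name, zones)
    validated, steps, parent = set(trusted_tags), [], None
    for apex in path:
        zone = zones[apex]
        if parent is not None:  # cross the delegation through the parent's DS
            tag, digest, ds_signer = zones[parent]["ds"][apex]
            if ds_signer not in validated or ds_digest(apex, zone["keys"].get(tag, "")) != digest:
                raise ValueError(f"DS for {apex} is unsigned or does not match key {tag}")
            validated = {tag}  # only the DS-matched key signing key is trusted so far
            steps.append(f"{parent} DS -> {apex} KEY {tag}")
        if zone["key_sig"] not in validated:
            raise ValueError(f"KEY RRset of {apex} is signed by untrusted key {zone['key_sig']}")
        validated = set(zone["keys"])  # the signed KEY RRset brings in the zone signing key
        steps.append(f"{apex} KEY RRset signed by {zone['key_sig']}")
        parent = apex
    rdata, signer = zones[path[-1]]["rrsets"][(name, rrtype)]
    if signer not in validated:
        raise ValueError(f"{name} {rrtype} is signed by untrusted key {signer}")
    steps.append(f"{name} {rrtype} signed by zone signing key {signer}")
    return rdata, steps
```

Calling validate("www.ripe.net.", "A", {8907}) returns the address and the six steps of the slide's chain; a forged ripe.net key or a different trusted key makes the walk stop with a ValueError at the broken link.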
Slide 5: Steps to secure the DNS
Server infrastructure
1. Protocol and software
2. Appropriate DNS infrastructure
3. Signing locally
4. Becoming part of the chain of trust
5. Delegating signing authority
Client infrastructure
A. Obtaining and configuring keys in applications
Slide 6: Step 1: Protocol and Software
DNSSEC specs are still not finished.
– DS identified corner cases that are being addressed
– OPT-IN is being tested
– Wildcard handling may need some clarification
Most people agree these are no show stoppers.
– Try not to add new protocol features to DNSSEC
– The Bind9 snapshot reflects the current state
– Production quality in about 6 months from now (?!)
Slide 7: Step 1: Protocol and Software @RIPE NCC
We have been actively involved in the IETF process.
– Cooperated in and hosted workshops for software and protocol tests (January 21-23: tests of OPT-IN and of possible solutions to current problems)
– Published 2 drafts: draft-ietf-dnsext-keyrr-key-signing-flag and draft-olaf-dnsext-dnssec-wildcard-optimization
Continued work on Net::DNS::SEC
– Perl module that adds DNSSEC support to Net::DNS
– Turned out to be very handy for writing little support scripts
Collaborate with NLnet Labs on the development of a DNSSEC aware NSD.
– Version 1.2 will have DNSSEC support
Slide 8: Intermezzo: Shameless NSD plug
Name Server Daemon
– Authoritative-only, high performance name server: on the order of 30000 queries per second. K.root-servers.net runs NSD.
– Fully RFC conformant
– Regression tested against the bind implementation
Version 1.0.2 is available, with more info, at http://www.nlnetlabs.nl/nsd
Slide 9: Step 2: Appropriate DNSSEC infrastructure
All authoritative servers for a zone will need to be DNSSEC aware
– Either bind9 or, in the near future, NSD
Be aware: zone sizes will grow by a factor of 5-10
– Memory and disk usage on your servers
– Network traffic will increase
Contact your 'slaves' as soon as possible
– If one of your slaves is not DNSSEC aware this will cause lameness problems
– Same considerations with respect to hardware
Consider DNSSEC if you plan an upgrade of your infrastructure in the near future!
Slide 10: Step 2: Appropriate DNSSEC infrastructure @RIPE NCC
The operations department is aware of the requirements
– We currently run Bind 9.2; DNSSEC is not enabled
We'll be contacting secondaries to make an inventory of possibilities.
– Awareness of DNSSEC?
– Architectural considerations at the secondary?
– The requirement of all slaves being DNSSEC aware may well be the most delaying factor in the deployment of DNSSEC
Slide 11: Step 3: Signing Locally
Design and document policies
– Consider: key length, zone vs key signing keys, algorithm, signing frequency, key storage, emergency (compromise) procedure.
Design and implement a key maintenance system
– Based on the above policies
Set up the procedures and cron jobs to resign
– Forgetting to sign causes problems.
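An added example for the "forgetting to sign" failure mode, not part of the presentation or the RIPE NCC tools: a Python audit that reads a constructed zone (secret-wg.org, in the RFC 2535 SIG syntax the slides use, with TTL and class columns left out) and reports every RRset that is unsigned or whose signature is expired, not yet valid, or about to expire, which is what a resign cron job should be checked against.

```python
from datetime import datetime, timedelta

# Constructed sample zone (TTL and class columns left out) in the RFC 2535 SIG
# syntax the slides use:
#   owner SIG <covered type> <alg> <labels> <ttl> <expiration> <inception> <keytag> <signer> <signature>
SAMPLE_ZONE = """\
secret-wg.org.      SOA  ns.secret-wg.org. hostmaster.secret-wg.org. 2003020100 3600 900 604800 3600
secret-wg.org.      SIG  SOA 1 2 3600 20030301120000 20030201120000 1234 secret-wg.org. a3Ud...
secret-wg.org.      KEY  256 3 1 sovP242...
secret-wg.org.      SIG  KEY 1 2 3600 20030401000000 20030101000000 4252 secret-wg.org. 5tUcwU...
www.secret-wg.org.  A    193.0.0.202
www.secret-wg.org.  SIG  A 1 3 3600 20030215000000 20030116000000 1234 secret-wg.org. cMaso3Ud...
ftp.secret-wg.org.  A    193.0.0.203
ftp.secret-wg.org.  SIG  A 1 3 3600 20030201000000 20030102000000 1234 secret-wg.org. 69Hw9...
mail.secret-wg.org. MX   10 www.secret-wg.org.
"""

def audit_signatures(zone_text, now, warn_days=7):
    """Return (owner, type, problem) for every RRset that is unsigned or whose
    SIG is expired, not yet valid, or expires within warn_days. An empty list
    means the resign job is keeping up. now is a YYYYMMDDHHMMSS string."""
    def ts(s):
        return datetime.strptime(s, "%Y%m%d%H%M%S")
    now, warn = ts(now), timedelta(days=warn_days)
    rrsets, sigs = set(), {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 2 or line.startswith(";"):
            continue
        if f[1] == "SIG":  # index each signature by the RRset it covers
            sigs[(f[0], f[2])] = (ts(f[7]), ts(f[6]), int(f[8]))  # inception, expiration, key tag
        else:
            rrsets.add((f[0], f[1]))
    problems = []
    for owner, rtype in sorted(rrsets):
        if (owner, rtype) not in sigs:
            problems.append((owner, rtype, "unsigned"))
            continue
        inception, expiration, tag = sigs[(owner, rtype)]
        if now < inception:
            problems.append((owner, rtype, f"not yet valid (key {tag})"))
        elif now >= expiration:
            problems.append((owner, rtype, f"expired (key {tag})"))
        elif expiration - now <= warn:
            problems.append((owner, rtype, f"expires in {(expiration - now).days} days"))
    return problems
```

Run against the sample with now = 20030210000000, the audit flags the expired ftp signature, the unsigned MX and the www signature that expires in five days; run before the SOA signature's inception it flags that signature as not yet valid.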
Slide 12: Step 3: Signing Locally @RIPE NCC
Detailed procedures have not yet crystallized.
A key maintenance tool that allows for easy key creation, rollover etc. is in alpha stage.
– Front end to the bind tools
– Will be available to the community. Mail olaf@ripe.net if you want to do alpha testing
Some 'non-production' zones are signed and resigned using the tools.
– dig secret-wg.org SOA +dnssec (assuming your dig is DNSSEC aware)
Slide 13: Step 4: Becoming part of chain of trust
Contact your parent, and upload your key.
– Adapt your key management to their policies
Slide 14: Step 4: Becoming part of chain of trust @RIPE NCC
RIPE NCC participates in on-line experiments
– Signed disi.nl; for details of the experiment: http://secreg.nlnetlabs.nl/index.html
Most of our zones are below in-addr.arpa
– Signing in-addr.arpa has similar problems as signing the root.
– Also see draft-ihren-dnsop-interim-signed-root-01.txt
– Brainstorming about possible requirements and solutions in the RIR context
The before mentioned key maintenance tool is used for the maintenance of disi.nl
– Automatic resigning of the zone
– Occasional key rollover
Slide 15: Step 5: Delegating signing authority
Adapt your registry system to allow for key upload
Design procedures for the initial key exchange
– How to establish that the public key you obtained came from the child zone
– Document procedures
Slide 16: Step 5: Delegating signing authority @RIPE NCC
Requirements for signing the in-addr.arpa namespace
Technical
– Make the key exchange procedure independent of other registry procedures
– Light weight and flexible
– Allow for future incorporation into tools and policies
A start has been made writing software libraries
– Needs most work
– Prototype registry built by ISI/EAST based on that
Procedures and policies that do not put a large burden on the 'client' and that are, if possible, consistent over the 4 regions
– First brainstorm meeting with the RIRs on steps forward during IETF55
Slide 17: Step a: Configuring Client Applications
Clients need to configure 'secure entry points'
– Need to obtain keys
Applications available:
– bind9: caching forwarder and LWRES library
– Central caches running DNSSEC would secure a large customer base against DNSSEC spoofs.
Chicken and egg problem.
– Without infrastructure few applications will develop
– API will need more work
Slide 18: Step a: Configuring Client Applications @RIPE NCC
Little we can do in this arena.
Net::DNS::SEC may be used to put DNSSEC support into your perl code, e.g. for troubleshooting tools
Slide 19: Other DISI efforts w.r.t. DNSSEC
An important aspect of DISI is raising awareness
DNSSEC trainings have moved from New Projects to the training dept.
– About 10-12 trainings per year
– Constantly updated with new developments
– Goal: awareness of the technology, be ready to deploy as soon as production code servers are available
Training material such as slides and examples is available through the website and on request
Slide 20: Questions???
Slides will be available from http://www.ripe.net/disi
DNSSEC resources:
– http://www.nlnetlabs.nl/dnssec/
– http://www.dnssec.org/ (portal)
Questions: okolkman@ripe.net