Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

Published byKelley Phelps Modified over 9 years ago

Similar presentations

Presentation on theme: "1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010."— Presentation transcript:

1 1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010

2 2 Agenda  Review DNS  How DNSSEC augments DNS  What DNSSEC doesn’t do  Why DNSSEC matters to you  DNSSEC Adoption  Getting started: Between now and July 2010  Going live: Anticipated in July 2010

3 3 DNS: A Review Illustration courtesy of Niranjan Kunwar / Nirlog.comNiranjan Kunwar / Nirlog.com

4 4 DNS Caching  DNS Servers cache data to improve performance  But…what happens if the cached data is wrong?

5 5 DNS is Fundamentally Flawed More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf

6 6 DNS Cache Poisoning Gets Easier Article explaining vulnerability: http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminskyhttp://www.wired.com/techbiz/people/magazine/16-12/ff_kaminskyPhoto by Dave Bullock / eecueDave Bullock / eecue

7 7 DNSSEC: DNS Security Extensions  Validate the origin of a DNS response  Trust that the data came from the expected source  Validate the integrity of a DNS response  Trust that the data itself is correct  Validate denial of existence  Trust a “no records to return” response

8 8 DNS with DNSSEC implemented Illustration courtesy of Niranjan Kunwar / Nirlog.comNiranjan Kunwar / Nirlog.com

9 9 DNSSEC Augments DNS  Use public key cryptography to “sign” DNS data  New DNS resource records carry signatures  DNSKEY, RRSIG, NSEC, DS  Publish signatures to parent zone  Domain to namespace, namespace to root  DNS resolvers validate signature matches Good explanation: http://ispcolumn.isoc.org/2006-08/dnssec.htmlhttp://ispcolumn.isoc.org/2006-08/dnssec.html

10 10 What DNSSEC Doesn’t Do  Encrypt data – that’s SSL  Protect your servers from denial of service attacks  Keep you from visiting phishing sites  DNSSEC protects you from forged DNS data

11 11 Why You Care: Hypothetical Case Study Photo by Bart EversonBart Everson

12 12 DNSSEC Adoption

13 13 Adoption is Critical  Can’t require validation yet – would reject most internet traffic  In the interim, will need a browser warning for non-validated lookups (like SSL “lock” today)  Validation will likely be required at some point

14 14 Adoption is Increasing Quickly Data from SecSpider: http://secspider.cs.ucla.eduhttp://secspider.cs.ucla.eduGraph courtesy of Eric Osterweil

15 15 Many Top Level Domains are Signing  Signed TLDs  bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us  arpa, gov, museum, org  Coming soon  edu anticipated in July 2010  net anticipated in late 2010  com anticipated in early 2011 TLD data courtesy of Shinkuro, Inc.Shinkuro, Inc.

16 16 Current DNSSEC Adoption in.edu  7 signed.edu domains  berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu  64 signed.edu sub-domains  Many are computer science departments or DNS research projects Data from SecSpider: http://secspider.cs.ucla.eduhttp://secspider.cs.ucla.eduSlide courtesy of Shumon Huque, University of Pennsylvania

17 17 Getting Started: Between now and July 1, 2010

18 18 If you are…  CIO or IT leader  Get DNSSEC on your staff’s radar now  Add DNSSEC to your summer maintenance schedule  Technical staff  If an ISP hosts your DNS  Ask the ISP when they will support DNSSEC  If you host your DNS  Learn about signing  Get DNSSEC-aware DNS software  Sign your zone

19 19 Learn About Signing  Study the RFCs  RFC 4033 – DNSSEC introduction and requirements RFC 4033  RFC 4034 – Resource records for DNSSEC RFC 4034  RFC 4641 – DNSSEC operational practices RFC 4641  NIST Secure DNS Deployment GuideSecure DNS Deployment Guide

20 20 Get DNSSEC-aware DNS Software  Need DNSSEC-aware software on published DNS servers and all intermediate resolvers  BIND 9.6 or greater  ZKT  OpenDNSSEC  Windows 2008 Server R2  Signing appliances  Many more… Find these packages and more at http://www.dnssec.net/softwarehttp://www.dnssec.net/software

21 21 Sign Your Zone  Generate a KSK and one or more ZSKs  http://tools.ietf.org/html/rfc4641#section-3.1 http://tools.ietf.org/html/rfc4641#section-3.1  Practice key rollovers & establish processes for managing keys  http://tools.ietf.org/html/rfc4641#section-4.2 http://tools.ietf.org/html/rfc4641#section-4.2

22 22 Going Live: July 2010 (anticipated)

23 23 Chain of Trust Can Be Established Original illustration courtesy of Niranjan Kunwar / Nirlog.comNiranjan Kunwar / Nirlog.com

24 24 Publish Your Signatures to.edu Zone  Enter DS record data into the.edu Domain Administration website.edu Domain Administration website: http://www.educause.edu/edudomainhttp://www.educause.edu/edudomain

25 25 Many Resources Available to Help You  RFCs  http://tools.ietf.org/rfc/index http://tools.ietf.org/rfc/index  DNSSEC.NET website  http://www.dnssec.net/ http://www.dnssec.net/  Your.edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv  http://listserv.educause.edu/archives/dnssec.html http://listserv.educause.edu/archives/dnssec.html

26 26 Questions?

Download ppt "1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley

High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of.

Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Similar presentations

Ads by Google