
1 OpenDNSSEC Deployment Tianyi Xing

2 Roadmap
By mid-term
– Establish a DNSSEC server within the mobicloud system (hopefully done by next week): successfully installed, now at the configuration stage
– Configure the network to make sure the DNSSEC server serves the right purpose in the mobicloud system (within 3 days)
By final
– Perfect its function: dynamically cooperate with the user ID and IP address; dynamically update the IP (ID) and domain pair
– Documentation

3 OpenDNSSEC Working Flow
OpenDNSSEC is a complete DNSSEC solution. It completely automates the process of keeping track of keys and the signing of zones.

4 Components (contd.)
HSM – the key storage component (usually in hardware)
– Performs cryptographic operations
– Private keys never appear outside the HSM
– It can perform 1-14,000 signatures per second
SoftHSM
– SoftHSM is an implementation of a cryptographic store accessible through a PKCS#11 interface.
– Uses Botan for its cryptographic operations and SQLite to store its key material.

5 Components (contd.)
KASP
– Decides when zones are re-signed
– Decides when keys are rolled
– Decides which keys are used
Signer Engine
– Sorts RRsets
– Signs RRsets
– Keeps the RRSIGs up to date

6 Components
Enforcer
– Deals with key rollover and key generation
– conf.xml
Signer
– Constructs the signature records to include in the zone file
– conf.xml

7 Components
Auditor
– Checks a signed zone against the policy and the unsigned zone
– conf.xml

8 OpenDNSSEC installation
Hardware
– Dell server
Software
– XenServer
– Ubuntu 10.10

9 Compile OpenDNSSEC
Dependencies
– libxml2-dev
– libldns-dev (the version must be later than 1.6.7; install ldns 1.6.8, which needs OpenSSL 1.0)
– sqlite3
– libsqlite3-dev
– rubygems
– dnsruby

10 Configuration
conf.xml – overall configuration of the system
kasp.xml – defines the signing policy
zonelist.xml – lists all the zones that you are going to sign
zonefetch.xml (optional) – zone transfers

11 Conf.xml
/etc/opendnssec/conf.xml
Overall configuration of OpenDNSSEC
– Logging facilities (syslog only so far)
– System paths
– Key repositories
– Privileges
– Database (where all key and zone information is stored)

12 Kasp.xml
/etc/opendnssec/kasp.xml
Information included
– security parameters used for signing zones
– timing parameters used for signing zones

13 Zonelist.xml
/etc/opendnssec/zonelist.xml
The zonelist.xml file is used when first setting up the system, but also by ods-signerd when signing zones
Information
– the zone's DNS name
– the policy from kasp.xml used to sign the zone
– how to obtain the zone
– how to publish the zone

14 Zonefetch.xml
Configuration for signing zones received via zone transfer (AXFR).
Information included
– where to fetch zone data from
– protection mechanisms to be used

15 SoftHSM installation
Dependency
– Botan 1.8.5 or a later version
– Don't use yum, apt-get or any automatic online installation.
– Download Botan from http://botan.randombit.net/download.html and install it

16 SoftHSM configuration
Add the tokens to the slots: /etc/softhsm.conf
– The token databases do not exist at this stage. The given paths are just an indication to SoftHSM of where it should store the information for each token. Each token is now treated as uninitialized.
Initialize your tokens
– with the softhsm tool or the PKCS#11 interface
Link to this library and use the PKCS#11 interface
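The four configuration files (slides 10 to 14) and the SoftHSM token setup (slide 16) are tied together by names: each zone in zonelist.xml points at a policy in kasp.xml, each policy's KSK and ZSK point at a repository in conf.xml, and that repository's token label and PIN must match what the SoftHSM token was initialized with. The Python script below is an added example, not code from the presentation or from the OpenDNSSEC project, that checks those links before running ods-control start. All four inputs are constructed inline as sample data (the element names follow the OpenDNSSEC 1.x layout, the policy names, zone names, paths and PIN are made up), and the SHA-1 algorithm check and the Resign < Refresh < Validity ordering check are this example's own sanity rules, not those of the project's ods-kaspcheck tool.

```python
# Added example, not from the presentation: a pre-flight consistency check across the
# OpenDNSSEC 1.x files conf.xml, kasp.xml and zonelist.xml plus SoftHSM v1's softhsm.conf.
# All inputs are constructed inline (sample names, paths and PIN) so the script runs offline.
import re
import xml.etree.ElementTree as ET

CONF_XML = """<Configuration><RepositoryList>
  <Repository name="SoftHSM"><Module>/usr/lib/libsofthsm.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel><PIN>1234</PIN></Repository>
</RepositoryList></Configuration>"""

KASP_XML = """<KASP>
  <Policy name="default">
    <Signatures><Resign>PT2H</Resign><Refresh>P3D</Refresh><Validity><Default>P14D</Default></Validity></Signatures>
    <Keys><KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime><Repository>SoftHSM</Repository></KSK>
          <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P30D</Lifetime><Repository>SoftHSM</Repository></ZSK></Keys>
  </Policy>
  <Policy name="legacy">
    <Signatures><Resign>PT2H</Resign><Refresh>P14D</Refresh><Validity><Default>P7D</Default></Validity></Signatures>
    <Keys><KSK><Algorithm length="2048">5</Algorithm><Lifetime>P1Y</Lifetime><Repository>SoftHSM</Repository></KSK>
          <ZSK><Algorithm length="1024">5</Algorithm><Lifetime>P30D</Lifetime><Repository>HardwareHSM</Repository></ZSK></Keys>
  </Policy>
</KASP>"""

ZONELIST_XML = """<ZoneList>
  <Zone name="mobicloud.example"><Policy>default</Policy></Zone>
  <Zone name="lab.example"><Policy>legacy</Policy></Zone>
  <Zone name="orphan.example"><Policy>nonexistent</Policy></Zone>
</ZoneList>"""

SOFTHSM_CONF = "# SoftHSM v1 format: slot:path-to-token-database\n0:/var/lib/softhsm/slot0.db\n"

WEAK_ALGORITHMS = {5, 7}  # DNSSEC algorithm numbers RSASHA1 and RSASHA1-NSEC3-SHA1
DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(value):
    """ISO 8601 duration (kasp.xml style) to seconds; years/months approximated as 365/30 days."""
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 3600 + mi * 60 + s


def repositories(conf_xml):
    """Repository name -> (module path, token label, PIN) as declared in conf.xml."""
    return {r.get("name"): (r.findtext("Module"), r.findtext("TokenLabel"), r.findtext("PIN"))
            for r in ET.fromstring(conf_xml).findall("RepositoryList/Repository")}


def check_policies(kasp_xml, repo_names):
    """Findings per policy: signature timing order, SHA-1 algorithms, unknown repositories."""
    findings = []
    for policy in ET.fromstring(kasp_xml).findall("Policy"):
        name, sig = policy.get("name"), policy.find("Signatures")
        resign = duration_seconds(sig.findtext("Resign"))
        refresh = duration_seconds(sig.findtext("Refresh"))
        validity = duration_seconds(sig.findtext("Validity/Default"))
        # The signer must run (Resign) more often than signatures are refreshed, and refresh
        # them before they expire (Validity); otherwise resolvers see expired RRSIGs.
        if not resign < refresh < validity:
            findings.append("%s: expected Resign < Refresh < Validity, got %ds/%ds/%ds"
                            % (name, resign, refresh, validity))
        for role in ("KSK", "ZSK"):
            key = policy.find("Keys/" + role)
            if int(key.findtext("Algorithm")) in WEAK_ALGORITHMS:
                findings.append("%s/%s: SHA-1 based algorithm %s" % (name, role, key.findtext("Algorithm")))
            if key.findtext("Repository") not in repo_names:
                findings.append("%s/%s: repository %r not in conf.xml" % (name, role, key.findtext("Repository")))
    return findings


def check_zones(zonelist_xml, policy_names):
    """Every zone must reference a policy that kasp.xml actually defines."""
    return ["%s: policy %r not in kasp.xml" % (z.get("name"), z.findtext("Policy"))
            for z in ET.fromstring(zonelist_xml).findall("Zone") if z.findtext("Policy") not in policy_names]


def softhsm_slots(conf_text):
    """Parse softhsm.conf 'slot:path' lines (comments and blank lines skipped)."""
    slots = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            slot, path = line.split(":", 1)
            slots[int(slot)] = path
    return slots


def init_token_command(conf_xml, repo_name, slot):
    """softhsm(1) call that initializes a slot's token with the label and user PIN the
    conf.xml repository expects; the SO PIN is left as a placeholder to fill in."""
    _module, label, pin = repositories(conf_xml)[repo_name]
    return 'softhsm --init-token --slot %d --label "%s" --pin %s --so-pin <SO-PIN>' % (slot, label, pin)


def run_checks(conf_xml=CONF_XML, kasp_xml=KASP_XML, zonelist_xml=ZONELIST_XML):
    repo_names = set(repositories(conf_xml))
    policy_names = {p.get("name") for p in ET.fromstring(kasp_xml).findall("Policy")}
    return check_policies(kasp_xml, repo_names) + check_zones(zonelist_xml, policy_names)


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
    for slot in sorted(softhsm_slots(SOFTHSM_CONF)):
        print(init_token_command(CONF_XML, "SoftHSM", slot))
```

With the sample data the "default" policy passes cleanly, while "legacy" is reported four times (refresh interval longer than signature validity, SHA-1 on both keys, and a ZSK repository that conf.xml never declares) and the orphan zone once; the last loop prints the token initialization command whose label and PIN match the conf.xml repository, which is the binding that has to be right before the enforcer can open the token.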

17 Error during start
ods-ksmutil setup
ods-control start
– enforcer start fails
– signer start fails

18 Next step work
Make the signer and enforcer run successfully.
Cooperate with the DHCP server to automatically add the zone and sign it with a specific policy and key.

