Presentation is loading. Please wait.

Presentation is loading. Please wait.

Olaf M. Kolkman. IETF58, Minneapolis, November 2003. DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

Published byPhyllis Cobb Modified over 9 years ago

Similar presentations

Presentation on theme: "Olaf M. Kolkman. IETF58, Minneapolis, November 2003. DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt."— Presentation transcript:

1 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt Olaf M. Kolkman (RIPE NCC) & Miek Gieben (NLnet Labs)

2 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi What ‘s this about Capturing first operational experience with DNSSEC Mainly workshops and experiments Identifying operational differences with “plain” DNS. Giving some basic recommendations; To be published as ‘Informational’

3 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi Content Document is about –TIME –DNSKEY –Parental Policies How do RR sets propagate through the system. New: Behavior depended on two RR sets propagating through the system.

4 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi TIME issues Time: DNSSEC introduces absolute times. Main problem: cached data expires at RRSIG expiry –The ‘Maximum zone TT’L of your zone data should be a fraction of SIG validity period –Push out new signatures at least 1 times TTL before RRSIGs expire. Problem related to authoritative servers: –SOA expiration doesn’t know about DNSSEC.

5 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi DNSKEY issues Key size recommendations. –Based on a “Journal of Cryptology’ publication by Lenstra and Verheul. Key Rollover Scenarios –Caches may have DNSKEYs and RRSIGs from different versions of a zone.

6 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi Key rollover scenarios About making sure that there is always a DNSKEY in the cache to verify the RRSIG that came directly from an authoritative server ZSK rollovers –Double signatures rollover (large zone files) –Pre-published key rollover (more steps hence more administration, cryptanalysis)

7 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi Key rollover scenarios (cntnd) KSK rollovers –Double signature rollover. Only one DS RR at the parent at all times. Loose coupling, most actions are done by the child. –Needs to wait for the parent to publish the new DS RR. –Different from Mike St Johns proposal Needs two DS RRs at the parent and multiple interactions Is automated (will need to be described in this doc too)

8 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi Other Issues covered Planning for emergency rollovers Some parental policy considerations –DNSKEY exchange and storage –Preventing “security lameness” –DS validity

9 Olaf M. Kolkman. IETF58, Minneapolis, November 2003. http://www.ripe.net/disi WG input. Yes please, the document is yours now. Test the described procedures Editorial nits to Kolkman or Gieben, content discussion on the list.

Download ppt "Olaf M. Kolkman. IETF58, Minneapolis, November 2003. DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March 7 2002.

Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.

Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley

High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley
February 2003slideset 1 Writing Zone Files Olaf M. Kolkman

February 2003slideset 1 Writing Zone Files Olaf M. Kolkman
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
Phil Regnauld Hervey Allen June 2009 Papeete, Tahiti DNSSEC overview.

Phil Regnauld Hervey Allen June 2009 Papeete, Tahiti DNSSEC overview.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Similar presentations

Ads by Google