Presentation is loading. Please wait.

Presentation is loading. Please wait.

Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.

Published byAshlyn Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins."— Presentation transcript:

1 Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins - mje@posix.co.za

2 The Compulsory The Certain  Time NTP The Uncertain  Entropy havenged

3 Zone Distribution TSIG  Signing the path between Master and Slave Using a shared secret means there is confidence on the receiving side that the data came from the sender and was not altered in transit Pass-phrases need to be renewed - once a year Out of Band Key Management

4 Which DNSSEC Protocol? NSEC - Original method  Everything is signed  Light Weight  No privacy Walk the Zone NSEC3 - Designed for ccTLD's  Can not Walk the Zone  Opt-Out – only core secure delegations signed Reduces the increase in signed zone size  NSEC3 Options Opt-out Seeding Hash cycles

5 Keys – and management Asymmetrical keys – One part Secret, One part Public KSK - Key Signing keys  Used to sign ZSK's  Longish live cycle – default is one year  Potentially difficult to roll  Generate with RSASHAR256 with 2048 bits  Hash present in Parent (DS Record) ZSK - Zone Signing keys  Used to sign the data in a zone  Shortish life cycle - default is one month  Simple to Roll  Generate with RSASHAR256 with 1024 bits

6 Keys – and management Hardware Security Module - HSM  Multiple, redundant, tamper proof devices "Soft" HSM (incorporating with BIND is difficult) On the File system  Stripped down server  Limited access (no direct Internet access)

7 Managing the Children Need to Populate parent with DS Records  Out of Band Paper Secure Web Site Via EPP extension Via “in-band” methods What do you record? KSK/DS Emergency “Roll-over”

8 Using DNSSEC Making a Resolver “DNSSEC” aware  RFC5011  Howto: http://dnssec.co.za & http://dnssec.nahttp://dnssec.co.zahttp://dnssec.na Scripts available at: http://posixafrica.comhttp://posixafrica.com “DNSSEC Validator” and get the Green-Key

9 Ready to run DNSSEC Need: NTP Havenged Use TSIG For Zone distribution NSEC3 ? NSEC Opt In/Out Seed Hash Signing Done KSK 1 year ZSK 1 month

Download ppt "Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins."

Similar presentations

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA

ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA
DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai

DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.

Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
Tony Kombol ITIS 3110. www.teacherstalk.com Who knows this? Who controls this? DNS!

Tony Kombol ITIS Who knows this? Who controls this? DNS!
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr.

1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Similar presentations

Ads by Google