
Securing the Government’s DNS Infrastructure with DNSSEC


Presentation on theme: "Securing the Government’s DNS Infrastructure with DNSSEC"— Presentation transcript:

1 Securing the Government’s DNS Infrastructure with DNSSEC
April 3, 2012. Matt Larson, Verisign.

2 The Importance of the Internet & DNSSEC
The .GOV domain space is vital to government and national security. DNS is open to attack, and millions of users rely on .GOV. DNS Security Extensions (DNSSEC) add security to the .GOV domain space. Securing .GOV domains with DNSSEC is a mandate from the OMB. DNSSEC has been “road tested”.

Implementing DNSSEC technology will provide domain name holders in the .gov space with additional security, eliminating an insidious attack vector known as “cache poisoning”. DNSSEC has been “road tested”: Verisign has been involved in many test beds, we have engaged the community on this topic, and we have implemented DNSSEC in some of the largest zones on the Internet. We are also working to make it easier for the community to adopt and to remove some of the complexities and costs associated with signing the 2nd level .gov zones.

Timeline of activities for DNSSEC in .gov:
- OMB Mandate, August 2008
- .gov registry signed, January 2009
- DNSSEC-enabled .GOV registry transitioned to Verisign in January 2011
- Verisign .com/.net TLDs signed
- A quarter of the TLDs are now signed, according to ICANN stats of Jan 20, 2012
- DNSSEC validating resolvers: Comcast has announced that they have turned on validating resolvers
- DNSSEC is a requirement in new gTLDs

3 Apply DNSSEC to 2nd level .gov names by Dec. 2009
OMB Mandate M-08-23. Mandate: apply DNSSEC to 2nd level .gov names by Dec. 2009. Approximately 60% compliance.

DNSSEC is mandated by the government. The mandate stipulates that:
1. The top level .gov zone will be signed by January 2009 (complete).
2. All Federal agencies possessing a .gov name will need to secure their systems with DNSSEC by year end 2009.
   a. The memo indicates that agency plans should be submitted to the OMB.
   b. Follow the recommendations from the NIST special publication titled “Secure Domain Name System Deployment Guide”.
   c. The target for completion was that 2nd level names should have been signed by December 2009.

A GCN article identified that while some 2nd level names have been signed, there is still more work to do, with approximately 50% of the sites not in compliance. We want to draw attention to this fact, and to the fact that the Internet community has made many advancements in DNSSEC over the past two years. The topic and technology have now had some operational experience, and we are working to reduce the complexity and costs of signing your zones.

4 Signed USG Domains Reference:

5 DNSSEC Challenges
DNSSEC is a more rigid protocol. It is more complex: management of DNSSEC key pairs, and it may require new equipment for your infrastructure. DS records: manual submission of DS records to the parent registry.

A couple of thoughts on why the uptake is slower than we would want. DNSSEC is a more rigid protocol and it is more complex than traditional DNS. It requires a way to sign and may require hardware. Expiring signatures and key rollovers require more management. Lastly, there is a new set of records to upload to the registry.
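The DS record a registrant submits to the parent registry is derived from the zone's key signing key (KSK) DNSKEY record. As an added example that is not part of the presentation, this pure-Python code implements the RFC 4034 key tag and DS digest computation; the owner name and key bytes are constructed for illustration and are not real key material.

```python
import base64
import hashlib
import struct

# Constructed sample key material (not a real key): 64 bytes, 0x01..0x40.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the number shown in the DS record)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """Build the DS record for a KSK: digest = hash(owner wire | DNSKEY RDATA)."""
    if not flags & 0x0001:
        # The SEP bit marks the key signing key; a DS for a ZSK is almost always a mistake.
        raise ValueError("DS records should be generated from the KSK (SEP flag set)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Flags 257 = ZONE + SEP (a KSK); algorithm 13 = ECDSAP256SHA256; digest type 2 = SHA-256.
    print(make_ds("example.gov.", 257, 3, 13, SAMPLE_KEY_B64))
```

Comparing the output against what the parent publishes is the check a registrant can run after a manual DS submission or a KSK rollover.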

6 Signing Service Product Overview
Product functionality: signing of domain name zones and management of the associated key rollovers that DNSSEC requires. Cloud based service: zone signing, creation of the necessary keys, ongoing key management, and notifications for expiring signatures. What problems does this solve? It reduces the complexity of signing 2nd level domain names and reduces the costs of additional equipment to sign and manage names. Incorporation of the DNSSEC Signing Service is optional; use of the service does not exclude registrants from using other mechanisms to sign zones.

Introduce the Signing Service as an additional and OPTIONAL service to .gov registrants. (If asked about cost, it is included as a part of the registry service.) Verisign has built this service for the registrar community in an effort to ease the complexity of DNSSEC and lower the costs of adoption. It is an “in the cloud” solution, where our service conducts the initial signing and ongoing resigning of the 2nd level zones. The features are: zone signing for second level zones; resigning of the zones prior to expiration; ongoing key management, handling the necessary key rollovers. Also, we alert administrators at important times, at signature expirations and key rollover periods. Our thought is to make this an optional service but make it part of the registry to ease the complexity of DNSSEC adoption.

7 DNSSEC Signing Service
Diagram elements: Registrant; Registrar Web Site (Register Domain, Enable Signing); Unsigned Zone Master (Create Unsigned Zone, Publish Unsigned Zone); Verisign DNSSEC Signing Service; Signed Zone Master (Signed Zone Update, Publish Signed Zone); Public DNS.

The Cloud Signing Service acts as a slave to the customer's unsigned zones: the unsigned master nameserver sends a NOTIFY to the DNSSEC Signing Service and we AXFR the zone. After zone signing, we notify the customer's signed-zone nameserver (which is configured as a slave to the DNSSEC Signing Service). We allow up to 2 unsigned masters and 4 signed destination nameservers. We require a TSIG key for security.

8 DNSSEC Analyzer Tool
Tool available at:
Also a mobile version:

The main intent of this slide is to identify that this is an additional Verisign tool that the community can use in a DNSSEC-enabled world. Verisign Labs has developed this useful tool to help the community understand how a name is secured throughout the chain of trust. We envision that the tool will be used by community members either to confirm at a glance that the name is signed and DNSSEC-enabled throughout the DNS hierarchy, and/or to help diagnose where the name is not secured throughout the chain and where the troubleshooting may need to begin. We foresee that this will be useful for the everyday user, the technical administrator, and also customer service personnel who are asked to help confirm or diagnose concerns with a signed name. You see that in the example here, the name is signed throughout the chain of trust: the root (.) is signed without issue, the .gov zone is also signed without issue, and the second level is also signed properly. The tool provides “at a glance” information on what is signed and its DNSSEC status, and it also provides technical hints on what to do to have the name signed all the way through the chain.

9 DNSSEC Analyzer

10 Call to Action – Sign your .GOV name
Instruct your technical staff on the urgency of DNSSEC. Become compliant with the OMB Mandate. Signing has been made easier: tools and services are easing the complexity. DNSSEC has been “road tested”: large top level domains have been signed. For more information visit Verisign’s information resource.

Matt, thanks for the technical detail. To sum up and emphasize our points: if your agency has not yet signed its zone, we encourage you to become familiar with the problem set of the security concern and the mandate, and to provide direction to your technical staff to sign the zones that they manage. Signing the names is now easier; there are products, services and tools in the IT community that make it easier. Lastly, understand that DNSSEC has operational experience: it has been “road tested” and adoption is ongoing. Verisign has significant experience in DNSSEC and is interested in helping the community adopt this security protocol. I have enclosed a URL at the bottom of this slide for your reference.

11 Questions?
