Presentation on theme: "Securing the Government’s DNS Infrastructure with DNSSEC"— Presentation transcript:
1 Securing the Government’s DNS Infrastructure with DNSSEC April 3, 2012 Matt Larson – Verisign1
2 The Importance of the Internet & DNSSEC .GOV Domain SpaceVital to Government & National SecurityDNS open to attackMillions of users rely on .GOVDNS Security ExtensionsAdditional Security to the .GOV domain spaceSecuring .GOV domains with DNSSEC is a mandate from the OMBDNSSEC has been “Road Tested”Implementing DNSSEC technology will provide domain name holders in the .gov space with additional security, eliminating an insidious attack vector known as “cache poisoning”.DNSSEC has been “road tested”. Verisign has been involved in many test beds, we have engaged the community on this topic, and we have implemented DNSSEC in some of the largest zones on the Internet. We are also working to make it easier for the community to adopt and working to remove some of the complexities and costs associated with signing the 2nd level .gov zones.3. Timeline of activities for DNSSEC in .govOMB Mandate – August 2008Signed .gov registry - January 2009DNSSEC enabled .GOV registry transitioned to Verisign in January 2011Verisign com/net TLDs signed¼ of the TLDs are now signed – according to ICANN statsJan 20, 2012 reference:DNSSEC validating resolvers – comcast has announced that they have turned on validating resolversDNSSEC is a requirement in new gTLDs
3 Apply DNSSEC to 2nd level .gov names by Dec. 2009 OMB Mandate – M0823Mandate:Apply DNSSEC to 2nd level .gov names by Dec. 2009Approximately 60% complianceDNSSEC is mandated by the government. The mandates stipulates that:1. The top level .gov zone will be signed by January of 2009… - CompleteAll Federal agencies possessing a .gov name will need to secure their systems with DNSSEC by the year end 2009.a. Memo indicates that agency plans should be submitted to the OMBb. Follow recommendations from NIST special publication , titled “Secure Domain Name System Deployment Guide”.c. the target for completion was that 2nd level names should have been signed by December 2009.GCN article identified while that some 2nd level names have been signed, there is still more work to do with approximately 50% of the sites are not in compliance.We want to draw attention to this fact and that the Internet community has had many advancements in DNSSEC over the past two years. The topic and technology have now had some operational experience and we are working to reduce the complexity and costs of signing your zones.
5 DNSSEC Challenges DNSSEC is a more rigid protocol DS Records More complexManagement of DNSSEC key pairsMay require new equipment for your infrastructureDS RecordsManual submission of DS records to parent registryA couple of thoughts on why the uptake is slower than we would wantDNSSEC is a more rigid protocol and it is more complex than traditional DNSRequires a way to sign / may require hardwareexpiring signatures and key rollovers – it requires more managementLastly there are a new set of records to upload to the registry
6 Signing Service Product Overview Product FunctionalitySigning of domain name zones & management of associated key rollovers that DNSSEC requiresCloud based serviceZone signingCreates the necessary keys / Ongoing key managementNotifications for expiring signaturesWhat problems does this solve?Reduces complexity for signing 2nd level domain namesReduces the costs for additional equipment to sign and manage namesIncorporation of the DNSSEC Signing Service is optionalUse of the service does not exclude registrants from using other mechanisms to sign zonesIntroduce the Signing service as an additional and OPTIONAL service to .gov registrants. (If asked about cost, it is included as a part of the registry service)Verisign has built this service for the registrar community in an effort to ease the complexity of DNSSEC and lower the costs to adoptionIt’s an “in the cloud” solution, where our service conducts the initial signing and ongoing resigning of the 2nd level zonesThe features are:* zone signing for second level zones* resigning of the zones prior to expiration* ongoing key management, handling the necessary key rollovers.Also, we alert administrators at important times at signature expirations and key rollover periodsOur thought is to make this an optional service but make it part of the registry to ease the complexity for DNSSEC adoption.
7 DNSSEC Signing Service RegistrantPublic DNSRegister Domain DNSSECPublish Unsigned ZoneRegistrar Web SiteUnsigned Zone MasterSigned Zone MasterPublish Signed ZoneCreate Unsigned ZoneSigned Zone UpdateCloud Signing Service acts as slave to customer Unsigned zones. (unsigned master Nameserver sends notify to DNSSEC Signing service and we AXFR the zone.)After zonesigning we notify customers unsigned zone NameServer (which is configured as Slave to DNSSEC signingService).We allow upto 2 unsigned Masters and 4 signed destination NameserversWe require TSIG key for security.Enable SigningVerisign DNSSEC Signing Service7
8 DNSSEC Analyzer Tool Tool Available at: Also a Mobile version:Main intent of this slide is to identify that this is an additional Verisign tool that the community can use in a DNSSEC enabled world.Verisign Labs has developed this useful tool to help the community understand how a name is secured throughout the chain of trust.We envision that the tool will be used by community members either to:Confirm at a glance that the name is signed and DNSSEC enabled throughout the DNS hierarchyAnd orhelp diagnose where the name is not secured throughout the chain and where the troubleshooting may need to begin.We forsee that this will be useful for the everyday user, technical administrator and also customer service personnel who are asked to help confirm or diagnose concerns with a signed name.You see that in the example here, OMB.gov is signed throughout the chain of trust.You can see that the (.) or the root is signed without issue;The .gov zone is also signed without issue,The second level omb.gov is also signed properlyThe tool provides“at a glance” information of what is signed and its DNSSEC statusand it also provides technical hints on what to do to have the name signed all the way through the chain
10 Call to Action – Sign your .GOV name Instruct your technical staff on the urgency of DNSSECBecome compliant with the OMB MandateSigning has been made easierTools and services are easing the complexityDNSSEC has been “Road Tested”Large top level domains have been signedFor more information visit Verisign’s information resourceMatt - Thanks for the technical detail.To sum up and emphasize our points. If your agency has not yet signed its zone, we encourage you toBecome familiar with the problem set of the security concern and the mandate.provide direction to your technical staff to sign the zones that they manage.Signing the names is now easier. There are products, services and tools in the IT community that make it easier.Lastly, understand that DNSSEC has operational experience. It has been “road tested” and adoption is ongoing.. Verisign has significant experience in DNSSEC and is interested in helping the community adopt this security protocol. … I have enclosed a url on the bottom of this slide for your reference.