Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai

Published byBriana Dollard Modified over 9 years ago

Similar presentations

Presentation on theme: "DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai"— Presentation transcript:

1 DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai richard.lamb@icann.org

2 Demo Implementation Key lengths – KSK:2048 RSA ZSK:1024 RSA Rollover – KSK:as needed ZSK:90 days RSASHA256 NSEC3 Physical – HSM/smartcards inside Safe inside Rack inside Cage inside Commercial Data Center Logical – Separation of roles: cage access, safe combination, HSM/smartcard activation across three roles Crypto – use FIPS certified smartcards as HSM and RNG – Generate KSK and ZSK offline using RNG – KSK use off-line – ZSK use off-net

3 Off-Line Key generator and KSK Signer KSK+RNG smartcards KSK+RNG readerlaptop Live O/S DVD KSK signed DNSKEYs Encrypted ZSKs Flash Drive SAFE RACK CAGE DATA CENTER

4 Off-Net Signer KSK signed DNSKEYs Encrypted ZSKs Flash Drive RACK CAGE DATA CENTER signerfirewall zonefile hidden master nameserver

5 Key Management Offline Laptop Online/off-net DNSSEC Signer and Encrypted ZSKs Sign ZSKs with KSK Transport KSK signed DNSKEY RRsets Sign zones with ZSK signed zone unsigned zone Secure Key Generation and Signing Environment Generate KSK KSK Generate ZSKs

6 Key Management Offline Laptop Online/off-net DNSSEC Signer Generate ZSKs Transport public half of ZSKs Generate KSK Sign ZSKs with KSK Transport KSK signed DNSKEY RRsets Sign zones with ZSK signed zone unsigned zone ZSKs KSK Secure Key Generation and Signing Environment

Download ppt "DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai"

Similar presentations

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA

ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA
DNSSEC Sample Implementation Module 1 DNSSEC ASIA SUMMIT 2012 29-31 August 2012, Hong Kong

DNSSEC Sample Implementation Module 1 DNSSEC ASIA SUMMIT August 2012, Hong Kong
DNSSEC Sample Implementation Module 1 LACNIC 18 28 October 2012, Montevideo

DNSSEC Sample Implementation Module 1 LACNIC October 2012, Montevideo
Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.

Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley

High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley
DNSSEC Deployment: Where We Are (and where we need to be) MENOG 10, Dubai 30 April 2012

DNSSEC Deployment: Where We Are (and where we need to be) MENOG 10, Dubai 30 April 2012
DNSSEC: Where We Are (and how we get to where we want to be) APNIC 34, Phnom Penh, Cambodia August 2012

DNSSEC: Where We Are (and how we get to where we want to be) APNIC 34, Phnom Penh, Cambodia August 2012
Anne-Marie Eklund Löwinder Chief Information Security Officer Twitter: amelsec Thank’s to Fredrik Ljunggren, Kirei & Mehmet.

Anne-Marie Eklund Löwinder Chief Information Security Officer Twitter: amelsec Thank’s to Fredrik Ljunggren, Kirei & Mehmet.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Phil Regnauld Hervey Allen June 2009 Papeete, Tahiti DNSSEC overview.

Phil Regnauld Hervey Allen June 2009 Papeete, Tahiti DNSSEC overview.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
Identity Management and DNS Services Tianyi XING.

Identity Management and DNS Services Tianyi XING.

Similar presentations

Ads by Google