DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE, Version 0.2. Sparta, Inc., 7075 Samuel Morse Dr., Columbia MD 21046. Ph: 410.872.1515

Presentation transcript:


Key Generation

  2. Zone Signing Key (ZSK) Generation -> ZSK (public) and ZSK (private)
  3. Key Signing Key (KSK) Generation -> KSK (public) and KSK (private)
  Store safely and at different locations.

Zone Signing with absent or "unsecured" child delegations (step 4)

  Inputs: Unsigned Zone File; ZSK and KSK (public and private) from steps 2 and 3.
  - Check Zone for errors -> Checked Zone File (with keys); include the public keys in the zone file.
  - Zone Signing operation (command line arguments to dnssec-signzone).
  Outputs: Signed Zone File, Keyset File, DSset File.

Zone Signing with secured child delegations (step 5)

  Inputs: Unsigned Zone File; ZSK and KSK (public and private) from steps 2 and 3; Keyset File (from child), obtained from the Child Zone by secure exchange of the keyset file.
  - Check Zone for errors -> Checked Zone File (with keys); include the public keys in the zone file.
  - Zone Signing operation (the child keyset's value or location is given as command line arguments to dnssec-signzone).
  Outputs: Signed Zone File (with child's DS), Keyset File, DSset File.

Securing Delegations - Child zone activity (step 7)

  - Zone Signing operation (step 4.5 or 5.5) -> Keyset File and DSset.
  - 7.2 Secure Exchange of the keyset file with the Parent Zone.
  - Parent creates the delegation (Securing Delegations - Parent zone activity, step 8).
  - 7.3 Wait for the correct DS to appear (query the parent's named process).

Securing Delegations - Parent zone activity (step 8)

  - 8.1 Inputs: Unsigned Parent Zone File (containing delegation to child); public keys at parent (ZSK and KSK); Keyset File (from child), received from the Child Zone by secure exchange of the keyset file.
  - 8.4 Zone Signing Operation -> Signed Zone File (with child's DS), Keyset File, DSset File.
  - 8.5 Reload the parent zone (named process).
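In steps 7 and 8 the child hands its keyset to the parent, the parent signs its zone with the child's DS, and the child then polls the parent's named process until the correct DS appears. The check below is an added example and not part of the Sparta guide: it derives, in pure Python with only the standard library, the DS a parent should publish for a given DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 over the canonical owner name followed by the DNSKEY RDATA) and compares it with a DS record observed at the parent, so "the correct DS" becomes a mechanical test rather than an eyeball comparison. The zone name example.test and the four-byte "public key" are constructed for illustration; a real KSK fetched with dig would be far longer.

```python
import base64
import hashlib
import struct

# Digest types from the DS record registry (1 SHA-1, 2 SHA-256, 4 SHA-384).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample DNSKEY for the child zone (KSK: flags 257, algorithm 13).
# The key material is a placeholder, not a real ECDSA public key.
SAMPLE_DNSKEY = "example.test. 3600 IN DNSKEY 257 3 13 AQIDBA=="


def canonical_name(owner):
    """Owner name in canonical wire form (RFC 4034 6.2): lower-case, length-prefixed labels."""
    owner = owner.rstrip(".").lower()
    wire = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                    for label in owner.split(".") if label)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), upper-case hex."""
    return DS_DIGESTS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()


def parse_dnskey(line):
    """Presentation-format DNSKEY RR -> (owner, flags, protocol, algorithm, pubkey bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    return (f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
            base64.b64decode("".join(f[i + 4:])))


def parse_ds(line):
    """Presentation-format DS RR -> (owner, key tag, algorithm, digest type, digest hex)."""
    f = line.split()
    i = f.index("DS")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def ds_for_dnskey(dnskey_line, digest_type=2):
    """The DS RR (presentation format) a parent should publish for this child DNSKEY."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches_dnskey(ds_line, dnskey_line):
    """True only when the DS seen at the parent is exactly the DS for this DNSKEY."""
    d_owner, d_tag, d_alg, d_type, d_digest = parse_ds(ds_line)
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_line)
    if d_owner.rstrip(".").lower() != owner.rstrip(".").lower():
        return False
    if flags & 0x0100 == 0:  # zone key bit must be set for a key that can be a KSK
        return False
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return (d_tag == key_tag(rdata) and d_alg == alg and d_type in DS_DIGESTS
            and d_digest == ds_digest(owner, rdata, d_type))


if __name__ == "__main__":
    expected = ds_for_dnskey(SAMPLE_DNSKEY)
    print("DS the parent should publish:", expected)
    # In practice `expected` is compared with the DS returned by querying the parent's
    # named process (dig DS <child zone> @<parent server>) during step 7.3.
    print("matches child KSK:", ds_matches_dnskey(expected, SAMPLE_DNSKEY))
```

During step 7.3 the DS string returned by querying the parent's name server is passed as `ds_line`; any mismatch in owner, key tag, algorithm, digest type or digest means the delegation is not yet correct and the child must keep waiting (or go back to step 7.2).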

ZSK Rollover - Pre-publish scheme (step 9)

  Start: Signed zone, DS set, Keyset; public keys: old ZSK and KSK; private keys: old ZSK and KSK.
  - 9.2 Zone Signing Key (ZSK) Generation -> new ZSK (public, private).
  - 9.4 Zone Signing Operation on the Unsigned Zone File.
  - 9.5 Reload the zone.
  - 9.6 Wait one max zone TTL.
  - 9.7 Zone Signing Operation.
  - 9.8 Reload the zone.
  - 9.9 Wait one max zone TTL.
  - 9.11 Zone Signing Operation.
  - 9.12 Reload the zone.
  End: Signed zone, DS set, Keyset.

KSK Rollover - Double Signature Scheme (step 10)

  Start: Signed zone, DS set, Keyset; public keys: ZSK and old KSK; private keys: ZSK and old KSK.
  - 10.2 Key Signing Key (KSK) Generation -> new KSK (public, private).
  - 10.4 Zone Signing Operation on the Unsigned Zone File (old KSK private key still in use).
  - 10.5 Reload the zone.
  - 10.6 Wait one max zone TTL.
  - Secure delegation - parent zone activity: Secure Exchange of the keyset file with the Parent Zone; wait for the correct DS to appear (parent's named process).
  - 10.8 Zone Signing Operation; of the old public keys (ZSK and old KSK) only include the ZSK.
  - 10.9 Reload the zone.
  End: Signed zone, DS set, Keyset.

Emergency ZSK Rollover (step 11)

  Start: Signed zone, DS set, Keyset; KSK public key and KSK (private); Unsigned Zone File.
  - 11.1 Zone Signing Key (ZSK) Generation -> new ZSK (public, private).
  - 11.3 Zone Signing Operation.
  - 11.4 Reload the zone.
  End: Signed zone, DS set, Keyset.

Emergency KSK Rollover (step 12)

  Start: Signed zone, DS set, Keyset; ZSK public key and ZSK (private); Unsigned Zone File.
  - 12.1 Key Signing Key (KSK) Generation -> new KSK (public, private).
  - 12.3 Zone Signing Operation -> Signed zone, DS set, Keyset.
  - 12.4 Secure Exchange of the keyset file with the Parent Zone (Secure delegation - parent zone activity, step 8).
  - 7.3 Wait for the correct DS to appear (parent's named process).
  - 12.7 Reload the zone.
  End.
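Steps 9.6, 9.9 and 10.6 each wait one max zone TTL, and the emergency rollovers in steps 11 and 12 skip those waits. The guide's diagrams do not state which key signs at each step, so the model below, an added example that is not part of the Sparta guide, assumes the usual reading: in the pre-publish scheme the new ZSK is published at 9.4, starts signing at 9.7 and the old ZSK is removed at 9.11; in the double-signature scheme both KSKs sign the DNSKEY RRset from 10.4, the parent switches the DS after 10.6, and the old KSK is removed at 10.8. The model brute-forces every pair of cache contents a validating resolver could hold within the TTLs (the accepted key set and the signed RRset are cached independently) and reports the first time at which validation would fail. Under these assumptions the two scheduled rollovers never fail, while the emergency ZSK rollover, and a double-signature rollover that skips the 10.6 wait, fail at the moment of the swap for resolvers holding stale data. Time units, TTL values and key names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    """What the zone (or its parent) publishes from time `at` onwards.

    accepted: the keys a validator will accept for an RRset: the DNSKEY RRset
              for zone data, or the parent's DS set for the child's DNSKEY RRset.
    signers:  the keys whose signatures are actually published over that RRset.
    """
    at: int
    accepted: frozenset
    signers: frozenset


def phase_at(schedule, t):
    """The phase in force at time t; `schedule` is sorted by `at` and starts at 0."""
    current = schedule[0]
    for phase in schedule:
        if phase.at <= t:
            current = phase
    return current


def first_failure(schedule, accepted_ttl, signer_ttl, horizon):
    """First time at which some legal resolver cache cannot validate, else None.

    A resolver may hold an `accepted` set fetched at any time in [t - accepted_ttl, t]
    and a signed RRset fetched independently at any time in [t - signer_ttl, t].
    Validation needs at least one cached signature made by a cached accepted key.
    """
    for t in range(horizon + 1):
        for tk in range(max(0, t - accepted_ttl), t + 1):
            accepted = phase_at(schedule, tk).accepted
            for td in range(max(0, t - signer_ttl), t + 1):
                if not (phase_at(schedule, td).signers & accepted):
                    return t
    return None


def prepublish_zsk(ttl, start=1):
    """Steps 9.2-9.12 under the assumed mapping: publish new ZSK, wait one max TTL,
    sign with it, wait one max TTL, remove the old ZSK."""
    old, new = frozenset({"ksk", "zsk-old"}), frozenset({"ksk", "zsk-new"})
    both = old | new
    return [
        Phase(0, old, frozenset({"zsk-old"})),
        Phase(start, both, frozenset({"zsk-old"})),           # 9.2-9.5
        Phase(start + ttl, both, frozenset({"zsk-new"})),     # 9.6-9.8
        Phase(start + 2 * ttl, new, frozenset({"zsk-new"})),  # 9.9-9.12
    ]


def emergency_zsk(start=1):
    """Steps 11.1-11.4: generate, sign with the new ZSK and reload, with no waiting."""
    return [
        Phase(0, frozenset({"ksk", "zsk-old"}), frozenset({"zsk-old"})),
        Phase(start, frozenset({"ksk", "zsk-new"}), frozenset({"zsk-new"})),
    ]


def double_signature_ksk(zone_ttl, ds_ttl, start=1, wait=None):
    """Steps 10.2-10.9 seen from the DS side: `accepted` is the parent's DS set,
    `signers` the KSKs signing the DNSKEY RRset. `wait` models step 10.6
    (default: one max zone TTL); the old KSK is dropped one DS TTL after the DS switch."""
    wait = zone_ttl if wait is None else wait
    old, new = frozenset({"ksk-old"}), frozenset({"ksk-new"})
    both = old | new
    ds_switch = start + wait
    return [
        Phase(0, old, old),
        Phase(start, old, both),              # 10.2-10.5: DNSKEY RRset signed by both KSKs
        Phase(ds_switch, new, both),          # parent publishes the new DS (step 8 activity)
        Phase(ds_switch + ds_ttl, new, new),  # 10.8-10.9: old KSK removed
    ]


if __name__ == "__main__":
    ttl = 4  # constructed max zone TTL, in abstract time units
    print("pre-publish ZSK (9.x):   ", first_failure(prepublish_zsk(ttl), ttl, ttl, 20))
    print("emergency ZSK (11.x):    ", first_failure(emergency_zsk(), ttl, ttl, 20))
    print("double-signature KSK:    ", first_failure(double_signature_ksk(ttl, 6), 6, ttl, 30))
    print("KSK without 10.6 wait:   ", first_failure(double_signature_ksk(ttl, 6, wait=0), 6, ttl, 30))
```

A returned time rather than None marks the first moment at which some resolver, holding cached records that are still within their TTL, has no usable signature; for the emergency ZSK rollover that window is the price of skipping step 9.6 and 9.9, and lasts until the old RRsets have expired from every cache.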