APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC.

Slides:

Advertisements

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Advertisements

The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.

Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March

Early Registration Transfer (ERX) Update George Michaelson DNS SIG APNIC17/APRICOT 2004 Feb KL, Malaysia.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Akamai DNS Offerings RSA © Conference ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.

Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Update APNIC 31, Hong Kong February Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.

The new APNIC DNS generation system. Previous System Direct access to backend whois.db files – Constructed radix tree in memory from domain objects –

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

Services Area Report Sanjaya Services Area Director.

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

APNIC Update IPv4 Exhaustion Reached “Final /8” on 15 April /8 New allocation policy activated Up to /22 per member From 15 April.

Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.

Technical Area Report Bryon Ellacott, Technical Area Manager APNIC 28.

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

Norman SecureSurf Protect your users when surfing the Internet.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

IANA Activities Update RIPE 68 Warsaw, Poland May 2014.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Network Abuse Handling in CNNIC and JPNIC Terence Zhang, CNNIC Izumi Okutani, JPNIC.

Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

Technical Area Report Byron Ellacott Technical Area Manager.

Security for the Internet’s Domain Name System DNSSEC Current State of Deployment Prepared for Internet2 BoF Amy Friedlander, Shinkuro, Inc. Based on a.

APNIC Update Paul Wilson Director General. APNIC RIR for Asia Pacific –IP address allocation and management –Open policy development Support for Internet.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Module 5: Planning a DNS Strategy. Overview Planning DNS Servers Planning a Namespace Planning Zones Planning Zone Replication and Delegation Integrating.

Technical Area Report Siamak Hadinia, Infrastructure Service Manager 1.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

APNIC Update Paul Wilson Director General Operational Plan Key Outcomes Delivering Value Supporting Internet Development Collaborating and Communicating.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Technical Area Report Byron Ellacott Technical Area Manager.

Status report on Lame Delegations (work in progress) George Michaelson DB SIG APNIC17/APRICOT 2004 Feb KL, Malaysia.

Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.

1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker

RIPE NCC DNS Update Anand Buddhdev RIPE NCC. Presenter Name, Date 2 The GII Team.

Configuring Name Resolution and Additional Services Lesson 12.

Module 6: Designing Name Resolution. Module Overview Collecting Information for a Name Resolution Design Designing a DNS Server Strategy Designing a DNS.

Sweeping Lame DNS Delegations A Proposal DNS OPS SIG APNIC 15, Taipei, Taiwan 26 February 2003.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.

1 Discussion of the new DNS generation system DNS Operations SIG APNIC 18 2nd September 2004, Fiji.

DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.

OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.

Engineering Report Mark Kosters. Staffing Operations – 7 operations engineers + 2 managers (AT FULL STRENGTH) Development – 8 programmers + manager (AT.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

Early Registration Record Transfers Richard Jimmerson Director of Operations APNIC 11Kuala Lumpur.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

APNIC IPv6 Allocation Update IPv6 SIG APNIC 14, Kitakyushu, Japan 4 September 2002.

Services Area Report Sanjaya Services Area Director.

&. & DNS and IPv6 IPv6 Summit, Canberra 31st October & 1 st November 2005 Chris Wright, Chief Technology Officer &

Aug 2008 KRNIC of NIDA KRNIC Updates.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

APNIC Update Elly Tawhai Senior Internet Resource Analyst/Liaison Officer, Pacific, APNIC AusNOG

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

1 DNS Operations SIG Report Joe Abley, ISC APNIC 18 Nadi, Fiji, September 2004.

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

ICANN/IANA Update at APNIC 29

Presentation transcript:

APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC

Overview DNSSEC benefits What we have done What needs to be done? What does APNIC need to do? Let’s set some DNSSEC goals!

DNSSEC benefits Trustable DNS lookup –Forward and reverse Signed delegations –Positive and negative confirmations Some additional protections against phishing and related attacks on the DNS

What has been done Extensive testing of DNSSEC –For resolving parties –For domain managers Systems provisioning on some APNIC name servers Initial design discussions –Systems capacity planning –DNS management system

What needs to be done? Motivations: time to take a position! Address resolver-side issues Address server-side issues Deployment planning

Motivations DNSSEC standards now 10+ years in the making – No clear driver from APNIC community APNIC to research requirements and promote DNSSEC –Implement support in deployed servers –Update APNIC RMS to handle DNSSEC delegations –Join RIPE NCC in deploying DNSSEC in reverse-DNS

Resolver-side issues No date for signed root –Would have to distribute out of band, as RIPE NCC do 512 byte packet filtering considerations –Resolver, firewall upgrades –This is not only a problem for DNS APNIC services must work regardless of DNSSEC –Wish to avoid 'fate sharing' problems DNSSEC outage affecting APNIC services -(we provision other peoples DNS) Need cleaner functional separation of servers -Much of this already done APNIC no different to any DNS consumer

Server-side issues RIPE NCC deployment in in-addr.arpa –Revealed problems with APNIC secondary Lack of CPU, memory Software configuration issues Now resolved with new hardware and software Some increases in network traffic Key management problem –Managed rollovers, distribution No insurmountable problems –APNIC ready to deploy DNSSEC enabled servers in 2007 (in planning)

APNIC resource management changes APNIC needs a way to get “DS” info –The APNIC zone production process has to create a signed state over the collected DS of all sub-zones it delegates to –...and generate the NSEC records to cover the ‘gaps’ in signing Design work needed for APNIC resource management system –Should aim to include DS support in 2008

Issues: shared zones Mechanisms for managing DNSSEC in shared zones –APNIC sub-zone shares with NIR Solved in APNIC RMS work –Inter-RIR shared zones (ERX) Requires inter-RIR changes -NRO engineering coordination group would need to coordinate

What does APNIC need to do? Upgrade deployed name servers –Done. Will be ready in 2007 Upgrade RMS –DS support –Zone signing in DNS zone production engine Requires spec work, can be ready 2008 Progress shared zone issues –Discuss with key stakeholders (NIR/RIR) May not be fully resolved in 2008

Lets set some DNSSEC goals! APNIC DNSSEC 'ready' in 2008 Full support in RMS, zone production OOB TA distribution until root signed APNIC DNSSEC promoting 2007/8 Ongoing experiments, measurements and testing Training/documentation S/W & systems development Active promotion of DNSSEC - support/assist signed root planning Full DNNSEC in reverse-DNS in 2008 –Inter RIR, inter NIR. Requires coordination

Goals for 2007 Systems deployment (already planned) Server upgrades, software upgrades in progress NRO & NIR coordination –Focus on shared zone improvements –Plan for DS support in 2008 Present detailed plan at APNIC 24 –For deployment in 2008

Discussion