Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.

Presentation transcript:

Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC

DNSSEC status
– Standard is complete and usable
– Minor nits with regards to some privacy issues in some contexts (NSEC3, online signing)
– There are at least 2 implementations of servers (BIND and NSD)
– There is at least 1 implementation of a DNSSEC-aware resolver (BIND and later)

Bootstrapping
– DNSSEC follows a hierarchical model for signatures
– Sign the root zone
– Get the root zone to delegation-sign TLDs
– Get TLDs to delegation-sign SLDs
– …

Unsigned root and TLDs
– Today the root zone remains unsigned
– Likely this way for some time
– Very few TLDs have signed their zones and offer delegation signatures: .se, .pr, .bg, .br

But I want my zone signed
– DNSSEC provides for local implementations to be able to insert local trust anchors, entry points into the secure system
– E.g. the trust-anchors clause in BIND
– Problem: if you have too many it becomes a nightmare to maintain, so it doesn't get used

DLV
– Enter DLV, Domain Lookaside Validation
– It is an implementation feature, not a change to the protocol. A matter of local policy.
– It enables access to a remote, signed repository of trust anchors, via the DNS
– Implemented in BIND's resolver so far. More to follow?

DLV lookup
– A DLV-enabled resolver will first try to find a secure entry point using the regular DNSSEC processes (the configured trust anchors and the chain of DS records below them)
– Only IF THAT FAILS, and the resolver has DLV configured, will it issue a search in the specified DLV tree
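The lookup order on this slide as an added Python illustration (not ISC's or BIND's code): the trusted-keys store, the DLV registry table and the longest-name-first walk under dlv.isc.org are assumptions constructed for the example.

```python
# Added illustration of the DLV lookup order; not ISC or BIND code.
# Assumed: a small trusted-keys store, a constructed DLV registry table and
# a longest-name-first walk under the DLV domain.

DLV_DOMAIN = "dlv.isc.org."

# Constructed sample data: only .se is configured as a regular trust anchor.
TRUST_ANCHORS = {"se."}

# Constructed DLV registry: DLV records are DS-like (key tag, algorithm,
# digest type, digest) published under the DLV domain. Values are placeholders.
DLV_REGISTRY = {
    "example.net.dlv.isc.org.": "12345 5 1 <digest placeholder>",
    "bg.dlv.isc.org.": "23456 5 1 <digest placeholder>",
}


def labels(name):
    """Split a fully qualified name into its labels."""
    return [l for l in name.rstrip(".").split(".") if l]


def regular_entry_point(zone, anchors):
    """Closest configured trust anchor at or above zone, or None."""
    parts = labels(zone)
    for i in range(len(parts)):
        candidate = ".".join(parts[i:]) + "."
        if candidate in anchors:
            return candidate
    return None


def dlv_candidates(zone, dlv_domain=DLV_DOMAIN):
    """Names to query in the DLV tree, longest (most specific) first."""
    if zone == dlv_domain or zone.endswith("." + dlv_domain):
        return []  # names inside the DLV tree itself are never looked up there
    parts = labels(zone)
    return [".".join(parts[i:]) + "." + dlv_domain for i in range(len(parts))]


def find_entry_point(zone, anchors=TRUST_ANCHORS, dlv=DLV_REGISTRY,
                     dlv_domain=DLV_DOMAIN):
    """Regular DNSSEC entry point first; DLV only when that fails and is configured."""
    anchor = regular_entry_point(zone, anchors)
    if anchor is not None:
        return ("trusted-keys", anchor)
    if dlv is None:  # no dnssec-lookaside statement: answer stays insecure
        return None
    for candidate in dlv_candidates(zone, dlv_domain):
        if candidate in dlv:
            return ("dlv", candidate)
    return None
```

A zone with no regular anchor above it and no entry in the DLV tree ends up unvalidated (insecure), not bogus.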

Enabling DLV
– On the resolver (so far only BIND)
– Add to named.conf, in the options section:

    // DNSSEC configuration
    dnssec-enable yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;

– In BIND 9.4 also add:

    dnssec-validation yes;

– By itself (a top-level statement, outside options):

    trusted-keys {
        // 257 3 5 = flags (KSK), protocol, algorithm (RSASHA1): the three
        // fields that precede the key data in a trusted-keys entry; they
        // were dropped from the transcript and are restored here
        dlv.isc.org. 257 3 5 "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0wFzoF
            kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERN
            uymtKZSCZvkg5mG6Q9YORkcfkQD2GIRxGwx9BW7y3ZhyEf7ht/jEh01N
            ibG/uAhj4qkzBM6mgAhSGuaKdDdo40vMrwdv0CHJ74JYnYqU+vsTxEIw
            c/u+5VdA0+ZOA1+X3yk1qscxHC24ewPoiASE7XlzFqIyuKDlOcFySchT
            Ho/UhNyDra2uAYUH1onUa7ybtdtQclmYVavMplcay4aofVtjU9NqhCtv
            f/dbAtaWguDB";
    };

– Get the key from ISC's web

Using DLV
– BIND debugging is a bit hellish and user-unfriendly. Working on tools to automate checks and make life easier
– BEWARE: if you want your zone to be signed and available, ALL of your zone's nameservers must be DNSSEC-enabled

Registering
– To make your DNSSEC information available you must register with the DLV registry.
– In ISC's case, go to the registry web page and follow the instructions
– Two authentication methods: cookie exchange; in-person authentication

DLV registries
– ISC is operating a DLV registry free of charge for anyone who wants to secure their DNS.
– Have a look and use it!

Questions?