State of DNSSEC deployment ISOC Advisory Council


State of DNSSEC deployment ISOC Advisory Council John Schnizlein 2009 July 31

Improving security on the Internet
We know we need to add security not designed in.
DNSSEC demonstrates
  The Internet Model supports developing security
  Deployment of security is hard
Other security efforts, such as securing routing information, are also being pursued.

Technical Background
DNS – epitome of successful Internet application
  Each domain manages its own names (servers)
  Domains can delegate authority
  Source defines records' Time To Live (TTL)
  Separately managed resolvers follow references
  Cache results for specified TTL
DNSSEC exploits these features
  Public-key signatures authenticate record sets
  Resolvers empowered to validate signature
  Chain of trust through the delegation hierarchy

History
First specification (RFC 2065) in 1997
  Oops – determined not deployable
New design (RFC 4033, 4034, 4035) in 2005
  Separated functions between child and parent
  Record (zone) signing from delegation signing
Privacy concerns addressed (RFC 5155) in 2008
  NSEC3 sequences hashes rather than names
  Preventing “walking” all the zone’s records
Note that deployment began during design
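An added example, not part of the original slides, of what "NSEC3 sequences hashes rather than names" means in practice: it computes the RFC 5155 owner-name hash (algorithm 1, SHA-1) and orders names the way the NSEC3 chain does. The zone contents are constructed sample data; salt `aabbccdd` and 12 iterations are the parameters RFC 5155 uses in its own example zone.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash: H(name || salt), then re-hashed with the salt `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def nsec3_chain(names, salt_hex, iterations):
    """Order owner names the way the NSEC3 chain does: by hash, not by name."""
    return sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)


if __name__ == "__main__":
    # Constructed sample zone contents; salt and iteration count are sample values.
    zone = ["example", "a.example", "ns1.example", "w.example"]
    for hashed, owner in nsec3_chain(zone, "aabbccdd", 12):
        print(f"{hashed}.example.  <- {owner}")
```

A denial-of-existence answer names only adjacent hashes in this ordering, so it does not directly reveal the neighbouring owner names the way a plain NSEC record does.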

Deployment timeline
2005 October .SE (Sweden) signed TLD
2006 August .PR (Puerto Rico) signed TLD
2007 January .BG (Bulgaria) signed TLD
2007 June .BR (Brazil) signed TLD
2008 September .CZ (Czech Republic) signed TLD
2008 September .MUSEUM signed TLD
2009 February .GOV (U.S. government) signed TLD
2009 March .TH (Thailand) signed TLD
2009 June .ORG (unrestricted use) signed TLD
Maybe (checking) .NA (Namibia) signed TLD

Deployment timeline
2005 October .SE (Sweden) signed TLD
2006 August .PR (Puerto Rico) signed TLD
2007 January .BG (Bulgaria) signed TLD
2007 June .BR (Brazil) signed TLD
2008 September .CZ (Czech Republic) signed TLD
2008 September .MUSEUM signed TLD
2009 February .GOV (U.S. government) signed TLD
2009 March .TH (Thailand) signed TLD
2009 June .ORG (unrestricted use) signed TLD
10 < 5 < 3 < 0 < 1 < Months between

Tests and Plans
Production Root
2007 June IANA made a test signed root available
Workarounds deployed
  2006 March DNSSEC Look-aside Validation (DLV)
  2007 June Interim Trust Anchor Repository (ITAR)
2008 October NTIA requested views on signing the root
2009 May announced plan to sign root by end of 2009
.JP (Japan) plans to sign by end of 2010
Nominet is working on signing .UK using opendnssec.se
Verisign plans to sign .NET by the end of 2010, .COM early in 2011

Current Hot Issues
What if the root really is signed? (June symposium)
  Many recursive resolvers got ahead of root signing
  What happens now when the root gets signed?
Distributing trust anchors to validating resolvers
  Use TARs? Use software upgrade?
  Need to accommodate “rolling” the root key

Discussion: Market Niches of DNSSEC value

Market Drivers
Security is not just the right thing to do.
  Avoiding catastrophe: insufficient motivation
Separate management demands cooperation
  Chicken or Egg problem (neither works w/o other)
Who can benefit from validity-checked names?
  Not rhetorical question – really need advice
  Brainstorming begin..

InternetSociety.org info@InternetSociety.org