Anne-Marie Eklund Löwinder, Chief Information Security Officer. Twitter: amelsec. Thanks to Fredrik Ljunggren, Kirei & Mehmet.
Signing the root with DNSSEC

Anne-Marie Eklund Löwinder, Chief Information Security Officer. Twitter: amelsec. Thanks to Fredrik Ljunggren (Kirei) and Mehmet Akcin (ICANN).

How did it all begin? Walking down Memory Lane!

1983 Paul Mockapetris invents the DNS and implements the first server: Jeeves.

1986 Formal IETF Internet Standard. Two RFCs describe DNS: 1034 and 1035.

1990 Steven Bellovin describes cache poisoning for the first time, but the report is held back until 1995.

1997 RFC2065 first version of the DNSSEC standard is published.

1999 RFC2535 is published, updating RFC2065. The DNSSEC protocol seems to be finally finished. BIND9 is developed to be the first DNSSEC capable implementation.

1999 (March) Sequential transaction IDs: problems persisted. Multiple name server implementations used sequential transaction IDs, which were trivial to guess.

2001 Experiments show that the key handling in RFC2535 is causing operational problems that would make deployment difficult, if not impossible. Redesigning is initiated.

2002 (November) Multiple outstanding queries: problems persisted in multiple implementations. An attacker could trigger several outstanding queries for the same data, which enabled spoofing through a birthday attack.

2002 Brains are working on it…

2003 Brains are working on it…

2004 Brains are working on it…

2005 Eureka! The current RFCs are published: RFC4033, RFC4034, RFC4035.

2005 Sweden (.SE) deploys DNSSEC. .SE is the first TLD to adopt.

2006 Others are *thinking* about deploying DNSSEC…

2007 Others are *thinking* about deploying DNSSEC…

2007 (July) Predictable RNG: problems persisted. Weaknesses in the PRNGs (pseudo-random number generators) of multiple implementations made guessing the transaction ID through statistical analysis feasible.

2008 Yet another flaw in the DNS protocol: the Kaminsky bug! Targeting sibling names in a zone gave the attacker an unlimited number of retries for cache poisoning.

2009 The Domain Name System desperately needs DNSSEC! Mending and patching obviously didn't do it… Others *are* deploying DNSSEC.

2010 The root has been signed since July 15, 2010! . IN DS AAC11D7B6F E54A A1A FD2CE1CDDE32F24E8FB5 DNSSEC in the root ties it all together and is an enabler for so much more.

Approach to DNSSEC in the root zone and protection of the KSK

Design: the guiding principle behind the design is that the result must be trustworthy.

Audited: processes and procedures should be audited against industry standards, e.g. ISO/IEC 27002:2005.

High security: the root system should meet all NIST SP technical security controls required for a HIGH IMPACT system.

Community involvement: trusted representatives from the community are invited to take an active role in the key management process.

Terramark Data Center, Culpeper, VA


Physical security: enforced dual occupancy, separation of duties, external monitoring, video surveillance, motion, seismic and other sensors, and more.

ICANN staff roles related to KSK ceremonies. The Ceremony Administrator (CA) is the staff member who runs the ceremony. The Internal Witness (IW) is the ICANN staff member witnessing and recording the ceremony, and any exceptions. System Administrators (SA) are the technical staff members responsible for IT needs. Safe Security Controllers (SSC) are the ICANN staff who operate the safe.

DPS – DNSSEC Practice Statement. States the practices and provisions employed in root zone signing and zone distribution services: issuing, managing, changing and distributing DNS keys in accordance with the specific requirements of the U.S. DoC NTIA. Comparable to a certificate practice statement (CPS) from an X.509 certification authority (CA). Compliant with (as a number of other TLDs are).

Auditing & Transparency. Third-party auditors check that ICANN operates as described in the DPS. Other external witnesses may also attend the key ceremonies. A SysTrust audit is performed annually.

Trusted Community Representatives (TCR) have an active role in the management of the KSK: as Crypto Officers, needed to activate the KSK; as Recovery Key Share Holders, protecting shares of the symmetric key that encrypts the backup copy of the KSK.

Crypto Officer (CO). COs have physical keys to safe deposit boxes holding the smartcards that activate the HSM. ICANN cannot generate new keys or sign the ZSK without 3-of-7 COs. COs must be able to travel to the US up to 4 times a year. So far the same people as from the start.

Recovery Key Share Holder (RKSH). RKSHs have smartcards holding pieces (M-of-N) of the key used to encrypt the KSK inside the HSM. If both key management facilities fall into the ocean, 5-of-7 RKSH smartcards and an encrypted KSK smartcard can reconstitute the KSK in a new HSM. The backup KSK is held encrypted on a smartcard by ICANN. RKSHs must be able to travel to the US on relatively short notice. Hopefully never. Annual inventory.
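To make the 5-of-7 recovery property concrete, the following added example (not ICANN's or the HSM vendor's code) splits a constructed stand-in for the KSK-wrapping symmetric key with Shamir secret sharing over a prime field, shows that any five shares reconstruct it, and that four shares yield an unrelated value rather than an error. The field prime and the share encoding are assumptions for illustration only; the real split is performed inside the HSM.

```python
"""Shamir M-of-N secret sharing, illustrating the 5-of-7 RKSH scheme.
Added example code; the prime field below is an assumption, not ICANN's."""
import secrets

# Mersenne prime 2^521 - 1: large enough to hold a 256-bit key as one element.
P = 2**521 - 1


def split(secret, m, n, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y) so that any m of them reconstruct it."""
    assert 0 <= secret < P and 1 <= m <= n
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [rng(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule: evaluate polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange interpolation at x=0.
    With fewer than m shares this returns a wrong value, not an error:
    the scheme gives no way to tell a correct reconstruction from a bad one."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def demo():
    """Constructed 256-bit stand-in for the key that wraps the KSK backup."""
    key = secrets.randbits(256)
    shares = split(key, m=5, n=7)          # one share per RKSH smartcard
    five_ok = reconstruct(shares[1:6]) == key   # any 5 holders recover it
    four_bad = reconstruct(shares[:4]) != key   # 4 holders learn nothing useful
    return five_ok and four_bad
```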

Community Representatives
CO – East Coast: Alain Aina, BJ; Anne-Marie Eklund Löwinder, SE; Frederico Neves, BR; Gaurab Upadhaya, NP; Olaf Kolkman, NL; Robert Seastrom, US; Vinton Cerf, US.
CO – West Coast: Andy Linton, NZ; Carlos Martinez, UY; Dmitry Burkov, RU; Edward Lewis, US; João Luis Silva Damas, PT; Masato Minda, JP; Subramanian Moonesamy, MU.
CO Backup: Christopher Griffiths, US; Fabian Arbogast, TZ; John Curran, US; Nicolas Antoniello, UY; Rudolph Daniel, UK; Sarmad Hussain, PK; Ólafur Guðmundsson, IS.
RKSH: Bevil Wooding, TT; Dan Kaminsky, US; Jiankang Yao, CN; Moussa Guebre, BF; Norm Ritchie, CA; Ondřej Surý, CZ; Paul Kane, UK (6 BKP).

I’ve got the key to the Internet!

Split keys. Zone Signing Key (ZSK): used to sign the zone. Key Signing Key (KSK): used to sign the ZSK. The split is not required by the protocol.

Key Signing Key (KSK) KSK is 2048-bit RSA. Rolled as required. RFC 5011 for automatic key rollovers. Signatures made using SHA-256.

Zone Signing Key (ZSK) ZSK is 1024-bit RSA. Rolled once a quarter (four times per year). Zone signed with NSEC. Signatures made using SHA-256.

Key Ceremonies, held quarterly. Key generation: generation of a new KSK. Processing of the ZSK Signing Request (KSR): signing the ZSK for the next upcoming quarter.

DNSSEC is now part of standard operations.

Next key ceremony XI. The next ceremony will take place in Culpeper, VA on 2013 May 2-3. Detailed schedule can be found at ceremonies/cer13/ Watch the HD Live Stream at

Stats. 317 TLDs in the root zone in total. 111 TLDs are signed. 102 TLDs have trust anchors published as DS records in the root zone. 2 TLDs have trust anchors published in the ISC DLV Repository.