Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting (2008-01-16)

Slides:

Advertisements

Similar presentations

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

Advertisements

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Internet Identity For All.my ccTLD IPv6 Update By Lai Heng Choong Head of Application, Database and Security.my DOMAIN REGISTRY APTLD Member Meeting, 1.

Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.

Web Server Administration

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

Web Server Administration Chapter 4 Name Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

20101 The Application Layer Domain Name System Chapter 7.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

DOMAIN NAME SYSTEM. Domain Name System Hostname Resolution DNS Name Lookup with DNS Domain Name Servers DNS Database Reverse Lookups.

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

1 Naming with the Domain Name System. 2 Internet Applications Domain Name System Electronic mail IP telephony Remote login File transfer All use client-server.

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

IIT Indore © Neminath Hubballi

What Is the Internet? A network of networks, joining many government, university and private computers together and providing an infrastructure for the.

Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.

1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.

DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC Ólafur Guðmundsson

1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

CITA 310 Section 1 Name Resolution (Textbook Chapter 4)

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.

Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.

Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Status report on Lame Delegations (work in progress) George Michaelson DB SIG APNIC17/APRICOT 2004 Feb KL, Malaysia.

Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.

DNS Dynamic Update Performance Study The Purpose Dynamic update and XFR is key approach to perform zone data replication and synchronization,

Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.

Windows 2000 Certificate Authority By Saunders Roesser.

Domain Name System (DNS). DNS Server Service Overview of Domain Name System What Is a Domain Namespace? Standards for DNS Naming.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Lawrence Snyder University of Washington, Seattle © Lawrence Snyder 2004 Relating the “logical” with the “physical”

Publishing zone scan data using an open data portal Sebastian Castro OARC Workshop Montreal – Oct 2015.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Internet Essentials. The History of the Internet The Internet started when the Advanced Research Projects Agency (ARPA) of the United States Defense Department.

Linux Operations and Administration

Presented by Mark Minasi 1 SESSION CODE: WSV333.

Web Server Administration Chapter 4 Name Resolution.

1. Internet hosts:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., ww.yahoo.com - used by humans DNS: provides translation between.

OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

Root Zone KSK Maintenance Jaap Akkerhuis | ENOG -10 | October 2015.

Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.

Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015.

APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC.

Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.

Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average

管理心理学管理心理学主讲教师张国民. 个人简介张国民, 山西闻喜人, 先后毕业于山西农业大学、首都师范大学、中国人民大学，获农学和法学第二学士学位、法学硕士学位。现为全国大学心理学专业委员会委员山西省伦理学会常务理事山西农业大学学报（社科版）编委山西农业大学硕士研究生导师.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.

Understand Names Resolution

A longitudinal, End-to-End View of the DNSSEC Ecosystem

NET 536 Network Security Lecture 8: DNS Security

DNSSEC Status Update in UA

Trust Anchor Signals from Custom Applications

Presentation transcript:

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )

DNSSEC related actions Run DNSSEC in productive enviroments (currently using a signed root) Gather as much signed domains as possible. Include all entry points into a DLV and keep this list up to date.

How to gather domains grep all zones listed at SecSpider grep the known web key repositories (like RIPE) retry all zones a came across in the last years try to fill all holes in the DNS hierarchy try AXFR on the known signed zones or - if this fails - collect a few hundred entries by zone walking (that's even true for DLVs, I came across) make reverse lookups of IPs near the IPs listed in signed zones try all zones of TLDs, I have access to: AT, FR, RU, COM, NET... (preferably with written contract)  All is run on a weekly or monthly basis

Running the signed root obtain the data from ICANN and RIPE check each modification personally collect the DNSKEY entries using validating resolvers and update the keysets if necessary modify them to point to my servers and sign them distribute it to a set of servers

Monthly statistics based on a website snapshot remove test hierarchies summarize in different categories Category „unreachable“ is NOT signed „unreachable“ times out, if no DNSKEY and no DS

Biyearly mailing send to the SOA mname each category has a special text defensive hints about misconfiguration (learned the hard way) weak keys category refined to <1024 bits