Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of.

Slides:

Advertisements

Similar presentations

The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.

Advertisements

DNS46 for the IPv4/IPv6 Stateless Translator

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

Nassau Community College

DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.

DNSSEC In Higher Education Joe St Sauver, Ph.D. Internet2 Nationwide Security Program Manager or AMSAC Call, 1PM Pacific,

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

DNS and DNSSec Eustace Asanghanwa Andrew Bates Shane Jahnke Brian Wilke.

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name Services Oakton Community College CIS 238.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Module 8: Designing Active Directory Disaster Recovery in Windows Server 2008.

DUKE UNIVERSITY DNSSEC 101 Kevin Miller.

Identity Management and DNS Services Tianyi XING.

1 Internet2 Security Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Name Resolution Domain Name System.

IIT Indore © Neminath Hubballi

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Chapter 13 Microsoft DNS Server n DNS server: A Microsoft service that resolves computer names to IP addresses, such as resolving the computer name Brown.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.

DNS Zones. DNS records kept in zones DNS server is authoritative for a domain if it hosts the zone for that domain Sub-domains can be kept in same zone.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

The ProactiveWatch Monitoring Service. Are These Problems For You? Your business gets disrupted when your IT environment has issues Your employee and.

1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 Kyung Hee University Chapter 18 Domain Name System.

FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

.LV today and tomorrow Katrīna Sataki, NIC.LV Riga, 19 April 2013.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

1 Discussion of the new DNS generation system DNS Operations SIG APNIC 18 2nd September 2004, Fiji.

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Publishing zone scan data using an open data portal Sebastian Castro OARC Workshop Montreal – Oct 2015.

OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.

What if Everyone Did It? Geoff Huston APNIC Labs.

Presented by Mark Minasi 1 SESSION CODE: WSV333.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

1 Is an Internet PKI the Right Approach? Eric Osterweil Join work with: Dan Massey and Lixia Zhang.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

DNSSEC Practices Statement Module 2 CaribNOG 3 12 June 2012, Port of Spain, Trinidad

1) The size of the Domain name system. 2) The main components of the Domain Naming System operation. 3) The function of the Domain Naming System. 4)Legislation.

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Security Issues with Domain Name Systems

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

.edu DNSSEC Testbed Lessons Learned

What DNSSEC Provides Cryptographic signatures in the DNS

Presentation transcript:

Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of California, Berkeley Joe St Sauver, Internet2/University of Oregon 4:30-5:30PM, Wed Nov 3, 2010, Ballroom 1 Fall 2010 Internet2 Member Meeting, Atlanta

Problem Statement Doing DNSSEC involves two tasks: 1) Cryptographically signing authoritative DNS records, and 2) Validating those signatures on recursive resolvers. Unfortunately: There’s nothing to validate if people don’t sign A limited number of domains (including relatively few dot edu’s) have signed to-date. 2

24 Signed 2 nd Level Dot Edus (per UCLA SecSpider) Berkeley.edu Carnegiemellon.edu Cmu.edu Desales.edu Example.edu Fhsu.edu Indiana.edu Internet2.edu Iu.edu Iub.edu Iupui.edu K-state.edu Ksu.edu Lsu.edu Merit.edu Monmouth.edu Penn.edu Psc.edu Suu.edu Tbu.edu Ucaid.edu Upenn.edu Upf.edu Weber.edu 3

BUT, We’re At A DNSSEC Adoption Inflection Point 4

Three Panelists Who Have Signed Their 2 nd Level Zones Today we’re going to be hearing from representatives of three edus who have signed their production domains: -- Michael Lambert, Pittsburgh Supercomputing Center -- Dan Pritts, Internet2 -- Michael Sinatra, University of California, Berkeley What lessons can we learn from the experiences of these early adopters? 5

Some Discussion Questions 1)How long have you been signing your zone(s) now? 2)What motivated you to sign your zones? -- Concerns about DNS insecurity? -- Desire to experiment and get experience with DNSSEC? -- Management “encouragement?” -- Other? 3)What zone or zones did you begin with? -- A test/trial zone? -- More important production zone(s)? -- Have you also signed your inverse address (in-addr/ptr) zone? 6

Some Discussion Questions 4) What tool or product are you using to sign your zones? -- Has that tool or product worked well for you? Did you run into any issues? Any tips -- Did you try any other tools? What was good or bad about those alternatives? 5) Did you see any performance impacts when you signed your zone? Any increase in zone size? Any increase in server memory, CPU, I/O, or network usage? 6) Did you spend time thinking about what algorithms you wanted to use to sign your zones? What did you pick and why? How about the key length you selected? 7

Some Discussion Questions 7) DNSSEC signatures are valid for a specified period of time. What validity period are you using? Have you run into any issues when rolling over keys? 8) What TTLs are you using for your DNSSEC-related records? 9) Do you do dynamic DNS? Is that compatible with DNSSEC? 10) Have you run into any firewall-related issues? 11) Many sites in higher education have offsite secondary DNS servers. Have you encountered any problem with DNSSEC and the secondary DNS servers you may use? 8

Some Discussion Questions 12) How hard was it to get DNSSEC records added by the registry? 13) How are you protecting your private keys from being compromised? Do you think your organization understands how important those crypto keys are? 14) Are you monitoring your DNSSEC signed zone(s)? If so, what tool are you using to do that monitoring? 15) Do you have any emergency procedures in place to push a resigned zone if there are any unexpected issues? 9