DNSSEC for the .edu Domain. Becky Granger, Director, Information Technology and Member Services, EDUCAUSE. April 29, 2010.

Presentation transcript:

1 DNSSEC for the .edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010

2 Agenda
• Review DNS
• How DNSSEC augments DNS
• What DNSSEC doesn’t do
• Why DNSSEC matters to you
• DNSSEC Adoption
• Getting started: Between now and July 2010
• Going live: Anticipated in July 2010

3 DNS: A Review
Illustration courtesy of Niranjan Kunwar / Nirlog.com

4 DNS Caching
• DNS servers cache data to improve performance
• But… what happens if the cached data is wrong?

5 DNS is Fundamentally Flawed More detailed explanation:

6 DNS Cache Poisoning Gets Easier
Article explaining vulnerability: by Dave Bullock / eecue

7 DNSSEC: DNS Security Extensions
• Validate the origin of a DNS response
  • Trust that the data came from the expected source
• Validate the integrity of a DNS response
  • Trust that the data itself is correct
• Validate denial of existence
  • Trust a “no records to return” response

8 DNS with DNSSEC implemented
Illustration courtesy of Niranjan Kunwar / Nirlog.com

9 DNSSEC Augments DNS
• Use public key cryptography to “sign” DNS data
• New DNS resource records carry signatures
  • DNSKEY, RRSIG, NSEC, DS
• Publish signatures to parent zone
  • Domain to namespace, namespace to root
• DNS resolvers validate signature matches
Good explanation:

10 What DNSSEC Doesn’t Do
• Encrypt data – that’s SSL
• Protect your servers from denial of service attacks
• Keep you from visiting phishing sites
• DNSSEC protects you from forged DNS data

11 Why You Care: Hypothetical Case Study
Photo by Bart Everson

12 DNSSEC Adoption

13 Adoption is Critical
• Can’t require validation yet – would reject most internet traffic
• In the interim, will need a browser warning for non-validated lookups (like SSL “lock” today)
• Validation will likely be required at some point

14 Adoption is Increasing Quickly Data from SecSpider: courtesy of Eric Osterweil

15 Many Top Level Domains are Signing
• Signed TLDs
  • bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us
  • arpa, gov, museum, org
• Coming soon
  • edu anticipated in July 2010
  • net anticipated in late 2010
  • com anticipated in early 2011
TLD data courtesy of Shinkuro, Inc.

16 Current DNSSEC Adoption in .edu
• 7 signed .edu domains
  • berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu
• 64 signed .edu sub-domains
  • Many are computer science departments or DNS research projects
Data from SecSpider: courtesy of Shumon Huque, University of Pennsylvania

17 Getting Started: Between now and July 1, 2010

18 If you are…
• CIO or IT leader
  • Get DNSSEC on your staff’s radar now
  • Add DNSSEC to your summer maintenance schedule
• Technical staff
  • If an ISP hosts your DNS
    • Ask the ISP when they will support DNSSEC
  • If you host your DNS
    • Learn about signing
    • Get DNSSEC-aware DNS software
    • Sign your zone

19 Learn About Signing
• Study the RFCs
  • RFC 4033 – DNSSEC introduction and requirements
  • RFC 4034 – Resource records for DNSSEC
  • RFC 4641 – DNSSEC operational practices
• NIST Secure DNS Deployment Guide

20 Get DNSSEC-aware DNS Software
• Need DNSSEC-aware software on published DNS servers and all intermediate resolvers
  • BIND 9.6 or greater
  • ZKT
  • OpenDNSSEC
  • Windows 2008 Server R2
  • Signing appliances
  • Many more…
Find these packages and more at

21 Sign Your Zone
• Generate a KSK and one or more ZSKs
• Practice key rollovers & establish processes for managing keys

22 Going Live: July 2010 (anticipated)

23 Chain of Trust Can Be Established
Original illustration courtesy of Niranjan Kunwar / Nirlog.com

24 Publish Your Signatures to .edu Zone
• Enter DS record data into the .edu Domain Administration website:
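
The DS data submitted to the parent zone is derived from the zone's KSK, so it can be recomputed and checked before it is entered. The sketch below is an added example, not part of the original slides: it builds the DS fields from a DNSKEY as described in RFC 4034 (key tag from Appendix B, digest over owner name plus DNSKEY RDATA), using the SHA-256 digest type defined in RFC 4509. The function names are illustrative, and the sample key is four constructed placeholder octets, not a real public key.

```python
import base64
import hashlib
import struct

ZONE_KEY = 0x0100  # DNSKEY flags bit 7: key may sign zone data
SEP = 0x0001       # DNSKEY flags bit 15: secure entry point (set on a KSK by convention)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) with SHA-256 (type 2)."""
    if not flags & ZONE_KEY:
        raise ValueError("Zone Key flag not set: a DS must not point at this key")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True if a DS tuple (e.g. the one about to be submitted) matches the DNSKEY."""
    tag, alg, dtype, digest = ds
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
    return (tag, alg, dtype, digest.replace(" ", "").upper()) == expected


# Constructed sample: 4 placeholder octets stand in for a real public key.
SAMPLE = ("example.edu.", ZONE_KEY | SEP, 3, 8, "AQIDBA==")

if __name__ == "__main__":
    print("example.edu. IN DS %d %d %d %s" % make_ds(*SAMPLE))
```

A DS that does not match any DNSKEY published in the child zone breaks the chain of trust for validating resolvers, which is why the comparison is worth running before submission and again after every KSK rollover.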

25 Many Resources Available to Help You
• RFCs
• DNSSEC.NET website
• Your .edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv

26 Questions?