Sunset for the DLV? © 2015 ISC, November 2013

Presentation transcript:

© 2015 ISC November 2013 Sunset for the DLV?

© 2015 ISC Background (c) Interested

Design: DNSSEC Validation
[Diagram: root, .org, .com, isc.org, dlv.isc.org, ISPzz.com, acme.ISPzz.com, .az and BillsBanjos.au, labelled with DS and KSK records]
The design calls for a chain of trust from child to parent, all the way back to the root.

DLV = alternate path to trust anchor
[Diagram: root, .org, isc.org, dlv.isc.org, .com, ISPzz.com and acme.ISPzz.com, labelled with DS and KSK records]
Before the planned chain of trust was available, the DLV provided a substitute.

A lot has changed since 2006
[Timeline figure; event labels:]
- .com zone signed
- IANA ITAR decommissioned
- DLV IETF Draft
- DLV.isc.org
- Root zone signed
- ICANN requires new GTLDs sign
- NSEC3 IETF Draft
- DNSSEC bis IETF Drafts
- IANA ITAR
- ITAR records removed
- Over 100 ccTLDs are signed
- ISC begins decommissioning DLV.isc.org?
- .edu, .net signed
- Google, Comcast verify DNSSEC
- 642 TLDs are signed

Is DLV now DELAYING deployment?
Benefits
- Allows a signed zone to be validated even if the parent is not signed
- Accepts DS records from anyone
- Free service
Disadvantages
- Reduces pressure on parent to get signed
- Reduces pressure on registrars to accept DS records
- Validator has to perform an additional query to the DLV when validating

Who Needs the DLV?
- Entities with signed zones under unsigned parent zones (i.e., signed 2nd level domains under unsigned parents)
- Entities with registrars that don't accept DS records
- Signed zones moving from one registrar to a new registrar may benefit from temporary coverage by DLV, especially if the first registrar is uncooperative in the move

DNSSEC deployed on 586 out of 771 TLDs (76%), 10/2014

Registrar Support
- Registrar support for DS records is available but not universal
  - The 2013 ICANN Registrar Accreditation Agreement requires support
- Some DLV users will have to switch registrars, putting appropriate pressure on registrars to support DS records
Registrars that support end user DNSSEC management, including entry of DS records (last updated: 15 December 2014)

Ready to Sunset DLV?
- Root signed
- TLDs signed (79%)
- TLDs have trust anchors in root
- Registrars supporting DNSSEC validation records for child domains
- Announcing sunset plan for DLV will encourage this
- Remaining gap with registrar transitions

1st Step = Clean Up the Zones
4568 zones configured
- 2867 fully configured/working zones
  - only 397 are in an unsigned parent
- ~20% fully validate from the root
- Notify, and remove unnecessarily delegated zones
- Stop adding new zones
- Eventually, remove all zones
[Chart: dlv.isc.org delegation records]

Proposed timeline for shrinking the DLV zone list
2015 | 2016 | 2017
Request that the owner remove the zone if:
1. The zone already has DNSSEC records in the parent, and can be validated to the root outside of DLV.
2. The zone could be properly signed (i.e. all of the parent zones are signed up to the root), but for some reason isn't.
3. No more new registrations for zones that could validate outside of DLV
4. No new users or zones registered with DLV.
5. Existing zones that could be validated outside of DLV will be purged (~1 year notice)
6. Remaining DLV records will be removed (~1-2 yrs notice)
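The removal criteria in the timeline above amount to a walk up the delegation chain for each DLV-registered zone. The sketch below is an added example, not ISC's code; the zone names under `signedtld.` and `unsignedtld.`, the sample data and the category labels are constructed assumptions.

```python
# Constructed sample data (not real DLV registry entries): for each zone,
# whether it is signed and whether its parent publishes a DS record for it.
ZONES = {
    ".":                   {"signed": True,  "ds_in_parent": True},  # root trust anchor
    "signedtld.":          {"signed": True,  "ds_in_parent": True},
    "unsignedtld.":        {"signed": False, "ds_in_parent": False},
    "full.signedtld.":     {"signed": True,  "ds_in_parent": True},
    "nods.signedtld.":     {"signed": True,  "ds_in_parent": False},
    "island.unsignedtld.": {"signed": True,  "ds_in_parent": False},
}

def parent(zone):
    """Parent zone name; the root has none."""
    if zone == ".":
        return None
    return zone.split(".", 1)[1] or "."

def validates_from_root(zone, zones):
    """Chain of trust: every zone up to the root is signed and has a DS in its parent."""
    while zone != ".":
        if not (zones[zone]["signed"] and zones[zone]["ds_in_parent"]):
            return False
        zone = parent(zone)
    return zones["."]["signed"]

def parents_all_signed(zone, zones):
    """True when every ancestor of the zone, up to the root, is signed."""
    zone = parent(zone)
    while zone is not None:
        if not zones[zone]["signed"]:
            return False
        zone = parent(zone)
    return True

def classify(zone, zones):
    """Map one DLV-registered (signed) zone to a step of the proposed timeline."""
    if validates_from_root(zone, zones):
        return "criterion 1: validates without DLV"
    if parents_all_signed(zone, zones):
        return "criterion 2: parents signed, chain incomplete"
    return "unsigned parent: DLV still needed until final removal"

def cleanup_plan(dlv_zones, zones):
    """Group the DLV-registered zones by category."""
    plan = {}
    for z in dlv_zones:
        plan.setdefault(classify(z, zones), []).append(z)
    return plan

if __name__ == "__main__":
    sample = ["full.signedtld.", "nods.signedtld.", "island.unsignedtld."]
    for category, names in cleanup_plan(sample, ZONES).items():
        print(category, names)
```

In a real audit the `signed` and `ds_in_parent` fields would come from DNSKEY and DS lookups against each zone and its parent rather than a static table.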

Communications Plan
- Discuss with participants at ICANN, DNS-OARC, RIPE, operator meetings
  - to DNS tech discussion lists
- Notify current DLV users
- Discuss with validating resolver publishers (including OS packagers)

Goal: DNSSEC Validation
[Diagram: root, .org, .com, isc.org, dlv.isc.org, ISPzz.com, acme.ISPzz.com, .az and BillsBanjos.au, labelled with KSK and ZSK records]
DNSSEC 2017
