Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman


DNS: Data Flow
[Diagram, flows numbered 1 to 5: Registry/Registrar, Provisioning, Zone administrator, Zone file, Dynamic updates, master, slaves, Caching forwarder, resolver]

DNS Vulnerabilities
[Diagram, flows numbered 1 to 5: Registry/Registrar, Provisioning, Zone administrator, Zone file, Dynamic updates, master, slaves, Caching forwarder, resolver]
Threats marked on the diagram:
–Corrupting data
–Impersonating master
–Unauthorized updates
–Cache impersonation
–Cache pollution by Data spoofing
–Altered zone data

DNSSEC Provides Data Security
[Diagram: Registry/Registrar, Provisioning, Zone administrator, Zone file, Dynamic updates, master, slaves, Caching forwarder, resolver; example record: example.com A]

DEPLOYMENT NOW
DNS server infrastructure related
Protocol spec is clear on: Signing, Serving, Validating
Implemented in: Signer, Authoritative servers, Security aware recursive nameservers
[Diagram: APP, STUB; signing, serving, validating]

DNSSEC Implementations
BIND 9.3.
NSD 2. (authoritative only)
Net::DNS::SEC for scripting tools

Main Improvement Areas
“the last mile”
Key management and key distribution
NSEC walk

The last mile
How to get validation results back to the user
The user may want to make different decisions based on the validation result
–Not secured
–Time out
–Crypto failure
–Query failure
From the recursive resolver to the stub resolver to the Application
[Diagram: APP, STUB; validating]
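An added example, not taken from the slides: what a stub can infer from the DNS header alone, mapped onto the outcomes listed above using the AD bit, the RCODE and an optional retry with the CD bit set. The function names, the retry policy and the sample headers are assumptions constructed for illustration.

```python
import struct
from typing import Optional

# DNS header flag bits (second 16-bit word of the 12-byte header).
AD_BIT = 0x0020      # Authenticated Data: set by a validating resolver
CD_BIT = 0x0010      # Checking Disabled: set by the client to skip validation
RCODE_MASK = 0x000F
SERVFAIL = 2


def header(flags: int, ancount: int = 0, msg_id: int = 0x1234) -> bytes:
    """Build a constructed 12-byte DNS response header for the samples below."""
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


def parse_flags(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return {"ad": bool(flags & AD_BIT), "cd": bool(flags & CD_BIT),
            "rcode": flags & RCODE_MASK}


def classify(reply: Optional[bytes], cd_retry: Optional[bytes] = None) -> str:
    """Map what a stub sees onto the slide's four outcomes plus 'secured'.

    reply    : response to the normal query, or None if nothing arrived.
    cd_retry : response to the same query re-sent with CD=1, if the caller
               made that retry after a SERVFAIL (assumed policy).
    """
    if reply is None:
        return "time out"
    flags = parse_flags(reply)
    if flags["rcode"] == SERVFAIL:
        # SERVFAIL alone cannot tell a bogus signature from a dead server.
        # If the unvalidated retry succeeds, validation was what failed.
        if cd_retry is not None and parse_flags(cd_retry)["rcode"] != SERVFAIL:
            return "crypto failure"
        return "query failure"
    # AD is only meaningful when the path to the resolver is trusted.
    return "secured" if flags["ad"] else "not secured"


# Constructed sample responses (QR=1, RD=1, RA=1 set in all of them).
SECURE = header(0x81A0, ancount=1)      # AD=1, NOERROR
INSECURE = header(0x8180, ancount=1)    # AD=0, NOERROR
FAILED = header(0x8182)                 # SERVFAIL
CD_ANSWER = header(0x8190, ancount=1)   # CD=1, NOERROR
```

Without the CD retry the stub cannot separate the last two outcomes, which is the gap this slide describes.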

Problem Area
Key Management
Keys need to propagate from the signer to the validating entity
The validating entity will need to “trust” the key to “trust” the signature.
Possibly many islands of security
[Diagram: APP, STUB; signing, validating]

Secure Islands and key management
[Diagram of a DNS name tree with labels: net., money.net., kids.net., geerthe, corp, dev, market, dilbert, unixmac, marnick, nt, os.net., com., .]

Secure Islands
Server Side
–Different key management policies for all these islands
–Different rollover mechanisms and frequencies
Client Side (Clients with a few to 10, 100 or more trust-anchors)
–How to keep the configured trust anchors in sync with the rollover
–Bootstrapping the trust relation

NSEC walk
The record for proving the non-existence of data allows for zone enumeration
Providing privacy was not a requirement for DNSSEC
Zone enumeration does provide a deployment barrier
Work starting to study possible solutions
–Requirements are gathered
–If and when a solution is developed it will be co-existing with DNSSEC-BIS !!!
–Until then on-line keys will do the trick.
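An added example, not taken from the slides: a model of the NSEC chain over an in-memory zone, showing why one denial of existence names a real neighbour and why the linked records together list every owner name in the zone. The zone contents and function names are constructed; a zone operator can use the same model to see what a signed zone would disclose.

```python
from typing import Dict, List, Optional, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Canonical DNS name order: compare labels right to left, lowercased."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_nsec_chain(names: List[str]) -> Dict[str, str]:
    """Link every owner name to the next one; the last wraps to the first."""
    ordered = sorted({n.lower() for n in names}, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)]
            for i, owner in enumerate(ordered)}


def denial_for(chain: Dict[str, str], qname: str) -> Optional[Tuple[str, str]]:
    """Return the (owner, next) NSEC pair proving qname does not exist."""
    qname = qname.lower()
    if qname in chain:
        return None                      # name exists, nothing to deny
    key = canonical_key(qname)
    for owner, nxt in chain.items():
        low, high = canonical_key(owner), canonical_key(nxt)
        wraps = high <= low              # last record points back to the apex
        if (low < key < high) or (wraps and key > low):
            return owner, nxt
    return None


def names_disclosed(chain: Dict[str, str], apex: str) -> List[str]:
    """Every name a reader of the denial records learns, in chain order."""
    seen, current = [apex], chain[apex]
    while current != apex:
        seen.append(current)
        current = chain[current]
    return seen


# Constructed zone contents; the host names are not from the slides.
ZONE = ["example.com.", "www.example.com.", "mail.example.com.",
        "intranet.example.com."]
CHAIN = build_nsec_chain(ZONE)
```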

Conclusion
DNSSEC Deployment can be started now.
–.SE is preparing for deployment by end of this year
Improvements will come, some work may take one or more years

References
Some links
–Apster number 12