OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

Slides:



Advertisements
Similar presentations
MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Advertisements

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Innovations in OSGi How to prevent patent applications.
Training Course: Task List. Agenda Overview of the Task List Screen Icons across the top Making Appointments Viewing Appointments & Filters Working Your.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Website Tutorial. Administration  Log on by clicking Login on the footer of almost any page  Your Username is.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 12: Deploying and Managing Software with Group Policy.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
Week #7 Objectives: Secure Windows 7 Desktop
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
Internet Browsing the world. Browse Internet Course contents Overview: Browsing the world Lesson 1: Internet Explorer Lesson 2: Save a link for future.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Module 7 Configure User and Computer Environments By Using Group Policy.
Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman
Module 5: Configuring Internet Explorer and Supporting Applications.
DNSSEC deployment in NZ Andy Linton
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
What is Web Site Administration Tool ? WAT Allow you to Configure Web Site With Simple Interface –Manage Users –Manage Roles –Manage Access Rules.
Module 6: Deploying and Managing Software by Using Group Policy.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
1 Internet2 Joint Techs DNSSEC BOF July 19, DNSSEC BOF Larry J. Blunk, Merit Network Internet2 Joint Techs Workshop Madison, WI July 19, 2006.
AT&T Privacy Bird Screen Shots For more information see
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.
Linux Operations and Administration
Understand Click Once Deployment Windows Development Fundamentals LESSON 5.1B.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Workshop Madison, Wisconsin, U.S.A., July 19 th 2006.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
SubmissionJoe Kwak, InterDigital1 Simplified 11k Security Joe Kwak InterDigital Communications Corporation doc: IEEE /552r0May 2004.
Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.
What's so hard about DNSSEC? Paul Ebersman – May 2016 RIPE72 – Copenhagen 1.
Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.
1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa.
Packaging and Deploying Windows Applications
Security Issues with Domain Name Systems
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
State of DNSSEC deployment ISOC Advisory Council
Root Zone KSK Rollover: delay and next steps
Geoff Huston APNIC Labs September 2017
Root Zone KSK Rollover Update
SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU
Distributed Peer-to-peer Name Resolution
DNSSEC Status Update in UA
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
The Curious Case of the Crippling DS record
Trust Anchor Signals from Custom Applications
Presentation transcript:

OARC TAR Panel

La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press articles or attend conferences where they get the impression that “DNSSEC won’t “really be ready for N years” (e.g. RSA conference in San Francisco) or “TARs don’t work” will naturally delay action on their own part to deploy DNSSEC, sign zones or enable validation.

Can we Simplify the Task for Administrators?

Yes, I manage trust anchors

Tar Paper If we roll this out a bit at a time, people will start to use it Constructive “baby steps”

Pragmatic First Steps ITAR for TLD’s solves first level of problem. But it would be helpful to automate the work for the administrator (who may have DNSSEC expertise from “none” to “some” to “expert”) Minimum: publish a cookbook to explain how to set up validation Or -- TAR “fetcher” program, coupled with TAR “updater” program  Distribute TAR list with system/products  3-file approach –Distribution defaults –Local over-rides to defaults (delete, modify) –Local trust anchors  Auto-trust and/or TrustMan to automate RFC 5011 changes to keys  Set and forget

Next Level Down Example: MyBank.NL wants to sign with DNSSEC after hearing about Brazil’s Banco Bradesco cache- poisoning attack But.NL is not signed, so:  Do nothing  There are benefits to signing, but what do I do with my SEP Key?

model Bank SEP Bank SEP Attacker Options: don’t sign sign, but don’t publish key Publish in: DLV.NL tar, if it existed Bank web site other? TAR Management Options: manual fetch DLV List of lists Key Scrapers with P2P consistency checks Producer Consumer ISP Validating Resolver : Some expertise Local Policy sets what is trusted, what is not trusted End User Resolver no expertise ?

Local Policy Example: The X-(Tar) Files

Local Policy 2: Security is a Trade-Off “Trust, but Verify”

Peer 2 Peer Local Policy can turn on/off or set how many friends must agree from how many places before trust begins to grow Policy could be set to  None  Check, but don’t set AD  Set AD if everybody agrees –Would anyone do this? More interestingly, “negative trust” can be inferred if a zone shows up with no key when a key is expected, or a different key than friends found earlier (but that doublecheck because a rollover may be happening)

Summary Don’t Shoot Ourselves in the foot; if you have something to say to the outside world, do it constructively Baby Steps Simplify & Automate Local Policy

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.