
DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE, Version 0.2. Sparta, Inc., 7075 Samuel Morse Dr., Columbia MD 21046. Ph: 410.872.1515. sparta-dnssec@tislabs.com


2 Key Generation (diagram). Step 2: Zone Signing Key (ZSK) generation produces the ZSK public and private keys. Step 3: Key Signing Key (KSK) generation produces the KSK public and private keys. Store the keys safely and at different locations.

3 Zone Signing with absent or "unsecured" child delegations (diagram). Inputs: the unsigned zone file and the ZSK and KSK (public and private) from steps 2 and 3. Step 4: check the zone for errors, giving the checked zone file (with keys). Step 4.2: include the public keys in the zone file. Step 4.5: zone signing operation, with key names given as command line arguments to dnssec_signzone. Outputs: signed zone file, keyset file, DSset file.

4 Zone Signing with secured child delegations (diagram). Inputs: the unsigned zone file, the ZSK and KSK (public and private) from steps 2 and 3, and the keyset file received from the child zone through secure exchange of the keyset file. Step 5: check the zone for errors, giving the checked zone file (with keys). Step 5.2: include the public keys in the zone file. Step 5.5: zone signing operation; the child keyset's value or location is given as command line arguments to dnssec_signzone. Outputs: signed zone file (with the child's DS), keyset file, DSset file.

5 Securing Delegations – Child zone activity (diagram). The keyset file produced by the zone signing operation (step 4.5 or 5.5) is sent to the parent zone by secure exchange of the keyset file (step 7.2). The parent creates the delegation (step 8) and generates the DSset. Step 7.3: wait for the correct DS to appear in the parent's named process.

6 Securing Delegations – Parent zone activity (diagram). Step 8.1: the keyset file (from the child) arrives by secure exchange of the keyset file. Inputs: the unsigned parent zone file (containing the delegation to the child) and the public keys at the parent (ZSK and KSK). Step 8.4: zone signing operation, producing the signed zone file (with the child's DS), the keyset file and the DSset file. Step 8.5: reload the parent zone into the named process.

7 ZSK Rollover – Pre-publish scheme (diagram). Start: signed zone, DS set and keyset from the old ZSK and KSK (public keys: old ZSK and KSK; private keys: old ZSK and KSK). Step 9.2: Zone Signing Key (ZSK) generation produces the new ZSK (public and private). Step 9.4: zone signing operation on the unsigned zone file, with the new ZSK public key added to the published keys, still signed with the old ZSK (private). Step 9.5: reload the zone. Step 9.6: wait one max zone TTL. Step 9.7: zone signing operation, now signed with the new ZSK (private). Step 9.8: reload the zone. Step 9.9: wait one max zone TTL. Step 9.11: zone signing operation with the old ZSK removed. Step 9.12: reload the zone. End. Each zone signing operation produces a signed zone, DS set and keyset.
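The pre-publish rollover on the slide above, as an added example that is not part of the guide: a Python model (the key names and the cache-skew rule are assumptions) that checks every DNSKEY/RRSIG combination a validating resolver could hold between reloads, and shows what breaks when the TTL wait at step 9.6 or 9.9 is skipped or when the keys are simply swapped.

```python
# Added example (not from the Sparta guide): a model of the pre-publish ZSK
# rollover, checking why steps 9.6 and 9.9 each wait one max zone TTL.
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedZone:
    """One signed and reloaded zone: the DNSKEY RRset it publishes and the ZSK
    whose private half produced the zone's RRSIGs. Key names are constructed."""
    dnskeys: frozenset
    signer: str


def prepublish_rollover(old: str = "ZSK-old", new: str = "ZSK-new") -> list:
    """Zone states after steps 9.4, 9.7 and 9.11 (plus the starting zone)."""
    return [
        SignedZone(frozenset({old}), old),       # start: old ZSK only
        SignedZone(frozenset({old, new}), old),  # 9.4: publish new ZSK, sign with old
        SignedZone(frozenset({old, new}), new),  # 9.7: sign with the new ZSK
        SignedZone(frozenset({new}), new),       # 9.11: retire the old ZSK
    ]


def naive_rollover(old: str = "ZSK-old", new: str = "ZSK-new") -> list:
    """A one-step key swap with no pre-publication, for comparison."""
    return [SignedZone(frozenset({old}), old), SignedZone(frozenset({new}), new)]


def validates_everywhere(states: list, skew: int = 1) -> bool:
    """A validating resolver may hold a DNSKEY RRset cached from state i together
    with an RRSIG cached from state j. Waiting one max zone TTL between reloads
    bounds |i - j| to `skew` (1 when every wait is honoured; 2 if one wait is
    skipped). Return True only if every reachable pair validates."""
    for i, key_state in enumerate(states):
        for j, sig_state in enumerate(states):
            if abs(i - j) <= skew and sig_state.signer not in key_state.dnskeys:
                return False
    return True


if __name__ == "__main__":
    print("pre-publish, waits honoured:", validates_everywhere(prepublish_rollover()))
    print("pre-publish, one wait skipped:", validates_everywhere(prepublish_rollover(), skew=2))
    print("naive swap:", validates_everywhere(naive_rollover()))
```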

8 KSK Rollover – Double Signature Scheme (diagram). Start: signed zone, DS set and keyset (public keys: ZSK and old KSK; private keys: ZSK and old KSK). Step 10.2: Key Signing Key (KSK) generation produces the new KSK (public and private). Step 10.4: zone signing operation on the unsigned zone file with both the old and the new KSK, signed with the ZSK (private), the old KSK (private) and the new KSK (private), producing a signed zone, DS set and keyset. Step 10.5: reload the zone. Step 10.6: wait one max zone TTL. Send the keyset to the parent zone by secure exchange of the keyset file (step 8, Secure delegation – parent zone activity) and wait for the correct DS to appear in the parent's named process (step 7.3). Step 10.8: zone signing operation in which, of the old public keys (ZSK and old KSK), only the ZSK is included alongside the new KSK, producing a signed zone, DS set and keyset (step 10.9). Step 10.10: reload the zone. End.

9 Emergency ZSK Rollover (diagram). Start: unsigned zone file, KSK public key and KSK (private). Step 11.1: Zone Signing Key (ZSK) generation produces the new ZSK (public and private). Step 11.3: zone signing operation with the KSK public key and the new ZSK public key, signed with the KSK (private) and the new ZSK (private), producing a signed zone, DS set and keyset. Step 11.4: reload the zone. End.

10 Emergency KSK Rollover (diagram). Start: unsigned zone file, ZSK public key and ZSK (private). Step 12.1: Key Signing Key (KSK) generation produces the new KSK (public and private). Step 12.3: zone signing operation with the ZSK public key and the new KSK public key, signed with the ZSK (private) and the new KSK (private), producing a signed zone, DS set and keyset (step 12.4). Send the keyset to the parent zone by secure exchange of the keyset file (step 8, Secure delegation – parent zone activity) and wait for the correct DS to appear in the parent's named process (step 7.3). Step 12.7: reload the zone. End.

