
DNSSec. TLD is signed! What next? V. Dolmatov, November 2011 (presentation transcript)

2 Topics
- DNSSec now (November 2011)
- Cryptography in DNSSec
- DNSSec caveats and pitfalls

3 DNSSec at a glance (managerial view)
- 15 years of development (!)
- Finally, the root zone is signed and deployed
- Some (84 of 310) TLDs are signed
- Some (78 of the 84) signed TLDs are linked to the root by DS records
- Some (few!) registrars are DNSSEC-aware; more to come

4 DNS at a glance (technical view)
[Diagram: the delegation chain root -> .tld -> domain.tld, with NS, A, MX, etc. records at each level. Roles shown: root operator, .TLD registry, .TLD registrar, DNS administrator, domain administrator, and the user's DNS caching resolver, which starts from the named.root hints file.]

5 DNSSec at a glance (technical view)
[Diagram: the same chain root -> .tld -> domain.tld, now with a DNSKEY and RRSIG at each level and a DS record in each parent pointing at the child's key. Roles as before: root operator, .TLD registry, .TLD registrar, DNS administrator, domain administrator; the user's DNS caching resolver now holds the root trust anchor instead of only the hints file.]

6 Cryptic cryptos
- Cryptography is a sensitive field
- Cryptography has many specifics of its own
- Cryptography is monitored and controlled by governments
- Different countries have different laws and rules, and a service that crosses borders has to follow all of them at the same time

7 GOST cryptography
- GOST 28147-89 (block cipher), GOST R 34.10-2001 (digital signature), GOST R 34.11-94 (hash function): open, and proven reliable and stable in long use
- Published as RFCs 5830, 5831 and 5832
- Open and unrestricted use anywhere in the world
- In Russia, certified implementations must be used for public services and/or for handling personal data

8 GOST in DNSSEC
- RFC 5933, Standards Track
- DNSKEY/RRSIG algorithm number 12 (ECC-GOST, GOST R 34.10-2001 signatures)
- DS digest type 3 (GOST R 34.11-94)
- Together, a fully featured DNSSEC algorithm suite built from GOST algorithms
(Editor's note: since this talk, RFC 9558 (2024) has defined the successor suite based on GOST R 34.10-2012 and GOST R 34.11-2012 and moved RFC 5933 to Historic status; the codes above are the 2011 ones.)

9 GOST implementation
- OpenSSL 1.0.0a and later (GOST engine implemented by Cryptocom)
- Unbound 1.4.6: GOST support included by default
- BIND 9.8.0: GOST support included by default

10 DNSSEC with GOST in the wild
- Root zone: RSA signed
- .org TLD: RSA signed
- dnssec-with-gost.org: GOST signed (test zone)
- gost.dnssec-with-gost.org: GOST signed
- rsa.dnssec-with-gost.org: RSA signed

11 RSA-GOST chain (root and .org signed with RSA, dnssec-with-gost.org signed with GOST): validates OK!

12 RSA-GOST-RSA chain (an RSA-signed child, rsa.dnssec-with-gost.org, delegated from the GOST-signed zone): validates OK!
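The DNSKEY -> DS linkage drawn on slide 5 and exercised by the mixed RSA/GOST chains on slides 10 to 12 can be worked through in a few lines. The Python below is an added example, not code from the presentation or from any of the tools it names: it implements the DNSKEY RDATA and key-tag computation from RFC 4034 and the DS digest from RFC 4034/RFC 4509 using only the standard library. The 64-byte key is a constructed placeholder, not a real GOST R 34.10-2001 public key, and the digest-type-3 path assumes a Python whose OpenSSL exposes the GOST hash under the name md_gost94; on other builds that path raises and is otherwise not exercised.

```python
"""Added example (not from the slides): DNSKEY -> key tag -> DS, RFC 4034 / 4509."""
import hashlib
import struct

# DNSSEC algorithm numbers and DS digest types used on the page (IANA registry).
ALG_RSASHA256 = 8
ALG_ECCGOST = 12                          # GOST R 34.10-2001, RFC 5933
DS_SHA1, DS_SHA256, DS_GOST94, DS_SHA384 = 1, 2, 3, 4

# Constructed placeholder "public key": 64 bytes, the size of a GOST R 34.10-2001 key.
PUBKEY = bytes.fromhex("0001" * 32)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lower case, uncompressed."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA = flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 s.5.1.4."""
    data = name_to_wire(owner) + rdata
    if digest_type == DS_SHA1:
        return hashlib.sha1(data).digest()
    if digest_type == DS_SHA256:
        return hashlib.sha256(data).digest()
    if digest_type == DS_SHA384:
        return hashlib.sha384(data).digest()
    if digest_type == DS_GOST94:
        # Assumption: OpenSSL GOST engine available; otherwise hashlib raises ValueError.
        return hashlib.new("md_gost94", data).digest()
    raise ValueError(f"unsupported DS digest type {digest_type}")


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int):
    """The DS RDATA the parent publishes: (key tag, algorithm, digest type, digest hex)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type).hex().upper())


def ds_matches(ds, owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """What a validator does with a parent's DS: recompute it over the child's DNSKEY
    and compare every field. Key tag alone is not enough; digest and algorithm must match."""
    return ds_record(owner, flags, algorithm, pubkey, ds[2]) == ds


def demo():
    """Parent .org (RSA) carries a SHA-256 DS for a GOST-keyed child: the DS digest type
    and the child's signing algorithm are independent, which is why slides 11 and 12 work."""
    ds = ds_record("dnssec-with-gost.org.", 257, ALG_ECCGOST, PUBKEY, DS_SHA256)
    ok = ds_matches(ds, "dnssec-with-gost.org.", 257, ALG_ECCGOST, PUBKEY)
    tampered = ds_matches(ds, "dnssec-with-gost.org.", 257, ALG_ECCGOST, PUBKEY[:-1] + b"\x02")
    return ds, ok, tampered


if __name__ == "__main__":
    ds, ok, tampered = demo()
    print("DS:", *ds)
    print("genuine key matches DS:", ok, "| tampered key matches DS:", tampered)
```

The digest type in the parent's DS and the algorithm of the child's DNSKEY are chosen independently, so an RSA-signed parent can delegate to a GOST-signed child (slide 11) and a GOST-signed zone can delegate to an RSA-signed one (slide 12). The caveat for the "in the wild" chains: a resolver that does not implement algorithm 12 cannot check the child's RRSIGs at all, and under RFC 4035 it then treats that zone as insecure (unsigned), not bogus, so the GOST branch only gains protection on GOST-capable validators.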

13 How to switch it on?
- Name servers and resolvers: Unbound 1.4.6 + ldns, ready now; BIND 9.8.0, ready now
- Cryptography, open version: OpenSSL 1.0.0a with the GOST engine
- Cryptography, certified version: "MagPro DNS" by Cryptocom
- OpenDNSSEC: GOST support has moved to the 2.x version

14 DNSSEC in Russia
- All the main DNSSEC software components are GOST-capable
- A certified GOST DNSSEC implementation is also available
- Still waiting for GOST-capable DNSSEC support in the .RU, .SU and .РФ TLDs
- Use of GOST-signed zones under other TLDs is not restricted

15 DNSSec caveats and pitfalls
- A false feeling of "security" ("using cryptography makes everything secure")
- Generating keys and switching DNSSec "on" in a given zone does NOT automatically make that zone more secure
- Signing a TLD zone and linking it to the root does NOT mean DNSSec has been "implemented" in that TLD
- DNSSec demands a LOT of changes in the TLD's DNS operations and procedures: key management, key rollover, re-signing, and DS handling with registrars

16 DNSSec at a glance (operational view)
[Diagram: the same chain as slide 5 (DNSKEY, RRSIG and DS at root, .tld and domain.tld; root operator, .TLD registry, .TLD registrar, DNS administrator, domain administrator, user's caching resolver with the trust anchor), this time read as the set of parties whose operational procedures must all change.]

17 DNSSec caveats and pitfalls (cont.)
- A false feeling of "authenticity" ("using DNSSec makes everything authentic")
- DNSSec was designed to solve particular DNS operational problems: it proves that a record is the one the zone owner published
- A signed DNS record does NOT add any trust to the resource it points to (hello, DANE, EFF and other "initiatives")
- Huge problems with random-number sources: key generation depends on good entropy, and weak random sources are a serious and common failure

18 Questions? v.dolmatov@hostcomm.ru

