Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania Sprint Internet2 Member Meeting Arlington, Virginia, U.S.A., Apr 23rd 2007.

Published byMelanie Gibbs Modified over 7 years ago

Similar presentations

Presentation on theme: "Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania Sprint Internet2 Member Meeting Arlington, Virginia, U.S.A., Apr 23rd 2007."— Presentation transcript:

1 Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania Sprint Internet2 Member Meeting Arlington, Virginia, U.S.A., Apr 23rd 2007

2 Shumon Huque2 This is mostly a repeat of a presentation I gave at the Winter 2007 Joint Techs meeting, February 2007, Minneapolis, Minnesota, U.S.A.

3 Shumon Huque3 Description of the Pilot http://www.dnssec-deployment.org/internet2/ Deploy DNSSEC Gain Operational experience Does it work (does it catch anything?) Test DNSSEC aware applications Participants sign at least one of their zones Exchange keys (trust anchors) that will allow them to mutually validate DNS data

4 Shumon Huque4 What is DNSSEC? A system to verify the authenticity of DNS “data” RFC 4033, 4034, 4035 Helps detect: spoofing, misdirection, cache poisoning Some secondary benefits appear: You could store keying material in DNS DKIM, SSHFP, IPSECKEY, etc

5 Shumon Huque5 A little background.. Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs Mar ‘06: dnssec@internet2 mailing list Apr ‘06: Internet2 Spring Member meeting Advisory group formed and plans for a pilot project formulated May ‘06: Pilot group began Monthly conference calls and progress reports

6 Shumon Huque6 Co-ordination Internet2 Shinkuro シンクロ Partner in DNSSEC Deployment Initiative http://www.dnssec-deployment.org/ Some funding from US government

7 Shumon Huque7 DNSSEC Deployment Efforts so far MAGPI GigaPoP All zones: magpi.{net,org} & 15 reverse zones https://rosetta.upenn.edu/magpi/dnssec.html MERIT radb.net nanog.org http://www.merit.edu/networkresearch/dnssec.html NYSERNet - test zone nyserlab.org

8 Shumon Huque8 Others considering or planning deployment University of Pennsylvania University of California - Berkeley University of California - Los Angeles University of Massachusetts - Amherst Internet2

9 Shumon Huque9 DLV (DNSSEC Lookaside Validation) A mechanism to securely locate DNSSEC trust anchors “off-path” An early deployment aid until top-down deployment of DNSSEC happens Pilot group is in talks to make use of ISC’s DLV registry http://www.isc.org/index.pl?/ops/dlv/ More on this at a later date..

10 Shumon Huque10 More participants welcome! (participation not restricted to Internet2) Join mailing list Participate in conference calls

11 Shumon Huque11 Thoughts on deployment obstacles (1) A Chicken & Egg problem Marginal benefits, until much more deployment Why should I go first? We had (have?) the same problem with other technologies (IPv6 etc) Some folks will need to take the lead, if there is hope for wider adoption Good way to find out how well it works

12 Shumon Huque12 Thoughts on deployment obstacles (2) Operational stability More complicated software infrastructure New processes for: Zone changes Secure delegations Security (protection of crypto keys) Key rollover and maintenance Integration w/ existing DNS management software What is the experience of the pilot?

13 Shumon Huque13 Thoughts on deployment obstacles (3) Additional system requirements Authoritative servers: memory Resolvers: memory & CPU Memory use can be calculated Probably not a big issue (unless you’re.COM!) CPU Not too much of an issue today (dearth of signed data that needs validation) Caveat: some potential DoS attacks could hit CPU

14 Shumon Huque14 Thoughts on deployment obstacles (4) Key distribution in islands of trust Why is there no top down deployment? Work on signing root and (many) TLDs and in- addr.arpa is in progress.SE, RIPE reverse done.EDU work in motion Interim mechanisms like DLV exist Manual key exchange (unscalable)

15 Shumon Huque15 Thoughts on deployment obstacles (5) Stub resolver security (e2e security) An area of neglect in my opinion Push DNSSEC validation to endstations? Secure path from stub resolver to recursive resolver Possibilities: SIG(0), TSIG, IPSEC

16 Shumon Huque16 Thoughts on deployment obstacles (6) Application layer feedback Coming gradually DNSSEC aware resolution APIs and applications enhanced to use them DNSSEC aware applications See http://www.dnssec-tools.org/ Note: some folks think it might be nice to protect DNSSEC oblivious applications silently as an interim step

17 Shumon Huque17 Thoughts on deployment obstacles (7) Zone enumeration threat See NSEC3 record (spec almost done) draft-ietf-dnsext-nsec3-09.txt Hashed Authenticated Denial of Existence Also provides “Opt-Out” (to allow spans of unsecured records in a signed zone)

18 Shumon Huque18 Additional BoF topics

19 Shumon Huque19 DLV participation procedures See Joao Damas’ earlier presentation ISC DLV registry http://www.isc.org/index.pl?/ops/dlv/ Policy and practice statement: https://secure.isc.org/ops/dlv/dlv-pol-pract-v1.0.php

20 Shumon Huque20 edu Top-Level-Domain signing Who’s involved: Educause, Verisign, US Dept of Commerce What can Internet2 schools do to help make this a reality? NSEC3 is not needed: edu zone is small (< 8000 delegations) Relatively static No zone privacy requirements

21 Shumon Huque21 Securing last hop(s) Most university threat models include untrustworthiness of the local network ie. path between client and recursive resolver is NOT secure Need stub resolvers capable of: 1. Validating DNSSEC signatures, or 2. Supporting channel protection mechanisms that allow them to authenticate response from recursive resolver SIG(0), TSIG etc

22 Shumon Huque22 Securing last hop(s) cont.. Which channel protection mechanism? Simple symmetric key TSIG has problems Can’t distribute same TSIG key to many clients - that allows any of them to forge DNS answers to others Need per-client keys and thus additional key management infrastructure SIG(0) may be more manageable A public key signature of the response msg Need to only distribute the public key

23 Shumon Huque23 Application feedback DNSSEC aware resolution API/libraries eg. draft-hayatnagarkar-dnsext-validator-api-03 Plus applications enhanced to use them

24 Shumon Huque24 References Internet2 DNSSEC Pilot http://www.dnssec-deployment.org/internet2/ http://rosetta.upenn.edu/magpi/dnssec.html Mailing list: dnssec@internet2.edudnssec@internet2.edu https://mail.internet2.edu/wws/info/dnssec Internet2 DNSSEC Workshop http://events.internet2.edu/2006/jt- albuquerque/sessionDetails.cfm?session=2491&ev ent=243

25 Shumon Huque25 References (2) DNSSEC(bis) technical specs: RFC 4033, 4034, 4035 Related: DNSSEC HOWTO: http://www.nlnetlabs.nl/dnssec_howto/ Threat analysis of the DNS: RFC 3833 Operational practices: RFC 4641 NSEC3: draft-ietf-dnsext-nsec3-09 DLV: draft-weiler-dnssec-dlv-01 draft-hubert-dns-anti-spoofing-00

26 Shumon Huque26 Questions? Shumon Huque shuque -at- isc.upenn.edu

Download ppt "Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania Sprint Internet2 Member Meeting Arlington, Virginia, U.S.A., Apr 23rd 2007."

Similar presentations

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Data You Can Trust: The Key to Information Security Dr. Burt Kaliski, Jr. Senior Vice President and CTO, Verisign 25 th HP Information Security Colloquium.

Data You Can Trust: The Key to Information Security Dr. Burt Kaliski, Jr. Senior Vice President and CTO, Verisign 25 th HP Information Security Colloquium.
Deploying Security for the Domain Name System Securing the Infrastructure Panel Allison Mankin, Amy Friedlander Shinkuro, Inc

Deploying Security for the Domain Name System Securing the Infrastructure Panel Allison Mankin, Amy Friedlander Shinkuro, Inc
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
Software Pieces for the DNSSEC-deployment roadmap SPARTA, Inc. 01/21/05.

Software Pieces for the DNSSEC-deployment roadmap SPARTA, Inc. 01/21/05.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.

Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman
1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
DNSSEC Deployment Initiative: Roadmap Version 2.0 Suresh Krishnaswamy, SPARTA Steve Crocker, Shinkuro, Inc.

DNSSEC Deployment Initiative: Roadmap Version 2.0 Suresh Krishnaswamy, SPARTA Steve Crocker, Shinkuro, Inc.
1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker

1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

Similar presentations

Ads by Google