Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.

Published byBethanie Cole Modified over 7 years ago

Similar presentations

Presentation on theme: "Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC."— Presentation transcript:

1 Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC

2 DNSSEC status Standard is complete and usable Minor nits with regards to some privacy issues in some contexts (nsec3, online signing) There are at least 2 implementations of servers (BIND and NSD) There is at least 1 implementation of a DNSSEC aware resolver (BIND 9.3.2 and later)

3 Bootstrapping DNSSEC follows a hierarchical model for signatures Sign the root zone Get the root zone to delegation-sign TLDs Get TLDs to delegation-sign SLDs …..

4 Unsigned root and TLDs Today the root zone remains unsigned Likely this way for some time Very few TLDs have signed their zones and offer delegation signatures.se,.pr,.bg,.br

5 But I want my zone signed DNSSEC provides for local implementations to be able to insert local trust anchors, entry points into the secure system E.g. Trust-anchors clause in BIND Problem: If you have too many it becomes a nightmare to maintain, so it doesn’t get used

6 DLV Enter DLV, Domain Lookaside Validation Is an implementation feature, not a change to the protocol. A matter of local policy. It enables access to a remote, signed, repository of trust anchors, via the DNS Implemented in BIND’s resolver so far. More to follow?

7 DLV lookup A DLV enabled resolver will try to find a secure entry point using regular DNSSEC processes and IF IT FAILS, and has DLV configured, will issue a search on the specified DLV tree

8 Enabling DLV On the resolver (so far only BIND) – Add to named.conf In the options section: // DNSSEC configuration dnssec-enable yes; dnssec-lookaside. trust-anchor dlv.isc.org.; In BIND 9.4 add dnssec-validation yes; By itself trusted-keys { dlv.isc.org. 257 3 5 "BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0wFzoF kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERN uymtKZSCZvkg5mG6Q9YORkcfkQD2GIRxGwx9BW7y3ZhyEf7ht/jEh01N ibG/uAhj4qkzBM6mgAhSGuaKdDdo40vMrwdv0CHJ74JYnYqU+vsTxEIw c/u+5VdA0+ZOA1+X3yk1qscxHC24ewPoiASE7XlzFqIyuKDlOcFySchT Ho/UhNyDra2uAYUH1onUa7ybtdtQclmYVavMplcay4aofVtjU9NqhCtv f/dbAtaWguDB"; }; Get the Key from ISC’s web (http://www.isc.org/ops/dlv)

9 Using DLV BIND debugging is a bit hellish and user unfriendly. Working on tools to automate checks and make life easier BEWARE: If you want your zone to be signed and available ALL of your zone’s nameservers must be DNSSEC enabled

10 Registering To make your DNSSEC information available you must register with the DLV registry. – In ISC’s case, go to http://www.isc.org/ops/dlv and follow the instructionshttp://www.isc.org/ops/dlv – Two authentication methods: Cookie exchange In person authentication

11 DLV registries ISC is operating a DLV registry free of charge for anyone who wants to secure their DNS. – See https://secure.isc.org/ops/dlv/ Have a look and use it!

12 Questions?

Download ppt "Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting (2008-01-16)

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.

11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Rev 1.012010-06-03. Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.

Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.

Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.

Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.
1 Windows 2008 Configuring Server Roles and Services.

1 Windows 2008 Configuring Server Roles and Services.
DNSSEC deployment in NZ Andy Linton

DNSSEC deployment in NZ Andy Linton

Similar presentations

Ads by Google