State of DNSSEC deployment ISOC Advisory Council


1 State of DNSSEC deployment ISOC Advisory Council
John Schnizlein 2009 July 31

2 Improving security on the Internet
- We know we need to add security not designed in.
- DNSSEC demonstrates
  - The Internet Model supports developing security
  - Deployment of security is hard
- Other security efforts, such as securing routing information, are also being pursued.

3 Technical Background
- DNS – epitome of successful Internet application
  - Each domain manages its own names (servers)
  - Domains can delegate authority
  - Source defines records' Time To Live (TTL)
  - Separately managed resolvers follow references
  - Cache results for specified TTL
- DNSSEC exploits these features
  - Public-key signatures authenticate record sets
  - Resolvers empowered to validate signature
  - Chain of trust through the delegation hierarchy

4 History
- First specification (RFC 2065) in 1997
  - Oops – determined not deployable
- New design (RFC 4033, 4034, 4035) in 2005
  - Separated functions between child and parent
  - record (zone) signing from delegation signing
- Privacy concerns addressed (RFC 5155) in 2008
  - NSEC3 sequences hashes rather than names
  - Preventing “walking” all the zone’s records
- Note that deployment began during design

5 Deployment timeline
- 2005 October .SE (Sweden) signed TLD
- 2006 August .PR (Puerto Rico) signed TLD
- 2007 January .BG (Bulgaria) signed TLD
- 2007 June .BR (Brazil) signed TLD
- 2008 September .CZ (Czech Republic) signed TLD
- 2008 September .MUSEUM signed TLD
- 2009 February .GOV (U.S. government) signed TLD
- 2009 March .TH (Thailand) signed TLD
- 2009 June .ORG (unrestricted use) signed TLD
- Maybe (checking) .NA (Namibia) signed TLD

6 Deployment timeline
- 2005 October .SE (Sweden) signed TLD
- 2006 August .PR (Puerto Rico) signed TLD
- 2007 January .BG (Bulgaria) signed TLD
- 2007 June .BR (Brazil) signed TLD
- 2008 September .CZ (Czech Republic) signed TLD
- 2008 September .MUSEUM signed TLD
- 2009 February .GOV (U.S. government) signed TLD
- 2009 March .TH (Thailand) signed TLD
- 2009 June .ORG (unrestricted use) signed TLD
[Slide annotation: Months between: 10 < 5 < 3 < 0 < 1 <]

7 Tests and Plans Production Root
- 2007 June IANA made a test signed root available
- Workarounds deployed
  - 2006 March DNSSEC Look-aside Validation (DLV)
  - 2007 June Interim Trust Anchor Repository (ITAR)
- 2008 October NTIA requested views on signing the root
- 2009 May announced plan to sign root by end of 2009
- .JP (Japan) plans to sign by end of 2010
- Nominet is working on signing .UK using opendnssec.se
- Verisign plans to sign .NET by the end of 2010
- .COM early in 2011

8 Current Hot Issues
- What if the root really is signed? (June symposium)
  - Many recursive resolvers got ahead of root signing
  - What happens now when the root gets signed?
- Distributing trust anchors to validating resolvers
  - Use TARs?
  - Use software upgrade?
  - Need to accommodate “rolling” the root key

9 Discussion: Market Niches of DNSSEC value

10 Market Drivers
- Security is not just the right thing to do.
- Avoiding catastrophe: insufficient motivation
- Separate management demands cooperation
- Chicken or Egg problem (neither works w/o other)
- Who can benefit from validity-checked names?
- Not rhetorical question – really need advice
- Brainstorming begin..

11 InternetSociety.org

