Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC Operations in .gov

Published byLora Lambert Modified over 5 years ago

Similar presentations

Presentation on theme: "DNSSEC Operations in .gov"— Presentation transcript:

1 DNSSEC Operations in .gov
Scott Rose, NIST 27th DNS-OARC Workshop San Jose CA

2 Topics Covered Signing algorithm usage DS Hash algorithms in use
Including algorithm rollovers DS Hash algorithms in use NSEC/NSEC3 Usage NSEC3 parameter choices and changes Question: Is DNSSEC being used properly in .gov? If not, what needs to be improved?

3 DNSSEC Deployment in .gov
Holding steady at ~84% for federal, ~20% overall

4 Algorithms used in .gov 2015* 2016 2017 None 226 3919 2936
RSA/SHA-1 (5) 63 76 83 RSA/SHA-1 NSEC3 (7) 510 521 456 RSA/SHA-256 525 618 603 RSA/SHA-512 1 5 6 ECDSA P-256** Totals 1325 5140 4085 *Monitored list contained only federal .gov domains until 2016, when a larger list including state and local .gov delegations was published. **ECDSA with Curve P=256 was only recently allowed for upload to .gov registrar

5 Algorithm rollover 2015-2017 From->To 2015->2016 2016->2017
5 ➢ 7 3 1 5 ➢ 8 4 7 7 ➢ 5 9 5 ➢ 0 7 ➢ 10 7 ➢ 8 22 51 8 ➢ 5 2

6 DS RR Hashes Used Hash Algorithm Used Number of Zones Neither 23
SHA-1 only 114 SHA-256 only 93 Both 915 (June, 2017) Technically, SHA-1 is still allowed for use in DS RRs due to the fact that the security in the DS RR is in the RRSIG over the DS RRset, not the DS RR itself. The hash in the DS RR is there to identify the DNSKEY RR in the child delegation.

7 NSEC3 Parameters – Iterations
Note: From RFC 5155 (Sec 10.4) the Iterations value SHOULD be below 500.

8 NSEC3 Parameters – Salt Length

9 NSEC3 Usage: Changes to Salt/Iterations
Changes in Salt Values and/or Number of Iterations in .gov Delegations that use NSEC3 (June 2017 – Aug 2017, 968 zones monitored). Operation Num. Zones Changed Salt 553 Changed Iterations 20 Of those zones, 18 zones changed both during this period Every zone also rotated keys (even those that did not change parameter values) – so it isn’t always synced with ZSK rollovers

10 What Should be Done? Nothing (i.e. not a problem)?
Get automated NSEC3 parameter changes built into appliances? Promote best common practices?

Download ppt "DNSSEC Operations in .gov"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai

DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Phil Regnauld Hervey Allen June 2009 Papeete, Tahiti DNSSEC overview.

Phil Regnauld Hervey Allen June 2009 Papeete, Tahiti DNSSEC overview.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
Introduction to DNSSEC AROC Bamako, Mali, 2010. What is DNSSEC?

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
NSEC3 Status and Issues IETF 65 21 March 2006 Geoffrey Sisson Ben Laurie Roy Arends.

NSEC3 Status and Issues IETF March 2006 Geoffrey Sisson Ben Laurie Roy Arends.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Similar presentations

Ads by Google