
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

Presentation on theme: "Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania"— Presentation transcript:

1 Internet2 DNSSEC Pilot
Shumon Huque, University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop, Minneapolis, Minnesota, U.S.A., Feb 14th 2007

2 Description of the Pilot
- Deploy DNSSEC
- Gain operational experience
- Does it work (does it catch anything?)
- Test DNSSEC-aware applications
- Participants sign at least one of their zones
- Exchange keys (trust anchors) that will allow them to mutually validate DNS data

3 What is DNSSEC?
- A system to verify the authenticity of DNS "data"
- RFC 4033, 4034, 4035
- Helps detect: spoofing, misdirection, cache poisoning
- Some secondary benefits appear: you could store keying material in DNS (DKIM, SSHFP, IPSECKEY, etc.)

4 A little background ..
- Feb '06: DNSSEC Workshop held at Albuquerque Joint Techs
- Mar '06: mailing list
- Apr '06: Internet2 Spring Member Meeting; advisory group formed and plans for a pilot project formulated
- May '06: pilot group began; bi-weekly conference calls and progress reports

5 Partner in DNSSEC Deployment Initiative
- Co-ordination: Internet2, Shinkuro (シンクロ)
- Some funding from US government

6 DNSSEC Deployment Efforts so far
- MAGPI GigaPoP: all zones, magpi.{net,org} & 15 reverse zones
- MERIT: radb.net, nanog.org
- NYSERNet: test zone nyserlab.org

7 Others considering or planning deployment
- University of Pennsylvania
- University of California - Berkeley
- University of California - Los Angeles
- University of Massachusetts - Amherst
- Internet2

8 DLV (DNSSEC Lookaside Validation)
- A mechanism to securely locate DNSSEC trust anchors "off-path"
- An early deployment aid until top-down deployment of DNSSEC happens
- Pilot group is in talks to make use of ISC's DLV registry
- More on this at a later date ..

9 More participants welcome!
- (participation not restricted to Internet2)
- Join mailing list
- Participate in conference calls

10 Thoughts on deployment obstacles (1)
- A chicken & egg problem: marginal benefits until much more deployment; why should I go first?
- We had (have?) the same problem with other technologies (IPv6 etc.)
- Some folks will need to take the lead, if there is hope for wider adoption
- Good way to find out how well it works

11 Thoughts on deployment obstacles (2)
- Operational stability
- More complicated software infrastructure
- New processes for: zone changes; secure delegations; security (protection of crypto keys); key rollover and maintenance; integration w/ existing DNS management software
- What is the experience of the pilot?

12 Thoughts on deployment obstacles (3)
- Additional system requirements: authoritative servers need memory; resolvers need memory & CPU
- Memory use can be calculated; probably not a big issue (unless you're .COM!)
- CPU: not too much of an issue today (dearth of signed data that needs validation)
- Caveat: some potential DoS attacks could hit CPU

13 Thoughts on deployment obstacles (4)
- Key distribution in islands of trust
- Why is there no top-down deployment?
- Work on signing root and (many) TLDs and in-addr.arpa is in progress: .SE, RIPE reverse done; .EDU work in motion
- Interim mechanisms like DLV exist
- Manual key exchange (unscalable)

14 Thoughts on deployment obstacles (5)
- Stub resolver security (e2e security)
- An area of neglect in my opinion
- Push DNSSEC validation to endstations?
- Secure path from stub resolver to recursive resolver; possibilities: SIG(0), TSIG, IPSEC

15 Thoughts on deployment obstacles (6)
- Application layer feedback: coming gradually
- DNSSEC-aware resolution APIs and applications enhanced to use them
- DNSSEC-aware applications: See
- Note: some folks think it might be nice to protect DNSSEC-oblivious applications silently as an interim step

16 Thoughts on deployment obstacles (7)
- Zone enumeration threat
- See NSEC3 record (spec almost done): draft-ietf-dnsext-nsec3-09.txt
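The NSEC3 mechanism the slide points at, as an added Python example that is not from the presentation: it computes hashed owner names the way RFC 5155 (the published form of the cited draft) specifies, SHA-1 over the wire-format name plus salt, re-applied for the configured iterations, and builds the resulting chain. Walking that chain yields hashes rather than hostnames, which is what blunts the enumeration that plain NSEC permits. The zone names, salt and iteration count below are constructed for the demonstration.

```python
import base64
import hashlib

# Added example (not from the slides): RFC 5155 NSEC3 hashed owner names.
# NSEC links real owner names, so walking the chain lists the zone; NSEC3
# links hashed owner names instead. Salt and iteration values are made up.

# Base32 "extended hex" alphabet (RFC 4648 section 7), which NSEC3 uses.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789abcdefghijklmnopqrstuv")


def dns_name_wire(name: str) -> bytes:
    """Canonical wire format: lowercase labels, each length-prefixed, root at the end."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex text as it appears in NSEC3 owner names (lowercase, no padding)."""
    return base64.b32encode(data).decode("ascii").translate(B32HEX).rstrip("=")


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """H(name) = SHA-1(name || salt), then re-hashed `iterations` more times."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = dns_name_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(zone_names, salt_hex: str, iterations: int):
    """Hashed owner names in chain order, each paired with its next-hash pointer."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]


if __name__ == "__main__":
    # Constructed zone contents: an NSEC chain would expose "secret-host" directly.
    zone = ["example.", "www.example.", "mail.example.", "secret-host.example."]
    for owner, nxt in nsec3_chain(zone, "aabbccdd", 12):
        print(f"{owner}.example. NSEC3 1 0 12 aabbccdd {nxt}")
```

RFC 5155 Appendix A contains a signed example zone whose NSEC3 records can serve as test vectors for the hash function.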

17 References
- Internet2 DNSSEC Pilot
- Mailing list: dnssec@internet2.edu
- Mailing list: Internet2 DNSSEC Workshop

18 References (2)
- DNSSEC(bis) technical specs: RFC 4033, 4034, 4035
- Related:
  - DNSSEC HOWTO
  - Threat analysis of the DNS: RFC 3833
  - Operational practices: RFC 4641
  - NSEC3: draft-ietf-dnsext-nsec3-09
  - DLV: draft-weiler-dnssec-dlv-01
  - draft-hubert-dns-anti-spoofing-00

19 Questions?
Shumon Huque, shuque -at- isc.upenn.edu

