Presentation is loading. Please wait.

Presentation is loading. Please wait.

Signed since September 2005 What’s it like 7 months later? Anne-Marie Eklund Löwinder,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Signed since September 2005 What’s it like 7 months later? Anne-Marie Eklund Löwinder,"— Presentation transcript:

1 www.iis.se.SE Signed since September 2005 What’s it like 7 months later? Anne-Marie Eklund Löwinder, amel@iis.se

2 www.iis.se What is.se? The Kingdom of Sweden TLD operated by II-stiftelsen ~ 442 446 domains (2006-04-25) A daily growth with ~500 domains 7 unicast servers + 2 anycast clusters

3 www.iis.se Why? Increase integrity of the DNS Increase security for.SE domain holders and their users. ‣ A countermeasure against pharming and other DNS MITM attacks. ‣ An infrastructure strengthening technique. ‣ A contemplated use of DNSSEC is for authenticated distribution of public keys for other security schemes. Called upon by the authorities (the Swedish Post and Telecom Agency, PTS). New applications ENUM

4 www.iis.se When? First workshop in February 1999 Testing since January 2003 Public testing since January 2004 RFC 4033, 4034 & 4035 (aka DNSSEC bis) were published in March 2005. September 13th 2005,.se started to distribute the signed.se zone. Signed delegations for early adopters from mid- November 2005. More extensive tests started February 1st, 2006.

5 www.iis.se Key Management Zonefile SignerKSK ZSKKSK ZSK

6 www.iis.se Behind the scenes

7 www.iis.se Distribution All.SE name servers has been DNSSEC enabled since June 2005. Servers are running BIND or NSD. Different platforms and operating systems: ‣ FreeBSD, NetBSD, Linux, Solaris ‣ Sparc, Alpha, x86

8 www.iis.se.SE Name Servers NetnodStockholm, Gothenburg, Sundsvall + Anycast Service Telia SoneraStockholm, Malmo KTH NocStockholm, Umea VerisignAnycast Service

9 www.iis.se Monitoring Nagios has been extended to perform basic DNSSEC checks –Warn for signatures soon to expire –Test for correct DNSSEC additional processing –Check the integrity of some signatures

10 www.iis.se Signing childs – secured delegations The domain must be a sub domain of.SE. The domain holder must sign a limitation of liability statement with IIS. The domain holder must provide IIS with a technical contact person. IIS must be able to authenticate the technical contact person using a certificate signed by a certificate authority trusted by.SE’s key management tool KEYMAN. The domain must be delegated to one or more name servers, all of them supporting DNSSEC according to RFC 4033, 4034 and 4035.

11 www.iis.se Child Key Management KEYMAN is used for early adopters New registry & registrar system with integrated DNSSEC planned for Q4 2006

12 www.iis.se New Registry Todays registry model in.se is “confusing” No clear relation between registrar and registrant New registry service will be EPP based, and have a purer Registry – Registrar relationship Registrars will handle DNSSEC through EPP Requirements for DNSSEC? (Probably some extra paragraphs in the registrar agreement) Authentication of registrants?

13 www.iis.se Certificate Authorities trusted by.SE Posten Sverige AB SIS ID CA v1 (The Swedish Post) Telia e-id CA CAcert.org Thawte Personal Freemail SwUPKI CA (Swedish Universities PKI CA) If someone think that their favourite CA is not in the list, they may contact us, and we will consider adding it.

14 www.iis.se Keyman Keyman is a prototype DNSSEC child key manager used to register keys with.SE – until the new EPP registry is in place Stores active keys in a database - fetch new keys via DNS User selects active keyset DS records generated from database Not scalable to big zones with a great number of delegations

15 www.iis.se Signing a zone

16 www.iis.se Lessons learned Stating the obvious…  You might be aware of this already  If not, you probably will be

17 www.iis.se Do not run BIND 8.

18 www.iis.se Make sure your firewall can handle EDNS.

19 www.iis.se Separate authoritative and recursive name servers.

20 www.iis.se DNSSEC capable software AuthoritativeRecursive ISC BIND Nominum ANSNominum CNS NSD

21 www.iis.se Performance - resolving We are measuring to get a picture of what DNSSEC does to performance in the DNS environment. A report will be published very soon. From what we experience there are no big differences running without DNSSEC or with DNSSEC enabled.

22 www.iis.se What is the performance hit on a typical ISP resolver if they would enable DNSSEC validadtion for.se today?

23 www.iis.se Query Test Data 1 hour (15.00-16.00 MET) quries from customers of a large Swedish ISP Queries recorded via tcpdump and anonymized using tcpreplay Average query load 966 qps

24 www.iis.se Measurement Queries per seconds measured Name server CPU time usage measured Queries / cpusec used as comparison

25 www.iis.se Public resolvers.SE provides public resolvers for testing purposes: ‣ bind.dnssec.se ‣ cns.dnssec.se http://dnssec.nic.se/recursive/

26 www.iis.se Server configuration The DNS operator are strongly recommended to always check the current key - not only copy and paste without verification. The.SE Key Signing Key (KSK) will be changed from time to time. If anyone configure this key into their resolver, we strongly recommend them to subscribe to the dnssec-announce@lists.nic.se mailing list where we will notify key rollovers.

27 www.iis.se Tests - Phase 1 Friendly users 18 zones and 11 different domain holders Short period of time Some test participants failed to update their signatures before expiration date No other problems reported

28 www.iis.se Tests phase 2 Extended test population New agreement on Limitation of Liability Running for 12 months Now 27 zones and 20 different domain holders Planning to send out a survey to get some idea about the participants experiences so far

29 www.iis.se Zone walking What about it ? The whois service for.se only shows registration status and delegation information Extended information on domain names are only available via web interface and protected by CAPTCHA. We’ve noticed some - but no alarming –activity Working very actively with the development of NSEC3

30 www.iis.se Costs? 2004 –Project budget 350.000 SEK (appr. 35.000 Euros) 2005 –Project budget 950.000 SEK (appr. 95.000 Euros) 2006 –Project budget appr. 100.000 Euros

31 www.iis.se To do list - 2006 Tests Phase 2 –Extended tests with more users ending in January 2007 Enable DNSSEC validation at ISP’s - Information –Conference co-arranged with PTS. Try to reach ISP:s to convince them to enable DNSSEC on resolvers for their broadband customers. Sign important DNS infrastructure - Education –1 ½ day sponsored ”hands on” tutorial, participants from registrars, DNS service providers for banks, government agencies, large media companies, ISP:s. Sharing the.se model - Documentation –”DPS”, technical descriptions, code distribution, administrative routines.

32 www.iis.se Documentation & Policy DNSSEC Policy and Practice Statement DNSSEC Limitation of Liability DNSSEC Environment description Deployment information for other TLDs Internal technical and administrative documentation

33 www.iis.se Thank you! Questions? dnssec-info@iis.se http://dnssec.iis.se/

Download ppt "Signed since September 2005 What’s it like 7 months later? Anne-Marie Eklund Löwinder,"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
International Telecommunication Union ENUM Issues and Solutions Houlin Zhao Director Telecommunication Standardization Bureau International Telecommunication.

International Telecommunication Union ENUM Issues and Solutions Houlin Zhao Director Telecommunication Standardization Bureau International Telecommunication.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Internet Identity For All.my ccTLD IPv6 Update By Lai Heng Choong Head of Application, Database and Security.my DOMAIN REGISTRY APTLD Member Meeting, 1.

Internet Identity For All.my ccTLD IPv6 Update By Lai Heng Choong Head of Application, Database and Security.my DOMAIN REGISTRY APTLD Member Meeting, 1.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
© 2003 Public Interest Registry Whois Workshop Introduction to Registry/Registrar Issues Presented by Bruce W. Beckwith VP, Operations June 23, 2003 Serving.

© 2003 Public Interest Registry Whois Workshop Introduction to Registry/Registrar Issues Presented by Bruce W. Beckwith VP, Operations June 23, 2003 Serving.
Sonnenglanz Consulting BV 28 September 20101 CPA Management Idea’s for large-scale deployments E.J. Van Nigtevecht Sonnenglanz Consulting BV.

Sonnenglanz Consulting BV 28 September CPA Management Idea’s for large-scale deployments E.J. Van Nigtevecht Sonnenglanz Consulting BV.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
CAMP - June 4-6, 2003 1 Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin 2003. This work is the intellectual property of the authors.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.

Similar presentations

Ads by Google