Presentation is loading. Please wait.

Presentation is loading. Please wait.

Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of."— Presentation transcript:

1 Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of California, Berkeley Joe St Sauver, Internet2/University of Oregon 4:30-5:30PM, Wed Nov 3, 2010, Ballroom 1 Fall 2010 Internet2 Member Meeting, Atlanta http://pages.uoregon.edu/joe/dnssec-signing-panel/

2 Problem Statement Doing DNSSEC involves two tasks: 1) Cryptographically signing authoritative DNS records, and 2) Validating those signatures on recursive resolvers. Unfortunately: There’s nothing to validate if people don’t sign A limited number of domains (including relatively few dot edu’s) have signed to-date. 2

3 24 Signed 2 nd Level Dot Edus (per UCLA SecSpider) Berkeley.edu Carnegiemellon.edu Cmu.edu Desales.edu Example.edu Fhsu.edu Indiana.edu Internet2.edu Iu.edu Iub.edu Iupui.edu K-state.edu Ksu.edu Lsu.edu Merit.edu Monmouth.edu Penn.edu Psc.edu Suu.edu Tbu.edu Ucaid.edu Upenn.edu Upf.edu Weber.edu 3

4 BUT, We’re At A DNSSEC Adoption Inflection Point 4

5 Three Panelists Who Have Signed Their 2 nd Level Zones Today we’re going to be hearing from representatives of three edus who have signed their production domains: -- Michael Lambert, Pittsburgh Supercomputing Center -- Dan Pritts, Internet2 -- Michael Sinatra, University of California, Berkeley What lessons can we learn from the experiences of these early adopters? 5

6 Some Discussion Questions 1)How long have you been signing your zone(s) now? 2)What motivated you to sign your zones? -- Concerns about DNS insecurity? -- Desire to experiment and get experience with DNSSEC? -- Management “encouragement?” -- Other? 3)What zone or zones did you begin with? -- A test/trial zone? -- More important production zone(s)? -- Have you also signed your inverse address (in-addr/ptr) zone? 6

7 Some Discussion Questions 4) What tool or product are you using to sign your zones? -- Has that tool or product worked well for you? Did you run into any issues? Any tips -- Did you try any other tools? What was good or bad about those alternatives? 5) Did you see any performance impacts when you signed your zone? Any increase in zone size? Any increase in server memory, CPU, I/O, or network usage? 6) Did you spend time thinking about what algorithms you wanted to use to sign your zones? What did you pick and why? How about the key length you selected? 7

8 Some Discussion Questions 7) DNSSEC signatures are valid for a specified period of time. What validity period are you using? Have you run into any issues when rolling over keys? 8) What TTLs are you using for your DNSSEC-related records? 9) Do you do dynamic DNS? Is that compatible with DNSSEC? 10) Have you run into any firewall-related issues? 11) Many sites in higher education have offsite secondary DNS servers. Have you encountered any problem with DNSSEC and the secondary DNS servers you may use? 8

9 Some Discussion Questions 12) How hard was it to get DNSSEC records added by the registry? 13) How are you protecting your private keys from being compromised? Do you think your organization understands how important those crypto keys are? 14) Are you monitoring your DNSSEC signed zone(s)? If so, what tool are you using to do that monitoring? 15) Do you have any emergency procedures in place to push a resigned zone if there are any unexpected issues? 9

Download ppt "Higher Education Experiences With DNSSEC Signing Michael Lambert, Pittsburgh Supercomputing Center Dan Pritts, Internet2 Michael Sinatra, University of."

Similar presentations

The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.

The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.
DNS46 for the IPv4/IPv6 Stateless Translator

DNS46 for the IPv4/IPv6 Stateless Translator
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Nassau Community College

Nassau Community College
DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.

DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.
DNSSEC In Higher Education Joe St Sauver, Ph.D. Internet2 Nationwide Security Program Manager or AMSAC Call, 1PM Pacific,

DNSSEC In Higher Education Joe St Sauver, Ph.D. Internet2 Nationwide Security Program Manager or AMSAC Call, 1PM Pacific,
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting (2008-01-16)

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS and DNSSec Eustace Asanghanwa Andrew Bates Shane Jahnke Brian Wilke.

DNS and DNSSec Eustace Asanghanwa Andrew Bates Shane Jahnke Brian Wilke.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Similar presentations

Ads by Google