Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

2 DNSSEC: An Update. Olaf M. Kolkman, olaf@ripe.net. http://www.ripe.net/disi

3 DNS: Data Flow
[Diagram: the DNS data flow. Labelled elements: zone administrator, zone file, dynamic updates, registry/registrar provisioning, master, slaves, caching forwarder, resolver. The flows between them are numbered 1 to 5.]

4 DNS Vulnerabilities
[Diagram: the same data flow (zone administrator, zone file, dynamic updates, registry/registrar provisioning, master, slaves, caching forwarder, resolver), annotated with the threat at each step:]
–Corrupting data
–Impersonating master
–Unauthorized updates
–Cache impersonation
–Cache pollution by data spoofing
–Altered zone data

5 DNSSEC Provides Data Security
[Diagram: the same data flow (zone administrator, zone file, dynamic updates, registry/registrar provisioning, master, slaves, caching forwarder, resolver), with a signed record "example.com A 10.8.0.1" travelling from the zone file to the resolver.]

6 DEPLOYMENT NOW
[Diagram: DNS server infrastructure (signing, serving, validating) on one side; application and stub resolver on the other.]
DNS server infrastructure related
Protocol spec is clear on:
–Signing
–Serving
–Validating
Implemented in:
–Signer
–Authoritative servers
–Security aware recursive nameservers

7 DNSSEC Implementations
–BIND 9.3
–NSD 2 (authoritative only)
–Net::DNS::SEC for scripting tools

8 Main Improvement Areas
–“the last mile”
–Key management and key distribution
–NSEC walk

9 The last mile
[Diagram: validation happens in the recursive resolver; the application and stub resolver sit beyond it.]
How to get validation results back to the user: from the recursive resolver to the stub resolver to the application.
The user may want to make different decisions based on the validation result:
–Not secured
–Time out
–Crypto failure
–Query failure

10 Problem Area: Key Management
[Diagram: signing on the server side, validating in the recursive resolver, application and stub resolver beyond it.]
Keys need to propagate from the signer to the validating entity.
The validating entity will need to “trust” the key to “trust” the signature.
Possibly many islands of security.

11 Secure Islands and key management
[Diagram: a tree of zones under the root: net. (with money.net., kids.net., os.net.) and com., with further child names (geerthe, corp, dev, market, dilbert, unix, mac, marnick, nt); separately signed subtrees form islands of security.]

12 Secure Islands
Server Side
–Different key management policies for all these islands
–Different rollover mechanisms and frequencies
Client Side (Clients with a few to 10, 100 or more trust-anchors)
–How to keep the configured trust anchors in sync with the rollover
–Bootstrapping the trust relation
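The two key-management slides above describe a validator that must "trust" a key before it can trust a signature, and a client that carries a set of configured trust anchors. The following Python is an added illustration, not code from the talk or from any of the implementations it names: it shows the mechanics a validator uses to recognise a configured trust anchor in a zone's DNSKEY RRset. The key tag follows RFC 4034 Appendix B and the DS digest follows RFC 4034 section 5.1.4 with the SHA-256 digest type (RFC 4509); the DNSKEY records and the anchor are constructed sample data, and the DNSKEY, TrustAnchor and find_trusted_key names are this example's own.

```python
"""Trust-anchor matching for a DNSSEC validator (added example).

A validator holds trust anchors in DS form (key tag, algorithm, digest
type, digest). When it fetches a zone's DNSKEY RRset it must find the
key the anchor vouches for; if no key matches, the anchor is stale
(rolled over without the client being updated) or the zone is not the
one the client expects.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class DNSKEY:
    owner: str         # presentation-format owner name, e.g. "example.com."
    flags: int         # 257 = key-signing key (SEP bit), 256 = zone-signing key
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # DNSSEC algorithm number, e.g. 8 = RSASHA256
    public_key: bytes  # raw public key (what the base64 field decodes to)

    @classmethod
    def from_presentation(cls, line: str) -> "DNSKEY":
        """Parse one zone-file line: 'owner TTL IN DNSKEY flags proto alg base64...'."""
        fields = line.split()
        if "DNSKEY" not in fields:
            raise ValueError("not a DNSKEY record")
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        key_b64 = "".join(fields[i + 4:])  # base64 may be split over several fields
        return cls(fields[0], flags, protocol, algorithm, base64.b64decode(key_b64))

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit selector, not a cryptographic identity."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(key: DNSKEY) -> str:
    """Digest field of a digest-type-2 (SHA-256) DS record for this key, lowercase hex."""
    return hashlib.sha256(canonical_name(key.owner) + key.rdata()).hexdigest()


@dataclass(frozen=True)
class TrustAnchor:
    """A configured trust anchor in DS form (what a resolver operator would store)."""
    key_tag: int
    algorithm: int
    digest_type: int   # only 2 (SHA-256) is handled here
    digest: str


def find_trusted_key(rrset: Iterable[DNSKEY], anchors: Iterable[TrustAnchor]) -> Optional[DNSKEY]:
    """Return the DNSKEY that some anchor vouches for, or None if the anchors are stale."""
    anchors = list(anchors)
    for key in rrset:
        # Protocol must be 3 and the Zone Key flag (0x0100) must be set (RFC 4034 2.1.1).
        if key.protocol != 3 or not key.flags & 0x0100:
            continue
        tag = key_tag(key)
        for ta in anchors:
            if ta.digest_type != 2 or ta.key_tag != tag or ta.algorithm != key.algorithm:
                continue  # cheap fields first; the digest comparison is the real check
            if ta.digest.lower() == ds_digest_sha256(key):
                return key
    return None


# Constructed sample data: two DNSKEYs for example.com. with made-up key bytes.
SAMPLE_RRSET: List[DNSKEY] = [
    DNSKEY.from_presentation("example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="),  # KSK
    DNSKEY.from_presentation("example.com. 3600 IN DNSKEY 256 3 8 BQY="),      # ZSK
]
# The anchor a client would have configured for the KSK above (derived here for the demo).
SAMPLE_ANCHOR = TrustAnchor(key_tag(SAMPLE_RRSET[0]), 8, 2, ds_digest_sha256(SAMPLE_RRSET[0]))


def demo() -> Optional[int]:
    """Key tag of the key the sample anchor matches, or None."""
    hit = find_trusted_key(SAMPLE_RRSET, [SAMPLE_ANCHOR])
    return key_tag(hit) if hit else None


if __name__ == "__main__":
    print("trusted key tag:", demo())
```

The check is deliberately ordered so that a stale anchor fails loudly rather than silently: after a key rollover that the client did not follow, find_trusted_key returns None and the resolver can report the "not secured" or "crypto failure" outcome the last-mile slide lists instead of treating the zone as validated.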

13 NSEC walk
The record for proving the non-existence of data allows for zone enumeration.
Providing privacy was not a requirement for DNSSEC.
Zone enumeration does provide a deployment barrier.
Work starting to study possible solutions:
–Requirements are gathered
–If and when a solution is developed it will be co-existing with DNSSEC-BIS !!!
–Until then on-line keys will do the trick.

14 Conclusion
DNSSEC Deployment can be started now.
–.SE is preparing for deployment by end of this year
Improvements will come, some work may take one or more years.

15 References
Some links:
–www.dnssec.net
–www.dnssec-deployment.org
–www.ripe.net/disi/dnssec_howto
–Apster number 12
