Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Published byLesley Pitts Modified over 8 years ago

Similar presentations

Presentation on theme: "1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory."— Presentation transcript:

1 1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory

2 2 Overview Why is ESnet implementing DNSSEC? What is required? UPDATED How will DNSSEC be implemented in ESnet? o NIST SP800-81 -Implementation recommendations -http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdfhttp://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf o NIST SP800-53 Rev. 1 -FISMA Requirements - http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf

3 3 What is Required? OMB mandate in NIST SP800-53 Rev. 1 o TSIG for zone transfers -Has operational advantages beyond security enhancement -Firewall rules may cause issues -Required by SC-8 (Not obvious!) o Signed data only required by medium and high impact systems -Seems silly if it is not a general requirement -In SC-20 through SC22

4 4 Where is ESnet ? TSIG authentication of all zone transfers o Partly implemented o Most larger sites are using it o Some sites have old software lacking support o Some sites have firewall rules which complicate issues Signing of all forward zones o Test server is in service and working o As expected, key management IS a pain

5 5 Status of Implementation TSIG is currently implemented for several sites o Mandatory for new sites o PGP used for key distribution Signed data o Still not running on production servers -Will be in a few weeks o Our DNS management software does not support DNSSEC today (coming soon!) o No implementation problems on BIND systems o Still worried about key distribution and roll-over o Still targeting full production by mid-2008

6 6 Summary Progress has been made Requirements are now known o None (for ESnet) Hope for full implementation of TSIG by the end of the year Signed zones by the end of the year (ESnet zones) Still waiting on a final resolution to NSEC issue o Almost certainly NSEC3 o Will not ask sites to sign zones until resolved o That does not mean that you can't sign

Download ppt "1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March 7 2002.

Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
1 ICD10 Project Status January 31, 2012. 2 Current Timelines and Status - ICD10 Detailed Project Planning is progressing Key internal project milestones.

1 ICD10 Project Status January 31, Current Timelines and Status - ICD10 Detailed Project Planning is progressing Key internal project milestones.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Akamai DNS Offerings RSA © Conference 2013. ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.

Akamai DNS Offerings RSA © Conference ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
ProjectWise Overview – Part 1 V8 XM Edition

ProjectWise Overview – Part 1 V8 XM Edition
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.

Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
CD FY08 Tactical Plan Status FY08 Tactical Plan Status Report for Network Infrastructure Upgrades Rick Finnegan April 22, 2008.

CD FY08 Tactical Plan Status FY08 Tactical Plan Status Report for Network Infrastructure Upgrades Rick Finnegan April 22, 2008.

Similar presentations

Ads by Google