Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker

Published byIsabella Tyler Modified over 8 years ago

Similar presentations

Presentation on theme: "1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker"— Presentation transcript:

1 1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein (sra@isc.org) Steve Crocker (steve@shinkuro.com) Suresh Krishnaswamy (suresh@tislabs.com) Russ Mundy (russ@tislabs.com)

2 2 REAL threats Email dropboxes on servers operated by some random hosting company –Do you trust those MX records? Ops procedures depending on reverse lookups (e.g. Traceroute, SMTP logs) Bogus NAPTRs reroute VoIP Anti-spam data in the DNS

3 3 Why now? DNSSEC protocol specifications are finally(!) complete* Big strides taken to make DNSSEC operationally viable Considerable time spent in making the specs robust Coordinated global effort to grow the deployed base * "This time for sure!" -- Bullwinkle J. Moose

4 4 DNSSEC Services Protocol Extensions to DNS provide –Data Integrity –Origin Authentication of DNS data –Authenticated Denial of Existence Meta-protocol elements (TSIG, SIG(0)) provide channel security –Secure zone transfer –“Last Hop” security DNSSEC does not provide confidentiality of data DNSSEC does not protect against DoS attacks

5 5 End-to-End protection signs this com. example.com sub.example.com Trusted DS DNSKEY A x.sub.example.com signs this refs

6 6 Typical DNS operations Child zoneParent zone Unsigned Parent Zone File (containing delegation to child) Unsigned child Zone File Wait for the correct NS to appear Reload the parent zone Reload the child zone Exchange of the delegation information NS/ glue information

7 7 Typical DNSSEC operations Child zoneParent zone Keyset File (from child) Secure Exchange of Keyset Unsigned Parent Zone File (containing delegation to child) Reload the parent zone Wait for the correct DS to appear Reload the child zone Unsigned child Zone File Gen keys DSset Signed Zone File) Keyset File Zone Signing operation Zone Signing Operation Signed Zone File (with child’s DS) Keyset File DSset File Generate keys

8 8 Registrant-Registrar-Registry Setup Registr ant Registry Wait for DS Keyset File (from child) DSset Signed Zone File Keyset File Sign Zone Signed Zone File Keyset File DSset File Reload child zone Unsigned child Zone File Reload parent zone Unsigned Parent Zone File Keyset File (from child) Secure Exchange of Keyset Registrar Gen keys

9 9 Registrant (Enterprise) view – What is different? Key gen and Key mgmt Zone signing operations Nameserver provisioning Need to securely transmit DNSSEC-related info to registrar Security from validating resolvers to non- validating stubs Incident handling

10 10 Registrar view – What is different? Need to securely receive DNSSEC-related information from the registrant Need to securely transmit DNSSEC-related info to registry Incident handling

11 11 Registry view – What is different? Need to securely receive DNSSEC-related information from the registrar Need to create the secure delegation in the parent zone Key generation and Key management operations Zone signing operations Nameserver provisioning –Size of zone data increases because of signatures –More computational power needed (crypto operations can take time) –Synchronized time (signatures have temporal dependency) Incident handling

12 12 Summary of existing DNSSEC tools Key generation tools Zone signing tools Zone checking tools Authoritative name server implementations Security-aware recursive (SAR) name server implementations

13 13 Tools – present and missing RegistrantRegistry Wait for the correct DS to appear Keyset File DSset Signed Zone File) Zone Signing operation Unsigned child Zone File Zone Signing Operation Signed Zone File (with child’s DS) Keyset File DSset File Unsigned Parent Zone File (containing delegation to child) Keyset File (from child) Registrar Reload the parent zone Reload the child zone EPP Extensions Generate keys Zone signing/ checking tools Key Generation tools Authoritative Nameserver SAR Nameserver Out of band

14 14 Various Ongoing Work Creation of tools, especially for troubleshooting and key management Development of policy and procedure guidance documents Creation of DNSSEC-aware end systems and applications –Need to define requirements and policies –Solving “last-hop” issues Trust anchor key rollover and distribution Prevention of zone walking

15 15 Enterprise-wide Experiments “Shadow” deployment efforts are ongoing –Mirroring DNSSEC operations in a non- production namespace to evaluate operational impact Workshops conducted for operators to gain familiarity and build faith in existing set of tools and procedures Some sites are already running signed DNSSEC zones

16 16 EPP extensions for DNSSEC EPP allows registrars with different operational models to access multiple registries via the same protocol Provisioning of DNS security extensions (DNSKEY, RRSIG, DS) Work In Progress

17 17 Registry-level Experiments NLnet (.nl) – Netherlands –http://www.nlnetlabs.nl/dnssec/http://www.nlnetlabs.nl/dnssec/ NIC-SE (.se) – Sweden –http://dnssec.nic-se.se/http://dnssec.nic-se.se/ JPRS (.jp) – Japan –DNSSEC field test in conjunction with ENUM trial (http://jprs.jp/en/)http://jprs.jp/en/ Verisign (.net DNSSEC pilot) – U.S. –http://www.dnssec-net.verisignlabs.com/http://www.dnssec-net.verisignlabs.com/ Verisign DLV (.com/.net) – U.S. –http://www.dlv.verisignlabs.com/http://www.dlv.verisignlabs.com/

18 18 Application-level Experiments SSH –Out-of-band verification of server public keys by looking up the fingerprint in the SSHFP resource record in DNS (http://www.ietf.org/internet-drafts/draft-ietf-secsh-dns-05.txt)http://www.ietf.org/internet-drafts/draft-ietf-secsh-dns-05.txt –Implementation in openSSH IPsec –Using the IPSECKEY RR to store data such as the public key and the gateway information for creation of IPsec tunnels (http://www.ietf.org/internet-drafts/draft-ietf-ipseckey-rr-11.txt)http://www.ietf.org/internet-drafts/draft-ietf-ipseckey-rr-11.txt –ipseckey patch for BIND-9.3.0

19 19 Hard(er) Problems Privacy – Not originally a goal Root key – Politically charged Killer app – Will DNSSEC be a “must have” Too many “trust anchors” until tree is filled in

20 20 DNSSEC Resources The DNSSEC deployment Working Group home page – http://www.dnssec-deployment.orghttp://www.dnssec-deployment.org Comprehensive DNSSEC resource page –http://www.dnssec.orghttp://www.dnssec.org Software –BIND 9.3.0 (http://www.isc.org)http://www.isc.org –NSD (http://www.nlnetlabs.nl/nsd/)http://www.nlnetlabs.nl/nsd/ –Net::DNS::Sec (http://www.ripe.net/disi/)http://www.ripe.net/disi/

Download ppt "1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.

Similar presentations

Ads by Google