Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

Published byJared Gibson Modified over 8 years ago

Similar presentations

Presentation on theme: "DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose."— Presentation transcript:

1 DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose NIST scottr@nist.gov

2 DNSSEC-Deployment.org SNIP Goals DNSSEC is now a FISMA Requirement. –NIST SP-800-53-r1 (Dec 2006) “Recommended Security Controls for Federal Information Systems” mandates the incremental deployment of DNSSEC technologies in Moderate and High Impact IT systems. Moderate Impact – must sign zones. High Impact – must be prepared to validate signatures. Need to facilitate technology insertion and adoption. –Standards, implementations and policies don’t guarantee success. –Need for technical community resources and activities to foster early deployments, refine policies and plans, share information and expertise.

3 DNSSEC-Deployment.org SNIP Basics SNIP will build a USG DNS Ops community and shared pilot –Provide “distributed training ground” for.gov operators deploying DNSSEC –Ability to pilot agency specific scenarios either locally or in SNIP-provided resources. –Create a community resource for DNS admins in the USG to share knowledge and to refine specifications, policies and plans. SNIP basis is a signed shadow zone under.gov (dnsops.gov) –Will offer delegations and secure chaining to subzones example – NIST would participate as nist.dnsops.gov –May offer limited hosting service as well Goal isn't to be a hosting service, but help bootstrap others to host their own zones.

4 DNSSEC-Deployment.org SNIP as a Testbed Use SNIP tree to exercise DNSSEC operations –Test deployment DNSSEC scenarios. Multi-vendor platforms for authoritative / caching servers, resolvers. Zone structure / contents / distribution. –Test DNSSEC operations described in SP800-81 Zone signing, key rollovers, zone transfers. –Test DNSSEC administration tools (From NIST, Sparta and Shinkuro) –Test performance – in agency specific scenarios. Community hands-on participation –Agency DNS operators can participate in NIST/SPARTA led exercise. –Results will be published for community

5 DNSSEC-Deployment.org What SNIP is Not Mandatory Permanent –Expected lifetime: 2-3 years –The community tools and email lists will remain after the testbed activities conclude.. 100% Uptime –This is a experimental testbed in which we will conduct disruptive experiments, load/stress test servers, etc.

6 DNSSEC-Deployment.org Levels of Participation Delegation only –Participants use own testbed systems and perform all administration associated with setup / experimentation. Remote administration –Participants use SNIP testbed equipment, but perform all administration. Hosted experiments –NIST/SPARTA set up mirror of agency specific infrastructure, but using SNIP equipment and administration, for specific experiment. –For limited use in investigating specific deployment / technology issues.

7 DNSSEC-Deployment.org The Big Picture – DNSSEC in.gov Internet2 DNSSEC Pilot dnsops.gov. dhs.dnsops.gov. nist.dnsops.gov. antd.nist.dnsops.gov. fda.dnsops.gov. esnet.doe.dnsops.gov. zoneedit ag1.dnsops.gov. ag2.dnsops.gov. dns-outsource.com SNIP Core Infrastructure DREN DNSSEC Pilot

8 DNSSEC-Deployment.org Testbed Technical Details Multiple authoritative server implementations Internet2 connection (IPv6 testing) May have alternate hosting capabilities (multiple servers) –secondaries in other locations? Ability to host other zones (or servers) for delegations lacking equipment to participate fully. –Zone data can be real (servers), or anonymized Will maintain and publish trust anchor for dnsops.gov. tree

9 DNSSEC-Deployment.org SNIP Infrastructure Resources Primary Site – NIST / Gaithersburg MD. –Authoritative dnsops.gov. DNS servers Secondary Site – Sparta / Columbia MD –Geographic and network dispersion (sort of) –Zone transfers using TSIG for message authentication Reconfigurable Emulated wide area topology. –20+ node Emulab being deployed at NIST.

10 DNSSEC-Deployment.org Additional NIST Resources Other SNIP infrastructure –Web server and mail host for mailing lists –Test and measurement systems Signing Infrastructure – dnsops.gov. apex. –Done behind firewall –Private keys not stored on servers –Scheduled resigning done every month Also after updates as necessary

11 DNSSEC-Deployment.org Emulab Network Signing system SNIP Primary Auth Server SNIP Secondary Auth Server Internet /UUNet SNIP Topology NIST Network Internet2 /MAX Test and Measurement Systems

12 DNSSEC-Deployment.org SNIP Operational Overview Will use procedures outlined in SP800-81 –1024 bit RSA ZSK Rolled over every month –2048 bit RSA KSK Rolled over during experimentation published as pilot trust anchor ZSK rollover every 30 days –KSK on a less formal basis (experiment in trust anchor rollover) Using NSEC initially, may experiment signing with NSEC3

13 DNSSEC-Deployment.org DNS Administrator Resources Will remain active after SNIP zone shuts down Project Website –Links to guides, tools, and performance stats Mailing list –Useful for announcements and security bulletins Revision of NIST SP800-81 –using knowledge gained during SNIP operational lifetime –More examples of different server implementations –Information on how to interact with parent zones (GSA)

14 DNSSEC-Deployment.org SNIP Impact Stepping stone for operational use –USG DNS operators get experience running delegation under dnsops.gov before deploying in own agency Tool testing – Tech transfer / training on existing tool suites (NIST, SPARTA, Shinkuro, ISC, et al). Platform Testing –Multi-vendor environment Servers - ISC/BIND, NSD, Microsoft, Nominum(?) and more surprises Resolvers – Linux, BSD, Microsoft, OS X Applications – TBD. Procedure Testing –Refinement of procedure/policy guidance and reporting requirements

15 DNSSEC-Deployment.org Participation Will try to accommodate all –Non USG entities: dnsops.biz May try to get a presence in other TLD’s a well –Don’t want a delegation? How about a DNAME? –Tool developers Can run locally or have delegation/secondary/etc as necessary.

16 DNSSEC-Deployment.org Resources NIST Special Publications page http://www.csrc.nist.gov/ DNSSEC Project Page http://www.dnsops.gov http://www-x.antd.nist.gov/dnssec DNSSEC-Deployment Web page –Informal working group http://www.dnssec-deployment.org/ http://www.dnssec-deployment.org/news/dnssecthismonth/

Download ppt "DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Active Directory Production Pilot Project Department of Administration Enterprise Technology Services (ETS) ETS is a customer based team that provides.

Active Directory Production Pilot Project Department of Administration Enterprise Technology Services (ETS) ETS is a customer based team that provides.
Communications Area Report German Valdez Communications Area Director.

Communications Area Report German Valdez Communications Area Director.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Workshop 20: Teaching a Hands-on Undergraduate Grid Computing Course SIGCSE 2010 - The 41st ACM Technical Symposium on Computer Science Education Friday.

1 Workshop 20: Teaching a Hands-on Undergraduate Grid Computing Course SIGCSE The 41st ACM Technical Symposium on Computer Science Education Friday.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
1 Disaster Recovery Planning & Cross-Border Backup of Data among AMEDA Members Vipin Mahabirsingh Managing Director, CDS Mauritius For Workgroup on Cross-Border.

1 Disaster Recovery Planning & Cross-Border Backup of Data among AMEDA Members Vipin Mahabirsingh Managing Director, CDS Mauritius For Workgroup on Cross-Border.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Evolved from ARPANET (Advanced Research Projects Agency of the U.S. Department of Defense) Was the first operational packet-switching network Began.

Evolved from ARPANET (Advanced Research Projects Agency of the U.S. Department of Defense) Was the first operational packet-switching network Began.
11.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Similar presentations

Ads by Google