Presentation is loading. Please wait.

Presentation is loading. Please wait.

OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

Published byCody Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press."— Presentation transcript:

1 OARC TAR Panel

2 La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press articles or attend conferences where they get the impression that “DNSSEC won’t “really be ready for N years” (e.g. RSA conference in San Francisco) or “TARs don’t work” will naturally delay action on their own part to deploy DNSSEC, sign zones or enable validation.

3 Can we Simplify the Task for Administrators?

4 Yes, I manage trust anchors

5 Tar Paper If we roll this out a bit at a time, people will start to use it Constructive “baby steps”

6 Pragmatic First Steps ITAR for TLD’s solves first level of problem. But it would be helpful to automate the work for the administrator (who may have DNSSEC expertise from “none” to “some” to “expert”) Minimum: publish a cookbook to explain how to set up validation Or -- TAR “fetcher” program, coupled with TAR “updater” program  Distribute TAR list with system/products  3-file approach –Distribution defaults –Local over-rides to defaults (delete, modify) –Local trust anchors  Auto-trust and/or TrustMan to automate RFC 5011 changes to keys  Set and forget

7 Next Level Down Example: MyBank.NL wants to sign with DNSSEC after hearing about Brazil’s Banco Bradesco cache- poisoning attack But.NL is not signed, so:  Do nothing  There are benefits to signing, but what do I do with my SEP Key?

8 model Bank SEP Bank SEP Attacker Options: don’t sign sign, but don’t publish key Publish in: DLV.NL tar, if it existed Bank web site other? TAR Management Options: manual fetch DLV List of lists Key Scrapers with P2P consistency checks Producer Consumer ISP Validating Resolver : Some expertise Local Policy sets what is trusted, what is not trusted End User Resolver no expertise ?

9 Local Policy Example: The X-(Tar) Files

10 Local Policy 2: Security is a Trade-Off “Trust, but Verify”

11 Peer 2 Peer Local Policy can turn on/off or set how many friends must agree from how many places before trust begins to grow Policy could be set to  None  Check, but don’t set AD  Set AD if everybody agrees –Would anyone do this? More interestingly, “negative trust” can be inferred if a zone shows up with no key when a key is expected, or a different key than friends found earlier (but that doublecheck because a rollover may be happening)

12 Summary Don’t Shoot Ourselves in the foot; if you have something to say to the outside world, do it constructively Baby Steps Simplify & Automate Local Policy

Download ppt "OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Innovations in OSGi How to prevent patent applications.

Innovations in OSGi How to prevent patent applications.
Training Course: Task List. Agenda Overview of the Task List Screen Icons across the top Making Appointments Viewing Appointments & Filters Working Your.

Training Course: Task List. Agenda Overview of the Task List Screen Icons across the top Making Appointments Viewing Appointments & Filters Working Your.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Www.vanschools.org Website Tutorial. www.vanschools.org Administration  Log on by clicking Login on the footer of almost any page  Your Username is.

Website Tutorial. Administration  Log on by clicking Login on the footer of almost any page  Your Username is.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Similar presentations

Ads by Google