DNSSEC Overview

Security for the Internet’s Domain Name System
DNSSEC Current State of Deployment

Prepared for Internet2 BoF
Amy Friedlander, Shinkuro, Inc.
Based on a presentation by Marcus Sachs (SRI) with contributions
by members of the DNSSEC Deployment Working Group

April 23, 2007
      DNSSEC Current State: Protocols
       Core RFCs published:
           4033: DNS Security Introduction and Requirements
           4034: Resource Records for DNS Security Extensions
           4035: Protocol Modifications for the DNS Security
            Extensions
           http://www.dnssec.net/rfc for the entire collection
       NSEC3 is in final stages.
       DNS Extensions (DNSEXT) Working Group is
        discussing its future, including the option of self
        dissolution.


      The US Department of Homeland Security
      DNSSEC Deployment Initiative Activities
       Coordination project: Shinkuro, Sparta, SRI and NIST
       Roadmap published in February 2005, updated March 2007 to include
        extensive list of available software tools and guides
           http://www.dnssec-deployment.org/roadmap.php
       Multiple workshops held world-wide
       Monthly newsletter
           http://www.dnssec-deployment.org/news/dnssecthismonth
       DNSSEC testbed and testing tools developed by NIST
           http://www-x.antd.nist.gov/dnssec
       DNSSEC tools available at
           http://www.dnssec-tools.org
       DNSSEC-Deployment Working Group
           http://www.dnssec-deployment.org
       Internet2 Cross-Signing Pilot
           http://www.dnssec-deployment.org/internet2/



      DNSSEC in the United States
       US Government
           US civilian government (.gov) developing policy and technical
            guidance for secure DNS operations and beginning deployment
            activities at all levels.
           The “.us” and “.mil” zones are also on track for DNSSEC
            compliance
           New DNSSEC guidance included in FISMA, NIST 800-53r1
              http://www.csrc.nist.gov/publications/nistpubs
           Secure Domain Name System Deployment Guide
               http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf
       Outside the US Government
           Public Internet Registry (PIR): plans for deploying DNSSEC in .org
              http://pir.org/Strengthening/DNSSec.aspx

      DNSSEC in the Caribbean: Puerto Rico

       In July 2006 Puerto Rico’s top-level domain
        (.pr) was the second ccTLD – country code
        top level domain – to provide a DNSSEC-
        signed zone
       Details: http://www.nic.pr
       Questions may be addressed to info@nic.pr




      DNSSEC in Latin America: Mexico
      and Brazil
       NIC Mexico is developing the infrastructure,
        procedures and technology for a future DNSSEC
        deployment in the .mx ccTLD
           DNSSEC testbed launched in May 2006
           Created a new SLD: test.mx where DNSSEC enabled
            domain registrations can be made for free
       Testbed details: http://www.dnssec.org.mx
       DNSSEC verification tool:
        http://www.dnssec.org.mx/checkdnssec.html
       Registro.br released DNSSEC extensions for EPP:
        http://registro.br/epp/index-EN.html (RFC 4310)

      DNSSEC in Europe: RIPE
       The European infrastructure services
        provider, RIPE NCC, based in the
        Netherlands, has deployed DNSSEC in the
        reverse tree
       Details are at
        https://www.ripe.net/rs/reverse/dnssec
       How-to guide (latest version) at
        https://www.nlnetlabs.nl/dnssec_howto



      DNSSEC in Europe: Sweden
       In November 2005, the Swedish national registry
        (.se) was the first ccTLD – country code top level
        domain – to provide DNSSEC-capable service
       February 16, 2007, .se launched commercial
        DNSSEC service
       Press release (launch):
        http://www.iis.se/english/nyheter/news/2007-02-16?lang=en
       More details, DNSSEC This Month (March 1, 2007)
          http://www.dnssec-deployment.org/news/dnssecthismonth/200703-dnssecthismonth/


      DNSSEC in Europe: Bulgaria, Czech
      Republic and Russia
       Bulgaria (.bg) has signed its zone.
       Czech Republic (.cz) is studying the idea of signing
        its zone as a means of seeding DNSSEC deployment
        in eastern Europe.
       R01 (http://www.r01.ru/), a Russian registrar, has a
        signed copy of the .ru zone available on their name
        server.
           ns.dnssec.ru (195.24.65.7)
           Registrants with a .ru domain using R01 as a registrar
            can sign their own zones
           R01 will provide secure delegation in the signed copy
            of the .ru zone
           Additional information on the signed zone and how it
            can be used can be found at http://www.dnssec.ru

      DNSSEC in Asia
       DNSSEC summit and workshop during
        APRICOT 2005, Kyoto
           http://www.apricot.net/apricot2005/workshop.html#ws5
           http://www.psg.com/~mankin/DNSSEC-Kyoto-21Feb2005/DNSSEC05FebJP-Info.html
       We need more pilots and workshops in the
        APNIC region!



      Stages for Next Steps and
      Discussion
       Risk (and cost) analysis: CRITICAL!
       Test and engineering
           Discussions with many communities, including
            with the relevant Top Level Domain registries
       Production
           Including communication with zone providers,
            registrars, governing agencies, and software
            vendors
       Leadership in the private and public sectors


      Background Information and
      Contributors
       For lots of detailed information:
           www.dnssec-deployment.org
           www.dnssec-tools.org
           www.dnssec.net
       Authors of materials in this presentation (all from
        dnssec-deployment working group)
           Amy Friedlander (Shinkuro)
           Allison Mankin (Shinkuro)
           Marcus Sachs (SRI)
           Ed Lewis (Neustar)
           Olaf Kolkman (Netlabs.nl)
           Russ Mundy (Sparta)

