Internet2 DNSSEC Pilot

Shumon Huque

University of Pennsylvania

ESCC/Internet2 Joint Techs Workshop

Minneapolis, Minnesota, U.S.A., Feb 14th 2007

Description of the Pilot
  • http://www.dnssec-deployment.org/internet2/
  • Deploy DNSSEC
  • Gain Operational experience
  • Does it work (does it catch anything?)
  • Test DNSSEC aware applications
  • Participants sign at least one of their zones
  • Exchange keys (trust anchors) that will allow them to mutually validate DNS data
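The last two bullets are the mechanics of the pilot: a participant signs a zone with a key-signing key, and the other participants configure that key as a trust anchor (or, for a signed parent, publish a DS record for it). The following Python is an added example, not code from the pilot or the slides; it derives the two artifacts that get exchanged, a DS record and a BIND 9 `trusted-keys` clause, from a DNSKEY. The key bytes and the zone name are constructed placeholders; the key-tag and DS digest computations follow RFC 4034 (Appendix B and section 5) and RFC 4509 for the SHA-256 digest type.

```python
"""Artifacts of a manual trust-anchor exchange, derived from a DNSKEY.

Added example; not from the Internet2 pilot slides. The key bytes below are
constructed filler, not a real key. Key tag: RFC 4034 Appendix B; DS digest:
RFC 4034 section 5.1.4 (SHA-1) and RFC 4509 (SHA-256).
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (0x0100 zone key, 0x0001 SEP = key-signing key), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1: 16-bit sum over the RDATA (even bytes high, odd bytes low), carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RR the child hands to its parent: digest over owner-name wire form || DNSKEY RDATA."""
    hash_for = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hash_for[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def trusted_keys_statement(owner: str, rdata: bytes) -> str:
    """BIND 9 'trusted-keys' clause a pilot partner pastes into named.conf for the exchanged KSK."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if not flags & 0x0001:
        raise ValueError("refusing to anchor a key without the SEP bit (use the KSK, not a ZSK)")
    key_b64 = base64.b64encode(rdata[4:]).decode("ascii")
    return f'trusted-keys {{\n    "{owner}" {flags} {protocol} {algorithm} "{key_b64}";\n}};'


if __name__ == "__main__":
    # Constructed KSK for magpi.net.: flags 257 (zone key + SEP), protocol 3, algorithm 5
    # (RSASHA1, the common choice in 2007), 16 bytes of filler where the RSA key would be.
    ksk = dnskey_rdata(257, 3, 5, bytes(range(16)))
    print(ds_record("magpi.net.", ksk))
    print(trusted_keys_statement("magpi.net.", ksk))
```

The SEP check is the operational point: what a partner anchors (or what goes into the parent's DS) is the key-signing key, so the zone-signing key can be rolled without anyone outside the zone having to act. Every manually configured anchor still has to be replaced by hand when the KSK itself rolls, which is the scaling problem later slides raise.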
What is DNSSEC?
  • A system to verify the authenticity of DNS “data”: origin authentication and integrity of RRsets, plus authenticated denial of existence
    • RFC 4033, 4034, 4035
  • Helps detect: spoofing, misdirection, cache poisoning
  • Some secondary benefits appear:
    • You could store keying material in DNS and have it authenticated
    • DKIM, SSHFP, IPSECKEY, etc
A little background ..
  • Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs
  • Mar ‘06: [email protected] mailing list
  • Apr ‘06: Internet2 Spring Member meeting
    • Advisory group formed and plans for a pilot project formulated
  • May ‘06: Pilot group began
    • Bi-weekly conference calls and progress reports
Co-ordination
  • Internet2
  • Shinkuro
  • Partner in DNSSEC Deployment Initiative
    • http://www.dnssec-deployment.org/
  • Some funding from US government
DNSSEC Deployment Efforts so far
  • MAGPI GigaPoP
    • All zones: magpi.{net,org} & 15 reverse zones
    • https://rosetta.upenn.edu/magpi/dnssec.html
  • MERIT
    • radb.net
    • nanog.org
    • http://www.merit.edu/networkresearch/dnssec.html
  • NYSERNet - test zone
    • nyserlab.org
Others considering or planning deployment
  • University of Pennsylvania
  • University of California - Berkeley
  • University of California - Los Angeles
  • University of Massachusetts - Amherst
  • Internet2
DLV (DNSSEC Lookaside Validation)
  • A mechanism to securely locate DNSSEC trust anchors “off-path”
  • An early deployment aid until top-down deployment of DNSSEC happens
  • Pilot group is in talks to make use of ISC’s DLV registry
    • http://www.isc.org/index.pl?/ops/dlv/
    • More on this at a later date ..
More participants welcome!
  • (participation not restricted to Internet2)
  • Join mailing list
  • Participate in conference calls
Thoughts on deployment obstacles (1)
  • A Chicken & Egg problem
    • Marginal benefits, until much more deployment
    • Why should I go first?
  • We had (have?) the same problem with other technologies (IPv6 etc)
  • Some folks will need to take the lead, if there is hope for wider adoption
  • Good way to find out how well it works
Thoughts on deployment obstacles (2)
  • Operational stability
    • More complicated software infrastructure
    • New processes for:
      • Zone changes
      • Secure delegations
      • Security (protection of crypto keys)
      • Key rollover and maintenance
    • Integration w/ existing DNS management software
  • What is the experience of the pilot?
Thoughts on deployment obstacles (3)
  • Additional system requirements
    • Authoritative servers: memory
    • Resolvers: memory & CPU
  • Memory use can be calculated from the zone: every RRset gains an RRSIG, every name gains an NSEC plus its RRSIG
    • Probably not a big issue (unless you’re .COM!)
  • CPU
    • Not too much of an issue today (dearth of signed data that needs validation)
    • Caveat: some potential DoS attacks could hit CPU (a validator can be made to check many signatures per query)
Thoughts on deployment obstacles (4)
  • Key distribution in islands of trust
  • Why is there no top down deployment?
  • Work on signing root and (many) TLDs and in-addr.arpa is in progress
    • .SE and the RIPE reverse zones are done
    • .EDU work in motion
  • Interim mechanisms like DLV exist
  • Manual key exchange (unscalable)
Thoughts on deployment obstacles (5)
  • Stub resolver security (e2e security)
  • An area of neglect in my opinion
  • Push DNSSEC validation to endstations?
  • Secure path from stub resolver to recursive resolver
    • Possibilities: SIG(0), TSIG, IPsec
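Of the three options listed, TSIG is the one that needs nothing but DNS: the stub and the recursive resolver share a secret and every message carries an HMAC over the message plus a timestamp. The Python below is an added example, not from the slides, showing both sides of that exchange in standard-library code: the stub signs a query, the resolver verifies it, and a query altered in transit or replayed outside the fudge window is rejected. The key name, secret, message ID and timestamp are constructed; the digest layout follows RFC 2845 with the HMAC-SHA256 algorithm name from RFC 4635.

```python
"""TSIG (RFC 2845, HMAC-SHA256 per RFC 4635) on the stub-to-recursive hop.

Added example; not from the slides. Key name, secret, message ID and timestamp
are constructed for the demo. No EDNS and no name compression are used in the
query built here, which keeps the parsing on the verify side small.
"""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
ALGORITHM = "hmac-sha256."


def name_to_wire(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(msg_id: int, qname: str, qtype: int = 1) -> bytes:
    """Header (RD set) plus one question; ARCOUNT stays 0 until the TSIG RR is appended."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + name_to_wire(qname) + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, pos: int) -> int:
    """Offset just past the name at pos (a compression pointer is 2 bytes and ends the name)."""
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + ln
        if ln == 0:
            return pos


def _tsig_variables(key_wire, alg_wire, time_signed, fudge, error=0, other=b""):
    """The 'TSIG Variables' digested together with the message (RFC 2845 section 3.4.2)."""
    return (key_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire
            + struct.pack("!Q", time_signed)[2:]            # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg: bytes, key_name: str, secret: bytes, time_signed: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR whose MAC covers the unsigned message and the TSIG variables."""
    key_wire, alg_wire = name_to_wire(key_name), name_to_wire(ALGORITHM)
    mac = hmac.new(secret, msg + _tsig_variables(key_wire, alg_wire, time_signed, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (alg_wire + struct.pack("!Q", time_signed)[2:] + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = key_wire + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed: bytes, secret: bytes, now: int, key_name: str) -> bool:
    """True only if the last RR is a TSIG for key_name, is within fudge of now, and its MAC matches."""
    counts = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(counts[0]):
        pos = _skip_name(signed, pos) + 4                   # question: name, type, class
    last = None
    for _ in range(counts[1] + counts[2] + counts[3]):
        last = pos
        pos = _skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    if last is None or pos != len(signed):
        return False
    p = _skip_name(signed, last)
    key_wire, rtype = signed[last:p], struct.unpack("!H", signed[p:p + 2])[0]
    alg_end = _skip_name(signed, p + 10)
    alg_wire = signed[p + 10:alg_end]
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    q = alg_end + 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    # Rebuild what the signer digested: original ID, ARCOUNT without the TSIG, body up to the TSIG RR.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", counts[3] - 1) + signed[12:last]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_wire, alg_wire, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return (rtype == TSIG_TYPE and key_wire == name_to_wire(key_name) and alg_wire == name_to_wire(ALGORITHM)
            and abs(now - time_signed) <= fudge and hmac.compare_digest(mac, expected))


if __name__ == "__main__":
    secret, t0 = b"constructed-shared-secret", 1171411200     # constructed; t0 is 2007-02-14 00:00 UTC
    signed = tsig_sign(build_query(0x1234, "www.magpi.net."), "stub-key.", secret, t0)
    print("genuine :", tsig_verify(signed, secret, t0 + 5, "stub-key."))
    forged = bytearray(signed)
    forged[13] ^= 0x01                                          # flip one bit of the QNAME in transit
    print("tampered:", tsig_verify(bytes(forged), secret, t0 + 5, "stub-key."))
    print("replayed:", tsig_verify(signed, secret, t0 + 3600, "stub-key."))
```

The cost that keeps TSIG from being the whole answer is visible in the code: a distinct shared secret per stub, distributed out of band, and clocks close enough for the fudge window to work. SIG(0) removes the shared-secret problem by using a public key, and IPsec moves the problem out of DNS entirely; the slide lists all three because none is clearly right for every end station.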
Thoughts on deployment obstacles (6)
  • Application layer feedback
  • Coming gradually
    • DNSSEC aware resolution APIs and applications enhanced to use them
    • DNSSEC aware applications
    • See http://www.dnssec-tools.org/
  • Note: some folks think it might be nice to protect DNSSEC-oblivious applications silently (validation in the recursive resolver, with bogus answers turned into failures) as an interim step
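At the wire level the "DNSSEC aware" application of the slide does two things: it sets the DO bit in an EDNS0 OPT record so that a resolver returns signatures and validation results, and it reads the AD (and possibly CD) flag in the reply. The Python below is an added example, not code from the slides or from dnssec-tools, that builds such a query and classifies a constructed reply; the names, message ID and response bytes are made up. The point of the classifier is the link to the previous slide: AD is an unsigned claim from the resolver and only means something when the stub-to-resolver path is protected.

```python
"""What a DNSSEC-aware application does at the wire: ask with DO, read AD/CD/RCODE.

Added example; not from the slides. The response bytes are constructed by hand
to look like a validating recursive resolver's answer; IDs and names are made up.
"""
import struct

RD, RA, AD, CD, QR = 0x0100, 0x0080, 0x0020, 0x0010, 0x8000
OPT_TYPE, DO_BIT = 41, 0x00008000


def name_to_wire(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(msg_id: int, qname: str, qtype: int = 1, do: bool = True, cd: bool = False,
                udp_size: int = 4096) -> bytes:
    """RD query; with do=True an EDNS0 OPT pseudo-RR carrying the DO bit is added (RFC 4035 3.2.1).

    cd=True asks the resolver to return data it would otherwise reject as bogus, for an
    application that validates on its own (RFC 4035 3.2.2)."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if do else 0)
    question = name_to_wire(qname) + struct.pack("!HH", qtype, 1)
    if not do:
        return header + question
    # OPT RR: root owner, type 41, CLASS = sender's UDP payload size, TTL = ext-RCODE | version | DO | Z
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & QR), "rcode": flags & 0x000F,
            "ad": bool(flags & AD), "cd": bool(flags & CD), "ancount": an, "arcount": ar}


def dnssec_status(response: bytes, path_to_resolver_trusted: bool) -> str:
    """Classify a reply the way an application relying on resolver-side validation must.

    The AD bit is an unsigned claim by the recursive resolver; on an unprotected LAN
    anyone who can spoof the reply can set it, so it is only evidence when the
    stub-to-resolver path is itself secured (TSIG, IPsec, or a validator on the host)."""
    h = parse_header(response)
    if h["rcode"] == 2:
        return "servfail: validation failure or resolver error (retry with CD to tell them apart)"
    if h["ad"] and path_to_resolver_trusted:
        return "secure: validated by the resolver over a trusted path"
    if h["ad"]:
        return "unverifiable: AD set, but the path to the resolver is not trusted"
    return "insecure: not validated (unsigned zone, or non-validating resolver)"


# Constructed reply: QR|RD|RA|AD, one A answer (owner is a pointer to the question name), one OPT RR.
RESPONSE = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)
            + name_to_wire("www.magpi.net.") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
            + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0))

if __name__ == "__main__":
    q = build_query(0x1234, "www.magpi.net.")
    print(f"query: {len(q)} bytes, header {parse_header(q)}")
    print(dnssec_status(RESPONSE, path_to_resolver_trusted=True))
    print(dnssec_status(RESPONSE, path_to_resolver_trusted=False))
```

An application that wants end-to-end assurance rather than the resolver's word sets CD, fetches the RRSIG and DNSKEY chain itself and validates against its own trust anchors; that is the "DNSSEC aware resolution API" path the slide refers to, and the reason the stub-resolver question on the previous slide matters to application authors.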
Thoughts on deployment obstacles (7)
  • Zone enumeration threat
  • See NSEC3 record (spec almost done)
    • draft-ietf-dnsext-nsec3-09.txt
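The threat is that NSEC records, which prove a name does not exist by naming the next owner in canonical order, let anyone walk the whole zone with ordinary queries. NSEC3 (the draft cited above, later published as RFC 5155) replaces the owner names in that chain with salted, iterated SHA-1 hashes. The Python below is an added example, not from the slides: it walks a constructed NSEC chain, computes the NSEC3 hashes the same zone would publish instead, and then runs the dictionary attack that NSEC3 still permits, since salt and iteration count are public. The zone, its records and the wordlist are constructed; the hashing follows RFC 5155 section 5.

```python
"""Zone enumeration via NSEC, and what NSEC3 hashing changes.

Added example; not from the slides. The zone, its NSEC chain and the guessing
wordlist are constructed. Hashing follows draft-ietf-dnsext-nsec3 as published
in RFC 5155 section 5: SHA-1 over the owner name's wire form with the salt
appended, then `iterations` further rounds, rendered in base32hex.
"""
import base64
import hashlib
import struct

# Python's base64 module emits the RFC 4648 base32 alphabet; NSEC3 uses base32hex.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def nsec_walk(nsec_next: dict, apex: str) -> list:
    """Enumerate a zone from NSEC records alone: each NSEC names the next owner; the last wraps to the apex."""
    names, current = [], apex
    while True:
        names.append(current)
        current = nsec_next[current]
        if current == apex:
            return names


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations + 1 times in total."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def nsec3_chain(names: list, salt: bytes, iterations: int) -> list:
    """Hashed owner names in the order the signed zone's NSEC3 chain would list them."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def guess_names(hashed_owners: list, zone: str, wordlist: list, salt: bytes, iterations: int) -> dict:
    """Offline dictionary attack against an NSEC3 chain.

    Salt and iteration count are public (every NSEC3 record carries them), so an
    attacker hashes candidate labels and checks for matches. NSEC3 raises the cost
    of enumeration from one query per name to one hash chain per guess; it does not
    remove it, and higher iteration counts cost validators the same CPU."""
    targets = set(hashed_owners)
    hits = {}
    for label in wordlist:
        candidate = f"{label}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in targets:
            hits[h] = candidate
    return hits


# Constructed zone for magpi.net. and its NSEC chain (owner -> next owner in canonical order).
NSEC_NEXT = {"magpi.net.": "ns1.magpi.net.", "ns1.magpi.net.": "www.magpi.net.", "www.magpi.net.": "magpi.net."}
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12

if __name__ == "__main__":
    names = nsec_walk(NSEC_NEXT, "magpi.net.")
    print("NSEC walk reveals:", names)
    chain = nsec3_chain(names, SALT, ITERATIONS)
    print("NSEC3 chain shows only:", chain)
    print("dictionary recovers:", guess_names(chain, "magpi.net.", ["mail", "www", "ns1", "vpn"], SALT, ITERATIONS))
```

RFC 5155 Appendix A carries test vectors (salt `aabbccdd`, 12 iterations, zone `example`) against which `nsec3_hash` can be checked. The iteration count is a trade-off the operator makes between the attacker's guessing cost and the validator's cost on every negative answer, which is the CPU caveat from the earlier obstacles slide.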
References
  • Internet2 DNSSEC Pilot
    • http://www.dnssec-deployment.org/internet2/
    • http://rosetta.upenn.edu/magpi/dnssec.html
  • Mailing list: [email protected]
    • https://mail.internet2.edu/wws/info/dnssec
  • Internet2 DNSSEC Workshop
    • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243
References (2)
  • DNSSEC(bis) technical specs:
    • RFC 4033, 4034, 4035
  • Related:
    • DNSSEC HOWTO:
      • http://www.nlnetlabs.nl/dnssec_howto/
    • Threat analysis of the DNS: RFC 3833
    • Operational practices: RFC 4641
    • NSEC3: draft-ietf-dnsext-nsec3-09
    • DLV: draft-weiler-dnssec-dlv-01
    • draft-hubert-dns-anti-spoofing-00
Questions?
  • Shumon Huque
    • shuque -at- isc.upenn.edu