DNSSEC for the .edu Domain. Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010. Agenda. Review DNS How DNSSEC augments DNS What DNSSEC doesn’t do Why DNSSEC matters to you DNSSEC Adoption Getting started: Between now and July 2010

Presentation Transcript


DNSSEC for the .edu Domain

Becky Granger

Director, Information Technology

and Member Services

EDUCAUSE

April 29, 2010


Agenda

  • Review DNS

  • How DNSSEC augments DNS

  • What DNSSEC doesn’t do

  • Why DNSSEC matters to you

  • DNSSEC Adoption

  • Getting started: Between now and July 2010

  • Going live: Anticipated in July 2010


DNS: A Review

Illustration courtesy of Niranjan Kunwar / Nirlog.com


DNS Caching

  • DNS Servers cache data to improve performance

  • But…what happens if the cached data is wrong?


DNS is Fundamentally Flawed

More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf


DNS Cache Poisoning Gets Easier

Article explaining vulnerability: http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky

Photo by Dave Bullock / eecue


DNSSEC: DNS Security Extensions

  • Validate the origin of a DNS response

    • Trust that the data came from the expected source

  • Validate the integrity of a DNS response

    • Trust that the data itself is correct

  • Validate denial of existence

    • Trust a “no records to return” response
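The third bullet is the one people forget: a signed "no such name" answer is only meaningful if the validator checks that the NSEC record it received actually covers the name that was queried, and that check depends on DNSSEC's canonical name ordering (RFC 4034 section 6.1). The following is an added example written for this page, not code from the presentation. The zone example.edu and its four-name NSEC chain are constructed; the code assumes the RRSIG over each NSEC has already been verified and omits the wildcard (closest-encloser) proof a full validator must also perform.

```python
"""Denial-of-existence check with NSEC (added example, not from the
presentation).  Pure standard library.

After verifying the RRSIG over an NSEC record (not done here), a validator
still has to confirm that the NSEC *covers* the queried name.  That needs
RFC 4034 section 6.1 canonical ordering, not plain string comparison."""


def canonical_key(name: str):
    """Sort key for RFC 4034 canonical order: compare labels from the root
    downwards, case-insensitively; a name with fewer labels that is a prefix
    of another sorts first.  Presentation-format escapes such as \\001 are
    not parsed; plain hostnames only."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def in_zone(qname: str, apex: str) -> bool:
    """True if qname is at or below the zone apex."""
    q, a = canonical_key(qname), canonical_key(apex)
    return q[: len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if the NSEC 'owner -> next_name' proves qname does not exist:
    qname must sort strictly between the two.  The last NSEC in the chain
    points back at the apex and covers everything that sorts after it."""
    if not in_zone(qname, apex):
        return False                      # this zone cannot speak for qname
    o, n, q, a = map(canonical_key, (owner, next_name, qname, apex))
    if n == a:
        return o < q
    return o < q < n


def nsec_proves_nodata(owner: str, types: set, qname: str, qtype: str) -> bool:
    """NODATA proof: the name exists (NSEC owner == qname) but the NSEC type
    bitmap lacks the queried type."""
    return canonical_key(owner) == canonical_key(qname) and qtype not in types


# Constructed NSEC chain for a four-name zone, listed in canonical order:
# (owner, next owner, types present at owner)
NSEC_CHAIN = [
    ("example.edu.",      "a.example.edu.",    {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("a.example.edu.",    "mail.example.edu.", {"A", "RRSIG", "NSEC"}),
    ("mail.example.edu.", "www.example.edu.",  {"A", "MX", "RRSIG", "NSEC"}),
    ("www.example.edu.",  "example.edu.",      {"A", "AAAA", "RRSIG", "NSEC"}),
]


def find_covering_nsec(chain, qname: str, apex: str):
    """Return the owner of the NSEC that denies qname, or None if nothing in
    the chain covers it (the name exists, or the proof does not hold)."""
    for owner, nxt, _types in chain:
        if nsec_covers(owner, nxt, qname, apex):
            return owner
    return None


if __name__ == "__main__":
    for q in ("ftp.example.edu.", "zzz.example.edu.", "mail.example.edu."):
        print(q, "->", find_covering_nsec(NSEC_CHAIN, q, "example.edu."))
```

Note that `mail.example.edu.` yields no covering NSEC: a forged "does not exist" answer for a name that is actually in the zone fails this check even though every record in it carries a valid signature, which is exactly why the covering test is part of validation and not an optional extra.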


DNS with DNSSEC implemented

Illustration courtesy of Niranjan Kunwar / Nirlog.com


DNSSEC Augments DNS

  • Use public key cryptography to “sign” DNS data

  • New DNS resource records carry signatures

    • DNSKEY, RRSIG, NSEC, DS

  • Publish a DS record (a hash of your key-signing key) to the parent zone

    • Domain to TLD, TLD to root

  • Validating resolvers check each RRSIG against the zone’s DNSKEY and follow the DS records up to the root trust anchor

Good explanation: http://ispcolumn.isoc.org/2006-08/dnssec.html


What DNSSEC Doesn’t Do

  • Encrypt data – that’s SSL

  • Protect your servers from denial of service attacks

  • Keep you from visiting phishing sites

  • DNSSEC protects you from forged DNS data


Why You Care: Hypothetical Case Study

Photo by Bart Everson


DNSSEC Adoption


Adoption is Critical

  • Can’t require signed answers yet – nearly all zones are still unsigned, so lookups for them would fail

  • In the interim, will need a browser warning for non-validated lookups (like SSL “lock” today)

  • Validation will likely be required at some point


Adoption is Increasing Quickly

Data from SecSpider: http://secspider.cs.ucla.edu

Graph courtesy of Eric Osterweil


Many Top Level Domains are Signing

  • Signed TLDs

    • bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us

    • arpa, gov, museum, org

  • Coming soon

    • edu anticipated in July 2010

    • net anticipated in late 2010

    • com anticipated in early 2011

TLD data courtesy of Shinkuro, Inc.


Current DNSSEC Adoption in .edu

  • 7 signed .edu domains

    • berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu

  • 64 signed .edu sub-domains

    • Many are computer science departments or DNS research projects

Data from SecSpider: http://secspider.cs.ucla.edu

Slide courtesy of Shumon Huque, University of Pennsylvania


Getting Started: Between now and July 1, 2010


If you are…

  • CIO or IT leader

    • Get DNSSEC on your staff’s radar now

    • Add DNSSEC to your summer maintenance schedule

  • Technical staff

    • If an ISP hosts your DNS

      • Ask the ISP when they will support DNSSEC

    • If you host your DNS

      • Learn about signing

      • Get DNSSEC-aware DNS software

      • Sign your zone


Learn About Signing

  • Study the RFCs

    • RFC 4033 – DNSSEC introduction and requirements

    • RFC 4034 – Resource records for DNSSEC

    • RFC 4641 – DNSSEC operational practices

  • NIST Secure DNS Deployment Guide


Get DNSSEC-aware DNS Software

  • Need DNSSEC-aware software on your authoritative DNS servers and on every recursive resolver in the path

    • BIND 9.6 or greater

    • ZKT

    • OpenDNSSEC

    • Windows Server 2008 R2

    • Signing appliances

    • Many more…

Find these packages and more at http://www.dnssec.net/software


Sign Your Zone

  • Generate a KSK and one or more ZSKs

    • http://tools.ietf.org/html/rfc4641#section-3.1

  • Practice key rollovers & establish processes for managing keys

    • http://tools.ietf.org/html/rfc4641#section-4.2


Going Live: July 2010 (anticipated)


Chain of Trust Can Be Established

Original illustration courtesy of Niranjan Kunwar / Nirlog.com


Publish Your Signatures to .edu Zone

  • Enter DS record data into the .edu Domain Administration website

.edu Domain Administration website: http://www.educause.edu/edudomain
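What you enter at the registry is not a signature but a DS record: the key tag, algorithm and digest of your key-signing key's DNSKEY, which is how the "DNSSEC Augments DNS" slide's parent-to-child link is actually built. BIND's dnssec-dsfromkey (or the dsset- file that dnssec-signzone writes) produces this for you; the following added example, written for this page and not code from the presentation, shows what is inside it using only the Python standard library. The owner name example.edu and the base64 key blob are constructed placeholders (the blob is four bytes, not a real RSA key), so the digest it prints is illustrative; the record layout and the key-tag arithmetic are per RFC 4034 and RFC 4509.

```python
"""DS record generation from a KSK's DNSKEY (added example, not code from
the presentation).  Standard library only: base64, hashlib, struct."""
import base64
import hashlib
import struct

# Digest type -> hash: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(rr: str):
    """Parse a presentation-format DNSKEY line ('owner [ttl] [IN] DNSKEY flags
    protocol algorithm base64-key...') into (owner, wire-format RDATA)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1 : i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4 :]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except 1, RSA/MD5):
    sum the RDATA as 16-bit big-endian words, fold the carry back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_rr: str, digest_type: int = 2) -> str:
    """Build the DS record (presentation format) the parent zone publishes
    for this DNSKEY.  Digest input is the owner name in wire form followed
    by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    owner, rdata = parse_dnskey(dnskey_rr)
    flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
    if not flags & 0x0100:
        raise ValueError("not a zone key (ZONE flag clear)")
    if not flags & 0x0001:
        # Only the KSK (SEP bit set) goes to the parent.  ZSKs roll without
        # touching the registry, which is the point of splitting the two.
        raise ValueError("DS must be derived from the KSK (SEP flag clear)")
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


# Constructed KSK record: flags 257 (ZONE|SEP), protocol 3, algorithm 8
# (RSA/SHA-256).  The key material is a 4-byte placeholder, not a real key.
KSK_RR = "example.edu. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    print(ds_record(KSK_RR, 1))   # SHA-1 DS, the RFC 4034 original
    print(ds_record(KSK_RR, 2))   # SHA-256 DS (RFC 4509); publish this one
```

Two practitioner checks follow from the code: compare the key tag in the DS you submit with the tag in the file name of the KSK you generated, and after the registry publishes it, confirm the DS in .edu matches what your zone serves, because a DS that points at a key you have already rolled away makes the whole zone bogus to validating resolvers.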


Many Resources Available to Help You

  • RFCs

    • http://tools.ietf.org/rfc/index

  • DNSSEC.NET website

    • http://www.dnssec.net/

  • Your .edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv

    • http://listserv.educause.edu/archives/dnssec.html


Questions?

