dnssec for the edu domain
Download
Skip this Video
Download Presentation
DNSSEC for the Domain

Loading in 2 Seconds...

play fullscreen
1 / 26

DNSSEC for the Domain - PowerPoint PPT Presentation


  • 175 Views
  • Uploaded on

DNSSEC for the .edu Domain. Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010. Agenda. Review DNS How DNSSEC augments DNS What DNSSEC doesn’t do Why DNSSEC matters to you DNSSEC Adoption Getting started: Between now and July 2010

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' DNSSEC for the Domain' - cirila


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
dnssec for the edu domain

DNSSEC for the .edu Domain

Becky Granger

Director, Information Technology

and Member Services

EDUCAUSE

April 29, 2010

agenda
Agenda
  • Review DNS
  • How DNSSEC augments DNS
  • What DNSSEC doesn’t do
  • Why DNSSEC matters to you
  • DNSSEC Adoption
  • Getting started: Between now and July 2010
  • Going live: Anticipated in July 2010
dns a review
DNS: A Review

Illustration courtesy of Niranjan Kunwar / Nirlog.com

dns caching
DNS Caching
  • DNS Servers cache data to improve performance
  • But…what happens if the cached data is wrong?
dns is fundamentally flawed
DNS is Fundamentally Flawed

More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf

dns cache poisoning gets easier
DNS Cache Poisoning Gets Easier

Article explaining vulnerability: http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky

Photo by Dave Bullock / eecue

dnssec dns security extensions
DNSSEC: DNS Security Extensions
  • Validate the origin of a DNS response
    • Trust that the data came from the expected source
  • Validate the integrityof a DNS response
    • Trust that the data itself is correct
  • Validate denial of existence
    • Trust a “no records to return” response
dns with dnssec implemented
DNS with DNSSEC implemented

Illustration courtesy of Niranjan Kunwar / Nirlog.com

dnssec augments dns
DNSSEC Augments DNS
  • Use public key cryptography to “sign” DNS data
  • New DNS resource records carry signatures
    • DNSKEY, RRSIG, NSEC, DS
  • Publish signatures to parent zone
    • Domain to namespace, namespace to root
  • DNS resolvers validate signature matches

Good explanation: http://ispcolumn.isoc.org/2006-08/dnssec.html

what dnssec doesn t do
What DNSSEC Doesn’t Do
  • Encrypt data – that’s SSL
  • Protect your servers from denial of service attacks
  • Keep you from visiting phishing sites
  • DNSSEC protects you from forged DNS data
adoption is critical
Adoption is Critical
  • Can’t require validation yet – would reject most internet traffic
  • In the interim, will need a browser warning for non-validated lookups (like SSL “lock” today)
  • Validation will likely be required at some point
adoption is increasing quickly
Adoption is Increasing Quickly

Data from SecSpider: http://secspider.cs.ucla.edu

Graph courtesy of Eric Osterweil

many top level domains are signing
Many Top Level Domains are Signing
  • Signed TLDs
    • bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us
    • arpa, gov, museum, org
  • Coming soon
    • edu anticipated in July 2010
    • net anticipated in late 2010
    • com anticipated in early 2011

TLD data courtesy of Shinkuro, Inc.

current dnssec adoption in edu
Current DNSSEC Adoption in .edu
  • 7 signed .edu domains
    • berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu
  • 64 signed .edu sub-domains
    • Many are computer science departments or DNS research projects

Data from SecSpider: http://secspider.cs.ucla.edu

Slide courtesy of Shumon Huque, University of Pennsylvania

if you are
If you are…
  • CIO or IT leader
    • Get DNSSEC on your staff’s radar now
    • Add DNSSEC to your summer maintenance schedule
  • Technical staff
    • If an ISP hosts your DNS
      • Ask the ISP when they will support DNSSEC
    • If you host your DNS
      • Learn about signing
      • Get DNSSEC-aware DNS software
      • Sign your zone
learn about signing
Learn About Signing
  • Study the RFCs
    • RFC 4033 – DNSSEC introduction and requirements
    • RFC 4034 – Resource records for DNSSEC
    • RFC 4641 – DNSSEC operational practices
  • NIST Secure DNS Deployment Guide
get dnssec aware dns software
Get DNSSEC-aware DNS Software
  • Need DNSSEC-aware software on published DNS servers and all intermediate resolvers
    • BIND 9.6 or greater
    • ZKT
    • OpenDNSSEC
    • Windows 2008 Server R2
    • Signing appliances
    • Many more…

Find these packages and more at http://www.dnssec.net/software

sign your zone
Sign Your Zone
  • Generate a KSK and one or more ZSKs
    • http://tools.ietf.org/html/rfc4641#section-3.1
  • Practice key rollovers & establish processes for managing keys
    • http://tools.ietf.org/html/rfc4641#section-4.2
chain of trust can be established
Chain of Trust Can Be Established

Original illustration courtesy of Niranjan Kunwar / Nirlog.com

publish your signatures to edu zone
Publish Your Signatures to .edu Zone
  • Enter DS record data into the .edu Domain Administration website

.edu Domain Administration website: http://www.educause.edu/edudomain

many resources available to help you
Many Resources Available to Help You
  • RFCs
    • http://tools.ietf.org/rfc/index
  • DNSSEC.NET website
    • http://www.dnssec.net/
  • Your .edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv
    • http://listserv.educause.edu/archives/dnssec.html
ad