
Securing the Government’s DNS Infrastructure with DNSSEC

April 3, 2012. Matt Larson – Verisign.


Presentation Transcript


  1. Securing the Government’s DNS Infrastructure with DNSSEC • April 3, 2012 • Matt Larson – Verisign

  2. The Importance of the Internet & DNSSEC
     .GOV Domain Space
     • Vital to Government & National Security
     • DNS open to attack
     • Millions of users rely on .GOV
     DNS Security Extensions
     • Additional Security to the .GOV domain space
     • Securing .GOV domains with DNSSEC is a mandate from the OMB
     • DNSSEC has been “Road Tested”

  3. OMB Mandate – M0823
     Mandate: Apply DNSSEC to 2nd level .gov names by Dec. 2009
     • http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf
     • Approximately 60% compliance

  4. Signed USG Domains
     Reference: http://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov

  5. DNSSEC Challenges
     • DNSSEC is a more rigid protocol
     • More complex
     • Management of DNSSEC key pairs
     • May require new equipment for your infrastructure
     • DS Records
     • Manual submission of DS records to parent registry

  6. Signing Service Product Overview
     • Product Functionality
     • Signing of domain name zones & management of associated key rollovers that DNSSEC requires
     • Cloud based service
     • Zone signing
     • Creates the necessary keys / Ongoing key management
     • Notifications for expiring signatures
     • What problems does this solve?
     • Reduces complexity for signing 2nd level domain names
     • Reduces the costs for additional equipment to sign and manage names
     • Incorporation of the DNSSEC Signing Service is optional
     • Use of the service does not exclude registrants from using other mechanisms to sign zones

  7. DNSSEC Signing Service
     [Diagram. Parties: Registrant, Registrar Web Site, Unsigned Zone Master, Verisign DNSSEC Signing Service, DNSSEC Signed Zone Master, Public DNS. Labelled steps: Register Domain, Enable Signing, Create Unsigned Zone, Publish Unsigned Zone, Signed Zone Update, Publish Signed Zone.]

  8. DNSSEC Analyzer Tool
     Tool available at: http://dnssec-debugger.verisignlabs.com
     Also a mobile version: http://itunes.apple.com/us/app/dnssec-analyzer/id410032288?mt=8

  9. DNSSEC Analyzer

  10. Call to Action – Sign your .GOV name
     • Instruct your technical staff on the urgency of DNSSEC
     • Become compliant with the OMB Mandate
     • http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf
     • Signing has been made easier
     • Tools and services are easing the complexity
     • DNSSEC has been “Road Tested”
     • Large top level domains have been signed
     • For more information visit Verisign’s information resource http://verisign.com/dnssec

  11. Questions?
