Internet2 DNSSEC Pilot. Shumon Huque, University of Pennsylvania. ESCC/Internet2 Joint Techs Workshop, Minneapolis, Minnesota, U.S.A., Feb 14th 2007. Description of the Pilot: http://www.dnssec-deployment.org/internet2/ Deploy DNSSEC. Gain operational experience.
Presentation Transcript


Internet2 DNSSEC Pilot

Shumon Huque

University of Pennsylvania

ESCC/Internet2 Joint Techs Workshop

Minneapolis, Minnesota, U.S.A., Feb 14th 2007


Description of the Pilot

  • http://www.dnssec-deployment.org/internet2/

  • Deploy DNSSEC

  • Gain Operational experience

  • Does it work (does it catch anything?)

  • Test DNSSEC aware applications

  • Participants sign at least one of their zones

  • Exchange keys (trust anchors) that will allow them to mutually validate DNS data


What is DNSSEC?

  • A system to verify the authenticity of DNS “data”

    • RFC 4033, 4034, 4035

  • Helps detect: spoofing, misdirection, cache poisoning

  • Some secondary benefits appear:

    • You could store keying material in DNS

    • DKIM, SSHFP, IPSECKEY, etc


A little background ..

  • Feb ’06: DNSSEC Workshop held at Albuquerque Joint Techs

  • Mar ’06: [email protected] mailing list

  • Apr ’06: Internet2 Spring Member meeting

    • Advisory group formed and plans for a pilot project formulated

  • May ’06: Pilot group began

    • Bi-weekly conference calls and progress reports


Co-ordination

  • Internet2

  • Shinkuro シンクロ

  • Partner in DNSSEC Deployment Initiative

    • http://www.dnssec-deployment.org/

  • Some funding from US government


DNSSEC Deployment Efforts so far

  • MAGPI GigaPoP

    • All zones: magpi.{net,org} & 15 reverse zones

    • https://rosetta.upenn.edu/magpi/dnssec.html

  • MERIT

    • radb.net

    • nanog.org

    • http://www.merit.edu/networkresearch/dnssec.html

  • NYSERNet - test zone

    • nyserlab.org


Others considering or planning deployment

  • University of Pennsylvania

  • University of California - Berkeley

  • University of California - Los Angeles

  • University of Massachusetts - Amherst

  • Internet2


DLV (DNSSEC Lookaside Validation)

  • A mechanism to securely locate DNSSEC trust anchors “off-path”

  • An early deployment aid until top-down deployment of DNSSEC happens

  • Pilot group is in talks to make use of ISC’s DLV registry

    • http://www.isc.org/index.pl?/ops/dlv/

    • More on this at a later date ..


More participants welcome!

  • (participation not restricted to Internet2)

  • Join mailing list

  • Participate in conference calls


Thoughts on deployment obstacles (1)

  • A Chicken & Egg problem

    • Marginal benefits, until much more deployment

    • Why should I go first?

  • We had (have?) the same problem with other technologies (IPv6 etc)

  • Some folks will need to take the lead, if there is hope for wider adoption

  • Good way to find out how well it works


Thoughts on deployment obstacles (2)

  • Operational stability

    • More complicated software infrastructure

    • New processes for:

      • Zone changes

      • Secure delegations

      • Security (protection of crypto keys)

      • Key rollover and maintenance

    • Integration w/ existing DNS management software

  • What is the experience of the pilot?


Thoughts on deployment obstacles (3)

  • Additional system requirements

    • Authoritative servers: memory

    • Resolvers: memory & CPU

  • Memory use can be calculated

    • Probably not a big issue (unless you’re .COM!)

  • CPU

    • Not too much of an issue today (dearth of signed data that needs validation)

    • Caveat: some potential DoS attacks could hit CPU


Thoughts on deployment obstacles (4)

  • Key distribution in islands of trust

  • Why is there no top down deployment?

  • Work on signing root and (many) TLDs and in-addr.arpa is in progress

    • .SE, RIPE reverse done

    • .EDU work in motion

  • Interim mechanisms like DLV exist

  • Manual key exchange (unscalable)


Thoughts on deployment obstacles (5)

  • Stub resolver security (e2e security)

  • An area of neglect in my opinion

  • Push DNSSEC validation to endstations?

  • Secure path from stub resolver to recursive resolver

    • Possibilities: SIG(0), TSIG, IPSEC


Thoughts on deployment obstacles (6)

  • Application layer feedback

  • Coming gradually

    • DNSSEC aware resolution APIs and applications enhanced to use them

    • DNSSEC aware applications

    • See http://www.dnssec-tools.org/

  • Note: some folks think it might be nice to protect DNSSEC oblivious applications silently as an interim step


Thoughts on deployment obstacles (7)

  • Zone enumeration threat

  • See NSEC3 record (spec almost done)

    • draft-ietf-dnsext-nsec3-09.txt
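The mechanism behind the NSEC3 remedy, as an added example that is not part of the slides: NSEC records name the next existing owner in clear text, which is what makes a zone walkable, while NSEC3 (draft-ietf-dnsext-nsec3, later published as RFC 5155) orders the denial-of-existence chain by a salted, iterated SHA-1 hash of each owner name. The salt and iteration count below are the ones from the draft's own "example" zone; the three-name chain and the query names are constructed here.

```python
import base64
import hashlib

# Added example, not from the slides: the NSEC3 owner-name hash
# (draft-ietf-dnsext-nsec3, published as RFC 5155). NSEC lists the next
# existing owner name in clear text, so a client can walk the whole zone;
# NSEC3 orders the chain by H(name) instead, where
#   IH(0) = SHA1(wire(name) || salt),  IH(k) = SHA1(IH(k-1) || salt).

B32STD = "abcdefghijklmnopqrstuvwxyz234567"
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root-terminated."""
    labels = [lab.lower() for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash (hash algorithm 1 = SHA-1) of an owner name, in lowercase base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # extra iterations raise the cost of offline guessing
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii").lower()  # 20 bytes -> 32 chars, no padding
    return std.translate(str.maketrans(B32STD, B32HEX))


def nsec3_chain(names, salt_hex: str, iterations: int):
    """Hashed owners in canonical (sorted) order, each linked to the next hash."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]


def covering_record(chain, qname: str, salt_hex: str, iterations: int):
    """(owner_hash, next_hash) whose interval covers H(qname), proving qname is absent;
    None when H(qname) is itself an owner in the chain (the name exists)."""
    qh = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner == qh:
            return None
        wraps = nxt <= owner  # the last record points back to the first hash
        if owner < qh < nxt or (wraps and (qh > owner or qh < nxt)):
            return (owner, nxt)
    return None


if __name__ == "__main__":
    salt, iters = "aabbccdd", 12  # NSEC3PARAM values from the draft's example zone
    names = ["example", "a.example", "ns1.example"]  # constructed three-name zone
    for n in names:
        print(f"{n:12s} -> {nsec3_hash(n, salt, iters)}")
    chain = nsec3_chain(names, salt, iters)
    print("nonexistent.example covered by", covering_record(chain, "nonexistent.example", salt, iters))
```

Only hashes appear in the chain, so a resolver can still prove that a name is absent (its hash falls between two owner hashes) without learning which names exist.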


References

  • Internet2 DNSSEC Pilot

    • http://www.dnssec-deployment.org/internet2/

    • http://rosetta.upenn.edu/magpi/dnssec.html

  • Mailing list: [email protected]

    • https://mail.internet2.edu/wws/info/dnssec

  • Internet2 DNSSEC Workshop

    • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243


References (2)

  • DNSSEC(bis) technical specs:

    • RFC 4033, 4034, 4035

  • Related:

    • DNSSEC HOWTO:

      • http://www.nlnetlabs.nl/dnssec_howto/

    • Threat analysis of the DNS: RFC 3833

    • Operational practices: RFC 4641

    • NSEC3: draft-ietf-dnsext-nsec3-09

    • DLV: draft-weiler-dnssec-dlv-01

    • draft-hubert-dns-anti-spoofing-00


Questions?

  • Shumon Huque

    • shuque -at- isc.upenn.edu
