1 / 16

.ORG DNSSEC Testbed Deployment

Edmon Chung Creative Director Afilias edmon@afilias.info Perth, AU 2 March, 2006. .ORG DNSSEC Testbed Deployment. Overview. .ORG Testbed Implementation Perception Problems Risk vs. Return What next?. .ORG Testbed Logistics and Topology. Launched on 31 October, 2005

azriel
Download Presentation

.ORG DNSSEC Testbed Deployment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Edmon Chung Creative Director Afilias edmon@afilias.info Perth, AU 2 March, 2006 .ORG DNSSECTestbedDeployment

  2. Overview • .ORG Testbed Implementation • Perception Problems • Risk vs. Return • What next?

  3. .ORG Testbed Logistics and Topology • Launched on 31 October, 2005 • DNSSEC-aware name servers • EPP 1.0 front end servers feed zone data to the name servers

  4. EPP Front End Only .ORG accredited registrars allowed access to the EPP servers Want to keep out the cruft Use same creds as .ORG OT&E servers New registrars added when added to OT&E Dedicated testbed servers Runs on epp1.dnssec-testbed.pir.org &epp2.dnssec-testbed.pir.org Separate from .ORG Production servers!

  5. DNS Back End Running on dedicated BIND servers at the moment Will cut over to UltraDNS in 2006 Isolated DNS systems Query using dig <somename>.org @<server> Where <server> is: ns1.dnssec-testbed.pir.orgor ns2.dnssec-testbed.pir.org Started with “empty” zone

  6. Registrar Toolkit Experimental toolkit (Not for Prime Time) Don’t use it for .ORG production Availability: PIR website SourceForge EPP Transactions based on the -03 Hollenbeck draft

  7. Policy Decisions Running according to -bis specifications Looking to showcase some pitfalls May code NSEC3 in 2006 to run parallel Same for roll-over drafts, as they flush out Roll-over Already rolled in November (did anyone notice?) Will do an unannounced ZSK and KSK “compromise scenario” in 2006 Will publish a key roll-over schedule as well

  8. Participation... 3 Registrars logged in, 15 names in the zone, 12 DS records (as of 23 Nov 2005) 135 names in the zone as of now What can we do to help you participate? On the PIR side? On the Afilias side?

  9. Perception Problems • .CL (Chilean) survey • Many in the technological community in Chile do not know what DNSSEC is • Some thought it was “all about confidentiality” • Have not deployed DNSSEC because: • Worry it will confuse the market (providers are not knowledgeable yet makes many promises to end-users) • Multiple providers to deal with (ISC, APNIC, RIPE, etc.) • Education and Testbed

  10. What DNSSEC does NOT do • DNSSEC does NOT provide confidentiality of DNS responses • DNSSEC does NOT protect against DDOS attacks • DNSSEC is NOT about privacy • DNSSEC is NOT a PKI • DNSSEC does NOT protect against IP Spoofing

  11. Why is DNSSEC important? • ROI vs. Return on Risk • Not about increased revenues, but about reduced risks • Reducing risks for your community / customers • High vulnerability, low awareness • High dependance on DNS • Trust is easy to lose difficult to re-gain

  12. What Next? • Not without technical challenges (e.g. Key Rollovers) • Main Challenge is still awareness and adoption (i.e. demand driving) • Technologists tend to get over excited about technical details • Some disconnect with business managers • Not as high profile as worms, viruses and DDOS attacks • Even as security is highest priority

  13. Man-in-the-middle Attacks • Stories to tell: • Bank Account • Email from your bank telling you that, for security reasons, they need you to update your password • You know about these scams called ‘phishing’, where the bad guys send an email pretending to be legit, and the link actually goes to their website • Just to be safe, instead of clicking on your bank’s email link, you open up your browser, and type in the URL for your bank login page • On the front page is the request for password change. • You put in your ‘old’ password, and your ‘new’ password (twice) • Two hours later, your entire savings account is wiped clean. • Automated Systems compromised • Email being intercepted

  14. IDN and DNSSEC • Many similarities • Requries Application (DNS Clients) updates • Requires Registries and DNS operator updates / deployment • Requires Root changes for complete experience • One major difference: • Lack of explicit user demand

  15. Awareness & Participation • ccTLDs and gTLDs should implement DNSSEC testbeds • Application Providers • Browsers, MTAs • ISPs • Industry should help promote awareness • Must a catastrophe happen first?... • For more info and to participate: • http://www.dnssec.net • http://www.dnssecdeployment.org

  16. Thank You • Edmon Chung • edmon@afilias.info

More Related