.ORG DNSSEC Testbed Deployment • Edmon Chung, Creative Director, Afilias • edmon@afilias.info • Perth, AU, 2 March, 2006
Overview • .ORG Testbed Implementation • Perception Problems • Risk vs. Return • What next?
.ORG Testbed Logistics and Topology • Launched on 31 October, 2005 • DNSSEC-aware name servers • EPP 1.0 front end servers feed zone data to the name servers
EPP Front End • Only .ORG accredited registrars allowed access to the EPP servers • Want to keep out the cruft • Use same creds as .ORG OT&E servers • New registrars added when added to OT&E • Dedicated testbed servers • Runs on epp1.dnssec-testbed.pir.org & epp2.dnssec-testbed.pir.org • Separate from .ORG Production servers!
DNS Back End • Running on dedicated BIND servers at the moment • Will cut over to UltraDNS in 2006 • Isolated DNS systems • Query using dig <somename>.org @<server> • Where <server> is: ns1.dnssec-testbed.pir.org or ns2.dnssec-testbed.pir.org • Started with “empty” zone
Registrar Toolkit • Experimental toolkit (Not for Prime Time) • Don’t use it for .ORG production • Availability: PIR website, SourceForge • EPP Transactions based on the -03 Hollenbeck draft
Policy Decisions • Running according to -bis specifications • Looking to showcase some pitfalls • May code NSEC3 in 2006 to run in parallel • Same for roll-over drafts, as they flesh out • Roll-over: • Already rolled in November (did anyone notice?) • Will do an unannounced ZSK and KSK “compromise scenario” in 2006 • Will publish a key roll-over schedule as well
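An added example, not part of the presentation or the testbed's code: the check a registrar or zone operator would run around the KSK roll described above, building DNSKEY RDATA, deriving the DS digest (RFC 4034 key tag, RFC 4509 digest) and confirming whether the DS published at the parent still matches the key in use. All names, keys and flags are constructed values, not testbed data.

```python
"""Derive and check DS records for a DNSKEY (RFC 4034, RFC 4509).

A DS is a digest over the owner name in wire form plus the DNSKEY RDATA;
after a KSK roll the parent's DS must be replaced or validation fails.
Names and keys here are constructed examples, not testbed data."""
import base64
import hashlib
import struct
from typing import Tuple

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}  # RFC 4509 digest types
DS = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, hex digest)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """DS fields for this DNSKEY: digest over owner-name wire form + RDATA."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest.upper()


def ds_matches(owner: str, rdata: bytes, ds: DS) -> bool:
    """True if the DS held at the parent corresponds to this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGOS:
        return False  # unknown digest type: cannot confirm the chain of trust
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


# Constructed KSKs (flags 257 = zone key + SEP, algorithm 8) with dummy public keys.
OLD_KSK = dnskey_rdata(257, 3, 8, "AQIDBA==")
NEW_KSK = dnskey_rdata(257, 3, 8, "BQYHCA==")
```

Calling `ds_matches("example.org", NEW_KSK, make_ds("example.org", OLD_KSK))` returns False, which is exactly the stale-parent-DS condition a KSK roll must avoid.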
Participation... • 3 Registrars logged in, 15 names in the zone, 12 DS records (as of 23 Nov 2005) • 135 names in the zone as of now • What can we do to help you participate? • On the PIR side? • On the Afilias side?
Perception Problems • .CL (Chilean) survey • Many in the technological community in Chile do not know what DNSSEC is • Some thought it was “all about confidentiality” • Have not deployed DNSSEC because: • Worry it will confuse the market (providers are not knowledgeable yet, but make many promises to end-users) • Multiple providers to deal with (ISC, APNIC, RIPE, etc.) • Education and Testbed
What DNSSEC does NOT do • DNSSEC does NOT provide confidentiality of DNS responses • DNSSEC does NOT protect against DDOS attacks • DNSSEC is NOT about privacy • DNSSEC is NOT a PKI • DNSSEC does NOT protect against IP Spoofing
Why is DNSSEC important? • ROI vs. Return on Risk • Not about increased revenues, but about reduced risks • Reducing risks for your community / customers • High vulnerability, low awareness • High dependence on DNS • Trust is easy to lose, difficult to regain
What Next? • Not without technical challenges (e.g. Key Rollovers) • Main Challenge is still awareness and adoption (i.e. demand driving) • Technologists tend to get over-excited about technical details • Some disconnect with business managers • Not as high profile as worms, viruses and DDOS attacks • Even though security is the highest priority
Man-in-the-middle Attacks • Stories to tell: • Bank Account • Email from your bank telling you that, for security reasons, they need you to update your password • You know about these scams called ‘phishing’, where the bad guys send an email pretending to be legit, and the link actually goes to their website • Just to be safe, instead of clicking on your bank’s email link, you open up your browser, and type in the URL for your bank login page • On the front page is the request for password change. • You put in your ‘old’ password, and your ‘new’ password (twice) • Two hours later, your entire savings account is wiped clean. • Automated Systems compromised • Email being intercepted
IDN and DNSSEC • Many similarities • Requires Application (DNS Clients) updates • Requires Registries and DNS operator updates / deployment • Requires Root changes for complete experience • One major difference: • Lack of explicit user demand
Awareness & Participation • ccTLDs and gTLDs should implement DNSSEC testbeds • Application Providers • Browsers, MTAs • ISPs • Industry should help promote awareness • Must a catastrophe happen first?... • For more info and to participate: • http://www.dnssec.net • http://www.dnssecdeployment.org
Thank You • Edmon Chung • edmon@afilias.info