110 likes | 223 Views
Securing the Government’s DNS Infrastructure with DNSSEC. April 3, 2012 Matt Larson – Verisign. The Importance of the Internet & DNSSEC. .GOV Domain Space Vital to Government & National Security DNS open to attack Millions of users rely on .GOV DNS Security Extensions
E N D
Securing the Government’s DNS Infrastructure with DNSSEC • April 3, 2012 • Matt Larson – Verisign
The Importance of the Internet & DNSSEC .GOV Domain Space • Vital to Government & National Security • DNS open to attack • Millions of users rely on .GOV DNS Security Extensions • Additional Security to the .GOV domain space • Securing .GOV domains with DNSSEC is a mandate from the OMB • DNSSEC has been “Road Tested”
OMB Mandate – M0823 Mandate: Apply DNSSEC to 2nd level .gov names by Dec. 2009 • http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf • Approximately 60% compliance
Signed USG Domains Reference: http://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
DNSSEC Challenges • DNSSEC is a more rigid protocol • More complex • Management of DNSSEC key pairs • May require new equipment for your infrastructure • DS Records • Manual submission of DS records to parent registry
Signing Service Product Overview • Product Functionality • Signing of domain name zones & management of associated key rollovers that DNSSEC requires • Cloud based service • Zone signing • Creates the necessary keys / Ongoing key management • Notifications for expiring signatures • What problems does this solve? • Reduces complexity for signing 2nd level domain names • Reduces the costs for additional equipment to sign and manage names • Incorporation of the DNSSEC Signing Service is optional • Use of the service does not exclude registrants from using other mechanisms to sign zones
DNSSEC Signing Service Registrant Public DNS Publish Unsigned Zone Register Domain DNSSEC SignedZoneMaster UnsignedZoneMaster CreateUnsigned Zone PublishSignedZone RegistrarWeb Site Signed Zone Update EnableSigning VerisignDNSSECSigning Service
DNSSEC Analyzer Tool Tool Available at: http://dnssec-debugger.verisignlabs.com Also a Mobile version: http://itunes.apple.com/us/app/dnssec-analyzer/id410032288?mt=8
Call to Action – Sign your .GOV name • Instruct your technical staff on the urgency of DNSSEC • Become compliant with the OMB Mandate • http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf • Signing has been made easier • Tools and services are easing the complexity • DNSSEC has been “Road Tested” • Large top level domains have been signed • For more information visit Verisign’s information resource http://verisign.com/dnssec