
DNSSEC Update



Presentation Transcript


  1. DNSSEC Update R. Kevin Oberman, ESnet February 5, 2009

  2. .gov Now Signed! • .gov formally signed Feb. 1 • Not yet accepting keys (DS records) from delegated zones • Will start doing so in a few days

  3. Time to sign • With signed .gov, it is time for those in .gov space to start signing • Be sure that you are ready • Don’t rush • Test before officially signing

  4. How to Sign • http://www.dnssec-tools.org • Work done by Sparta under contract to the US Government • Tools are open source and free • Allow fairly easy implementation of most DNSSEC requirements • Signing appliance • Easiest operation • Least likely to fail

  5. Use BIND-9.6.0-P1 or later • Supports NSEC3 • NSEC3 hashes owner names in the denial-of-existence chain, so the zone cannot be enumerated by walking it • Required if you need to ‘hide’ zone data • Removes the effective zone transfer that NSEC walking gives an outsider (it does not replace access controls on AXFR itself) • Supports ‘automatic’ key update to parent • Greatly simplifies key management

  6. Key Issues • Two ‘types’ of keys • Zone signing keys (ZSKs) sign RRsets in zone files • Key signing keys (KSKs) sign the DNSKEY RRset that holds the ZSKs • All keys are asymmetric public/private key pairs, much like ssh keys: the private half signs, the public half is published in the zone’s DNSKEY RRset • Data may be signed by multiple keys

  7. Key Management • Zone signing keys must be changed monthly • Key signing keys must be changed annually • A valid public key must ALWAYS be published for both current data and data still sitting in resolver caches • Watch TTLs: a long cache life complicates emergency key changes, because stale signatures stay in caches until the TTL runs out • TTLs should probably be no longer than a few hours

  8. Three Key Shuffle • Keys A, B, and C • Data signed with A and B • To roll keys: • Generate new key pair (C) • Sign data with B and C • Withdraw A • Keeps each key published for two roll cycles • Any cached RRset is still signed by at least one published key, provided the roll interval is longer than the longest TTL of the signed data

  9. No Room for Error! • Data not signed by a currently published key will not validate • Queries for your data will fail (SERVFAIL) on validating resolvers • Your zone will ‘disappear’ from the Internet for their users • Your users will be very unhappy!

  10. No Key Revocation! • Keys may be withdrawn from the zone, but not revoked • A new key can be put in place very quickly • Data already cached by resolvers will fail to validate until it expires if no key that signed it remains published • Keep TTLs short, because the TTL is the upper bound on that outage
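The timing rules in slides 7, 8 and 10 are easy to get wrong, so here is an added toy model of them in Python. It is not from the slides or from the DNSSEC-Tools project and contains no cryptography: keys are just key tags, the zone always signs with its two newest ZSKs, and a cached RRset is taken to validate while at least one tag from its RRSIGs is still in the zone's published DNSKEY RRset. It also assumes the validator always sees the zone's current DNSKEY RRset (DNSKEY caching is ignored). The numbers (TTLs, roll intervals, twelve resolvers at staggered offsets) are constructed for the illustration.

```python
"""Toy model of the 'three key shuffle' ZSK rollover and of cache timing.

No real DNSSEC here: keys are key tags, signatures are sets of tags, and
data validates while one of its signing keys is still published.  The
validator is assumed to see the zone's current DNSKEY RRset (simplification).
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class CachedRRset:
    expires_at: int        # absolute time at which the resolver drops the entry
    signed_by: frozenset   # key tags of the RRSIGs cached alongside the data


class Zone:
    """A zone whose RRsets are always signed by its two newest ZSKs."""

    def __init__(self):
        self._tags = count(1)
        # Slide 8: start with keys A and B, both published and both signing.
        self.active = [next(self._tags), next(self._tags)]
        self.published = set(self.active)

    def roll(self):
        """Generate C, sign with B and C, drop A from the DNSKEY RRset."""
        self.active = [self.active[-1], next(self._tags)]
        self.published = set(self.active)

    def withdraw(self, tag):
        """Slide 10: no revocation, the key is simply pulled from the zone.

        A fresh key takes its place so that two keys keep signing."""
        self.active = [t for t in self.active if t != tag]
        self.active.append(next(self._tags))
        self.published = set(self.active)


def validates(cached, zone):
    """Cached data validates if any key that signed it is still published."""
    return bool(cached.signed_by & zone.published)


def simulate_rollover(ttl, roll_every, rolls, resolvers=12, step=60):
    """Count (resolver, time) points at which cached data fails to validate.

    Each resolver first queries at a different offset (constructed), so cache
    expiries fall at different phases relative to the scheduled rolls.  Zero
    means the schedule is safe for this TTL."""
    zone = Zone()
    caches = [None] * resolvers
    offsets = [i * roll_every // resolvers for i in range(resolvers)]
    next_roll = roll_every
    failures = 0
    for now in range(0, roll_every * rolls + 1, step):
        while now >= next_roll:
            zone.roll()
            next_roll += roll_every
        for i in range(resolvers):
            if now < offsets[i]:
                continue
            # Answer from cache while it lives; otherwise fetch fresh data,
            # which is signed by whatever keys are active right now.
            if caches[i] is None or now >= caches[i].expires_at:
                caches[i] = CachedRRset(now + ttl, frozenset(zone.active))
            if not validates(caches[i], zone):
                failures += 1
    return failures


def withdrawal_outage(ttl, withdraw_after=600, step=60):
    """Seconds a resolver is dark after an emergency key withdrawal.

    The resolver caches data signed by A and B just before a scheduled roll
    (published set becomes B, C).  If B is then found compromised and pulled
    `withdraw_after` seconds later, the cached RRSIGs match no published key
    until the entry expires: the TTL is the upper bound on the outage."""
    zone = Zone()
    cached = CachedRRset(ttl, frozenset(zone.active))   # signed by A and B
    zone.roll()                                          # published: B, C
    compromised = zone.active[0]                         # that is B
    outage = 0
    for now in range(0, ttl, step):
        if now == withdraw_after:
            zone.withdraw(compromised)
        if not validates(cached, zone):
            outage += step
    return outage


if __name__ == "__main__":
    print("daily roll, 1h TTL, failures:", simulate_rollover(3600, 86400, 3))
    print("hourly roll, 2h TTL, failures:", simulate_rollover(7200, 3600, 4))
    print("outage after withdrawal, 1h TTL:", withdrawal_outage(3600), "s")
    print("outage after withdrawal, 24h TTL:", withdrawal_outage(86400), "s")
```

The first simulation (roll interval well above the TTL) never fails, because no cache entry can outlive two rolls. The second rolls faster than the TTL, so entries signed by A and B are still cached when the zone has moved on to C and D, and validating resolvers return SERVFAIL for them. The withdrawal model shows why the slides insist on short TTLs: the zone recovers the moment a new key is published, but resolvers stay dark until their cached entry expires, and that wait scales directly with the TTL.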

  11. The Clock is Ticking • OMB requires that zones immediately under .gov be signed by the end of 2009 • You need to start working on a signing solution NOW!
