1 / 26

DNSSEC for the Domain

DNSSEC for the .edu Domain. Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010. Agenda. Review DNS How DNSSEC augments DNS What DNSSEC doesn’t do Why DNSSEC matters to you DNSSEC Adoption Getting started: Between now and July 2010

cirila
Download Presentation

DNSSEC for the Domain

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DNSSEC for the .edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010

  2. Agenda • Review DNS • How DNSSEC augments DNS • What DNSSEC doesn’t do • Why DNSSEC matters to you • DNSSEC Adoption • Getting started: Between now and July 2010 • Going live: Anticipated in July 2010

  3. DNS: A Review Illustration courtesy of Niranjan Kunwar / Nirlog.com

  4. DNS Caching • DNS Servers cache data to improve performance • But…what happens if the cached data is wrong?

  5. DNS is Fundamentally Flawed More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf

  6. DNS Cache Poisoning Gets Easier Article explaining vulnerability: http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky Photo by Dave Bullock / eecue

  7. DNSSEC: DNS Security Extensions • Validate the origin of a DNS response • Trust that the data came from the expected source • Validate the integrityof a DNS response • Trust that the data itself is correct • Validate denial of existence • Trust a “no records to return” response

  8. DNS with DNSSEC implemented Illustration courtesy of Niranjan Kunwar / Nirlog.com

  9. DNSSEC Augments DNS • Use public key cryptography to “sign” DNS data • New DNS resource records carry signatures • DNSKEY, RRSIG, NSEC, DS • Publish signatures to parent zone • Domain to namespace, namespace to root • DNS resolvers validate signature matches Good explanation: http://ispcolumn.isoc.org/2006-08/dnssec.html

  10. What DNSSEC Doesn’t Do • Encrypt data – that’s SSL • Protect your servers from denial of service attacks • Keep you from visiting phishing sites • DNSSEC protects you from forged DNS data

  11. Why You Care: Hypothetical Case Study Photo by Bart Everson

  12. DNSSEC Adoption

  13. Adoption is Critical • Can’t require validation yet – would reject most internet traffic • In the interim, will need a browser warning for non-validated lookups (like SSL “lock” today) • Validation will likely be required at some point

  14. Adoption is Increasing Quickly Data from SecSpider: http://secspider.cs.ucla.edu Graph courtesy of Eric Osterweil

  15. Many Top Level Domains are Signing • Signed TLDs • bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us • arpa, gov, museum, org • Coming soon • edu anticipated in July 2010 • net anticipated in late 2010 • com anticipated in early 2011 TLD data courtesy of Shinkuro, Inc.

  16. Current DNSSEC Adoption in .edu • 7 signed .edu domains • berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu • 64 signed .edu sub-domains • Many are computer science departments or DNS research projects Data from SecSpider: http://secspider.cs.ucla.edu Slide courtesy of Shumon Huque, University of Pennsylvania

  17. Getting Started: Between now and July 1, 2010

  18. If you are… • CIO or IT leader • Get DNSSEC on your staff’s radar now • Add DNSSEC to your summer maintenance schedule • Technical staff • If an ISP hosts your DNS • Ask the ISP when they will support DNSSEC • If you host your DNS • Learn about signing • Get DNSSEC-aware DNS software • Sign your zone

  19. Learn About Signing • Study the RFCs • RFC 4033 – DNSSEC introduction and requirements • RFC 4034 – Resource records for DNSSEC • RFC 4641 – DNSSEC operational practices • NIST Secure DNS Deployment Guide

  20. Get DNSSEC-aware DNS Software • Need DNSSEC-aware software on published DNS servers and all intermediate resolvers • BIND 9.6 or greater • ZKT • OpenDNSSEC • Windows 2008 Server R2 • Signing appliances • Many more… Find these packages and more at http://www.dnssec.net/software

  21. Sign Your Zone • Generate a KSK and one or more ZSKs • http://tools.ietf.org/html/rfc4641#section-3.1 • Practice key rollovers & establish processes for managing keys • http://tools.ietf.org/html/rfc4641#section-4.2

  22. Going Live: July 2010 (anticipated)

  23. Chain of Trust Can Be Established Original illustration courtesy of Niranjan Kunwar / Nirlog.com

  24. Publish Your Signatures to .edu Zone • Enter DS record data into the .edu Domain Administration website .edu Domain Administration website: http://www.educause.edu/edudomain

  25. Many Resources Available to Help You • RFCs • http://tools.ietf.org/rfc/index • DNSSEC.NET website • http://www.dnssec.net/ • Your .edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv • http://listserv.educause.edu/archives/dnssec.html

  26. Questions?

More Related