1 / 16

Secure Naming Infrastructure Pilot (SNIP)

A .gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose NIST scottr@nist.gov. Secure Naming Infrastructure Pilot (SNIP). SNIP Goals. DNSSEC is now a FISMA Requirement.

hua
Download Presentation

Secure Naming Infrastructure Pilot (SNIP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A .gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose NIST scottr@nist.gov Secure Naming Infrastructure Pilot (SNIP)

  2. SNIP Goals • DNSSEC is now a FISMA Requirement. • NIST SP-800-53-r1 (Dec 2006) “Recommended Security Controls for Federal Information Systems” mandates the incremental deployment of DNSSEC technologies in Moderate and High Impact IT systems. • Moderate Impact – must sign zones. • High Impact – must be prepared to validate signatures. • Need to facilitate technology insertion and adoption. • Standards, implementations and policies don’t guarantee success. • Need for technical community resources and activities to foster early deployments, refine policies and plans, share information and expertise.

  3. SNIP Basics • SNIP will build a USG DNS Ops community and shared pilot • Provide “distributed training ground” for .gov operators deploying DNSSEC • Ability to pilot agency specific scenarios either locally or in SNIP-provided resources. • Create a community resource for DNS admins in the USG to share knowledge and to refine specifications, policies and plans. • SNIP basis is a signed shadow zone under .gov (dnsops.gov) • Will offer delegations and secure chaining to subzones • example – NIST would participate as nist.dnsops.gov • May offer limited hosting service as well • Goal isn't to be a hosting service, but help bootstrap others to host their own zones.

  4. SNIP as a Testbed • Use SNIP tree to exercise DNSSEC operations • Test deployment DNSSEC scenarios. • Multi-vendor platforms for authoritative / caching servers, resolvers. • Zone structure / contents / distribution. • Test DNSSEC operations described in SP800-81 • Zone signing, key rollovers, zone transfers. • Test DNSSEC administration tools (From NIST, Sparta and Shinkuro) • Test performance – in agency specific scenarios. • Community hands-on participation • Agency DNS operators can participate in NIST/SPARTA led exercise. • Results will be published for community

  5. What SNIP is Not • Mandatory • Permanent • Expected lifetime: 2-3 years • The community tools and email lists will remain after the testbed activities conclude.. • 100% Uptime • This is a experimental testbed in which we will conduct disruptive experiments, load/stress test servers, etc.

  6. Levels of Participation • Delegation only • Participants use own testbed systems and perform all administration associated with setup / experimentation. • Remote administration • Participants use SNIP testbed equipment, but perform all administration. • Hosted experiments • NIST/SPARTA set up mirror of agency specific infrastructure, but using SNIP equipment and administration, for specific experiment. • For limited use in investigating specific deployment / technology issues.

  7. The Big Picture – DNSSEC in .gov Internet2 DNSSEC Pilot SNIP Core Infrastructure dnsops.gov. esnet.doe.dnsops.gov. fda.dnsops.gov. zoneedit dhs.dnsops.gov. nist.dnsops.gov. ag1.dnsops.gov. ag2.dnsops.gov. dns-outsource.com DREN DNSSEC Pilot antd.nist.dnsops.gov.

  8. Testbed Technical Details • Multiple authoritative server implementations • Internet2 connection (IPv6 testing) • May have alternate hosting capabilities (multiple servers) • secondaries in other locations? • Ability to host other zones (or servers) for delegations lacking equipment to participate fully. • Zone data can be real (servers), or anonymized • Will maintain and publish trust anchor for dnsops.gov. tree

  9. SNIP Infrastructure Resources • Primary Site – NIST / Gaithersburg MD. • Authoritative dnsops.gov. DNS servers • Secondary Site – Sparta / Columbia MD • Geographic and network dispersion (sort of) • Zone transfers using TSIG for message authentication • Reconfigurable Emulated wide area topology. • 20+ node Emulab being deployed at NIST.

  10. Additional NIST Resources • Other SNIP infrastructure • Web server and mail host for mailing lists • Test and measurement systems • Signing Infrastructure – dnsops.gov. apex. • Done behind firewall • Private keys not stored on servers • Scheduled resigning done every month • Also after updates as necessary

  11. SNIP Primary Auth Server SNIP Topology NIST Network Emulab Network Internet /UUNet Internet2 /MAX Test and Measurement Systems SNIP Secondary Auth Server Signing system

  12. SNIP Operational Overview • Will use procedures outlined in SP800-81 • 1024 bit RSA ZSK • Rolled over every month • 2048 bit RSA KSK • Rolled over during experimentation • published as pilot trust anchor • ZSK rollover every 30 days • KSK on a less formal basis (experiment in trust anchor rollover) • Using NSEC initially, may experiment signing with NSEC3

  13. DNS Administrator Resources • Will remain active after SNIP zone shuts down • Project Website • Links to guides, tools, and performance stats • Mailing list • Useful for announcements and security bulletins • Revision of NIST SP800-81 • using knowledge gained during SNIP operational lifetime • More examples of different server implementations • Information on how to interact with parent zones (GSA)

  14. SNIP Impact • Stepping stone for operational use • USG DNS operators get experience running delegation under dnsops.gov before deploying in own agency • Tool testing • Tech transfer / training on existing tool suites (NIST, SPARTA, Shinkuro, ISC, et al). • Platform Testing • Multi-vendor environment • Servers - ISC/BIND, NSD, Microsoft, Nominum(?) and more surprises • Resolvers – Linux, BSD, Microsoft, OS X • Applications – TBD. • Procedure Testing • Refinement of procedure/policy guidance and reporting requirements

  15. Participation • Will try to accommodate all • Non USG entities: dnsops.biz • May try to get a presence in other TLD’s a well • Don’t want a delegation? • How about a DNAME? • Tool developers • Can run locally or have delegation/secondary/etc as necessary.

  16. Resources • NIST Special Publications page http://www.csrc.nist.gov/ • DNSSEC Project Page http://www.dnsops.gov http://www-x.antd.nist.gov/dnssec • DNSSEC-Deployment Web page • Informal working group http://www.dnssec-deployment.org/ http://www.dnssec-deployment.org/news/dnssecthismonth/

More Related