Internet2 DNSSEC Pilot
Shumon Huque, University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop, Minneapolis, Minnesota, U.S.A., Feb 14th 2007
Description of the Pilot
• http://www.dnssec-deployment.org/internet2/
• Deploy DNSSEC
• Gain operational experience
  • Does it work (does it catch anything?)
  • Test DNSSEC-aware applications
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
What is DNSSEC?
• A system to verify the authenticity of DNS “data”
  • RFC 4033, 4034, 4035
• Helps detect: spoofing, misdirection, cache poisoning
• Some secondary benefits appear:
  • You could store keying material in DNS
  • DKIM, SSHFP, IPSECKEY, etc.
A little background ..
• Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs
• Mar ‘06: dnssec@internet2 mailing list
• Apr ‘06: Internet2 Spring Member meeting
  • Advisory group formed and plans for a pilot project formulated
• May ‘06: Pilot group began
  • Bi-weekly conference calls and progress reports
Co-ordination
• Internet2
• Shinkuro シンクロ
  • Partner in DNSSEC Deployment Initiative
  • http://www.dnssec-deployment.org/
  • Some funding from US government
DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
  • All zones: magpi.{net,org} & 15 reverse zones
  • https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
  • radb.net
  • nanog.org
  • http://www.merit.edu/networkresearch/dnssec.html
• NYSERNet - test zone
  • nyserlab.org
Others considering or planning deployment
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• University of Massachusetts - Amherst
• Internet2
DLV (DNSSEC Lookaside Validation)
• A mechanism to securely locate DNSSEC trust anchors “off-path”
• An early deployment aid until top-down deployment of DNSSEC happens
• Pilot group is in talks to make use of ISC’s DLV registry
  • http://www.isc.org/index.pl?/ops/dlv/
• More on this at a later date ..
More participants welcome!
• (participation not restricted to Internet2)
• Join mailing list
• Participate in conference calls
Thoughts on deployment obstacles (1)
• A Chicken & Egg problem
  • Marginal benefits, until much more deployment
  • Why should I go first?
  • We had (have?) the same problem with other technologies (IPv6 etc)
• Some folks will need to take the lead, if there is hope for wider adoption
  • Good way to find out how well it works
Thoughts on deployment obstacles (2)
• Operational stability
  • More complicated software infrastructure
  • New processes for:
    • Zone changes
    • Secure delegations
    • Security (protection of crypto keys)
    • Key rollover and maintenance
  • Integration w/ existing DNS management software
• What is the experience of the pilot?
Thoughts on deployment obstacles (3)
• Additional system requirements
  • Authoritative servers: memory
  • Resolvers: memory & CPU
• Memory use can be calculated
  • Probably not a big issue (unless you’re .COM!)
• CPU
  • Not too much of an issue today (dearth of signed data that needs validation)
  • Caveat: some potential DoS attacks could hit CPU
Thoughts on deployment obstacles (4)
• Key distribution in islands of trust
• Why is there no top-down deployment?
  • Work on signing root and (many) TLDs and in-addr.arpa is in progress
  • .SE, RIPE reverse done
  • .EDU work in motion
• Interim mechanisms like DLV exist
• Manual key exchange (unscalable)
Thoughts on deployment obstacles (5)
• Stub resolver security (e2e security)
  • An area of neglect in my opinion
• Push DNSSEC validation to endstations?
• Secure path from stub resolver to recursive resolver
  • Possibilities: SIG(0), TSIG, IPSEC
Thoughts on deployment obstacles (6)
• Application layer feedback
  • Coming gradually
• DNSSEC-aware resolution APIs and applications enhanced to use them
• DNSSEC-aware applications
  • See http://www.dnssec-tools.org/
• Note: some folks think it might be nice to protect DNSSEC-oblivious applications silently as an interim step
Thoughts on deployment obstacles (7)
• Zone enumeration threat
  • See NSEC3 record (spec almost done)
  • draft-ietf-dnsext-nsec3-09.txt
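An added example, not part of the talk, of the hashing NSEC3 introduces to blunt zone enumeration: it computes the NSEC3 hashed owner name as specified in the NSEC3 draft (published in 2008 as RFC 5155) and shows the check a validating resolver performs to decide whether one NSEC3 interval proves that a queried name does not exist. The salt, iteration count and owner names are those of the RFC 5155 Appendix A example zone, not anything from the pilot's own zones.

```python
import base64
import hashlib

# base32 -> base32hex (RFC 4648 "extended hex") alphabet; base32hex preserves the
# byte-wise sort order of the digest, which the covering check below relies on.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hashed owner name of `name` (SHA-1, RFC 5155 section 5).

    IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); the result is IH(iterations).
    """
    # Canonical wire form of the owner name: lowercase, length-prefixed labels, root label.
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding; zone files show it lowercase.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """True if an NSEC3 RR with these owner/next hashes proves that no name hashes to query_hash.

    The last RR in the chain wraps around to the first, so next_hash may sort below owner_hash.
    A chain of one RR (owner == next) covers every hash except its own.
    """
    o, n, q = owner_hash.lower(), next_hash.lower(), query_hash.lower()
    if o < n:
        return o < q < n
    return q > o or q < n


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone: SHA-1, 12 iterations, salt aabbccdd.
    salt, iters = "aabbccdd", 12
    for owner in ("example.", "a.example.", "ns1.example."):
        print(f"{owner:14} -> {nsec3_hash(owner, salt, iters)}")
    # Unlike NSEC, the RR reveals only hashes: an NSEC3 RR owned by H(example) with
    # next hash H(ns1.example) denies exactly the names whose hash falls strictly between.
    rr_owner, rr_next = nsec3_hash("example.", salt, iters), nsec3_hash("ns1.example.", salt, iters)
    for qname in ("nonexistent.example.", "a.example."):
        print(qname, "covered:", nsec3_covers(rr_owner, rr_next, nsec3_hash(qname, salt, iters)))
```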
References
• Internet2 DNSSEC Pilot
  • http://www.dnssec-deployment.org/internet2/
  • http://rosetta.upenn.edu/magpi/dnssec.html
  • Mailing list: dnssec@internet2.edu
  • https://mail.internet2.edu/wws/info/dnssec
• Internet2 DNSSEC Workshop
  • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243
References (2)
• DNSSEC(bis) technical specs:
  • RFC 4033, 4034, 4035
• Related:
  • DNSSEC HOWTO: http://www.nlnetlabs.nl/dnssec_howto/
  • Threat analysis of the DNS: RFC 3833
  • Operational practices: RFC 4641
  • NSEC3: draft-ietf-dnsext-nsec3-09
  • DLV: draft-weiler-dnssec-dlv-01
  • draft-hubert-dns-anti-spoofing-00
Questions?
• Shumon Huque
• shuque -at- isc.upenn.edu