260 likes | 268 Views
This presentation explores the importance of DNSSEC for the .edu domain, its adoption by various top-level domains, and the steps to implement DNSSEC. It covers the fundamental flaws of DNS, the security extensions provided by DNSSEC, and what DNSSEC does and does not do. The presentation also provides resources and guidance for getting started with DNSSEC implementation.
E N D
DNSSEC for the .edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010
Agenda • Review DNS • How DNSSEC augments DNS • What DNSSEC doesn’t do • Why DNSSEC matters to you • DNSSEC Adoption • Getting started: Between now and July 2010 • Going live: Anticipated in July 2010
DNS: A Review Illustration courtesy of Niranjan Kunwar / Nirlog.com
DNS Caching • DNS Servers cache data to improve performance • But…what happens if the cached data is wrong?
DNS is Fundamentally Flawed More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf
DNS Cache Poisoning Gets Easier Article explaining vulnerability: http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky Photo by Dave Bullock / eecue
DNSSEC: DNS Security Extensions • Validate the origin of a DNS response • Trust that the data came from the expected source • Validate the integrityof a DNS response • Trust that the data itself is correct • Validate denial of existence • Trust a “no records to return” response
DNS with DNSSEC implemented Illustration courtesy of Niranjan Kunwar / Nirlog.com
DNSSEC Augments DNS • Use public key cryptography to “sign” DNS data • New DNS resource records carry signatures • DNSKEY, RRSIG, NSEC, DS • Publish signatures to parent zone • Domain to namespace, namespace to root • DNS resolvers validate signature matches Good explanation: http://ispcolumn.isoc.org/2006-08/dnssec.html
What DNSSEC Doesn’t Do • Encrypt data – that’s SSL • Protect your servers from denial of service attacks • Keep you from visiting phishing sites • DNSSEC protects you from forged DNS data
Why You Care: Hypothetical Case Study Photo by Bart Everson
Adoption is Critical • Can’t require validation yet – would reject most internet traffic • In the interim, will need a browser warning for non-validated lookups (like SSL “lock” today) • Validation will likely be required at some point
Adoption is Increasing Quickly Data from SecSpider: http://secspider.cs.ucla.edu Graph courtesy of Eric Osterweil
Many Top Level Domains are Signing • Signed TLDs • bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us • arpa, gov, museum, org • Coming soon • edu anticipated in July 2010 • net anticipated in late 2010 • com anticipated in early 2011 TLD data courtesy of Shinkuro, Inc.
Current DNSSEC Adoption in .edu • 7 signed .edu domains • berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu • 64 signed .edu sub-domains • Many are computer science departments or DNS research projects Data from SecSpider: http://secspider.cs.ucla.edu Slide courtesy of Shumon Huque, University of Pennsylvania
If you are… • CIO or IT leader • Get DNSSEC on your staff’s radar now • Add DNSSEC to your summer maintenance schedule • Technical staff • If an ISP hosts your DNS • Ask the ISP when they will support DNSSEC • If you host your DNS • Learn about signing • Get DNSSEC-aware DNS software • Sign your zone
Learn About Signing • Study the RFCs • RFC 4033 – DNSSEC introduction and requirements • RFC 4034 – Resource records for DNSSEC • RFC 4641 – DNSSEC operational practices • NIST Secure DNS Deployment Guide
Get DNSSEC-aware DNS Software • Need DNSSEC-aware software on published DNS servers and all intermediate resolvers • BIND 9.6 or greater • ZKT • OpenDNSSEC • Windows 2008 Server R2 • Signing appliances • Many more… Find these packages and more at http://www.dnssec.net/software
Sign Your Zone • Generate a KSK and one or more ZSKs • http://tools.ietf.org/html/rfc4641#section-3.1 • Practice key rollovers & establish processes for managing keys • http://tools.ietf.org/html/rfc4641#section-4.2
Chain of Trust Can Be Established Original illustration courtesy of Niranjan Kunwar / Nirlog.com
Publish Your Signatures to .edu Zone • Enter DS record data into the .edu Domain Administration website .edu Domain Administration website: http://www.educause.edu/edudomain
Many Resources Available to Help You • RFCs • http://tools.ietf.org/rfc/index • DNSSEC.NET website • http://www.dnssec.net/ • Your .edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv • http://listserv.educause.edu/archives/dnssec.html