
Developing a DNSSEC Policy

Mark Elkins - mje@posix.co.za


Presentation Transcript


  1. Developing a DNSSEC Policy
     Mark Elkins - mje@posix.co.za
     Agenda: The Compulsory • Zone Distribution • Which DNSSEC Protocol • Keys – and Managing them • Managing the Children • Using DNSSEC

  2. The Compulsory
     • The Certain: Time
       • NTP. RRSIG records carry inception and expiration timestamps, so the signer's clock and every validator's clock must be correct, or signatures are rejected as not yet valid or already expired
     • The Uncertain: Entropy
       • haveged. Key generation and signing need a well-seeded random source; a freshly installed or virtualised server often has very little
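Why the "certain time" matters in practice, as an added example that is not part of the talk: a small check that parses RRSIG records in presentation format and classifies each signature against a given clock. The zone lines below are constructed for the example, not taken from any real zone; the three-day warning window and the timestamps are assumptions chosen to show each state. Run it once with a correct clock and once with a validator clock that is an hour slow, and freshly signed records turn "not-yet-valid".

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, not from any real zone: RRSIG records in presentation
# format (RFC 4034 section 3.2).  Field order after "RRSIG": type covered,
# algorithm, labels, original TTL, expiration, inception, key tag, signer, signature.
SAMPLE_RRSIGS = """\
example.      3600 IN RRSIG SOA 8 1 3600 20240315120000 20240301120000 12345 example. AAAA
www.example.  3600 IN RRSIG A   8 2 3600 20240302000000 20240301120000 12345 example. BBBB
mail.example. 3600 IN RRSIG MX  8 2 3600 20240401120000 20240320120000 12345 example. CCCC
"""


def parse_timestamp(value):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.1.5)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig(line, now, warn_before=timedelta(days=3)):
    """Classify one RRSIG relative to `now`: valid, expiring, expired or not-yet-valid."""
    fields = line.split()
    if fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    expiration = parse_timestamp(fields[8])
    inception = parse_timestamp(fields[9])
    if now < inception:
        state = "not-yet-valid"       # signer clock ahead, or validator clock behind
    elif now > expiration:
        state = "expired"             # re-signing did not happen in time
    elif expiration - now <= warn_before:
        state = "expiring"            # still valid, but the re-sign job is late
    else:
        state = "valid"
    return {"owner": fields[0], "type": fields[4], "state": state,
            "inception": inception, "expiration": expiration}


def zone_states(text, now_str, warn_days=3):
    """Run the check over every RRSIG line; `now_str` uses the RRSIG timestamp format."""
    now = parse_timestamp(now_str)
    return [(r["owner"], r["type"], r["state"])
            for r in (check_rrsig(line, now, timedelta(days=warn_days))
                      for line in text.splitlines() if " RRSIG " in line)]


if __name__ == "__main__":
    # Correct clock: SOA valid, www's signature about to expire, mail's not yet valid.
    print(zone_states(SAMPLE_RRSIGS, "20240301180000"))
    # Validator clock one hour slow: the freshly signed records look "not yet valid".
    print(zone_states(SAMPLE_RRSIGS, "20240301110000"))
```

The same check, run from cron against `dig +dnssec` output or the signed zone file, is the cheapest early warning that the re-signing job has stalled.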

  3. Zone Distribution
     • TSIG
     • Signing the path between Master and Slave
     • Using a shared secret (an HMAC over each message) means there is confidence on the receiving side that the data came from the sender and was not altered in transit
     • Shared secrets (the TSIG keys) need to be renewed, e.g. once a year
     • Out of Band Key Management: the secret has to reach the other side over some channel other than DNS itself
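What the TSIG shared secret actually buys you, as an added example written for this page rather than code from the talk: both sides of the master/slave path, with the slave signing an AXFR request and the master verifying it. It implements the MAC computation of RFC 8945 (HMAC over the unsigned message plus the TSIG variables: key name, class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data). Wrapping the MAC into a TSIG RR in the additional section is left out; the key name `xfer-key.`, the 300-second fudge and the message IDs are assumptions, and the secret is random here where `tsig-keygen` would give you a base64 string for `named.conf`.

```python
import hashlib
import hmac
import os
import struct


def wire_name(name):
    """Canonical wire form of a domain name: length-prefixed lowercase labels, root = b'\\x00'."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def axfr_query(zone, msg_id):
    """Unsigned AXFR request: 12-byte header (QDCOUNT=1) plus QNAME, QTYPE=AXFR(252), QCLASS=IN(1)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3): key name, CLASS=ANY,
    TTL=0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)
            + wire_name(algorithm) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret, time_signed, fudge=300, algorithm="hmac-sha256."):
    """Sender side: MAC = HMAC(secret, unsigned message || TSIG variables)."""
    covered = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, covered, hashlib.sha256).digest()


def tsig_verify(message, key_name, secret, mac, time_signed, now, fudge=300,
                algorithm="hmac-sha256."):
    """Receiver side: reject stale messages first, then recompute and compare the MAC
    in constant time.  Returns (accepted, TSIG error name)."""
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    expected = tsig_sign(message, key_name, secret, time_signed, fudge, algorithm)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"


def demo():
    # Shared secret as tsig-keygen would generate it (base64 in named.conf); random here.
    secret = os.urandom(32)
    key_name = "xfer-key."                          # assumed key name
    query = axfr_query("example.", 0x1234)
    t = 1_700_000_000                               # sender's clock, NTP-synced
    mac = tsig_sign(query, key_name, secret, t)
    genuine = tsig_verify(query, key_name, secret, mac, t, now=t + 100)
    altered = tsig_verify(axfr_query("other.example.", 0x1234), key_name, secret, mac, t, now=t + 100)
    replayed = tsig_verify(query, key_name, secret, mac, t, now=t + 1000)
    wrong_key = tsig_verify(query, key_name, os.urandom(32), mac, t, now=t + 100)
    return genuine, altered, replayed, wrong_key


if __name__ == "__main__":
    for label, result in zip(("genuine", "altered", "replayed", "wrong key"), demo()):
        print(f"{label:10s} -> {result}")
```

The BADTIME branch is why the previous slide insists on NTP: a master and slave whose clocks differ by more than the fudge value will refuse each other's transfers even with the right secret.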

  4. Which DNSSEC Protocol?
     • NSEC - Original method
       • Everything is signed
       • Light weight
       • No privacy: anyone can walk the zone by following the NSEC chain from name to name
     • NSEC3 - Designed for ccTLDs
       • Cannot walk the zone directly, because the chain links hashed owner names (the hashes can still be collected and guessed offline, so this is obscurity rather than secrecy)
       • Opt-Out: only secure delegations are covered by the chain; unsigned delegations are skipped
       • Reduces the increase in signed zone size
     • NSEC3 Options
       • Opt-out
       • Seeding (the salt)
       • Hash cycles (the iteration count; current guidance in RFC 9276 is zero extra iterations and an empty salt, since they cost validators CPU without adding protection)
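The NSEC3 hashing from RFC 5155, and the reason "cannot walk the zone" is not the same as "private", as an added example that is not code from the talk. The hash uses the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations), under which the apex `example.` hashes to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`; the sample zone names and the wordlist are constructed for the example. Because the salt and iteration count are published in NSEC3PARAM, anyone who has collected the chain can test guesses offline, which is what `dictionary_attack` does.

```python
import base64
import hashlib

_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form: length-prefixed lowercase labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), lowercase, no padding."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_B32HEX).lower()


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: H0 = SHA-1(owner || salt); Hk = SHA-1(Hk-1 || salt) for k = 1..iterations."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def chain_owner_names(names, salt, iterations):
    """What an NSEC3 chain exposes to a zone walker: the sorted hashed owner names."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def dictionary_attack(hashed_owners, wordlist, zone, salt, iterations):
    """Offline guessing against a walked chain.  Salt and iterations are public
    (NSEC3PARAM), so each guess costs exactly one hash computation."""
    targets = set(hashed_owners)
    found = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in targets:
            found[h] = candidate
    return found


# Constructed sample zone and wordlist (not from the talk).
SAMPLE_ZONE = "example."
SAMPLE_NAMES = ["example.", "www.example.", "mail.example.", "zq7-internal.example."]
SAMPLE_WORDLIST = ["www", "mail", "ftp", "admin", "vpn"]


def demo(salt=bytes.fromhex("aabbccdd"), iterations=12):
    """RFC 5155 Appendix A parameters by default; returns (exposed hashes, recovered names)."""
    exposed = chain_owner_names(SAMPLE_NAMES, salt, iterations)
    return exposed, dictionary_attack(exposed, SAMPLE_WORDLIST, SAMPLE_ZONE, salt, iterations)


if __name__ == "__main__":
    exposed, found = demo()
    print(exposed)     # the apex hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(found)       # www and mail recovered; the unguessable name stays hidden
```

Swapping in `iterations=0, salt=b""` changes nothing about what the attacker learns, only how much CPU every validator spends per negative answer, which is the basis for the RFC 9276 recommendation.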

  5. Keys – and management
     • Asymmetric keys: one part secret, one part public
     • KSK - Key Signing Key
       • Used to sign the ZSKs (it signs the DNSKEY RRset)
       • Longish life cycle, default is one year
       • Potentially difficult to roll, because the parent's DS record has to change with it
       • Generate with RSASHA256 (algorithm 8) with 2048 bits
       • Hash present in Parent (DS Record)
     • ZSK - Zone Signing Key
       • Used to sign the data in a zone
       • Shortish life cycle, default is one month
       • Simple to roll, no parent involvement
       • Generate with RSASHA256 with 1024 bits (the figure from the talk; 1024-bit RSA is no longer considered adequate, so use 2048 bits or ECDSAP256SHA256, algorithm 13, for both keys today)

  6. Keys – and management
     • Hardware Security Module - HSM
       • Multiple, redundant, tamper-resistant devices
     • "Soft" HSM (SoftHSM; integrating it with BIND is difficult)
     • Keys on the file system
       • Stripped-down server
       • Limited access (no direct Internet access)

  7. Managing the Children
     • Need to populate the parent with DS Records
       • Out of Band: paper, secure web site
       • Via EPP extension (registrar to registry)
       • Via "in-band" methods (today: CDS/CDNSKEY records published by the child, RFC 7344)
     • What do you record? The child's KSK / DS
     • Emergency "Roll-over": agree in advance how a compromised KSK gets replaced in the parent quickly
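Slides 5 and 7 both come down to one artefact, the DS record that the parent publishes for the child's KSK. As an added example (not the talk's scripts), this reproduces what `dnssec-dsfromkey` does: the RFC 4034 Appendix B key tag and the SHA-256 digest over the canonical owner name plus DNSKEY RDATA (RFC 4509), and it refuses to emit a DS for a ZSK, since only keys with the SEP flag belong in the parent. The DNSKEY lines are constructed, not real keys: an 8-byte "modulus" keeps the key tag small enough to check by hand.

```python
import base64
import hashlib
import struct


def wire_name(name):
    """Canonical wire form: length-prefixed lowercase labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line into (owner, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], dnskey_rdata(int(fields[i + 1]), int(fields[i + 2]),
                                   int(fields[i + 3]), public_key)


def is_ksk(rdata):
    """The SEP flag (value 1) marks the key a parent should point at; 257 = ZONE|SEP, 256 = ZONE."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return flags & 0x0001 != 0


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, then fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """DS RDATA = key tag, algorithm, digest type, digest(canonical owner || DNSKEY RDATA).
    Digest type 2 is SHA-256 (RFC 4509), the one to hand to a parent today."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


# Constructed sample (NOT a real key).  RSA public keys are encoded as exponent length,
# exponent, modulus (RFC 3110); an 8-byte "modulus" keeps the key tag hand-checkable:
# RDATA words 0101 0308 0301 0001 dead beef 0011 2233 sum to 0x1c6eb, folded 0xc6ec = 50924.
SAMPLE_PUBLIC_KEY = bytes([3, 0x01, 0x00, 0x01]) + bytes.fromhex("deadbeef00112233")
SAMPLE_KSK = "example. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_PUBLIC_KEY).decode()
SAMPLE_ZSK = "example. 3600 IN DNSKEY 256 3 8 " + base64.b64encode(SAMPLE_PUBLIC_KEY).decode()


def ds_records_for_parent(dnskey_lines, digest_type=2):
    """Only KSKs (SEP set) become DS records for the parent; ZSKs never leave the zone."""
    out = []
    for line in dnskey_lines:
        owner, rdata = parse_dnskey(line)
        if is_ksk(rdata):
            out.append(ds_record(owner, rdata, digest_type))
    return out


if __name__ == "__main__":
    for ds in ds_records_for_parent([SAMPLE_KSK, SAMPLE_ZSK]):
        print(ds)
```

Whatever channel the parent offers (paper, web form, EPP), what you record on your side is the DNSKEY line the DS was derived from and the DS line itself; during a KSK roll both old and new DS must sit in the parent until the old signatures have expired from caches.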

  8. Using DNSSEC
     • Making a Resolver "DNSSEC" aware: turn on validation and give it a trust anchor
     • RFC 5011: automated trust anchor updates, so the root KSK can roll without anyone editing the resolver by hand
     • Howto: http://dnssec.co.za & http://dnssec.na
     • Scripts available at: http://posixafrica.com
     • Install the "DNSSEC Validator" browser add-on and get the Green Key

  9. Ready to run DNSSEC
     • Use TSIG for zone distribution
     • Need: NTP, haveged
     • NSEC3 or NSEC?
       • Opt-In/Out, Seed, Hash
     • KSK: 1 year
     • ZSK: 1 month
     • Signing
     • Done
