DNSSEC for the .edu Domain
DESCRIPTION
DNSSEC for the .edu Domain. Becky Granger, Director, Information Technology and Member Services, EDUCAUSE. April 29, 2010. Agenda: Review DNS; How DNSSEC augments DNS; What DNSSEC doesn't do; Why DNSSEC matters to you; DNSSEC adoption; Getting started: Between now and July 2010.
TRANSCRIPT
Slide 1
DNSSEC for the .edu Domain
Becky Granger, Director, Information Technology and Member Services, EDUCAUSE
April 29, 2010
Slide 2
Agenda
Review DNS
How DNSSEC augments DNS
What DNSSEC doesn't do
Why DNSSEC matters to you
DNSSEC Adoption
Getting started: Between now and July 2010
Going live: Anticipated in July 2010
Slide 3
DNS: A Review
Illustration courtesy of Niranjan Kunwar / Nirlog.com
Slide 4
DNS Caching
DNS servers cache data to improve performance.
But what happens if the cached data is wrong?
Slide 5
DNS is Fundamentally Flawed
More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf
Slide 6
DNS Cache Poisoning Gets Easier
Article explaining the 2008 Kaminsky cache-poisoning vulnerability: http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky
Photo by Dave Bullock / eecue
Slide 7
DNSSEC: DNS Security Extensions
Validate the origin of a DNS response: trust that the data came from the expected source
Validate the integrity of a DNS response: trust that the data itself is correct
Validate denial of existence: trust a “no records to return” response
Slide 8
DNS with DNSSEC implemented
Illustration courtesy of Niranjan Kunwar / Nirlog.com
Slide 9
DNSSEC Augments DNS
Use public key cryptography to sign DNS data
New DNS resource record types carry the keys, signatures and proofs: DNSKEY (the zone's public keys), RRSIG (a signature over each record set), NSEC (or NSEC3: authenticated denial of existence) and DS (a digest of the child zone's key, published in the parent)
Build the chain of trust upward by handing a DS record to the parent zone: your domain to .edu, .edu to the root
Validating resolvers check each RRSIG against the zone's DNSKEY, and each DNSKEY against the DS record in the parent, up to a trust anchor they are configured with
Good explanation: http://ispcolumn.isoc.org/2006-08/dnssec.html
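The denial-of-existence property from Slide 7 and the NSEC record listed above, as an added example that is not part of the presentation: a validating resolver decides whether an NXDOMAIN or NODATA answer is genuine by checking NSEC records against the canonical name order of RFC 4034 §6.1. The example.edu zone (apex plus ftp, mail and www) is constructed for this example; checking the RRSIGs over the NSEC records is assumed to have been done already, so the code covers only the ordering logic that follows.

```python
"""Authenticated denial of existence with NSEC records (RFC 4034 §4 and §6.1,
RFC 4035 §5.4). Added example: the zone data is constructed, and verification
of the RRSIGs over the NSEC records is assumed to have happened already; this
code covers only the ordering logic a validating resolver applies afterwards."""
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """RFC 4034 §6.1 canonical ordering key: compare label by label starting
    from the root, labels lower-cased; a name sorts before its own subdomains."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def is_subdomain(name: str, apex: str) -> bool:
    n, a = canonical_key(name), canonical_key(apex)
    return n[:len(a)] == a


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str       # next owner name in canonical order
    types: frozenset     # the type bitmap: RR types present at `owner`

    def covers(self, name: str) -> bool:
        """True when `name` lies strictly between owner and next_name. The last
        NSEC in a zone points back to the apex, so its interval wraps around."""
        o, n, q = canonical_key(self.owner), canonical_key(self.next_name), canonical_key(name)
        if o < n:
            return o < q < n
        return q > o or q < n


def closest_encloser(qname: str, nsec: NSEC) -> str:
    """Longest existing ancestor of qname, taken as the longest prefix qname
    shares with the covering NSEC's owner or next name."""
    q = canonical_key(qname)
    best = ()
    for other in (nsec.owner, nsec.next_name):
        o = canonical_key(other)
        common = 0
        while common < min(len(q), len(o)) and q[common] == o[common]:
            common += 1
        if common > len(best):
            best = q[:common]
    return ".".join(label.decode("ascii") for label in reversed(best)) + "."


def prove_nxdomain(apex: str, nsecs, qname: str) -> bool:
    """NXDOMAIN is proven only if (1) qname is inside the zone, (2) some NSEC
    covers qname, and (3) some NSEC covers *.<closest encloser>, so that no
    wildcard could have synthesised an answer."""
    if not is_subdomain(qname, apex):
        return False
    cover = next((r for r in nsecs if r.covers(qname)), None)
    if cover is None:
        return False          # no gap in the chain contains qname: the name exists
    wildcard = "*." + closest_encloser(qname, cover)
    return any(r.covers(wildcard) for r in nsecs)


def prove_nodata(nsecs, qname: str, qtype: str) -> bool:
    """NODATA (name exists, type does not) is proven by the NSEC owned by qname
    whose type bitmap omits qtype."""
    for r in nsecs:
        if canonical_key(r.owner) == canonical_key(qname):
            return qtype not in r.types
    return False


# Constructed zone: example.edu with three hosts, NSEC chain in canonical order.
ZONE_APEX = "example.edu."
NSEC_CHAIN = [
    NSEC("example.edu.", "ftp.example.edu.", frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC("ftp.example.edu.", "mail.example.edu.", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("mail.example.edu.", "www.example.edu.", frozenset({"A", "MX", "RRSIG", "NSEC"})),
    NSEC("www.example.edu.", "example.edu.", frozenset({"A", "AAAA", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    for q in ("shop.example.edu.", "zzz.example.edu.", "www.example.edu.", "www.other.edu."):
        print(q, "NXDOMAIN proven:", prove_nxdomain(ZONE_APEX, NSEC_CHAIN, q))
    print("www MX NODATA proven:", prove_nodata(NSEC_CHAIN, "www.example.edu.", "MX"))
    print("www AAAA NODATA proven:", prove_nodata(NSEC_CHAIN, "www.example.edu.", "AAAA"))
```

The two negative cases are the ones that matter: a forged NXDOMAIN for www.example.edu. fails because no NSEC interval contains a name that exists, and a forged NODATA for www AAAA fails because the type is in the bitmap. A name outside the zone is rejected before any ordering check, since the wrap-around interval of the last NSEC would otherwise appear to cover it.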
Slide 10
What DNSSEC Doesn’t Do
Encrypt data (that's SSL)
Protect your servers from denial of service attacks
Keep you from visiting phishing sites
DNSSEC protects you from forged DNS data
Slide 11
Why You Care: Hypothetical Case Study
Photo by Bart Everson
Slide 12
DNSSEC Adoption
Slide 13
Adoption is Critical
Can't require validation yet: with so few zones signed, a resolver that rejected every unsigned answer would reject most Internet traffic
In the interim, will need a browser warning for non-validated lookups (like the SSL “lock” today)
Validation will likely be required at some point
Slide 14
Adoption is Increasing Quickly
Data from SecSpider: http://secspider.cs.ucla.edu Graph courtesy of Eric Osterweil
Slide 15
Many Top Level Domains are Signing
Signed TLDs: bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us, arpa, gov, museum, org
Coming soon: edu anticipated in July 2010; net anticipated in late 2010; com anticipated in early 2011
TLD data courtesy of Shinkuro, Inc.
Slide 16
Current DNSSEC Adoption in .edu
7 signed .edu domains: berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu
64 signed .edu sub-domains; many are computer science departments or DNS research projects
Data from SecSpider: http://secspider.cs.ucla.edu Slide courtesy of Shumon Huque, University of Pennsylvania
Slide 17
Getting Started: Between now and July 1, 2010
Slide 18
If you are…
CIO or IT leader: get DNSSEC on your staff's radar now; add DNSSEC to your summer maintenance schedule
Technical staff, if an ISP hosts your DNS: ask the ISP when they will support DNSSEC
Technical staff, if you host your DNS: learn about signing, get DNSSEC-aware DNS software, sign your zone
Slide 19
Learn About Signing
Study the RFCs: RFC 4033 – DNSSEC introduction and requirements; RFC 4034 – Resource records for DNSSEC; RFC 4035 – Protocol modifications for DNSSEC; RFC 4641 – DNSSEC operational practices
NIST Secure DNS Deployment Guide (NIST SP 800-81)
Slide 20
Get DNSSEC-aware DNS Software
Need DNSSEC-aware software on your published (authoritative) DNS servers and on all intermediate resolvers: BIND 9.6 or greater, ZKT, OpenDNSSEC, Windows Server 2008 R2, signing appliances, and many more
Find these packages and more at http://www.dnssec.net/software
Slide 21
Sign Your Zone
Generate a KSK and one or more ZSKs (http://tools.ietf.org/html/rfc4641#section-3.1). The KSK is the key whose DS record you hand to the parent; the ZSKs sign the zone data and can be rolled without involving .edu
Practice key rollovers and establish processes for managing keys (http://tools.ietf.org/html/rfc4641#section-4.2)
Slide 22
Going Live: July 2010 (anticipated)
Slide 23
Chain of Trust Can Be Established
Original illustration courtesy of Niranjan Kunwar / Nirlog.com
Slide 24
Publish Your Signatures to .edu Zone
Enter the DS record for your KSK into the .edu Domain Administration website; that DS record is what links your zone into the chain of trust
.edu Domain Administration website: http://www.educause.edu/edudomain
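What you actually enter on the .edu Domain Administration site is the DS record derived from your KSK (the DS step on Slide 9 and here). The following is an added example, not material from the presentation or EDUCAUSE: it parses a DNSKEY line of the kind dnssec-keygen writes, computes the RFC 4034 Appendix B key tag, and produces the DS RDATA (key tag, algorithm, digest type, digest over owner name plus DNSKEY RDATA). The DNSKEY in it is a constructed 6-byte stand-in, not a real RSA key, so only the record format is realistic; run it on your own KSK line to get the real values.

```python
"""Derive the DS record that a signed child zone publishes in its parent
(RFC 4034 §5, key tag from Appendix B, SHA-256 digest type from RFC 4509).
Added example; the DNSKEY below is a constructed stub, not a real RSA key."""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 and 2


def parse_dnskey_line(line: str) -> tuple:
    """Split a zone-file DNSKEY line (as written by dnssec-keygen) into
    (owner, flags, protocol, algorithm, base64 key); a trailing ';' comment is dropped."""
    fields = line.split(";", 1)[0].split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    return owner, flags, protocol, algorithm, "".join(fields[i + 4:])


def is_ksk(flags: int) -> bool:
    """Only a key-signing key (Zone Key bit 256 plus SEP bit 1, i.e. flags 257)
    should be turned into a DS record at the parent."""
    return flags & 0x0101 == 0x0101


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum the RDATA as 16-bit big-endian words,
    fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(name: str) -> bytes:
    """Owner name in wire format with labels lower-cased (RFC 4034 §6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """DS RDATA = key tag, algorithm, digest type, digest(owner || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey_line(dnskey_line)
    if not is_ksk(flags):
        raise ValueError(f"flags {flags}: not a KSK, do not publish a DS for it")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(key_b64))
    digest = DIGEST_ALGS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed sample lines: flags 257 (KSK) and 256 (ZSK), protocol 3,
# algorithm 8 (RSA/SHA-256), with a 6-byte stand-in key "AwEAAavN".
SAMPLE_KSK_LINE = "example.edu. 3600 IN DNSKEY 257 3 8 AwEAAavN ; constructed KSK"
SAMPLE_ZSK_LINE = "example.edu. 3600 IN DNSKEY 256 3 8 AwEAAavN ; constructed ZSK"

if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK_LINE))      # example.edu. IN DS 45784 8 2 <64 hex digits>
    print(ds_record(SAMPLE_KSK_LINE, 1))   # example.edu. IN DS 45784 8 1 <40 hex digits>
```

Compare the output against what dnssec-dsfromkey prints for the same key before pasting it into the .edu site: the key tag and digest must match exactly, and the refusal to build a DS for a 256-flag key is deliberate, since a ZSK is rolled without the parent's involvement.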
Slide 25
Many Resources Available to Help You
RFCs http://tools.ietf.org/rfc/index
DNSSEC.NET website http://www.dnssec.net/
Your .edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv http://listserv.educause.edu/archives/dnssec.html
Slide 26
Questions?