Future DNS update (TERENA): research at SURFnet, bouncing a DANE idea around, DNSSEC signing-as-a-service
Roland van Rijswijk, [email protected]
Future DNS update, TF-MNM, November 9th 2011, Bologna
SURFnet. We make innovation work
Topics
- Research at SURFnet
- Bouncing a DANE idea around
- DNSSEC signing-as-a-service
Research at SURFnet
- End of last year and in March this year we had “issues” with a large ISP in The Netherlands
- Customers of the ISP were unable to resolve names in surfnet.nl
- The cause turned out to be an issue with the ISP’s firewall
Research at SURFnet
[Diagram: a recursive caching name server (resolver) querying an authoritative name server across the Internet, with a firewall in the path and min(MTU) = 1500 bytes somewhere in transit.]
Research at SURFnet
- Short student assignment to confirm the problem: http://bit.ly/dnssec-frags
- Currently: an MSc student is working on mitigation options and better detection
- Request: can we get traces from the NREN crowd for signed top-level domains or academic subdomains (.ac.*)
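As an added illustration of the fragmentation problem described above (example code, not from the talk or from SURFnet): a small detection script that checks, for each response in a constructed resolver log, whether it would have been split into IP fragments on a 1500-byte path, and what EDNS0 buffer size the resolver should advertise so the server truncates and the query falls back to TCP instead. The log format and field names are assumed for the example.

```python
import re

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8  # header sizes in bytes

# Constructed sample resolver log (not real SURFnet traffic): one response per
# line with the EDNS0 buffer size the resolver advertised and the wire size of
# the answer it received.
SAMPLE_LOG = """\
2011-11-09T10:00:01 surfnet.nl. DNSKEY proto=udp af=ipv4 bufsize=4096 size=1802
2011-11-09T10:00:02 www.surfnet.nl. A proto=udp af=ipv4 bufsize=4096 size=512
2011-11-09T10:00:03 surfnet.nl. DNSKEY proto=udp af=ipv6 bufsize=4096 size=1466
2011-11-09T10:00:04 surfnet.nl. DNSKEY proto=udp af=ipv4 bufsize=1232 size=1232
2011-11-09T10:00:05 surfnet.nl. DNSKEY proto=tcp af=ipv4 bufsize=4096 size=1802
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<qname>\S+) (?P<qtype>\S+) proto=(?P<proto>udp|tcp) "
    r"af=(?P<af>ipv4|ipv6) bufsize=(?P<bufsize>\d+) size=(?P<size>\d+)$")

def max_unfragmented_payload(af, path_mtu=1500):
    """Largest UDP payload that still fits in one IP packet on a path with this MTU."""
    return path_mtu - (IPV6_HDR if af == "ipv6" else IPV4_HDR) - UDP_HDR

def classify(rec, path_mtu=1500):
    """'tcp' (no fragmentation issue), 'ok', or 'fragmented' (the response was split
    into IP fragments, which a firewall in the path may silently drop)."""
    if rec["proto"] == "tcp":
        return "tcp"
    return "fragmented" if rec["size"] > max_unfragmented_payload(rec["af"], path_mtu) else "ok"

def analyse(log_text, path_mtu=1500):
    """Parse the log; attach a verdict and the EDNS0 buffer size the resolver should
    advertise so the server truncates (TC=1) and the query falls back to TCP
    instead of relying on fragments getting through the firewall."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a response record
        rec = m.groupdict()
        rec["bufsize"], rec["size"] = int(rec["bufsize"]), int(rec["size"])
        rec["verdict"] = classify(rec, path_mtu)
        rec["safe_bufsize"] = min(rec["bufsize"], max_unfragmented_payload(rec["af"], path_mtu))
        results.append(rec)
    return results

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(r["ts"], r["qname"], r["qtype"], r["verdict"], "advertise bufsize <=", r["safe_bufsize"])
```

Note that the IPv6 line is flagged even though it is under 1472 bytes: the larger IPv6 header leaves only 1452 bytes of UDP payload on a 1500-byte path.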
Bouncing a DANE idea around
- DANE = DNS-based Authentication of Named Entities
- Draft RFCs bouncing around the IETF
- Seen by many as an alternative to CA-based PKIs for TLS certificates
- Problem 1: trust framework in DNSSEC not (as) well defined
- Problem 2: lack of control/trust over all links in the chain of trust
Traditional trust chain
[Diagram: the zones root (.), org, nl and eduroam linked by secure delegations, each with its own DNSSEC policy, ending at the RADIUS certificate.]
Out-of-chain TTP
[Diagram: the same trust chain (root (.), org, nl, eduroam, secure delegations, DNSSEC policies, RADIUS certificate) extended with a trusted third party (TTP) that provides a secure delegation of its own, referenced via a TTP reference and a trust anchor repository.]
Scaling to multiple TTPs
[Diagram: the same trust chain, now with TTP 1, TTP 2, TTP 3 ... TTP n, each with its own trust anchor repository.]
Technical elements
- It is possible to re-use existing DNS(SEC) technologies:
  - DLV
  - Secure Delegation
  - DNSSEC signing policy framework
- Requires a means to reference a TTP
- Requires a validation framework
- Has similarities to Convergence (see convergence.io) but re-uses DNS(SEC) rather than establishing a whole new framework
DNSSEC uptake...
- DNSSEC uptake is still very slow (or has more or less ground to a halt)
- DNSSEC is complex; there is a willingness but a lack of understanding/know-how
DNSSEC signing-as-a-service
- Interesting market development: DNSSEC signing-as-a-service
- Registries starting to offer it (e.g. Nominet)
- Independent vendors also offering it
- Why not tender for such a service with the NREN community? (like we did with TCS)
DNSSEC signing-as-a-service
- Is there an interest in such a service?
- If so: what are requirements?
- How should we tender for such a service, and how should we handle contract duration, for instance?
- What can we learn from the market?
nl.linkedin.com/in/rolandvanrijswijk
@reseauxsansfil
[email protected]
Questions? Comments?
Please contact me!