Internet2 DNSSEC Pilot


Shumon Huque

University of Pennsylvania

ESCC/Internet2 Joint Techs Workshop

Minneapolis, Minnesota, U.S.A., Feb 14th 2007

2 Shumon Huque

Description of the Pilot

• http://www.dnssec-deployment.org/internet2/
• Deploy DNSSEC
• Gain operational experience
• Does it work (does it catch anything?)
• Test DNSSEC-aware applications

• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
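The trust-anchor exchange described on this slide, as an added illustration that is not part of the talk or of any participant's real configuration: in a BIND 9 named.conf the partner zone's public KSK is pasted into a trusted-keys statement and validation is switched on. "partner.example." and the key material below are placeholders.

```conf
// Added example: a validating BIND 9 resolver with one manually exchanged
// trust anchor. Zone name and key are placeholders, not a pilot participant's.
options {
    dnssec-enable yes;       // send and accept DNSSEC records
    dnssec-validation yes;   // validate answers against the anchors below
};

// Format: owner-name flags protocol algorithm base64-public-key
// 257 = Zone Key + Secure Entry Point (a KSK), 3 = DNSKEY protocol,
// 5 = RSA/SHA-1
trusted-keys {
    "partner.example." 257 3 5 "<base64 public key of the partner KSK>";
};
```

An anchor configured this way has to be replaced by hand every time the partner rolls its KSK, and every validating resolver in every island needs the update, which is the scaling problem with manual key exchange noted later in the talk.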


What is DNSSEC?

• A system to verify the authenticity of DNS “data”
  • RFC 4033, 4034, 4035

• Helps detect: spoofing, misdirection, cache poisoning

• Some secondary benefits appear:
  • You could store keying material in DNS
  • DKIM, SSHFP, IPSECKEY, etc.


A little background ..

• Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs

• Mar ‘06: dnssec@internet2 mailing list
• Apr ‘06: Internet2 Spring Member meeting
  • Advisory group formed and plans for a pilot project formulated
• May ‘06: Pilot group began
  • Bi-weekly conference calls and progress reports


Co-ordination

• Internet2

• Shinkuro シンクロ
  • Partner in DNSSEC Deployment Initiative
  • http://www.dnssec-deployment.org/

• Some funding from US government


DNSSEC Deployment Efforts so far

• MAGPI GigaPoP
  • All zones: magpi.{net,org} & 15 reverse zones
  • https://rosetta.upenn.edu/magpi/dnssec.html

• MERIT
  • radb.net
  • nanog.org
  • http://www.merit.edu/networkresearch/dnssec.html

• NYSERNet - test zone
  • nyserlab.org


Others considering or planning deployment

• University of Pennsylvania

• University of California - Berkeley

• University of California - Los Angeles

• University of Massachusetts - Amherst

• Internet2


DLV (DNSSEC Lookaside Validation)

• A mechanism to securely locate DNSSEC trust anchors “off-path”

• An early deployment aid until top-down deployment of DNSSEC happens

• Pilot group is in talks to make use of ISC’s DLV registry
  • http://www.isc.org/index.pl?/ops/dlv/
  • More on this at a later date ..


More participants welcome!

• (participation not restricted to Internet2)

• Join mailing list

• Participate in conference calls


Thoughts on deployment obstacles (1)

• A chicken & egg problem
  • Marginal benefits, until much more deployment
  • Why should I go first?

• We had (have?) the same problem with other technologies (IPv6 etc)

• Some folks will need to take the lead, if there is hope for wider adoption

• Good way to find out how well it works


Thoughts on deployment obstacles (2)

• Operational stability
  • More complicated software infrastructure
  • New processes for:
    • Zone changes
    • Secure delegations
    • Security (protection of crypto keys)
    • Key rollover and maintenance

• Integration w/ existing DNS management software

• What is the experience of the pilot?


Thoughts on deployment obstacles (3)

• Additional system requirements
  • Authoritative servers: memory
  • Resolvers: memory & CPU

• Memory use can be calculated
  • Probably not a big issue (unless you’re .COM!)

• CPU
  • Not too much of an issue today (dearth of signed data that needs validation)
  • Caveat: some potential DoS attacks could hit CPU
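To make "memory use can be calculated" concrete, here is an added estimator (not from the talk) that adds up the wire bytes signing introduces: one RRSIG per existing RRset, one NSEC plus its RRSIG per owner name, and the DNSKEY RRset with its two signatures. Record layouts follow RFC 4034 and RFC 3110; the zone profiles, key sizes, 10-byte fixed RR header and 6-byte NSEC type bitmap are assumptions, and the result is wire size rather than a server's in-memory footprint, which is larger but grows in the same proportion.

```python
# Added example (not from the talk): estimate how much a zone grows when
# signed, in wire bytes, from a few zone statistics. Record layouts follow
# RFC 4034; the zone profiles, key sizes and bitmap length are assumptions.

RR_FIXED = 10  # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) per record


def rr_len(owner_wire_len, rdata_len):
    """Wire length of one RR: owner name + fixed header + RDATA."""
    return owner_wire_len + RR_FIXED + rdata_len


def rrsig_rdata_len(signer_wire_len, key_bits):
    """RRSIG RDATA: 18 bytes of fixed fields (type covered, algorithm, labels,
    original TTL, expiration, inception, key tag) + signer name + signature.
    For RSA the signature is as long as the modulus."""
    return 18 + signer_wire_len + key_bits // 8


def rsa_dnskey_rdata_len(key_bits):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) + RSA public key per
    RFC 3110 (1-byte exponent length, 3-byte exponent 65537, modulus)."""
    return 4 + 1 + 3 + key_bits // 8


def nsec_rdata_len(next_wire_len, type_bitmap_len):
    """NSEC RDATA: next owner name + type bitmap."""
    return next_wire_len + type_bitmap_len


def estimate(names, rrsets, rrs, avg_owner_wire, avg_rdata, apex_wire,
             zsk_bits=1024, ksk_bits=2048, nsec_bitmap=6):
    """Wire-byte totals before and after signing.

    Assumes one ZSK signs every RRset, the KSK and the ZSK both sign the
    DNSKEY RRset, and every owner name gets one NSEC. DS records at
    delegations are not modelled."""
    unsigned = rrs * rr_len(avg_owner_wire, avg_rdata)
    zsk_sig = rr_len(avg_owner_wire, rrsig_rdata_len(apex_wire, zsk_bits))
    rrset_sigs = rrsets * zsk_sig
    nsec = names * rr_len(avg_owner_wire,
                          nsec_rdata_len(avg_owner_wire, nsec_bitmap))
    nsec_sigs = names * zsk_sig
    dnskeys = (rr_len(apex_wire, rsa_dnskey_rdata_len(zsk_bits))
               + rr_len(apex_wire, rsa_dnskey_rdata_len(ksk_bits)))
    dnskey_sigs = (rr_len(apex_wire, rrsig_rdata_len(apex_wire, zsk_bits))
                   + rr_len(apex_wire, rrsig_rdata_len(apex_wire, ksk_bits)))
    signed = unsigned + rrset_sigs + nsec + nsec_sigs + dnskeys + dnskey_sigs
    return {"unsigned": unsigned, "signed": signed, "ratio": signed / unsigned}


if __name__ == "__main__":
    # Constructed profile: a /16 reverse zone (apex like 0.10.in-addr.arpa.,
    # 19 wire bytes) with one PTR per name; owner names like
    # 1.2.0.10.in-addr.arpa. are 24 wire bytes, PTR targets about 30.
    rev = estimate(names=60_000, rrsets=60_000, rrs=60_000,
                   avg_owner_wire=24, avg_rdata=30, apex_wire=19)
    print("reverse /16: %.1f MB -> %.1f MB (x%.1f)"
          % (rev["unsigned"] / 1e6, rev["signed"] / 1e6, rev["ratio"]))
```

The point the numbers make: for a PTR-heavy zone, where every name holds one tiny RRset, the two RRSIGs and the NSEC added per name dominate, so the signed zone is several times the size of the unsigned one, and the factor is driven by the ZSK modulus length. The absolute amount is still small for anything short of a very large TLD.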


Thoughts on deployment obstacles (4)

• Key distribution in islands of trust
• Why is there no top-down deployment?

• Work on signing root and (many) TLDs and in-addr.arpa is in progress
  • .SE, RIPE reverse done
  • .EDU work in motion

• Interim mechanisms like DLV exist
• Manual key exchange (unscalable)
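The two ways of getting a trust anchor named on this slide, keys configured by hand for an island of trust and a lookaside (DLV) registry, as an added Python model that is not from the talk or the pilot. A DLV record carries the same RDATA as a DS record (key tag, algorithm, digest type, digest), so once found it is checked against the zone's DNSKEY exactly like a DS; the key tag and digest computations below follow RFC 4034. Zone names, key bytes, the registry contents and the nearest-first search order are constructed or assumed for the example.

```python
import hashlib

# Added example (not from the talk or the pilot): how a validator locates a
# trust anchor for a zone, first among locally configured anchors (the
# "islands of trust"), then off-path in a DLV registry. Zone names, keys,
# registry contents and search order are constructed; no queries are made.


def canonical_labels(name):
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def wire_name(name):
    """Canonical (lowercase) wire form of a name, RFC 4034 section 6.2."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in canonical_labels(name)) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata):
    """DS/DLV RDATA as a tuple: (key tag, algorithm, digest type 1,
    SHA-1 over owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = hashlib.sha1(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 1, digest)


def dnskey_matches(ds, owner, rdata):
    """True if the DNSKEY fetched from the zone is the one the DS/DLV names."""
    return ds == make_ds(owner, rdata)


def ancestors(zone):
    """The zone and each ancestor, nearest first, excluding the root."""
    lbls = canonical_labels(zone)
    return [".".join(lbls[i:]) + "." for i in range(len(lbls))]


def find_trust_anchor(zone, configured, dlv_registry, dlv_domain):
    """Return (source, name, ds): source is 'configured', 'dlv' or 'insecure'.

    Configured anchors win. The DLV search looks up <zone>.<dlv_domain>,
    then each ancestor the same way, nearest first; that order is this
    example's simplification, not a statement of the DLV specification."""
    for name in ancestors(zone) + ["."]:
        if name in configured:
            return ("configured", name, configured[name])
    for name in ancestors(zone):
        lookaside = ".".join(canonical_labels(name)
                             + canonical_labels(dlv_domain)) + "."
        if lookaside in dlv_registry:
            return ("dlv", lookaside, dlv_registry[lookaside])
    return ("insecure", None, None)


# Constructed sample data: two zones with placeholder KSKs (flags 257 =
# Zone Key + SEP, protocol 3, algorithm 5 = RSASHA1). The key bytes are
# stand-ins, not RSA keys.
KSK_ALPHA = dnskey_rdata(257, 3, 5, b"\x03\x01\x00\x01" + bytes(range(32)))
KSK_BETA = dnskey_rdata(257, 3, 5, b"\x03\x01\x00\x01" + bytes(range(32, 64)))

DLV_DOMAIN = "dlv.example.org."   # stand-in for a real lookaside registry
CONFIGURED = {"alpha.example.": make_ds("alpha.example.", KSK_ALPHA)}  # exchanged by hand
# The DLV digest is over the zone's own name, only the record lives elsewhere.
DLV_REGISTRY = {"beta.example." + DLV_DOMAIN: make_ds("beta.example.", KSK_BETA)}

if __name__ == "__main__":
    for zone in ("www.alpha.example.", "beta.example.", "gamma.example."):
        src, name, _ = find_trust_anchor(zone, CONFIGURED, DLV_REGISTRY, DLV_DOMAIN)
        print(zone, "->", src, name)
    ds = DLV_REGISTRY["beta.example." + DLV_DOMAIN]
    print("beta KSK matches DLV :", dnskey_matches(ds, "beta.example.", KSK_BETA))
    print("alpha KSK matches DLV:", dnskey_matches(ds, "beta.example.", KSK_ALPHA))
```

Whichever path produced the anchor, the validator ends with a DS-shaped record and must still fetch the zone's DNSKEY RRset and check it against that digest before trusting any RRSIG; a DLV registry only moves the question of whom you trust from every zone operator to one registry operator.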


Thoughts on deployment obstacles (5)

• Stub resolver security (e2e security)

• An area of neglect in my opinion

• Push DNSSEC validation to endstations?

• Secure path from stub resolver to recursive resolver
  • Possibilities: SIG(0), TSIG, IPsec


Thoughts on deployment obstacles (6)

• Application layer feedback

• Coming gradually
  • DNSSEC-aware resolution APIs and applications enhanced to use them
  • DNSSEC-aware applications
  • See http://www.dnssec-tools.org/

• Note: some folks think it might be nice to protect DNSSEC oblivious applications silently as an interim step


Thoughts on deployment obstacles (7)

• Zone enumeration threat

• See NSEC3 record (spec almost done)
  • draft-ietf-dnsext-nsec3-09.txt
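The enumeration threat and the NSEC3 answer to it, as an added Python example that is not from the talk: following the "next owner" pointers of an NSEC chain lists every name in the zone, while an NSEC3 chain links hashed owner names. The hash is the one in draft-ietf-dnsext-nsec3 (published as RFC 5155): SHA-1 over the owner name and a salt, re-applied for the configured number of iterations, base32hex-encoded. The zone contents are constructed; the salt aabbccdd and 12 iterations are the values RFC 5155 uses in its own Appendix A examples, so the hashes can be checked against that text.

```python
import base64
import hashlib

# Added example (not from the talk): why NSEC allows zone enumeration and what
# NSEC3 changes. Zone contents are constructed; salt and iteration count are
# the ones used in the RFC 5155 appendix.

# base32 (RFC 4648) alphabet -> base32hex alphabet used by NSEC3 owner names
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_labels(name):
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def wire_name(name):
    """Canonical (lowercase) wire form of an owner name."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in canonical_labels(name)) + b"\x00"


def build_chain(owners):
    """Map each owner to the next one in canonical order (labels compared
    from the right); the last record wraps around to the first."""
    ordered = sorted(owners, key=lambda n: tuple(reversed(canonical_labels(n))))
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def walk_chain(chain, start):
    """What a querier learns by following 'next owner' pointers: every owner."""
    names, cur = [], start
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == start:
            return names


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(B32_TO_B32HEX).lower()


def nsec3_chain(owners, salt, iterations):
    """NSEC3 chain: hashed owners linked in hash order."""
    return build_chain([nsec3_hash(n, salt, iterations) for n in owners])


# Constructed zone: a few ordinary names and one the operator would rather
# not advertise.
ZONE = ["example.", "ns1.example.", "www.example.", "a.example.",
        "internal-db.example."]
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12


def names_exposed_by_nsec():
    return walk_chain(build_chain(ZONE), "example.")


def names_exposed_by_nsec3():
    chain = nsec3_chain(ZONE, SALT, ITERATIONS)
    return walk_chain(chain, min(chain))


if __name__ == "__main__":
    print("NSEC walk :", names_exposed_by_nsec())
    print("NSEC3 walk:", names_exposed_by_nsec3())
```

NSEC3 hides names rather than keeping them secret: whoever collects the hashed chain still learns how many names exist and can test candidate names offline against the published salt and iteration count, which only raise the cost of that dictionary attack. Higher iteration counts also cost CPU on every resolver that validates a denial-of-existence answer, which ties back to the resource concerns earlier in the talk.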


References

• Internet2 DNSSEC Pilot
  • http://www.dnssec-deployment.org/internet2/
  • http://rosetta.upenn.edu/magpi/dnssec.html

• Mailing list: dnssec@internet2.edu
  • https://mail.internet2.edu/wws/info/dnssec

• Internet2 DNSSEC Workshop
  • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243


References (2)

• DNSSEC(bis) technical specs:
  • RFC 4033, 4034, 4035

• Related:
  • DNSSEC HOWTO: http://www.nlnetlabs.nl/dnssec_howto/
  • Threat analysis of the DNS: RFC 3833
  • Operational practices: RFC 4641
  • NSEC3: draft-ietf-dnsext-nsec3-09
  • DLV: draft-weiler-dnssec-dlv-01
  • draft-hubert-dns-anti-spoofing-00


Questions?

• Shumon Huque
  • shuque -at- isc.upenn.edu