security for the internet’s domain name system dnssec current state of deployment prepared for...
TRANSCRIPT
Security for the Internet’s Domain Name SystemDNSSEC Current State of Deployment
Prepared for Internet2 BoFAmy Friedlander, Shinkuro, Inc.Based on a presentation by Marcus Sachs (SRI) with contributions by members of the DNSSEC Deployment Working Group
April 23, 2007
Security for the Internet’s Domain Name System
DNSSEC Current State: Protocols
Core RFCs published: 4033: DNS Security Introduction and Requirements 4034: Resource Records for DNS Security Extensions 4035: Protocol Modifications for the DNS Security
Extensions http://www.dnssec.net/rfc for the entire collection
NSEC3 is in final stages. DNS Extensions (DNSEXT) Working Group is
discussing its future, including the option of self dissolution.
Security for the Internet’s Domain Name System
The US Department of Homeland Security DNSSEC Deployment Initiative Activities Coordination project: Shinkuro, Sparta, SRI and NIST Roadmap published in February 2005, updated March 2007 to include
extensive list of available software tools and guides http://www.dnssec-deployment.org/roadmap.php
Multiple workshops held world-wide Monthly newsletter
http://www.dnssec-deployment.org/news/dnssecthismonth DNSSEC testbed and testing tools developed by NIST
http://www-x.antd.nist.gov/dnssec DNSSEC tools available at
http://www.dnssec-tools.org DNSSEC-Deployment Working Group
http://www.dnssec-deployment.org Internet2 Cross-Signing Pilot
http://www.dnssec-deployment.org/internet2/
Security for the Internet’s Domain Name System
DNSSEC in the United States
US Government US civilian government (.gov) developing policy and technical
guidance for secure DNS operations and beginning deployment activities at all levels.
The “.us” and “.mil” zones are also on track for DNSSEC compliance
New DNSSEC guidance included in FISMA, NIST 800-53r1 http://www.csrc.nist.gov/publications/nistpubs
Secure Domain Name System Deployment Guide
http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf
Outside the US Government Public Internet Registry (PIR): plans for deploying DNSSEC in .org
http://pir.org/Strengthening/DNSSec.aspx
Security for the Internet’s Domain Name System
DNSSEC in the Caribbean: Puerto Rico
In July 2006 Puerto Rico’s top-level domain (.pr) was the second ccTLD – country code top level domain – to provide a DNSSEC-signed zone
Details: http://www.nic.pr Questions may be addressed to [email protected]
Security for the Internet’s Domain Name System
DNSSEC in Latin America: Mexico and Brazil NIC Mexico is developing the infrastructure,
procedures and technology for a future DNSSEC deployment in the .mx ccTLD DNSSEC testbed launched in May 2006 Created a new SLD: test.mx where DNSSEC enabled
domain registrations can be made for free Testbed details: http://www.dnssec.org.mx DNSSEC verification tool:
http://www.dnssec.org.mx/checkdnssec.html Registro.br released DNSSEC extensions for EPP:
http://registro.br/epp/index-EN.html (RFC 4310)
Security for the Internet’s Domain Name System
DNSSEC in Europe: RIPE
The European infrastructure services provider, RIPE NCC, based in the Netherlands, has deployed DNSSEC in the reverse tree
Details are at https://www.ripe.net/rs/reverse/dnssec
How-to guide (latest version) at https://www.nlnetlabs.nl/ dnssec_howto
Security for the Internet’s Domain Name System
DNSSEC in Europe: Sweden
In November 2005, the Swedish national registry (.se) was the first ccTLD – country code top level domain – to provide DNSSEC-capable service
February 16, 2007, .se launched commercial DNSSEC service
Press release (launch): http://www.iis.se/english/nyheter/news/2007-02-16?lang=en
More details, DNSSEC This Month (March 1, 2007)http://www.dnssec-deployment.org/news/dnssecthismonth/200703-
dnssecthismonth/
Security for the Internet’s Domain Name System
DNSSEC in Europe: Bulgaria, Czech Republic and Russia Bulgaria (.bg) has signed its zone. Czech Republic (.cz) is studying the idea of signing
its zone as a means of seeding DNSSEC deployment in eastern Europe.
R01 (http://www.r01.ru/), a Russian registrar, has a signed copy of the .ru zone available on their name server. ns.dnssec.ru (195.24.65.7) Registrants with a .ru domain using R01 as a registrar
can sign their own zones R01 will provide secure delegation in the signed copy
of the .ru zone Additional information on the signed zone and how it
can be used can be found at http://www.dnssec.ru
Security for the Internet’s Domain Name System
DNSSEC in Asia
DNSSEC summit and workshop during APRICOT 2005, Kyotohttp://www.apricot.net/apricot2005/workshop
.html#ws5http://www.psg.com/~mankin/DNSSEC-Kyoto-
21Feb2005/DNSSEC05FebJP-Info.html We need more pilots and workshops in the
APNIC region!
Security for the Internet’s Domain Name System
Stages for Next Steps and Discussion Risk (and cost) analysis CRITICAL! Test and engineering
Discussions with many communities, including with the relevant Top Level Domain registries
Production Including communication with zone providers,
registrars, governing agencies, and software vendors
Leadership in the private and public sectors
Security for the Internet’s Domain Name System
Background Information and Contributors For lots of detailed information:
www.dnssec-deployment.org www.dnssec-tools.org www.dnssec.net
Authors of materials in this presentation (all from dnssec-deployment working group) Amy Friedlander (Shinkuro) Allison Mankin (Shinkuro) Marcus Sachs (SRI) Ed Lewis (Neustar) Olaf Kolkman (Netlabs.nl) Russ Mundy (Sparta)