Security for the Internet’s Domain Name System
DNSSEC Current State of Deployment

Prepared for Internet2 BoF
Amy Friedlander, Shinkuro, Inc.
Based on a presentation by Marcus Sachs (SRI) with contributions by members of the DNSSEC Deployment Working Group

April 23, 2007



DNSSEC Current State: Protocols

- Core RFCs published:
  - 4033: DNS Security Introduction and Requirements
  - 4034: Resource Records for DNS Security Extensions
  - 4035: Protocol Modifications for the DNS Security Extensions
  - http://www.dnssec.net/rfc for the entire collection
- NSEC3 is in final stages.
- DNS Extensions (DNSEXT) Working Group is discussing its future, including the option of self-dissolution.


The US Department of Homeland Security DNSSEC Deployment Initiative Activities

- Coordination project: Shinkuro, Sparta, SRI and NIST
- Roadmap published in February 2005, updated March 2007 to include extensive list of available software tools and guides: http://www.dnssec-deployment.org/roadmap.php
- Multiple workshops held world-wide
- Monthly newsletter: http://www.dnssec-deployment.org/news/dnssecthismonth
- DNSSEC testbed and testing tools developed by NIST: http://www-x.antd.nist.gov/dnssec
- DNSSEC tools available at http://www.dnssec-tools.org
- DNSSEC-Deployment Working Group: http://www.dnssec-deployment.org
- Internet2 Cross-Signing Pilot: http://www.dnssec-deployment.org/internet2/


DNSSEC in the United States

- US Government
  - US civilian government (.gov) developing policy and technical guidance for secure DNS operations and beginning deployment activities at all levels.
  - The “.us” and “.mil” zones are also on track for DNSSEC compliance
  - New DNSSEC guidance included in FISMA, NIST 800-53r1: http://www.csrc.nist.gov/publications/nistpubs
  - Secure Domain Name System Deployment Guide: http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf
- Outside the US Government
  - Public Internet Registry (PIR): plans for deploying DNSSEC in .org: http://pir.org/Strengthening/DNSSec.aspx


DNSSEC in the Caribbean: Puerto Rico

- In July 2006 Puerto Rico’s top-level domain (.pr) was the second ccTLD – country code top level domain – to provide a DNSSEC-signed zone
- Details: http://www.nic.pr
- Questions may be addressed to [email protected]


DNSSEC in Latin America: Mexico and Brazil

- NIC Mexico is developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD
  - DNSSEC testbed launched in May 2006
  - Created a new SLD: test.mx where DNSSEC-enabled domain registrations can be made for free
  - Testbed details: http://www.dnssec.org.mx
  - DNSSEC verification tool: http://www.dnssec.org.mx/checkdnssec.html
- Registro.br released DNSSEC extensions for EPP: http://registro.br/epp/index-EN.html (RFC 4310)


DNSSEC in Europe: RIPE

- The European infrastructure services provider, RIPE NCC, based in the Netherlands, has deployed DNSSEC in the reverse tree
- Details are at https://www.ripe.net/rs/reverse/dnssec
- How-to guide (latest version) at https://www.nlnetlabs.nl/dnssec_howto


DNSSEC in Europe: Sweden

- In November 2005, the Swedish national registry (.se) was the first ccTLD – country code top level domain – to provide DNSSEC-capable service
- February 16, 2007, .se launched commercial DNSSEC service
- Press release (launch): http://www.iis.se/english/nyheter/news/2007-02-16?lang=en
- More details, DNSSEC This Month (March 1, 2007): http://www.dnssec-deployment.org/news/dnssecthismonth/200703-dnssecthismonth/


DNSSEC in Europe: Bulgaria, Czech Republic and Russia

- Bulgaria (.bg) has signed its zone.
- Czech Republic (.cz) is studying the idea of signing its zone as a means of seeding DNSSEC deployment in eastern Europe.
- R01 (http://www.r01.ru/), a Russian registrar, has a signed copy of the .ru zone available on their name server.
  - ns.dnssec.ru (195.24.65.7)
  - Registrants with a .ru domain using R01 as a registrar can sign their own zones
  - R01 will provide secure delegation in the signed copy of the .ru zone
  - Additional information on the signed zone and how it can be used can be found at http://www.dnssec.ru


DNSSEC in Asia

- DNSSEC summit and workshop during APRICOT 2005, Kyoto
  - http://www.apricot.net/apricot2005/workshop.html#ws5
  - http://www.psg.com/~mankin/DNSSEC-Kyoto-21Feb2005/DNSSEC05FebJP-Info.html
- We need more pilots and workshops in the APNIC region!


Stages for Next Steps and Discussion

- Risk (and cost) analysis
  - CRITICAL!
- Test and engineering
  - Discussions with many communities, including with the relevant Top Level Domain registries
- Production
  - Including communication with zone providers, registrars, governing agencies, and software vendors
- Leadership in the private and public sectors


Background Information and Contributors

- For lots of detailed information:
  - www.dnssec-deployment.org
  - www.dnssec-tools.org
  - www.dnssec.net
- Authors of materials in this presentation (all from dnssec-deployment working group)
  - Amy Friedlander (Shinkuro)
  - Allison Mankin (Shinkuro)
  - Marcus Sachs (SRI)
  - Ed Lewis (Neustar)
  - Olaf Kolkman (Netlabs.nl)
  - Russ Mundy (Sparta)