ESnet DNSSEC Update
ESCC/Internet2 Joint Techs Workshop
February 14, 2007
R. Kevin Oberman, Network Engineer
Lawrence Berkeley National Laboratory
Overview
• Why is ESnet implementing DNSSEC?
• What is required? UPDATED
• How will DNSSEC be implemented in ESnet?
o NIST SP800-81 - Implementation recommendations
- http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf
o NIST SP800-53 Rev. 1 - FISMA requirements
- http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf
What is Required?
• OMB mandate in NIST SP800-53 Rev. 1
o TSIG for zone transfers
- Has operational advantages beyond security enhancement
- Firewall rules may cause issues
- Required by SC-8 (Not obvious!)
o Signed data only required for medium- and high-impact systems
- Seems silly if it is not a general requirement
- In SC-20 through SC-22
Where is ESnet?
• TSIG authentication of all zone transfers
o Partly implemented
o Most larger sites are using it
o Some sites have old software lacking support
o Some sites have firewall rules which complicate issues
• Signing of all forward zones
o Test server is in service and working
o As expected, key management IS a pain
Status of Implementation
• TSIG is currently implemented for several sites
o Mandatory for new sites
o PGP used for key distribution
• Signed data
o Still not running on production servers
- Will be in a few weeks
o Our DNS management software does not support DNSSEC today (coming soon!)
o No implementation problems on BIND systems
o Still worried about key distribution and roll-over
o Still targeting full production by mid-2008
Summary
• Progress has been made
• Requirements are now known
o None (for ESnet)
• Hope for full implementation of TSIG by the end of the year
• Signed zones by the end of the year (ESnet zones)
• Still waiting on a final resolution to NSEC issue
o Almost certainly NSEC3
o Will not ask sites to sign zones until resolved
o That does not mean that you can't sign
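The NSEC issue referred to above is that an NSEC record names the next owner in the zone in clear text, so the chain can be walked to list every name; NSEC3 (RFC 5155) chains salted, iterated SHA-1 hashes of the owner names instead, so a resolver can still be given proof that a name does not exist without the zone's real names being exposed. The following Python is an added example, not code from the slides or from ESnet: it implements the RFC 5155 owner-name hash, builds the sorted hash chain for a constructed handful of names, and finds the interval a validator would accept as proof of non-existence. The names and parameters are taken from RFC 5155 Appendix A's "example" zone (salt aabbccdd, 12 iterations); the helper names (name_to_wire, nsec3_hash, nsec3_chain, covering_interval) are this example's own.

```python
import base64
import hashlib

# NSEC3 hashes are written in base32hex (RFC 4648 "Extended Hex" alphabet);
# Python's b32encode uses the standard alphabet, so translate position-for-position.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length byte, terminated by the root label 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63 octets")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 section 5 owner-name hash with hash algorithm 1 (SHA-1):
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns the lowercase base32hex text form, as it appears in a zone file."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_HEX).lower()


def nsec3_chain(names, salt_hex="", iterations=0):
    """Sorted list of owner-name hashes: the order the NSEC3 RRs are chained in.
    base32hex preserves byte order, so sorting the strings sorts the digests."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)


def covering_interval(chain, qhash):
    """Return the (owner, next) NSEC3 pair whose interval covers qhash, i.e. the
    record a validator uses as proof that no name with that hash exists.
    Raises ValueError if qhash is itself an owner (the name exists)."""
    chain = sorted(h.lower() for h in chain)
    qhash = qhash.lower()
    if qhash in chain:
        raise ValueError("hash matches an existing owner; nothing to deny")
    if len(chain) == 1:  # a single record covers the whole hash space
        return chain[0], chain[0]
    for owner, nxt in zip(chain, chain[1:] + chain[:1]):
        if owner < qhash < nxt:  # ordinary interval
            return owner, nxt
        if owner > nxt and (qhash > owner or qhash < nxt):  # wrap-around interval
            return owner, nxt
    raise RuntimeError("unreachable: a sorted circular chain covers every hash")


if __name__ == "__main__":
    # Constructed sample: a few names from RFC 5155 Appendix A's "example" zone,
    # hashed with that appendix's parameters (salt aabbccdd, 12 iterations).
    SALT, ITER = "aabbccdd", 12
    names = ["example", "a.example", "ns1.example", "ns2.example", "w.example"]
    chain = nsec3_chain(names, SALT, ITER)
    print("NSEC3 chain (hashes only; the real names are not exposed):")
    for h in chain:
        print("  ", h)
    # Denial of existence for a name that is not in the zone.
    missing = nsec3_hash("nosuchname.example", SALT, ITER)
    owner, nxt = covering_interval(chain, missing)
    print("hash of nosuchname.example:", missing)
    print("covered by interval", owner, "->", nxt)
```

With the RFC 5155 parameters, nsec3_hash("example", "aabbccdd", 12) reproduces the apex hash from that appendix, 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, which is a quick way to check an NSEC3 implementation or a signer's output. The salt and iteration count are the two parameters a zone operator has to choose and then roll, which is part of the key-management pain the slides mention.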