6
© Afilias Limited www.afilias.info SM Deploying DNSSEC Ram Mohan

Deploying DNSSEC

Embed Size (px)

DESCRIPTION

Deploying DNSSEC. Ram Mohan. Initial Setup (occurs once) Setup conf file with original zones and parameters Set serial to first value, and add in resource records Operations (Very Infrequently): Add to conf file when new zone comes online Make change to resource records and increment serial - PowerPoint PPT Presentation

Citation preview

Page 1: Deploying DNSSEC

© Afilias Limited www.afilias.info

SM

Deploying DNSSECDeploying DNSSEC

Ram Mohan

Page 2: Deploying DNSSEC

© Afilias Limited www.afilias.info

DNS Admin – Pre DNSSEC

• Initial Setup (occurs once)• Setup conf file with original zones and parameters• Set serial to first value, and add in resource records

• Operations (Very Infrequently):• Add to conf file when new zone comes online• Make change to resource records and increment serial

• Monitoring:• check that update made just happened and hit secondaries• check that DNS, NTP is running• check that transfers are working

Page 3: Deploying DNSSEC

© Afilias Limited www.afilias.info

DNS Admin – Post DNSSEC

• DNSSEC Setup (occurs once)• Decide on signing solution, signing frequency, signature

expiration, key rolls• Generate initial keys• Sign zone(s) initially• Make sure registrar supports DNSSEC• Generate initial DS records - and send to registrar

• DNSSEC operation (very infrequently)• Generate new keys• Generate new DS record (if rolling KSK), send to registrar• Begin signing with new keys• Deprecate old keys at appropriate time

Page 4: Deploying DNSSEC

© Afilias Limited www.afilias.info

DNSSEC Admin – Post DNSSEC continued

• DNSSEC operation (frequent)• Re-sign zone• Sign new records as they come into the zone

• Monitoring• Check signatures are valid• Check NSEC / NSEC3 records are valid• Check signatures will not expire before next zone re-sign• Check zone re-signs work and transfer• Check that new keys are valid• Check signature with new keys valid• Ensure DS in parent is in sync w/ DNSKEYs in apex

Page 5: Deploying DNSSEC

© Afilias Limited www.afilias.info

Current IANA process

Change request

Administrative contact

IANA

Technical contact

1

22

3 3

41 – Change request is sent to IANA

2 – IANA sends a request for acknowledgment to Admin and Tech contacts

3 – Admin and Tech contacts send acknowledgment of change to IANA

4 – IANA makes the requested changes

Page 6: Deploying DNSSEC

© Afilias Limited www.afilias.info

IANA process – ChallengesIANA process – Challenges

• The IANA process requires confirmation from BOTH admin and tech contacts for publication.• Contacts can change jobs• Contacts can change locations• Keeping IANA contact information current may not be top

priority for some TLD operators

• IANA will not approve changes which may affect stability/service for the TLD• Nameservers in in the TLDs apex NS Set must be

upgraded to "DNSSEC-Ready" versions


DNSSEC@AFRINICDNSSEC’within’the’RDNS’ o Root, .arpa, .in-addr.arpa, and .ip6.arpa have been signed and chain of trust built o Deploying DNSSEC within the RDNS enables some

DNSSEC@AFRINICDNSSEC’within’the’RDNS’ o Root, .arpa, .in-addr.arpa, and .ip6.arpa have been signed and chain of trust built o Deploying DNSSEC within the RDNS enables some

Documents
DNSSEC with BlueCat Networks - Internetdagarna · Challenges Deploying DNSSEC TLD and root zone signing - “.com” not until 2011! Products to validate and host DNSSEC records Key

DNSSEC with BlueCat Networks - Internetdagarna · Challenges Deploying DNSSEC TLD and root zone signing - “.com” not until 2011! Products to validate and host DNSSEC records Key

Documents
DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

Documents
© Afilias Limited SM Deploying DNSSEC Ram Mohan

© Afilias Limited SM Deploying DNSSEC Ram Mohan

Documents
DNSSEC 101

DNSSEC 101

Documents
Deploying DNSSEC: A .ZA Case Study - ION Cape Town

Deploying DNSSEC: A .ZA Case Study - ION Cape Town

Technology
DNSSEC Industry Survey Results - PCN, Inc.23.235.200.57/~pcninc5/wp-content/.../DNSSEC-Industry-Survey-Resu… · DNSSEC. DNS administrators can provide secure responses to DNSSEC-validating

DNSSEC Industry Survey Results - PCN, Inc.23.235.200.57/~pcninc5/wp-content/.../DNSSEC-Industry-Survey-Resu… · DNSSEC. DNS administrators can provide secure responses to DNSSEC-validating

Documents
Good practices guide for deploying DNSSEC

Good practices guide for deploying DNSSEC

Documents
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325

Documents
DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Documents
Deploying DNSSEC - STALLION DNSSEC.pdf · How DNSSEC works – some details – DNSSEC adds source authentication and integrity checking to DNS Using digital signatures (asymmetric

Deploying DNSSEC - STALLION DNSSEC.pdf · How DNSSEC works – some details – DNSSEC adds source authentication and integrity checking to DNS Using digital signatures (asymmetric

Documents
Modeling Systemic Dependencies through Attack Surface ...netsec.cs.uoregon.edu/npsec2014/slides/defininig.a... · • Just deploying DNSSEC reduced attack surfaces by up to a factor

Modeling Systemic Dependencies through Attack Surface ...netsec.cs.uoregon.edu/npsec2014/slides/defininig.a... · • Just deploying DNSSEC reduced attack surfaces by up to a factor

Documents
DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone

DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone

Documents
Deploying the BIG-IP GTM for DNSSEC - F5 Networks · DNSSEC is a extension to the Domain Name Service (DNS) that ensures the integrity of data returned by domain name lookups by incorporating

Deploying the BIG-IP GTM for DNSSEC - F5 Networks · DNSSEC is a extension to the Domain Name Service (DNS) that ensures the integrity of data returned by domain name lookups by incorporating

Documents
Deploying DNSSEC: what, how and where ?

Deploying DNSSEC: what, how and where ?

Technology
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)

Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)

Technology
DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Documents
DNSSEC Exposed - Deploying DNSSEC in Real Life Presentation

DNSSEC Exposed - Deploying DNSSEC in Real Life Presentation

Documents
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

Documents
ION Toronto - Deploying DNSSEC: A .CA Case Study

ION Toronto - Deploying DNSSEC: A .CA Case Study

Technology
Introduction to DNSSEC AROC Bamako, Mali, 2010. What is DNSSEC?

Introduction to DNSSEC AROC Bamako, Mali, 2010. What is DNSSEC?

Documents
Lamb dnssec

Lamb dnssec

Education
DNSSEC FIRST

DNSSEC FIRST

Technology
DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC

DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC

Documents
Deploying the BIG-IP GTM v11 with Infoblox Grid Servers ... · Deploying the BIG-IP GTM v11 with Infoblox Grid Servers for DNSSEC ... optional ways to secure your DNS implementation,

Deploying the BIG-IP GTM v11 with Infoblox Grid Servers ... · Deploying the BIG-IP GTM v11 with Infoblox Grid Servers for DNSSEC ... optional ways to secure your DNS implementation,

Documents
Deploying DNSSEC v1.2-2 - SURF · How to configure Unbound DNSSEC validation ... The Domain Name System ... Deploying DNSSEC 9/30 3 DNS architecture

Deploying DNSSEC v1.2-2 - SURF · How to configure Unbound DNSSEC validation ... The Domain Name System ... Deploying DNSSEC 9/30 3 DNS architecture

Documents
Understanding and Deploying DNSSEC - APNIC · • DNSSEC works fine with a single key pair • Problem with using a single key: – Every time the key is updated, the DS record must

Understanding and Deploying DNSSEC - APNIC · • DNSSEC works fine with a single key pair • Problem with using a single key: – Every time the key is updated, the DS record must

Documents
DNSSEC 101

DNSSEC 101

Documents
Challenges To Deploying New DNSSEC Cryptographic Algorithms

Challenges To Deploying New DNSSEC Cryptographic Algorithms

Technology
DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

Documents