Internet2 DNSSEC Pilot
Shumon Huque, University of Pennsylvania
Spring Internet2 Member Meeting, Arlington, Virginia, U.S.A., April 23rd 2007

• This is mostly a repeat of a presentation I gave at the Winter 2007 Joint Techs meeting, February 2007, Minneapolis, Minnesota, U.S.A.

Description of the Pilot
• http://www.dnssec-deployment.org/internet2/
• Deploy DNSSEC
• Gain operational experience
• Does it work (does it catch anything?)
• Test DNSSEC-aware applications
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data

What is DNSSEC?
• A system to verify the authenticity of DNS “data”
• RFC 4033, 4034, 4035
• Helps detect: spoofing, misdirection, cache poisoning
• Some secondary benefits appear:
  • You could store keying material in DNS
  • DKIM, SSHFP, IPSECKEY, etc.

A little background..
• Feb ’06: DNSSEC Workshop held at Albuquerque Joint Techs
• Mar ’06: dnssec@internet2 mailing list
• Apr ’06: Internet2 Spring Member Meeting
  • Advisory group formed and plans for a pilot project formulated
• May ’06: Pilot group began
  • Monthly conference calls and progress reports

Co-ordination
• Internet2
• Shinkuro シンクロ
  • Partner in DNSSEC Deployment Initiative
  • http://www.dnssec-deployment.org/
  • Some funding from US government

DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
  • All zones: magpi.{net,org} & 15 reverse zones
  • https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
  • radb.net
  • nanog.org
  • http://www.merit.edu/networkresearch/dnssec.html
• NYSERNet - test zone
  • nyserlab.org

Others considering or planning deployment
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• University of Massachusetts - Amherst
• Internet2

DLV (DNSSEC Lookaside Validation)
• A mechanism to securely locate DNSSEC trust anchors “off-path”
• An early deployment aid until top-down deployment of DNSSEC happens
• Pilot group is in talks to make use of ISC’s DLV registry
  • http://www.isc.org/index.pl?/ops/dlv/
• More on this at a later date..

More participants welcome!
• (participation not restricted to Internet2)
• Join mailing list
• Participate in conference calls

Thoughts on deployment obstacles (1)
• A chicken & egg problem
  • Marginal benefits, until much more deployment
  • Why should I go first?
• We had (have?) the same problem with other technologies (IPv6 etc.)
• Some folks will need to take the lead, if there is hope for wider adoption
• Good way to find out how well it works

Thoughts on deployment obstacles (2)
• Operational stability
• More complicated software infrastructure
• New processes for:
  • Zone changes
  • Secure delegations
  • Security (protection of crypto keys)
  • Key rollover and maintenance
• Integration w/ existing DNS management software
• What is the experience of the pilot?

Thoughts on deployment obstacles (3)
• Additional system requirements
  • Authoritative servers: memory
  • Resolvers: memory & CPU
• Memory use can be calculated
  • Probably not a big issue (unless you’re .COM!)
• CPU
  • Not too much of an issue today (dearth of signed data that needs validation)
  • Caveat: some potential DoS attacks could hit CPU

Thoughts on deployment obstacles (4)
• Key distribution in islands of trust
• Why is there no top-down deployment?
  • Work on signing root and (many) TLDs and in-addr.arpa is in progress
  • .SE, RIPE reverse done
  • .EDU work in motion
• Interim mechanisms like DLV exist
• Manual key exchange (unscalable)

Thoughts on deployment obstacles (5)
• Stub resolver security (e2e security)
• An area of neglect in my opinion
• Push DNSSEC validation to endstations?
• Secure path from stub resolver to recursive resolver
  • Possibilities: SIG(0), TSIG, IPsec

Thoughts on deployment obstacles (6)
• Application layer feedback
• Coming gradually
  • DNSSEC-aware resolution APIs and applications enhanced to use them
  • DNSSEC-aware applications
  • See http://www.dnssec-tools.org/
• Note: some folks think it might be nice to protect DNSSEC-oblivious applications silently as an interim step

Thoughts on deployment obstacles (7)
• Zone enumeration threat
• See NSEC3 record (spec almost done)
  • draft-ietf-dnsext-nsec3-09.txt
  • Hashed Authenticated Denial of Existence
  • Also provides “Opt-Out” (to allow spans of unsecured records in a signed zone)
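The zone enumeration slide contrasts NSEC, whose "next owner" field lets anyone walk a signed zone name by name, with NSEC3's hashed owner names. The following is an added example, not part of the original slides, that implements the NSEC3 owner-name hash as the draft (later published as RFC 5155) defines it, builds the hash chain a signed zone publishes, and checks the denial-of-existence proof; the salt and iteration count are the spec's example-zone NSEC3PARAM values, and the zone names are constructed.

```python
import base64
import hashlib

# base32 -> base32hex alphabet, so the output matches the NSEC3 owner-label encoding
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire format (RFC 4034 s.6.2): lowercase, length-prefixed labels, root label last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """Salted, iterated SHA-1 owner-name hash of the NSEC3 spec (later RFC 5155):
    IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt); 20 bytes -> 32 base32hex chars."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def nsec3_chain(names, salt: bytes, iterations: int):
    """Sorted (owner hash, next hash) chain a signed zone publishes. Walking it yields
    only hashes; an NSEC chain's "next" field hands a walker every owner name in clear."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)  # base32hex keeps byte order
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covers(chain, name: str, salt: bytes, iterations: int) -> bool:
    """True if a record in the chain proves `name` absent: its hash falls strictly
    between an owner hash and that record's next hash (the last record wraps to the first)."""
    h = nsec3_hash(name, salt, iterations)
    for owner, nxt in chain:
        if owner < h < nxt or (nxt <= owner and (h > owner or h < nxt)):
            return True
    return False


if __name__ == "__main__":
    SALT, ITER = bytes.fromhex("aabbccdd"), 12  # NSEC3PARAM values of the spec's example zone
    zone = ["example", "a.example", "ns1.example"]  # constructed zone contents
    chain = nsec3_chain(zone, SALT, ITER)
    for owner, nxt in chain:
        print(f"{owner}.example. NSEC3 1 0 {ITER} aabbccdd {nxt}")
    print("b.example (absent) covered:", covers(chain, "b.example", SALT, ITER))
    print("a.example (present) covered:", covers(chain, "a.example", SALT, ITER))
```

Raising the iteration count makes each validator-side hash costlier, which is the CPU caveat from slide 13 in miniature.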

Additional BoF topics

DLV participation procedures
• See Joao Damas’ earlier presentation
• ISC DLV registry
  • http://www.isc.org/index.pl?/ops/dlv/
• Policy and practice statement:
  • https://secure.isc.org/ops/dlv-pol-pract-v1.0.php

edu Top-Level-Domain signing
• Who’s involved: Educause, Verisign, US Dept of Commerce
• What can Internet2 schools do to help make this a reality?
• NSEC3 is not needed:
  • edu zone is small (< 8000 delegations)
  • Relatively static
  • No zone privacy requirements

Securing last hop(s)
• Most university threat models include untrustworthiness of the local network
  • i.e. the path between client and recursive resolver is NOT secure
• Need stub resolvers capable of:
  1. Validating DNSSEC signatures, or
  2. Supporting channel protection mechanisms that allow them to authenticate responses from the recursive resolver
    • SIG(0), TSIG etc.

Securing last hop(s) cont..
• Which channel protection mechanism?
• Simple symmetric key TSIG has problems
  • Can’t distribute the same TSIG key to many clients: that allows any of them to forge DNS answers to the others
  • Need per-client keys and thus additional key management infrastructure
• SIG(0) may be more manageable
  • A public key signature of the response msg
  • Need only distribute the public key

Application feedback
• DNSSEC-aware resolution API/libraries
  • e.g. draft-hayatnagarkar-dnsext-validator-api-03
• Plus applications enhanced to use them

References
• Internet2 DNSSEC Pilot
  • http://www.dnssec-deployment.org/internet2/
  • http://rosetta.upenn.edu/magpi/dnssec.html
  • Mailing list: dnssec@internet2.edu
  • https://mail.internet2.edu/wws/info/dnssec
• Internet2 DNSSEC Workshop
  • http://events.internet2.edu/2006/jtalbuquerque/sessionDetails.cfm?session=2491&event=243

References (2)
• DNSSEC(bis) technical specs:
  • RFC 4033, 4034, 4035
• Related:
  • DNSSEC HOWTO: http://www.nlnetlabs.nl/dnssec_howto/
  • Threat analysis of the DNS: RFC 3833
  • Operational practices: RFC 4641
  • NSEC3: draft-ietf-dnsext-nsec3-09
  • DLV: draft-weiler-dnssec-dlv-01
  • draft-hubert-dns-anti-spoofing-00

Questions?
• Shumon Huque
• shuque -at- isc.upenn.edu