Internet 2 DNSSEC Pilot Shumon Huque University of
- Slides: 26
Internet 2 DNSSEC Pilot Shumon Huque University of Pennsylvania Sprint Internet 2 Member Meeting Arlington, Virginia, U. S. A. , Apr 23 rd 2007
• This is mostly a repeat of a presentation I gave at the Winter 2007 Joint Techs meeting, February 2007, Minneapolis, Minnesota, U. S. A. 2 Shumon Huque
Description of the Pilot • http: //www. dnssec-deployment. org/internet 2/ • Deploy DNSSEC • Gain Operational experience • Does it work (does it catch anything? ) • Test DNSSEC aware applications • Participants sign at least one of their zones • Exchange keys (trust anchors) that will allow them to mutually validate DNS data 3 Shumon Huque
What is DNSSEC? • A system to verify the authenticity of DNS “data” • RFC 4033, 4034, 4035 • Helps detect: spoofing, misdirection, cache poisoning • Some secondary benefits appear: • You could store keying material in DNS • DKIM, SSHFP, IPSECKEY, etc 4 Shumon Huque
A little background. . • Feb ‘ 06: DNSSEC Workshop held at Albuquerque Joint Techs • Mar ‘ 06: dnssec@internet 2 mailing list • Apr ‘ 06: Internet 2 Spring Member meeting • Advisory group formed and plans for a pilot project formulated • May ‘ 06: Pilot group began • Monthly conference calls and progress reports 5 Shumon Huque
Co-ordination • Internet 2 • Shinkuro シンクロ • Partner in DNSSEC Deployment Initiative • http: //www. dnssec-deployment. org/ • Some funding from US government 6 Shumon Huque
DNSSEC Deployment Efforts so far • MAGPI Giga. Po. P • All zones: magpi. {net, org} & 15 reverse zones • https: //rosetta. upenn. edu/magpi/dnssec. html • MERIT • radb. net • nanog. org • http: //www. merit. edu/networkresearch/dnssec. html • NYSERNet - test zone • nyserlab. org 7 Shumon Huque
Others considering or planning deployment • University of Pennsylvania • University of California - Berkeley • University of California - Los Angeles • University of Massachusetts - Amherst • Internet 2 8 Shumon Huque
DLV (DNSSEC Lookaside Validation) • A mechanism to securely locate DNSSEC trust anchors “off-path” • An early deployment aid until top-down deployment of DNSSEC happens • Pilot group is in talks to make use of ISC’s DLV registry • http: //www. isc. org/index. pl? /ops/dlv/ • More on this at a later date. . 9 Shumon Huque
More participants welcome! • (participation not restricted to Internet 2) • Join mailing list • Participate in conference calls 10 Shumon Huque
Thoughts on deployment obstacles (1) • A Chicken & Egg problem • Marginal benefits, until much more deployment • Why should I go first? • We had (have? ) the same problem with other technologies (IPv 6 etc) • Some folks will need to take the lead, if there is hope for wider adoption • Good way to find out how well it works 11 Shumon Huque
Thoughts on deployment obstacles (2) • Operational stability • More complicated software infrastructure • New processes for: • • Zone changes Secure delegations Security (protection of crypto keys) Key rollover and maintenance • Integration w/ existing DNS management software • What is the experience of the pilot? 12 Shumon Huque
Thoughts on deployment obstacles (3) • Additional system requirements • Authoritative servers: memory • Resolvers: memory & CPU • Memory use can be calculated • Probably not a big issue (unless you’re. COM!) • CPU • Not too much of an issue today (dearth of signed data that needs validation) • Caveat: some potential Do. S attacks could hit CPU 13 Shumon Huque
Thoughts on deployment obstacles (4) • Key distribution in islands of trust • Why is there no top down deployment? • Work on signing root and (many) TLDs and inaddr. arpa is in progress • . SE, RIPE reverse done • . EDU work in motion • Interim mechanisms like DLV exist • Manual key exchange (unscalable) 14 Shumon Huque
Thoughts on deployment obstacles (5) • Stub resolver security (e 2 e security) • An area of neglect in my opinion • Push DNSSEC validation to endstations? • Secure path from stub resolver to recursive resolver • Possibilities: SIG(0), TSIG, IPSEC 15 Shumon Huque
Thoughts on deployment obstacles (6) • Application layer feedback • Coming gradually • DNSSEC aware resolution APIs and applications enhanced to use them • DNSSEC aware applications • See http: //www. dnssec-tools. org/ • Note: some folks think it might be nice to protect DNSSEC oblivious applications silently as an interim step 16 Shumon Huque
Thoughts on deployment obstacles (7) • Zone enumeration threat • See NSEC 3 record (spec almost done) • draft-ietf-dnsext-nsec 3 -09. txt • Hashed Authenticated Denial of Existence • Also provides “Opt-Out” (to allow spans of unsecured records in a signed zone) 17 Shumon Huque
Additional Bo. F topics 18 Shumon Huque
DLV participation procedures • See Joao Damas’ earlier presentation • ISC DLV registry • http: //www. isc. org/index. pl? /ops/dlv/ • Policy and practice statement: • https: //secure. isc. org/ops/dlv-pol-pract-v 1. 0. php 19 Shumon Huque
edu Top-Level-Domain signing • Who’s involved: Educause, Verisign, US Dept of Commerce • What can Internet 2 schools do to help make this a reality? • NSEC 3 is not needed: • edu zone is small (< 8000 delegations) • Relatively static • No zone privacy requirements 20 Shumon Huque
Securing last hop(s) • Most university threat models include untrustworthiness of the local network • ie. path between client and recursive resolver is NOT secure • Need stub resolvers capable of: • 1. Validating DNSSEC signatures, or • 2. Supporting channel protection mechanisms that allow them to authenticate response from recursive resolver • SIG(0), TSIG etc 21 Shumon Huque
Securing last hop(s) cont. . • Which channel protection mechanism? • Simple symmetric key TSIG has problems • Can’t distribute same TSIG key to many clients that allows any of them to forge DNS answers to others • Need per-client keys and thus additional key management infrastructure • SIG(0) may be more manageable • A public key signature of the response msg • Need to only distribute the public key 22 Shumon Huque
Application feedback • DNSSEC aware resolution API/libraries • eg. • draft-hayatnagarkar-dnsext-validator-api-03 • Plus applications enhanced to use them 23 Shumon Huque
References • Internet 2 DNSSEC Pilot • http: //www. dnssec-deployment. org/internet 2/ • http: //rosetta. upenn. edu/magpi/dnssec. html • Mailing list: dnssec@internet 2. edu • https: //mail. internet 2. edu/wws/info/dnssec • Internet 2 DNSSEC Workshop • http: //events. internet 2. edu/2006/jtalbuquerque/session. Details. cfm? session=2491&ev ent=243 24 Shumon Huque
References (2) • DNSSEC(bis) technical specs: • RFC 4033, 4034, 4035 • Related: • DNSSEC HOWTO: • http: //www. nlnetlabs. nl/dnssec_howto/ • • • 25 Threat analysis of the DNS: RFC 3833 Operational practices: RFC 4641 NSEC 3: draft-ietf-dnsext-nsec 3 -09 DLV: draft-weiler-dnssec-dlv-01 draft-hubert-dns-anti-spoofing-00 Shumon Huque
Questions? • Shumon Huque • shuque -at- isc. upenn. edu 26 Shumon Huque
- Dnssec analyzer
- Internet or internet
- "university of maryland university college"
- Md mizanur rahman pilot
- Pilot proficiency award program
- Orleanna price
- Direct changeover
- What is pilot conversion
- Plural of pilot
- Landos co pilot
- Pilot scale fermentation
- Pilot csöves áramlásmérő
- A roller coaster moves 85m horizontally
- Dieter eppler pilot
- Pilot study meaning
- Pilot study adalah
- La pilot
- Pilot club international logo
- Nellie zabel willhite
- Six sigma project presentation
- Sepragen corporation
- Pilot in the plane principle
- Jetblue pilot salary
- Hydraulic flow meter symbol
- Pixel pilot
- Husky air pilot angels
- Bso uti pilot