Root Zone DNSSEC Deployment - ICANN...

8
Root Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December 2010 [email protected]

Transcript of Root Zone DNSSEC Deployment - ICANN...

Page 1: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

RootZoneDNSSECDeploymentICANN39,Cartagena,Colombia

[email protected]

Page 2: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

ThisdesignistheresultofacooperaHonbetweenICANN&VeriSignwith

supportfromtheU.S.DepartmentofCommerceNTIAandNaHonalInsHtuteof

StandardsandTechnology(NIST)

Page 3: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

HighLevelDesign•  Trust/Integrity

–  Transparentopera1ons–  Directpublicpar1cipa1oninkeymanagement

–  3rdpartyAudit•  Security

–  Crypto–  Physical–  ID/ACS/mul1‐personaccessandcontrol

•  Availability–  Sufficient1metoperformopera1ons

– Mirrorsites–  Disasterrecoveryplan

Page 4: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

ImplementaHonandRoll‐out•  Publishallmaterial(film,scripts,s/w,results..hIp://www.iana.org/dnssec)

•  DNSSECPrac1cesStatement(DPS)

•  21TrustedCommunityRepresenta1ves(TCR)•  SysTrustauditbyPWC

•  2048KSK,1024ZSKRSAkeys;SHA256hash

•  FIPS140‐2Level4HSM;3‐of‐7TCRtoenable;GoodRNG

•  Mul1plephysical1ers/wmul1‐personan1‐passbackaccesscontrolsystem

•  9gaugestretchedmetalceremonyroomconstruc1on;Safescer1fiedto20hourssurrep11ousentry

•  24x7monitoring:mo1on,seismic,video,guards

•  ~60daywindowtoperformquarterlyopera1on;15daysignaturevalidityperiods

•  MirrorsitesinLosAngelesandWashingtonDC;2HSMsateachsite

•  DocumentedDisasterRecovery(DR)plans

•  IncrementaldeploymentwithDURZandextensivemonitoring

Page 5: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

Challenges

•  Findingoutwhatare“bestpracHces”•  EmbracinganauditedITsecuritymindset

•  FormalizingdocumentaHonofpolicyandprocedures

•  Contractors!!•  HSM/smartcards/PKCS11

Page 6: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

LessonsLearned

•  IdenHfyyour“customer”andthenyourrisksfirst

•  Developanddocumentpoliciesandprocedures,e.g.,keymanagement,DPS,scripts,DRplan–andinsHtuHonalizethem

•  EmbracePKCS11andtamperevidentbags

•  MulHplecompensaHngcontrols•  DNSSECdeploymentdoesnothavetobeexpensive;Learn

fromthoseonthispanelandshareourexperiences.

•  ThisisnotstaHc;annualreviewandincorporateimprovementsfromcommunity.

Page 7: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

RootDNSSECDesignTeam

JoeAbleyMehmetAkcinDavidBlackaDavidConradRichardLambMaILarsonFredrikLjunggrenDaveKnightTomofumiOkuboJakobSchlyterDuaneWessels

..and so many others!!

Links:hIp://www.root‐dnssec.orghIp://www.iana.org/dnssec

Page 8: Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

ThankYou.Ques.ons?(T)Askme!Itsmyjob.

[email protected]


Observations from the DNSSEC Deployment

Observations from the DNSSEC Deployment

DNSSEC in your · DNSSEC deployment tasks • Key maintenance policies and tools • Private Key use and protection • Public key distribution • Zone signing and integration into

DNSSEC in your · DNSSEC deployment tasks • Key maintenance policies and tools • Private Key use and protection • Public key distribution • Zone signing and integration into

Update on DNSSEC for the Root Zone

Update on DNSSEC for the Root Zone

DNSSEC Deployment Activity in Japan - Introduction of ...dnssec.jp/.../2012/...deployment-activity-in-japan.pdfdeployment and operation of DNSSEC to enhance technical capability of

DNSSEC Deployment Activity in Japan - Introduction of ...dnssec.jp/.../2012/...deployment-activity-in-japan.pdfdeployment and operation of DNSSEC to enhance technical capability of

DNSSEC Deployment in - ICANN...• Key rolling cycle and RRSIG period KeyType Period Roll Overlap RRSIG(Period ZSK 100 ... Zone Signing " An independent hidden master system for DNSSEC

DNSSEC Deployment in - ICANN...• Key rolling cycle and RRSIG period KeyType Period Roll Overlap RRSIG(Period ZSK 100 ... Zone Signing " An independent hidden master system for DNSSEC

DNSSEC Deployment at the RIPE NCC

DNSSEC Deployment at the RIPE NCC

Rolling the Root Zone DNSSEC Key Signing Key

Rolling the Root Zone DNSSEC Key Signing Key

DNSSEC Deployment Guidebook for ccTLDs

DNSSEC Deployment Guidebook for ccTLDs

Understanding the Role of Registrars in DNSSEC Deployment · Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom DNS

Understanding the Role of Registrars in DNSSEC Deployment · Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom DNS

ION San Diego - DNSSEC Deployment Panel Introductory Slides

ION San Diego - DNSSEC Deployment Panel Introductory Slides

DNSSEC Zone Management with ZKT - H Z N E T Startseite · DNSSEC Zone Management with ZKT ... —ZKT without BIND name server ... • FreeBSD and OpenBSD ports available

DNSSEC Zone Management with ZKT - H Z N E T Startseite · DNSSEC Zone Management with ZKT ... —ZKT without BIND name server ... • FreeBSD and OpenBSD ports available

Domain Name Server Security (DNSSEC) Protocol ... › FA8750-10-C-0020 › DNSSEC Protocol...Domain Name Server Security (DNSSEC) Protocol Deployment Final Technical Report November

Domain Name Server Security (DNSSEC) Protocol ... › FA8750-10-C-0020 › DNSSEC Protocol...Domain Name Server Security (DNSSEC) Protocol Deployment Final Technical Report November

Availability Problems in the DNSSEC Deployment

Availability Problems in the DNSSEC Deployment

DNSSEC Deployment · DNSSEC Deployment: Where Is It & What Are the Issues Russ Mundy Principal Networking Scientist mundy@sparta.com mundy@tislabs.com 410-430-8063

DNSSEC Deployment · DNSSEC Deployment: Where Is It & What Are the Issues Russ Mundy Principal Networking Scientist [email protected] [email protected] 410-430-8063

DNSSEC Deployment: A Tutorial - Apricotapricot.net/apricot2009/images/lecture_files/dnssec... · 2017-02-06 · DNSSEC: new RRs Adds four new DNS Resource Records*: 1DNSKEY: Public

DNSSEC Deployment: A Tutorial - Apricotapricot.net/apricot2009/images/lecture_files/dnssec... · 2017-02-06 · DNSSEC: new RRs Adds four new DNS Resource Records*: 1DNSKEY: Public

Deployment of DNSSEC in the Root Zone: Impact Analysis · Deployment of DNSSEC in the Root Zone: Impact Analysis ... This report examines the impact of the deployment of DNSSEC in

Deployment of DNSSEC in the Root Zone: Impact Analysis · Deployment of DNSSEC in the Root Zone: Impact Analysis ... This report examines the impact of the deployment of DNSSEC in

DNSSEC for the Root Zone · DPS DNSSEC Policy & Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣

DNSSEC for the Root Zone · DPS DNSSEC Policy & Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣

DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

ISC & BIND Update - ICANN...Easier DNSSEC deployment (9.7) Built-in trust anchor for root DNS64 2011 Prefetch, Map zone, zone sharing between views Statistics: JSON, udp/tcp 2008 2013

ISC & BIND Update - ICANN...Easier DNSSEC deployment (9.7) Built-in trust anchor for root DNS64 2011 Prefetch, Map zone, zone sharing between views Statistics: JSON, udp/tcp 2008 2013

Overview DNSSEC - ICANN€¦ · Overview DNSSEC Performance More… Support for Online Zone Signing. Sign/unsign/change DNSSEC settings on a live zone Add/remove records dynamically

Overview DNSSEC - ICANN€¦ · Overview DNSSEC Performance More… Support for Online Zone Signing. Sign/unsign/change DNSSEC settings on a live zone Add/remove records dynamically