.ORG DNSSEC Testbed Deployment

Transcript .ORG DNSSEC Testbed Deployment

.ORG DNSSEC Testbed Deployment
Edmon Chung
Creative Director
Afilias
[email protected]
Perth, AU
2 March, 2006
1
Overview
.ORG Testbed Implementation
Perception Problems
Risk vs. Return
What next?
2
.ORG Testbed Logistics and Topology
Launched on 31 October, 2005
DNSSEC-aware name servers
EPP 1.0 front end servers feed zone data to the name servers
3
EPP Front End
Only .ORG accredited registrars allowed access to the EPP servers
Want to keep out the cruft
Use same creds as .ORG OT&E servers
New registrars added when added to OT&E
Dedicated testbed servers
Runs on epp1.dnssec-testbed.pir.org & epp2.dnssec-testbed.pir.org
Separate from .ORG Production servers!
4
DNS Back End
Running on dedicated BIND servers at the moment
Will cut over to UltraDNS in 2006
Isolated DNS systems
Query using dig <somename>.org @<server>, where <server> is ns1.dnssec-testbed.pir.org or ns2.dnssec-testbed.pir.org
Started with “empty” zone
5
Registrar Toolkit
Experimental toolkit (Not for Prime Time)
Don’t use it for .ORG production
Availability:
PIR website
SourceForge
EPP Transactions based on the -03 Hollenbeck draft
6
Policy Decisions
Running according to -bis specifications
Looking to showcase some pitfalls
May code NSEC3 in 2006 to run in parallel
Same for roll-over drafts, as they flesh out
Roll-over
Already rolled in November (did anyone notice?)
Will do an unannounced ZSK and KSK “compromise scenario” in 2006
Will publish a key roll-over schedule as well
7
Participation...
3 Registrars logged in, 15 names in the zone, 12 DS records (as of 23 Nov 2005)
135 names in the zone as of now
What can we do to help you participate?
On the PIR side?
On the Afilias side?
8
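The DS records counted above are what ties a registrar's DNSKEY to the parent zone: the parent publishes a digest of the child's key, and a validator accepts the child's DNSKEY only when its own digest of that key matches the DS. The following is an added example, not code from the presentation or from PIR/Afilias: it builds the DS from a DNSKEY per RFC 4034 (key tag, owner name in canonical wire form, digest) and checks the match on constructed key material for a hypothetical testbed name; after a KSK roll-over like the one described on the Policy Decisions slide, the parent's old DS stops matching.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length byte, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 1) -> tuple:
    """DS RDATA fields (key tag, algorithm, digest type, digest hex) the parent
    zone publishes for this DNSKEY: digest = hash(canonical owner | DNSKEY RDATA).
    Digest type 1 is SHA-1, 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True when the parent's DS covers this child DNSKEY (the chain-of-trust link)."""
    return make_ds(owner, rdata, ds[2]) == ds


# Constructed sample data: a hypothetical KSK (flags 257, protocol 3, algorithm 5 =
# RSA/SHA-1) for a hypothetical name in the testbed zone. The key bytes are toy data.
TESTBED_OWNER = "example-testbed.org"
TESTBED_KSK = dnskey_rdata(257, 3, 5, b"\x01\x00\x01\xab\xcd\xef")
TESTBED_DS = make_ds(TESTBED_OWNER, TESTBED_KSK)  # what the parent would publish
ROLLED_KSK = dnskey_rdata(257, 3, 5, b"\x01\x00\x01\x12\x34\x56")  # key after a KSK roll

if __name__ == "__main__":
    print("key tag", TESTBED_DS[0], "DS ok:", ds_matches(TESTBED_OWNER, TESTBED_KSK, TESTBED_DS))
    print("old DS still valid after roll-over:", ds_matches(TESTBED_OWNER, ROLLED_KSK, TESTBED_DS))
```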
Perception Problems
.CL (Chilean) survey
Many in the technological community in Chile do not know what DNSSEC is
Some thought it was “all about confidentiality”
Have not deployed DNSSEC because:
Worry it will confuse the market (providers are not knowledgeable yet make many promises to end users)
Multiple providers to deal with (ISC, APNIC, RIPE, etc.)
Education and Testbed
9
What DNSSEC does NOT do
DNSSEC does NOT provide confidentiality of DNS responses
DNSSEC does NOT protect against DDOS attacks
DNSSEC is NOT about privacy
DNSSEC is NOT a PKI
DNSSEC does NOT protect against IP Spoofing
10
Why is DNSSEC important?
ROI vs. Return on Risk
Not about increased revenues, but about reduced risks
Reducing risks for your community / customers
High vulnerability, low awareness
High dependence on DNS
Trust is easy to lose, difficult to regain
11
What Next?
Not without technical challenges (e.g. Key Rollovers)
Main Challenge is still awareness and adoption (i.e. demand driving)
Technologists tend to get overexcited about technical details
Some disconnect with business managers
Not as high profile as worms, viruses and DDOS attacks
Even as security is highest priority
12
Man-in-the-middle Attacks
Stories to tell:
Bank Account
Email from your bank telling you that, for security reasons, they need you to update your password
You know about these scams called ‘phishing’, where the bad guys send an email pretending to be legit, and the link actually goes to their website
Just to be safe, instead of clicking on your bank’s email link, you open up your browser, and type in the URL for your bank login page
On the front page is the request for password change.
You put in your ‘old’ password, and your ‘new’ password (twice)
Two hours later, your entire savings account is wiped clean.
Automated Systems compromised
Email being intercepted
13
IDN and DNSSEC
Many similarities
Requires Application (DNS Clients) updates
Requires Registries and DNS operator updates / deployment
Requires Root changes for complete experience
One major difference:
Lack of explicit user demand
14
Awareness & Participation
ccTLDs and gTLDs should implement DNSSEC testbeds
Application Providers
Browsers, MTAs
ISPs
Industry should help promote awareness
Must a catastrophe happen first?...
For more info and to participate:
http://www.dnssec.net
http://www.dnssecdeployment.org
15
Thank You
Edmon Chung
[email protected]
16