Security for the Internet’s Domain Name System
DNSSEC Current State of Deployment
Prepared for Internet2 BoF
Amy Friedlander, Shinkuro, Inc.
Based on a presentation by Marcus Sachs (SRI) with contributions
by members of the DNSSEC Deployment Working Group
April 23, 2007
DNSSEC Current State: Protocols
• Core RFCs published:
  • 4033: DNS Security Introduction and Requirements
  • 4034: Resource Records for DNS Security Extensions
  • 4035: Protocol Modifications for the DNS Security Extensions
  • http://www.dnssec.net/rfc for the entire collection
• NSEC3 is in final stages.
• DNS Extensions (DNSEXT) Working Group is discussing its future, including the option of self-dissolution.
The US Department of Homeland Security DNSSEC Deployment Initiative Activities
• Coordination project: Shinkuro, Sparta, SRI and NIST
• Roadmap published in February 2005, updated March 2007 to include extensive list of available software tools and guides
  • http://www.dnssec-deployment.org/roadmap.php
• Multiple workshops held world-wide
• Monthly newsletter
  • http://www.dnssec-deployment.org/news/dnssecthismonth
• DNSSEC testbed and testing tools developed by NIST
  • http://www-x.antd.nist.gov/dnssec
• DNSSEC tools available at
  • http://www.dnssec-tools.org
• DNSSEC-Deployment Working Group
  • http://www.dnssec-deployment.org
• Internet2 Cross-Signing Pilot
  • http://www.dnssec-deployment.org/internet2/
DNSSEC in the United States
• US Government
  • US civilian government (.gov) developing policy and technical guidance for secure DNS operations and beginning deployment activities at all levels.
  • The “.us” and “.mil” zones are also on track for DNSSEC compliance
  • New DNSSEC guidance included in FISMA, NIST 800-53r1
    • http://www.csrc.nist.gov/publications/nistpubs
  • Secure Domain Name System Deployment Guide
    • http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf
• Outside the US Government
  • Public Internet Registry (PIR): plans for deploying DNSSEC in .org
    • http://pir.org/Strengthening/DNSSec.aspx
DNSSEC in the Caribbean: Puerto Rico
• In July 2006 Puerto Rico’s top-level domain (.pr) was the second ccTLD – country code top level domain – to provide a DNSSEC-signed zone
• Details: http://www.nic.pr
• Questions may be addressed to [email protected]
DNSSEC in Latin America: Mexico and Brazil
• NIC Mexico is developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD
  • DNSSEC testbed launched in May 2006
  • Created a new SLD: test.mx where DNSSEC-enabled domain registrations can be made for free
  • Testbed details: http://www.dnssec.org.mx
  • DNSSEC verification tool: http://www.dnssec.org.mx/checkdnssec.html
• Registro.br released DNSSEC extensions for EPP: http://registro.br/epp/index-EN.html (RFC 4310)
DNSSEC in Europe: RIPE
• The European infrastructure services provider, RIPE NCC, based in the Netherlands, has deployed DNSSEC in the reverse tree
• Details are at https://www.ripe.net/rs/reverse/dnssec
• How-to guide (latest version) at https://www.nlnetlabs.nl/dnssec_howto
DNSSEC in Europe: Sweden
• In November 2005, the Swedish national registry (.se) was the first ccTLD – country code top level domain – to provide DNSSEC-capable service
• February 16, 2007, .se launched commercial DNSSEC service
• Press release (launch): http://www.iis.se/english/nyheter/news/2007-0216?lang=en
• More details, DNSSEC This Month (March 1, 2007): http://www.dnssec-deployment.org/news/dnssecthismonth/200703dnssecthismonth/
DNSSEC in Europe: Bulgaria, Czech Republic and Russia
• Bulgaria (.bg) has signed its zone.
• Czech Republic (.cz) is studying the idea of signing its zone as a means of seeding DNSSEC deployment in eastern Europe.
• R01 (http://www.r01.ru/), a Russian registrar, has a signed copy of the .ru zone available on their name server.
  • ns.dnssec.ru (195.24.65.7)
  • Registrants with a .ru domain using R01 as a registrar can sign their own zones
  • R01 will provide secure delegation in the signed copy of the .ru zone
• Additional information on the signed zone and how it can be used can be found at http://www.dnssec.ru
DNSSEC in Asia
• DNSSEC summit and workshop during APRICOT 2005, Kyoto
  • http://www.apricot.net/apricot2005/workshop.html#ws5
  • http://www.psg.com/~mankin/DNSSEC-Kyoto21Feb2005/DNSSEC05FebJP-Info.html
• We need more pilots and workshops in the APNIC region!
Stages for Next Steps and Discussion
• Risk (and cost) analysis
• Test and engineering
CRITICAL!
  • Discussions with many communities, including with the relevant Top Level Domain registries
• Production
  • Including communication with zone providers, registrars, governing agencies, and software vendors
• Leadership in the private and public sectors
Background Information and Contributors
• For lots of detailed information:
  • www.dnssec-deployment.org
  • www.dnssec-tools.org
  • www.dnssec.net
• Authors of materials in this presentation (all from dnssec-deployment working group)
  • Amy Friedlander (Shinkuro)
  • Allison Mankin (Shinkuro)
  • Marcus Sachs (SRI)
  • Ed Lewis (Neustar)
  • Olaf Kolkman (Netlabs.nl)
  • Russ Mundy (Sparta)