Security for the Internet’s
Domain Name System
DNSSEC Current State of Deployment
Prepared for Internet2 BoF
Amy Friedlander, Shinkuro, Inc.
Based on a presentation by Marcus Sachs (SRI) with contributions
by members of the DNSSEC Deployment Working Group
April 23, 2007
DNSSEC Current State: Protocols
Core RFCs published:
4033: DNS Security Introduction and Requirements
4034: Resource Records for DNS Security Extensions
4035: Protocol Modifications for the DNS Security Extensions
http://www.dnssec.net/rfc for the entire collection
NSEC3 is in final stages.
The DNS Extensions (DNSEXT) Working Group is discussing its future, including the option of self-dissolution.
The US Department of Homeland Security
DNSSEC Deployment Initiative Activities
Coordination project: Shinkuro, Sparta, SRI and NIST
Roadmap published in February 2005, updated March 2007 to include an extensive list of available software tools and guides
http://www.dnssec-deployment.org/roadmap.php
Multiple workshops held world-wide
Monthly newsletter
http://www.dnssec-deployment.org/news/dnssecthismonth
DNSSEC testbed and testing tools developed by NIST
http://www-x.antd.nist.gov/dnssec
DNSSEC tools available at
http://www.dnssec-tools.org
DNSSEC-Deployment Working Group
http://www.dnssec-deployment.org
Internet2 Cross-Signing Pilot
http://www.dnssec-deployment.org/internet2/
DNSSEC in the United States
US Government
US civilian government (.gov) developing policy and technical guidance for secure DNS operations and beginning deployment activities at all levels.
The “.us” and “.mil” zones are also on track for DNSSEC compliance
New DNSSEC guidance included in FISMA, NIST 800-53r1
http://www.csrc.nist.gov/publications/nistpubs
Secure Domain Name System Deployment Guide
http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf
Outside the US Government
Public Internet Registry (PIR): plans for deploying DNSSEC in .org
http://pir.org/Strengthening/DNSSec.aspx
DNSSEC in the Caribbean: Puerto Rico
In July 2006 Puerto Rico’s top-level domain (.pr) was the second ccTLD – country code top level domain – to provide a DNSSEC-signed zone
Details: http://www.nic.pr
Questions may be addressed to [email protected]
DNSSEC in Latin America: Mexico and Brazil
NIC Mexico is developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD
DNSSEC testbed launched in May 2006
Created a new SLD: test.mx where DNSSEC-enabled domain registrations can be made for free
Testbed details: http://www.dnssec.org.mx
DNSSEC verification tool:
http://www.dnssec.org.mx/checkdnssec.html
Registro.br released DNSSEC extensions for EPP:
http://registro.br/epp/index-EN.html (RFC 4310)
DNSSEC in Europe: RIPE
The European infrastructure services provider, RIPE NCC, based in the Netherlands, has deployed DNSSEC in the reverse tree
Details are at
https://www.ripe.net/rs/reverse/dnssec
How-to guide (latest version) at
https://www.nlnetlabs.nl/dnssec_howto
DNSSEC in Europe: Sweden
In November 2005, the Swedish national registry (.se) was the first ccTLD – country code top level domain – to provide DNSSEC-capable service
February 16, 2007, .se launched commercial DNSSEC service
Press release (launch):
http://www.iis.se/english/nyheter/news/2007-0216?lang=en
More details, DNSSEC This Month (March 1, 2007)
http://www.dnssec-deployment.org/news/dnssecthismonth/200703dnssecthismonth/
DNSSEC in Europe: Bulgaria, Czech Republic and Russia
Bulgaria (.bg) has signed its zone.
Czech Republic (.cz) is studying the idea of signing its zone as a means of seeding DNSSEC deployment in eastern Europe.
R01 (http://www.r01.ru/), a Russian registrar, has a signed copy of the .ru zone available on their name server.
ns.dnssec.ru (195.24.65.7)
Registrants with a .ru domain using R01 as a registrar can sign their own zones
R01 will provide secure delegation in the signed copy of the .ru zone
Additional information on the signed zone and how it can be used can be found at http://www.dnssec.ru
DNSSEC in Asia
DNSSEC summit and workshop during APRICOT 2005, Kyoto
http://www.apricot.net/apricot2005/workshop.html#ws5
http://www.psg.com/~mankin/DNSSEC-Kyoto21Feb2005/DNSSEC05FebJP-Info.html
We need more pilots and workshops in the APNIC region!
Stages for Next Steps and Discussion
Risk (and cost) analysis
Test and engineering
CRITICAL!
Discussions with many communities, including with the relevant Top Level Domain registries
Production
Including communication with zone providers, registrars, governing agencies, and software vendors
Leadership in the private and public sectors
Background Information and Contributors
For lots of detailed information:
www.dnssec-deployment.org
www.dnssec-tools.org
www.dnssec.net
Authors of materials in this presentation (all from dnssec-deployment working group)
Amy Friedlander (Shinkuro)
Allison Mankin (Shinkuro)
Marcus Sachs (SRI)
Ed Lewis (Neustar)
Olaf Kolkman (Netlabs.nl)
Russ Mundy (Sparta)