DNSSEC
How to deploy it, and why you should bother.

joe.abley@icann.org
DNS What?

•  DNSSEC. Pay attention.
   •  RFC 4033, RFC 4034, RFC 4035


•  Cryptographic keys and signatures published in the DNS
   •  Public, private key-pairs
   •  Allows a chain of trust to be established through the data published
      in the DNS


•  No encryption, no transport security, no privacy measures
•  Authenticity of Answers
Trust Follows Delegations

[Diagram: Parent Zone → Secure Delegation (NS, signed DS, glue) → Child Zone]

Parent Zone:
•  Zone contains public keys.
•  Resource Record Sets are signed with corresponding private keys.
•  Secure delegations contain a hash of a child’s public key.

Child Zone:
•  Zone contains public keys.
•  Resource Record Sets are signed with corresponding private keys.
How to Trust Lots of Stuff

[Diagram: Trust Anchor → Root Zone → ORG, COM, NET → ISOC.ORG]
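The chain of trust on the two slides above (a DS record in the parent binding the child's DNSKEY, walked from a trust anchor down to ISOC.ORG), as an added Python example: this is not code from the deck or from ICANN, the keys are constructed placeholders rather than real key material, and it checks only the DS-to-DNSKEY link, not the RRSIG signatures a real validator also verifies.

```python
"""DS-to-DNSKEY chain-of-trust check following RFC 4034 (Appendix B key tag,
section 5.1.4 DS digest, section 6.2 canonical names). Constructed keys only."""
import hashlib
import struct

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as uppercase hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS record a parent publishes for one of its child's keys."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Does this DS refer to this DNSKEY? Key tag and algorithm are cheap
    pre-filters; the digest is what actually binds parent to child."""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    if ds["digest_type"] not in DIGEST_ALGS:
        return False  # unsupported digest type: cannot be used as a link
    return ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])


def walk_chain(trust_anchor: dict, zones: list) -> list:
    """Follow DS -> DNSKEY links downwards from the trust anchor.

    zones: ordered list of (zone_name, [DNSKEY rdata...], [DS records the zone
    publishes for the next zone down, or None]). Returns the names of zones
    whose DNSKEY set is linked to the anchor; stops at the first zone where no
    DS from the parent matches any of its DNSKEYs (the chain is broken there).
    RRSIG verification over the DNSKEY and DS RRsets is deliberately omitted.
    """
    secure = []
    ds_set = [trust_anchor]
    for zone, dnskeys, child_ds in zones:
        if not any(ds_matches_dnskey(ds, zone, k) for ds in ds_set for k in dnskeys):
            break
        secure.append(zone)
        if not child_ds:
            break
        ds_set = child_ds
    return secure


# Constructed placeholder keys (not real cryptographic material) for the
# slide's chain: trust anchor -> root -> ORG -> ISOC.ORG.
ROOT_KSK = dnskey_rdata(257, 8, b"constructed-root-ksk-public-key")
ORG_KSK = dnskey_rdata(257, 8, b"constructed-org-ksk-public-key")
ISOC_KSK = dnskey_rdata(257, 8, b"constructed-isoc-ksk-public-key")
TRUST_ANCHOR = make_ds(".", ROOT_KSK)


def example_chain() -> list:
    """Every DS matches the child's DNSKEY: all three zones validate."""
    zones = [
        (".", [ROOT_KSK], [make_ds("org", ORG_KSK)]),
        ("org", [ORG_KSK], [make_ds("isoc.org", ISOC_KSK)]),
        ("isoc.org", [ISOC_KSK], None),
    ]
    return walk_chain(TRUST_ANCHOR, zones)


def broken_chain() -> list:
    """A DNSKEY for isoc.org that ORG's DS does not vouch for (stale or
    spoofed) stops the chain at isoc.org; a validator would treat it as bogus."""
    unvouched = dnskey_rdata(257, 8, b"constructed-key-not-in-parent-ds")
    zones = [
        (".", [ROOT_KSK], [make_ds("org", ORG_KSK)]),
        ("org", [ORG_KSK], [make_ds("isoc.org", ISOC_KSK)]),
        ("isoc.org", [unvouched], None),
    ]
    return walk_chain(TRUST_ANCHOR, zones)


if __name__ == "__main__":
    print("secure zones:", example_chain())
    print("with unvouched isoc.org key:", broken_chain())
```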
Deployment

•  Zone Managers
   •  sign your zones
   •  publish trust anchors in parent zones
   •  provide mechanisms for children to publish trust anchors in your
      zone


•  Cache Operators
   •  ensure your caches are DNSSEC-friendly
   •  turn on validation
   •  don’t be evil
Zone Signing

•  Root zone was signed in 2011, with great fanfare


•  Today, many TLDs are signed (83 out of 310)
    •  COM, NET, ORG, INFO, BIZ, others
    •  Growing number of ccTLDs
    •  ARPA


•  Even in regions associated with ccTLDs that are signed, however, DNSSEC
   deployment is slow
   •  CZ doing particularly well in this regard
DNSSEC in TLDs
DNSSEC in ccTLDs
How to Sign Your Zones

•  BIND makes this easy, from 9.8 onwards
   •  Good for people who already use and like BIND9


•  OpenDNSSEC makes this easy
   •  especially if you feel a need to use Hardware Security Modules


•  PowerDNS makes this easy
   •  POWERDNS is now declared ready for production
   •  good for people who already use and like PowerDNS
How to Serve Signed Zones

•  Probably, you just have to sign the zones
   •  i.e. do nothing in particular to your masters and slaves
   •  most DNS authority-only servers have had DNSSEC turned on by
      default for some time
Cache Operators

•  Unless you’re being evil, your caches probably already pass through
   DNSSEC records to end users
   •  i.e. do nothing, and end-users can validate


•  Turn on Validation
   •  if you want to avoid cache poisoning attacks
   •  there is a support overhead here
   •  the helpdesk phone might ring, sometimes
End Users

•  Use a cache that is validating
   •  You won’t see signed records unless the signatures are good


•  Use software that does validation for you
   •  Chrome
   •  FireFox with the NIC.CZ DNSSEC Validator module
   •  DNSSEC Trigger, by NLNet Labs
Why Bother?

•  There is lots of response spoofing and cache poisoning going on
   •  so we hear
   •  problem is, it’s often hard to tell


•  What we’re building is a global Public Key Infrastructure based on
   the DNS
   •  this is good
   •  we want this
Why is a Global PKI Good?

•  Building a reliable PKI is hard
   •  have you ever tried to use PGP?
   •  ever heard of an X.509 Certificate Authority going bad?
   •  ever known a user to click “Continue” when a certificate warning
      pops up?


•  Reliable PKIs are useful
   •  TLS (HTTPS, SMTP, IMAP, etc)
   •  Routing Security
   •  SSH key management
e.g. DANE

•  DNS-based Authentication of Named Entities
   •  IETF Working Group
   •  Aims to use the DNS to distribute X.509 certificates


•  Promises the convenience and price of self-signed certificates with
   near real-time revocation
   •  no need to e-mail bits of photoshopped letterhead round the place
   •  no fees
   •  set your own key roll schedules
Homework

•  Sign some Zones


•  Make sure your caches are nice and clean, and pass through DNSSEC
   records correctly
   •  don’t forget not to be evil


•  Turn on Validation in your cache
   •  if you feel like it


•  Install some client software that does DNSSEC validation
