Upload File

diversity in your dns infrastructure · dns infrastructure support for dnssec whatever mode of...

  • Home
  • Documents
  • diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,
8
Service Specification diversity in your DNS infrastructure ..................................................................................................................................................................................................................................... ..................................................................................................................................................................................................................................... PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

Upload: others

Post on 22-Jul-2020

6 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

Service Specification

diversity in your DNS infrastructure..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

Page 2: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

DNS infrastructure

Service SpecificationContent

© 2017 ironDNS® / Rev. 1.0.0 – March 2017 (subject to change) Page 2 / 8

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

.....................................................................................................................................................................................................................................

Service Specification

ABOUT ironDNS®

Overview ............................................................................ 3Diversity ............................................................................. 3Data Protection ................................................................. 3DNSSEC ............................................................................ 3Mixed Set-Up .................................................................... 3

PRODUCT SPECIFICATIONDesign Principles ............................................................. 4Features ............................................................................. 4Implemented RFC standards .......................................... 5Support for DNSSEC ....................................................... 6Information Security ........................................................ 6

.....................................................................................................................................................................................................................................

Page 3: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

DNS infrastructure

Service SpecificationStandard Feature List

ABOUT ironDNS®

© 2017 ironDNS® / Rev. 1.0.0 – March 2017 (subject to change) Page 3 / 8

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

.....................................................................................................................................................................................................................................

Service Specification

OverviewironDNS® places special emphasis on stability, robustness and security. The high-availability platform relies on name server locations around the globe and offers Unicast and Anycast services. Of course, IPv4 and IPv6 are both supported.

Data ProtectionAs Knipp, the company providing ironDNS®, has its headquarters in Germany, ironDNS® is operated under the strict privacy policies of the European Union. In addition, Knipp holds a DIN ISO/IEC 27001:2015 certificate demonstrating its comprehensive security concepts.

Mixed Set-UpIn the mixed set-up, consisting of your own name servers and ironDNS® name servers, ironDNS® name servers can

either be secondary name servers receiving the master zone from one of your name servers; or your name servers can work as secondary name servers receiving the zone (including notifies) from ironDNS® name servers.

DNSSECironDNS® fully supports DNSSEC. Customers can choose either the active or passive mode depending on their individual needs. In the active mode, ironDNS® handles all necessary steps. In the passive mode, ironDNS® validates the zone without changing any DNSSEC-related resource records.

DiversitySoftware diversity is the basic protection against malfunction and attacks. ironDNS® is a name server software and service that is wholly independent of all other name server implementations.

ironDNS® provides diversity for your DNS infrastructure

.....................................................................................................................................................................................................................................

1

Page 4: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

DNS infrastructure

PRODUCT SPECIFICATION

ironDNS® allows all Internet users world-wide to actually use domains. This is mainly done by converting human readable domain names into IPv4 and IPv6 addresses, which are used by the Internet communication protocols to address systems connected to the Internet.

Design Principles

Features

© 2017 ironDNS® / Rev. 1.0.0 – March 2017 (subject to change) Page 4 / 8

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

.....................................................................................................................................................................................................................................

Service Specification

ironDNS® is designed to fully support DNSSEC

2

• diversity in software (ironDNS® as proprietary solution and BIND as a fall-back solution)

• diversity in hardware• diversity in operation systems (HP-UX and Linux)

• Control Panel allowing extensive and easy zone management

• SOAP interface (for automatic high-volume zone provisioning)

• configurable E-Mail alerts in case of errors • use of Unicast nodes • use of Anycast networks • IPv4 and IPv6 support (dual stack) • all name servers are updated via a central manager

component using the push principle; the manager always knows exactly which zone version is available on which name server, allowing for better control

• full fledged DNSSEC support including automatic rollovers of ZSKs

• support for arbitrary DNS resource record types (including unknown types)

• extensive zone validation and automatic correction of minor faults (configurable)

• two factor authentication for highly secured zones • additional read-only accounts (e.g., for lower priviliged

support staff) • configurable DNS statistics

.....................................................................................................................................................................................................................................

Page 5: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

DNS infrastructure

Implemented RFC standards

Adherence to and implementation of the following standards (among others):

© 2017 ironDNS® / Rev. 1.0.0 – March 2017 (subject to change) Page 5 / 8

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

.....................................................................................................................................................................................................................................

Service Specification

• RFC 1034 Domain Names — Concepts and Facilities• RFC 1035 Domain Names — Implementation and

Specification• RFC 1982 Serial Number Arithmetic• RFC 1995 Incremental Zone Transfer in DNS• RFC 1996 A Mechanism for Prompt Notification of

Zone Changes• RFC 2181 Clarifications to the DNS Specification• RFC 2182 Selection and Operation of Secondary DNS

Servers• RFC 2671 Extension Mechanisms for DNS (EDNS0)• RFC 2845 Secret Key Transaction Authentication for

DNS (TSIG)• RFC 3007 Secure Domain Name System (DNS)

Dynamic Update• RFC 3225 Indicating Resolver Support of DNSSEC• RFC 3596 DNS Extensions to Support IP Version 6 • RFC 3597 Handling of Unknown DNS Resource Record

(RR) Types • RFC 3901 DNS IPv6 Transport Operational Guidelines

(BCP 91)• RFC 4033 DNS Security Introduction and

Requirements• RFC 4034 Resource Records for the DNS Security

Extensions

• RFC 4035 Protocol Modifications for the DNS Security Extensions

• RFC 4343 Domain Name System (DNS) Case Insensitivity Clarification

• RFC 4472 Operational Considerations and Issues with IPv6 DNS

• RFC 4509 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)

• RFC 4592 The Role of Wildcards in the Domain Name System

• RFC 5155 DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

• RFC 5702 Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC

• RFC 6604 xNAME RCODE and Status Bits Clarification • RFC 6672 DNAME Redirection in the DNS • RFC 6781 DNSSEC Operational Practices, Version 2 • RFC 6895 Domain Name System (DNS) IANA

Considerations • RFC 7766 DNS Transport over TCP - Implementation

Requirements • RFC 7929 DNS-Based Authentication of Named

Entities (DANE) Bindings for OpenPGP

ironDNS® is compliant with standards

3

.....................................................................................................................................................................................................................................

Usage Scenarios

1. Replace your DNS infrastructure; all your visible name servers are run by ironDNS®.

2. Enhance your DNS infrastructure by adding one ore more ironDNS® name servers seamlessly to your own name servers.

In both of the above cases you can • enter and manage your zone file comfortably via the Control Panel. • run a (hidden) primary name server. The zones are transferred via IXFR/AXFR. • update your zones automatically via our SOAP interface.

Page 6: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

DNS infrastructure

Support for DNSSEC

Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself, ironDNS® will simply use all DNSSEC-related resource records as provided and publish them on ironDNS® name servers. Alternatively, you can have ironDNS® sign your zone. In that case you can also use your name servers as secondaries by obtaining the signed zone from ironDNS. In the latter case ironDNS® will take care of the ZSK rollover autonomously and inform you (via Control Panel or SOAP poll message) about a due KSK rollover. Whenever it may be necessary you can always force a key rollover at your convenience.

Information Security

Knipp Medien und Kommunikation GmbH, the company providing ironDNS®, has its headquarters in Germany. Therefore, ironDNS® is operated under the strict privacy policies of the European Union. In addition, Knipp holds a DIN ISO/IEC 27001:2015 certificate demonstrating its comprehensive security concepts.

© 2017 ironDNS® / Rev. 1.0.0 – March 2017 (subject to change) Page 6 / 8

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

.....................................................................................................................................................................................................................................

Service Specification

.....................................................................................................................................................................................................................................

Page 7: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

DNS infrastructure

© 2017 ironDNS® / Rev. 1.0.0 – March 2017 (subject to change) Page 7 / 8

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

.....................................................................................................................................................................................................................................

Service Specification

.....................................................................................................................................................................................................................................

Page 8: diversity in your DNS infrastructure · DNS infrastructure Support for DNSSEC Whatever mode of operation you choose, ironDNS® fully supports DNSSEC. If you sign your zones yourself,

DNS infrastructure

© 2017 ironDNS® / Rev. 1.0.0 – March 2017 (subject to change) Page 8 / 8

PREMIUM DNS INFRASTRUCTURE – STABLE, ROBUST AND SECURE

.....................................................................................................................................................................................................................................

Service Specification

.....................................................................................................................................................................................................................................

ironDNS® is a product of

Knipp Medien und Kommunikation GmbHTechnologieparkMartin-Schmeißer-Weg 944227 DortmundGermany

[email protected]


DNSSEC - Red Hatpeople.redhat.com/pwouters/LinuxCon2012-DNSSEC.pdf · DNSSEC capable DNS resolvers unbound (preferred for on the fly reconfiguration) bind (named) DNSSEC capable DNS

DNS 安全防護傘 - DNSSEC

15 essential DNS and DNSSEC monitoring tests

DNS Risks, DNSSEC

Secure DNS with Unbound and DNSSEC-Trigger · •Unbound!validating!DNS! Server

Security in DNS(DNSSEC)

DNSSEC ROLLING KEYS - dns-school.org

Introducao DNS Dnssec

Multi-Signer DNSSEC Models - DNS-OARC

DNS / DNSSEC Workshop - start [APNIC TRAINING WIKI]€¦ · DNS / DNSSEC Workshop Generic slides 03 November 2015 2.0-draft4. Overview • DNS Overview • BIND DNS Configuration

DNSSECTutorial& - APNIC Conferences – APNIC · Security3Extensions3(DNSSEC)3 =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4

DNSSEC Infrastructure Audit Framework - NLnet Labsnlnetlabs.nl/downloads/publications/dns-audit-framework-1.0.pdf · T be 1 Introduction A DNSSEC audit is the process of structural

DNS & DNSSEC Security 2008

DNSSEC: Security Extensions for DNS · DNSSEC: Security extensions for DNS Mauricio Vergara Ereche LACNIC30 & LACNOG 2018 Sep 2018 Let’s start with some DNS and DNSSEC theory

Understanding the DNS & DNSSEC

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

DNSSEC DNS - IIS · reason, DNSSEC (DNS Security Extensions) have been developed. With DNSSEC, the DNS is secured from abuse by introducing electronic signatures into the DNS data

DNSSEC for Everybody: A Beginner s Guide...DNSSEC Implementation Samples • DNSSEC implementation depends upon & is mostly driven by an activity’s DNS functions – DNS is made

DNS Transfers in DNSSEC world

DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

DNSSEC Implementation Approaches - ICANN GNSO · DNSSEC Implementation Approaches . The DLV infrastructure zone • DLV is a DNS-based deployment aid for early DNSSEC deployment –allows

A New Approach to DNS Security (DNSSEC)

DNSSEC : les extensions de sécurité du DNS

DNS and DNSSEC - econinfosec.org · DNS and DNSSEC Samuel Weiler ... Domain Name System (DNS) ... – DNS Resolver Software BIND and Unbound (java), both open source

DNS,DNSSEC and Best Practices

DNS and DNSSEC tutorial

labs.lacnic.net site sites_default_files_050-dns-dnssec-lacnic-01_0

Step-by-Step DNSSEC-Tools Operator Guidance Document › docs › step-by-step-dnssec-tools › sbs-dt.pdf · Introduction DNS Security (DNSSEC) helps protect against DNS-spoofing

Securing DNS Infrastructure Using DNSSEC - ICANN · 2015-09-17 · Securing DNS Infrastructure Using DNSSEC Ram Mohan Executive Vice President, Afilias rmohan@afilias.info February

Overview - TWNIC · Overview • DNS Protocol Overview • DNS Security • DNS Transactions – TSIG and Lab • DNS Security Extensions (DNSSec) – DNSSEC Lab . 21/06/16 2 DNS

Threats to DNS DNSSEC overview/history DNSSEC in … · Threats to DNS DNSSEC overview/history DNSSEC today ... signed.infoblox.com. 3600 IN RRSIG NS 5 3 3600 20080410205926 20080311205926

Educause Security Professionals DNS/DNSSEC Tutorial

DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Understanding DNSSEC in Windows DNS Server

Domain Name Basics - DNS, DNSSEC and DANE