Upload File

history of dnssec from .asia signing event

11
© Afilias Limited www.afilias.info The History and Value of Deploying DNSSEC Dr. Jim Galvin Director Afilias

Upload: hread

Post on 18-Nov-2014

902 views

Category:

Technology


1 download

Report

Tags:

DESCRIPTION

Afilias Dr. James Galvin gives an overview and history of DNSSEC at the .ASIA DNSSEC signing press announcement at the IETF meeting in Beijing on Nov 11, 2010

TRANSCRIPT

Page 1: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

The History and Value of Deploying DNSSECDr. Jim GalvinDirectorAfilias

Page 2: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

• 10 years of experience in critical Internet infrastructure

• Best known for domain name registry services in support of 17 million domains across 15 TLDs

• Diverse DNS Network handling billions of queries daily

• Largest DNSSEC deployment – more TLDs than any other provider

Who is Afilias?

.LC

Page 3: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

What problem does DNSSEC solve?

When you visit a website, or send an e-mail, can you be sure you are communicating with the server that you think you are?

(At least not with certainty)

ON

Page 4: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

ITERATIVE RESOLVER

AUTHORITATIVENAME SERVER

The risks without DNSSEC….

4

DOMAIN NAME SYSTEM

Cache Poisoning

UNAUTHORIZED SERVER

Authoritative Name Server Hijacking

WEB BROWSER

Page 5: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

When does site identity matter?

5

DNSSEC is designed to protect users from the consequences of forged DNS data inserted by

malicious actors

The DNS was originally build on a model of trust

As the Web has expanded, and new criminal exploits have grown more sophisticated, this is no longer an acceptable model for the future of applications and services that rely on the DNS

Page 6: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

CACHEtrustus.asia = 192.172.3.4

Cache poisoning risks

1. A DNS resolver sends a DNS query and accepts the first response it receives.

2. If a malicious actor were to send back an incorrect response, the resolver would use this address until its cache expired.

trustus.asia =

DOMAIN NAME SYSTEM

192.168.16.2

trustus.asiaSERVER

get trustus.asia

trustus.asia =192.172.3.4

192.172.3.4

Page 7: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

How can DNSSEC help?

• Domain Name System Security Extensions adds security to the Domain Name System

• With DNSSEC, users and servers can verify DNS responses for:• Data integrity• Origin authentication

• The data is protected. It does not matter what server or resolver provides the data.

trustus.asia ?

trustus.asia192.168.16.2

DOMAIN NAME SYSTEM

DNSSEC

ZONE SERVER

Page 8: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

DNSSEC Benefits by User

8

End –User Registrant Registrar Registry

Gain confidence of reaching the intended website

Fraud mitigation Comply with new industry standards

Meet new industry standards

Greater brand protection

Meet Registrant demands for increased domain security

Meet Registrar demands for increased security of their domains

Page 9: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

Afilias DNSSEC timeline

2008

June 2009:.ORG zone signed

2009 2010

PIR submitted a .ORG DNSSEC proposal

The proposal was approved by ICANN

1st Half 2010:.ORG signed delegations

July 2010:Root signing

2011

Project Safeguard: Afilias deploys DNSSEC across 13 more TLDs including .Asia

Page 10: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

Adoption timing is a challenge

R&D Pioneers Early

Adopters Mass

AdoptionMainstream

No

man

’s land

• Now requires ISPs and application providers to get on board to envision new services that can bring this security to the mainstream

DNSSEC adoption

Page 11: History of DNSSEC from .ASIA signing event

© Afilias Limited www.afilias.info

Thank you!


DNSSEC Industry Survey Results - PCN, Inc.23.235.200.57/~pcninc5/wp-content/.../DNSSEC-Industry-Survey-Resu… · DNSSEC. DNS administrators can provide secure responses to DNSSEC-validating

DNSSEC DPS 210616 - APNIC · DNSSEC Policy and Practice Statement Page 4 of 12 Introduction APNIC is the Regional Internet Registry for the Asia Pacific region, responsible for allocating

ABC DNSSEC Practice Statement (DPS) - ICANN · ABC DNSSEC Practice Statement (DPS) ... 2.2 Publication of key signing keys (KSK) ... 4.3.3 Training requirements

A quick review of DNSSEC Validation in today’s …2016/06/27  · The Bigger Picture • Much of the African continent and parts of Asia still show high DNSSEC validation rates due

Overview DNSSEC - ICANN€¦ · Overview DNSSEC Performance More… Support for Online Zone Signing. Sign/unsign/change DNSSEC settings on a live zone Add/remove records dynamically

Verisign DNSSEC Practice Statement for TLD/GTLD Zone€¦ · TLD/GTLD Zone's Key Signing Key (KSK) and signing the TLD/GTLD keyset using the KSK. The TLD/GTLD Zone Key Signing Key

Sessão de Divulgação de DNSSEC - …...Portuguesa para a adopção de DNSSEC Objectivos •Promover a implementação de DNSSEC •Facilitar a adopção de DNSSEC •Fornecer documentação

K-Root DNSSEC Signing Plans

DNSSEC Deployment: A Tutorial - APRICOT · 2017-02-06 · Overview We will be talking about DNSSEC We plan to do a live zone signing demonstration and we will have instructions and

Dominic Stahl Infoblox DNSSEC Solution - DENIC eG: Wir ... · Infoblox DNSSEC Solution simple, secure and reliable Infoblox DNSSEC Solution ... Infoblox DNSSEC Offering:

Track 2 Workshop at PacNOG7: DNSSec Overview · 3. Signing the zone Sign your zone # dnssec-signzone myzone dnssec-signzone will be run with all defaults for signature duration, the

DNSSEC: Where We Are (and how we get to where we want to be) DNSSEC ASIA SUMMIT 2012 29-31 August 2012 [email protected]

Rolling the Root Zone DNSSEC Key Signing Key · DNSSEC Key Management in the Root Zone ¤ DNSSEC key management is divided into: o Key Signing Key (KSK), self-signs the key set o

DNSSEC - säkerhetsdeklaration · DNSSEC keys, for signing the relevant data and for registering and maintaining corresponding DS records through a Registrar. It is also the Registrants

Cricket Liu VP Product Management and Architecture, Infoblox · Maintenance of a DNSSEC-Signed Zone Signing a zone – Click “Sign Zone” Re-signing a zone (after modifying zone

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

DNSSEC with BlueCat Networks - Internetdagarna · Challenges Deploying DNSSEC TLD and root zone signing - “.com” not until 2011! Products to validate and host DNSSEC records Key

Rolling the Root Zone DNSSEC Key Signing Key · • DNSSEC has three kinds of records that, in some loose definition, hold cryptographic key data. The records exist because of the

DNSSEC for the Root Zone · DNSSEC Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣ Issuing, managing,

Measuring DNSSEC Validation: A Brief Update on DNSSEC Validation numbers, with an Asia Focus Geoff Huston APNIC Labs January 2015

DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas ([email protected]) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com

Verisign DNSSEC Practice Statement for TLD/GTLD Zone · The TLD/GTLD Zone Key Signing Key Operator is Verisign performing the function of generating the TLD/GTLD Zone's Key Signing

DNSSEC Practice Statement (DPS) · 3.2. Activation of DNSSEC for Registrant Zone When a DS record corresponding to a signing key used in a given Registrant zone is published in the

LDplayer: DNS Experimentation at Scale (abstract with poster) · Impact of Change in DNSSEC Key Size: Longer Zone Signing Key (ZSK) and more queries DNSSEC enabled (DO bit set) will

DNS Security - PacNOG · DNS Security : DNSSEC ... • Quick overview • New RRs • Using public key cryptography to sign a single zone • Delegating signing authority ; building

Brünig DNSSEC Field - DENIC eG: Wir sind .de · Infoblox is authoritative ... DNS Response OR TMOS Solution: Real-time DNSSEC Signing ... 2010/01/11/secure-dns-with-big-ip-v10.1-

Commercial DNSSEC - TERENA€¦ · DNS!Server! Controller DNS!Server DNSSEC Zone!Signing &! Key!Management OpenDNSSEC Secure64!Signer DNSSEC!ZKT! BIND!9.7.x+ Windows!2008R2 DNS!Management!

DNSSEC in your · DNSSEC deployment tasks • Key maintenance policies and tools • Private Key use and protection • Public key distribution • Zone signing and integration into

Placeholder for DNSSEC Validation - CANTO · 2016-08-06 · The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy The KSK is a cryptographic

DNSSEC for the Root Zone · DPS DNSSEC Policy & Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣

Rolling the Root Zone DNSSEC Key Signing Key - Eland Syssm/KSK_Roll_Plan_LewisAFRINIC25.pdf · Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis ... and a trust anchor •

DNSSEC Exposed - Deploying DNSSEC in Real Life Presentation

DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's