dnssec in the reverse tree an arin prospective mark
play

DNSSEC In the Reverse Tree An ARIN Prospective Mark Kosters, CTO - PowerPoint PPT Presentation

Oct 18, 2022 •489 likes •600 views

DNSSEC In the Reverse Tree An ARIN Prospective Mark Kosters, CTO ARIN Initiatve ARINs board asked ARIN Staff to implement DNSSEC Turned out to be easy Lots of prior work to learn from and emulate Followed their work plus

  1. DNSSEC In the Reverse Tree – An ARIN Prospective Mark Kosters, CTO

  2. ARIN Initiatve • ARIN’s board asked ARIN Staff to implement DNSSEC • Turned out to be easy • Lots of prior work to learn from and emulate • Followed their work plus fixed tweaks to make it less operationally impactful 2

  3. Past Efforts • Many TLD’s have DNSSEC turned on – .SE, .BR, .ORG, etc • Lots of prior work to learn from and emulate • RIPE Turned on DNSSEC back in Q4 of 2005 via the DISI Project – Great description of their keying policies – Useful tools • .SE project – Again useful tools available – especially with key management 3

  4. ARIN’s Plan • Lots of prior work to learn from and emulate • Follow RIPE’s key procedures with some modifications on timing • Survey key management tools – Opendnssec – Secure64 – DISI Project (RIPE) – DNSSEC Zone Key Tool – others 4

  5. Principle of No Surprise • Documented the plan – took a lot from RIPE – http://www.ripe.net/rs/reverse/dnssec/ • Had a Consultation on arin-consult mailing list • Slow rollout – https://www.arin.net/about_us/dnssec/ 5

  6. Complications Trust anchors – Parents (root/arpa/in-adr.arpa) are not signed – Needs to be individually configured per recursive resolver – Available at: • https://www.arin.net/about_us/dnssec/trust_anchors.html (secured via https) • ftp://ftp.arin.net/pub/zones/trust_anchors.txt • ftp:/ftp.arin.net/pub/zones/trusted_keys.txt – OR – Aggregated Trust anchor Service (DLV) • https://dlv.isc.org/ 6

  7. Phase 1 DNSSEC Capability • Validate that VeriSign and ARIN servers are conformant • Got a green light for NSEC but not NSEC3 7

  8. Phase 2 – Signing the Zones • Turned on afternoon of July 1, 2009 • Both VeriSign and ARIN NOC Operations on high alert • Saw increase of outbound traffic z.arin.net: – Prior to DNSSEC, we were doing ~ 4.5 Mbps. – After DNSSEC, we jumped up to about 10.5 Mbps. – Currently 15–17 Mbps 8

  9. Obligatory Graph One instance in load-balanced site

  10. Phase 3 – Serving Signed Child Zones • Backend Schema is currently Insufficient – DNS records tied to Network Allocations – needs to be done per delegation – Large back-office effort 50% complete • Provisioning for this Service will be placed in ARIN Online – Consistent and higher security then existing templates – Integrated into a managed dns service • Expected to rollout in 2010 10

Recommend

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates Internet Resources IP Addresses (v4 and V6) Autonomous Numbers Publishes Information Whois Resource Certification DNS 3 Reverse

482 views • 9 slides
DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why DNSSEC ? Securing the DNS system is both necessary and, right now, doable Root signed since 2010 No

474 views • 10 slides
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity of data

562 views • 39 slides
The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint

The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint

The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint work with Nicolas Broutin Universit e de Pierre et Marie Curie, Paris, France 24 June 2014 Motivation Introduction to the Brownian CRT Let T n

689 views • 50 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
NATURE OF TRUE WORSHIP Mark 11:12-19 The Fig Tree MARK 11:12-14 The next day when they came out

NATURE OF TRUE WORSHIP Mark 11:12-19 The Fig Tree MARK 11:12-14 The next day when they came out

NATURE OF TRUE WORSHIP Mark 11:12-19 The Fig Tree MARK 11:12-14 The next day when they came out from Bethany, He was hungry. After seeing in the distance a fig tree with leaves, He went to find out if there was anything on it. When He came to

600 views • 32 slides
ARIN Policy Update Sean Hopkins ARIN Policy Analyst Recently Implemented Policies

ARIN Policy Update Sean Hopkins ARIN Policy Analyst Recently Implemented Policies

ARIN Policy Update Sean Hopkins ARIN Policy Analyst Recently Implemented Policies ARIN-2015-3: Remove 30 day u5liza5on requirement in end-user IPv4 policy ARIN-2015-11: Remove transfer language which only applied pre-exhaus5on of IPv4

261 views • 5 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

890 views • 51 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
ARIN Update Marc Crandall ARIN Advisory Council Policy Discussions Last Call Equitable

ARIN Update Marc Crandall ARIN Advisory Council Policy Discussions Last Call Equitable

ARIN Update Marc Crandall ARIN Advisory Council Policy Discussions Last Call Equitable IPv4 Run-Out When ARIN gets its last /8, instead of giving ISPs a 12-month supply of address space, they will get a 3-month supply. Policy

349 views • 9 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Ready or notIPv6 is here 11 April 2013 New York Amateur Computer Club Tim Christensen ARIN

Ready or notIPv6 is here 11 April 2013 New York Amateur Computer Club Tim Christensen ARIN

Ready or notIPv6 is here 11 April 2013 New York Amateur Computer Club Tim Christensen ARIN Engineering 2 About ARIN As one of the five Regional Internet Registries (RIRs), ARIN is charged with managing distribution of Internet number

702 views • 22 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
ARIN Update Bill Woodcock ARIN Board of Trustees 2015 Focus Increased focus on customer

ARIN Update Bill Woodcock ARIN Board of Trustees 2015 Focus Increased focus on customer

ARIN Update Bill Woodcock ARIN Board of Trustees 2015 Focus Increased focus on customer service Based on feedback and survey Continued IPv4 to IPv6 Transition Awareness Targeting ISPs and Content Providers Continued

502 views • 8 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for http(s)

538 views • 25 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

610 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides

More recommend