dnssec in the reverse tree lacnic
play

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 - PowerPoint PPT Presentation

Apr 06, 2023 •352 likes •473 views

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why DNSSEC ? Securing the DNS system is both necessary and, right now, doable Root signed since 2010 No

  1. DNSSEC ¡in ¡the ¡Reverse ¡Tree ¡ @LACNIC Carlos ¡Martinez ¡-­‑ @carlosm3011

  2. Why ¡DNSSEC ¡? ¡ • Securing ¡the ¡DNS ¡system ¡is ¡both ¡necessary ¡ and, ¡right ¡now, ¡doable – Root ¡signed ¡since ¡2010 – No ¡excuses! • A ¡signed ¡DNS ¡tree ¡can ¡also ¡be ¡an ¡ enabler for ¡ new ¡applications – DANE ¡WG • DNSSEC ¡does ¡not ¡solve ¡ every problem ¡in ¡the ¡ DNS ¡system – But ¡it ¡certainly ¡helps ¡a ¡lot

  3. DNSSEC ¡@LACNIC: ¡Timeline • 4Q ¡2010 ¡– 2Q ¡2011 – Training, ¡study, ¡tool ¡testing • 3Q ¡2011 ¡– 1Q ¡2012 – Experimental ¡zone ¡signing ¡ • <lacnic>.ip6.arpa • A ¡few ¡forward ¡zones – Trial ¡key ¡rollovers ¡and ¡technical ¡definitions • 4Q ¡2012 ¡– 1Q ¡2013 – Reverse ¡zones ¡signed ¡in ¡production

  4. DNSSEC ¡@LACNIC: ¡Status • Status ¡of ¡DNSSEC ¡in ¡the ¡reverse ¡tree ¡ @LACNIC: – Reverse ¡zones ¡for ¡IANA-­‑allocated ¡LACNIC ¡space ¡ signed • ERX ¡/ ¡Legacy ¡depending ¡on ¡majority ¡holder – DS ¡records ¡from ¡members • Currently ¡we ¡can ¡insert ¡DS ¡records ¡manually, ¡for ¡testing ¡ purposes • Please ¡do ¡

  5. Signer ¡Architecture • Hidden ¡signer ¡plus ¡public ¡masters

  6. DNSSEC ¡on ¡the ¡Cheap • Unless ¡your ¡zones ¡are ¡extremely ¡large, ¡you ¡ don’t ¡need ¡a ¡huge ¡investment ¡to ¡use ¡DNSSEC • Software – BIND ¡9.9 – OpenDNSSEC – … ¡others ¡as ¡well • Hardware – Almost ¡any ¡Linux ¡server ¡will ¡do ¡

  7. DNSSEC ¡on ¡the ¡Cheap ¡(II) • A ¡‘hidden ¡signer’ ¡setup ¡provides ¡a ¡reasonably ¡ secure ¡setup ¡without ¡huge ¡investments dns1.isp.net dnssec-hs1 dns2.isp.net

  8. DNSSEC ¡on ¡the ¡Cheap • DNSSEC ¡Signing ¡in ¡the ¡Cloud With ¡the ¡availability ¡of ¡not-­‑so-­‑expensive ¡cloud ¡ servers, ¡DNSSEC ¡signing ¡in ¡the ¡cloud ¡is ¡an ¡option • Example ¡setup – Example ¡domain ¡“secure.xt6.us” – DNS ¡Servers: ¡ns2.he.net, ¡ns3.he.net ¡(thanks ¡ @HurricaneElectric!) – Hidden ¡signer: ¡“stratus.labs.lacnic.net”, ¡a ¡virtual ¡ server ¡hosted ¡@Rackspace

  9. Final ¡Remarks • The ¡root ¡is ¡signed! ¡Make ¡good ¡use ¡of ¡it! – No ¡need ¡for ¡static, ¡out-­‑of-­‑band ¡trust ¡anchors – Making ¡the ¡DNS ¡more ¡secure ¡is ¡our ¡duty ¡as ¡ technical ¡community • Useful ¡signing ¡performance ¡is ¡possible ¡even ¡ with ¡commodity ¡hardware – Unless ¡your ¡zones ¡are ¡really ¡huge • NSEC ¡vs NSEC3 ¡in ¡the ¡reverse ¡space? ¡ – NSEC3 ¡doesn’t ¡seem ¡to ¡make ¡a ¡lot ¡of ¡sense ¡here

  10. THANK YOU!

Recommend

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
DNSSEC In the Reverse Tree An ARIN Prospective Mark Kosters, CTO ARIN Initiatve ARINs

DNSSEC In the Reverse Tree An ARIN Prospective Mark Kosters, CTO ARIN Initiatve ARINs

DNSSEC In the Reverse Tree An ARIN Prospective Mark Kosters, CTO ARIN Initiatve ARINs board asked ARIN Staff to implement DNSSEC Turned out to be easy Lots of prior work to learn from and emulate Followed their work plus

600 views • 10 slides
2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

720 views • 36 slides
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity of data

562 views • 39 slides
Services Sergio Rojas sergio@lacnic.net About LACNIC LACNIC, the Latin American and

Services Sergio Rojas sergio@lacnic.net About LACNIC LACNIC, the Latin American and

Membership and Registration Services Sergio Rojas sergio@lacnic.net About LACNIC LACNIC, the Latin American and Caribbean Internet Addresses Registry, is an international non- government organization established in Uruguay in 2002.

468 views • 17 slides
The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint

The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint

The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint work with Nicolas Broutin Universit e de Pierre et Marie Curie, Paris, France 24 June 2014 Motivation Introduction to the Brownian CRT Let T n

689 views • 50 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
LACNIC Network Security and Stability Ini7a7ves Carlos M.

LACNIC Network Security and Stability Ini7a7ves Carlos M.

LACNIC Network Security and Stability Ini7a7ves Carlos M. Mar7nez carlos @ lacnic.net @carlosm3011 LACNIC Internet Resources Management LACNICs main

283 views • 10 slides
LACNIC Report LACNIC We are still growing in number of resources being allocated

LACNIC Report LACNIC We are still growing in number of resources being allocated

LACNIC Report LACNIC We are still growing in number of resources being allocated Membership number, also growing. Reached 1000 members! Staff increasing every year (22 at the moment) Membership evolution Registration Services Data.

477 views • 16 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
LACNIC LACNIC Regional Registry at your services Regional Registry at your services

LACNIC LACNIC Regional Registry at your services Regional Registry at your services

LACNIC LACNIC Regional Registry at your services Regional Registry at your services Sergio Rojas. Sergio Rojas. sergio@lacnic.net sergio@lacnic.net How the Internet work? Is a network of connected devices The

617 views • 16 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
LACNIC Regional Registry at your services Sergio Rojas. sergio@lacnic.net How the Internet

LACNIC Regional Registry at your services Sergio Rojas. sergio@lacnic.net How the Internet

LACNIC Regional Registry at your services Sergio Rojas. sergio@lacnic.net How the Internet work? Is a network of connected devices The goal, move information from one point to another point 2 What is an IP address. ? They are the

306 views • 17 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates Internet Resources IP Addresses (v4 and V6) Autonomous Numbers Publishes Information Whois Resource Certification DNS 3 Reverse

482 views • 9 slides
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for http(s)

538 views • 25 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides

More recommend