have a strategy in place for unexpected dnssec events wes
play

Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker - PowerPoint PPT Presentation

Feb 07, 2023 •162 likes •356 views

Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker <wes.hardaker@parsons.com> Overview Your Operational Panic Binder DNS Failure Strategies DNSSEC Failure Strategies Documenting Lessons Learned Your

  1. Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker <wes.hardaker@parsons.com>

  2. Overview ● Your Operational Panic Binder ● DNS Failure Strategies ● DNSSEC Failure Strategies ● Documenting Lessons Learned

  3. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything

  4. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything ● Bad operators...

  5. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything ● Bad operators – Panic Panic

  6. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything ● Bad operators – Panic Panic (created by LOVETEESMUGS on Zazzle)

  7. Your Operational DNS Panic Binder ● What goes in it? ● What problems can you foresee? ● What problems have you had?

  8. Your Operational DNS Panic Binder ● Problems with your servers – One goes down – One is out of sync ● Problems with your network – A critical link goes down – A routing problem ● Problems with your parents – Out of sync data ● Problems with your children – They're under a DDOS attack

  9. Your Operational DNS Panic Binder ● An example page: A slave server is out of sync 1) SSH to slave.myzone.com using 192.0.2.5 2) Run “rndc reload” as root 3) dig @localhost myzone.com SOA 4) Does it match the master? If yes, stop 5) Run “service restart named” 6) Dig @localhost myzone.com SOA 7) Does it match the master? If yes, stop 8) SSH to master.myzone.com using 192.0.2.1 9) Run “service restart named” 10) ...

  10. Your Panic Binder With DNSSEC ● You should have a Panic Binder! – If you do, does it contain potential DNSSEC problems? ● What does DNSSEC add to your binder? – A number of new things – Probably less than your binder already contains – Increases time-related problems – Increases the need for contact information ● To Parents ● To Children – Do you have canned responses for support staff?

  11. DNSSEC Binder Materials ● DNSSEC Signature Expiration – How can you resign? fast? – How can you push out updates? fast? – Same as needing to update an A record fast – How long until all the caches are flushed? ● How long are the TTLs? ● Are you testing for this failure?

  12. DNSSEC Binder Materials ● Missing DS record – How to create a DS record – How to publish it to your parent com ● Website? ● Admin request? DS ● Submit via a DS key or a DNSKEY – How to get it from your client ● Are you testing for this? example.com – Would you know if there is a problem?

  13. DNSSEC Binder Materials ● DNSSEC Key Compromise – How do you generate new keys? – How do you put them in place? – How do you resign using the new ones? – How do you inform your parent of the new DS? ● Do you have contact info? – How long will it take to propagate, given TTLs? – Is anyone using your key as a trust anchor? ● How do you update their notion of your key? – Similar to a fast NS record change! ● Are you testing for mistake key changes?

  14. DNSSEC Binder Materials ● Algorithm Issues – Unknown Algorithm with an important validator ● Explain they need to upgrade? ● Publish an additional DS record? – Algorithm Broken ● What if ECDSA is broken?

  15. DNSSEC/DANE Binder Materials (Top 10 DANE/SMTP issues seen) 1) DANE and DNSSEC as a fashion statement 2) Failure to automate signing 3) Failure to update TLSA RRs before updating cert 4) Using DANE-TA(2) but not sending the CA in inside TLS 5) Unsupported certificate asage (using PKIX-TA or PKIX-EE) 6) Incorrect TLSA selector https://dane.sys4.de/ 7) Incorrect TLSA digest 8) Selective availability of STARTTLS 9) Firewalls that filter out TLSA queries 10) Broken nameservers 11)Partial Implementation

  16. DNSSEC Binder Materials ● Contact Information – Parent or parent registar's contact information ● Website ● Phone number ● Support email – Client information ● Client DNS administrator information ● Client Nameservers

  17. DNSSEC Binder Materials Discussion! What else?? (created by LOVETEESMUGS on Zazzle)

  18. Questions? Wes Hardaker <wes.hardaker@parsons.com> ICANN 52 ICANN 52 Los Angeles Los Angeles

Recommend

Exceptions and Interrupts Unexpected events that change the control flow Exceptions: events

Exceptions and Interrupts Unexpected events that change the control flow Exceptions: events

Exceptions and Interrupts Unexpected events that change the control flow Exceptions: events that occur within the CPU Arithmetic overflow Invalid instruction Interrupts: events caused by external sources I/O device

177 views • 7 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / OpenNetLabs Place of OpenDNSSEC

Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / OpenNetLabs Place of OpenDNSSEC

Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / OpenNetLabs Place of OpenDNSSEC DNSSEC adds a new dimension to DNS; Zone files do no longer sit statically in your nameserver; DNSSEC requires constant resigning, key management

361 views • 8 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
February 2019 Prosperously navigating unexpected events with great skill and agility 2 WHO WE

February 2019 Prosperously navigating unexpected events with great skill and agility 2 WHO WE

February 2019 Prosperously navigating unexpected events with great skill and agility 2 WHO WE ARE PORTFOLIO MANAGEMENT EXPERIENCE TECHNOLOGY EXPERTISE Unique insight Portfolio Manager with 30 years of from entrepreneurs leading

270 views • 24 slides
2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

720 views • 36 slides
M arch 31, 2020 Prosperously navigating unexpected events with great skill and agility 2

M arch 31, 2020 Prosperously navigating unexpected events with great skill and agility 2

M arch 31, 2020 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance by sectors Risk Management Current Opportunity and Investment pipeline Performance Summary

592 views • 20 slides
September 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

September 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

September 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance Current Opportunity and Investment pipeline GAMING &amp; ESPORTS Summary 3 WHO WE ARE

496 views • 27 slides
May 18, 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

May 18, 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

May 18, 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance by sectors Risk Management Current Opportunity and Investment pipeline Performance Summary 3 WHO

392 views • 27 slides
So you want to do DNSSEC... v 2.01 Dr Eberhard W Lisse Namibian Network Information Centre (cc)

So you want to do DNSSEC... v 2.01 Dr Eberhard W Lisse Namibian Network Information Centre (cc)

So you want to do DNSSEC... v 2.01 Dr Eberhard W Lisse Namibian Network Information Centre (cc) ICANN 55, Marrakesh Dr EW Lisse (NA-NiC) So you want to do DNSSEC... ICANN 55, Marrakesh 1 / 8 ICANN Africa Strategy Version 2.0 DNSSEC R

105 views • 8 slides
June 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who

June 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who

June 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance Top 10 Strategic Tech Trends for 2018-2020 Current Opportunity and Investment pipeline - GAMING

469 views • 31 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
2020 LFN Event Strategy: Technical Events Support and execute 4 LFN technical events 2,

2020 LFN Event Strategy: Technical Events Support and execute 4 LFN technical events 2,

2020 LFN Event Strategy: Technical Events Support and execute 4 LFN technical events 2, 4-day LFN Developer &amp; Testing Forum events (DDF/Plugfest/CNTT) 2, 2-day LFN Technical Meetings co-located with ONES (DDFs, Hackfests, other

152 views • 4 slides
Emergency Stress: Improving Pilot performance during unexpected critical events Wayne Martin

Emergency Stress: Improving Pilot performance during unexpected critical events Wayne Martin

Emergency Stress: Improving Pilot performance during unexpected critical events Wayne Martin Griffith University Aerospace Safety Centre, Brisbane, Australia Griffith Aviation Safety Through Education and Research Griffith Aerospace

590 views • 22 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides

More recommend