FOSE 2011: DNSSEC and the Government, Lessons Learned
Transcript of FOSE 2011: DNSSEC and the Government, Lessons Learned
DNSSEC Deployment: Lessons Learned
Rodney Joffe, SVP and Senior Technologist
07/20/2011
© Neustar Inc. / Proprietary and Confidential
Neustar DNSSEC: Three Key Areas of Experience
» 1) Signed TLD zones for registries we operate: .us, .biz, .co
» 2) Hosted (secondary) signed ccTLDs: .uk, .jp, .fi, .nu
» 3) Implemented a managed DNSSEC service using a code base entirely separate from BIND
Neustar Experience: Signing TLD Zones
» Our three signed zones have 1-2 million names each
» We use NSEC negative answers and different DNSSEC key algorithms
» We used a fairly straightforward deployment plan which requires care but is not scary
Neustar Experience: Hosting other signed TLDs
» We have seen the impact of transferring signed zones
» Different registries have used different approaches to DNSSEC, which has an impact on zone distribution
  » Zones are larger
  » Zones are changed more often
» Coordinating computing resources to handle the increased pressure of the updates was harder than anticipated
Neustar Experience: Managed DNSSEC Implementation
» Neustar has nearly 10 years of experience in DNSSEC development and operations
  » US and BIZ registries are DNSSEC signed, 7 years after our first test beds
  » Participation in specification development
  » Active participation in global network operations fora
» Other credentials relating to DNS
  » Pioneered anycast techniques
  » DDoS mitigation work
  » Experience in secure distributed database operations and operating Managed DNS services
» Neustar's fully managed DNS and DNSSEC solution provides:
  » Resiliency and reliability thanks to a multi-node footprint
  » Automated, customizable key management
  » Optional FIPS Level 3
Lessons Learned from Neustar Registry Deployment
» Upfront effort to begin DNSSEC
  » Upgrade (renovate) DNS infrastructure to support DNSSEC
  » Institute key management functions. DNSSEC relies on solid key management
    » Creating a key poorly may lead to someone guessing it
    » Allowing keys to be seen by operators risks the secret
    » Choice of algorithms and key size
    » Timing of key operations: signature lifetime, key effectivity, and key supersession
» Ongoing effort to maintain DNSSEC
  » Keep data "fresh"; DNSSEC data can go stale
  » Participation in more public meetings and mail lists
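The "keep data fresh" lesson is concrete: every RRSIG carries an inception and an expiration time, and a resolver rejects the data outside that window, so a zone that is not re-signed on schedule simply stops validating. The following audit script is an added example, not part of the deck or of Neustar's tooling. It assumes RRSIGs in standard presentation format (RFC 4034 section 3.2) and a re-sign margin chosen by the operator; the sample records are constructed. It also handles the edge case the RFC requires: the 32-bit timestamps are compared with serial number arithmetic (RFC 1982), not as plain integers.

```python
"""Added example (not from the slides): auditing RRSIG validity windows so
signed data does not go stale. Assumptions: RRSIGs are given in presentation
format (RFC 4034 section 3.2); a re-sign margin says how long before
expiration the zone should be re-signed. Sample records are constructed."""
from datetime import datetime, timezone

# RFC 4034 section 3.1.5: Inception and Expiration are 32-bit unsigned
# seconds since the epoch, compared with serial number arithmetic
# (RFC 1982), so a validator keeps working across the 2106 wrap.
MOD = 1 << 32
HALF = 1 << 31


def parse_rrsig_time(text: str) -> int:
    """YYYYMMDDHHmmSS in UTC -> 32-bit serial timestamp."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: a < b in 32-bit serial number space."""
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def serial_sub(a: int, b: int) -> int:
    """Signed distance a - b in serial space."""
    d = (a - b) % MOD
    return d - MOD if d >= HALF else d


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG RR in presentation format.

    Fields: owner TTL class RRSIG type-covered algorithm labels original-TTL
            expiration inception key-tag signer signature
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "covered": f[4],
        "algorithm": int(f[5]),
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def check_rrsig(sig: dict, now: int, resign_margin: int) -> str:
    """Classify a signature relative to 'now' (a serial timestamp).

    RFC 4035 section 5.3.1: valid iff inception <= now <= expiration.
    """
    if serial_lt(now, sig["inception"]):
        return "not-yet-valid"
    if serial_lt(sig["expiration"], now):
        return "expired"
    if serial_sub(sig["expiration"], now) < resign_margin:
        return "resign-due"
    return "ok"


def audit(lines: list, now: int, resign_margin: int) -> list:
    """Return (owner, covered, status) for every RRSIG that is not 'ok'."""
    findings = []
    for line in lines:
        sig = parse_rrsig(line)
        status = check_rrsig(sig, now, resign_margin)
        if status != "ok":
            findings.append((sig["owner"], sig["covered"], status))
    return findings


# Constructed sample zone data: 14-day signature windows, dummy signature text.
SAMPLE_RRSIGS = [
    "site.biz. 3600 IN RRSIG A 8 2 3600 20110801000000 20110718000000 12345 biz. AAAA",
    "site.biz. 3600 IN RRSIG NS 8 2 3600 20110725000000 20110711000000 12345 biz. AAAA",
    "biz. 86400 IN RRSIG DNSKEY 8 1 86400 20110715000000 20110701000000 54321 biz. AAAA",
    "biz. 86400 IN RRSIG SOA 8 1 86400 20110901000000 20110818000000 54321 biz. AAAA",
]

if __name__ == "__main__":
    # 2011-07-20 12:00:00 UTC, the day this deck was presented.
    now = parse_rrsig_time("20110720120000")
    for finding in audit(SAMPLE_RRSIGS, now, resign_margin=7 * 86400):
        print(finding)
```

Run against the constructed records with a 7-day margin, the script reports the NS signature as due for re-signing, the DNSKEY signature as already expired and the SOA signature as not yet valid; the A record signature is fine. Feeding a zone's actual RRSIGs through the same check is a simple monitor for the staleness problem the slide warns about.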
Thank You!
DNSSEC Chain of Trust (diagram; only the labels survive): Client / stub resolver -> Recursive DNS -> Root DNS -> Authoritative DNS (TLD: .com., .biz., .gov.) -> Authoritative DNS (SLD: domain.biz, site.biz., ultradns.biz)
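Each arrow in that diagram from a parent zone to its child is carried by a DS record: the parent publishes a hash of the child's key-signing DNSKEY, and a validator accepts the child's keys only if one of them hashes to a DS the parent signed. The script below is an added example, not code from the deck or from Neustar; it assumes the DNSKEY layout of RFC 4034 section 2, the key tag of RFC 4034 Appendix B and the SHA-256 DS digest of RFC 4509, and all key bytes are constructed dummies. It also ties back to the "key supersession" lesson: the broken sample chain is what a validator sees when the child rolls its key but the parent's DS is not updated.

```python
"""Added example (not from the slides): how the DS record a parent publishes
binds to a DNSKEY in the child zone, the link the chain-of-trust diagram draws
between root, TLD and SLD. Assumptions: DNSKEY RDATA per RFC 4034 section 2,
key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5.1.4 using
SHA-256 (digest type 2, RFC 4509). All key bytes are constructed dummy data."""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminating root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS RDATA the parent would publish: (key tag, algorithm, digest type, digest hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """Does this parent-side DS authenticate this child-side DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return hmac.compare_digest(expected, digest)


def walk_chain(links: list) -> list:
    """Follow DS -> DNSKEY links downward, e.g. root -> biz -> site.biz.

    links: [(child zone, DS set published in the parent, child DNSKEY RDATAs), ...]
    Returns the zones whose key set was linked to its parent; stops at the first
    break. Simplification: a real validator also checks the RRSIG over every DS
    and DNSKEY RRset, starting from the configured root trust anchor.
    """
    validated = []
    for zone, ds_set, child_keys in links:
        if not any(ds_matches_dnskey(ds, zone, k) for ds in ds_set for k in child_keys):
            break
        validated.append(zone)
    return validated


# Constructed sample keys: dummy bytes standing in for RSA public keys.
BIZ_KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
SITE_KSK_OLD = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32, 64)))
SITE_KSK_NEW = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(64, 96)))


def sample_chain() -> list:
    """Root publishes a DS for biz; biz publishes a DS for site.biz."""
    return [
        ("biz", [make_ds("biz", BIZ_KSK)], [BIZ_KSK]),
        ("site.biz", [make_ds("site.biz", SITE_KSK_OLD)], [SITE_KSK_OLD]),
    ]


def sample_broken_chain() -> list:
    """Key supersession gone wrong: site.biz rolled its KSK, but the DS in biz
    still names the old key, so site.biz no longer validates."""
    return [
        ("biz", [make_ds("biz", BIZ_KSK)], [BIZ_KSK]),
        ("site.biz", [make_ds("site.biz", SITE_KSK_OLD)], [SITE_KSK_NEW]),
    ]


if __name__ == "__main__":
    print("validated:", walk_chain(sample_chain()))
    print("validated:", walk_chain(sample_broken_chain()))
```

The intact chain validates both biz and site.biz; the broken one stops after biz. In operation, the safe sequence for a KSK roll is to publish the new DNSKEY, have the parent add a DS for it, and only then retire the old key, so that at every moment at least one DS in the parent matches a key in the child.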