FOSE 2011: DNSSEC and the Government, Lessons Learned
8
Lessons Learned Rodney Joffe SVP and Senior Technologist 07/20/2011 DNSSEC Deployment
-
Upload
neustar-inc -
Category
Technology
-
view
913 -
download
1
description
At FOSE 2011, the panel discussion on the deployment of domain name system security extensions (DNSSEC) within government included Neustar VP and Senior Technologist, Rodney Joffe, who sat side-by-side with some of the industry’s best and discussed how federal IT managers can leverage private sector best practices to meet OMB and FISMA mandated DNSSEC requirements. Entitled “DNS-3: Private Sector Deployment in .com, .net, .org and Beyond,” the panel discussed lessons learned and how federal agencies that have yet to deploy DNSSEC can do so successfully. Visit http://www.ultradns.com for more information.
Transcript of FOSE 2011: DNSSEC and the Government, Lessons Learned
Lessons Learned
Rodney Joffe
SVP and Senior Technologist
07/20/2011
DNSSEC Deployment
© Neustar Inc. / Proprietary and Confidential
Neustar DNSSEC: Three Key Areas of Experience
» 1) Signed TLD zones for registries we operate - .us, .biz,
.co
» 2) Hosted (secondary) signed ccTLDs – .uk, .jp, .fi, .nu
» 3) Implemented a managed DNSSEC service using a code
base entirely separate from BIND
2
© Neustar Inc. / Proprietary and Confidential
Neustar ExperienceSigning TLD Zones
3
» Our three signed zones have 1-2 million names each
» We use NSEC negative answers and different DNSSEC
key algorithms
» We used a fairly straightforward deployment plan which
requires care but is not scary
© Neustar Inc. / Proprietary and Confidential
Neustar Experience: Hosting other signed TLDs
4
» We have seen the impact of transferring signed zones
» Different registries have used different approaches to DNSSEC
which has an impact on zone distribution
» Zones are larger
» Zones are changed more often
» Coordinating computing resources to handle the increased
pressure of the updates was harder than anticipated
© Neustar Inc. / Proprietary and Confidential
Neustar Experience: Managed DNSSEC Implementation
5
» Neustar has nearly 10 years of experience in DNSSEC development and operations» US and BIZ registries are DNSSEC signed, 7 years after our first test beds
» Participation in specification development
» Active participation in global network operations fora
» Other credentials relating to DNS» Pioneered anycast techniques
» DDoS mitigation work
» Experience in secure distributed database operations and operating Managed DNS services
» Neustar’s fully managed DNS and DNSSEC solution provides:» Resiliency and reliability thanks to a multi node footprint
» Automated, customizable key management
» Optional FIPS Level 3
© Neustar Inc. / Proprietary and Confidential
Lessons Learned from Neustar Registry Deployment
6
» Upfront effort to begin DNSSEC
» Upgrade (renovate) DNS infrastructure to support DNSSEC
» Institute key management functions. DNSSEC relies on solid key management
» Creating a key poorly may lead to someone guessing it
» Allowing keys to be seen by operators risks the secret
» Choice of algorithms and key size
» Timing of key operations, Signature lifetime, Key effectivity, and Key
supersession
» Ongoing effort to maintain DNSSEC
» Keep data "fresh", DNSSEC data can go stale
» Participation in more public meetings and mail lists
© Neustar Inc. / Proprietary and Confidential
Thank You!
7
DNSSEC Chain of Trust
Recursive
DNS
Root DNS
Authoritative DNS
(SLD)
Client / stub resolver
Authoritative DNS
(TLD)
.com.
domain.biz site.biz. ultradns.biz
.biz..gov.
