FOSE 2011: DNSSEC and the Government, Lessons Learned

At FOSE 2011, the panel discussion on the deployment of domain name system security extensions (DNSSEC) within government included Neustar VP and Senior Technologist, Rodney Joffe, who sat side-by-side with some of the industry’s best and discussed how federal IT managers can leverage private sector best practices to meet OMB and FISMA mandated DNSSEC requirements. Entitled “DNS-3: Private Sector Deployment in .com, .net, .org and Beyond,” the panel discussed lessons learned and how federal agencies that have yet to deploy DNSSEC can do so successfully. Visit http://www.ultradns.com for more information.

Transcript of FOSE 2011: DNSSEC and the Government, Lessons Learned

Page 1: FOSE 2011: DNSSEC and the Government, Lessons Learned

Lessons Learned

Rodney Joffe

SVP and Senior Technologist

07/20/2011

DNSSEC Deployment

Page 2

© Neustar Inc. / Proprietary and Confidential

Neustar DNSSEC: Three Key Areas of Experience

» 1) Signed TLD zones for registries we operate - .us, .biz, .co
» 2) Hosted (secondary) signed ccTLDs – .uk, .jp, .fi, .nu
» 3) Implemented a managed DNSSEC service using a code base entirely separate from BIND

Page 3

Neustar Experience: Signing TLD Zones

» Our three signed zones have 1-2 million names each
» We use NSEC negative answers and different DNSSEC key algorithms
» We used a fairly straightforward deployment plan which requires care but is not scary

Page 4

Neustar Experience: Hosting other signed TLDs

» We have seen the impact of transferring signed zones
» Different registries have used different approaches to DNSSEC, which has an impact on zone distribution
» Zones are larger
» Zones are changed more often
» Coordinating computing resources to handle the increased pressure of the updates was harder than anticipated

Page 5

Neustar Experience: Managed DNSSEC Implementation

» Neustar has nearly 10 years of experience in DNSSEC development and operations
  » US and BIZ registries are DNSSEC signed, 7 years after our first test beds
  » Participation in specification development
  » Active participation in global network operations fora
» Other credentials relating to DNS
  » Pioneered anycast techniques
  » DDoS mitigation work
  » Experience in secure distributed database operations and operating Managed DNS services
» Neustar’s fully managed DNS and DNSSEC solution provides:
  » Resiliency and reliability thanks to a multi-node footprint
  » Automated, customizable key management
  » Optional FIPS Level 3

Page 6

Lessons Learned from Neustar Registry Deployment

» Upfront effort to begin DNSSEC
  » Upgrade (renovate) DNS infrastructure to support DNSSEC
  » Institute key management functions; DNSSEC relies on solid key management
    » Generating a key poorly may allow someone to guess it
    » Allowing keys to be seen by operators puts the secret at risk
    » Choice of algorithms and key size
    » Timing of key operations: signature lifetime, key effectivity, and key supersession
» Ongoing effort to maintain DNSSEC
  » Keep data "fresh": DNSSEC data can go stale
  » Participation in more public meetings and mail lists
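The maintenance lesson on this slide (signatures have lifetimes, and DNSSEC data goes stale) can be turned into a routine check. The following Python is an added example, not Neustar's tooling or anything from the deck: it parses RRSIG records in zone-file presentation format and flags those that are expired, not yet valid, or inside a re-signing window that accounts for the record TTL. The sample records, the check time and the 7-day refresh margin are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# RRSIG inception/expiration in presentation format (RFC 4034): YYYYMMDDHHmmSS, UTC.
RRSIG_TIME_FORMAT = "%Y%m%d%H%M%S"


def parse_rrsig_time(text):
    """Turn an RRSIG timestamp field into an aware UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME_FORMAT).replace(tzinfo=timezone.utc)


def signature_status(inception, expiration, ttl, now, refresh=timedelta(days=7)):
    """Classify one signature's validity window relative to `now`.

    A resolver that fetches the RRset now may serve it from cache for up to
    `ttl` seconds, so the signature has to stay valid at least that long; the
    `refresh` margin (assumed value, 7 days) is the re-signing lead time the
    operator wants on top of that.
    """
    if now < inception:
        return "not-yet-valid"      # clock skew, or a signer with the wrong time
    if now >= expiration:
        return "expired"            # validating resolvers now fail the lookup
    if expiration - now < timedelta(seconds=ttl) + refresh:
        return "resign"             # still valid, but inside the refresh window
    return "ok"


def parse_rrsig_line(line):
    """Parse one RRSIG record in zone-file presentation format.

    Field order: owner ttl class RRSIG type-covered algorithm labels original-ttl
    expiration inception key-tag signer signature.
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "type": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def stale_signatures(lines, now):
    """Return (owner, type, status) for every RRSIG whose status is not 'ok'."""
    findings = []
    for line in lines:
        rr = parse_rrsig_line(line)
        status = signature_status(rr["inception"], rr["expiration"], rr["ttl"], now)
        if status != "ok":
            findings.append((rr["owner"], rr["type"], status))
    return findings


# Constructed sample RRSIGs: key tag 12345 and the "AAAA" signature are placeholders, not real data.
SAMPLE_RRSIGS = [
    "ultradns.biz. 3600 IN RRSIG A 8 2 3600 20110801000000 20110702000000 12345 ultradns.biz. AAAA",
    "www.ultradns.biz. 3600 IN RRSIG A 8 3 3600 20110722000000 20110702000000 12345 ultradns.biz. AAAA",
    "mail.ultradns.biz. 3600 IN RRSIG MX 8 3 3600 20110715000000 20110615000000 12345 ultradns.biz. AAAA",
    "new.ultradns.biz. 3600 IN RRSIG A 8 3 3600 20110820000000 20110721000000 12345 ultradns.biz. AAAA",
]

# Constructed check time: the date of this deck.
NOW = datetime(2011, 7, 20, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for owner, rtype, status in stale_signatures(SAMPLE_RRSIGS, NOW):
        print("%-22s %-4s %s" % (owner, rtype, status))
```

Run as a cron job against the signed zone's RRSIG set, anything reported as "resign" is the operator's cue to re-run signing before resolvers start seeing expired data; "not-yet-valid" is worth alerting on separately, since it usually means the signer's clock is wrong rather than that the zone is old.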

Page 7

Thank You!

Page 8

DNSSEC Chain of Trust

[Diagram: the DNSSEC chain of trust. A client / stub resolver queries a recursive DNS server, which validates from the Root DNS through the authoritative TLD servers (.com., .biz., .gov.) down to the authoritative second-level domain (SLD) servers; example names shown are domain.biz, site.biz. and ultradns.biz.]
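The chain-of-trust figure shows how a validating recursive resolver links the root, the TLD (.biz) and the second-level zone (ultradns.biz): each parent publishes a DS record that commits to the child's key-signing key. As an added example, not code from the deck or from Neustar, the following Python computes DNSKEY key tags (RFC 4034 Appendix B) and SHA-256 DS records, then walks a constructed .biz → ultradns.biz chain to check that every zone's KSK is the one its parent's DS commits to. The key bytes are placeholders, not real keys, and RRSIG verification over the DNSKEY and DS RRsets (which a real validator also does) is left out.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK/SEP, 256 = ZSK), protocol 3, algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata):
    """DS with digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_matches(ds, owner, rdata):
    """Does this DS (published by the parent) commit to this DNSKEY (served by the child)?"""
    return ds == ds_record(owner, rdata)


def validate_chain(zones):
    """Walk the chain top-down: each zone's KSK must match a DS published by its parent.

    zones: list of (zone_name, ksk_rdata, ds_set_from_parent). The top entry's DS set
    is the one the root zone publishes, which a validator trusts via its root key.
    Returns the first zone whose link is broken, or None if every link holds.
    """
    for name, ksk, ds_set in zones:
        if not any(ds_matches(ds, name, ksk) for ds in ds_set):
            return name
    return None


def build_example():
    """Constructed chain .biz -> ultradns.biz with placeholder key bytes (not real keys)."""
    biz_ksk = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
    ultradns_ksk = dnskey_rdata(257, 8, b"\x0a\x0b\x0c\x0d")
    rogue_ksk = dnskey_rdata(257, 8, b"\xff\xfe\xfd\xfc")   # a key the parent never vouched for

    root_ds_for_biz = [ds_record("biz.", biz_ksk)]                   # as published in the root zone
    biz_ds_for_ultradns = [ds_record("ultradns.biz.", ultradns_ksk)]  # as published in .biz

    intact = [("biz.", biz_ksk, root_ds_for_biz),
              ("ultradns.biz.", ultradns_ksk, biz_ds_for_ultradns)]
    # Same DS records, but the child now serves a different KSK: the chain breaks at the leaf,
    # which is exactly what happens after a key rollover whose DS update never reached the parent.
    tampered = [("biz.", biz_ksk, root_ds_for_biz),
                ("ultradns.biz.", rogue_ksk, biz_ds_for_ultradns)]
    return validate_chain(intact), validate_chain(tampered)


if __name__ == "__main__":
    print("key tag of constructed .biz KSK:", key_tag(dnskey_rdata(257, 8, b"\x01\x02\x03\x04")))
    intact_result, tampered_result = build_example()
    print("intact chain broken at:", intact_result)
    print("tampered chain broken at:", tampered_result)
```

The same digest check is the one to run after any KSK supersession: compute the DS from the new DNSKEY as served by the child and confirm it is what the parent is publishing, because a mismatch at that link makes every name below it fail validation.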