Transcript of Internet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
Shumon Huque
University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop
Minneapolis, Minnesota, U.S.A., Feb 14th 2007
2 Shumon Huque
Description of the Pilot
• http://www.dnssec-deployment.org/internet2/
• Deploy DNSSEC
• Gain operational experience
• Does it work (does it catch anything?)
• Test DNSSEC-aware applications
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
What is DNSSEC?
• A system to verify the authenticity of DNS “data”
  • RFC 4033, 4034, 4035
• Helps detect: spoofing, misdirection, cache poisoning
• Some secondary benefits appear:
  • You could store keying material in DNS
  • DKIM, SSHFP, IPSECKEY, etc.
A little background ..
• Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs
• Mar ‘06: dnssec@internet2 mailing list
• Apr ‘06: Internet2 Spring Member meeting
  • Advisory group formed and plans for a pilot project formulated
• May ‘06: Pilot group began
  • Bi-weekly conference calls and progress reports
Co-ordination
• Internet2
• Shinkuro シンクロ
  • Partner in DNSSEC Deployment Initiative
  • http://www.dnssec-deployment.org/
• Some funding from US government
DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
  • All zones: magpi.{net,org} & 15 reverse zones
  • https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
  • radb.net
  • nanog.org
  • http://www.merit.edu/networkresearch/dnssec.html
• NYSERNet - test zone
  • nyserlab.org
Others considering or planning deployment
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• University of Massachusetts - Amherst
• Internet2
DLV (DNSSEC Lookaside Validation)
• A mechanism to securely locate DNSSEC trust anchors “off-path”
• An early deployment aid until top-down deployment of DNSSEC happens
• Pilot group is in talks to make use of ISC’s DLV registry
  • http://www.isc.org/index.pl?/ops/dlv/
  • More on this at a later date ..
More participants welcome!
• (participation not restricted to Internet2)
• Join mailing list
• Participate in conference calls
Thoughts on deployment obstacles (1)
• A chicken & egg problem
  • Marginal benefits, until much more deployment
  • Why should I go first?
• We had (have?) the same problem with other technologies (IPv6 etc)
• Some folks will need to take the lead, if there is hope for wider adoption
• Good way to find out how well it works
Thoughts on deployment obstacles (2)
• Operational stability
  • More complicated software infrastructure
  • New processes for:
    • Zone changes
    • Secure delegations
    • Security (protection of crypto keys)
    • Key rollover and maintenance
• Integration w/ existing DNS management software
• What is the experience of the pilot?
Thoughts on deployment obstacles (3)
• Additional system requirements
  • Authoritative servers: memory
  • Resolvers: memory & CPU
• Memory use can be calculated
  • Probably not a big issue (unless you’re .COM!)
• CPU
  • Not too much of an issue today (dearth of signed data that needs validation)
  • Caveat: some potential DoS attacks could hit CPU
Thoughts on deployment obstacles (4)
• Key distribution in islands of trust
• Why is there no top-down deployment?
• Work on signing root and (many) TLDs and in-addr.arpa is in progress
  • .SE, RIPE reverse done
  • .EDU work in motion
• Interim mechanisms like DLV exist
• Manual key exchange (unscalable)
Thoughts on deployment obstacles (5)
• Stub resolver security (e2e security)
• An area of neglect in my opinion
• Push DNSSEC validation to endstations?
• Secure path from stub resolver to recursive resolver
  • Possibilities: SIG(0), TSIG, IPSEC
Thoughts on deployment obstacles (6)
• Application layer feedback
• Coming gradually
  • DNSSEC-aware resolution APIs and applications enhanced to use them
  • DNSSEC-aware applications
  • See http://www.dnssec-tools.org/
• Note: some folks think it might be nice to protect DNSSEC oblivious applications silently as an interim step
Thoughts on deployment obstacles (7)
• Zone enumeration threat
• See NSEC3 record (spec almost done)
  • draft-ietf-dnsext-nsec3-09.txt
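As an added illustration of why NSEC3 closes the zone enumeration gap (this is example code written for this page, not from the slides or the pilot's tooling), the hashed-owner-name scheme from RFC 5155, the published form of the NSEC3 draft cited above: owner names are salted, iterated SHA-1 hashes encoded in base32hex, so a nonexistence proof covers a hash interval instead of naming the real neighbours. The zone names below are constructed; the salt and iteration count match the RFC's appendix example, and the chain is assumed to hold at least two names.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648 section 7), as used by NSEC3 owner names.
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name, salt_hex="", iterations=0):
    """Hashed owner name: SHA-1 over (name || salt), re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 160 bits is a whole number of 40-bit base32 groups, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX).lower()


def covering_interval(chain, name, salt_hex="", iterations=0):
    """Find the NSEC3 record (owner, next) whose hash interval covers `name`.

    `chain` holds the hashed owner names of a zone (assumed: at least two).
    A returned pair proves the name does not exist; None means the hash equals
    an existing owner, i.e. the name is present.  Only hashes are compared, so
    the proof reveals no plaintext names from the zone.
    """
    h = nsec3_hash(name, salt_hex, iterations)
    ordered = sorted(chain)
    for owner, nxt in zip(ordered, ordered[1:] + ordered[:1]):
        if h == owner:
            return None
        wraps = nxt < owner  # the last record points back to the first
        if (owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return (owner, nxt)
    return None


if __name__ == "__main__":
    # Constructed zone; salt and iterations from RFC 5155 Appendix A.
    zone = ["example.", "a.example.", "ns1.example."]
    chain = [nsec3_hash(n, "aabbccdd", 12) for n in zone]
    print(nsec3_hash("example.", "aabbccdd", 12))
    print(covering_interval(chain, "nonexistent.example.", "aabbccdd", 12))
```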
References
• Internet2 DNSSEC Pilot
  • http://www.dnssec-deployment.org/internet2/
  • http://rosetta.upenn.edu/magpi/dnssec.html
• Mailing list: [email protected]
  • https://mail.internet2.edu/wws/info/dnssec
• Internet2 DNSSEC Workshop
  • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243
References (2)
• DNSSEC(bis) technical specs:
  • RFC 4033, 4034, 4035
• Related:
  • DNSSEC HOWTO: http://www.nlnetlabs.nl/dnssec_howto/
  • Threat analysis of the DNS: RFC 3833
  • Operational practices: RFC 4641
  • NSEC3: draft-ietf-dnsext-nsec3-09
  • DLV: draft-weiler-dnssec-dlv-01
  • draft-hubert-dns-anti-spoofing-00
Questions?
• Shumon Huque
  • shuque -at- isc.upenn.edu