Upload File

internet2 dnssec pilot

11
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Workshop Madison, Wisconsin, U.S.A., July 19 th 2006

Upload: macey-vaughan

Post on 31-Dec-2015

13 views

Category:

Documents


1 download

Report

DESCRIPTION

Internet2 DNSSEC Pilot. Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Workshop Madison, Wisconsin, U.S.A., July 19 th 2006. Description of the Pilot. Goal: Deploy DNSSEC and gain operational experience Participants sign at least one of their zones - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Internet2 DNSSEC Pilot

Internet2 DNSSEC Pilot

Shumon Huque

University of Pennsylvania

ESCC/Internet2 Joint Techs Workshop

Madison, Wisconsin, U.S.A., July 19th 2006

Page 2: Internet2 DNSSEC Pilot

2 Shumon Huque

Description of the Pilot

• Goal: Deploy DNSSEC and gain operational experience

• Participants sign at least one of their zones• Exchange keys (trust anchors) that will allow

them to mutually validate DNS data• Setup security-aware resolvers• configured with the trust anchors

Page 3: Internet2 DNSSEC Pilot

3 Shumon Huque

A little background ..

• Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs

• Mar ‘06: dnssec@internet2 mailing list• Apr ‘06: Internet2 Spring Member meeting• Advisory group formed and plans for a pilot project

formulated

• May ‘06: Pilot group began• Bi-weekly conference calls and progress reports

Page 4: Internet2 DNSSEC Pilot

4 Shumon Huque

Co-ordination

• Internet2 and Shinkuro

• Partner in DNSSEC Deployment Initiative• http://www.dnssec-deployment.org/

• Some funding from US government

Page 5: Internet2 DNSSEC Pilot

5 Shumon Huque

DNSSEC Deployment Efforts so far

• MAGPI GigaPoP• All zones: magpi.{net,org} & 15 reverse zones• https://rosetta.upenn.edu/magpi/dnssec.html

• MERIT• radb.net• nanog.org

• NYSERNet - test zone• nyserlab.org

Page 6: Internet2 DNSSEC Pilot

6 Shumon Huque

Deployments in the pipeline ..

• University of Pennsylvania

• University of California - Berkeley

• University of California - Los Angeles

• University of Massachusetts - Amherst

• Internet2

Page 7: Internet2 DNSSEC Pilot

7 Shumon Huque

Ongoing work & discussion

• To DLV or not? (and if so, which registry?)

• “DNSSEC Lookaside Validation”

• Deploy NSEC3 or not?

• Stub resolver security

• Key maintenance & rollover policies

• Secure delegations from parents• .edu, .net, .org, .in-addr.arpa

Page 8: Internet2 DNSSEC Pilot

8 Shumon Huque

More participants welcome!

• (participation not restricted to Internet2)

• Join mailing list

• Participate in con calls

• DNSSEC BoF @ lunchtime today

Page 9: Internet2 DNSSEC Pilot

9 Shumon Huque

References

• Internet2 DNSSEC Pilot• http://www.dnssec-deployment.org/internet2/• http://rosetta.upenn.edu/magpi/dnssec.html

• Mailing list: [email protected]• https://mail.internet2.edu/wws/info/dnssec

• Internet2 DNSSEC Workshop• http://events.internet2.edu/2006/jt-albuquerque/

sessionDetails.cfm?session=2491&event=243

Page 10: Internet2 DNSSEC Pilot

10 Shumon Huque

References (2)

• DNSSEC(bis) technical specs:• RFC 4033, 4034, 4035

• Related:• Threat analysis of the DNS: RFC 3833• Operational practices

• draft-ietf-dnsop-dnssec-operational-practices-08

• NSEC3: draft-ietf-dnsext-nsec3-05• DLV: draft-weiler-dnssec-dlv-01• ISC DLV registry:

• http://www.isc.org/index.pl?/ops/dlv/

Page 11: Internet2 DNSSEC Pilot

11 Shumon Huque

Questions?

• Shumon Huque• shuque -at- isc.upenn.edu


DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

Internet2 DNSSEC Pilot

DNSSEC FIRST

DNSSEC Exposed - Deploying DNSSEC in Real Life Presentation

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Internet2 Security Initiatives DICE Meeting Joe St Sauver, Ph.D. ([email protected] or [email protected]) Manager, Internet2 Security Programs Internet2

Deploying DNSSEC

Health Activities and Internet2 Mike McGill, Director, Internet2 Health Sciences, [email protected] Heather Boyles, Director, Internet2 International

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2 joe/dnssec-bof-fall-2008

Www.internet2.edu. Internet2 Internet2 y Ecuador Heather Boyles [email protected] Ana Preston apreston@internet2 ESPOL Guayaquil, Ecuador Marzo 26

2 February 2010 Eric Boyd, Internet2 Deputy CTO...2010/02/02  · • The Internet2 DNSSEC advisory group was formed in cooperaon with Shinkuro, focused on the R&E community. Group

Chris Heermann, Internet2 [email protected]

Schools and Internet2 - TERENA · Schools and Internet2 SchoolNet BoF TERENA conference Poznan, Poland Heather Boyles Schools and Internet2 …

EDU DNSSEC Testbed€¦ · EDU DNSSEC Testbed Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network Internet2 Joint Techs Conference Salt Lake City, Utah ... penn.edu

DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone

Lamb dnssec

DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

Internet2 - A survey of DNSSEC deployment in the …2012/07/16  · A survey of DNSSEC deployment in the U.S. R&E community Shumon Huque; University of Pennsylvania Bill Owens; NySERNET

Chris Heermann, Internet2 chris.heermann@internet2

Large Scale International IPv6 Pilot Network (6NET) - 6NET... · 2008-06-16 · Large Scale International IPv6 Pilot Network (6NET) Athanassios Liakopoulos ([email protected]) ... Internet2

DANE & Application Uses of DNSSEC - Internet2 · Verisign Public! DNSSEC at a glance! • Original DNS protocol wasn’t built with security in mind! • No way to verify the authenticity

Security Topics Update - internet2.edu · •Internet2/EDUCAUSE Security Task Force •Current Salsa activities •Working group updates •CSI2, DR, FWNA, DNSsec •REN-ISAC. Salsa

Tutorial Dnssec

DNSSEC Industry Survey Results - PCN, Inc.23.235.200.57/~pcninc5/wp-content/.../DNSSEC-Industry-Survey-Resu… · DNSSEC. DNS administrators can provide secure responses to DNSSEC-validating

E-Texts or Bust: Observations from the Internet2/EDUCAUSE E-Text Pilot (166234386)

Dominic Stahl Infoblox DNSSEC Solution - DENIC eG: Wir ... · Infoblox DNSSEC Solution simple, secure and reliable Infoblox DNSSEC Solution ... Infoblox DNSSEC Offering:

– 04/29/13, © 2012 Internet2 CommIT Pilot: Project Update CommIT Product Team September 18, 2014 Tim Cameron, Project Manager, Internet2

DNSSEC 101

Internet2. Internet2: Antecedentes y definiciones

 · 2008-06-25 · DNSSec Internet2 Pilot. 21 Cyberinfrastructure Architectures Cyberinfrastructure Architectures, Security and Advanced Applications - Joe St Sauver Algumas práticas

Internet2 R&D Update · • Moving towards roll-out of DCN pilot (focus on operations) by July, 2009 • Open Issues ... • SNMP on MAX, Internet2 Backbone (via perfSONAR of

Internet2 Technology Update Rick Summerhill Chief Technology Officer, Internet2 [email protected] Internet2 Fall Member Meeting 9 October 2007 San Diego,

MMOMENTUMOMENTUM - Louisiana State University · 2017-10-03 · • Expanding a Research Network. Internet2 Hopkins, Allie • Helping Secure the Internet with DNSSEC, EDUCAUSE Quarterly,