org dnssec testbed deployment

.ORG DNSSEC Testbed Deployment
Edmon Chung, Creative Director, Afilias, edmon@afilias.info
Perth, AU, 2 March, 2006



Page 1: .ORG DNSSEC Testbed Deployment

Edmon Chung

Creative Director

Afilias

edmon@afilias.info

Perth, AU

2 March, 2006

Page 2: Overview

.ORG Testbed Implementation

Perception Problems

Risk vs. Return

What next?

Page 3: .ORG Testbed Logistics and Topology

Launched on 31 October, 2005

DNSSEC-aware name servers

EPP 1.0 front end servers feed zone data to the name servers

Page 4: EPP Front End

Only .ORG accredited registrars allowed access to the EPP servers

Want to keep out the cruft

Use same creds as .ORG OT&E servers

New registrars added when added to OT&E

Dedicated testbed servers: runs on epp1.dnssec-testbed.pir.org and epp2.dnssec-testbed.pir.org

Separate from .ORG Production servers!

Page 5: DNS Back End

Running on dedicated BIND servers at the moment

Will cut over to UltraDNS in 2006

Isolated DNS systems

Query using dig <somename>.org @<server>

Where <server> is: ns1.dnssec-testbed.pir.org or ns2.dnssec-testbed.pir.org

Started with “empty” zone
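The slide above tells registrars to query the testbed name servers directly with dig. The following is an added example (not part of the original deck, and not PIR or Afilias tooling) that parses dig's text output and reports what the answer says about DNSSEC: whether the query carried the EDNS DO bit, whether RRSIG records came back, and whether the AD flag is set. The sample responses are constructed for illustration, not captured from the testbed. When you query an authoritative server such as ns1.dnssec-testbed.pir.org directly, "signed" is the expected result (RRSIGs present, no AD flag), because only a validating resolver sets AD.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not a real capture from the .ORG testbed): the answer to
#   dig +dnssec example.org @ns1.dnssec-testbed.pir.org
# from a signed zone. The signature is truncated and made up.
SIGNED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.org.    3600 IN A     192.0.2.10
example.org.    3600 IN RRSIG A 5 2 3600 20060401000000 20060302000000 1291 org. QUJDREVGR0g=
"""

# Constructed: DO bit set, but the zone is unsigned, so no RRSIG comes back.
UNSIGNED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
unsigned.org.   3600 IN A     192.0.2.20
"""

# Constructed: the operator forgot +dnssec, so the server was never asked for signatures.
NO_DO_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
example.org.    3600 IN A     192.0.2.10
"""


@dataclass
class DigResponse:
    status: str
    header_flags: set
    edns_flags: set
    records: list = field(default_factory=list)  # (owner, ttl, class, type, rdata)


def parse_dig(text):
    """Pull status, header flags, EDNS flags and resource records out of dig output."""
    status, header_flags, edns_flags, records = "UNKNOWN", set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r";; ->>HEADER<<- .*status: (\w+)", line)
        if m:
            status = m.group(1)
            continue
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            header_flags = set(m.group(1).split())
            continue
        m = re.match(r"; EDNS: version: \d+, flags:\s*([^;]*);", line)
        if m:
            edns_flags = set(m.group(1).split())
            continue
        if line.startswith(";"):
            continue  # other comment and section-marker lines
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            owner, ttl, rrclass, rrtype, rdata = parts
            records.append((owner, int(ttl), rrclass, rrtype, rdata))
    return DigResponse(status, header_flags, edns_flags, records)


def classify(resp):
    """Summarise what the response says about DNSSEC for the queried name."""
    if resp.status != "NOERROR":
        return "error:" + resp.status
    if "ad" in resp.header_flags:
        return "validated"       # a validating resolver checked the chain of trust
    if any(r[3] == "RRSIG" for r in resp.records):
        return "signed"          # signatures present; what an authoritative server returns
    if "do" not in resp.edns_flags:
        return "do-bit-not-set"  # the query never asked for DNSSEC data; retry with +dnssec
    return "unsigned"            # DO set, answer returned, but no signatures at all


if __name__ == "__main__":
    for label, text in [("signed", SIGNED_RESPONSE), ("unsigned", UNSIGNED_RESPONSE),
                        ("no DO bit", NO_DO_RESPONSE)]:
        print(f"{label}: {classify(parse_dig(text))}")
```

Feed the function real output by piping dig into it; the "do-bit-not-set" branch is there because a missing +dnssec is the most common reason a signed testbed name looks unsigned.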

Page 6: Registrar Toolkit

Experimental toolkit (not for prime time)

Don’t use it for .ORG production

Availability: PIR website

SourceForge

EPP Transactions based on the -03 Hollenbeck draft

Page 7: Policy Decisions

Running according to -bis specifications

Looking to showcase some pitfalls

May code NSEC3 in 2006 to run parallel

Same for key roll-over drafts, as they are fleshed out

Roll-over

Already rolled in November (did anyone notice?)

Will do an unannounced ZSK and KSK “compromise scenario” in 2006

Will publish a key roll-over schedule as well
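The unannounced roll-over and the KSK "compromise scenario" above both come down to one check: after a KSK changes, the DS record the parent (.ORG) holds must still match a DNSKEY the child publishes, otherwise validating resolvers treat the zone as bogus. The following is an added example, not code from the deck, PIR or Afilias, that implements the key-tag computation (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) and uses them to report DS records left dangling by a roll-over. The DNSKEY material is a constructed two-byte placeholder, not a real public key, and the owner names are assumed for illustration.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse a DNSKEY RR in presentation form: owner ttl IN DNSKEY flags proto alg base64."""
    owner, _ttl, _cls, rrtype, flags, proto, alg, key_b64 = line.split(None, 7)
    if rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    pubkey = base64.b64decode("".join(key_b64.split()))  # base64 may be split into chunks
    return owner, int(flags), int(proto), int(alg), pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types: 1 = SHA-1, 2 = SHA-256


def make_ds(owner, flags, proto, alg, pubkey, digest_type=2):
    """DS RDATA (key tag, algorithm, digest type, hex digest) for a DNSKEY, RFC 4034 5.1.4."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)


def is_ksk(flags):
    """Bit 15 (value 1) is the Secure Entry Point flag: 257 = zone key + SEP, 256 = plain ZSK."""
    return flags & 1 == 1


def dangling_ds(ds_records, dnskey_lines):
    """Return the DS records that match none of the DNSKEYs the child currently publishes."""
    published = set()
    for line in dnskey_lines:
        owner, flags, proto, alg, pubkey = parse_dnskey(line)
        for dtype in DIGEST_ALGS:
            published.add(make_ds(owner, flags, proto, alg, pubkey, dtype))
    return [ds for ds in ds_records if ds not in published]


if __name__ == "__main__":
    # Constructed placeholder keys: two-byte "public keys", not real RSASHA1 (alg 5) material.
    old_ksk = "example.org. 3600 IN DNSKEY 257 3 5 AQI="
    new_ksk = "example.org. 3600 IN DNSKEY 257 3 5 AQM="
    parent_ds = [make_ds(*parse_dnskey(old_ksk))]   # what .ORG would hold for the old KSK
    print("before roll, dangling DS:", dangling_ds(parent_ds, [old_ksk]))
    print("after roll without DS update, dangling DS:", dangling_ds(parent_ds, [new_ksk]))
```

The second print line is the failure mode the slide's compromise scenario exercises: the child has replaced its KSK but the parent still publishes the old DS, so every DS in the parent is dangling and validation fails until the registrar submits the new DS.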

Page 8: Participation...

3 Registrars logged in, 15 names in the zone, 12 DS records (as of 23 Nov 2005)

135 names in the zone as of now

What can we do to help you participate?

On the PIR side?

On the Afilias side?

Page 9: Perception Problems

.CL (Chilean) survey

Many in the technological community in Chile do not know what DNSSEC is

Some thought it was “all about confidentiality”

Have not deployed DNSSEC because:

Worry it will confuse the market (providers are not yet knowledgeable but make many promises to end-users)

Multiple providers to deal with (ISC, APNIC, RIPE, etc.)

Education and Testbed

Page 10: What DNSSEC does NOT do

DNSSEC does NOT provide confidentiality of DNS responses

DNSSEC does NOT protect against DDOS attacks

DNSSEC is NOT about privacy

DNSSEC is NOT a PKI

DNSSEC does NOT protect against IP Spoofing

Page 11: Why is DNSSEC important?

ROI vs. Return on Risk

Not about increased revenues, but about reduced risks

Reducing risks for your community / customers

High vulnerability, low awareness

High dependence on DNS

Trust is easy to lose, difficult to regain

Page 12: What Next?

Not without technical challenges (e.g. Key Rollovers)

Main challenge is still awareness and adoption (i.e. driving demand)

Technologists tend to get over-excited about technical details

Some disconnect with business managers

Not as high profile as worms, viruses and DDOS attacks

Even though security is the highest priority

Page 13: Man-in-the-middle Attacks

Stories to tell:

Bank Account

Email from your bank telling you that, for security reasons, they need you to update your password

You know about these scams called ‘phishing’, where the bad guys send an email pretending to be legit, and the link actually goes to their website

Just to be safe, instead of clicking on your bank’s email link, you open up your browser, and type in the URL for your bank login page

On the front page is the request for password change.

You put in your ‘old’ password, and your ‘new’ password (twice)

Two hours later, your entire savings account is wiped clean.

Automated Systems compromised

Email being intercepted

Page 14: IDN and DNSSEC

Many similarities

Requires application (DNS client) updates

Requires Registries and DNS operator updates / deployment

Requires Root changes for complete experience

One major difference:

Lack of explicit user demand

Page 15: Awareness & Participation

ccTLDs and gTLDs should implement DNSSEC testbeds

Application Providers

Browsers, MTAs

ISPs

Industry should help promote awareness

Must a catastrophe happen first?...

For more info and to participate:

http://www.dnssec.net

http://www.dnssecdeployment.org

Page 16: Thank You

Edmon Chung

edmon@afilias.info