DNSSEC: An Update on Global Activities
DESCRIPTION
Dept. of Homeland Security Science & Technology Directorate. DNSSEC: An Update on Global Activities. EDUCAUSE Net@EDU Annual Meeting, Tempe, AZ, February 12, 2008. Douglas Maughan, Ph.D., Program Manager, CCI. 202-254-6145 / 202-360-3170.
TRANSCRIPT
04/19/23 1
DNSSEC: An Update on Global Activities
EDUCAUSE Net@EDU Annual Meeting, Tempe, AZ, February 12, 2008
Dept. of Homeland Security Science & Technology Directorate
Douglas Maughan, Ph.D.
Program Manager, CCI
202-254-6145 / 202-360-3170
National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness.
NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as secure DNS (DNSSEC).
“The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.”
Domain Name System Security (DNSSEC) Program
DNSSEC Program Objective: “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant”
Rationale / Background / Historical:
DNS is a critical component of the Internet infrastructure and was not designed for security.
DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities.
End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of cryptographic signatures.
Performers
Shinkuro, Washington, DC: roadmap development and execution; international partner participation; support tool development
Sparta, Columbia, MD: software development (servers, resolvers, applications); Internet standards activities
NIST, Gaithersburg, MD: measurement and evaluation tools; government and standards activities; connections with GSA, FISMA, and OMB
DNSSEC Initiative Activities
Roadmap published in February 2005; revised March 2007: http://www.dnssec-deployment.org/roadmap.php
Multiple workshops held world-wide
DNSSEC testbed developed by NIST: http://www-x.antd.nist.gov/dnssec/
Involvement with numerous deployment pilots
Formal publicity and awareness plan, including a newsletter
Working with civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels
Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance
DNSSEC Roadmap
Identifies the following activities:
Remaining R&D issues (Lead: Shinkuro)
Software development (Lead: Sparta): server, resolver, applications
Operational considerations (Lead: Shinkuro): root, registries, registrants
Measurement and evaluation (Lead: NIST)
Outreach and training (Lead: Shinkuro)
Incremental Deployment
Registries: work through various readiness levels: initial study -> initial design -> pilot -> pre-deployment -> operation
Registrars: migrate to an EPP-based system, or build extensions for an existing non-EPP system
ISPs: validation as a preferred service for some customers; manage a customized set of trust anchors for a set of customers; detect key rollover events for known islands of trust (signed zones whose parent is not yet signed, so their keys must be configured in the resolver directly rather than reached through a chain of DS records)
Enterprise: internal deployment as part of corporate system integrity and protection; trading partners; distinguish between safe and questionable sites
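As an added illustration of the ISP items above (this is not from the deck), here is how a validating resolver can be configured to validate by default and to carry its own set of trust anchors for islands of trust it knows about, using Unbound's configuration syntax. The file path and the anchor record are placeholders, not real keys.

```conf
server:
    # Turn validation on: the validator module runs before the iterator.
    module-config: "validator iterator"

    # Root trust anchor, tracked across rollovers per RFC 5011; Unbound rewrites
    # this file as it observes new keys being pre-published. Path is an assumption.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Islands of trust not reachable from the root: trust their KSKs directly.
    # A DS-format anchor is accepted as well as a DNSKEY one. Placeholder values,
    # not a real key; replace with the zone operator's published DS/DNSKEY.
    trust-anchor: "example.org. DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000"

    # Fail closed: data that should validate but does not is answered with SERVFAIL
    # instead of being passed to customers unvalidated.
    val-permissive-mode: no

    # Log validation failures so that a missed rollover in an island of trust
    # shows up in the resolver log rather than as silent SERVFAILs.
    val-log-level: 2
```

A statically configured `trust-anchor:` is exactly the case that needs rollover detection: if the island rolls its KSK and the resolver's anchor is not updated, every answer from that zone fails validation. That operational burden is the reason the later slides make a signed root, with one common trust point, the goal.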
Leveraging Existing Efforts
ccTLDs with operational DNSSEC services:
Sweden: http://www.iis.se/products/sednssec2
Bulgaria: https://www.register.bg/
Brazil: https://www.registro.br
Puerto Rico: http://www.dnssec.nic.pr/
RIPE-NCC: reverse zones that it manages and the e164.arpa zone (ENUM): https://www.ripe.net/rs/
DNSSEC initiatives in .UK and .DE: strong advocates of DNSSEC, but waiting for NSEC3 for some zones (NSEC3 hashes the owner names in authenticated denial-of-existence records so that a signed zone cannot be enumerated by walking its NSEC chain; it was published as RFC 5155 in March 2008, shortly after this talk): http://www.denic.de/en/domains/dnssec/index.html and http://www.nominet.org.uk/tech/dnssectest/
JPRS: working on integrating DNSSEC signing into the existing workflow to maintain short update assurances: http://losangeles2007.icann.org/node/77
Leveraging Existing Efforts (cont.)
NIC Mexico: developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD: http://www.dnssec.org.mx
.ORG testbed: PIR has maintained the .ORG testbed to enable its registrars to test DNSSEC-capable systems: http://www.pir.org/RegistrarResources/DNSSecurityTestbed.aspx
SNIP testbed for .GOV: provides a “distributed training ground” for .gov operators deploying DNSSEC: http://www.dnsops.gov
IANA: testbed for signing zones that IANA controls; also has a prototype for ‘a’ signed copy of the root zone: https://ns.iana.org/dnssec/status.html
For Official Use Only
FISMA Activities
Intended to set the IT security policy for all USG systems, contractors, and data
Collection of documents produced by NIST: FIPS, Special Publications (SP) series
Goes into effect one year after publication of the security controls publication (SP 800-53r1): published Dec 2006 -> goes into effect Dec 2007
NIST Special Pub 800-53A, Guide for Assessing the Security Controls in Federal Information Systems: final publication scheduled Dec 2007
NIST SP 800-57, Recommendations for Key Management: 3-part companion guide to FISMA
The Big Picture – DNSSEC in .gov
[Diagram: the SNIP core infrastructure serving the dnsops.gov and dnsops.biz pilot zones; agency shadow zones dhs.dnsops.gov, nist.dnsops.gov, antd.nist.dnsops.gov, fda.dnsops.gov and esnet.doe.dnsops.gov; the zones ag1.dnsops.gov and ag2.dnsops.biz shown next to zoneedit and dns-outsource.com; and the Internet2 DNSSEC pilot and DREN DNSSEC pilot connected alongside.]
NIST Effort – SNIP
Secure Naming Infrastructure Pilot (SNIP)
Aiding deployment by: providing a connected training ground; educational resources/guides; modeling infrastructures; a testbed for systems
Relying on user participation: an aid to deployment, not a proof-of-concept experiment
SNIP Overview
Agencies get delegations to run a secure “shadow zone”: nist.gov becomes nist.dnsops.gov; contractors become “contractor.dnsops.biz”
Administrators use the dnsops.gov/biz delegation to practice DNSSEC operations
Infrastructure modeling: attempts to model an agency’s current DNS in the NIST/Sparta labs
Testbed for systems: authoritative servers, caches, and DNSSEC administrator tools
Need for Signing the Root Zone
The root zone is at the top of the DNS hierarchy.
Signing the root zone will allow DNSSEC-capable resolvers to perform the data integrity and origin authenticity checks using the root zone public key(s) as the common trust point(s), instead of each resolver operator configuring and maintaining a separate trust anchor for every signed TLD.
A signed root zone and a widely deployed DNS system that supports DNSSEC will be a major step forward in the ongoing effort to secure the Internet.
Root Zone Requirements
Full operation of DNSSEC at the root level requires several component capabilities:
Generation and maintenance of keys
Accepting “secure delegations” from TLDs (a DS record, the hash of each TLD’s key-signing key, published and signed in the root zone)
Signing the root zone and handling of private key material
Distribution and the subsequent “serving” of the signed root zone by the root name server operators
Publication of the root zone public keys
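The two mechanics behind this slide and the ISP item on the Incremental Deployment slide, “accepting secure delegations” and “detecting key rollover events”, are shown below as an added, stand-alone example; it is not code from the deck or from any of the performers. It computes a DNSKEY key tag and its SHA-256 DS digest exactly as RFC 4034 specifies, checks whether a child key is linked from the DS set a parent publishes, and diffs two observed DNSKEY RRsets to flag a rollover. The DNSKEY values are constructed (tiny fake public keys), not real root or TLD keys; the cryptographic RRSIG verification that a full validator also performs is out of scope here.

```python
"""Secure-delegation check and key-rollover detection for DNSKEY records.

Added illustration, not code from the DHS S&T deck. The DNSKEY values below are
constructed (tiny fake public keys), not real root or TLD keys.
"""
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # terminating root label


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (for all algorithms except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner-name-in-wire-form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def secure_delegation_ok(owner: str, rdata: bytes, parent_ds: list) -> bool:
    """True if some DS the parent publishes, as (key_tag, algorithm, digest_type, digest_hex),
    matches this child DNSKEY. A validator may only trust the child's keys via such a link."""
    for tag, alg, dtype, digest in parent_ds:
        if dtype != 2:
            continue  # only SHA-256 DS records are handled in this example
        if tag == key_tag(rdata) and alg == rdata[3] and digest.upper() == ds_digest(owner, rdata):
            return True
    return False


def detect_rollover(previous: list, current: list) -> tuple:
    """Compare two observed DNSKEY RRsets; return (added_tags, removed_tags) to flag a rollover."""
    old = {key_tag(r) for r in previous}
    new = {key_tag(r) for r in current}
    return sorted(new - old), sorted(old - new)


# Constructed demo keys: flags 257 = KSK (SEP bit set), 256 = ZSK, algorithm 8 = RSASHA256.
KSK = dnskey_rdata(257, 8, b"\x00\x01")
ZSK = dnskey_rdata(256, 8, b"\x00\x03")
NEW_KSK = dnskey_rdata(257, 8, b"\x00\x09")

# What the parent (here standing in for the root) would publish for the child's KSK.
PARENT_DS = [(key_tag(KSK), 8, 2, ds_digest("example.", KSK))]

if __name__ == "__main__":
    print("KSK tag", key_tag(KSK), "DS", ds_digest("example.", KSK))
    print("KSK linked from parent:", secure_delegation_ok("example.", KSK, PARENT_DS))
    print("ZSK linked from parent:", secure_delegation_ok("example.", ZSK, PARENT_DS))
    print("rollover (added, removed):", detect_rollover([KSK, ZSK], [KSK, ZSK, NEW_KSK]))
```

Only the key-signing key needs a DS at the parent; the zone-signing key is trusted because the KSK signs the child's DNSKEY RRset, which is why `secure_delegation_ok` rejects the ZSK here. For an island of trust there is no parent DS at all, so the operator's trust-anchor list plays the parent's role and `detect_rollover` is what tells the operator that list has gone stale.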
Future Activities
Pilot deployments of DNSSEC on .us and .gov networks
Continue getting all the necessary government players: working with OMB, DHS, DOC on rollout strategy
Outreach, communication and training
Preparation of root servers
Testing of end user software
gTLD and ccTLD testbeds
Community-based identification of existing software
Candidate operational policies and procedures
Summary and Challenge
Lots of progress over the past 24 months; more to come in 2008
USG taking a leadership role: working with other parts of Internet infrastructure; working with vendors; providing resources to help others
Challenge: What’s keeping you from securing your DNS infrastructure?
Douglas Maughan, Ph.D.
Program Manager, CCI
202-254-6145 / 202-360-3170
For more information, visit http://www.cyber.st.dhs.gov