1 DNSSEC for the .edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010


DNSSEC for the .edu Domain

Becky Granger
Director, Information Technology and Member Services
EDUCAUSE

April 29, 2010


Agenda

Review DNS
How DNSSEC augments DNS
What DNSSEC doesn’t do
Why DNSSEC matters to you
DNSSEC Adoption
Getting started: Between now and July 2010
Going live: Anticipated in July 2010


DNS: A Review

Illustration courtesy of Niranjan Kunwar / Nirlog.com


DNS Caching

DNS servers cache data to improve performance

But… what happens if the cached data is wrong? Every client that asks that server gets the wrong answer until the cache entry expires.


DNS is Fundamentally Flawed

More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf


DNS Cache Poisoning Gets Easier

Article explaining vulnerability: http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky
Photo by Dave Bullock / eecue


DNSSEC: DNS Security Extensions

Validate the origin of a DNS response: trust that the data came from the expected source

Validate the integrity of a DNS response: trust that the data itself is correct

Validate denial of existence: trust a “no records to return” response


DNS with DNSSEC implemented

Illustration courtesy of Niranjan Kunwar / Nirlog.com


DNSSEC Augments DNS

Use public key cryptography to “sign” DNS data

New DNS resource records carry the keys and signatures: DNSKEY, RRSIG, NSEC, DS

Publish signatures to the parent zone: domain to its TLD, TLD to root

DNS resolvers validate that the signatures match the data and the published keys

Good explanation: http://ispcolumn.isoc.org/2006-08/dnssec.html


What DNSSEC Doesn’t Do

Encrypt data – that’s SSL
Protect your servers from denial of service attacks
Keep you from visiting phishing sites

DNSSEC protects you from forged DNS data


Why You Care: Hypothetical Case Study

Photo by Bart Everson


DNSSEC Adoption


Adoption is Critical

Can’t require validation yet – it would reject most Internet traffic, since most zones are still unsigned

In the interim, will need a browser warning for non-validated lookups (like SSL “lock” today)

Validation will likely be required at some point


Adoption is Increasing Quickly

Data from SecSpider: http://secspider.cs.ucla.edu
Graph courtesy of Eric Osterweil


Many Top Level Domains are Signing

Signed TLDs: bg, br, ch, cz, li, lk, na, nu, pm, pr, pt, se, th, tm, uk, us; arpa, gov, museum, org

Coming soon:
edu anticipated in July 2010
net anticipated in late 2010
com anticipated in early 2011

TLD data courtesy of Shinkuro, Inc.


Current DNSSEC Adoption in .edu

7 signed .edu domains: berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu

64 signed .edu sub-domains; many are computer science departments or DNS research projects

Data from SecSpider: http://secspider.cs.ucla.edu
Slide courtesy of Shumon Huque, University of Pennsylvania


Getting Started: Between now and July 1, 2010


If you are…

CIO or IT leader:
Get DNSSEC on your staff’s radar now
Add DNSSEC to your summer maintenance schedule

Technical staff:
If an ISP hosts your DNS, ask the ISP when they will support DNSSEC
If you host your DNS: learn about signing, get DNSSEC-aware DNS software, sign your zone


Learn About Signing

Study the RFCs:
RFC 4033 – DNSSEC introduction and requirements
RFC 4034 – Resource records for DNSSEC
RFC 4641 – DNSSEC operational practices

NIST Secure DNS Deployment Guide


Get DNSSEC-aware DNS Software

Need DNSSEC-aware software on published DNS servers and all intermediate resolvers:
BIND 9.6 or greater
ZKT
OpenDNSSEC
Windows Server 2008 R2
Signing appliances
Many more…

Find these packages and more at http://www.dnssec.net/software


Sign Your Zone

Generate a KSK and one or more ZSKs http://tools.ietf.org/html/rfc4641#section-3.1

Practice key rollovers & establish processes for managing keys http://tools.ietf.org/html/rfc4641#section-4.2


Going Live: July 2010 (anticipated)


Chain of Trust Can Be Established

Original illustration courtesy of Niranjan Kunwar / Nirlog.com


Publish Your Signatures to .edu Zone

Enter your DS record data (the digest of your KSK, which the parent publishes to complete the chain of trust) into the .edu Domain Administration website

.edu Domain Administration website: http://www.educause.edu/edudomain
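As an added example (not code from the presentation or from the .edu Domain Administration site), the Python below builds the DS record that links a zone's KSK to its parent, the data entered at the .edu site as described above and on the "DNSSEC Augments DNS" slide, and then performs the reverse check a validating resolver does at the delegation: recompute the DS from the child's DNSKEY and compare it to the DS the parent publishes. The owner name and key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """DS record for a KSK: digest over owner name (wire form) || DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(ds: str, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """Resolver-side check at a delegation: does the parent's DS match the child's DNSKEY?"""
    fields = ds.split()
    if len(fields) != 7 or not fields[5].isdigit() or int(fields[5]) not in DIGEST_ALGS:
        return False  # malformed DS or a digest type we cannot compute
    mine = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(fields[5])).split()
    return mine[3:6] == fields[3:6] and mine[6] == fields[6].upper()


if __name__ == "__main__":
    # Constructed sample KSK: flags 257 (zone key + SEP), protocol 3, algorithm 8 (RSA/SHA-256).
    # "AQIDBA==" is the bytes 01 02 03 04, a placeholder rather than a real RSA key.
    print(make_ds("example.edu.", 257, 3, 8, "AQIDBA=="))
```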


Many Resources Available to Help You

RFCs http://tools.ietf.org/rfc/index

DNSSEC.NET website http://www.dnssec.net/

Your .edu colleagues – subscribe to EDUCAUSE DNSSEC deployment listserv http://listserv.educause.edu/archives/dnssec.html


Questions?