• Home

  • Documents

  • DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29
8
DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

Embed Size (px)

Citation preview

Page 1: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

DNSSEC allocations

DNSEXT chairs

IETF-75

Stockholm 2009/07/29

Page 2: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

Introduction

• DNSSEC has following registries where algorithms can be registered– DNSKEY/RRSIG/KEY algorithm

• 7 codes assigned out of 250– DS digest algorithm

• 2 out of 254– NSEC3 obfuscation function

• 1 out of 254 – TSIG hash function

• 8 names allocated

• Allocation for all these is currently “Standards action”

Page 3: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

Issue: What is the appropriate action ?

• Standards action– WG and IESG must agree to the action.

• Experimental/Informational RFC– RFC published

• WG will loose veto power but might be able to influence outcome

• Expert Review – WG and IESG are out of the picture

• But WG and AD’s appoint the experts.

• Others: – FCFS not applicable – Close registry once we get unbreakable alg.

Page 4: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

Required/Optional• Currently most DNSKEY algorithms are “required”

– The registry has a field saying if algorithm can sign a zone, RSA/MD5 and DH can not sign zones?

• http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

• DS algorithms– Currently both required, envisioned required and retired– http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

• NSEC3 new algorithms require protocol and implementation changes – Optional out of the question ? – http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml

• TSIG– WG will be adding the concept of optional and “not-recommended” to

the registry soon. – http://www.iana.org/assignments/tsig-algorithm-names

Page 5: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

Possible Paths forward

• What is right in for one registry may not be the right action for a different one.

• Options:– Do nothing i.e. keep current state – Sponsor a document defining the new

“actions” – Examine the issues and make a decision later

Page 6: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

BUT: • Following new algorithms have been proposed:

– DNSKEY RSA/SHA256– DNSKEY GOST R 34.10-2001– DNSKEY ECDSAP224SHA256– DNSKEY ECDSAP256SHA256– DNSKEY ECDSAP384SHA384– DNSKEY DSA2048SHA256– DS SHA384– DS GOST R 34.11-94

• After the NIST SHA-3 competition concludes expect more proposals.• Effort required to develop a new Public Key algorithm

– 1999: Quite difficult – 2009: Easy

• ECC curve + digest function • RSA + digest function• DSA + digest function

Page 7: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

Goal

• We need concrete and fair criteria in evaluating new submissions– How to pick among “equivalent” submissions.

• We need statement from WG/IAB on the “harm” of adding new algorithms:– None, some, serious, ….

Page 8: DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29

Open mic


IETF64 DNSEXT

IETF64 DNSEXT

Documents
DNSSEC 101

DNSSEC 101

Documents
DNS Risks, DNSSEC - Internet2...2006/02/08  · DNSSEC evangineers of the day Allison: ¥Independent consultant ¥Member of the Internet2 Tech. Advisory Comm. ¥IETF Transport Area

DNS Risks, DNSSEC - Internet2...2006/02/08  · DNSSEC evangineers of the day Allison: ¥Independent consultant ¥Member of the Internet2 Tech. Advisory Comm. ¥IETF Transport Area

Documents
Deploying DNSSEC

Deploying DNSSEC

Documents
1 IETF Status at IETF 85 Russ Housley IETF Chair

1 IETF Status at IETF 85 Russ Housley IETF Chair

Documents
This is the DNSEXT Working Group (where the microphones are at Scandic hights)

This is the DNSEXT Working Group (where the microphones are at Scandic hights)

Documents
DNSSEC and Internet Development - Uppsala University€¦ · DNS-history 1983 Paul Mockapetris invents the DNS and implements the first server: Jeeves. 1986 Formal IETF Internet

DNSSEC and Internet Development - Uppsala University€¦ · DNS-history 1983 Paul Mockapetris invents the DNS and implements the first server: Jeeves. 1986 Formal IETF Internet

Documents
DNSSEC for the Root · PDF fileDNSSEC for the Root Zone – Update IETF 78, ... Nicolas Antoniello, UY ... Backup COs (RKSHs) Key Ceremonies • Ceremony #1: June 16, 2010, Culpeper,

DNSSEC for the Root · PDF fileDNSSEC for the Root Zone – Update IETF 78, ... Nicolas Antoniello, UY ... Backup COs (RKSHs) Key Ceremonies • Ceremony #1: June 16, 2010, Culpeper,

Documents
1 IETF Status at IETF 78 Russ Housley, IETF Chair

1 IETF Status at IETF 78 Russ Housley, IETF Chair

Documents
IETF65 DNSEXT

IETF65 DNSEXT

Documents
IETF Status at IETF 70

IETF Status at IETF 70

Documents
The IETF standards process & DNSSEC... page 3 NLnet Labs The IETF • Internet Engineering Task Force • Standard body for Internet technology • Formed in 1986

The IETF standards process & DNSSEC... page 3 NLnet Labs The IETF • Internet Engineering Task Force • Standard body for Internet technology • Formed in 1986

Documents
TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to

TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to

Documents
1 IETF Status at IETF 76 Russ Housley, IETF Chair

1 IETF Status at IETF 76 Russ Housley, IETF Chair

Documents
SE DNSSEC Practice Statement · A second draft: draft-ietf-dnsop-dnssec-dps-framework-01 Currently working on text for Definitions and Concepts. Then suggesting working group Last

SE DNSSEC Practice Statement · A second draft: draft-ietf-dnsop-dnssec-dps-framework-01 Currently working on text for Definitions and Concepts. Then suggesting working group Last

Documents
DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

Documents
IETF Status at IETF 76

IETF Status at IETF 76

Documents
DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone

DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone

Documents
Internet Engineering Task Force (IETF) O. Kolkman DNSSEC ...RFC 6781 DNSSEC Operational Practices, Version 2 December 2012 The procedures herein are focused on the maintenance of signed

Internet Engineering Task Force (IETF) O. Kolkman DNSSEC ...RFC 6781 DNSSEC Operational Practices, Version 2 December 2012 The procedures herein are focused on the maintenance of signed

Documents
DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

Documents
This is the DNSEXT Working Group

This is the DNSEXT Working Group

Documents
DNSSEC Industry Survey Results - PCN, Inc.23.235.200.57/~pcninc5/wp-content/.../DNSSEC-Industry-Survey-Resu… · DNSSEC. DNS administrators can provide secure responses to DNSSEC-validating

DNSSEC Industry Survey Results - PCN, Inc.23.235.200.57/~pcninc5/wp-content/.../DNSSEC-Industry-Survey-Resu… · DNSSEC. DNS administrators can provide secure responses to DNSSEC-validating

Documents
DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Documents
IETF 112 - IETF LLC Briefing

IETF 112 - IETF LLC Briefing

Documents
DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

Documents
DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Documents
DNSSEC FIRST

DNSSEC FIRST

Technology
Tutorial Dnssec

Tutorial Dnssec

Documents
DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

Documents
DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com

DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com

Documents