
Page 1: DNSSEC: An Update on Global Activities

DNSSEC: An Update on Global Activities

EDUCAUSE Net@EDU Annual Mtg, Tempe, AZ, February 12, 2008

Dept. of Homeland Security Science & Technology Directorate

Douglas Maughan, Ph.D.

Program Manager, CCI

[email protected]

202-254-6145 / 202-360-3170

Page 2: DNSSEC: An Update on Global Activities

National Strategy to Secure Cyberspace

- The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
- NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS

"The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives."

Page 3: DNSSEC: An Update on Global Activities

Domain Name System Security (DNSSEC) Program

DNSSEC Program Objective: "Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant"

Rationale / Background / Historical:
- DNS is a critical component of the Internet infrastructure and was not designed for security
- DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities

End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures

Page 4: DNSSEC: An Update on Global Activities

Performers

- Shinkuro, Washington, DC
  - Roadmap development and execution
  - International partner participation
  - Support tool development
- Sparta, Columbia, MD
  - Software development: servers, resolvers, applications
  - Internet standards activities
- NIST, Gaithersburg, MD
  - Measurement and evaluation tools
  - Government and standards activities
  - Connections with GSA, FISMA, and OMB

Page 5: DNSSEC: An Update on Global Activities

DNSSEC Initiative Activities

- Roadmap published in February 2005; revised March 2007
  http://www.dnssec-deployment.org/roadmap.php
- Multiple workshops held world-wide
- DNSSEC testbed developed by NIST
  http://www-x.antd.nist.gov/dnssec/
- Involvement with numerous deployment pilots
- Formal publicity and awareness plan including a newsletter
- Working with civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels
- Working with the operators of the ".us" and ".mil" zones towards DNSSEC deployment and compliance

Page 6: DNSSEC: An Update on Global Activities

DNSSEC Roadmap

Identifies the following activities:
- Remaining R&D issues (Lead: Shinkuro)
- Software development (Lead: Sparta)
  - Server
  - Resolver
  - Applications
- Operational considerations (Lead: Shinkuro)
  - Root
  - Registries
  - Registrants
- Measurement and evaluation (Lead: NIST)
- Outreach and training (Lead: Shinkuro)

Page 7: DNSSEC: An Update on Global Activities

Incremental Deployment

- Registries
  - Work through various readiness levels: Initial study -> Initial design -> Pilot -> Pre-deployment -> Operation
- Registrars
  - Migrate to an EPP-based system
  - Build extensions for an existing non-EPP system
- ISPs
  - Validation as a preferred service for some customers
  - Manage a customized set of trust anchors for a set of customers
  - Detect key rollover events for known islands of trust
- Enterprise
  - Internal deployment as part of corporate system integrity and protection
  - Trading partners
  - Distinguish between safe and questionable sites

Page 8: DNSSEC: An Update on Global Activities

Leveraging Existing Efforts

- ccTLDs with operational DNSSEC services
  - Sweden: http://www.iis.se/products/sednssec2
  - Bulgaria: https://www.register.bg/
  - Brazil: https://www.registro.br
  - Puerto Rico: http://www.dnssec.nic.pr/
- RIPE-NCC
  - Reverse zones that it manages and the e164.arpa zone (ENUM)
  - https://www.ripe.net/rs/
- DNSSEC initiatives in .UK and .DE
  - Strong advocates of DNSSEC, but waiting for NSEC3 for some zones (the original NSEC records let anyone walk a signed zone and enumerate every name in it; NSEC3 publishes hashed names instead)
  - http://www.denic.de/en/domains/dnssec/index.html and http://www.nominet.org.uk/tech/dnssectest/
- JPRS
  - Working on integrating DNSSEC signing into the existing workflow to maintain short update assurances
  - http://losangeles2007.icann.org/node/77

Page 9: DNSSEC: An Update on Global Activities

Leveraging Existing Efforts (cont)

- NIC Mexico
  - Developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD
  - http://www.dnssec.org.mx
- .ORG testbed
  - PIR has maintained the .ORG testbed to enable its registrars to test DNSSEC-capable systems
  - http://www.pir.org/RegistrarResources/DNSSecurityTestbed.aspx
- SNIP testbed for .GOV
  - Provides a "distributed training ground" for .gov operators deploying DNSSEC
  - http://www.dnsops.gov
- IANA
  - Testbed for signing zones that IANA controls
  - Also has a prototype for 'a' signed copy of the Root zone
  - https://ns.iana.org/dnssec/status.html

Page 10: DNSSEC: An Update on Global Activities

For Official Use Only

FISMA Activities

- Intended to set the IT security policy for all USG systems, contractors, and data
- Collection of documents produced by NIST: FIPS and the Special Publications (SP) series
- Goes into effect one year after publication of the security controls publication (SP 800-53r1)
  - Published Dec 2006 -> goes into effect Dec 2007
- NIST Special Pub 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
  - Final publication scheduled Dec 2007
- NIST SP 800-57, Recommendation for Key Management: 3-part companion guide to FISMA

Page 11: DNSSEC: An Update on Global Activities

For Official Use Only

The Big Picture – DNSSEC in .gov

[Diagram: the SNIP core infrastructure (dnsops.gov and dnsops.biz) shown together with the Internet2 DNSSEC pilot and the DREN DNSSEC pilot; participating shadow zones include dhs.dnsops.gov, nist.dnsops.gov, antd.nist.dnsops.gov, fda.dnsops.gov, esnet.doe.dnsops.gov, ag1.dnsops.gov and ag2.dnsops.biz, with zoneedit and dns-outsource.com also appearing as DNS operators]

Page 12: DNSSEC: An Update on Global Activities

NIST Effort - SNIP

Secure Naming Infrastructure Pilot (SNIP)

- Aiding deployment by:
  - Providing a connected training ground
  - Educational resources/guides
  - Modeling infrastructures
  - Testbed for systems
- Relying on user participation
- Aid in deployment, not a proof-of-concept experiment

Page 13: DNSSEC: An Update on Global Activities

SNIP Overview

- Agencies get delegations to run a secure "shadow-zone"
  - nist.gov becomes nist.dnsops.gov
  - Contractors become "contractor.dnsops.biz"
  - Administrators use the dnsops.gov/biz delegation to practice DNSSEC operations
- Infrastructure modeling
  - Attempts to model an agency's current DNS in NIST/Sparta labs
- Testbed for systems
  - Authoritative servers, caches, and DNSSEC administrator tools

Page 14: DNSSEC: An Update on Global Activities

Need for Signing the Root Zone

- The Root Zone is at the top of the DNS hierarchy
- Signing the Root Zone will allow DNSSEC-capable resolvers to perform the data integrity and origin authenticity checks using the Root Zone public key(s) as the common trust point(s). Until then, a validating resolver has to carry a separately configured trust anchor for every signed zone it wants to validate (the "islands of trust" referred to on the Incremental Deployment slide).
- A signed Root Zone and a widely deployed DNS system that supports DNSSEC will be a major step forward in the ongoing effort to secure the Internet

Page 15: DNSSEC: An Update on Global Activities

Root Zone Requirements

Full operation of DNSSEC at the Root level requires several component capabilities:
- Generation and maintenance of keys
- Accepting "secure delegation" from TLDs (the DS records that bind each TLD's key into the signed root)
- Signing the Root Zone and handling of private key material
- Distribution and the subsequent "serving" of the signed Root Zone by Root Name Server operators
- Publication of the Root Zone public keys
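Two of the mechanisms behind these requirements, and behind the "detect key rollover events for known islands of trust" item on the ISP slide, are mechanical enough to show in code: a parent's DS record binds a child's DNSKEY through the key tag plus a digest over the owner name and DNSKEY RDATA (RFC 4034 section 5.1.4; SHA-256 digest type from RFC 4509), and a validator holding a configured trust anchor, whether the root key or an island-of-trust key, has to notice when that zone's KSK set changes. The Python below is an added example written for this page, not code from DHS, NIST, Sparta, Shinkuro or any project named here; the owner name nist.dnsops.gov is borrowed from the SNIP slides, and every key byte is a constructed placeholder rather than a real zone key.

```python
"""
DNSSEC secure-delegation and trust-anchor checks from RFC 4034:
key tag (Appendix B), DS digest (section 5.1.4, SHA-256 per RFC 4509),
DS-to-DNSKEY matching, and KSK-change detection between two observed
DNSKEY RRsets. Key material below is constructed for this example.
"""
import hashlib
import struct
from dataclasses import dataclass

FLAG_ZONE = 0x0100   # bit 7: Zone Key
FLAG_SEP = 0x0001    # bit 15: Secure Entry Point (conventionally marks the KSK)
DNSKEY_PROTOCOL = 3  # RFC 4034 section 2.1.2: must be 3


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = DNSKEY_PROTOCOL

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_ksk(self) -> bool:
        return bool(self.flags & FLAG_SEP) and bool(self.flags & FLAG_ZONE)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for the obsolete RSA/MD5, algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034 / RFC 4509)


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS RDATA a parent publishes for this key: digest(canonical owner | DNSKEY RDATA)."""
    rdata = key.rdata()
    digest = _DIGESTS[digest_type](canonical_wire_name(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def verify_delegation(owner: str, ds_set, dnskeys) -> bool:
    """True if some DS in the parent matches a DNSKEY the child publishes.

    This is the link a validator follows from its trust anchor down the tree.
    A DS with an unsupported digest type is skipped, never treated as a match.
    """
    for ds in ds_set:
        if ds.digest_type not in _DIGESTS:
            continue
        for key in dnskeys:
            if key.protocol != DNSKEY_PROTOCOL or key.algorithm != ds.algorithm:
                continue
            candidate = make_ds(owner, key, ds.digest_type)
            if candidate.key_tag == ds.key_tag and candidate.digest == ds.digest:
                return True
    return False


def detect_ksk_rollover(old_rrset, new_rrset):
    """Compare the KSK sets of two observed DNSKEY RRsets; returns (added, removed) key tags.

    Any change means a manually configured trust anchor for this zone must be
    re-verified out of band and updated before the old key disappears.
    """
    old_tags = {key_tag(k.rdata()) for k in old_rrset if k.is_ksk()}
    new_tags = {key_tag(k.rdata()) for k in new_rrset if k.is_ksk()}
    return sorted(new_tags - old_tags), sorted(old_tags - new_tags)


# Constructed sample keys: the public-key bytes are placeholders, not real RSA keys.
KSK_OLD = DNSKEY(flags=FLAG_ZONE | FLAG_SEP, algorithm=8, public_key=bytes(range(1, 17)))
KSK_NEW = DNSKEY(flags=FLAG_ZONE | FLAG_SEP, algorithm=8, public_key=bytes(range(17, 33)))
ZSK = DNSKEY(flags=FLAG_ZONE, algorithm=8, public_key=bytes(range(33, 49)))
ZONE = "nist.dnsops.gov."  # owner name from the SNIP slides; keys above are not its real keys

if __name__ == "__main__":
    ds = make_ds(ZONE, KSK_OLD)
    print("key tag of current KSK:", ds.key_tag)
    print("DS matches child DNSKEY:", verify_delegation(ZONE, [ds], [KSK_OLD, ZSK]))
    print("KSK rollover (added, removed):",
          detect_ksk_rollover([KSK_OLD, ZSK], [KSK_OLD, KSK_NEW, ZSK]))
```

Running the file prints the key tag, the DS match result and the rollover diff. A real validator also checks the RRSIG over the child's DNSKEY RRset with the matched key; this example covers only the DS-to-DNSKEY link and the trust-anchor bookkeeping, and it does not implement the separate key tag formula used by algorithm 1.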

Page 16: DNSSEC: An Update on Global Activities

Future Activities

- Pilot deployments of DNSSEC on .us and .gov networks
- Continue getting all the necessary government players
  - Working with OMB, DHS, DOC on rollout strategy
- Outreach, communication and training
- Preparation of root servers
- Testing of end user software
- gTLD and ccTLD testbeds
- Community-based identification of existing software
- Candidate operational policies and procedures

Page 17: DNSSEC: An Update on Global Activities

Summary and Challenge

- Lots of progress over the past 24 months
- More to come in 2008
- USG taking a leadership role
- Working with other parts of Internet infrastructure
- Working with vendors
- Providing resources to help others

Challenge: What's keeping you from securing your DNS infrastructure?

Page 18: DNSSEC: An Update on Global Activities


Douglas Maughan, Ph.D.

Program Manager, CCI

[email protected]

202-254-6145 / 202-360-3170

For more information, visit http://www.cyber.st.dhs.gov