.ORG DNSSEC Testbed Deployment - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
.ORG DNSSEC Testbed Deployment
  • Edmon Chung
  • Creative Director
  • Afilias
  • edmon@afilias.info
  • Perth, AU
  • 2 March, 2006

2
Overview
  • .ORG Testbed Implementation
  • Perception Problems
  • Risk vs. Return
  • What next?

3
.ORG Testbed Logistics and Topology
  • Launched on 31 October, 2005
  • DNSSEC-aware name servers
  • EPP 1.0 front end servers feed zone data to the
    name servers

4
EPP Front End
  • Only .ORG accredited registrars allowed access to
    the EPP servers
  • Want to keep out the cruft
  • Use same creds as .ORG OTE servers
  • New registrars added when added to OTE
  • Dedicated testbed servers
  • Runs on epp1.dnssec-testbed.pir.org
    epp2.dnssec-testbed.pir.org
  • Separate from .ORG Production servers!

5
DNS Back End
  • Running on dedicated BIND servers at the moment
  • Will cut over to UltraDNS in 2006
  • Isolated DNS systems
  • Query using dig <somename>.org @<server>
  • Where <server> is ns1.dnssec-testbed.pir.org or
    ns2.dnssec-testbed.pir.org
  • Started with empty zone
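A dig query against the testbed name servers only shows the signatures when it is made with +dnssec, and a name is only usefully "in the testbed" if every RRset it returns carries an RRSIG whose validity window covers the time of the check. The following added example (not from the presentation, PIR or Afilias) parses a constructed dig-style answer section and classifies each RRset as signed, unsigned, expired or not yet valid. It checks coverage and validity windows only; verifying the signatures themselves needs the zone's DNSKEY and a validating resolver. The names, key tags and base64 signature blobs in the sample are constructed, and the parser assumes dig's default one-record-per-line output (no +multiline).

```python
"""Audit a `dig +dnssec` answer section for unsigned RRsets and out-of-window RRSIGs."""
import time
from collections import defaultdict

# Constructed sample in dig's one-record-per-line presentation format. Not real
# testbed data; the base64 signature blobs are placeholders, not valid signatures.
SAMPLE_ANSWER = """\
example.org.       3600 IN A     192.0.2.1
example.org.       3600 IN RRSIG A 5 2 3600 20060331000000 20060301000000 28596 example.org. bmV3c2ln
example.org.       3600 IN RRSIG A 5 2 3600 20060305000000 20060203000000 41431 example.org. b2xkc2ln
example.org.       3600 IN MX    10 mail.example.org.
mail.example.org.  3600 IN A     192.0.2.25
mail.example.org.  3600 IN RRSIG A 5 3 3600 20060215000000 20060116000000 41431 example.org. ZXhwaXJlZA==
www.example.org.   3600 IN AAAA  2001:db8::1
www.example.org.   3600 IN RRSIG AAAA 5 3 3600 20060415000000 20060315000000 28596 example.org. ZnV0dXJl
"""


def parse_rrs(text):
    """Parse presentation-format records into (owner, type, rdata_tokens) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # dig comment lines
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner, rtype.upper(), rdata))
    return records


def parse_rrsig(rdata):
    """RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration,
    inception, key tag, signer name, then the base64 signature."""
    covered, alg, labels, orig_ttl, expiration, inception, tag, signer = rdata[:8]
    return {
        "covered": covered.upper(), "algorithm": int(alg), "labels": int(labels),
        "original_ttl": int(orig_ttl), "expiration": expiration, "inception": inception,
        "key_tag": int(tag), "signer": signer, "signature": "".join(rdata[8:]),
    }


def check_answer(text, now=None):
    """Classify each non-RRSIG RRset in the answer as signed / unsigned / expired / not yet valid.

    RRSIG timestamps are fixed-width YYYYMMDDHHMMSS in UTC, so they compare correctly as strings.
    During a key rollover an RRset may carry several RRSIGs; one in-window signature is enough.
    """
    now = now or time.strftime("%Y%m%d%H%M%S", time.gmtime())
    rrsets = set()
    sigs = defaultdict(list)
    for owner, rtype, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            sig = parse_rrsig(rdata)
            sigs[(owner, sig["covered"])].append(sig)
        else:
            rrsets.add((owner, rtype))
    status = {}
    for key in sorted(rrsets):
        windows = sigs.get(key, [])
        if any(s["inception"] <= now <= s["expiration"] for s in windows):
            status[key] = "signed"
        elif any(s["expiration"] < now for s in windows):
            status[key] = "expired"
        elif windows:
            status[key] = "not yet valid"
        else:
            status[key] = "unsigned"
    return status


if __name__ == "__main__":
    # Check as of the date of this talk (2 March 2006, UTC).
    for (owner, rtype), verdict in check_answer(SAMPLE_ANSWER, now="20060302000000").items():
        print(f"{owner:20} {rtype:6} {verdict}")
```

Run against live output with something like `dig +dnssec +noall +answer <somename>.org @ns1.dnssec-testbed.pir.org`, feeding the text to `check_answer` with the default (current) time; an "expired" verdict on a zone that was signed last week is the classic symptom of a signing job or key rollover that did not re-sign before the old RRSIGs lapsed.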

6
Registrar Toolkit
  • Experimental toolkit (Not for Prime Time)
  • Don't use it for .ORG production
  • Availability
  • PIR website
  • SourceForge
  • EPP transactions based on the -03 Hollenbeck
    draft (the EPP DNSSEC mapping later published
    as RFC 4310)

7
Policy Decisions
  • Running according to the DNSSECbis
    specifications (RFC 4033-4035)
  • Looking to showcase some pitfalls
  • May code NSEC3 in 2006 to run parallel
  • Same for the roll-over drafts, as they are fleshed out
  • Roll-over
  • Already rolled in November (did anyone notice?)
  • Will do an unannounced ZSK and KSK compromise
    scenario in 2006
  • Will publish a key roll-over schedule as well
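The rollover scenarios on this slide hinge on one link in the chain: the DS record a registrar submits through the EPP front end must match the KSK the child zone currently publishes, and a KSK roll that is not followed by a DS update at the parent breaks validation for the whole zone. The following added example (not from the presentation, PIR or Afilias) implements the DS construction from RFC 4034 section 5.1.4 and the key tag from Appendix B in standard-library Python, then audits a parent DS set against a child's DNSKEY set to flag dangling DS records and unanchored KSKs. The keys are constructed byte strings with the RSA DNSKEY layout, not real key material, and the zone name is a placeholder; digest type 2 (SHA-256) was standardised in RFC 4509 shortly after this talk.

```python
"""DS record generation and parent/child key audit (RFC 4034 section 5.1.4 and Appendix B)."""
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: "sha1", 2: "sha256"}
SEP_FLAG = 0x0001  # Secure Entry Point bit in DNSKEY flags: set on a KSK (257), clear on a ZSK (256)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def is_ksk(rdata: bytes) -> bool:
    """A KSK is a DNSKEY with the SEP flag set."""
    return bool(struct.unpack("!H", rdata[:2])[0] & SEP_FLAG)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1/RSAMD5):
    sum the RDATA as big-endian 16-bit words, fold the carry back in, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS RDATA a registrar submits to the parent: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True if this parent-side DS refers to this child DNSKEY (tag, algorithm and digest agree)."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and dtype in DIGEST_ALGS and digest == ds_digest(owner, rdata, dtype))


def audit(parent_ds_set, owner, child_keys):
    """Rollover sanity check. Returns (matched DS, dangling DS, unanchored KSKs):
    a dangling DS points at a key the child no longer publishes, so validators fail the zone;
    an unanchored KSK has no DS at the parent, so it is not yet trusted and must not be the
    only key signing the DNSKEY RRset until its DS is published."""
    matched = [ds for ds in parent_ds_set if any(ds_matches(ds, owner, k) for k in child_keys)]
    dangling = [ds for ds in parent_ds_set if ds not in matched]
    unanchored = [k for k in child_keys if is_ksk(k)
                  and not any(ds_matches(ds, owner, k) for ds in parent_ds_set)]
    return matched, dangling, unanchored


# Constructed keys, not real RSA keys: the RSA/SHA-1 (algorithm 5) DNSKEY layout is
# exponent length, exponent, modulus; here exponent 65537 and a fake 4-byte modulus.
OLD_KSK = dnskey_rdata(257, 3, 5, b"\x03\x01\x00\x01" + b"\xab\xcd\xef\x01")
NEW_KSK = dnskey_rdata(257, 3, 5, b"\x03\x01\x00\x01" + b"\x12\x34\x56\x78")
ZSK = dnskey_rdata(256, 3, 5, b"\x03\x01\x00\x01" + b"\x0f\x0e\x0d\x0c")

if __name__ == "__main__":
    ds = make_ds("example.org", OLD_KSK)  # placeholder zone name
    print("DS to submit via EPP:", ds)
    # The child rolled to NEW_KSK but the parent still holds the old DS: broken chain.
    print("after KSK roll without DS update:", audit([ds], "example.org", [NEW_KSK, ZSK]))
```

The safe order for a KSK roll follows directly from the audit: publish the new KSK in the child DNSKEY RRset, submit its DS, wait until the parent serves it and the old DS's TTL has passed, and only then withdraw the old KSK, so that `audit` never reports a dangling DS at any step.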

8
Participation...
  • 3 Registrars logged in, 15 names in the zone, 12
    DS records (as of 23 Nov 2005)
  • 135 names in the zone as of now
  • What can we do to help you participate?
  • On the PIR side?
  • On the Afilias side?

9
Perception Problems
  • .CL (Chilean) survey
  • Many in the technological community in Chile do
    not know what DNSSEC is
  • Some thought it was all about confidentiality
  • Have not deployed DNSSEC because
  • Worry it will confuse the market (providers are
    not yet knowledgeable, yet make many promises to
    end-users)
  • Multiple providers to deal with (ISC, APNIC,
    RIPE, etc.)
  • Education and Testbed

10
What DNSSEC does NOT do
  • DNSSEC does NOT provide confidentiality of DNS
    responses
  • DNSSEC does NOT protect against DDoS attacks
  • DNSSEC is NOT about privacy
  • DNSSEC is NOT a PKI
  • DNSSEC does NOT protect against IP spoofing

11
Why is DNSSEC important?
  • ROI vs. Return on Risk
  • Not about increased revenues, but about reduced
    risks
  • Reducing risks for your community / customers
  • High vulnerability, low awareness
  • High dependence on DNS
  • Trust is easy to lose and difficult to regain

12
What Next?
  • Not without technical challenges (e.g. Key
    Rollovers)
  • Main Challenge is still awareness and adoption
    (i.e. demand driving)
  • Technologists tend to get over excited about
    technical details
  • Some disconnect with business managers
  • Not as high profile as worms, viruses and DDoS
    attacks
  • Even though security is the highest priority

13
Man-in-the-middle Attacks
  • Stories to tell
  • Bank Account
  • Email from your bank telling you that, for
    security reasons, they need you to update your
    password
  • You know about these scams called phishing,
    where the bad guys send an email pretending to be
    legit, and the link actually goes to their
    website
  • Just to be safe, instead of clicking on your
    bank's email link, you open up your browser and
    type in the URL for your bank's login page
  • On the front page is the request for password
    change.
  • You put in your old password, and your new
    password (twice)
  • Two hours later, your entire savings account is
    wiped clean.
  • Automated Systems compromised
  • Email being intercepted

14
IDN and DNSSEC
  • Many similarities
  • Requires application (DNS client) updates
  • Requires Registries and DNS operator updates /
    deployment
  • Requires Root changes for complete experience
  • One major difference
  • Lack of explicit user demand

15
Awareness and Participation
  • ccTLDs and gTLDs should implement DNSSEC testbeds
  • Application Providers
  • Browsers, MTAs
  • ISPs
  • Industry should help promote awareness
  • Must a catastrophe happen first?...
  • For more info and to participate
  • http://www.dnssec.net
  • http://www.dnssecdeployment.org

16
Thank You
  • Edmon Chung
  • edmon@afilias.info