FOSE 2011: DNSSEC and the Government, Lessons Learned


At FOSE 2011, the panel discussion on the deployment of domain name system security extensions (DNSSEC) within government included Neustar VP and Senior Technologist, Rodney Joffe, who sat side-by-side with some of the industry’s best and discussed how federal IT managers can leverage private sector best practices to meet OMB and FISMA mandated DNSSEC requirements. Entitled “DNS-3: Private Sector Deployment in .com, .net, .org and Beyond,” the panel discussed lessons learned and how federal agencies that have yet to deploy DNSSEC can do so successfully. Visit for more information.


  1. DNSSEC Deployment: Lessons Learned
     Rodney Joffe, SVP and Senior Technologist, 07/20/2011
  2. Neustar DNSSEC: Three Key Areas of Experience
     » 1) Signed TLD zones for registries we operate: .us, .biz, .co
     » 2) Hosted (secondary) signed ccTLDs: .uk, .jp, .fi, .nu
     » 3) Implemented a managed DNSSEC service using a code base entirely separate from BIND
     © Neustar Inc. / Proprietary and Confidential
  3. Neustar Experience: Signing TLD Zones
     » Our three signed zones have 1-2 million names each
     » We use NSEC negative answers and different DNSSEC key algorithms
     » We used a fairly straightforward deployment plan which requires care but is not scary
  4. Neustar Experience: Hosting Other Signed TLDs
     » We have seen the impact of transferring signed zones
     » Different registries have used different approaches to DNSSEC, which has an impact on zone distribution
     » Zones are larger
     » Zones are changed more often
     » Coordinating computing resources to handle the increased pressure of the updates was harder than anticipated
  5. Neustar Experience: Managed DNSSEC Implementation
     » Neustar has nearly 10 years of experience in DNSSEC development and operations
       » US and BIZ registries are DNSSEC signed, 7 years after our first test beds
       » Participation in specification development
       » Active participation in global network operations fora
     » Other credentials relating to DNS
       » Pioneered anycast techniques
       » DDoS mitigation work
     » Experience in secure distributed database operations and operating Managed DNS services
     » Neustar's fully managed DNS and DNSSEC solution provides:
       » Resiliency and reliability thanks to a multi-node footprint
       » Automated, customizable key management
       » Optional FIPS Level 3
  6. Lessons Learned from Neustar Registry Deployment
     » Upfront effort to begin DNSSEC
       » Upgrade (renovate) DNS infrastructure to support DNSSEC
     » Institute key management functions. DNSSEC relies on solid key management
       » Creating a key poorly may lead to someone guessing it
       » Allowing keys to be seen by operators risks the secret
       » Choice of algorithms and key size
       » Timing of key operations, signature lifetime, key effectivity, and key supersession
     » Ongoing effort to maintain DNSSEC
       » Keep data "fresh": DNSSEC data can go stale
       » Participation in more public meetings and mail lists
  7. Thank You!
  8. DNSSEC Chain of Trust (diagram): Root DNS → Authoritative DNS, TLD (.com., .gov., .biz.) → Authoritative DNS (SLD) → Recursive DNS → Client / stub resolver
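The "keep data fresh" and key-timing points on the lessons-learned slide are the ones that bite operators after the initial signing is done: an RRSIG that has quietly expired makes the zone fail validation everywhere, and a key rollover performed faster than caches can follow has the same effect. The following Python script is an added example, not material from the slides or Neustar's tooling. It parses RRSIG records in the standard RFC 4034 presentation format (constructed sample lines for a hypothetical zone `example.test.`), classifies each signature against an audit clock, and computes a simplified pre-publish ZSK rollover timeline. The `prepublish_zsk_timeline` function, its parameters, and the 7-day warning threshold are assumptions chosen for illustration; the rollover waiting rule is a simplification of RFC 6781's pre-publish method, not a full implementation of it.

```python
"""Signature-freshness audit and pre-publish ZSK rollover timing for a DNSSEC zone.

Added example (not from the slides). Assumes RRSIG records in RFC 4034
presentation format with YYYYMMDDHHmmSS UTC timestamps; standard library only,
so it runs offline against the constructed sample below.
"""
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed sample RRSIGs for the hypothetical zone "example.test.":
# owner, TTL, class, RRSIG, type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature (dummy base64).
SAMPLE_RRSIGS = """\
www.example.test.  3600 IN RRSIG A  8 3 3600 20110801000000 20110702000000 12345 example.test. c2lnMQ==
www.example.test.  3600 IN RRSIG A  8 3 3600 20110722000000 20110622000000 12345 example.test. c2lnMg==
mail.example.test. 3600 IN RRSIG MX 8 3 3600 20110701000000 20110601000000 12345 example.test. c2lnMw==
"""


class Rrsig(NamedTuple):
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _parse_ts(field: str) -> datetime:
    """RFC 4034 timestamp (YYYYMMDDHHmmSS) as an aware UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG line; the signature bytes themselves are not verified here."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0], type_covered=f[4], expiration=_parse_ts(f[8]),
                 inception=_parse_ts(f[9]), key_tag=int(f[10]), signer=f[11])


def signature_status(sig: Rrsig, now: datetime,
                     warn_before: timedelta = timedelta(days=7)) -> str:
    """Classify one signature against the validation clock.

    A validator accepts the RRSIG only while inception <= now <= expiration.
    'expiring-soon' is the operational warning behind "keep data fresh": the
    signature still validates, but re-signing must happen before it lapses.
    """
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    if sig.expiration - now <= warn_before:
        return "expiring-soon"
    return "valid"


def audit_zone(rrsig_text: str, now: datetime) -> list[tuple[str, str, str]]:
    """Return (owner, type covered, status) for every RRSIG line in the text."""
    sigs = (parse_rrsig(line) for line in rrsig_text.splitlines() if line.strip())
    return [(s.owner, s.type_covered, signature_status(s, now)) for s in sigs]


def prepublish_zsk_timeline(publish_at: datetime, dnskey_ttl: int,
                            propagation_delay: int, max_zone_ttl: int) -> dict[str, datetime]:
    """Earliest safe times for a pre-publish ZSK rollover (assumed, simplified model).

    The new DNSKEY must be in every cache before any signature made with it
    appears (wait DNSKEY TTL plus propagation to all secondaries), and the old
    key may only be withdrawn once every signature it produced has aged out of
    caches (wait the longest zone TTL plus propagation again).
    """
    key_visible = publish_at + timedelta(seconds=dnskey_ttl + propagation_delay)
    old_key_removable = key_visible + timedelta(seconds=max_zone_ttl + propagation_delay)
    return {"publish_new_key": publish_at,
            "sign_with_new_key_after": key_visible,
            "remove_old_key_after": old_key_removable}


if __name__ == "__main__":
    clock = datetime(2011, 7, 20, tzinfo=timezone.utc)  # date of the talk, used as audit clock
    for owner, rtype, status in audit_zone(SAMPLE_RRSIGS, clock):
        print(f"{owner:20} {rtype:4} {status}")
    for step, when in prepublish_zsk_timeline(clock, 3600, 3600, 86400).items():
        print(f"{step:26} {when.isoformat()}")
```

Run against the constructed sample with the talk date as the clock, the first `www` signature is still comfortably valid, the second is inside the warning window, and the `mail` signature has already expired, which is exactly the stale-data condition the slide warns about. The timeline output shows why rollovers cannot be rushed: with a one-hour DNSKEY TTL and one-hour propagation, signing with the new key has to wait two hours, and removing the old key waits a further day plus propagation.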