FOSE 2011: DNSSEC and the Government, Lessons Learned

At FOSE 2011, the panel discussion on the deployment of domain name system security extensions (DNSSEC) within government included Neustar VP and Senior Technologist, Rodney Joffe, who sat side-by-side with some of the industry’s best and discussed how federal IT managers can leverage private sector best practices to meet OMB and FISMA mandated DNSSEC requirements. Entitled “DNS-3: Private Sector Deployment in .com, .net, .org and Beyond,” the panel discussed lessons learned and how federal agencies that have yet to deploy DNSSEC can do so successfully. Visit http://www.ultradns.com for more information.

Published in: Technology

FOSE 2011: DNSSEC and the Government, Lessons Learned

  1. DNSSEC Deployment: Lessons Learned
     Rodney Joffe, SVP and Senior Technologist, 07/20/2011
  2. Neustar DNSSEC: Three Key Areas of Experience
     » 1) Signed TLD zones for registries we operate - .us, .biz, .co
     » 2) Hosted (secondary) signed ccTLDs – .uk, .jp, .fi, .nu
     » 3) Implemented a managed DNSSEC service using a code base entirely separate from BIND
     © Neustar Inc. / Proprietary and Confidential
  3. Neustar Experience: Signing TLD Zones
     » Our three signed zones have 1-2 million names each
     » We use NSEC negative answers and different DNSSEC key algorithms
     » We used a fairly straightforward deployment plan which requires care but is not scary
  4. Neustar Experience: Hosting other signed TLDs
     » We have seen the impact of transferring signed zones
     » Different registries have used different approaches to DNSSEC which has an impact on zone distribution
     » Zones are larger
     » Zones are changed more often
     » Coordinating computing resources to handle the increased pressure of the updates was harder than anticipated
  5. Neustar Experience: Managed DNSSEC Implementation
     » Neustar has nearly 10 years of experience in DNSSEC development and operations
        » US and BIZ registries are DNSSEC signed, 7 years after our first test beds
        » Participation in specification development
        » Active participation in global network operations fora
     » Other credentials relating to DNS
        » Pioneered anycast techniques
        » DDoS mitigation work
     » Experience in secure distributed database operations and operating Managed DNS services
     » Neustar’s fully managed DNS and DNSSEC solution provides:
        » Resiliency and reliability thanks to a multi node footprint
        » Automated, customizable key management
        » Optional FIPS Level 3
  6. Lessons Learned from Neustar Registry Deployment
     » Upfront effort to begin DNSSEC
        » Upgrade (renovate) DNS infrastructure to support DNSSEC
     » Institute key management functions. DNSSEC relies on solid key management
        » Creating a key poorly may lead to someone guessing it
        » Allowing keys to be seen by operators risks the secret
        » Choice of algorithms and key size
        » Timing of key operations, Signature lifetime, Key effectivity, and Key supersession
     » Ongoing effort to maintain DNSSEC
        » Keep data "fresh", DNSSEC data can go stale
        » Participation in more public meetings and mail lists
  7. Thank You!
  8. DNSSEC Chain of Trust (diagram)
     » Root DNS
     » Authoritative DNS (TLD): .com., .gov., .biz.
     » Authoritative DNS (SLD): domain.biz, site.biz., ultradns.biz
     » Recursive DNS
     » Client / stub resolver
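
Slide 6 warns that DNSSEC data can go stale and lists signature lifetime among the timing decisions; in practice that means watching the inception and expiration times carried in every RRSIG. The following is an added example, not Neustar's tooling or anything from the slides: it audits RRSIG records in RFC 4034 presentation format, and the zone name, key tags, signatures and the 3-day warning threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG lines in RFC 4034 presentation format, as a tool
# such as `dig +dnssec` prints them. Names, key tags and signatures are made up.
SAMPLE = """\
example.biz. 3600 IN RRSIG SOA 8 2 3600 20110803000000 20110720000000 12345 example.biz. c2lnMQ==
example.biz. 3600 IN RRSIG NS 8 2 3600 20110722000000 20110708000000 12345 example.biz. c2lnMg==
example.biz. 3600 IN RRSIG DNSKEY 8 2 3600 20110719000000 20110705000000 54321 example.biz. c2lnMw==
www.example.biz. 300 IN A 192.0.2.10
"""

def rrsig_time(field):
    """RRSIG times are UTC, written as YYYYMMDDHHmmSS or as epoch seconds."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, key_tag, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner TTL IN RRSIG covered alg labels origTTL expiration inception tag signer sig...
        if len(f) >= 13 and f[2] == "IN" and f[3] == "RRSIG":
            yield f[0], f[4], int(f[10]), rrsig_time(f[9]), rrsig_time(f[8])

def classify(inception, expiration, now, warn=timedelta(days=3)):
    """A validator rejects signatures outside [inception, expiration]."""
    if now >= expiration:
        return "EXPIRED"        # stale data: validating resolvers treat it as bogus
    if now < inception:
        return "NOT_YET_VALID"  # usually clock skew on the signer or the checker
    if expiration - now <= warn:
        return "EXPIRING"       # re-sign before resolvers start failing
    return "OK"

def audit(text, now, warn=timedelta(days=3)):
    """Return (owner, type_covered, key_tag, status) for every RRSIG in text."""
    return [(owner, covered, tag, classify(inc, exp, now, warn))
            for owner, covered, tag, inc, exp in parse_rrsigs(text)]

if __name__ == "__main__":
    for row in audit(SAMPLE, datetime(2011, 7, 20, 12, 0, tzinfo=timezone.utc)):
        print(*row)
```

Run on a schedule against each authoritative server, an EXPIRING result is the signal to re-sign; the warning window should be longer than the time it takes to re-sign and distribute the zone.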