  1. Secure Naming Infrastructure Pilot (SNIP)
     A .gov Community Pilot for DNSSEC Deployment
     JointTechs Workshop, July 18, 2007
     Scott Rose, NIST
     [email_address]
  2. SNIP Goals
     • DNSSEC is now a FISMA Requirement.
       • NIST SP-800-53-r1 (Dec 2006) “Recommended Security Controls for Federal Information Systems” mandates the incremental deployment of DNSSEC technologies in Moderate and High Impact IT systems.
         • Moderate Impact – must sign zones.
         • High Impact – must be prepared to validate signatures.
     • Need to facilitate technology insertion and adoption.
       • Standards, implementations and policies don’t guarantee success.
       • Need for technical community resources and activities to foster early deployments, refine policies and plans, share information and expertise.
  3. SNIP Basics
     • SNIP will build a USG DNS Ops community and shared pilot
       • Provide “distributed training ground” for .gov operators deploying DNSSEC
       • Ability to pilot agency-specific scenarios either locally or in SNIP-provided resources.
       • Create a community resource for DNS admins in the USG to share knowledge and to refine specifications, policies and plans.
     • SNIP basis is a signed shadow zone under .gov (dnsops.gov)
       • Will offer delegations and secure chaining to subzones
         • Example – NIST would participate as nist.dnsops.gov
       • May offer limited hosting service as well
         • Goal isn't to be a hosting service, but to help bootstrap others to host their own zones.
  4. SNIP as a Testbed
     • Use SNIP tree to exercise DNSSEC operations
       • Test DNSSEC deployment scenarios.
         • Multi-vendor platforms for authoritative / caching servers, resolvers.
         • Zone structure / contents / distribution.
       • Test DNSSEC operations described in SP800-81
         • Zone signing, key rollovers, zone transfers.
       • Test DNSSEC administration tools (from NIST, Sparta and Shinkuro)
       • Test performance in agency-specific scenarios.
     • Community hands-on participation
       • Agency DNS operators can participate in a NIST/SPARTA-led exercise.
       • Results will be published for the community
  5. What SNIP is Not
     • Mandatory
     • Permanent
       • Expected lifetime: 2-3 years
       • The community tools and email lists will remain after the testbed activities conclude.
     • 100% Uptime
       • This is an experimental testbed in which we will conduct disruptive experiments, load/stress test servers, etc.
  6. Levels of Participation
     • Delegation only
       • Participants use their own testbed systems and perform all administration associated with setup / experimentation.
     • Remote administration
       • Participants use SNIP testbed equipment, but perform all administration.
     • Hosted experiments
       • NIST/SPARTA set up a mirror of agency-specific infrastructure, but using SNIP equipment and administration, for a specific experiment.
       • For limited use in investigating specific deployment / technology issues.
  7. The Big Picture – DNSSEC in .gov
     [Diagram. Labels: SNIP Core Infrastructure; Internet2 DNSSEC Pilot; DREN DNSSEC Pilot; dnsops.gov.; dhs.dnsops.gov.; nist.dnsops.gov.; antd.nist.dnsops.gov.; fda.dnsops.gov.; esnet.doe.dnsops.gov.; ag1.dnsops.gov.; ag2.dnsops.gov.; zoneedit; dns-outsource.com]
  8. Testbed Technical Details
     • Multiple authoritative server implementations
     • Internet2 connection (IPv6 testing)
     • May have alternate hosting capabilities (multiple servers)
       • Secondaries in other locations?
     • Ability to host other zones (or servers) for delegations lacking equipment to participate fully.
       • Zone data can be real (servers), or anonymized
     • Will maintain and publish trust anchor for dnsops.gov. tree
  9. SNIP Infrastructure Resources
     • Primary Site – NIST / Gaithersburg MD.
       • Authoritative dnsops.gov. DNS servers
     • Secondary Site – Sparta / Columbia MD
       • Geographic and network dispersion (sort of)
       • Zone transfers using TSIG for message authentication
     • Reconfigurable emulated wide area topology.
       • 20+ node Emulab being deployed at NIST.
  10. Additional NIST Resources
     • Other SNIP infrastructure
       • Web server and mail host for mailing lists
       • Test and measurement systems
     • Signing Infrastructure – dnsops.gov. apex.
       • Done behind firewall
       • Private keys not stored on servers
       • Scheduled resigning done every month
         • Also after updates as necessary
  11. SNIP Topology
     [Diagram. Labels: SNIP Primary Auth Server; SNIP Secondary Auth Server; Signing system; Test and Measurement Systems; Emulab Network; NIST Network; Internet / UUNet; Internet2 / MAX]
  12. SNIP Operational Overview
     • Will use procedures outlined in SP800-81
       • 1024 bit RSA ZSK
         • Rolled over every month
       • 2048 bit RSA KSK
         • Rolled over during experimentation
         • Published as pilot trust anchor
     • ZSK rollover every 30 days
       • KSK on a less formal basis (experiment in trust anchor rollover)
     • Using NSEC initially, may experiment signing with NSEC3
  13. DNS Administrator Resources
     • Will remain active after SNIP zone shuts down
     • Project Website
       • Links to guides, tools, and performance stats
     • Mailing list
       • Useful for announcements and security bulletins
     • Revision of NIST SP800-81
       • Using knowledge gained during SNIP operational lifetime
       • More examples of different server implementations
       • Information on how to interact with parent zones (GSA)
  14. SNIP Impact
     • Stepping stone for operational use
       • USG DNS operators get experience running a delegation under dnsops.gov before deploying in their own agency
     • Tool testing
       • Tech transfer / training on existing tool suites (NIST, SPARTA, Shinkuro, ISC, et al).
     • Platform Testing
       • Multi-vendor environment
         • Servers – ISC/BIND, NSD, Microsoft, Nominum(?) and more surprises
         • Resolvers – Linux, BSD, Microsoft, OS X
         • Applications – TBD.
     • Procedure Testing
       • Refinement of procedure/policy guidance and reporting requirements
  15. Participation
     • Will try to accommodate all
       • Non-USG entities: dnsops.biz
         • May try to get a presence in other TLDs as well
       • Don’t want a delegation?
         • How about a DNAME?
       • Tool developers
         • Can run locally or have delegation/secondary/etc. as necessary.
  16. Resources
     • NIST Special Publications page
       • http://www.csrc.nist.gov/
     • DNSSEC Project Page
       • http://www.dnsops.gov
       • http://www-x.antd.nist.gov/dnssec
     • DNSSEC-Deployment Web page
       • Informal working group
       • http://www.dnssec-deployment.org/
       • http://www.dnssec-deployment.org/news/dnssecthismonth/
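
An added example, not part of the original slides: a check an operator could run on a DNSKEY record against the key sizes on the SNIP Operational Overview slide (1024-bit RSA ZSK, 2048-bit RSA KSK), which also derives the key tag and DS digest used to compare a KSK with a published trust anchor. The function names, the SHA-256 digest type and the constructed sample key bytes are assumptions; the slides do not specify them.

```python
import base64, hashlib, struct

POLICY_BITS = {"ZSK": 1024, "KSK": 2048}   # sizes from the SNIP Operational Overview slide
RSA_ALGS = {5, 7, 8, 10}                   # IANA DNSSEC algorithm numbers that use RSA keys

def name_to_wire(name):
    """Canonical lower-case wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def rsa_modulus_bits(pub):
    """Modulus size of an RFC 3110 public key: exponent length, exponent, modulus."""
    if pub[0]:
        exp_len, off = pub[0], 1
    else:  # first byte 0 means a two-byte exponent length follows
        exp_len, off = struct.unpack("!H", pub[1:3])[0], 3
    return int.from_bytes(pub[off + exp_len:], "big").bit_length()

def inspect_dnskey(owner, flags, protocol, alg, key_b64):
    """Return role, key tag, DS digest (SHA-256, an assumption) and policy problems."""
    pub = base64.b64decode(key_b64)
    rdata = struct.pack("!HBB", flags, protocol, alg) + pub
    role = "KSK" if flags & 0x0001 else "ZSK"      # SEP bit is set on key signing keys
    problems = []
    if not flags & 0x0100:
        problems.append("Zone Key flag not set")
    if protocol != 3:
        problems.append("protocol field must be 3")
    if alg not in RSA_ALGS:
        problems.append("algorithm is not RSA")
    elif rsa_modulus_bits(pub) != POLICY_BITS[role]:
        problems.append("%s modulus is %d bits, expected %d"
                        % (role, rsa_modulus_bits(pub), POLICY_BITS[role]))
    ds = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"role": role, "key_tag": key_tag(rdata), "ds_sha256": ds, "problems": problems}

def constructed_key(bits):
    """Constructed bytes shaped like an RSA key (exponent 65537); not a usable key."""
    return base64.b64encode(b"\x03\x01\x00\x01" + b"\xc1" + bytes(bits // 8 - 1)).decode()

if __name__ == "__main__":
    # Constructed inputs: a conforming KSK, a conforming ZSK, and an undersized KSK.
    for flags, bits in ((257, 2048), (256, 1024), (257, 1024)):
        print(flags, bits, inspect_dnskey("dnsops.gov.", flags, 3, 5, constructed_key(bits)))
```

A validator operator would compare the returned key tag and digest with the values in the published trust anchor before configuring it.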