DNSSEC webinar for CNRS          February 9th 2012                             Roland van Rijswijk                    rola...
About SURFnet                                   National Research and Education                                   Network ...
Agenda    - Introduction    - Vulnerabilities in DNS    - What is DNSSEC and how does it work?    - Deploying DNSSEC: wher...
DNS: TomTom™ for the Internet4   SURFnet. We make innovation work   cb
Why attack DNS?- DNS is everywhere:  - In your phone, in your laptop, in your PC…  - But also in your car, in an ATM, in y...
DNS attack vectors                                                                                                        ...
Cache poisoning7   SURFnet. We make innovation work   cb
Bad news...    http://lambicpeach.files.wordpress.com/2008/10/badnewspup.jpg8        SURFnet. We make innovation work      ...
Good news :-)9   SURFnet. We make innovation work   cb
What is DNSSEC?     - DNSSEC was first devised in 1997     - We are at the third generation of the       protocol         -...
What is DNSSEC?     - Digital Signatures guarantee       authenticity of DNS records         - Like a wax seal     - Resol...
DNS attack vectors revisited                                                                                              ...
Deployment status     - Root was signed on July 15th 2010     - Signed generic TLDs:       .asia, .biz, .cat, .com, .edu, ...
Validation rate     - We measure validation on our resolvers:14   SURFnet. We make innovation work            cb
Operating a validating resolver15   SURFnet. We make innovation work   cb
Software         - The majority of DNS resolvers support DNSSEC           out-of-the box:     Product                     ...
Chain of trust                                            Root KSK public key           trust anchor                      ...
Trust anchor configuration       - You should seriously consider using a resolver         that supports RFC 5011       - Ch...
Setting up a validating resolver     - HOWTO instructions for BIND:       https://dnssec.surfnet.nl/?p=402     - HOWTO ins...
Checking your setup (1)       - Perform a lookup of a record known to be         signed, for instance: www.surfnet.nl$ dig...
Checking your setup (2)        - Visit one of the DNSSEC test sites such as:          http://www.nic.cz/dnssec          ht...
Dealing with validation failures     - Validation failures will lead to the resolver       returning SERVFAIL     - Client...
Impact on resource use     - DNSSEC relies on public key cryptography       - Crypto eats CPU cycles, right?     - We’ve b...
Troubleshooting     - DNSSEC relies on the EDNS0 extension (RFC       2671)       - For larger messages (signatures)      ...
UDP fragmentation issues     - Late 2010 we experienced problems with a large       ISP in The Netherlands     - surfnet.n...
UDP fragmentation issues            Authoritative            Name Server                             ➀         ➁          ...
All is well that ends well?     - We talked to their engineers     - They could not replace the firewall     - Keep in mind...
The saga continues     - Everything worked well until in March 2011 we       suddenly started getting complaints from some...
The firewall strikes back     - It turned out that only customers using the       hosted MS Exchange service had issues    ...
Maybe we should give the     DNSSEC OK bit another name30   SURFnet. We make innovation work   cb
How many people validate?31
Operating a signed zone32   SURFnet. We make innovation work   cb
Why sign your zone?     - Because your website represents a valuable       asset for your organisation     - To prevent re...
User study        - We did a user study among our constituency            - 169 persons asked to participate            - ...
When to sign your zone?     - Your infrastructure should be ready         - Remember the firewall trouble mentioned when re...
Advice for getting started     - Make use of available tooling         - OSS: OpenDNSSEC, BIND         - Commercial signer...
Signer software (1)     - OpenDNSSEC     - BIND 9.x         - Key storage in the clear on disk         - HSM support only ...
Signer software (2)     - Secure64 DNS signer       http://www.secure64.com     - Xelerance DNS-X signer       http://www....
Monitoring     - Monitoring helps to detect problems early-on     - When monitoring a signed zone, look for:         - Sig...
How to sign your zone:     case study SURFnet     - SURFnet operates a managed DNS environment       called ‘SURFdomeinen’...
SURFdomeinen41   SURFnet. We make innovation work   cb
Requirements     - DNSSEC should be a ‘box to tick’         - DNS is already considered to be complex by many users,      ...
Design decision: using HSMs     - HSM = Hardware Security Module     - Secure and robust way to store DNSSEC key       mat...
Design decision: OpenDNSSEC     - SURFnet participates in the project         - Other partners are: IIS (.se), Nominet (.u...
Design decision: OpenDNSSEC     - OpenDNSSEC 1.1         - Current version; used in production by a number of top-level   ...
OpenDNSSEC architecture46   SURFnet. We make innovation work   cb
Design: bump-in-the-wire                                       DNS                                       zone             ...
Design: data flow               DNS                            DNS               zone                           zone       ...
Design: network security               Colocation                  DNS VLAN                                               ...
Design: redundancy        Signer:     - Warm standby system in a different co-location     - MySQL master-slave replicatio...
Enabling DNSSEC:     user perspective     - Push-the-button signing:     - Unsigned to signed in 15 minutes51   SURFnet. W...
When things go wrong...52                               Photo courtesy of jeffwilcox@FlickR
Admitting mistakes53                          Photo © 2003 philg@mit.edu
AXFR bug in OpenDNSSEC        - surfnet.nl was signed for the first time in          September 2010 (on a Monday)        - ...
Stories from the trenches...                  - .cz and .us became ‘bogus’ because of a                    mistake during ...
If you’re lucky...     - this is what users will see:56                    many thanks to Marco Davids of SIDN for the scr...
But in most cases...     - this is what users will see:57   - (and this is better IMHO!)
Contacting domain owners     is hard58
Further readinghttp://bit.ly/sn-dnssec-2008            http://bit.ly/sn-dnssec-val   http://bit.ly/sn-cryptoweb  59       ...
Online resources     - http://dnssec.surfnet.nl         - With lots of information about the choices we made while        ...
Conclusions     - DNSSEC deployment is in full swing     - The ball is now in your court!     - Seriously consider enablin...
roland.vanrijswijk@surfnet.nlQuestions? Comments?   nl.linkedin.com/in/rolandvanrijswijk                       @reseauxsan...
Upcoming SlideShare
Loading in …5
×

Webinar dnssec for cnrs - 20120209

728 views
563 views

Published on

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
728
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • We need DNS everywhere\n
  • \n
  • \n
  • \n
  • In 2008 this was bad news: how could you still trust the Internet?\n
  • Luckily, some folks at the IETF found a way to solve this issue: DNSSEC\n
  • Reference “after 10 years a protocol that hasn’t been picked up can be declared dead” of this morning\n
  • \n
  • \n
  • \n
  • \n
  • Q: How many of you here already operate a validating resolver?\n
  • \n
  • \n
  • Explain trust anchor concept (like a root certificate in SSL)\n
  • \n
  • ad = authenticated data\n
  • \n
  • \n
  • You want many servers rather than one big one and loadbalance them so you can scale up\n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Name example: HSM sync problem last week\n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Explain why this is better, SSL pop-ups\n
  • Hard to find zone owner (anon reg, SOA e-mail not working, cannot e-mail if MX record does not validate!) -- need to try nevertheless\n\nMention DNS health initiative?\n
  • \n
  • \n
  • \n
  • \n
  • Webinar dnssec for cnrs - 20120209

    1. 1. DNSSEC webinar for CNRS February 9th 2012 Roland van Rijswijk roland.vanrijswijk@surfnet.nl
    2. 2. About SURFnet National Research and Education Network (NREN) - like RENATER Founded in 1986 >11000 km of fibre-optic cables for an ultra high-bandwidth network ‘Shared ICT innovation centre’ ≥ 160 connected institutions ±1 million end-users2 SURFnet. We make innovation work cb
    3. 3. Agenda - Introduction - Vulnerabilities in DNS - What is DNSSEC and how does it work? - Deploying DNSSEC: where to start - Perils & pitfalls: what have we learned? - DNSSEC at SURFnet: what have we done? - Conclusion & questions3 SURFnet. We make innovation work cb
    4. 4. DNS: TomTom™ for the Internet4 SURFnet. We make innovation work cb
    5. 5. Why attack DNS?- DNS is everywhere: - In your phone, in your laptop, in your PC… - But also in your car, in an ATM, in your elevator, …- It is very hard to protect plain DNS against attacks- It is very easy to attack a lot of users SURFnet. We make innovation work cb
    6. 6. DNS attack vectors Zone file Dy ies Primary na er m ic Qu up da Zone transfers te s QueriesStub resolver Qu Caching resolver e rie s Secondaries Man in the Cache Data Data Spoofed Corrupt data 6 SURFnet. We make innovation work middle poisoning modification modification updates cb
    7. 7. Cache poisoning7 SURFnet. We make innovation work cb
    8. 8. Bad news... http://lambicpeach.files.wordpress.com/2008/10/badnewspup.jpg8 SURFnet. We make innovation work cb
    9. 9. Good news :-)9 SURFnet. We make innovation work cb
    10. 10. What is DNSSEC? - DNSSEC was first devised in 1997 - We are at the third generation of the protocol - DNSSEC (ca. 2000) - DNSSECbis (2005) - NSEC3 (2008) - Some 20 (!) active RFCs - That’s excluding the ‘normal’ DNS RFCs - Protocol is mature - Changes are mainly new algorithms10 SURFnet. We make innovation work cb
    11. 11. What is DNSSEC? - Digital Signatures guarantee authenticity of DNS records - Like a wax seal - Resolvers validate the signatures and discard records with bogus signatures - DNSSEC only provides authenticity - So no confidentiality - nor protection against DDoS - or typosquatting, phishing, etc.11 SURFnet. We make innovation work cb Photo courtesy of UK National Archive cat. no. C202/194/8
    12. 12. DNS attack vectors revisited Zone file Dy ies Primary na er m ic Qu up C C da Zone transfers te SE SE s S S QueriesStub resolver D N Qu D N Caching resolver e rie s C S SE N Secondaries D EC S S 12 Man in the SURFnet. We make innovation work middle Cache poisoning D N Data modification Data modification Spoofed updates Corrupt data cb
    13. 13. Deployment status - Root was signed on July 15th 2010 - Signed generic TLDs: .asia, .biz, .cat, .com, .edu, .gov, .info, .museum, .net, .org, .pro, .mil - Signed ccTLDs: 60 countries & counting - Includes .fr, .de, .uk, .nl - Registrars are starting to support DNSSEC e.g. 41 .org registrars, source: PIR, http://pir.org/get/registrars13 SURFnet. We make innovation work cb
    14. 14. Validation rate - We measure validation on our resolvers:14 SURFnet. We make innovation work cb
    15. 15. Operating a validating resolver15 SURFnet. We make innovation work cb
    16. 16. Software - The majority of DNS resolvers support DNSSEC out-of-the box: Product DNSSEC RFC 5011 ISC BIND Yes Yes Unbound Yes Yes djbdns No n/a MaraDNS No n/a Microsoft DNS (W2K8 R2) Yes, but* No* Simple DNS Plus Yes No** Nominum Vantio Yes No** * Seriously limited -- DO NOT USE! ** Not specified in product documentation16 SURFnet. We make innovation work cb
    17. 17. Chain of trust Root KSK public key trust anchor Root KSK private key nl nl zone signs Root ZSK public keyroot (.) root zone contains surfnet.nl DS record signs Root ZSK private key reference to contains nl DS record surfnet.nl KSK public key reference to surfnet.nl KSK private key nl KSK public key signs nl KSK private key surfnet.nl ZSK public key surfnet surfnet zone signs signs surfnet.nl ZSK private key nl ZSK public key contains nl nl zone www signed record for signs www.surfnet.nl nl ZSK private key
    18. 18. Trust anchor configuration - You should seriously consider using a resolver that supports RFC 5011 - Check the validity of your trust anchor(s) at regular intervals - Validate a trust anchor before using it!. IN DS 19036 8 2 ! 49AAC11D7B6F6446702E54A160737160! ! ! ! ! ! ! 7A1A41855200FD2CE1CDDE32F24E8FB5! ! ! ! ! ! ! xidep-pybec-tyvak-zonag-kesud-! ! ! ! ! ! ! vohip-cumul-fysuk-bivac-pubam-! ! ! ! ! ! ! hugeb-buzud-symes-tylaf-dosog-! ! ! ! ! ! ! vufor-huxax 18 SURFnet. We make innovation work cb
    19. 19. Setting up a validating resolver - HOWTO instructions for BIND: https://dnssec.surfnet.nl/?p=402 - HOWTO instructions for Unbound: https://dnssec.surfnet.nl/?p=212 - Shameless advert: use (or try) Unbound! http://unbound.net19 SURFnet. We make innovation work cb
    20. 20. Checking your setup (1) - Perform a lookup of a record known to be signed, for instance: www.surfnet.nl$ dig +dnssec +noauth www.surfnet.nl @your-resolver...;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6193;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6,ADDITIONAL: 13...;; ANSWER SECTION:www.surfnet.nl.! 3541! IN! A! 145.0.2.10www.surfnet.nl.! 3541! IN! RRSIG! A 8 3 360020120209210255 20120202092011 65233 surfnet.nl.jBv79k4EvXt3bN6moWuY5Sr8KuUW4rDodso3SMMrbMgg9uBT7kdVRRzWveMF6vZBTxtaacefbMud41G...... 20 SURFnet. We make innovation work cb
    21. 21. Checking your setup (2) - Visit one of the DNSSEC test sites such as: http://www.nic.cz/dnssec http://www.dnssec-failed.org http://test.dnssec-or-not.org/ <-- funny - And verify the result: source: nic.cz21 SURFnet. We make innovation work cb
    22. 22. Dealing with validation failures - Validation failures will lead to the resolver returning SERVFAIL - Clients will try all configured resolvers - If one of them doesn’t validate, the query will succeed and the user probably only notices a slight delay - In our experience, users don’t call the helpdesk - So no: “The Internet is broken” - Nevertheless: if you see validation failures then try to alert the zone owner http://xkcd.com/386/22 SURFnet. We make innovation work cb
    23. 23. Impact on resource use - DNSSEC relies on public key cryptography - Crypto eats CPU cycles, right? - We’ve been running with full validation enabled for almost 3 years - The impact on CPU load is negligible - Measuring doesn’t show a significant difference - Remember: DNS resolving is all about caching results23
    24. 24. Troubleshooting - DNSSEC relies on the EDNS0 extension (RFC 2671) - For larger messages (signatures) - For the DO-bit (DNSSEC OK) - Some network hardware has problems with DNSSEC traffic - Firewalls are notorious for blocking: - UDP packets over 512 bytes in size - Fragmented UDP packets - TCP on port 53 - CPE/SOHO routers also cause trouble - Buggy DNS implementations that interfere with your traffic -- Nominet report: http://bit.ly/cfQBMu24
    25. 25. UDP fragmentation issues - Late 2010 we experienced problems with a large ISP in The Netherlands - surfnet.nl had just gotten a DS in .nl - Colleagues started complaining that they could not log on to their mail from home - It turned out to be a firewall at the ISP that discarded UDP fragments - Even though they did not do validation, they could not resolve our records!25 SURFnet. We make innovation work cb
    26. 26. UDP fragmentation issues Authoritative Name Server ➀ ➁ min(MTU) = 1500 bytes Internet (somewhere in transit) ➂ ➄ Firewall ➃ ➅ Recursive Caching Name Server26 (resolver)
    27. 27. All is well that ends well? - We talked to their engineers - They could not replace the firewall - Keep in mind: all modern resolvers (BIND, Unbound) have EDNS0 + DO=1 enabled by default - In the end, they lowered the EDNS0 buffer size on their resolver to 512 bytes - Problem solved, right?27 SURFnet. We make innovation work cb
    28. 28. The saga continues - Everything worked well until in March 2011 we suddenly started getting complaints from some companies trying to e-mail us - Lo and behold, they were customers of this same ISP28 SURFnet. We make innovation work cb
    29. 29. The firewall strikes back - It turned out that only customers using the hosted MS Exchange service had issues - After talking to engineers at the ISP we discovered the problem - They had upgraded the dedicated resolvers in their hosted exchange environment to Windows 2008 R2 which does EDNS0 and sets DO=1 - Solution: tweak an arcane registry setting (see https://dnssec.surfnet.nl/?p=684)29 SURFnet. We make innovation work cb
    30. 30. Maybe we should give the DNSSEC OK bit another name30 SURFnet. We make innovation work cb
    31. 31. How many people validate?31
    32. 32. Operating a signed zone32 SURFnet. We make innovation work cb
    33. 33. Why sign your zone? - Because your website represents a valuable asset for your organisation - To prevent redirection of Internet traffic to your domain (think: VoIP, e-mail, etc.) - To protect your users - To leverage the trust that DNSSEC can establish Ho - DNSSEC is a PKI - store SSH fingerprints in DNS (SSHFP record) ts - store SSL/TLS certificates in DNS (DANE initiative) tuff - Because your competitor does it too :-) :-)33
    34. 34. User study - We did a user study among our constituency - 169 persons asked to participate - 38 responded representing 37 organisations (academia, research institutions, teaching hospitals)- Two-thirds of users feel - > 75% plan to sign their DNSSEC is important: domain: ! ! 34 SURFnet. We make innovation work cb
    35. 35. When to sign your zone? - Your infrastructure should be ready - Remember the firewall trouble mentioned when resolving was discussed - You should have a clear mandate - DNS affects everything on your network so DNSSEC does too - Think before you act :-) - The way back is harder than the way forward35 SURFnet. We make innovation work cb
    36. 36. Advice for getting started - Make use of available tooling - OSS: OpenDNSSEC, BIND - Commercial signer solutions - Make sure you have good monitoring - Write down policies and procedures - Carefully think about your design - Make your users’ life easy! - Check with your secondaries for DNSSEC support36 SURFnet. We make innovation work cb
    37. 37. Signer software (1) - OpenDNSSEC - BIND 9.x - Key storage in the clear on disk - HSM support only through patched OpenSSL - No automated key rollover (scriptable though) - BIND 10 - Still heavily under development (5 year project) - Alpha versions have been released - PowerDNSSEC - Standard starting from PowerDNS 3.0 (July 1st 2011) - ZKT (Zone Key Tool)37 SURFnet. We make innovation work cb
    38. 38. Signer software (2) - Secure64 DNS signer http://www.secure64.com - Xelerance DNS-X signer http://www.xelerance.com - IPAM vendors - Men & Mice - Infoblox - BlueCat networks - ... - Microsoft Windows Server 2008 R2* - *Severely broken, do not use! Wait for W8 Server38 SURFnet. We make innovation work cb
    39. 39. Monitoring - Monitoring helps to detect problems early-on - When monitoring a signed zone, look for: - Signature expiry - MTU problems (firewalls!) - Continuous validation - Also monitor from outside your own network - Many tools are available, for example: http://www.dnssecmonitor.org http://www.dnsviz.net39 SURFnet. We make innovation work cb
    40. 40. How to sign your zone: case study SURFnet - SURFnet operates a managed DNS environment called ‘SURFdomeinen’ - We ran a project in 2010 from Q1 to Q3 to implement DNSSEC in SURFdomeinen - Our goals: - To make it easy for our connected institutions to operate signed zones - To make it easy for ourselves to operate signed zones - We enabled DNSSEC for surfnet.nl at the end of September 201040 SURFnet. We make innovation work cb
    41. 41. SURFdomeinen41 SURFnet. We make innovation work cb
    42. 42. Requirements - DNSSEC should be a ‘box to tick’ - DNS is already considered to be complex by many users, something that doesn’t improve if you add DNSSEC - The integrity of zones should be guaranteed - SURFdomeinen should not be the ‘weakest link’ in the attack chain - Monitoring is of great importance (more on that later) - Turning DNSSEC on or off should not take too long - Ideally less than 1 hour - Once DNSSEC is turned on, customers should not notice any difference42 SURFnet. We make innovation work cb
    43. 43. Design decision: using HSMs - HSM = Hardware Security Module - Secure and robust way to store DNSSEC key material - We can never access the raw key material - Role separation - Standard API (PKCS #11) - Disadvantage: expensive43 SURFnet. We make innovation work cb
    44. 44. Design decision: OpenDNSSEC - SURFnet participates in the project - Other partners are: IIS (.se), Nominet (.uk), Kirei, SIDN (.nl), NLnet Labs en Sinodun - Goal: push-the-button signing - Functions like a ‘bump-in-the-wire’ - Possibility to have different policies for different customers - Possibility to share keys (e.g. one set of keys per customer rather than per zone)44 SURFnet. We make innovation work cb
    45. 45. Design decision: OpenDNSSEC - OpenDNSSEC 1.1 - Current version; used in production by a number of top-level domains and also for our deployment - Used - for instance - by .uk, .fr, .se and .nl - OpenDNSSEC 1.2 - Faster signer engine in C - Better support for ‘key-sharing’ - OpenDNSSEC 1.3 (Q3 2011) - Multi-threaded signer for better performance - Currently in release-candidate status - OpenDNSSEC 1.4 (±Q1 2012) - Adapters for AXFR/IXFR & MySQL - OpenDNSSEC 1.5 (±Q2 2012)45 SURFnet. We make innovation work cb
    46. 46. OpenDNSSEC architecture46 SURFnet. We make innovation work cb
    47. 47. Design: bump-in-the-wire DNS zone DNS transfer Internet Hidden primary Public primary ! DNS DNS zone zone DNS transfer DNS transfer Internet Hidden primary OpenDNSSEC Public primary !47 SURFnet. We make innovation work cb
    48. 48. Design: data flow DNS DNS zone zone scp DNS transferSURFdomeinen DNSSEC signer ns1.surfnet.nl DNS transfer ns2.surfnet.nl Internet DNS zone ns3.surfnet.nl ns1.zurich.surf.net 48 SURFnet. We make innovation work cb
    49. 49. Design: network security Colocation DNS VLAN HSM VLAN admin Network HSM Authoritative OpenDNSSEC DNS signer SSL HSM firewall firewall local router Admin VLAN Internet SURFnet WAN firewall49 SURFnet. We make innovation work SURFdomeinen cb server
    50. 50. Design: redundancy Signer: - Warm standby system in a different co-location - MySQL master-slave replication - Failover is a manual process (not time critical) HSM: - Two HSMs in two different locations - High-availability mode - Offline secure backup on a third location - Keys will only be used after a backup50 SURFnet. We make innovation work cb
    51. 51. Enabling DNSSEC: user perspective - Push-the-button signing: - Unsigned to signed in 15 minutes51 SURFnet. We make innovation work cb
    52. 52. When things go wrong...52 Photo courtesy of jeffwilcox@FlickR
    53. 53. Admitting mistakes53 Photo © 2003 philg@mit.edu
    54. 54. AXFR bug in OpenDNSSEC - surfnet.nl was signed for the first time in September 2010 (on a Monday) - everything went smoothly until Thursday Quickly diagnose - then suddenly... the problem no more mail no more website no more VoIP I think you’ve got diarrhea... - D’oh!!! - Garbage In == Garbage Out54
    55. 55. Stories from the trenches... - .cz and .us became ‘bogus’ because of a mistake during an algorithm rollover - ISOC & .org nearly had a PR disaster at ICANN 38 in Brussels - .uk became ‘bogus’ because of a glitch during a signer failover - .be forgot to update critical signatures - mozilla.org and nasa.gov published a DS while their zone wasn’t signed yet55 SURFnet. We make innovation work cb
    56. 56. If you’re lucky... - this is what users will see:56 many thanks to Marco Davids of SIDN for the screenshot
    57. 57. But in most cases... - this is what users will see:57 - (and this is better IMHO!)
    58. 58. Contacting domain owners is hard58
    59. 59. Further readinghttp://bit.ly/sn-dnssec-2008 http://bit.ly/sn-dnssec-val http://bit.ly/sn-cryptoweb 59 SURFnet. We make innovation work cb
    60. 60. Online resources - http://dnssec.surfnet.nl - With lots of information about the choices we made while deploying DNSSEC - http://dnssec.net - Comprehensive and up-to-date links to information on DNSSEC - http://www.dnssec-deployment.org - Tracks DNSSEC deployment across the net - http://www.practicesafedns.org - PIR (.org) initiative with user stories60 SURFnet. We make innovation work cb
    61. 61. Conclusions - DNSSEC deployment is in full swing - The ball is now in your court! - Seriously consider enabling validation on your resolver You should enable validation, there’s really no excuse not to do it :-) - Start planning for signing - Once it works, you don’t notice it’s there61 SURFnet. We make innovation work cb
    62. 62. roland.vanrijswijk@surfnet.nlQuestions? Comments? nl.linkedin.com/in/rolandvanrijswijk @reseauxsansfil

    ×