DKIM DNSSEC Deployment 2008-11-16

A short presentation on DKIM with support for DNSSEC

  1. DNSSEC and DKIM Deployment in .SE
     Patrik Wallström, Project Manager, R&D
  2. History of DNSSEC in .SE
     - Project start 1999 - 2005
     - Dry run 2006
     - Commercial deployment - .SE DNSSEC 2007 -
  3. DNSSEC with Applications
     - End-user applications: Web browsers, MUA, SIP, IM
     - Server applications: MTA, OpenSSH, PGP, SSL, XMPP
  4. Why DKIM?
     - Already using DNS as key storage
     - Validation normally occurs in the MTA
     - Thus running in a controlled server environment
     - Not an already widely deployed standard
  5. SMTP Overview
  6. SOHO Routers
     - Tests of Consumer Broadband Routers, Joakim Åhlund & Patrik Wallström, February 2008
     - Test Report: DNSSEC Impact on Broadband Routers and Firewalls, Ray Bellis, Nominet UK & Lisa Phifer, Core Competence, September 2008
  7. DKIM-Milter 2.8.0 beta
     - Initial patch for DKIM-Milter 2.6.0 by John Dickinson
     - Patch uses libunbound to use DNSSEC to:
       - retrieve a DKIM key from DNS
       - acquire a domain's policy record using DNS queries
     - Published on opensource.iis.se and sent to the DKIM-Milter maintainer: http://sourceforge.net/projects/dkim-milter/
  8. More work?
     Murray S. Kucherawy announced 2.8.0 with a comment about writing a new draft, “dkim-sec” ...
     The result for any DNSSEC-aware query basically comes down to one of these four:
     - evaluation not completed ("unknown")
     - signer not using DNSSEC ("insecure")
     - signer using DNSSEC, successful ("secure")
     - signer using DNSSEC, unsuccessful ("bogus")
  9. More work?
     Therefore, I believe we need four new configuration settings. In particular (with invented names so far):
     - InsecureKey - specifies what to do with insecure keys - possible values:
       - ignore (no action; default)
       - neutral (degrade a "pass" to "neutral")
       - fail (degrade a "pass" to "fail")
     - BogusKey - specifies what to do with bogus keys - possible values:
       - ignore
       - neutral
       - fail (default)
     - InsecureADSP - specifies what to do with insecure keys - possible values:
       - apply (default)
       - ignore
     - BogusADSP - specifies what to do with bogus ADSP records - possible values:
       - apply
       - ignore (default)
  10. Statistics: Ham, Spam
  11. Report on using DKIM with DNSSEC
      - Work for .SE done by Rickard Bondesson
      - To be published as his Final Thesis at Linköping University: Deployment and analysis of DKIM with DNSSEC, ISRN LIU-IDA/LITH-EX-A--08/055--SE
  12. Thank you
      patrik.wallstrom@iis.se
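
The four DNSSEC outcomes and the four proposed settings on slides 8 and 9 amount to a small policy table, sketched below as an added example; it is not code from DKIM-Milter or from the presentation. All type and function names are hypothetical, the `completed` flag is an assumption, and leaving "unknown" results untouched is an assumption the slides do not cover; InsecureADSP is read here as applying to ADSP records from unsigned zones.

```c
#include <stdio.h>

/* The four DNSSEC outcomes named on the slides. */
enum dnssec_status { DNSSEC_UNKNOWN, DNSSEC_INSECURE, DNSSEC_SECURE, DNSSEC_BOGUS };
enum dkim_result   { DKIM_PASS, DKIM_NEUTRAL, DKIM_FAIL };
enum key_action    { KEY_IGNORE, KEY_NEUTRAL, KEY_FAIL };  /* InsecureKey / BogusKey */
enum adsp_action   { ADSP_APPLY, ADSP_IGNORE };            /* InsecureADSP / BogusADSP */

struct dnssec_policy {
    enum key_action  insecure_key, bogus_key;
    enum adsp_action insecure_adsp, bogus_adsp;
};
/* Defaults as proposed on the slide: ignore, fail, apply, ignore. */
static const struct dnssec_policy DEFAULT_POLICY = { KEY_IGNORE, KEY_FAIL, ADSP_APPLY, ADSP_IGNORE };

/* secure/bogus mirror the flags in libunbound's struct ub_result;
 * `completed` is a hypothetical flag meaning the evaluation finished. */
enum dnssec_status classify(int completed, int secure, int bogus)
{
    if (!completed) return DNSSEC_UNKNOWN;
    if (bogus)      return DNSSEC_BOGUS;
    return secure ? DNSSEC_SECURE : DNSSEC_INSECURE;
}

/* Only a "pass" is ever degraded; "unknown" is left untouched (assumption). */
enum dkim_result apply_key_policy(enum dkim_result r, enum dnssec_status s,
                                  const struct dnssec_policy *p)
{
    enum key_action a = KEY_IGNORE;
    if (s == DNSSEC_INSECURE) a = p->insecure_key;
    if (s == DNSSEC_BOGUS)    a = p->bogus_key;
    if (r != DKIM_PASS || a == KEY_IGNORE) return r;
    return a == KEY_FAIL ? DKIM_FAIL : DKIM_NEUTRAL;
}

/* Returns 1 when the ADSP record should be applied for this status. */
int adsp_applies(enum dnssec_status s, const struct dnssec_policy *p)
{
    if (s == DNSSEC_INSECURE) return p->insecure_adsp == ADSP_APPLY;
    if (s == DNSSEC_BOGUS)    return p->bogus_adsp == ADSP_APPLY;
    return 1; /* secure: apply; unknown: apply (assumption) */
}

int main(void)
{
    for (int s = DNSSEC_UNKNOWN; s <= DNSSEC_BOGUS; s++) /* a "pass" under each status */
        printf("status=%d dkim=%d adsp_applied=%d\n", s,
               apply_key_policy(DKIM_PASS, s, &DEFAULT_POLICY), adsp_applies(s, &DEFAULT_POLICY));
    return 0;
}
```

With the defaults, a signature that verifies against a key from an unsigned zone stays a pass, while the same signature against a key whose DNSSEC validation failed is reported as a fail.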
