Building Trust into DNS: Key Strategies
WHITE PAPER
Executive Summary
DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.

Introduction
For all the benefits of an open Internet, there is a dangerous flip side. Domain name system (DNS) servers are a perfect case in point. With no inherent security, DNS servers at a host of organizations have been repeatedly compromised to enable a host of malicious endeavors, including cache poisoning (injecting incorrect/fraudulent data into a name server's cache, which then gets served to users), redirecting phone calls, man-in-the-middle attacks to steal passwords, rerouting email, denial of service attacks, and more.

To combat these threats, many organizations have implemented Domain Name System Security Extensions (DNSSEC), the process of digitally signing DNS records in order to ensure that the messages received are the same as those that were sent.

By adopting DNSSEC, a range of organizations, including domain providers, online banks and retailers, SaaS providers, and more, can realize a range of benefits:

  • Boost security. DNSSEC can help guard against cache poisoning, redirected phone calls, man-in-the-middle attacks, and more.

  • Ensure compliance. DNSSEC can help address ICANN, NSEC, and other mandates and guidelines.

  • Reduce costs. By safeguarding against a range of network based threats, organizations can reduce the time and cost associated with threat mitigation and post-attack forensics and reparation.

Without Robust Security, DNSSEC Can Be Compromised
In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. What this means is that DNSSEC requires some new procedures such as key generation, signing, and key management. But, for all the potential DNSSEC benefits outlined above, the intended gains aren't guaranteed because the resource records introduced by DNSSEC are kept in an unencrypted file. It is only when the entire DNSSEC infrastructure is fully and comprehensively secured that organizations can begin to fully enjoy DNSSEC's benefits. To do so, they need capabilities to do the following:

  • Secure digital signatures. DNS messages need to be digitally signed in order to ensure the validity of DNS services.

  • Control access. Organizations need to ensure only authorized customers and internal staff can access sensitive applications and data.

  • Maintain application integrity. All associated application code and processes need to be secured to ensure integrity and prohibit unauthorized application execution.

  • Scale to accommodate high volume processing. Since DNS updates are very frequent, DNSSEC infrastructures need to deliver the performance and scalability required to ensure timely processing at all times.

HSM Advantages
  • Completeness
  • Performance
  • Compliant and Secure
  • Centralization of Key Management

Building Trust into DNS: Key Strategies White Paper                                              1

The Role of HSMs in DNSSEC
As outlined above, it is only by ensuring security throughout the DNSSEC infrastructure that businesses can realize the benefits of DNSSEC. To ensure the validity of DNS services, DNSSEC employs public key cryptography to digitally sign DNS messages.

To realize the security required, robust protection of private signing keys is vital. If the keys and their corresponding digital certificates are compromised, the chain of trust in the DNS hierarchy is broken, rendering the entire system obsolete. This is where hardware security modules (HSMs) come into play.

HSMs are dedicated systems that physically and logically secure the cryptographic keys and cryptographic processing that are at the heart of digital signatures. HSMs support the following functions:

  • Life-cycle management, including key generation, distribution, rotation, storage, termination, and archival.

  • Cryptographic processing, which produces the dual benefits of isolating and offloading cryptographic processing from application servers.

By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks associated with having these assets housed on disparate, poorly secured platforms. In addition, this centralization can significantly streamline security administration.
[Figure: DNSSEC resolution with HSM-protected signing keys. Components shown: DNS Root Server Cluster (root zone records signed by private key in HSM, *FIPS 140-2 Level 4 Validated); TLD Server Cluster (TLD zone records signed by private key in SafeNet HSM); Authoritative Server Cluster (enterprise level zone key signed by SafeNet HSM, www.mybank.com); Recursive (Caching) Name Server; Client-Side of the DNS. The SafeNet HSM stores the cryptographic keys that sign the DNS records (DNSKEY, RRSIG, NSEC, and DS).]

  1  Client initiates query for www.mybank.com
  2  ISP caching name server starts recursive search at root if no record found in cache.
  3  Recursive search referred to applicable TLD by root. If record does not exist in TLD zone, query referred to the Authoritative server. (Simplified example; additional zone searches may be required to identify Authoritative Name Server.)
  4  Authoritative Server responds with signed DNS zone record
  5  Recursive server returns verified IP address for "mybank.com" to DNS client
The diagram above depicts the steps involved in securing DNS messages through the use of HSMs. By safeguarding digital certificates and cryptographic keys, organizations can maximize the security of their DNSSEC implementations.


SafeNet DNSSEC Benefits
  • Enhance Security
  • Ensure Compliance
  • Optimize Operational Performance

The Advantages of HSMs
Compared to the process of storing cryptographic keys in software residing on general purpose application servers, HSMs deliver several advantages:

Completeness
HSMs are fully contained solutions for cryptographic processing, key generation, and key storage. As purpose-built appliances, they automatically include the required hardware and firmware (i.e., software) in an integrated package. Physical and logical protection of the appliance is supported by a tamper resistant/evident shell; and protection from logical threats, depending on the vendor's products, is supported by integrated firewall and intrusion prevention defenses. Some HSM vendors also include integrated support for two-factor authentication. Security certification is typically pursued by HSM vendors and positioned as a product feature.

Software for these same functions is not a complete out-of-the-box solution. Server hardware is a separate purchase, unless unused servers are present, as is firewall, intrusion prevention, and two-factor authentication. Being tamper resistant is not a trait typically associated with general-purpose servers. Security certification encompassing the combination of hardware platform and software would be the responsibility of the user organization and can be a lengthy and very costly activity, especially if involvement with certification bodies is not standard operating practice for the organization using the software.

Performance
Cryptography is a resource intensive process that will introduce latency to any application that depends on it. Depending on the application and organization involved, the objective could be to minimize the latency introduced by cryptography. HSMs have an advantage over software as they are designed to optimize the efficiency of cryptographic processing. Compared to software running on general purpose servers, HSMs will accelerate processing; an outcome of being purpose-built.

Compliant and Secure
Frequently, cryptography is used to meet compliance mandates. Cryptography use, however, does not guarantee that information is secure. Further, there are no security guarantees (i.e., promises of no security incidents ever) with any security solution, so the objective becomes one of managing risk by reducing the number of vulnerabilities and the likelihood of vulnerabilities being exploited. The aforementioned completeness attributes of HSMs allow organizations that deploy HSMs to take efficient and simultaneous steps toward compliance and security.

Centralization of Key Management
An attribute of software is its portability; software can be installed on several servers. Consequently, cryptographic keys have greater likelihood to reside in several locations/software hosts. This multi-location characteristic will add to administrative complexity and potential lapses in the life-cycle management of cryptographic keys (e.g., rotation and revocation). In addition, if consistency in the protective layer of the software host (e.g., firewall, intrusion prevention, and access control) cannot be ensured, the risk of keys being compromised increases. With HSMs, the tendency is to store keys in a single unit. Not only does this streamline administration and reduce the potential for management lapses, but it also supports a consistent layer of key protection.




By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure.

The Benefits of DNSSEC with SafeNet
SafeNet offers a broad set of HSMs that are ideally suited to the demands of securing private signing keys. By employing SafeNet HSMs, organizations can realize a range of benefits:

Enhance Security
SafeNet HSMs deliver sophisticated security capabilities that enable businesses to enjoy maximum security of DNSSEC. SafeNet HSMs ensure the most rigorous control over keys and their corresponding digital certificates. As a result, organizations can eliminate the threats of DNS exploits, and the damage they can wreak.

Ensure Compliance
The Internet Engineering Task Force has published a comprehensive set of guidelines for ensuring DNSSEC security. For example, RFC 5011 outlines extensive standards for securing various points in the DNS tree, referred to as trust points. Each trust point must be validated by at least one associated public key. In addition, the guidelines specify a host of efforts for securely adding keys, rotating keys, and removing keys. With their robust encryption and policy management support, SafeNet HSMs enable organizations to ensure compliance with these guidelines.

Further, ICANN DNSSEC requirements state that private keys must be generated and stored on FIPS 140-2 validated HSMs. Many SafeNet HSMs meet these demanding FIPS requirements and many are also Common Criteria certified.

Optimize Operational Performance
By leveraging SafeNet's secure HSMs, organizations can realize significant gains in operational performance:

  • Improve staff efficiency. By centralizing keys and policy administration on a central, comprehensive platform, security teams can significantly streamline administrative efforts. Further, with an appliance that supports XML, SafeNet enables easier up-front HSM integration.

  • Ensure high performance. By managing cryptographic processing on purpose-built appliances, SafeNet HSMs deliver scalable, responsive performance, ensuring the timely, reliable response required in DNSSEC environments.

  • Optimize key storage. With its support for the Elliptic Curve Digital Signature Algorithm (ECDSA), SafeNet enables more efficient storage of cryptographic keys.

  • Enhance customer service and loyalty. SafeNet HSMs safeguard the DNS infrastructure, so organizations can eliminate the DNS exploits that put customers at risk. By ensuring high levels of security, organizations can foster greater trust and loyalty among their customer base.

SafeNet's Breadth of HSM Offerings
SafeNet HSMs provide reliable protection for applications, transactions, and information assets by safeguarding the cryptographic keys that are at the heart of any encryption-based security solution. SafeNet HSMs are the fastest, most secure, and easiest to integrate application security solution for enterprise and government organizations to ensure regulatory compliance, reduce the risk of legal liability, and improve profitability.

SafeNet offers these HSM products:

General Purpose HSMs, Network Attached
  • Luna SA. Luna SA offers award-winning application protection through powerful cryptographic processing and hardware key management. Luna PCI for Luna SA 4.1 has received Common Criteria EAL4+ certification.



By adopting DNSSEC organizations can realize a range of benefits including:
  • Boost security
  • Ensure compliance
  • Reduce costs

  • Luna SP. The SafeNet Luna SP allows developers to securely deploy Web applications, Web services, and other Java applications in a protected, hardened security appliance.

  • Luna XML. SafeNet Luna XML is designed to secure next-generation XML Web services and service-oriented architectures (SOAs). Other HSMs take months to integrate with new applications due to complex security APIs. Luna XML has zero footprint on the host application server, providing for rapid, independent, flexible, and highly scalable deployments.

  • ProtectServer External. The SafeNet ProtectServer External is a network-attached HSM that connects via TCP/IP to a single machine or complete network (LAN) to function as a central cryptographic subsystem that delivers symmetric and asymmetric cryptographic services. All operations that would otherwise be performed on insecure servers are securely processed within the HSM, ensuring that sensitive keys are always protected from compromise.

  • Luna SX. The SafeNet Luna SX is a central management console for rapid HSM setup and easy remote administration for the SafeNet Luna SA and Luna SP. Using a simple GUI, SafeNet HSMs can be managed remotely and securely.

General Purpose HSMs, Embedded
  • Luna CA4 HSM. The SafeNet Luna CA4 offers a complete hardware security solution for the protection of sensitive root keys belonging to certificate authorities used in public key infrastructures (PKI).

  • Luna PCI. SafeNet Luna PCI is designed to protect cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications.

  • Luna PCM. SafeNet Luna PCM is a low-cost family of compact HSMs, offering hardware-based key management and hardware-accelerated cryptographic performance within a compact PCMCIA card.

  • ProtectServer HSMs. For server systems and support applications that require high performance symmetric and asymmetric cryptographic operations, ProtectServer Gold and ProtectServer Internal-Express provide tamper-protected hardware security.

Conclusion
Today, DNSSEC represents a critical approach for guarding against a range of threats to Internet-based communications. By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure. Today, SafeNet offers a broad range of HSMs, solutions that accommodate the needs of a range of deployments, and ensure organizations enjoy maximum security in their DNSSEC environments.

About SafeNet, Inc.
Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers' most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-11.29.10



SafeNet
Ā 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
SafeNet
Ā 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
SafeNet
Ā 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
SafeNet
Ā 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk Management
SafeNet
Ā 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling Business
SafeNet
Ā 
Building Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesBuilding Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and Strategies
SafeNet
Ā 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
SafeNet
Ā 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
Ā 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
SafeNet
Ā 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet
Ā 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key Management
SafeNet
Ā 

More from SafeNet (20)

eIDAS Reference Guide
eIDAS Reference GuideeIDAS Reference Guide
eIDAS Reference Guide
Ā 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the Cloud
Ā 
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlWhose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Ā 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
Ā 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Ā 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the Cloud
Ā 
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business ModelCloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
Ā 
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
Ā 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsA Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise Applications
Ā 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
Ā 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
Ā 
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Cloud Computing and the Federal Government: Maximizing Trust Supporting the M...
Ā 
Hardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk ManagementHardware Security Modules: Critical to Information Risk Management
Hardware Security Modules: Critical to Information Risk Management
Ā 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling Business
Ā 
Building Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and StrategiesBuilding Trust into eInvoicing: Key Requirements and Strategies
Building Trust into eInvoicing: Key Requirements and Strategies
Ā 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
Ā 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Ā 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
Ā 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
Ā 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key Management
Ā 

Recently uploaded

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
Ā 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
Ā 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
Ā 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
Ā 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
Ā 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
Ā 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
GDSC PJATK
Ā 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
Ā 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
Ā 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
Ā 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
Ā 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
Ā 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
Ā 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
Ā 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
Ā 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
Ā 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
alexjohnson7307
Ā 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
Ā 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
Ā 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
Ā 

Recently uploaded (20)

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Ā 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Ā 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Ā 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
Ā 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Ā 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
Ā 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
Ā 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ā 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Ā 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Ā 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Ā 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
Ā 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Ā 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Ā 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Ā 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Ā 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
Ā 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Ā 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Ā 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Ā 

Building Trust into DNS: Key Strategies

WHITE PAPER

Executive Summary
DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.

Introduction
For all the benefits of an open Internet, there is a dangerous flip side. Domain name system (DNS) servers are a perfect case in point. With no inherent security, DNS servers at a host of organizations have been repeatedly compromised to enable a host of malicious endeavors, including cache poisoning (injecting incorrect/fraudulent data into a name server's cache, which then gets served to users), redirecting phone calls, man-in-the-middle attacks to steal passwords, rerouting email, denial of service attacks, and more.

To combat these threats, many organizations have implemented Domain Name System Security Extensions (DNSSEC), the process of digitally signing DNS records in order to ensure that the messages received are the same as those that were sent.

By adopting DNSSEC, a range of organizations, including domain providers, online banks and retailers, SaaS providers, and more, can realize a range of benefits:
• Boost security. DNSSEC can help guard against cache poisoning, redirected phone calls, man-in-the-middle attacks, and more.
• Ensure compliance. DNSSEC can help address ICANN, NSEC, and other mandates and guidelines.
• Reduce costs. By safeguarding against a range of network-based threats, organizations can reduce the time and cost associated with threat mitigation and post-attack forensics and reparation.

Without Rob Security, DNSSEC Can Be Compromised
In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. This means that DNSSEC requires some new procedures, such as key generation, signing, and key management. But, for all the potential DNSSEC benefits outlined above, the intended gains aren't guaranteed, because the resource records introduced by DNSSEC are kept in an unencrypted file. It is only when the entire DNSSEC infrastructure is fully and comprehensively secured that organizations can begin to fully enjoy DNSSEC's benefits. To do so, they need capabilities to do the following:
• Secure digital signatures. DNS messages need to be digitally signed in order to ensure the validity of DNS services.
• Control access. Organizations need to ensure only authorized customers and internal staff can access sensitive applications and data.
• Maintain application integrity. All associated application code and processes need to be secured to ensure integrity and prohibit unauthorized application execution.
• Scale to accommodate high-volume processing. Since DNS updates are very frequent, DNSSEC infrastructures need to deliver the performance and scalability required to ensure timely processing at all times.

HSM Advantages
• Completeness
• Performance
• Compliant and Secure
• Centralization of Key Management

The Role of HSMs in DNSSEC
As outlined above, it is only by ensuring security throughout the DNSSEC infrastructure that businesses can realize the benefits of DNSSEC. To ensure the validity of DNS services, DNSSEC employs public key cryptography to digitally sign DNS messages. To realize the security required, robust protection of private signing keys is vital. If the keys and their corresponding digital certificates are compromised, the chain of trust in the DNS hierarchy is broken, rendering the entire system obsolete.

This is where hardware security modules (HSMs) come into play. HSMs are dedicated systems that physically and logically secure the cryptographic keys and cryptographic processing that are at the heart of digital signatures. HSMs support the following functions:
• Life-cycle management, including key generation, distribution, rotation, storage, termination, and archival.
• Cryptographic processing, which produces the dual benefits of isolating and offloading cryptographic processing from application servers.

By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks associated with having these assets housed on disparate, poorly secured platforms. In addition, this centralization can significantly streamline security administration.

[Diagram: securing DNS messages with HSMs. Components: DNS Root Server Cluster (root zone records signed by the private key in an HSM, FIPS 140-2 Level 4 validated); TLD Server Cluster (TLD zone records signed by the private key in a SafeNet HSM); Authoritative Server Cluster for www.mybank.com (enterprise-level zone key signed by a SafeNet HSM); Recursive (Caching) Name Server; client side of the DNS. The SafeNet HSM stores the cryptographic keys that sign the DNS records (DNSKEY, RRSIG, NSEC, and DS). Steps:
1. Client initiates query for www.mybank.com.
2. ISP caching name server starts recursive search at root if no record is found in cache.
3. Recursive search referred to the applicable TLD by root. If the record does not exist in the TLD zone, the query is referred to the Authoritative server. (Simplified example; additional zone searches may be required to identify the Authoritative Name Server.)
4. Authoritative Server responds with signed DNS zone record.
5. Recursive server returns verified IP address for "mybank.com" to DNS client.]

The diagram above depicts the steps involved in securing DNS messages through the use of HSMs. By safeguarding digital certificates and cryptographic keys, organizations can maximize the security of their DNSSEC implementations.
SafeNet DNSSEC Benefits
• Enhance Security
• Ensure Compliance
• Optimize Operational Performance

The Advantages of HSMs
Compared to the process of storing cryptographic keys in software residing on general-purpose application servers, HSMs deliver several advantages:

Completeness
HSMs are fully contained solutions for cryptographic processing, key generation, and key storage. As purpose-built appliances, they automatically include the required hardware and firmware (i.e., software) in an integrated package. Physical and logical protection of the appliance is supported by a tamper-resistant/evident shell, and protection from logical threats, depending on the vendor's products, is supported by integrated firewall and intrusion prevention defenses. Some HSM vendors also include integrated support for two-factor authentication. Security certification is typically pursued by HSM vendors and positioned as a product feature.

Software for these same functions is not a complete out-of-the-box solution. Server hardware is a separate purchase, unless unused servers are present, as are firewall, intrusion prevention, and two-factor authentication. Being tamper resistant is not a trait typically associated with general-purpose servers. Security certification encompassing the combination of hardware platform and software would be the responsibility of the user organization and can be a lengthy and very costly activity, especially if involvement with certification bodies is not standard operating practice for the organization using the software.

Performance
Cryptography is a resource-intensive process that will introduce latency to any application that depends on it. Depending on the application and organization involved, the objective could be to minimize the latency introduced by cryptography. HSMs have an advantage over software as they are designed to optimize the efficiency of cryptographic processing. Compared to software running on general-purpose servers, HSMs will accelerate processing, an outcome of being purpose-built.

Compliant and Secure
Frequently, cryptography is used to meet compliance mandates. Cryptography use, however, does not guarantee that information is secure. Further, there are no security guarantees (i.e., promises of no security incidents ever) with any security solution, so the objective becomes one of managing risk by reducing the number of vulnerabilities and the likelihood of vulnerabilities being exploited. The aforementioned completeness attributes of HSMs allow organizations that deploy HSMs to take efficient and simultaneous steps toward compliance and security.

Centralization of Key Management
An attribute of software is its portability; software can be installed on several servers. Consequently, cryptographic keys have a greater likelihood of residing in several locations/software hosts. This multi-location characteristic will add to administrative complexity and potential lapses in the life-cycle management of cryptographic keys (e.g., rotation and revocation). In addition, if consistency in the protective layer of the software host (e.g., firewall, intrusion prevention, and access control) cannot be ensured, the risk of keys being compromised increases. With HSMs, the tendency is to store keys in a single unit. Not only does this streamline administration and reduce the potential for management lapses, but it also supports a consistent layer of key protection.
  • 4. By leveraging HSMs, organization The Beneļ¬ts of DNSSEC with SafeNet can enjoy the utmost in security SafeNet offers a broad set of HSMs that are ideally suited to the demands of securing private of the cryptographic keys and signing keys. By employing SafeNet HSMs, organizations can realize a range of beneļ¬ts: digital certiļ¬cates that underpin Enhance Security the DNSSEC infrastructure. SafeNet HSMs deliver sophisticated security capabilities that enable businesses to enjoy maximum security of DNSSEC. SafeNet HSMs ensure the most rigorous control over keys and their corresponding digital certiļ¬cate. As a result, organizations can eliminate the threats of DNS exploits, and the damage they can wreak. Ensure Compliance The Internet Engineering Task Force has published a comprehensive set of guidelines for ensuring DNSSEC security. For example, RFC 5011 outlines extensive standards for securing various points in the DNS tree, referred to as trust points. Each trust point must be validated by at least one associated public key. In addition, the guidelines specify a host of efforts for securely adding keys, rotating keys, and removing keys. With their robust encryption and policy management support, SafeNet HSMs enable organizations to ensure compliance with these guidelines. Further, ICANN DNSSEC requirements state that private keys must be generated and stored on FIPS 140-2 validated HSMs. Many SafeNet HSMs meet these demanding FIPS requirements and many are also Common Criteria certiļ¬ed. Optimize Operational Performance By leveraging SafeNetā€™s secure HSMs, organizations can realize signiļ¬cant gains in operational performance: ā€¢ Improve staff efļ¬ciency. By centralizing keys and policy administration on a central, comprehensive platform, security teams can signiļ¬cantly streamline administrative efforts. Further, with an appliance that supports XML, SafeNet enables easier up-front HSM integration. ā€¢ Ensure high performance. 
By managing cryptographic processing on purpose-built appliances, SafeNet HSMs deliver scalable, responsive performance, ensuring the timely, reliable response required in DNSSEC environments.
• Optimize key storage. With its support for the Elliptic Curve Digital Signature Algorithm (ECDSA), SafeNet enables more efficient storage of cryptographic keys.
• Enhance customer service and loyalty. SafeNet HSMs safeguard the DNS infrastructure, so organizations can eliminate the DNS exploits that put customers at risk. By ensuring high levels of security, organizations can foster greater trust and loyalty among their customer base.

SafeNet's Breadth of HSM Offerings
SafeNet HSMs provide reliable protection for applications, transactions, and information assets by safeguarding the cryptographic keys that are at the heart of any encryption-based security solution. SafeNet HSMs are the fastest, most secure, and easiest to integrate application security solution for enterprise and government organizations to ensure regulatory compliance, reduce the risk of legal liability, and improve profitability. SafeNet offers these HSM products:

General Purpose HSMs, Network Attached
• Luna SA. Luna SA offers award-winning application protection through powerful cryptographic processing and hardware key management. Luna PCI for Luna SA 4.1 has received Common Criteria EAL4+ certification.
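The key adding, rotating and removing process that RFC 5011 specifies for a trust point (referred to under Ensure Compliance above), as an added example that is not part of this paper or of SafeNet's products: a simplified validator-side trust-anchor state machine with the RFC's add and remove hold-down timers, driven by a constructed KSK rollover. The `Anchor`/`TrustPoint` names, key tags and observation times are assumptions; in the real protocol setting the REVOKE bit changes a key's tag, which this simplification ignores.

```python
from dataclasses import dataclass, field

# RFC 5011 hold-down timers; the RFC's default for both is 30 days.
ADD_HOLD_DOWN = 30 * 86400
REMOVE_HOLD_DOWN = 30 * 86400

@dataclass
class Anchor:
    state: str = "Start"   # Start, AddPend, Valid, Revoked, Removed
    since: int = 0         # time (seconds) the key entered its current state

@dataclass
class TrustPoint:
    anchors: dict = field(default_factory=dict)   # DNSKEY key tag -> Anchor

    def observe(self, now, published, revoked, signers):
        """Apply one observed DNSKEY RRset: `published` = key tags in the RRset,
        `revoked` = tags with the REVOKE bit, `signers` = tags whose RRSIG verified."""
        # Only an RRset signed by a currently Valid anchor may introduce new keys.
        anchored = bool(signers & {t for t, a in self.anchors.items() if a.state == "Valid"})
        for tag in published:
            a = self.anchors.setdefault(tag, Anchor("Start", now))
            if a.state == "Start" and anchored:
                a.state, a.since = "AddPend", now          # new key seen: start hold-down
            elif a.state == "AddPend" and anchored and now - a.since >= ADD_HOLD_DOWN:
                a.state, a.since = "Valid", now            # hold-down survived: trusted
            elif a.state == "Valid" and tag in revoked and tag in signers:
                a.state, a.since = "Revoked", now          # REVOKE bit + self-signature
        for tag, a in self.anchors.items():
            if a.state == "AddPend" and tag not in published:
                a.state, a.since = "Start", now            # publication gap restarts hold-down
            elif a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN:
                a.state, a.since = "Removed", now          # safe to delete the anchor
        return {t: a.state for t, a in self.anchors.items()}

def rollover_demo():
    """Constructed KSK rollover at one trust point: tag 100 is the configured
    anchor and tag 200 its successor. Returns the anchor states after each step."""
    day = 86400
    tp = TrustPoint({100: Anchor("Valid", 0)})
    steps = [  # (now, published, revoked, signers)
        (0 * day, {100, 200}, set(), {100}),        # 200 introduced, signed by 100
        (10 * day, {100}, set(), {100}),            # 200 withdrawn: back to Start
        (20 * day, {100, 200}, set(), {100}),       # 200 republished: AddPend again
        (45 * day, {100, 200}, set(), {100}),       # only 25 days: still AddPend
        (51 * day, {100, 200}, set(), {100}),       # 31 days: 200 becomes Valid
        (60 * day, {100, 200}, {100}, {100, 200}),  # 100 revoked and signs itself
        (95 * day, {200}, set(), {200}),            # 35 days later: 100 Removed
    ]
    return [tp.observe(*s) for s in steps]
```

A key that appears in an RRset not signed by an existing anchor never leaves Start, which is the property that makes an attacker-injected DNSKEY harmless to a validator following the RFC.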
• Luna SP. The SafeNet Luna SP allows developers to securely deploy Web applications, Web services, and other Java applications in a protected, hardened security appliance.
• Luna XML. SafeNet Luna XML is designed to secure next-generation XML Web services and service-oriented architectures (SOAs). Other HSMs take months to integrate with new applications due to complex security APIs. Luna XML has zero footprint on the host application server, providing for rapid, independent, flexible, and highly scalable deployments.
• ProtectServer External. The SafeNet ProtectServer External is a network-attached HSM that connects via TCP/IP to a single machine or complete network (LAN) to function as a central cryptographic subsystem that delivers symmetric and asymmetric cryptographic services. All operations that would otherwise be performed on insecure servers are securely processed within the HSM, ensuring that sensitive keys are always protected from compromise.
• Luna SX. The SafeNet Luna SX is a central management console for rapid HSM setup and easy remote administration for the SafeNet Luna SA and Luna SP. Using a simple GUI, SafeNet HSMs can be managed remotely and securely.

General Purpose HSMs, Embedded
• Luna CA4 HSM. The SafeNet Luna CA4 offers a complete hardware security solution for the protection of sensitive root keys belonging to certificate authorities used in public key infrastructures (PKI).
• Luna PCI. SafeNet Luna PCI is designed to protect cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications.
• Luna PCM. SafeNet Luna PCM is a low-cost family of compact HSMs, offering hardware-based key management and hardware-accelerated cryptographic performance within a compact PCMCIA card.
• ProtectServer HSMs.
For server systems and support applications that require high-performance symmetric and asymmetric cryptographic operations, ProtectServer Gold and ProtectServer Internal-Express provide tamper-protected hardware security.

Conclusion
Today, DNSSEC represents a critical approach for guarding against a range of threats to Internet-based communications. By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure. Today, SafeNet offers a broad range of HSMs, solutions that accommodate the needs of a range of deployments, and ensure organizations enjoy maximum security in their DNSSEC environments.

About SafeNet, Inc.
Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers' most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
©2010 SafeNet, Inc. All rights reserved. SafeNet and the SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-11.29.10