SlideShare a Scribd company logo

FOSE 2011: DNSSEC and the Government, Lessons Learned

Neustar, Inc.
Neustar, Inc.

At FOSE 2011, the panel discussion on the deployment of domain name system security extensions (DNSSEC) within government included Neustar VP and Senior Technologist, Rodney Joffe, who sat side-by-side with some of the industry’s best and discussed how federal IT managers can leverage private sector best practices to meet OMB and FISMA mandated DNSSEC requirements. Entitled “DNS-3: Private Sector Deployment in .com, .net, .org and Beyond,” the panel discussed lessons learned and how federal agencies that have yet to deploy DNSSEC can do so successfully. Visit http://www.ultradns.com for more information.

Technology
1 of 8
Download to read offline
DNSSEC Deployment Lessons Learned Rodney Joffe SVP and Senior Technologist 07/20/2011
Neustar DNSSEC: Three Key Areas of Experience » 1) Signed TLD zones for registries we operate - .us, .biz, .co » 2) Hosted (secondary) signed ccTLDs – .uk, .jp, .fi, .nu » 3) Implemented a managed DNSSEC service using a code base entirely separate from BIND © Neustar Inc. / Proprietary and Confidential 2
Neustar Experience Signing TLD Zones » Our three signed zones have 1-2 million names each » We use NSEC negative answers and different DNSSEC key algorithms » We used a fairly straightforward deployment plan which requires care but is not scary © Neustar Inc. / Proprietary and Confidential 3
Neustar Experience: Hosting other signed TLDs » We have seen the impact of transferring signed zones » Different registries have used different approaches to DNSSEC which has an impact on zone distribution » Zones are larger » Zones are changed more often » Coordinating computing resources to handle the increased pressure of the updates was harder than anticipated © Neustar Inc. / Proprietary and Confidential 4
Neustar Experience: Managed DNSSEC Implementation » Neustar has nearly 10 years of experience in DNSSEC development and operations » US and BIZ registries are DNSSEC signed, 7 years after our first test beds » Participation in specification development » Active participation in global network operations fora » Other credentials relating to DNS » Pioneered anycast techniques » DDoS mitigation work » Experience in secure distributed database operations and operating Managed DNS services » Neustar’s fully managed DNS and DNSSEC solution provides: » Resiliency and reliability thanks to a multi node footprint » Automated, customizable key management » Optional FIPS Level 3 © Neustar Inc. / Proprietary and Confidential 5
Lessons Learned from Neustar Registry Deployment » Upfront effort to begin DNSSEC » Upgrade (renovate) DNS infrastructure to support DNSSEC » Institute key management functions. DNSSEC relies on solid key management » Creating a key poorly may lead to someone guessing it » Allowing keys to be seen by operators risks the secret » Choice of algorithms and key size » Timing of key operations, Signature lifetime, Key effectivity, and Key supersession » Ongoing effort to maintain DNSSEC » Keep data "fresh", DNSSEC data can go stale » Participation in more public meetings and mail lists © Neustar Inc. / Proprietary and Confidential 6
Thank You! © Neustar Inc. / Proprietary and Confidential 7
DNSSEC Chain of Trust Root DNS Authoritative DNS .com. .gov. .biz. (TLD) Authoritative DNS domain.biz site.biz. ultradns.biz (SLD) Recursive DNS Client / stub resolver

Recommended

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01
Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01
Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01
shobhiya kumar
 
Resume
ResumeResume
Resumekalyan dandu
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
Cloud Security - Product Overview
Cloud Security - Product OverviewCloud Security - Product Overview
Cloud Security - Product OverviewKenneth Chiu
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 

Recommended

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01
Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01
Securededuplicationschemeforcloudstorage 141128075306-conversion-gate01
shobhiya kumar
 
Resume
ResumeResume
Resumekalyan dandu
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
Cloud Security - Product Overview
Cloud Security - Product OverviewCloud Security - Product Overview
Cloud Security - Product OverviewKenneth Chiu
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
Windows most important server questions for l1 level
Windows most important server questions for l1 levelWindows most important server questions for l1 level
Windows most important server questions for l1 level
IICT Chromepet
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
wolfSSL
 
Sia report
Sia reportSia report
Sia report
William Lin
 
OpenStack Backup, Restore, DR (Freezer)
OpenStack Backup, Restore, DR (Freezer)OpenStack Backup, Restore, DR (Freezer)
OpenStack Backup, Restore, DR (Freezer)
Saad Zaher
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
Shumon Huque
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
APNIC
 
Securing memcache
Securing memcacheSecuring memcache
Securing memcache
wolfSSL
 
Puzzle Lock
Puzzle LockPuzzle Lock
Puzzle LockSenad Aruc
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
DDoS Mitigation on the Front Line with RedShield
DDoS Mitigation on the Front Line with RedShieldDDoS Mitigation on the Front Line with RedShield
DDoS Mitigation on the Front Line with RedShield
Sam Pickles
 
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS SupportWebinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Storage Switzerland
 
Securing your Kubernetes applications
Securing your Kubernetes applicationsSecuring your Kubernetes applications
Securing your Kubernetes applications
Néstor Salceda
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
Shumon Huque
 
perl
perlperl
perltutorialsruby
 
PCCNews0609
PCCNews0609PCCNews0609
PCCNews0609tutorialsruby
 
IntroTestMore
IntroTestMoreIntroTestMore
IntroTestMoretutorialsruby
 
perl_tk_tutorial
perl_tk_tutorialperl_tk_tutorial
perl_tk_tutorialtutorialsruby
 
Presentatie alpe d_huzes_twinfield
Presentatie alpe d_huzes_twinfieldPresentatie alpe d_huzes_twinfield
Presentatie alpe d_huzes_twinfield
Twinfield International, a Wolters Kluwer business
 
perltut
perltutperltut
perltuttutorialsruby
 
My Presentacion Oral.Pptx
My Presentacion Oral.PptxMy Presentacion Oral.Pptx
My Presentacion Oral.Pptxestefania
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 

More Related Content

What's hot

Windows most important server questions for l1 level
Windows most important server questions for l1 levelWindows most important server questions for l1 level
Windows most important server questions for l1 level
IICT Chromepet
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
wolfSSL
 
Sia report
Sia reportSia report
Sia report
William Lin
 
OpenStack Backup, Restore, DR (Freezer)
OpenStack Backup, Restore, DR (Freezer)OpenStack Backup, Restore, DR (Freezer)
OpenStack Backup, Restore, DR (Freezer)
Saad Zaher
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
Shumon Huque
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
APNIC
 
Securing memcache
Securing memcacheSecuring memcache
Securing memcache
wolfSSL
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
DDoS Mitigation on the Front Line with RedShield
DDoS Mitigation on the Front Line with RedShieldDDoS Mitigation on the Front Line with RedShield
DDoS Mitigation on the Front Line with RedShield
Sam Pickles
 
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS SupportWebinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Storage Switzerland
 
Securing your Kubernetes applications
Securing your Kubernetes applicationsSecuring your Kubernetes applications
Securing your Kubernetes applications
Néstor Salceda
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
Shumon Huque
 

What's hot (14)

Windows most important server questions for l1 level
Windows most important server questions for l1 levelWindows most important server questions for l1 level
Windows most important server questions for l1 level
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
 
Sia report
Sia reportSia report
Sia report
 
OpenStack Backup, Restore, DR (Freezer)
OpenStack Backup, Restore, DR (Freezer)OpenStack Backup, Restore, DR (Freezer)
OpenStack Backup, Restore, DR (Freezer)
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
Securing memcache
Securing memcacheSecuring memcache
Securing memcache
 
Puzzle Lock
Puzzle LockPuzzle Lock
Puzzle Lock
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
 
DDoS Mitigation on the Front Line with RedShield
DDoS Mitigation on the Front Line with RedShieldDDoS Mitigation on the Front Line with RedShield
DDoS Mitigation on the Front Line with RedShield
 
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS SupportWebinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
Webinar: What Your Object Storage Vendor Isn’t Telling You About NFS Support
 
Securing your Kubernetes applications
Securing your Kubernetes applicationsSecuring your Kubernetes applications
Securing your Kubernetes applications
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
 

Viewers also liked

Presentatie alpe d_huzes_twinfield
Presentatie alpe d_huzes_twinfieldPresentatie alpe d_huzes_twinfield
Presentatie alpe d_huzes_twinfield
Twinfield International, a Wolters Kluwer business
 
My Presentacion Oral.Pptx
My Presentacion Oral.PptxMy Presentacion Oral.Pptx
My Presentacion Oral.Pptxestefania
 

Viewers also liked (7)

perl
perlperl
perl
 
PCCNews0609
PCCNews0609PCCNews0609
PCCNews0609
 
IntroTestMore
IntroTestMoreIntroTestMore
IntroTestMore
 
perl_tk_tutorial
perl_tk_tutorialperl_tk_tutorial
perl_tk_tutorial
 
Presentatie alpe d_huzes_twinfield
Presentatie alpe d_huzes_twinfieldPresentatie alpe d_huzes_twinfield
Presentatie alpe d_huzes_twinfield
 
perltut
perltutperltut
perltut
 
My Presentacion Oral.Pptx
My Presentacion Oral.PptxMy Presentacion Oral.Pptx
My Presentacion Oral.Pptx
 

Similar to FOSE 2011: DNSSEC and the Government, Lessons Learned

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
laurenrprice
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
Best Practices for Monitoring DNS
Best Practices for Monitoring DNSBest Practices for Monitoring DNS
Best Practices for Monitoring DNS
ThousandEyes
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
Deploy360 Programme (Internet Society)
 
ION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim GalvinION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim Galvin
Deploy360 Programme (Internet Society)
 
F5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5's Dynamic DNS Services
F5's Dynamic DNS Services
F5 Networks
 
DNS Security Strategy
DNS Security StrategyDNS Security Strategy
DNS Security Strategy
Andreas Taudte
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
ORG, The Public Interest Registry
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnErol Dizdar
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC?
Deploy360 Programme (Internet Society)
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 

Similar to FOSE 2011: DNSSEC and the Government, Lessons Learned (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Best Practices for Monitoring DNS
Best Practices for Monitoring DNSBest Practices for Monitoring DNS
Best Practices for Monitoring DNS
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
ION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim GalvinION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim Galvin
 
F5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5's Dynamic DNS Services
F5's Dynamic DNS Services
 
DNS Security Strategy
DNS Security StrategyDNS Security Strategy
DNS Security Strategy
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-en
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 En
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC?
 
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 

More from Neustar, Inc.

Vacation Traveler Insights
Vacation Traveler InsightsVacation Traveler Insights
Vacation Traveler Insights
Neustar, Inc.
 
Game of Screens: Tech kingdoms creating the omni-channel experience
Game of Screens: Tech kingdoms creating the omni-channel experienceGame of Screens: Tech kingdoms creating the omni-channel experience
Game of Screens: Tech kingdoms creating the omni-channel experience
Neustar, Inc.
 
The Truth About Cross-Device Marketing & Millennials
The Truth About Cross-Device Marketing & MillennialsThe Truth About Cross-Device Marketing & Millennials
The Truth About Cross-Device Marketing & Millennials
Neustar, Inc.
 
A Responder's Guide to DDoS Attacks: Seeing Clearly Through the Smoke
A Responder's Guide to DDoS Attacks: Seeing Clearly Through the SmokeA Responder's Guide to DDoS Attacks: Seeing Clearly Through the Smoke
A Responder's Guide to DDoS Attacks: Seeing Clearly Through the Smoke
Neustar, Inc.
 
Hi-Def Marketing
Hi-Def MarketingHi-Def Marketing
Hi-Def Marketing
Neustar, Inc.
 
Trends Shaping Local Search in 2014
Trends Shaping Local Search in 2014Trends Shaping Local Search in 2014
Trends Shaping Local Search in 2014Neustar, Inc.
 
Neustar Cassandra Experience
Neustar Cassandra ExperienceNeustar Cassandra Experience
Neustar Cassandra ExperienceNeustar, Inc.
 
What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..
Neustar, Inc.
 
How To Trust The Cloud
How To Trust The CloudHow To Trust The Cloud
How To Trust The Cloud
Neustar, Inc.
 
The Future of the Internet: Open Research Topics
The Future of the Internet: Open Research TopicsThe Future of the Internet: Open Research Topics
The Future of the Internet: Open Research Topics
Neustar, Inc.
 

More from Neustar, Inc. (11)

Vacation Traveler Insights
Vacation Traveler InsightsVacation Traveler Insights
Vacation Traveler Insights
 
Game of Screens: Tech kingdoms creating the omni-channel experience
Game of Screens: Tech kingdoms creating the omni-channel experienceGame of Screens: Tech kingdoms creating the omni-channel experience
Game of Screens: Tech kingdoms creating the omni-channel experience
 
The Truth About Cross-Device Marketing & Millennials
The Truth About Cross-Device Marketing & MillennialsThe Truth About Cross-Device Marketing & Millennials
The Truth About Cross-Device Marketing & Millennials
 
A Responder's Guide to DDoS Attacks: Seeing Clearly Through the Smoke
A Responder's Guide to DDoS Attacks: Seeing Clearly Through the SmokeA Responder's Guide to DDoS Attacks: Seeing Clearly Through the Smoke
A Responder's Guide to DDoS Attacks: Seeing Clearly Through the Smoke
 
Hi-Def Marketing
Hi-Def MarketingHi-Def Marketing
Hi-Def Marketing
 
Adweek and Neustar
Adweek and NeustarAdweek and Neustar
Adweek and Neustar
 
Trends Shaping Local Search in 2014
Trends Shaping Local Search in 2014Trends Shaping Local Search in 2014
Trends Shaping Local Search in 2014
 
Neustar Cassandra Experience
Neustar Cassandra ExperienceNeustar Cassandra Experience
Neustar Cassandra Experience
 
What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..
 
How To Trust The Cloud
How To Trust The CloudHow To Trust The Cloud
How To Trust The Cloud
 
The Future of the Internet: Open Research Topics
The Future of the Internet: Open Research TopicsThe Future of the Internet: Open Research Topics
The Future of the Internet: Open Research Topics
 

Recently uploaded

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 

FOSE 2011: DNSSEC and the Government, Lessons Learned

  • 1. DNSSEC Deployment Lessons Learned Rodney Joffe SVP and Senior Technologist 07/20/2011
  • 2. Neustar DNSSEC: Three Key Areas of Experience » 1) Signed TLD zones for registries we operate - .us, .biz, .co » 2) Hosted (secondary) signed ccTLDs – .uk, .jp, .fi, .nu » 3) Implemented a managed DNSSEC service using a code base entirely separate from BIND © Neustar Inc. / Proprietary and Confidential 2
  • 3. Neustar Experience Signing TLD Zones » Our three signed zones have 1-2 million names each » We use NSEC negative answers and different DNSSEC key algorithms » We used a fairly straightforward deployment plan which requires care but is not scary © Neustar Inc. / Proprietary and Confidential 3
  • 4. Neustar Experience: Hosting other signed TLDs » We have seen the impact of transferring signed zones » Different registries have used different approaches to DNSSEC which has an impact on zone distribution » Zones are larger » Zones are changed more often » Coordinating computing resources to handle the increased pressure of the updates was harder than anticipated © Neustar Inc. / Proprietary and Confidential 4
  • 5. Neustar Experience: Managed DNSSEC Implementation » Neustar has nearly 10 years of experience in DNSSEC development and operations » US and BIZ registries are DNSSEC signed, 7 years after our first test beds » Participation in specification development » Active participation in global network operations fora » Other credentials relating to DNS » Pioneered anycast techniques » DDoS mitigation work » Experience in secure distributed database operations and operating Managed DNS services » Neustar’s fully managed DNS and DNSSEC solution provides: » Resiliency and reliability thanks to a multi node footprint » Automated, customizable key management » Optional FIPS Level 3 © Neustar Inc. / Proprietary and Confidential 5
  • 6. Lessons Learned from Neustar Registry Deployment » Upfront effort to begin DNSSEC » Upgrade (renovate) DNS infrastructure to support DNSSEC » Institute key management functions. DNSSEC relies on solid key management » Creating a key poorly may lead to someone guessing it » Allowing keys to be seen by operators risks the secret » Choice of algorithms and key size » Timing of key operations, Signature lifetime, Key effectivity, and Key supersession » Ongoing effort to maintain DNSSEC » Keep data "fresh", DNSSEC data can go stale » Participation in more public meetings and mail lists © Neustar Inc. / Proprietary and Confidential 6
  • 7. Thank You! © Neustar Inc. / Proprietary and Confidential 7
  • 8. DNSSEC Chain of Trust Root DNS Authoritative DNS .com. .gov. .biz. (TLD) Authoritative DNS domain.biz site.biz. ultradns.biz (SLD) Recursive DNS Client / stub resolver