Internet2 DNSSEC Pilot Project Overview
1. Internet2 DNSSEC Pilot
Shumon Huque
University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop
Minneapolis, Minnesota, U.S.A., Feb 14th, 2007
2. Description of the Pilot
• http://www.dnssec-deployment.org/internet2/
• Deploy DNSSEC
• Gain operational experience
• Does it work (does it catch anything?)
• Test DNSSEC-aware applications
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
3. What is DNSSEC?
• A system to verify the authenticity of DNS “data”
• RFC 4033, 4034, 4035
• Helps detect: spoofing, misdirection, cache poisoning
• Some secondary benefits appear:
  • You could store keying material in DNS
  • DKIM, SSHFP, IPSECKEY, etc.
4. A little background ..
• Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs
• Mar ‘06: dnssec@internet2 mailing list
• Apr ‘06: Internet2 Spring Member meeting
  • Advisory group formed and plans for a pilot project formulated
• May ‘06: Pilot group began
  • Bi-weekly conference calls and progress reports
5. Co-ordination
• Internet2
• Shinkuro シンクロ
  • Partner in DNSSEC Deployment Initiative
  • http://www.dnssec-deployment.org/
  • Some funding from US government
6. DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
  • All zones: magpi.{net,org} & 15 reverse zones
  • https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
  • radb.net
  • nanog.org
  • http://www.merit.edu/networkresearch/dnssec.html
• NYSERNet - test zone
  • nyserlab.org
7. Others considering or planning deployment
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• University of Massachusetts - Amherst
• Internet2
8. DLV (DNSSEC Lookaside Validation)
• A mechanism to securely locate DNSSEC trust anchors “off-path”
• An early deployment aid until top-down deployment of DNSSEC happens
• Pilot group is in talks to make use of ISC’s DLV registry
  • http://www.isc.org/index.pl?/ops/dlv/
• More on this at a later date ..
9. More participants welcome!
• (participation not restricted to Internet2)
• Join mailing list
• Participate in conference calls
10. Thoughts on deployment obstacles (1)
• A Chicken & Egg problem
  • Marginal benefits, until much more deployment
  • Why should I go first?
• We had (have?) the same problem with other technologies (IPv6 etc)
• Some folks will need to take the lead, if there is hope for wider adoption
• Good way to find out how well it works
11. Thoughts on deployment obstacles (2)
• Operational stability
  • More complicated software infrastructure
  • New processes for:
    • Zone changes
    • Secure delegations
    • Security (protection of crypto keys)
    • Key rollover and maintenance
    • Integration w/ existing DNS management software
• What is the experience of the pilot?
12. Thoughts on deployment obstacles (3)
• Additional system requirements
  • Authoritative servers: memory
  • Resolvers: memory & CPU
• Memory use can be calculated
  • Probably not a big issue (unless you’re .COM!)
• CPU
  • Not too much of an issue today (dearth of signed data that needs validation)
  • Caveat: some potential DoS attacks could hit CPU
13. Thoughts on deployment obstacles (4)
• Key distribution in islands of trust
• Why is there no top-down deployment?
  • Work on signing root and (many) TLDs and in-addr.arpa is in progress
  • .SE, RIPE reverse done
  • .EDU work in motion
• Interim mechanisms like DLV exist
• Manual key exchange (unscalable)
14. Thoughts on deployment obstacles (5)
• Stub resolver security (e2e security)
  • An area of neglect in my opinion
• Push DNSSEC validation to end stations?
• Secure path from stub resolver to recursive resolver
  • Possibilities: SIG(0), TSIG, IPSEC
15. Thoughts on deployment obstacles (6)
• Application layer feedback
  • Coming gradually
• DNSSEC-aware resolution APIs and applications enhanced to use them
• DNSSEC-aware applications
  • See http://www.dnssec-tools.org/
• Note: some folks think it might be nice to protect DNSSEC-oblivious applications silently as an interim step
16. Thoughts on deployment obstacles (7)
• Zone enumeration threat
  • See NSEC3 record (spec almost done)
  • draft-ietf-dnsext-nsec3-09.txt
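Two of the mechanisms the slides lean on can be worked through with nothing but the Python standard library: the trust-anchor and secure-delegation arithmetic behind slides 2 and 11 (the DNSKEY key tag from RFC 4034 Appendix B and the DS digest from RFC 4034 §5.1.4 / RFC 4509), and the hashed owner names that let NSEC3 answer "this name does not exist" without handing out the zone's contents (slide 16). This is an added example written for this page, not code from the talk or from the pilot group; RFC 5155 is the published form of the draft-ietf-dnsext-nsec3 spec the last slide cites. The DNSKEY bytes below are constructed and are not a real key; the one known-answer value, the hash of the apex name "example" with salt aabbccdd and 12 iterations, is taken from RFC 5155 Appendix A.

```python
"""DNSSEC record arithmetic from the standard library only (added example)."""
import base64
import hashlib
import struct

# RFC 4648 base32 alphabet -> "extended hex" base32hex alphabet used by NSEC3.
# base32hex sorts in the same order as the underlying bytes, which is what lets
# a resolver compare hashed owner names as plain strings.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, each prefixed by
    its length, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5):
    sum the RDATA as 16-bit big-endian words, fold in the carry, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 s5.1.4): hash(owner name wire form || DNSKEY RDATA).
    Digest type 1 = SHA-1, 2 = SHA-256 (RFC 4509). This is the value a parent
    zone publishes to delegate trust to the child's key."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hashed owner name (RFC 5155 s5): H = SHA-1,
    IH(x, 0) = H(x || salt), IH(x, k) = H(IH(x, k-1) || salt);
    output is unpadded base32hex, conventionally lowercase."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_chain(names, salt_hex: str, iterations: int):
    """Build the NSEC3 chain for a zone: (hashed owner, next hashed owner, name),
    sorted by hash, with the last record wrapping around to the first."""
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)][0], n) for i, (h, n) in enumerate(hashed)]


def covering_record(chain, qname: str, salt_hex: str, iterations: int):
    """Return the (owner hash, next hash) pair whose interval strictly contains
    H(qname), i.e. the record that proves qname does not exist; None if H(qname)
    matches an owner hash (the name exists) so no denial is possible.
    The zone's real names never leave the server, only their hashes do."""
    q = nsec3_hash(qname, salt_hex, iterations)
    for owner_hash, next_hash, _ in chain:
        if owner_hash == q:
            return None
        wraps = next_hash <= owner_hash  # last record points back to the first
        if (owner_hash < q < next_hash) or (wraps and (q > owner_hash or q < next_hash)):
            return (owner_hash, next_hash)
    return None


if __name__ == "__main__":
    # Constructed DNSKEY: KSK flags (257), protocol 3, RSASHA256 (8), fake key bytes.
    fake_key = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(8))
    print("key tag:", key_tag(fake_key))
    print("DS SHA-256:", ds_digest("example.", fake_key))
    zone_names = ["example", "a.example", "ns1.example"]  # constructed zone contents
    for owner_hash, next_hash, name in nsec3_chain(zone_names, "aabbccdd", 12):
        print(f"{owner_hash}.example NSEC3 1 0 12 aabbccdd {next_hash}  ; {name}")
    print("denial for does-not-exist.example:",
          covering_record(nsec3_chain(zone_names, "aabbccdd", 12),
                          "does-not-exist.example", "aabbccdd", 12))
```

Running it prints the hashed chain as it would appear in a signed zone file; note that the `; name` comment is the only place the original names show up, which is exactly what the slide's "zone enumeration threat" bullet is about. The salt and iteration count are the ones RFC 5155 uses in its worked example; operational guidance since then (RFC 9276) recommends zero iterations and an empty salt, because extra iterations cost validating resolvers CPU (the DoS caveat from slide 12) without adding meaningful protection.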