SlideShare a Scribd company logo

Technical and Business Considerations for DNSSEC Deployment

APNIC
APNIC

Presentation by Jim Reid at APRICOT 2017 on Tuesday, 28 February 2017.

Internet
1 of 38
Technical and Business Considerations for DNSSEC Depolyment Jim Reid jim@rfc1035.com
Objectives • Understanding the main technical & business impacts • Are these helping or hindering DNSSEC deployment? • What could or should be done to improve things?
TECHNICAL CONSIDERATIONS AND MYTHS Zone size CPU load Traffic levels, need for rate-limiting & traffic shaping Key rotation (rollover) Tooling & debugging Use cases
Zone & Cache Size • Signed zones are typically 5-10 times larger than unsigned ones • Approximately 4 times as many resource records • RRSIGs are big • So what? • Commodity RAM is cheap: ~$20 for 4GB of DDR3 • Disk space is cheap too: 1TB costs ~$50 • Name server’s RAM footprint might be an issue
CPU Load Considerations • 1024-bit RSASHA1 keys, 3GHz Xeon, 1 CPU • Signing: • ~1800 signatures/second • Validation: • ~24,000 validations/second • Off-the-shelf hardware & software should be good enough most (or all?) of the time
Network Considerations • DNSSEC requires EDNS0 • DO bit, larger payloads, etc. • Want to avoid truncation in both DNS response and the underlying MTU for packets/frames • Lots of broken stuff assumes DNS only goes over UDP and always has packets < 512 bytes • DNSSEC kills these false assumptions • Firewalls sometimes get misconfigured like this • CPE is notorious for getting this wrong too
DDoS Exposure • DNSSEC is a vector for DDoS amplification attacks • 50-60 byte query typically generates 1-2KB of response • Use Response Rate Limiting (RRL) • Provided in BIND9.10+ source distribution • Patches available for BIND9.9 • Also in recent versions of other DNS implementations • Traffic shaping might also help • Edge routers and/or kernels
Secure Hardware • Hardware Security Modules (HSMs) • Tamper-proof hardware for storing keys • Expensive and concerns about managing lots of keys • Largely a niche solution for very important security- critical zones • Security protocols for managing access tokens • HSM hardware isn’t really needed most of the time • HSM in software (OpenDNSSEC) might be good enough for a large registrar or small TLD registry
DNSSEC SIGNING CHOICES The main choices and trade-offs to consider when deploying Secure DNS include: Which versions of DNSSEC to use Crypto algorithms Managing keys & signatures Monitoring & reporting Tools & tooling What functionality & UIs should customers see?
Key Lengths - 1 • How large should the key signing keys (KSK) and zone signing keys (ZSK) be? • Obvious Goldilocks trade-offs: • Not too big or too small; just nice • Don’t assume large keys are “stronger” than small ones or vice versa • Could key size (or algorithms) be something to discuss with stakeholders? • Some might care (a lot), most probably won’t
Key Lengths - 2 • What’s the window for cryptanalysis of some key? • Some rules of thumb: • Short-lived keys don’t need to be big • Long-lived keys should be reasonably big • Suggestion: • Change a small ZSK once a week/month (maybe) • Change a large KSK once a year (maybe) • Whatever’s done for the.tld zone or at the root should be more than good enough for your zones
Signature Duration • Signature expiry intervals need careful thought too • Obvious Goldilocks trade-offs again: • Not too short or too long; just nice • Short expiry => more CPU cycles for validators • Long expiry => “stale” signatures may cause validation failures when something has to be changed in a hurry • Potential for cryptanalysis of long lived signatures? • Might be best to start off by following what the parent zone does and adjust in light of experience
Key Rollover - 1
Key Rollover - 2 • This should happen at regular, planned intervals • Might have to happen sooner in an emergency: ie when current key(s) are considered tainted/compromised • Hard to get the choreography right • Too many moving parts for KSK rollovers • Signing tools are getting a lot better at managing key rollovers and signing policies in general • Metadata in BIND’s K*.private files • OpenDNSSEC
Tooling • Early signing and validating tools were clunky • Much improved now but could be better still • Stronger focus on supporting local policies • Use obvious primitives that hide icky detail: • pdnssec secure-zone/add-zone-key in PowerDNS • Windows GUI-based DNS Manager • Essentially just click “Sign My Zone”
UI Considerations • Most end users and administrators won’t want or need to see DNSSEC • How best to “hide” DNSSEC operations on the control panel or web site? • Perhaps just add a “click here to sign” button? • Might be the end of the road for anyone managing DNS zone files with emacs or vi or perl • No user serviceable parts inside...
Monitoring & Reporting • Add DNSSEC elements to name server monitoring and reporting systems • Check that zones get signed when expected (or not) • Look out for zones with close-to-expiring signatures • Monitor key rollovers closely • Check that zone signing behaves as expected • Are KSK changes getting notified to the parent? • Does the parent’s DS match the child’s KSK? • Does the parent publish new DS records in good time?
Key Management for Customer & End User Zones • Who will generate/manage the keys for example.com, you or the customer? • Risks and benefits in both approaches • Who gets blamed if something breaks? • Is this an extra (chargeable?) service? • Who has responsibility for choosing the keys, rotating them, revoking them, etc? • What about customer support and helpdesk staff?
Validation Challenges • Switching on validation breaks response rewriting • RPZ, content filtering, anti-abuse protection measures, NXDOMAIN rewriting, parental controls, etc. • Government and law enforcement blacklists • IPR takedown/block requests • Clumsy workarounds • Forward “vanilla” queries to validating resolvers, send the dodgy ones elsewhere • Might be seen as needless extra complexity
What deployment barriers? • The software and tools work reasonably well • However it’s not always clear: • How to put them together and use/debug things • Define policies or understand the trade-offs • Where are the white papers, case studies and business justifications? • “We switched on DNSSEC and….” • Are experiences at the root or a TLD registry or a big ISP meaningful for example.com?
Advice Needed! • DNS administrators need guidance on DNSSEC deployment considerations and trade-offs: • Local policy choices on: key selection, signature duration, rollovers, negative trust anchors, etc. • NIST report 800-81-2 is wonderful • Tough reading for non-experts — 130+ pages! • Need something similar (and shorter) on business justifications • Convince the CEO that using DNSSEC is a Good Thing
Where’s the killer app? • Not much software uses or needs DNSSEC today • Proof of concept web plug-ins mostly • DANE could/should be the driver • Lookup certificates and other crypto material from the DNS • IETF’s ACME WG standards coming to browsers Real Soon Now • Let’s Encrypt certificates as an alternative to ones issued by conventional CAs • DANE support emerging in MTAs
Deployment Today - 1 • Most of the important TLDs are signed • Contractual requirement for new gTLDs • Some European ccTLDs have 70%+ signed delegations • Registrar discounts rather than DNSSEC enthusiasm • Very few of the busiest domain names are signed • Just paypal.com and nih.gov of the Alexa top 100 • The number of signed zones looks OK-ish quantitatively but not so good qualitatively
Deployment Today - 2 • Validation uptake is a lot healthier • Around 15% of users world-wide depend on a validating resolver • See https://stats.labs.apnic.net/dnssec • Much of this is attributed to just three providers: • Comcast, google’s 8.8.8.8 and TeliaSonera • This is great, but are they validating anything that actually matters? • What are the other big ISPs doing?
Externalities • For signers: • Why sign if almost nobody is thought to be validating? • What's the impact when/if someone else's validator fails? • For validators: • Why validate if hardly anyone important signs their zones? • When someone else's signer screws up, you end up taking the hit(s) for their mistake(s).What will the impact(s) be? • i.e.A rival ISP's customers have no problem getting to badlysigned.com because that ISP doesn't validate while your customers can't because we are validating
Customer Support • Training & education for helpdesk/support staff • Ditto for customers • DNSSEC troubleshooting • N-th level support staff will need training • How to tell the difference between a Secure DNS validation error SERVFAIL and a regular SERVFAIL • How to troubleshoot validation problems and fix or escalate them • Expired signatures, key mismatches, etc.
Documentation • Make sure everything gets properly documented: • Design/architecture, deployment plans & roadmap • Policies (e.g. key sizes, rotation, signing interval, audit, etc.) • Write a DNSSEC Policy/Practice Statement - DPS • RFC6841 is a good starting point • DPS for the root zone is an excellent template: •https://www.iana.org/dnssec/icann-dps.txt • Document DNSSEC tools and new processes • Produce white papers and use cases for stakeholders?
Training • How will your staff get trained? • Knowledge transfer from in-house and external experts • Commercial training courses, webinars, etc. • Not just for your DNS team • Network operations & system administrators • Developers & helpdesk • Customer relations & support staff • Upper management
The “Last Mile” Issue • AD header bit is set by the validating resolver • Vulnerable to spoofing by an attacker • Can the path between some stub resolver and its resolving server be trusted? • Windows uses IPsec to protect this • If the local net isn’t considered secure, run a validating resolver on the edge device itself • IETF’s DNS-over-TLS could be the answer
Validator Crunch Time! • Major test is just around the corner • First ever rollover of root zone’s KSK due Real Soon Now • Validators which don’t support or use RFC5011 key rollover will almost certainly break • BIND configurations with trusted-keys{} statements • Old/clunky/buggy DNSSEC implementations • IANA’s giving plenty of advance warning • Nothing important should fail • Famous last words….
Negative Trust Anchors • How to tell the validator that DNSSEC for some domain(s) are broken • Don't validate these domains for now, but carry on validating elsewhere • Provably insecure (and possibly bad) data might be better than nothing • Features in BIND and unbound to support this • A necessary evil - unfortunately • Workarounds for other people's mistakes
DNSSEC Troubleshooting • Can be very painful • Debugging vanilla DNS problems is hard enough • DNSSEC makes things even harder • Checking DNSSEC-related RRtypes, keeping track of key IDs & flags, algorithm numbers, etc. • Tools are getting better, but still far too difficult for many DNS administrators • Error messages should be clearer:“you forgot to re-sign”, “that signature has the wrong hash value”,“there's no DS record for this KSK”, etc.
drill • The best DNSSEC debugging tool by far • Also replicates dig’s commonly used functionality • Open source from NLnetLabs • Can illustrate validation in action • Shows which keys (algorithms & key lengths) are used • Work on a single signature or top-down from the root • Pinpoint stale keys & signatures • Identify DS record and KSK mismatches • drill -TD some-domain is just awesome!
delv • ISC's answer to drill • Distributed in BIND9.10+ • Command-line options almost identical to dig • Not as chatty as drill • Use the +vtrace option to see the validations
DNSVIZ • A web-based DNS visualisation tool • Draws nice pictures • Can display details of revoked keys • Visit dnsviz.net and type in your favourite signed domain name • Uses the web site's validating resolver, not yours • Doesn't check your validator's configuration • Can't check internal-only signed domains • Download DNSVIZ source code and run it locally?
DNSVIZ Example • Hover over elements to see details of the key, algorithm, TTL, key tags, etc • Shaded elements are the KSKs • Double circle around the trust anchor: the root's KSK
A Never Ending Task? • Keeping DNSSEC software and tools up-to-date • Can you rely on your vendor/supplier? • Crypto arms race • Changing DNSSEC keys regularly • Tweaking DNSSEC policies • Interactions with parent zone(s) • New operational problems and failure modes • Customer service/support and helpdesk issues
QUESTIONS?

Recommended

Disaster recovery. prepare.plan.perform.
Disaster recovery. prepare.plan.perform.Disaster recovery. prepare.plan.perform.
Disaster recovery. prepare.plan.perform.Dell Data Protection Software
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...RightScale
 
Is Your Data Secure
Is Your Data SecureIs Your Data Secure
Is Your Data SecureReal-Time Innovations (RTI)
 
Big Data for Security - DNS Analytics
Big Data for Security - DNS AnalyticsBig Data for Security - DNS Analytics
Big Data for Security - DNS AnalyticsMarco Casassa Mont
 
Talking LANDESK to Upper Management and Your Peers
Talking LANDESK to Upper Management and Your PeersTalking LANDESK to Upper Management and Your Peers
Talking LANDESK to Upper Management and Your PeersEric Garlepp
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for SecurityMarco Casassa Mont
 
Http 2: Should I care?
Http 2: Should I care?Http 2: Should I care?
Http 2: Should I care?LivePerson
 
System Revolution- How We Did It
System Revolution- How We Did It System Revolution- How We Did It
System Revolution- How We Did It LivePerson
 

Recommended

Disaster recovery. prepare.plan.perform.
Disaster recovery. prepare.plan.perform.Disaster recovery. prepare.plan.perform.
Disaster recovery. prepare.plan.perform.Dell Data Protection Software
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...RightScale
 
Is Your Data Secure
Is Your Data SecureIs Your Data Secure
Is Your Data SecureReal-Time Innovations (RTI)
 
Big Data for Security - DNS Analytics
Big Data for Security - DNS AnalyticsBig Data for Security - DNS Analytics
Big Data for Security - DNS AnalyticsMarco Casassa Mont
 
Talking LANDESK to Upper Management and Your Peers
Talking LANDESK to Upper Management and Your PeersTalking LANDESK to Upper Management and Your Peers
Talking LANDESK to Upper Management and Your PeersEric Garlepp
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for SecurityMarco Casassa Mont
 
Http 2: Should I care?
Http 2: Should I care?Http 2: Should I care?
Http 2: Should I care?LivePerson
 
System Revolution- How We Did It
System Revolution- How We Did It System Revolution- How We Did It
System Revolution- How We Did It LivePerson
 
GWAVACon 2013: Novell Service Desk Design, Deployment
GWAVACon 2013: Novell Service Desk Design, DeploymentGWAVACon 2013: Novell Service Desk Design, Deployment
GWAVACon 2013: Novell Service Desk Design, DeploymentGWAVA
 
Optimizing IT Infrastructure For Peak Database Performance
Optimizing IT Infrastructure For Peak Database Performance Optimizing IT Infrastructure For Peak Database Performance
Optimizing IT Infrastructure For Peak Database Performance Aventis Systems, Inc.
 
Developer To Architect
Developer To ArchitectDeveloper To Architect
Developer To ArchitectAnurag Yadav
 
Tpm cloud collaboration network security
Tpm cloud collaboration network securityTpm cloud collaboration network security
Tpm cloud collaboration network securityDavid Brunke
 
How Laserfiche Works For Lawyers
How Laserfiche Works For LawyersHow Laserfiche Works For Lawyers
How Laserfiche Works For Lawyerslwrightsolutions
 
Cyber-Security Product
Cyber-Security ProductCyber-Security Product
Cyber-Security ProductAli Hamieh
 
CD presentation march 12th, 2018
CD presentation march 12th, 2018CD presentation march 12th, 2018
CD presentation march 12th, 2018Ran Levy
 
Transactional Streaming: If you can compute it, you can probably stream it.
Transactional Streaming: If you can compute it, you can probably stream it.Transactional Streaming: If you can compute it, you can probably stream it.
Transactional Streaming: If you can compute it, you can probably stream it.jhugg
 
The road to clustered data ontap.
The road to clustered data ontap.The road to clustered data ontap.
The road to clustered data ontap.Scalar Decisions
 
Selling Disaster Recovery as a Service
Selling Disaster Recovery as a ServiceSelling Disaster Recovery as a Service
Selling Disaster Recovery as a ServiceServerCentral
 
MWLUG 2017 SA110
MWLUG 2017 SA110MWLUG 2017 SA110
MWLUG 2017 SA110Douglas Robinson
 
Survivor - Disaster Recovery Edition
Survivor - Disaster Recovery EditionSurvivor - Disaster Recovery Edition
Survivor - Disaster Recovery EditionVelocity Technology Solutions
 
Case Studies: TakNet
Case Studies: TakNetCase Studies: TakNet
Case Studies: TakNetAPNIC
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabAPNIC
 
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...APNIC
 
Korea IPv6 Measurement
Korea IPv6 MeasurementKorea IPv6 Measurement
Korea IPv6 MeasurementAPNIC
 
Japan IPv6 Measurement
Japan IPv6 MeasurementJapan IPv6 Measurement
Japan IPv6 MeasurementAPNIC
 
APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC
 
APIX Update
APIX UpdateAPIX Update
APIX UpdateAPNIC
 
Network Automation: Ansible 101
Network Automation: Ansible 101Network Automation: Ansible 101
Network Automation: Ansible 101APNIC
 
Evolving the network for 5G
Evolving the network for 5GEvolving the network for 5G
Evolving the network for 5GAPNIC
 
LPWA – Giving a Voice to Things
LPWA – Giving a Voice to ThingsLPWA – Giving a Voice to Things
LPWA – Giving a Voice to ThingsAPNIC
 

More Related Content

What's hot

GWAVACon 2013: Novell Service Desk Design, Deployment
GWAVACon 2013: Novell Service Desk Design, DeploymentGWAVACon 2013: Novell Service Desk Design, Deployment
GWAVACon 2013: Novell Service Desk Design, DeploymentGWAVA
 
Optimizing IT Infrastructure For Peak Database Performance
Optimizing IT Infrastructure For Peak Database Performance Optimizing IT Infrastructure For Peak Database Performance
Optimizing IT Infrastructure For Peak Database Performance Aventis Systems, Inc.
 
Developer To Architect
Developer To ArchitectDeveloper To Architect
Developer To ArchitectAnurag Yadav
 
Tpm cloud collaboration network security
Tpm cloud collaboration network securityTpm cloud collaboration network security
Tpm cloud collaboration network securityDavid Brunke
 
How Laserfiche Works For Lawyers
How Laserfiche Works For LawyersHow Laserfiche Works For Lawyers
How Laserfiche Works For Lawyerslwrightsolutions
 
Cyber-Security Product
Cyber-Security ProductCyber-Security Product
Cyber-Security ProductAli Hamieh
 
CD presentation march 12th, 2018
CD presentation march 12th, 2018CD presentation march 12th, 2018
CD presentation march 12th, 2018Ran Levy
 
Transactional Streaming: If you can compute it, you can probably stream it.
Transactional Streaming: If you can compute it, you can probably stream it.Transactional Streaming: If you can compute it, you can probably stream it.
Transactional Streaming: If you can compute it, you can probably stream it.jhugg
 
The road to clustered data ontap.
The road to clustered data ontap.The road to clustered data ontap.
The road to clustered data ontap.Scalar Decisions
 
Selling Disaster Recovery as a Service
Selling Disaster Recovery as a ServiceSelling Disaster Recovery as a Service
Selling Disaster Recovery as a ServiceServerCentral
 

What's hot (12)

GWAVACon 2013: Novell Service Desk Design, Deployment
GWAVACon 2013: Novell Service Desk Design, DeploymentGWAVACon 2013: Novell Service Desk Design, Deployment
GWAVACon 2013: Novell Service Desk Design, Deployment
 
Optimizing IT Infrastructure For Peak Database Performance
Optimizing IT Infrastructure For Peak Database Performance Optimizing IT Infrastructure For Peak Database Performance
Optimizing IT Infrastructure For Peak Database Performance
 
Developer To Architect
Developer To ArchitectDeveloper To Architect
Developer To Architect
 
Tpm cloud collaboration network security
Tpm cloud collaboration network securityTpm cloud collaboration network security
Tpm cloud collaboration network security
 
How Laserfiche Works For Lawyers
How Laserfiche Works For LawyersHow Laserfiche Works For Lawyers
How Laserfiche Works For Lawyers
 
Cyber-Security Product
Cyber-Security ProductCyber-Security Product
Cyber-Security Product
 
CD presentation march 12th, 2018
CD presentation march 12th, 2018CD presentation march 12th, 2018
CD presentation march 12th, 2018
 
Transactional Streaming: If you can compute it, you can probably stream it.
Transactional Streaming: If you can compute it, you can probably stream it.Transactional Streaming: If you can compute it, you can probably stream it.
Transactional Streaming: If you can compute it, you can probably stream it.
 
The road to clustered data ontap.
The road to clustered data ontap.The road to clustered data ontap.
The road to clustered data ontap.
 
Selling Disaster Recovery as a Service
Selling Disaster Recovery as a ServiceSelling Disaster Recovery as a Service
Selling Disaster Recovery as a Service
 
MWLUG 2017 SA110
MWLUG 2017 SA110MWLUG 2017 SA110
MWLUG 2017 SA110
 
Survivor - Disaster Recovery Edition
Survivor - Disaster Recovery EditionSurvivor - Disaster Recovery Edition
Survivor - Disaster Recovery Edition
 

Viewers also liked

Case Studies: TakNet
Case Studies: TakNetCase Studies: TakNet
Case Studies: TakNetAPNIC
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabAPNIC
 
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...APNIC
 
Korea IPv6 Measurement
Korea IPv6 MeasurementKorea IPv6 Measurement
Korea IPv6 MeasurementAPNIC
 
Japan IPv6 Measurement
Japan IPv6 MeasurementJapan IPv6 Measurement
Japan IPv6 MeasurementAPNIC
 
APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC
 
APIX Update
APIX UpdateAPIX Update
APIX UpdateAPNIC
 
Network Automation: Ansible 101
Network Automation: Ansible 101Network Automation: Ansible 101
Network Automation: Ansible 101APNIC
 
Evolving the network for 5G
Evolving the network for 5GEvolving the network for 5G
Evolving the network for 5GAPNIC
 
LPWA – Giving a Voice to Things
LPWA – Giving a Voice to ThingsLPWA – Giving a Voice to Things
LPWA – Giving a Voice to ThingsAPNIC
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102APNIC
 
20 years of the Internet in Vietnam: Think about the I in the Internet
20 years of the Internet in Vietnam: Think about the I in the Internet20 years of the Internet in Vietnam: Think about the I in the Internet
20 years of the Internet in Vietnam: Think about the I in the InternetAPNIC
 
Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...
Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...
Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...Agnieszka (Aggie) Grabowska
 
BCOP BoF
BCOP BoFBCOP BoF
BCOP BoFAPNIC
 
The Death of Transit and Beyond
The Death of Transit and BeyondThe Death of Transit and Beyond
The Death of Transit and BeyondAPNIC
 
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneRunning a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneAPNIC
 
Addressing 2016
Addressing 2016Addressing 2016
Addressing 2016APNIC
 
Trafficshifting: Avoiding Disasters & Improving Performance at Scale
Trafficshifting: Avoiding Disasters & Improving Performance at ScaleTrafficshifting: Avoiding Disasters & Improving Performance at Scale
Trafficshifting: Avoiding Disasters & Improving Performance at ScaleAPNIC
 
prop-117: Returned IPv4 address management and Final /8 exhaustion
prop-117: Returned IPv4 address management and Final /8 exhaustionprop-117: Returned IPv4 address management and Final /8 exhaustion
prop-117: Returned IPv4 address management and Final /8 exhaustionAPNIC
 
Minimum Viable FIB
Minimum Viable FIBMinimum Viable FIB
Minimum Viable FIBAPNIC
 

Viewers also liked (20)

Case Studies: TakNet
Case Studies: TakNetCase Studies: TakNet
Case Studies: TakNet
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6Lab
 
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
 
Korea IPv6 Measurement
Korea IPv6 MeasurementKorea IPv6 Measurement
Korea IPv6 Measurement
 
Japan IPv6 Measurement
Japan IPv6 MeasurementJapan IPv6 Measurement
Japan IPv6 Measurement
 
APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017
 
APIX Update
APIX UpdateAPIX Update
APIX Update
 
Network Automation: Ansible 101
Network Automation: Ansible 101Network Automation: Ansible 101
Network Automation: Ansible 101
 
Evolving the network for 5G
Evolving the network for 5GEvolving the network for 5G
Evolving the network for 5G
 
LPWA – Giving a Voice to Things
LPWA – Giving a Voice to ThingsLPWA – Giving a Voice to Things
LPWA – Giving a Voice to Things
 
Network Automation: Ansible 102
Network Automation: Ansible 102Network Automation: Ansible 102
Network Automation: Ansible 102
 
20 years of the Internet in Vietnam: Think about the I in the Internet
20 years of the Internet in Vietnam: Think about the I in the Internet20 years of the Internet in Vietnam: Think about the I in the Internet
20 years of the Internet in Vietnam: Think about the I in the Internet
 
Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...
Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...
Improve your supply chain with Acctivate & B2BGateway | B2BGateway co-hosted ...
 
BCOP BoF
BCOP BoFBCOP BoF
BCOP BoF
 
The Death of Transit and Beyond
The Death of Transit and BeyondThe Death of Transit and Beyond
The Death of Transit and Beyond
 
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneRunning a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root Zone
 
Addressing 2016
Addressing 2016Addressing 2016
Addressing 2016
 
Trafficshifting: Avoiding Disasters & Improving Performance at Scale
Trafficshifting: Avoiding Disasters & Improving Performance at ScaleTrafficshifting: Avoiding Disasters & Improving Performance at Scale
Trafficshifting: Avoiding Disasters & Improving Performance at Scale
 
prop-117: Returned IPv4 address management and Final /8 exhaustion
prop-117: Returned IPv4 address management and Final /8 exhaustionprop-117: Returned IPv4 address management and Final /8 exhaustion
prop-117: Returned IPv4 address management and Final /8 exhaustion
 
Minimum Viable FIB
Minimum Viable FIBMinimum Viable FIB
Minimum Viable FIB
 

Similar to Technical and Business Considerations for DNSSEC Deployment

Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
Design Reviews for Operations - Velocity Europe 2014
Design Reviews for Operations - Velocity Europe 2014Design Reviews for Operations - Velocity Europe 2014
Design Reviews for Operations - Velocity Europe 2014Mandi Walls
 
Moving Oracle Applications to the Cloud - Which Cloud is Right for Me?
Moving Oracle Applications to the Cloud - Which Cloud is Right for Me? Moving Oracle Applications to the Cloud - Which Cloud is Right for Me?
Moving Oracle Applications to the Cloud - Which Cloud is Right for Me?Datavail
 
Scaling apps for the big time
Scaling apps for the big timeScaling apps for the big time
Scaling apps for the big timeproitconsult
 
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemUsing ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemAPNIC
 
Design Review Best Practices - SREcon 2014
Design Review Best Practices - SREcon 2014Design Review Best Practices - SREcon 2014
Design Review Best Practices - SREcon 2014Mandi Walls
 
Global Software Development powered by Perforce
Global Software Development powered by PerforceGlobal Software Development powered by Perforce
Global Software Development powered by PerforcePerforce
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityPaul Morse
 
Kafka Summit SF 2017 - Running Kafka for Maximum Pain
Kafka Summit SF 2017 - Running Kafka for Maximum PainKafka Summit SF 2017 - Running Kafka for Maximum Pain
Kafka Summit SF 2017 - Running Kafka for Maximum Painconfluent
 
Dbops, DevOps & Ops, by Eduardo Piairo
Dbops, DevOps & Ops, by Eduardo PiairoDbops, DevOps & Ops, by Eduardo Piairo
Dbops, DevOps & Ops, by Eduardo PiairoAgile Connect®
 

Similar to Technical and Business Considerations for DNSSEC Deployment (20)

Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
Challenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic AlgorithmsChallenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic Algorithms
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
Design Reviews for Operations - Velocity Europe 2014
Design Reviews for Operations - Velocity Europe 2014Design Reviews for Operations - Velocity Europe 2014
Design Reviews for Operations - Velocity Europe 2014
 
Moving Oracle Applications to the Cloud - Which Cloud is Right for Me?
Moving Oracle Applications to the Cloud - Which Cloud is Right for Me? Moving Oracle Applications to the Cloud - Which Cloud is Right for Me?
Moving Oracle Applications to the Cloud - Which Cloud is Right for Me?
 
Scaling apps for the big time
Scaling apps for the big timeScaling apps for the big time
Scaling apps for the big time
 
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision ProblemUsing ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
Using ~300 Billion DNS Queries to Analyse the TLD Name Collision Problem
 
Design Review Best Practices - SREcon 2014
Design Review Best Practices - SREcon 2014Design Review Best Practices - SREcon 2014
Design Review Best Practices - SREcon 2014
 
Global Software Development powered by Perforce
Global Software Development powered by PerforceGlobal Software Development powered by Perforce
Global Software Development powered by Perforce
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
Kafka Summit SF 2017 - Running Kafka for Maximum Pain
Kafka Summit SF 2017 - Running Kafka for Maximum PainKafka Summit SF 2017 - Running Kafka for Maximum Pain
Kafka Summit SF 2017 - Running Kafka for Maximum Pain
 
1 - Introduction.ppt
1 - Introduction.ppt1 - Introduction.ppt
1 - Introduction.ppt
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Dbops, DevOps & Ops, by Eduardo Piairo
Dbops, DevOps & Ops, by Eduardo PiairoDbops, DevOps & Ops, by Eduardo Piairo
Dbops, DevOps & Ops, by Eduardo Piairo
 

More from APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

More from APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Recently uploaded

PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 

Recently uploaded (20)

PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 

Technical and Business Considerations for DNSSEC Deployment

  • 1. Technical and Business Considerations for DNSSEC Depolyment Jim Reid jim@rfc1035.com
  • 2. Objectives • Understanding the main technical & business impacts • Are these helping or hindering DNSSEC deployment? • What could or should be done to improve things?
  • 3. TECHNICAL CONSIDERATIONS AND MYTHS Zone size CPU load Traffic levels, need for rate-limiting & traffic shaping Key rotation (rollover) Tooling & debugging Use cases
  • 4. Zone & Cache Size • Signed zones are typically 5-10 times larger than unsigned ones • Approximately 4 times as many resource records • RRSIGs are big • So what? • Commodity RAM is cheap: ~$20 for 4GB of DDR3 • Disk space is cheap too: 1TB costs ~$50 • Name server’s RAM footprint might be an issue
  • 5. CPU Load Considerations • 1024-bit RSASHA1 keys, 3GHz Xeon, 1 CPU • Signing: • ~1800 signatures/second • Validation: • ~24,000 validations/second • Off-the-shelf hardware & software should be good enough most (or all?) of the time
  • 6. Network Considerations • DNSSEC requires EDNS0 • DO bit, larger payloads, etc. • Want to avoid truncation in both DNS response and the underlying MTU for packets/frames • Lots of broken stuff assumes DNS only goes over UDP and always has packets < 512 bytes • DNSSEC kills these false assumptions • Firewalls sometimes get misconfigured like this • CPE is notorious for getting this wrong too
  • 7. DDoS Exposure • DNSSEC is a vector for DDoS amplification attacks • 50-60 byte query typically generates 1-2KB of response • Use Response Rate Limiting (RRL) • Provided in BIND9.10+ source distribution • Patches available for BIND9.9 • Also in recent versions of other DNS implementations • Traffic shaping might also help • Edge routers and/or kernels
  • 8. Secure Hardware • Hardware Security Modules (HSMs) • Tamper-proof hardware for storing keys • Expensive and concerns about managing lots of keys • Largely a niche solution for very important security- critical zones • Security protocols for managing access tokens • HSM hardware isn’t really needed most of the time • HSM in software (OpenDNSSEC) might be good enough for a large registrar or small TLD registry
  • 9. DNSSEC SIGNING CHOICES The main choices and trade-offs to consider when deploying Secure DNS include: Which versions of DNSSEC to use Crypto algorithms Managing keys & signatures Monitoring & reporting Tools & tooling What functionality & UIs should customers see?
  • 10. Key Lengths - 1 • How large should the key signing keys (KSK) and zone signing keys (ZSK) be? • Obvious Goldilocks trade-offs: • Not too big or too small; just nice • Don’t assume large keys are “stronger” than small ones or vice versa • Could key size (or algorithms) be something to discuss with stakeholders? • Some might care (a lot), most probably won’t
  • 11. Key Lengths - 2 • What’s the window for cryptanalysis of some key? • Some rules of thumb: • Short-lived keys don’t need to be big • Long-lived keys should be reasonably big • Suggestion: • Change a small ZSK once a week/month (maybe) • Change a large KSK once a year (maybe) • Whatever’s done for the.tld zone or at the root should be more than good enough for your zones
  • 12. Signature Duration • Signature expiry intervals need careful thought too • Obvious Goldilocks trade-offs again: • Not too short or too long; just nice • Short expiry => more CPU cycles for validators • Long expiry => “stale” signatures may cause validation failures when something has to be changed in a hurry • Potential for cryptanalysis of long lived signatures? • Might be best to start off by following what the parent zone does and adjust in light of experience
  • 14. Key Rollover - 2 • This should happen at regular, planned intervals • Might have to happen sooner in an emergency: ie when current key(s) are considered tainted/compromised • Hard to get the choreography right • Too many moving parts for KSK rollovers • Signing tools are getting a lot better at managing key rollovers and signing policies in general • Metadata in BIND’s K*.private files • OpenDNSSEC
  • 15. Tooling • Early signing and validating tools were clunky • Much improved now but could be better still • Stronger focus on supporting local policies • Use obvious primitives that hide icky detail: • pdnssec secure-zone/add-zone-key in PowerDNS • Windows GUI-based DNS Manager • Essentially just click “Sign My Zone”
  • 16. UI Considerations • Most end users and administrators won’t want or need to see DNSSEC • How best to “hide” DNSSEC operations on the control panel or web site? • Perhaps just add a “click here to sign” button? • Might be the end of the road for anyone managing DNS zone files with emacs or vi or perl • No user serviceable parts inside...
  • 17. Monitoring & Reporting • Add DNSSEC elements to name server monitoring and reporting systems • Check that zones get signed when expected (or not) • Look out for zones with close-to-expiring signatures • Monitor key rollovers closely • Check that zone signing behaves as expected • Are KSK changes getting notified to the parent? • Does the parent’s DS match the child’s KSK? • Does the parent publish new DS records in good time?
  • 18. Key Management for Customer & End User Zones • Who will generate/manage the keys for example.com, you or the customer? • Risks and benefits in both approaches • Who gets blamed if something breaks? • Is this an extra (chargeable?) service? • Who has responsibility for choosing the keys, rotating them, revoking them, etc? • What about customer support and helpdesk staff?
  • 19. Validation Challenges • Switching on validation breaks response rewriting • RPZ, content filtering, anti-abuse protection measures, NXDOMAIN rewriting, parental controls, etc. • Government and law enforcement blacklists • IPR takedown/block requests • Clumsy workarounds • Forward “vanilla” queries to validating resolvers, send the dodgy ones elsewhere • Might be seen as needless extra complexity
  • 20. What deployment barriers? • The software and tools work reasonably well • However it’s not always clear: • How to put them together and use/debug things • Define policies or understand the trade-offs • Where are the white papers, case studies and business justifications? • “We switched on DNSSEC and….” • Are experiences at the root or a TLD registry or a big ISP meaningful for example.com?
  • 21. Advice Needed! • DNS administrators need guidance on DNSSEC deployment considerations and trade-offs: • Local policy choices on: key selection, signature duration, rollovers, negative trust anchors, etc. • NIST report 800-81-2 is wonderful • Tough reading for non-experts — 130+ pages! • Need something similar (and shorter) on business justifications • Convince the CEO that using DNSSEC is a Good Thing
  • 22. Where’s the killer app? • Not much software uses or needs DNSSEC today • Proof of concept web plug-ins mostly • DANE could/should be the driver • Lookup certificates and other crypto material from the DNS • IETF’s ACME WG standards coming to browsers Real Soon Now • Let’s Encrypt certificates as an alternative to ones issued by conventional CAs • DANE support emerging in MTAs
  • 23. Deployment Today - 1 • Most of the important TLDs are signed • Contractual requirement for new gTLDs • Some European ccTLDs have 70%+ signed delegations • Registrar discounts rather than DNSSEC enthusiasm • Very few of the busiest domain names are signed • Just paypal.com and nih.gov of the Alexa top 100 • The number of signed zones looks OK-ish quantitatively but not so good qualitatively
  • 24. Deployment Today - 2 • Validation uptake is a lot healthier • Around 15% of users world-wide depend on a validating resolver • See https://stats.labs.apnic.net/dnssec • Much of this is attributed to just three providers: • Comcast, google’s 8.8.8.8 and TeliaSonera • This is great, but are they validating anything that actually matters? • What are the other big ISPs doing?
  • 25. Externalities • For signers: • Why sign if almost nobody is thought to be validating? • What's the impact when/if someone else's validator fails? • For validators: • Why validate if hardly anyone important signs their zones? • When someone else's signer screws up, you end up taking the hit(s) for their mistake(s).What will the impact(s) be? • i.e.A rival ISP's customers have no problem getting to badlysigned.com because that ISP doesn't validate while your customers can't because we are validating
  • 26. Customer Support • Training & education for helpdesk/support staff • Ditto for customers • DNSSEC troubleshooting • N-th level support staff will need training • How to tell the difference between a Secure DNS validation error SERVFAIL and a regular SERVFAIL • How to troubleshoot validation problems and fix or escalate them • Expired signatures, key mismatches, etc.
  • 27. Documentation • Make sure everything gets properly documented: • Design/architecture, deployment plans & roadmap • Policies (e.g. key sizes, rotation, signing interval, audit, etc.) • Write a DNSSEC Policy/Practice Statement - DPS • RFC6841 is a good starting point • DPS for the root zone is an excellent template: •https://www.iana.org/dnssec/icann-dps.txt • Document DNSSEC tools and new processes • Produce white papers and use cases for stakeholders?
  • 28. Training • How will your staff get trained? • Knowledge transfer from in-house and external experts • Commercial training courses, webinars, etc. • Not just for your DNS team • Network operations & system administrators • Developers & helpdesk • Customer relations & support staff • Upper management
  • 29. The “Last Mile” Issue • AD header bit is set by the validating resolver • Vulnerable to spoofing by an attacker • Can the path between some stub resolver and its resolving server be trusted? • Windows uses IPsec to protect this • If the local net isn’t considered secure, run a validating resolver on the edge device itself • IETF’s DNS-over-TLS could be the answer
  • 30. Validator Crunch Time! • Major test is just around the corner • First ever rollover of root zone’s KSK due Real Soon Now • Validators which don’t support or use RFC5011 key rollover will almost certainly break • BIND configurations with trusted-keys{} statements • Old/clunky/buggy DNSSEC implementations • IANA’s giving plenty of advance warning • Nothing important should fail • Famous last words….
  • 31. Negative Trust Anchors • How to tell the validator that DNSSEC for some domain(s) are broken • Don't validate these domains for now, but carry on validating elsewhere • Provably insecure (and possibly bad) data might be better than nothing • Features in BIND and unbound to support this • A necessary evil - unfortunately • Workarounds for other people's mistakes
  • 32. DNSSEC Troubleshooting • Can be very painful • Debugging vanilla DNS problems is hard enough • DNSSEC makes things even harder • Checking DNSSEC-related RRtypes, keeping track of key IDs & flags, algorithm numbers, etc. • Tools are getting better, but still far too difficult for many DNS administrators • Error messages should be clearer:“you forgot to re-sign”, “that signature has the wrong hash value”,“there's no DS record for this KSK”, etc.
  • 33. drill • The best DNSSEC debugging tool by far • Also replicates dig’s commonly used functionality • Open source from NLnetLabs • Can illustrate validation in action • Shows which keys (algorithms & key lengths) are used • Work on a single signature or top-down from the root • Pinpoint stale keys & signatures • Identify DS record and KSK mismatches • drill -TD some-domain is just awesome!
  • 34. delv • ISC's answer to drill • Distributed in BIND9.10+ • Command-line options almost identical to dig • Not as chatty as drill • Use the +vtrace option to see the validations
  • 35. DNSVIZ • A web-based DNS visualisation tool • Draws nice pictures • Can display details of revoked keys • Visit dnsviz.net and type in your favourite signed domain name • Uses the web site's validating resolver, not yours • Doesn't check your validator's configuration • Can't check internal-only signed domains • Download DNSVIZ source code and run it locally?
  • 36. DNSVIZ Example • Hover over elements to see details of the key, algorithm, TTL, key tags, etc • Shaded elements are the KSKs • Double circle around the trust anchor: the root's KSK
  • 37. A Never Ending Task? • Keeping DNSSEC software and tools up-to-date • Can you rely on your vendor/supplier? • Crypto arms race • Changing DNSSEC keys regularly • Tweaking DNSSEC policies • Interactions with parent zone(s) • New operational problems and failure modes • Customer service/support and helpdesk issues