deploying new dnssec algorithms
play

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, - PowerPoint PPT Presentation

Mar 06, 2024 •303 likes •490 views

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

  1. Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360

  2. DNSSEC Algorithms • Used to generate keys for signing • DNSKEY • Used in DNSSEC signatures • RRSIG • Used for DS record for chain of trust • DS • Used in validation of DNSSEC records www.internetsociety.org/deploy360

  3. IANA Registry of DNSSEC Algorithm Numbers • http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml Number Description Mnemonic 0 Reserved 1 RSA/MD5 (deprecated ) RSAMD5 2 Diffie-Hellman DH 3 DSA/SHA1 DSA 4 Reserved 5 RSA/SHA-1 RSASHA1 6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 8 RSA/SHA-256 RSASHA256 9 Reserved 10 RSA/SHA-512 RSASHA512 11 Reserved 12 GOST R 34.10-2001 ECC-GOST 13 ECDSA Curve P-256 wSHA-256 ECDSAP256SHA256 14 ECDSA Curve P-384 wSHA-384 ECDSAP384SHA384 15-122 Unassigned 123-251 Reserved 252 Reserved for Indirect Keys INDIRECT 253 private algorithm PRIVATEDNS 254 private algorithm OID PRIVATEOID 255 Reserved www.internetsociety.org/deploy360

  4. BUT... DNSSEC is an RSA world... (part 1) • Ed Lewis (ICANN) presenting at CENTR, June 2015 • Breakdown of DNSSEC names • https://centr.org/system/files/agenda/attachment/rd7-lewis-dnssec_cryptographic_demographics-20150603.pdf www.internetsociety.org/deploy360

  5. BUT... DNSSEC is an RSA world... (part 2) • Ed Lewis (ICANN) presenting at CENTR, June 2015 • Top algorithms (raw keys, not names) Non-RSA algorithms • https://centr.org/system/files/agenda/attachment/rd7-lewis-dnssec_cryptographic_demographics-20150603.pdf www.internetsociety.org/deploy360

  6. “Newer” DNSSEC Algorithms • ECDSA – RFC 6605 – April 2012 • GOST – RFC 5933 – July 2010 • Future: • Ed25519? • https://gitlab.labs.nic.cz/labs/ietf/blob/master/draft-sury-dnskey-ed25519.xml • ChaCha? (RFC 7539) www.internetsociety.org/deploy360

  7. Why Do We Care About Newer Algorithms? • Faster! • Signing • Validation • Smaller keys and signatures • Packet size (and avoiding fragmentation) • Minimizing potential reflection/DDoS attacks • Better cryptography • Move away from 1024-bit RSA www.internetsociety.org/deploy360

  8. Aspects of Deploying New Algorithms • Validation • Signing / DNS Hosting Operators • Registries • Registrars • Developers www.internetsociety.org/deploy360

  9. Validation • Resolvers performing validation need to be updated to accept and use the new algorithm. • Software needs to be updated • Can be an issue of getting the underlying libraries updated • Updates need to be deployed • Customer-premises equipment (CPE) • Problem – RFC 4035, section 5.2: “ If the resolver does not support any of the algorithms listed in an authenticated DS RRset, then the resolver will not be able to verify the authentication path to the child zone. In this case , the resolver SHOULD treat the child zone as if it were unsigned . ” www.internetsociety.org/deploy360

  10. Validation - measurement • Geoff Huston at IEPG at IETF 92 (March 2015): • http://blog.apnic.net/2015/03/23/ietf92-geoff-presents-on-ec-dsa-at-iepg/ • 1 in 5 validating resolvers would not support ECDSA • Pier Carlo Chiodi using RIPE Atlas probes (Jan 2015): • http://blog.pierky.com/dnssec-ecdsa-aware-resolvers-seen-by-ripe-atlas/ • “ 512 probes received an authenticated response for RSA-signed zone, 63 of those (12,3 %) missed the AD flag for the ECDSA- signed one. ” www.internetsociety.org/deploy360

  11. Signing • Software for authoritative DNS servers need updates • Updated software needs to be deployed to signing servers • DNS Hosting Operators (which could be Registrars) need to offer new algorithm to customers • New key with new algorithm needs to co-exist with existing key for some period of time • Size impact www.internetsociety.org/deploy360

  12. Registries • Some registries are only accepting DS records with certain algorithms • Not accepting new algorithms • No way to know what algorithms registries accept • Update EPP feed to indicate what algorithms are accepted? • Question: Why do registries need to check algorithm type? www.internetsociety.org/deploy360

  13. Registrars • When adding DS records, some registrars only accept certain algorithms in web interface • Example – BEFORE someone asked for ECDSA: www.internetsociety.org/deploy360

  14. Registrars • Good news! – AFTER someone asked for ECDSA: • But this requires someone asking registrars to support new algorithms... and the registrars making the appropriate updates. www.internetsociety.org/deploy360

  15. Registrars • Question: why do registrars need to check the algorithm type? • What is the harm in advertising an “unknown” algorithm type? • Answer: Stop restricting and just accept all DS records. • Does this come down to a user interface issue? www.internetsociety.org/deploy360

  16. Developers • Give developers a list, they will check it! • Sooo... IANA DNSSEC algorithm list: • http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml • But... in this case bounds-checking is not necessary (if we accept idea that registrars/registries should accept all algorithms). • Need to modify software to allow all algorithms (or simply not check algorithm type). www.internetsociety.org/deploy360

  17. Next Steps • Help people understand value and need to support new algorithms • Document these steps in a form that can be distributed (ex. Internet-draft) • Identify and act on actions. Examples: • Understand implications of registrars/registries simply NOT doing any checking on algorithm types. • Survey registries to find out which restrict algorithms in DS records • Explore idea of communicating accepted algorithms in EPP • Encourage registrars to accept wider range of algorithms (or to stop checking) • Encourage developers to accept all IANA-listed algorithms (or to stop checking) www.internetsociety.org/deploy360

  18. Dan York Senior Content Strategist Internet Society york@isoc.org Thank You! www.internetsociety.org/deploy360

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical Architect, DCS1 Pte

432 views • 40 slides
Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com Disclaimer: we have done this First major DNSSEC user of ECDSA P256 Working on getting others to support it ICANN Registration model is

981 views • 9 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
CDAR Continuous Data-driven Analysis of Root Stability March 8, 2016 ICANN55, Marrakech Benno

CDAR Continuous Data-driven Analysis of Root Stability March 8, 2016 ICANN55, Marrakech Benno

CDAR Continuous Data-driven Analysis of Root Stability March 8, 2016 ICANN55, Marrakech Benno Overeinder (NLnet Labs) Cristian Hesselman (SIDN) Objective Analyze technical impact of the New gTLD Program on stability of the root server

440 views • 10 slides
IEEE 802.15.4 transceiver for the 868/915 MHz band using Software De fi ned Radio Rafik Zitouni

IEEE 802.15.4 transceiver for the 868/915 MHz band using Software De fi ned Radio Rafik Zitouni

SDR'1 2 -W I nnCom m -Europe 2 7 june 2 0 1 2 IEEE 802.15.4 transceiver for the 868/915 MHz band using Software De fi ned Radio Rafik Zitouni zitouni@ece.fr Rafik Zitouni, Stefan Ataman, Marie Mathian and Laurent George ECE Paris-LACSC

296 views • 17 slides
Implementation of Revised IEEE Standard 1547 Presentation to ISO-TO Operations Committee David

Implementation of Revised IEEE Standard 1547 Presentation to ISO-TO Operations Committee David

M A Y 3 1 , 2 0 1 7 | H O L Y O K E , M A S S A C H U S E T T S Implementation of Revised IEEE Standard 1547 Presentation to ISO-TO Operations Committee David Forrest ISO-NE PUBLIC Key Points As New England adds significant amounts

331 views • 17 slides
March Seventh General Meeting Month in Review IEEE and Lane Dept Apparel Codename SWE/Merit

March Seventh General Meeting Month in Review IEEE and Lane Dept Apparel Codename SWE/Merit

March Seventh General Meeting Month in Review IEEE and Lane Dept Apparel Codename SWE/Merit Badge University + Volunteering Dont Forget About Our Projects! Reminders If you havent done so already. Sign up to be a member on our

520 views • 19 slides
THE ILO AND THE COOPERATIVE MOVEMENT: A HISTORICAL PERSPECTIVE MARI RIEKE EKE LOUI UIS, S,

THE ILO AND THE COOPERATIVE MOVEMENT: A HISTORICAL PERSPECTIVE MARI RIEKE EKE LOUI UIS, S,

THE ILO AND THE COOPERATIVE MOVEMENT: A HISTORICAL PERSPECTIVE MARI RIEKE EKE LOUI UIS, S, SCIENCES IENCES PO GRENO ENOBL BLE, E, MARIE ARIEKE. KE.LO LOUIS@IE IS@IEPG.FR G.FR ILO LO COOP OOP CENTE NTENA NARY RY LA LAUNCH NCH

651 views • 3 slides
Project and Process Tailoring For Success 1 Key Learning Objectives Demonstrate how

Project and Process Tailoring For Success 1 Key Learning Objectives Demonstrate how

Project and Process Tailoring For Success 1 Key Learning Objectives Demonstrate how project/process tailoring can decrease cost by aligning process intensity with project risk and complexity Provide a roadmap for implementing tailoring

618 views • 47 slides
extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005

extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005

extended INCident Handling Working Group (INCH) 13:00 15:00 Wednesday, November 9. 2005 IETF 64, Vancouver, Canada URL: http://www.cert.org/ietf/inch/ http://www.cert.org/ietf/inch/ietf64/ slides:

254 views • 6 slides
Extended INCident Handling Working Group (INCH)

Extended INCident Handling Working Group (INCH)

Internet Engineering Task Force Extended INCident Handling Working Group (INCH) http://www.cert.org/ietf/inch/inch_interim_2004.html 12:00 16:00 Sunday, June 13 2004 Interim Meeting Budapest, Hungary Roman Danyliw, <rdd@cert.org>

396 views • 16 slides

More recommend