
DNS and DNSSEC Management and Monitoring Changes Required During A - PowerPoint PPT Presentation



  1. DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com>

  2. Overview
     ● Business Model Changes
     ● Relationship Requirements
       – Relationship with your DNS parent
       – Relationships with your children
     ● Timeline Changes

  3. Business Model Changes: Creating a New Domain
     [Diagram: root → com → example.com; each delegation carries NS, A and AAAA records]
     ● With DNS
       – Purchase your name, win an auction, ...
       – Use recent compliant DNS software
       – Attach to your parent
     ● Business or other relationship
       – TLD → ICANN / IANA
       – Enterprise, etc → Registrar
     ● Use their interface to update your NS/Glue

  4. Business Model Changes: Creating a New Domain
     [Diagram: root → com → example.com; each delegation now carries NS, A, AAAA and DS records]
     ● With DNS
       – Purchase your name, win an auction, ...
       – Attach to your parent
     ● Business relationship or contract
       – TLD → ICANN / IANA
       – Enterprise, etc → Registrar
     ● Use their interface to update your NS/Glue
     ● DNSSEC Adds
       – Need to update DS records
       – Parent and interface must be DNSSEC compliant!
     ● This may affect your buying and attachment decision

  5. Relationship Changes: Relationships With Your Parent
     [Diagram: com → example.com; the delegation carries NS, A and AAAA records]
     ● With DNS
       – Maintain data synchronization with your parent
         ● NS
         ● Glue (A and AAAA)
       – Frequently while changing infrastructure
         ● Likely the only time your parent data changes
     ● Make sure to tell your parent
       – New or removed NS records
       – Changing A and AAAA records
     ● People tend to “know” these are important
       – Because they're rare!
       – IETF's CSYNC draft automates this

  6. Business Model Changes: Relationships With Your Parent
     [Diagram: com → example.com; the delegation carries NS, A, AAAA and DS records]
     ● DNSSEC adds:
       – Maintain data synchronization with your parent
         ● DS Records
       – When your key changes
         ● When you roll your keys: tell your parent!
         ● If you plan on a regular schedule
           – Make sure it's in the todo list!
           – People forget things that are periodic
       – IETF's RFC7344 (CDS) automates this

  7. Relationship Changes: Maintaining a Domain: Testing!
     ● With DNS
       – Do your parent and your NS/glue records match?
       – What tools are you using?
         ● Monitoring service?
         ● Software?
         ● Self-monitoring scripts?
       – EG: “dig example.com NS” vs “dig @parent example.com NS”
       – Are you going to monitor this frequently?

  8. Relationship Changes: Maintaining a Domain: Testing!
     ● With DNS
       – Do your parent and your NS/glue records match?
       – What tools are you using?
         ● Monitoring service?
         ● Software?
         ● Self-monitoring scripts?
       – EG: “dig example.com NS” vs “dig @parent example.com NS”
       – Are you going to monitor this frequently?
     ● DNSSEC Additions
       – Monitor the DS record too
         ● Does your monitoring service or tool support it?

  9. Relationship Changes: Quiz!!! Maintaining a Domain: Testing!
     ● Example DS record checking using “getds”
       --- DS records generated from querying example.com:
       EXAMPLE.COM. 3600 IN DS 51605 8 2 (918...
       EXAMPLE.COM. 3600 IN DS 51605 8 1 (E74...
       EXAMPLE.COM. 3600 IN DS 31589 8 2 (CDE...
       EXAMPLE.COM. 3600 IN DS 31589 8 1 (349...
       --- DS records pulled from the parent of example.com:
       EXAMPLE.COM. 86400 IN DS 31589 8 2 (CD0...
       EXAMPLE.COM. 86400 IN DS 31589 8 1 (349...

  10. Relationship Changes: Quiz!!! Maintaining a Domain: Testing!
     ● Example DS record checking using “getds”
       --- DS records generated from querying example.com:
       EXAMPLE.COM. 3600 IN DS 51605 8 2 (918...
       EXAMPLE.COM. 3600 IN DS 51605 8 1 (E74...
       EXAMPLE.COM. 3600 IN DS 31589 8 2 (CDE...
       EXAMPLE.COM. 3600 IN DS 31589 8 1 (349...
       --- DS records pulled from the parent of example.com:
       EXAMPLE.COM. 86400 IN DS 31589 8 2 (CD0...
       EXAMPLE.COM. 86400 IN DS 31589 8 1 (349...
       ERRORS (2):
       1) The following DS record is not published in parent:
          EXAMPLE.COM. 3600 IN DS 51605 8 1 (E74...
       2) The following DS record is not published in parent:
          EXAMPLE.COM. 3600 IN DS 51605 8 2 (918...


  12. Relationship Changes: Maintaining a Domain: Testing!
     ● Example DS record checking using “getds”
       --- DS records generated from querying example.com:
       EXAMPLE.COM. 3600 IN DS 51605 8 2 (918...   ← New?
       EXAMPLE.COM. 3600 IN DS 51605 8 1 (E74...   ← New?
       EXAMPLE.COM. 3600 IN DS 31589 8 2 (CDE...   ← Old?
       EXAMPLE.COM. 3600 IN DS 31589 8 1 (349...   ← Old?
       --- DS records pulled from the parent of example.com:
       EXAMPLE.COM. 86400 IN DS 31589 8 2 (CD0...
       EXAMPLE.COM. 86400 IN DS 31589 8 1 (349...
       ERRORS (2):
       1) The following DS record is not published in parent:
          EXAMPLE.COM. 3600 IN DS 51605 8 1 (E74...
       2) The following DS record is not published in parent:
          EXAMPLE.COM. 3600 IN DS 51605 8 2 (918...
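The check the getds slides illustrate, written out as an added example (this is not getds and not code from the deck): the DS set the child derives from its own keys is compared with the DS set the parent publishes, ignoring TTL and case, and the two failure modes are told apart. A new key that the parent has not yet heard about is the case getds reports; a parent DS that no longer matches any child key is worse, because validators following it cannot build a chain of trust. The DS lines and their digests are constructed placeholders, not real hashes.

```python
"""Parent/child DS synchronization check in the spirit of the getds slides. Added example, not getds."""
import re

# DS presentation format: owner [ttl] [class] DS keytag alg digest-type digest.
# TTL is optional because the child (3600) and parent (86400) legitimately
# differ on it; only the DS fields themselves take part in the comparison.
DS_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f\s]+)$")

def parse_ds(line):
    """Return a comparable (owner, keytag, algorithm, digest type, digest) tuple."""
    m = DS_RE.match(line.strip())
    if not m:
        raise ValueError("not a DS record: %r" % line)
    owner = m.group("owner").lower().rstrip(".") + "."      # name case, trailing dot
    digest = re.sub(r"\s+", "", m.group("digest")).upper()  # hex case, whitespace
    return owner, int(m.group("tag")), int(m.group("alg")), int(m.group("dtype")), digest

def compare_ds(child_lines, parent_lines):
    """Classify DS records the way a parent/child synchronization monitor should."""
    child = {parse_ds(ln) for ln in child_lines}
    parent = {parse_ds(ln) for ln in parent_lines}
    report = {
        # Child key the parent does not point at: normal mid-roll, an error once
        # the new key is meant to be the trusted one (the case getds reports).
        "not_in_parent": sorted(child - parent),
        # Parent DS for a key the child no longer serves: validators following
        # that DS cannot build a chain of trust through it.
        "stale_in_parent": sorted(parent - child),
        "matching": sorted(child & parent),
    }
    # No matching DS at all means the zone validates as bogus, which is far
    # worse than a new DS that simply is not published yet.
    report["chain_intact"] = bool(report["matching"])
    return report

# Constructed sample modelled on the deck's quiz: key 51605 is new at the child,
# key 31589 is what the parent still publishes. Digests are placeholders.
CHILD_DS = [
    "EXAMPLE.COM. 3600 IN DS 51605 8 2 " + "918" + "0" * 61,
    "EXAMPLE.COM. 3600 IN DS 51605 8 1 " + "E74" + "0" * 37,
    "EXAMPLE.COM. 3600 IN DS 31589 8 2 " + "CDE" + "0" * 61,
    "EXAMPLE.COM. 3600 IN DS 31589 8 1 " + "349" + "0" * 37,
]
PARENT_DS = [  # lower-case digest on purpose: normalization must absorb it
    "example.com. 86400 IN DS 31589 8 2 " + "cde" + "0" * 61,
    "example.com. 86400 IN DS 31589 8 1 " + "349" + "0" * 37,
]
```

Calling `compare_ds(CHILD_DS, PARENT_DS)` reports the two 51605 records under `not_in_parent`, exactly the two errors shown on the slide, while `chain_intact` stays true because the 31589 records still match.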

  13. Relationship Changes: Relationships With Your Parent – Testing
     ● Testing DNS
       – Does your parent mirror your real data?
         ● How often do you check?
     ● Testing DNSSEC
       – Is your parent's published DS for you correct?
         ● How often do you check?
       – Are you testing end-to-end validation?
         ● How often?

  14. Relationship Changes: Relationships With Your Children
     ● A parent is clearly the inverse of being a child
     ● A few important points though...

  15. Relationship Changes: Relationships With Your Children
     ● With DNS (if you're a parent or registrar)
       – You likely have an API for children to use
         ● Unless you have a very small number of children
       – Lets them:
         ● Add and remove NS records
         ● Add and remove A glue records
         ● Add and remove AAAA records
       – Possibly perform transfers
       – Advertise support for and use CSYNC?

  16. Relationship Changes: Relationships With Your Children
     ● DNSSEC Adds:
       – API:
         ● Add and remove DS records
       – How to transfer the new data?
         ● Paste an entire DS record?
         ● Fill-in form with DS parameters?
         ● Paste an entire DNSKEY?
         ● Fill-in form with DNSKEY record parts?
         ● Who picks the DS algorithms used?
       – Advertise support for and use CDS?
         ● ADVERTISE YOUR SUPPORT!!!

  17. Timeline Changes
     [Timeline figure: events “Add A record” and “Change MX record”]
     ● With DNS:
       – Data is frequently static
         ● Addresses, mail records, etc
       – Sometimes it is automated:
         ● Round robin records
         ● Load based records
         ● Generated records
           – Client or child based records
           – DNS blacklists
           – Etc
     ● All of these are “Fire and Forget”
       – Once served or running, little maintenance needed

  18. Timeline Changes
     ● With DNSSEC:
       – Signature records have a life time
       – DNSKEYs may require periodic rotation
     ● No longer “Fire and Forget”
       – Operational procedures must change!
       – Every X period of time: resign!
       – Every Y period of time: roll keys
         ● Which itself is a long process, typically months

  19. Timeline Changes
     [Timeline figure: “Previous Data Changes”, with events “Add A record” and “Change MX record”]

  20. Timeline Changes
     [Timeline figure: “Previous Data Changes (Now with resigning too)”, with events “Add A record”, “Change MX record” and recurring “Resign and Republish ...”]

  21. Timeline Changes
     [Timeline figure: as slide 20 plus “Rekeying events” marked along the timeline]

  22. Timeline Changes: Signature Periods
     ● How often to resign?
       – Depends on signature length
       – Good rule of thumb: at least every: length / 2
       – 1 month signature → at least every 1/2 month
         ● Provide room for slippage
     ● Test and monitor your infrastructure!
       ● If you fail to resign, will you notice?
       ● Grace periods don't help if you don't check
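A monitor that turns the rule of thumb above into a check, as an added example that is not part of the deck: each RRSIG's inception and expiration are read from the record, a signature is flagged as due for resigning once half of its validity period has passed (pulled forward by a slippage allowance), and an expired signature is reported as such so that a missed resigning run is noticed rather than discovered by validators. The RRSIG lines, their timestamps and the signature data are constructed.

```python
"""Signature-refresh check following the deck's rule of thumb (resign at least every length/2). Added example."""
from datetime import datetime, timedelta, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"  # RFC 4034 presentation format for RRSIG times

def utc(*ymdh):
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(*ymdh, tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return (type covered, keytag, inception, expiration) from an RRSIG line.
    Layout: owner [ttl] [class] RRSIG type alg labels origttl expiry inception tag signer sig."""
    f = line.split()
    i = f.index("RRSIG")
    to_dt = lambda s: datetime.strptime(s, RRSIG_TIME).replace(tzinfo=timezone.utc)
    return f[i + 1], int(f[i + 7]), to_dt(f[i + 6]), to_dt(f[i + 5])

def signature_status(inception, expiration, now, slippage=timedelta(days=1)):
    """'ok' until half the validity period has passed, 'resign_due' from the
    half-way point (pulled forward by `slippage` to leave room for delays),
    'expired' once validators reject it. Returns (status, time until expiry)."""
    if expiration <= inception:
        raise ValueError("expiration must be after inception")
    halfway = inception + (expiration - inception) / 2 - slippage
    if now >= expiration:
        return "expired", timedelta(0)
    return ("resign_due" if now >= halfway else "ok"), expiration - now

def check_zone(rrsig_lines, now):
    """Worst status across all RRSIGs plus per-RRset detail a monitor would alert on."""
    order = {"ok": 0, "resign_due": 1, "expired": 2}
    detail, worst = [], "ok"
    for line in rrsig_lines:
        covered, tag, inc, exp = parse_rrsig(line)
        status, left = signature_status(inc, exp, now)
        detail.append((covered, tag, status, left))
        worst = max(worst, status, key=order.get)
    return worst, detail

# Constructed sample: one RRset with a month-long signature, one whose signature
# was left to lapse. Key tag taken from the deck's quiz; signature data is fake.
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG A 8 2 3600 20150301000000 20150201000000 31589 example.com. c2lnMQ==",
    "example.com. 3600 IN RRSIG MX 8 2 3600 20150210000000 20150201000000 31589 example.com. c2lnMg==",
]

if __name__ == "__main__":
    print(check_zone(SAMPLE_RRSIGS, utc(2015, 2, 12)))
```

Run against the sample at 2015-02-12, the A signature is still within its first half and reports `ok`, the MX signature has already expired, and the zone as a whole is reported as `expired`.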

  23. Timeline Changes: Key Rolling Periods
     ● What are the reasons for rolling keys?
       – Key strengths
       – Good operational practice
       – Tests parent/child relationships
     ● So, how often should you roll keys?
       – Very situation dependent
       – Common guidance heard:
         ● Roll zone-signing-keys every 3 months
         ● Roll the key-signing-key annually
     ● Do you have a plan in place?

  24. Timeline Changes: DANE TLS Record Changes
     ● Are you using DANE to secure?
       – SMTP
       – SIP
       – XMPP
       – HTTPS
     ● When your TLS certificate changes:
       – Will you remember to change your TLSA record?
       – Will you notice if you forget and they don't match?

  25. Questions?
     Wes Hardaker <wes.hardaker@parsons.com>
     ICANN 52, Los Angeles
