dnssec impact on registries
play

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, - PowerPoint PPT Presentation

Nov 09, 2022 •134 likes •898 views

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT Tutorial T11-3 1 Agenda What is a Registry, how is it run? Steps Towards Internal DNSSEC Steps Towards External DNSSEC Tough

  1. DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT Tutorial T11-3 1

  2. Agenda • What is a Registry, how is it run? • Steps Towards Internal DNSSEC • Steps Towards External DNSSEC • Tough Issues February 22, 2005 APRICOT Tutorial T11-3 2

  3. Registries & DNSSEC • Why cover this topic? • DNSSEC needs a hierarchy of public keys – Root covers TLD – TLD covers next level, … – downward to data • Registries enable building the hierarchy February 22, 2005 APRICOT Tutorial T11-3 3

  4. DNS tree and DNSSEC DS "points to" DNSKEY Root zone "." SOA, DNSKEY JP zone jp. NS, DS jp SOA, DNSKEY ad.jp NS, DS JP Admin Zone ad.jp SOA DNSKEY wide.ad.jp NS, DS WIDE Project zone JPRS wide.ad.jp SOA, DNSKEY February 22, 2005 APRICOT Tutorial T11-3 4

  5. What is a Registry? Registries come in many forms: • Name Registry, e.g., .edu, .jp, .kr, .cn, .tw • Number Registry, e.g., APNIC • Routing Registry, e.g., RADB • Non-Internet Registries too • We will stay with name registries and number registries (“Internet registries”) February 22, 2005 APRICOT Tutorial T11-3 5

  6. Others Involved • Registrant = Whoever gets the name or address space • DNS Operator = Whoever runs the DNS for the Registrant (sometimes the same) • Registrar = A “retailer” for some Registries February 22, 2005 APRICOT Tutorial T11-3 6

  7. Registry Environment • The job of a registry is to relate resource (domain) to a user (registrant) • Registries get requests – Directly from Registrants (and/or) – Indirectly via Registrars • Registries supply publication services – WhoIs, IRIS, DNS, sometimes routing February 22, 2005 APRICOT Tutorial T11-3 7

  8. Registry Context Registrar (or NIR) and/or Registry Interface Registry Functions DNS Slave Registry Database WhoIs DNS Slave WhoIs DNS Master DNS Slave IRIS Registry IRIS DNS Slave Registrants - Internet - DNS Operators February 22, 2005 APRICOT Tutorial T11-3 8

  9. Components of a Registry • Registration Service • Information Service • DNS Service • The “unseen” Database – “heart” of a registry February 22, 2005 APRICOT Tutorial T11-3 9

  10. Registry Internals Registry Interface Registry Functions Registry Database DNS Slave WhoIs DNS Master DNS Slave WhoIs DNS Slave IRIS IRIS Registry February 22, 2005 APRICOT Tutorial T11-3 10

  11. Registration Interface • Getting Data Into a Registry • The “Front Office” • Important to DNSSEC – This is how DNSSEC data will enter February 22, 2005 APRICOT Tutorial T11-3 11

  12. Registry Functions • Registries have business rules – Billing for actions • Is there money in an account? – Checks on registered data • Is the registration authentic? Authorized? • Are there 2-13 name servers? • Is the requested name appropriate? February 22, 2005 APRICOT Tutorial T11-3 12

  13. Registration Database • Tracks all data registered – Besides names, there is billing information, contact information, DNS servers, and more – Will need to store DNSSEC data too February 22, 2005 APRICOT Tutorial T11-3 13

  14. Information Service • WhoIs (now), IRIS coming/may come • Displays information about a registration – Gives the contact for a domain name – Gives the contact for an IP address • Might display DNSSEC data February 22, 2005 APRICOT Tutorial T11-3 14

  15. Domain Name Service • For a “name registry” this is the most vital operational service • Usually - hidden master, publicly accessible slave servers • DNSSEC will add new record types – DNSKEY, RRSIG, NSEC, and DS February 22, 2005 APRICOT Tutorial T11-3 15

  16. Modes of Operation • Direct or Indirect Relationships – Registrars? • Registration Style and Protocol – Interactive or batch? • DNS Update Frequency – Immediate or, say, daily updates? February 22, 2005 APRICOT Tutorial T11-3 16

  17. Environment • Registries may interact with the public directly (for registrations) • Some registries follow a “shared registry model” – Registrars provide interface • RIRs and NIRs are a mixture of both February 22, 2005 APRICOT Tutorial T11-3 17

  18. Direct Interface • A registrant (“buyer of a name”) will contact the registry • This is an “open to all” arrangement • This is the original style of Internet registries • Impact to DNSSEC – Direct contact between registry and registrant February 22, 2005 APRICOT Tutorial T11-3 18

  19. Registrars • “Retailers” of domain names • Registrars will handle DNSSEC data – Need to add DNSSEC to registration requests – Will increase number of requests • Registrars may bundle services, including DNS operations February 22, 2005 APRICOT Tutorial T11-3 19

  20. Registration Interface • How is it transferred? • What is "it"? – DNSKEY appears in Registrant's zone – DS appears in Registry – What gets passed? February 22, 2005 APRICOT Tutorial T11-3 20

  21. DNSKEY vs DS • A DS RR is made from a DNSKEY – DS RR holds a hash of the DNSKEY • Who performs the hash function? – Registrant/Registrar? – Registry? • This is a significant design choice – Will address this on EPP slide February 22, 2005 APRICOT Tutorial T11-3 21

  22. Asynchronous (Email) • Some registries use formal template messages sent via SMTP • Work flow is managed in mail folders • Interface is "store and forward" not interactive • This kind of interface is hindered by spam volume February 22, 2005 APRICOT Tutorial T11-3 22

  23. Client-Server • These interfaces consist of client software to send messages to a server • Registries using this need to distribute software to registrants or registrars (more common) • Security arrangements are usually pre- determined (certificates) February 22, 2005 APRICOT Tutorial T11-3 23

  24. RRP, others • Registry-Registrar Protocol • Developed by Verisign • Used in .com and .net • Led to the development of the IETF standard EPP • Other protocols are in use, not as widespread (e.g., Payload 2.0 SRS) February 22, 2005 APRICOT Tutorial T11-3 24

  25. Web-based • Like mail, sometimes layered on mail • Because web clients are anonymous these make use of certificates for identification and authentication • This makes them behave less like mail interfaces and more like client-server – There is a prearranged agreement in place February 22, 2005 APRICOT Tutorial T11-3 25

  26. EPP • Extensible Provisioning Protocol • IETF Proposed Standard, documented in 2004 – RFC numbers 3730 thru 3735 • XML based, runs over TLS • Written in context of a shared registry model (registrars) February 22, 2005 APRICOT Tutorial T11-3 26

  27. EPP and DNSSEC • EPP is extensible • IETF draft document for inclusion of DNSSEC – draft-hollenbeck-epp-secdns-06.txt – http://www.ietf.org/internet-drafts/ – "-06" will increment from time to time • Tests are being conducted with this definition February 22, 2005 APRICOT Tutorial T11-3 27

  28. EPP on "DNSKEY vs DS" • EPP is leaning towards the transmission of the DS as the primary means of registering DNSSEC data • The rationale is – Simplifies the registry, core functions • DNSKEY is an optional feature of DS – In case a registry wants to collect it February 22, 2005 APRICOT Tutorial T11-3 28

  29. EPP-SECDNS Field Test • A short-term trial conducted in November 2004 • Registrar-Registry – Alice's Registry <-> NeuStar – dnssectrial.us was the test zone • Worked, comments supplied were fed into the current draft February 22, 2005 APRICOT Tutorial T11-3 29

  30. Frequency of DNS Updates • DNSSEC is defined to allow the signing process to be off-line • This was done when updates were done once or twice a day – Time enough to transfer files over "air-gap" • Modern registries update DNS in minutes of a name's registration February 22, 2005 APRICOT Tutorial T11-3 30

  31. Batch Updates • If a zone is updated only a few times a day – "Dump" the zone file from the database – Sign the zone file, off-line – Push the zone file to DNS servers • The major decision is whether the whole zone is signed or are signatures "recycled" February 22, 2005 APRICOT Tutorial T11-3 31

  32. Off-line, batch signing Private Key DNS Signer Registry Database DNS Slave DNS Master DNS Slave AXFR DNS Slave February 22, 2005 APRICOT Tutorial T11-3 32

  33. Incremental Updates • Quickly-refreshed, large zones need to make use of incremental updates – If one name is added to a million name zone, you'd rather ship the new name around, not the million + one names • DNS has two incremental updates – Dynamic Update – Incremental Zone Transfer February 22, 2005 APRICOT Tutorial T11-3 33

  34. Dynamic Signing Registry Database DNS Slave Private Key DNS Master DNS Slave IXFR DNS Slave February 22, 2005 APRICOT Tutorial T11-3 34

  35. Steps Towards DNSSEC • Internal Deployment – Setting up key management procedures – Signing the zone like a registrant would • Opening for Registration – Accept DS or DNSKEY records – Sign those into the zone – A new "service" February 22, 2005 APRICOT Tutorial T11-3 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
Mouhamet Diop is the CEO of NEXT SA, an innovative

Mouhamet Diop is the CEO of NEXT SA, an innovative

DNSSEC Activities in Africa ISPs, Registries, and Registrars Wilson Abigaba Wilson is the IT Projects Manager at Orange Uganda. He led IPv6

47 views • 4 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
The future of registries Jay Daley Dec 2006 1 The future of registries Only the start of the

The future of registries Jay Daley Dec 2006 1 The future of registries Only the start of the

The future of registries Jay Daley Dec 2006 1 The future of registries Only the start of the journey Change is coming New technologies all the time Always a registry opportunity Some will embrace this Some will be left

344 views • 23 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
ICANN61, ccNSO Members Meeting, 14 March 2018 Legal Session: impact of GDPR on ccTLD registries 2

ICANN61, ccNSO Members Meeting, 14 March 2018 Legal Session: impact of GDPR on ccTLD registries 2

ICANN61, ccNSO Members Meeting, 14 March 2018 Legal Session: impact of GDPR on ccTLD registries 2 General overview GDPR entry in force: 25 May 2018 Impact goes far beyond EU! Organisations outside EU/EEA but with offer for EU

490 views • 14 slides
June 28, 2010 Hankje Escher USA registries European registries Longterm registry

June 28, 2010 Hankje Escher USA registries European registries Longterm registry

June 28, 2010 Hankje Escher USA registries European registries Longterm registry (Centocor) Pediatric IBD consortium (Heyman) Start 2000: prevalent and incident cases, 1600 patients 6 sites: San Francisco,

439 views • 17 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Registries and Trial Readiness Hanns Lochmller Patient Registries Standardized genetic and

Registries and Trial Readiness Hanns Lochmller Patient Registries Standardized genetic and

Registries and Trial Readiness Hanns Lochmller Patient Registries Standardized genetic and clinical data necessary for trial recruitment Many benefits to registered patients Feedback on standards of care and new research

581 views • 17 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
Self-Care in the Era of COVID-19 Webinar developed and facilitated by Dyane Lewis Carrere,

Self-Care in the Era of COVID-19 Webinar developed and facilitated by Dyane Lewis Carrere,

4/7/20 Self-Care in the Era of COVID-19 Webinar developed and facilitated by Dyane Lewis Carrere, M.Ed. Author of The Re-Set Process: Trauma-Informed Behavior Strategies Dyane Lewis Carrere, M.Ed. 1 We Webinar Tips Close any applications

353 views • 7 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides
Multi-level Lax Logic Edwin Lewis-Kelham Mike Stannett Department of Computer Science,

Multi-level Lax Logic Edwin Lewis-Kelham Mike Stannett Department of Computer Science,

Multi-level Lax Logic Edwin Lewis-Kelham Mike Stannett Department of Computer Science, University of Sheffield Regent Court, 211 Portobello Street, Sheffield S1 4DP, UK. Correspondence: M.Stannett@dcs.shef.ac.uk Many thanks to the EPSRC for

559 views • 28 slides
Peanut Butter and Jelly Ed Lewis January 31, 2016 Matthew 22:36-40 Teacher, which is the

Peanut Butter and Jelly Ed Lewis January 31, 2016 Matthew 22:36-40 Teacher, which is the

Peanut Butter and Jelly Ed Lewis January 31, 2016 Matthew 22:36-40 Teacher, which is the greatest commandment in the Law? Jesus replied: Love the Lord your God with all your heart and with all your soul and with all your mind.

388 views • 10 slides
Recursion Mason Vail, Boise State University Computer Science Examples from Java Foundations, 3rd

Recursion Mason Vail, Boise State University Computer Science Examples from Java Foundations, 3rd

Recursion Mason Vail, Boise State University Computer Science Examples from Java Foundations, 3rd Ed., by Lewis, DePasquale, and Chase Recursive Definition 24, 88, 40, 37 A LIST is a: number or number comma LIST Infinite Recursion Base Case

255 views • 12 slides
Delivering Work-Based Learning in Rural Schools Opportunities and Options Douglas Gagnon,

Delivering Work-Based Learning in Rural Schools Opportunities and Options Douglas Gagnon,

Delivering Work-Based Learning in Rural Schools Opportunities and Options Douglas Gagnon, Douglas Van Dine, Steve Klein, Neal Wolf, Sarah Bird RELCentral@marzanoresearch.com COLORADO KANSAS MISSOURI NEBRASKA NORTH DAKOTA SOUTH DAKOTA

583 views • 43 slides
Tradability and the Labor-Market Impact of Immigration: Theory and Evidence from the United States

Tradability and the Labor-Market Impact of Immigration: Theory and Evidence from the United States

Tradability and the Labor-Market Impact of Immigration: Theory and Evidence from the United States Ariel Burstein, Gordon Hanson, Lin Tian, Jonathan Vogel July 2017 Impact of immigration on domestic labor market outcomes What is impact of

1.26k views • 100 slides
In Jesus This weeks message: Im OK In Jesus Toward a Biblical Anthropology Q. What

In Jesus This weeks message: Im OK In Jesus Toward a Biblical Anthropology Q. What

This weeks message: Im OK In Jesus This weeks message: Im OK In Jesus Toward a Biblical Anthropology Q. What is the chief end of man? A. Man's chief end is to glorify God, and to enjoy him forever. ~ The Westminster

1.66k views • 70 slides

More recommend