dnssec in the reverse tree an arin prospective mark
play

DNSSEC In the Reverse Tree An ARIN Prospective Mark Kosters, CTO - PowerPoint PPT Presentation

Oct 18, 2022 •489 likes •600 views

DNSSEC In the Reverse Tree An ARIN Prospective Mark Kosters, CTO ARIN Initiatve ARINs board asked ARIN Staff to implement DNSSEC Turned out to be easy Lots of prior work to learn from and emulate Followed their work plus

  1. DNSSEC In the Reverse Tree – An ARIN Prospective Mark Kosters, CTO

  2. ARIN Initiatve • ARIN’s board asked ARIN Staff to implement DNSSEC • Turned out to be easy • Lots of prior work to learn from and emulate • Followed their work plus fixed tweaks to make it less operationally impactful 2

  3. Past Efforts • Many TLD’s have DNSSEC turned on – .SE, .BR, .ORG, etc • Lots of prior work to learn from and emulate • RIPE Turned on DNSSEC back in Q4 of 2005 via the DISI Project – Great description of their keying policies – Useful tools • .SE project – Again useful tools available – especially with key management 3

  4. ARIN’s Plan • Lots of prior work to learn from and emulate • Follow RIPE’s key procedures with some modifications on timing • Survey key management tools – Opendnssec – Secure64 – DISI Project (RIPE) – DNSSEC Zone Key Tool – others 4

  5. Principle of No Surprise • Documented the plan – took a lot from RIPE – http://www.ripe.net/rs/reverse/dnssec/ • Had a Consultation on arin-consult mailing list • Slow rollout – https://www.arin.net/about_us/dnssec/ 5

  6. Complications Trust anchors – Parents (root/arpa/in-adr.arpa) are not signed – Needs to be individually configured per recursive resolver – Available at: • https://www.arin.net/about_us/dnssec/trust_anchors.html (secured via https) • ftp://ftp.arin.net/pub/zones/trust_anchors.txt • ftp:/ftp.arin.net/pub/zones/trusted_keys.txt – OR – Aggregated Trust anchor Service (DLV) • https://dlv.isc.org/ 6

  7. Phase 1 DNSSEC Capability • Validate that VeriSign and ARIN servers are conformant • Got a green light for NSEC but not NSEC3 7

  8. Phase 2 – Signing the Zones • Turned on afternoon of July 1, 2009 • Both VeriSign and ARIN NOC Operations on high alert • Saw increase of outbound traffic z.arin.net: – Prior to DNSSEC, we were doing ~ 4.5 Mbps. – After DNSSEC, we jumped up to about 10.5 Mbps. – Currently 15–17 Mbps 8

  9. Obligatory Graph One instance in load-balanced site

  10. Phase 3 – Serving Signed Child Zones • Backend Schema is currently Insufficient – DNS records tied to Network Allocations – needs to be done per delegation – Large back-office effort 50% complete • Provisioning for this Service will be placed in ARIN Online – Consistent and higher security then existing templates – Integrated into a managed dns service • Expected to rollout in 2010 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates

DNSSEC at ARIN Mark Kosters ARIN Chief Technology Officer 2 What do RIRs do? Allocates Internet Resources IP Addresses (v4 and V6) Autonomous Numbers Publishes Information Whois Resource Certification DNS 3 Reverse

482 views • 9 slides
DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why

DNSSEC in the Reverse Tree @LACNIC Carlos Martinez - @carlosm3011 Why DNSSEC ? Securing the DNS system is both necessary and, right now, doable Root signed since 2010 No

473 views • 10 slides
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity of data

562 views • 39 slides
The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint

The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint

The Cut tree of the Brownian Continuum Random Tree and the Reverse Problem Minmin Wang Joint work with Nicolas Broutin Universit e de Pierre et Marie Curie, Paris, France 24 June 2014 Motivation Introduction to the Brownian CRT Let T n

689 views • 50 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
NATURE OF TRUE WORSHIP Mark 11:12-19 The Fig Tree MARK 11:12-14 The next day when they came out

NATURE OF TRUE WORSHIP Mark 11:12-19 The Fig Tree MARK 11:12-14 The next day when they came out

NATURE OF TRUE WORSHIP Mark 11:12-19 The Fig Tree MARK 11:12-14 The next day when they came out from Bethany, He was hungry. After seeing in the distance a fig tree with leaves, He went to find out if there was anything on it. When He came to

599 views • 32 slides
ARIN Policy Update Sean Hopkins ARIN Policy Analyst Recently Implemented Policies

ARIN Policy Update Sean Hopkins ARIN Policy Analyst Recently Implemented Policies

ARIN Policy Update Sean Hopkins ARIN Policy Analyst Recently Implemented Policies ARIN-2015-3: Remove 30 day u5liza5on requirement in end-user IPv4 policy ARIN-2015-11: Remove transfer language which only applied pre-exhaus5on of IPv4

261 views • 5 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
ARIN Update Marc Crandall ARIN Advisory Council Policy Discussions Last Call Equitable

ARIN Update Marc Crandall ARIN Advisory Council Policy Discussions Last Call Equitable

ARIN Update Marc Crandall ARIN Advisory Council Policy Discussions Last Call Equitable IPv4 Run-Out When ARIN gets its last /8, instead of giving ISPs a 12-month supply of address space, they will get a 3-month supply. Policy

349 views • 9 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Ready or notIPv6 is here 11 April 2013 New York Amateur Computer Club Tim Christensen ARIN

Ready or notIPv6 is here 11 April 2013 New York Amateur Computer Club Tim Christensen ARIN

Ready or notIPv6 is here 11 April 2013 New York Amateur Computer Club Tim Christensen ARIN Engineering 2 About ARIN As one of the five Regional Internet Registries (RIRs), ARIN is charged with managing distribution of Internet number

702 views • 22 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
ARIN Update Bill Woodcock ARIN Board of Trustees 2015 Focus Increased focus on customer

ARIN Update Bill Woodcock ARIN Board of Trustees 2015 Focus Increased focus on customer

ARIN Update Bill Woodcock ARIN Board of Trustees 2015 Focus Increased focus on customer service Based on feedback and survey Continued IPv4 to IPv6 Transition Awareness Targeting ISPs and Content Providers Continued

502 views • 8 slides
Company Profile Bharat Aluminum Co. Ltd. (BALCO) was incorporated in the year 1965 as a Public

Company Profile Bharat Aluminum Co. Ltd. (BALCO) was incorporated in the year 1965 as a Public

BHARAT ALUMINIUM CO. LTD. KORBA , CHHATTISGARH Specific Energy Consumption reduction drive 4/29/2015 1 Company Profile Bharat Aluminum Co. Ltd. (BALCO) was incorporated in the year 1965 as a Public Sector Undertaking (PSU).In the year

388 views • 15 slides
Comprehensive Transportation Plan / Master Path Plan Draft Recommendations By: Phil Mallon,

Comprehensive Transportation Plan / Master Path Plan Draft Recommendations By: Phil Mallon,

Comprehensive Transportation Plan / Master Path Plan Draft Recommendations By: Phil Mallon, Fayette County Public Works To: Brooks Town Council Date: October 15 ,2018 Life of a Transportation Project 1. Need & Purpose 2. Funding 3. Concept

680 views • 35 slides
Competence fair to long standing doctors? L Mehdizadeh, A Sturrock, J Dacre Presented by Dr

Competence fair to long standing doctors? L Mehdizadeh, A Sturrock, J Dacre Presented by Dr

Are the GMCs Tests of Competence fair to long standing doctors? L Mehdizadeh, A Sturrock, J Dacre Presented by Dr Leila Mehdizadeh Research Associate UCL Medical School l.mehdizadeh@ucl.ac.uk Academic Centre for Medical Education

497 views • 20 slides
Availability of an adequate supply of electricity at a Availability of an adequate

Availability of an adequate supply of electricity at a Availability of an adequate

Criteria for a Successful Shore Power Project Criteria for a Successful Shore Power Project Availability of an adequate supply of electricity at a Availability of an adequate supply of electricity at a reasonable cost. reasonable

496 views • 21 slides
Zer ero Net D o Net Def efor oresta estation tion Stakeholder Engagement Presentation

Zer ero Net D o Net Def efor oresta estation tion Stakeholder Engagement Presentation

Zer ero Net D o Net Def efor oresta estation tion Stakeholder Engagement Presentation June 2010 2 The Clim he Climate e is is Ch Changing anging in in B B.C. .C. relative to 1961-1990 baseline Rodenhuis, D.; K.E.

561 views • 28 slides
FTP-SIS Resilience Subcommittee Meeting Web Conference Three presented to presented by

FTP-SIS Resilience Subcommittee Meeting Web Conference Three presented to presented by

FTP-SIS Resilience Subcommittee Meeting Web Conference Three presented to presented by Resilience Subcommittee Jennifer Carver, FDOT and friends Jim Wood, Kimley-Horn February 5, 2020 Welcome and Introductions Jennifer Carver, FDOT 2

623 views • 21 slides
Planning District Commissions VHDA Created in1972 by the Virginia General Assembly Help

Planning District Commissions VHDA Created in1972 by the Virginia General Assembly Help

Virginia Association of Planning District Commissions VHDA Created in1972 by the Virginia General Assembly Help Virginians attain quality, affordable housing through public-private partnerships with local governments, community service

660 views • 17 slides
Mitigate FL 3 rd Quarter Meeting Tuesday, October 10, 2017 Audio Information Kelley Training

Mitigate FL 3 rd Quarter Meeting Tuesday, October 10, 2017 Audio Information Kelley Training

Mitigate FL 3 rd Quarter Meeting Tuesday, October 10, 2017 Audio Information Kelley Training Room Number: 1-888-670-3525 1:00-2:00 pm Passcode: 18886032254 THE FLORIDA DIVISION OF EMERGENCY MANAGEMENT Introductions Name Agency For

360 views • 24 slides

More recommend