dnssec trust anchor repositories tar update
play

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair - PowerPoint PPT Presentation

Mar 28, 2024 •198 likes •375 views

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

  1. DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org

  2. DNSSEC Trust Anchors • Starting point for DNSSEC validation • Choice of trust anchors is a local decision – Bad choice of trust anchors can completely undermine value of DNSSEC • In the absence of a valid secure delegation from the parent zone to the child zone, a validator MUST have trust anchors for the child zone in order to be able to validate names from (and below) it. 24 June 2009 mundy@sparta.com 2 ICANN 35 - DNSSEC TAR Update

  3. Number of Trust Anchors Root Trust Anchor(s) Trust Anchors from Islands of Trust Ideal : Entire DNS Tree is Reality : DNS Name Space is signed fragmented into a (potentially large) number of “islands of trust”

  4. (very quick) Background DNSSEC Trust Anchor Repositories (TARs) • What are they? • Why would TARs be used? 24 June 2009 mundy@sparta.com 4 ICANN 35 - DNSSEC TAR Update

  5. (very quick) Background (Cont.) DNSSEC Trust Anchor Repositories (TARs) • What are they? – Way to get trust anchors to validators – Validator gets multiple trust anchors by using a single TAR 24 June 2009 mundy@sparta.com 5 ICANN 35 - DNSSEC TAR Update

  6. (very quick) Background (Cont.) DNSSEC Trust Anchor Repositories (TARs) • Why would TARs be used? – Facilitate DNSSEC Deployment by “filling holes in the hierarchy” – Used by ‘community of interest’ to provide their community needs (Not discussed further in this presentation) 24 June 2009 mundy@sparta.com 6 ICANN 35 - DNSSEC TAR Update

  7. Trust Anchor Repository (cont.) Trust Anchors from Islands of Trust TAR 24 June 2009 mundy@sparta.com 7 ICANN 35 - DNSSEC TAR Update

  8. Pros & Cons: Very High-level Summary • Pros: – “holes in the hierarchy” will persist for a long time – Provides method for any signed zone to be used by any validator – ... • Cons: – Diverts/detracts effort from dnssec deployment – Lowers motivation for getting parent zones signed – ... 24 June 2009 mundy@sparta.com 8 ICANN 35 - DNSSEC TAR Update

  9. TAR Discussion Venues • DNSSEC Deployment plenary telecons • DNSSEC Deployment mail list • ICANN meeting discussions • RIPE meetings • IETF meetings (note: NOT in conjunction with any working group) 24 June 2009 mundy@sparta.com 9 ICANN 35 - DNSSEC TAR Update

  10. TARs: Current Status • Limited consensus on TARs – What should & should not be considered a DNSSEC TAR – Whether or not one or more DNSSEC TAR(s) are needed 24 June 2009 mundy@sparta.com 10 ICANN 35 - DNSSEC TAR Update

  11. TARs: Current Status (Cont.) • By some definition for DNSSEC TAR, several exist today: – ICANN ITAR https://itar.iana.org/ – ISC DLV https://www.isc.org/solutions/dlv – SecSpider http://secspider.cs.ucla.edu/ – IKS Jena Survey http://www.iks-jena.de/leistungen/dnssec.php 24 June 2009 mundy@sparta.com 11 ICANN 35 - DNSSEC TAR Update

  12. TARs: Current Status (Cont.) • Some developing consensus on need for DNSSEC TARs of some sort – lack of consensus on what should - or should not - be considered a DNSSEC TAR • DNSSEC Deployment WG – Plan to develop Best Current Practice type of description for one or two ‘levels’ of DNSSEC TAR – Document the details 24 June 2009 mundy@sparta.com 12 ICANN 35 - DNSSEC TAR Update

  13. Some pointers to TAR material • TAR SONIC - Paper http://www.dnssec-deployment.org/tar/tarpaper.pdf presentation at ICANN 32 http://par.icann.org/files/paris/Mundy-tar-sonic.pdf • Challenges to DNSSEC Deployment (dnssec- deployment mail list archive) http://mail.shinkuro.com:8100/Lists/dnssec- deployment/Message/1565-02-02-B/dnssec- confront-barriers.pdf 24 June 2009 mundy@sparta.com 13 ICANN 35 - DNSSEC TAR Update

  14. More pointers to TAR material • SecSpider Presentation (dnssec-deployment mail list archive) http://mail.shinkuro.com:8100/Lists/dnssec- deployment/Message/1262-01-02- B/SecSpider-final-2008-04-02.pdf • TAR meeting notes from 25 Mar 09 (dnssec- deployment mail list archive) http://mail.shinkuro.com:8100/Lists/dnssec- deployment/Message/2039.html?Language= 24 June 2009 mundy@sparta.com 14 ICANN 35 - DNSSEC TAR Update

  15. Closing Thoughts • Folks who have thought about DNSSEC TARs often think they know exactly what a TAR is (or is not) and are surprised when other people don't view TARs the same way! • Details of a TAR are important – many people have different views of what the details of a DNSSEC TAR should be 24 June 2009 mundy@sparta.com 15 ICANN 35 - DNSSEC TAR Update

  16. Contributions Welcome • Questions & Comments Today (Time permitting) • Participate in the DNSSEC Deployment mail list and plenary meetings http://www.dnssec-deployment.org/ 24 June 2009 mundy@sparta.com 16 ICANN 35 - DNSSEC TAR Update

Recommend

The Trust Anchor Key Renewal Method Applied to DNS Security Presentation by Thierry Moreau,

The Trust Anchor Key Renewal Method Applied to DNS Security Presentation by Thierry Moreau,

The Trust Anchor Key Renewal Method Applied to DNS Security Presentation by Thierry Moreau, CONNOTECH DNSSEC mission: DNS data origin authentication integrity assurance authenticated negative answers DNSSEC omissions, missing and wanted at

395 views • 8 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54

DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54

DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54 Dublin DNSSEC Workshop Latour - October 21, 2015 Last update ICANN53 DNSSEC Workshop June 24, 2015

442 views • 11 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010 .bg .biz .br .cat .cz .dk .edu .lk .museum .na .org .tm .uk .us already in root. more coming (.se .ch .gov .li .my .nu .pr .th) 8 out of

836 views • 30 slides
Putting the Trust into Trusted Data Repositories: A Federated Solution for the Australian National

Putting the Trust into Trusted Data Repositories: A Federated Solution for the Australian National

Putting the Trust into Trusted Data Repositories: A Federated Solution for the Australian National Imaging Facility Andrew Mehnert * Joint NIF and Microscopy Australia Informatics Fellow Senior Lecturer Data Management, Analysis and

629 views • 34 slides
Trust Anchor Management Requirements Carl Wallace cwallace@cygnacom.com Background Initial

Trust Anchor Management Requirements Carl Wallace cwallace@cygnacom.com Background Initial

Trust Anchor Management Requirements Carl Wallace cwallace@cygnacom.com Background Initial work was done for the TAM BOF held during Chicago meeting last summer BOF did not yield a new working group Work was moved to PKIX New

367 views • 14 slides
DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th 2011 DNSSEC validation - Validation rate not rising very much - Interesting to see what will happen after .com signing 2 SURFnet. We make

482 views • 16 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Academic Preservation Trust Open Repositories 2013 Scott Turnbull @streamweaver - APTrust Robert

Academic Preservation Trust Open Repositories 2013 Scott Turnbull @streamweaver - APTrust Robert

Academic Preservation Trust Open Repositories 2013 Scott Turnbull @streamweaver - APTrust Robert Cartolano - Columbia University On Twitter: @aptrust Tweet using: #aptrust Mission The Academic Preservation Trust (APTrust) consortium is

367 views • 25 slides
COIC A LTERNATIVES A NALYSIS Greg McLaughlin, Washington Water Trust Dave Rice, Anchor QEA

COIC A LTERNATIVES A NALYSIS Greg McLaughlin, Washington Water Trust Dave Rice, Anchor QEA

COIC A LTERNATIVES A NALYSIS Greg McLaughlin, Washington Water Trust Dave Rice, Anchor QEA Icicle Work Group, December 3, 2015 Purpose of Alternatives Analysis This analysis aims to identify opportunities and constraints of alternatives for

467 views • 17 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Mining Software Repositories What is MSR? Mining Software Repositories (MSR) uses data

Mining Software Repositories What is MSR? Mining Software Repositories (MSR) uses data

Mining Software Repositories What is MSR? Mining Software Repositories (MSR) uses data available in repositories to support development activities For example, defect assignment, software validation, evolution and planning Increased

215 views • 9 slides
Anchor-Based Strategies Best Practices Summer Conference, June 22, 2017 Agenda Anchor

Anchor-Based Strategies Best Practices Summer Conference, June 22, 2017 Agenda Anchor

Anchor-Based Strategies Best Practices Summer Conference, June 22, 2017 Agenda Anchor Institutions Concept The Shared-Value Proposition Anchor-Based Development Application to Small & Mid-Sized Cities Strategies and

1.27k views • 61 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45,

Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45,

Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45, 17 October 2012 Background .GOV used by U.S. federal, state and local governments Verisign operates .GOV registry on

223 views • 7 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
CUPE EWBT Update February 24, 2020 1 Todays agenda Trust update Benefit plan review

CUPE EWBT Update February 24, 2020 1 Todays agenda Trust update Benefit plan review

CUPE EWBT Update February 24, 2020 1 Todays agenda Trust update Benefit plan review OTIP update Canada Life update Questions? 2 Trust update Overview of recent developments 3 Impact of negotiations Memorandum of

884 views • 50 slides
ADSC: Anchor and Micropile Installation School (AMPIS) AMPIS: Anchor and Micropile Installation

ADSC: Anchor and Micropile Installation School (AMPIS) AMPIS: Anchor and Micropile Installation

ADSC: Anchor and Micropile Installation School (AMPIS) AMPIS: Anchor and Micropile Installation School Classroom training for students AMPIS TRACK DRILL TIEBACK OR ANCHOR INSTALLATION In all phases of tieback or anchor installation, the

315 views • 5 slides
TABLE OF CONTENTS ABOUT ANCHOR BAR HISTORY MENU ANCHOR BAR SAUCE LOCATIONS

TABLE OF CONTENTS ABOUT ANCHOR BAR HISTORY MENU ANCHOR BAR SAUCE LOCATIONS

TABLE OF CONTENTS ABOUT ANCHOR BAR HISTORY MENU ANCHOR BAR SAUCE LOCATIONS BENEFITS INDUSTRY STATISTICS FAMOUS VISITORS MORE FAMOUS VISITORS FREQUENTLY ASKED QUESTIONS FINANCIAL INFORMATION OUR PROCESS

692 views • 16 slides

More recommend