have a strategy in place for unexpected dnssec events wes
play

Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker - PowerPoint PPT Presentation

Feb 07, 2023 •162 likes •356 views

Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker <wes.hardaker@parsons.com> Overview Your Operational Panic Binder DNS Failure Strategies DNSSEC Failure Strategies Documenting Lessons Learned Your

  1. Have a Strategy in Place For Unexpected DNSSEC Events Wes Hardaker <wes.hardaker@parsons.com>

  2. Overview ● Your Operational Panic Binder ● DNS Failure Strategies ● DNSSEC Failure Strategies ● Documenting Lessons Learned

  3. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything

  4. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything ● Bad operators...

  5. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything ● Bad operators – Panic Panic

  6. Your Operational Panic Binder ● Good operators – Document Procedures – Document How-To – Document What-Ifs – Document Recoveries – Document Everything ● Bad operators – Panic Panic (created by LOVETEESMUGS on Zazzle)

  7. Your Operational DNS Panic Binder ● What goes in it? ● What problems can you foresee? ● What problems have you had?

  8. Your Operational DNS Panic Binder ● Problems with your servers – One goes down – One is out of sync ● Problems with your network – A critical link goes down – A routing problem ● Problems with your parents – Out of sync data ● Problems with your children – They're under a DDOS attack

  9. Your Operational DNS Panic Binder ● An example page: A slave server is out of sync 1) SSH to slave.myzone.com using 192.0.2.5 2) Run “rndc reload” as root 3) dig @localhost myzone.com SOA 4) Does it match the master? If yes, stop 5) Run “service restart named” 6) Dig @localhost myzone.com SOA 7) Does it match the master? If yes, stop 8) SSH to master.myzone.com using 192.0.2.1 9) Run “service restart named” 10) ...

  10. Your Panic Binder With DNSSEC ● You should have a Panic Binder! – If you do, does it contain potential DNSSEC problems? ● What does DNSSEC add to your binder? – A number of new things – Probably less than your binder already contains – Increases time-related problems – Increases the need for contact information ● To Parents ● To Children – Do you have canned responses for support staff?

  11. DNSSEC Binder Materials ● DNSSEC Signature Expiration – How can you resign? fast? – How can you push out updates? fast? – Same as needing to update an A record fast – How long until all the caches are flushed? ● How long are the TTLs? ● Are you testing for this failure?

  12. DNSSEC Binder Materials ● Missing DS record – How to create a DS record – How to publish it to your parent com ● Website? ● Admin request? DS ● Submit via a DS key or a DNSKEY – How to get it from your client ● Are you testing for this? example.com – Would you know if there is a problem?

  13. DNSSEC Binder Materials ● DNSSEC Key Compromise – How do you generate new keys? – How do you put them in place? – How do you resign using the new ones? – How do you inform your parent of the new DS? ● Do you have contact info? – How long will it take to propagate, given TTLs? – Is anyone using your key as a trust anchor? ● How do you update their notion of your key? – Similar to a fast NS record change! ● Are you testing for mistake key changes?

  14. DNSSEC Binder Materials ● Algorithm Issues – Unknown Algorithm with an important validator ● Explain they need to upgrade? ● Publish an additional DS record? – Algorithm Broken ● What if ECDSA is broken?

  15. DNSSEC/DANE Binder Materials (Top 10 DANE/SMTP issues seen) 1) DANE and DNSSEC as a fashion statement 2) Failure to automate signing 3) Failure to update TLSA RRs before updating cert 4) Using DANE-TA(2) but not sending the CA in inside TLS 5) Unsupported certificate asage (using PKIX-TA or PKIX-EE) 6) Incorrect TLSA selector https://dane.sys4.de/ 7) Incorrect TLSA digest 8) Selective availability of STARTTLS 9) Firewalls that filter out TLSA queries 10) Broken nameservers 11)Partial Implementation

  16. DNSSEC Binder Materials ● Contact Information – Parent or parent registar's contact information ● Website ● Phone number ● Support email – Client information ● Client DNS administrator information ● Client Nameservers

  17. DNSSEC Binder Materials Discussion! What else?? (created by LOVETEESMUGS on Zazzle)

  18. Questions? Wes Hardaker <wes.hardaker@parsons.com> ICANN 52 ICANN 52 Los Angeles Los Angeles

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Exceptions and Interrupts Unexpected events that change the control flow Exceptions: events

Exceptions and Interrupts Unexpected events that change the control flow Exceptions: events

Exceptions and Interrupts Unexpected events that change the control flow Exceptions: events that occur within the CPU Arithmetic overflow Invalid instruction Interrupts: events caused by external sources I/O device

177 views • 7 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / OpenNetLabs Place of OpenDNSSEC

Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / OpenNetLabs Place of OpenDNSSEC

Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / OpenNetLabs Place of OpenDNSSEC DNSSEC adds a new dimension to DNS; Zone files do no longer sit statically in your nameserver; DNSSEC requires constant resigning, key management

361 views • 8 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
February 2019 Prosperously navigating unexpected events with great skill and agility 2 WHO WE

February 2019 Prosperously navigating unexpected events with great skill and agility 2 WHO WE

February 2019 Prosperously navigating unexpected events with great skill and agility 2 WHO WE ARE PORTFOLIO MANAGEMENT EXPERIENCE TECHNOLOGY EXPERTISE Unique insight Portfolio Manager with 30 years of from entrepreneurs leading

270 views • 24 slides
2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

720 views • 36 slides
M arch 31, 2020 Prosperously navigating unexpected events with great skill and agility 2

M arch 31, 2020 Prosperously navigating unexpected events with great skill and agility 2

M arch 31, 2020 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance by sectors Risk Management Current Opportunity and Investment pipeline Performance Summary

592 views • 20 slides
September 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

September 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

September 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance Current Opportunity and Investment pipeline GAMING &amp; ESPORTS Summary 3 WHO WE ARE

496 views • 27 slides
May 18, 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

May 18, 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA

May 18, 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance by sectors Risk Management Current Opportunity and Investment pipeline Performance Summary 3 WHO

392 views • 27 slides
So you want to do DNSSEC... v 2.01 Dr Eberhard W Lisse Namibian Network Information Centre (cc)

So you want to do DNSSEC... v 2.01 Dr Eberhard W Lisse Namibian Network Information Centre (cc)

So you want to do DNSSEC... v 2.01 Dr Eberhard W Lisse Namibian Network Information Centre (cc) ICANN 55, Marrakesh Dr EW Lisse (NA-NiC) So you want to do DNSSEC... ICANN 55, Marrakesh 1 / 8 ICANN Africa Strategy Version 2.0 DNSSEC R

105 views • 8 slides
June 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who

June 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who

June 2018 Prosperously navigating unexpected events with great skill and agility 2 AGENDA Who We Are Investment Methodology Performance Top 10 Strategic Tech Trends for 2018-2020 Current Opportunity and Investment pipeline - GAMING

469 views • 31 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Backpack Presentation PTA Meeting 2/6/19 Background Concern of backpacks and the

Backpack Presentation PTA Meeting 2/6/19 Background Concern of backpacks and the

Backpack Presentation PTA Meeting 2/6/19 Background Concern of backpacks and the excessive weight raised by multiple stakeholders Ed Panel- 2015 Student Advisory- 2017 Administration and Teachers Theory of Action

309 views • 9 slides
A dvancement V ia I ndividual D etermination Overview for Copper Ridge &amp; Hohokam/Yavapai

A dvancement V ia I ndividual D etermination Overview for Copper Ridge &amp; Hohokam/Yavapai

A dvancement V ia I ndividual D etermination Overview for Copper Ridge &amp; Hohokam/Yavapai May 5, 2020 Tim Eyerman, Copper Ridge Principal Chuck Rantala, Hohokam/Yavapai Principal Jacqueline Tolkinen, AVID District Coordinator Dr. Ibi

288 views • 26 slides
1 Review agenda Different focus; more visuals; back to basics; more engaging (we hope!)

1 Review agenda Different focus; more visuals; back to basics; more engaging (we hope!)

1 Review agenda Different focus; more visuals; back to basics; more engaging (we hope!) Introductions Everyone; welcome to the newbies 2 3 4 Note online lists are often open after the phone lines close; direct clients to check. 5

824 views • 81 slides
Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem

Binder-Grade Bumping and High Binder Content to Improve Performance of RAP-RAS Mixtures Erdem Coleri Shashwath Sreedhar, Sogol Haddadi, Matthew Haynes, and Sunny Lewis Other contribut Other butor ors TAC members: Larry Ilg ODOT

712 views • 34 slides
Malmos Math Class Tips to Know Daily Schedule Bell Rings to begin class in seats doing

Malmos Math Class Tips to Know Daily Schedule Bell Rings to begin class in seats doing

Malmos Math Class Tips to Know Daily Schedule Bell Rings to begin class in seats doing Bellwork Previous Nights HW Questions New Lesson Quiz Bell Rings I will dismiss you from your seats we do NOT line up at

230 views • 18 slides
Retention, Promotion and Tenure (RPT) Overview California State University, Stanislaus Candidate

Retention, Promotion and Tenure (RPT) Overview California State University, Stanislaus Candidate

Retention, Promotion and Tenure (RPT) Overview California State University, Stanislaus Candidate The Review submits file to Process DRPTC DRPTC and department Candidate and DRPTC discuss DRPTC writes chair reviews file and draft letter;

538 views • 20 slides
PI P assessm ent procedure Presented by: Emilie Desfontaine Scientific Administrator/ European

PI P assessm ent procedure Presented by: Emilie Desfontaine Scientific Administrator/ European

PI P assessm ent procedure Presented by: Emilie Desfontaine Scientific Administrator/ European Medicines Agency 08Nov2011 An agency of the European Union Objectives of the EU Paediatric Regulation Improve the health of children

451 views • 31 slides
Between Unilateral and Multilateral Climate Policy: Priorities for a Future Climate Policy

Between Unilateral and Multilateral Climate Policy: Priorities for a Future Climate Policy

www.ecologic.eu Between Unilateral and Multilateral Climate Policy: Priorities for a Future Climate Policy Architecture Michael Mehling Ecologic Institute Coping with Complexity in the Evolving International Climate Policy Institutional

937 views • 14 slides

More recommend