RootZoneDNSSECDeployment ICANN39,Cartagena,Colombia - - PowerPoint PPT Presentation

root zone dnssec deployment
SMART_READER_LITE
LIVE PREVIEW

RootZoneDNSSECDeployment ICANN39,Cartagena,Colombia - - PowerPoint PPT Presentation

Feb 24, 2023 178 likes •270 views

RootZoneDNSSECDeployment ICANN39,Cartagena,Colombia 8December2010 richard.lamb@icann.org ThisdesignistheresultofacooperaHon betweenICANN&VeriSignwith

slide-1
SLIDE 1

Root
Zone
DNSSEC
Deployment


ICANN
39,
Cartagena,
Colombia
 8
December
2010
 richard.lamb@icann.org


slide-2
SLIDE 2

This
design
is
the
result
of
a
cooperaHon
 between
ICANN
&
VeriSign
with
 support
from
the
U.S.
Department
of
 Commerce
NTIA
and
NaHonal
InsHtute
of
 Standards
and
Technology
(NIST)


slide-3
SLIDE 3

High
Level
Design 


  • Trust
/
Integrity


– Transparent
opera1ons
 – Direct
public
par1cipa1on
in
key
management
 – 3rd
party
Audit


  • Security


– Crypto
 – Physical
 – ID
/
ACS
/
mul1‐person
access
and
control


  • Availability


– Sufficient
1me
to
perform
opera1ons
 – Mirror
sites
 – Disaster
recovery
plan


slide-4
SLIDE 4

ImplementaHon
and
Roll‐out
 


  • Publish
all
material
(film,
scripts,
s/w,
results..
hIp://www.iana.org/dnssec)

  • DNSSEC
Prac1ces
Statement
(DPS)

  • 21
Trusted
Community
Representa1ves
(TCR)

  • SysTrust
audit
by
PWC

  • 2048
KSK,
1024
ZSK
RSA
keys;
SHA256
hash

  • FIPS
140‐2
Level
4
HSM;
3‐of‐7
TCR
to
enable;
Good
RNG

  • Mul1ple
physical
1ers
/w
mul1‐person
an1‐passback
access
control
system

  • 9
gauge
stretched
metal
ceremony
room
construc1on;
Safes
cer1fied
to
20
hours


surrep11ous
entry


  • 24x7
monitoring:
mo1on,
seismic,
video,
guards

  • 
~60
day
window
to
perform
quarterly
opera1on;
15
day
signature
validity


periods


  • Mirror
sites
in
Los
Angeles
and
Washington
DC;
2
HSMs
at
each
site

  • Documented
Disaster
Recovery
(DR)
plans

  • Incremental
deployment
with
DURZ
and
extensive
monitoring

slide-5
SLIDE 5

Challenges 


  • Finding
out
what
are
“best
pracHces”

  • Embracing
an
audited
IT
security
mindset

  • Formalizing
documentaHon
of
policy
and


procedures


  • Contractors!!

  • HSM/smartcards/PKCS11

slide-6
SLIDE 6

Lessons
Learned 


  • IdenHfy
your
“customer”
and
then
your
risks
first

  • Develop
and
document
policies
and
procedures,
e.g.,
key


management,
DPS,
scripts,
DR
plan
–
and
insHtuHonalize
them 


  • Embrace
PKCS11
and
tamper
evident
bags

  • MulHple
compensaHng
controls

  • DNSSEC
deployment
does
not
have
to
be
expensive;
Learn


from
those
on
this
panel
and
share
our
experiences.


  • This
is
not
staHc;
annual
review
and
incorporate


improvements
from
community.


slide-7
SLIDE 7

Root
DNSSEC
Design
Team 


Joe
Abley
 Mehmet
Akcin
 David
Blacka
 David
Conrad
 Richard
Lamb
 MaI
Larson
 Fredrik
Ljunggren
 Dave
Knight
 Tomofumi
Okubo
 Jakob
Schlyter
 Duane
Wessels
 ..and so many

  • thers!!

Links:
 hIp://www.root‐dnssec.org
 hIp://www.iana.org/dnssec


slide-8
SLIDE 8

Thank
You.

Ques.ons?
(T)Ask
me!

Its
my
job.
 richard.lamb@icann.org