root zone dnssec deployment
play

RootZoneDNSSECDeployment ICANN39,Cartagena,Colombia - PowerPoint PPT Presentation

Feb 24, 2023 •178 likes •270 views

RootZoneDNSSECDeployment ICANN39,Cartagena,Colombia 8December2010 richard.lamb@icann.org ThisdesignistheresultofacooperaHon betweenICANN&VeriSignwith

  1. Root
Zone
DNSSEC
Deployment
 ICANN
39,
Cartagena,
Colombia
 8
December
2010
 richard.lamb@icann.org


  2. This
design
is
the
result
of
a
cooperaHon
 between
ICANN
&
VeriSign
with
 support
from
the
U.S.
Department
of
 Commerce
NTIA
and
NaHonal
InsHtute
of
 Standards
and
Technology
(NIST)


  3. High
Level
Design 
 • Trust
/
Integrity
 – Transparent
opera1ons
 – Direct
public
par1cipa1on
in
key
management
 – 3 rd 
party
Audit
 • Security
 – Crypto
 – Physical
 – ID
/
ACS
/
mul1‐person
access
and
control
 • Availability
 – Sufficient
1me
to
perform
opera1ons
 – Mirror
sites
 – Disaster
recovery
plan


  4. ImplementaHon
and
Roll‐out
 
 Publish
all
material
(film,
scripts,
s/w,
results..
hIp://www.iana.org/dnssec)
 • DNSSEC
Prac1ces
Statement
(DPS)
 • • 21
Trusted
Community
Representa1ves
(TCR)
 SysTrust
audit
by
PWC
 • 2048
KSK,
1024
ZSK
RSA
keys;
SHA256
hash
 • FIPS
140‐2
Level
4
HSM;
3‐of‐7
TCR
to
enable;
Good
RNG
 • Mul1ple
physical
1ers
/w
mul1‐person
an1‐passback
access
control
system
 • 9
gauge
stretched
metal
ceremony
room
construc1on;
Safes
cer1fied
to
20
hours
 • surrep11ous
entry
 • 24x7
monitoring:
mo1on,
seismic,
video,
guards
 
~60
day
window
to
perform
quarterly
opera1on;
15
day
signature
validity
 • periods
 Mirror
sites
in
Los
Angeles
and
Washington
DC;
2
HSMs
at
each
site
 • • Documented
Disaster
Recovery
(DR)
plans
 Incremental
deployment
with
DURZ
and
extensive
monitoring
 •

  5. Challenges 
 • Finding
out
what
are
“best
pracHces”
 • Embracing
an
audited
IT
security
mindset
 • Formalizing
documentaHon
of
policy
and
 procedures
 • Contractors!!
 • HSM/smartcards/PKCS11


  6. Lessons
Learned 
 • IdenHfy
your
“customer”
and
then
your
risks
first
 • Develop
and
document
policies
and
procedures,
e.g.,
key
 management,
DPS,
scripts,
DR
plan
–
and
insHtuHonalize
them 
 • Embrace
PKCS11
and
tamper
evident
bags
 • MulHple
compensaHng
controls
 • DNSSEC
deployment
does
not
have
to
be
expensive;
Learn
 from
those
on
this
panel
and
share
our
experiences.
 • This
is
not
staHc;
annual
review
and
incorporate
 improvements
from
community.


  7. Root
DNSSEC
Design
Team 
 Joe
Abley
 Mehmet
Akcin
 David
Blacka
 David
Conrad
 ..and so many Richard
Lamb
 others!! MaI
Larson
 Fredrik
Ljunggren
 Links:
 Dave
Knight
 hIp://www.root‐dnssec.org
 hIp://www.iana.org/dnssec
 Tomofumi
Okubo
 Jakob
Schlyter
 Duane
Wessels


  8. Thank
You.

Ques.ons?
(T)Ask
me!

Its
my
job.
 richard.lamb@icann.org


Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN | 1 Motivation for the Talk ICANN is about to change an important configuration parameter in DNSSEC For a network DNS operator, this may

377 views • 21 slides
Rolling Rolling the the Root Root Geoff Huston APNIC Use Use of of DNSSEC DNSSEC in in

Rolling Rolling the the Root Root Geoff Huston APNIC Use Use of of DNSSEC DNSSEC in in

Rolling Rolling the the Root Root Geoff Huston APNIC Use Use of of DNSSEC DNSSEC in in Todays Todays Internet Internet Why Why is is this this relevant? relevant? Because Because the root zone managers are preparing

788 views • 43 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

720 views • 36 slides
Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia Corporation, a

913 views • 37 slides
Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model Introduction Development of the model by TNO as part of the Root Scalability Study Team Why quantify? Scalability is a quantitative topic

674 views • 18 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010 .bg .biz .br .cat .cz .dk .edu .lk .museum .na .org .tm .uk .us already in root. more coming (.se .ch .gov .li .my .nu .pr .th) 8 out of

836 views • 30 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
The ELT Site Control System Nick Kornweibel Control System Project Manager RTI Connext

The ELT Site Control System Nick Kornweibel Control System Project Manager RTI Connext

The ELT Site Control System Nick Kornweibel Control System Project Manager RTI Connext Conference 9 th May 2017 Site Armazones Peak 3050 m. high. & 25 km from Paranal Armazones Paranal Selection criteria: impact on science,

556 views • 17 slides
Advanced Tuning and Operation guide for Block Storage using Ceph 1 Whos Here John Han

Advanced Tuning and Operation guide for Block Storage using Ceph 1 Whos Here John Han

Advanced Tuning and Operation guide for Block Storage using Ceph 1 Whos Here John Han (sjhan@netmarble.com) Netmarble Jaesang Lee (jaesang_lee@sk.com) Byungsu Park (bspark8@sk.com) SK Telecom 2 Network IT Convergence R&D Center

1.34k views • 92 slides
Q1-2016 results A tough quarter in a polarized environment May 4 th , 2016 (Limited examination

Q1-2016 results A tough quarter in a polarized environment May 4 th , 2016 (Limited examination

Q1-2016 results A tough quarter in a polarized environment May 4 th , 2016 (Limited examination by Statutory Auditors) Important legal information IMPORTANT NOTICE: This presentation has been prepared exclusively for the purpose of the disclosure

769 views • 31 slides
Connect www.Kinect-IQ.com Regus Business Centre-4 th Floor, Golf Course Road-Augusta Point ,

Connect www.Kinect-IQ.com Regus Business Centre-4 th Floor, Golf Course Road-Augusta Point ,

Smart Way to Connect www.Kinect-IQ.com Regus Business Centre-4 th Floor, Golf Course Road-Augusta Point , Sector-53 Gurgaon-Haryana Tel. +91-8054010314 Sales- Sales@motrex.in ANYTIME ANY WHERE ANYDEVICE What is provides KinectIQ is the

466 views • 4 slides
"Don't Be the Quality Gatekeeper: Just Hold Up the Mirror" Presented by: Mfundo Nkosi

"Don't Be the Quality Gatekeeper: Just Hold Up the Mirror" Presented by: Mfundo Nkosi

T7 Track 9/30/2010 11:15 AM "Don't Be the Quality Gatekeeper: Just Hold Up the Mirror" Presented by: Mfundo Nkosi Micro to Mainframe Brought to you by: 330 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770 904

436 views • 14 slides
Alexandria City Council Retreat November 10, 2018 Agenda 9:00 Welcome & Opening Remarks

Alexandria City Council Retreat November 10, 2018 Agenda 9:00 Welcome & Opening Remarks

Alexandria City Council Retreat November 10, 2018 Agenda 9:00 Welcome & Opening Remarks 9:10 FY 2020 General Fund Operating Budget Planning a) Early Revenue Forecast b) Expenditure Pressures and Projections c) City Employee Compensation

1.06k views • 85 slides
CEPH DATA SERVICES IN A MULTI- AND HYBRID CLOUD WORLD Sage Weil - Red Hat 1 OpenStack Summit -

CEPH DATA SERVICES IN A MULTI- AND HYBRID CLOUD WORLD Sage Weil - Red Hat 1 OpenStack Summit -

CEPH DATA SERVICES IN A MULTI- AND HYBRID CLOUD WORLD Sage Weil - Red Hat 1 OpenStack Summit - 2018.11.15 OUTLINE Ceph Data services Block File Object Edge Future 2 UNIFIED STORAGE PLATFORM OBJECT

868 views • 52 slides
Title 1 Presentation Jefferson Elementary School October 19, 2018 What is Title 1? Title 1

Title 1 Presentation Jefferson Elementary School October 19, 2018 What is Title 1? Title 1

Title 1 Presentation Jefferson Elementary School October 19, 2018 What is Title 1? Title 1 is a component of the Elementary and Secondary Education Act of 1965. Title 1 focuses on improving the academic achievement of economically

499 views • 10 slides

More recommend