John Schnizlein - PowerPoint PPT Presentation


1
State of DNSSEC deployment ISOC Advisory Council
  • John Schnizlein
  • 2009 July 31

2
Improving security on the Internet
  • We know we need to add security that was not designed in.
  • DNSSEC demonstrates:
      • The Internet Model supports developing security
      • Deployment of security is hard
  • Other security efforts, such as securing routing
    information, are also being pursued.

3
Technical Background
  • DNS: the epitome of a successful Internet application
      • Each domain manages its own names (servers)
      • Domains can delegate authority
      • Source defines records' Time To Live (TTL)
  • Separately managed resolvers
      • follow references
      • cache results for the specified TTL
  • DNSSEC exploits these features
      • Public-key signatures authenticate record sets
      • Resolvers empowered to validate signatures
      • Chain of trust through the delegation hierarchy
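As an added illustration of the chain of trust described on this slide (example code, not part of the presentation): a toy Python model of a validating resolver walking from its configured trust anchor through parent-signed DS records and zone DNSKEYs down to a signed answer RRset. The key arithmetic is textbook RSA over small constructed primes and the record formats are simplified; the zone names, keys and addresses are constructed sample data.

```python
import hashlib

# Constructed textbook RSA key: (n, e) stands in for the public DNSKEY, d for the private key.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, pow(e, -1, phi)

def digest_int(rrset, n):
    # Hash the canonical RRset (owner, type, sorted RDATA, as RFC 4034 orders it), reduced mod n.
    name, rtype, rdata = rrset
    canon = "|".join([name, rtype] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n

def sign(rrset, pub, priv):          # RRSIG: the zone signs its own RRset
    return pow(digest_int(rrset, pub["n"]), priv, pub["n"])
def verify(rrset, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest_int(rrset, pub["n"])
def ds_digest(pub):                  # DS: digest of the child's DNSKEY, published by the parent
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def validate_chain(anchor_ds, chain, answer, answer_sig):
    """Resolver-side validation from the configured trust anchor down the delegation
    hierarchy. chain: zones root-first, each {'dnskey': pub, 'child_ds': (DS RRset, RRSIG)}."""
    expected_ds = anchor_ds
    for depth, zone in enumerate(chain):
        if ds_digest(zone["dnskey"]) != expected_ds:
            return False                     # this key is not the one the parent vouched for
        if depth == len(chain) - 1:
            return verify(answer, answer_sig, zone["dnskey"])   # leaf zone signs the answer
        ds_rrset, ds_sig = zone["child_ds"]
        if not verify(ds_rrset, ds_sig, zone["dnskey"]):
            return False                     # delegation signing broken
        expected_ds = ds_rrset[2][0]
    return False

def build_scenario():
    """Constructed root -> org -> example.org hierarchy with sample data (not real keys)."""
    root_pub, root_priv = toy_keypair(1009, 1013)
    org_pub, org_priv = toy_keypair(1019, 1021)
    ex_pub, ex_priv = toy_keypair(1031, 1033)
    rogue_pub, rogue_priv = toy_keypair(1039, 1049)     # no DS anywhere vouches for this key
    org_ds = ("org.", "DS", [ds_digest(org_pub)])
    ex_ds = ("example.org.", "DS", [ds_digest(ex_pub)])
    chain = [{"dnskey": root_pub, "child_ds": (org_ds, sign(org_ds, root_pub, root_priv))},
             {"dnskey": org_pub, "child_ds": (ex_ds, sign(ex_ds, org_pub, org_priv))},
             {"dnskey": ex_pub, "child_ds": None}]
    answer = ("www.example.org.", "A", ["192.0.2.10", "192.0.2.11"])
    return {"anchor": ds_digest(root_pub), "chain": chain, "answer": answer,
            "sig": sign(answer, ex_pub, ex_priv),
            "rogue_chain": chain[:2] + [{"dnskey": rogue_pub, "child_ds": None}],
            "rogue_sig": sign(answer, rogue_pub, rogue_priv)}
```

A tampered answer, a key that no parent DS vouches for, or a wrong trust anchor all make `validate_chain` return False, which is exactly the property the chain of trust gives a validating resolver.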

4
History
  • First specification (RFC 2065) in 1997
      • Oops: determined not deployable
  • New design (RFC 4033, 4034, 4035) in 2005
      • Separated functions between child and parent:
        record (zone) signing from delegation signing
  • Privacy concerns addressed (RFC 5155) in 2008
      • NSEC3 sequences hashes rather than names,
        preventing walking all the zone's records
  • Note that deployment began during design

5
Deployment timeline
  • 2005 October .SE (Sweden) signed TLD
  • 2006 August .PR (Puerto Rico) signed TLD
  • 2007 January .BG (Bulgaria) signed TLD
  • 2007 June .BR (Brazil) signed TLD
  • 2008 September .CZ (Czech Republic) signed TLD
  • 2008 September .MUSEUM signed TLD
  • 2009 February .GOV (U.S. government) signed TLD
  • 2009 March .TH (Thailand) signed TLD
  • 2009 June .ORG (unrestricted use) signed TLD
  • Maybe (checking): .NA (Namibia) signed TLD

6
Deployment timeline (months between successive TLD signings)
  Date            TLD                        Months since previous
  2005 October    .SE (Sweden)               -
  2006 August     .PR (Puerto Rico)          10
  2007 January    .BG (Bulgaria)             5
  2007 June       .BR (Brazil)               5
  2008 September  .CZ (Czech Republic)       3
  2008 September  .MUSEUM                    0
  2009 February   .GOV (U.S. government)     5
  2009 March      .TH (Thailand)             1
  2009 June       .ORG (unrestricted use)    3

7
Tests and Plans
  • Production Root
      • 2007 June: IANA made a test signed root available
      • Workarounds deployed:
          • 2006 March: DNSSEC Look-aside Validation (DLV)
          • 2007 June: Interim Trust Anchor Repository (ITAR)
      • 2008 October: NTIA requested views on signing the root
      • 2009 May: announced plan to sign root by end of 2009
  • .JP (Japan) plans to sign by end of 2010
  • Nominet is working on signing .UK using opendnssec.se
  • Verisign plans to sign
      • .NET by the end of 2010
      • .COM early in 2011

8
Current Hot Issues
  • What if the root really is signed? (June symposium)
      • Many recursive resolvers got ahead of root signing
      • What happens now when the root gets signed?
  • Distributing trust anchors to validating resolvers
      • Use TARs?
      • Use software upgrade?
      • Need to accommodate rolling the root key

9
Discussion: Market Niches of DNSSEC value
10
Market Drivers
  • Security is not just the right thing to do.
  • Avoiding catastrophe is insufficient motivation
  • Separate management demands cooperation
  • Chicken-or-egg problem (neither works without the other)
  • Who can benefit from validity-checked names?
      • Not a rhetorical question: really need advice
  • Brainstorming begins...

11
InternetSociety.org    info@InternetSociety.org