Security for the Internet

1
Security for the Internets Domain Name
SystemDNSSEC Current State of Deployment
Prepared for Internet2 BoFAmy Friedlander,
Shinkuro, Inc.Based on a presentation by Marcus
Sachs (SRI) with contributions by members of the
DNSSEC Deployment Working Group
April 23, 2007
2
DNSSEC Current State Protocols

• Core RFCs published
• 4033 DNS Security Introduction and Requirements
• 4034 Resource Records for DNS Security
  Extensions
• 4035 Protocol Modifications for the DNS Security
  Extensions
• http//www.dnssec.net/rfc for the entire
  collection
• NSEC3 is in final stages.
• DNS Extensions (DNSEXT) Working Group is
  discussing its future, including the option of
  self dissolution.

3
The US Department of Homeland Security DNSSEC
Deployment Initiative Activities

• Coordination project Shinkuro, Sparta, SRI and
  NIST
• Roadmap published in February 2005, updated March
  2007 to include extensive list of available
  software tools and guides
• http//www.dnssec-deployment.org/roadmap.php
• Multiple workshops held world-wide
• Monthly newsletter
• http//www.dnssec-deployment.org/news/dnssecthism
  onth
• DNSSEC testbed and testing tools developed by
  NIST
• http//www-x.antd.nist.gov/dnssec
• DNSSEC tools available at
• http//www.dnssec-tools.org
• DNSSEC-Deployment Working Group
• http//www.dnssec-deployment.org
• Internet2 Cross-Signing Pilot
• http//www.dnssec-deployment.org/internet2/

4
DNSSEC in the United States

• US Government
• US civilian government (.gov) developing policy
  and technical guidance for secure DNS operations
  and beginning deployment activities at all
  levels.
• The .us and .mil zones are also on track for
  DNSSEC compliance
• New DNSSEC guidance included in FISMA, NIST
  800-53r1
• http//www.csrc.nist.gov/publications/nistpubs
• Secure Domain Name System Deployment Guide
• http//csrc.nist.gov/publications/nistpubs/800-81/
  SP800-81.pdf
• Outside the US Government
• Public Internet Registry (PIR) plans for
  deploying DNSSEC in .org
• http//pir.org/Strengthening/DNSSec.aspx

5
DNSSEC in the Caribbean Puerto Rico

• In July 2006 Puerto Ricos top-level domain (.pr)
  was the second ccTLD country code top level
  domain to provide a DNSSEC-signed zone
• Details http//www.nic.pr
• Questions may be addressed to info_at_nic.pr

6
DNSSEC in Latin America Mexico and Brazil

• NIC Mexico is developing the infrastructure,
  procedures and technology for a future DNSSEC
  deployment in the .mx ccTLD
• DNSSEC testbed launched in May 2006
• Created a new SLD test.mx where DNSSEC enabled
  domain registrations can be made for free
• Testbed details http//www.dnssec.org.mx
• DNSSEC verification tool http//www.dnssec.org.mx
  /checkdnssec.html 
• Registro.br released DNSSEC extensions for EPP
  http//registro.br/epp/index-EN.html (RFC 4310)

7
DNSSEC in Europe RIPE

• The European infrastructure services provider,
  RIPE NCC, based in the Netherlands, has deployed
  DNSSEC in the reverse tree
• Details are at https//www.ripe.net/rs/reverse/dns
  sec
• How-to guide (latest version) at
  https//www.nlnetlabs.nl/ dnssec_howto

8
DNSSEC in Europe Sweden

• In November 2005, the Swedish national registry
  (.se) was the first ccTLD country code top
  level domain to provide DNSSEC-capable service
• February 16, 2007, .se launched commercial DNSSEC
  service
• Press release (launch) http//www.iis.se/english
  /nyheter/news/2007-02-16?langen
• More details, DNSSEC This Month (March 1, 2007)
• http//www.dnssec-deployment.org/news/dnssecthismo
  nth/200703-dnssecthismonth/

9
DNSSEC in Europe Bulgaria, Czech Republic and
Russia

• Bulgaria (.bg) has signed its zone.
• Czech Republic (.cz) is studying the idea of
  signing its zone as a means of seeding DNSSEC
  deployment in eastern Europe.
• R01 (http//www.r01.ru/), a Russian registrar,
  has a signed copy of the .ru zone available on
  their name server.
• ns.dnssec.ru (195.24.65.7)
• Registrants with a .ru domain using R01 as a
  registrar can sign their own zones
• R01 will provide secure delegation in the signed
  copy of the .ru zone
• Additional information on the signed zone and how
  it can be used can be found at http//www.dnssec.r
  u

10
DNSSEC in Asia

• DNSSEC summit and workshop during APRICOT 2005,
  Kyoto
• http//www.apricot.net/apricot2005/workshop
  .htmlws5
• http//www.psg.com/mankin/DNSSEC-Kyoto-21Feb2005/
  DNSSEC05FebJP-Info.html
• We need more pilots and workshops in the APNIC
  region!

11
Stages for Next Steps and Discussion

• Risk (and cost) analysis CRITICAL!
• Test and engineering
• Discussions with many communities, including with
  the relevant Top Level Domain registries
• Production
• Including communication with zone providers,
  registrars, governing agencies, and software
  vendors
• Leadership in the private and public sectors

12
Background Information and Contributors

• For lots of detailed information
• www.dnssec-deployment.org
• www.dnssec-tools.org
• www.dnssec.net
• Authors of materials in this presentation (all
  from dnssec-deployment working group)
• Amy Friedlander (Shinkuro)
• Allison Mankin (Shinkuro)
• Marcus Sachs (SRI)
• Ed Lewis (Neustar)
• Olaf Kolkman (Netlabs.nl)
• Russ Mundy (Sparta)