.ORG DNSSEC Testbed Deployment PowerPoint PPT Presentation

Title: .ORG DNSSEC Testbed Deployment


1
.ORG DNSSEC Testbed Deployment
  • Edmon Chung
  • Creative Director
  • Afilias
  • edmon_at_afilias.info
  • Perth, AU
  • 2 March, 2006

2
Overview
  • .ORG Testbed Implementation
  • Perception Problems
  • Risk vs. Return
  • What next?

3
.ORG Testbed Logistics and Topology
  • Launched on 31 October, 2005
  • DNSSEC-aware name servers
  • EPP 1.0 front end servers feed zone data to the
    name servers

4
EPP Front End
  • Only .ORG accredited registrars allowed access to
    the EPP servers
  • Want to keep out the cruft
  • Use same creds as .ORG OTE servers
  • New registrars added when added to OTE
  • Dedicated testbed servers
  • Runs on epp1.dnssec-testbed.pir.org
    epp2.dnssec-testbed.pir.org
  • Separate from .ORG Production servers!

5
DNS Back End
  • Running on dedicated BIND servers at the moment
  • Will cut over to UltraDNS in 2006
  • Isolated DNS systems
  • Query using dig <somename>.org @<server>
  • Where <server> is ns1.dnssec-testbed.pir.org or
    ns2.dnssec-testbed.pir.org
  • Started with empty zone
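The slide tells you how to query the testbed servers but not how to read the answer. The check a practitioner wants is whether the response actually carries signatures (the zone is signed and the server honours the DO bit, which `dig +dnssec` sets) and, when asking a validating resolver instead of the authoritative server, whether the AD flag is set. The following is an added example, not code from the presentation or from Afilias/PIR; the two dig transcripts embedded in it are constructed to resemble answers from a testbed-style authoritative server, with placeholder record values and signature.

```python
"""Classify a dig response: is the answer DNSSEC-signed, and was it validated?

Added example; not code from the presentation or from Afilias/PIR. The dig
output below is CONSTRUCTED (placeholder addresses and signature), modelled
on what `dig +dnssec <somename>.org @ns1.dnssec-testbed.pir.org` prints.
"""
import re
from dataclasses import dataclass

# Constructed: answer from an authoritative server for a name in a signed
# zone. An authoritative server sets AA, never AD; RRSIGs appear only because
# the DO bit was set (that is what `+dnssec` does).
SIGNED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;somename.org.    IN  A

;; ANSWER SECTION:
somename.org.   3600  IN  A      192.0.2.10
somename.org.   3600  IN  RRSIG  A 5 2 3600 20060401000000 20060302000000 12345 org. PLACEHOLDERSIGNATURE==
"""

# Constructed: the same kind of query against a server whose zone is unsigned.
UNSIGNED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;othername.org.    IN  A

;; ANSWER SECTION:
othername.org.   3600  IN  A  192.0.2.11
"""


@dataclass
class DnssecCheck:
    flags: set          # header flags, e.g. {"qr", "aa", "rd"}
    do_bit: bool        # DNSSEC OK bit in the EDNS OPT record
    qtype: str          # type that was asked for
    answer_types: set   # RR types seen in the ANSWER section
    rrsig_covers: set   # types covered by RRSIGs in the ANSWER section

    @property
    def signed(self) -> bool:
        """True when the answer carries an RRSIG covering the queried type."""
        return self.qtype in self.rrsig_covers

    @property
    def validated(self) -> bool:
        """True only when a validating recursive resolver set the AD flag.
        Authoritative servers (such as the testbed ns1/ns2) never set it."""
        return "ad" in self.flags


def parse_dig(output: str) -> DnssecCheck:
    """Parse dig's text output into a DnssecCheck."""
    flags, do_bit, qtype = set(), False, ""
    answer_types, rrsig_covers = set(), set()
    section = None
    for line in output.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith("; EDNS:"):
            do_bit = re.search(r"flags:[^;]*\bdo\b", line) is not None
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if not line.strip():
            section = None          # a blank line ends the current section
            continue
        if section == "QUESTION" and line.startswith(";"):
            qtype = line.split()[-1]
        elif section == "ANSWER":
            fields = line.split()   # owner ttl class type rdata...
            if len(fields) >= 4:
                answer_types.add(fields[3])
                if fields[3] == "RRSIG" and len(fields) >= 5:
                    rrsig_covers.add(fields[4])
    return DnssecCheck(flags, do_bit, qtype, answer_types, rrsig_covers)


def summarize(output: str) -> str:
    c = parse_dig(output)
    return (f"qtype={c.qtype} do={c.do_bit} signed={c.signed} "
            f"validated={c.validated} flags={sorted(c.flags)}")


if __name__ == "__main__":
    print(summarize(SIGNED_RESPONSE))
    print(summarize(UNSIGNED_RESPONSE))
```

Without `+dnssec` the DO bit is clear and even a signed zone answers without RRSIGs, so a bare `dig` as on the slide only tells you the name resolves, not that it is signed.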

6
Registrar Toolkit
  • Experimental toolkit (Not for Prime Time)
  • Don't use it for .ORG production
  • Availability
  • PIR website
  • SourceForge
  • EPP Transactions based on the -03 Hollenbeck
    draft

7
Policy Decisions
  • Running according to -bis specifications
  • Looking to showcase some pitfalls
  • May code NSEC3 in 2006 to run parallel
  • Same for roll-over drafts, as they are fleshed out
  • Roll-over
  • Already rolled in November (did anyone notice?)
  • Will do an unannounced ZSK and KSK compromise
    scenario in 2006
  • Will publish a key roll-over schedule as well

8
Participation...
  • 3 Registrars logged in, 15 names in the zone, 12
    DS records (as of 23 Nov 2005)
  • 135 names in the zone as of now
  • What can we do to help you participate?
  • On the PIR side?
  • On the Afilias side?
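The DS records counted on this slide, and the KSK roll-over announced two slides earlier, are tied together: a DS is a digest of the zone's key-signing DNSKEY that the registrar submits through EPP, so every KSK change means a new DS must be published at the parent. The following added example (not code from the presentation or from PIR/Afilias) derives a DS record from a DNSKEY the way RFC 4034 (key tag, Appendix B; DS digest, section 5.1.4) and RFC 4509 (SHA-256 DS) specify; the DNSKEY it uses is a constructed placeholder, not a real .ORG or testbed key.

```python
"""Derive the DS record a registrar submits from a zone's DNSKEY.

Added example; not code from the presentation or from PIR/Afilias. The key
material below is CONSTRUCTED (a byte ramp, not a real public key); the
algorithm follows RFC 4034 App. B (key tag), RFC 4034 s5.1.4 (DS digest) and
RFC 4509 (digest type 2 = SHA-256).
"""
import base64
import hashlib

# DS digest type -> hash constructor (1 = SHA-1, 2 = SHA-256)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed placeholder key: 64 bytes 0x01..0x40, base64-encoded.
CONSTRUCTED_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode("ascii")


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): labels
    lower-cased, each prefixed by its length, ending with the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte
    algorithm, then the public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (for algorithms
    other than 1). It is an identifier, not a cryptographic hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(owner_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Build the presentation-format DS RR from the RDATA text of a DNSKEY RR
    ('flags protocol algorithm base64key'). A DS is normally generated only
    for the KSK, i.e. a DNSKEY with flags 257 (zone key + SEP bit)."""
    flags, proto, alg, key_b64 = dnskey_text.split(None, 3)
    pubkey = base64.b64decode("".join(key_b64.split()))
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), pubkey)
    return (f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {int(alg)} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


if __name__ == "__main__":
    # somename.org is the slide's placeholder zone; 257 3 8 = KSK, RSA/SHA-256.
    print(make_ds("somename.org", "257 3 8 " + CONSTRUCTED_KEY_B64))
```

After a KSK roll-over the old DS must stay at the parent until every validator can have seen the new one, and the new DS must be in place before the old key stops signing, otherwise the zone fails validation during the transition; that timing problem is the "technical challenge" the deck refers to.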

9
Perception Problems
  • .CL (Chilean) survey
  • Many in the technological community in Chile do
    not know what DNSSEC is
  • Some thought it was all about confidentiality
  • Have not deployed DNSSEC because
  • Worry it will confuse the market (providers are
    not knowledgeable yet make many promises to
    end-users)
  • Multiple providers to deal with (ISC, APNIC,
    RIPE, etc.)
  • Education and Testbed

10
What DNSSEC does NOT do
  • DNSSEC does NOT provide confidentiality of DNS
    responses
  • DNSSEC does NOT protect against DDOS attacks
  • DNSSEC is NOT about privacy
  • DNSSEC is NOT a PKI
  • DNSSEC does NOT protect against IP Spoofing

11
Why is DNSSEC important?
  • ROI vs. Return on Risk
  • Not about increased revenues, but about reduced
    risks
  • Reducing risks for your community / customers
  • High vulnerability, low awareness
  • High dependence on DNS
  • Trust is easy to lose, difficult to regain

12
What Next?
  • Not without technical challenges (e.g. Key
    Rollovers)
  • Main Challenge is still awareness and adoption
    (i.e. demand driving)
  • Technologists tend to get over excited about
    technical details
  • Some disconnect with business managers
  • Not as high profile as worms, viruses and DDOS
    attacks
  • Even as security is highest priority

13
Man-in-the-middle Attacks
  • Stories to tell
  • Bank Account
  • Email from your bank telling you that, for
    security reasons, they need you to update your
    password
  • You know about these scams called phishing,
    where the bad guys send an email pretending to be
    legit, and the link actually goes to their
    website
  • Just to be safe, instead of clicking on your
    bank's email link, you open up your browser, and
    type in the URL for your bank login page
  • On the front page is the request for password
    change.
  • You put in your old password, and your new
    password (twice)
  • Two hours later, your entire savings account is
    wiped clean.
  • Automated Systems compromised
  • Email being intercepted

14
IDN and DNSSEC
  • Many similarities
  • Requires Application (DNS Clients) updates
  • Requires Registries and DNS operator updates /
    deployment
  • Requires Root changes for complete experience
  • One major difference
  • Lack of explicit user demand

15
Awareness Participation
  • ccTLDs and gTLDs should implement DNSSEC testbeds
  • Application Providers
  • Browsers, MTAs
  • ISPs
  • Industry should help promote awareness
  • Must a catastrophe happen first?...
  • For more info and to participate
  • http://www.dnssec.net
  • http://www.dnssecdeployment.org

16
Thank You
  • Edmon Chung
  • edmon_at_afilias.info