Internet2 DNSSEC Pilot - PowerPoint PPT Presentation

1
Internet2 DNSSEC Pilot
  • Shumon Huque
  • University of Pennsylvania
  • ESCC/Internet2 Joint Techs Workshop
  • Minneapolis, Minnesota, U.S.A., Feb 14th 2007

2
Description of the Pilot
  • http://www.dnssec-deployment.org/internet2/
  • Deploy DNSSEC
  • Gain operational experience
  • Does it work? (does it catch anything?)
  • Test DNSSEC aware applications
  • Participants sign at least one of their zones
  • Exchange keys (trust anchors) that will allow
    them to mutually validate DNS data

3
What is DNSSEC?
  • A system to verify the authenticity of DNS data
  • RFC 4033, 4034, 4035
  • Helps detect: spoofing, misdirection, cache
    poisoning
  • Some secondary benefits appear
    • You could store keying material in DNS
      • DKIM, SSHFP, IPSECKEY, etc.

4
A little background
  • Feb 06: DNSSEC Workshop held at Albuquerque
    Joint Techs
  • Mar 06: dnssec_at_internet2 mailing list
  • Apr 06: Internet2 Spring Member meeting
    • Advisory group formed and plans for a pilot
      project formulated
  • May 06: Pilot group began
    • Bi-weekly conference calls and progress reports

5
Co-ordination
  • Internet2
  • Shinkuro
    • Partner in DNSSEC Deployment Initiative
    • http://www.dnssec-deployment.org/
    • Some funding from US government

6
DNSSEC Deployment Efforts so far
  • MAGPI GigaPoP
    • All zones: magpi.net, magpi.org and 15 reverse zones
    • https://rosetta.upenn.edu/magpi/dnssec.html
  • MERIT
    • radb.net
    • nanog.org
    • http://www.merit.edu/networkresearch/dnssec.html
  • NYSERNet - test zone
    • nyserlab.org

7
Others considering or planning deployment
  • University of Pennsylvania
  • University of California - Berkeley
  • University of California - Los Angeles
  • University of Massachusetts - Amherst
  • Internet2

8
DLV (DNSSEC Lookaside Validation)
  • A mechanism to securely locate DNSSEC trust
    anchors off-path
  • An early deployment aid until top-down deployment
    of DNSSEC happens
  • Pilot group is in talks to make use of ISC's DLV
    registry
    • http://www.isc.org/index.pl?/ops/dlv/
  • More on this at a later date

9
More participants welcome!
  • (participation not restricted to Internet2)
  • Join mailing list
  • Participate in conference calls

10
Thoughts on deployment obstacles (1)
  • A chicken-and-egg problem
    • Marginal benefits, until much more deployment
    • Why should I go first?
  • We had (have?) the same problem with other
    technologies (IPv6 etc.)
  • Some folks will need to take the lead, if there
    is hope for wider adoption
    • Good way to find out how well it works

11
Thoughts on deployment obstacles (2)
  • Operational stability
    • More complicated software infrastructure
    • New processes for:
      • Zone changes
      • Secure delegations
      • Security (protection of crypto keys)
      • Key rollover and maintenance
    • Integration w/ existing DNS management software
  • What is the experience of the pilot?

12
Thoughts on deployment obstacles (3)
  • Additional system requirements
    • Authoritative servers: memory
    • Resolvers: memory, CPU
  • Memory use can be calculated
    • Probably not a big issue (unless you're .COM!)
  • CPU
    • Not too much of an issue today (dearth of signed
      data that needs validation)
    • Caveat: some potential DoS attacks could hit CPU

13
Thoughts on deployment obstacles (4)
  • Key distribution in islands of trust
    • Why is there no top-down deployment?
    • Work on signing root and (many) TLDs and
      in-addr.arpa is in progress
      • .SE, RIPE reverse done
      • .EDU work in motion
    • Interim mechanisms like DLV exist
    • Manual key exchange (unscalable)

14
Thoughts on deployment obstacles (5)
  • Stub resolver security (end-to-end security)
    • An area of neglect in my opinion
    • Push DNSSEC validation to endstations?
    • Secure path from stub resolver to recursive
      resolver
      • Possibilities: SIG(0), TSIG, IPsec

15
Thoughts on deployment obstacles (6)
  • Application layer feedback
    • Coming gradually
    • DNSSEC-aware resolution APIs and applications
      enhanced to use them
    • DNSSEC-aware applications
      • See http://www.dnssec-tools.org/
  • Note: some folks think it might be nice to
    protect DNSSEC-oblivious applications silently as
    an interim step

16
Thoughts on deployment obstacles (7)
  • Zone enumeration threat
    • See NSEC3 record (spec almost done)
      • draft-ietf-dnsext-nsec3-09.txt
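Added example, not from the slides or the pilot's own tooling: the NSEC3 hashed-owner-name computation as finalised in RFC 5155 (the RFC that the draft above became), in standard-library Python, plus a small chain lookup showing what a resolver receives for a denial of existence: neighbouring hashes rather than the neighbouring names an NSEC chain would expose. The zone names are constructed; the salt aabbccdd and 12 iterations are the parameters from RFC 5155 Appendix A.

```python
import base64
import hashlib

# NSEC3 owner names use base32 with the "extended hex" alphabet (RFC 4648 section 7).
# base64.b32hexencode only exists from Python 3.10, so translate from the standard alphabet.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    out = bytearray()
    for label in filter(None, name.lower().rstrip(".").split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner name per RFC 5155 section 5: SHA-1 over (name || salt), re-hashed 'iterations' times."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


def nsec3_chain(names, salt_hex: str, iterations: int):
    """The chain as a resolver sees it: hashed owner names in hash order, original names absent."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)


def covering_interval(chain, qname: str, salt_hex: str, iterations: int):
    """Return the (owner, next) hash pair that proves qname is absent, or None if its hash is in the chain."""
    h = nsec3_hash(qname, salt_hex, iterations)
    if h in chain:
        return None
    below = [c for c in chain if c < h]
    owner = below[-1] if below else chain[-1]  # wrap-around: the last link covers the gap past it
    nxt = chain[(chain.index(owner) + 1) % len(chain)]
    return owner, nxt


if __name__ == "__main__":
    # Constructed zone contents; salt and iteration count are the RFC 5155 Appendix A parameters.
    chain = nsec3_chain(["example.", "a.example.", "ns1.example.", "www.example."], "aabbccdd", 12)
    print(chain, covering_interval(chain, "nonexistent.example.", "aabbccdd", 12))
```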

17
References
  • Internet2 DNSSEC Pilot
    • http://www.dnssec-deployment.org/internet2/
    • http://rosetta.upenn.edu/magpi/dnssec.html
  • Mailing list: dnssec_at_internet2.edu
    • https://mail.internet2.edu/wws/info/dnssec
  • Internet2 DNSSEC Workshop
    • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243

18
References (2)
  • DNSSEC(bis) technical specs
    • RFC 4033, 4034, 4035
  • Related
    • DNSSEC HOWTO
      • http://www.nlnetlabs.nl/dnssec_howto/
    • Threat analysis of the DNS: RFC 3833
    • Operational practices: RFC 4641
    • NSEC3: draft-ietf-dnsext-nsec3-09
    • DLV: draft-weiler-dnssec-dlv-01
    • draft-hubert-dns-anti-spoofing-00

19
Questions?
  • Shumon Huque
  • shuque -at- isc.upenn.edu