Internet2 DNSSEC Pilot
Shumon Huque
University of Pennsylvania
Sprint Internet2 Member Meeting
Arlington, Virginia, U.S.A., Apr 23rd 2007
2 Shumon Huque
• This is mostly a repeat of a presentation I gave at the Winter 2007 Joint Techs meeting, February 2007, Minneapolis, Minnesota, U.S.A.
Description of the Pilot
• http://www.dnssec-deployment.org/internet2/
• Deploy DNSSEC
• Gain operational experience
• Does it work (does it catch anything?)
• Test DNSSEC aware applications
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
What is DNSSEC?
• A system to verify the authenticity of DNS “data”
• RFC 4033, 4034, 4035
• Helps detect: spoofing, misdirection, cache poisoning
• Some secondary benefits appear:
• You could store keying material in DNS
• DKIM, SSHFP, IPSECKEY, etc.
A little background ..
• Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs
• Mar ‘06: dnssec@internet2 mailing list
• Apr ‘06: Internet2 Spring Member meeting
• Advisory group formed and plans for a pilot project formulated
• May ‘06: Pilot group began
• Monthly conference calls and progress reports
Coordination
• Internet2
• Shinkuro シンクロ
• Partner in the DNSSEC Deployment Initiative
• http://www.dnssec-deployment.org/
• Some funding from the US government
DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
• All zones: magpi.{net,org} & 15 reverse zones
• https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
• radb.net
• nanog.org
• http://www.merit.edu/networkresearch/dnssec.html
• NYSERNet - test zone
• nyserlab.org
Others considering or planning deployment
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• University of Massachusetts - Amherst
• Internet2
DLV (DNSSEC Lookaside Validation)
• A mechanism to securely locate DNSSEC trust anchors “off-path”
• An early deployment aid until top-down deployment of DNSSEC happens
• Pilot group is in talks to make use of ISC’s DLV registry
• http://www.isc.org/index.pl?/ops/dlv/
• More on this at a later date ..
More participants welcome!
• (participation not restricted to Internet2)
• Join mailing list
• Participate in conference calls
Thoughts on deployment obstacles (1)
• A Chicken & Egg problem
• Marginal benefits, until much more deployment
• Why should I go first?
• We had (have?) the same problem with other technologies (IPv6 etc)
• Some folks will need to take the lead, if there is hope for wider adoption
• Good way to find out how well it works
Thoughts on deployment obstacles (2)
• Operational stability
• More complicated software infrastructure
• New processes for:
• Zone changes
• Secure delegations
• Security (protection of crypto keys)
• Key rollover and maintenance
• Integration w/ existing DNS management software
• What is the experience of the pilot?
Thoughts on deployment obstacles (3)
• Additional system requirements
• Authoritative servers: memory
• Resolvers: memory & CPU
• Memory use can be calculated
• Probably not a big issue (unless you’re .COM!)
• CPU
• Not too much of an issue today (dearth of signed data that needs validation)
• Caveat: some potential DoS attacks could hit CPU
Thoughts on deployment obstacles (4)
• Key distribution in islands of trust
• Why is there no top down deployment?
• Work on signing the root and (many) TLDs and in-addr.arpa is in progress
• .SE, RIPE reverse done
• .EDU work in motion
• Interim mechanisms like DLV exist
• Manual key exchange (unscalable)
Thoughts on deployment obstacles (5)
• Stub resolver security (e2e security)
• An area of neglect in my opinion
• Push DNSSEC validation to endstations?
• Secure path from stub resolver to recursive resolver
• Possibilities: SIG(0), TSIG, IPSEC
Thoughts on deployment obstacles (6)
• Application layer feedback
• Coming gradually
• DNSSEC aware resolution APIs, and applications enhanced to use them
• DNSSEC aware applications
• See http://www.dnssec-tools.org/
• Note: some folks think it might be nice to protect DNSSEC oblivious applications silently as an interim step
Thoughts on deployment obstacles (7)
• Zone enumeration threat
• See NSEC3 record (spec almost done)
• draft-ietf-dnsext-nsec3-09.txt
• Hashed Authenticated Denial of Existence
• Also provides “Opt-Out” (to allow spans of unsecured records in a signed zone)
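To make the enumeration threat concrete, here is an added example (not part of the original deck) that builds an NSEC chain over a small constructed zone and walks it to list every owner name, then builds the hashed chain NSEC3 introduces and shows that it can still prove a name does not exist without listing the owners. The hashing follows what the draft became, RFC 5155 (SHA-1 over the canonical wire-format owner name, salted and iterated, base32hex output); the zone contents, salt and iteration count are constructed for illustration.

```python
"""Added example (not from the original slides): NSEC zone walking versus
NSEC3 hashed denial of existence.  Zone contents, salt and iteration count
are constructed; the hash construction follows RFC 5155 (SHA-1 over the
canonical wire-format owner name, salted and iterated, base32hex output)."""
import base64
import hashlib

# Constructed zone: apex plus four hostnames, one of which is "sensitive".
ZONE_NAMES = [
    "example.com.", "www.example.com.", "mail.example.com.",
    "ns1.example.com.", "secret-dev.example.com.",
]


def _labels(name):
    return [label.lower() for label in name.rstrip(".").split(".")]


def canonical_key(name):
    # RFC 4034 section 6.1: compare label by label starting from the root.
    return tuple(reversed(_labels(name)))


def build_nsec_chain(names):
    """Owner -> next owner in canonical order; the last owner wraps to the first."""
    ordered = sorted(names, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


def walk_nsec(chain, apex):
    """The enumeration attack: follow NSEC 'next' pointers until back at the apex."""
    found, current = [], apex
    while True:
        found.append(current)
        current = chain[current]
        if current == apex:
            return found


def wire_name(name):
    """Canonical (lowercase) wire-format name: length-prefixed labels, root terminator."""
    return b"".join(bytes([len(label)]) + label.encode() for label in _labels(name)) + b"\x00"


# Map the standard base32 alphabet onto base32hex; the latter preserves hash sort order.
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt, iterations):
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32hex characters, so no padding appears.
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode()


def build_nsec3_chain(names, salt, iterations):
    """The NSEC3 chain is ordered by hash, not by name."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def nsec3_cover(chain, qname, salt, iterations):
    """Return the (owner, next) hash pair proving qname is absent, or None if it exists."""
    h = nsec3_hash(qname, salt, iterations)
    if h in chain:
        return None
    for lower, upper in zip(chain, chain[1:]):
        if lower < h < upper:
            return lower, upper
    return chain[-1], chain[0]  # wrap-around interval covers everything past the last hash


def nsec3_dictionary_attack(chain, guesses, zone, salt, iterations):
    """The caveat: collected hashes can still be matched against guessed labels offline."""
    return [g for g in guesses if nsec3_hash(f"{g}.{zone}", salt, iterations) in chain]


if __name__ == "__main__":
    salt, iterations = bytes.fromhex("aabbccdd"), 12   # same parameters as RFC 5155's example
    print("NSEC walk lists:", walk_nsec(build_nsec_chain(ZONE_NAMES), "example.com."))
    chain3 = build_nsec3_chain(ZONE_NAMES, salt, iterations)
    print("NSEC3 walk lists only hashes:", chain3)
    print("proof for nonexistent.example.com.:",
          nsec3_cover(chain3, "nonexistent.example.com.", salt, iterations))
    print("guessed labels recovered:",
          nsec3_dictionary_attack(chain3, ["www", "ftp", "secret-dev"], "example.com.", salt, iterations))
```

The last function is the caveat a practitioner should keep in mind: NSEC3 hides owner names from a simple chain walk, but anyone who collects the hashes can test guessed labels offline, so it raises the cost of enumeration rather than eliminating it. Opt-Out, also in the draft, is not modelled here.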
Additional BoF topics
DLV participation procedures
• See Joao Damas’ earlier presentation
• ISC DLV registry
• http://www.isc.org/index.pl?/ops/dlv/
• Policy and practice statement:
• https://secure.isc.org/ops/dlv/dlv-pol-pract-v1.0.php
edu Top-Level-Domain signing
• Who’s involved: Educause, Verisign, US Dept of Commerce
• What can Internet2 schools do to help make this a reality?
• NSEC3 is not needed:
• edu zone is small (< 8000 delegations)
• Relatively static
• No zone privacy requirements
Securing last hop(s)
• Most university threat models include untrustworthiness of the local network
• i.e. the path between client and recursive resolver is NOT secure
• Need stub resolvers capable of:
• 1. Validating DNSSEC signatures, or
• 2. Supporting channel protection mechanisms that allow them to authenticate responses from the recursive resolver
• SIG(0), TSIG etc.
Securing last hop(s) cont ..
• Which channel protection mechanism?
• Simple symmetric-key TSIG has problems
• Can’t distribute the same TSIG key to many clients: that allows any of them to forge DNS answers to the others
• Need per-client keys and thus additional key management infrastructure
• SIG(0) may be more manageable
• A public key signature over the response message
• Only the public key needs to be distributed
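The key-management point above, as an added example that is not from the original slides: an HMAC stands in for TSIG, and a toy RSA signature over two fixed Mersenne primes stands in for SIG(0). The key, the two responses and the client roles are constructed; the toy modulus is far too small for real use and exists only to show that a client holding the public key alone cannot mint a signature another client will accept.

```python
"""Added example (not from the original slides): why one shared TSIG key
cannot protect a population of stub clients, and why a SIG(0) public key
can.  HMAC-SHA256 stands in for TSIG; a toy RSA signature over two fixed
Mersenne primes stands in for SIG(0).  Keys, messages and client roles are
constructed; the toy modulus is far too small for real use."""
import hashlib
import hmac


# --- TSIG-style symmetric channel protection (RFC 2845 uses an HMAC) ---
def tsig_mac(message: bytes, key: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def tsig_verify(message: bytes, mac: bytes, key: bytes) -> bool:
    return hmac.compare_digest(mac, tsig_mac(message, key))


# --- SIG(0)-style asymmetric channel protection (RFC 2931 uses a public-key signature) ---
# Constructed toy key: two known Mersenne primes give a ~92-bit modulus.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537                       # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent; needs Python 3.8+


def _message_hash(message: bytes) -> int:
    # Reduce SHA-256 modulo N so the toy modulus can sign it; a real key would not need this.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sig0_sign(message: bytes, exponent: int) -> int:
    return pow(_message_hash(message), exponent, N)


def sig0_verify(message: bytes, signature: int, public_exponent: int) -> bool:
    return pow(signature, public_exponent, N) == _message_hash(message)


# Constructed messages: the resolver's honest answer and an attacker's substitute.
GENUINE_RESPONSE = b"www.example.com. 300 IN A 192.0.2.10"
FORGED_RESPONSE = b"www.example.com. 300 IN A 198.51.100.66"
SHARED_TSIG_KEY = b"one-secret-handed-to-every-campus-client"   # constructed


def tsig_forgery_succeeds() -> bool:
    """Client A holds the shared key, so it can mint a MAC that client B accepts."""
    mac_from_client_a = tsig_mac(FORGED_RESPONSE, SHARED_TSIG_KEY)
    return tsig_verify(FORGED_RESPONSE, mac_from_client_a, SHARED_TSIG_KEY)


def sig0_results() -> tuple:
    """(genuine answer verifies, forgery by a client holding only the public key verifies)."""
    genuine_ok = sig0_verify(GENUINE_RESPONSE, sig0_sign(GENUINE_RESPONSE, D), E)
    # Client A has only (N, E); the best it can do is exponentiate with E, which does not verify.
    forged_sig = sig0_sign(FORGED_RESPONSE, E)
    forged_ok = sig0_verify(FORGED_RESPONSE, forged_sig, E)
    return genuine_ok, forged_ok


if __name__ == "__main__":
    print("TSIG: forged answer accepted by another client:", tsig_forgery_succeeds())
    print("SIG(0): (genuine verifies, forgery verifies):", sig0_results())
```

Per-client TSIG keys remove the forgery but bring back exactly the provisioning burden the slide mentions. With SIG(0) the only secret lives on the recursive resolver, and the public half can be published in DNS as a KEY record and rotated without touching every client; the price, relevant to the CPU remarks earlier in the deck, is one public-key signature per response on the resolver.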
Application feedback
• DNSSEC aware resolution API/libraries
• eg.
• draft-hayatnagarkar-dnsext-validator-api-03
• Plus applications enhanced to use them
References
• Internet2 DNSSEC Pilot
• http://www.dnssec-deployment.org/internet2/
• http://rosetta.upenn.edu/magpi/dnssec.html
• Mailing list: dnssec@internet2.edu
• https://mail.internet2.edu/wws/info/dnssec
• Internet2 DNSSEC Workshop
• http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243
References (2)
• DNSSEC(bis) technical specs:
• RFC 4033, 4034, 4035
• Related:
• DNSSEC HOWTO:
• http://www.nlnetlabs.nl/dnssec_howto/
• Threat analysis of the DNS: RFC 3833
• Operational practices: RFC 4641
• NSEC3: draft-ietf-dnsext-nsec3-09
• DLV: draft-weiler-dnssec-dlv-01
• draft-hubert-dns-anti-spoofing-00
Questions?
• Shumon Huque
• shuque -at- isc.upenn.edu

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Internet2 DNSSEC Pilot

  • 1. Internet2 DNSSEC Pilot
    Shumon Huque, University of Pennsylvania
    Spring Internet2 Member Meeting, Arlington, Virginia, U.S.A., Apr 23rd 2007
  • 2. This is mostly a repeat of a presentation I gave at the Winter 2007 Joint Techs meeting, February 2007, Minneapolis, Minnesota, U.S.A.
  • 3. Description of the Pilot
    • http://www.dnssec-deployment.org/internet2/
    • Deploy DNSSEC
    • Gain operational experience
    • Does it work (does it catch anything?)
    • Test DNSSEC-aware applications
    • Participants sign at least one of their zones
    • Exchange keys (trust anchors) that will allow them to mutually validate DNS data
  • 4. What is DNSSEC?
    • A system to verify the authenticity of DNS “data”
    • RFC 4033, 4034, 4035
    • Helps detect: spoofing, misdirection, cache poisoning
    • Some secondary benefits appear:
      • You could store keying material in DNS
      • DKIM, SSHFP, IPSECKEY, etc.
  • 5. A little background ..
    • Feb ’06: DNSSEC Workshop held at Albuquerque Joint Techs
    • Mar ’06: dnssec@internet2 mailing list
    • Apr ’06: Internet2 Spring Member Meeting
      • Advisory group formed and plans for a pilot project formulated
    • May ’06: Pilot group began
      • Monthly conference calls and progress reports
  • 6. Co-ordination
    • Internet2
    • Shinkuro シンクロ
      • Partner in DNSSEC Deployment Initiative
      • http://www.dnssec-deployment.org/
      • Some funding from US government
  • 7. DNSSEC deployment efforts so far
    • MAGPI GigaPoP
      • All zones: magpi.{net,org} & 15 reverse zones
      • https://rosetta.upenn.edu/magpi/dnssec.html
    • MERIT
      • radb.net
      • nanog.org
      • http://www.merit.edu/networkresearch/dnssec.html
    • NYSERNet - test zone
      • nyserlab.org
  • 8. Others considering or planning deployment
    • University of Pennsylvania
    • University of California - Berkeley
    • University of California - Los Angeles
    • University of Massachusetts - Amherst
    • Internet2
  • 9. DLV (DNSSEC Lookaside Validation)
    • A mechanism to securely locate DNSSEC trust anchors “off-path”
    • An early deployment aid until top-down deployment of DNSSEC happens
    • Pilot group is in talks to make use of ISC’s DLV registry
      • http://www.isc.org/index.pl?/ops/dlv/
    • More on this at a later date ..
  • 10. More participants welcome!
    • (participation not restricted to Internet2)
    • Join the mailing list
    • Participate in conference calls
  • 11. Thoughts on deployment obstacles (1)
    • A chicken-and-egg problem
      • Marginal benefits, until much more deployment
      • Why should I go first?
    • We had (have?) the same problem with other technologies (IPv6 etc.)
    • Some folks will need to take the lead, if there is hope for wider adoption
    • Good way to find out how well it works
  • 12. Thoughts on deployment obstacles (2)
    • Operational stability
    • More complicated software infrastructure
    • New processes for:
      • Zone changes
      • Secure delegations
      • Security (protection of crypto keys)
      • Key rollover and maintenance
      • Integration w/ existing DNS management software
    • What is the experience of the pilot?
  • 13. Thoughts on deployment obstacles (3)
    • Additional system requirements
      • Authoritative servers: memory
      • Resolvers: memory & CPU
    • Memory use can be calculated
      • Probably not a big issue (unless you’re .COM!)
    • CPU
      • Not too much of an issue today (dearth of signed data that needs validation)
      • Caveat: some potential DoS attacks could hit CPU
  • 14. Thoughts on deployment obstacles (4)
    • Key distribution in islands of trust
    • Why is there no top-down deployment?
      • Work on signing root and (many) TLDs and in-addr.arpa is in progress
      • .SE, RIPE reverse done
      • .EDU work in motion
    • Interim mechanisms like DLV exist
    • Manual key exchange (unscalable)
  • 15. Thoughts on deployment obstacles (5)
    • Stub resolver security (end-to-end security)
    • An area of neglect in my opinion
    • Push DNSSEC validation to end stations?
    • Secure path from stub resolver to recursive resolver
      • Possibilities: SIG(0), TSIG, IPSEC
  • 16. Thoughts on deployment obstacles (6)
    • Application layer feedback
    • Coming gradually
    • DNSSEC-aware resolution APIs and applications enhanced to use them
    • DNSSEC-aware applications
      • See http://www.dnssec-tools.org/
    • Note: some folks think it might be nice to protect DNSSEC-oblivious applications silently as an interim step
  • 17. Thoughts on deployment obstacles (7)
    • Zone enumeration threat
    • See NSEC3 record (spec almost done)
      • draft-ietf-dnsext-nsec3-09.txt
      • Hashed Authenticated Denial of Existence
      • Also provides “Opt-Out” (to allow spans of unsecured records in a signed zone)
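Worked example of the hashed denial of existence that slide 17 points to (added here; it is not code from the slides, the pilot or the cited draft). It implements the NSEC3 owner-name hash as specified in draft-ietf-dnsext-nsec3 (later RFC 5155): SHA-1 over the canonical wire-format name plus a salt, re-hashed the configured number of extra iterations, encoded in base32hex. It then builds the hash-ordered chain for a constructed zone and finds the record that covers a missing name. The zone contents, salt and iteration count are constructed; only the covering-interval step of a denial proof is shown, a full NXDOMAIN proof also needs the closest-encloser and wildcard NSEC3 records.

```python
"""NSEC3 hashed authenticated denial of existence, worked through.

Added illustration (not code from the slides or the pilot). Implements the
NSEC3 owner-name hash (SHA-1 over canonical wire-format name || salt,
re-hashed `iterations` extra times, base32hex-encoded) and the hash-ordered
chain. Only the covering-interval step of a denial proof is shown; a complete
NXDOMAIN proof also needs the closest-encloser and wildcard NSEC3 records.
"""
import hashlib

BASE32HEX_ALPHABET = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each prefixed by its length,
    terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"invalid label {label!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), unpadded;
    a 20-byte SHA-1 digest becomes exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(0) = H(owner || salt); IH(k) = H(IH(k-1) || salt); return IH(iterations)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_chain(zone_names, salt: bytes, iterations: int):
    """Hash every owner name in the zone and sort by hash. Each entry stands
    for one NSEC3 record whose 'next hashed owner' is the following entry;
    the last entry wraps around to the first."""
    return sorted((nsec3_hash(n, salt, iterations), n) for n in zone_names)


def denial_proof(chain, qname: str, salt: bytes, iterations: int):
    """Return ("match", owner) when qname's hash is an NSEC3 owner in the
    chain, else ("covered", owner, next_owner) for the record whose interval
    contains the hash, i.e. the record a validator checks to accept NXDOMAIN."""
    h = nsec3_hash(qname, salt, iterations)
    for hv, owner in chain:
        if hv == h:
            return ("match", owner)
    for i, (hv, owner) in enumerate(chain):
        nxt_hash, nxt_owner = chain[(i + 1) % len(chain)]
        # Ordinary interval, or the wrap-around interval from the largest
        # hash back to the smallest (covers everything above and below them).
        if hv < h < nxt_hash or (nxt_hash <= hv and (h > hv or h < nxt_hash)):
            return ("covered", owner, nxt_owner)
    raise AssertionError("a well-formed chain covers every hash")


if __name__ == "__main__":
    # Constructed zone plus a salt and iteration count as an NSEC3PARAM would carry.
    salt, iterations = bytes.fromhex("aabbccdd"), 12
    zone = ["example.", "ns1.example.", "a.example.", "w.example.", "x.w.example."]
    chain = build_chain(zone, salt, iterations)
    for hv, owner in chain:
        print(f"{hv}.example.  NSEC3  (hash of {owner})")
    print(denial_proof(chain, "a.example.", salt, iterations))
    print(denial_proof(chain, "missing.example.", salt, iterations))
```

Running it prints the hash-ordered chain for the constructed zone followed by the proof for an existing and a missing name. Walking an NSEC chain hands out every owner name in the zone, which is the enumeration threat the slide names; walking an NSEC3 chain yields only hashes. The salt and the extra iterations raise the cost of guessing names offline against those hashes without removing it, which is the trade-off behind the later note that a small, static, public zone such as edu gains little from NSEC3. Opt-Out is not modelled here.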
  • 19. DLV participation procedures
    • See Joao Damas’ earlier presentation
    • ISC DLV registry
      • http://www.isc.org/index.pl?/ops/dlv/
    • Policy and practice statement:
      • https://secure.isc.org/ops/dlv/dlv-pol-pract-v1.0.php
  • 20. edu top-level domain signing
    • Who’s involved: Educause, Verisign, US Dept of Commerce
    • What can Internet2 schools do to help make this a reality?
    • NSEC3 is not needed:
      • edu zone is small (< 8000 delegations)
      • Relatively static
      • No zone privacy requirements
  • 21. Securing last hop(s)
    • Most university threat models include untrustworthiness of the local network
      • i.e. path between client and recursive resolver is NOT secure
    • Need stub resolvers capable of:
      1. Validating DNSSEC signatures, or
      2. Supporting channel protection mechanisms that allow them to authenticate the response from the recursive resolver
        • SIG(0), TSIG etc.
  • 22. Securing last hop(s), cont ..
    • Which channel protection mechanism?
    • Simple symmetric key TSIG has problems
      • Can’t distribute the same TSIG key to many clients - that allows any of them to forge DNS answers to others
      • Need per-client keys and thus additional key management infrastructure
    • SIG(0) may be more manageable
      • A public key signature of the response msg
      • Need to only distribute the public key
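The trust property behind slides 21 and 22, as an added example (not code from the slides or the pilot): for stub resolver stub-a it computes which other parties can produce a response authenticator that stub-a accepts under three last-hop designs, a TSIG key shared by all stubs, per-client TSIG keys, and SIG(0). TSIG is reduced to an HMAC-SHA256 over a key name and the response bytes (real TSIG per RFC 2845 also binds the request MAC and the time fields), and SIG(0) is modelled with textbook RSA over tiny hard-coded primes so the file runs with only the Python standard library (3.8 or later, for the modular inverse via pow). Key values, party names and the response bytes are constructed.

```python
"""Last-hop channel protection: shared TSIG key vs. per-client keys vs. SIG(0).

Added illustration, not code from the slides or the pilot. It models which
parties can produce a MAC or signature that stub resolver "stub-a" accepts.
TSIG is reduced to HMAC-SHA256 over the key name and response bytes (real
TSIG, RFC 2845, also binds the request MAC, time and fudge); SIG(0) uses
textbook RSA over tiny hard-coded primes so that only the standard library
is needed. Neither is usable as a real DNS implementation.
"""
import hashlib
import hmac

RESPONSE = b"constructed response: www.example. IN A 192.0.2.10"  # sample bytes
KEY_NAME = "last-hop-key."  # constructed TSIG key name


# ---------- TSIG: symmetric key shared between resolver and stub ----------

def tsig_mac(key: bytes, response: bytes) -> bytes:
    return hmac.new(key, KEY_NAME.encode() + response, hashlib.sha256).digest()


def tsig_accepts(key: bytes, response: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tsig_mac(key, response), mac)


def shared_key_holders() -> dict:
    """One TSIG key handed to every stub (constructed value)."""
    k = bytes.fromhex("11" * 32)
    return {"resolver": k, "stub-a": k, "stub-b": k, "stub-c": k}


def per_client_key_holders() -> dict:
    """Per-client keys. The value is the key each party would use to MAC a
    response addressed to stub-a: the resolver holds stub-a's key, the other
    stubs hold only their own (constructed values)."""
    ka, kb, kc = (bytes.fromhex(h * 32) for h in ("aa", "bb", "cc"))
    return {"resolver": ka, "stub-a": ka, "stub-b": kb, "stub-c": kc}


def tsig_parties_accepted_by(stub: str, holders: dict, response: bytes) -> set:
    """Every other party MACs the response with the key it holds; return those
    whose MAC the stub's verifier accepts. Anything beyond {"resolver"} means
    the stub cannot tell a resolver response from that party's."""
    return {party for party, key in holders.items()
            if party != stub
            and tsig_accepts(holders[stub], response, tsig_mac(key, response))}


# ---------- SIG(0): resolver signs, stubs hold only the public key ----------
# Toy RSA parameters (NOT secure; real SIG(0) keys are e.g. 2048-bit RSA).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the resolver only


def _digest_int(response: bytes) -> int:
    return int.from_bytes(hashlib.sha256(response).digest(), "big") % N


def sig0_sign(response: bytes, private_exponent: int) -> int:
    return pow(_digest_int(response), private_exponent, N)


def sig0_verify(response: bytes, signature: int) -> bool:
    return pow(signature, E, N) == _digest_int(response)


def sig0_holders() -> dict:
    """Only the resolver has the private exponent; stubs have the public key."""
    return {"resolver": D, "stub-a": None, "stub-b": None, "stub-c": None}


def sig0_parties_accepted_by(stub: str, holders: dict, response: bytes) -> set:
    """Parties with the private key sign; parties without it can only hand
    over the unsigned digest. Return those whose output the stub verifies."""
    accepted = set()
    for party, priv in holders.items():
        if party == stub:
            continue
        candidate = sig0_sign(response, priv) if priv is not None else _digest_int(response)
        if sig0_verify(response, candidate):
            accepted.add(party)
    return accepted


if __name__ == "__main__":
    print("shared TSIG key :", tsig_parties_accepted_by("stub-a", shared_key_holders(), RESPONSE))
    print("per-client TSIG :", tsig_parties_accepted_by("stub-a", per_client_key_holders(), RESPONSE))
    print("SIG(0)          :", sig0_parties_accepted_by("stub-a", sig0_holders(), RESPONSE))
```

With one key shared across stubs the accepted set for stub-a is {resolver, stub-b, stub-c}: the stub cannot distinguish a resolver response from one built by any other key holder, which is the forgery problem the slide describes. Per-client keys shrink the set to {resolver}, at the cost of the resolver holding and provisioning one key per client; SIG(0) gives the same {resolver} with nothing secret distributed, since the stubs hold only the public key. The toy RSA parameters exist only to make the asymmetry runnable and provide no security.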
  • 23. Application feedback
    • DNSSEC-aware resolution APIs/libraries
      • e.g. draft-hayatnagarkar-dnsext-validator-api-03
    • Plus applications enhanced to use them
  • 24. References
    • Internet2 DNSSEC Pilot
      • http://www.dnssec-deployment.org/internet2/
      • http://rosetta.upenn.edu/magpi/dnssec.html
    • Mailing list: dnssec@internet2.edu
      • https://mail.internet2.edu/wws/info/dnssec
    • Internet2 DNSSEC Workshop
      • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243
  • 25. References (2)
    • DNSSEC(bis) technical specs:
      • RFC 4033, 4034, 4035
    • Related:
      • DNSSEC HOWTO: http://www.nlnetlabs.nl/dnssec_howto/
      • Threat analysis of the DNS: RFC 3833
      • Operational practices: RFC 4641
      • NSEC3: draft-ietf-dnsext-nsec3-09
      • DLV: draft-weiler-dnssec-dlv-01
      • draft-hubert-dns-anti-spoofing-00
  • 26. Questions?
    • Shumon Huque
    • shuque -at- isc.upenn.edu

Editor's notes

  1. Title Slide