SlideShare ist ein Scribd-Unternehmen logo

ION Toronto - Why Implement DNSSEC?

Deploy360 Programme (Internet Society)
Deploy360 Programme (Internet Society)

ION Toronto, 11 November 2013: What is DNSSEC and why is it so important? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet.

Technologie
1 von 18
Downloaden Sie, um offline zu lesen
Why  DNSSEC?   James  Galvin,  Ph.D.   Afilias  Limited   11  November  2013   ION  Toronto   ©  2013  Afilias  Limited   1  
Afilias  and  DNSSEC   •  Afilias  makes  Internet  addresses   more  accessible  and  useful   through  registry  services,   Managed  DNS,  and  mobile  Web   services  like  goMobi®  and   DeviceAtlas®.   –  Operator  INFO  and  MOBI   –  Host  to  9  ccTLDs  and  7  gTLDs   –  Have  one  of  the  largest  DNS   infrastructures   •  Started  with  DNSSEC  in  2008   –  Signed  ORG  in  June  2009   –  ORG  offered  signed  delegaYons  in   June  2010   –  Root  signed  in  July  2010   –  Signed  all  TLDs  and  offered  signed   delegaYons  soon  aZer   ©  2013  Afilias  Limited   2  
•  DNSSEC  Basics   •  Benefits  of  DNSSEC   •  Internet  Future   ©  2013  Afilias  Limited   3  
DNSSEC  -­‐  BASICS   ©  2013  Afilias  Limited   4  
What  is  DNSSEC?   •  DNSSEC  provides  an  asserYon   by  a  zone  that  a  specific  data   element  is  bound  to  a  domain   name.   •  This  is  most  oZen  used  to  bind   an  IP  address  to  a  domain   name,  e.g.,  to  find  a  web  site.   •  The  validaYon  of  the  asserYon   is  possible  independent  of  its   source.   •  Benefits   –  CriYcal  Infrastructure:   everything  uses  the  DNS   –  Hierarchical:  delegate  and   distribute  responsibility   ©  2013  Afilias  Limited   5  
DNSSEC-­‐aware  applicaYons   DNS  with  DNSSEC   2   1   ROOT  SERVERS   DNSSEC   DNSSEC   TLD   Authorita;ve   NS   Local   cache   1   2   3   DNSSEC   Itera;ve   Resolver   Local   cache   3   SLD   Authorita;ve  NS     Stub  Resolver   USER  PC   ©  2013  Afilias  Limited   6  
Who  are  the  Players?   •  Domain  registraYon  system   –  Registries:  operate  the  TLDs   –  (Registrars):  middleman   between  registry  and   registrant   –  Registrant:  own,  manage,  and   deploy  domain  names   •  Domain  name  system   –  Root  system   –  Registries   –  DNS  Operators   •  Community   –  ISPs   –  Users   ©  2013  Afilias  Limited   7  
BENEFITS  OF  DNSSEC   ©  2013  Afilias  Limited   8  
Why  DNSSEC?   •  DNSSEC  protects  the  DNS  system   from  cache  poisoning  adacks,  viz   the  “Kaminsky  Bug”   •  DNSSEC  is  the  next  step  in  the   evoluYon  of  the  Internet,  similar   to  the  web  back  in  1993.   •  DNS  is  a  criYcal  infrastructure   system.    Virtually  everything   depends  on  it.   •  Deploying  a  safe  and  secure  DNS   is  not  just  the  right  thing  to  do,  it   is  the  cornerstone  of  building  the   next  generaYon  Internet,  a  safe   and  secure  Internet.   ©  2013  Afilias  Limited   9  
Without  DNSSEC…   When  you  visit  a  web  site   can  you  be  sure  you  are  communicaYng  with  the   server  that  you  think  you  are?         ©  2013  Afilias  Limited   10  
TLS/SSL  and  DNSSEC  benefits   TLS   DNSSEC   Data   !^^x<>        TLS/SSL   Channel   DNS  Data   DNS  Data   DNSSEC   DNSSEC Data   Data   Signed   Guaranteed  not  tampered   Encryp;on   Authen;ca;on   Integrity   DNSSEC  protects…   Users  from  DNS  data  tampered  by     or  originaYng  from  malicious  actors     ©  2013  Afilias  Limited   11  
INTERNET  FUTURE   ©  2013  Afilias  Limited   12  
Building  Trusted  Domains   •  A  domain  name  is  just  a  label.     Most  commonly  used  to  idenYfy   hosts  and  services.   –  Web  sites   –  ApplicaYon  servers   •  DNSSEC  ensures  we  have  the   correct  service/address   •  TLS/SSL  (hdps)  gives  us  good   confidence  that  we  have  a   encrypted  tunnel   •  Matching  the  domain  in  the  TLS/ SSL  cerYficate  with  the  domain   from  DNSSEC  offers  greater   assurance  that  you  are   communicaYng  with  the  desired   site/service   ©  2013  Afilias  Limited   13  
DNSSEC  Challenges   •  Security  increases  the   baseline  experYse  required   •  Key  management  becomes   mainstream   –  Key  rollover  Ymings  are   subtle   •  DNS  operators  are  visibly   essenYal   –  Transfers  are  a  process   •  Key  rollover  is  required   •  Losing  and  gaining  operator   must  overlap  services   •  New  relaYonship   –  DNS  Operator  and  registrar/ registry   ©  2013  Afilias  Limited   14  
The  demand  for  DNSSEC?   •  A  mix  of  pioneers,  early   adopters  and  legislated   compliance   •  In  the  early  stages  for   registrant/user   awareness   Barriers   Incen;ves   Complexity   Signing  TLDs   Costs   New  hw  &   sw  soluYons   ©  2013  Afilias  Limited   15  
What’s  Next?   •  Centralize  the  complexity   –  Registrars   –  DNS  operators   –  ApplicaYon  service  providers   •  Keep  it  simple  for  the   registrant/user   –  Should  be  invisible   •  DNSSEC  is  about  what  we  can   do  with  it.    It  is  an  essenYal   building  block  in  a  criYcal   infrastructure  system  that  will   change  the  Internet  in  ways   we  can  not  yet  imagine.   ©  2013  Afilias  Limited   16  
IETF  and  Pervasive  Monitoring   •  Last  week  leading   engineers  agreed  that   pervasive  monitoring  is   a  threat  to  the  Internet   –  hdp://www.iet.org/ media/2013-­‐11-­‐07-­‐ internet-­‐privacy-­‐and-­‐ security.html   ©  2013  Afilias  Limited   17  
Thank  You!   James  Galvin   jgalvin    “at”    afilias.info   +1-­‐215-­‐706-­‐5715     hdp://afilias.info/dnssec   ©  2013  Afilias  Limited   18  

Empfohlen

ION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim GalvinION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim GalvinDeploy360 Programme (Internet Society)
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyDeploy360 Programme (Internet Society)
 
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SIION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SIDeploy360 Programme (Internet Society)
 
Secure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLSSecure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLSwolfSSL
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLwolfSSL
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 

Empfohlen

ION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim GalvinION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim GalvinDeploy360 Programme (Internet Society)
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyDeploy360 Programme (Internet Society)
 
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SIION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SIDeploy360 Programme (Internet Society)
 
Secure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLSSecure Communication: Usability and Necessity of SSL/TLS
Secure Communication: Usability and Necessity of SSL/TLSwolfSSL
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLwolfSSL
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECChin Wan Lim
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRSTVictor Ramiro
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at PennShumon Huque
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?Deploy360 Programme (Internet Society)
 
MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01Computer Networking
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
DNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
History of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventHistory of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventhread
 
Best DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxBest DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxMemory Clearance
 
ION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECDeploy360 Programme (Internet Society)
 
Intelligent DNS Scale
Intelligent DNS ScaleIntelligent DNS Scale
Intelligent DNS ScalePeter Silva
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasORG, The Public Interest Registry
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of ThingsF5 Networks
 

Weitere ähnliche Inhalte

Andere mochten auch

AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECChin Wan Lim
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 

Andere mochten auch (10)

AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRST
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at Penn
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 

Ähnlich wie ION Toronto - Why Implement DNSSEC?

DNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy
 
History of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventHistory of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventhread
 
Best DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxBest DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxMemory Clearance
 
Intelligent DNS Scale
Intelligent DNS ScaleIntelligent DNS Scale
Intelligent DNS ScalePeter Silva
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of ThingsF5 Networks
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of ThingsPeter Silva
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemWhoisXML API
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
Building Resilient Applications with Cloudflare DNS
Building Resilient Applications with Cloudflare DNSBuilding Resilient Applications with Cloudflare DNS
Building Resilient Applications with Cloudflare DNSDevOps.com
 

Ähnlich wie ION Toronto - Why Implement DNSSEC? (20)

DNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy Sales Brochure
DNS Made Easy Sales Brochure
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
History of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventHistory of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing event
 
Best DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxBest DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptx
 
ION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSEC
 
Intelligent DNS Scale
Intelligent DNS ScaleIntelligent DNS Scale
Intelligent DNS Scale
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons Learned
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
Building Resilient Applications with Cloudflare DNS
Building Resilient Applications with Cloudflare DNSBuilding Resilient Applications with Cloudflare DNS
Building Resilient Applications with Cloudflare DNS
 

Mehr von Deploy360 Programme (Internet Society)

Mehr von Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

Kürzlich hochgeladen

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Kürzlich hochgeladen (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

ION Toronto - Why Implement DNSSEC?

  • 1. Why  DNSSEC?   James  Galvin,  Ph.D.   Afilias  Limited   11  November  2013   ION  Toronto   ©  2013  Afilias  Limited   1  
  • 2. Afilias  and  DNSSEC   •  Afilias  makes  Internet  addresses   more  accessible  and  useful   through  registry  services,   Managed  DNS,  and  mobile  Web   services  like  goMobi®  and   DeviceAtlas®.   –  Operator  INFO  and  MOBI   –  Host  to  9  ccTLDs  and  7  gTLDs   –  Have  one  of  the  largest  DNS   infrastructures   •  Started  with  DNSSEC  in  2008   –  Signed  ORG  in  June  2009   –  ORG  offered  signed  delegaYons  in   June  2010   –  Root  signed  in  July  2010   –  Signed  all  TLDs  and  offered  signed   delegaYons  soon  aZer   ©  2013  Afilias  Limited   2  
  • 3. •  DNSSEC  Basics   •  Benefits  of  DNSSEC   •  Internet  Future   ©  2013  Afilias  Limited   3  
  • 4. DNSSEC  -­‐  BASICS   ©  2013  Afilias  Limited   4  
  • 5. What  is  DNSSEC?   •  DNSSEC  provides  an  asserYon   by  a  zone  that  a  specific  data   element  is  bound  to  a  domain   name.   •  This  is  most  oZen  used  to  bind   an  IP  address  to  a  domain   name,  e.g.,  to  find  a  web  site.   •  The  validaYon  of  the  asserYon   is  possible  independent  of  its   source.   •  Benefits   –  CriYcal  Infrastructure:   everything  uses  the  DNS   –  Hierarchical:  delegate  and   distribute  responsibility   ©  2013  Afilias  Limited   5  
  • 6. DNSSEC-­‐aware  applicaYons   DNS  with  DNSSEC   2   1   ROOT  SERVERS   DNSSEC   DNSSEC   TLD   Authorita;ve   NS   Local   cache   1   2   3   DNSSEC   Itera;ve   Resolver   Local   cache   3   SLD   Authorita;ve  NS     Stub  Resolver   USER  PC   ©  2013  Afilias  Limited   6  
  • 7. Who  are  the  Players?   •  Domain  registraYon  system   –  Registries:  operate  the  TLDs   –  (Registrars):  middleman   between  registry  and   registrant   –  Registrant:  own,  manage,  and   deploy  domain  names   •  Domain  name  system   –  Root  system   –  Registries   –  DNS  Operators   •  Community   –  ISPs   –  Users   ©  2013  Afilias  Limited   7  
  • 8. BENEFITS  OF  DNSSEC   ©  2013  Afilias  Limited   8  
  • 9. Why  DNSSEC?   •  DNSSEC  protects  the  DNS  system   from  cache  poisoning  adacks,  viz   the  “Kaminsky  Bug”   •  DNSSEC  is  the  next  step  in  the   evoluYon  of  the  Internet,  similar   to  the  web  back  in  1993.   •  DNS  is  a  criYcal  infrastructure   system.    Virtually  everything   depends  on  it.   •  Deploying  a  safe  and  secure  DNS   is  not  just  the  right  thing  to  do,  it   is  the  cornerstone  of  building  the   next  generaYon  Internet,  a  safe   and  secure  Internet.   ©  2013  Afilias  Limited   9  
  • 10. Without  DNSSEC…   When  you  visit  a  web  site   can  you  be  sure  you  are  communicaYng  with  the   server  that  you  think  you  are?         ©  2013  Afilias  Limited   10  
  • 11. TLS/SSL  and  DNSSEC  benefits   TLS   DNSSEC   Data   !^^x<>        TLS/SSL   Channel   DNS  Data   DNS  Data   DNSSEC   DNSSEC Data   Data   Signed   Guaranteed  not  tampered   Encryp;on   Authen;ca;on   Integrity   DNSSEC  protects…   Users  from  DNS  data  tampered  by     or  originaYng  from  malicious  actors     ©  2013  Afilias  Limited   11  
  • 12. INTERNET  FUTURE   ©  2013  Afilias  Limited   12  
  • 13. Building  Trusted  Domains   •  A  domain  name  is  just  a  label.     Most  commonly  used  to  idenYfy   hosts  and  services.   –  Web  sites   –  ApplicaYon  servers   •  DNSSEC  ensures  we  have  the   correct  service/address   •  TLS/SSL  (hdps)  gives  us  good   confidence  that  we  have  a   encrypted  tunnel   •  Matching  the  domain  in  the  TLS/ SSL  cerYficate  with  the  domain   from  DNSSEC  offers  greater   assurance  that  you  are   communicaYng  with  the  desired   site/service   ©  2013  Afilias  Limited   13  
  • 14. DNSSEC  Challenges   •  Security  increases  the   baseline  experYse  required   •  Key  management  becomes   mainstream   –  Key  rollover  Ymings  are   subtle   •  DNS  operators  are  visibly   essenYal   –  Transfers  are  a  process   •  Key  rollover  is  required   •  Losing  and  gaining  operator   must  overlap  services   •  New  relaYonship   –  DNS  Operator  and  registrar/ registry   ©  2013  Afilias  Limited   14  
  • 15. The  demand  for  DNSSEC?   •  A  mix  of  pioneers,  early   adopters  and  legislated   compliance   •  In  the  early  stages  for   registrant/user   awareness   Barriers   Incen;ves   Complexity   Signing  TLDs   Costs   New  hw  &   sw  soluYons   ©  2013  Afilias  Limited   15  
  • 16. What’s  Next?   •  Centralize  the  complexity   –  Registrars   –  DNS  operators   –  ApplicaYon  service  providers   •  Keep  it  simple  for  the   registrant/user   –  Should  be  invisible   •  DNSSEC  is  about  what  we  can   do  with  it.    It  is  an  essenYal   building  block  in  a  criYcal   infrastructure  system  that  will   change  the  Internet  in  ways   we  can  not  yet  imagine.   ©  2013  Afilias  Limited   16  
  • 17. IETF  and  Pervasive  Monitoring   •  Last  week  leading   engineers  agreed  that   pervasive  monitoring  is   a  threat  to  the  Internet   –  hdp://www.iet.org/ media/2013-­‐11-­‐07-­‐ internet-­‐privacy-­‐and-­‐ security.html   ©  2013  Afilias  Limited   17  
  • 18. Thank  You!   James  Galvin   jgalvin    “at”    afilias.info   +1-­‐215-­‐706-­‐5715     hdp://afilias.info/dnssec   ©  2013  Afilias  Limited   18