DNSSEC webinar for CNRS
February 9th 2012

Roland van Rijswijk
roland.vanrijswijk@surfnet.nl
About SURFnet

     - National Research and Education Network (NREN) - like RENATER

     - Founded in 1986

     - >11000 km of fibre-optic cables for an ultra high-bandwidth network

     - 'Shared ICT innovation centre'

     - ≥ 160 connected institutions
       ±1 million end-users

2   SURFnet. We make innovation work                                 cb
Agenda
    - Introduction

    - Vulnerabilities in DNS

    - What is DNSSEC and how does it work?

    - Deploying DNSSEC: where to start

    - Perils & pitfalls: what have we learned?

    - DNSSEC at SURFnet: what have we done?

    - Conclusion & questions

DNS: TomTom™ for the Internet




Why attack DNS?


- DNS is everywhere:
  - In your phone, in your laptop, in your PC…
  - But also in your car, in an ATM, in your elevator, …

- It is very hard to protect plain DNS against attacks

- It is very easy to attack a lot of users



DNS attack vectors

[Diagram: a zone file feeds the primary via dynamic updates; the primary feeds the secondaries via zone transfers; a stub resolver sends queries to a caching resolver, which queries the primary and secondaries. Attack points marked along these paths: man in the middle (stub resolver to caching resolver), cache poisoning (caching resolver), data modification (primary and secondaries), spoofed updates (dynamic updates), corrupt data (zone file).]
Cache poisoning




Bad news...




    http://lambicpeach.files.wordpress.com/2008/10/badnewspup.jpg
Good news :-)




What is DNSSEC?
     - DNSSEC was first devised in 1997

     - We are at the third generation of the
       protocol
         - DNSSEC (ca. 2000)
         - DNSSECbis (2005)
         - NSEC3 (2008)


     - Some 20 (!) active RFCs
         - That's excluding the 'normal'
           DNS RFCs


     - Protocol is mature
         - Changes are mainly new
           algorithms

What is DNSSEC?
     - Digital Signatures guarantee
       authenticity of DNS records
         - Like a wax seal

     - Resolvers validate the signatures
       and discard records with bogus
       signatures

     - DNSSEC only provides
       authenticity
         - So no confidentiality
         - nor protection against DDoS
         - or typosquatting, phishing, etc.




                                              Photo courtesy of UK National Archive
                                              cat. no. C202/194/8
DNS attack vectors revisited

[Diagram: the same picture as 'DNS attack vectors', now stamped 'DNSSEC' over the man in the middle, cache poisoning and both data modification points; the spoofed updates and corrupt data points carry no stamp.]
Deployment status

     - Root was signed on July 15th 2010

     - Signed generic TLDs:
       .asia, .biz, .cat, .com, .edu, .gov, .info,
       .museum, .net, .org, .pro, .mil

     - Signed ccTLDs: 60 countries & counting
         - Includes .fr, .de, .uk, .nl


     - Registrars are starting to support DNSSEC
         - e.g. 41 .org registrars (source: PIR, http://pir.org/get/registrars)




Validation rate
     - We measure validation on our resolvers:




Operating a validating resolver




Software
         - The majority of DNS resolvers support DNSSEC
           out-of-the-box:

     Product                      DNSSEC      RFC 5011
     ISC BIND                     Yes         Yes
     Unbound                      Yes         Yes
     djbdns                       No          n/a
     MaraDNS                      No          n/a
     Microsoft DNS (W2K8 R2)      Yes, but*   No*
     Simple DNS Plus              Yes         No**
     Nominum Vantio               Yes         No**

             *  Seriously limited -- DO NOT USE!
             ** Not specified in product documentation
Chain of trust

root (.)      root zone
     Root KSK public key        <- trust anchor
     Root KSK private key       signs   Root ZSK public key
     Root ZSK private key       signs   the root zone, which contains the nl DS record
     nl DS record               is a reference to   nl KSK public key

nl            nl zone
     nl KSK private key         signs   nl ZSK public key
     nl ZSK private key         signs   the nl zone, which contains the surfnet.nl DS record
     surfnet.nl DS record       is a reference to   surfnet.nl KSK public key

surfnet       surfnet zone
     surfnet.nl KSK private key signs   surfnet.nl ZSK public key
     surfnet.nl ZSK private key signs   the signed record for 'www.surfnet.nl'
Trust anchor configuration
       - You should seriously consider using a resolver
         that supports RFC 5011

       - Check the validity of your trust anchor(s) at
         regular intervals

       - Validate a trust anchor before using it!

. IN DS 19036 8 2 49AAC11D7B6F6446702E54A160737160
                  7A1A41855200FD2CE1CDDE32F24E8FB5

xidep-pybec-tyvak-zonag-kesud-vohip-cumul-fysuk-bivac-pubam-
hugeb-buzud-symes-tylaf-dosog-vufor-huxax
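The check the slide asks for ("validate a trust anchor before using it"), as an added example that is not part of the webinar: recompute the DS record from a DNSKEY, exactly as the parent zone in the chain-of-trust slide does, and compare it field by field with the DS you were handed. The root KSK-2010 DNSKEY embedded below is a public, well-known value that is not on the slide; the function names are my own.

```python
"""Validate a DNSSEC trust anchor by recomputing its DS record from the DNSKEY.

Implements RFC 4034 Appendix B (key tag) and RFC 4034 section 5.1.4
(DS digest = hash over canonical owner name || DNSKEY RDATA).
"""
import base64
import hashlib
import struct

# Root KSK-2010 (flags 257 = ZONE|SEP, protocol 3, algorithm 8 = RSA/SHA-256).
# Public, well-known value: the key behind the DS record on the slide.
ROOT_KSK_2010 = (
    ".", 257, 3, 8,
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd"
    "0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/V"
    "HL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtu"
    "A6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ip"
    "AdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=",
)

# The trust anchor as published on the slide: ". IN DS 19036 8 2 <digest>".
SLIDE_DS = (19036, 8, 2,
            "49AAC11D7B6F6446702E54A160737160" "7A1A41855200FD2CE1CDDE32F24E8FB5")

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types (RFC 4034, RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-cased,
    length-prefixed labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum of the RDATA. It only
    helps to pick a key out of a set; it is not a cryptographic identifier."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Compute the (key tag, algorithm, digest type, digest) a parent zone
    would publish in a DS record for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def trust_anchor_matches(dnskey, ds) -> bool:
    """Before configuring a DNSKEY as trust anchor, derive its DS yourself and
    compare every field with the DS you were given (out of band)."""
    owner, flags, protocol, algorithm, pubkey_b64 = dnskey
    tag, ds_alg, digest_type, digest = ds
    if not flags & 0x0100 or protocol != 3:      # must be a zone key with protocol 3
        return False
    if digest_type not in DIGESTS:               # unknown digest type: cannot verify
        return False
    computed = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return computed == (tag, ds_alg, digest_type, digest.replace(" ", "").upper())


if __name__ == "__main__":
    print("DS computed from root KSK-2010:", ds_from_dnskey(*ROOT_KSK_2010))
    print("matches the DS on the slide:", trust_anchor_matches(ROOT_KSK_2010, SLIDE_DS))
```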

Setting up a validating resolver
     - HOWTO instructions for BIND:
       https://dnssec.surfnet.nl/?p=402

     - HOWTO instructions for Unbound:
       https://dnssec.surfnet.nl/?p=212

     - Shameless advert: use (or try) Unbound!
       http://unbound.net




Checking your setup (1)
       - Perform a lookup of a record known to be
         signed, for instance: www.surfnet.nl
$ dig +dnssec +noauth www.surfnet.nl @your-resolver
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6,
ADDITIONAL: 13
...
;; ANSWER SECTION:
www.surfnet.nl.    3541    IN    A        145.0.2.10
www.surfnet.nl.    3541    IN    RRSIG    A 8 3 3600
20120209210255 20120202092011 65233 surfnet.nl.
jBv79k4EvXt3bN6moWuY5Sr8KuUW4rDodso3SMMrbMgg9uBT7kdVRRzW
veMF6vZBTxtaacefbMud41G...
...
Checking your setup (2)
        - Visit one of the DNSSEC test sites such as:
          http://www.nic.cz/dnssec
          http://www.dnssec-failed.org
          http://test.dnssec-or-not.org/      <-- funny

        - And verify the result:




     source: nic.cz

Dealing with validation failures
     - Validation failures will lead to the resolver
       returning SERVFAIL

     - Clients will try all configured resolvers
         - If one of them doesn't validate, the query will succeed and
           the user probably only notices a slight delay


     - In our experience, users don't
       call the helpdesk
         - So no: "The Internet is broken"

     - Nevertheless: if you see
       validation failures then try to
       alert the zone owner
                                                           http://xkcd.com/386/
Impact on resource use
     - DNSSEC relies on public key cryptography
       - Crypto eats CPU cycles, right?

     - We've been running with full validation
       enabled for almost 3 years

     - The impact on CPU load is negligible
       - Measuring doesn't show a significant difference
       - Remember: DNS resolving is all about caching results




Troubleshooting
     - DNSSEC relies on the EDNS0 extension (RFC
       2671)
       - For larger messages (signatures)
       - For the DO-bit (DNSSEC OK)

     - Some network hardware has problems with
       DNSSEC traffic

     - Firewalls are notorious for blocking:
       - UDP packets over 512 bytes in size
       - Fragmented UDP packets
       - TCP on port 53

     - CPE/SOHO routers also cause trouble
       - Buggy DNS implementations that interfere with your traffic --
         Nominet report: http://bit.ly/cfQBMu
UDP fragmentation issues
     - Late 2010 we experienced problems with a large
       ISP in The Netherlands

     - surfnet.nl had just gotten a DS in .nl

     - Colleagues started complaining that they could
       not log on to their mail from home

     - It turned out to be a firewall at the ISP that
       discarded UDP fragments

     - Even though they did not do validation, they
       could not resolve our records!

UDP fragmentation issues

[Diagram, steps ➀ to ➅: the recursive caching name server (resolver) sends its query through a firewall and across the Internet to the authoritative name server; the large reply is fragmented in transit (min(MTU) = 1500 bytes somewhere on the path) and the fragments are discarded by the firewall on the way back to the resolver.]
All is well that ends well?
     - We talked to their engineers

     - They could not replace the firewall

     - Keep in mind: all modern resolvers (BIND,
       Unbound) have EDNS0 + DO=1 enabled
       by default

     - In the end, they lowered the EDNS0 buffer size
       on their resolver to 512 bytes

     - Problem solved, right?
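The EDNS0 mechanics behind the troubleshooting and fragmentation slides, as an added example that is not part of the webinar: build a query carrying the OPT pseudo-RR with DO=1 and an advertised buffer size (what every modern resolver sends by default), read those two fields back out of any DNS message, and model how a fragment-dropping firewall and the 512-byte workaround change the fate of a large reply. Function names and the 1700-byte reply size are assumptions.

```python
"""Build and inspect the EDNS0 OPT record that carries the DO bit.

RFC 2671 puts EDNS0 into a pseudo-RR of type OPT (41) in the additional
section: its CLASS field carries the sender's UDP payload size and its TTL
field carries extended RCODE, version and flags, with bit 15 of the flags
being DO, "DNSSEC OK" (RFC 3225).
"""
import struct

OPT_TYPE = 41
DO_FLAG = 0x8000
IPV4_UDP_OVERHEAD = 20 + 8          # IPv4 header + UDP header


def build_query(qname, qtype=1, qid=0x1234, udp_payload_size=4096,
                dnssec_ok=True, with_edns=True):
    """Minimal recursive query (RD=1); with EDNS0 it looks like `dig +dnssec`.
    The query ID is fixed only to keep the example reproducible; real
    resolvers randomise it, which is part of their cache-poisoning defence."""
    arcount = 1 if with_edns else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + wire_name + struct.pack("!HH", qtype, 1)        # QCLASS IN
    if with_edns:
        flags = DO_FLAG if dnssec_ok else 0
        ttl_field = flags                  # extended RCODE 0, version 0, flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl_field, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_info(msg):
    """Return (udp_payload_size, dnssec_ok) from the OPT RR, or None when the
    message carries no EDNS0 at all (a sender from before RFC 2671)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rrtype, rrclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rrtype == OPT_TYPE:
            return rrclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return None


def delivery_outcome(answer_size, advertised_size, path_mtu=1500,
                     fragments_pass=True, tcp53_open=True):
    """How a reply of answer_size bytes reaches a resolver that advertised
    advertised_size, given the middlebox behaviour described on the slides."""
    if answer_size > advertised_size:
        # Server truncates (TC=1); the resolver retries over TCP port 53.
        return "tcp" if tcp53_open else "fail: truncated and TCP/53 blocked"
    if answer_size + IPV4_UDP_OVERHEAD > path_mtu:
        # Larger than the path MTU: the datagram is fragmented in transit.
        return "udp-fragmented" if fragments_pass else "fail: fragments dropped"
    return "udp"


if __name__ == "__main__":
    print(edns_info(build_query("www.surfnet.nl")))
    # The ISP's problem and its workaround from the slides, in that order:
    print(delivery_outcome(1700, 4096, fragments_pass=False))
    print(delivery_outcome(1700, 512, fragments_pass=False))
```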


The saga continues
     - Everything worked well until in March 2011 we
       suddenly started getting complaints from some
       companies trying to e-mail us

     - Lo and behold, they were customers of this
       same ISP




The firewall strikes back
     - It turned out that only customers using the
       hosted MS Exchange service had issues

     - After talking to engineers at the ISP we
       discovered the problem

     - They had upgraded the dedicated resolvers in
       their hosted exchange environment to Windows
       2008 R2 which does EDNS0 and sets DO=1

     - Solution: tweak an arcane registry setting
       (see https://dnssec.surfnet.nl/?p=684)


Maybe we should give the DNSSEC OK bit another name




How many people validate?




Operating a signed zone




Why sign your zone?
     - Because your website represents a valuable
       asset for your organisation

     - To prevent redirection of Internet traffic to your
       domain (think: VoIP, e-mail, etc.)

     - To protect your users

     - To leverage the trust that DNSSEC can establish
         - DNSSEC is a PKI
         - store SSH fingerprints in DNS (SSHFP record)
         - store SSL/TLS certificates in DNS (DANE initiative)
       (sidebar on the slide: "Hot stuff :-)")

     - Because your competitor does it too :-)
User study
        - We did a user study among our constituency
            - 169 persons asked to participate
            - 38 responded representing 37 organisations (academia,
              research institutions, teaching hospitals)


         - Two-thirds of users feel DNSSEC is important

         - > 75% plan to sign their domain
When to sign your zone?

     - Your infrastructure should be ready
         - Remember the firewall trouble mentioned when resolving was
           discussed

     - You should have a clear mandate
         - DNS affects everything on your network so DNSSEC does too


     - Think before you act :-)

     - The way back is harder than the way forward




Advice for getting started
     - Make use of available tooling
         - OSS: OpenDNSSEC, BIND
         - Commercial signer solutions

     - Make sure you have good monitoring

     - Write down policies and procedures

     - Carefully think about your design

     - Make your users' life easy!

     - Check with your secondaries for DNSSEC
       support

Signer software (1)
     - OpenDNSSEC

     - BIND 9.x
         - Key storage in the clear on disk
         - HSM support only through patched OpenSSL
         - No automated key rollover (scriptable though)

     - BIND 10
         - Still heavily under development (5 year project)
         - Alpha versions have been released

     - PowerDNSSEC
         - Standard starting from PowerDNS 3.0 (July 1st 2011)

     - ZKT (Zone Key Tool)

Signer software (2)

     - Secure64 DNS signer
       http://www.secure64.com

     - Xelerance DNS-X signer
       http://www.xelerance.com

     - IPAM vendors
         - Men & Mice
         - Infoblox
         - BlueCat networks
         - ...


     - Microsoft Windows Server 2008 R2*
         - *Severely broken, do not use! Wait for W8 Server

Monitoring

     - Monitoring helps to detect problems early-on

     - When monitoring a signed zone, look for:
         - Signature expiry
         - MTU problems (firewalls!)
         - Continuous validation

     - Also monitor from outside your own network

     - Many tools are available, for example:
       http://www.dnssecmonitor.org
       http://www.dnsviz.net
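The "signature expiry" check from the list above, as an added example that is not part of the webinar, run on the RRSIG from the dig output under 'Checking your setup (1)': parse the record as dig prints it and decide whether a monitor should alert. The two-day warning window and the function names are my own choices.

```python
"""Signature-expiry monitoring for a signed zone.

Parses the RRSIG presentation format that `dig +dnssec` prints (RFC 4034
section 3.2) and decides whether the signature is fine, about to expire,
expired, or not yet valid.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Captured from the dig output on the 'Checking your setup (1)' slide (the
# slide renders tabs as '!'; the signature data is truncated there too).
SLIDE_RRSIG = ("www.surfnet.nl.\t3541\tIN\tRRSIG\tA 8 3 3600 "
               "20120209210255 20120202092011 65233 surfnet.nl. "
               "jBv79k4EvXt3bN6moWuY5Sr8KuUW4rDodso3SMMrbMgg9uBT7kdVRRzW"
               "veMF6vZBTxtaacefbMud41G...")


@dataclass
class Rrsig:
    owner: str
    ttl: int            # remaining cache TTL as shown by dig
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def dnssec_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG line in zone-file / dig presentation format."""
    owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
    if rrclass != "IN" or rrtype != "RRSIG":
        raise ValueError("not an IN RRSIG record: %r" % line)
    f = rdata.split()
    return Rrsig(owner, int(ttl), f[0], int(f[1]), int(f[2]), int(f[3]),
                 dnssec_time(f[4]), dnssec_time(f[5]), int(f[6]), f[7])


def check_signature(sig: Rrsig, now: datetime, warn_before=timedelta(days=2)):
    """Return (status, seconds): status is 'ok', 'warning', 'expired' or
    'not-yet-valid'; seconds is the time left until the relevant boundary.

    The warning window is extended by the original TTL: a resolver that fetched
    the RRset shortly before expiry may still be serving it from cache, so the
    re-signing run has to happen at least that much earlier."""
    if now < sig.inception:
        return "not-yet-valid", (sig.inception - now).total_seconds()
    remaining = sig.expiration - now
    if remaining <= timedelta(0):
        return "expired", remaining.total_seconds()
    if remaining < warn_before + timedelta(seconds=sig.original_ttl):
        return "warning", remaining.total_seconds()
    return "ok", remaining.total_seconds()


if __name__ == "__main__":
    sig = parse_rrsig(SLIDE_RRSIG)
    # The webinar was given on 2012-02-09; this signature ran out that evening.
    print(sig.signer, sig.key_tag, sig.expiration.isoformat())
    print(check_signature(sig, utc(2012, 2, 9, 12, 0, 0)))
```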


How to sign your zone: case study SURFnet

     - SURFnet operates a managed DNS environment
       called 'SURFdomeinen'

     - We ran a project in 2010 from Q1 to Q3 to
       implement DNSSEC in SURFdomeinen

     - Our goals:
         - To make it easy for our connected institutions to operate
           signed zones
         - To make it easy for ourselves to operate signed zones

     - We enabled DNSSEC for surfnet.nl at the end of
       September 2010

SURFdomeinen




Requirements
     - DNSSEC should be a 'box to tick'
         - DNS is already considered to be complex by many users,
           something that doesn't improve if you add DNSSEC

     - The integrity of zones should be guaranteed
         - SURFdomeinen should not be the 'weakest link' in the attack
           chain
         - Monitoring is of great importance (more on that later)

     - Turning DNSSEC on or off should not take too
       long
         - Ideally less than 1 hour


     - Once DNSSEC is turned on, customers should
       not notice any difference

Design decision: using HSMs
     - HSM = Hardware Security Module

     - Secure and robust way to store DNSSEC key
       material

     - We can never access the raw key material

     - Role separation

     - Standard API (PKCS #11)

     - Disadvantage: expensive

Design decision: OpenDNSSEC
     - SURFnet participates in the project
         - Other partners are: IIS (.se), Nominet (.uk), Kirei,
           SIDN (.nl), NLnet Labs and Sinodun


     - Goal: push-the-button signing

     - Functions like a 'bump-in-the-wire'

     - Possibility to have different policies for different
       customers

     - Possibility to share keys (e.g. one set of keys per
       customer rather than per zone)

Design decision: OpenDNSSEC
     - OpenDNSSEC 1.1
         - Current version; used in production by a number of top-level
           domains and also for our deployment
         - Used - for instance - by .uk, .fr, .se and .nl

     - OpenDNSSEC 1.2
         - Faster signer engine in C
         - Better support for 'key-sharing'

     - OpenDNSSEC 1.3 (Q3 2011)
         - Multi-threaded signer for better performance
         - Currently in release-candidate status

     - OpenDNSSEC 1.4 (±Q1 2012)
         - Adapters for AXFR/IXFR & MySQL

     - OpenDNSSEC 1.5 (±Q2 2012)
OpenDNSSEC architecture




Design: bump-in-the-wire

[Diagram, before: the hidden primary transfers the DNS zone to the public primary, which serves the Internet. After: the hidden primary transfers the DNS zone to OpenDNSSEC, which transfers the signed zone on to the public primary, which serves the Internet.]
Design: data flow

[Diagram: SURFdomeinen copies the DNS zone to the DNSSEC signer with scp; the signer hands the signed zone to ns1.surfnet.nl by DNS transfer; ns1.surfnet.nl transfers it on to ns2.surfnet.nl, ns3.surfnet.nl and ns1.zurich.surf.net, which serve the Internet.]
Design: network security

[Diagram of the colocation site: a DNS VLAN with the authoritative DNS server and the OpenDNSSEC signer, an HSM VLAN with the network HSM and an SSL HSM (admin access), and an Admin VLAN with the SURFdomeinen server; firewalls separate these VLANs, the local router, the Internet and the SURFnet WAN.]
Design: redundancy
        Signer:

     - Warm standby system in a different co-location
     - MySQL master-slave replication
     - Failover is a manual process (not time critical)

        HSM:

     - Two HSMs in two different locations
     - High-availability mode
     - Offline secure backup on a third location
     - Keys will only be used after a backup


Enabling DNSSEC: user perspective


     - Push-the-button signing:




     - Unsigned to signed in 15 minutes



When things go wrong...




                               Photo courtesy of jeffwilcox@FlickR
Admitting mistakes




                          Photo © 2003 philg@mit.edu
AXFR bug in OpenDNSSEC
         - surfnet.nl was signed for the first time in
           September 2010 (on a Monday)

         - everything went smoothly until Thursday

         - then suddenly...
           no more mail
           no more website
           no more VoIP

         - D'oh!!!

         - Garbage In ==
           Garbage Out

         (cartoon on the slide: "Quickly diagnose the problem" / "I think you've got diarrhea...")
Stories from the trenches...
                   - .cz and .us became 'bogus' because of a
                     mistake during an algorithm rollover

                  - ISOC & .org nearly had a PR disaster at ICANN
                    38 in Brussels

                   - .uk became 'bogus' because of a glitch during
                     a signer failover

                  - .be forgot to update critical signatures

                   - mozilla.org and nasa.gov published a DS
                     while their zone wasn't signed yet

If you're lucky...
     - this is what users will see:




                    many thanks to Marco Davids of SIDN for the screenshot
But in most cases...
     - this is what users will see:




     - (and this is better IMHO!)
Contacting domain owners is hard




Further reading




http://bit.ly/sn-dnssec-2008            http://bit.ly/sn-dnssec-val   http://bit.ly/sn-cryptoweb

Online resources

     - http://dnssec.surfnet.nl
         - With lots of information about the choices we made while
           deploying DNSSEC


     - http://dnssec.net
         - Comprehensive and up-to-date links to information on
           DNSSEC

     - http://www.dnssec-deployment.org
         - Tracks DNSSEC deployment across the net


     - http://www.practicesafedns.org
         - PIR (.org) initiative with user stories



Conclusions

     - DNSSEC deployment is in full swing

     - The ball is now in your court!

     - Seriously consider enabling validation on your
       resolver
       You should enable validation, there's really no
       excuse not to do it :-)

     - Start planning for signing

     - Once it works, you don't notice it's there

roland.vanrijswijk@surfnet.nl


Questions? Comments?   nl.linkedin.com/in/rolandvanrijswijk

                       @reseauxsansfil

Webinar dnssec for cnrs - 20120209

  • 1. DNSSEC webinar for CNRS February 9th 2012 Roland van Rijswijk roland.vanrijswijk@surfnet.nl
  • 2. About SURFnet National Research and Education Network (NREN) - like RENATER Founded in 1986 >11000 km of ļ¬bre-optic cables for an ultra high-bandwidth network ā€˜Shared ICT innovation centreā€™ ā‰„ 160 connected institutions Ā±1 million end-users 2 SURFnet. We make innovation work cb
  • 3. Agenda - Introduction - Vulnerabilities in DNS - What is DNSSEC and how does it work? - Deploying DNSSEC: where to start - Perils & pitfalls: what have we learned? - DNSSEC at SURFnet: what have we done? - Conclusion & questions 3 SURFnet. We make innovation work cb
  • 4. DNS: TomTomā„¢ for the Internet 4 SURFnet. We make innovation work cb
  • 5. Why attack DNS? - DNS is everywhere: - In your phone, in your laptop, in your PCā€¦ - But also in your car, in an ATM, in your elevator, ā€¦ - It is very hard to protect plain DNS against attacks - It is very easy to attack a lot of users SURFnet. We make innovation work cb
  • 6. DNS attack vectors Zone ļ¬le Dy ies Primary na er m ic Qu up da Zone transfers te s Queries Stub resolver Qu Caching resolver e rie s Secondaries Man in the Cache Data Data Spoofed Corrupt data 6 SURFnet. We make innovation work middle poisoning modiļ¬cation modiļ¬cation updates cb
  • 7. Cache poisoning 7 SURFnet. We make innovation work cb
  • 8. Bad news... http://lambicpeach.ļ¬les.wordpress.com/2008/10/badnewspup.jpg 8 SURFnet. We make innovation work cb
  • 9. Good news :-) 9 SURFnet. We make innovation work cb
  • 10. What is DNSSEC? - DNSSEC was ļ¬rst devised in 1997 - We are at the third generation of the protocol - DNSSEC (ca. 2000) - DNSSECbis (2005) - NSEC3 (2008) - Some 20 (!) active RFCs - Thatā€™s excluding the ā€˜normalā€™ DNS RFCs - Protocol is mature - Changes are mainly new algorithms 10 SURFnet. We make innovation work cb
  • 11. What is DNSSEC? - Digital Signatures guarantee authenticity of DNS records - Like a wax seal - Resolvers validate the signatures and discard records with bogus signatures - DNSSEC only provides authenticity - So no conļ¬dentiality - nor protection against DDoS - or typosquatting, phishing, etc. 11 SURFnet. We make innovation work cb Photo courtesy of UK National Archive cat. no. C202/194/8
  • 12. DNS attack vectors revisited Zone ļ¬le Dy ies Primary na er m ic Qu up C C da Zone transfers te SE SE s S S Queries Stub resolver D N Qu D N Caching resolver e rie s C S SE N Secondaries D EC S S 12 Man in the SURFnet. We make innovation work middle Cache poisoning D N Data modiļ¬cation Data modiļ¬cation Spoofed updates Corrupt data cb
  • 13. Deployment status - Root was signed on July 15th 2010 - Signed generic TLDs: .asia, .biz, .cat, .com, .edu, .gov, .info, .museum, .net, .org, .pro, .mil - Signed ccTLDs: 60 countries & counting - Includes .fr, .de, .uk, .nl - Registrars are starting to support DNSSEC e.g. 41 .org registrars, source: PIR, http://pir.org/get/registrars 13 SURFnet. We make innovation work cb
  • 14. Validation rate - We measure validation on our resolvers: 14 SURFnet. We make innovation work cb
  • 15. Operating a validating resolver 15 SURFnet. We make innovation work cb
  • 16. Software - The majority of DNS resolvers support DNSSEC out-of-the box: Product DNSSEC RFC 5011 ISC BIND Yes Yes Unbound Yes Yes djbdns No n/a MaraDNS No n/a Microsoft DNS (W2K8 R2) Yes, but* No* Simple DNS Plus Yes No** Nominum Vantio Yes No** * Seriously limited -- DO NOT USE! ** Not speciļ¬ed in product documentation 16 SURFnet. We make innovation work cb
  • 17. Chain of trust Root KSK public key trust anchor Root KSK private key nl nl zone signs Root ZSK public key root (.) root zone contains surfnet.nl DS record signs Root ZSK private key reference to contains nl DS record surfnet.nl KSK public key reference to surfnet.nl KSK private key nl KSK public key signs nl KSK private key surfnet.nl ZSK public key surfnet surfnet zone signs signs surfnet.nl ZSK private key nl ZSK public key contains nl nl zone www signed record for signs 'www.surfnet.nl' nl ZSK private key
  • 18. Trust anchor conļ¬guration - You should seriously consider using a resolver that supports RFC 5011 - Check the validity of your trust anchor(s) at regular intervals - Validate a trust anchor before using it! . IN DS 19036 8 2 ! 49AAC11D7B6F6446702E54A160737160 ! ! ! ! ! ! ! 7A1A41855200FD2CE1CDDE32F24E8FB5 ! ! ! ! ! ! ! xidep-pybec-tyvak-zonag-kesud- ! ! ! ! ! ! ! vohip-cumul-fysuk-bivac-pubam- ! ! ! ! ! ! ! hugeb-buzud-symes-tylaf-dosog- ! ! ! ! ! ! ! vufor-huxax 18 SURFnet. We make innovation work cb
  • 19. Setting up a validating resolver - HOWTO instructions for BIND: https://dnssec.surfnet.nl/?p=402 - HOWTO instructions for Unbound: https://dnssec.surfnet.nl/?p=212 - Shameless advert: use (or try) Unbound! http://unbound.net 19 SURFnet. We make innovation work cb
  • 20. Checking your setup (1) - Perform a lookup of a record known to be signed, for instance: www.surfnet.nl $ dig +dnssec +noauth www.surfnet.nl @your-resolver ... ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6193 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 13 ... ;; ANSWER SECTION: www.surfnet.nl.! 3541! IN! A! 145.0.2.10 www.surfnet.nl.! 3541! IN! RRSIG! A 8 3 3600 20120209210255 20120202092011 65233 surfnet.nl. jBv79k4EvXt3bN6moWuY5Sr8KuUW4rDodso3SMMrbMgg9uBT7kdVRRzW veMF6vZBTxtaacefbMud41G... ... 20 SURFnet. We make innovation work cb
  • 21. Checking your setup (2) - Visit one of the DNSSEC test sites such as: http://www.nic.cz/dnssec http://www.dnssec-failed.org http://test.dnssec-or-not.org/ <-- funny - And verify the result: source: nic.cz 21 SURFnet. We make innovation work cb
  • 22. Dealing with validation failures - Validation failures will lead to the resolver returning SERVFAIL - Clients will try all conļ¬gured resolvers - If one of them doesnā€™t validate, the query will succeed and the user probably only notices a slight delay - In our experience, users donā€™t call the helpdesk - So no: ā€œThe Internet is brokenā€ - Nevertheless: if you see validation failures then try to alert the zone owner http://xkcd.com/386/ 22 SURFnet. We make innovation work cb
  • 23. Impact on resource use - DNSSEC relies on public key cryptography - Crypto eats CPU cycles, right? - Weā€™ve been running with full validation enabled for almost 3 years - The impact on CPU load is negligible - Measuring doesnā€™t show a signiļ¬cant difference - Remember: DNS resolving is all about caching results 23
  • 24. Troubleshooting - DNSSEC relies on the EDNS0 extension (RFC 2671) - For larger messages (signatures) - For the DO-bit (DNSSEC OK) - Some network hardware has problems with DNSSEC traffic - Firewalls are notorious for blocking: - UDP packets over 512 bytes in size - Fragmented UDP packets - TCP on port 53 - CPE/SOHO routers also cause trouble - Buggy DNS implementations that interfere with your traffic -- Nominet report: http://bit.ly/cfQBMu 24
  • 25. UDP fragmentation issues - Late 2010 we experienced problems with a large ISP in The Netherlands - surfnet.nl had just gotten a DS in .nl - Colleagues started complaining that they could not log on to their mail from home - It turned out to be a ļ¬rewall at the ISP that discarded UDP fragments - Even though they did not do validation, they could not resolve our records! 25 SURFnet. We make innovation work cb
  • 26. UDP fragmentation issues Authoritative Name Server āž€ āž min(MTU) = 1500 bytes Internet (somewhere in transit) āž‚ āž„ Firewall āžƒ āž… Recursive Caching Name Server 26 (resolver)
  • 27. All is well that ends well? - We talked to their engineers - They could not replace the ļ¬rewall - Keep in mind: all modern resolvers (BIND, Unbound) have EDNS0 + DO=1 enabled by default - In the end, they lowered the EDNS0 buffer size on their resolver to 512 bytes - Problem solved, right? 27 SURFnet. We make innovation work cb
  • 28. The saga continues - Everything worked well until in March 2011 we suddenly started getting complaints from some companies trying to e-mail us - Lo and behold, they were customers of this same ISP 28 SURFnet. We make innovation work cb
  • 29. The ļ¬rewall strikes back - It turned out that only customers using the hosted MS Exchange service had issues - After talking to engineers at the ISP we discovered the problem - They had upgraded the dedicated resolvers in their hosted exchange environment to Windows 2008 R2 which does EDNS0 and sets DO=1 - Solution: tweak an arcane registry setting (see https://dnssec.surfnet.nl/?p=684) 29 SURFnet. We make innovation work cb
  • 30. Maybe we should give the DNSSEC OK bit another name 30 SURFnet. We make innovation work cb
  • 31. How many people validate? 31
  • 32. Operating a signed zone 32 SURFnet. We make innovation work cb
  • 33. Why sign your zone? - Because your website represents a valuable asset for your organisation - To prevent redirection of Internet traffic to your domain (think: VoIP, e-mail, etc.) - To protect your users - To leverage the trust that DNSSEC can establish Ho - DNSSEC is a PKI - store SSH ļ¬ngerprints in DNS (SSHFP record) ts - store SSL/TLS certiļ¬cates in DNS (DANE initiative) tuff - Because your competitor does it too :-) :-) 33
  • 34. User study - We did a user study among our constituency - 169 persons asked to participate - 38 responded representing 37 organisations (academia, research institutions, teaching hospitals) - Two-thirds of users feel - > 75% plan to sign their DNSSEC is important: domain: ! ! 34 SURFnet. We make innovation work cb
  • 35. When to sign your zone? - Your infrastructure should be ready - Remember the ļ¬rewall trouble mentioned when resolving was discussed - You should have a clear mandate - DNS affects everything on your network so DNSSEC does too - Think before you act :-) - The way back is harder than the way forward 35 SURFnet. We make innovation work cb
  • 36. Advice for getting started - Make use of available tooling - OSS: OpenDNSSEC, BIND - Commercial signer solutions - Make sure you have good monitoring - Write down policies and procedures - Carefully think about your design - Make your usersā€™ life easy! - Check with your secondaries for DNSSEC support 36 SURFnet. We make innovation work cb
  • 37. Signer software (1) - OpenDNSSEC - BIND 9.x - Key storage in the clear on disk - HSM support only through patched OpenSSL - No automated key rollover (scriptable though) - BIND 10 - Still heavily under development (5 year project) - Alpha versions have been released - PowerDNSSEC - Standard starting from PowerDNS 3.0 (July 1st 2011) - ZKT (Zone Key Tool) 37 SURFnet. We make innovation work cb
  • 38. Signer software (2) - Secure64 DNS signer http://www.secure64.com - Xelerance DNS-X signer http://www.xelerance.com - IPAM vendors - Men & Mice - Infoblox - BlueCat networks - ... - Microsoft Windows Server 2008 R2* - *Severely broken, do not use! Wait for W8 Server 38 SURFnet. We make innovation work cb
  • 39. Monitoring - Monitoring helps to detect problems early-on - When monitoring a signed zone, look for: - Signature expiry - MTU problems (ļ¬rewalls!) - Continuous validation - Also monitor from outside your own network - Many tools are available, for example: http://www.dnssecmonitor.org http://www.dnsviz.net 39 SURFnet. We make innovation work cb
• 40. How to sign your zone: case study SURFnet
- SURFnet operates a managed DNS environment called 'SURFdomeinen'
- We ran a project from Q1 to Q3 2010 to implement DNSSEC in SURFdomeinen
- Our goals:
  - To make it easy for our connected institutions to operate signed zones
  - To make it easy for ourselves to operate signed zones
- We enabled DNSSEC for surfnet.nl at the end of September 2010
• 41. SURFdomeinen
• 42. Requirements
- DNSSEC should be a 'box to tick'
  - DNS is already considered complex by many users, and adding DNSSEC does not make that better
- The integrity of zones should be guaranteed
  - SURFdomeinen should not be the 'weakest link' in the attack chain
- Monitoring is of great importance (more on that later)
- Turning DNSSEC on or off should not take too long
  - Ideally less than 1 hour
- Once DNSSEC is turned on, customers should not notice any difference
• 43. Design decision: using HSMs
- HSM = Hardware Security Module
- Secure and robust way to store DNSSEC key material
- We can never access the raw key material: private keys are generated inside the HSM and never leave it
- Role separation
- Standard API (PKCS #11)
- Disadvantage: expensive
• 44. Design decision: OpenDNSSEC
- SURFnet participates in the project
- Other partners are: IIS (.se), Nominet (.uk), Kirei, SIDN (.nl), NLnet Labs and Sinodun
- Goal: push-the-button signing
- Functions like a 'bump-in-the-wire': it takes the unsigned zone in and hands the signed zone on, without changes to the authoritative name servers
- Possibility to have different policies for different customers
- Possibility to share keys (e.g. one set of keys per customer rather than per zone)
• 45. Design decision: OpenDNSSEC
- OpenDNSSEC 1.1
  - Current version; used in production by a number of top-level domains and also for our deployment
  - Used, for instance, by .uk, .fr, .se and .nl
- OpenDNSSEC 1.2
  - Faster signer engine in C
  - Better support for 'key sharing'
- OpenDNSSEC 1.3 (Q3 2011)
  - Multi-threaded signer for better performance
  - Currently in release-candidate status
- OpenDNSSEC 1.4 (±Q1 2012)
  - Adapters for AXFR/IXFR & MySQL
- OpenDNSSEC 1.5 (±Q2 2012)
• 46. OpenDNSSEC architecture
• 47. Design: bump-in-the-wire
(Diagram. Before: Hidden primary --DNS transfer--> Public primary --> Internet. After: Hidden primary --DNS transfer--> OpenDNSSEC --DNS transfer--> Public primary --> Internet. The signer is inserted between the hidden and the public primary; nothing else in the chain changes.)
• 48. Design: data flow
(Diagram: SURFdomeinen --scp (DNS zone)--> DNSSEC signer --DNS transfer (signed DNS zone)--> ns1.surfnet.nl, ns2.surfnet.nl, ns3.surfnet.nl, ns1.zurich.surf.net --> Internet)
• 49. Design: network security
(Diagram of the colocation network; labels: Colocation, DNS VLAN, HSM VLAN, admin network, HSM, Authoritative DNS, OpenDNSSEC DNS signer, SSL, HSM firewall, firewall, local router, Admin VLAN, Internet, SURFnet WAN firewall, SURFdomeinen server)
• 50. Design: redundancy
- Signer:
  - Warm standby system in a different co-location
  - MySQL master-slave replication
  - Failover is a manual process (not time critical: signatures already published stay valid until they expire)
- HSM:
  - Two HSMs in two different locations
  - High-availability mode
  - Offline secure backup on a third location
  - Keys will only be used after a backup (a key that exists in one place only never goes into a zone)
• 51. Enabling DNSSEC: user perspective
- Push-the-button signing:
  - Unsigned to signed in 15 minutes
• 52. When things go wrong...
(Photo courtesy of jeffwilcox@FlickR)
• 53. Admitting mistakes
(Photo © 2003 philg@mit.edu)
• 54. AXFR bug in OpenDNSSEC
- surfnet.nl was signed for the first time in September 2010 (on a Monday)
- everything went smoothly until Thursday
- then suddenly... no more mail, no more website, no more VoIP
- D'oh!!!
- Garbage In == Garbage Out: whatever zone the signer is fed is what gets signed and published
(cartoon captions: "Quickly diagnose the problem" / "I think you've got diarrhea...")
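A bump-in-the-wire signer (slide 47) cannot tell a complete zone from a truncated one; it signs what it receives. The check below is an added example for this page, not SURFnet's code and not part of OpenDNSSEC: before a signed zone is transferred to the public name servers, it diffs the signer's output against the unsigned input. Every original record must still be present, the only additions must be DNSSEC record types, and the SOA serial must have moved forward. The zone example.nl, the addresses, the serials and the DNSSEC records in the two samples are constructed, and the signed sample deliberately lacks the MX and the mail host to mimic a transfer that went wrong.

```python
"""Input/output sanity check for a bump-in-the-wire signer (added example; not SURFnet's or OpenDNSSEC's code)."""

# Record types a signer may add; everything else in the output must come from the input.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

# Constructed unsigned input (documentation addresses, made-up serial).
UNSIGNED = """\
example.nl.      3600 IN SOA  ns1.example.nl. hostmaster.example.nl. 2010090601 7200 3600 1209600 3600
example.nl.      3600 IN NS   ns1.example.nl.
example.nl.      3600 IN NS   ns2.example.nl.
example.nl.      3600 IN MX   10 mail.example.nl.
example.nl.      3600 IN A    192.0.2.10
www.example.nl.   300 IN A    192.0.2.10
mail.example.nl.  300 IN A    192.0.2.25
ns1.example.nl.  3600 IN A    192.0.2.1
ns2.example.nl.  3600 IN A    192.0.2.2
"""

# Constructed signer output: serial bumped and DNSSEC records added, but the MX and
# the mail host are gone, as when the signer worked from a truncated transfer.
SIGNED = """\
example.nl.      3600 IN SOA  ns1.example.nl. hostmaster.example.nl. 2010090602 7200 3600 1209600 3600
example.nl.      3600 IN NS   ns1.example.nl.
example.nl.      3600 IN NS   ns2.example.nl.
example.nl.      3600 IN A    192.0.2.10
example.nl.      3600 IN DNSKEY 257 3 8 AwEAAc...
example.nl.      3600 IN DNSKEY 256 3 8 AwEAAd...
example.nl.      3600 IN RRSIG SOA 8 2 3600 20101014000000 20100916000000 12345 example.nl. AAAA...
example.nl.         0 IN NSEC3PARAM 1 0 5 ABCDEF12
www.example.nl.   300 IN A    192.0.2.10
ns1.example.nl.  3600 IN A    192.0.2.1
ns2.example.nl.  3600 IN A    192.0.2.2
"""


def serial_newer(after, before):
    """SOA serial comparison in serial-number arithmetic (RFC 1982), so a wrap
    around 2^32 is handled; a plain `after > before` is not enough."""
    return after != before and ((after - before) % (1 << 32)) < (1 << 31)


def parse_zone(text):
    """Tiny parser for one-record-per-line, fully qualified zone data.
    Returns (set of (owner, type, rdata), SOA serial). The serial is masked
    out of the SOA rdata so the SOA compares like any other record."""
    records, serial = set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = tokens.pop(0).lower()
        if tokens and tokens[0].isdigit():
            tokens.pop(0)  # TTL is not part of the comparison
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype == "SOA":
            fields = rdata.split()
            serial = int(fields[2])
            rdata = " ".join(fields[:2] + ["<serial>"] + fields[3:])
        records.add((owner, rtype, rdata))
    return records, serial


def check_signed_output(unsigned_text, signed_text):
    """Compare signer input and output; 'safe_to_publish' is the go/no-go flag."""
    before, serial_before = parse_zone(unsigned_text)
    after_all, serial_after = parse_zone(signed_text)
    after = {r for r in after_all if r[1] not in DNSSEC_TYPES}
    report = {
        "missing": sorted(before - after),      # records the signer lost
        "unexpected": sorted(after - before),   # non-DNSSEC records that appeared from nowhere
        "dnssec_records": sum(1 for r in after_all if r[1] in DNSSEC_TYPES),
        "serial_ok": serial_before is not None and serial_after is not None
                     and serial_newer(serial_after, serial_before),
    }
    report["safe_to_publish"] = (not report["missing"] and not report["unexpected"]
                                 and report["serial_ok"] and report["dnssec_records"] > 0)
    return report


if __name__ == "__main__":
    for key, value in check_signed_output(UNSIGNED, SIGNED).items():
        print(f"{key}: {value}")
```

Run against the two samples the report lists the lost MX and A records and refuses the zone; a serial that did not move, or a non-DNSSEC record the input never had, is refused the same way.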
• 55. Stories from the trenches...
- .cz and .us became 'bogus' because of a mistake during an algorithm rollover
- ISOC & .org nearly had a PR disaster at ICANN 38 in Brussels
- .uk became 'bogus' because of a glitch during a signer failover
- .be forgot to update critical signatures
- mozilla.org and nasa.gov published a DS while their zone wasn't signed yet
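Two of these stories, the DS published before the zone was signed and the algorithm rollover that went wrong, come down to the parent's DS records not agreeing with the child's DNSKEY RRset. That is cheap to check before the DS goes to the registry and worth re-checking during every rollover. The block below is an added example for this page, not SURFnet's code and not an OpenDNSSEC tool: it recomputes DS records from DNSKEYs the way RFC 4034 (section 5 and appendix B) defines them and compares them with the DS set the parent holds. The KSK it uses is a constructed placeholder with a two-byte "public key" so the key tag can be verified by hand; the zone name example.nl and the key tag 12345 in the stale-algorithm case are made up as well.

```python
"""DS/DNSKEY consistency check (added example; not SURFnet's or OpenDNSSEC's code)."""
import base64
import hashlib

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """RFC 4034 appendix B key tag: the 16-bit checksum named in DS and RRSIG records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """DS RDATA (key tag, algorithm, digest type, hex digest) for one DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_delegation(owner, dnskeys, ds_set):
    """dnskeys: (flags, protocol, algorithm, key_b64) tuples at the child apex.
    ds_set: (keytag, algorithm, digest_type, hexdigest) tuples held by the parent.
    Returns a list of problems; empty means every DS points at a key that is
    really in the zone, so the DS set itself will not make the delegation bogus."""
    if not dnskeys:
        return ["parent holds a DS but the child apex has no DNSKEY RRset (zone not signed yet)"]
    expected = {make_ds(owner, f, p, a, k, dt)
                for (f, p, a, k) in dnskeys for dt in DIGEST_ALGS}
    child_algs = {a for (_, _, a, _) in dnskeys}
    problems = []
    for (tag, alg, dt, digest) in ds_set:
        if alg not in child_algs:
            problems.append(f"DS {tag}: algorithm {alg} has no DNSKEY in the zone (rollover out of step)")
        elif dt not in DIGEST_ALGS:
            problems.append(f"DS {tag}: digest type {dt} is not supported here")
        elif (tag, alg, dt, digest.upper()) not in expected:
            problems.append(f"DS {tag}/{alg}/{dt} matches no DNSKEY at {owner}")
    return problems


# Constructed placeholder KSK: flags 257 (SEP bit set), protocol 3, algorithm 8,
# with the two bytes 0xAB 0xCD as "public key" so key_tag() can be checked by
# hand (it comes out as 45014). A real RSA key is a few hundred bytes; this is not one.
KSK = (257, 3, 8, "q80=")

if __name__ == "__main__":
    good_ds = make_ds("example.nl.", *KSK)
    print("DS for the placeholder KSK:", good_ds)
    print("consistent:", check_delegation("example.nl.", [KSK], [good_ds]))
    print("DS before signing:", check_delegation("example.nl.", [], [good_ds]))
    print("stale algorithm:", check_delegation("example.nl.", [KSK], [(12345, 7, 2, "00" * 32)]))
```

During an algorithm rollover the rule from RFC 4035 applies: every algorithm that appears in the parent's DS set must have a DNSKEY in the zone that signs it, so run the check with the DS set you intend to publish against the DNSKEY RRset as it will be at that moment, not as it is today.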
• 56. If you're lucky...
- this is what users will see: (screenshot; many thanks to Marco Davids of SIDN for the screenshot)
• 57. But in most cases...
- this is what users will see: (screenshot)
- (and this is better IMHO!)
• 59. Further reading
- http://bit.ly/sn-dnssec-2008
- http://bit.ly/sn-dnssec-val
- http://bit.ly/sn-cryptoweb
• 60. Online resources
- http://dnssec.surfnet.nl
  - With lots of information about the choices we made while deploying DNSSEC
- http://dnssec.net
  - Comprehensive and up-to-date links to information on DNSSEC
- http://www.dnssec-deployment.org
  - Tracks DNSSEC deployment across the net
- http://www.practicesafedns.org
  - PIR (.org) initiative with user stories
• 61. Conclusions
- DNSSEC deployment is in full swing
- The ball is now in your court!
- Seriously consider enabling validation on your resolver
  - You should enable validation, there's really no excuse not to do it :-)
- Start planning for signing
- Once it works, you don't notice it's there
• 62. Questions? Comments?
roland.vanrijswijk@surfnet.nl
nl.linkedin.com/in/rolandvanrijswijk
@reseauxsansfil

Editor's Notes (speaker notes, by slide number; slides without notes omitted)

4. We need DNS everywhere
8. In 2008 this was bad news: how could you still trust the Internet?
9. Luckily, some folks at the IETF found a way to solve this issue: DNSSEC
10. Reference "after 10 years a protocol that hasn't been picked up can be declared dead" of this morning
15. Q: How many of you here already operate a validating resolver?
18. Explain trust anchor concept (like a root certificate in SSL)
20. ad = authenticated data
23. You want many servers rather than one big one and load-balance them so you can scale up
39. Name example: HSM sync problem last week
57. Explain why this is better, SSL pop-ups
58. Hard to find zone owner (anon reg, SOA e-mail not working, cannot e-mail if MX record does not validate!) -- need to try nevertheless. Mention DNS health initiative?