SlideShare une entreprise Scribd logo

ION Belfast - Why Implement DNSSEC? - Jim Galvin

Deploy360 Programme (Internet Society)
Deploy360 Programme (Internet Society)

Presentation during ION Belfast called "Why Implement DNSSEC" from Jim Galvin of Afilias. DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.

Technologie
1  sur  18
Télécharger pour lire hors ligne
Why DNSSEC? James Galvin, Ph.D. Afilias Limited 9 September 2014 ION Belfast © 2014 Afilias Limited 1
Afilias and DNSSEC • Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®. – Second largest registry service provider – Have one of the largest DNS infrastructures • Started with DNSSEC in 2008 – Signed ORG in June 2009 – Found bug in DNSSEC extension to EPP – ORG offered signed delegaXons in June 2010 – Signed all TLDs and offered signed delegaXons soon aZer – Root signed in July 2010 © 2014 Afilias Limited 2
• DNSSEC Basics • Benefits of DNSSEC • Internet Future © 2014 Afilias Limited 3
DNSSEC -­‐ BASICS © 2014 Afilias Limited 4
What is DNSSEC? • DNSSEC provides an asserXon by a zone that a specific data element is bound to a domain name. • This is most oZen used to bind an IP address to a domain name, e.g., to find a web site. • The validaXon of the asserXon is possible independent of its source. • Features – CriXcal Infrastructure: everything uses the DNS – Hierarchical: delegate and distribute responsibility © 2014 Afilias Limited 5
DNS with DNSSEC Stub Resolver Local applica2on/service client SLD Authorita2ve NS Itera2ve Resolver TLD Authorita2ve NS ROOT SERVERS Local cache Local cache DNSSEC-­‐aware applicaXon/service 2 1 3 1 2 3 DNSSEC DNSSEC DNSSEC © 2014 Afilias Limited 6
Who are the Players? • Domain registraXon system – Registries: operate the TLDs – (Registrars): middleman between registry and registrant – Registrant: own, manage, and deploy domain names • Domain name system – Root system – Registries – DNS Operators (authoritaXve) • Community – ISPs – Users (maybe not) © 2014 Afilias Limited 7
BENEFITS OF DNSSEC © 2014 Afilias Limited 8
Why DNSSEC? • DNSSEC protects the DNS system from cache poisoning afacks, viz the “Kaminsky Bug” • DNS is a criXcal infrastructure system. Virtually everything depends on it. • DNSSEC is the next step in the evoluXon of the Internet, similar to the web back in 1993. • Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generaXon Internet, a safe and secure Internet. © 2014 Afilias Limited 9
Without DNSSEC… When you visit a web site can you be sure you are communicaXng with the server that you think you are? © 2014 Afilias Limited 10
TLS/SSL and DNSSEC benefits TLS/SSL Channel Users from Signed DNS data tampered by DNS Data or originaXng from malicious actors Encryp2on DNSSEC DNSSEC Authen2ca2on Integrity DNS Data DNSSEC Guaranteed not tampered TLS Data !^^x<> Data Data DNSSEC protects… © 2014 Afilias Limited 11
INTERNET FUTURE © 2014 Afilias Limited 12
Building Trusted Domains • A domain name is just a label. Most commonly used to idenXfy hosts and services. – Web sites – ApplicaXon servers • DNSSEC ensures we have the correct service/address • TLS/SSL (hfps) gives us good confidence that we have a encrypted tunnel • Matching the domain in the TLS/ SSL cerXficate with the domain from DNSSEC offers greater assurance that you are communicaXng with the desired site/service © 2014 Afilias Limited 13
DNSSEC Challenges • Security increases the baseline experXse required • Key management becomes mainstream – Key rollover Xmings are subtle • DNS operators are visibly essenXal – DNS Operator and registrar/ registry relaXonship – Transfers are a process • Key rollover is required • Losing and gaining operator must overlap services © 2014 Afilias Limited 14
The demand for DNSSEC? • A mix of pioneers, early adopters and legislated compliance • In the early stages for registrant/user, applicaXon, and service awareness Barriers Incen2ves Signing TLDs New hw & sw soluXons Complexity Costs © 2014 Afilias Limited 15
What’s Next? • Centralize the complexity – Registrars – DNS operators – ApplicaXon service providers • Keep it simple for the registrant/user – Should be invisible • DNSSEC is about what we can do with it. It is an essenXal building block in a criXcal infrastructure system that will change the Internet in ways we can not yet imagine. © 2014 Afilias Limited 16
Pervasive Monitoring • IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance – hfp://www.iet.org/media/ 2013-­‐11-­‐07-­‐internet-­‐privacy-­‐ and-­‐security.html – hfp://tools.iet.org/html/ rfc7258 – DNS-­‐based AuthenXcaXon of Named EnXXes (DANE) © 2014 Afilias Limited 17
Thank You! James Galvin jgalvin “at” afilias.info +1-­‐215-­‐706-­‐5715 hfps://afilias.info/dnssec © 2014 Afilias Limited 18

Recommandé

ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? Deploy360 Programme (Internet Society)
 
ION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECDeploy360 Programme (Internet Society)
 
Storage Provisioning for Enterprise Information Applications
Storage Provisioning for Enterprise Information ApplicationsStorage Provisioning for Enterprise Information Applications
Storage Provisioning for Enterprise Information ApplicationsAmbareesh Kulkarni
 
Top 5 Reasons to Use Serv-U MFT Server
Top 5 Reasons to Use Serv-U MFT ServerTop 5 Reasons to Use Serv-U MFT Server
Top 5 Reasons to Use Serv-U MFT ServerSolarWinds
 
Serv-U: Secure File Transfer from SolarWinds
Serv-U: Secure File Transfer from SolarWindsServ-U: Secure File Transfer from SolarWinds
Serv-U: Secure File Transfer from SolarWindsSolarWinds
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyDeploy360 Programme (Internet Society)
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLwolfSSL
 
IPv6 Summit Powerpoint
IPv6 Summit PowerpointIPv6 Summit Powerpoint
IPv6 Summit PowerpointTim Price
 

Recommandé

ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? Deploy360 Programme (Internet Society)
 
ION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECDeploy360 Programme (Internet Society)
 
Storage Provisioning for Enterprise Information Applications
Storage Provisioning for Enterprise Information ApplicationsStorage Provisioning for Enterprise Information Applications
Storage Provisioning for Enterprise Information ApplicationsAmbareesh Kulkarni
 
Top 5 Reasons to Use Serv-U MFT Server
Top 5 Reasons to Use Serv-U MFT ServerTop 5 Reasons to Use Serv-U MFT Server
Top 5 Reasons to Use Serv-U MFT ServerSolarWinds
 
Serv-U: Secure File Transfer from SolarWinds
Serv-U: Secure File Transfer from SolarWindsServ-U: Secure File Transfer from SolarWinds
Serv-U: Secure File Transfer from SolarWindsSolarWinds
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyDeploy360 Programme (Internet Society)
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLwolfSSL
 
IPv6 Summit Powerpoint
IPv6 Summit PowerpointIPv6 Summit Powerpoint
IPv6 Summit PowerpointTim Price
 
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SIION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SIDeploy360 Programme (Internet Society)
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL
 
Web hosting
Web hostingWeb hosting
Web hostingaudace82
 
Marco Hogewoning -XS4all
Marco Hogewoning -XS4allMarco Hogewoning -XS4all
Marco Hogewoning -XS4allIPv6 Summit 2010
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesTiago Mendo
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesTiago Mendo
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
History of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventHistory of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventhread
 
DNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy
 
Intelligent DNS Scale
Intelligent DNS ScaleIntelligent DNS Scale
Intelligent DNS ScalePeter Silva
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
Best DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxBest DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxMemory Clearance
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
F5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5 Networks
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of ThingsF5 Networks
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasORG, The Public Interest Registry
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnErol Dizdar
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of ThingsPeter Silva
 

Contenu connexe

Tendances

wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL
 
Web hosting
Web hostingWeb hosting
Web hostingaudace82
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesTiago Mendo
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesTiago Mendo
 

Tendances (6)

ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SIION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013
 
Web hosting
Web hostingWeb hosting
Web hosting
 
Marco Hogewoning -XS4all
Marco Hogewoning -XS4allMarco Hogewoning -XS4all
Marco Hogewoning -XS4all
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
 
SSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSesSSL, HSTS and other stuff with two eSSes
SSL, HSTS and other stuff with two eSSes
 

Similaire à ION Belfast - Why Implement DNSSEC? - Jim Galvin

History of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventHistory of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventhread
 
DNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy
 
Intelligent DNS Scale
Intelligent DNS ScaleIntelligent DNS Scale
Intelligent DNS ScalePeter Silva
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
Best DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxBest DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxMemory Clearance
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
F5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5 Networks
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of ThingsF5 Networks
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnErol Dizdar
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of ThingsPeter Silva
 
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]APNIC
 
11 Reasons To Select A Dedicated Server.pdf
11 Reasons To Select A Dedicated Server.pdf11 Reasons To Select A Dedicated Server.pdf
11 Reasons To Select A Dedicated Server.pdfHost It Smart
 
Domain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsDomain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsAsif Shahzad
 

Similaire à ION Belfast - Why Implement DNSSEC? - Jim Galvin (20)

ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
 
History of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing eventHistory of DNSSEC from .ASIA signing event
History of DNSSEC from .ASIA signing event
 
DNS Made Easy Sales Brochure
DNS Made Easy Sales BrochureDNS Made Easy Sales Brochure
DNS Made Easy Sales Brochure
 
Intelligent DNS Scale
Intelligent DNS ScaleIntelligent DNS Scale
Intelligent DNS Scale
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons Learned
 
Best DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptxBest DNS Servers To Use Buy Server Memory Clearance.pptx
Best DNS Servers To Use Buy Server Memory Clearance.pptx
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
F5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5's Dynamic DNS Services
F5's Dynamic DNS Services
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 En
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-en
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
The DNS of Things
The DNS of ThingsThe DNS of Things
The DNS of Things
 
Dead Men Walking: IPv6 and DNSSEC
Dead Men Walking: IPv6 and DNSSECDead Men Walking: IPv6 and DNSSEC
Dead Men Walking: IPv6 and DNSSEC
 
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
 
11 Reasons To Select A Dedicated Server.pdf
11 Reasons To Select A Dedicated Server.pdf11 Reasons To Select A Dedicated Server.pdf
11 Reasons To Select A Dedicated Server.pdf
 
Domain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsDomain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting Basics
 

Plus de Deploy360 Programme (Internet Society)

Plus de Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

Dernier

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Dernier (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

ION Belfast - Why Implement DNSSEC? - Jim Galvin

  • 1. Why DNSSEC? James Galvin, Ph.D. Afilias Limited 9 September 2014 ION Belfast © 2014 Afilias Limited 1
  • 2. Afilias and DNSSEC • Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®. – Second largest registry service provider – Have one of the largest DNS infrastructures • Started with DNSSEC in 2008 – Signed ORG in June 2009 – Found bug in DNSSEC extension to EPP – ORG offered signed delegaXons in June 2010 – Signed all TLDs and offered signed delegaXons soon aZer – Root signed in July 2010 © 2014 Afilias Limited 2
  • 3. • DNSSEC Basics • Benefits of DNSSEC • Internet Future © 2014 Afilias Limited 3
  • 4. DNSSEC -­‐ BASICS © 2014 Afilias Limited 4
  • 5. What is DNSSEC? • DNSSEC provides an asserXon by a zone that a specific data element is bound to a domain name. • This is most oZen used to bind an IP address to a domain name, e.g., to find a web site. • The validaXon of the asserXon is possible independent of its source. • Features – CriXcal Infrastructure: everything uses the DNS – Hierarchical: delegate and distribute responsibility © 2014 Afilias Limited 5
  • 6. DNS with DNSSEC Stub Resolver Local applica2on/service client SLD Authorita2ve NS Itera2ve Resolver TLD Authorita2ve NS ROOT SERVERS Local cache Local cache DNSSEC-­‐aware applicaXon/service 2 1 3 1 2 3 DNSSEC DNSSEC DNSSEC © 2014 Afilias Limited 6
  • 7. Who are the Players? • Domain registraXon system – Registries: operate the TLDs – (Registrars): middleman between registry and registrant – Registrant: own, manage, and deploy domain names • Domain name system – Root system – Registries – DNS Operators (authoritaXve) • Community – ISPs – Users (maybe not) © 2014 Afilias Limited 7
  • 8. BENEFITS OF DNSSEC © 2014 Afilias Limited 8
  • 9. Why DNSSEC? • DNSSEC protects the DNS system from cache poisoning afacks, viz the “Kaminsky Bug” • DNS is a criXcal infrastructure system. Virtually everything depends on it. • DNSSEC is the next step in the evoluXon of the Internet, similar to the web back in 1993. • Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generaXon Internet, a safe and secure Internet. © 2014 Afilias Limited 9
  • 10. Without DNSSEC… When you visit a web site can you be sure you are communicaXng with the server that you think you are? © 2014 Afilias Limited 10
  • 11. TLS/SSL and DNSSEC benefits TLS/SSL Channel Users from Signed DNS data tampered by DNS Data or originaXng from malicious actors Encryp2on DNSSEC DNSSEC Authen2ca2on Integrity DNS Data DNSSEC Guaranteed not tampered TLS Data !^^x<> Data Data DNSSEC protects… © 2014 Afilias Limited 11
  • 12. INTERNET FUTURE © 2014 Afilias Limited 12
  • 13. Building Trusted Domains • A domain name is just a label. Most commonly used to idenXfy hosts and services. – Web sites – ApplicaXon servers • DNSSEC ensures we have the correct service/address • TLS/SSL (hfps) gives us good confidence that we have a encrypted tunnel • Matching the domain in the TLS/ SSL cerXficate with the domain from DNSSEC offers greater assurance that you are communicaXng with the desired site/service © 2014 Afilias Limited 13
  • 14. DNSSEC Challenges • Security increases the baseline experXse required • Key management becomes mainstream – Key rollover Xmings are subtle • DNS operators are visibly essenXal – DNS Operator and registrar/ registry relaXonship – Transfers are a process • Key rollover is required • Losing and gaining operator must overlap services © 2014 Afilias Limited 14
  • 15. The demand for DNSSEC? • A mix of pioneers, early adopters and legislated compliance • In the early stages for registrant/user, applicaXon, and service awareness Barriers Incen2ves Signing TLDs New hw & sw soluXons Complexity Costs © 2014 Afilias Limited 15
  • 16. What’s Next? • Centralize the complexity – Registrars – DNS operators – ApplicaXon service providers • Keep it simple for the registrant/user – Should be invisible • DNSSEC is about what we can do with it. It is an essenXal building block in a criXcal infrastructure system that will change the Internet in ways we can not yet imagine. © 2014 Afilias Limited 16
  • 17. Pervasive Monitoring • IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance – hfp://www.iet.org/media/ 2013-­‐11-­‐07-­‐internet-­‐privacy-­‐ and-­‐security.html – hfp://tools.iet.org/html/ rfc7258 – DNS-­‐based AuthenXcaXon of Named EnXXes (DANE) © 2014 Afilias Limited 17
  • 18. Thank You! James Galvin jgalvin “at” afilias.info +1-­‐215-­‐706-­‐5715 hfps://afilias.info/dnssec © 2014 Afilias Limited 18