NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

Similar documents
DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Use Domain Name System and IP Version 6

DNS and DHCP. 14 October 2008 University of Reading

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

IPv6 and DNS. Secure64

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Next Steps In Accelerating DNSSEC Deployment

Networking Domain Name System

Internet-Praktikum I Lab 3: DNS

Reverse DNS considerations for IPv6

20410: Installing and Configuring Windows Server 2012

Securing DNS Infrastructure Using DNSSEC

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

IPv6 and DNS. Secure64

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Pre Delegation Testing (PDT) Frequently Asked Questions (FAQ)

Installing and Configuring Windows Server 2012 MOC 20410

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Computer Networks: Domain Name System

Networking Domain Name System

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Installing and Configuring Windows Server 2012

IPv6-Only. Now? Sites. Deutscher IPv6 Kongress June 6/7, 2013 Fr ankfur t /Ger many. Holger.Zuleger@hznet.de

Installing and Configuring Windows Server 2012

MS Installing and Configuring Windows Server 2012

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

DNS traffic analysis -- Issues of IPv6 and CDN --

Course Outline: Course Installing and Configuring Windows Server 2012

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

DNS Root NameServers

IPv6 for AT&T Broadband

Copyright

IANA Functions to cctlds Sofia, Bulgaria September 2008

Deploying DNSSEC: From End-Customer To Content

Deployment Guide A10 Networks/Infoblox Joint DNS64 and NAT64 Solution

DNS at NLnet Labs. Matthijs Mekking

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

CSE/ISE 311: Systems Administra5on Networking 2

ECE 4321 Computer Networks. Network Programming

- Domain Name System -

Operational Problems in IPv6: Fallback and DNS issues

IPv6 support in the DNS

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

Designing a Windows Server 2008 Network Infrastructure

R4: Configuring Windows Server 2008 Network Infrastructure

FAQ (Frequently Asked Questions)

IPV6 SERVICES DEPLOYMENT

Module 1: Overview of Network Infrastructure Design This module describes the key components of network infrastructure design.

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure

APNIC IPv6 Deployment

Planning the transition to IPv6

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services Course No.

Networking Domain Name System

Installing and Configuring Windows Server 2012

F-Root's DNSSEC Signing Plans. Keith Mitchell Internet Systems Consortium DNS-OARC NANOG48, Austin, 24 th Feb 2010

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

LAN TCP/IP and DHCP Setup

Microsoft Windows Server 2008: MS-6435 Designing Network and Applications Infrastructure MCITP 6435

How to Add Domains and DNS Records

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

Configuration Notes 0215

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

MS 6419 Configuring, Managing and Maintaining Windows Server 2008-based Servers

Module 5: Planning a DNS Strategy

DNS and BIND. David White

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

Module 2. Configuring and Troubleshooting DNS. Contents:

NOTE: Labs in this course are based on the General Availability release of Windows Server 2012 R2 and Windows 8.1.

An Introduction to the Domain Name System

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Domain Name Industry. Comparing ZA with the rest

Designing and Implementing a Server Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services (5 days)

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

Understand Names Resolution

Installing and Configuring Windows Server 2012 (20410) H4D00S

Installing and Configuring Windows Server 2012

Transcription:

NANOG DNS BoF DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

The Role Of An ISP In DNSSEC Valida;on ISPs act in two different DNSSEC roles, both signing and valida;ng Signing: authorita;ve infrastructure domains & customer domains Valida)ng: recursive resolvers opera;ng across the ISP network ISPs operate the majority of resolvers that end users query It is rela;vely rare for most residen;al end users to operate their own DNS, or to change their DNS sefngs to use a third- party DNS In most cases, ISPs can automa;cally update DNS server IP addresses, such as via DHCP lease updates As such, good DNSSEC adop;on by end users hinges on ISP adop;on of DNSSEC Comcast publicly announced our plans for DNSSEC in February 2010 Other ISPs need a similar plan Begin with documen;ng and valida;ng your DNS opera;onal processes Put together a small trial, one server or several in a lab and/or produc;on Talk to your vendors and make sure they can meet your requirements 2

Lessons Learned ISPs have many opera;onal processes that may need to be adjusted to support DNSSEC valida;on Authorita;ve infrastructure may need to be augmented to support signing your zones Zone signing can be resource intensive Chaining your zones to parents at the TLD as well as subzones can be tricky and require planning and coordina;on with your registry. Recursive resolvers may need to be updated to sowware that supports valida;on Deploying a configura;on that scales to meet your customers needs 3

Lessons Learned Con;nued Upstream routers and firewalls may need to be addressed to support larger DNSSEC traffic for both Authorita;ve and Caching DNS servers Customer edge devices like routers and home gateways may also impact the ability to deploy DNSSEC in the long term as DNS services move closer to the customer There is currently standards work happening to help define how home gateways and routers should work with DNSSEC and IPv6 Choose your Registrar wisely Make sure they support DNSSEC on the TLDs you have domains, and that they can handle DS record inser;on for you Validate that they can support 24/7/365 support for key rollovers 4

Some Addi;onal Thoughts Global Services Load Balancing and Content Delivery Networks How to balance responses in different regions and how to deal with services that are slaved to remote systems? How to respond with different signed records in different regions? Dealing with delega;on zones How do you get DS records up and down the tree with automa;on? End user valida;on How do we get valida;on closer to the customer? 5

Resources There are many resources on the Internet to learn about DNSSEC and help prepare for a deployment hdps://www.dnssec- deployment.org/ hdp://www.dnssec.net/projects hdps://www.dns- oarc.net/ hdps://data.iana.org/root- anchors/draw- icann- dnssec- trust- anchor.html hdp://www.nlnetlabs.nl/publica;ons/dnssec_howto/ Tes;ng hdps://addons.mozilla.org/en- US/firefox/addon/64247/ hdp://dnsviz.net/ hdps://www.dns- oarc.net/oarc/services/replysizetest hdps://www.dns- oarc.net/oarc/services/odvr hdp://www.bortzmeyer.org/tests- dns.html Tools hdps://www.dnssec- tools.org/ hdp://www.kirei.se/xfiles/dnssec/ta- tool.pl hdp://www.opendnssec.org hdp://www.isc.org/sowware/bind/dnssec 6

IPv6 and DNS Transi;on to end user dual- stack IPv6 environments will drive the need for deployment of dual- stack on DNS servers Begin turning up IPv6 on caching and authorita;ve DNS servers Deployment strategies Audit end to end IPv6 connec;vity to and from DNS plagorms Verify opera;ons tools will func;on with IPv6 Use of Anycast for IPv6 address Test and deploy AAAA records for Authorita;ve data No more pre- popula;ng PTR records! Its just simply not possible DDNS and wildcards can be used instead We have found the need to s;ll deploy empty PTR zones delegated from ARIN Some tools like ssh performs DNS lookups which will cause long delays if no message is returned like an NXDOMAIN ISOC World IPv6 day is a great opportunity to test connec;vity so start planning now 7

Thank You! For more information on the Comcast DNSSEC and IPv6 deployments: http://www.dnssec.comcast.net http://www.comcast6.net Chris Griffiths chris_griffiths@cable.comcast.com NATIONAL ENGINEERING & TECHNICAL OPERATIONS

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information