
DNSSEC: An Update on Global Activities

Dept. of Homeland Security Science & Technology Directorate. DNSSEC: An Update on Global Activities. EDUCAUSE Net@EDU Annual Mtg Tempe, AZ February 12, 2008. Douglas Maughan, Ph.D. Program Manager, CCI douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170.





Presentation Transcript


  1. Dept. of Homeland Security Science & Technology Directorate
     DNSSEC: An Update on Global Activities
     EDUCAUSE Net@EDU Annual Mtg, Tempe, AZ, February 12, 2008
     Douglas Maughan, Ph.D., Program Manager, CCI
     douglas.maughan@dhs.gov, 202-254-6145 / 202-360-3170

  2. National Strategy to Secure Cyberspace
     • The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
     • NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNSSEC
     • The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives.

  3. Domain Name System Security (DNSSEC) Program
     • DNSSEC Program Objective: “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant”
     • Rationale / Background / Historical:
       • DNS is a critical component of the Internet infrastructure and was not designed for security
       • DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities
     • End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures

  4. Performers
     • Shinkuro, Washington, DC
       • Roadmap Development and Execution
       • International partner participation
       • Support Tool Development
     • Sparta, Columbia, MD
       • Software Development – Servers, resolvers, applications
       • Internet Standards activities
     • NIST, Gaithersburg, MD
       • Measurement and Evaluation Tools
       • Government and Standards activities
       • Connections with GSA, FISMA, and OMB

  5. DNSSEC Initiative Activities
     • Roadmap published in February 2005; revised March 2007
       • http://www.dnssec-deployment.org/roadmap.php
     • Multiple workshops held world-wide
     • DNSSEC testbed developed by NIST
       • http://www-x.antd.nist.gov/dnssec/
     • Involvement with numerous deployment pilots
     • Formal publicity and awareness plan including a newsletter
     • Working with civilian government (.gov) to develop policy and technical guidance for secure DNS operations, and beginning deployment activities at all levels
     • Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance

  6. DNSSEC Roadmap
     Identifies the following activities:
     • Remaining R&D Issues (Lead: Shinkuro)
     • Software Development (Lead: Sparta)
       • Server
       • Resolver
       • Applications
     • Operational Considerations (Lead: Shinkuro)
       • Root
       • Registries
       • Registrants
     • Measurement and Evaluation (Lead: NIST)
     • Outreach and Training (Lead: Shinkuro)

  7. Incremental Deployment
     • Registries
       • Work through various readiness levels
       • Initial study -> Initial design -> Pilot -> Pre-deployment -> Operation
     • Registrars
       • Migrate to an EPP-based system
       • Build extensions for an existing non-EPP system
     • ISPs
       • Validation as a preferred service for some customers; manage a customized set of trust anchors for that set of customers
       • Detect key rollover events for known islands of trust (until the root is signed, each island's key is itself a trust anchor that the validating resolver must replace by hand whenever it rolls)
     • Enterprise
       • Internal deployment as part of corporate system integrity and protection
       • Trading partners
       • Distinguish between safe and questionable sites

  8. Leveraging Existing Efforts
     • ccTLDs with operational DNSSEC services
       • Sweden: http://www.iis.se/products/sednssec2
       • Bulgaria: https://www.register.bg/
       • Brazil: https://www.registro.br
       • Puerto Rico: http://www.dnssec.nic.pr/
     • RIPE-NCC
       • Reverse zones that it manages and the e164.arpa zone (ENUM)
       • https://www.ripe.net/rs/
     • DNSSEC initiatives in .UK and .DE
       • Strong advocates of DNSSEC, but waiting for NSEC3 for some zones (an NSEC chain lets anyone walk a signed zone and list every name in it; NSEC3 hashes the names in the denial-of-existence chain, so the zone cannot simply be enumerated, although hashed names can still be guessed offline)
       • http://www.denic.de/en/domains/dnssec/index.html and http://www.nominet.org.uk/tech/dnssectest/
     • JPRS
       • Working on integrating DNSSEC signing into the existing workflow to maintain short update assurances
       • http://losangeles2007.icann.org/node/77

  9. Leveraging Existing Efforts (cont)
     • NIC Mexico
       • Developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD
       • http://www.dnssec.org.mx
     • .ORG testbed
       • PIR has maintained the .ORG testbed to enable its registrars to test DNSSEC-capable systems
       • http://www.pir.org/RegistrarResources/DNSSecurityTestbed.aspx
     • SNIP testbed for .GOV
       • Provides a “distributed training ground” for .gov operators deploying DNSSEC
       • http://www.dnsops.gov
     • IANA
       • Testbed for signing zones that IANA controls
       • Also has a prototype for ‘a’ signed copy of the Root zone
       • https://ns.iana.org/dnssec/status.html

  10. FISMA Activities
     • Intended to set the IT security policy for all USG systems, contractors, and data
     • Collection of documents produced by NIST
       • FIPS, Special Publications (SP) series
     • Controls go into effect one year after publication of the security controls document (SP 800-53r1)
       • Published Dec 2006 -> goes into effect Dec 2007
     • NIST Special Pub 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
       • Final publication scheduled Dec 2007
     • NIST SP 800-57, Recommendation for Key Management
       • 3-part companion guide to FISMA

  11. The Big Picture – DNSSEC in .gov
     [Diagram] SNIP core infrastructure (dnsops.gov., dnsops.biz) connected to the Internet2 DNSSEC Pilot, the DREN DNSSEC Pilot, and the participating shadow zones esnet.doe.dnsops.gov., fda.dnsops.gov., dhs.dnsops.gov., nist.dnsops.gov., antd.nist.dnsops.gov., ag1.dnsops.gov. and ag2.dnsops.biz., together with the zoneedit and dns-outsource.com nodes.

  12. NIST Effort - SNIP
     • Secure Naming Infrastructure Pilot (SNIP)
     • Aiding deployment by:
       • Providing a connected training ground
       • Educational resources/guides
       • Modeling infrastructures
       • Testbed for systems
     • Relying on user participation
     • Aid in deployment, not a proof-of-concept experiment

  13. SNIP Overview
     • Agencies get delegations to run a secure “shadow zone”
       • nist.gov becomes nist.dnsops.gov
       • Contractors become “contractor.dnsops.biz”
       • Administrators use the dnsops.gov/biz delegation to practice DNSSEC operations
     • Infrastructure modeling
       • Attempts to model an agency’s current DNS in NIST/Sparta labs
     • Testbed for systems
       • Authoritative servers, caches, and DNSSEC administrator tools

  14. Need for Signing the Root Zone
     • The Root Zone is at the top of the DNS hierarchy
     • Signing the Root Zone will allow DNSSEC-capable resolvers to perform data integrity and origin authenticity checks using the Root Zone public key(s) as the common trust point(s), instead of maintaining a separate trust anchor for every signed island of trust
     • A signed Root Zone and a widely deployed DNS system that supports DNSSEC will be a major step forward in the ongoing effort to secure the Internet

  15. Root Zone Requirements
     Full operation of DNSSEC at the Root level requires several component capabilities:
     • Generation and maintenance of keys
     • Accepting “secure delegations” (DS records) from TLDs
     • Signing the Root Zone and handling of private key material
     • Distribution and the subsequent “serving” of the signed Root Zone by Root Name Server Operators
     • Publication of the Root Zone public keys
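The chain of trust that slides 14 and 15 describe, and the trust-anchor problem the ISP item on slide 7 alludes to, worked through as an added example (written for this page; it is not code from the presentation or from the DHS program). It signs a miniature root -> gov. -> nist.gov. hierarchy and then validates an answer the way a resolver would, starting from a single configured root DS. Assumptions, all mine rather than the slides': ECDSA P-256 (DNSSEC algorithm 13) with one combined signing key per zone, one-RR RRsets, RRSIG header fields and NSEC/NSEC3 omitted, and constructed zone names and address data; `Validate`, `BuildChain`, `Publish` and the other names are this example's, not a real resolver's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

// RFC 4034 / RFC 6605 wire values. One key per zone (flags 257 = ZONE|SEP) simplifies the example.
const algECDSAP256, dsSHA256, flagsCSK = 13, 2, 257

// Record is a one-RR RRset plus the RRSIG (r||s, 64 bytes) the zone key made over it.
type Record struct {
	Owner, Type string
	Data, Sig   []byte
}

// Zone holds the private key (an HSM-resident secret at a real root) and the signed records.
type Zone struct {
	Name    string
	key     *ecdsa.PrivateKey
	Records map[string]*Record // keyed by rk(owner, type)
}

func rk(owner, typ string) string { return typ + " " + strings.ToLower(owner) }

// wireName encodes "www.nist.gov." as lowercase DNS labels, the form DS and RRSIG hashes use.
func wireName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if l != "" {
			out = append(append(out, byte(len(l))), l...)
		}
	}
	return append(out, 0)
}

// covered is what the RRSIG signs here; a real one also covers its own header and the whole sorted RRset.
func covered(r *Record) []byte { return append(append(wireName(r.Owner), r.Type...), r.Data...) }

// keyTag is the RFC 4034 Appendix B checksum DS and RRSIG records use to name a key.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i&1)) // even-indexed bytes are the high octet
	}
	return uint16(ac + ((ac >> 16) & 0xffff))
}

// dsRdata is the parent's record for a child key: tag | alg | digest type | SHA-256(owner || DNSKEY RDATA).
func dsRdata(owner string, keyRdata []byte) []byte {
	t, h := keyTag(keyRdata), sha256.Sum256(append(wireName(owner), keyRdata...))
	return append([]byte{byte(t >> 8), byte(t), algECDSAP256, dsSHA256}, h[:]...)
}

// NewZone generates the zone key, publishes it as the apex DNSKEY (flags | protocol 3 | alg | X||Y)
// and, when a parent is given, has the parent publish the DS that makes the delegation "secure".
func NewZone(name string, parent *Zone) *Zone {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do in an example
	}
	rd := append([]byte{flagsCSK >> 8, flagsCSK & 0xff, 3, algECDSAP256}, k.X.FillBytes(make([]byte, 32))...)
	rd = append(rd, k.Y.FillBytes(make([]byte, 32))...)
	z := &Zone{Name: name, key: k, Records: map[string]*Record{}}
	z.Publish(name, "DNSKEY", rd)
	if parent != nil {
		parent.Publish(name, "DS", dsRdata(name, rd))
	}
	return z
}

// Publish adds a record and signs it with the zone key.
func (z *Zone) Publish(owner, typ string, data []byte) {
	r := &Record{Owner: owner, Type: typ, Data: data}
	h := sha256.Sum256(covered(r))
	rs, s, err := ecdsa.Sign(rand.Reader, z.key, h[:])
	if err != nil {
		panic(err)
	}
	r.Sig = append(rs.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	z.Records[rk(owner, typ)] = r
}

// verify checks a record's RRSIG with the public key carried in DNSKEY RDATA.
func verify(keyRdata []byte, r *Record) bool {
	if r == nil || len(r.Sig) != 64 || len(keyRdata) != 68 {
		return false
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(keyRdata[4:36]), Y: new(big.Int).SetBytes(keyRdata[36:])}
	h := sha256.Sum256(covered(r))
	return ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(r.Sig[:32]), new(big.Int).SetBytes(r.Sig[32:]))
}

// Validate walks from the resolver's trust anchor (a DS for the root key) down, root zone first: each
// zone's DNSKEY must match the DS trusted so far and be validly self-signed, then the next DS (or the answer) must verify.
func Validate(anchorDS []byte, zones []*Zone, qname, qtype string) ([]byte, error) {
	trusted := anchorDS
	for i, z := range zones {
		key := z.Records[rk(z.Name, "DNSKEY")]
		if key == nil || string(dsRdata(z.Name, key.Data)) != string(trusted) || !verify(key.Data, key) {
			return nil, fmt.Errorf("%s: DNSKEY does not match the trusted DS or is not validly self-signed", z.Name)
		}
		next := z.Records[rk(qname, qtype)]
		if i+1 < len(zones) {
			next = z.Records[rk(zones[i+1].Name, "DS")]
		}
		if !verify(key.Data, next) {
			return nil, fmt.Errorf("%s: missing or invalid RRSIG on the next link of the chain", z.Name)
		}
		if i+1 == len(zones) {
			return next.Data, nil
		}
		trusted = next.Data
	}
	return nil, fmt.Errorf("no zones supplied")
}

// BuildChain signs a root -> gov. -> nist.gov. hierarchy with constructed example data.
func BuildChain() []*Zone {
	root := NewZone(".", nil)
	gov := NewZone("gov.", root)
	nist := NewZone("nist.gov.", gov)
	nist.Publish("www.nist.gov.", "A", []byte{192, 0, 2, 10}) // RFC 5737 documentation address
	return []*Zone{root, gov, nist}
}

func main() {
	zones := BuildChain()
	anchor := dsRdata(".", zones[0].Records[rk(".", "DNSKEY")].Data) // the one trust point a resolver configures
	a, err := Validate(anchor, zones, "www.nist.gov.", "A")
	fmt.Println("valid chain:", a, err)
	zones[2].Records[rk("www.nist.gov.", "A")].Data[3] = 99 // spoofed answer: the RRSIG no longer matches
	_, err = Validate(anchor, zones, "www.nist.gov.", "A")
	fmt.Println("tampered answer:", err)
}
```

Run it with `go run` and the first `Validate` returns the address while the second fails at nist.gov., because the answer's bytes no longer match the signature. Two other failure modes are worth trying by hand: handing `Validate` a DS for gov. instead of the root (the equivalent of an ISP still carrying a stale per-island trust anchor after a key rollover) fails at the very first step, and querying a name the last zone never published fails there with no signature to check. Each of the five capabilities slide 15 lists has a counterpart: `NewZone` generates and publishes keys, `parent.Publish(..., "DS", ...)` accepts the secure delegation, `Publish` signs with the private key, the `zones` slice stands in for the served signed zones, and `anchor` is the published root public key in the DS form resolvers configure.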

  16. Future Activities
     • Pilot deployments of DNSSEC on .us and .gov networks
     • Continue getting all the necessary government players
     • Working with OMB, DHS, DOC on rollout strategy
     • Outreach, communication and training
     • Preparation of root servers
     • Testing of end user software
     • gTLD and ccTLD testbeds
     • Community-based identification of existing software
     • Candidate operational policies and procedures

  17. Summary and Challenge
     • Lots of progress over the past 24 months
     • More to come in 2008
     • USG taking a leadership role
     • Working with other parts of Internet infrastructure
     • Working with vendors
     • Providing resources to help others
     • Challenge: What’s keeping you from securing your DNS infrastructure?

  18. Douglas Maughan, Ph.D., Program Manager, CCI
     douglas.maughan@dhs.gov, 202-254-6145 / 202-360-3170
     For more information, visit http://www.cyber.st.dhs.gov
