OpenDNSSEC aims to provide a comprehensive open-source solution for DNSSEC implementation, making it easier for those with basic DNS knowledge to manage signed zones. The importance of OpenDNSSEC lies in its ability to automate complex DNSSEC workflows, which previously could be handled only with expensive commercial tools because the open-source options were insufficient. This presentation, delivered by Roland van Rijswijk at TNC 2010, also outlines SURFnet's contributions, future plans for ongoing development, and the adoption of OpenDNSSEC across various ccTLDs.

OpenDNSSEC
Developing a free open source DNSSEC signer
Roland van Rijswijk
roland.vanrijswijk [at] surfnet.nl
June 2nd 2010, TNC2010, Vilnius

Overview
• What is OpenDNSSEC?
• Why is OpenDNSSEC important?
• Who contributes to OpenDNSSEC?
• SURFnet’s contribution to OpenDNSSEC
• What we have learned
• Our plans for the future
SURFnet. We make innovation work

DNSSEC?!
• I’m not going to tell you what DNSSEC is :-)
• For more information on that, please come to the DNSSEC event
• Thursday June 3rd (tomorrow), 12:30h - 17:30h (includes lunch), in the “Zeta” room
• Please register via http://tnc2010.dnssec.nu

What is OpenDNSSEC?
• The intention of OpenDNSSEC is to be “an open source turn-key solution for DNSSEC”
• To put it differently: Push-the-button DNSSEC
• It should enable people with a working knowledge of DNS to administer a DNSSEC signed zone

Why OpenDNSSEC is important
• DNSSEC is complex -- way too complex to do by hand
• No open source tools which could automate the complete DNSSEC workflow
• Only (expensive) closed commercial solutions
• We believe it is important that key internet infrastructure components should have free open source implementations (think: Sendmail, BIND, Unbound, NSD, Apache, ...)

Status of OpenDNSSEC
• OpenDNSSEC 1.0 the first version
    • Packages for distributions available
    • Is a real “first release”, i.e. your mileage may vary (it works but there’s room for improvement)
    • Used by .uk and .se to sign their zones
• OpenDNSSEC 1.1 has been released
    • Performance improvements
    • EPP plugin
    • Changes to auditing process
• OpenDNSSEC 1.2 (±August 2010)
    • Signer engine in C instead of Python
• OpenDNSSEC 2.0
    • Lots of new features (IXFR, web interface, continuous signing, ...)

SoftHSM
• OpenDNSSEC uses Hardware Security Modules (HSMs) for key storage
• HSMs are expensive
• We needed a free alternative
• HSMs use the PKCS #11 interface
• SoftHSM is a “soft token” that implements PKCS #11
• SoftHSM is now a spin-off of OpenDNSSEC

Contributors

SURFnet’s contribution
• Knowledge
    • PKCS #11
    • HSMs
• Documentation
    • Requirements
    • User documentation, manual pages
    • HSM buyer’s guide
• Testing
    • SURFnet has a different perspective than TLDs
    • HSMbully
• Code
    • SoftHSM v2 design + code

What we have learned
• It is hard to enter a running project
• We have now found our niche
• Open source projects are hard to plan
• Lots of enthusiasm gets you far
• There clearly is a need for this kind of project

Uptake of OpenDNSSEC
• Commercial vendors have adopted OpenDNSSEC
• Several ccTLDs already use OpenDNSSEC for their zones (.se, .uk) or are going to use it (.nl)
• 75% of ccTLDs in Europe adopting DNSSEC plan to use OpenDNSSEC
• SURFnet uses OpenDNSSEC as a basis for integration of DNSSEC in its managed DNS system

Future plans
• Continue contributing to OpenDNSSEC
• SoftHSM v2 to be released this summer (hopefully :-) )
• Work on open source monitoring solution for DNSSEC
• Investigate the possibility of developing an open source signer appliance (live CD/USB) based on OpenDNSSEC for our constituency
• Involve TERENA community in this work through TF Mobility work item DNSSEC

That’s all folks...
Questions?
Thank you for your attention!
Roland van Rijswijk
roland.vanrijswijk [at] surfnet.nl
Presentation released under Creative Commons (http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)