Goals of this workshop
- Promote awareness of DNSSEC at the commerce and policy level
- Build technical capacity on DNSSEC, allowing participants to
understand DNSSEC technology, acquire hands-on experience, and
plan for deployment
Target audience:
* Technical workshop:
- Technical Staff
- Registrars/ISPs, DNS administrators
* Awareness:
Internet Community:
- ISPs, Telcos, Network Operators
- Registry stakeholders, registrars
- Academic Institutions, Government Agencies
- Security Officers, CFOs
CONTENTS:
* Day 1, morning: DNSSEC Awareness
1. Problems with DNS
- DNS threats (poisoning, hijacking)
- What is DNSSEC, and what does it solve?
- DNSSEC: part of a multi-layered defense (SSL, ...)
- Actors in a DNSSEC world (registries, registrars, users, administrators, ...)
- State of DNSSEC deployment, future directions
2.
* Day 1, afternoon:
1. DNSSEC tech tutorial (see abstract)
2. DNS refreshers/reminders
- Zone reminders, record
- Query resolution
- Resource Record Sets
3. Security weaknesses in the DNS
- Kaminsky attack (more tech details)
4. What does DNSSEC solve / NOT solve
- Authentication, not encryption
- Other points of attack - garbage in, garbage out
- Compromised registry, SQL injections...
5. What does it take to sign a zone
- Fairly easy, in fact...
- Demo signing, resolving
* Day 2:
1. Hands-on (using BIND, NSD, Unbound and OpenDNSSEC)
Authoritative:
- A signed zone
- Key generation
- Signing and re-signing
- Child delegation, DS
- NSEC3, opt-out
Validation:
- Validation and trust anchors
- What happens when data is altered?
- RFC 5011
Rollover:
- KSK and ZSK rollovers
- methods (pre-generate, double-sign, pre-publish)
HSMs and security perception
2. Operational aspects
- Key management, key rollover, and signature validity
- Re-signing - DNS becomes fragile
- Policies and risk assessment
- DS management, R<->R interaction (RFC 5910)
- Redelegation of signed zones
- Dependency on external parties
* Day 3:
- Integrating DNSSEC in the production chain
- End-to-end production control
- Sign: yes, but are we signing the right data?
- Tips:
- Consider incremental deployment (e.g.: DURZ)
- Write a DNSSEC Policy/Practice Statement (DPS)
- DNSSEC and the last mile (stub resolvers, local validation), TSIG
- Q&A session, discuss participants' setups
- Interaction of DNSSEC validation on application
- DNSSEC validated != secure
- TLS, Domain Keys, DKIM, ...
Last modified on May 15, 2011, 2:46:33 AM
