DNSSEC Tutorials

Sample Two Day: Hands on

Day One

  • DNSSEC overview
  • Signing demo + hands-on
  • Overview of software
  • DNS/DNSSEC hands-on
    • dig
    • delegation
    • Unbound
    • bind-logging
    • bind-xfer

Day Two

  • Hands-on continued
    • dnssec-signing
  • Rollover and key management
  • DNSSEC signing considerations
  • OpenDNSSEC

Sample 1/2 Day Tutorial

These topics are presented or discussed during longer, hands-on tutorials.

  • Problems with DNS:
    • DNS cache poisoning
    • Nameserver hijacking
  • The basics of DNSSEC, one solution available now.
    • New DNS Resource Records (DNSKEY, RRSIG, NSEC and NS).
    • Two new packet header flags (CD, AD)
  • How to sign DNS data:
    • KSK and ZSK keys.
  • HSM Options
  • Operational Aspects:
    • Signing the root
    • Trust anchors
    • DLV and ITAR
    • Key management
    • Key rollover
    • Zone crawling issues
    • Available toolsets
  • Registry-registrar aspects:
    • EPP or other extensions to support DS records
    • Support for authenticated key updates.
    • Turning on/off DNSSEC and the impact
  • What isn't solved:
    • Man-in-the-middle attacks where everything is spoofed.
    • Need to trust the resolver
    • DoS attacks
    • Data is not encrypted
  • Application side:
    • Up-the-stack notification. How do we handle failures?
    • Need more info from the stub resolver
    • More than one protocol available.
  • Status today
    • Root signing discussion (NTIA NOI)
    • Signed TLDs
  • Summary

Last modified on Dec 28, 2011, 7:57:05 AM