DNSSEC Tutorials
Sample Two Day: Hands on
Day One
- DNSSEC overview
- Signing demo + hands-on
- Overview of software
- DNS/DNSSEC hands-on
  - dig
  - delegation
  - Unbound
  - bind-logging
  - bind-xfer
Day Two
- Hands-on continued
  - dnssec-signing
- Rollover and key management
- DNSSEC signing considerations
- OpenDNSSEC
Sample 1/2 Day Tutorial
These topics are presented or discussed during longer, hands-on tutorials.
- Problems with DNS:
  - DNS cache poisoning
  - Nameserver hijacking
- The basics of DNSSEC, one solution available now.
  - New DNS Resource Records (DNSKEY, RRSIG, NSEC and DS).
  - Two new packet header flags (CD, AD)
- How to sign DNS data:
  - KSK and ZSK keys.
  - HSM Options
- Operational Aspects:
  - Signing the root
  - Trust anchors
  - DLV and ITAR
  - Key management
  - Key rollover
  - Zone crawling issues
  - Available toolsets
- Registry-registrar aspects:
  - EPP or other extensions to support DS records
  - Support for authenticated key updates.
  - Turning on/off DNSSEC and the impact
- What isn't solved:
  - Man-in-the-middle attacks where everything is spoofed.
  - Need to trust the resolver
  - DoS attacks
  - Data is not encrypted
- Application side:
  - Up-the-stack notification. How do we handle failures?
  - Need more info from the stub resolver
  - More than one protocol available.
- Status today
  - Root signing discussion (NTIA NOI)
  - Signed TLDs
- Summary
Last modified on Dec 28, 2011, 3:57:05 PM