Contents
--------
Day 1 (Monday, October 23)
--------------------------
Morning:
* Intro
* DNSSEC Overview:
1. What problems are we trying to solve in the DNS
- DNS threats (poisoning, hijacking)
- Hijack for a selected set of users
- Kaminsky attack
- Illustrate points of vulnerability, responsibility
2. DNSSEC principles, terminology
- crypto refreshers, ZSK, KSK, SEP, rollover, chain of trust
3. DNSSEC: part of a multi-layered defense (SSL, ...)
- Actors in a DNSSEC world (registries, registrars, users, administrators, ...)
- State of DNSSEC deployment, future directions
Afternoon:
* Introduction to the lab, network setup and private root
* Software overview (BIND, Unbound, NSD, OpenDNSSEC)
* Lab 1: DNS refreshers: RRSets, using dig, using tcpdump/wireshark
* Lab 2: Set up delegation, configure master & slave
* Lab 3: Logging, log management, and zone transfer security using TSIG
Day 2 (Tuesday, Oct 24)
-----------------------
Morning:
* DNSSEC signing: What does it take to sign a zone?
- Walkthrough demo, followed by hands-on
* Lab 1: Zone signing and semi-automated management using BIND 9.7+
- Getting a zone signed, key generation, signing and re-signing
- Child delegation and DS records
- NSEC3, opt-out
- Set up NSD as secondary, set up Unbound as validator
- RFC 5011, RFC 4641
* DNSSEC signing considerations
- Choices: Key size, HSM or not, signing model, validation
- Key management, key rollover, and signature validity
* Lab 2: Using OpenDNSSEC: automated key management, signing
Afternoon:
* Lab 3: Using OpenDNSSEC: automated rollover
- KSK and ZSK rollovers & methods (pre-generate, double-sign, pre-publish)
- What happens when data is altered?
  Corrupting/tampering with data manually to illustrate what DNSSEC protects against
Day 3 (Wednesday, Oct 25)
-------------------------
Morning:
* Operational aspects
- DS management, R<->R interaction, (RFC 5910)
- Redelegation of signed zones
* Impact of DNSSEC on policy
- DNSSEC is a statement of authenticity
- The DNSSEC Practice Statement (DPS)
* DNSSEC issues - what does DNSSEC NOT solve
- Authentication, not encryption
- DNSSEC *can* make your operations more fragile
- Other points of attack
- Compromised registry, SQL injections: garbage in, garbage out
- The importance of proper operations
- Protecting the "last mile" (stub resolvers)
Afternoon:
* Q&A roundtable
* New applications possible thanks to DNSSEC
- Extended certificate validation in SSL
- Publish signed information in the DNS
- DANE
* Deployment: setting up a testbed
- "Bump in the wire" deployment
- Signing & key management
- Milestones
- Remember the DPS!
Last modified on Sep 22, 2011, 4:46:39 PM
