Contents
--------

Day 1 (Monday, October 23)
--------------------------

Morning:

* Intro
* DNSSEC Overview:
  1. What problems are we trying to solve in the DNS
     - DNS threats (poisoning, hijacking)
     - Hijack for a selected set of users
     - Kaminsky attack
     - Illustrate points of vulnerability, responsibility
  2. DNSSEC principles, terminology
     - crypto refreshers, ZSK, KSK, SEP, rollover, chain of trust
  3. DNSSEC: part of a multi-layered defense (SSL, ...)
     - Actors in a DNSSEC world (registries, registrars, users, administrators, ...)
     - State of DNSSEC deployment, future directions

Afternoon:

* Introduction to the lab, network setup and private root
* Software overview (BIND, Unbound, NSD, OpenDNSSEC)
* Lab 1: DNS refreshers: RRSets, using dig, using tcpdump/wireshark
* Lab 2: Setup delegation, configure master & slave
* Lab 3: Logging, log management, and zone transfer security using TSIG

Day 2 (Tuesday, Oct 24)
-----------------------

Morning:

* DNSSEC signing: What does it take to sign a zone?
  - Walkthrough demo, followed by hands-on
* Lab 1: Zone signing and semi-automated management using BIND 9.7+
  - Getting a zone signed, key generation, signing and re-signing
  - Child delegation and DS records
  - NSEC3, opt-out
  - Setup NSD as secondary, setup Unbound as validator
  - RFC5011, 4641
* DNSSEC signing considerations
  - Choices: Key size, HSM or not, signing model, validation
  - Key management, key rollover, and signature validity
* Lab 2: Using OpenDNSSEC: automated key management, signing

Afternoon:

* Lab 3: Using OpenDNSSEC: automated rollover
  - KSK and ZSK rollovers & methods (pre-generate, double-sign, pre-publish)
  - What happens when data is altered?
    Corrupting/tampering with data manually to illustrate what DNSSEC protects against

Day 3 (Wednesday, Oct 25)
-------------------------

Morning:

* Operational aspects
  - DS management, R<->R interaction, (RFC 5910)
  - Redelegation of signed zones
* Impact of DNSSEC on policy
  - DNSSEC is a statement of authenticity
  - The DNSSEC Practice Statement (DPS)
* DNSSEC issues - what does DNSSEC NOT solve
  - Authentication, not encryption
  - DNSSEC *can* make your operations more fragile
  - Other points of attack
  - Compromised registry, SQL injections: garbage in, garbage out
  - The importance of proper operations
  - Protecting the "last mile" (stub resolvers)

Afternoon:

* Q&A roundtable
* New applications possible thanks to DNSSEC
  - Extended certificate validation in SSL
  - Publish signed information in the DNS
  - DANE
* Deployment: setting up a testbed
  - "Bump in the wire" deployment
  - Signing & key management
  - Milestones
  - Remember the DPS!

Last modified on Sep 22, 2011, 4:46:39 PM