root zone dnssec deployment - icann...
TRANSCRIPT
RootZoneDNSSECDeploymentICANN39,Cartagena,Colombia
ThisdesignistheresultofacooperaHonbetweenICANN&VeriSignwith
supportfromtheU.S.DepartmentofCommerceNTIAandNaHonalInsHtuteof
StandardsandTechnology(NIST)
HighLevelDesign• Trust/Integrity
– Transparentopera1ons– Directpublicpar1cipa1oninkeymanagement
– 3rdpartyAudit• Security
– Crypto– Physical– ID/ACS/mul1‐personaccessandcontrol
• Availability– Sufficient1metoperformopera1ons
– Mirrorsites– Disasterrecoveryplan
ImplementaHonandRoll‐out• Publishallmaterial(film,scripts,s/w,results..hIp://www.iana.org/dnssec)
• DNSSECPrac1cesStatement(DPS)
• 21TrustedCommunityRepresenta1ves(TCR)• SysTrustauditbyPWC
• 2048KSK,1024ZSKRSAkeys;SHA256hash
• FIPS140‐2Level4HSM;3‐of‐7TCRtoenable;GoodRNG
• Mul1plephysical1ers/wmul1‐personan1‐passbackaccesscontrolsystem
• 9gaugestretchedmetalceremonyroomconstruc1on;Safescer1fiedto20hourssurrep11ousentry
• 24x7monitoring:mo1on,seismic,video,guards
• ~60daywindowtoperformquarterlyopera1on;15daysignaturevalidityperiods
• MirrorsitesinLosAngelesandWashingtonDC;2HSMsateachsite
• DocumentedDisasterRecovery(DR)plans
• IncrementaldeploymentwithDURZandextensivemonitoring
Challenges
• Findingoutwhatare“bestpracHces”• EmbracinganauditedITsecuritymindset
• FormalizingdocumentaHonofpolicyandprocedures
• Contractors!!• HSM/smartcards/PKCS11
LessonsLearned
• IdenHfyyour“customer”andthenyourrisksfirst
• Developanddocumentpoliciesandprocedures,e.g.,keymanagement,DPS,scripts,DRplan–andinsHtuHonalizethem
• EmbracePKCS11andtamperevidentbags
• MulHplecompensaHngcontrols• DNSSECdeploymentdoesnothavetobeexpensive;Learn
fromthoseonthispanelandshareourexperiences.
• ThisisnotstaHc;annualreviewandincorporateimprovementsfromcommunity.
RootDNSSECDesignTeam
JoeAbleyMehmetAkcinDavidBlackaDavidConradRichardLambMaILarsonFredrikLjunggrenDaveKnightTomofumiOkuboJakobSchlyterDuaneWessels
..and so many others!!
Links:hIp://www.root‐dnssec.orghIp://www.iana.org/dnssec
ThankYou.Ques.ons?(T)Askme!Itsmyjob.