software pieces
Suresh Krishnaswamy
suresh at tislabs.com
Wed Jan 19 11:06:26 EST 2005
Folks,
Here's a list of software pieces for DNSSEC-deployment that a few of us at
SPARTA have pulled together. This list can hopefully provide the
starting point for our discussion on the software parts in today's
meeting.
Suresh Krishnaswamy
SPARTA, Inc
-----------------------------------
I) Approaches for identifying software pieces
1. Look at the "big" picture
- Identify software based on immediate/short-term/long-term needs
- Focus on timeliness of software availability
2. Break the problem into parts
- Identify all operational pieces that interoperate
in order to make DNSSEC "work".
- For each operational piece identify all available
and missing pieces not only for software, but also
documentation, policy, training and roles
- Operational pieces can be enumerated by breaking
all the DNS operations into "procedural flows"
- "Procedural flows"was described in an earlier
version of the roadmap
- Slow progress in building the complete list
of procedural flows -- characteristics of some
flows are still being identified by the community
II) Software pieces using Approach 1
- Divided into the following categories
a. Essential Functionality
b. Proof-Of-Concept applications
c. Zone maintenance
d. Key Management
e. Tool Suites
f. Policy
g. Applications that thrive on DNSSEC
IIa) Essential Functionality
1. Validation module
- Would provide a better understanding of
the validation process in terms of the allowable
states, error values and configuration knobs
- Would form the basis of defining the API between
the application and the security aware resolver
- Would create heterogeneity in the available code
base for validation modules
- Would providing a useful test suite to test
correctness and interoperability between multiple
name server implementations
- Would provide the basis for a good end user
troubleshooting utility.
IIb) Proof-Of-Concept Applications
1. Mail Transfer Agent
- Signed SPF records to guard against spoofed values
- Terminate connections before spam is sent
2. Web Browser
- User interface for DNSSEC
- Obtain âbuy-inâfrom OS vendors
IIc) Zone Maintenance
1. Zone operation tools
- That assist operators in the day-to-day
operation of their zones, including operations
such as zone transfer, zone signing and
zone changes (static and dynamic).
2. Log-based tools
- That consume the log information generated
by various tools in order to allow the operator
to get a better sense of errors and abnormalities
in the DNS configuration.
3. Zonefile-based tools
- That allow the operator to check their zonefiles
for correctness. This might also include
enhancements to existing tools to make them more
DNSSEC-aware.
4. Query-based tools
- That allow the operator to perform additional
sanity checks on the DNS data, checking for
availability and security of their own domains from
different/external views for different for
different trusted keys.
5. Watchdog/Notification tools
- That can be used for tracking important events
(such as expiry of signatures). They would also
form the framework for a more comprehensive
incident detection and notification module.
IId) Key Management
1. Zone Owner tools
- For creating, storing and rolling over keys.
Also symmetric key management for zone transfers
2. Parent-child tools
- For managing the interaction between the parent
and child zones while creating and maintaining
signed delegations
3. Trusted-key tools
- For managing trusted keys at the end resolvers,
and at trusted key â"distribution points"
4. Last-hop security tools
- Secure-channel construction tools
5. Registry-Registrar-Registrant
- Software that implements EPP extensions
IIe) Tool-Suites
1. Zone Maintenance
- A configuration mechanism to define the
"operation profile" for DNSSEC.
- There will be multiple ways to manage the DNS.
- The operator should be given the flexibility of
choosing the manner in which each of the various
constituent operations are performed.
2. Visualization
- These tools would provide visual indicators for
the "health" of DNSSEC or even the
"security posture" of the enterprise with
respect to DNS.
3. Troubleshooting
- Aggregation of indicators and logs from various
tools to give a unified view of DNSSEC events.
- Being able to look at problems from multiple
looking glasses can assist in troubleshooting
operations.
 - This task would involve defining a unified
logging format for all components ability to
correlate notification/output from different
components
IIf) Policy
1. Key Management
- This tool would provide a consistent interface
for the definition of key-related parameters.
- Related tasks would be identifying typical
enterprise and registry policies for keys
2. Single Resolver
- This tool would provide a consistent interface
for specifying all the knobs that can be defined
for a validator.
- These knobs are sometimes explicit (such as
trust anchors) or might be implicitly defined
(unspecified or underspecified) in the DNSSEC
specification.
3. Enterprise
- This tool would provide a consolidated interface
for specifying enterprise-wide policy for DNSSEC.
Predefined "policy profiles" would include those
for "typical enterprises" and "typical registries".
- The tool would assist the operators in making
better choices for various parameters by providing
some kind of feedback on the implications of a
particular change.
- At the other end of the spectrum, a similar tool
would be used to check if some configuration
complies with "organizational policy".
IIg) Applications that thrive on DNSSEC
- In search for the killer app.
III) Software needs - Timeline
1. Immediate
- Essential Functionality
- Proof of concept applications
- Zone maintenance Tools
2. Short-term
- Zone maintenance toosl
- Key management tools
- Tool Suites
3. Long-term
- Tool Suites
- Policy
- Applications using DNSSEC
IV) Software pieces using Approach 2
- Break the DNSSEC process into a number of
procedural flows
- Nineteen flows had been identified earlier
- Lookup
- Registration
- Enterprise Delegation
- Trusted key configuration
- Zone Transfer
- Zone maintenance
- ZSK Roll-over
- KSK Roll-over
- Root Zone Setup/Signing
- Root Zone Signing Key Change
- Root Key Signing Key Change
- Registrant Change
- Registrar Change
- Registry Change
- TLD delegation cycle
- TLD zone maintenance
- TLD key rollover
- Inverse tree procedures
- Trust anchor distribution (inline, DLV etc)
- The above flows will change as our understanding
of the different organization types improves
(.arpa procedures, types of registries,
types of registrants, etc)
- Examples of some of the software pieces that can be
identified using this approach
- DNSSEC-aware applications
- Resolver library implementing the
resolver-application API
- Last-hop channel security: key management tools,
secure channel construction tools
- Validation module
- Recursive Name server functionality
- Authoritative name server functionality
- Name server maintenance tools
- Key-set/DS-set creation tools
- Tools for securely communicating zone information
to parent (or parent-like entity)
- Tools for verifying the correctness of delegation
information
- Tools that aid in trusted key roll-over
- Tools that aid in trusted key addition and deletion
- Zone transfer: functionality, secure channel
construction, key management
- Zone maintenance: Zone creation/modification,
zone update, zone checking tools
- Key generation tools: for zones, dynamic update,
last hop, online signing
- Key roll-over tools
- Dynamic update: functionality in name servers,
incremental signing of zones, tools that can
provide the interface for dynamic updates, secure
channel construction and key management for
dynamic updates
- Troubleshooting tools
- Watchdog and notification tools
- Incident detection and response tools
More information about the Dnssec-deployment
mailing list