Dominic Stahl Infoblox DNSSEC Solution

Transcription

Infoblox DNSSEC Solution – simple, secure and reliable
4. DNSSEC-Testbed-Meeting, 24.11.2010
Dominic Stahl, dstahl@infoblox.com
© 2010 Infoblox Inc. All Rights Reserved.

The Infoblox DNSSEC Solution
Makes the process of deploying and managing DNSSEC as simple as possible
– Transparent to the end user
– Single-click configuration
– Automatic and on-the-fly key generation and management
Uses the latest technology and protocol features
– BIND 9.7.0 with NSEC3 support
HSM module planned for a future release

Infoblox Appliances Automate Core Network Services
DNS, DHCP, IPAM, FTP/TFTP/HTTP, NTP and more
Integrated core network services on hardened appliances
Centralized visibility & control of appliances, protocols and data
Simple, secure, reliable

IPAM and DNSSEC
One central management interface to all your DNS and even IPAM data
API for automation
Easy to upgrade
Easy to monitor / audit
(Diagram: Infoblox Grid consisting of a Grid Master and several Members)

Example zone w/o DNSSEC (slide shows the zone's records)

Example zone with DNSSEC (slide shows the zone's records)

Easy Access to All Global DNSSEC Configuration Parameters
Central configuration of all DNSSEC parameters
Enforce standards by configuring DNSSEC parameters at a Grid level
– Default key type, size and validity period
Defaults based on the NIST 800-81 and RFC 4641 standards
NSEC and NSEC3 support included

One-Click Zone Signing and Automated Zone Maintenance
Any zone can be signed with a “single click” by using the “Sign Zone” toolbar button
– Keys are generated on the fly and records are automatically signed
– Auto-creation of all associated DNSSEC records
Automatic maintenance of signed zones
– All key expiration and resigning are handled automatically
– DNSSEC zones are automatically resigned when new records are added

More useful tasks (slide shows the GUI)

Automating DNSSEC – No Hassles!
Signed zones are easily identified with the DNSSEC icon
– The following record types are supported: DNSKEY, RRSIG, DS, NSEC, NSEC3, NSEC3PARAM
New Zone Signing Keys are automatically generated before the current keys expire
– Key rollover is transparent to the admin
– Admins are automatically notified in the GUI before keys expire

Comparison to “command line” BIND configuration of DNSSEC
The Infoblox way
– One click
The BIND way
– The NIST guidelines for signing a single zone with standard BIND tools are 16 pages long
– Typical steps required to sign a zone:
  Generate a key pair for the Key Signing Key using the command line tool dnssec-keygen
  Generate a key pair for the Zone Signing Key using the command line tool dnssec-keygen. E.g., dnssec-keygen -a RSASHA1 -b 1024 -n ZONE foo.com
  Add the output of the KSK and the ZSK public key to the zone db file
  Use the dnssec-signzone command line tool to sign the zone using the private key pair. E.g., dnssec-signzone -o foo.com -k Kfoo.com.+005+67829.key /var/named/zonedb.foo.com Kfoo.com.+005+45798.key
– The zone must be re-signed every time there is a change in the contents
– Manual process is error prone and can take hours
– Tool development requires significant expertise
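The maintenance burden the slide lists for the BIND way (re-signing after every change, keeping track of key and signature lifetimes) can at least be monitored. The following Python script is an added example, not part of the presentation or of Infoblox's product: it parses DNSKEY and RRSIG records from a one-RR-per-line zone file, checks that both a KSK and a ZSK are published, and reports signatures that expire within a given window. The zone excerpt, key blobs and signature blobs are constructed; the key tags 45798 and 67829 and algorithm 5 (RSASHA1) follow the slide's example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed zone excerpt, one RR per line; key tags and algorithm 5 (RSASHA1) follow the slide, blobs are fake.
SAMPLE_ZONE = """\
foo.com.     3600 IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDKSK==
foo.com.     3600 IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDZSK==
foo.com.     3600 IN RRSIG  SOA 5 2 3600 20101224000000 20101124000000 45798 foo.com. c2lnMQ==
foo.com.     3600 IN RRSIG  DNSKEY 5 2 3600 20101201000000 20101124000000 67829 foo.com. c2lnMg==
www.foo.com. 3600 IN RRSIG  A 5 3 3600 20101224000000 20101124000000 45798 foo.com. c2lnMw==
"""
# RRSIG RDATA (RFC 4034): covered type, algorithm, labels, original TTL, expiration, inception,
# key tag, signer, signature. DNSKEY RDATA: flags, protocol, algorithm, public key.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)\s+\S+$")
DNSKEY_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+\d+\s+\d+\s+\S+$")

def _ts(text):  # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dnskeys(zone_text):
    """Return (owner, role) pairs; flags 257 (SEP bit set) marks a KSK, 256 a ZSK."""
    keys = []
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            keys.append((m["owner"], "KSK" if int(m["flags"]) & 1 else "ZSK"))
    return keys

def parse_rrsigs(zone_text):
    """Return one dict per RRSIG: owner, covered type, key tag and validity window."""
    sigs = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append({"owner": m["owner"], "covered": m["covered"], "tag": int(m["tag"]),
                         "expire": _ts(m["expire"]), "incept": _ts(m["incept"])})
    return sigs

def expiring_rrsigs(zone_text, now_ts, within_days=14):
    """RRSIGs already expired or expiring within the window: the zone must be re-signed first."""
    deadline = _ts(now_ts) + timedelta(days=within_days)
    return [s for s in parse_rrsigs(zone_text) if s["expire"] <= deadline]

def missing_key_roles(zone_text):
    """Key roles absent from the apex DNSKEY RRset; a signed zone publishes a KSK and a ZSK."""
    present = {role for _, role in parse_dnskeys(zone_text)}
    return sorted({"KSK", "ZSK"} - present)
```

Run against the output of dnssec-signzone (which writes one RR per line unless told otherwise) with the current time as `now_ts`; any record returned by `expiring_rrsigs` means the zone must be re-signed before that date.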

Even more – also integrates NCCM
(Diagram: Applications such as Cloud, Web, ERP, CRM and MSFT AD sit on top of Infoblox DDI (IPAM/DDI, DNS, DHCP, NTP), which provides the DDI service; Infoblox NCCM checks the network infrastructure (routing, switching, firewalls, etc.) and recognizes changes; together they give visibility across the stack)

References / For More Info
DNS Security: …y.cfm (URL truncated in the transcription)
Infoblox DNSSEC: …nologysolutions/dnssec.html (URL truncated in the transcription)
Infoblox general: http://www.infoblox.com
Cricket Liu: http://www.ask-mrdns.com
