© Men & Mice http://menandmice.com
Commercial DNSSEC Management Solutions
Wednesday, June 2, 2010
From Iceland...
comes more than fire and ice!
Of Men & Mice
•Icelandic company founded in 1990, privately held
•Specialist in DNS, DHCP and IP address management products and services
‣ 30 people
‣ 7 Service/support engineers
‣ 3 support locations (USA, Iceland, Germany)
•Long history of innovation and success
Long history of innovation and success…
•1995 DNS server for Mac
•1998 DNS Analyzing Tool
•2000 GUI for BIND
•2003 DNS Traffic Analyzer
•2005 DNS, DHCP Management for AD
•2008 GUI Management for ISC DHCP
•2009 Support for Unbound/NSD
More than 10,000 customers
The Men & Mice System
Men & Mice Suite – 3 tier architecture
Integration Layer of existing services
DNSSEC workflow
•The DNS Management Team makes zone changes through GUI Management
•GUI Management talks to Men & Mice Central
•Men & Mice Central drives the DNS Server Controller on the DNS Server
•The DNS Server holds the unsigned zone
•DNSSEC Zone Signing & Key Management turns the unsigned zone into the signed zone
•Signing backends: OpenDNSSEC, Secure64 Signer, DNSSEC ZKT, BIND 9.7.x+, Windows 2008 R2
Secure64 Integration
What is Secure64?
•DNSSEC Signer hardware appliance built by Secure64 Software Corporation
•Secure64 DNS Signer is a fully automated DNSSEC signing engine
•Complies with DNSSEC RFCs 4033, 4034, 4035, 5011, and 5155
•Automates bulk zone signing, resigning, and key rollover
•Supports parent-child synchronization of chains of trust and coordinates it with key rollover
•Provides best-practice defaults, with optional configurable values for key lengths, signing intervals, and rollover techniques
•Uses a hardware crypto chip (TPM) to generate and maintain private keys that never leave the chip itself
•Keeps the DNSSEC private signing keys safe by never storing them in the clear on disk or in backup key stores
•Supports secure backup and recovery of signing keys and system keys for disaster recovery
•FIPS 140-2 Level 3 certification (pending)
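"Parent-child synchronization of the chain of trust" means that the DS record the parent zone publishes must be derived from the child's current KSK, and must be re-derived on every KSK rollover. The following script is an added example written for this page; it is not Secure64 or Men & Mice code. It implements the DS derivation of RFC 4034 (key tag, owner name wire form, digest over owner name plus DNSKEY RDATA) and a check that a DS seen at the parent still matches the child's key. The DNSKEY is a constructed placeholder: owner example.com., flags 257, algorithm 13, and a 64-byte public key of repeated 0x01 so the key tag (9262) can be verified by hand.

```python
"""Derive and check the DS record a parent zone publishes for a child KSK (RFC 4034).

Added example, not Secure64 or Men & Mice code. The DNSKEY is a constructed
placeholder so the key tag can be checked by hand; it is not a real key.
"""
import hashlib
import struct

EXAMPLE_OWNER = "example.com."          # child zone apex (assumed)
EXAMPLE_FLAGS = 257                     # 256 = Zone Key bit, 1 = SEP bit (KSK)
EXAMPLE_ALGORITHM = 13                  # ECDSAP256SHA256
EXAMPLE_PUBKEY = bytes([0x01]) * 64     # constructed, not a real curve point

# DS digest types from the IANA registry: 1 SHA-1, 2 SHA-256, 4 SHA-384
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """Wire-format DNSKEY RDATA (RFC 4034 2.1): flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 5.1.4): hash(owner name wire | DNSKEY RDATA), upper-case hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(owner_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_record(owner, flags, algorithm, pubkey, digest_type=2):
    """Presentation-format DS RR the parent must publish for this child DNSKEY."""
    if not flags & 0x0100:
        raise ValueError("DS records are only derived from zone keys (Zone Key bit set)")
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def parent_ds_matches(published_ds, owner, flags, algorithm, pubkey):
    """Check that a DS seen at the parent corresponds to this child DNSKEY.

    After a KSK rollover the old DS no longer matches the new key; once the old
    key is withdrawn from the child, validation fails until the parent is updated.
    """
    fields = published_ds.split()
    try:
        i = [f.upper() for f in fields].index("DS")
    except ValueError:
        raise ValueError("not a DS record: %r" % published_ds)
    tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    digest = "".join(fields[i + 4:]).upper()  # digest may be split over whitespace
    if dtype not in DIGEST_TYPES:
        return False                          # unknown digest type: cannot verify
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (tag == key_tag(rdata) and alg == algorithm
            and digest == ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    ds = ds_record(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY)
    print(ds)
    rolled = bytes([0x02]) * 64           # constructed successor KSK after a rollover
    print("old DS still matches after KSK rollover?",
          parent_ds_matches(ds, EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_ALGORITHM, rolled))
```

The check in parent_ds_matches is the one an operator runs before withdrawing the old KSK: if the parent's DS set does not yet contain a DS for the new key, removing the old key breaks the chain of trust for the whole child zone.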
Architecture
•The Secure64 Signer acts as a “signer-in-the-middle” system
•The Men & Mice DNS Module takes care of all necessary configuration
‣ on the signer
‣ on the hidden master
‣ on the authoritative slave servers
•Components in the diagram: DNS Admin workstation, Men & Mice Central, hidden primary DNS, Secure64 signer, two authoritative DNS servers (slaves), DMZ
creating a zone
Diagram legend: Men & Mice protocol, SSH protocol, DNS protocol; DMZ
In order:
•The DNS Admin workstation sends a zone creation request to Men & Mice Central
•Men & Mice Central creates the plain DNS zone on the hidden primary
•Men & Mice Central configures the Secure64 signer to sign the new zone
•Men & Mice Central configures the slave DNS servers to load the DNSSEC zone from the signer
•DNS zone transfer of the unsigned zone from the hidden primary to the signer
•DNS Notify message from the signer after the zone has been signed
•DNS zone transfer of the signed zone from the signer to the slaves
zone update
Diagram legend: Men & Mice protocol, SSH protocol, DNS protocol; DMZ
In order:
•The DNS Admin workstation sends a zone update request to Men & Mice Central
•Men & Mice Central sends a DNS update to the hidden primary
•The hidden primary sends a DNS notify to the signer
•DNS zone transfer of the updated unsigned zone from the hidden primary to the signer
•The DNS zone gets signed on the signer
•DNS Notify message from the signer after the zone has been signed
•DNS zone transfer of the signed zone from the signer to the slaves
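Both procedures above rely on the same topology: the hidden primary hands the unsigned zone only to the signer, and the public slaves load the signed zone only from the signer. The named.conf fragments below are an added example written for this page; they are not configuration generated by the Men & Mice DNS Module, and the signer side is appliance-specific and not shown. They assume the hidden primary and the DMZ slaves run BIND 9.7, the addresses 192.0.2.5 (hidden primary), 192.0.2.10 (signer) and 198.51.100.53 (a DMZ slave), the zone example.com, and the TSIG key names and placeholder secrets shown (the signer is assumed to present the signer-xfer key when it pulls the zone).

```conf
// ---- hidden primary (192.0.2.5, not listed in the public NS RRset) ----
// assumed TSIG key used by Men & Mice Central for dynamic updates
key "mmcentral-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, must be base64
};
// assumed TSIG key the signer presents when it pulls the unsigned zone
key "signer-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, must be base64
};

options {
    listen-on { 192.0.2.5; };
    recursion no;
    allow-transfer { none; };              // deny by default, opened per zone below
    notify explicit;                       // notify only the hosts in also-notify
};

zone "example.com" {
    type master;
    file "masters/example.com.db";         // unsigned zone, maintained by dynamic update
    allow-update { key mmcentral-update; };
    allow-transfer { key signer-xfer; };   // only the signer may pull the unsigned zone
    also-notify { 192.0.2.10; };           // the signer, never the public slaves
};

// ---- authoritative slave in the DMZ (198.51.100.53) ----
options {
    listen-on { 198.51.100.53; };
    recursion no;
    allow-transfer { none; };              // serve the signed zone, do not hand out AXFR
};

zone "example.com" {
    type slave;
    file "slaves/example.com.signed";
    masters { 192.0.2.10; };               // the signer is this slave's master
    allow-notify { 192.0.2.10; };          // accept notifies only from the signer
};
```

If a slave were pointed at the hidden primary instead of the signer, it would load and serve the unsigned zone, and validating resolvers that already hold the DS at the parent would treat its answers as bogus. That is the misconfiguration the "configures slave DNS to load DNSSEC zone from signer" step exists to prevent.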
OpenDNSSEC Integration
OpenDNSSEC
•Takes an unsigned zone as input and produces a signed zone
•Components: signer engine, KASP Auditor, KASP Enforcer, security module, key and signing policy (KASP)
OpenDNSSEC + Men & Mice
•Men & Mice Central, via the DNS Server Controller, verifies and writes the unsigned zone
•Selects the key and signing policy for the zone
•Deploys the signed zone to the DNS server
Zone List
enable DNSSEC and select
zone with DNSSEC records
DNS Expert checks for DNSSEC zones
Benefits of the Men & Mice Solution
•free choice of
‣ DNSSEC signer
‣ policy management
‣ DNS server engine
•supports DNSSEC with
‣ OpenDNSSEC
‣ Secure64
‣ BIND 9.7.x DNS Server
‣ Windows 2008 R2 DNS Server
•Fine-grained access control
•Detailed history trail
•Sanity checks prevent DNS outages due to human error
•Integration into IP Address Management and DHCP Management
•Non-intrusive approach
Finis ...
•Questions?