Men and Mice

3 day DNSSEC Technical Workshop - Implementation and Deployment

---

Syllabus:

This 3-Day workshop is a mixture of Lecture and Hands-on Lab environment. This course is recommended for System Administrators and Network Engineers who want to be ready to deploy DNSSEC.
Note: Students are expected to be familiar with the UNIX environment (file structure, basic utilities) and with text editing in UNIX (vi or nano editor). A basic knowledge of TCP/IP addressing is also helpful but not required.

• DNS Fundamentals 101
  • A quick recap of DNS Fundamentals
  • DNS Namespace
  • Delegation
  • Nameserver
  • DNS Message Format
  • Name Resolution
  • Caching
  • DNS Practice
  • Resource Records
• DNSSEC Theory and History
• DNS Threats
  • What is wrong with the good old DNS?
  • Spoofing
  • Man in the Middle Attacks
  • Betrayal of a trusted name server
  • Attack on authoritative data
  • The danger of Denial of Service Attacks
• DNSSEC Introduction
  • DNS and DNSSEC History
  • TSIG and DNSSEC
  • Basics of Public Key Cryptography
  • DNSSEC Technical Overview
  • DNSSEC Record Types
    • DNSKEY (DNS Key Material)
    • RRSIG (Resource Record Signature)
    • NSEC (Next Secure)
    • DS (Delegation Signer)
  • Zone Signing Key (ZSK) and Key Signing Key (KSK)
  • the DNSSEC chain of trust
• DNSSEC Infrastructure Requirements
• Signing tools
  • Authoritative DNS Servers
  • Caching/Resolving DNS Servers
  • Middleboxes (Firewalls, Load-Balancer, NAT ...)
  • Application Requirements
• DNSSEC Deployment
  • DNSSEC signing with BIND 9.6-ESV
  • creating keys
  • Adding keys to a zone
  • Signing a zone
  • Test the setup
  • Getting DS record in the parent zone
  • Resigning a zone
  • Maintenance: Signature Expiration
  • Lab: DNSSEC zone signing
• DNSSEC with BIND 9.7
  • Managing key timing values
  • DNSSEC automation
  • Dynamic zones and DNSSEC
  • Managing zone content with nsupdate
  • Lab: DNSSEC with BIND 9.7
• DNSSEC Validation
  • DNSSEC in DNS Messages
  • The AD and CD flags
  • DNSSEC Name resolution
  • DNSSEC Lookaside Validation (DLV)
  • Validating DNSSEC in the Internet
  • DNSSEC validation in Web-Browsers (Firefox, IE, Chrome)
• A validating caching only configuration for BIND 9
  • BIND as a caching server
  • Named.conf setup (ACL, rndc, statistics channel)
  • Getting the root-anchor
  • Verifying the root zones key
  • DNSSEC validation setup (BIND 9.6-ESV)
  • DNSSEC validation setup (BIND 9.7.0+)
  • Lab: DNSSEC validation with BIND
• Signing zones with NSEC3
  • The NSEC3 Record
  • NSEC3 zone signing
  • Salt and Iterations
  • NSEC3 opt-out
• DNSSEC Key rollover
  • The need of key rollover
  • Key rollover with pre-publication
  • Key rollover with double-signing
  • Emergency key rollovers
  • Algorithm Rollover
  • Switching DNS Operators
    • Operator rollover (cooperative)
    • Operator rollover (non-cooperative)
  • Lab: ZSK and KSK rollover
• DNSSEC tools and troubleshooting
  • DNSSEC troubleshooting with ‚ÄúDIG‚Äù
  • Lab: find the cause of DNSSEC lookup failures
  • Other DNSSEC tools (drill, unbound-host, dnssec-tools, zonecheck, OpenDNSSEC)
  • DNSSEC monitoring tools
• DNSSEC in BIND 9.8 and 9.9
• Hardware Security Modules (HSM)
  • The role of a HSM
  • Selection criteria for HSM
  • SoftHSM - an HSM Emulator
  • Using BIND with SoftHSM

If you would like to be notified quarterly about upcoming trainings, please subscribe to the Training Mailing List for future training information.
 

Course Name	Dates	Location	Price	Status
3-day DNSSEC Workshop (group training)	2012	on-site at your office	on request	contact us
3-day DNSSEC Implementation and Deployment Workshop	August 7 -9, 2012	Los Angeles (CA), USA	US$ 2295	Register
3-day DNSSEC Implementation and Deployment Workshop	October 24 - 26, 2012	London, UK	US$ 2295	Register