Black Hat Digital Self Defense USA 2006


Black Hat USA Training 2006
Caesars Palace Las Vegas • July 29-30 and July 31-August 1

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Black Hat Registration

Practical Guide to Deploying DNSSEC

Xelerance Corporation

What to Bring:
The student is required to bring a working laptop. It should have a network card, an SSH client (PuTTY for Windows®, OpenSSH for Linux®/OSX®), a text editor, and a web browser.

An NFS or SMB (CIFS) client is optional; it lets students easily transfer their assignments from their laptops to their virtual Linux server.

The student may be required to reconfigure the network settings on their laptop.

All other software will be provided by the instructors, and will be accessed by the student via SSH.

This course will teach you about all the intricacies of DNSSEC.

  1. Learn what DNSSEC can and cannot protect you against.
  2. How to use DNSSEC to secure your domains. The course teaches you how to add DNSSEC to your own domains.
  3. Managing DNSSEC for large operations and how to automate the entire DNSSEC process and all the cryptographic operations involved.
  4. Enhancing your own caching nameservers to take advantage of DNSSEC-protected domains.
  5. DNSSEC integration with Registrars that support DNSSEC, such as RIPE, the Swedish ccTLD and Verisign’s DNSSEC Lookaside Verification for .com and .net.
  6. Practical use of DNSSEC. An overview of applications and protocols that gain security by DNSSEC.

Who Should Take This Class:
Individuals interested in deploying DNS SECurity as part of their security infrastructure and people with a general interest in DNSSEC, and those contemplating whether or not to deploy DNSSEC in their organization.

What You Will Learn:

The theory of DNSSEC and its new record types (e.g. DS, KEY, RRSIG and NSEC).

Understanding the relationship between zones and their parents for secure delegations.

Building and installing DNSSEC software such as Bind9, nsd, ldns, and the Net-DNS-SEC maintenance tools. Deploying DNSSEC-secured zone files, and using the new properties of DNSSEC zones on the client side.

Learn about real-world DNSSEC deployments, such as in Sweden, the reverse DNS zone with RIPE-NCC, and using DLV for the Verisign-maintained “.com” and “.net” zones.


  1. Understanding the threats that DNSSEC protects against
  2. Theory of DNSSEC: survey of new record types
  3. Practicalities: Delegation issues with DNSSEC
  4. Working with the current DNSSEC software
  5. Creating, signing and publishing DNSSEC enhanced domains
  6. The caching nameserver: secure recursive resolvers
  7. The DNS client extensions: the AD and CD bit
  8. Registries: communicating to ccTLDs (e.g. “.se” and “.com”) and gTLDs (e.g. RIPE’s reverse tree, “in-addr.arpa”)
  9. Key Management: rollover of keys
  10. Distributing root keys
  11. DNSSEC Lookaside Verification in the “.com” and “.net” domain
  12. Transaction security
  13. RFC2535bis TypeCodeRollover
  14. Applications that can use and gain security by using DNSSEC (e.g. “SSH”, “IPsec”, and various email / DNS functions such as “SPF” and anti-spoofing techniques)

All actual work will be done on a Linux Xen server hosting a virtual Linux server per student.


Michael Richardson has been involved with network security systems since 1988. Michael was a founding employee at Milkyway Networks in 1994, and Solidum Systems Corporation in 1998. While at Milkyway Networks, Michael was responsible for developing the VPN components of the BlackHole firewall, and later worked on several IPsec implementations. Solidum designed and sold hardware - IPsec being an important target. Michael is a system software designer and protocol designer. Michael is involved on a daily basis with the IETF. He is an author on RFC3586, and numerous drafts "in progress".

Michael was the lead architect on the Linux FreeS/WAN project, a Linux IPsec stack that aims to bring Opportunistic Encryption to everyone. Michael is now a principal at Xelerance Corporation, the open source security specialists.

Michael received a B.Sc. Physics from Carleton University in Ottawa, Canada.

Paul Wouters has been involved with Linux networking and security since he co-founded the Dutch ISP Xtended Internet back in 1996, where he started working with FreeS/WAN IPsec in 1999 and with DNSSEC for the .nl domain in 2001.

He has been writing since 1997, when his first article about network security was published in Linux Journal. Since then, he has written mostly for the Dutch spin-off of the German "c't magazine", focusing on Linux, networking and the impact of the digital world on society. Paul is the main author of the book "Building and Integrating Virtual Private Networks with Openswan", published by Packt Publishing.

Paul has presented papers at SANS, OSA, CCC, HAL, Blackhat and Defcon, and several other smaller conferences.

He started working for Xelerance in 2003, focusing on IPsec, DNSSEC, Radius and delivering trainings.

Paul received a B.Ed Chemistry and Biology from the Noordelijke Hogeschool Leeuwarden in The Netherlands.

Patrick Naubert has been involved with network security since 1992 when he founded Resudox Online Services, one of the first ISPs in Ottawa, Canada. Patrick also co-founded Milkyway Networks in 1994, and founded Tyger Team Consultants in 1997. As part of Milkyway Networks, Patrick installed and configured hundreds of firewall systems. Patrick trained and was responsible for the support of most of Milkyway Networks' clients. As the head of Tyger Team Consultants, Patrick was continually involved in clients' vulnerability assessments and network architecture reviews.

Patrick has now joined Xelerance Corporation as their Chief Executive Officer and strives to keep the company on the straight and narrow. In his spare time, Patrick is a CISSP trainer and also teaches Windows Vulnerability Countermeasures.

Patrick graduated from Université de Sherbrooke in Canada in 1990, Bachelor of Computer Science with a Business minor. Patrick is delighted to have no criminal record at this time.



Early Bird: Ends June 30, 2006: $1800 USD
Ends July 27, 2006: $2000 USD
Begins July 28, 2006: $2100 USD

(c) 1996-2007 Black Hat