Key Aspects Reviewed During Each Stage of Licensing a Linear Accelerator
After this section, students should understand the key aspects reviewed during each stage of licensing a linear accelerator. Regulators should know where and when linear accelerators are installed, what training users have, what they are used for, how they are maintained, and how quality is managed for patient treatments. Each location must be authorized to possess and use a linear accelerator, and a policy should dictate the minimum information required for approval. An authorization is defined as granting permission for specified activities, and basic safety standards stipulate registration criteria.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
DNSSEC Operations in .gov High Assurance Domain Project Scott Rose, NIST 27thDNS-OARC Workshop San Jose CA
Topics Covered Signing algorithm usage Including algorithm rollovers DS Hash algorithms in use NSEC/NSEC3 Usage NSEC3 parameter choices and changes High Assurance Domain Project Question: Is DNSSEC being used properly in .gov? If not, what needs to be improved?
DNSSEC Deployment in .gov Holding steady at ~84% for federal, ~20% overall High Assurance Domain Project
Algorithms used in .gov 2015* 2016 2017 None RSA/SHA-1 (5) RSA/SHA-1 NSEC3 (7) RSA/SHA-256 RSA/SHA-512 ECDSAP-256** Totals 226 3919 2936 63 76 83 510 521 456 High Assurance Domain Project 525 618 603 1 5 6 0 1 1 1325 5140 4085 *Monitored list contained only federal .gov domains until 2016, when a larger list including state and local .gov delegations was published. **ECDSA with Curve P=256 was only recently allowed for upload to .gov registrar
Algorithm rollover 2015-2017 From->To 5 7 5 8 7 5 5 0 7 10 7 8 8 5 2015->2016 3 4 0 0 0 22 0 2016->2017 1 7 9 1 1 51 2 High Assurance Domain Project
DS RR Hashes Used Hash Algorithm Used Neither SHA-1 only SHA-256 only Both Number of Zones 23 114 93 915 High Assurance Domain Project (June, 2017) Technically, SHA-1 is still allowed for use in DS RRs due to the fact that the security in the DS RR is in the RRSIG over the DS RRset, not the DS RR itself. The hash in the DS RR is there to identify the DNSKEY RR in the child delegation.
NSEC3 Parameters Iterations Number of Zones per Iteration Value 600 500 Number of Zones 400 High Assurance Domain Project 300 200 100 0 1 2 5 8 10 12 15 25 50 100 Iteration Value Note: From RFC 5155 (Sec 10.4) the Iterations value SHOULD be below 500.
NSEC3 Parameters Salt Length Number of Zones for a Given Salt Value 350 300 250 Number of Zones High Assurance Domain Project 200 150 100 50 0 0 2 4 5 6 8 10 12 14 16 18 20 22 24 26 28 Salt Length
NSEC3 Usage: Changes to Salt/Iterations Changes in Salt Values and/or Number of Iterations in .gov Delegations that use NSEC3 (June 2017 Aug 2017, 968 zones monitored). NSEC3 Parameter Changes High Assurance Domain Project Operation Changed Salt Changed Iterations Num. Zones 553 20 Change Salt Change Both Change Neither Of those zones, 18 zones changed both during this period Every zone also rotated keys (even those that did not change parameter values) so it isn t always synced with ZSK rollovers Change Iter
What Should be Done? Nothing (i.e. not a problem)? Get automated NSEC3 parameter changes built into appliances? Promote best common practices? High Assurance Domain Project
