DNS Mark Kosters Carlos Martínez ARIN - LACNIC
|
|
- Sybil Walters
- 6 years ago
- Views:
Transcription
1 DNS Mark Kosters Carlos Martínez ARIN - LACNIC
2 DNS Refresher and Intro to DNS Security Extension (DNSSEC)
3 Outline Introduction DNSSEC mechanisms to establish authenticity and integrity of data Quick overview New RRs Using public key cryptography to sign a single zone Delegating signing authority ; building chains of trust Key exchange and rollovers Conclusions
4 DNS Resolving Question: A A? root-servers Resolver A? Add to cache Caching forwarder (recursive) A? go ask net X.gtld-servers.net (+ glue) gtld-servers go ask ns1.arin.net (+ glue) 6 A? 10 TTL arin-server
5 DNS: Data Flow Zone administrator Zone file 1 master 4 Caching forwarder Dynamic updates slaves resolver
6 DNS Vulnerabilities Corrupting data Zone administrator 1 Zone file Impersonating master master 4 Caching forwarder Cache impersonation Dynamic updates slaves Unauthorized updates Cache pollution by Data spoofing resolver Server protection Data protection
7 DNS Protocol Vulnerability DNS data can be spoofed and corrupted on its way between server and resolver or forwarder The DNS protocol does not allow you to check the validity of DNS data Exploited by bugs in resolver implementation (predictable transaction ID) Corrupted DNS data might end up in caches and stay there for a long time (TTL) How does a slave (secondary) knows it is talking to the proper master (primary)?
8 Motivation for DNSSEC DNSSEC protects against data spoofing and corruption DNSSEC (TSIG) provides mechanisms to authenticate servers DNSSEC (KEY/SIG/NXT) provides mechanisms to establish authenticity and integrity of data A secure DNS will be used as a public key infrastructure (PKI)
9 Now for the Meat We will be talking now how to solve cache pollution and prevent forgeries The key (pun intended) is to introduce digital signatures and public keys in DNS responses We ll describe how to just do that
10 Overview We will talk about: The problems that DNSSEC addresses The protocol and implementations Things to take into account to deploy DNSSEC The practical problems tied to real-world deployment
11 Contents Scope of the problem DNS reminders Basics of DNSSEC Deployment & operations Issues (what isn't solved) & other aspects Status of DNSSEC today
12 So what are the issues? What's the problem? DNS Cache Poisoning Forgery: respond before the intended nameserver Redirection of a domain's nameserver Redirection of NS records to another target domain DNS Hijacking Response to non-existent domains Rogue DNS servers These have been spotted in the wild code IS available...
13 What's the problem? What risks? See Dan Kaminsky's slides for the extent of the risks - MANY case scenarios MX hijacking Entire domain redirection Take a large.com offline Complete spoofing of a bank's DNS info More fun stuff A great illustrated guide
14 Refresher
15 DNS reminders ISC BIND zone file format is commonly used, and we will use this notation here. zone. SOA nsx.zone. hostmaster.zone. ( ; serial 1d ; refresh 12h ; retry 1w ; expire 1h ) ; neg. TTL zone. zone. NS NS MX A ns.zone. ns.otherzone. 5 server.otherzone
16 DNS reminders Record structure: NAME [TTL] TYPE DATA (type specific) host.zone A sub.zone MX 5 server.otherzone.
17 DNS reminders Multiple resource records with same name and type are grouped into Resource Record Sets (RRsets): mail.zone. mail.zone. MX MX 5 server1.zone. 10 server2.zone. RRset server1.zone. server1.zone. server1.zone. A A A RRset server1.zone. server1.zone. AAAA 2001:123:456::1 AAAA 2001:123:456::2 RRset server2.zone. A RRset
18 DNSSEC concepts
19 DNSSEC quick summary Data authenticity and integrity by signing the Resource Records Sets with a private key Public DNSKEYs published, used to verify the RRSIGs Children sign their zones with their private key Authenticity of that key established by signature/checksum by the parent of the (DS) delegation signer record Repeat for parent... Not that difficult on paper Operationally, it is a bit more complicated
20 DNS SECurity extensions DNSSEC overview Concepts New Resource Records (DNSKEY, RRSIG, NSEC/NSEC3 and DS) New packet options (CD, AD, DO) Setting up a Secure Zone Delegating Signing Authority Key Rollovers
21 DNSSEC concepts Changes DNS trust model from one of open and trusting to one of verifiable Extensive use of public key cryptography to provide: Authentication of origin Data integrity Authenticated denial of existence No attempt to provide confidentiality DNSSEC does not place computational load on the authoritative servers (!= those signing the zone) No modifications to the core protocol Can coexist with today's infrastructure kind of (EDNS0)
22 DNSSEC concepts Build a chain of trust using the existing delegationbased model of distribution that is the DNS Don't sign the entire zone, sign a RRset. ORG NSRC Note: the parent DOES NOT sign the child zone. The parent signs a pointer (hash) to the key used to sign the data of child zone (important!) WS
23 New Resource Records
24 Implementing the Trust Chain New resource records RRSIG: resource record signatures DNSKEY: DNS public key DS: delegation signature NSEC: denial of existence
25 New Resource Record: RRSIG Example: ~ carlosm$ dig +dnssec ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; ANSWER SECTION: 60 IN A IN RRSIG A nic.se. HeeUZ5h5iExK5uU1SuNRIf2Dbmh2/aWV8FkjmzixUzTAVrHv39PfmfnG DHdHoZxoz85hqqYiWb+t9EZh5+iqxQk8AxRDic9Nn6WxifOoWeS+IUKQ rvyqxf1ntkzvu1a325vwa8obtbevgvkhqg6bdijkyehixjlq4crofcew Izk= ;; AUTHORITY SECTION: nic.se IN NS ns3.nic.se. nic.se IN NS ns2.nic.se. nic.se IN NS ns.nic.se. nic.se IN RRSIG NS nic.se. GSzAUC3SC3D0G/iesCOPnVux8WkQx1dGbw491RatXz53b7SY0pQuyT1W eb063z62rtx7etynncjwpklytg9fembdced9af3kztjhxq6b+tpmmxyk FoKAVaV0cHTcGUXSObFquGr5/03G79C/YHJmXw0bHun5ER5yrOtOLegU IAU= 25
26 New Resource Record: DNSKEY Example: aruba:~ carlos$ DNSKEY lacnic.net. ;; Truncated, retrying in TCP mode. ;; QUESTION SECTION: ;lacnic.net. IN DNSKEY ;; ANSWER SECTION: lacnic.net IN DNSKEY AwEAAb6YDZrhzHo3gu48uNvxFpvQ/I0TvaqGlYFE9VkplBkexiXwMHfm BVZF4SU7zSBcdX23jnotHmJd6Jicbhpk0ZVXS5szwbuC2TXaifx6bTOj fd0z8/zsk62tpvgdroqvgotunkmb1ozamx2vm4q58ofxqkkzm21sceur 6KhZo+pDkUWlDgI/gPLj1MFiorN9EWjUWbfHnnwVAldD6ftZ6KmhWlxm 7ynJ4Q3Glu5BX8ySh6l5JdFNyoVltfPXrwXJ4nqEaAEmPo8Vic++V3l5 2aQIgUnLmZ6mdfOxCT/YGcMIqUaiXRA0CpOMUr+K7GIvJIVyacOzIfe0 FKV/MreaVOk= 26
27 Trust Chains How do clients verify a zone's RRSets? It queries for the corresponding DNSKEY The necessary computations are carried out and then compared with the signature in the RRSIG If they match the signatures are valid But, how can we trust the DNSKEY? It listed on the same zone we want to verify! We need to validate the trust chain 27
28 Trust Chains (ii) DS Record Delegation Signature DS records "sign" the keys in their child zones In this way one can also verify the DNSKEY as it is signed when the parent zone is signed DS records contain a hash of the public key That is a hash of the DNSKEY's record content DS records in the parent zone are signed with the keys of the parent zone To complete the full trust chain we also need the root of the DNS to be signed 28
29 New Resource Record: DS Example: ; <<>> DiG P1 DS lacnic.net. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 68 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;lacnic.net. IN DS ;; ANSWER SECTION: lacnic.net IN DS B BD70481CACDDB1D21E5B0DBC
30 Denial of Existence What happens when you ask DNS about something that does not exist? NXDOMAIN! However, in an NXDOMAIN response the ANSWER section is empty, there is nothing to sign Remember: negative answer are also cached, so they can be a DoS vector
31 Negative Responses Sample NXDOMAIN response: ; <<>> DiG P1 A holy-molly.lacnic.net. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6541 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;holy-molly.lacnic.net. IN A ;; AUTHORITY SECTION: lacnic.net IN SOA NS.lacnic.net. Hostmaster.lacnic.net
32 Signed Negative Responses Sample signed NXDOMAIN response: aruba:~ carlos$ dig A holy-molly.lacnic.net. ; <<>> DiG P1 <<>> A holy-molly.lacnic.net. ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;holy-molly.lacnic.net. IN A ;; AUTHORITY SECTION: lacnic.net IN SOA NS.lacnic.net. Hostmaster.lacnic.net lacnic.net IN RRSIG SOA lacnic.net. EMkejVSEa3CvVzA2e3ap1n7QlgVUEPonIeBH4vcWjk..(snip) lacnic.net IN NSEC 18.lacnic.net. A NS SOA MX AAAA RRSIG NSEC DNSKEY TYPE
33 Using DNSSEC
34 Response Validation Signing zones is just half of the picture For DNSSEC to be actually useful, responses need to be validated This is the job of the recursive DNS servers Validation is usually just a configuration switch Need to make sure the root zone key is installed
35 Security Status of Data (RFC ) Secure Resolver is able to build a chain of signed DNSKEY and DS RRs from a trusted security anchor to the RRset Insecure Resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset Bogus Resolver believes that it ought to be able to establish a chain of trust but for which it is unable to do so May indicate an attack but may also indicate a configuration error or some form of data corruption Indeterminate Resolver is not able to determine whether the RRset should be signed
36 DNSSEC: new fields Updates DNS protocol at the packet level Non-compliant DNS recursive servers should ignore these: CD: Checking Disabled (ask recursing server to not perform validation, even if DNSSEC signatures are available and verifiable, i.e.: a Secure Entry Point can be found) AD: Authenticated Data, set on the answer by the validating server if the answer could be validated, and the client requested validation A new EDNS0 option DO: DNSSEC OK (EDNS0 OPT header) to indicate client support for DNSSEC options
37 Thank You
38 Signing a zone...
39 Enabling DNSSEC Multiple systems involved Stub resolvers Nothing to be done... but more on that later Caching resolvers (recursive) Enable DNSSEC validation Configure trust anchors manually, or use DLV Authoritative servers Enable DNSSEC logic (if required) Signing & serving need not be performed on same machine Signing system can be offline
40 Signing the zone 1. Generate keypairs 2. Include public DNSKEYs in zone file 3. Sign the zone using the secret key ZSK 4. Publishing the zone 5. Push DS record up to your parent 6. Wait...
41 # Generate ZSK 1. Generating the keys dnssec-keygen -a rsasha1 -b n ZONE myzone # Generate KSK dnssec-keygen -a rsasha1 -b n ZONE -f KSK myzone This generates 4 files: Kmyzone.+005+id_of_zsk.key Kmyzone.+005+id_of_zsk.private Kmyzone.+005+id_of_ksk.key Kmyzone.+005+id_of_ksk.private
42 2. Including the keys into the zone Include the DNSKEY records for the ZSK and KSK into the zone, to be signed with the rest of the data: cat Kmyzone*key >>myzone or add to the end of the zone file: $INCLUDE Kmyzone.+005+id_of_zsk.key $INCLUDE Kmyzone.+005+id_of_ksk.key
43 Sign your zone 3. Signing the zone # dnssec-signzone myzone dnssec-signzone will be run with all defaults for signature duration, the serial will not be incremented by default, and the private keys to use for signing will be automatically determined. Signing will: Sort the zone (lexicographically) Insert: NSEC records RRSIG records (signature of each RRset) DS records from child keyset files (for parent) Generate key-set and DS-set files, to be communicated to the parent
44 3. Signing the zone (2) Since version 9.7.0, BIND can automatically sign/re-sign your zone Makes life much easier Key generation, management & rollover still needs to be done separately
45 4. Publishing the signed zone Publish signed zone by reconfiguring the nameserver to load the signed zonefile.... but you still need to communicate the DS RRset in a secure fashion to your parent, otherwise no one will know you use DNSSEC
46 5. Pushing DS record to parent Need to securely communicate the KSK derived DS record set to the parent RFCs 4310, but what if your parent isn't DNSSEC-enabled?
47 Enabling DNSSEC in the resolver Configure forwarding resolver to validate DNSSEC not strictly necessary, but useful if only to verify that your zone works Test... Remember, validation is only done in the resolver.
48 Summary Generating keys Signing and publishing the zone Resolver configuration Testing the secure zone Questions so far?
49 DATA So, what does DNSSEC protect? MASTER zone file (text, DB) STUB resolver caching resolver (recursive) Zone Transfer dynamic updates SLAVES ATTACK VECTORS man in the middle cache poisoning modified data spoofing master (routing/dos) spoofed updates corrupted data (TSIG) PROTECTION BY DNSSEC
50 What doesn't it protect? Confidentiality The data is not encrypted Communication between the stub resolver (i.e: your OS/desktop) and the caching resolver. For this, you would have to use TSIG, SIG(0), or you will have to trust your resolver It performs all validation on your behalf
51 Why the long timeframe? Many different reasons... It's complicated. Not much best practice. More and more tools are appearing. Operational experience is the keyword. Risks of failure (failure to sign, failure to update) which will result in your zone disappearing Specification has changed several times since the 90s NSEC Allows for zone enumeration. Until Kaminsky, DNSSEC looked like a solution looking for a problem Delay in getting the root signed (politics)
52 Thank You
53 Thank you!
DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and
More informationDNSSEC deployment. Phil Regnauld Hervey Allen
DNSSEC deployment Phil Regnauld Hervey Allen Overview We will talk about: the problems that DNSSEC addresses the protocol and implementations the practical problems tied to real-world deployment We will
More informationAn Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
More informationRoot Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationScott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University
Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More informationLab 6 Implementing DNSSEC
Lab 6 Implementing DNSSEC Objective: Deploy DNSSEC-signed zones. Background DNSSEC (or DNS Security Extensions) provide security to the zone files. Note: In the steps below, we are using myzone.net - our
More informationDNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationBy Paul Wouters
By Paul Wouters Overview presentation Theory of DNSSEC Using bind with DNSSEC Securing Ò.nlÓ with SECREG Securing Ò.orgÓ with VerisignLabs Deploying DNSSEC on large scale Audience participation
More informationDNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationImplementing DNSSEC with DynDNS and GoDaddy
Implementing DNSSEC with DynDNS and GoDaddy Lawrence E. Hughes Sixscape Communications 27 December 2017 DNSSEC is an IETF standard for adding security to the DNS system, by digitally signing every resource
More informationTable of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification
Table of Contents DNS security Karst Koymans Informatics Institute University of Amsterdam (version 1.19, 2011/09/27 14:18:11) Friday, September 23, 2011 The long (and winding) road to the DNSSEC specification
More informationUnderstanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017
Understanding and Deploying DNSSEC Champika Wijayatunga SANOG29 - Pakistan Jan 2017 Agenda 1 2 3 Background Why DNSSEC? How it Works? 4 5 Signatures and Key Rollovers DNSSEC Demo 2 3 Background DNS in
More informationDNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam
DNS security Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Tuesday, September 18, 2012 Karst Koymans & Niels Sijm (UvA) DNS security Tuesday, September 18, 2012 1 / 38 1 Chain
More informationDNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr
DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and
More informationAssessing and Improving the Quality of DNSSEC
Assessing and Improving the Quality of DNSSEC Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia
More informationToward Unspoofable Network Identifiers. CS 585 Fall 2009
Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software
More informationDNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet
DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring
More informationBIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium
BIND-USERS and Other Debugging Experiences Mark Andrews Internet Systems Consortium Mark_Andrews@isc.org http://isc.org BIND-USERS and Other Debugging Experiences We will look at some typical debugging
More informationDNSSEC in Switzerland 2 nd DENIC Testbed Meeting
DNSSEC in Switzerland 2 nd DENIC Testbed Meeting Frankfurt, 26. January 2010 Samuel Benz samuel.benz@switch.ch About SWITCH The SWITCH foundation operates the national research network since 1987 SWITCH
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationNetwork Working Group
Network Working Group R. Arends Request for Comments: 4035 Telematica Instituut Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein 3755, 3757, 3845 ISC Updates: 1034, 1035, 2136, 2181, 2308, 3225,
More informationRSA and ECDSA. Geoff Huston APNIC. #apricot2017
RSA and ECDSA Geoff Huston APNIC It s all about Cryptography Why use Cryptography? Public key cryptography can be used in a number of ways: protecting a session from third party eavesdroppers Encryption
More informationA Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationThis time. Digging into. Networking. Protocols. Naming DNS & DHCP
This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But they re pretty useless for humans! Can t be expected to pick their own IP address Can t be
More informationDNS SECurity Extensions technical overview
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts
More information12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS
12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC chain of trust DNSSEC
More informationExpires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004
DNS Extensions Internet-Draft Expires: November 15, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004 Protocol Modifications for the DNS
More informationTable of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
More informationAuthoritative-only server & TSIG
Authoritative-only server & TSIG cctld workshop Apia, Samoa,20 23 June 2006 Andy Linton (Materials by Alain Aina) Different type of servers Several types of name servers Authoritative servers master (primary)
More informationHands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016
Hands-on DNSSEC with DNSViz Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016 Preparation Demo and exercises available at: http://dnsviz.net/demo/ Includes links to the following: VirtualBox
More informationTWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) Why do we need DNSSEC? Many application depend on DNS DNS is not secure. There are known vulnerabilities
TWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) TWCERT/CC 陳宗裕 Why do we need DNSSEC? Many application depend on DNS DNS is not secure There are known vulnerabilities DNSSEC protect against data spoofing and corruptions
More informationSecuring Domain Name Resolution with DNSSEC
White Paper Securing Domain Name Resolution with DNSSEC diamondip.com by Timothy Rooney Product management director BT Diamond IP Resolution with DNSSEC Introduction By Tim Rooney, Director, Product Management
More informationDomain Name System Security
Slide title 70 pt APITALS Domain Name System Security e subtitle um 30 pt Bengt Sahlin Ericsson Research NomadicLab Bengt.Sahlin@ericsson.com Objectives Provide DNS basics, essential for understanding
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot September 2010 Bengt Sahlin 2011/09/27 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationSession J9: DNSSEC and DNS Security
Session J9 and Security InfoSec World 2008 Session J9: and Security Steve Pinkham, Maven Security Consulting What is? slide 2 Easy answer: Stands for Domain Name System System for converting names to/from
More informationCSC 574 Computer and Network Security. DNS Security
CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) A primer on routing Routing Problem: How do Alice s messages
More informationSome Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution
SYSADMIN DNSSEC Sergey Ilin, Fotolia Trusted name resolution with DNSSEC CHAIN OF TRUST Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.
More informationDNSSEC Basics, Risks and Benefits
DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning
More informationExpires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003
DNS Extensions Internet-Draft Expires: June 16, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003 Protocol Modifications for the DNS
More information2017 DNSSEC KSK Rollover. DSSEC KSK Rollover
2017 DNSSEC KSK Rollover 2017 Edward Lewis DSSEC KSK Rollover APNIC 44 Edward.Lewis@icann.org FIRST TC September 11, 2017 13 September 2017 DNSSEC Signing vs. Validation DNS Security Extensions Digital
More informationThe State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang
The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang 1 Monitoring Shows What s Working and What needs Work DNS operations must already deal with widespread
More informationDNSSECbis Lookaside Validation. Peter Losher Internet Systems Consortium (November 2006)
DNSSECbis Lookaside Validation Peter Losher Internet Systems Consortium (November 2006) Topics Introduction DNS Delegation and Resolution DNSSECbis Data and Traversal DLV Overview
More informationDNS Security. APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga
DNS Security APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga 2 Brief Overview of DNS What is the Domain Name System? A distributed database primarily used to obtain
More informationDNSSEC HOWTO. A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, $Revision: $
DNSSEC HOWTO A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, 2004 $Revision: 1.4.4.8 $ For review only, do not redistribute. DNSSEC HOWTO A Tutorial in Disguise. This
More informationDNSSEC Basics, Risks and Benefits
DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning
More informationDNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011
DNSSEC at ORNL Paige Stafford Joint Techs Conference, Fairbanks July 2011 Outline Background Brief review of DNSSEC ORNL before DNSSEC was implemented Implementation experience Signer appliance Validation
More informationTHE BRUTAL WORLD OF DNSSEC
THE BRUTAL WORLD OF DNSSEC Patrik Fältström Head of Technology Netnod 1 Security Issues with DNS Zone Administrator Bad Data False Master Caching Resolver Zonefile Master Slave slave slave False Cache
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationDENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:
More informationCS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017
CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 Background Motivation Overview Network Infrastructure Security DNS and DNS Vulnerabilities The DNS Security Extensions
More informationTroubleshooting DNSSEC Visually
Troubleshooting DNSSEC Visually Sandia National Laboratories is a multi-program laboratory operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin company, for the U.S. Department
More informationDocumentation. Name Server Predelegation Check
Name Server Predelegation Check Doc. version: 1.4.1 Doc. status: Final Doc. date: 01.12.2015 Doc. name: Name Server Predelegation Check- -DNS Services-V1.4.1-2015-12-01 Copyright 2015 DENIC eg Imprint
More informationDNSSEC for ISPs workshop João Damas
DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Outline of workshop Brief intro to DNSSEC Overview of zone signing DNSSEC validation trust anchors validation impact of enabling validation debugging
More informationOutline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016
Networks and Communication Department NET 412 NETWORK SECURITY PROTOCOLS Lecture 7: DNS Security 2 Outline Part I: DNS Overview of DNS DNS Components DNS Transactions Attack on DNS Part II: DNS Security
More informationPacket Traces from a Simulated Signed Root
Packet Traces from a Simulated Signed Root Duane Wessels DNS-OARC DNS-OARC Workshop Beijing, China November 2009 Background We know from active measurements that some DNS resolvers cannot receive large
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot October 2008 Bengt Sahlin 2008/10/02 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationDNSSEC at Penn. Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Conference July 20th 2009
DNSSEC at Penn Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Conference July 20th 2009 1 DNSSEC at a glance DNS Security Extensions A system to verify the authenticity of DNS data
More informationMAGPI: Advanced Services IPv6, Multicast, DNSSEC
MAGPI: Advanced Services IPv6, Multicast, DNSSEC Shumon Huque MAGPI GigaPoP & Univ. of Pennsylvania MAGPI Technical Meeting April 19th 2006, Philadelphia, PA 1 Outline A description of advanced services
More informationDomain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi
Domain Name System (DNS) Session-1: Fundamentals Joe Abley AfNOG Workshop, AIS 2017, Nairobi Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved
More informationpage 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016
page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, 10-14 October 2016 page 2 IP: Identifiers on the Internet The fundamental identifier on the internet is an IP address. Each host connected
More informationIs your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018
lieter_ PowerDNS pieterlexis PowerDNS Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018 1 What s all this about? A DNS recap What is EDNS? Issues with EDNS on the internet
More informationSecSpider: Distributed DNSSEC Monitoring and Key Learning
SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From
More informationManaging Authoritative DNS Server
This chapter explains how to set the Authoritative DNS server parameters. Before you proceed with the tasks in this chapter, read Managing Zones which explains how to set up the basic properties of a primary
More informationSOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION
SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION Step-by-Step DNS Security Operator Guidance Document (Version 1.0) [Using the BIND-9.3.0 (or later) distribution] 1 December
More informationDNS. Introduction To. everything you never wanted to know about IP directory services
Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007 what is the domain name system anyway? it's like a phone book...kinda DNS is (1)
More informationDNS Security DNSSEC. *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi
DNS Security DNSSEC *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html 1 IT352 Network Security Najwa AlGhamdi Introduction DNSSEC is a security extensions to the DNS protocol in response to the
More informationGoal of this session
DNS refresher Overview Goal of this session What is DNS? How is DNS built and how does it work? How does a query work? Record types Caching and Authoritative Delegation: domains vs zones Finding the error:
More informationOverview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly
Last Lecture Overview Scheduled tasks and log management This Lecture DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly Next Lecture Address assignment (DHCP) TELE 301 Lecture 11: DNS 1 TELE
More informationRoot Zone DNSSEC KSK Rollover. DSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 2017 Edward Lewis DSSEC KSK Rollover ENOG 15 Edward.Lewis@icann.org FIRST TC September 11, 2017 5 June 2018 The Basics This talk is related to the Domain Name System, in particular,
More informationDNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46
DNS dr. C. P. J. Koymans Informatics Institute University of Amsterdam September 16, 2008 dr. C. P. J. Koymans (UvA) DNS September 16, 2008 1 / 46 DNS and BIND DNS (Domain Name System) concepts theory
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017
Internet Engineering Task Force (IETF) Request for Comments: 8109 BCP: 209 Category: Best Current Practice ISSN: 2070-1721 P. Koch DENIC eg M. Larson P. Hoffman ICANN March 2017 Initializing a DNS Resolver
More informationDNSSEC. Training Course
DNSSEC Training Course Training Services RIPE NCC March 2017 Schedule 09:00-09:30 11:00-11:15 13:00-14:00 15:30-15:45 17:30 Coffee, Tea Break Lunch Break End 2 Introduction Name Number on the list Experience
More informationTable of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS.
Table of Contents Specification and implementation DNS dr. C. P. J. Koymans Informatics Institute University of Amsterdam September 14, 2009 A short history of DNS Root servers Basic concepts Delegation
More information3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,
3. The DNSSEC Primer Authentication (keys, signatures) Data Integrity (hashes) Chain of Trust (root zone, when signed) Authenticated Denial of Existence (NSEC, NSEC3) DNS Authoritative ROOT SERVERS TLD
More informationDNSSEC Operational HOWTO. Contents. Olaf M. Kolkman. RIPE NCC November 12, 2002 Revision : 1.3. I DNSSEC Tutorial 4
DNSSEC Operational HOWTO. Olaf M. RIPE NCC November 12, 2002 Revision : 1.3 Contents 1 Introduction 3 1.1 On this document.......................... 3 1.2 State of DNSSEC........................... 4 I
More informationKeeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson
Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson olafur@cloudflare.com How long does it take to? Post a new selfie on Facebook and all your friends to be notified few seconds
More informationDNS. Karst Koymans & Niels Sijm. Friday, September 14, Informatics Institute University of Amsterdam
DNS Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Friday, September 14, 2012 Karst Koymans & Niels Sijm (UvA) DNS Friday, September 14, 2012 1 / 32 1 DNS on the wire 2 Zone transfers
More informationSecured Dynamic Updates
Secured Dynamic Updates Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 Snapshot code is available for this BIND 9.2 can perform most of the dynamic update
More informationDEPLOY A DNS SERVER IN A SECURE WAY
DEPLOY A DNS SERVER IN A SECURE WAY BIND (Berkeley Internet Name Domain) is one of the more widely used DNS servers. This article guides readers on how to deploy a BIND DNS server in a secure way by implementing
More information1 Release Notes for BIND Version b1
1 Release Notes for BIND Version 9.12.0b1 1.1 Introduction BIND 9.12.0 is a new feature release of BIND, still under development. This document summarizes new features and functional changes that have
More informationCIRA DNSSEC PRACTICE STATEMENT
CIRA DNSSEC PRACTICE STATEMENT 1. Introduction This DNSSEC Practice Statement ( DPS ) is a statement of security practices and provisions made by the Canadian Internet Registration Authority (CIRA). These
More informationRoot Zone DNSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 51 51 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root Zone DNSSEC Key
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice. Parsons November 2016
Internet Engineering Task Force (IETF) Request for Comments: 8027 BCP: 207 Category: Best Current Practice ISSN: 2070-1721 W. Hardaker USC/ISI O. Gudmundsson CloudFlare S. Krishnaswamy Parsons November
More informationI certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?
RRSIG: I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist? NSEC: I certify that there are no DNS records (of type X) whose record
More informationDNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A
DNS Review Quiz Match the term to the description: C B A Level: Domain name DNS zone Delegation Descriptions: A. Transfer of authority for/to a subdomain B. A set of names under the same authority (ie.com
More informationThe impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net
The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net Olaf M. Kolkman Question What would be the immediate and initial effect on memory, CPU and bandwidth resources if we were to deploy DNSSEC
More informationDNSSEC for Humans and BIND 10. Paul Vixie Internet Systems Consortium June 9, 2011
DNSSEC for Humans and BIND 10 Paul Vixie Internet Systems Consortium June 9, 2011 Agenda BIND and DNSSEC Why do I want DNSSEC? Why DNSSEC for Humans? BIND 9.7 Features More DNSSEC for Humans Why BIND 10?
More informationDNS. Some advanced topics. Karst Koymans. Informatics Institute University of Amsterdam. (version 17.2, 2017/09/25 12:41:57)
DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 17.2, 2017/09/25 12:41:57) Friday, September 22, 2017 Karst Koymans (UvA) DNS Friday, September 22, 2017 1
More informationAPNIC DNSSEC APNIC DNSSEC. Policy and Practice Statement. DNSSEC Policy and Practice Statement Page 1 of 12
APNIC DNSSEC Policy and Practice Statement DNSSEC Policy and Practice Statement Page 1 of 12 Table of Contents Overview 4 Document name and identification 4 Community and applicability 4 Specification
More informationRolling the Root KSK. Geoff Huston. APNIC Labs. September 2017
Rolling the Root KSK Geoff Huston APNIC Labs September 2017 Will this break the Internet? Why? If we stuff up this trust anchor key roll then resolvers that perform DNSSEC validation will fail to provide
More informationGDS Resource Record: Generalization of the Delegation Signer Model
GDS Resource Record: Generalization of the Delegation Signer Model Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, France {gilles.guette, bernard.cousin, david.fort}@irisa.fr
More informationDefeating DNS Amplification Attacks. UKNOF Manchester Central, UK January Ralf Weber Senior Infrastructure Architect
Defeating DNS Amplification Attacks UKNOF Manchester Central, UK January 21 2014 Ralf Weber Senior Infrastructure Architect History of DNS Amplification DNS amplification attacks aren't new Periodically
More informationSome advanced topics. Karst Koymans. Tuesday, September 16, 2014
DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 44, 2014/09/15 08:39:47) Tuesday, September 16, 2014 Karst Koymans (UvA) DNS Tuesday, September 16, 2014 1
More informationTable of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.
Table of Contents Specification and implementation DNS Karst Koymans Informatics Institute University of Amsterdam (version 1.11, 2010/10/04 10:03:37) Tuesday, September 14, 2010 A short history of DNS
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationA paper on DNSSEC - NSEC3 with Opt-Out
A paper on DNSSEC - NSEC3 with Opt-Out DNSSEC A Way Forward for TLD Registries Method for faster adoption of DNSSEC Providing greater security with minimal impact on customers, registries and Zone Management
More information