DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Similar documents
Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

A Security Evaluation of DNSSEC with NSEC Review

DNS SECurity Extensions technical overview

Domain Name System Security

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

Domain Name System Security

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Domain Name System Security

Toward Unspoofable Network Identifiers. CS 585 Fall 2009

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status

Internet Engineering Task Force (IETF) Request for Comments: 6725 Category: Standards Track August 2012 ISSN:

Algorithm for DNSSEC Trusted Key Rollover

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

DNSSEC All You Need To Know To Get Started

Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017

DNS Security DNSSEC. * zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

Securing Domain Name Resolution with DNSSEC

Implementing DNSSEC with DynDNS and GoDaddy

Domain Name System (DNS)

Deploying New DNSSEC Algorithms

DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

Root Zone DNSSEC KSK Rollover

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

SecSpider: Distributed DNSSEC Monitoring and Key Learning

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

Less is More Cipher-Suite Negotiation for DNSSEC

By Paul Wouters

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification

Documentation. Name Server Predelegation Check

Web Security. Mahalingam Ramkumar

THE BRUTAL WORLD OF DNSSEC

Session J9: DNSSEC and DNS Security

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

DNS Security. * pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

Development of DNS security, attacks and countermeasures

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

DOMAIN NAME SECURITY EXTENSIONS

DNSSEC deployment. Phil Regnauld Hervey Allen

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam

GDS Resource Record: Generalization of the Delegation Signer Model

Assessing and Improving the Quality of DNSSEC

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

DS TTL shortening experience in.jp

DNS Security. APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga

Network Working Group Request for Comments: 5702 Category: Standards Track October 2009

DNSSEC for ISPs workshop.! João Damas

CSC 574 Computer and Network Security. DNS Security

Request for Comments: 3007 Updates: 2535, 2136 November 2000 Obsoletes: 2137 Category: Standards Track. Secure Domain Name System (DNS) Dynamic Update

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

Network Working Group

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

That KSK Roll. Geoff Huston APNIC Labs

RIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

DNSSEC for ISPs workshop João Damas

DNSSEC Basics, Risks and Benefits

The ISP Column A column on various things Internet. DNSSEC and DNS over TLS. August 2018 Geoff Huston

The Performance of ECC Algorithms in DNSSEC: A Model-based Approach

Computer Security CS 426

Ad-hoc trust associations with Trust Anchor Repositories

Network Working Group. Category: Informational November 2007

More on DNS and DNSSEC

Seamless transition of domain name system (DNS) authoritative servers

Ebook: DNS FUNDAMENTALS. From a Technical Dow Street, Manchester, NH USA

DNSSEC the.se way: Overview, deployment and lessons learned. Anne-Marie Eklund Löwinder Quality & Security Manager

New Challenges and Dangers for the DNS. Jim Reid ORIGIN TIS-INS

Hands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016

Lab 6 Implementing DNSSEC

CNT Computer and Network Security: DNS Security

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

A paper on DNSSEC - NSEC3 with Opt-Out

DNSSEC Basics, Risks and Benefits

DNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011

DNSSEC Policy and Practice Statement. Anne-Marie Eklund Löwinder Quality and Security Manager

Network Security Part 3 Domain Name System

CIRA DNSSEC PRACTICE STATEMENT

Facilitating Secure Internet Infrastructure

Transcription:

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10

Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC 4. How to find the signer's public DNS key 5. DNS lookup: Recursive name servers 6. DNSSEC deployment 2/10

1. Security problems of DNS (1/3) DNS is vulnerable to a number of attacks. The attacks are usually targeted at misdirecting a client to a malicious server under the control of the attacker. Some attacks are now difficult to conduct since DNS servers like BIND fixed the software. Still, DNS is too important thus warranting the need for cryptographic protection against poisoning and spoofing. Unrelated data attack DNS cache poisoning Related data attack Client misdirection DNS spoofing DNS ID hacking Can be done by... 3/10

1. Security problems of DNS (2/3) DNS Cache Poisoning: Inject false information into a DNS server's or a client's DNS cache. DNS spoofing: In a DNS spoofing attack, an attacker pretends to be a real DNS server and sends a spoofed DNS answer back to the requestor (either a DNS server or a DNS client). The spoofed answer contains a false mapping of the requested name to IP address. DNS ID hacking: Spoofing requires to match the DNS answer ID with the DNS request ID (DNS transaction ID). Thus the attacker must either intercept the DNS request message or "estimate" the DNS transaction ID in the spoofed response (e.g. in Windows XP the DNS ID is monotonically increasing!). DNS Client Attacker DNS Server DNS request, DNS ID = 0x0044 Spoofed response, DNS ID = 0x0044 Legitimate response, DNS ID = 0x0044 4/10

1. Security problems of DNS (3/3) Unrelated data attack: In an unrelated data attack, the attacker sends back an answer to the query question, but adds additional and unrelated IP name mappings to misdirect the client to a malicious site. DNS Client Attacker DNS request, question: www.indigoo.com Answer 1: www.indigoo.com=85.10.192.4 Answer 2: www.mybank.com=1.2.3.4 (unrelated to request question) Related data attack: A related data attack is similar to an unrelated attack with the difference that the attacker sends extra information related to the query question such as spoofed MX, NS or CNAME records. Example question: www.indigoo.com Spoofed response with unrelated data: www.indigoo.com. 1D IN NS www.attacker.com www.attacker.com. 1D IN A 1.2.3.4 5/10

2. Solutions for securing DNS TSIG and SIG(0) are older solutions for securing DNS. DNSSEC is a comprehensive approach for securing DNS (secure DNS database as well as DNS queries). It is expected that DNSSEC will become the standard solution for securing DNS. Protocol RFC Protection of transfer of DNS record Protection of DNS database Built-in PKI (automated key distribution) Hash algorithms Comment TSIG RFC2845 Yes No No, but TKEY (RFC2930) adds Diffie- Helman to TSIG RSAMD5 RSASHA1 RSASHA256 SIG(0) RFC2931 Yes No No RSAMD5 RSASHA1 RSASHA256 DNSSEC RFC4033 RFC4034 RFC4035 Yes Yes Yes RSAMD5 DH ECC RSASHA1 Based on MAC (Message Authentication Code). Used for protecting zone transfers (widely used). No levels of authority (every host with the secret key may update a DNS record). Not widely used. Uses digital signature instead of MAC. Used to secure DNS transactions as well as the DNS database. 6/10

3. Security with DNSSEC DNSSEC adds a digital signature to the answer records. Answer records RRSIG Answer records (A, AAAA, NS, MX etc.) RRSIG (Resource Record Signature) that verifies the answer records DNS answer packet DNS server signing process: DNS resolver verification: Answer records Hash function Hash 101011... Answer records Hash function Hash 101011... RRSIG Additional info (expiry date etc.) Signer's private key Encryption function Signature 110010... RRSIG Decryption function Hash 101011... Signer's public key? = 7/10

4. How to find the signer's public DNS key An authentication chain leads from root to leaf-domain. Each level contains DS records that reference / point to DNSKEY records in a subdomain. N.B.: The parent domain is authoritative for its subdomains. The starting point of the chain of trust is an anchor point (known good public key = trust anchor). Resolver's "built-in" public key of domain root Verifies Verifies DS record DNSKEY record DS record Domain root Designated Signer (or Delegation Signer) Record References and verifies a DNSKEY record in the delegated zone (verification through hashing function). Subdomain, e.g..ch Designated Signer Record References and verifies a DNSKEY record in the delegated zone (verification through hashing function). Verifies DNSKEY record DS record Subdomain, e.g. hsz-t.ch Designated Signer Record 8/10

5. DNS lookup: Recursive name servers Standard setup where only name servers (e.g. ISP name servers) are security-aware. DNS clients are not security aware (simpler deployment, no trust anchors required in client). TLD: NS: DO: Top Level Domain Name Server "DNSSEC OK" flag Security aware DNS Client ISP NS hsz-t.ch NS.ch NS Root NS resolver DNS query for www.hsz-t.com Request.ch-DS record, DO=1.ch-DS record +.ch-ns record Verify.ch-DS record with "built-in" public root key Request hsz-t.ch-ds + hsz-t.ch-dnskey hsz-t.ch-ds + hsz-t.ch-dnskey + hsz-t.ch-ns Verify hsz-t.ch-dnskey with.ch-ds, verify hsz-t.ch-ds with hsz-t.ch-dnskey Request www.hsz-t.ch www.hsz-t.ch answer with RRSIG record DNS answer: www.hsz-t.ch = 193.5.54.123 Verify RRSIG record with hsz-t.ch-dnskey, verify answer with RRSIG record 9/10

6. DNSSEC deployment As of 2013 DNSSEC is not (yet) widely deployed, but since the root zone has been signed in 2010, DNSSEC deployment is gradually picking up speed. Deployment see https://labs.ripe.net/members/wnagele/dnssec-deployment-today Problems that prevent fast deployment: 1. "Bootstrap" problem: DNSSEC requires a certain level of deployment to deliver an increase in security. But as long this level is not reached, people will not see a benefit and thus not deploy DNSSEC ("chicken and egg problem"). 2. Complexity: DNSSEC is (as many security protocols) rather complex (defined in multiple RFCs). 3. DNS server load: DNSSEC puts additional load on DNS servers (hashing, encryption / decryption). 10/10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback