DNSSEC Basics, Risks and Benefits

Similar documents
DNSSEC Basics, Risks and Benefits

DNS Related Activities at the RIPE NCC

DNSSEC All You Need To Know To Get Started

TWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) Why do we need DNSSEC? Many application depend on DNS DNS is not secure. There are known vulnerabilities

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Risks and Security for the Domain Name System

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Algorithm for DNSSEC Trusted Key Rollover

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

DNS Activity at IETF65

A Security Evaluation of DNSSEC with NSEC Review

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

Protecting Privacy: The Evolution of DNS Security

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

Domain Name System Security

DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

CSC 574 Computer and Network Security. DNS Security

GDS Resource Record: Generalization of the Delegation Signer Model

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

SecSpider: Distributed DNSSEC Monitoring and Key Learning

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification

E. Lewis ARIN September 23, KEY RR Secure Entry Point Flag draft-ietf-dnsext-keyrr-key-signing-flag-09. Status of this Memo

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Network Working Group

Stichting NLnet Labs NLnet Labs

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

Toward Unspoofable Network Identifiers. CS 585 Fall 2009

Domain Name System Security

DISI Update. Olaf Kolkman, Henk Uijterwaal & Daniel Karrenberg. Olaf M. Kolkman. RIPE 46, Amsterdam, September

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

Some Lessons Learned from Designing the Resource PKI

Domain Name System Security

How to get a trustworthy DNS Privacy enabling recursive resolver

Assessing and Improving the Quality of DNSSEC

DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

DNS Security DNSSEC. * zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

DNSSEC Deployment Issues

By Paul Wouters

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

DOMAIN NAME SECURITY EXTENSIONS

Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

DNSSEC Validators Requirements

CSE Computer Security

DNSSEC for the Root Zone. NZNOG Hamilton, NZ January 2010

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

Six Roles for Early Introduction of DNSSEC

DNSSEC for the Root Zone. IETF 76 Hiroshima November 2009

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

DNSSEC for the Root Zone. IETF 76 8 November 2009

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

Chapter 19. Domain Name System (DNS)

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

Based on material produced by among others: Sanjay Pol, Ashok Ramaswami, Jim Fenton and Eric Allman

Security Impact of DNS Delegation Structure and Configuration Problems

ICS 351: Today's plan. HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol

DNSSEC for the Root Zone. ICANN 37 Nairobi March 2010

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

More on DNS and DNSSEC

Updates: 2535 November 2003 Category: Standards Track

CS System Security Mid-Semester Review

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Facilitating Secure Internet Infrastructure

DNSSEC deployment. Phil Regnauld Hervey Allen

Session J9: DNSSEC and DNS Security

Introduction to the DANE Protocol And Updates From IETF 88

Securing Domain Name Resolution with DNSSEC

UMSSIA DAY VI: ARE WE THERE YET?

DNS Security. Wolfgang Nagele DNS Group Manager

Seamless transition of domain name system (DNS) authoritative servers

Web Security. Mahalingam Ramkumar

Internet Engineering Task Force (IETF) Category: Informational October 2011 ISSN:

Security Using Digital Signatures & Encryption

DNS and cctld Management. Save Vocea and Champika Wijayatunga Apia Samoa July 2015

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Network Working Group. Category: Informational November 2007

6 March 2012

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution

CS System Security 2nd-Half Semester Review

DANE, why we need it. Daniel Stirnimann Bern, 29. March SWITCH 1

DNS Security. Wolfgang Nagele DNS Services Manager

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

COURSE OUTLINE MOC : PLANNING AND ADMINISTERING SHAREPOINT 2016

Public-Key Infrastructure NETS E2008

The ISP Column A column on various things Internet. DNSSEC and DNS over TLS. August 2018 Geoff Huston

Transcription:

DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net

This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future

DNS: Data Flow Registry/Registrar Provisioning Zone administrator Zone file 1 master 4 Caching forwarder Dynamic updates 2 3 slaves 5 resolver

DNS Vulnerabilities Registry/Registrar Provisioning Zone administrator Zone file 1 Impersonating master master 4 Caching forwarder Cache impersonation Corrupting data 2 Dynamic updates 3 slaves Unauthorized updates Cache pollution by Data spoofing Altered zone data 5 resolver

DNS exploit example Mail gets delivered to the MTA listed in the MX RR. Man in the middle attack. Resolver MX RR Blackhat MTA MX RR? MX RR Sending MTA Receiving MTA

Mail man in the middle Ouch that mail contained stock sensitive information Who per default encrypts all their mails? We ll notice when that happens, we have log files You have to match address to MTA for each logline.

Other possible DNS targets SPF, DomainKey and family Technologies that use the DNS to mitigate spam and phishing: $$$ value for the black hats StockTickers, RSS feeds Usually no source authentication but supplying false stock information via a stockticker and via a news feed can have $$$ value ENUM Mapping telephone numbers to services in the DNS As soon as there is some incentive

signing DEPLOYMENT NOW DNS server infrastructure related APP STUB Protocol spec is clear on: Signing Serving Validating serving validating Implemented in Signer Authoritative servers Security aware recursive nameservers

improvement Main Problem Areas the last mile Key management and key distribution NSEC walk

The last mile validating APP STUB How to get validation results back to the user The user may want to make different decisions based on the validation result Not secured Time out Crypto failure Query failure From the recursive resolver to the stub resolver to the Application

Problem Area signing validating APP STUB Key Management Keys need to propagate from the signer to the validating entity The validating entity will need to trust the key to trust the signature. Possibly many islands of security

Secure Islands and key management. money.net. net. kids.net. com. os.net. corp dev market dilbert geerthe marnick mac unix nt

Secure Islands Server Side Different key management policies for all these islands Different rollover mechanisms and frequencies Client Side (Clients with a few to 10, 100 or more trust-anchors) How to keep the configured trust anchors in sync with the rollover Bootstrapping the trust relation

NSEC walk The record for proving the non-existence of data allows for zone enumeration Providing privacy was not a requirement for DNSSEC Zone enumeration does provide a deployment barrier Work starting to study possible solutions Requirements are gathered If and when a solution is developed it will be coexisting with DNSSEC-BIS!!! Until then on-line keys will do the trick.

Current work in the IETF (a selection based on what fits on one slide) Last Mile draft-gieben-resolver-application-interface Key Rollover draft-ietf-dnsext-dnssec-trustupdate-timers draft-ietf-dnsext-dnssec-trustupdate-treshold Operations draft-ietf-dnsop-dnssec-operations NSEC++ draft-arends-dnsnr draft-ietf-dnsext-nsec3 draft-ietf-dnsext-trans

Questions??? or send questions and feedback to olaf@ripe.net

Questions??? Can t one mitigate those threads you mentioned using SSL? or send questions and feedback to olaf@ripe.net

Mitigate by deploying SSL? Claim: SSL is not the magic bullet (Neither is DNSSEC) Problem: Users are offered a choice happens to often users are not surprised but annoyed Not the technology but the implementation and use makes SSL vulnerable Examples follow

Example 1: mismatched CN www.robecoadvies.nl www.robecodirect.nl

Example 2: Unknown CA Unknown Certificate Authority

Confused?

How does DNSSEC come into this picture DNSSEC secures the name to address mapping before the certificates are needed DNSSEC provides an independent trust path. The person administering https is most probably a different from person from the one that does DNSSEC The chains of trust are most probably different See acmqueue.org article: Is Hierarchical Public- Key Certification the Next Target for Hackers?

References and Acknowledgements Some links www.dnssec.net www.dnssec-deployment.org www.ripe.net/disi/dnssec_howto Is Hierarchical Public-Key Certification the Next Target for Hackers can be found at: http://www.acmqueue.org/modules.php?name=content&pa=sho wpage&pid=181 The participants in the dnssec-deployment working group provided useful feedback used in this presentation.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback