DNS Security DNSSEC. *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

Similar documents
Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

DNS Security. * pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Request for Comments: 2535 Obsoletes: 2065 March 1999 Updates: 2181, 1035, 1034 Category: Standards Track

Request for Comments: 3007 Updates: 2535, 2136 November 2000 Obsoletes: 2137 Category: Standards Track. Secure Domain Name System (DNS) Dynamic Update

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Updates: 2535 November 2003 Category: Standards Track

SECURITY SYSTEM FOR DNS USING CRYPTOGRAPHY. N.DEVI M.Sc., M.Ed., M.Phil., Assistant prof, Mangayarkarasi college of arts and science for women

Expires: October 2000 April 2000

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

Network Working Group

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

Algorithm for DNSSEC Trusted Key Rollover

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

Network Working Group Request for Comments: 5702 Category: Standards Track October 2009

Iris Expires: 10 April October Domain Name System Security Extensions Status of This Document

Implementation Guide for Delivery Notification in Direct

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

BIG-IP DNS Services: Implementations. Version 12.1

Network Working Group. Category: Informational November 2007

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

A Security Evaluation of DNSSEC with NSEC Review

Domain Name System Security

By Paul Wouters

Expires: August 1998 February DNS Operational Security Considerations Status of This Document

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Domain Name System Security

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

Network Working Group. Category: Standards Track December 2001

Network Working Group. Category: Informational SPARTA, Inc. S. Crocker Shinkuro Inc. S. Krishnaswamy SPARTA, Inc. August 2007

Domain Name System Security

Web Security. Mahalingam Ramkumar

Protecting Privacy: The Evolution of DNS Security

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Network Working Group Request for Comments: 5155 Category: Standards Track Nominet D. Blacka VeriSign, Inc. March 2008

The ISP Column A column on various things Internet. DNSSEC and DNS over TLS. August 2018 Geoff Huston

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

Toward Unspoofable Network Identifiers. CS 585 Fall 2009

DOMAIN NAME SECURITY EXTENSIONS

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

DNSSEC Validators Requirements

Request for Comments: 3110 Obsoletes: 2537 May 2001 Category: Standards Track. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

BIG-IP DNS Services: Implementations. Version 12.0

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

SecSpider: Distributed DNSSEC Monitoring and Key Learning

Less is More Cipher-Suite Negotiation for DNSSEC

CSC 574 Computer and Network Security. DNS Security

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

Understanding the Dynamic Update Mechanism Tech Note

Request for Comments: 2537 Category: Standards Track March RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

Documentation. Name Server Predelegation Check

Gestion et sécurité des réseaux informatiques. Guy Leduc. Chapter 3: Securing applications. Chapter goals: security in practice:

Chapter 19. Domain Name System (DNS)

Interested in learning more about security? The Achilles Heal of DNS. Copyright SANS Institute Author Retains Full Rights

Chapter 3: Securing applications

Afilias DNSSEC Practice Statement (DPS) Version

More on DNS and DNSSEC

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)

Request for Comments: 4509 Category: Standards Track May Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)

DNS Resolver Software Change Planning. for Trust Anchor Key Management. Based on TAKREM

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

DNS SECurity Extensions technical overview

That KSK Roll. Geoff Huston APNIC Labs

Seamless transition of domain name system (DNS) authoritative servers

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements

DNSSEC Basics, Risks and Benefits

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

International Standard on Auditing (Ireland) 505 External Confirmations

DNSSEC Basics, Risks and Benefits

Request for Comments: 2536 Category: Standards Track March DSA KEYs and SIGs in the Domain Name System (DNS)

GDS Resource Record: Generalization of the Delegation Signer Model

Securing Domain Name Resolution with DNSSEC

Measuring DNSSEC validation deployment with RIPE ATLAS. Willem Toorop (presenting) Nicolas Canceill.

Message Authentication and Hash function

Assessing and Improving the Quality of DNSSEC

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

TWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) Why do we need DNSSEC? Many application depend on DNS DNS is not secure. There are known vulnerabilities

Pretty Good Privacy (PGP

Network Working Group Request for Comments: Category: Best Current Practice October 2008

DISI Update. Olaf Kolkman, Henk Uijterwaal & Daniel Karrenberg. Olaf M. Kolkman. RIPE 46, Amsterdam, September

DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!

IT443 Network Security Administration Spring Gabriel Ghinita University of Massachusetts at Boston

EXTERNAL CONFIRMATIONS SRI LANKA AUDITING STANDARD 505 EXTERNAL CONFIRMATIONS

DNS Security. Abstract. 1. Introduction

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

A Cache Management Strategy for Shortening DNSSEC Name Resolution Time

Expiration Date: July 1997 Randy Bush RGnet, Inc. January Clarifications to the DNS Specification. draft-ietf-dnsind-clarify-04.

Transcription:

DNS Security DNSSEC *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html 1 IT352 Network Security Najwa AlGhamdi

Introduction DNSSEC is a security extensions to the DNS protocol in response to the security issues surrounding the DNS. a new set of RRs are defined to hold the security information that provides strong security to DNS zones wishing to implement DNSSEC. These new RR types are used in conjunction with existing types of RRs. This allows answers to queries for DNS security information belonging to a zone that is protected by DNSSEC to be supported through non-security aware DNS servers.

DNSSEC Objective To assure authentication and integrity to DNS services. However: DNSSEC doesn t provide access control and confidentiality services Authentication and integrity of information held within DNS zones is provided by using digital signature. Although DNSSEC doesn't provide confidentiality to DNS transactions, it supports confidentiality as a worldwide public key distribution mechanism.

DNSSEC Scope DNSSEC provides three services: 1. key distribution 2. data origin authentication 3. transaction and request authentication. 4 IT352 Network Security Najwa AlGhamdi

DNSSEC Scope : Key Distribution 1.The retrieval of the public key of a DNS name to verify the authenticity of the DNS zone data. 2.Provides a mechanism through which any key associated with a DNS name can be used for purposes other than DNS. 3.The public key distribution service supports several different types of keys and several different types of key algorithms.

DNSSEC Scope : Data Origin Authentication Data origin authentication is the core of the design of DNSSEC. It mitigates such threats as cache poisoning and zone data compromise on a DNS server. The RRSets within a zone are signed to assert to resolvers and servers that the data just received can be trusted. The digital signature contains the encrypted hash of the RRSet. The hash is signed using a private key usually belonging to the corresponding zone. The recipient of the RRSet can then check the digital signature against the data in the RRSet just received.

DNSSEC Scope :DNS Transaction and Request Authentication Service 1: It provides the ability to authenticate DNS requests and DNS message headers. This guarantees that 1. the answer is in response to the original query 2. the response came from the server for which the query was intended. To assure this 1. Part of the information, returned in a response to a query from a security aware server, is a signature. 2. This signature is produced from the concatenation of the query and the response. This allows a security aware resolver to perform any necessary verification concerning the transaction.

DNSSEC Scope :DNS Transaction and Request Authentication Service 2 : DNS Dynamic Updates. Without DNSSEC DNS Dynamic Update does not provide a mechanism that stop any system with access to a DNS authoritative server from updating zone information. With DNSSEC Secure DNS Dynamic provides strong authentication for systems allowed to dynamically manipulate DNS zone information on the primary server

DNSSEC Resource Records Introduces new RR types: KEY: used for storing a public key that is associated with a DNS name. SIG: Digital signature. The SIG RR provides authentication for a RRSet and the signature s validity time.

DNSSEC Resource Records Introduces new RR types: NXT: NXT RRs are used to indicate a range of DNS names that are unavailable or a range of RR types that are unavailable for an existing DNS name. WHY? The DNS provides the ability to cache negative responses. A negative response means that a corresponding RRSet does not exist for the query. DNSSEC provides signatures for these nonexistent RRSets so that their nonexistence in a zone can be authenticated.

How DNSSEC works: Each RRSet has an associated SIG RR which is a digital signature of the RRSet using the private key of the zone. If a security aware resolver reliably learns a public key of the zone, it can authenticate signed data read from that zone. A security aware server will attempt to return, with RRs retrieved, the corresponding SIGs. 11 IT352 Network Security Najwa AlGhamdi

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback