SlideShare une entreprise Scribd logo

Perspectives on securing DNS with DNSSEC

Deploy360 Programme (Internet Society)
Deploy360 Programme (Internet Society)
Technologie
1  sur  40
Télécharger pour lire hors ligne
Perspectives on Deploying DNSSEC ION Sao Paulo December 5, 2012 www.internetsociety.org/deploy360/
Panelists •  Dan York, Internet Society •  Frederico Neves, NIC.BR •  Robert Martin-Legene, Packet Clearing House www.internetsociety.org/deploy360/
Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies: •  Case Studies •  Tutorials •  Videos •  Whitepapers •  News, information English content, initially, but will www.internetsociety.org/deploy360/ be translated into other languages. www.internetsociety.org/deploy360/ 12/5/12
What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" •  Defined in RFCs 4033, 4034, 4035 •  Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain… www.internetsociety.org/deploy360/
A Normal DNS Interaction Web Server example.com? Resolver checks its local cache. If it has the 3 DNS answer, it sends it back. 1 https://example.com/ Resolver example.com 10.1.1.123 4 If not… web page Web Browser 2 10.1.1.123 www.internetsociety.org/deploy360/
A Normal DNS Interaction DNS Svr root .com NS DNS Svr .com Web example.com NS Server example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
DNS Works On Speed •  First result received by a DNS resolver is treated as the correct answer. •  Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: •  Getting to the correct point in the network to provide faster responses; •  Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses) www.internetsociety.org/deploy360/
Attacking DNS DNS Svr root .com NS DNS Svr .com Web example.com NS Server example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 10.1.1.123 6 web page Web 3 Browser 4 192.168.2.2 Attacking 192.168.2.2 DNS Svr example.com www.internetsociety.org/deploy360/
A Poisoned Cache Web Server example.com? Resolver cache now has wrong data: 3 DNS 1 example.com 192.168.2.2 https://example.com/ Resolver 4 This stays in the cache until the web page Web Time-To-Live (TTL) expires! Browser 2 192.168.2.2 www.internetsociety.org/deploy360/
How Does DNSSEC Help? •  DNSSEC introduces new DNS records for a domain: •  RRSIG – a signature ("hash") of a set of DNS records •  DNSKEY – a public key that a resolver can use to validate RRSIG •  A DNSSEC-validating DNS resolver: •  Uses DNSKEY to perform a hash calculation on received DNS records •  Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server. www.internetsociety.org/deploy360/ 12/5/12
A DNSSEC Interaction DNS Svr root DNS Svr .com Web Server example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web DNSKEY RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
But Can DNSSEC Be Spoofed? •  But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed? •  An additional was introduced, the "Delegation Signer (DS)" record •  It is a fingerprint of the DNSKEY record that is sent to the TLD registry •  Provides a global "chain of trust" from the root of DNS down to the domain •  Attackers would have to compromise the registry www.internetsociety.org/deploy360/ 12/5/12
A DNSSEC Interaction DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web DNSKEY RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
The Global Chain of Trust DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web DNSKEY RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
Attempting to Spoof DNS DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 10.1.1.123 6 DNSKEY RRSIGs web page Web 3 Browser Attacking 192.168.2.2 DNS Svr DNSKEY example.com RRSIGs www.internetsociety.org/deploy360/
Attempting to Spoof DNS DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 10.1.1.123 6 DNSKEY RRSIGs web page Web 3 Browser 4 SERVFAIL Attacking 192.168.2.2 DNS Svr DNSKEY example.com RRSIGs www.internetsociety.org/deploy360/
What DNSSEC Proves: •  "These ARE the IP addresses you are looking for." (or they are not) •  Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. www.internetsociety.org/deploy360/ 12/5/12
The Two Parts of DNSSEC Signing Validating Registries Applications Registrars Enterprises DNS Hosting ISPs www.internetsociety.org/deploy360/
DNSSEC Signing - The Individual Steps •  Signs TLD Registry •  Accepts DS records •  Publishes/signs records •  Accepts DS records Registrar •  Sends DS to registry •  Provides UI for mgmt •  Signs zones DNS Hosting Provider •  Publishes all records •  Provides UI for mgmt Domain Name •  Enables DNSSEC Registrant (unless automatic) www.internetsociety.org/deploy360/
DNSSEC and SSL www.internetsociety.org/deploy360/
Why Do I Need DNSSEC If I Have SSL? •  A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) •  SSL (more formerly known today as Transport Layer Security (TLS)) solves a different issue – it provides encryption and protection of the communication between the browser and the web server www.internetsociety.org/deploy360/
The Typical TLS (SSL) Web Interaction DNS Svr root Web Server DNS Svr .com 5 https://example.com/ DNS Svr 6 example.com TLS-encrypted web page 2 example.com? 3 1 10.1.1.123 DNS Resolver Web Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
The Typical TLS (SSL) Web Interaction DNS Svr root Web Server DNS Svr .com 5 https://example.com/ DNS Svr 6 example.com TLS-encrypted web page 2 example.com? 3 1 10.1.1.123 DNS Resolver Is this encrypted with the Web CORRECT Browser 4 certificate? 10.1.1.123 www.internetsociety.org/deploy360/
What About This? DNS Web Server https://www.example.com/ Server www.example.com? Firewall https://www.example.com/ TLS-encrypted web page (or 1 with CORRECT certificate attacker) 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate (re-signed by firewall) www.internetsociety.org/deploy360/
Problems? DNS Web Server https://www.example.com/ Server www.example.com? https://www.example.com/ TLS-encrypted web page Firewall 1 with CORRECT certificate 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate (re-signed by firewall) www.internetsociety.org/deploy360/
Problems? DNS Web Server https://www.example.com/ Server www.example.com? https://www.example.com/ TLS-encrypted web page Firewall 1 with CORRECT certificate 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate Log files (re-signed by firewall) or other servers Potentially including personal information www.internetsociety.org/deploy360/
Issues A Certificate Authority (CA) can sign ANY domain. Now over 1,500 CAs – there have been compromises where valid certs were issued for domains. Middle-boxes such as firewalls can re-sign sessions. www.internetsociety.org/deploy360/
A Powerful Combination •  TLS = encryption + limited integrity protection •  DNSSEC = strong integrity protection •  How to get encryption + strong integrity protection? •  TLS + DNSSEC = DANE www.internetsociety.org/deploy360/ 12/5/12
DNS-Based Authentication of Named Entities (DANE) •  Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? •  A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. A browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self- signed certificate. www.internetsociety.org/deploy360/
DANE DNS Web Server https://example.com/ Server example.com? 2 Firewall https://example.com/ TLS-encrypted web page (or 1 with CORRECT certificate attacker) 10.1.1.123 DNSKEY RRSIGs TLSA Web TLS-encrypted web page Browser with NEW certificate w/DANE Log files (re-signed by firewall) or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. www.internetsociety.org/deploy360/
DANE – Not Just For The Web •  DANE defines protocol for storing TLS certificates in DNS •  Securing Web transactions is the obvious use case •  Other uses also possible: •  Email via S/MIME •  VoIP •  Jabber/XMPP •  ? www.internetsociety.org/deploy360/ 12/5/12
DANE Resources DANE Overview and Resources: •  http://www.internetsociety.org/deploy360/resources/dane/ IETF Journal article explaining DANE: •  http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: •  http://tools.ietf.org/html/rfc6394 RFC 6698 – DANE Protocol: •  http://tools.ietf.org/html/rfc6698 www.internetsociety.org/deploy360/
How Do We Get DANE Deployed? Developers: •  Add DANE support into applications (see list of libraries) DNS Hosting Providers: •  Provide a way that customers can enter a “TLSA” record into DNS as defined in RFC 6698 ( http://tools.ietf.org/html/rfc6698 ) •  This will start getting TLS certificates into DNS so that when browsers support DANE they will be able to do so. •  [More tools are needed to help create TLSA records – ex. hashslinger ] Network Operators / Enterprises / Governments: •  Start talking about need for DANE •  Express desire for DANE to app vendors (especially browsers) www.internetsociety.org/deploy360/
Opportunities •  DANE is just one example of new opportunities brought about by DNSSEC •  Developers and others already exploring new ideas www.internetsociety.org/deploy360/ 12/5/12
Getting DNSSEC Deployed www.internetsociety.org/deploy360/
Three Steps TLD Operators Can Take: 1.  Sign your TLD! •  Tools and services available to help automate process 2.  Accept DS records •  Make it as easy as possible (and accept multiple records) 3.  Work with your registrars •  Help them make it easy for DNS hosting providers and registrants 4.  Help With Statistics •  Can you help by providing statistics? Implement DNSSEC and make your TLD more secure! www.internetsociety.org/deploy360/
Three Requests For Network Operators 1.  Deploy DNSSEC-validating DNS resolvers 2.  Sign your own domains where possible 3.  Help promote support of DANE protocol •  Allow usage of TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure. www.internetsociety.org/deploy360/
Internet Society Deploy360 Programme Can You Help Us With: •  Case Studies? •  Tutorials? •  Videos? How Can We Help You? www.internetsociety.org/deploy360/ www.internetsociety.org/deploy360/ 12/5/12
Dan York, CISSP Senior Content Strategist, Internet Society york@isoc.org www.internetsociety.org/deploy360/ Thank You! www.internetsociety.org/deploy360/
Download A DNSSEC Whitepaper “Challenges and Opportunities in Deploying DNSSEC” http://bit.ly/isoc-satin2012 www.internetsociety.org/deploy360/

Recommandé

ION San Diego - DNSSEC Deployment Panel Introductory Slides
ION San Diego - DNSSEC Deployment Panel Introductory SlidesION San Diego - DNSSEC Deployment Panel Introductory Slides
ION San Diego - DNSSEC Deployment Panel Introductory SlidesDeploy360 Programme (Internet Society)
 
ION Singapore - Dan York: DNSSEC Introduction
ION Singapore - Dan York: DNSSEC IntroductionION Singapore - Dan York: DNSSEC Introduction
ION Singapore - Dan York: DNSSEC IntroductionDeploy360 Programme (Internet Society)
 
Wintel
WintelWintel
WintelAnandharaj007
 
いろいろ引き出し作って見ました
いろいろ引き出し作って見ましたいろいろ引き出し作って見ました
いろいろ引き出し作って見ましたMutsumi IWAISHI
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
Stephen McHenry - Chanecellor of Site Reliability Engineering, Google
Stephen McHenry - Chanecellor of Site Reliability Engineering, GoogleStephen McHenry - Chanecellor of Site Reliability Engineering, Google
Stephen McHenry - Chanecellor of Site Reliability Engineering, GoogleIE Group
 
Dns security
Dns securityDns security
Dns securityDhaval Kapil
 
LISA 2011 Presentation
LISA 2011 PresentationLISA 2011 Presentation
LISA 2011 PresentationDeploy360 Programme (Internet Society)
 

Recommandé

ION San Diego - DNSSEC Deployment Panel Introductory Slides
ION San Diego - DNSSEC Deployment Panel Introductory SlidesION San Diego - DNSSEC Deployment Panel Introductory Slides
ION San Diego - DNSSEC Deployment Panel Introductory SlidesDeploy360 Programme (Internet Society)
 
ION Singapore - Dan York: DNSSEC Introduction
ION Singapore - Dan York: DNSSEC IntroductionION Singapore - Dan York: DNSSEC Introduction
ION Singapore - Dan York: DNSSEC IntroductionDeploy360 Programme (Internet Society)
 
Wintel
WintelWintel
WintelAnandharaj007
 
いろいろ引き出し作って見ました
いろいろ引き出し作って見ましたいろいろ引き出し作って見ました
いろいろ引き出し作って見ましたMutsumi IWAISHI
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
Stephen McHenry - Chanecellor of Site Reliability Engineering, Google
Stephen McHenry - Chanecellor of Site Reliability Engineering, GoogleStephen McHenry - Chanecellor of Site Reliability Engineering, Google
Stephen McHenry - Chanecellor of Site Reliability Engineering, GoogleIE Group
 
Dns security
Dns securityDns security
Dns securityDhaval Kapil
 
LISA 2011 Presentation
LISA 2011 PresentationLISA 2011 Presentation
LISA 2011 PresentationDeploy360 Programme (Internet Society)
 
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...Deploy360 Programme (Internet Society)
 
ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?Deploy360 Programme (Internet Society)
 
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSECION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSECDeploy360 Programme (Internet Society)
 
ION Djibouti: IETF Update
ION Djibouti: IETF UpdateION Djibouti: IETF Update
ION Djibouti: IETF UpdateDeploy360 Programme (Internet Society)
 
ION Tokyo - Closing Slides - Chris Grundemann
ION Tokyo - Closing Slides - Chris GrundemannION Tokyo - Closing Slides - Chris Grundemann
ION Tokyo - Closing Slides - Chris GrundemannDeploy360 Programme (Internet Society)
 
ION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network OperatorsION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network OperatorsDeploy360 Programme (Internet Society)
 
ION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and AfricaION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and AfricaDeploy360 Programme (Internet Society)
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentBangladesh Network Operators Group
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkDeploy360 Programme (Internet Society)
 
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"Barry Greene
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
Monitoring DNS Records and Servers
Monitoring DNS Records and ServersMonitoring DNS Records and Servers
Monitoring DNS Records and ServersThousandEyes
 
Domain name system
Domain name systemDomain name system
Domain name systemmahakant sharma
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningChristopher Grayson
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Bangladesh Network Operators Group
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essentialwael eshag eshag
 
Re-Engineering the Root of the DNS
Re-Engineering the Root of the DNSRe-Engineering the Root of the DNS
Re-Engineering the Root of the DNSAPNIC
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNSThousandEyes
 

Contenu connexe

En vedette

ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...Deploy360 Programme (Internet Society)
 
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSECION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSECDeploy360 Programme (Internet Society)
 

En vedette (7)

ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
 
ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?ION Mumbai - Richard Lamb: Why DNSSEC?
ION Mumbai - Richard Lamb: Why DNSSEC?
 
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSECION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC
ION Singapore - Geoff Huston/Dan York: Business Cases for IPv6 & DNSSEC
 
ION Djibouti: IETF Update
ION Djibouti: IETF UpdateION Djibouti: IETF Update
ION Djibouti: IETF Update
 
ION Tokyo - Closing Slides - Chris Grundemann
ION Tokyo - Closing Slides - Chris GrundemannION Tokyo - Closing Slides - Chris Grundemann
ION Tokyo - Closing Slides - Chris Grundemann
 
ION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network OperatorsION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network Operators
 
ION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and AfricaION Cape Town - IETF, Operational Experience, and Africa
ION Cape Town - IETF, Operational Experience, and Africa
 

Similaire à Perspectives on securing DNS with DNSSEC

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"Barry Greene
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
Monitoring DNS Records and Servers
Monitoring DNS Records and ServersMonitoring DNS Records and Servers
Monitoring DNS Records and ServersThousandEyes
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essentialwael eshag eshag
 
Re-Engineering the Root of the DNS
Re-Engineering the Root of the DNSRe-Engineering the Root of the DNS
Re-Engineering the Root of the DNSAPNIC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...JosephTesta9
 

Similaire à Perspectives on securing DNS with DNSSEC (20)

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
 
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
Monitoring DNS Records and Servers
Monitoring DNS Records and ServersMonitoring DNS Records and Servers
Monitoring DNS Records and Servers
 
Domain name system
Domain name systemDomain name system
Domain name system
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essential
 
Re-Engineering the Root of the DNS
Re-Engineering the Root of the DNSRe-Engineering the Root of the DNS
Re-Engineering the Root of the DNS
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
 
geoDNS
geoDNSgeoDNS
geoDNS
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 

Plus de Deploy360 Programme (Internet Society)

Plus de Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

Dernier

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

Perspectives on securing DNS with DNSSEC

  • 1. Perspectives on Deploying DNSSEC ION Sao Paulo December 5, 2012 www.internetsociety.org/deploy360/
  • 2. Panelists •  Dan York, Internet Society •  Frederico Neves, NIC.BR •  Robert Martin-Legene, Packet Clearing House www.internetsociety.org/deploy360/
  • 3. Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies: •  Case Studies •  Tutorials •  Videos •  Whitepapers •  News, information English content, initially, but will www.internetsociety.org/deploy360/ be translated into other languages. www.internetsociety.org/deploy360/ 12/5/12
  • 4. What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" •  Defined in RFCs 4033, 4034, 4035 •  Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain… www.internetsociety.org/deploy360/
  • 5. A Normal DNS Interaction Web Server example.com? Resolver checks its local cache. If it has the 3 DNS answer, it sends it back. 1 https://example.com/ Resolver example.com 10.1.1.123 4 If not… web page Web Browser 2 10.1.1.123 www.internetsociety.org/deploy360/
  • 6. A Normal DNS Interaction DNS Svr root .com NS DNS Svr .com Web example.com NS Server example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
  • 7. DNS Works On Speed •  First result received by a DNS resolver is treated as the correct answer. •  Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: •  Getting to the correct point in the network to provide faster responses; •  Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses) www.internetsociety.org/deploy360/
  • 8. Attacking DNS DNS Svr root .com NS DNS Svr .com Web example.com NS Server example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 10.1.1.123 6 web page Web 3 Browser 4 192.168.2.2 Attacking 192.168.2.2 DNS Svr example.com www.internetsociety.org/deploy360/
  • 9. A Poisoned Cache Web Server example.com? Resolver cache now has wrong data: 3 DNS 1 example.com 192.168.2.2 https://example.com/ Resolver 4 This stays in the cache until the web page Web Time-To-Live (TTL) expires! Browser 2 192.168.2.2 www.internetsociety.org/deploy360/
  • 10. How Does DNSSEC Help? •  DNSSEC introduces new DNS records for a domain: •  RRSIG – a signature ("hash") of a set of DNS records •  DNSKEY – a public key that a resolver can use to validate RRSIG •  A DNSSEC-validating DNS resolver: •  Uses DNSKEY to perform a hash calculation on received DNS records •  Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server. www.internetsociety.org/deploy360/ 12/5/12
  • 11. A DNSSEC Interaction DNS Svr root DNS Svr .com Web Server example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web DNSKEY RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
  • 12. But Can DNSSEC Be Spoofed? •  But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed? •  An additional was introduced, the "Delegation Signer (DS)" record •  It is a fingerprint of the DNSKEY record that is sent to the TLD registry •  Provides a global "chain of trust" from the root of DNS down to the domain •  Attackers would have to compromise the registry www.internetsociety.org/deploy360/ 12/5/12
  • 13. A DNSSEC Interaction DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web DNSKEY RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
  • 14. The Global Chain of Trust DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 3 6 10.1.1.123 web page Web DNSKEY RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
  • 15. Attempting to Spoof DNS DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 10.1.1.123 6 DNSKEY RRSIGs web page Web 3 Browser Attacking 192.168.2.2 DNS Svr DNSKEY example.com RRSIGs www.internetsociety.org/deploy360/
  • 16. Attempting to Spoof DNS DNS Svr root .com NS DS DNS Svr .com Web example.com NS Server DS example.com? 5 DNS 2 https://example.com/ 1 Resolver DNS Svr example.com 10.1.1.123 6 DNSKEY RRSIGs web page Web 3 Browser 4 SERVFAIL Attacking 192.168.2.2 DNS Svr DNSKEY example.com RRSIGs www.internetsociety.org/deploy360/
  • 17. What DNSSEC Proves: •  "These ARE the IP addresses you are looking for." (or they are not) •  Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. www.internetsociety.org/deploy360/ 12/5/12
  • 18. The Two Parts of DNSSEC Signing Validating Registries Applications Registrars Enterprises DNS Hosting ISPs www.internetsociety.org/deploy360/
  • 19. DNSSEC Signing - The Individual Steps •  Signs TLD Registry •  Accepts DS records •  Publishes/signs records •  Accepts DS records Registrar •  Sends DS to registry •  Provides UI for mgmt •  Signs zones DNS Hosting Provider •  Publishes all records •  Provides UI for mgmt Domain Name •  Enables DNSSEC Registrant (unless automatic) www.internetsociety.org/deploy360/
  • 21. Why Do I Need DNSSEC If I Have SSL? •  A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) •  SSL (more formerly known today as Transport Layer Security (TLS)) solves a different issue – it provides encryption and protection of the communication between the browser and the web server www.internetsociety.org/deploy360/
  • 22. The Typical TLS (SSL) Web Interaction DNS Svr root Web Server DNS Svr .com 5 https://example.com/ DNS Svr 6 example.com TLS-encrypted web page 2 example.com? 3 1 10.1.1.123 DNS Resolver Web Browser 4 10.1.1.123 www.internetsociety.org/deploy360/
  • 23. The Typical TLS (SSL) Web Interaction DNS Svr root Web Server DNS Svr .com 5 https://example.com/ DNS Svr 6 example.com TLS-encrypted web page 2 example.com? 3 1 10.1.1.123 DNS Resolver Is this encrypted with the Web CORRECT Browser 4 certificate? 10.1.1.123 www.internetsociety.org/deploy360/
  • 24. What About This? DNS Web Server https://www.example.com/ Server www.example.com? Firewall https://www.example.com/ TLS-encrypted web page (or 1 with CORRECT certificate attacker) 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate (re-signed by firewall) www.internetsociety.org/deploy360/
  • 25. Problems? DNS Web Server https://www.example.com/ Server www.example.com? https://www.example.com/ TLS-encrypted web page Firewall 1 with CORRECT certificate 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate (re-signed by firewall) www.internetsociety.org/deploy360/
  • 26. Problems? DNS Web Server https://www.example.com/ Server www.example.com? https://www.example.com/ TLS-encrypted web page Firewall 1 with CORRECT certificate 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate Log files (re-signed by firewall) or other servers Potentially including personal information www.internetsociety.org/deploy360/
  • 27. Issues A Certificate Authority (CA) can sign ANY domain. Now over 1,500 CAs – there have been compromises where valid certs were issued for domains. Middle-boxes such as firewalls can re-sign sessions. www.internetsociety.org/deploy360/
  • 28. A Powerful Combination •  TLS = encryption + limited integrity protection •  DNSSEC = strong integrity protection •  How to get encryption + strong integrity protection? •  TLS + DNSSEC = DANE www.internetsociety.org/deploy360/ 12/5/12
  • 29. DNS-Based Authentication of Named Entities (DANE) •  Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? •  A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. A browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self- signed certificate. www.internetsociety.org/deploy360/
  • 30. DANE DNS Web Server https://example.com/ Server example.com? 2 Firewall https://example.com/ TLS-encrypted web page (or 1 with CORRECT certificate attacker) 10.1.1.123 DNSKEY RRSIGs TLSA Web TLS-encrypted web page Browser with NEW certificate w/DANE Log files (re-signed by firewall) or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. www.internetsociety.org/deploy360/
  • 31. DANE – Not Just For The Web •  DANE defines protocol for storing TLS certificates in DNS •  Securing Web transactions is the obvious use case •  Other uses also possible: •  Email via S/MIME •  VoIP •  Jabber/XMPP •  ? www.internetsociety.org/deploy360/ 12/5/12
  • 32. DANE Resources DANE Overview and Resources: •  http://www.internetsociety.org/deploy360/resources/dane/ IETF Journal article explaining DANE: •  http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: •  http://tools.ietf.org/html/rfc6394 RFC 6698 – DANE Protocol: •  http://tools.ietf.org/html/rfc6698 www.internetsociety.org/deploy360/
  • 33. How Do We Get DANE Deployed? Developers: •  Add DANE support into applications (see list of libraries) DNS Hosting Providers: •  Provide a way that customers can enter a “TLSA” record into DNS as defined in RFC 6698 ( http://tools.ietf.org/html/rfc6698 ) •  This will start getting TLS certificates into DNS so that when browsers support DANE they will be able to do so. •  [More tools are needed to help create TLSA records – ex. hashslinger ] Network Operators / Enterprises / Governments: •  Start talking about need for DANE •  Express desire for DANE to app vendors (especially browsers) www.internetsociety.org/deploy360/
  • 34. Opportunities •  DANE is just one example of new opportunities brought about by DNSSEC •  Developers and others already exploring new ideas www.internetsociety.org/deploy360/ 12/5/12
  • 36. Three Steps TLD Operators Can Take: 1.  Sign your TLD! •  Tools and services available to help automate process 2.  Accept DS records •  Make it as easy as possible (and accept multiple records) 3.  Work with your registrars •  Help them make it easy for DNS hosting providers and registrants 4.  Help With Statistics •  Can you help by providing statistics? Implement DNSSEC and make your TLD more secure! www.internetsociety.org/deploy360/
  • 37. Three Requests For Network Operators 1.  Deploy DNSSEC-validating DNS resolvers 2.  Sign your own domains where possible 3.  Help promote support of DANE protocol •  Allow usage of TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure. www.internetsociety.org/deploy360/
  • 38. Internet Society Deploy360 Programme Can You Help Us With: •  Case Studies? •  Tutorials? •  Videos? How Can We Help You? www.internetsociety.org/deploy360/ www.internetsociety.org/deploy360/ 12/5/12
  • 39. Dan York, CISSP Senior Content Strategist, Internet Society york@isoc.org www.internetsociety.org/deploy360/ Thank You! www.internetsociety.org/deploy360/
  • 40. Download A DNSSEC Whitepaper “Challenges and Opportunities in Deploying DNSSEC” http://bit.ly/isoc-satin2012 www.internetsociety.org/deploy360/