DNSSEC represents a vital means with which to address many security threats, including cache poisoning, man-in-the-middle attacks, and more. But the DNSSEC infrastructure is only as secure as the cryptographic keys used to protect DNS records. This paper reveals important strategies for maximizing DNSSEC security, outlining the key role HSMs play and the critical requirements for successful HSM implementations.
Building Trust into DNS: Key Strategies
WHITE PAPER
Introduction
For all the benefits of an open Internet, there is a dangerous flip side. Domain name system (DNS) servers are a perfect case in point. With no inherent security, DNS servers at a host of organizations have been repeatedly compromised to enable a host of malicious endeavors, including cache poisoning (injecting incorrect/fraudulent data into a name server’s cache, which then gets served to users), redirecting phone calls, man-in-the-middle attacks to steal passwords, rerouting email, denial of service attacks, and more.
To combat these threats, many organizations have implemented Domain Name System Security Extensions (DNSSEC), the process of digitally signing DNS records in order to ensure that the messages received are the same as those that were sent.
By adopting DNSSEC, a range of organizations, including domain providers, online banks and retailers, SaaS providers, and more, can realize a range of benefits:
• Boost security. DNSSEC can help guard against cache poisoning, redirected phone calls, man-in-the-middle attacks, and more.
• Ensure compliance. DNSSEC can help address ICANN, NSEC, and other mandates and guidelines.
• Reduce costs. By safeguarding against a range of network based threats, organizations can reduce the time and cost associated with threat mitigation and post-attack forensics and reparation.
Without Robust Security, DNSSEC Can Be Compromised
In addition to several new concepts and operations for both the DNS server and the DNS
client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to
DNS. What this means is that DNSSEC requires some new procedures such as key generation,
signing, and key management. But, for all the potential DNSSEC benefits outlined above,
the intended gains aren’t guaranteed because the resource records introduced by DNSSEC
are kept in an unencrypted file. It is only when the entire DNSSEC infrastructure is fully and
comprehensively secured that organizations can begin to fully enjoy DNSSEC’s benefits. To do
so, they need capabilities to do the following:
• Secure digital signatures. DNS messages need to be digitally signed in order to ensure the validity of DNS services.
• Control access. Organizations need to ensure only authorized customers and internal staff can access sensitive applications and data.
• Maintain application integrity. All associated application code and processes need to be secured to ensure integrity and prohibit unauthorized application execution.
• Scale to accommodate high volume processing. Since DNS updates are very frequent, DNSSEC infrastructures need to deliver the performance and scalability required to ensure timely processing at all times.
The Role of HSMs in DNSSEC
As outlined above, it is only by ensuring security throughout the DNSSEC infrastructure that
businesses can realize the benefits of DNSSEC. To ensure the validity of DNS services, DNSSEC
employs public key cryptography to digitally sign DNS messages.
To realize the security required, robust protection of private signing keys is vital. If the keys and
their corresponding digital certificates are compromised, the chain of trust in the DNS hierarchy
is broken, rendering the entire system obsolete. This is where hardware security modules (HSMs)
come into play.
HSMs are dedicated systems that physically and logically secure the cryptographic keys and
cryptographic processing that are at the heart of digital signatures. HSMs support the following
functions:
• Life-cycle management, including key generation, distribution, rotation, storage,
termination, and archival.
• Cryptographic processing, which produces the dual benefits of isolating and offloading
cryptographic processing from application servers.
By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks
associated with having these assets housed on disparate, poorly secured platforms. In addition,
this centralization can significantly streamline security administration.
[Diagram: DNSSEC name resolution with HSM-protected signing keys]
Diagram labels:
• DNS Root Server Cluster: root zone records signed by private key in HSM
• TLD Server Cluster: TLD zone records signed by private key in SafeNet HSM
• Authoritative Server Cluster: enterprise level zone key signed by SafeNet HSM (www.mybank.com)
• SafeNet HSM: stores the cryptographic keys that sign the DNS records (DNSKEY, RRSIG, NSEC, and DS)
• *FIPS 140-2 Level 4 Validated
• Recursive (Caching) Name Server; Client-Side of the DNS; DNS Query
Numbered steps in the diagram:
1. Client initiates query for www.mybank.com
2. ISP caching name server starts recursive search at root if no record found in cache.
3. Recursive search referred to applicable TLD by root. If record does not exist in TLD zone, query referred to the Authoritative server. (Simplified example – additional zone searches may be required to identify Authoritative Name Server.)
4. Authoritative Server responds with signed DNS zone record
5. Recursive server returns verified IP address for “mybank.com” to DNS client
The diagram above depicts the steps involved in securing DNS messages through the use of HSMs. By
safeguarding digital certificates and cryptographic keys, organizations can maximize the security of their DNSSEC
implementations.
The Advantages of HSMs
Compared to the process of storing cryptographic keys in software residing on general purpose application servers, HSMs deliver several advantages:
Completeness
HSMs are fully contained solutions for cryptographic processing, key generation, and key
storage. As purpose-built appliances, they automatically include the required hardware
and firmware (i.e., software) in an integrated package. Physical and logical protection of the
appliance is supported by a tamper resistant/evident shell; and protection from logical threats,
depending on the vendor’s products, is supported by integrated firewall and intrusion prevention
defenses. Some HSM vendors also include integrated support for two-factor authentication.
Security certification is typically pursued by HSM vendors and positioned as a product feature.
Software for these same functions is not a complete out-of-the-box solution. Server hardware is
a separate purchase, unless unused servers are present, as is firewall, intrusion prevention, and
two-factor authentication. Being tamper resistant is not a trait typically associated with general-purpose
servers. Security certification encompassing the combination of hardware platform
and software would be the responsibility of the user organization and can be a lengthy and
very costly activity, especially if involvement with certification bodies is not standard operating
practice for the organization using the software.
Performance
Cryptography is a resource intensive process that will introduce latency to any application that
depends on it. Depending on the application and organization involved, the objective could be
to minimize the latency introduced by cryptography. HSMs have an advantage over software as
they are designed to optimize the efficiency of cryptographic processing. Compared to software
running on general purpose servers, HSMs will accelerate processing; an outcome of being
purpose-built.
Compliant and Secure
Frequently, cryptography is used to meet compliance mandates. Cryptography use, however,
does not guarantee that information is secure. Further, there are no security guarantees (i.e.,
promises of no security instances ever) with any security solution so the objective becomes one
of managing risk by reducing the number of vulnerabilities and the likelihood of vulnerabilities
being exploited. The aforementioned completeness attributes of HSMs allow organizations that
deploy HSMs to take efficient and simultaneous steps toward compliance and security.
Centralization of Key Management
An attribute of software is its portability; software can be installed on several servers.
Consequently, cryptographic keys have greater likelihood to reside in several locations/software
hosts. This multi-location characteristic will add to administrative complexity and potential
lapses in the life-cycle management of cryptographic keys (e.g., rotation and revocation). In
addition, if consistency in the protective layer of the software host (e.g., firewall, intrusion
prevention, and access control) cannot be ensured, the risk of keys being compromised
increases. With HSMs, the tendency is to store keys in a single unit. Not only does this streamline
administration and reduce the potential for management lapses but it also supports a
consistent layer of key protection.
By leveraging HSMs, organizations can enjoy the utmost in security of the cryptographic keys and digital certificates that underpin the DNSSEC infrastructure.
The Benefits of DNSSEC with SafeNet
SafeNet offers a broad set of HSMs that are ideally suited to the demands of securing private signing keys. By employing SafeNet HSMs, organizations can realize a range of benefits:
Enhance Security
SafeNet HSMs deliver sophisticated security capabilities that enable businesses to enjoy
maximum security of DNSSEC. SafeNet HSMs ensure the most rigorous control over keys and
their corresponding digital certificates. As a result, organizations can eliminate the threats of
DNS exploits, and the damage they can wreak.
Ensure Compliance
The Internet Engineering Task Force has published a comprehensive set of guidelines for
ensuring DNSSEC security. For example, RFC 5011 outlines extensive standards for securing
various points in the DNS tree, referred to as trust points. Each trust point must be validated
by at least one associated public key. In addition, the guidelines specify a host of efforts for
securely adding keys, rotating keys, and removing keys. With their robust encryption and policy
management support, SafeNet HSMs enable organizations to ensure compliance with these
guidelines.
Further, ICANN DNSSEC requirements state that private keys must be generated and stored on
FIPS 140-2 validated HSMs. Many SafeNet HSMs meet these demanding FIPS requirements and
many are also Common Criteria certified.
Optimize Operational Performance
By leveraging SafeNet’s secure HSMs, organizations can realize significant gains in operational
performance:
• Improve staff efficiency. By centralizing keys and policy administration on a central,
comprehensive platform, security teams can significantly streamline administrative efforts.
Further, with an appliance that supports XML, SafeNet enables easier up-front HSM
integration.
• Ensure high performance. By managing cryptographic processing on purpose-built
appliances, SafeNet HSMs deliver scalable, responsive performance, ensuring the timely,
reliable response required in DNSSEC environments.
• Optimize key storage. With its support for the Elliptic Curve Digital Signature Algorithm
(ECDSA), SafeNet enables more efficient storage of cryptographic keys.
• Enhance customer service and loyalty. SafeNet HSMs safeguard the DNS infrastructure, so
organizations can eliminate the DNS exploits that put customers at risk. By ensuring high
levels of security, organizations can foster greater trust and loyalty among their customer
base.
SafeNet’s Breadth of HSM Offerings
SafeNet HSMs provide reliable protection for applications, transactions, and information assets
by safeguarding the cryptographic keys that are at the heart of any encryption-based security
solution. SafeNet HSMs are the fastest, most secure, and easiest to integrate application
security solution for enterprise and government organizations to ensure regulatory compliance,
reduce the risk of legal liability, and improve profitability.
SafeNet offers these HSM products:
General Purpose HSMs, Network Attached
• Luna SA. Luna SA offers award-winning application protection through powerful
cryptographic processing and hardware key management. Luna PCI for Luna SA 4.1 has
received Common Criteria EAL4+ certification.