SlideShare une entreprise Scribd logo

Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)

Dan York
Dan York

In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.

Technologie
1  sur  21
Télécharger pour lire hors ligne
www.internetsociety.org/deploy360 Deploying New DNSSEC Algorithms IEPG at IETF 93 19 July 2015 Prague, Czech Republic Dan York, Internet Society
www.internetsociety.org/deploy360 A Reminder of How DNSSEC Works Web Server Web Browser & Stub Resolver https://example.com/ web page DNS Resolver + Validation 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
www.internetsociety.org/deploy360 The Two Parts of DNSSEC Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
www.internetsociety.org/deploy360 DNSSEC Algorithms •  Used to generate keys for signing •  DNSKEY •  Used in DNSSEC signatures •  RRSIG •  Used for DS record for chain of trust •  DS •  Used in validation of DNSSEC records •  DNS resolvers
www.internetsociety.org/deploy360 IANA Registry of DNSSEC Algorithm Numbers •  http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml Number Description Mnemonic 0 Reserved 1 RSA/MD5 (deprecated ) RSAMD5 2 Diffie-Hellman DH 3 DSA/SHA1 DSA 4 Reserved 5 RSA/SHA-1 RSASHA1 6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 8 RSA/SHA-256 RSASHA256 9 Reserved 10 RSA/SHA-512 RSASHA512 11 Reserved 12 GOST R 34.10-2001 ECC-GOST 13 ECDSA Curve P-256 wSHA-256 ECDSAP256SHA256 14 ECDSA Curve P-384 wSHA-384 ECDSAP384SHA384 15-122 Unassigned 123-251 Reserved 252 Reserved for Indirect Keys INDIRECT 253 private algorithm PRIVATEDNS 254 private algorithm OID PRIVATEOID 255 Reserved
www.internetsociety.org/deploy360 BUT... DNSSEC is an RSA world... (part 1) •  Ed Lewis (ICANN) presenting at CENTR, June 2015 •  Breakdown of DNSSEC names •  https://centr.org/system/files/agenda/attachment/rd7-lewis-dnssec_cryptographic_demographics-20150603.pdf
www.internetsociety.org/deploy360 BUT... DNSSEC is an RSA world... (part 2) •  Ed Lewis (ICANN) presenting at CENTR, June 2015 •  Top algorithms (raw keys, not names) •  https://centr.org/system/files/agenda/attachment/rd7-lewis-dnssec_cryptographic_demographics-20150603.pdf Non-RSA algorithms
www.internetsociety.org/deploy360 “Newer” DNSSEC Algorithms •  ECDSA – RFC 6605 – April 2012 •  GOST – RFC 5933 – July 2010 •  Future: •  Ed25519? •  https://gitlab.labs.nic.cz/labs/ietf/blob/master/draft-sury-dnskey-ed25519.xml •  ChaCha? (RFC 7539) •  Others coming out of CFRG?
www.internetsociety.org/deploy360 Why Do We Care About Newer Algorithms? •  Smaller keys and signatures •  Packet size (and avoiding fragmentation) •  Minimizing potential reflection/DDoS attacks •  Enable large-scale deployment •  Ex. CDNs •  Better cryptography •  Move away from 1024-bit RSA
www.internetsociety.org/deploy360 Aspects of Deploying New Algorithms •  Validation •  Signing / DNS Hosting Operators •  Registries •  Registrars •  Developers
www.internetsociety.org/deploy360 Validation •  Resolvers performing validation need to be updated to accept and use the new algorithm. •  Software needs to be updated •  Can be an issue of getting the underlying libraries updated •  Updates need to be deployed •  Customer-premises equipment (CPE) •  Problem – RFC 4035, section 5.2: “If the resolver does not support any of the algorithms listed in an authenticated DS RRset, then the resolver will not be able to verify the authentication path to the child zone. In this case, the resolver SHOULD treat the child zone as if it were unsigned.”
www.internetsociety.org/deploy360 Validation - measurement •  Geoff Huston at IEPG at IETF 92 (March 2015): •  http://blog.apnic.net/2015/03/23/ietf92-geoff-presents-on-ec-dsa-at-iepg/ •  1 in 5 validating resolvers would not support ECDSA •  Pier Carlo Chiodi using RIPE Atlas probes (Jan 2015): •  http://blog.pierky.com/dnssec-ecdsa-aware-resolvers-seen-by-ripe-atlas/ •  “512 probes received an authenticated response for RSA-signed zone, 63 of those (12,3 %) missed the AD flag for the ECDSA- signed one.”
www.internetsociety.org/deploy360 Signing •  Software for authoritative DNS servers need updates •  Updated software needs to be deployed to signing servers •  DNS Hosting Operators (which could be Registrars) need to offer new algorithm to customers •  New key with new algorithm needs to co-exist with existing key for some period of time •  Size impact
www.internetsociety.org/deploy360 Registries •  Some registries are only accepting DS records with certain algorithms •  Not accepting new algorithms •  No way to know what algorithms registries accept •  Update EPP feed to indicate what algorithms are accepted? •  Question: Why do registries need to check algorithm type?
www.internetsociety.org/deploy360 Registrars •  When adding DS records, some registrars only accept certain algorithms in web interface •  Example – BEFORE someone asked for ECDSA:
www.internetsociety.org/deploy360 Registrars •  Good news! – AFTER someone asked for ECDSA: •  But this requires someone asking registrars to support new algorithms... and the registrars making the appropriate updates.
www.internetsociety.org/deploy360 Registrars •  Question: why do registrars need to check the algorithm type? •  Is this attempting to protect users from themselves? Minimize support calls? •  What is the harm in advertising an “unknown” algorithm type? •  Answer: Stop restricting and just accept all DS records. •  Does this come down to a user interface issue?
www.internetsociety.org/deploy360 Developers •  Give developers a list, they will check it! •  Sooo... IANA DNSSEC algorithm list: •  http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml •  But... in this case bounds-checking is not necessary (if we accept idea that registrars/registries should accept all algorithms). •  Need to modify software to allow all algorithms •  or simply not check algorithm type •  or check IANA registry on some periodic interval
www.internetsociety.org/deploy360 Next Steps •  Help people understand value and need to support new algorithms •  Document these steps in a form that can be distributed (ex. Internet-draft) •  Identify and act on actions. Examples: •  Understand implications of registrars/registries simply NOT doing any checking on algorithm types. •  Survey registries to find out which restrict algorithms in DS records •  Explore idea of communicating accepted algorithms in EPP •  Encourage registrars to accept wider range of algorithms (or to stop checking) •  Encourage developers to accept all IANA-listed algorithms (or to stop checking)
www.internetsociety.org/deploy360 Draft IAB Statement on Crypto Algorithm Agility •  https://tools.ietf.org/html/draft-iab-crypto-alg-agility Many IETF protocols use cryptographic algorithms to provide confidentiality, integrity, authentication or digital signature. Communicating peers must support a common set of cryptographic algorithms for these mechanisms to work properly. This memo provides guidelines to ensure that protocols have the ability to migrate from one mandatory-to- implement algorithm suite to another over time.
www.internetsociety.org/deploy360 york@isoc.org Dan York Senior Content Strategist Internet Society Thank You!

Recommandé

DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
Shumon Huque
 
Dns
DnsDns
Dns
Intekhab Alam Khan
 
Dns
DnsDns
Dns
ARYA TM
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
Venkatesh Jambulingam
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSEC
ICANN
 

Recommandé

DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
Shumon Huque
 
Dns
DnsDns
Dns
Intekhab Alam Khan
 
Dns
DnsDns
Dns
ARYA TM
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
Venkatesh Jambulingam
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSEC
ICANN
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
 
Dns
DnsDns
Dns
Patruni Chidananda Sastry
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
Himanshu Prabhakar
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
Men and Mice
 
Dns security
Dns securityDns security
Dns security
Dhaval Kapil
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
DNS Security
DNS SecurityDNS Security
DNS Security
johnmcclure00
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
APNIC
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
Carlos Martinez Cagnazzo
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
DNS Entrepreneurship Center
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)
Yen-Kuan Wu
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
Bangladesh Network Operators Group
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC?
Deploy360 Programme (Internet Society)
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
Chin Wan Lim
 

Contenu connexe

Tendances

Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
DNS Entrepreneurship Center
 

Tendances (20)

DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
Dns
DnsDns
Dns
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
Dns security
Dns securityDns security
Dns security
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 

En vedette

En vedette (10)

ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC?
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRST
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at Penn
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 

Similaire à Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)

Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Demi Ben-Ari
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
Robert Conti Jr.
 

Similaire à Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015) (20)

Challenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic AlgorithmsChallenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic Algorithms
 
ION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel Introduction
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
DNSSEC and DANE Deployment: Trends, Tools and Challenges
DNSSEC and DANE Deployment: Trends, Tools and ChallengesDNSSEC and DANE Deployment: Trends, Tools and Challenges
DNSSEC and DANE Deployment: Trends, Tools and Challenges
 
ION Durban - NAT64/DNS64 Experiments and the NAT64Check Tool
ION Durban - NAT64/DNS64 Experiments and the NAT64Check ToolION Durban - NAT64/DNS64 Experiments and the NAT64Check Tool
ION Durban - NAT64/DNS64 Experiments and the NAT64Check Tool
 
Monitoring federation open stack infrastructure
Monitoring federation open stack infrastructureMonitoring federation open stack infrastructure
Monitoring federation open stack infrastructure
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work Better
 
NAT64/DNS64 experiments, warnings and one useful tool
NAT64/DNS64 experiments, warnings and one useful toolNAT64/DNS64 experiments, warnings and one useful tool
NAT64/DNS64 experiments, warnings and one useful tool
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
ION Bangladesh - IETF Update
ION Bangladesh - IETF UpdateION Bangladesh - IETF Update
ION Bangladesh - IETF Update
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
 
Oracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdfOracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdf
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
 
VA Smalltalk Update
VA Smalltalk UpdateVA Smalltalk Update
VA Smalltalk Update
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFD
 

Plus de Dan York

Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible)
Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible) Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible)
Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible)
Dan York
 
Open Source and The Global Disruption Of Telecom: What Choices Will We Make?
Open Source and The Global Disruption Of Telecom: What Choices Will We Make?Open Source and The Global Disruption Of Telecom: What Choices Will We Make?
Open Source and The Global Disruption Of Telecom: What Choices Will We Make?
Dan York
 
How IPv6 Will Kill Telecom - And What We Need To Do About It
How IPv6 Will Kill Telecom - And What We Need To Do About ItHow IPv6 Will Kill Telecom - And What We Need To Do About It
How IPv6 Will Kill Telecom - And What We Need To Do About It
Dan York
 

Plus de Dan York (16)

Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible)
Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible) Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible)
Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible)
 
SIPNOC 2014 - Is It Time For TLS for SIP?
SIPNOC 2014 - Is It Time For TLS for SIP?SIPNOC 2014 - Is It Time For TLS for SIP?
SIPNOC 2014 - Is It Time For TLS for SIP?
 
A Choice Of Internet Futures: Will Nonprofits Be Stuck In The Slow Lane?
A Choice Of Internet Futures: Will Nonprofits Be Stuck In The Slow Lane?A Choice Of Internet Futures: Will Nonprofits Be Stuck In The Slow Lane?
A Choice Of Internet Futures: Will Nonprofits Be Stuck In The Slow Lane?
 
Open Source and The Global Disruption Of Telecom: What Choices Will We Make?
Open Source and The Global Disruption Of Telecom: What Choices Will We Make?Open Source and The Global Disruption Of Telecom: What Choices Will We Make?
Open Source and The Global Disruption Of Telecom: What Choices Will We Make?
 
The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoI...
The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoI...The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoI...
The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoI...
 
How IPv6 Will Kill Telecom - And What We Need To Do About It
How IPv6 Will Kill Telecom - And What We Need To Do About ItHow IPv6 Will Kill Telecom - And What We Need To Do About It
How IPv6 Will Kill Telecom - And What We Need To Do About It
 
SIP, Unified Communications (UC) and Security
SIP, Unified Communications (UC) and SecuritySIP, Unified Communications (UC) and Security
SIP, Unified Communications (UC) and Security
 
ClueCon2009: The Security Saga of SysAdmin Steve
ClueCon2009: The Security Saga of SysAdmin SteveClueCon2009: The Security Saga of SysAdmin Steve
ClueCon2009: The Security Saga of SysAdmin Steve
 
SIP Trunking & Security in an Enterprise Network
SIP Trunking & Security in an Enterprise NetworkSIP Trunking & Security in an Enterprise Network
SIP Trunking & Security in an Enterprise Network
 
OSCON 2008: Mashing Up Voice and the Web Using Open Source and XML
OSCON 2008: Mashing Up Voice and the Web Using Open Source and XMLOSCON 2008: Mashing Up Voice and the Web Using Open Source and XML
OSCON 2008: Mashing Up Voice and the Web Using Open Source and XML
 
IP Telephony Security 101
IP Telephony Security 101IP Telephony Security 101
IP Telephony Security 101
 
Recording Remote Hosts/Interviews with VoIP/Skype
Recording Remote Hosts/Interviews with VoIP/SkypeRecording Remote Hosts/Interviews with VoIP/Skype
Recording Remote Hosts/Interviews with VoIP/Skype
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To Know
 
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best PracticesE Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
 
BLISS Problem Statement and Motivation
BLISS Problem Statement and MotivationBLISS Problem Statement and Motivation
BLISS Problem Statement and Motivation
 
ETel2007: The Black Bag Security Review (VoIP Security)
ETel2007: The Black Bag Security Review (VoIP Security)ETel2007: The Black Bag Security Review (VoIP Security)
ETel2007: The Black Bag Security Review (VoIP Security)
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)

  • 1. www.internetsociety.org/deploy360 Deploying New DNSSEC Algorithms IEPG at IETF 93 19 July 2015 Prague, Czech Republic Dan York, Internet Society
  • 2. www.internetsociety.org/deploy360 A Reminder of How DNSSEC Works Web Server Web Browser & Stub Resolver https://example.com/ web page DNS Resolver + Validation 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
  • 3. www.internetsociety.org/deploy360 The Two Parts of DNSSEC Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
  • 4. www.internetsociety.org/deploy360 DNSSEC Algorithms •  Used to generate keys for signing •  DNSKEY •  Used in DNSSEC signatures •  RRSIG •  Used for DS record for chain of trust •  DS •  Used in validation of DNSSEC records •  DNS resolvers
  • 5. www.internetsociety.org/deploy360 IANA Registry of DNSSEC Algorithm Numbers •  http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml Number Description Mnemonic 0 Reserved 1 RSA/MD5 (deprecated ) RSAMD5 2 Diffie-Hellman DH 3 DSA/SHA1 DSA 4 Reserved 5 RSA/SHA-1 RSASHA1 6 DSA-NSEC3-SHA1 DSA-NSEC3-SHA1 7 RSASHA1-NSEC3-SHA1 RSASHA1-NSEC3-SHA1 8 RSA/SHA-256 RSASHA256 9 Reserved 10 RSA/SHA-512 RSASHA512 11 Reserved 12 GOST R 34.10-2001 ECC-GOST 13 ECDSA Curve P-256 wSHA-256 ECDSAP256SHA256 14 ECDSA Curve P-384 wSHA-384 ECDSAP384SHA384 15-122 Unassigned 123-251 Reserved 252 Reserved for Indirect Keys INDIRECT 253 private algorithm PRIVATEDNS 254 private algorithm OID PRIVATEOID 255 Reserved
  • 6. www.internetsociety.org/deploy360 BUT... DNSSEC is an RSA world... (part 1) •  Ed Lewis (ICANN) presenting at CENTR, June 2015 •  Breakdown of DNSSEC names •  https://centr.org/system/files/agenda/attachment/rd7-lewis-dnssec_cryptographic_demographics-20150603.pdf
  • 7. www.internetsociety.org/deploy360 BUT... DNSSEC is an RSA world... (part 2) •  Ed Lewis (ICANN) presenting at CENTR, June 2015 •  Top algorithms (raw keys, not names) •  https://centr.org/system/files/agenda/attachment/rd7-lewis-dnssec_cryptographic_demographics-20150603.pdf Non-RSA algorithms
  • 8. www.internetsociety.org/deploy360 “Newer” DNSSEC Algorithms •  ECDSA – RFC 6605 – April 2012 •  GOST – RFC 5933 – July 2010 •  Future: •  Ed25519? •  https://gitlab.labs.nic.cz/labs/ietf/blob/master/draft-sury-dnskey-ed25519.xml •  ChaCha? (RFC 7539) •  Others coming out of CFRG?
  • 9. www.internetsociety.org/deploy360 Why Do We Care About Newer Algorithms? •  Smaller keys and signatures •  Packet size (and avoiding fragmentation) •  Minimizing potential reflection/DDoS attacks •  Enable large-scale deployment •  Ex. CDNs •  Better cryptography •  Move away from 1024-bit RSA
  • 10. www.internetsociety.org/deploy360 Aspects of Deploying New Algorithms •  Validation •  Signing / DNS Hosting Operators •  Registries •  Registrars •  Developers
  • 11. www.internetsociety.org/deploy360 Validation •  Resolvers performing validation need to be updated to accept and use the new algorithm. •  Software needs to be updated •  Can be an issue of getting the underlying libraries updated •  Updates need to be deployed •  Customer-premises equipment (CPE) •  Problem – RFC 4035, section 5.2: “If the resolver does not support any of the algorithms listed in an authenticated DS RRset, then the resolver will not be able to verify the authentication path to the child zone. In this case, the resolver SHOULD treat the child zone as if it were unsigned.”
  • 12. www.internetsociety.org/deploy360 Validation - measurement •  Geoff Huston at IEPG at IETF 92 (March 2015): •  http://blog.apnic.net/2015/03/23/ietf92-geoff-presents-on-ec-dsa-at-iepg/ •  1 in 5 validating resolvers would not support ECDSA •  Pier Carlo Chiodi using RIPE Atlas probes (Jan 2015): •  http://blog.pierky.com/dnssec-ecdsa-aware-resolvers-seen-by-ripe-atlas/ •  “512 probes received an authenticated response for RSA-signed zone, 63 of those (12,3 %) missed the AD flag for the ECDSA- signed one.”
  • 13. www.internetsociety.org/deploy360 Signing •  Software for authoritative DNS servers need updates •  Updated software needs to be deployed to signing servers •  DNS Hosting Operators (which could be Registrars) need to offer new algorithm to customers •  New key with new algorithm needs to co-exist with existing key for some period of time •  Size impact
  • 14. www.internetsociety.org/deploy360 Registries •  Some registries are only accepting DS records with certain algorithms •  Not accepting new algorithms •  No way to know what algorithms registries accept •  Update EPP feed to indicate what algorithms are accepted? •  Question: Why do registries need to check algorithm type?
  • 15. www.internetsociety.org/deploy360 Registrars •  When adding DS records, some registrars only accept certain algorithms in web interface •  Example – BEFORE someone asked for ECDSA:
  • 16. www.internetsociety.org/deploy360 Registrars •  Good news! – AFTER someone asked for ECDSA: •  But this requires someone asking registrars to support new algorithms... and the registrars making the appropriate updates.
  • 17. www.internetsociety.org/deploy360 Registrars •  Question: why do registrars need to check the algorithm type? •  Is this attempting to protect users from themselves? Minimize support calls? •  What is the harm in advertising an “unknown” algorithm type? •  Answer: Stop restricting and just accept all DS records. •  Does this come down to a user interface issue?
  • 18. www.internetsociety.org/deploy360 Developers •  Give developers a list, they will check it! •  Sooo... IANA DNSSEC algorithm list: •  http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml •  But... in this case bounds-checking is not necessary (if we accept idea that registrars/registries should accept all algorithms). •  Need to modify software to allow all algorithms •  or simply not check algorithm type •  or check IANA registry on some periodic interval
  • 19. www.internetsociety.org/deploy360 Next Steps •  Help people understand value and need to support new algorithms •  Document these steps in a form that can be distributed (ex. Internet-draft) •  Identify and act on actions. Examples: •  Understand implications of registrars/registries simply NOT doing any checking on algorithm types. •  Survey registries to find out which restrict algorithms in DS records •  Explore idea of communicating accepted algorithms in EPP •  Encourage registrars to accept wider range of algorithms (or to stop checking) •  Encourage developers to accept all IANA-listed algorithms (or to stop checking)
  • 20. www.internetsociety.org/deploy360 Draft IAB Statement on Crypto Algorithm Agility •  https://tools.ietf.org/html/draft-iab-crypto-alg-agility Many IETF protocols use cryptographic algorithms to provide confidentiality, integrity, authentication or digital signature. Communicating peers must support a common set of cryptographic algorithms for these mechanisms to work properly. This memo provides guidelines to ensure that protocols have the ability to migrate from one mandatory-to- implement algorithm suite to another over time.