1 Tanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma DNS The Domain Name System
2 RFC 1034 Network Working Group P. Mockapetris Request for Comments: 1034 ISI Obsoletes: RFCs 882, 883, 973 November 1987 DOMAIN NAMES - CONCEPTS AND FACILITIES 1. STATUS OF THIS MEMO This RFC is an introduction to the Domain Name System (DNS), and omits many details which can be found in a companion RFC, "Domain Names - Implementation and Specification" [RFC-1035]. That RFC assumes that the reader is familiar with the concepts discussed in this memo.
3 RFC 1034 (2) 2.2. DNS design goals The design goals of the DNS influence its structure. They are: - The primary goal is a consistent name space which will be used for referring to resources. In order to avoid the problems caused by ad hoc encodings, names should not be required to contain network identifiers, addresses, routes, or similar information as part of the name. - The sheer size of the database and frequency of updates suggest that it must be maintained in a distributed manner, with local caching to improve performance. Approaches that attempt to collect a consistent copy of the entire database will become more and more expensive and difficult, and hence should be avoided. The same principle holds for the structure of the name space, and in particular mechanisms for creating and deleting names; these should also be distributed. - etc.
4 RFC 1035 Network Working Group Request for Comments: 1035 Obsoletes: RFCs 882, 883, 973 P. Mockapetris ISI November 1987 DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION 1. STATUS OF THIS MEMO This RFC describes the details of the domain system and protocol, and assumes that the reader is familiar with the concepts discussed in a companion RFC, "Domain Names - Concepts and Facilities" [RFC-1034]. The domain system is a mixture of functions and data types which are an official protocol and functions and data types which are still experimental. Since the domain system is intentionally extensible, new data types and experimental behavior should always be expected in parts of the system beyond the official protocol. The official protocol parts include standard queries, responses and the Internet class RR data formats (e.g., host addresses). Since the previous RFC set, several definitions have changed, so some previous definitions are obsolete.
5 The DNS Name Space A portion of the Internet domain name space.
6 Resource Records The principal DNS resource records types.
7 Resource Records (2) A portion of a possible DNS database for cs.vu.nl.
8 Name Servers Chaque zone possède (au moins) un serveur délégué Part of the DNS name space showing the division into zones.
9 Name Servers (2) Requête récursive : un résolveur sur flits.cs.vu.nl cherche l adresse de linda.cs.yale.edu
10 Requête : exemple 1 nslookup > set norecurse > set debug > Server: donaser.labri.u-bordeaux.fr Address: Got answer: HEADER: opcode = QUERY, id = 2, rcode = NOERROR header flags: response, recursion avail. questions = 1, answers = 0, authority records = 4, additional = 4 QUESTIONS: type = A, class = IN
18 Secure Naming (a) Normal situation. (b) An attack based on breaking into DNS and modifying Bob's record.
19 Secure Naming (2) How Trudy spoofs Alice's ISP DNS Server.
20 Secure Naming (3) Explications : Trudy gère son propre serveur DNS (serveur délégué pour le domaine trudythe-intruder.com), appelons le T. Le message 1 engendre des messages 1a (requête) et 1b (réponse), entre F, le serveur DNS du FAI d Alice, et C, le serveur DNS du domaine «top level».com ; ces messages n apparaissent pas sur le schéma. La réponse 1b contient, en plus de la réponse proprement dite (adresse IP de foobar.trudy-the-intruder.com), le nom du serveur DNS du domaine (authority record) et son adresse IP (additional record). F garde en mémoire cache tous les enregistrements (RR) comosant la réponse B.
21 Secure Naming (4) Pour répondre à la requête 2, F interroge directement T (message 3), sans passer par C. F construit séquentiellement les identificateurs permettant d apparier requêtes et réponses : faute inadmissible, un nouvel identificateur doit être imprévisible. Noter aussi que Trudy peut envoyer des requêtes DNS (et même une réponse) au serveur F ; possible, sauf si ces requêtes sont bloquées par un NAT (cas où le FAI de Trudy n est pas celui d Alice), ou si la réponse est bloquée par un pare-feu sortant (qui détecte que Trudy émet un paquet avec une adresse IP source falsifiée).
22 Format Messages DNS Mockapetris [Page 25] RFC 1035 Domain Implementation and Specification November MESSAGES 4.1. Format All communications inside of the domain protocol are carried in a single format called a message. The top level format of message is divided into 5 sections (some of which are empty in certain cases) shown below: Header Question the question for the name server Answer RRs answering the question Authority RRs pointing toward an authority Additional RRs holding additional information
23 Format Messages DNS (2) Header section format ID QR Opcode AA TC RD RA Z RCODE QDCOUNT ANCOUNT NSCOUNT ARCOUNT ID A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied into the corresponding reply and can be used by the requester to match up replies to outstanding queries.
24 RFC 2535 Network Working Group D. Eastlake Request for Comments: 2535 IBM Obsoletes: 2065 March 1999 Updates: 2181, 1035, 1034 Category: Standards Track Domain Name System Security Extensions Extensions to the Domain Name System (DNS) are described that provide data integrity and authentication to security aware resolvers and applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records.
25 DNS Security Extensions The extensions provide for the storage of authenticated public keys in the DNS. This storage of keys can support general public key distribution services as well as DNS security. The stored keys enable security aware resolvers to learn the authenticating key of zones in addition to those for which they are initially configured. Keys associated with DNS names can be retrieved to support other protocols. Provision is made for a variety of key types and algorithms.
26 Example An example RRSet for bob.com. The KEY record is Bob's public key. The SIG record is the top-level com server's signed hash of the A and KEY records to verify their authenticity.
27 Key RR The KEY resource record (RR) is used to store a public key that is associated with a Domain Name System (DNS) name. This can be the public key of a zone, a user, or a host or other end entity. A KEY RR is, like any other RR, authenticated by a SIG RR. KEY RRs must be signed by a zone level key.
28 Key RR (2) The public key in a KEY RR is for the object named in the owner name. A DNS name may refer to three different categories of things. For example, foo.host.example could be (1) a zone, (2) a host or other end entity, or (3) the mapping into a DNS name of the user or account Thus, there are flag bits in the KEY RR to indicate with which of these roles the owner name and public key are associated. Note that an appropriate zone KEY RR MUST occur at the apex node of a secure zone and zone KEY RRs occur only at delegation points.
29 Key RDATA KEY RDATA format : flags protocol algorithm / / public key / / /
30 Protocol 1 is reserved for use in connection with TLS. 2 is reserved for use in connection with . 3 is used for DNS security. 4 is reserved to refer to the Oakley/IPSEC [RFC 2401] protocol and indicates that this key is valid for use in conjunction with that security standard.
31 Algorithm RSA/MD5 [RFC 2537] - recommended Diffie-Hellman [RFC 2539] - optional, key only DSA [RFC 2536] - MANDATORY reserved for elliptic curve crypto 254 private - OID : the public key area for the KEY RR and the signature begin with an unsigned length byte followed by a BER encoded Object Identifier (ISO OID) of that length. The OID indicates the private algorithm in use and the remainder of the area is whatever is required by that algorithm. Entities should only use OIDs they control to designate their private algorithms.
32 Sig RR The SIG or "signature" resource record (RR) is the fundamental way that data is authenticated in the secure Domain Name System (DNS). As such it is the heart of the security provided. The SIG RR unforgably authenticates an RRset of a particular type, class, and name and binds it to a time interval and the signer's domain name. This is done using cryptographic techniques and the signer's private key. The signer is frequently the owner of the zone from which the RR originated.
33 Sig RDATA type covered algorithm labels original TTL signature expiration signature inception key tag signer's name + / / / / / signature / / /
Special Publication 800-81 Sponsored by the Department of Homeland Security Secure Domain Name System (DNS) Deployment Guide Recommendations of the National Institute of Standards and Technology Ramaswamy
DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the
DNS Some advanced topics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.6, 2013/09/19 10:55:30) Friday, September 13, 2013 Karst Koymans (with Niels Sijm) (UvA)
SHAPING DNS SECURITY WITH CURVES A COMPARATIVE SECURITY ANALYSIS OF DNSSEC AND DNSCURVE Master Thesis Coding Theory and Cryptology Department of Mathematics and Computer Science Eindhoven University of
accepted for publication in Computer Networks and ISDN Systems Journal Internet Security Architecture Refik Molva Institut Eurécom 2229, route des Crêtes F-06904 Sophia-Antipolis firstname.lastname@example.org Abstract
Domain Name System for PeerHosting Arnav Aggarwal, B.Tech A dissertation submitted to the University of Dublin, in partial fulfilment of the requirements for degree of Master of Science in Computer Science
Network Working Group S. Kent Request for Comments: 4301 K. Seo Obsoletes: 2401 BBN Technologies Category: Standards Track December 2005 Status of This Memo Security Architecture for the Internet Protocol
WS_FTP Professional 12 Security Guide Contents CHAPTER 1 Secure File Transfer Selecting a Secure Transfer Method...1 About SSL...1 About SSH...2 About OpenPGP...2 Using FIPS 140-2 Validated Cryptography...2
ii Copyright 2006 Comcast Communications, Inc. All Rights Reserved. Comcast is a registered trademark of Comcast Corporation. Comcast Business IP Gateway is a trademark of Comcast Corporation. The Comcast
Page de signatures électroniques / Electronic Signatures Page Information Documentaire / Document Information Titre / Title : Auteur / Author : Reference : This document has been digitally signed and timestamped.
SYMANTEC ADVANCED THREAT RESEARCH The Teredo Protocol: Tunneling Past Network Security and Other Security Implications Dr. James Hoagland Principal Security Researcher Symantec Advanced Threat Research
page 2 Rough Outline An introduction to DNSSEC Olaf Kolkman 21 September 2006 Stichting (www.nlnetlabs.nl) Introduction Why DNSSEC DNSSEC Theory Famous last words page 3 DNSSEC evangineers of the day Olaf:
[Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information
To learn more about this book, visit Microsoft Learning at http://www.microsoft.com/mspress/books/11160.aspx Table of Contents Acknowledgments........................................................ xxiii
NIST Special Publication 800-52 Revision 1 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations Tim Polk Kerry McKay Santosh Chokhani http://dx.doi.org/10.6028/nist.sp.800-52r1
SonicWALL Email Security Appliance Administrator Guide Version 7.3 SonicWALL, Inc. 2001 Logic Drive San Jose, CA 95124-3452 Phone: +1.408.745.9600 Fax: +1.408.745.9300 E-mail: email@example.com Part Number:
Best Practices for Integrating Kerberos into Your Application This paper describes best practices for application developers who wish to add support for the Kerberos Network Authentication System to their
Wireless Fusion Enterprise Mobility Suite User Guide for Version 2.55 Wireless Fusion Enterprise Mobility Suite User Guide for Version 2.55 72E-107170-01 Rev. A November 2007 ii Wireless Fusion Enterprise
BSR/ASHRAE Addendum g to ANSI/ASHRAE Standard 135-2004 Public Review Draft ASHRAE Standard Proposed Addendum g to Standard 135-2004, BACnet A Data Communication Protocol for Building Automation and Control
Message Containers and API Framework Notices Copyright 2009-2010 Motion Picture Laboratories, Inc. This work is licensed under the Creative Commons Attribution-No Derivative Works 3.0 United States License.
ImageNow Administrator Getting Started Guide Version: 6.6.x Written by: Product Documentation, R&D Date: June 2011 ImageNow and CaptureNow are registered trademarks of Perceptive Software, Inc. All other
7 Microsoft Network Operating Systems After studying this chapter, you will be able to: Identify the major differences between a Microsoft peer-to-peer network and a Microsoft client/server network. Discuss
Table of Contents About Toshiba Strata CIX and Broadvox SIP Trunking... 1 Requirements... 2 Purpose, Scope and Audience... 3 What is SIP Trunking?... 4 Business Advantages of SIP Trunking... 4 Technical