DNSSEC for Everybody: A Beginner s Guide

Similar documents
DNSSec Operation Manual for the.cz and e164.arpa Registers

American International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

DNSSEC and DNS Proxying

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

Overview of DNSSEC deployment worldwide

DNSSEC in your workflow

DNSSEC Policy Statement Version Introduction Overview Document Name and Identification Community and Applicability

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid

Deploying DNSSEC: From End-Customer To Content

DNSSEC Practice Statement (DPS)

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

DNSSEC Applying cryptography to the Domain Name System

DNS at NLnet Labs. Matthijs Mekking

The Domain Name System (DNS) A Brief Overview and Management Guide

DNSSEC Root Zone. High Level Technical Architecture

Computer Networks: Domain Name System

Secure Domain Name System (DNS) Deployment Guide

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

DNSSEC Deployment a case study

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Secure Domain Name System (DNS) Deployment Guide

Next Steps In Accelerating DNSSEC Deployment

Verisign DNSSEC Practice Statement for TLD/GTLD Zone

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

KSRegistry DNSSEC Policy Statement

Internet-Praktikum I Lab 3: DNS

Verisign DNSSEC Practice Statement for EDU Zone

Prepared by: National Institute of Standards and Technology SPARTA, Inc. Shinkuro, Inc.

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

The Graph Name System: pathnames and petnames in a rootless DNS

Unbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)

DNSSEC. What is DNSSEC? Why is DNSSEC necessary? Ensuring a secure Internet

DNS and BIND. David White

Networking Domain Name System

A Step-by-Step guide for implementing DANE with a Proof of Concept

DNSSEC. Introduction Principles Deployment

DNS security: poisoning, attacks and mitigation

DNSSEC - SECURE DNS FOR GOVERNMENT. Whitepaper

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Root Zone KSK: The Road Ahead. Edward Lewis DNS-OARC & RIPE DNSWG May 2015 edward.lewis@icann.org

Securing DNS Infrastructure Using DNSSEC

DNSSEC Practice Statement.OVH

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

New gtld Basics New Internet Extensions

Introduction to the DANE Protocol

3SECTION B SUPPLIES OR SERVICES AND PRICES/COSTS. This is a no cost, $0.00 time and material contract. B.2 COST/PRICE

Security in the Network Infrastructure - DNS, DDoS,, etc.

DOMAIN NAME SECURITY EXTENSIONS

DNSSEC Misconfigurations: How incorrectly configured security leads to unreachability

Analyzing DANE's Response to Known DNSsec Vulnerabilities

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

A Security Evaluation of DNSSEC with NSEC3

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

The Domain Name System from a security point of view

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Resilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

A Best Practices Architecture for DNSSEC

A Review of Administrative Tools for DNSSEC Spring 2010

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

Web Security. Mahalingam Ramkumar

First version of the document.

GDS Resource Record: Generalization of the Delegation Signer Model

The Future of DNS. Johan Ihrén Netnod. October 15,

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

DNSSEC in stats. GC-SEC Global Cyber Security Center. Andrea Rigoni. CENTR Bruxelles, 7th October Global Cyber Security Center Director General

Step-by-Step DNSSEC-Tools Operator Guidance Document

Computer Networks & Security 2014/2015

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

Domain Name Servers. Domain Types WWW host names. Internet Names. COMP476 Networked Computer Systems. Domain Name Servers

STATE OF DNS AVAILABILITY REPORT

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

Transcription:

DNSSEC for Everybody: A Beginner s Guide San Francisco, California 14 March 2011 4:00 to 5:00 p.m. Colonial Room

The Schedule 2

This is Ugwina. She lives in a cave on the edge of the Grand Canyon...

This is Og. He lives in a cave on the other side of the Grand Canyon...

It s a long way down and a long way round. Ugwina and Og don t get to talk much...

On one of their rare visits, they notice the smoke coming from Og s fire

...and soon they are chatting regularly using smoke signals

until one day, mischievous caveman Kaminsky moves in next door to Ug and starts sending smoke signals too...

Now Ugwina is really confused. She doesn t know which smoke to believe...

So Ugwina sets off down the canyon to try and sort out the mess...

Ugwina and Og consult the wise village elders. Caveman Diffie thinks that he might have a cunning idea...

And in a flash, jumps up and runs into Ug s cave...!

Right at the back, he finds a pile of strangely coloured sand that has only ever been found in Ug s cave...

And with a skip, he rushes out and throws some of the sand onto the fire. The smoke turns a magnificent blue...

Now Ugwina and Og can chat happily again, safe in the knowledge that nobody can interfere with their conversation

DNSSEC Basics and How it Works Matt Larson, VeriSign

The Name Space " " cc tv com net org name info verisign cnn hp www www money www corp hpl holmes winnie www

Domain Names: www.cnn.com " " cc tv com net org name info verisign Name servers cnn hp Mail servers IP address www www money www corp hpl IP address IP address holmes winnie www

Domains: hp.com " " cc tv com net org name info verisign cnn hp www www money www corp hpl holmes winnie www

Zones " " cc tv com net org name info verisign cnn hp www www money www corp hpl holmes winnie www

Name Servers Root Name Servers root-servers.net " " a b c d e f g h i j k l m cc tv com net org name info verisign cnn hp.com Name Servers gtld-servers.net a b c d e f g h i j k l m www www money www corp hpl holmes winnie www cnn.com Name Servers cnn.com n s 1 n s 2 n s 3 n s 4

Name Resolution Root Name Servers root-servers.net a b c d e f g h i j k l m www.cnn.com IP?.com/.net Name Servers gtld-servers.net.com name servers www.cnn.com IP? a b c d e f g h i j k l m cnn.com Name Servers cnn.com cnn.com name servers www.cnn.com IP? Recursive Name Server www.cnn.com IP www.cnn.com IP n s 1 n s 2 n s 3 n s 4 www.cnn.com IP HTTP request Internet User HTTP response cnn.com Web Site www.cnn.com

DNS Security DNS has no security One packet for query, one packet for response Must rely on source IP based authen?ca?on Easily spoofed Clever resolvers help a lot But we need something beger

What DNSSEC Does DNSSEC uses public key cryptography and digital signatures to provide: Data origin authentication Did this DNS response really come from the.com zone? Data integrity Did an attacker (e.g., a man-in-the-middle) modify the data in this response since it was signed? Bottom line: DNSSEC offers protection against spoofing of DNS data

What DNSSEC Doesn t Do DNSSEC does not: Provide any confidentiality for DNS data I.e., no encryption The data in the DNS is public, after all Address attacks against the name server itself Denial of service, Packets of death, etc.

Key Pairs In DNSSEC, each zone has a public/ private key pair The zone s public key is stored in the new DNSKEY record The zone s private key is kept safe Stored offline (ideally) Perhaps held in an HSM (Hardware Security Module)

Digital Signatures A zone s private key signs each piece of DNS data in a zone Each digital signature is stored in an RRSIG record

Chain of Trust There are no certificates in DNSSEC The trust model is rigid The chain of trust flows from parent zone to child zone Only a zone s parent can vouch for its keys identity

Types of Keys Signed zone has DNSKEY records at its apex Usually multiple keys One or more key-signing keys (KSKs) One or more zone-signing keys (ZSKs) KSK Signs only the DNSKEY records ZSK Signs the rest of the zone

Delegation Signer (DS) Records The Delegation Signer (DS) record specifies a child zone s key A zone s DS records only appear in its parent zone DS records are signed by the parent zone

Trust Anchors You have to trust somebody DNSSEC validators need a list of trust anchors A trust anchor is a key that is implicitly trusted Analogous to list of certificate authorities (CAs) in web browsers

Trust anchor root KSK root ZSK com DS " " Signature DNSSEC Validators com KSK com ZSK cnn.com DS com Signature cnn.com KSK cnn.com ZSK www.cnn.com A record cnn www money Signature IP address

DNSSEC Chain of Trust Norm Richie, ISC

A Sample DNSSEC Implementation & Audience Interaction Russ Mundy, Cobham Solutions

DNSSEC Implementation Samples DNSSEC implementation depends upon & is mostly driven by an activity s DNS functions DNS is made up of many parts, e.g., name server operators, applications users, name holders ( owners ), DNS provisioning Activities with large, complex DNS functions are more likely to have more complex DNSSEC implementation activities Also more likely to have DNS knowledgeable staff

DNSSEC Implementation Samples, Continued DNS size and complexity examples: Registry responsible for a large TLD operation, e.g.,.com Substantial enterprise with many components with many geographic locations, e.g., hp.com Internet-based businesses with a number of business critical zones, e.g., www.verisign.com Activities with non-critical DNS zones, e.g., netsnmp.org Proverbial Internet end users (all of us here)

Zones " " cc tv com net org name info verisign cnn hp www www money www corp hpl holmes winnie www

General Principle: If an activity does a lot with their DNS functions and operations then they probably will want to do a lot with the associated DNSSEC pieces; If an activity does little or nothing with their DNS functions and operations then they probably will want to do little or nothing with the associated DNSSEC pieces.

DNS Zone Content Flow (for example, www.icann.org or www.cnn.com) Registries Zone Name Servers Provisioning Area Publica5on Area Content Input Registrars DNS Content Picture DNS Resolvers Content Output Content Starts Here Content Used Here Registrants User Applica5ons russ.mundy@cobham.com 40

I need to have a WWW record Simple Illustration of DNS Components Add Zone Administrator Zone Data publish Authoritative Server Administrator Authoritative Server 3. www is 1.2.3.4 2. Request www End User Recursive Server 1. Request www 4. www is 1.2.3.4 Client russ.mundy@cobham.com Recursive Server Administrator 41

Name Resolution Root Name Servers root servers.net a b c d e f g h i j k l m www.cnn.com IP?.com/.net Name Servers gtld servers.net.com name servers www.cnn.com IP? a b c d e f g h i j k l m cnn.com Name Servers cnn.com cnn.com name servers www.cnn.com IP? Recursive Name Server www.cnn.com IP www.cnn.com IP n s 1 n s 2 n s 3 n s 4 www.cnn.com IP HTTP request Internet User HTTP response cnn.com Web Site www.cnn.com

1 Webpage = Multiple DNS Name Resolutions russ.mundy@cobham.com 43

www.cnn.com

DNS Basic Functions DNS provides the translation from names to network addresses Get the right DNS content to Internet users IT S DNS CONTENT THAT MATTERS! russ.mundy@cobham.com 45

How Does DNSSEC Fit? DNSSEC required to thwart attacks on DNS CONTENT DNS attacks used to attack Internet users applications Protect DNS CONTENT as much as (or more than) any DNSSEC information Including DNSSEC private keys!! russ.mundy@cobham.com 46

DNS Zone Content Flow (for example, www.icann.org or www.cnn.com) DNSSEC specs HERE Registries Zone Name Servers Provisioning Area Publica5on Area Content Input Registrars DNS Content Picture DNS Resolvers Content Output Content Starts Here Content Used Here Registrants User Applica5ons russ.mundy@cobham.com 47

I need to have a signed WWW record Simple Addition of DNSSEC ( this (there are both much more and less complex setups than Add Zone Administrator Zone Data sign Signed Data publish Authoritative Server Administrator Authoritative Server new 3. www is 1.2.3.4 2. Request www End User Validating Recursive Server 1. Request www 4. www is 1.2.3.4 Client russ.mundy@cobham.com Recursive Server Administrator 48

Implementation Samples In general, try to do DNSSEC in the same way that you are doing DNS

Implementation Samples If you re running much or all of your DNS functions and operations, DNSSEC implementation could be based on: Extend DNS operation to incorporate DNSSEC; Use open source DNSSEC tools (e.g., from www.dnssec-tools.org or opendnssec.org); Use commercial DNSSEC products; Mix elements from all of the above

Implementation Samples If DNS functions and operations are being done with one (or several) software & hardware products, find out if the product providers have (or will) incorporate DNSSEC to support your DNS functions and operations. If not, push them for adding DNSSEC to their products; or Examine additional or different products or services that will provide DNSSEC, e.g., emerging DNSSEC signing services.

Implementation Samples If you are the holder ( owner ) of names but out-source DNS functions and operations, e.g., to your registrar, then determine if the out-source offers DNSSEC capability. If not, push on them to develop and offer DNSSEC capability Consider using a different out-source DNS service Consider developing in-house DNS (and DNSSEC) capabilities

Audience Interaction and Participation

Summary Simon McCalla, Nominet UK

Thank You and Questions

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information