DNSSEC & Email Validation Tiger Team
DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC)
Earl Crane, Department of Homeland Security, Office of the CIO
Scott Rose, National Institute of Standards and Technology
Homeland Security Technology Background

DNSSEC Overview
OMB M-08-23, "Securing the Federal Government's Domain Name System Infrastructure": all agencies must deploy DNSSEC by December 2009.
Internet Systems Consortium: DNSSEC is the "only full solution" to DNS attacks; considered the more viable long-term solution.
Cryptographic signatures over DNS data (not messages).
Assures integrity of results returned from DNS queries: users can validate source authenticity and data integrity.
Checks the chain of signatures up to the root.
Protects against tampering in caches and during transmission.

Email Validation Overview
Detects and blocks spoofed/forged mail.
Sender Policy Framework (SPF), sufficient on its own for domains that do not send email (such a domain publishes a record that authorizes no senders).
– "Path based": senders publish the acceptable message paths (sending IP addresses) for the domain.
– Near-zero deployment requirements for senders: DNS records only, no change to outbound servers.
DomainKeys Identified Mail (DKIM) for domains that do send mail.
– "Signature based": senders insert a cryptographic signature into each message for the domain.
– Requires cryptographic operations in both the sender's and the receiver's gateway infrastructure.
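The "path based" check described above, as an added example that is not part of the deck: a receiving mail server looks up the sender domain's SPF record and tests whether the connecting IP is one of the published paths. The domains, records and IP addresses are constructed for the example (documentation ranges, not real zones), and the DNS lookup is replaced by a dictionary; only the ip4/ip6 and all mechanisms are implemented, which is enough to show both a sending domain and a "no mail" domain that publishes "v=spf1 -all".

```python
"""Added example (not from the slide deck): a minimal path-based SPF check.

A real receiver fetches the TXT record of the envelope-sender domain over
DNS; here the records are constructed and stored in a dictionary so the
example runs offline.
"""
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (not real domains).
SPF_RECORDS = {
    "mail.example.gov": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ~all",
    # A domain that never sends mail publishes a record authorizing no senders:
    "nomail.example.gov": "v=spf1 -all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none")
    for client_ip evaluated against one SPF record.

    Only ip4/ip6 and "all" are handled. Mechanisms such as include, a and mx
    would need further DNS lookups and are out of scope for this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches: it is the policy for every path not listed.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} not supported in this example")
    # No mechanism matched and no "all" term: the record gives no opinion.
    return "neutral"


def check_sender(mail_from, client_ip, records=SPF_RECORDS):
    """Evaluate the envelope sender's domain policy for the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    for sender, ip in [("alice@mail.example.gov", "192.0.2.45"),
                       ("alice@mail.example.gov", "203.0.113.9"),
                       ("anyone@nomail.example.gov", "192.0.2.45")]:
        print(f"{sender} from {ip}: {check_sender(sender, ip)}")
```

A receiver acts on the result: "fail" is normally rejected at SMTP time, while "softfail" is usually accepted and marked, which is why a domain that sends no mail gains the most from the hard "-all" policy.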
Cyber and Network Security Program
The "Kaminsky Bug"
Rapid, widespread and resilient: it sharply reduces the time required to poison a recursive name server's cache.
All known name server implementations are affected
– Some more than others (the cache could be poisoned in under 10 seconds)
– Most implementations are now patched, so poisoning one is now as easy/difficult as any other implementation
Even patched software remains vulnerable (the patches randomize the UDP source port, which raises the attacker's cost but does not remove the weakness)
– a cache poisoning attempt can still succeed in under 10 hours
Cyber and Network Security Program
What DNSSEC Provides
Cryptographic signatures over DNS data (not messages)
Assures integrity of results returned from DNS queries:
– Users can validate source authenticity and data integrity
Checks the chain of signatures up to the root
– Chain completely contained within DNS (no PKI or X.509 certificates needed)
– Protects against tampering in caches and during transmission
Not provided: message encryption (queries and responses remain visible on the wire) and protection against denial-of-service attacks (signed responses are larger, so DNSSEC can make amplification worse)
Cyber and Network Security Program
DNSSEC Chain of Trust
[Figure: the DNS tree from "." (the DNS root) down through gov. to opm.gov. and nist.gov., with se. as a separate top-level zone. Each zone holds a KSK, a ZSK and its signed Data; the parent zone publishes signed records vouching for the child zone's KSKs.]
KSKs often serve as the "anchor" of the authentication chain. The higher up in the tree, the more useful the trust anchor.
Trust anchors are installed on client resolvers.
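The chain described on the two slides above (signatures checked up to the root, with a KSK as the trust anchor), as an added example that is not from the deck: each parent zone publishes a DS record, a hash of the child zone's KSK, and a validating resolver only needs the root KSK configured to walk from the root down to nist.gov. checking each KSK it is handed against the DS its parent signed. The key-tag and DS-digest computations follow RFC 4034; the zone names, keys and DS values are constructed for the example (tiny fake key bytes, not real cryptographic keys), and the RRSIG signature checks that sit between the steps are omitted so the example runs with the standard library only.

```python
"""Added example (not from the slide deck): following the DNSSEC chain of trust
from a configured trust anchor down to a child zone's KSK via DS records.
Keys and zone data below are constructed; only hashlib is used.
"""
import hashlib


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to select a key quickly."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ksk_matches_ds(owner, rdata, ds):
    """True if the DNSKEY RDATA is the key the DS tuple (key_tag, algorithm, digest) names."""
    tag, alg, digest = ds
    return (key_tag(rdata) == tag and rdata[3] == alg
            and ds_digest(owner, rdata) == digest.lower())


# Constructed KSKs for the zones in the figure (fake key bytes, an assumption).
ZONE_KSKS = {
    ".": dnskey_rdata(257, 3, 8, b"\x01\x02"),
    "gov.": dnskey_rdata(257, 3, 8, bytes(range(0x20, 0x40))),
    "nist.gov.": dnskey_rdata(257, 3, 8, bytes(range(0x40, 0x60))),
}


def make_ds(owner):
    """Build the DS tuple a parent zone would publish for owner's KSK."""
    rdata = ZONE_KSKS[owner]
    return (key_tag(rdata), rdata[3], ds_digest(owner, rdata))


# DS records as each parent publishes (and signs) them, and the resolver's anchor.
PARENT_DS = {"gov.": make_ds("gov."), "nist.gov.": make_ds("nist.gov.")}
TRUST_ANCHOR = make_ds(".")


def validate_chain(target, ksks=ZONE_KSKS, parent_ds=PARENT_DS, anchor=TRUST_ANCHOR):
    """Walk from the root to target, checking each zone's KSK against the DS its
    parent signed (or the trust anchor for the root). Returns the zones validated
    in order, or raises ValueError naming the zone where the chain breaks."""
    labels = [lbl for lbl in target.rstrip(".").split(".") if lbl]
    zones = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    validated = []
    for zone in zones:
        ds = anchor if zone == "." else parent_ds.get(zone)
        if ds is None:
            raise ValueError(f"{zone}: no DS in parent, chain broken (zone is unsigned)")
        if not ksk_matches_ds(zone, ksks[zone], ds):
            raise ValueError(f"{zone}: KSK does not match the parent's DS (bogus)")
        validated.append(zone)
    return validated


def chain_is_valid(target, **kw):
    """Boolean wrapper around validate_chain for callers that only need pass/fail."""
    try:
        validate_chain(target, **kw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("validated:", validate_chain("nist.gov."))
    swapped = dict(ZONE_KSKS, **{"gov.": dnskey_rdata(257, 3, 8, b"\xff" * 32)})
    print("with a substituted gov. KSK:", chain_is_valid("nist.gov.", ksks=swapped))
```

The two failure branches are the ones a validator reports in practice: a missing DS means the parent never delegated securely (the child is simply unsigned, which is what the FISMA "hierarchies with all sub-domains signed" metric measures), while a DS that does not match the presented KSK means the key was substituted somewhere between the authoritative server and the resolver and the answer must be treated as bogus.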
Homeland Security FNS Tiger Team: DNSSEC and E-Mail Validation
Network and Infrastructure Security Subcommittee, ISIMC, Federal CIO Council
FY11 FISMA Metrics for DNSSEC and Email Validation:
Network Security Protocols: DNSSEC
– % of external-facing second-level DNS names signed
– % of external-facing DNS hierarchies with all sub-domains (second-level and below) signed
Boundary Protection: Email Validation
– % of agency email systems that implement sender verification (anti-spoofing) technologies, such as S/MIME, DKIM and SPF, when sending messages from/to government agencies or the public
Office of the Chief Information Officer
UNCLASSIFIED/FOR OFFICIAL USE ONLY
Current Federal DNSSEC Status