Presentation is loading. Please wait.

Presentation is loading. Please wait.

Joint Techs, Albuquerque Feb 2006 © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin

Published byDeirdre Gibbs Modified over 8 years ago

Similar presentations

Presentation on theme: "Joint Techs, Albuquerque Feb 2006 © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin"— Presentation transcript:

1 Joint Techs, Albuquerque Feb 2006 http://www.nlnetlabs.nl/ © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin olaf@nlnetlabs.nl and mankin@psg.com

2 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ DNSSEC evangineers of the day Allison: Independent consultant Member of the Internet2 Tech. Advisory Comm. IETF Transport Area Director Member of ICANN’s SSAC Olaf: NLnet Labs (www.nlnetlabs.nl) –DNS and DNSSEC research Protocol and software development (such as NSD, a lean and mean authoritative nameserver) Co-Chair of the IETF DNSEXT working group (Shinkuro is acknowledged for sponsoring our trip)

3 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Why DNSSEC Good security is multi-layered –Multiple defense rings in physical secured systems

4 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Bourtange, source Wikipedia

5 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Why DNSSEC Good security is multi-layered –Multiple defense rings in physical secured systems –Multiple ‘layers’ in the networking world DNS infrastructure –Providing DNSSEC to raise the barrier for DNS based attacks –Provides a security ‘ring’ around many systems and applications

6 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ The Problem DNS data published by the registry is being replaced on its path between the “server” and the “client”. This can happen in multiple places in the DNS architecture –Some places are more vulnerable to attacks then others –Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities)

7 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Solution a Metaphor Compare DNSSEC to a sealed transparent envelope. The seal is applied by whoever closes the envelope Anybody can read the message The seal is applied to the envelope, not to the message

8 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ edu institution as ISP edu as ‘friend’ edu as DNS provider DNS Architecture Registry DB primary secondary Cache server Registrars/ Registrants client DNS ProtocolProvisioning secondary

9 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ DNS Architecture Registry DB Server compromise Registrars Registrants DNS ProtocolProvisioning Inter-server communication Cache Poisoning

10 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ DNSSEC protection Registry DB Registrars Registrants DNS ProtocolProvisioning ‘envelope sealed’‘Seal checked’

11 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Astrophysics Mail Server Example: Unauthorized mail scanning DNS Central Admin Mail Server Central Admin Mail Server Where? There! Subject: tenure

12 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Astrophysics Mail Server Example: Unauthorized mail scanning DNS Central Admin Mail Server Central Admin Mail Server Where? Elsewhere Bad Guy Subject: tenure

13 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Where Does DNSSEC Come In? DNSSEC secures the name to address mapping –Tranport and Application security are just other layers.

14 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ DNSSEC secondary benefits DNSSEC provides an “independent” trust path –The person administering “https” is most probably a different from person from the one that does “DNSSEC” –The chains of trust are most probably different –See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”

15 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ More benefits? With reasonable confidence perform opportunistic key exchanges –SSHFP and IPSECKEY Resource Records With DNSSEC one could use the DNS for a priori negotiation of security requirements. –“You can only access this service over a secure channel”

16 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ DNSSEC properties DNSSEC provides message authentication and integrity verification through cryptographic signatures –Authentic DNS source –No modifications between signing and validation It does not provide authorization It does not provide confidentiality

17 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ DNSSEC deployment practicalities RIPE NCC deployed DNSSEC on the reverse tree –202.in-addr.arpa etc are now signed and you can get secure delegations –We followed the architecture to plan the changes to our system You may want to follow the same steps when planning for local DNSSEC deployment

18 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ DNSSEC Architecture modifications Primary DNS Secondary DNS Customer interfaces Zone signer DNSSEC aware servers DNS and input checks Provisioning DB Zone Creation DNSSEC aware provisioning

19 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Server Infrastructure Part of keeping up to date –Your most recent version of BIND and NSD run DNSSEC Memory might be an issue –Predictable (see RIPE352) Coordination with secondaries

20 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Provisioning Realize that interaction with child is not drastically different. –DS and NS have the same security properties –You may need to respond a bit different to ‘child’ emergency cases Thinking “security” will make you notice “security”

21 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Key Mastering and Signing Key management and signing needs to be reliable –Failure will lead to loss of service Cost factors: –Automation and Education

22 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ How about the ‘client’ side Set up your caching nameserver to perform validation and the infrastructure behind it is protected DNSSEC has not yet been pushed to the host or application Costs are in maintaining trust anchors –There is no standard to automate against.

23 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ What’s keeping folk New technology; chicken and egg Zone walking possibility –Is this really an issue in your environment? –Solutions are being engineered Automated key rollover and distribution

24 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Why would you be a(n) (early) player Keeping the commons clean –EDU and international research nets are important parts of the commons –Significant ‘hot spots’ of delegation –EDU networks have ‘interesting’ properties for the black hats.

25 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Early players Demonstrate the ability to self-regulate –Before the guys up the hill force it down your throat –Before a bad thing happens and you are woken up at 2 am Lead by example –Break the egg

26 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ What you can do Deploy in your own domain –www.dnssec.net contains a myriad of information resources.www.dnssec.net Ask your registry and your registrar? –Educause, ARIN, Verisign, CC-TLD registries,.gov etc. Ask your OS and network equipment and application vendors –Microsoft, Cisco, Firewalls vendors, etc

27 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ This Week Get involved in an Internet2 pilot –Charles Yun, Internet2 Security Program Director, organizing now –Talk to him this week Get to our workshop –http://dnssec-nm.secret-wg.org Talk to your colleagues for bilateral pilots Talk to us.

28 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Next Week Deploying locally provides immediate security benefits –Sign your own zone and configure your keys

29 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

30 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

31 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

32 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

33 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Mitigate by Deploying SSL? Claim: SSL is not the magic bullet –(Neither is DNSSEC) Problem: Users are offered a choice –Far too often –Users are annoyed Implementation and use make SSL vulnerable –Not the technology

34 Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/ Confused?

Download ppt "Joint Techs, Albuquerque Feb 2006 © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin"

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.

The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Secure Communications … or, the usability of PKI.

Secure Communications … or, the usability of PKI.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
1 DNS,NFS & RPC Rizwan Rehman, CCS, DU. Netprog: DNS and name lookups 2 Hostnames IP Addresses are great for computers –IP address includes information.

1 DNS,NFS & RPC Rizwan Rehman, CCS, DU. Netprog: DNS and name lookups 2 Hostnames IP Addresses are great for computers –IP address includes information.

Similar presentations

Ads by Google