Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Last Link in the DNSSEC Chain of Trust

Published bySibyl Kelly Modified over 5 years ago

Similar presentations

Presentation on theme: "The Last Link in the DNSSEC Chain of Trust"— Presentation transcript:

1 The Last Link in the DNSSEC Chain of Trust
Stub Resolver or ISP cache? Andrew White / Charter Communications DNS OARC 25 Dallas, TX 16 Oct 2016

2 Is DNSSEC practical? DNSSEC provably makes DNS reflection attacks worse Stub resolvers today generally do not validate DNSSEC responses Stub resolver’s failure validate responses allows potentially undesirable behavior such as NXDOMAIN redirection from the ISP DNSSEC does not solve privacy issues with DNS even with stub resolver validation No motivation for implementation until DANE is adopted by ISP caching servicers and stub resolvers

3 Potential Solutions Adoption of DANE and RFC5934 for management of DNS-sourced trust anchors Stub resolvers could validate DNS responses if root trust anchors were preloaded like C.A. certs are with browsers Ditch DNSSEC for DNS over TLS (RFC 7858) Other options include DNSCurve, DNSCrypt, Confidential DNS, IPSECA, DNSoD Caveat with all: Adoption only likely if popular apps (browsers) or operating systems provide it out of the box. Users are not generally interested in privacy (unfortunately).

4 Two non-sequiturs Please support the RIPE Atlas project -- get probes in your network! Please find me if you have interested in discussing the problems of IPv6 synthetic response (RFC-1912 recommendations)

Download ppt "The Last Link in the DNSSEC Chain of Trust"

Similar presentations

Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN.

Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
FCC CSRIC III Working Group 4 Network Security Best Practices Rodney Joffe SVP and Senior Technologist, Neustar, Inc.

FCC CSRIC III Working Group 4 Network Security Best Practices Rodney Joffe SVP and Senior Technologist, Neustar, Inc.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Technical Question Technical Question

Technical Question Technical Question
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.
EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.

EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.
Draft-wing-v6ops-happy-eyeballs-ipv6 Happy Eyeballs: Trending Towards Success with Dual-Stack Hosts Dan Wing Andrew Yourtchenko {dwing,

Draft-wing-v6ops-happy-eyeballs-ipv6 Happy Eyeballs: Trending Towards Success with Dual-Stack Hosts Dan Wing Andrew Yourtchenko {dwing,
DNSSec.TLD is signed! What next? V.Dolmatov November 2011.

DNSSec.TLD is signed! What next? V.Dolmatov November 2011.
An information sharing and analysis centre for the global DNS. DNS OARC.

An information sharing and analysis centre for the global DNS. DNS OARC.
GRE.

GRE.

Similar presentations

Ads by Google