Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Published byLeo Tucker Modified over 5 years ago

Similar presentations

Presentation on theme: "A Longitudinal, End-to-End View of the DNSSEC Ecosystem"— Presentation transcript:

1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Chung, Taejoong and van Rijswijk-Deij, Roland and Chandrasekaran, Balakrishnan and Choffnes, David and Levin, Dave and Maggs, Bruce M and Mislove, Alan and Wilson, Christo, 2017 Presented by – Kalyan

2 Motivation Even after 20 years, DNSSEC remains misconfigured in most of the zones. Complexity of the infrastructure Security compliance, Improved Automation, Auditing of DNSSEC Management. Re-examine the validation of the queries to the server logs from the authoritative nameservers, which is used to study DNSSEC enabled resolver behaviour.

3 Introduction DNS DNSSEC How is it different ? CNAME, MX, NS, A
DS, DNSKEY, RRsigs How is it different ? Provides Authentication and Integrity

4 Paper Summary 1 Study of DNSSEC deployment from root zone to the child zone and validation by the resolver 2 Study on KSKs and ZSKs – PKI Infrastructure 3 RRsigs, DNSKEY, DS [Other resource records include NSEC, NSEC3 CDNSKEY, AND CDS] 4 Active Measurements – 59K Resolvers, 150K Domains Key Rollover 6 Daily, Hourly Dataset – TTL of the cached records

5 DNSSEC Cache poisoning
An old idea which hasn’t been incorporated completely, improper Key Mismanagement. Most of them are incoherently managed

6 Resolver And Root Do Bit – 1, 0
DNSSEC Aware Resolvers – request and validate DNSSEC Aware – Root Zone – Authoritative Name Servers – Resolvers Publishing the DNSKEY to the parent domain, as a DS record, which contains the hashed DNSKEY KSK. Luminati HTTP/S Proxy Service – 400k end hosts – 59k Resolvers

7 Findings TTL of cached records. <= 1 Hour, => 1 Hour
Key Rollover DNSKEY- DS Records Weak Key Length of Keys – 1024 bits is not adequate

8 Findings [Cont..] SOA Records – Cannot be validated
No SOA records being signed DS Records - Incorrect Does not match the KSKs

9 Criticism Active measurements could have been incorporated for better results Other records were not available for the study. No explanation or very little insight about the records.

10 THANK YOU

Download ppt "A Longitudinal, End-to-End View of the DNSSEC Ecosystem"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.

Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
Introduction to DNSSEC AROC Bamako, Mali, 2010. What is DNSSEC?

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?

Similar presentations

Ads by Google