Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Published byTheodore Percival Lewis Modified over 9 years ago

Similar presentations

Presentation on theme: "1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb."— Presentation transcript:

1 1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb

2 2 A protocol from better times An ancient protocol People were friendly and trustworthy Internet was a warm and fuzzy place DNS is a protocol from admins for admins Main assumption: Computers do not lie Idea: A hierarchical distributed database Store locally, read globally

3 3 Playground to extend DNS works, so use is as a container http://tools.ietf.org/wg/dnsext/ DNS scales, so push a lot of data in in-addr.arpa DNS can be misused as a catchword repository: www.catchword.com DNS may have multiple roots, so introduce private name spaces

4 4 Playground to manipulate Push all initial requests to a payment site Prevent requests to bad sites Offer own search engine for NXDOMAIN Geolocation for efficient content delivery Geolocation for lawful content selection Provide different software updates Prevent worm updates

5 5 trustroute +trace Modelling real world data as DNS records Transferring data into DNS primary server Transferring data into DNS secondaries Updating meta data in parent zone Delivering data to recursive servers Processing by resolver code Providing structures to applications Interpreting data by users

6 6 Securing the data flow Two possible design goals: Detect manipulation Prevent wire-tapping Facing typical problems The compatibility hydra Partial roll-out Satellite networks Still designed by admins: NSEC(3)

7 7 DNS SECurity Trust the primary name server data Signed by the zone-c A framework to verify integrity Signature chains up to a trust anchor In band key management DS records in parent zone (but glue!) Supports caching as well as offloading Provides peer authentication

8 8 Trust anchor management The root is signed In band key roll-overs: RFC 5011 Fill the gaps (parent zone not signed) Manual trust anchors: Edit files on disk Trust Anchor Repositories: Look aside zones DS do.main => DLV do.main.dlv.pro.vi.der Question: Precedence of sources?

9 9 The last mile In an ideal world, apps use a new API Error messages might become helpful Validation errors are SERVFAIL Resolver offloading Provide validated data with AD Allow validator chaining with CD Question: Provide bogus data at all? Attacks on the last mile even for LEAs

10 10 Finally gain benefits DNSSEC adds trust to DNS Use DNS as a hierarchical distributed DB Manage your SSHFPs centrally Manage your CERTs distributed Manage your OpenPGP keys distributed Do not deliver poisoned data to clients Validate late, validate centrally

11 11 Further Consequences Current practice for Intranets Build a separate network using site specific names and numbers Provide application layer gateways, NAT, Split-DNS, and VPN for non-local access Hide internal structure Statically map necessary services (Firewall) Provide local “root” services (Active Directory)

12 12 Current Intranets

13 13 The IPv6 impact IPv6 provides public, globally routable IPs Clients do IPv6 automatically (even tunnel) IPv6 provides end-to-end communication IPv6 is not designed to be translated Future protocols rely on direct channels Web 2.0: Numerous bits from different servers Client to client communication Shortest routing for “quality enhancements”

14 14 The DNSSEC impact Validation chain from a well-known key Clients may have the key hardcoded Only one root possible No local names Prevents rdata and NXDOMAIN rewriting Consistent external and internal view Enterprise DNS rely on DNSSEC from everywhere (DirectAccess, SSH, _tcp …)

15 15 The horrible mobile client Public mobile networks are everywhere Mobile clients Important status symbols Roam in and out quickly Always on: Cloud services Can’t be configured IPv6 Exposes internal DNS servers Create mobile peer-to-peer networks

16 16 Future (Intra)Nets

17 17 Modern intranets Accept consistency requirement Local WLAN and mobile networks REST web applications instead of VPN Secure the services, not the networks Secure the data, not the servers (cloud) Authenticate the user, not the computer Use DNS as trustworthy resource Always use direct communication

18 18 Conclusion IPv6 and DNSSEC dramatically change the design of modern networks Information hiding policies do not work Centralized policy enforcement unusable Concentrate on benefits Build stable, globally routable networks Enforce data security at the data level Trust the people, not the devices

19 19 Did you sign your zones? Why not?

Download ppt "1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
The following 10 questions test your knowledge of client site assignment in Configuration Manager 2007. Configuration Manager 2007 Client Site Assignment.

The following 10 questions test your knowledge of client site assignment in Configuration Manager Configuration Manager 2007 Client Site Assignment.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Module 4: Configuring Network Connectivity

Module 4: Configuring Network Connectivity
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
1 Name Service in IPv6 Mobile Ad-hoc Network connected to the Internet Jaehoon Jeong, ETRI PIMRC 2003.

1 Name Service in IPv6 Mobile Ad-hoc Network connected to the Internet Jaehoon Jeong, ETRI PIMRC 2003.
Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.

Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.
Subnetting.

Subnetting.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

Similar presentations

Ads by Google