Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing."— Presentation transcript:

1 DNS Security Extension (DNSSEC)

2 Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing and corruption

3 Outline Introduction DNSSEC mechanisms –to authenticate servers (TSIG / SIG0) –to establish authenticity and integrity of data Quick overview New RRs Using public key cryptography to sign a single zone Delegating signing authority ; building chains of trust Key exchange and rollovers Conclusions

4 DNS: Known Concepts Known DNS concepts: –Delegation, Referral, Zone, RRs, label, RDATA, authoritative server, caching forwarder, stub and full resolver, SOA parameters, etc –Don’t know? Do ask!

5 Reminder: DNS Resolving Resolver Question: www.ripe.net A www.ripe.net A ? Caching forwarder (recursive) root-server www.ripe.net A ? “go ask net server @ X.gtld-servers.net” (+ glue) gtld-server www.ripe.net A ? “go ask ripe server @ ns.ripe.net” (+ glue) ripe-server www.ripe.net A ? “192.168.5.10” 192.168.5.10 12345 6 7 Add to cache 9 810 TTL

6 DNS: Data Flow master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 345

7 DNS Vulnerabilities master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 3 Server protection 45 Corrupting data Impersonating master Unauthorized updates Cache impersonation Cache pollution by Data spoofing Data protection

8 DNS Protocol Vulnerability DNS data can be spoofed and corrupted on its way between server and resolver or forwarder The DNS protocol does not allow you to check the validity of DNS data Exploited by bugs in resolver implementation (predictable transaction ID) Corrupted DNS data might end up in caches and stay there for a long time (TTL) How does a slave (secondary) knows it is talking to the proper master (primary)?

9 Motivation for DNSSEC DNSSEC protects against data spoofing and corruption DNSSEC (TSIG) provides mechanisms to authenticate servers DNSSEC (KEY/SIG/NXT) provides mechanisms to establish authenticity and integrity of data A secure DNS will be used as a public key infrastructure (PKI) –However it is NOT a PKI

10 DNSSEC Mechanisms to Authenticate Servers TSIG SIG0

11 TSIG Protected Vulnerabilities Zone file slaves master Caching forwarder resolver Zone administrator Dynamic updates Unauthorized updates Impersonating master

12 SOA … SOA Sig... Master AXFR TSIG example Slave KEY: %sgs!f23fv AXFR Sig... SOA … SOA Sig... Slave KEY: %sgs!f23fv verification Query: AXFR Response: Zone

13 Authenticating Servers Using SIG0 Alternatively its possible to use SIG0 –Not widely used yet –Works well in dynamic update environment Public key algorithm –Authentication against a public key published in the DNS

14 Questions?

Download ppt "DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Internet Infrastructure Protection May 23, 2006 Steve Crocker, ICANN Security and Stability Committee Shinkuro, Inc.

Internet Infrastructure Protection May 23, 2006 Steve Crocker, ICANN Security and Stability Committee Shinkuro, Inc.
February 2003slideset 1 Introduction to the DNS system Olaf M. Kolkman

February 2003slideset 1 Introduction to the DNS system Olaf M. Kolkman
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April 18 2012.

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
11.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

Similar presentations

Ads by Google