Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Is DNSSEC a Burden? Thus far, DNSSEC adoption has been slow –In part, immaturity of the standards has been a past issue –Many trials, and some signed.

Published byMarcus Benson Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Is DNSSEC a Burden? Thus far, DNSSEC adoption has been slow –In part, immaturity of the standards has been a past issue –Many trials, and some signed."— Presentation transcript:

1 1 Is DNSSEC a Burden? Thus far, DNSSEC adoption has been slow –In part, immaturity of the standards has been a past issue –Many trials, and some signed ccTLD zones, but not much adoption by the largest gTLDs The real questions are: –Does it solve real problems? –Do customers want it? –How will it be financed (by registries/registrars)? Most real Internet security today relies on certificates –What is the impact of DNSSEC on certificates?

2 2 The Purpose of Certificates Certificates provide: –A binding between a domain name and a set of keying material Of course, there are many possible subjects of a certificate, but for e- commerce, the hostname of the web site is most common Thus, certificate authorities must verify namespace ownership –As a business requirement, they must do so quickly Many promise certificates in 30 minutes or less, like pizza For different levels of security, some more intensive verification schemes are employed –Many do so through simple DNS-based verification schemes Either using WHOIS, or simple DNS queries Certification of hostnames necessarily is predicated on the DNS! –Enrollment is the greatest challenge for the certificate business Successfully parlaying enrollment to business end users requires industrial- grade delegation technology Not successfully been demonstrated for consumers

3 3 The Business Model for Certificates Today, certificates come embedded in web browsers –Browser manufacturers are thus the ultimate keying authorities –Most charge some fee for inclusion of root CA certificates in distributions of their browser Do you trust browser manufacturers? Certificates are then sold to businesses and other end users by the CA –Prices vary quite widely, from as low as $10 to hundreds or thousands of dollars per year –Oftentimes coupled with domain name sales Certificates today are really used only for web browsers –Aside from hobbyist applications or closed networks –Thus, the business is limited to solving e-commerce problems

4 4 Domain-based Internet Applications The names used in the web (http://www.host) are URIs rooted in domains –Most common application of certificates today Email –Domain names are used in the email namespace (e.g. user@host) –The DNS root delegates to the name owner, and the name owner assigns the ‘local-part’ of an email address VoIP has several dependencies on hostnames –Most protocols use email-like URIs (sip:user@host) –ENUM as well has known privacy and security issues related to the openness of the DNS Because of enrollment problems, certificate usage today has not caught on for user-to-user applications like email and VoIP

5 5 DNSSEC and Email Authentication In the IETF, the MASS effort targets email authentication –Both use the DNS to discover keys scoped to a domain –Keys are either stored in the DNS directly, or, a pointer to a key is stored in the DNS Yahoo! DomainKeys –Uses a DNS TXT record, much like SPF Cisco Identified Internet Mail (IIM) –Uses a new DNS RR, “KR” Both approaches currently rely on the inherent security of the DNS –No question that it is easier to forge the From address of email than it is to subvert the DNS –However, both approaches would be made more secure by DNSSEC

6 6 DNSSEC and SIP Many VoIP requests established with SIP use telephone numbers –Instead of sip:user@host, tel:+17035551009 With DNSSEC, one can put keys in the DNS corresponding to the hostname of a SIP URI –What to do when a request is sent from a “tel” URI? –Common case for PSTN-SIP interworking An answer: ENUM can be used to find keys corresponding to the owner of the namespace ENUM provides a way of identifying the owner of the namespace via DNS –Accordingly, it is natural for the namespace owner to provide keys in this fashion

7 7 Leveraging DNSSEC for the Web Once keying material is in the DNS –It will be used to make decisions about higher-layer applications Connecting to a web site, one must verify the DNS first Other higher-layer security decisions may also be predicated on the presence of DNSSEC –Why is e-commerce secure (at a protocol level) today? Reference integrity: –The URL of the website is compared to the certificate returned by a TLS connection to the website –Even if the DNS is compromised, a violation will be detected However, a DNS lookup still must be performed –With DNSSEC, key exchange outside of the DNS may become superfluous

8 8 Corner-cases of Certificates: Revocation Why revoke certificates? –Certificates tend to be issued for long periods of time One or more years is common Accordingly, if your certificate is compromised, you need to inform relying parties –Based practice is certificate revocation lists (CRLs) Unfortunately, CRLs are rarely used by relying parties In DNSSEC, the lifetime of keys is based on the lifetime of DNS records (ttl) –Keys can therefore be changed as needed –Revocation is essentially free When your key changes, put a new one in the DNS Can still be cumbersome administratively –Delegation Signer (DS) records must also be updated –Root-key roll-over still needs to be addressed

9 9 Will DNSSEC Supplant Certificates? If you need keying material to verify DNS queries, why not reuse it at the application layer? –Even if the DNSKEY material isn’t suitable, it can be used to sign other keying material in the DNS What qualities do certificates provide that cannot be provided with DNSSEC? –DNSSEC keys can take the place of certificate keying material used to set up integrity/confidentiality mechanisms for TLS and other protocols –DNSKEY best practice is the use of RSA/SHA-1, same as for TLS –Some loose ends, like attribute certificates, contractual liability, and so on that are specific to the PKI model For cases where these are necessary, it is likely that certificates will continue to be used Change in the administration –Rather than the browser manufacturer controlling keys for Internet applications, the DNS root becomes the ultimate arbiter of trust for domain names –Increases the applicability of keys – no longer just e-commerce

10 10 Registry Incentives for DNSSEC New revenue from security services –The money currently being spent on certificates will go somewhere –Selling DNSSEC as an add-on to existing DNS sales follows existing marketing practice Names and certs are commonly bundled as an offering There are operational costs of implementing DNSSEC –These could be reimbursed, with a profit, and still undersell the existing cert market Likely that both registries and registrars can profit from this

Download ppt "1 Is DNSSEC a Burden? Thus far, DNSSEC adoption has been slow –In part, immaturity of the standards has been a past issue –Many trials, and some signed."

Similar presentations

International Telecommunication Union ENUM Issues and Solutions Houlin Zhao Director Telecommunication Standardization Bureau International Telecommunication.

International Telecommunication Union ENUM Issues and Solutions Houlin Zhao Director Telecommunication Standardization Bureau International Telecommunication.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Bridging Technical Possibilities With Policy Technicalities Montreal, QC June 24, 2003.

Bridging Technical Possibilities With Policy Technicalities Montreal, QC June 24, 2003.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.

1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Vault: A Secure Binding Service Guor-Huar Lu, Changho Choi, Zhi-Li Zhang University of Minnesota.

Vault: A Secure Binding Service Guor-Huar Lu, Changho Choi, Zhi-Li Zhang University of Minnesota.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.

Similar presentations

Ads by Google