ION Djibouti: A Business Case for DNSSEC - Mark Elkins

Presentation from ION Djibouti on 2 June 2014 by Mark Elkins.

DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.

Transcript

  • 1. A Business Case for DNSSEC. By Mark Elkins, June 2014.
  • 2. What DNSSEC Gives Us: Validation of data lookups published in the DNS. Very simple to activate on a recursive nameserver. BIND: addition to named.conf:

          managed-keys {
              . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7g.... QxA+Uk1ihz0=";
          };
  • 3. What DNSSEC Gives Us: If you use Chrome or Firefox, install the "DNSSEC Validator" add-on (search for "DNSSEC Validator"). The states it reports:
      - Signed and validates, chain of trust is intact.
      - Signed, but chain of trust is broken.
      - Signed, but does not validate, chain of trust is intact.
      - Not signed.
  • 4. What DNSSEC Gives Us:

          ftth.posix.co.za AAAA ??? → 2001:42a0:1:208::13

      A Trusted Reply!

          _443._tcp.ftth.posix.co.za TLSA ??? → 3 0 1 B635D5DECFF4C30F7DC6606EB12D9CC8C5C05E3F89221FE74 23AA2D5 AC8CAADA

      A Trusted DANE/TLSA Record! (Created by hash-slinger, Thanks Dan)
  • 5. Back to business - Phishing:
      ● Is the art of deception
      ● This is not the droid computer you are looking for
      ● Mission: to be one with your computer
  • 6. Back to business - Phishing: We need HTTPS (Mission: HTTP on everything)
      ● Identifies the site we are connected to
      ● Padlock is there
      Except there are over a hundred Certificate Authorities... I use StartCom/StartSSL - but how would you know?
  • 7. Back to business - Phishing:
      ● With DNSSEC securing a TLSA Signature
      ● With a TLSA Signature covering the SSL Certificate
      ● With Padlocks, Keys - almost covered!
  • 8. Back to StartCOM: It talks to my X509 Certificate.
  • 9. Deployment Challenges:
      ● Signing (and keeping it signed)
      ● Interaction with Parents
  • 10. Signing and keeping it signed: Signing can be simple. There are scripts (e.g. mine, http://posixafrica.com) and black box solutions (e.g. OpenDNSSEC). This can be done in just three commands (assuming you have a zone called 'web.za'):

          # dnssec-keygen -a RSASHA256 -b 1024 web.za
          # dnssec-keygen -a RSASHA256 -b 2048 -f KSK web.za
          # dnssec-signzone -S web.za
  • 11. Signing and keeping it signed: 'web.za' is now signed and the new zone is called 'web.za.signed'. There is also a file called 'dsset-web.za.' (discussed on the next slide). Edit your 'named.conf' to use the new 'signed' version of the zone. In reality, one should, at some regular determined frequency, generate new keys and roll out the old keys.
  • 12. Signing and keeping it signed: The contents of the file 'dsset-web.za.' need to be securely installed into the parent zone of 'za':

          web.za. IN DS 52867 8 1 921AFBC6DF6....
          web.za. IN DS 52867 8 2 9FBC5FBC6B9....

      Ways to get them there:
      1 - Encrypted e-mail (How I talk to Tanzania or Namibia)
      2 - Via a web front-end (AFRINIC, Root)
      3 - Via the Registries EPP system (COZA/dotAfrica)
  • 13. Dealing with parents: Uncooperative Parents?
  • 14. Conclusions: The deployment of DNSSEC is a way to make the Internet a safer place. It is not a silver bullet, but combined with other security features it gets us pointed in the right direction.
  • 15. A Business Case for DNSSEC: Questions? mje@posix.co.za
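
The DS lines on slide 12 can be checked against the zone's KSK before they are handed to the parent. The following is an added example, not code from the presentation or from BIND: it recomputes the key tag and the type 1 (SHA-1) and type 2 (SHA-256) digests from a DNSKEY as RFC 4034 defines them. The key is a constructed stand-in, not the real web.za key, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample KSK for the slide's zone 'web.za' (NOT a real key):
# flags 257, protocol 3, algorithm 8 (RSASHA256), then stand-in key bytes.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types on the slide


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit folded sum over the RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name):
    """Canonical (lower-case) owner name in wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner, rdata, digest_type):
    """Return (key_tag, algorithm, digest_type, HEXDIGEST) for a DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(ds_line, owner, rdata):
    """Check one dsset-style line ('web.za. IN DS tag alg type digest')."""
    fields = ds_line.split()
    tag, alg, dtype = (int(x) for x in fields[3:6])
    digest = "".join(fields[6:]).upper()
    if dtype not in DIGESTS:
        return False
    return (tag, alg, dtype, digest) == make_ds(owner, rdata, dtype)


if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY_B64)
    for dtype in (1, 2):
        print("web.za. IN DS %d %d %d %s" % make_ds("web.za", rdata, dtype))
```

Both DS lines carry the same key tag and algorithm because they describe the same KSK; only the digest type and digest differ.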