ION Singapore - Dan York: DNSSEC Introduction
In these introductory slides from the DNSSEC panel at ION Singapore, Dan York discusses what DNSSEC is and why it matters.

Published in: News & Politics
Transcript

  • 1. Deploying DNSSEC: From End-Customer To Content. March 28, 2013. www.internetsociety.org
  • 2. Our Panel
    Moderator:
    •  Dan York, Senior Content Strategist, Internet Society
    Panelists:
    •  Sanjeev Gupta, Principal Technical Architect, DCS1 Pte
    •  Jitender Kumar, Technical Account Manager, Afilias
    •  Richard Lamb, DNSSEC Program Manager, ICANN
    www.internetsociety.org/deploy360/
  • 3. A Quick Introduction to DNS and DNSSEC
  • 4. What Problem Is DNSSEC Trying To Solve?
    DNSSEC = "DNS Security Extensions"
    •  Defined in RFCs 4033, 4034, 4035
    •  Operational Practices: RFC 4641
    Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user.
    Let's walk through an example to explain…
  • 5. A Normal DNS Interaction
    [Diagram: web browser, DNS resolver and web server. (1) The browser wants https://example.com/; (2) it asks the resolver "example.com?"; (3) the resolver checks its local cache and, if it has the DNS answer, sends it back: example.com 10.1.1.123; (4) the browser fetches the web page from 10.1.1.123. If the answer is not cached…]
  • 6. A Normal DNS Interaction
    [Diagram: the resolver walks the hierarchy: the root DNS server returns the .com NS records, the .com DNS server returns the example.com NS records, and the example.com DNS server returns 10.1.1.123; the resolver answers the browser, which fetches the web page from 10.1.1.123.]
  • 7. DNS Works On Speed
    The first result received by a DNS resolver is treated as the correct answer.
    The opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by:
    •  Getting to the correct point in the network to provide faster responses;
    •  Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses)
  • 8. Attacking DNS
    [Diagram: the same lookup, but an attacking DNS server for example.com answers first with 192.168.2.2; the resolver passes 192.168.2.2 to the browser, which connects there instead of to 10.1.1.123.]
  • 9. A Poisoned Cache
    [Diagram: the resolver cache now has wrong data: example.com 192.168.2.2. The browser asks for example.com, receives 192.168.2.2 from the cache and loads the web page from there. This stays in the cache until the Time-To-Live (TTL) expires!]
  • 10. How Does DNSSEC Help?
    DNSSEC introduces new DNS records for a domain:
    •  RRSIG – a signature ("hash") of a set of DNS records
    •  DNSKEY – a public key that a resolver can use to validate RRSIG
    A DNSSEC-validating DNS resolver:
    •  Uses DNSKEY to perform a hash calculation on received DNS records
    •  Compares the result with the RRSIG records. If the results match, the records are the same as those transmitted. If the results do NOT match, they were potentially changed in transit from the DNS server.
  • 11. A DNSSEC Interaction
    [Diagram: the same lookup as slide 6, but the example.com DNS server returns DNSKEY and RRSIG records along with 10.1.1.123.]
  • 12. But Can DNSSEC Be Spoofed?
    •  But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed?
    •  An additional record was introduced, the "Delegation Signer (DS)" record
    •  It is a fingerprint of the DNSKEY record that is sent to the TLD registry
    •  Provides a global "chain of trust" from the root of DNS down to the domain
    •  Attackers would have to compromise the registry
  • 13. A DNSSEC Interaction
    [Diagram: as slide 11, with DS records added: the root returns the .com NS and DS records, the .com DNS server returns the example.com NS and DS records, and the example.com DNS server returns 10.1.1.123 with DNSKEY and RRSIGs.]
  • 14. The Global Chain of Trust
    [Diagram: the same picture as slide 13; the DS records at each level link the root, .com and example.com into one chain of trust.]
  • 15. Attempting to Spoof DNS
    [Diagram: an attacking DNS server answers for example.com with 192.168.2.2 plus its own DNSKEY and RRSIGs, while the legitimate example.com server answers 10.1.1.123 with DNSKEY and RRSIGs.]
  • 16. Attempting to Spoof DNS
    [Diagram: the same as slide 15; the attacker's DNSKEY and RRSIGs do not validate against the DS records in .com, so the resolver returns SERVFAIL to the browser rather than 192.168.2.2.]
  • 17. What DNSSEC Proves:
    "These ARE the IP addresses you are looking for." (or they are not)
    Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user.
  • 18. The Two Parts of DNSSEC
    Signing: Registries, Registrars, DNS Hosting
    Validating: Applications, Enterprises, ISPs
  • 19. DNSSEC and SSL
  • 20. Why Do I Need DNSSEC If I Have SSL?
    A common question: why do I need DNSSEC if I already have an SSL certificate? (or an "EV-SSL" certificate?)
    SSL (more formally known today as Transport Layer Security (TLS)) solves a different issue – it provides encryption and protection of the communication between the browser and the web server.
  • 21. The Typical TLS (SSL) Web Interaction
    [Diagram: (1) the browser wants https://example.com/; (2)–(3) the DNS resolver looks up example.com via the root, .com and example.com DNS servers and gets 10.1.1.123; (4) the browser receives 10.1.1.123; (5) it connects to https://example.com/ on the web server; (6) it receives a TLS-encrypted web page.]
  • 22. The Typical TLS (SSL) Web Interaction
    [Diagram: the same as slide 21, with the question at the browser: is this encrypted with the CORRECT certificate?]
  • 23. What About This?
    [Diagram: a firewall (or attacker) sits between the browser and the www.example.com web server at 1.2.3.4. (1) The firewall connects to https://www.example.com/ and receives the TLS-encrypted web page with the CORRECT certificate; (2) the browser receives a TLS-encrypted web page with a NEW certificate (re-signed by the firewall).]
  • 24. Problems?
    [Diagram: the same as slide 23.]
  • 25. Problems?
    [Diagram: the same as slide 23, with the firewall also sending the decrypted content to log files or other servers, potentially including personal information.]
  • 26. Issues
    A Certificate Authority (CA) can sign ANY domain.
    Now over 1,500 CAs – there have been compromises where valid certs were issued for domains.
    Middle-boxes such as firewalls can re-sign sessions.
  • 27. A Powerful Combination
    TLS/SSL = encryption + limited integrity protection
    DNSSEC = strong integrity protection
    How to get encryption + strong integrity protection?
    TLS + DNSSEC = DANE
  • 28. DNS-Based Authentication of Named Entities (DANE)
    Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
    A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign it with DNSSEC.
    A browser that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
    The certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate.
  • 29. DANE
    [Diagram: as slide 23, but the DNS answer for example.com (10.1.1.123) now carries DNSKEY, RRSIGs and a TLSA record. A DANE-equipped browser compares the TLS certificate with what DNS / DNSSEC says it should be, so the NEW certificate re-signed by the firewall is detected.]
  • 30. DANE – Not Just For The Web
    •  DANE defines a protocol for storing TLS certificates in DNS
    •  Securing Web transactions is the obvious use case
    •  Other uses also possible: Email via S/MIME, VoIP, Jabber/XMPP, ?
  • 31. DNSSEC Deployment In Asia
  • 32. Map courtesy of Shinkuro, Inc.
  • 33. Map courtesy of Shinkuro, Inc.
  • 34. Panel Discussion
  • 35. Our Panel
    Moderator:
    •  Dan York, Senior Content Strategist, Internet Society
    Panelists:
    •  Sanjeev Gupta, Principal Technical Architect, DCS1 Pte
    •  Jitender Kumar, Technical Account Manager, Afilias
    •  Richard Lamb, DNSSEC Program Manager, ICANN
  • 36. Next Steps In Deploying DNSSEC
  • 37. Three Steps TLD Operators Can Take:
    1.  Sign your TLD
    •  Tools and services are available to help automate the process
    2.  Accept DS records
    •  Make it as easy as possible (and accept multiple records)
    3.  Work with your registrars
    •  Help them make it easy for DNS hosting providers and registrants
    4.  Help With Statistics
    •  Can you help by providing statistics?
    Implement DNSSEC and make your TLD more secure
  • 38. Three Steps For Network Operators and Enterprises
    1.  Deploy DNSSEC-validating DNS resolvers
    2.  Sign your own domains where possible
    3.  Help promote support of the DANE protocol
    •  Allow usage of the TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
  • 39. Internet Society Deploy360 Programme
    Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies:
    •  Case Studies
    •  Tutorials
    •  Videos
    •  Whitepapers
    •  News, information
    English content, initially, but it will be translated into other languages.
    www.internetsociety.org/deploy360/
  • 40. Dan York, CISSP, Senior Content Strategist, Internet Society. york@isoc.org, www.internetsociety.org/deploy360/. Thank You! www.internetsociety.org
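The DS fingerprint check from slide 12 and the DANE TLSA check from slide 28, worked as one added Python example; this is not code from the slides or from the Internet Society. The record layouts follow RFC 4034 (DNSKEY, DS, key tag) and RFC 6698 (TLSA); the key bytes, certificate bytes and the example.com owner name are constructed placeholders.

```python
import hashlib
import hmac

# Added example: DS check (parent publishes a hash of the child's DNSKEY) and
# DANE TLSA check (domain holder publishes a hash of the TLS certificate).
# Key and certificate bytes below are constructed placeholders, not real ones.
def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 appendix B key tag: identifies which DNSKEY a DS refers to."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, dnskey_rdata: bytes) -> dict:
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return {"key_tag": key_tag(dnskey_rdata), "algorithm": dnskey_rdata[3],
            "digest_type": 2,
            "digest": hashlib.sha256(name_to_wire(owner) + dnskey_rdata).digest()}

def trusted_dnskey(owner: str, parent_ds: list, child_keys: list):
    """First child DNSKEY covered by a parent DS, else None (no chain of trust: SERVFAIL)."""
    for rdata in child_keys:
        candidate = make_ds(owner, rdata)
        for ds in parent_ds:
            if ds["digest_type"] == 2 and all(ds[k] == candidate[k] for k in candidate):
                return rdata
    return None

def tlsa_matches(tlsa_rdata: bytes, presented_cert_der: bytes) -> bool:
    """DANE-EE check: usage 3, selector 0 (full cert), matching type 1 (SHA-256).
    Other usages also need PKIX checks not shown here, so they report no match."""
    usage, selector, mtype, data = tlsa_rdata[0], tlsa_rdata[1], tlsa_rdata[2], tlsa_rdata[3:]
    if (usage, selector, mtype) != (3, 0, 1):
        return False
    return hmac.compare_digest(hashlib.sha256(presented_cert_der).digest(), data)

# Constructed material, not real keys or certificates.
LEGIT_KEY = b"\x01\x01\x03\x0d" + bytes([1, 2, 3, 4])    # flags 257 (KSK), proto 3, alg 13
SPOOFED_KEY = b"\x01\x01\x03\x0d" + bytes([9, 9, 9, 9])  # an attacker's own DNSKEY
PARENT_DS = [make_ds("example.com.", LEGIT_KEY)]         # what the .com zone publishes
SITE_CERT = b"CONSTRUCTED-CERT-issued-to-example.com"
MIDDLEBOX_CERT = b"CONSTRUCTED-CERT-re-signed-by-firewall"
SITE_TLSA = bytes([3, 0, 1]) + hashlib.sha256(SITE_CERT).digest()  # TLSA for example.com
```

A resolver that finds no DS match (the SPOOFED_KEY case) answers SERVFAIL as on slide 16, and a DANE-aware client that finds no TLSA match (the MIDDLEBOX_CERT case) knows the required certificate is not being used, as on slide 28.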
