Matt Larson On DNSSEC: Why? How? So What?

So what is DNSSEC? Why do people need to know about it? So what? Dyn Chief Architect Matt Larson talks about that and more in this 20 minute talk at the first-ever Geek Summer Camp.

Watch the video here: http://dyn.wistia.com/medias/pl865m2qp7

Transcript

  • 1. DNSSEC: Why, How, So What? Matt Larson, Chief Architect, Dyn
  • 2. Security in DNS • There isn’t any • OK, there wasn’t any • DNSSEC: The DNS Security Extensions
  • 3. The Main Problem • One packet for a query, one packet for a response
  • 4. The Main Problem • One packet for a query, one packet for a response
  • 5. Who are you really? • Client has to trust the source address • Source addresses can be spoofed
  • 6. Who are you really?
  • 7. Who are you really?
  • 8. Possible Solutions • Use a connection-oriented protocol • Sign the packets • Sign the DNS data
  • 9. DNSSEC to the Rescue 1. All DNS data in a zone is signed 2. Zones have public/private key pairs 3. Your parent vouches for your public key
  • 10. Delegation
  • 11. Delegation
  • 12. Delegation
  • 13. Chain of Trust
  • 14. Chain of Trust
  • 15. Chain of Trust
  • 16. Deploying DNSSEC • Zones: – Sign DNS data – Send public key to parent • Clients: – Configure trust anchor – Validate DNS responses
  • 17. So What? • No more spoofing • Put stuff you really care about in DNS
  • 18. Example: DANE
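
Slides 9 and 16 say the parent vouches for the child's public key; in DNSSEC that link is a DS record in the parent zone holding a digest of the child's DNSKEY. The sketch below is an added example, not material from the talk: it computes the key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509) and checks a DNSKEY against the parent's DS. The zone name and key bytes are constructed, and a real validator also verifies the RRSIG signatures, which this omits.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit ones-complement-style sum over the RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def parent_vouches_for(owner: str, child_rdata: bytes, parent_ds: tuple) -> bool:
    """True only if the DS from the parent zone matches this DNSKEY exactly."""
    tag, alg, digest_type, digest = parent_ds
    if digest_type != 2:  # this sketch handles SHA-256 digests only
        return False
    return make_ds(owner, child_rdata) == (tag, alg, 2, digest.lower())

# Constructed sample data: a placeholder 32-byte "key", not a real Ed25519 key.
ZONE = "example.com."
GENUINE = dnskey_rdata(flags=257, algorithm=15, public_key=bytes(range(32)))
SPOOFED = dnskey_rdata(flags=257, algorithm=15, public_key=bytes(32))
PARENT_DS = make_ds(ZONE, GENUINE)  # what the child sends to its parent

if __name__ == "__main__":
    print("DS in parent zone:", PARENT_DS)
    print("genuine key accepted:", parent_vouches_for(ZONE, GENUINE, PARENT_DS))
    print("spoofed key accepted:", parent_vouches_for(ZONE, SPOOFED, PARENT_DS))
```

A resolver that starts from a configured trust anchor repeats this check at each delegation, which is the chain of trust in slides 13 to 15.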