Understanding the DNS & DNSSEC


This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?



Usage Rights: CC Attribution-ShareAlike License


Presentation Transcript

  • Understanding the DNS & DNS Security
  • The World’s Network – the Domain Name System
    + Internet Protocol address uniquely identifies laptops or phones or other devices
    + The Domain Name System matches IP addresses with a name
    + IP routing and DNS are the underpinning of unified Internet
  • A sample DNS query
    [Figure: the query “Where is www.iana.org?”]
  • Making the DNS Secure
    + A computer sends a question to a DNS server, like “where is IANA.org?”
    + It receives an answer and assumes that it is correct.
    + There are multiple ways that traffic on the Internet can be intercepted and modified, so that the answer given is false.
  • Receiving the Wrong Answer
    [Figure: the query “Where is www.iana.org?” and the IP addresses returned in answer]
  • Poisoning a Cache
    + Attacker knows iterative resolvers may cache
    + Attacker
      + Composes a DNS response with malicious data about a targeted domain
      + Tricks a resolver into adding this malicious data to its local cache
    + Later queries processed by server will return malicious data for the life of the cached entry
    + Example: user at My Mac clicks on a URL in an email message from try@loseweightfastnow.com
    [Figure: My Mac, my local resolver and the ecrime name server. Query: “What is the IPv4 address for loseweightfastnow.com?” Ecrime name server: “loseweightfastnow.com IPv4 address is … ALSO www.ebay.com is at …” My local resolver: “I’ll cache this response… and update www.ebay.com”]
  • DNS Security (DNSSEC)
    + Protects DNS data against forgery
    + Uses public key cryptography to sign authoritative zone data
    + Assures that the data origin is authentic
    + Assures that the data are what the authenticated data originator published
    + Trust model also uses public key cryptography
    + Parent zones sign public keys of child zone (root signs TLDs, TLDs sign registered domains…)
  • Public Key Cryptography in DNSSEC
    Authority signs zone data with private key. Authorities must keep private keys secret!
    [Figure: DNS Data → Sign with Private key → Signed DNS Data + Digital signatures → Publish → Authoritative server]
  • Public Key Cryptography in DNSSEC
    Authority publishes public key so that any recipient can decrypt to verify that “the data are correct and came from the right place”
    [Figure: Authoritative server → Signed Zone Data → Validate with Public key → Validating server]
  • ICANN’s Role in DNSSEC Deployment
    + Manages root key with VeriSign and trusted international representatives of Internet community
    + Processes requests for changes of public key and other records from registries at top of DNS
    + Educates and assists Internet community with DNSSEC
    + Implements DNSSEC on its own domains
  • Obstacles to Broader DNSSEC Adoption
    + Browser and/or Operating System support
    + DNSSEC support from domain name registration service providers (registrars, resellers)
    + Misconceptions regarding key management, performance, software/hardware availability and reliability
  • DNSSEC Deployment
    • Fast pace of deployment at the TLD level
    • Deployed at root
    • Supported by software
    • Growing support by ISPs
    • Required by new gTLDs
    → Inevitable widespread deployment across core Internet infrastructure
  • Thank You & Questions?
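
The parent-to-child link from the "DNS Security (DNSSEC)" slide, as an added example that is not part of the original deck: in DNSSEC the parent zone publishes a signed DS record holding a digest of the child's key, and a validator recomputes that digest over the DNSKEY it was served. The zone names come from the slides; the key bytes are constructed placeholders, and checking the signatures (RRSIG records) on each record set is assumed to happen separately.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (a lookup hint, not a security check)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS content the parent publishes: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def ds_matches(owner: str, rdata: bytes, ds: dict) -> bool:
    """True if the DNSKEY served by the child is the one the parent vouched for."""
    return make_ds(owner, rdata) == ds

def chain_is_intact(chain) -> bool:
    """chain: list of (zone, served DNSKEY RDATA, DS held by the parent zone)."""
    return all(ds_matches(zone, rdata, ds) for zone, rdata, ds in chain)

# Constructed sample keys: placeholder bytes, not real key material.
# Flags 257 marks a key-signing key; algorithm 13 is ECDSA P-256 with SHA-256.
ORG_KEY = dnskey_rdata(257, 13, bytes(range(64)))
IANA_KEY = dnskey_rdata(257, 13, bytes(range(64, 128)))
FORGED_KEY = dnskey_rdata(257, 13, bytes(64))

ORG_DS = make_ds("org.", ORG_KEY)         # held in the root zone
IANA_DS = make_ds("iana.org.", IANA_KEY)  # held in the org zone

if __name__ == "__main__":
    good = [("org.", ORG_KEY, ORG_DS), ("iana.org.", IANA_KEY, IANA_DS)]
    bad = [("org.", ORG_KEY, ORG_DS), ("iana.org.", FORGED_KEY, IANA_DS)]
    print("genuine chain intact:", chain_is_intact(good))
    print("forged child key accepted:", chain_is_intact(bad))
```

A forged key served for iana.org fails the comparison because an attacker cannot change the DS record held, and signed, by the org zone.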