DNSSEC - Amsterdam Roundtable 2011

This presentation was given by Wolfgang Nagele during the RIPE NCC Roundtable Meeting in Amsterdam on 4 April 2011.

Transcript

  • 1. DNS Security
    Wolfgang Nagele, DNS Services Manager
  • 2. DNS: the Domain Name System
    • Specified by Paul Mockapetris in 1983
    • Distributed Hierarchical Database
      – Main purpose: Translate names to IP addresses
      – Since then: Extended to carry a multitude of information (such as SPF, DKIM)
    • Critical Internet Infrastructure
      – Used by most systems (in the background)
    Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011
  • 3. DNS Tree Structure
  • 4. How does it work?
  • 5. What is the problem?
    • UDP transport can be spoofed
      – Anybody can pretend to originate a response
    • If a response is modified, the user will connect to a possibly malicious system
  • 6. The Solution
    • Make the responses verifiable
      – Cryptographic signatures
    • A hierarchy exists, so a Public Key Infrastructure is the logical choice
      – Same concept as used in eGovernment infrastructures
  • 7. How does it work with DNSSEC?
  • 8. How does it work with DNSSEC?
  • 9. How does it work with DNSSEC?
  • 10. How does it work with DNSSEC?
  • 11. How does it work with DNSSEC?
  • 12. DNS Security Extensions: A Long Story
    • 2005: Theoretical problem discovered (Bellovin)
    • 1995: Work on DNSSEC started
    • 1999: First support for DNSSEC in BIND
    • 2005: Standard is redesigned to better meet operational needs
      – RIPE NCC along with .SE among the first to deploy it in their zones
  • 13. DNS Security Extensions
    • 2005 - 2008: Stalled deployments due to the lack of a signed root zone
    • 2008: D. Kaminsky shows the practical use of the protocol weakness
      – Focus comes back to DNSSEC
    • July 2010: Root Zone signed with DNSSEC
    • March 2011: 69/306 signed TLDs
  • 14. DNSSEC and the RIPE NCC
    • Sponsor development of NSD DNS software
    • Participated in the “Deployment of Internet Security Infrastructure” project
      – Signed all our DNS zones
      – IPv4 & IPv6 reverse space
      – E164.arpa
      – ripe.net
    • K-root server readiness for a signed root zone
  • 15. Signing of the Root Zone
    • Shared custody by Root Zone maintainers
      – Currently: U.S. DoC NTIA, IANA/ICANN, VeriSign
    • Split key among 21 Trusted Community Representatives
    • In production since July 2010
  • 16. Deployment in ccTLDs: Europe
  • 17. Deployment in ccTLDs: Middle East
  • 18. Deployment in ccTLDs: Asia Pacific
  • 19. Deployment in ccTLDs
  • 20. Deployment in ccTLDs
  • 21. Deployment in ccTLDs
  • 22. Deployment in gTLDs
    • .com/.net/.org (57% of world wide total domains)
    • .asia
    • .cat
    • .biz
    • .edu
    • .gov
    • .info
    • .museum
    • .mobi (Planned)
  • 23. Deployment in Infrastructure TLD .arpa
    • E164.arpa
      – ENUM number mapping
      – Signed by the RIPE NCC
    • in-addr.arpa
      – Reverse DNS for IPv4
    • ip6.arpa
      – Reverse DNS for IPv6
  • 24. Are We Done?
    • Signed TLD is not the same as a signed domain
      – Thick registry model (Registry-Registrar-Registrant)
      – Registrars need to enable their customers to provide public key data to the registry
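The "public key data" of slide 24, and the hierarchy-as-PKI idea of slide 6, come together in the DS record: the parent zone publishes a digest of the child zone's key-signing DNSKEY, and a validating resolver trusts the child's keys only if one of them hashes to that digest. The Python below is an added example for this page, not code from the presentation or from the RIPE NCC; it implements the DS digest of RFC 4034 section 5.1.4 and the key tag of RFC 4034 Appendix B with the standard library only. The zone name `example.`, the 4-byte key and the helper names are constructed placeholders (a real ECDSA P-256 key is 64 bytes), chosen so the key-tag arithmetic can be followed by hand.

```python
import hashlib
import struct

# Constructed example key material: NOT a real zone key, just bytes that make the
# arithmetic traceable. Real ECDSAP256SHA256 public keys are 64 bytes long.
EXAMPLE_OWNER = "example."            # hypothetical child zone
EXAMPLE_FLAGS = 257                   # 256 = Zone Key bit, +1 = Secure Entry Point (a KSK)
EXAMPLE_PROTOCOL = 3                  # always 3 for DNSSEC (RFC 4034)
EXAMPLE_ALGORITHM = 13                # ECDSAP256SHA256
EXAMPLE_PUBLIC_KEY = bytes([1, 2, 3, 4])

# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256, 4 = SHA-384
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte last."""
    labels = [label for label in name.lower().split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5, 1).
    Even-indexed bytes are the high byte of a 16-bit word, odd-indexed bytes the low byte."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """The (key tag, algorithm, digest type, digest) tuple the registrar hands to the parent zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(owner, ds, flags, protocol, algorithm, public_key) -> bool:
    """The validator's check: does a DNSKEY served by the child match a DS published by the parent?
    Tag and algorithm are cheap pre-filters; the digest comparison is the actual decision."""
    tag, alg, digest_type, digest = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    if alg != algorithm or key_tag(rdata) != tag or digest_type not in DIGEST_ALGORITHMS:
        return False
    return ds_digest(owner, rdata, digest_type) == digest.upper()


def format_ds(owner, ds) -> str:
    """Presentation format of the DS record, as it would appear in the parent zone file."""
    tag, alg, digest_type, digest = ds
    return f"{owner} IN DS {tag} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    ds = make_ds(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, EXAMPLE_PUBLIC_KEY)
    print(format_ds(EXAMPLE_OWNER, ds))
    # A key differing in a single byte fails the parent's DS, which is what makes the chain hold.
    print(ds_matches_dnskey(EXAMPLE_OWNER, ds, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                            EXAMPLE_ALGORITHM, bytes([1, 2, 3, 5])))
```

The flags field is part of what is hashed, so a DS computed over a KSK (flags 257) will not match the same key bytes published as a ZSK (flags 256); operators who re-flag a key after submitting the DS break their own delegation. The owner name is lower-cased before hashing because DNS names compare case-insensitively, and a DS that only matched `Example.` but not `example.` would be useless.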
  • 25. Are We Done?
    • Ultimately responses should be verified by the end user
      – Home routers need to support DNS specifications with large response packets
  • 26. Leverage Infrastructure
    • DNS is a cross-organisational data directory
    • DNSSEC adds trust to this infrastructure
      – Anybody can verify data published under ripe.net was originated by the domain holder
      – Could be used to make DKIM and SPF widely used and trusted
      – SSL certificates can be trusted through the DNS
      – More ideas to come …
  • 27. What about SSL/TLS?
    • SSL as a transport is well established
    • CA system currently in use is inherently broken
      – Any Certificate Authority delivered with a browser to date can issue a certificate for any domain
      – 100 and more shipped in every browser
      – If any one of them fails, security fails with it
      – Recent incident with Comodo CA is one example
    • DANE working group at IETF
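Slides 26 and 27 point at DANE as the way to bind a TLS certificate to a name through DNSSEC instead of through the whole list of CAs shipped in a browser. The block below is an added illustration, not code from the presentation or from the IETF DANE working group: it builds a TLSA record (RFC 6698) from constructed stand-in certificate bytes and shows the DANE-EE (usage 3) check a client would perform, under which a certificate for the same name issued by any other CA is simply rejected. Only selector 0 (whole certificate) is implemented; selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser. The host name and the byte strings are constructed placeholders, and the check is only meaningful if the TLSA lookup itself was DNSSEC-validated.

```python
import hashlib

# Constructed stand-in for the DER encoding of an end-entity certificate. No real
# certificate is embedded; a real TLSA record hashes the actual DER bytes.
EXAMPLE_CERT_DER = b"constructed-der-certificate-bytes-for-www.example.com"

# TLSA RDATA fields (RFC 6698 section 2.1)
USAGE_DANE_TA = 2           # record names a trust anchor the presented chain must lead to
USAGE_DANE_EE = 3           # record names the end-entity certificate itself; no CA consulted
SELECTOR_FULL_CERT = 0      # compare the whole certificate
SELECTOR_SPKI = 1           # compare only the SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name under which the record is published, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """The 'certificate association data' field for a given selector and matching type."""
    if selector != SELECTOR_FULL_CERT:
        # Selector 1 needs the SubjectPublicKeyInfo extracted from the DER structure,
        # i.e. an ASN.1 parser; deliberately left out of this example.
        raise NotImplementedError("SPKI selector not implemented in this example")
    if matching_type == MATCH_EXACT:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der: bytes, usage: int = USAGE_DANE_EE, selector: int = SELECTOR_FULL_CERT,
              matching_type: int = MATCH_SHA256) -> tuple:
    """(usage, selector, matching type, hex association data): the four TLSA RDATA fields."""
    return (usage, selector, matching_type, association_data(cert_der, selector, matching_type).hex())


def format_tlsa(host: str, record: tuple) -> str:
    """Zone-file presentation of the record."""
    usage, selector, matching_type, data_hex = record
    return f"{tlsa_owner_name(host)} IN TLSA {usage} {selector} {matching_type} {data_hex}"


def dane_ee_matches(cert_der: bytes, tlsa_records) -> bool:
    """Client-side DANE-EE check: accept the presented certificate only if a usage-3 record in
    the (DNSSEC-validated) TLSA set matches it. Usage 0-2 records need PKIX chain building and
    are skipped here, so a set containing only those yields False rather than a false accept."""
    for usage, selector, matching_type, data_hex in tlsa_records:
        if usage != USAGE_DANE_EE:
            continue
        try:
            expected = association_data(cert_der, selector, matching_type).hex()
        except (NotImplementedError, ValueError):
            continue    # unusable record: never count it as a match
        if expected == data_hex.lower():
            return True
    return False


if __name__ == "__main__":
    record = make_tlsa(EXAMPLE_CERT_DER)
    print(format_tlsa("www.example.com", record))
    # A certificate for the same name from a different issuer hashes differently and is rejected.
    print(dane_ee_matches(b"same-name-certificate-from-another-ca", [record]))
```

Unknown selectors and matching types are skipped rather than treated as matches, and a record set without a usable usage-3 entry is a reject; failing closed here is what turns "the DNS says which certificate is right" into a check that a mis-issued CA certificate cannot pass.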
  • 28. Questions? wnagele@ripe.net