ION Tokyo: The Business Case for DNSSEC and DANE, Dan York

1. DNSSEC and DANE ION Tokyo November 17, 2014 Dan York Senior Content Strategist Internet Society york@isoc.org

2. Overview of DNS Security Extensions (DNSSEC)

3. A Normal DNS Interaction Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?

4. Attacking DNS Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 192.168.2.2 4 Attacking DNS Svr example.co m 192.168.2.2 example.com NS .com NS example.com? False Site example.co m

5. A Poisoned Cache Web Server Web Browser https://example.com/ web page DNS Resolver 1 2 3 4 192.168.2.2 Resolver cache now has wrong data: example.com 192.168.2.2 This stays in the cache until the Time-To-Live (TTL) expires! example.com? False Site example.co m

6. A DNSSEC Interaction Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?

7. Attempting to Spoof DNS Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 SERVFAIL 4 Attacking DNS Svr example.co m 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?

8. DNSSEC Is Not Just For The Web DNSSEC protects ALL information coming from DNS Significant deployments of DNSSEC (and DANE) in: • Email (SMTP) • Instant messaging (XMPP/Jabber) Other potential uses: • Voice over IP (VoIP) • Any application that communicates over the Internet

9. Email Hijacking – A Current Threat • CERT-CC researchers have identified that someone is hijacking email by using DNS cache poisoning of MX records • Could be prevented by DNSSEC deployment • CERT-CC (Sept 10, 2014): – https://www.cert.org/blogs/certcc/post.cfm?EntryID=206 • Deploy360 blog post (Sept 12, 2014): • http://wp.me/p4eijv-5jI

10. The Two Parts of DNSSEC 11/17/2014

11. The Two Parts of DNSSEC Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries

12. DNSSEC Signing - The Individual Steps Registry Registrar DNS Hosting Provider Domain Name Registrant • Signs TLD • Accepts DS records • Publishes/signs records • Accepts DS records • Sends DS to registry • Provides UI for mgmt • Signs zones • Publishes all records • Provides UI for mgmt • Enables DNSSEC (unless automatic)

13. DNSSEC Signing - The Players Registries Registrars DNS Hosting Providers Domain Name Registrants Registrar also provides DNS hosting services

14. DNSSEC Signing - The Players Registries Registrars DNS Hosting Providers Domain Name Registrants Registrant hosts own DNS

15. DNSSEC Deployment Metrics 11/17/2014

16. DNSSEC Deployment Maps • DNSSEC deployment maps: • http://www.internetsociety.org/deploy360/dnssec/maps/ • Mailing list to receive weekly maps: • https://elists.isoc.org/mailman/listinfo/dnssec-maps

17. DNSSEC Deployment Maps

18. Signed TLDs (both ccTLDs and gTLDs) https://rick.eng.br/dnssecstat/

19. DNSSEC Validation – Worldwide Trend http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g=0

20. DNSSEC Deployment – Second-level domains Links from http://www.internetsociety.org/deploy360/dnssec/statistics/

21. A Quick Overview of DANE 11/17/2014

22. The Typical TLS (SSL) Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver example.com? 10.1.1.1231 2 5 6 DNS Svr example.co m DNS Svr .com DNS Svr root 3 10.1.1.123 4

23. The Typical TLS (SSL) Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver 10.1.1.1231 2 5 6 DNS Svr example.co m DNS Svr .com DNS Svr root 3 10.1.1.123 4 Is this encrypted with the CORRECT certificate? example.com?

24. Problems? Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)

25. DANE Web Server Web Browser w/DANE https://example.com/ TLS-encrypted web page with CORRECT certificate DNS Server 10.1.1.123 DNSKEY RRSIGs TLSA 1 2 Firewall (or attacker) https://example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall) Log files or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. example.com?

26. DNS-Based Authentication of Named Entities (DANE) • Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? • A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. An application that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self- signed certificate.

27. DANE – Different operation modes ("certificate usage" field) • 0 – CA specification • The TLSA record specifies the Certificate Authority (CA) who will provide TLS certificates for the domain. Must be a valid CA included in browser/app. • 1 – Specific TLS certificate • The TLSA record specifies the exact TLS certificate that should be used for the domain. Note that this TLS certificate must be one that is issued by a valid CA. • 2 – Trust anchor assertion • The TLSA record specifies the “trust anchor” to be used for validating the TLS certificates for the domain. Allows for the use of a CA not included in application. • 3 – Domain-issued certificate • The TLS record specifies the exact TLS certificate that should be used for the domain, BUT, in contrast to usage #1, the TLS certificate does not need to be signed by a valid CA. This allows for the use of self-signed certificates.

28. DANE – Not Just For The Web •DANE defines protocol for storing TLS certificates in DNS •Securing Web transactions is an obvious use case •Other uses also possible: • Email • VoIP • Jabber/XMPP • PGP • ?

29. DANE Success Stories SMTP  360+ SMTP servers with TLSA records  http://www.tlsa.info/ XMPP (Jabber)  229 servers  client-to-server & server-to-server  https://xmpp.net/reports.php#dnssecdane Advertisements!

30. Why Deploy DNSSEC and DANE? 11/17/2014

31. Business Reasons For Deploying DNSSEC • TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers. • SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking. • INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates • CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet

32. Resources 11/17/2014

33. DANE Resources DANE Overview and Resources: • http://www.internetsociety.org/deploy360/resources/dane/ IETF Journal article explaining DANE: • http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: • http://tools.ietf.org/html/rfc6394 RFC 6698 – DANE Protocol: • http://tools.ietf.org/html/rfc6698

34. DANE Resources DANE and email: • https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane • http://tools.ietf.org/html/draft-ietf-dane-smime DANE Operational Guidance: • https://tools.ietf.org/html/draft-ietf-dane-ops DANE and SIP (VoIP): • http://tools.ietf.org/html/draft-johansson-dispatch-dane-sip • https://tools.ietf.org/html/draft-ietf-dane-srv Other uses: • https://tools.ietf.org/html/draft-ietf-dane-openpgpkey • https://tools.ietf.org/html/draft-ietf-dane-rawkeys

35. Start Here Page http://www.internetsociety.org/deploy360/start/ Easy method of finding resources for specific audiences, including: • Network operators • Content providers (ex. web site owners) • Developers • Governments • Consumer electronics vendors • Enterprises and campus networks • Registrars • Internet exchange points (IXPs)

36. https://twitter.com/deploy360 https://www.facebook.com/Deploy360 http://gplus.to/deploy360 http://www.youtube.com/user/Deploy360 http://www.internetsociety.org/deploy360/feed/ http://soundcloud.com/deploy360/ Social Media Channels

37. Thank You! Dan York Senior Content Strategist york@isoc.org

ION Tokyo: The Business Case for DNSSEC and DANE, Dan York

ION Tokyo: The Business Case for DNSSEC and DANE, Dan York

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(6)

Similar to ION Tokyo: The Business Case for DNSSEC and DANE, Dan York

Similar to ION Tokyo: The Business Case for DNSSEC and DANE, Dan York(20)

More from Deploy360 Programme (Internet Society)

More from Deploy360 Programme (Internet Society)(20)

Recently uploaded

Recently uploaded(20)

ION Tokyo: The Business Case for DNSSEC and DANE, Dan York