ION Krakow - DNSSEC Panel Introduction


Published on

ION Krakow, 30 September 2013: Introductory slides from the "Slaying the Two-headed Beast: Challenges and Triumphs of DNSSEC" panel.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

ION Krakow - DNSSEC Panel Introduction

  1. 1. Slaying the Two-Headed Beast: Challenges and Triumphs of DNSSEC
  2. 2. About Deploy360 The Challenge: – The IETF creates protocols based on open standards, but some are not widely known or deployed – People seeking to implement these protocols are confused by a lack of clear, concise deployment information The Deploy360 Solution: – Provide hands-on information on IPv6, DNSSEC and routing resiliency/security to advance real-world deployment – Work with first adopters to collect and create technical resources and distribute these resources to fast following networks
  3. 3. Web Portal (Online Knowledge Repository) • Technical documents • Audience-specific information • Blogs & social media Social Media (Constant Audience Engagement) • Twitter • Facebook • Google+ • YouTube • RSS Feeds Speaking Engagements (Come Meet Us or Invite Us to Speak) • Consumer Electronics Show • IPv6 Summits • Interop • Network Operators’ Groups ION Conferences (Hands-on Educational Events) • Slovenia • India • USA • Canada • Argentina Deploy360 Components
  4. 4. Social Media
  5. 5. Our Panel Moderator: • Dan York, Internet Society Panelists: • Frederic Cambus, StatDNS • Krzysztof Olesik, NASK • Patrik Wallström, OpenDNSSEC
  6. 6. The Two Parts of DNSSEC Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
  7. 7. DNSSEC Signing - The Individual Steps Registry Registrar DNS Hosting Provider Domain Name Registrant • Signs TLD • Accepts DS records • Publishes/signs records • Accepts DS records • Sends DS to registry • Provides UI for mgmt • Signs zones • Publishes all records • Provides UI for mgmt • Enables DNSSEC (unless automatic)
  8. 8. A Normal DNS Interaction Web Server Web Browser web page DNS Resolver 1 25 6 DNS Svr m DNS Svr .com DNS Svr root 3 4 NS .com NS
  9. 9. Attacking DNS Web Server Web Browser web page DNS Resolver 1 25 6 DNS Svr m DNS Svr .com DNS Svr root 3 4 Attacking DNS Svr m NS .com NS
  10. 10. A Poisoned Cache Web Server Web Browser web page DNS Resolver 1 2 3 4 Resolver cache now has wrong data: This stays in the cache until the Time-To-Live (TTL) expires!
  11. 11. Attempting to Spoof DNS Web Server Web Browser web page DNS Resolver DNSKEY RRSIGs 1 25 6 DNS Svr m DNS Svr .com DNS Svr root 3 SERVFAIL 4 Attacking DNS Svr m DNSKEY RRSIGs NS DS .com NS DS
  12. 12. The Typical TLS (SSL) Web Interaction Web Server Web Browser TLS-encrypted web page DNS Resolver 2 5 6 DNS Svr m DNS Svr .com DNS Svr root 3 4 Is this encrypted with the CORRECT certificate?
  13. 13. DANE Web Server Web Browser w/DANE TLS-encrypted web page with CORRECT certificate DNS Server DNSKEY RRSIGs TLSA 1 2 Firewall (or attacker) TLS-encrypted web page with NEW certificate (re-signed by firewall) Log files or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be.
  14. 14. DNSSEC Deployment – Top-Level Domains
  15. 15. Resources To learn more about DNSSEC and how to get started: Specific resources that may be of interest: • SURFnet whitepaper about deploying validating servers • DNSSEC HOWTO • NIST "Secure DNS Deployment Guide"
  16. 16. Three Requests For Network Operators 1. Deploy DNSSEC-validating DNS resolvers 2. Sign your own domains where possible 3. Help promote support of DANE protocol • Allow usage of TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
  17. 17. Internet Society Deploy360 Programme Can You Help Us With: • Case Studies? • Tutorials? • Videos? How Can We Help You? 10/9/2013
  18. 18. Dan York Senior Content Strategist Internet Society Thank You!