ION Krakow - DNSSEC Panel Introduction

783 views

Published on

ION Krakow, 30 September 2013: Introductory slides from the "Slaying the Two-headed Beast: Challenges and Triumphs of DNSSEC" panel.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
783
On SlideShare
0
From Embeds
0
Number of Embeds
56
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

ION Krakow - DNSSEC Panel Introduction

  1. 1. www.internetsociety.org/deploy360/ Slaying the Two-Headed Beast: Challenges and Triumphs of DNSSEC
  2. 2. www.internetsociety.org/deploy360/ About Deploy360 The Challenge: – The IETF creates protocols based on open standards, but some are not widely known or deployed – People seeking to implement these protocols are confused by a lack of clear, concise deployment information The Deploy360 Solution: – Provide hands-on information on IPv6, DNSSEC and routing resiliency/security to advance real-world deployment – Work with first adopters to collect and create technical resources and distribute these resources to fast following networks
  3. 3. www.internetsociety.org/deploy360/ Web Portal (Online Knowledge Repository) • Technical documents • Audience-specific information • Blogs & social media Social Media (Constant Audience Engagement) • Twitter • Facebook • Google+ • YouTube • RSS Feeds Speaking Engagements (Come Meet Us or Invite Us to Speak) • Consumer Electronics Show • IPv6 Summits • Interop • Network Operators’ Groups ION Conferences (Hands-on Educational Events) • Slovenia • India • USA • Canada • Argentina Deploy360 Components
  4. 4. www.internetsociety.org/deploy360/ https://twitter.com/deploy360 https://www.facebook.com/Deploy360 http://gplus.to/deploy360 http://www.youtube.com/user/Deploy360 http://www.internetsociety.org/deploy360/feed/ Social Media
  5. 5. www.internetsociety.org/deploy360/ Our Panel Moderator: • Dan York, Internet Society Panelists: • Frederic Cambus, StatDNS • Krzysztof Olesik, NASK • Patrik Wallström, OpenDNSSEC
  6. 6. www.internetsociety.org/deploy360/ The Two Parts of DNSSEC Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
  7. 7. www.internetsociety.org/deploy360/ DNSSEC Signing - The Individual Steps Registry Registrar DNS Hosting Provider Domain Name Registrant • Signs TLD • Accepts DS records • Publishes/signs records • Accepts DS records • Sends DS to registry • Provides UI for mgmt • Signs zones • Publishes all records • Provides UI for mgmt • Enables DNSSEC (unless automatic)
  8. 8. www.internetsociety.org/deploy360/ A Normal DNS Interaction Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.co m DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
  9. 9. www.internetsociety.org/deploy360/ Attacking DNS Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.co m DNS Svr .com DNS Svr root 3 192.168.2.2 4 Attacking DNS Svr example.co m 192.168.2.2 example.com NS .com NS example.com?
  10. 10. www.internetsociety.org/deploy360/ A Poisoned Cache Web Server Web Browser https://example.com/ web page DNS Resolver 1 2 3 4 192.168.2.2 Resolver cache now has wrong data: example.com 192.168.2.2 This stays in the cache until the Time-To-Live (TTL) expires! example.com?
  11. 11. www.internetsociety.org/deploy360/ Attempting to Spoof DNS Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.co m DNS Svr .com DNS Svr root 3 SERVFAIL 4 Attacking DNS Svr example.co m 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
  12. 12. www.internetsociety.org/deploy360/ The Typical TLS (SSL) Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver 10.1.1.1231 2 5 6 DNS Svr example.co m DNS Svr .com DNS Svr root 3 10.1.1.123 4 Is this encrypted with the CORRECT certificate? example.com?
  13. 13. www.internetsociety.org/deploy360/ DANE Web Server Web Browser w/DANE https://example.com/ TLS-encrypted web page with CORRECT certificate DNS Server 10.1.1.123 DNSKEY RRSIGs TLSA 1 2 Firewall (or attacker) https://example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall) Log files or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. example.com?
  14. 14. www.internetsociety.org/deploy360/ DNSSEC Deployment – Top-Level Domains
  15. 15. www.internetsociety.org/deploy360/ Resources To learn more about DNSSEC and how to get started: http://www.internetsociety.org/deploy360/dnssec/basics/ http://www.internetsociety.org/deploy360/resources/dane/ Specific resources that may be of interest: • SURFnet whitepaper about deploying validating servers • DNSSEC HOWTO • NIST "Secure DNS Deployment Guide"
  16. 16. www.internetsociety.org/deploy360/ Three Requests For Network Operators 1. Deploy DNSSEC-validating DNS resolvers 2. Sign your own domains where possible 3. Help promote support of DANE protocol • Allow usage of TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
  17. 17. www.internetsociety.org/deploy360/ Internet Society Deploy360 Programme Can You Help Us With: • Case Studies? • Tutorials? • Videos? How Can We Help You? 10/9/2013 www.internetsociety.org/deploy360/
  18. 18. www.internetsociety.org/deploy360/ york@isoc.org http://www.internetsociety.org/deploy360/ Dan York Senior Content Strategist Internet Society Thank You!

×