ION Toronto - Why Implement DNSSEC?


ION Toronto, 11 November 2013: What is DNSSEC and why is it so important? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet.

  1. Why DNSSEC?
     James Galvin, Ph.D., Afilias Limited
     11 November 2013, ION Toronto
     © 2013 Afilias Limited
  2. Afilias and DNSSEC
     • Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
       – Operator INFO and MOBI
       – Host to 9 ccTLDs and 7 gTLDs
       – Have one of the largest DNS infrastructures
     • Started with DNSSEC in 2008
       – Signed ORG in June 2009
       – ORG offered signed delegations in June 2010
       – Root signed in July 2010
       – Signed all TLDs and offered signed delegations soon after
  3. Agenda
     • DNSSEC Basics
     • Benefits of DNSSEC
     • Internet Future
  4. DNSSEC - BASICS
  5. What is DNSSEC?
     • DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
     • This is most often used to bind an IP address to a domain name, e.g., to find a web site.
     • The validation of the assertion is possible independent of its source.
     • Benefits
       – Critical Infrastructure: everything uses the DNS
       – Hierarchical: delegate and distribute responsibility
  6. DNS with DNSSEC
     [Diagram: DNSSEC-aware applications and a stub resolver on the user PC query a DNSSEC iterative resolver (with local cache), which queries in turn (1) the root servers, (2) the TLD authoritative NS and (3) the SLD authoritative NS, each serving DNSSEC data.]
  7. Who are the Players?
     • Domain registration system
       – Registries: operate the TLDs
       – (Registrars): middleman between registry and registrant
       – Registrant: own, manage, and deploy domain names
     • Domain name system
       – Root system
       – Registries
       – DNS Operators
     • Community
       – ISPs
       – Users
  8. BENEFITS OF DNSSEC
  9. Why DNSSEC?
     • DNSSEC protects the DNS system from cache poisoning attacks, viz the “Kaminsky Bug”
     • DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
     • DNS is a critical infrastructure system. Virtually everything depends on it.
     • Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.
  10. Without DNSSEC…
      When you visit a web site, can you be sure you are communicating with the server that you think you are?
  11. TLS/SSL and DNSSEC benefits
      [Diagram comparing TLS and DNSSEC: data carried in a TLS/SSL channel; DNS data signed by DNSSEC, guaranteed not tampered. Labels: Encryption, Authentication, Integrity.]
      DNSSEC protects users from DNS data tampered by or originating from malicious actors.
  12. INTERNET FUTURE
  13. Building Trusted Domains
      • A domain name is just a label. Most commonly used to identify hosts and services.
        – Web sites
        – Application servers
      • DNSSEC ensures we have the correct service/address
      • TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
      • Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service
  14. DNSSEC Challenges
      • Security increases the baseline expertise required
      • Key management becomes mainstream
        – Key rollover timings are subtle
      • DNS operators are visibly essential
        – Transfers are a process
          • Key rollover is required
          • Losing and gaining operator must overlap services
      • New relationship
        – DNS Operator and registrar/registry
  15. The demand for DNSSEC?
      • A mix of pioneers, early adopters and legislated compliance
      • In the early stages for registrant/user awareness
      Barriers: Complexity; Costs
      Incentives: Signing TLDs; New hw & sw solutions
  16. What’s Next?
      • Centralize the complexity
        – Registrars
        – DNS operators
        – Application service providers
      • Keep it simple for the registrant/user
        – Should be invisible
      • DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we cannot yet imagine.
  17. IETF and Pervasive Monitoring
      • Last week leading engineers agreed that pervasive monitoring is a threat to the Internet
        – http:// media/2013-11-07-internet-privacy-and-security.html
  18. Thank You!
      James Galvin
      jgalvin “at”
      +1-215-706-5715
      http://
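
Added example (not from the slides or from Afilias): slides 5 and 14 describe hierarchical signed delegations and say that during a key rollover or operator transfer the losing and gaining operators must overlap. The Python sketch below goes beyond the slides by using the DS and DNSKEY record formats of RFC 4034 to check that the parent's DS still matches a key the child serves; the zone name and key bytes are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def delegation_is_anchored(owner, parent_ds, child_keys):
    """True if at least one parent DS matches a DNSKEY the child serves."""
    served = {(key_tag(k), k[3], ds_digest(owner, k)) for k in child_keys}
    return any(ds in served for ds in parent_ds)

# Constructed sample data: the 4-byte "keys" are placeholders, not real keys.
ZONE = "example.org."
OLD_KEY = dnskey_rdata(257, 8, bytes([1, 2, 3, 4]))   # losing operator's key
NEW_KEY = dnskey_rdata(257, 8, bytes([9, 9, 9, 9]))   # gaining operator's key
PARENT_DS = [(key_tag(OLD_KEY), 8, ds_digest(ZONE, OLD_KEY))]

def rollover_states():
    """Chain-of-trust status for each stage of a transfer."""
    return {
        "before": delegation_is_anchored(ZONE, PARENT_DS, [OLD_KEY]),
        "overlap": delegation_is_anchored(ZONE, PARENT_DS, [OLD_KEY, NEW_KEY]),
        "no_overlap": delegation_is_anchored(ZONE, PARENT_DS, [NEW_KEY]),
    }

if __name__ == "__main__":
    for state, ok in rollover_states().items():
        print(f"{state:10s} chain of trust intact: {ok}")
```

The "no_overlap" case is the failure the slide warns about: the parent still points at the old key, so validating resolvers treat the zone's answers as bogus until the DS is updated.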