1#P25Summit
Because opportunistic STARTTLS isn’t good enough
DNS based Authentication of Named Entities (DANE)
Avinash Kulkarni
Lead Software Engineer, Port25 Solutions Inc.
2#P25Summit
About Me
• Avinash Kulkarni
• Lead Software Developer at Port25 Solutions Inc.
• Work on core PowerMTA features
• Working at Port25 since 2009
3#P25Summit
Growth of STARTTLS
• STARTTLS was introduced in 2002 - encrypts email during transit
• Slow adoption at first
• After several high-profile email security breaches, adoption took off
4#P25Summit
STARTTLS is great, but…
• Entirely opportunistic
[Diagram: MTA-1 sends EHLO; MTA-2 answers "I support STARTTLS"; the STARTTLS handshake fails; MTA-1 decides "Ok, fallback to unencrypted".]
5#P25Summit
STARTTLS is great, but…
• Susceptible to TLS downgrade attacks
[Diagram: MTA-1 sends EHLO; a MiTM attacker MTA sitting between MTA-1 and MTA-2 answers "No STARTTLS"; MTA-1 decides "Ok, unencrypted it is", while the attacker's own hop to MTA-2 is encrypted.]
6#P25Summit
STARTTLS is great, but…
• Server certificate validation isn't required
[Diagram: MTA-1 issues STARTTLS to a spoofed MTA-2, which presents a spoof certificate; MTA-1 continues, presumably talking to MTA-2.]
7#P25Summit
Ah, about that certificate validation…
• We could validate certificates using a Public Key Infrastructure (PKI)
• À la HTTPS
• Accept only certificates signed by trusted Certificate Authorities (CAs)
• But it's not without problems…
• Too many CAs out there
- Have to trust them all
• CAs can be compromised
• Certificates issued without due diligence on the part of the CA
• Learning about revoked certificates quickly is difficult
- Failure to learn about a revocation means the revoked certificate is still trusted!
8#P25Summit
And let’s not forget…
• SMTP doesn't rely on the CA model
• MTAs don't ship with a list of trusted root certificates
• So we need another medium to obtain information about certificates
• Should be fast
• Should be secure
• Easy to deploy
• Simple to query
9#P25Summit
DNS is a great medium
• Fast, scalable, and widely deployed
• But insecure and susceptible to MiTM attacks
[Diagram: the DNS resolver walks the delegation chain, asking the root zone server (". IN A ?"), the .com zone server ("com. IN A ?") and the example.com zone server ("example.com IN A ?"); a MiTM attacker injects the forged answer "example.com IN A w.x.y.z", which the resolver accepts, sending the client to the attacker's phishing site at w.x.y.z.]
10#P25Summit
DNSSEC – a secure alternative
• Provides origin authentication and integrity checking of DNS records
• Cryptographically verifies DNS records from the root downwards
• Provides visibility into MiTM attacks
[Diagram: the same resolution chain (root, .com and example.com zone servers) with DNSSEC; the signed answer "example.com IN A a.b.c.d" validates, while the MiTM attacker's forged "example.com IN A w.x.y.z" fails validation and is rejected.]
11#P25Summit
Back to our original problems with STARTTLS
• How to prevent TLS downgrades
[Diagram: MTA-1 first learns from its DNSSEC-validating resolver that "MTA-2 requires STARTTLS"; MTA-1 sends EHLO, MTA-2 answers "I support STARTTLS", the STARTTLS handshake fails, and MTA-1 concludes "Can't fallback to unencrypted".]
12#P25Summit
Back to our original problems with STARTTLS
• How to prevent MiTM attacks
[Diagram, top: MTA-1 obtains MTA-2's certificate information from its DNSSEC-validating resolver, issues STARTTLS to a spoofed MTA-2, receives the attacker's certificate, and disconnects on "Certificate mismatch".]
[Diagram, bottom: the same exchange with the real MTA-2, which presents MTA-2's certificate: "Certificate matched, continue".]
13#P25Summit
That’s DANE at work!
• DNS-Based Authentication of Named Entities (DANE)
• Administrators can publish info about their certificates using TLSA records
• Clients can query that info securely via DNSSEC
• Doesn't use the CA model
- Spoofed certificates are easily detected
- Revoking a certificate is easy – just remove the associated TLSA record
• Avoids the security pitfalls of plain DNS by relying on DNSSEC
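How a sending MTA turns the DNSSEC status of its lookups into the "can't fall back to unencrypted" decision of slides 11 and 12 is specified in RFC 7672 (section 2.2). The Python below is an added example written for this page; it is not code from the slides or from PowerMTA, and the enum names, the `dane_policy` and `allow_cleartext_fallback` functions and the sample lookup states are the example's own assumptions:

```python
"""Connection policy for an outbound DANE SMTP client (RFC 7672, section 2.2).

Added example; not code from the slides or from PowerMTA. It takes the DNSSEC
validation state of the MX lookup and of the TLSA lookup for one MX host, as a
validating resolver reports them (AD bit set, unsigned answer, authenticated
denial, or SERVFAIL), and returns how the connection must be handled.
"""
from collections.abc import Sequence
from enum import Enum


class DnsStatus(Enum):
    SECURE = "secure"      # answer present and DNSSEC-validated (AD bit set)
    INSECURE = "insecure"  # unsigned delegation: the answer cannot be trusted
    NODATA = "nodata"      # signed zone, authenticated denial: no such RRset
    BOGUS = "bogus"        # validation failed: a validating resolver returns SERVFAIL


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # STARTTLS if offered, cleartext fallback allowed
    ENCRYPT_ONLY = "encrypt-only"    # TLS required, peer certificate not authenticated
    DANE_MANDATORY = "dane"          # TLS required and certificate must match a TLSA record
    DEFER = "defer"                  # temporary failure: queue the mail and retry later


def tlsa_usable(usage: int, selector: int, mtype: int) -> bool:
    """RFC 7672 section 3.1: only DANE-TA(2) and DANE-EE(3) usages apply to SMTP;
    PKIX-TA(0) and PKIX-EE(1) assume a CA trust store that MTAs do not have.
    Selectors 0/1 and matching types 0/1/2 are the registered values."""
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2)


def dane_policy(mx_status: DnsStatus, tlsa_status: DnsStatus,
                tlsa_records: Sequence[tuple[int, int, int]] = ()) -> Policy:
    """Decide how to connect to an MX host.

    mx_status describes the domain's MX RRset (SECURE, INSECURE or BOGUS; the
    no-MX case, which falls back to the domain's address records, is not modelled).
    tlsa_records holds (usage, selector, matching_type) of each record found at
    _25._tcp.<mx-host>; they only matter when tlsa_status is SECURE.
    """
    # A bogus MX answer means the delegation was tampered with or is broken;
    # delivering anywhere now could hand the mail to an attacker.
    if mx_status is DnsStatus.BOGUS:
        return Policy.DEFER
    # With an unsigned MX RRset the attacker could have substituted the MX host
    # itself, so even a signed TLSA record for that host proves nothing.
    if mx_status is not DnsStatus.SECURE:
        return Policy.OPPORTUNISTIC
    # A bogus TLSA lookup is treated as a temporary failure, never as "no DANE":
    # otherwise breaking the TLSA answer would be a downgrade attack.
    if tlsa_status is DnsStatus.BOGUS:
        return Policy.DEFER
    if tlsa_status is not DnsStatus.SECURE:
        # No, or unsigned, TLSA records: this is ordinary opportunistic STARTTLS.
        return Policy.OPPORTUNISTIC
    if not any(tlsa_usable(*record) for record in tlsa_records):
        # Records exist but none can be evaluated: the domain clearly wants TLS,
        # so cleartext is off the table, yet there is nothing to authenticate against.
        return Policy.ENCRYPT_ONLY
    return Policy.DANE_MANDATORY


def allow_cleartext_fallback(policy: Policy) -> bool:
    """The downgrade question of slide 11: may the client continue without TLS
    when STARTTLS is missing from the EHLO response or the handshake fails?"""
    return policy is Policy.OPPORTUNISTIC


if __name__ == "__main__":
    # Constructed lookup outcomes for a signed domain whose MX host publishes "3 1 1".
    print(dane_policy(DnsStatus.SECURE, DnsStatus.SECURE, [(3, 1, 1)]))
    # Same domain, but the attacker tampered with the TLSA answer: defer, don't downgrade.
    print(dane_policy(DnsStatus.SECURE, DnsStatus.BOGUS))
```

The two DEFER branches are what make DANE different from opportunistic STARTTLS: a man in the middle who can corrupt DNS answers gains a delay, not a cleartext session.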
14#P25Summit
That’s not all..
• DANE deployment is easy once DNSSEC is in place
• Publishing certificate info scales easily
• Administrators can publish a TLSA record for their signing certificate as a trust anchor
• Adoption is growing (from the “Real World DANE” talk at ICANN 61)
• Primarily in Northern Europe and the USA
• 5.2 million domains with DNSSEC-validated MX
• 178,000 domains with DANE SMTP support
• Examples include gmx.de, web.de, comcast.net
• Feeds a virtuous cycle of driving up DNSSEC adoption
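The certificate comparison of slide 12, why removing a TLSA record revokes a certificate (slide 13), and how a trust-anchor TLSA record for the signing certificate (slide 14) authenticates the leaf, as an added example that is not code from the slides or from PowerMTA. The `PeerCert`, `TLSA`, `publish_tlsa` and `dane_authenticate` names are the example's own, and the certificates are constructed byte-string stand-ins; a real client takes the DER encoding and the SubjectPublicKeyInfo from the parsed X.509 certificate presented in the TLS handshake:

```python
"""Matching a presented certificate against TLSA records (RFC 6698, RFC 7672).

Added example, not code from the slides or from PowerMTA. The certificate
objects are placeholders: a real client fills `der` and `spki` from the
X.509 certificates the server sent during the TLS handshake.
"""
import hashlib
from collections.abc import Iterable, Sequence
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerCert:
    name: str
    der: bytes   # full DER-encoded certificate (selector 0)
    spki: bytes  # DER SubjectPublicKeyInfo (selector 1)


def _association_data(cert: PeerCert, selector: int, mtype: int) -> bytes:
    """Certificate association data for one selector/matching-type pair."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw                              # exact match on the raw bytes
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA (issuer / trust anchor), 3 = DANE-EE (end entity)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSA":
        """Parse zone-file form, e.g. '3 1 1 2bb183af...'."""
        usage, selector, mtype, hexdata = presentation.split(None, 3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex(hexdata.replace(" ", "")))

    def matches(self, cert: PeerCert) -> bool:
        return _association_data(cert, self.selector, self.mtype) == self.data


def publish_tlsa(cert: PeerCert, usage: int, selector: int = 1, mtype: int = 1) -> str:
    """What the administrator puts at _25._tcp.<mx-host> for this certificate;
    '3 1 1' (DANE-EE, SPKI, SHA-256) is the form RFC 7672 recommends."""
    return f"{usage} {selector} {mtype} {_association_data(cert, selector, mtype).hex()}"


def dane_authenticate(records: Iterable[TLSA], chain: Sequence[PeerCert]) -> bool:
    """chain[0] is the leaf the server presented, chain[1:] the issuers it sent.

    DANE-EE(3): the leaf itself must match; RFC 7672 section 3.1.1 then skips
    the name and expiry checks, the TLSA record is the whole trust decision.
    DANE-TA(2): some certificate above the leaf must match. A real client must
    also verify the chain's signatures from that trust anchor down to the leaf,
    which these stand-in certificates cannot express.
    """
    leaf, issuers = chain[0], chain[1:]
    for record in records:
        if record.usage == 3 and record.matches(leaf):
            return True
        if record.usage == 2 and any(record.matches(c) for c in issuers):
            return True
    return False  # no record matched: certificate mismatch, disconnect


# Constructed sample certificates (byte strings standing in for DER data).
MTA2_CA = PeerCert("mta-2 issuing CA", b"constructed CA DER", b"constructed CA SPKI")
MTA2 = PeerCert("mta-2.example", b"constructed leaf DER", b"constructed leaf SPKI")
SPOOF = PeerCert("spoof of mta-2", b"constructed attacker DER", b"constructed attacker SPKI")

# The zone publishes a DANE-EE record for the leaf and a DANE-TA record for its CA.
ZONE = [TLSA.parse(publish_tlsa(MTA2, usage=3)),
        TLSA.parse(publish_tlsa(MTA2_CA, usage=2, selector=0, mtype=2))]

if __name__ == "__main__":
    print(publish_tlsa(MTA2, usage=3))
    print("real MTA-2:", dane_authenticate(ZONE, [MTA2, MTA2_CA]))
    print("spoofed MTA-2:", dane_authenticate(ZONE, [SPOOF]))
    print("after TLSA removed:", dane_authenticate([], [MTA2]))
```

Revocation in this model is the empty record set in the last call: once the administrator deletes the TLSA record (and its DNSSEC signature expires from caches), no record matches and clients disconnect, with no CRL or OCSP lookup involved.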
15#P25Summit
Some notes on DANE SMTP
• It's not end-to-end security
• Only provides a secure, authenticated transmission channel
• Not an alternative to PGP or S/MIME
• Built on DNSSEC
• DNSSEC provides neither availability nor confidentiality
• Bigger zone files, larger DNS responses
• Needs more resources for crypto operations
• An alternative to the use of DNSSEC – DANE-STS – is in the works
• Uses HTTPS
16#P25Summit
DANE SMTP support in PowerMTA
• Will be part of PowerMTA 5.0b1 release
• Simple to configure – a per-domain setting to enable/disable outbound DANE
• Compliant with RFC 7672 recommendations for SMTP DANE
• Requires a DNSSEC-validating DNS resolver
Consider enabling both outbound and inbound DANE!
