
You Need More Than Just SSL: Locking Down Interop With DNSSEC


This presentation from Interop 2011 in Las Vegas is a high- and low-level discussion of how Dyn provided DNSSEC to Interop, why DNSSEC is as important as (if not more important than) HTTPS, and the technical details of DNSSEC as done by Dyn, aka the DNS experts.

To see the video version as a companion, enjoy Kevin Gray's chat here:


  1. The need for more than just SSL: locking down Interop with DNSSEC
  2. Who is Dyn? The DNS and email experts, powering the biggest and fastest-growing brands on the Internet. Providing DNS to InteropNET with our Enterprise Managed DNS service: Dynect Platform
  3. First there was unsecured http....
  4. To verify the correct domain name, https....
  5. Add in DNSSEC to secure the entire lookup.
  6. Quick reminder about the basics of DNS...
     • DNS maps names to numbers. You and I understand names, but your computer only knows how to reach IP addresses. DNS bridges the two.
     • 2 types of DNS servers
       • Authoritative – answers specific DNS queries, e.g. what is the A record for
       • Recursive – queries authoritative servers for DNS information and stores it (caches it) for a period of time
     • DNS recursion is the process of a recursive server iteratively asking authoritative servers questions until it finds a definitive answer.
  7. DNS Recursion – Query the recursive server
  8. DNS Recursion – Recursive server queries root...
  9. DNS Recursion – Recursive server queries com
  10. DNS Recursion – Recursive server queries
  11. DNS Recursion – Recursive server queries
  12. DNS Recursion – Recursive server responds to original request
  13. I'm doing my online banking, I see the https lock is green but you're saying I'm not safe!?
     • Only partly!
       • As we saw, the name of the site you are going to is trusted
       • The IP address you are being brought to is at the mercy of DNS
         • Think about what would happen if someone changed your /etc/hosts file to point to a fake site.... would your computer know?
         • This is basically what DNS cache poisoning or DNS man-in-the-middle attacks are, but on a larger scale
  14. What types of security breaches occur at the DNS level?
     • Man-in-the-middle attack
       • A malicious machine intercepts every packet going from one machine to another
       • When returning the information, it changes DNS records to point to a bad site
     • DNS cache poisoning attack
       • A malicious machine continuously re-sends a response for a site to the recursive DNS server
       • When the recursive server eventually asks for the information, the first reply it sees is from the malicious machine
  15. DNS Cache Poisoning
  16. You would be securely connected... but to the wrong computer!
  17. Need a way to do SSL-like verification in DNS... Enter DNSSEC!
     • DNSSEC is a way for the recursive server to validate each of the replies it gets, to make sure the correct response is given.
  18. DNSSEC Secured
  19. Interop and DNS … and DNSSEC
     • First, the DNS layout
     • Providing both authoritative and recursive DNS to Interop
  20. The starting point...
  21. Cisco providing DHCP service through their CNR
  22. CNR pushes updates to the Dynect show floor hidden master
  23. It's good to have redundancy, plus redundancy is good to have
  24. Sign the update and propagate it to Dynect
  25. Need to handle DNS requests too!
  26. Handle it by show floor anycast recursive servers.... and here is the complete DNS picture
  27. So the authoritative zones are signed, but how do you actually sign a zone...
     • The BIND way (for each and every zone...)
       • Generate the keys using dnssec-keygen twice, once for the ZSK and once for the KSK
       • Store the private keys someplace safe (since anyone with the private keys can sign as you)
       • Include the correct keys in the zone file
       • Actually sign the zone using dnssec-signzone
     • The Dynect way...
  28. Click “Add DNSSEC”!
  29. Just one more step...
     • After the zone is signed, just publish the DS record to your registrar and you are trusted!
     • This isn't always the fastest thing. At the moment we are waiting for the registrar to update their DS record – being a newer technology, this sometimes takes a while, particularly if it isn't something the registrar does all the time
  30. DNSSEC tools
     • Being the DNS experts, we aren't going to leave you hanging in regards to a DNSSEC tool!
       • DNSCog: – lets you verify the DNSSEC chain
       • Notice that is signed up to the registrar
  31. Some other cool DNSSEC-related stuff to check out
     • This is a site with a purposely broken DNSSEC chain that can be used to check untrusted handling:
     • Firefox DNSSEC plugin: – adds a simple graphical interface for sites to let you know their DNSSEC status
     • Tools/patches for adding DNSSEC awareness into some common applications like postfix and sendmail:
     • A one-stop shop for all your DNSSEC needs:
  32. Booth #715 in the Cloud and Virtualization Zone. Get a free Dynect Platform trial and get started with DNSSEC. Dyn on the web: Twitter: @DynInc. Kevin Gray, Tech Integrator, Email: Twitter: @tuftsmoose. Interested in hearing the DNSSEC details... keep going!
  33. How does DNSSEC work?
     • Implemented as two (2) public key/private key pairs
       • A zone signing key pair (ZSK), used to sign every record type except DNSKEY records
       • A key signing key pair (KSK), used to sign DNSKEY records
     • A zone uses its private ZSK to sign each of its record sets; the signature is stored in an RRSIG record, which is a DNSSEC-specific DNS record type
     • A zone stores the public ZSK in a DNSKEY record, another DNSSEC-specific DNS record type; this record is then signed with the private KSK
     • The zone administrator then sends a DS record to the parent zone owner. The DS record is the public KSK. This DS record exists only in the parent zone and is signed by the parent zone to verify its validity.
     • Now, to validate a zone one takes the validated DS record from the parent zone to get the zone's public KSK, uses this KSK to validate the DNSKEY record of the zone, then uses the public ZSK stored in the validated DNSKEY record to validate every other record set in the zone.
  34. The DNSSEC Chain of Trust
     • In the manner just described, each validated parent is able to give the validated public KSK for its signed children. This linking is called the DNSSEC Chain of Trust
     • Basics of the chain (where is
       • root KSK validates root DNSKEY with ZSK -> ZSK validates .com DS record, which contains .com KSK
       • .com KSK validates .com DNSKEY with ZSK -> ZSK validates DS record, which contains KSK
       • KSK validates DNSKEY with ZSK -> ZSK validates DS record, which contains KSK
       • KSK validates DNSKEY with ZSK -> ZSK validates A record
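As an added example (not from the slides), the parent-to-child link in this chain worked through in Python. Per RFC 4034, the DS record published in the parent carries a digest of the child's KSK DNSKEY record (together with its key tag and algorithm) rather than the key itself, so a validator checks a DNSKEY against the DS by recomputing that digest; the owner name, flags and 64-byte public key below are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed example, not from the presentation: a KSK-style DNSKEY for "Example.COM."
# (flags 257 = zone key + SEP bit, protocol 3, algorithm 8 = RSASHA256).
# The public key bytes are a placeholder standing in for a real RSA public key.
OWNER = "Example.COM."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8
PUBKEY = bytes(range(1, 65))

def name_to_wire(name):
    """Canonical wire form of a name (RFC 4034 s6.2): lowercase labels, length-prefixed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA as sent on the wire (RFC 4034 s2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag that DS and RRSIG records use to pick a DNSKEY (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA) (RFC 4034 s5.1.4).
    digest_type 1 = SHA-1, 2 = SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).digest()

def make_ds(owner, rdata, digest_type=2):
    """What the parent publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches_dnskey(ds, owner, rdata):
    """The validator's step: does the parent's DS commit to this child DNSKEY?"""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata)
            and alg == rdata[3]
            and digest == ds_digest(owner, rdata, dtype))

EXAMPLE_RDATA = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY)
EXAMPLE_DS = make_ds(OWNER, EXAMPLE_RDATA)

if __name__ == "__main__":
    print("key tag", EXAMPLE_DS[0], "digest", EXAMPLE_DS[3].hex())
    print("DS matches DNSKEY:", ds_matches_dnskey(EXAMPLE_DS, "example.com.", EXAMPLE_RDATA))
```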
  35. Wait! What about root?
     • Need a trust starting point, just like you need a DNS lookup starting point
     • Validators maintain a list of KSKs for trusted zones. These are updated either by hand, through some secure method, or through Automated Updates of DNSSEC Trust Anchors (RFC 5011)
     • RFC 5011, in a nutshell, is using current trust anchors to validate new ones. Software implementing this is just starting to gain traction, but many lists are still maintained using other methods.
     • As of July 2010 root is signed (Yeah!)
  36. What if a domain doesn't exist?
     • NXDOMAIN is returned; how do you sign it?
       • NSEC records fill this void
       • NSEC is a signed negative response. It spans a gap between two consecutive existing zones and includes the types of records the first of the zones has
       • In this way the NXDOMAIN, or NOERROR with no records, can be signed too
       • Consecutive zones... so there is an order? Yes!
         • Domain names in a zone are sorted by the rightmost label, then the next label to the left, and so on. Sorting is done case-insensitively in dictionary order.
         • Order,,,, and
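An added example, not part of the presentation, that implements the canonical ordering just described (RFC 4034 section 6.1) and the NSEC check a validator then performs: given an NSEC record spanning owner to next, does a queried name fall in the gap? The zone contents are the RFC's own ordering example, scrambled; its \001 and \200 labels are written as Python "\x01" and "\x80", and labels are assumed not to contain escaped dots.

```python
# Canonical DNS name ordering (RFC 4034 s6.1) and NSEC denial of existence.
# Constructed input: the ordering example from RFC 4034 s6.1, deliberately scrambled.
# Assumption: labels contain no escaped dots, so splitting on "." is safe.
ZONE_APEX = "example."
ZONE_NAMES = [
    "z.example.", "zABC.a.EXAMPLE.", "\x80.z.example.", "a.example.",
    "example.", "*.z.example.", "Z.a.example.", "\x01.z.example.",
    "yljkjljk.a.example.",
]

def canonical_key(name):
    """Sort key: labels from the rightmost one leftwards, compared as lowercase
    octets (bytes.lower() folds ASCII only, as DNS requires). A name sorts
    before every name beneath it because a shorter tuple is a prefix."""
    raw = name.encode("latin-1").rstrip(b".")
    labels = raw.split(b".") if raw else []
    return tuple(label.lower() for label in reversed(labels))

def nsec_chain(apex, names):
    """Sort the zone canonically and return the (owner, next) gaps its NSEC
    records span; the last record points back to the apex, closing the loop."""
    ordered = sorted(set(names) | {apex}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def nsec_denies(apex, owner, nxt, qname):
    """Does the record 'owner NSEC nxt' prove that qname does not exist?
    An exact match proves the name exists (NODATA), which is not a denial."""
    a, o, n, q = (canonical_key(x) for x in (apex, owner, nxt, qname))
    if q[:len(a)] != a:
        return False             # qname is not inside this zone at all
    if q == o or q == n:
        return False             # the name exists; NSEC only lists its types
    if n == a:
        return q > o             # wrap-around gap from the last name to the apex
    return o < q < n

if __name__ == "__main__":
    for owner, nxt in nsec_chain(ZONE_APEX, ZONE_NAMES):
        print(f"{owner!r:24} NSEC {nxt!r}")
    print(nsec_denies(ZONE_APEX, "a.example.", "yljkjljk.a.example.", "b.a.example."))
```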
  37. Yes, there is another option to NSEC...
     • More recently, NSEC3 records have begun being used instead of NSEC
       • NSEC3 is a signed record with a hash of the name
       • The intent is to thwart automatic walking of all the names in a zone in an attack attempt.
       • RFC 5155
  38. If this is still relatively new, what happens if someone in my chain isn't signed?
     • A good number of zones are still unsigned and don't support DNSSEC; if one of those is above you in the trust chain, you need to follow a slightly different method to DNSSEC-secure yourself
     • To get a pseudo trust chain you can use DNSSEC Lookaside Validation (DLV)
       • DLV essentially uses a DLV service like the ISC (Internet Systems Consortium) as the trusted source for your DS records, thus allowing the security-aware resolver to “look aside” to the ISC server for the DS verification of the next step in the trust chain.
       • This requires you to trust the DLV service ahead of time and then upload your DS record for a signed zone to the DLV service
  39. Since everyone in the world isn't using this, there must be a reason or two...
     • It is still relatively new and takes a while to propagate
     • Root was just recently signed... It took a while politically; think about it, the trusted root signature is done by organizations strongly tied to the US, and believe it or not the US isn't the favorite country of some nations.
     • It is more work to maintain -> need to roll over the KSK roughly every 30 days and the ZSK about once a year, which requires generating and storing the keys, re-signing the zones, then propagating the new DS records.
     • Many people think HTTPS is good enough.
     • Many end-user tools don't have native support for DNSSEC checking. For example, no browser monitors it natively, and a search revealed only Firefox has a free production-level plugin supporting it.
     • Truthfully, DNSSEC isn't the most intuitive to set up/maintain, which makes the barrier to entry not worth it to many (which Dyn is trying to fix!)