© Afilias Limited www.afilias.info
The History and Value of
Deploying DNSSEC
Dr. Jim Galvin
Director
Afilias
© Afilias Limited www.afilias.info
• 10 years of experience in critical Internet
infrastructure
• Best known for domain na...
© Afilias Limited www.afilias.info
What problem does DNSSEC solve?
When you visit a website, or send an e-
mail, can you b...
© Afilias Limited www.afilias.info
ITERATIVE
RESOLVER
AUTHORITATIVE
NAME SERVER
The risks without DNSSEC….
4
DOMAIN NAME S...
© Afilias Limited www.afilias.info
When does site identity matter?
5
DNSSEC is designed to protect users from the
conseque...
© Afilias Limited www.afilias.info
CACHE
trustus.asia =
192.172.3.4
Cache poisoning risks
1. A DNS resolver
sends a DNS qu...
© Afilias Limited www.afilias.info
How can DNSSEC help?
• Domain Name System
Security Extensions adds
security to the Doma...
© Afilias Limited www.afilias.info
DNSSEC Benefits by User
8
End –User Registrant Registrar Registry
Gain confidence
of re...
© Afilias Limited www.afilias.info
Afilias DNSSEC timeline
2008
June 2009:
.ORG zone
signed
2009 2010
PIR submitted a
.ORG...
© Afilias Limited www.afilias.info
Adoption timing is a
challenge
R&D Pioneers
Early
Adopters
Mass
Adoption
Mainstream
Nom...
© Afilias Limited www.afilias.info
Thank you!
Upcoming SlideShare
Loading in …5
×

History of DNSSEC from .ASIA signing event

884 views

Published on

Afilias Dr. James Galvin gives an overview and history of DNSSEC at the .ASIA DNSSEC signing press announcement at the IETF meeting in Beijing on Nov 11, 2010

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
884
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • DNSSEC is not new, having been in develop since 1992.
  • History of DNSSEC from .ASIA signing event

    1. 1. © Afilias Limited www.afilias.info The History and Value of Deploying DNSSEC Dr. Jim Galvin Director Afilias
    2. 2. © Afilias Limited www.afilias.info • 10 years of experience in critical Internet infrastructure • Best known for domain name registry services in support of 17 million domains across 15 TLDs • Diverse DNS Network handling billions of queries daily • Largest DNSSEC deployment – more TLDs than any other provider Who is Afilias?
    3. 3. © Afilias Limited www.afilias.info What problem does DNSSEC solve? When you visit a website, or send an e- mail, can you be sure you are communicating with the server that you think you are? (At least not with certainty) ON
    4. 4. © Afilias Limited www.afilias.info ITERATIVE RESOLVER AUTHORITATIVE NAME SERVER The risks without DNSSEC…. 4 DOMAIN NAME SYSTEM Cache Poisoning UNAUTHORIZED SERVER Authoritative Name Server Hijacking WEB BROWSER
    5. 5. © Afilias Limited www.afilias.info When does site identity matter? 5 DNSSEC is designed to protect users from the consequences of forged DNS data inserted by malicious actors The DNS was originally build on a model of trust As the Web has expanded, and new criminal exploits have grown more sophisticated, this is no longer an acceptable model for the future of applications and services that rely on the DNS
    6. 6. © Afilias Limited www.afilias.info CACHE trustus.asia = 192.172.3.4 Cache poisoning risks 1. A DNS resolver sends a DNS query and accepts the first response it receives. 2. If a malicious actor were to send back an incorrect response, the resolver would use this address until its cache expired. trustus.asia = DOMAIN NAME SYSTEM 192.168.16.2 trustus.asia SERVER get trustus.asia trustus.asia = 192.172.3.4 192.172.3.4
    7. 7. © Afilias Limited www.afilias.info How can DNSSEC help? • Domain Name System Security Extensions adds security to the Domain Name System • With DNSSEC, users and servers can verify DNS responses for: • Data integrity • Origin authentication • The data is protected. It does not matter what server or resolver provides the data. trustus.asia ? trustus.asia 192.168.16.2 DOMAIN NAME SYSTEM DNSSEC ZONE SERVER
    8. 8. © Afilias Limited www.afilias.info DNSSEC Benefits by User 8 End –User Registrant Registrar Registry Gain confidence of reaching the intended website Fraud mitigation Comply with new industry standards Meet new industry standards Greater brand protection Meet Registrant demands for increased domain security Meet Registrar demands for increased security of their domains
    9. 9. © Afilias Limited www.afilias.info Afilias DNSSEC timeline 2008 June 2009: .ORG zone signed 2009 2010 PIR submitted a .ORG DNSSEC proposal The proposal was approved by ICANN 1st Half 2010: .ORG signed delegations July 2010: Root signing 2011 Project Safeguard: Afilias deploys DNSSEC across 13 more TLDs including .Asia
    10. 10. © Afilias Limited www.afilias.info Adoption timing is a challenge R&D Pioneers Early Adopters Mass Adoption Mainstream Noman’sland • Now requires ISPs and application providers to get on board to envision new services that can bring this security to the mainstream DNSSEC adoption
    11. 11. © Afilias Limited www.afilias.info Thank you!

    ×