DNSSEC - Amsterdam Roundtable 2011

1,336 views

Published on

This presentation has been given by Wolfgang Nageleduring the RIPE NCC Roundtable Meeting in Amsterdam on 4 April 2011

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,336
On SlideShare
0
From Embeds
0
Number of Embeds
75
Actions
Shares
0
Downloads
9
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

DNSSEC - Amsterdam Roundtable 2011

  1. 1. DNS SecurityWolfgang NageleDNS Services Manager
  2. 2. DNS: the Domain Name System • Specified by Paul Mockapetris in 1983 • Distributed Hierarchical Database – Main purpose: Translate names to IP addresses – Since then: Extended to carry a multitude of information (such as SPF, DKIM) • Critical Internet Infrastructure – Used by most systems (in the background)Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 2
  3. 3. DNS Tree StructureWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 3
  4. 4. How does it work?Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 4
  5. 5. What is the problem? • UDP transport can be spoofed – Anybody can pretend to originate a response • If a response is modified the user will connect to a possibly malicious systemWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 5
  6. 6. The Solution • Make the responses verifiable – Cryptographic signatures • Hierarchy exists so a Public Key Infrastructure is the logical choice – Same concept as used in eGovernment infrastructuresWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 6
  7. 7. How does it work with DNSSEC?Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 7
  8. 8. How does it work with DNSSEC?Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 8
  9. 9. How does it work with DNSSEC?Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 9
  10. 10. How does it work with DNSSEC?Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 10
  11. 11. How does it work with DNSSEC?Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 11
  12. 12. DNS Security Extensions: A Long Story • 2005: Theoretical problem discovered (Bellovin) • 1995: Work on DNSSEC started • 1999: First support for DNSSEC in BIND • 2005: Standard is redesigned to better meet operational needs RIPE NCC along with .SE among the first to deploy it in their zonesWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 12
  13. 13. DNS Security Extensions • 2005 - 2008: Stalled deployments due to the lack of a signed root zone • 2008: D. Kaminsky shows the practical use of the protocol weakness Focus comes back to DNSSEC • July 2010: Root Zone signed with DNSSEC • March 2011: 69/306 signed TLDsWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 13
  14. 14. DNSSEC and the RIPE NCC • Sponsor development of NSD DNS software • Participated in the “Deployment of Internet Security Infrastructure” project – Signed all our DNS zones – IPv4 & IPv6 reverse space – E164.arpa – ripe.net • K-root server readiness for a signed root zoneWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 14
  15. 15. Singing of the Root Zone • Shared custody by Root Zone maintainers – Currently: U.S. DoC NTIA, IANA/ICANN, VeriSign • Split key among 21 Trusted Community Representatives • In production since July 2010Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 15
  16. 16. Deployment in ccTLDs: EuropeWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 16
  17. 17. Deployment in ccTLDs: Middle EastWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 17
  18. 18. Deployment in ccTLDs: Asia PacficWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 18
  19. 19. Deployment in ccTLDsWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 19
  20. 20. Deployment in ccTLDsWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 20
  21. 21. Deployment in ccTLDsWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 21
  22. 22. Deployment in gTLDs • .com/.net/.org (57% of world wide total domains) • .asia • .cat • .biz • .edu • .gov • .info • .museum • .mobi (Planned)Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 22
  23. 23. Deployment in Infrastructure TLD .arpa • E164.arpa – ENUM number mapping – signed by the RIPE NCC • in-addr.arpa – Reverse DNS for IPv4 • ip6.arpa – Reverse DNS for IPv6Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 23
  24. 24. Are We Done? • Signed TLD is not the same as a signed domain – Thick registry model (Registry-Registrar-Registrant) – Registrars need to enable their customers to provide public key data to registryWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 24
  25. 25. Are We Done? • Ultimately responses should be verified by the end user – Home routers need to support DNS specifications with large response packetsWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 25
  26. 26. Leverage Infrastructure • DNS is a cross organisational data directory • DNSSEC adds trust to this infrastructure – Anybody can verify data published under ripe.net was originated by the domain holder – Could be used to make DKIM and SPF widely used and trusted – SSL certificates can be trusted through the DNS – More ideas to come …Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 26
  27. 27. What about SSL/TLS? • SSL as a transport is well established • CA system currently in use is inherently broken – Any Certificate Authority delivered with a browser to date can issue a certificate for any domain – 100 and more shipped in every Browser – If any one of them fails - security fails with it – Recent incident with Comodo CA is one example • DANE working group at IETFWolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 27
  28. 28. Questions?wnagele@ripe.net

×