DNSSEC

1. DNSSEC
PLNOG 5
Eric Ziegast
Internet Systems Consortium
Deck Version 0.2
Zbigniew Jasinski
NASK.PL

2. SIE
Changing how the
Security
Communities
Productively
Collaborate
Eric Ziegast
ziegast@isc.org
We help make the Internet
work better.

3. Why are we here?

4. This DNSSEC Talk
• Explain need for DNSSEC
• Point to some implementation
examples
• NASK provides some implementation
plans for .PL

5. Why DNSSEC?
• 5 years ago (2005), talking about
DNSSEC being deployed anywhere
would cause laughter.
• 3 years ago (2007), talking about
DNSSEC being deployed to the root
would result in laughter.

6. Why DNSSEC?
• 2 years ago (2008), Verisign and
ICANN provided proposals about how
the root would be signed.
• On July 15, 2010, the first full
production DNSSEC root zone was
signed. (ask Chris)
• Signing road show:
– ORG & EDU, now
– NET 2010, COM 2011, TLDs...

7. Why DNSSEC?
http://www.xelerance.com/dnssec/

8. Deployment growth
http://secspider.cs.ucla.edu/

9. Why DNSSEC?
• What spurred this rapid change in
attitudes?
• Was the world as we knew it about to
end?
• Possibly. Maybe.

10. Why DNSSEC?
• Contemplate for a moment the
amount of trust that we put into the
DNS infrastructure
• If DNS were to suddenly become
unreliable or untrustworthy, what
would the result be?

11. Why DNSSEC?

12. Why DNSSEC?
• There are lots of places for "bad
people" to do "bad things" in the
DNS infrastructure.
• Aren't these the same problems that
DNS has had since 1983? (just like
SMTP, FTP, HTTP)
• Yes, but...

13. Known threats to DNS cache servers
Check out the Cricket Liu webcast
SANTA CLARA, Calif. - (Business Wire) Infoblox Inc., the market leading provider of network infrastructure control
solutions, today announced that it will host a live webcast entitled “Why We Need the Domain Name System
Security Extensions: A Look into the Threats to DNS and How DNSSEC Addresses Them.”
The webcast features DNS expert and O'Reilly & Associates author Cricket Liu, who will discuss cache poisoning
vulnerabilities and what they mean to enterprises worldwide. The free event will be broadcasted live on Tuesday,
September 28, from San Francisco at 9:00 a.m. PDT, along with in-person “viewing parties” in 5 cities across North
America: Seattle, Chicago, Toronto, Philadelphia and Fort Worth, Texas.
DNSSEC is suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information
provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. Additionally, Cricket Liu
will discuss: 1) Interim measures to combat cache poisoning, 2) DNSSEC and why it's necessary for long-term
security; and 3) Automating DNSSEC management.
About 90 minutes, easy to watch, good for IT managers
http://www.infoblox.com/en/resources/webinars/cache-poisoning-and-dnssec.html

14. Attacks against recursives
• Kashpuref cache poisoning
• Birthday attack cache poisoning
• Kaminsky cachepoisoning

15. Kashpuref poisoning (1997)
• A typical DNS response has:
– Query
– Answer
– Nameservers
– Glue

16. Kashpuref cache poisoning
• Incorrect NS or A records provided in
glue could by trusted by BIND
nameservers and cached.
• AlterNIC used it to redirect
internic.net to them.
• Bailiwick checking
for glue

17. Birthday Attack Poisoning
www.isc.org A
192.153.154.4
w
w
w
.isc.org
?
192.153.154.4
www.isc.org?
Attacker
caching
recursive
server
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
www.isc.org A
192.153.154.4
V
ictim
C
lient
V
ictim
S
erver

18. Birthday attack
Great article by Joe Stewart:
http://www.secureworks.com/
research/articles/dns-cache-poisoning

19. PRNG DNS cache poisoning
• Amit Klein, Trusteer
• Message ID's are supposed to be
unpredictable
• PRNG generator had issues
– If MSGID is even, next ID in 1 of just 10
• OpenBSD PRNG fixed

20. Kaminsky
• January 2008 – Life as normal
• February 2008 – Dan Kaminsky
makes contact with Vixie
http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky

21. Kaminsky
• Since then, nothing has been
normal...
• In February, ISC, Microsoft, Cisco
and other vendors were notified of
the new DNS attack vector
• An effort was undertaken to provide
software updates that would be
released simultaneously across
multiple platforms

22. Kaminsky
• "Classic" cache poisoning was known
about for years.
• What was so magical about the
"Kamisky" attack?
• It's all about timing... and scale...

23. Kaminsky NS Poisoning
<rnd>.isc.org?
Attacker
caching
recursive
server
<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com
~200 responses can be sent
before the true authoritative
server responds with an
NXDOMAIN

24. Kaminsky NS Poisoning
<rnd>.isc.org?
Attacker
caching
recursive
server
<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com
Since <rnd> is different
at every query, the TTL of
cached data is no-longer
a deterrent

25. Kaminsky NS Poisoning
<rnd>.isc.org?
Attacker
caching
recursive
server
<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com
Attacker continues to use
a fixed block of query IDs
that will cause a hit

26. Kaminsky NS Poisoning
<rnd>.isc.org?
Attacker
caching
recursive
server
<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com
65536 / 200 = 327
Attacker has to send 327
<rnd> queries to
guarantee a hit

27. Kaminsky NS Poisoning
w
w
w
.isc.org
?
N
S
ns1.m
ydom
ain.com
<rnd>.isc.org?
Attacker
caching
recursive
server
V
ictim
C
lient
V
ictim
S
erver
<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com<rnd>.isc.org NS
ns1.mydomain.com
Since the attack replaces
the NS records,the entire
domain is owned

28. Why DNSSEC?
• This vulnerability was a "game-changer"
• Suddenly, caching servers across the
Internet were vulnerable.
(10 seconds – DEFCON 2008)
• While a port randomization work-around
was put into place, it still is not a long-
term fix.
(10 days – Eugeniy Polyakov [sp?])

29. Why DNSSEC?
• In addition to the Kaminsky attack,
what about untrusted environments?
• The hotel that you stay in as you
travel.
• The network that you attach to in the
airport or coffe shop...

30. Why DNSSEC?
• If I run your recursive server, I can
provide you with any response that I
want..
www.google.com => 10.0.0.1
• Does the consumer believe that?

31. Why DNSSEC?
• DNSSEC provides the ability to
validate responses to insure that the
response is unaltered since it left the
authoritative server.
• DNSSEC data can, if you wish, be
ignored.

32. How do I get started?
• Training
– Invest in your staff. The keys to your
kingdom are literally in their hands.
• Server software
http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
• Appliances
• Services / outsourcing
– “Bump in the wire”

33. Try DNSSEC validation
• BIND 9.7 (also HOWTO https://dnssec.surfnet.nl/?p=402):
options {
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;
}
managed-keys {
"." initial-key 257 3 8
"AwEAAagAIKlVZrp ...etc... QxA+Uk1ihz0=";
};
$ dig . DNSKEY | grep “257 ”
• Unbound:
http://www.unbound.net/documentation/howto_anchor.html
(also HOWTO: https://dnssec.surfnet.nl/?p=212)

34. Who do you trust?
• You're an ISP
– Don't take my word for it
– Software vendors? OS vendor? Current DNS?
– IANA? ICANN? (http://www.root-dnssec.org/documentation/ )
– NASK.pl? www.cert.pl?
• You're a user
– ISP example:
• http://www.dnssec.comcast.net/
– OS vendors?

35. dlv.isc.org (ITAR)
• BIND 9.7 (https://dlv.isc.org/about/using):
options {
dnssec-lookaside . trust-anchor dlv.isc.org.;
}
trusted-keys {
dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onz ...etc... TDN0YUuWrBNh";
};
$ dig dlv.isc.org DNSKEY | grep “257 ”
https://www.isc.org/solutions/dlv#dlv_key
• Unbound (http://www.unbound.net/documentation/howto_itar.html)
$ dig dlv.isc.org DNSKEY | grep “257 3” > dlv.isc.org.key
dlv-anchor-file: "dlv.isc.org.key"

36. Learn how to sign zones
• As an ISP, you're responsible for IN-
ADDR.ARPA and IP6.ARPA delegations.
• Get Alan's DNSSEC tutorial:
http://www.nanog.org/meetings/nanog50/agenda.php
See “Tutorial: DNSSEC Implementation Using Bind 9.7”
• Try some test domains (or your real
domain)
– Publish them in DLV
– Ask your registrar now what they are doing to
prepare for registration of DS records

37. Chris Griffiths found these resources useful:

38. More DNSSEC fun
• http://www.practicesafedns.org/
• Comcast Public Service Announcement
http://www.youtube.com/watch?v=boyl6o7nkLQ
• Statistics:
– http://secspider.cs.ucla.edu/

39. What could go wrong?
• Expired keys (implemented without
monitoring) or bad key rollover
• Firewalls
– Not yours, everyone else's
– TCP blocking
– EDNS0 support
– Packet size limitations
• Human error
– Upstream problems (DS records, Registrar)
– Misconfigured recursive servers (DLV, ITARs)

40. What could go wrong?
The new amplification attack:
% dig isc.org ANY
Try it: Recently 3384 bytes
Need robust caching databases,
possibly pre-filled out of band or
saved state.

41. What next? (local devices)

42. What next? (client trust)
NXDOMAIN is a pain

43. DNSSEC IN EUROPE – Wim Degezelle, CENTR, 21st CENTR Admisnitrative workshop

44. DNSSEC w .pl
Testowa strefa dnssec.pl dostępna dla
Partnerów od września 2010
System Registry zgodny ze
standardem SecDNS-1.1 (RFC5910)

45. DNSSEC w .pl
Baza
Registry
Registrars ISP
?

46. Pytania?
Questions?
szopen@nask.pl
ziegast@isc.org