This document provides an introduction to DNSSEC and DANE based security for TLS. It discusses how DANE uses DNSSEC-signed TLSA records to bind TLS certificates to domain names, solving problems with the traditional PKIX trust model. The document outlines how DANE works, how to create TLSA records, and how DANE can secure protocols like HTTPS, SMTP, and XMPP that currently rely on PKIX certificates. It also introduces the Bloodhound browser that includes DANE support to validate TLS connections using DNSSEC and DANE.
Boost Fertility New Invention Ups Success Rates.pdf
ION Santiago - DNSSEC and DANE Based Security for TLS
1. DNSSEC and DANE Based
Security For TLS
An Introduction
Wes Hardaker
Parsons
<wes.hardaker@parsons.com>
2. Who is Wes Hardaker?
● Work for PARSONS
– Cyber securty parsons.com/cyber
● Network Security Research Group
– Technical Director
– Infrastructure security specialists
● DNSSEC, RPKI, BGPSEC, SNMP, IPSec, …
● DNS and DNSSEC monitoring services
– Open Source Software
● Net-SNMP
● DNSSEC-Tools
● IETF Participant DNS-Sentinel
3. 3
wes.hardaker@parsons.com
Overview
● Current TLS Trust Anchoring Problems
● What is DANE? How does it help?
● DANE & The Web
● DANE & SMTP
● DANE & XMPP
4. 4
Data
wes.hardaker@parsons.com
TLS Overview
● TLS is:
– An application-layer security tunnel
– A TCP-based security protocol to secure TCP
● DTLS secures datagram protocols (eg, UDP)
– Can provide authentication and encryption
● Typically based on X.509 Certificate bootstrapping
User TLS Protection “Tunnel” Server
5. 5
TLS Properties
● TLS ensures that:
– Eves-dropping is impossible
– The client connected to the correct server
– But, this only works when properly anchored
● TLS certificates and trust anchors
– A server must present a X.509 certificate
– The client checks this certificate
● Did it present one with the right name?
● Did it present one with the right IP address?
● Was it signed by a CA I trust?
wes.hardaker@parsons.com
6. 6
PKIX / X.509 Certificate Trees
● Certificate Authorities (CAs)
– Sign child certificates
– Should verify the child's identity
● Domain ownership
● Or their legal business name
– Can be “Trust Anchors” (TAs)
● TLS clients
– Trust their trust anchors
● All is good? CAs are trustworthy?
wes.hardaker@parsons.com
Root Certificate
AKA “Trust Anchor”
ICANN
.ORG
signs
signs
7. – Modern web browsers have 1300+ TAs
– Any of them can issue a certificate for example.com
7
The “Too Many CAs” Problem
● TLS clients often have an abundance of TAs
example
.com
wes.hardaker@parsons.com
example
.com
The TLS Client Accepts Them Both!!!
This has happened multiple times!
8. 8
DANE To The Rescue!
● DNS-Based Authentication of Named Entities
– A new DNS resource record: “TLSA”
– Indicates the correct server certificate
– MUST be DNSSEC signed to be valid
– Marries the DNSSEC tree to the X.509 tree
– Defined in RFC6698
● Updated by RFC7218
wes.hardaker@parsons.com
9. 9
DNSSEC, DANE and X.509
. (DNS root)
Dane allows DNS, secured by DNSSEC, to indicate which
TLS/X.509 certificate is the right one to use.
This reduces the attack footprint of TLS significantly.
wes.hardaker@parsons.com
example
.com
example
.com
com
example.com
TLSA
record
Accept
ONLY
this one X
MUST BE DNSSEC SIGNED!!!
10. What does a TLSA record look like?
10
_25._tcp.example.com.
14400
IN
TLSA
3 1 1
FA2AE51F6831B10CE2EFC
933D860579ED1E0FA7974
AF964F02AC3BC4093C0404
wes.hardaker@parsons.com
Name
TTL
Class
Type
TLSA Parameters
Data
port protocol
11. 11
TLSA Parameters
● Certificate Usage Field
– What certificate should we match against
● (where in the chain is the TLSA record pointing at)
● Selector Field
– Match the full certificate, or just the key (SPKI)?
● Matching Type Field
– What type of match? SHA1, SHA256, or full?
wes.hardaker@parsons.com
12. 12
TLSA Matching Types
… IN TLSA 3 1 1 DATA
Value Acronym Description
0 Full No hash used;
wes.hardaker@parsons.com
DATA is the Cert or SPKI
1 SHA-256 DATA is the SHA-256 of
the Cert or SPKI
2 SHA-512 DATA is the SHA-256 of
the Cert or SPKI
13. 13
… IN TLSA 3 1 1 DATA
wes.hardaker@parsons.com
TLSA Selector
Value Acronym Description
0 Cert Data is based on the full
certificate
1 SPKI Data is based on the
public key
Certificate
Name: example.com
Key Info: public key
...
14. 14
Certificate Usage Field
… IN TLSA 3 1 1 DATA
Value Acronym Description
0 PKIX-TA Public CA from X.509
wes.hardaker@parsons.com
tree
1 PKIX-EE End-Certificate plus
X.509 validation
2 DANE-TA Private CA from X.509
tree
3 DANE-EE End-Entity Certificate
15. 15
Certificate Usage Field
… IN TLSA 3 1 1 DATA
Value Acronym
0 PKIX-TA
1 PKIX-EE
2 DANE-TA
3 DANE-EE
wes.hardaker@parsons.com
ICANN
.ORG
Public
“Trust Anchor”
Private
“Trust Anchor”
16. 16
Using and Deploying DANE
● Creating TLSA Records
● HTTPS
● SMTP
● XMPP
●SIP
wes.hardaker@parsons.com
17. 17
Creating a TLSA Record
● Useful package: hashslinger
– Contains a “tlsa” script to generate records
● From a certificate file:
# tlsa usage
3 selector
1 mtype
1 certificate
/path/to/cert.crt
example.com
_443._tcp.example.com. IN TLSA 3 1 1
152d75a2d529e3035760125be0560741f58fe
e7af18e20c1ace7d2cabc04277c
wes.hardaker@parsons.com
18. 18
Creating a TLSA Record
● Connect to a port:
# tlsa usage
3 selector
1
mtype
1 port
443 example.com
_443._tcp.example.com. IN TLSA 3 1 1
152d75a2d529e3035760125be0560741f58fe
e7af18e20c1ace7d2cabc04277c
wes.hardaker@parsons.com
19. 19
DANE and HTTPS
HTTPS suffers the most from
the “too many CAs problem”
wes.hardaker@parsons.com
20. 20
HTTPS and DANE
● Deploying DANE requires:
– Serving TLSA records
● Easy for HTTPS: defined in RFC6698
● Not many publishers yet; people are watching though!
– A client that can make use of them
● Google Chome: NO
● Mozilla Firefox: NO
● Safari: NO
● … NO
● Some plugins: Yes, but...
wes.hardaker@parsons.com
21. 21
HTTPS and DANE
● Deploying DANE requires:
– Serving TLSA records
● Easy for HTTPS: defined in RFC6698
● Not many publishers yet; people are watching though!
– A client that can make use of them
● Google Chome: NO
● Mozilla Firefox: NO
● Safari: NO
● … NO
● Some plugins: Yes, but...
● Bloodhound: YES!
wes.hardaker@parsons.com
22. 22
wes.hardaker@parsons.com
Bloodhound
● A derivative of the Firefox code
– Developed by Parsons
– All DNS requests are validated via DNSSEC
● DANE support mostly complete
– DANE-EE(3) DANE-SPKI(1) SHA-256(1)
● Works on:
– OS X
– Linux
– Microsoft Windows needs some work
23. 23
DANE and SMTP
SMTP can't be secured without
DNSSEC and DANE!
wes.hardaker@parsons.com
24. 24
Server-to-Server Email
1: Alice's
Mail User Agent (MUA)
sends the email
via the configured SMTP
server
wes.hardaker@parsons.com
3: Bob's MUA
downloads
the message
via IMAP
2: Alice's ISP
forwards the
message to
Bob's ISP
Mail Transfer
Agent
Simple Mail
Transport Protocol
(SMTP)
Mail Transfer
Agent
25. 25
Server-to-Server Email
1: Alice's
Mail User Agent (MUA)
sends the email
via the configured SMTP
server
wes.hardaker@parsons.com
3: Bob's MUA
downloads
the message
via IMAP
2: Alice's ISP
forwards the
message to
Bob's ISP
Mail Transfer
Agent
Simple Mail
Transport Protocol
(SMTP)
Mail Transfer
Agent
We're talking about
this part today
Largely secured today through
Manual configuration parameters
26. 26
Server-to-Server Email
wes.hardaker@parsons.com
with DNS
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail.bobsISP.com
3: I've got mail for Bob
Mail Transfer
Agent
Mail Transfer
Agent
(and the address for it is ….)
27. 27
I Wish It Were So Simple
● There can be multiple DNS servers
– Every domain should have at least two
● Alice's mail server asks her ISP's resolver
– It doesn't talk directly to the distant DNS server
– There may be multiple resolvers
● There can be multiple mail servers
wes.hardaker@parsons.com
28. 28
Server-to-Server Email
Reality Sets In
DNS Server
1: Where should I send mail for @bobsISP.com?
2: You should send it to mail1, mail2 or mail3
3: Do you have an address for mail1?
Mail Transfer
Agent
wes.hardaker@parsons.com
DNS Server
Mail Transfer
Agent
4: Yep, it's 192.0.2.3
5: Hi, I'm representing Alice, I have mail for Bob
6: Hi, I'll take mail for Bob; PS: I don't do security
7: Here's the mail for Bob from Alice
8: Thanks, I'll make sure he gets it
(Actually, reality is even worse but wouldn't fit on this slide)
29. 29
Back To: I Wish It Were So Simple
● There can be multiple DNS servers
– Every domain should have at least two
● Alice's mail server asks her ISP's resolver
– It doesn't talk directly to the distant DNS server
– There may be multiple resolvers
● There can be multiple mail servers
wes.hardaker@parsons.com
30. 30
What could possibly go wrong???
● There can be multiple DNS servers
– Compromised?
● Alice's mail server asks her ISP's resolver
– It doesn't talk directly to the distant DNS server
– Compromised?
● There can be multiple mail servers
– Compromised?
● Man In The Middle
wes.hardaker@parsons.com
DNS Attack
Point!!!
Network
Attack
31. 31
DANE/DNSSEC To The Rescue
● There can be multiple DNS servers
– Compromised?
● Alice's mail server asks her ISP's resolver
– It doesn't talk directly to the distant DNS server
– Compromised?
● There can be multiple mail servers
– Compromised?
● Man In The Middle
wes.hardaker@parsons.com
Use
DNSSEC
Use
DANE
32. 32
SMTP Vulnerabilities
● MX, A and other DNS records can be spoofed
– DNS redirects SMTP clients to the...
– DNSSEC detects this, and clients won't proceed
● Eavesdropping is Easy
– SMTP is unencrypted by default
– Opportunistic encryption helps
● See if they offer a certificate and start encryption
● However, you may just be encrypting to the...
wes.hardaker@parsons.com
33. ● Server indicates “I do security”
● But a man-in-the-middle can just say “I don't do security”
33
SMTP Vulnerabilities
● If DNS is spoofed, you get a...
● ...Man In The Middle
– SMTP is unauthenticated by default
– SMTP is unencrypted by default
– They can turn on opportunistic encryption
– CA based solutions don't help because:
● The man-in-the-middle says “I don't do security”
● You've been redirected to a name the attacker controls
wes.hardaker@parsons.com
34. ● DNSSEC and DANE solves all these problems!
34
DNSSEC/DANE For The Win
● With DNSSEC: you can believe:
– The MX that led you here
– The TLSA is accurately pointing to my certificate
● With DANE's TLSA record:
– “This is my certificate” or “This is my CA”
● (accept no others)
– You MUST expect security!!! (i.e., must do TLS)
– You connected to the right place
wes.hardaker@parsons.com
35. 35
Deployment Options
● Postfix 2.11
– Server side (receiving mail):
● Publish a TLSA record: _25._tcp.smtp.example.com
● smtpd_tls_cert_file = /path/to/mycert.crt
● smtpd_tls_key_file = /path/to/mycert.key
– Client side (sending mail):
● smtp_tls_security_level = dane
● smtp_dns_support_level = dnssec
● CAVEAT: MUST use a secure local resolver
● Exim: Implementation underway (~ 2015)
wes.hardaker@parsons.com
36. 36
DANE and XMPP
XMPP also uses STARTTLS
wes.hardaker@parsons.com
37. 37
DANE and XMPP
● XMPP
– The recommended security solution:
● Check the PKI
● If that fails, use DANE
● STARTTLS is required
– Being defined now in the IETF
● draft-ietf-xmpp-dna
● draft-ietf-dane-srv
● Deployed and running code!
– Prosody & more ???
wes.hardaker@parsons.com
38. 38
DANE and SIP
Another level of indirection!
wes.hardaker@parsons.com
39. 39
DANE and SIP
● Just getting started!
● Not an official WG item yet
– There is interest in making it one
– One personal draft discussing it
wes.hardaker@parsons.com
40. 40
Questions?
The Future of TLS Security
Is Looking Up!
wes.hardaker@parsons.com
IIEETTFF 9900
TToorroonnttoo
JJuullyy,, 22001144