Deploying DNSSEC without Losing Your Mind Summer ESNET Conference July 2009.


2 DNS Infrastructure Challenges
Conventional DNS solutions can't keep up with today's performance and security demands.
Performance demands: Web 2.0, more devices, hidden computing
DNS security demands: botnets, malware, cache poisoning

3 Security Concerns
Botnets, DNS and cache poisoning are among the top concerns. (Survey chart not reproduced; source: Arbor Networks.)

4 The DDoS Threat
Trends: attack volume is increasing, and attacks on service providers are becoming bigger and more common.
Recent victims: Time Warner Cable, UltraDNS, Register.com, The Planet
Results: outages and slowdowns, customer support issues, negative publicity
Source: Arbor Networks

5 The Cache Poisoning Threat
Attacks are real:
- 1-3% of monitored unpatched nameservers have had a poisoning event detected
- Confirmed phishing attacks have been found; a Brazilian bank was poisoned on April 23, 2009
Patches are a short-term fix:
- Patched systems have been compromised in under 10 hours; the patch only raises the number of guesses the attacker needs
- Use of botnets can greatly reduce the time to compromise
DNSSEC is the long-term solution: a validating resolver rejects a forged response because it carries no valid signature, however many guesses the attacker makes.
Sources: IOActive; Dagon et al.

6 What Is DNSSEC?
What does it do?
- Validates the source of a DNS response (data origin authentication)
- Ensures the response has not been altered in transit (data integrity)
- Authenticates replies of non-existence (NSEC/NSEC3 records)
How does it work?
- Adds digital signatures (RRSIG records) to DNS data, made with keys published in the zone as DNSKEY records
- Uses chains of trust (DS records at the parent) to validate those keys up to a trust anchor
- A validating resolver identifies bogus responses and discards them
With DNSSEC, a validating resolver can be certain that a response is what the zone owner signed. Note that DNSSEC authenticates data, not the channel: it provides no confidentiality, and it protects only clients whose resolver validates.
(Diagram: client, caching server and authoritative server; digitally signed responses are accepted, bogus responses are rejected.)

7 Why You Must Act Now
Because you have to:
- OMB mandate M requires all agencies to sign all external zones (low, medium and high impact) by December 2009
- Publication of NIST SP rev 3 specifies deployment of DNSSEC for internal zones (low, medium and high impact); FISMA requires compliance one year from the publication date, which is June 2010
Because you should:
- Real attacks have escalated; the Kaminsky exploit alone has captured the attention of the entire planet
- Your user base is at risk right now with any web, mail or other Internet transaction

8 DNSSEC Deployment Challenges
Complexity: education, development and QA are required
Security: a general-purpose OS cannot protect keys; crypto cards are complicated; offline keys are labor intensive
Failover: how do you handle a hardware or network failure?
Scalability: signing speed for large or numerous zones; offline key management; dynamic updates to DNS zone data
Auditability: which zones are signed? Which keys and signatures are about to expire?
Early adopters invest 4-6+ man-months to deploy and half of a full-time person to maintain.

9 DNSSEC Complexity
Initially (once):
- Generate public/private key pairs (ideally one pair per zone)
- Insert the public keys into the zone files as DNSKEY records
- Sign the zones
Whenever data changes or before signatures expire (at least weekly, or whenever data changes):
- Retrieve the keys from secure storage
- Re-sign the zones
Roll the ZSKs (monthly):
- Generate a new key pair per zone
- Add the new key to the zone
- Re-sign the zone using the old key (the new key is pre-published)
- Wait one TTL period (the DNSKEY RRset TTL, so every cache has seen the new key)
- Re-sign the zone using the new key
- Wait one TTL period (the longest TTL in the zone, so no cache still holds data signed only by the old key)
- Remove the old ZSK from the zone file
- Re-sign the zone
Roll the KSKs (once or twice a year):
- Generate new key pairs (ideally one per zone)
- Sign the DNSKEY RRset with both KSKs (double signature)
- Wait one TTL period
- Update the DS record at the parent and verify that it is published
- Wait one DS TTL period, then remove the old KSK from the zone and re-sign
Complexity must be managed with good process discipline or automated tools.
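The ZSK steps above say "wait one TTL period" twice. The reason is that a resolver may hold the DNSKEY RRset from one moment and the signed data from another, and validation has to work for every such pair. The following Python model, added here as an example (it is not code from the presentation or from Secure64), replays a rollover timeline against every cache state a resolver could be in and reports any state that cannot validate; the key names and the minute-scale times are constructed for illustration.

```python
"""Model of resolver caches during a pre-publish ZSK rollover.

A timeline entry (time, dnskey_rrset, signing_zsk) means: from that time on
the zone publishes dnskey_rrset and signs its data with signing_zsk.  A
resolver may have fetched the DNSKEY RRset at one moment and the signed data
at another, each within the last TTL, so every such pair must validate.
Time units are arbitrary (think minutes); key names are constructed.
"""

from bisect import bisect_right


def prepublish_zsk_rollover(t0, ttl, wait=None):
    """Timeline for the slide's ZSK steps: publish the new key, wait, sign
    with it, wait, retire the old key.  The safe wait is one TTL."""
    wait = ttl if wait is None else wait
    old, new = "zsk-old", "zsk-new"
    return [
        (0, frozenset({old}), old),                # steady state
        (t0, frozenset({old, new}), old),          # add new key, still sign with old
        (t0 + wait, frozenset({old, new}), new),   # re-sign with the new key
        (t0 + 2 * wait, frozenset({new}), new),    # remove old key, re-sign
    ]


def state_at(timeline, t):
    """Return (dnskey_rrset, signer) the zone was publishing at time t."""
    times = [event[0] for event in timeline]
    idx = bisect_right(times, t) - 1
    if idx < 0:
        raise ValueError("time before the start of the timeline")
    return timeline[idx][1], timeline[idx][2]


def find_validation_failures(timeline, ttl, horizon):
    """Return (t, key_fetch_time, data_fetch_time, signer) for every cache
    state in which the RRSIG signer is missing from the cached DNSKEY RRset.
    An empty list means no resolver can ever see a validation failure."""
    start = timeline[0][0]
    failures = []
    for t in range(start, horizon + 1):
        window = range(max(start, t - ttl), t + 1)
        for key_time in window:
            cached_keys, _ = state_at(timeline, key_time)
            for data_time in window:
                _, signer = state_at(timeline, data_time)
                if signer not in cached_keys:
                    failures.append((t, key_time, data_time, signer))
    return failures


if __name__ == "__main__":
    TTL = 20
    safe = prepublish_zsk_rollover(t0=5, ttl=TTL)
    rushed = prepublish_zsk_rollover(t0=5, ttl=TTL, wait=TTL // 2)
    print("safe rollover failures:", find_validation_failures(safe, TTL, 70))
    print("rushed rollover, first failure:",
          find_validation_failures(rushed, TTL, 70)[:1])
```

Run as-is it reports no failures for the schedule on the slide and a first failure for a schedule that waits only half a TTL: at the moment signing switches, a cache that fetched DNSKEY before the new key was published cannot validate the fresh signatures. In practice use the DNSKEY RRset TTL for the first wait and the longest TTL in the zone for the second, and add the time it takes slaves to pick up the change; the model ignores both, as it ignores signature expiry.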

10 DNSSEC Solution Matrix
(Diagram: solutions plotted on two axes, secure key management (the risk driver) against DNSSEC automation (the cost driver), each from low to high. First-generation manual tools sit at low/low, second-generation manual tools higher on automation, and secure automated appliances at high/high; provisioning systems are shown as a separate category.)

11 Do-It-Yourself Method
BIND programs: dnssec-keygen and dnssec-signzone
LDNS library (NLnet Labs):
- Examples include a zone walker (follows NSEC records) and DNSSEC validation tools to check signatures
- Also contains programs to manually sign zones and generate keys (an alternative to the BIND tools)
- drill (an interesting version of dig)
SPARTA tools (the DNSSEC-Tools suite, created with DHS funding assistance) to validate, error-check, sign zones and roll keys:
- Key signer and roller
- Donuts (lint-like error checking tool)
- Validation tools to check signatures

12 Manual DNSSEC Deployment Steps
1. Generate keys and insert them into the zone files
2. Sign and publish the zones: generate the NSEC chain, then generate the RRSIGs
3. Repeat the process whenever data changes or keys need to be replaced
OK for small deployments, but begs for automation.
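Step 2 above, "generate the NSEC chain", is a sorting problem: the NSEC records form a closed chain over the zone's names in canonical order, and each one proves that no name exists between its owner and the next owner. The Python below, added here as an example and not code from the presentation or from any of the tools named on slide 11, builds that chain for a constructed zone, answers a non-existence query from it, and then performs the zone walk that slide 11's LDNS zone walker does.

```python
"""Build an NSEC chain for a zone and show what a zone walker does with it.

The zone contents below are constructed for the example.  A real signer would
also attach an RRSIG to every NSEC; only the chain itself is modelled here.
"""


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical DNS name order: compare
    label by label starting from the root, byte-wise and case-insensitively.
    Parents sort before children, so a tuple of reversed labels works."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return tuple(lbl.encode("ascii") for lbl in reversed(labels))


def build_nsec_chain(zone):
    """zone: {owner name: set of RR types}.  Returns {owner: (next owner,
    type bitmap)}; the last name points back to the apex, closing the chain."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        next_owner = names[(i + 1) % len(names)]
        # every signed owner also carries RRSIG and NSEC (RFC 4034 section 4.1.2)
        types = sorted(zone[owner] | {"RRSIG", "NSEC"})
        chain[owner] = (next_owner, types)
    return chain


def covering_nsec(chain, qname):
    """Owner of the NSEC that proves qname does not exist (owner < qname <
    next in canonical order, the last record wrapping around to the apex),
    or None if qname is an existing name."""
    if qname in chain:
        return None
    q = canonical_key(qname)
    for owner, (next_owner, _) in chain.items():
        lo, hi = canonical_key(owner), canonical_key(next_owner)
        if lo < q < hi or (hi <= lo and (q > lo or q < hi)):
            return owner
    return None


def walk_zone(chain, apex):
    """Follow next-owner pointers from the apex until they wrap around.
    This is the zone walk that an NSEC-signed zone lets anyone perform."""
    names = [apex]
    nxt = chain[apex][0]
    while nxt != apex:
        names.append(nxt)
        nxt = chain[nxt][0]
    return names


# Constructed zone: apex plus a few hosts and a sub-domain, in file order.
EXAMPLE_ZONE = {
    "example.": {"SOA", "NS", "DNSKEY"},
    "www.example.": {"A", "AAAA"},
    "ns1.example.": {"A"},
    "x.w.example.": {"TXT"},
    "w.example.": {"A"},
    "a.example.": {"A"},
}

if __name__ == "__main__":
    chain = build_nsec_chain(EXAMPLE_ZONE)
    for owner, (nxt, types) in chain.items():
        print(f"{owner} NSEC {nxt} {' '.join(types)}")
    print("walk:", walk_zone(chain, "example."))
    print("b.example. covered by:", covering_nsec(chain, "b.example."))
```

The walk is the price of NSEC: anyone who can query the zone can enumerate it, which is why the NSEC3 option on slide 20 (Dnssec-nsec-type: nsec3) replaces owner names in the chain with hashes.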

13 What Could Go Wrong... Will Go Wrong
- Wrong keys
- Expired keys (and expired signatures)
- Stolen keys
- Losing the recipe (an undocumented, person-dependent process)
- A solution that doesn't scale

14 Manual Deployment Example: Swedbank
(Case study slide; its content is not reproduced in the transcript.)

15 Secure Key Management
Offline keys
- Pros: keys can be secured with proper procedures in place
- Cons: labor intensive for zones that change; introduces a higher potential for errors; possible risk of insider attack
Online keys
- Pros: can sign dynamic zones; reduces operational costs; eliminates manual errors; reduces exposure to insider attack, since staff never handle key material
- Cons: the crypto module should be certified to FIPS 140-2 Level 2 or above; the OS must be hardened; the DNS data must be secured
Trust in signed responses is only as good as your key and data security.

16 DNSSEC Solution Matrix
(The matrix from slide 10, repeated: secure key management against DNSSEC automation, from first-generation manual tools to secure, automated appliances.)

17 Questions To Ask Your Vendors
Secure key management: Is the product FIPS 140-2 certified? If so, to what level (1-4)? Can the product use an HSM (crypto card) for key management?
Automation: Can the product be used to manage key material? Does it automatically sign and re-sign zones without user intervention? Does it automatically roll the keys without user intervention?
Compliance: Does the product generate and use keys of the appropriate size (1024, 2048 bits)? Does it meet the most current DNSSEC specs? Does it meet the NIST guidelines in SP …?
Scalability: Can the product sign, serve and manage multiple zones?
Functionality: Can the product generate NSEC and NSEC3 signed zones?
Failover: Does the product have a failover mechanism to ensure continuous signing?
Compatibility: Does the product integrate with content management systems? Which ones? Does it work with your agency's network infrastructure? Does it work with Microsoft AD/DHCP? How do you update zone data with the product?
Auditability: What logging and debugging tools are provided? How do I know if something goes wrong?

18 Secure64 Software Corporation
- Privately funded, Colorado-based corporation, founded in 2002
- Focused on making the DNS trustworthy and secure
- Secure64 products: DNS Authority and DNS Signer
- Partially funded by the US Department of Homeland Security

19 Automation: the Secure64 DNS Signer
Simple deployment: automated key management, rollover, signing and re-signing
Secure key repository: an OS the vendor describes as malware-immune; FIPS compliance pending
Scalable: high-performance signing algorithms; incremental zone signing
Secure64 DNS Signer makes it easy to deploy DNSSEC correctly and securely.

20 Simple to Configure
A configuration file with one-line automation and optional parameters to override the defaults, applied system-wide or zone by zone:

    SERVER:
      # Default signing policy
      Dnssec-automate: ON
      Dnssec-notify:
      Dnssec-ksk: 1024 RSASHA1
      Dnssec-ksk-rollover: ,8 *
      Dnssec-ksk-siglife: 7D
      Dnssec-zsk: 2048 RSASHA1
      Dnssec-zsk-rollover: * *
      Dnssec-zsk-siglife: 7D
      Dnssec-nsec-type: nsec3
      Dnssec-nsec-settings: OPT-OUT 12 aabbccdd
    ZONE:
      Name: myzone.
      File: myzonefile
      Dnssec-nsec-type: nsec
      …

DNSSEC can be deployed in days, not months.
(Key sizes and algorithms are as shown on the 2009 slide. RSASHA1 is NOT RECOMMENDED for signing under RFC 8624, and 1024-bit RSA is below current guidance; a deployment today would choose RSASHA256 with 2048-bit keys or an elliptic-curve algorithm.)
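The Dnssec-nsec-settings line above (OPT-OUT 12 aabbccdd) selects NSEC3 with twelve extra hash iterations and a 4-byte salt, the same parameters as the worked example in RFC 5155. The Python below, added here as an example (it is not Secure64 code, and it does not parse the configuration syntax, only computes the hash that line asks for), produces the hashed owner name a signer would emit for a given name under those parameters.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5).

Hash algorithm 1 (SHA-1) is the only one defined.  The result is the
base32hex encoding of H applied (iterations + 1) times, with the salt
appended before every round.
"""

import base64
import hashlib

# Python's b32encode uses the RFC 4648 alphabet; NSEC3 uses base32hex.
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire-format owner name: lowercase labels with length bytes."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations, hash_algorithm=1):
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).
    Returns the base32hex label for IH(iterations), lowercase."""
    if hash_algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations is a 16-bit field")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX).lower()


def nsec3_owner(name, zone, salt_hex, iterations):
    """Owner name of the NSEC3 record that stands in for `name` in `zone`."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone}"


if __name__ == "__main__":
    for name in ("example.", "www.example.", "ns1.example."):
        print(name, "->", nsec3_owner(name, "example.", "aabbccdd", 12))
```

The iteration count multiplies the work a validating resolver does for every negative answer, and the salt buys little because the owner name already makes any precomputation per-zone; RFC 9276 now recommends zero iterations and an empty salt. Opt-out is a flag in the NSEC3 RDATA, not an input to the hash: it lets unsigned delegations be left out of the chain, at the cost that their non-existence can no longer be proven.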

21 Compatible With Current Infrastructure
"Signer-in-the-middle": the provisioning system (IPAM, registry, hidden master, etc.) sends unsigned zone data to the Secure64 DNS Signer, which sends signed zone data to the public slaves (Secure64 DNS, BIND or NSD).
Just plug it into your existing provisioning system.

22 Automation from Large to Small, Static to Dynamic
Design for the extremes and the small cases will take care of themselves.

23 Challenges for Large-Scale Deployments
1. Key generation for huge numbers of keys
2. Bulk signing and re-signing can take a lot of time, and you don't have enough time
3. Small changes to large zones
4. Disaster planning: automatic and secure backup of metadata
5. Chain-of-trust coordination

24 Fast Signing Performance
Optimized signing code for 1024-bit keys outperforms many hardware cryptography accelerators. (Benchmark chart not reproduced.)
Test configuration: HP Integrity rx2660 server, one dual-core 1.4 GHz Itanium processor, 4 GB RAM; one zone of 177,005 records and 344,010 signatures, 1024-bit RSA/SHA-1.

25 Incremental Signing
Challenge: how fast can zone changes be signed? Can you still meet your target update interval?
Solution: accept changes via DDNS or IXFR, sign only the changes, and update the slaves via IXFR.
(Diagram: DDNS and IXFR changes flow into the Secure64 DNS Signer, which applies the signing policy with its keys and emits signed zones.)
Even the largest, most dynamic environments can be updated quickly: more than 20 updates per second, regardless of the number of zones or zone size.

26 Simplified Key Rollover
Currently: manual transmission of the DS record to the parent; automated DS detection and rollover (the signer polls the parent until the new DS appears: "Are you there yet?")
Next: automated transmission of the DS record to the parent
(Diagram: DS records chain .gov to example.gov to sub.example.gov; the public KSK reaches the parent through an offline, secure process.)
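Slide 6's chain of trust and the DS handling above come together in one small computation: the parent publishes a DS record holding a hash of the child's KSK, and the "Are you there yet?" poll is a comparison of what the parent serves against the key the signer has rolled to. The Python below, added here as an example and not code from the presentation or from Secure64, computes the key tag and DS for a DNSKEY and performs that check; the key material is a constructed 4-byte placeholder rather than a real RSA key, and RRSIG verification itself is out of scope.

```python
"""Key tag (RFC 4034 Appendix B), DS digest (RFC 4034 section 5.1.4) and a
'DS published at the parent?' check.  The DNSKEY used below is a constructed
placeholder; RSA signature verification is deliberately not modelled."""

import base64
import hashlib

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605)
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001   # set in the flags of a KSK (257); ZSKs use 256


def wire_name(name):
    """Canonical wire-format owner name: lowercase labels with length bytes."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA on the wire: flags (2 bytes), protocol (1), algorithm (1), key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA (not for RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """DS RDATA the parent must publish: (key tag, algorithm, digest type,
    hex digest) where digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DS_DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_published(parent_ds_set, owner, rdata):
    """The slide's 'Are you there yet?' poll, applied to a DS RRset already
    fetched from the parent.  All four fields must match: the key tag is a
    16-bit checksum and collides, so the tag alone proves nothing."""
    return any(make_ds(owner, rdata, dt) == (kt, alg, dt, dig.upper())
               for kt, alg, dt, dig in parent_ds_set if dt in DS_DIGESTS)


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, "AQIDBA==")   # constructed, not a real RSA key
    print("example.gov KSK key tag:", key_tag(ksk))
    print("DS to hand to .gov:", make_ds("example.gov.", ksk))
    print("published?", ds_published([make_ds("example.gov.", ksk)], "example.gov.", ksk))
```

Hand the parent the DS computed from the new KSK, poll with ds_published until it matches, and only then retire the old KSK. Use digest type 2 (SHA-256) for new DS records; RFC 8624 says SHA-1 DS digests MUST NOT be used for new delegations.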

27 Disaster Recovery
DNSSEC metadata that must survive a failure:
- Signing keys, private and public
- Serial number and key rollover state
- Chain-of-trust information
Automated backup of encrypted metadata to standard storage devices; the backup is encrypted under a TPM-bound key, so a copy of the backup alone (for example one taken by an insider) does not yield the private keys.

28 Resistant to Network Attacks
"The Secure64 software was subjected to a number of attacks known to be disruptive to servers, and ignored the attacks, delivering information as requested up to the saturation point of the Gigabit connection used." (Read the full report; link not reproduced.)
DNS Authority results:
- Independently tested against DDoS attacks: 100% resistant, up to link saturation
- Attack characteristics provided via SNMP and syslog to help set upstream filters
- Easily anycasted for improved performance and DDoS resiliency

29 Benefits Summary
For management: quicker implementation, reduced cost
For staff:
- Simple: less to learn
- Timely: deploy in days, not months
- Correct: eliminates errors that can take you offline
- Secure: protects the signing keys
For users: the Internet is safer to access
Secure64 DNS Signer makes it easy to deploy DNSSEC correctly and securely.

30 Secure64: The DNSSEC Leader
Agencies trained with NIST:
- US Department of Commerce: National Telecommunications and Information Administration; Economics and Statistics Administration; Bureau of Statistics; Bureau of Economic Analysis; International Trade Administration; US Patent and Trademark Office; National Oceanic and Atmospheric Administration
- US Department of Health and Human Services: National Institutes of Health
- Federal Aviation Administration
- US Department of Housing and Urban Development
- US Antarctic Program
- US Department of Energy
- US Department of Agriculture
- US Department of the Interior: National Park Service
- US Agency for International Development
- US Department of State
- US Nuclear Regulatory Commission
- US Department of the Treasury
- Court Services and Offender Supervision Agency
- Federal Maritime Commission
- US Government Accountability Office
- US Department of Labor

31 Thank You!
For more information:
- Secure64 web site: sign up for access to an online signing engine to try it out with your own data
- Contact Secure64 for copies of this presentation, a demo of the automated DNSSEC solution, DNSSEC whitepapers, newsletters and case studies, and invitations to hands-on training workshops (NIST, HP)