A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Presentation transcript:

A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson
Presenter: Ruiyan Ma

Introduction: DNS
- DNS maps a domain name to an IP address using its records.

Introduction: DNSSEC
- DNSSEC (DNS Security Extensions) gives each zone a digital signature and also validates the zone at the next level down.
- DNSKEY record (KSK, ZSK)
- RRSIG record
- DS record

Problems in DNSSEC
- DNSSEC is complex.
- DNSSEC is a new mechanism.
- DNSSEC needs to secure every DNS level from root to leaf.

Motivation of Research
- Previous research does not study the whole ecosystem.
- Researchers want to know the percentage of DNSSEC deployment.
- Researchers want to know the trend of DNSSEC deployment.
- Researchers want to know the management level.

Solutions
- Data collection: collect a large amount of data.
- Research range: investigate the .com, .net and .org zones, over 150M domains.
- Time cost: data collection takes a long period, about two years.

Result: DNSSEC Deployment
- The percentage of DNSSEC-enabled domains stays at a low level.
- The number of DNSSEC-enabled domains is increasing.

Result: Management
- Record management
- Key management

Record Management
Missing Record
- DS record: 28%-32% of signed domains do not have a DS record.
- RRSIG record: most domains have the record; some domains started updating late.
Incorrect Record
- DS record: almost all domains with the records are valid.
- RRSIG record: most RRSIG records are valid.

Key Management
Three problems are observed:
- Shared keys
- Weak keys
- Keys are not updated frequently
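
The problems listed on the Record Management and Key Management slides, expressed as checks over zone data. This is an added example, not part of the original presentation; the zone names, keys, timestamps and the 2048-bit threshold for a "weak key" are constructed assumptions.

```python
import hashlib
import struct

RSA_ALGS = {5, 7, 8, 10}  # DNSSEC algorithm numbers that carry RSA public keys

def wire_name(name):  # canonical owner name: lowercase, length-prefixed labels, root byte
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.lower().rstrip(".").split(".")) + b"\x00"

def ds_digest(owner, flags, alg, pubkey):
    # DS digest type 2: SHA-256(owner name | DNSKEY RDATA); RDATA = flags | protocol 3 | alg | key
    rdata = struct.pack("!HBB", flags, 3, alg) + pubkey
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def rsa_bits(pubkey):
    # RFC 3110 key layout: exponent length (1 byte, or 0 then 2 bytes), exponent, modulus
    elen, off = (int.from_bytes(pubkey[1:3], "big"), 3) if pubkey[0] == 0 else (pubkey[0], 1)
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()

def audit(zones, now, min_rsa_bits=2048):  # threshold is an assumption, not from the slides
    findings, users = {name: set() for name in zones}, {}
    for name, z in zones.items():
        ksk = {ds_digest(name, *k) for k in z["dnskeys"] if k[0] & 1}  # SEP bit marks a KSK
        if not z["ds"]:
            findings[name].add("missing DS")  # signed zone, but no link from the parent
        elif not ksk & set(z["ds"]):
            findings[name].add("DS does not match any KSK")
        if z["rrsig_expiry"] < now:
            findings[name].add("expired RRSIG")
        for flags, alg, pub in z["dnskeys"]:
            users.setdefault(pub, set()).add(name)
            if alg in RSA_ALGS and rsa_bits(pub) < min_rsa_bits:
                findings[name].add("weak key")
    for names in users.values():  # the same public key seen under several domains
        for name in names if len(names) > 1 else ():
            findings[name].add("shared key")
    return {name: sorted(f) for name, f in findings.items()}

# Constructed sample data (not measurements): RSA-shaped keys with exponent 65537
def key(bits, fill):
    return b"\x03\x01\x00\x01" + b"\xc1" + bytes([fill]) * (bits // 8 - 1)

NOW = 1_700_000_000
K_A, K_B, K_CD = (257, 8, key(2048, 1)), (257, 8, key(1024, 2)), (257, 8, key(2048, 3))
ZONES = {
    "a.example": {"dnskeys": [K_A], "ds": [ds_digest("a.example", *K_A)], "rrsig_expiry": NOW + 86400},
    "b.example": {"dnskeys": [K_B], "ds": [], "rrsig_expiry": NOW + 86400},
    "c.example": {"dnskeys": [K_CD], "ds": [ds_digest("d.example", *K_CD)], "rrsig_expiry": NOW + 86400},
    "d.example": {"dnskeys": [K_CD], "ds": [ds_digest("d.example", *K_CD)], "rrsig_expiry": NOW - 1},
}
print(audit(ZONES, NOW))
```

Because the owner name is part of the DS digest, c.example fails the DS check even though it uses the same key as d.example: a shared key still needs a separate DS record for each domain.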

Result: Resolver Support
- Many resolvers do not perform validation.
- Some validations are not correct.

Criticism
Advantage
- Large amount of data
- Long period
Disadvantage
- The research only uses the Alexa Top 1M domains and Top 1K websites to collect data, so the sample may not be representative of the whole ecosystem.

Summary
- The research shows that most DNS zones do not enable DNSSEC, but the trend is slowly increasing.
- Some DNSSEC-enabled DNS zones do not fully satisfy the requirements of DNSSEC.
- Most resolvers do not validate DNS records.
- The DNSSEC ecosystem needs to keep improving.

Thank you