SaudiNIC Riyadh, Saudi Arabia May 2017

Slides:

Advertisements

Similar presentations

Web Hosting. The purpose of this Startup Guide is to familiarize you with Own Web Now's Web Hosting. Own Web Now offers two web hosting platforms, one.

Advertisements

Research and Innovation Participant Portal How to register for an ECAS account NEXT.

Existing Customer: Please visit Bonaqua Website for registration.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

ICANN’s multi-stakeholder approach OAS-CICTE REMJA/OAS + WEF Cyber Crime Workshop, Montevideo, Uruguay 10 July 2012

The Business Case for DNSSEC InterOp/ION Mumbai October 2012

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

DNSSEC: Where We Are (and how we get to where we want to be)

IIT Indore © Neminath Hubballi

What DNS is Not 0 Kylie Brown, Jordan Eberst, Danielle Franz Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros 0 Paul Vixie

DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

DNSSEC Update SANOG 27 Kathmandu, Nepal January 2016

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

DNSSec.TLD is signed! What next? V.Dolmatov November 2011.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c

Secure HTTP (HTTPS) Pat Morin COMP 2405.

Key management issues in PGP

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Security Issues with Domain Name Systems

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

A longitudinal, End-to-End View of the DNSSEC Ecosystem

DNS Security Advanced Network Security Peter Reiher August, 2014

Agenda DNSSEC automation overview How to implement it in FRED

Public Key Infrastructure (PKI)

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

Principles of Computer Security

Living on the Edge: (Re)focus DNS Efforts on the End-Points

Cybersecurity and Governance

DNS Cache Poisoning Attack

CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DANE: The Future of Transport Layer Security (TLS)

S/MIME T ANANDHAN.

DNSSEC Iván González Montemayor A

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Choosing the Discovery Model Martin Forsberg

TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017

What DNSSEC Provides Cryptographic signatures in the DNS

ONE® Mail Training Presentation

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

Geoff Huston APNIC Labs

DNS operator transfers with DNSSEC

DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75

Computer Networks Primary, Secondary and Root Servers

Introduction to Let’s Encrypt

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Neda Kianpour - Lead Network Engineer - Salesforce

Presentation transcript:

SaudiNIC Riyadh, Saudi Arabia May 2017 richard.lamb@icann.org DNSSEC Introduction SaudiNIC Riyadh, Saudi Arabia May 2017 richard.lamb@icann.org

The Internet’s Phone Book - Domain Name System (DNS) www.majorbank.se = 1.2.3.4 www.majorbank.se=? DNS Resolver DNS Server 1.2.3.4 Get page webserverwww @ 1.2.3.4 Login page Username / Password Account Data ISP Majorbank (Registrant) DNS Hierarchy se com root majorbank.se www.majorbank.se Actually MANY phone books

Caching Responses for Efficiency www.majorbank.se = 1.2.3.4 www.majorbank.se=? DNS Resolver DNS Server 1.2.3.4 Get page webserverwww @ 1.2.3.4 Login page Username / Password Account Data

The Problem: DNS Cache Poisoning Attack www.majorbank.se = 1.2.3.4 www.majorbank.se=? DNS Resolver DNS Server 5.6.7.8 Attacker www.majorbank.se = 5.6.7.8 Get page Attacker webserverwww @ 5.6.7.8 Login page Username / Password Error Password database

Argghh! Now all ISP customers get sent to attacker. www.majorbank.se = 1.2.3.4 www.majorbank.se=? DNS Resolver DNS Server 5.6.7.8 Get page Attacker webserverwww @ 5.6.7.8 Login page Username / Password Error Password database

Securing The Phone Book - DNS Security Extensions (DNSSEC) Attacker’s record does not validate – drop it www.majorbank.se = 1.2.3.4 www.majorbank.se=? DNS Resolver with DNSSEC DNS Server with DNSSEC Attacker www.majorbank.se = 5.6.7.8 1.2.3.4 So DNSSEC is a good thing. Get page webserverwww @ 1.2.3.4 Login page Username / Password Account Data

Resolver only caches validated records www.majorbank.se = 1.2.3.4 www.majorbank.se=? DNS Resolver with DNSSEC DNS Server with DNSSEC 1.2.3.4 So DNSSEC is a good thing. Get page webserverwww @ 1.2.3.4 Login page Username / Password Account Data

That’s it dnssec-signzone mydomain.zone mydomain.zone.signed www.abc.com. IN A 192.101.186.125 www.abc.com. IN A 192.101.186.125 IN RRSIG A 8 3 3600 20130926030000 20130909030000 32799 www.abc.com. N7upFHNplnIiXAEMOTefeuJrwymNxF 8D6/poAoRVDThHVOnXniaIj2WuGVbCGvUMjayDhVNk9vAQtVHUIAnxZXsIlP4ZbtIgtZ/hbTKByySx1Y0u9aRD1ik=

History 9 DNS developed: 1983. Discovered vulnerability:1995 Triggered15+ years DNSSEC work in IETF 2007 Some ccTLDs have deployed DNSSEC. Community presses ICANN to deploy DNSSEC at root Aug 2008 Dan Kaminsky reveals DNS vulnerability shortcut Root signed June 2010 with direct international participation Nov 2011 report: DNSChanger/Ghost Click: 4M PCs across 100 countries suffer redirection. Large scale Brazilian ISP DNS poisoning attack Recognition of global PKI spurs development of innovative security solutions beyond DNS. 22 Feb 2012- US FCC Chairman: “A report by Gartner found 3.6 million Americans getting redirected to bogus websites in a single year, costing them $3.2 billion.,” …“I urge all broadband providers to begin implementing DNSSEC as soon as possible.” 9

How it Works DNSSEC uses public key cryptography where the private half of keys are used to create digital signatures for records and the public halves used to verify that they have not been modified. The Zone Signing Key (ZSK) public-private key pair is used to sign each record of a zone file, i.e, web server IP address, mail server, etc. The Key Signing Key (KSK) pair is used to sign the ZSK and KSK itself. All someone needs is the public KSK half to validate all records in the zone. By having each zone sign the KSK of its subordinate zone, a chain of trust is created from registrant to ISP/end user.

Signature of mybank.tz-ZSK1234 Trust us with your Money Bank (Registrant) www.mybank.tz IP address = 192.101.186.7 ________________________ mybank.tz ZSK signature ______________________ Date Signature of mybank.tz-ZSK1234 1 September 2013

Signature of mybank.se-KSK5678 Trust us with your Money Bank (Registrant) mybank.tz ZSK = 1234 mybank.tz KSK = 5678 ________________________ mybank.tz KSK signature ______________________ Date Signature of mybank.se-KSK5678 1 August 2013

tz NIC 15 September 2013 Trust us, we are tz NIC (Registry) mybank.tz KSK = 5678 ________________________ tz ZSK signature ______________________ Date Signature of tz-ZSK9012 15 September 2013

tz NIC 1 September 2013 Trust us, we are tz NIC (Registry) tz ZSK = 9012 tz KSK = 3456 ________________________ tz KSK signature ______________________ Date Signature of tz-KSK3456 1 September 2013

18 September 2013 Multi-stakeholder Root tz KSK = 3456 ________________________ root ZSK signature ______________________ Date Signature of root-ZSK7890 18 September 2013

15 September 2013 Multi-stakeholder Root root ZSK = 7890 root KSK = 1903 ________________________ root KSK signature ______________________ Date Signature of root-KSK1903 15 September 2013

End User Trusted Operating System or ISP root KSK = 1903 ________________________ O/S Vendor Signature ______________________ Date O/S Vendor Signature 1 January 2013

Roles and responsibilities at the registry, registrar, registrant Registrant is responsible for generating, signing their records with, and publishing KSK and ZSK. Registrar manages DS (derived from KSK) record at the Registry on behalf of the Registrant. Registry generates, signs Registrant DS records with, and publishes its own KSK and ZSK. The root generates, signs Registry DS (derived from KSK) records with, and publishes its own KSK and ZSK. ISP/End User uses a copy of the public half of the root KSK above and uses it to recursively validate and cache responses on behalf of end user DNS lookup requests. RegistrantRegistrarRegistryRootISPEnd User

Walkthrough Typical Example Registrant goes to Registrar to get domain name. Registrant selects Registrar provided DNS hosting and DNSSEC signing services. On behalf of Registrant, Registrar generates KSK and ZSK and submits KSK (DS records) to Registry. Registry automatically signs DS record with Registry’s ZSK. Registry KSK/DS has previously been incorporated into the root and signed by root ZSK. Registrant edits DNS records on Registrar (www, etc) and Registrar automatically signs records with ZSK. ISP follows the chain of signatures to validate DNSSEC signed DNS records and only sends valid entries to end users.

Common Issues (but all getting better) Expiring signatures: monitoring, automation Complexity: experience, automation, training High equipment cost: $20K$5 Security and Trust: multi-person access, transparency (lessons learned from CAs) Lack of Registrar and ISP support: Raise registrant and end user awareness Random number generation: careful consideration, standards

Links IETF RFCs RFC 4033 DNS Security Introduction and Requirements RFC 4034 Resource Records for the DNS Security Extensions RFC 4035 Protocol Modifications for the DNS Security Extensions ISOC Deploy360 Program http://www.internetsociety.org/deploy360/dnssec/ DNSSEC Deployment Initiative http://dnssec-deployment.org/ Contact ICANN if interested in training

But wait, there is more.. DANE Other… Improved Web TLS for all Email S/MIME for all Other… SSH, IPSEC, VoIP Digital identity Other content (e.g. configurations) Global PKI TLD+SSL opportunity and economy - .NG and others.

Summary DNSSEC is the biggest improvement to the Internet’s core infrastructure in over 20 years. Deploying DNSSEC need not be complicated or costly. DNSSEC does not solve all the ills of the Internet but can become a powerful tool in improving security. DNSSEC is a cross-organizational and trans-national platform for cyber security innovation and international cooperation. In order to realize the full benefits of DNSSEC, greater end user and registrant awareness is needed to drive a virtuous cycle of trustworthy deployment. DNSSEC ensures DNS responses are not modified in flight thus protecting against redirection and cache poisoning attacks. DNSSEC does not solve all the ills of the Internet, but does provide a platform for innovative new solutions to address them. In order to realize the full benefits of DNSSEC, operators of DNS and other entities that make up the chain of trust must embrace transparent IT security processes and practices. With this Registrars and Registries are now part of a chain of trust …and part of future Internet security solutions. As part of the chain, build trust with improved processes, practices and education to differentiate offerings and develop new revenue streams. Doesn’t have to be expensive, just institutionalized. Related US DHS driven efforts: RPKI for protecting IP addressing/routing

Thank You