DNSSEC Deployment Challenges

Slides:



Advertisements
Similar presentations
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Geoff Huston APNIC Labs
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Measuring DNSSEC Validation: A Brief Update on DNSSEC Validation numbers, with an Asia Focus Geoff Huston APNIC Labs January 2015.
Electronic signature Validity Model 1. Shell model Certificate 1 Certificate 2 Certificate 3 Signed document Generate valid signature validCheck invalidCheck.
Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
What if Everyone Did It? Geoff Huston APNIC Labs.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Why Dane? Geoff Huston Chief Scientist, APNIC. Security on the Internet How do you know that you are going to where you thought you were going to?
Security and Stuff Geoff Huston APNIC. What I’m working on at the moment..
TAG Presentation 18th May 2004 Paul Butler
Secure HTTP (HTTPS) Pat Morin COMP 2405.
Geoff Huston Chief Scientist, APNIC
Mark Ryan Professor of Computer Security 25 November 2009
CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers By Kartik Patel.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Security Issues with Domain Name Systems
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
A Speculation on DNS DDOS
DNS Security Advanced Network Security Peter Reiher August, 2014
Geoff Huston APNIC March 2017
Auto-Detecting Hijacked Prefixes?
DNS Security.
TAG Presentation 18th May 2004 Paul Butler
Practical Censorship Evasion Leveraging Content Delivery Networks
Living on the Edge: (Re)focus DNS Efforts on the End-Points
A quick review of DNSSEC Validation in today’s Internet
Geoff Huston APNIC Labs September 2017
CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.
DNS Session 5 Additional Topics
Uses Uses of cryptography Lab today on RSA
draft-huston-kskroll-sentinel
CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.
The Last Link in the DNSSEC Chain of Trust
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
A Speculation on DNS DDOS
Joao Damas, Geoff Labs March 2018
DNSSEC Basics, Risks and Benefits
APNIC Trial of Certification of IP Addresses and ASes
DNS Privacy (or not!) Geoff Huston APNIC.
Who am I talking to?.
What DNSSEC Provides Cryptographic signatures in the DNS
Measuring KSK Roll Readiness
NET 536 Network Security Lecture 8: DNS Security
Geoff Huston APNIC Labs
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
ROA Content Proposal November 2006 Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Measuring KSK Roll Readiness
Content Delivery and Remote DNS services
DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64
Anonymous Communication
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
IPv6 Reliability Measurements
What part of “NO” is so hard for the DNS to understand?
STIR Certificate delegation
The Resolvers We Use Geoff Huston APNIC.
Presentation transcript:

DNSSEC Deployment Challenges Geoff Huston APNIC June 2016

Turning Validation on Bind Config

Turning Validation on Bind Config Yes, it really is a one line config entry!

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today!

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! One line of config in a recursive resolver!

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! As with all things in the DNS, this is not necessarily true Cached answers will take no longer to resolve from a validating resolver as compared to a non-validating resolver Retrieving DNSSEC credentials take queries, and queries take time Currently, DNSSEC validation queries are serialized in most resolvers. This time could be reduced if these queries were parallelised

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! Yes, that’s what it’s meant to do!

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! But DNSSEC has incremental outcomes That benefit partial deployment : You can improve the integrity of YOUR name by signing it with DNSSEC!

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! That assumes structural DNS censorship is not in and of itself an attack on the integrity of the DNS!

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! True – but what do users want from the DNS? If they want the truth then you can’t lie!

Why Not? It’s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! Is ever so slightly faster really better than vulnerability to third party attack via compromised CAs?

But maybe there is a point here… Is having resolvers validate what they provide back to the query agent enough to improve the security of the DNS? If you can intrude in an open conversation between the client and their resolver then MITM attacks in the DNS can still take place

Step 2 Validation in DNS recursive resolvers is the first step We also need to also think about some further steps: Push DNSSEC validation all the way back to the client application Such as GetDNS (https://getdnsapi.net) Secure the conversation between the application and a trusted recursive validating resolver Such as https://dns.google.com (re)introduce DANE to browsers using DNSSEC credential stapling https://www.imperialviolet.org/2011/06/16/dnssecchrome.html https://tools.ietf.org/html/draft-shore-tls-dnssec-chain-extension-02

Thanks! DNSSEC Reports: http://stats.labs.apnic.net/dnssec

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.