The Last Link in the DNSSEC Chain of Trust

Slides:

Advertisements

Similar presentations

Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN.

Advertisements

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

FCC CSRIC III Working Group 4 Network Security Best Practices Rodney Joffe SVP and Senior Technologist, Neustar, Inc.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Technical Question Technical Question

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.

Draft-wing-v6ops-happy-eyeballs-ipv6 Happy Eyeballs: Trending Towards Success with Dual-Stack Hosts Dan Wing Andrew Yourtchenko {dwing,

DNSSec.TLD is signed! What next? V.Dolmatov November 2011.

An information sharing and analysis centre for the global DNS. DNS OARC.

RIPE Network Coordination Centre APRICOT Feb Mirjam Kühne..illuminating new ideas and tools from the community for the community.

Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

High performance recursive DNS solution

Geoff Huston Chief Scientist, APNIC

CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers By Kartik Patel.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Security Issues with Domain Name Systems

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

SaudiNIC Riyadh, Saudi Arabia May 2017

DNS Security Advanced Network Security Peter Reiher August, 2014

DNS Team IETF 99 Hackathon.

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

DNS Operation And Security Protection

DNSSEC Deployment Challenges

Measuring IXP Interconnectivity

CDAR Continuous Data-driven Analysis of Root Stability

DNS Privacy: Problem and solutions

Chongfeng. Xie(Presenter), Qiong Sun, Qi He, Cathy Zhou

Living on the Edge: (Re)focus DNS Efforts on the End-Points

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

The Importance of Being an Earnest stub

IPv6 / IP Next Generation

draft-huston-kskroll-sentinel

CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DANE: The Future of Transport Layer Security (TLS)

Lame DNS Server Sweeping

DNSSEC Basics, Risks and Benefits

CS4622: Computer Networking

Proactive Network Protection Through DNS

TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017

Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research

What DNSSEC Provides Cryptographic signatures in the DNS

Measuring KSK Roll Readiness

Designing an Intervention

Encrypting DNS traffic

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

DNS Operations SIG Feb APNIC19, Kyoto, Japan

RIPE Atlas Viktor Naumov R&D Software Engineer

Designing an Intervention

DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64

Problem solving.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Trust Anchor Signals from Custom Applications

Update on DHCPv6 On-Demand Mobility Extension draft

Hackathon AIS’19 Measurement group DNS over HTTPS/TLS team

Remote ATtestation ProcedureS (RATS)

When Can We Start Dropping IPv4 on the DNS Root Servers?

Presentation transcript:

The Last Link in the DNSSEC Chain of Trust Stub Resolver or ISP cache? Andrew White / Charter Communications DNS OARC 25 Dallas, TX 16 Oct 2016

Is DNSSEC practical? DNSSEC provably makes DNS reflection attacks worse Stub resolvers today generally do not validate DNSSEC responses Stub resolver’s failure validate responses allows potentially undesirable behavior such as NXDOMAIN redirection from the ISP DNSSEC does not solve privacy issues with DNS even with stub resolver validation No motivation for implementation until DANE is adopted by ISP caching servicers and stub resolvers

Potential Solutions Adoption of DANE and RFC5934 for management of DNS-sourced trust anchors Stub resolvers could validate DNS responses if root trust anchors were preloaded like C.A. certs are with browsers Ditch DNSSEC for DNS over TLS (RFC 7858) Other options include DNSCurve, DNSCrypt, Confidential DNS, IPSECA, DNSoD Caveat with all: Adoption only likely if popular apps (browsers) or operating systems provide it out of the box. Users are not generally interested in privacy (unfortunately).

Two non-sequiturs Please support the RIPE Atlas project -- get probes in your network! Please find me if you have interested in discussing the problems of IPv6 synthetic response (RFC-1912 recommendations)