A Longitudinal, End-to-End View of the DNSSEC Ecosystem

A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove and Christo Wilson, 2017
Presented by Kalyan

Motivation
Even after 20 years, DNSSEC remains misconfigured in most zones.
Complexity of the infrastructure.
Security compliance, improved automation, and auditing of DNSSEC management.
Re-examine resolver validation using the query logs of authoritative nameservers, which are used to study the behaviour of DNSSEC-enabled resolvers.

Introduction
DNS: CNAME, MX, NS, A records.
DNSSEC: DS, DNSKEY, RRSIG records.
How is it different? DNSSEC provides authentication and integrity.

Paper Summary
1. Study of DNSSEC deployment from the root zone down to the child zones, and of validation by resolvers.
2. Study of KSKs and ZSKs (the PKI infrastructure).
3. RRSIG, DNSKEY and DS records (other resource records include NSEC, NSEC3, CDNSKEY and CDS).
4. Active measurements: 59K resolvers, 150K domains.
5. Key rollover.
6. Daily and hourly datasets: TTL of the cached records.

DNSSEC and Cache Poisoning
DNSSEC is an old idea that has still not been fully adopted, and keys are improperly managed.
Most zones are managed incoherently.

Resolver and Root
DO bit (1 or 0): DNSSEC-aware resolvers set it to request DNSSEC records and validate them.
DNSSEC-aware chain: root zone, authoritative nameservers, resolvers.
The child zone publishes its KSK to the parent as a DS record, which contains a hash of the KSK DNSKEY.
Luminati HTTP/S proxy service: 400k end hosts, 59k resolvers.

Findings
TTL of cached records: <= 1 hour versus >= 1 hour.
Key rollover: DNSKEY and DS records.
Weak keys: a key length of 1024 bits is not adequate.

Findings (cont.)
SOA records cannot be validated: no SOA records are being signed.
DS records are incorrect: they do not match the KSKs.
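The DS/KSK relationship behind the "DS does not match the KSK" finding, as an added example (not code from the paper or the presentation): it computes the RFC 4034 key tag and DS digest of a DNSKEY and checks whether a published DS actually identifies the zone's current KSK, including the case of a rolled KSK whose stale DS is still in the parent. The owner name and key bytes are constructed.

```python
import hashlib
import struct

# Constructed sample zone and KSK (flags 257 = ZONE + SEP, protocol 3,
# algorithm 13 = ECDSA P-256); the key bytes are made up for illustration.
OWNER = "example.test."
KSK_RDATA = struct.pack("!HBB", 257, 3, 13) + b"\x01\x02" * 32


def name_to_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 s6.2): lower-case, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (not valid for RSA/MD5, alg 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """RFC 4034 s5.1.4: digest = H(canonical owner name || DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """What the child hands the parent: (key tag, algorithm, digest type, hex digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type).hex()


def ds_matches(owner, rdata, tag, alg, digest_type, digest_hex) -> bool:
    """Does a DS published in the parent really identify this DNSKEY (the KSK)?"""
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return ds_digest(owner, rdata, digest_type).hex() == digest_hex.lower()


if __name__ == "__main__":
    ds = make_ds(OWNER, KSK_RDATA)
    print("DS:", *ds)
    print("DS matches current KSK:", ds_matches(OWNER, KSK_RDATA, *ds))
    # A rolled KSK the parent was never told about: the stale DS breaks the chain of trust.
    new_ksk = struct.pack("!HBB", 257, 3, 13) + b"\x03\x04" * 32
    print("stale DS matches new KSK:", ds_matches(OWNER, new_ksk, *ds))
```

Running the same check against a zone's real DNSKEY RRset and the DS set served by its parent is how a validating resolver (or an auditor) detects the mismatched DS records the paper reports.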

Criticism
Active measurements could have been incorporated for better results.
Other records were not available for the study.
There is no explanation, or very little insight, about those records.

THANK YOU