State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.


Slide 2: Agenda
- Brief overview of DNS Security Extensions
- Current state of specifications
- Current state of software
- Efforts underway
(slide footer: P R O T E C T I N G Y O U R P R I V A C Y APRICOT 2001)

Slide 3: DNSSEC Components
- Name server to name server protections
  - Digital signatures: KEY, SIG, NXT records
  - Scaleable, Internet-wide transfers
- Query/Response protections
  - TSIG addition to the message; also a digital signature approach
  - Resolver to "default" name server, zone transfer
- Publication of certificates
  - Distribution of X.509, PGP certificates: CERT record
- Dynamic update security
  - Authentication and authorization to change zones

Slide 4: DNSSEC in the network
(diagram) Path shown: root server -> top level domain -> authoritative name server -> recursive (conference net) name server -> conference machine, labelled with KEY RR, SIG RR, NXT RR and TSIG.

Slide 5: IETF Status
- The current document set is at the Proposed Standard level
- Documents are listed in upcoming slides
- The documents are to be rewritten as early experience is gained
- The goal is to progress to Draft Standard in 2002

Slide 6: Implementations
- ISC's BIND
  - First in version 8.2
  - Full implementations starting in version 9
  - Current version 9.1.x
- Some implementations in other code bases; none are publicly or widely available

Slide 7: KEY, SIG and NXT
- Documents
  - RFC 2535, basic definition
  - RFC 2536, 2537, key and signature algorithms
  - RFC 2539, Diffie-Hellman keys
- Updates to this set
  - RFC 3008, signing authorization model
  - More coming soon

Slide 8: What works
- Key generation
  - Making, storing keys
- Signing and loading zones
  - Addition of signatures, NXTs, to zones
- Basic validation of data
  - Resolver fetches keys and verifies signatures

Slide 9: Remaining Issues
- Validation of child by parent (delegator)
  - Child zone keys have to be signed by the parent zone
  - Impact on high-volume TLDs
- Negative response issues
  - NXT record does not satisfy everyone
- Impact on staff operations
  - Management and protection of keys
  - Need to sign zone data at intervals
    - regular intervals: week? month? year?
  - Interaction with parent zone
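Slides 7 through 9 name the NXT record as the mechanism for authenticated negative responses and note that it "does not satisfy everyone". The Python below is an added example, not code from the slides or from BIND: it builds an RFC 2535 NXT chain for a small constructed zone (the zone contents and the name example. are assumptions), shows how a server picks the NXT that proves a name or a type is absent, and shows the side effect that made NXT contentious, namely that following the chain enumerates every name in the zone.

```python
# Added example (not from the slides): an RFC 2535 NXT chain for a small,
# constructed zone, showing how a signed NXT proves that a name or type does
# not exist, and why walking the chain lists every name in the zone.

def canonical_key(name):
    """Sort key for RFC 2535 canonical ordering: compare labels from the root
    inward, case-insensitively, so 'example.' < 'a.example.' < 'x.a.example.'."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def build_nxt_chain(zone):
    """zone maps each owner name to the set of RR types present at that name.
    Returns the NXT chain as a list of (owner, next_name, type_bitmap)."""
    owners = sorted(zone, key=canonical_key)
    chain = []
    for i, owner in enumerate(owners):
        next_name = owners[(i + 1) % len(owners)]   # last NXT wraps to the apex
        # every owner in a signed zone also carries SIG and NXT records
        bitmap = sorted(zone[owner] | {"SIG", "NXT"})
        chain.append((owner, next_name, bitmap))
    return chain

def covering_nxt(chain, qname):
    """Return the NXT whose span (owner, next_name) contains qname in canonical
    order, i.e. the record a server returns to prove qname does not exist.
    Returns None when qname is itself an owner in the chain."""
    q = canonical_key(qname)
    for owner, next_name, bitmap in chain:
        o, n = canonical_key(owner), canonical_key(next_name)
        if q == o:
            return None
        if n <= o:                      # wrap-around record at the end of the zone
            if q > o or q < n:
                return (owner, next_name, bitmap)
        elif o < q < n:
            return (owner, next_name, bitmap)
    return None

def type_present(chain, qname, qtype):
    """True/False from the type bitmap of an existing name; None if the name
    itself does not exist (a covering NXT span, not a bitmap, answers that)."""
    for owner, _, bitmap in chain:
        if canonical_key(owner) == canonical_key(qname):
            return qtype in bitmap
    return None

def enumerate_zone(chain, apex):
    """Follow next-name pointers from the apex until they wrap: the complete
    list of names in the zone, obtainable by anyone who can query it. This is
    the disclosure property that made NXT controversial."""
    nxt = {owner: next_name for owner, next_name, _ in chain}
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = nxt[cur]
        if cur == apex:
            return names

# Constructed sample zone (not from the slides).
SAMPLE_ZONE = {
    "example.":      {"SOA", "NS", "KEY"},
    "www.example.":  {"A"},
    "mail.example.": {"A", "MX"},
    "ns1.example.":  {"A"},
}

if __name__ == "__main__":
    chain = build_nxt_chain(SAMPLE_ZONE)
    for owner, next_name, bitmap in chain:
        print(f"{owner:15} NXT {next_name:15} {' '.join(bitmap)}")
    print("ftp.example. nonexistence proven by:", covering_nxt(chain, "ftp.example."))
    print("www.example. has MX?", type_present(chain, "www.example.", "MX"))
    print("names learned by walking the chain:", enumerate_zone(chain, "example."))
```

Each NXT in a real zone is itself covered by a SIG, so the proof of nonexistence is signed without the server having to sign anything at query time; the price, visible in enumerate_zone, is that the chain discloses the zone's full name list.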

Slide 10: Query/Response
- Documents
  - RFC 2535, in the basic definition
- Updates
  - RFC 2845, Secret Key Transaction (TSIG)
  - RFC 2931, Public Key Query/Response approach

Slide 11: What works
- Use of TSIG for zone transfers
  - Addition of TSIG to authoritative servers to protect NOTIFY and AXFR
- Use of TSIG to authorize dynamic updates
  - Updates can be restricted based upon the key used to sign the request

Slide 12: Remaining Issues
- Distributing and configuring secrets for general queries
  - General purpose queries, larger scale
  - Where is the secret stored on a multiuser machine?
- Use of TKEY and SIG(0)
  - Not in widespread use, not much experience

Slide 13: Publishing Certificates
- Documents
  - RFC 2538, basic definition
- What works
  - CERT record, a simple addition to DNS
- Issues
  - Software for applications to insert and extract certificates from DNS

Slide 14: Securing Dynamic Update
- Documents
  - RFC 2136, Dynamic Update
  - RFC 2137, Secure Dynamic Update (not implemented)
  - RFC 3007, Secure Dynamic Update (implemented)

Slide 15: What Works/Issues
- Authorizing updates based upon keys used to sign the request
  - No longer need to trust based upon IP address
- Keeping signatures up to date
  - Data not updated becomes stale
  - Need tools to fix this
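Slide 15 notes that signatures expire, that zone data which is not re-signed goes stale, and that tools are needed to catch this. The Python below is an added example (not from the slides or from BIND): a checker that reads SIG records in RFC 2535 presentation format from a zone file and reports which signatures have expired or will expire within a warning window. The zone text, key tag, signer name and signature data are constructed placeholders, and "now" is fixed to the date of the talk so the output is reproducible.

```python
# Added example (not from the slides): a small checker that reads SIG records
# in RFC 2535 presentation format out of a zone file and reports which
# signatures have expired or are about to, so the zone can be re-signed in time.
# The zone below is constructed; its key tag, signer and signature data are
# placeholders.
from datetime import datetime, timedelta, timezone

def parse_sig_time(field):
    """RFC 2535 allows YYYYMMDDHHMMSS or a plain seconds-since-epoch count."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_sig_records(zone_text):
    """Yield one dict per SIG RR. Presentation order after the SIG keyword is:
    type covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer's name, signature (RFC 2535 section 4.1.8)."""
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()   # drop comments
        if len(tokens) < 12 or "SIG" not in tokens[2:4]:
            continue                              # not a one-line SIG RR
        i = tokens.index("SIG")
        yield {
            "owner": tokens[0],
            "covered": tokens[i + 1],
            "expiration": parse_sig_time(tokens[i + 5]),
            "inception": parse_sig_time(tokens[i + 6]),
            "signer": tokens[i + 8],
        }

def stale_signatures(zone_text, now, warn_days=7):
    """Classify every SIG as 'expired', 'expiring' (within warn_days),
    'not yet valid' or 'ok'."""
    report = []
    for sig in parse_sig_records(zone_text):
        if sig["expiration"] <= now:
            status = "expired"          # validating resolvers already reject this data
        elif sig["expiration"] - now <= timedelta(days=warn_days):
            status = "expiring"
        elif sig["inception"] > now:
            status = "not yet valid"    # clock skew or a signing error
        else:
            status = "ok"
        report.append({**sig, "status": status})
    return report

def owners_needing_resign(report):
    """Distinct owner names with at least one expired or expiring signature."""
    return sorted({r["owner"] for r in report if r["status"] in ("expired", "expiring")})

# Constructed sample zone; 'now' is fixed to the date of the talk.
NOW = datetime(2001, 2, 26, tzinfo=timezone.utc)
SAMPLE_ZONE = """\
; constructed example zone, signed with a fictitious example. key (tag 12345)
example.      3600 IN SOA ns1.example. hostmaster.example. 2001022600 7200 3600 604800 3600
example.      3600 IN SIG SOA 1 1 3600 20010401000000 20010201000000 12345 example. AAAA==
example.      3600 IN NS  ns1.example.
example.      3600 IN SIG NS 1 1 3600 20010228120000 20010201000000 12345 example. AAAA==
www.example.  3600 IN A   192.0.2.10
www.example.  3600 IN SIG A 1 2 3600 20010220000000 20010120000000 12345 example. AAAA==
mail.example. 3600 IN MX  10 mail.example.
mail.example. 3600 IN SIG MX 1 2 3600 20010301000000 20010201000000 12345 example. AAAA==
"""

if __name__ == "__main__":
    report = stale_signatures(SAMPLE_ZONE, NOW)
    for r in report:
        print(f'{r["owner"]:14} SIG {r["covered"]:4} expires '
              f'{r["expiration"]:%Y-%m-%d %H:%M} -> {r["status"]}')
    print("re-sign:", owners_needing_resign(report))
```

Run against the constructed zone on 2001-02-26 it reports the www.example. A signature as already expired, the NS and MX signatures as expiring within the week, and the SOA signature as fine; scheduled from cron against the real zone file, the same check is the simplest form of the tooling the slide asks for, since a signature that lapses silently makes the data unverifiable rather than merely unsigned.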

Slide 16: Other issues
- Need for applications to make use of these new features
  - E.g., a secure shell implementation that uses keys from DNS
  - E.g., a web browser that lets the user know if the web site's address was digitally signed for protection
  - E.g., a simple method for users to publish their personal certificates for

Slide 17: Who's Working On It
- Status meeting summarized in
  - draft-lewis-state-of-dnssec-00.txt
  - Minutes of the December meeting at the San Diego IETF
- Attendees
  - NLnet Labs, Verisign, The Foundation for Internet Infrastructure, Root Server System Advisory Committee, National Institute of Standards and Technology, Defense Information Systems Agency, RIPE NCC, Network Associates, Information Sciences Institute

Slide 18: Summary
- DNSSEC is a lot of work to define and implement
- Progress is happening, but not at a lightning-fast rate
- There is a lot of interest in the technology
- No matter the outcome, maintaining security will always increase workload
- We do want to keep the increase to a minimum