1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

Slides:

Advertisements

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

Advertisements

Availability Problems in the DNSSEC Deployment Eric Osterweil Dan Massey Lixia Zhang 1.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

Security and Information Assurance for the DNS Dan Massey USC/ISI.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

Lecture 12 Security. Summary  PEM  secure  PGP  S/MIME.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Identity Management and DNS Services Tianyi XING.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

ABSTRACT Zirous Inc. is a growing company and they need a new way to track who their employees working on various different projects. To solve the issue.

IIT Indore © Neminath Hubballi

Geoff Huston APNIC Labs

Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?

DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.

Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.

Configuring Directory Certificate Services Lesson 13.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Zone State Revocation (ZSR) for DNSSEC Eric Osterweil (UCLA) Vasileios Pappas (IBM Research) Dan Massey (Colorado State Univ.) Lixia Zhang (UCLA)

OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

Publishing zone scan data using an open data portal Sebastian Castro OARC Workshop Montreal – Oct 2015.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

What if Everyone Did It? Geoff Huston APNIC Labs.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

1 Is an Internet PKI the Right Approach? Eric Osterweil Join work with: Dan Massey and Lixia Zhang.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Security Issues with Domain Name Systems

DNS Security Advanced Network Security Peter Reiher August, 2014

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

DNS Cache Poisoning Attack

DNSSEC Iván González Montemayor A

What DNSSEC Provides Cryptographic signatures in the DNS

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

Presentation transcript:

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

2 Why Monitoring is Important Distributed systems have different problems when viewed from different vantage points –It is important for zone admins to know their data is being served properly to resolvers in different places –It is important for resolvers to know if any availability problems they see are local or global Monitoring answers these immediate questions, and can generate aggregate and historical information In other words, monitoring can help the DNSSEC rollout

3 Outline How DNSSEC works What can go wrong What SecSpider can help with Summary

4 DNSSEC DNSSEC provides origin authenticity, data integrity, and secure denial of existence by using public-key cryptography Origin authenticity: –Resolvers can verify that data has originated from authoritative sources. Data integrity –Can also verify that responses are not modified in-flight Secure denial of existence –When there is no data for a query, authoritative servers can provide a response that proves no data exists

5 How DNSSEC Works Each DNSSEC zone creates one or more pairs of public/private key(s) –Public portion put in DNSSEC record type DNSKEY Zones sign all RRsets with private key(s) and resolvers use DNSKEY(s) to verify RRsets –Each RRset has a signature attached to it: RRSIG So, if a resolver has a zone’s DNSKEY(s) it can verify that RRsets are intact by verifying their RRSIGs

6 Signing Example Using a zone’s key on a standard RRset (the NS) Signature (RRSIG) will only verify with the DNSKEY if no data was modified

7 Getting the Keys Until a resolver gets the DNSKEY(s) for a zone, data can be spoofed How can a resolver know that the DNSKEY(s) themselves are not being spoofed? DNSSEC zones securely delegate from parents to children Zones that have no secure parents are called trust anchors When a zone is a trust anchor the zones that it delegates to form an island of security

8 What Can Go Wrong Getting the keys for a zone should be simple –Reality: cache problems, PMTU problems, etc Verifying data seems as simple as following the delegation hierarchy –Reality: the hierarchy is underdeveloped (for now) Getting valid data should be as easy as verifying RSA signatures –Reality: signatures on data do not prove that the data is valid

9 Specifically… In this talk we pick one of these: availability –We discus all 3 of these issues in our 2008 IMC paper “Quantifying the Operational Status of the DNSSEC Deployment” Availability is important because getting DNSSEC keys is not always as easy as one would hope –And clearly this is a precondition for verifying RRSIGs

10 SecSpider

11 What We Track We currently try to track as many DNSSEC zones as we can find –We take user submissions, crawl various sources, do NSEC walking, etc. –We have been monitoring since 2005 We track all zones in our corpus from a set of distributed pollers From these vantage points we can observe many facets of DNSSEC zones

12 Distributed Polling We use distributed pollers to measure consistency (or inconsistencies) For example: DNSKEY RRsets spoofing at one poller will not fool others, and discrepencies can be seen In addition, network issues can cause some vantage points to be unable (or less able) to access DNSSEC information –We call this availability dispersion

13 Availability Dispersion SecSpider does PMTU walking to each zone whenever there is trouble retrieving DNSKEYs Some polling locations have serious PMTU problems that disrupt availability

14 Whose Problem is it? Without a monitoring system, how can zone administrators know there is a problem? –With SecSpider, zone admins can see issues and correct them How can resolvers know why they are having a problem –With SecSpider, people can (sometimes) see if their problems are local or global

15 How to Use SecSpider From our front page, submit your zone After the next polling cycle, you will see your zone on our web site For DNSKEYs (for example) check their consistency

16 Zone Drilldown Page

17 Secure Delegation Hierarchy

18 Summary The DNSSEC rollout has gotten a shot in the arm, but open issues remain A distributed monitoring system can help and is here today We can track zones and highlight configuration and availability problems to aid early adopters But also, distributed monitoring is a general tool whose utility is not limited to the early stages of the rollout –As new problems arise, monitoring will allow us to see them and address them

19 Thank you