1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr.

Slides:



Advertisements
Similar presentations
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name System Security Extensions (DNSSEC) Hackers 2.
1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Copyright line. Configuring DNS EXAM OBJECTIVES  An Introduction to Domain Name System (DNS)  Configuring a DNS Server  Creating DNS Zones  Configuring.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
Implementing DNS Module D 7: Implementing DNS
Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.
IIT Indore © Neminath Hubballi
Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Network Protocols Chapter 25 (Data Communication & Networking Book): Domain Name System (DNS) 1.
Chapter 17 Domain Name System
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 6: Name Resolution.
Domain Name System CH 25 Aseel Alturki
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
1 Kyung Hee University Chapter 18 Domain Name System.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
How to use DNS during the evolution of ICN? Zhiwei Yan.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
Linux Operations and Administration
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Web Server Administration Chapter 4 Name Resolution.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa.
Security Issues with Domain Name Systems
Module 5: Resolving Host Names by Using Domain Name System (DNS)
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
IMPLEMENTING NAME RESOLUTION USING DNS
Managing Name Resolution
A New Approach to DNS Security (DNSSEC)
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
Presentation transcript:

1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

2 A protocol from better times An ancient protocol People were friendly and trustworthy Internet was a warm and fuzzy place DNS is a protocol from admins for admins Main assumption: Computers do not lie Idea: A hierarchical distributed database Store locally, read globally

3 Playground to extend DNS works, so use is as a container – DNS scales, so push a lot of data in – in-addr.arpa DNS can be misused as a catchword repository: DNS may have multiple roots, so introduce private name spaces

4 Playground to manipulate Push all initial requests to a payment site Prevent requests to bad sites Offer own search engine for NXDOMAIN Geolocation for efficient content delivery Geolocation for lawful content selection Provide different software updates Prevent worm updates

5 domain label Basic definitions zone.money.net.kids.net corp.money.net.unix.os.net.mac.os.net.nt.os.net.os.net.net.com marnick.kids.net dop.kids.net. root top level

6 DNS Data Flow Modelling real world data as DNS records Transferring data into DNS primary server Transferring data into DNS secondaries Updating meta data in parent zone Delivering data to recursive servers Processing by resolver code Providing structures to applications Interpreting data by users

7 DNS Data flow master resolver stub resolver Zone administrator Zone file slaves Dynamic updates

8 DNS Vulnerabilities Data Protection Server Protection Zone file slaves master resolver stub resolver Zone administrator Dynamic updates Cache pollution by Data spoofing Unauthorized updates Corrupting data Impersonating master Cache impersonation

9 Securing the data flow Two possible design goals: – Detect manipulation – Prevent wire-tapping Facing typical problems – The compatibility hydra – Partial roll-out – Satellite networks

10 DNS SECurity Trust the primary name server data – Signed by the zone-c A framework to verify integrity – Signature chains up to a trust anchor In band key management – DS records in parent zone (but glue!) Supports caching as well as offloading Provides peer authentication Still designed by admins: NSEC(3)

11 Securing the communication stub resolver A ? resolver. (root) A ? ask.com server SIG(the ip address and PK of.com server) by its private key.com A ? ask cnn.com server SIG(the ip address and PK of cnn.com server) by its private key cnn.com A ? SIG(xxx.xxx.xxx.xxx) by its private key xxx.xxx.xxx.xxx add to cache lab.cs.umass.edu dns.cs.umass.edu transaction signatures slave servers transaction signatures

12 DEMO

13 Prerequisites Clean up DNS definition – Remove contradictional issues – Specify corner cases Define ownership of data – Specify glue at zone cut – Introduce DS in parent (long term error at Google) Ensure algorithm invariance – Parameterize and sort(!) everything Ease human debugging – Separate meta data from crypto Ensure backward compatibility – EDNS0 signalling

14 Signing System Archtitecture

15 Validation steps Top-Down: Resolve and check later. On error: SERVFAIL Bottom-Up: Check every response on arrival. On error: Try others.

16 LAB TIME

17 Proof of non-existence Precomputed answers to unknown queries missing record type for label – Show all existing records of label missing label – Show half open interval containing query missing wildcard – Show half open interval containing * Zone walker – Salt and hash all the labels (NSEC3) – Compute NSEC on the fly (trade in CPU)

18 Proof of non-existence A AAAA ::1 a NS a DS 8 3 x b MX 1 a NSEC a SOA NS NSEC RRSIG a NSEC b A AAAA NSEC RRSIG b NSEC c DS NSEC RRSIG c MX NSEC RRSIG

19 LAB TIME

20 Trust anchor management In an ideal world everything down from the root is signed Many roots: Trust Anchor Repositories Unattended roll-overs: RFC 5011 Manual trust anchors: Edit files on disk Automatic trust anchors: DLV Open question: Precedence of sources

21 Unexpected trust anchors Zone not delegable Private name space (local, internal) Reserved address space (private, CGN, local) Zone can’t be signed System unable to handle DNSSEC Internal dynamic updates Local trust anchor repository necessary Contains keys and negative anchors

22 Management hurdles RRSIGs time out (not keys!) Resign early, resign often (worst cast./NS) Use jitter to prevent DNS storms (Why?) Requires keys on public systems to sign zone Key rollovers Distinguish between work and management Limit lifetime to limit misuse if keys are lost Work keys (ZSK) signed by (offline) KSK KSK referenced by DS in parent zone (root?)

23 Outsourcing The management way Buy an appliance, install, be happy, pay fees Inside a remote signer appliance AXFR unsigned zone into the appliance Sign and resign the zones NOTIFY changes to external name servers Handle key rollovers automatically Needs special privileges for the registry API Keeps keys internally, only TSIG connections

24 Key rollover Why change ZSK? Key might be exposed on public system Can be computed from e² related signatures Why change KSK? Practice operational procedures HSM needs to be replaced Customer changes registrar or reseller Be prepared for legal action (customer, LEA)

25 Roll Key, Roll Remove ZSK AAAA by Z1DNSKEY K,Z1 by K Double signing, large zone AAAA by Z0,Z1 DNSKEY K,Z0,Z1 by K Long term zone AAAA by Z0DNSKEY K,Z0 by K

26 Roll Key, Roll Remove ZSK AAAA by Z1DNSKEY K,Z1 by K Replace signatures AAAA by Z1DNSKEY K,Z0,Z1 by K Pre publish ZSK AAAA by Z0DNSKEY K,Z0,Z1 by K Long term zone AAAA by Z0DNSKEY K,Z0 by K

27 Roll Key, Roll Remove DS: Expensive DNSKEY K1,Z by K1DS K1 Replace KSK DNSKEY K1,Z by K1DS K0,K1 Pre publish DS: Expensive DNSKEY K0,Z by K0DS K0,K1 Long term zone DNSKEY K0,Z by K0DS K0

28 Roll Key, Roll Remove KSK DNSKEY K1,Z by K1DS K1 Replace DS: Expensive DNSKEY K0,K1,Z by K 0,K1DS K1 Double signing, large DNSKEY DNSKEY K0,K1,Z by K 0,K 1 DS K0 Long term zone DNSKEY K0,Z by K0DS K0

29 Roll Key, Roll DNSKEY K’,Z by K’ DS K’,K DNSKEY K,Z by K DS K’,K DNSKEY K’,Z by K’ DS K,K’ DNSKEY K,Z by K DS K,K’ Replace DS: Expensive Replace KSK Replace DS: Expensive Replace KSK

30 External references Public keys can be copied Everyone can make a TAR Trust Anchor Repositories are useful Quite common in ITIL driven companies Procedure describes only direct key exchange Parent zone not trustworthy Registrar fuckup causes loss of zone Registrant’s access token can be stolen RFC 5011 defines automatic update

31 Timeframe considering TARs

32 Change of registrar Customer wants to change everything DNSSEC renders changes as BOGUS Lock in scenario, lot of “after contract” work Old and new operators need to cooperate Old one prepares zone or parent for transfer New one removes old references later Old one keeps name server longer in old state New one does the change on the registry and changes name servers weeks after transfer

33 Insecure transfer Registries require every registrar to be able to remove DNSSEC at least.

34 Secure transfer Registrars need to cooperate before and after transfer.

35 Transfer considerations Caches have old and new information All keys needs to be known for a long time Put new keys in old zone long before transfer Keep old keys in new zone long after transfer Change DS once or twice? Prepublished KSKs: change DS on transfer Otherwise add new DS long before transfer Keep old DS long after transfer Without cooperation, zone will fail Old operator can only limit TTLs before transfer On failure, customers tend to sue you for old keys

36 The last mile In an ideal world, apps use a new API – Error messages might become helpful – Validation errors are SERVFAIL Resolver offloading – Provide validated data with AD – Allow validator chaining with CD – Question: Provide bogus data at all? Attacks on the last mile even for LEAs

37 Finally gain benefits DNSSEC adds trust to DNS DNS as a hierarchical distributed DB Manage your SSHFPs centrally Manage your CERTs distributed Manage your OpenPGP keys distributed Do not deliver poisoned data to clients Validate late, validate centrally

38 Real wold usage Microsoft does it AD can insist on DNSSEC Uses IPSec for last mile security Derived IPSec from DNSSEC DNSSEC based IPSec = VPN DirectAccess: IPv6 and DNSSEC for setup Build automatic VPNs using DNS policy Use case: Thousands of offices worldwide

39 Generalize Benefits Quick hack drawbacks: A new DNS record per application? How about same protocols on different ports? Generalized approach: DANE _._. TLSA Can crypt any TCP stream with TLS Surprise: Works nice with CNAMEs as well Where does the trust come from? Can it replace CAs?

40 Did you sign your zones? Why not?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.