Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Slides:



Advertisements
Similar presentations
DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Advertisements

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Joint Techs, Albuquerque Feb © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin
How to use DNS during the evolution of ICN? Zhiwei Yan.
DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin
Security Issues with Domain Name Systems
Lecture 20 DNS Sec Slides adapted from Olag Kampman
DNS Security.
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
State of DNSSEC deployment ISOC Advisory Council
IMPLEMENTING NAME RESOLUTION USING DNS
Living on the Edge: (Re)focus DNS Efforts on the End-Points
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania
DNS Cache Poisoning Attack
DNSSEC Basics, Risks and Benefits
A New Approach to DNS Security (DNSSEC)
NET 536 Network Security Lecture 8: DNS Security
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania
Presentation transcript:

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNS: Data Flow master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 345 Registry/Registrar Provisioning

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNS Vulnerabilities master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 345 Corrupting data Impersonating master Unauthorized updates Cache impersonation Cache pollution by Data spoofing Altered zone data Registry/Registrar Provisioning

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNS exploit example Mail gets delivered to the MTA listed in the MX RR. Man in the middle attack. Sending MTA Blackhat MTA Receiving MTA Resolver MX RR? MX RR

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Mail man in the middle ‘Ouch that mail contained stock sensitive information’ –Who per default encrypts all their mails? We’ll notice when that happens, we have log files –You have to match address to MTA for each logline.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Other possible DNS targets SPF, DomainKey and family –Technologies that use the DNS to mitigate spam and phishing: $$$ value for the black hats StockTickers, RSS feeds –Usually no source authentication but supplying false stock information via a stockticker and via a news feed can have $$$ value ENUM –Mapping telephone numbers to services in the DNS As soon as there is some incentive

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Mitigate by deploying SSL? Claim: SSL is not the magic bullet –(Neither is DNSSEC) Problem: Users are offered a choice –happens to often –users are not surprised but annoyed Not the technology but the implementation and use makes SSL vulnerable Examples follow

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna Example 1: mismatched CN

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Unknown Certificate Authority Example 2: Unknown CA

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Confused?

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. How does DNSSEC come into this picture DNSSEC secures the name to address mapping –before the certificates are needed DNSSEC provides an “independent” trust path. –The person administering “https” is most probably a different from person from the one that does “DNSSEC” –The chains of trust are most probably different –See acmqueue.org article: “Is Hierarchical Public- Key Certification the Next Target for Hackers?”

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Any Questions so far? We covered some of the possible motivations for DNSSEC deployment Next: What is the status of DNSSEC, can it be deployed today?

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DEPLOYMENT NOW DNS server infrastructure related ` APP STUB Protocol spec is clear on: Signing Serving Validating Implemented in Signer Authoritative servers Security aware recursive nameservers signing serving validating

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Main Problem Areas “the last mile” Key management and key distribution NSEC walk improvement

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. The last mile ` APP STUB How to get validation results back to the user The user may want to make different decisions based on the validation result –Not secured –Time out –Crypto failure –Query failure From the recursive resolver to the stub resolver to the Application validating

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Problem Area ` APP STUB Key Management Keys need to propagate from the signer to the validating entity The validating entity will need to “trust” the key to “trust” the signature. Possibly many islands of security signing validating

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Secure Islands and key management net. money.net. kids.net. geerthe corp dev market dilbert unixmac marnick nt os.net. com..

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Secure Islands Server Side –Different key management policies for all these islands –Different rollover mechanisms and frequencies Client Side (Clients with a few to 10, 100 or more trust-anchors) –How to keep the configured trust anchors in sync with the rollover –Bootstrapping the trust relation

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. NSEC walk The record for proving the non-existence of data allows for zone enumeration Providing privacy was not a requirement for DNSSEC Zone enumeration does provide a deployment barrier Work starting to study possible solutions –Requirements are gathered –If and when a solution is developed it will be co- existing with DNSSEC-BIS !!! –Until then on-line keys will do the trick.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Current work in the IETF (a selection based on what fits on one slide) Last Mile draft-gieben-resolver-application-interface Key Rollover draft-ietf-dnsext-dnssec-trustupdate-timers draft-ietf-dnsext-dnssec-trustupdate-treshold Operations draft-ietf-dnsop-dnssec-operations NSEC++ draft-arends-dnsnr draft-ietf-dnsext-nsec3 draft-ietf-dnsext-trans

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. Questions??? or send questions and feedback to

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. References and Acknowledgements Some links – – – “Is Hierarchical Public-Key Certification the Next Target for Hackers” can be found at: wpage&pid=181 The participants in the dnssec-deployment working group provided useful feedback used in this presentation.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.