FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

Slides:

Advertisements

Similar presentations

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.

Advertisements

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

FCC CSRIC III Working Group 4 Network Security Best Practices Rodney Joffe SVP and Senior Technologist, Neustar, Inc.

IETF-751 Olafur Gudmundsson Andrew Sullivan.

Copyright© Telecom-ISAC Japan. All Rights Reserved. 1 Traceback Research & Experiments Against Source Address Attacks APRICOT2010 Japan Data Communications.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

CORDRA Philip V.W. Dodds March The “Problem Space” The SCORM framework specifies how to develop and deploy content objects that can be shared and.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Evolved from ARPANET (Advanced Research Projects Agency of the U.S. Department of Defense) Was the first operational packet-switching network Began.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

July 18th, th IETF Yokohama A Protocol for Anycast Address Resolving Shingo Ata, Osaka City University Hiroshi Kitamura,

Name Resolution Domain Name System.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.

Written By: David Dagon Manos Antonakakis Paul Vixie Georgia Institute of Georgia Institute ofInternet Systems. Technology Technology Consortium Wenke.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

Staying Safe Online Keep your Information Secure.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

Internet Ethernet Token Ring Video High Speed Router Host A: Client browser: REQUEST:http//mango.ee.nogradesu.edu/c461.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

SWE © Solomon Seifu ELABORATION. SWE © Solomon Seifu Lesson 10 Use Case Design.

DNS Tunneling Mihir Nanavati & Long Zhang {mihirn, April 19th 2010.

Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Lemonade Requirements for Server to Client Notifications draft-ietf-lemonade-server-to-client-notifications-00.txt S. H. Maes C. Wilson Lemonade Intermediate.

Policies by FQDN WatchGuard Training.

Working Group #4: Network Security Best Practices March 22, 2012 Presenter: Tony Tauber, Comcast WG #4 Member Via teleconference: Rod Rasmussen, Internet.

DNSSEC Deployment Initiative: Roadmap Version 2.0 Suresh Krishnaswamy, SPARTA Steve Crocker, Shinkuro, Inc.

A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.

Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair.

SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938.

DNS Hijack Demonstration (Diverting User Application via DNS) Giovanni Marzot, Ólafur Guðmundsson,

1 Installing and Maintaining ISA Server Planning an ISA Server Deployment Understand the current network infrastructure. Review company security.

Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91

IPv6 Site Renumbering Gap Analysis draft-ietf-6renum-gap-analysis-01 draft-ietf-6renum-gap-analysis-01 Bing Liu(speaker), Sheng Jiang, Brian.E.Carpenter.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Gül Begüm ŞEMİS. Milestones Appointments Due dates Check lists Approval The FOAK Process Phase I2 Project Process.

ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

DNS64 draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis.

Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average

THE LARGEST NAME SERVICE ACTING AS A PHONE BOOK FOR THE INTERNET The Domain Name System click here to next page 1.

Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

DIVYA K 1RN09IS016 RNSIT1. Cloud computing provides a framework for supporting end users easily through internet. One of the security issues is how to.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Understand Names Resolution

Security Issues with Domain Name Systems

DNS Security Advanced Network Security Peter Reiher August, 2014

Living on the Edge: (Re)focus DNS Efforts on the End-Points

DNS Session 5 Additional Topics

AbbottLink™ - IP Address Overview

COMPUTER NETWORKS PRESENTATION

Presentation transcript:

FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

The Opportunity Protection against cache poisoning Security increasingly resonates with customers DNSSEC can be a market differentiator for early adopters DNSSEC may help ISPs avoid some costs if a cache poisoning attack occurs ISP DNSSEC awareness in DNS recursive nameservers is necessary for end- user validation (e.g., DANE) Working Group 5: DNSSEC Implementation Practices March 6, 2013

WG5 Objective Recommend the best practices for deploying and managing the Domain Name System Security Extensions (DNSSEC) by Internet service providers (ISPs). Recommend proper metrics and measurements that allow for evaluation of the effectiveness of DNSSEC deployment by ISPs. March 6, 2013Working Group 5: DNSSEC Implementation Practices

Measurements Measurements of recursive resolvers were carried out through two methods: 1.Broad survey of the IPv4 address space to find putative resolvers, followed by detailed probing of each putative resolver. 2.Similar detailed probing from SamKnows clients inside of networks. The detailed probing comprised 13 tests for both basic functionality and specific edge cases. We restated basic functionality as: ValidatorThis means the resolver checks signatures when requested to do so. DNSSEC Aware ResolverThis means the resolver retrieves and passes back to the client the full set of keys, signatures, etc. that enable the client to validate. OtherThis means the resolver does not provide enough functionality to enable the client to do his own validation. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Measurements – Edge Cases In preliminary measurement we discovered unanticipated limitations. We evolved the test set to check for: Support for large responses via large packets and/or TCP Support for DNAME Support for NSEC3 Support for unknown (new) record types We annotated the description of a resolver to reflect these limitations, as in this case: Partial Validator [DNAME] March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Measurements – SamKnows Results >1/6 Validators 2/3 Full Validators 1/3 Partial 1/2 DNSSEC Aware 2/3 Full 1/3 Partial >1/4 Broken ~ 5% Other March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Measurements – Shinkuro Survey IPv4 space4,294,967,295 Addresses probed3,421,239,040 Dropped responses 10,197,657Probably overran our nameserver bandwidth Full responses 26,603,239 “Good” responses 11,697,272 Well-formed responses 5,908,002 Most of these were evaluated as Not a Resolver or alternately, we had timeout issues. This part of the testing needs to be redone. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Measurements – Shinkuro Setup Shinkuro test site sent a basic DNS query to each IPv4 address. The query was tailored to the address being sent. The address was encoded in the query. This query was resolvable only via a special Shinkuro nameserver. Thus, we could see the query we sent, and we could see the resolver trying to fetch the answer from our nameserver. This gave us insight into which resolvers were forwarding to other resolvers versus sending queries to our nameservers. We discovered many SOHO stub resolvers accepting queries from off net. We discovered some “closed” resolvers accessible via open SOHO stub resolvers. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Findings Many resolvers are DNSSEC Aware. This is good news. Of these, a significant portion have specific limitations. Improvement is needed. Some resolvers check signatures, i.e. are Validators. Some of these also have specific limitations. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Recommendations ISPs implement their DNS recursive nameservers so that they are at a minimum DNSSEC- aware, as soon as possible. Key industry segments, such as banking, credit cards, healthcare and others, sign their respective domain names with DNSSEC. Software developers, such as those creating operating-system, web-browser, and other Internet-focused applications, study how and when to incorporate DNSSEC validation functions into their software. The survey and description process should continue with refinement and with continued measurement over time. Controversy over DNSSEC and DDoS attacks persists. This should be documented and these attacks countered thoroughly. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Comments for Working Group 5 Laurie Flaherty at DOT suggested that an acronym list, and the spelling out of acronyms on first citation, would help potential lay readers understand the report better. We added an acronym list and made sure that acronyms’ elements were spelled out on first reference. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Conclusion ISP support for DNSSEC is necessary even in a future in which end points perform all validation. They must be able to, at a minimum, recognize DNSSEC-related traffic and allow it to pass for the smooth functioning of an end- to-end, DNSSEC-secured system. March 6, 2013 Working Group 5: DNSSEC Implementation Practices

Thank You Steve Crocker (301) , ext. 111 March 6, 2013 Working Group 5: DNSSEC Implementation Practices