1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Slides:

Advertisements

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

Advertisements

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Review iClickers. Ch 1: The Importance of DNS Security.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

1 System support & Management Protocols Lesson 13 NETS2150/2850 School of Information Technologies.

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

By Karan Oberoi.  A directory service (DS) is a software application- or a set of applications - that stores and organizes information about a computer.

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Understanding Active Directory

1 CSIT 320. Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Overview of Active Directory Domain Services Lesson 1.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr.

IIT Indore © Neminath Hubballi

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Network Protocols Chapter 25 (Data Communication & Networking Book): Domain Name System (DNS) 1.

Chapter 17 Domain Name System

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Domain Name System CH 25 Aseel Alturki

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

1 Windows 2008 Configuring Server Roles and Services.

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman

1 Kyung Hee University Chapter 18 Domain Name System.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

 Identify Active Directory functions and Benefits.  Identify the major components that make up an Active Directory structure.  Identify how DNS relates.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

How to use DNS during the evolution of ICN? Zhiwei Yan.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.

OVERVIEW OF ACTIVE DIRECTORY

Introduction to Active Directory

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

The Hierarchical Trust Model. PGP Certificate Server details Fast, efficient key repository –LDAP, HTTP interfaces Secure remote administration –“Pending”

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Directory Services CS5493/7493. Directory Services Directory services represent a technological breakthrough by integrating into a single management tool:

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

11 DEPLOYING AN UPDATE MANAGEMENT INFRASTRUCTURE Chapter 6.

1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa.

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

DNS Security Advanced Network Security Peter Reiher August, 2014

Peer-to-peer networking

Computer Networks Presentation

Presentation transcript:

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb

2 A protocol from better times An ancient protocol People were friendly and trustworthy Internet was a warm and fuzzy place DNS is a protocol from admins for admins Main assumption: Computers do not lie Idea: A hierarchical distributed database Store locally, read globally

3 Playground to extend DNS works, so use is as a container – DNS scales, so push a lot of data in – in-addr.arpa DNS can be misused as a catchword repository: DNS may have multiple roots, so introduce private name spaces

4 Playground to manipulate Push all initial requests to a payment site Prevent requests to bad sites Offer own search engine for NXDOMAIN Geolocation for efficient content delivery Geolocation for lawful content selection Provide different software updates Prevent worm updates

5 trustroute +trace Modelling real world data as DNS records Transferring data into DNS primary server Transferring data into DNS secondaries Updating meta data in parent zone Delivering data to recursive servers Processing by resolver code Providing structures to applications Interpreting data by users

6 Securing the data flow Two possible design goals: – Detect manipulation – Prevent wire-tapping Facing typical problems – The compatibility hydra – Partial roll-out – Satellite networks Still designed by admins: NSEC(3)

7 DNS SECurity Trust the primary name server data – Signed by the zone-c A framework to verify integrity – Signature chains up to a trust anchor In band key management – DS records in parent zone (but glue!) Supports caching as well as offloading Provides peer authentication

8 Trust anchor management In an ideal world the root is signed Many roots: Trust Anchor Repositories In band key roll-overs: RFC 5011 Manual trust anchors: Edit files on disk Automatic trust anchors: Look aside zones Open question: Precedence of sources

9 The last mile In an ideal world, apps use a new API – Error messages might become helpful – Validation errors are SERVFAIL Resolver offloading – Provide validated data with AD – Allow validator chaining with CD – Question: Provide bogus data at all? Attacks on the last mile even for LEAs

10 Finally gain benefits DNSSEC adds trust to DNS Use DNS as a hierarchical distributed DB Manage your SSHFPs centrally Manage your CERTs distributed Manage your OpenPGP keys distributed Do not deliver poisoned data to clients Validate late, validate centrally

11 Did you sign your zones? Why not?