DNS Risks, DNSSEC
Olaf M. Kolkman and Allison Mankin
Joint Techs, Albuquerque, 8 Feb 2006. © 2006 Stichting NLnet Labs

Presentation transcript:


DNSSEC evangineers of the day
Allison: independent consultant; member of the Internet2 Tech. Advisory Comm.; IETF Transport Area Director; member of ICANN's SSAC
Olaf: NLnet Labs
  – DNS and DNSSEC research
  – Protocol and software development (such as NSD, a lean and mean authoritative nameserver)
  – Co-Chair of the IETF DNSEXT working group
(Shinkuro is acknowledged for sponsoring our trip)

[Image: the star fort of Bourtange, source Wikipedia]

Why DNSSEC
Good security is multi-layered
  – Multiple defense rings in physically secured systems
  – Multiple 'layers' in the networking world
DNS infrastructure
  – Providing DNSSEC raises the barrier for DNS-based attacks
  – Provides a security 'ring' around many systems and applications

The Problem
DNS data published by the registry is being replaced on its path between the "server" and the "client". This can happen in multiple places in the DNS architecture
  – Some places are more vulnerable to attacks than others
  – Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities)

Solution: a Metaphor
Compare DNSSEC to a sealed transparent envelope.
  – The seal is applied by whoever closes the envelope
  – Anybody can read the message
  – The seal is applied to the envelope, not to the message

DNS Architecture
[Diagram: registrars/registrants feed the Registry DB over the provisioning path; the registry data goes to a primary and its secondaries, which speak the DNS protocol to a cache server that answers the client. The edu institution appears in three roles: as ISP, as 'friend' and as DNS provider.]

DNS Architecture: where the data can be replaced
[Diagram: the same architecture with the threat points marked: server compromise, attacks on inter-server communication, and cache poisoning, along the provisioning and DNS protocol paths between registry DB, registrars/registrants and the servers.]

DNSSEC protection
[Diagram: the same architecture; the data is 'envelope sealed' where the registry publishes it and the 'seal checked' on the DNS protocol side, so replacement anywhere in between is detected.]

Example: Unauthorized mail scanning
[Diagram: the Astrophysics mail server asks the DNS "Where?" for the Central Admin mail server, is answered "There!", and a message with Subject: tenure is delivered to the Central Admin mail server.]

Example: Unauthorized mail scanning (with replaced DNS data)
[Diagram: the same lookup, but the DNS answer is "Elsewhere", and the message with Subject: tenure is delivered to the Bad Guy instead of the Central Admin mail server.]

Where Does DNSSEC Come In?
DNSSEC secures the name to address mapping
  – Transport and application security are just other layers.

DNSSEC secondary benefits
DNSSEC provides an "independent" trust path
  – The person administering "https" is most probably a different person from the one that does "DNSSEC"
  – The chains of trust are most probably different
  – See the acmqueue.org article "Is Hierarchical Public-Key Certification the Next Target for Hackers?"

More benefits?
With reasonable confidence perform opportunistic key exchanges
  – SSHFP and IPSECKEY Resource Records
With DNSSEC one could use the DNS for a priori negotiation of security requirements.
  – "You can only access this service over a secure channel"

DNSSEC properties
DNSSEC provides message authentication and integrity verification through cryptographic signatures
  – Authentic DNS source
  – No modifications between signing and validation
It does not provide authorization
It does not provide confidentiality

DNSSEC deployment practicalities
RIPE NCC deployed DNSSEC on the reverse tree
  – 202.in-addr.arpa etc. are now signed and you can get secure delegations
  – We followed the architecture to plan the changes to our system
You may want to follow the same steps when planning for local DNSSEC deployment

DNSSEC Architecture modifications
[Diagram: customer interfaces feed the provisioning DB; zone creation produces the zone, which passes through the zone signer to the primary DNS and on to the secondary DNS. The parts that change for DNSSEC are marked: DNSSEC-aware provisioning, DNS and input checks, the zone signer, and DNSSEC-aware servers.]

Server Infrastructure
Part of keeping up to date
  – Your most recent version of BIND and NSD run DNSSEC
Memory might be an issue
  – Predictable (see RIPE352)
Coordination with secondaries

Provisioning
Realize that interaction with the child is not drastically different.
  – DS and NS have the same security properties
  – You may need to respond a bit differently to 'child' emergency cases
Thinking "security" will make you notice "security"
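The sealed transparent envelope ("Solution: a Metaphor"), the authentication-without-confidentiality point ("DNSSEC properties") and the parent-side DS record mentioned under "Provisioning" can be tied together in one small simulation. The code below is an added example and is not from the slides or from NLnet Labs. Textbook RSA with small hard-coded primes stands in for a real DNSSEC signing algorithm so that it runs with the Python standard library alone; it is not secure and only illustrates the flow. The zone names (astro.example, mail.central-admin.example, mail.badguy.example) and all keys are constructed for the example, following the tenure-mail scenario from the slides.

```python
"""Toy DNSSEC 'sealed transparent envelope' with a parent/child chain.

Added example, not from the slides or NLnet Labs. Textbook RSA with small
hard-coded primes stands in for a real DNSSEC algorithm so that it runs with
the standard library alone; it is not secure and only shows the flow.
Zone names and keys are constructed.
"""
import hashlib


def make_toy_key(p, q, e=65537):
    """Textbook RSA key from two constructed primes (far too small for real use)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def canonical(rrset):
    """Canonical RRset: lower-cased owner, records sorted, one per line.
    This is the readable 'message' inside the transparent envelope."""
    return "\n".join(sorted(f"{o.lower()} {t} {v}" for o, t, v in rrset)).encode()


def digest_int(rrset, n):
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest(), "big") % n


def sign(rrset, key):
    """RRSIG-like seal: applied by whoever 'closes the envelope' (the zone owner)."""
    return pow(digest_int(rrset, key["n"]), key["d"], key["n"])


def verify(rrset, sig, pub):
    """Seal check: the signature must open to the digest of the canonical RRset."""
    return pow(sig, pub["e"], pub["n"]) == digest_int(rrset, pub["n"])


def ds_digest(owner, pub):
    """DS record content: the parent publishes a hash of the child's public key."""
    return hashlib.sha256(f"{owner} {pub['n']} {pub['e']}".encode()).hexdigest()


def validate(answer, chain, trust_anchor):
    """Walk from the trust anchor (parent key) down to the answer.
    Returns False at the first link whose seal or key does not match."""
    # 1. The DS RRset in the parent must be sealed with the trusted parent key.
    if not verify(chain["ds_rrset"], chain["ds_sig"], trust_anchor):
        return False
    # 2. The child's key must hash to the DS the parent published.
    owner, _, ds = chain["ds_rrset"][0]
    if ds_digest(owner, chain["child_pub"]) != ds:
        return False
    # 3. The answer must be sealed with that child key.
    return verify(answer["rrset"], answer["sig"], chain["child_pub"])


def demo():
    """Genuine, tampered and attacker-signed MX answers for the mail example."""
    parent = make_toy_key(104729, 32452843)          # constructed parent zone key
    child = make_toy_key(1299709, 15485863)          # constructed astro.example key
    attacker = make_toy_key(1000000007, 1000000009)  # constructed 'bad guy' key

    ds_rrset = [("astro.example", "DS", ds_digest("astro.example", public(child)))]
    chain = {"ds_rrset": ds_rrset, "ds_sig": sign(ds_rrset, parent),
             "child_pub": public(child)}

    genuine_rr = [("astro.example", "MX", "10 mail.central-admin.example")]
    genuine = {"rrset": genuine_rr, "sig": sign(genuine_rr, child)}

    # The MX target is swapped in flight; the seal cannot be re-made with the child key.
    spoofed_rr = [("astro.example", "MX", "10 mail.badguy.example")]
    tampered = {"rrset": spoofed_rr, "sig": genuine["sig"]}
    attacker_signed = {"rrset": spoofed_rr, "sig": sign(spoofed_rr, attacker)}

    anchor = public(parent)
    return {
        "readable": canonical(genuine_rr).decode(),   # anybody can read the message
        "genuine": validate(genuine, chain, anchor),
        "tampered": validate(tampered, chain, anchor),
        "attacker_signed": validate(attacker_signed, chain, anchor),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the canonical record in clear (no confidentiality), validates the genuine answer, and rejects both the answer whose target was swapped under the original seal and the answer re-sealed by a key the parent never published a DS for. The three-step walk in `validate` is the reason DS and NS carry the same security weight for the parent: a wrong DS breaks the chain exactly as a wrong NS breaks the delegation.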

Key Mastering and Signing
Key management and signing need to be reliable
  – Failure will lead to loss of service
Cost factors:
  – Automation and education

How about the 'client' side
Set up your caching nameserver to perform validation and the infrastructure behind it is protected
DNSSEC has not yet been pushed to the host or application
Costs are in maintaining trust anchors
  – There is no standard to automate against.

What's keeping folk
New technology; chicken and egg
Zone walking possibility
  – Is this really an issue in your environment?
  – Solutions are being engineered
Automated key rollover and distribution

Why would you be a(n) (early) player
Keeping the commons clean
  – EDU and international research nets are important parts of the commons
  – Significant 'hot spots' of delegation
  – EDU networks have 'interesting' properties for the black hats.

Early players
Demonstrate the ability to self-regulate
  – Before the guys up the hill force it down your throat
  – Before a bad thing happens and you are woken up at 2 am
Lead by example
  – Break the egg

What you can do
Deploy in your own domain
  – … contains a myriad of information resources.
Ask your registry and your registrar
  – Educause, ARIN, Verisign, ccTLD registries, .gov etc.
Ask your OS, network equipment and application vendors
  – Microsoft, Cisco, firewall vendors, etc.

This Week
Get involved in an Internet2 pilot
  – Charles Yun, Internet2 Security Program Director, organizing now
  – Talk to him this week
Get to our workshop – …
Talk to your colleagues for bilateral pilots
Talk to us.

Next Week
Deploying locally provides immediate security benefits
  – Sign your own zone and configure your keys

Mitigate by Deploying SSL?
Claim: SSL is not the magic bullet
  – (Neither is DNSSEC)
Problem: Users are offered a choice
  – Far too often
  – Users are annoyed
Implementation and use make SSL vulnerable
  – Not the technology

Confused?