Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Slides:

Advertisements

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

Advertisements

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Availability Problems in the DNSSEC Deployment Eric Osterweil Dan Massey Lixia Zhang 1.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker Oct.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

Security Jonathan Calazan December 12, 2005.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

Identity Management and DNS Services Tianyi XING.

Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Issues in Internet Security. Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well:

IIT Indore © Neminath Hubballi

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

POSITIONING STATEMENT For people who operate shared computers with Genuine Windows XP, the Shared Computer Toolkit is an affordable, integrated, and easy-to-use.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.

Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.

Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.

1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Zone State Revocation (ZSR) for DNSSEC Eric Osterweil (UCLA) Vasileios Pappas (IBM Research) Dan Massey (Colorado State Univ.) Lixia Zhang (UCLA)

OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

Publishing zone scan data using an open data portal Sebastian Castro OARC Workshop Montreal – Oct 2015.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

What if Everyone Did It? Geoff Huston APNIC Labs.

Presented by Mark Minasi 1 SESSION CODE: WSV333.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

1 Is an Internet PKI the Right Approach? Eric Osterweil Join work with: Dan Massey and Lixia Zhang.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Security Issues with Domain Name Systems

Lecture 20 DNS Sec Slides adapted from Olag Kampman

DNS Cache Poisoning Attack

What DNSSEC Provides Cryptographic signatures in the DNS

Measuring KSK Roll Readiness

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

Measuring KSK Roll Readiness

ECDSA P-256 support in DNSSEC-validating Resolvers

Presentation transcript:

Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1

What is DNSSEC and How it Works Just kidding… – Does anyone really want another DNSSEC 101? First, background on how DNSSEC actually works 2

What Do We Have Today Zone admins know their own DNSKEYs – Nominally, this info is held in a local file Some software is starting to bundle DNSKEY sets in local config files to bootstrap resolvers – Lets resolvers verify DNSSEC data out of the box – Useful in some ways, but… – What’s the shelf-life of those keys? – Don’t change that file, or when you update, you get your changes overwritten 3

Key Configuration Today 4 Software key file Locally managed configuration

Using Local Files for Verification Thus, our starting point today is a set of two types of local files This structure has some clear benefits – Local verification can be done without introducing external (especially single) points of failure – Local knowledge can take precedence over 3 rd party data – Ops can even remove keys that use “undesirable” crypto algorithms (i.e. GOST vs. RSA) 5

One More Step Completes the Spectrum What about keys that an operator believes should override or supplement the distro file, but not based on local knowledge? – Keys from web pages, newspapers, Ms. Cleo TM, etc. One more type of file gives a sufficient set of basic trust management components – A TAR keys file 6

Adding TARs to This 7 Vendor key file Local config Keys from TAR (in the sky) Keys from TAR (in the sky)

Managing Trust Anchors Will we always need local TAs? – I think yes (consider local knowledge if nothing else) Trust management should be done locally – Isolation from 3 rd party failures – Local ground truth – Local policies Three basic elements facilitate this – Local configuration key file + TAR key file + vendor key file Now resolvers can function out of the box In addition, can still use local knowledge, preferences, and expertise to enhance operations 8

Thanks 9

Backup 10

11 DNSSEC Background DNSSEC provides origin authenticity, data integrity, and secure denial of existence by using public-key cryptography Origin authenticity: – Resolvers can verify that data has originated from authoritative sources. Data integrity – Can also verify that responses are not modified in-flight Secure denial of existence – When there is no data for a query, authoritative servers can provide a response that proves no data exists

12 How DNSSEC Works DNSSEC zones create public/private keys – Public portion goes in DNSSEC record type: DNSKEY Zones sign all RRsets and resolvers use DNSKEYs to verify them – Each RRset has a signature attached to it: RRSIG So, once a resolver has a zone’s DNSKEY(s) it can verify that RRsets are intact by verifying their RRSIGs

13 Signing Example Using a zone’s key on a standard RRset (the NS) Signature (RRSIG) will only verify with the DNSKEY if no data was modified

14 Getting the Keys Until a resolver gets the DNSKEY(s) for a zone, data can be spoofed How can a resolver know that the DNSKEYs themselves are not being spoofed? DNSSEC zones securely delegate from parents to children Zones that have no secure parents are called trust anchors When a zone is a trust anchor the zones that it delegates to (and itself) form an island of security