Ch 6: DNSSEC and Beyond Updated 4-28-15. DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

Slides:



Advertisements
Similar presentations
DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Security and Information Assurance for the DNS Dan Massey USC/ISI.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.
IIT Indore © Neminath Hubballi
Geoff Huston APNIC Labs
Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
Andreas Steffen, , 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
Network Security David Lazăr.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
Private key
Presented by Mark Minasi 1 SESSION CODE: WSV333.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.
Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Security Issues with Domain Name Systems
Lecture 20 DNS Sec Slides adapted from Olag Kampman
IT443 – Network Security Administration Instructor: Bo Sheng
In collaboration with HKCERT and HKIRC July 2016
Domain Name System Tony Kombol ITIS 3110.
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
DNSSEC Iván González Montemayor A
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
DNS security.
Managing Name Resolution
What DNSSEC Provides Cryptographic signatures in the DNS
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
ECDSA P-256 support in DNSSEC-validating Resolvers
Presentation transcript:

Ch 6: DNSSEC and Beyond Updated

DNSSEC

Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine source Data integrity – Assurance that the data have not been altered

Development of DNSSEC Record signatures use public-key cryptography to verify authenticity of DNS records RFC 2065 (1997): SIG and KEY records RFC 2535 (1999): NXT record – denial of existence of a record 2003: DS (Delegation Signer) record – Allows secure delegation to child zones – SIG, KEY, NXT evolved to RRSIG, DNSKEY, NSEC

Development of DNSSEC RFC 3757 (2004) – Zone-Signing Key (ZSK) – Key-Signing-Key (KSK) – Secure Entry Point (SEP) A flag used to identify a KSK 2005 – NSEC replaced by NSEC3

7 Man-in-the-Middle Attack –Attacker generates two “false” key pairs –Attacker intercepts the genuine keys and send false keys out –Client trusts the Attacker's data Trusted third party prevents this attack –The root of DNS VictimAttackerServer

Hierarchical Chain of Trust

The Delegation Signer (DS) Record Links in the chain of trust DS record contains a hash of a zone's public key To make performance better, the zone key may be separated into – Zone Signing Key (ZSK) and – Key Signing Key (KSK)

Authenticated Denial of Existence NSEC and NSEC3 Records Sort all domain names in zone in alphabetical order – a.example.com with A, AAAA, RRSIG – c.example.com NSEC Record – a.example.com TTL IN NSEC c.example.com A AAAA RRSIG – Nothing between a.example.com and c.example.com This record proves there is no b.example.com

Example Proves there is no *.us Proves there is no d.us

NSEC Information Disclosure Easy to find all domains in a zone Like a zone transfer dig *.se +dnssec – Reveals first valid hostname Dig for valid hostname* to find next one NSEC3 fixes this problem

NSEC3 Hostnames are Hashed and Salted Can be hashed many times

Algorithm and Salt in Record

Making a Validating Resolver See Proj 7x

Weaknesses of DNSSEC

Lack of Protection Between User Devices and Resolvers Attacker in the middle has enough info to perfectly forge responses – Unless DNSSEC is enforced in the client's browser Protected by DNSSEC DNS Resolver User DNS SOA Not protected

Lack of Protection of Glue Records DNSSEC only protects Resource Records if they are authoritative in the zone Glue records are resource records that facilitate a resolution that is delegated from a parent zone to a child zone They are owned by the child zone but appear in the parent zone So they are non-authoritative Not protected by DNSSEC

Key Changes Don't Propagate Keys can – Roll over – Be Revoked – Signatures can expire These events do not propagate down the DNS tree

NSEC3 Denial of Service If a zone is insecurely delegated to another zone And it includes NSEC3 records A MITM can block resolution of a domain Or delegate the resolution to another server and change the A record Enabling spoofing, cookie-stealing, etc.

Re-Addressing Replay Attack If a server moves to a new hosting provider The old IP address can be used until the signatures expire Because there's no way to push signature expiration from authoritative servers to resolvers

NSEC3 Still Allows Zone Walking An offline dictionary attack can be used to guess the hashes It's the same as cracking password hashes

No Protection of DNS or Lower Layer Header Data The AD flag is part of the DNS header – Authenticated Data flag, indicating that the response data was verified by DNSSEC – Can't be trusted, because Can be changed by a MITM DNSSEC won't detect that

DNSSEC Data Inflate Zone Files and DNS Packet Sizes Small requests lead to large responses UDP allows spoofing the source IP address AttackerOpen DNS ResolverTarget

DNSSEC Increases Computational Requirements on Validators and Servers Verifying signatures Calculating hashes for NSEC3 records

DNSCurve

Encrypted Packets Operates at layer 2 (Data Link) Uses Elliptic Curve Cryptography Each request and response packet is encrypted in its entirety – DNSSEC doesn't encrypt any data, it just signs it ECC keys are 256 bits long Calculation is much faster than RSA

DNSCurve Limitations Not yet an IETF standard Does not provide end-to-end security – Just from endpoint to resolver Name-server names need to be longer to include a Base-32 encoded 53-byte public key – Makes responses even larger DNS Queries may exceed 255 bytes, which will be dropped by old middleware Key compromise requires renaming the server – And manual update of NS record in the parent zone

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.