Presentation is loading. Please wait.

Presentation is loading. Please wait.

SaudiNIC Riyadh, Saudi Arabia May 2017

Published byMelinda Harvey Modified over 6 years ago

Similar presentations

Presentation on theme: "SaudiNIC Riyadh, Saudi Arabia May 2017"— Presentation transcript:

1 SaudiNIC Riyadh, Saudi Arabia May 2017 richard.lamb@icann.org
DNSSEC Introduction SaudiNIC Riyadh, Saudi Arabia May 2017

2 The Internet’s Phone Book - Domain Name System (DNS)
= DNS Resolver DNS Server Get page Login page Username / Password Account Data ISP Majorbank (Registrant) DNS Hierarchy se com root majorbank.se Actually MANY phone books

3 Caching Responses for Efficiency
= DNS Resolver DNS Server Get page Login page Username / Password Account Data

4 The Problem: DNS Cache Poisoning Attack
= DNS Resolver DNS Server Attacker = Get page Attacker Login page Username / Password Error Password database

5 Argghh! Now all ISP customers get sent to attacker.
= DNS Resolver DNS Server Get page Attacker Login page Username / Password Error Password database

6 Securing The Phone Book - DNS Security Extensions (DNSSEC)
Attacker’s record does not validate – drop it = DNS Resolver with DNSSEC DNS Server with DNSSEC Attacker = So DNSSEC is a good thing. Get page Login page Username / Password Account Data

7 Resolver only caches validated records
= DNS Resolver with DNSSEC DNS Server with DNSSEC So DNSSEC is a good thing. Get page Login page Username / Password Account Data

8 That’s it dnssec-signzone mydomain.zone mydomain.zone.signed
IN A IN A IN RRSIG A N7upFHNplnIiXAEMOTefeuJrwymNxF 8D6/poAoRVDThHVOnXniaIj2WuGVbCGvUMjayDhVNk9vAQtVHUIAnxZXsIlP4ZbtIgtZ/hbTKByySx1Y0u9aRD1ik=

9 History 9 DNS developed: 1983. Discovered vulnerability:1995
Triggered15+ years DNSSEC work in IETF 2007 Some ccTLDs have deployed DNSSEC. Community presses ICANN to deploy DNSSEC at root Aug 2008 Dan Kaminsky reveals DNS vulnerability shortcut Root signed June 2010 with direct international participation Nov 2011 report: DNSChanger/Ghost Click: 4M PCs across 100 countries suffer redirection. Large scale Brazilian ISP DNS poisoning attack Recognition of global PKI spurs development of innovative security solutions beyond DNS. 22 Feb US FCC Chairman: “A report by Gartner found 3.6 million Americans getting redirected to bogus websites in a single year, costing them $3.2 billion.,” …“I urge all broadband providers to begin implementing DNSSEC as soon as possible.” 9

10 How it Works DNSSEC uses public key cryptography where the private half of keys are used to create digital signatures for records and the public halves used to verify that they have not been modified. The Zone Signing Key (ZSK) public-private key pair is used to sign each record of a zone file, i.e, web server IP address, mail server, etc. The Key Signing Key (KSK) pair is used to sign the ZSK and KSK itself. All someone needs is the public KSK half to validate all records in the zone. By having each zone sign the KSK of its subordinate zone, a chain of trust is created from registrant to ISP/end user.

11 Signature of mybank.tz-ZSK1234
Trust us with your Money Bank (Registrant) IP address = ________________________ mybank.tz ZSK signature ______________________ Date Signature of mybank.tz-ZSK1234 1 September 2013

12 Signature of mybank.se-KSK5678
Trust us with your Money Bank (Registrant) mybank.tz ZSK = 1234 mybank.tz KSK = 5678 ________________________ mybank.tz KSK signature ______________________ Date Signature of mybank.se-KSK5678 1 August 2013

13 tz NIC 15 September 2013 Trust us, we are tz NIC (Registry)
mybank.tz KSK = 5678 ________________________ tz ZSK signature ______________________ Date Signature of tz-ZSK9012 15 September 2013

14 tz NIC 1 September 2013 Trust us, we are tz NIC (Registry)
tz ZSK = 9012 tz KSK = 3456 ________________________ tz KSK signature ______________________ Date Signature of tz-KSK3456 1 September 2013

15 18 September 2013 Multi-stakeholder Root tz KSK = 3456
________________________ root ZSK signature ______________________ Date Signature of root-ZSK7890 18 September 2013

16 15 September 2013 Multi-stakeholder Root root ZSK = 7890
root KSK = 1903 ________________________ root KSK signature ______________________ Date Signature of root-KSK1903 15 September 2013

17 End User Trusted Operating System or ISP
root KSK = 1903 ________________________ O/S Vendor Signature ______________________ Date O/S Vendor Signature 1 January 2013

18 Roles and responsibilities at the registry, registrar, registrant
Registrant is responsible for generating, signing their records with, and publishing KSK and ZSK. Registrar manages DS (derived from KSK) record at the Registry on behalf of the Registrant. Registry generates, signs Registrant DS records with, and publishes its own KSK and ZSK. The root generates, signs Registry DS (derived from KSK) records with, and publishes its own KSK and ZSK. ISP/End User uses a copy of the public half of the root KSK above and uses it to recursively validate and cache responses on behalf of end user DNS lookup requests. RegistrantRegistrarRegistryRootISPEnd User

19 Walkthrough Typical Example
Registrant goes to Registrar to get domain name. Registrant selects Registrar provided DNS hosting and DNSSEC signing services. On behalf of Registrant, Registrar generates KSK and ZSK and submits KSK (DS records) to Registry. Registry automatically signs DS record with Registry’s ZSK. Registry KSK/DS has previously been incorporated into the root and signed by root ZSK. Registrant edits DNS records on Registrar (www, etc) and Registrar automatically signs records with ZSK. ISP follows the chain of signatures to validate DNSSEC signed DNS records and only sends valid entries to end users.

20 Common Issues (but all getting better)
Expiring signatures: monitoring, automation Complexity: experience, automation, training High equipment cost: $20K$5 Security and Trust: multi-person access, transparency (lessons learned from CAs) Lack of Registrar and ISP support: Raise registrant and end user awareness Random number generation: careful consideration, standards

21 Links IETF RFCs RFC 4033 DNS Security Introduction and Requirements RFC 4034 Resource Records for the DNS Security Extensions RFC 4035 Protocol Modifications for the DNS Security Extensions ISOC Deploy360 Program DNSSEC Deployment Initiative Contact ICANN if interested in training

22 But wait, there is more.. DANE Other… Improved Web TLS for all
S/MIME for all Other… SSH, IPSEC, VoIP Digital identity Other content (e.g. configurations) Global PKI TLD+SSL opportunity and economy - .NG and others.

23

24 Summary DNSSEC is the biggest improvement to the Internet’s core infrastructure in over 20 years. Deploying DNSSEC need not be complicated or costly. DNSSEC does not solve all the ills of the Internet but can become a powerful tool in improving security. DNSSEC is a cross-organizational and trans-national platform for cyber security innovation and international cooperation. In order to realize the full benefits of DNSSEC, greater end user and registrant awareness is needed to drive a virtuous cycle of trustworthy deployment. DNSSEC ensures DNS responses are not modified in flight thus protecting against redirection and cache poisoning attacks. DNSSEC does not solve all the ills of the Internet, but does provide a platform for innovative new solutions to address them. In order to realize the full benefits of DNSSEC, operators of DNS and other entities that make up the chain of trust must embrace transparent IT security processes and practices. With this Registrars and Registries are now part of a chain of trust …and part of future Internet security solutions. As part of the chain, build trust with improved processes, practices and education to differentiate offerings and develop new revenue streams. Doesn’t have to be expensive, just institutionalized. Related US DHS driven efforts: RPKI for protecting IP addressing/routing

25 Thank You

Download ppt "SaudiNIC Riyadh, Saudi Arabia May 2017"

Similar presentations

Web Hosting. The purpose of this Startup Guide is to familiarize you with Own Web Now's Web Hosting. Own Web Now offers two web hosting platforms, one.

Web Hosting. The purpose of this Startup Guide is to familiarize you with Own Web Now's Web Hosting. Own Web Now offers two web hosting platforms, one.
Research and Innovation Participant Portal How to register for an ECAS account NEXT.

Research and Innovation Participant Portal How to register for an ECAS account NEXT.
Existing Customer: Please visit Bonaqua Website for registration.

Existing Customer: Please visit Bonaqua Website for registration.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
ICANN’s multi-stakeholder approach OAS-CICTE REMJA/OAS + WEF Cyber Crime Workshop, Montevideo, Uruguay 10 July 2012

ICANN’s multi-stakeholder approach OAS-CICTE REMJA/OAS + WEF Cyber Crime Workshop, Montevideo, Uruguay 10 July 2012
The Business Case for DNSSEC InterOp/ION Mumbai 2012 11 October 2012

The Business Case for DNSSEC InterOp/ION Mumbai October 2012
Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.
DNSSEC: Where We Are (and how we get to where we want to be)

DNSSEC: Where We Are (and how we get to where we want to be)
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
What DNS is Not 0 Kylie Brown, Jordan Eberst, Danielle Franz Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros 0 Paul Vixie. 2009.

What DNS is Not 0 Kylie Brown, Jordan Eberst, Danielle Franz Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros 0 Paul Vixie
DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY

DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Similar presentations

Ads by Google