Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC Deployment Challenges

Published byAlbert Merritt Modified over 6 years ago

Similar presentations

Presentation on theme: "DNSSEC Deployment Challenges"— Presentation transcript:

1 DNSSEC Deployment Challenges
Geoff Huston APNIC June 2016

2 Turning Validation on Bind Config

3 Turning Validation on Bind Config
Yes, it really is a one line config entry!

4 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today!

5 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! One line of config in a recursive resolver!

6 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! As with all things in the DNS, this is not necessarily true Cached answers will take no longer to resolve from a validating resolver as compared to a non-validating resolver Retrieving DNSSEC credentials take queries, and queries take time Currently, DNSSEC validation queries are serialized in most resolvers. This time could be reduced if these queries were parallelised

7 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! Yes, that’s what it’s meant to do!

8 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! But DNSSEC has incremental outcomes That benefit partial deployment : You can improve the integrity of YOUR name by signing it with DNSSEC!

9 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! That assumes structural DNS censorship is not in and of itself an attack on the integrity of the DNS!

10 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! True – but what do users want from the DNS? If they want the truth then you can’t lie!

11 Why Not? It’s too hard It will take more time to resolve a name
It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! Is ever so slightly faster really better than vulnerability to third party attack via compromised CAs?

12 But maybe there is a point here…
Is having resolvers validate what they provide back to the query agent enough to improve the security of the DNS? If you can intrude in an open conversation between the client and their resolver then MITM attacks in the DNS can still take place

13 Step 2 Validation in DNS recursive resolvers is the first step
We also need to also think about some further steps: Push DNSSEC validation all the way back to the client application Such as GetDNS ( Secure the conversation between the application and a trusted recursive validating resolver Such as (re)introduce DANE to browsers using DNSSEC credential stapling

14 Thanks! DNSSEC Reports:

Download ppt "DNSSEC Deployment Challenges"

Similar presentations

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Geoff Huston APNIC Labs

Geoff Huston APNIC Labs
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Measuring DNSSEC Validation: A Brief Update on DNSSEC Validation numbers, with an Asia Focus Geoff Huston APNIC Labs January 2015.

Measuring DNSSEC Validation: A Brief Update on DNSSEC Validation numbers, with an Asia Focus Geoff Huston APNIC Labs January 2015.
Electronic signature Validity Model 1. Shell model Certificate 1 Certificate 2 Certificate 3 Signed document Generate valid signature validCheck invalidCheck.

Electronic signature Validity Model 1. Shell model Certificate 1 Certificate 2 Certificate 3 Signed document Generate valid signature validCheck invalidCheck.
Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.

Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
What if Everyone Did It? Geoff Huston APNIC Labs.

What if Everyone Did It? Geoff Huston APNIC Labs.
Ch 6: DNSSEC and Beyond Updated 4-28-15. DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute 216.81.59.173 traceroute 216.81.59.173 https://www.youtube.com/watch?v=5_dRqPLP1d c https://www.youtube.com/watch?v=5_dRqPLP1d.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c

Similar presentations

Ads by Google