Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC Basics, Risks and Benefits

Published byFrancis Leonard Modified over 6 years ago

Similar presentations

Presentation on theme: "DNSSEC Basics, Risks and Benefits"— Presentation transcript:

1 DNSSEC Basics, Risks and Benefits
Olaf M. Kolkman

2 This presentation About DNS and its vulnerabilities DNSSEC status
DNSSEC near term future

3 DNS: Data Flow Provisioning master Zone file Dynamic updates slaves
Registry/Registrar Provisioning 1 4 Zone administrator Zone file master Caching forwarder 2 slaves 3 5 Dynamic updates resolver

4 DNS Vulnerabilities Provisioning Zone file master Dynamic updates
Registry/Registrar Provisioning Impersonating master Cache impersonation Zone administrator Zone file 1 4 master Caching forwarder 2 Corrupting data slaves 3 5 Dynamic updates resolver Cache pollution by Data spoofing Unauthorized updates Altered zone data

5 DNS exploit example Mail gets delivered to the MTA listed in the MX RR. Man in the middle attack. Blackhat MTA MX RR Resolver MX RR? MX RR Sending MTA Receiving MTA

6 Mail man in the middle ‘Ouch that mail contained stock sensitive information’ Who per default encrypts all their mails? We’ll notice when that happens, we have log files You have to match address to MTA for each logline.

7 Other possible DNS targets
SPF, DomainKey and family Technologies that use the DNS to mitigate spam and phishing: $$$ value for the black hats StockTickers, RSS feeds Usually no source authentication but supplying false stock information via a stockticker and via a news feed can have $$$ value ENUM Mapping telephone numbers to services in the DNS As soon as there is some incentive

8 Mitigate by deploying SSL?
Claim: SSL is not the magic bullet (Neither is DNSSEC) Problem: Users are offered a choice happens to often users are not surprised but annoyed Not the technology but the implementation and use makes SSL vulnerable Examples follow

9 Example 1: mismatched CN

10 Example 2: Unknown CA Unknown Certificate Authority

11 Confused?

12 How does DNSSEC come into this picture
DNSSEC secures the name to address mapping before the certificates are needed DNSSEC provides an “independent” trust path. The person administering “https” is most probably a different from person from the one that does “DNSSEC” The chains of trust are most probably different See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”

13 Any Questions so far? We covered some of the possible motivations for DNSSEC deployment Next: What is the status of DNSSEC, can it be deployed today?

14 DEPLOYMENT NOW DNS server infrastructure related
signing Protocol spec is clear on: Signing Serving Validating Implemented in Signer Authoritative servers Security aware recursive nameservers ` APP STUB serving validating

15 Main Problem Areas “the last mile” Key management and key distribution
improvement “the last mile” Key management and key distribution NSEC walk

16 The last mile How to get validation results back to the user
The user may want to make different decisions based on the validation result Not secured Time out Crypto failure Query failure From the recursive resolver to the stub resolver to the Application ` APP STUB validating

17 Problem Area signing Key Management
Keys need to propagate from the signer to the validating entity The validating entity will need to “trust” the key to “trust” the signature. Possibly many islands of security ` APP STUB validating

18 Secure Islands and key management
. com. net. os.net. money.net. kids.net. corp geerthe mac unix nt marnick dev market dilbert

19 Secure Islands Server Side
Different key management policies for all these islands Different rollover mechanisms and frequencies Client Side (Clients with a few to 10, 100 or more trust-anchors) How to keep the configured trust anchors in sync with the rollover Bootstrapping the trust relation

20 NSEC walk The record for proving the non-existence of data allows for zone enumeration Providing privacy was not a requirement for DNSSEC Zone enumeration does provide a deployment barrier Work starting to study possible solutions Requirements are gathered If and when a solution is developed it will be co-existing with DNSSEC-BIS !!! Until then on-line keys will do the trick.

21 Current work in the IETF (a selection based on what fits on one slide)
Last Mile draft-gieben-resolver-application-interface Key Rollover draft-ietf-dnsext-dnssec-trustupdate-timers draft-ietf-dnsext-dnssec-trustupdate-treshold Operations draft-ietf-dnsop-dnssec-operations NSEC++ draft-arends-dnsnr draft-ietf-dnsext-nsec3 draft-ietf-dnsext-trans

22 Questions??? Ask or send questions and feedback to

23 References and Acknowledgements
Some links “Is Hierarchical Public-Key Certification the Next Target for Hackers” can be found at: The participants in the dnssec-deployment working group provided useful feedback used in this presentation.

Download ppt "DNSSEC Basics, Risks and Benefits"

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.

DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

Similar presentations

Ads by Google