Presentation is loading. Please wait.

Presentation is loading. Please wait.

Who’s watching your network DNS Security Extensions Presentation to 19th NANOG meeting Albuquerque, NM Edward Lewis NAI Labs June 11-13,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Who’s watching your network DNS Security Extensions Presentation to 19th NANOG meeting Albuquerque, NM Edward Lewis NAI Labs June 11-13,"— Presentation transcript:

1 Who’s watching your network DNS Security Extensions Presentation to 19th NANOG meeting Albuquerque, NM Edward Lewis lewis@tislabs.com NAI Labs June 11-13, 2000

2 #2 11-13 June 2000lewis@tislabs.com Who’s watching your network Changes are coming to DNS DNS is undergoing a number of changes –DNSSEC - my topic –Dynamic Update RFC 2136 (see bibliography for URL) –IPv6 - new A6 records and reverse map http://www.ietf.org/internet-drafts/draft-ietf-ipngwg- dns-lookups-08.txt –Various other improvements EDNS0 - ftp://ftp.isi.edu/in-notes/rfc2671.txt Software boosts

3 #3 11-13 June 2000lewis@tislabs.com Who’s watching your network DNSSEC Ingredients DNS Security Extensions –KEY and SIG resource records –NXT resource records Query-Response Security –TSIG and SIG(0) meta records –TKEY meta record Serving Security Data –CERT(ificate) resource record Dynamic Update Security –Update authorization

4 #4 11-13 June 2000lewis@tislabs.com Who’s watching your network Features Protection of Internet-scale DNS data transfers –Data is signed using scaleable public keys –Absent data notices (e.g. NXDOMAIN) secured Protection of local DNS transfers –Entire message secured (header and data) Public Key Infrastructure –Look up keys instead of trusting “what is heard” or manually entered Secured dynamic updates to zones –Authorized changes to zone data can be made

5 #5 11-13 June 2000lewis@tislabs.com Who’s watching your network Specification, Software Status DNSSEC is defined in RFC 2535 & others –IETF proposed standard (proposed,draft,full) –See bibliography for more docs Internet Software Consortium’s BIND –Version 8.2 (March 1999) was the beginning Not a full implementation of DNSSEC Current version 8.2.2-P5 –Third Beta of Version 9 has been released Partial build of what will be the first full implementation of DNSSEC

6 #6 11-13 June 2000lewis@tislabs.com Who’s watching your network State of the Protocol Work is progressing to refine protocol –IETF WG on DNS Extensions (DNSEXT) –Much work remains to progress to "Full Standard" –Internet Drafts document the work in progress Operational experience is very limited –IETF WG on DNS Operations (DNSOP) –Three workshops have been held with BINDv8 –“How to operate” and “policy” questions abound

7 #7 11-13 June 2000lewis@tislabs.com Who’s watching your network Deployment Plans Major push in Europe –Three ccTLD's plan to have signed zones by first quarter next year, one as soon as 1/1/2001 –CENTR has a DNSSEC WG in action Root Servers –Looking into adoption, sooner rather than later –Need BIND 9 to be out & stable first U.S. –Nothing firm, just some "interest" Deployment experience is needed to evaluate the current protocol definition

8 #8 11-13 June 2000lewis@tislabs.com Who’s watching your network DNS Terminology Secondary “Other” Server Recursive ServerCache Root Server Secondary Authoritative Server Primary Resolver Name Servers Things to keep in mind

9 #9 11-13 June 2000lewis@tislabs.com Who’s watching your network DNS RRs and RR sets –myname.xy. 14400 IN A 123.123.123.123 –myname.xy. 14400 IN A 203.123.245.123 In DNS today –Records with common owner, type, class are treated together, but still are singular entities For DNSSEC –The RR set is formalized –No longer are records singular, always treated as a set  So, I will be talking about “sets” of data Things to keep in mind

10 #10 11-13 June 2000lewis@tislabs.com Who’s watching your network Zones vs. Servers Zone is an a dministrative cut of the name space Name server is a h ost dispensing information Relationship –A zone is served by name servers (1 or more) –A name server may serve many zones (0 or more) –Authoritative servers have the original zone data –Primary master server has the data in a source text file  DNSSEC secures on the basis of zones  Query/Response secures between a resolver and a server –Or, in the case of zone transfers, between two servers Things to keep in mind

11 #11 11-13 June 2000lewis@tislabs.com Who’s watching your network Cryptography Symmetric keys (aka shared secret) –One key, encrypts and decrypts/signs and verifies –Problem: distributing the secret secretly, storing the secret secretly Asymmetric keys (aka public key) –Pair of keys, one encrypts/signs, other decrypts/verifies –Problem: slower than symmetric Optimization –Use asymmetric keys to agree upon a symmetric key Other issues: patents and export control Things to keep in mind

12 #12 11-13 June 2000lewis@tislabs.com Who’s watching your network DNS Security Extensions Protecting data transfers in which scalability is critical –I.e., inter-server queries Resource records introduced –SIG holds a digital signature (asym. keys) –KEY holds a public key –NXT indicates data present and next name Start of "detail s"

13 #13 11-13 June 2000lewis@tislabs.com Who’s watching your network The KEY RR KEY 0x4101 3 1 AQOp5t...d68o6r Flags Protocol Algorithm (Crypto) Key bits

14 #14 11-13 June 2000lewis@tislabs.com Who’s watching your network The SIG RR SOA 1 4 600 19990528183511 19990430183511 2094 39.171.199.in-addr.arpa. (sig) Algorithm Original TTL Expiration Start Time Signer Key Footprint and Domain Name Signature Type Covered Label count Squint

15 #15 11-13 June 2000lewis@tislabs.com Who’s watching your network The NXT RR 1.39.171.199.in-addr.arpa. NS SOA TXT SIG KEY NXT Next name Type Bit Map

16 #16 11-13 June 2000lewis@tislabs.com Who’s watching your network A quirk of NXT The NXT record indicates the data sets present at the owner's name It also indicates the next name in the zone There is one NXT for most names, but delegation names have two –A delegation name appears both above and below the cut point –One NXT belongs to the "upper" zone –The other to the "lower" zone NXT's are not generally "loved"

17 #17 11-13 June 2000lewis@tislabs.com Who’s watching your network A signed zone, page 1 This example shows the KEY, SIG, and NXT RRs ; Generated by dns_signer dated October 18, 1999 $ORIGIN tise.cairn.net. @ 14400 IN SOA test.netsec.tislabs.com. lewis.tislabs.com. 2000020701 1D 1H 1W 4H 14400 IN SIG SOA 3 3 14400 20000306184745 20000207184745 48320 tise.cairn.net. ( AIrF9Hb/BzoZ3xir1K81xLzprIEVBFZLEE6Sqy8HlaU5r3ux VfBbcTA= ) 14400 IN KEY 0x4100 3 3 ( ALb/qZQ/oVHyotuSbBWI1N+OYwRLv5RMc7XXb0wYE/tY02qF Uf+9czS0B7pU2jYppF7RwL8b/OcWG3iAzaztzq6S0ZoQIh8J M5LummzJiNl3aqxDxUZH6pwmPNuiMbGl++2tUks+MAallpUz 4tEJPeBF+Zj8boYwWhQDaV6nwDY6kIrqRqhvAmOZHqtqzFT6 SdA07usEZEzZkXXS6PIg6JcN7mNhUa0qkDSNTIkrHWNCh++G 56dtKNxk4qn3ESreg/S2BRGWQ2/7X0PjMyBkDefvdIsw ) 14400 IN SIG KEY 3 3 14400 20000225145656 20000128145656 48320 tise.cairn.net. ( AKM6fdJmcV3Wec7sYKR5ktX2C3kWTLTcITD4iBP2rJVSF1Kx nsi3bRI= )...continues on next slide... Squint

18 #18 11-13 June 2000lewis@tislabs.com Who’s watching your network A signed zone, page 2 @ 14400 IN NS buddy.netsec.tislabs.com. 14400 IN NS active.netsec.tislabs.com. 14400 IN NS test.netsec.tislabs.com. 14400 IN SIG NS 3 3 14400 20000225145656 20000128145656 48320 tise.cairn.net. ( AKqbf3kRV1P63jDVS96dq9dMB/OXjLw0FDtdUuyVIq2Q3Z23Ep5835k= ) 14400 IN NXT active.tise.cairn.net. NS SOA SIG KEY NXT 14400 IN SIG NXT 3 3 14400 20000225145656 20000128145656 48320 tise.cairn.net. ( AHZaL7BjH0l2VULlQJb6gXIsXjRhICsWvMapVfP2qBrGMGYl3c7yIk8= ) active 14400 IN CNAME active.netsec.tislabs.com. 14400 IN SIG CNAME 3 4 14400 20000225145656 20000128145656 48320 tise.cairn.net. ( ACqtgIY8TkwTw83rQmt3f0P0x+TmpcCtCz1+EsFmYybcSY0lhP2Nht4= ) active 14400 IN NXT amp.tise.cairn.net. CNAME SIG NXT 14400 IN SIG NXT 3 4 14400 20000225145656 20000128145656 48320 tise.cairn.net. ( AC75idNrAm5O1YUS1ZBD9ecDgEDdFWlWN+etN74AqVoDlhtYW8dmWeo= ) amp 14400 IN NS test.netsec.tislabs.com. 14400 IN NS active.netsec.tislabs.com. 14400 IN NS buddy.netsec.tislabs.com. amp 14400 IN NXT buddy.tise.cairn.net. NS SIG KEY NXT 14400 IN SIG NXT 3 4 14400 20000225145656 20000128145656 48320 tise.cairn.net. ( ADg3LFw5GvcFHgC7UaCZrK/rn5IVOg8ddTgkWz9PK9Z1KvToQbNZ3NQ= )....and there's still more to the zone, not shown Squint

19 #19 11-13 June 2000lewis@tislabs.com Who’s watching your network DNSSEC Queries Query- Response Security DNSSEC Security Squint

20 #20 11-13 June 2000lewis@tislabs.com Who’s watching your network Going secure Preparation (not necessarily in order) –A "secured" zone begins with an "unsecured" zone –Zone key pair generated and validated by parent –SIG records generated for each set in zone –NXT and SIG(NXT) are generated and added Running –Response to query includes the desired set(s), the SIG (set), and possibly KEY and SIG(KEY)'s that will help the resolver evaluate the answer –There are many variations on this, this is the general theme

21 #21 11-13 June 2000lewis@tislabs.com Who’s watching your network Query/Response Security Processing power is a greater issue than scalability –This includes lightweight resolver queries to a "preferred" server –Zone transfers (AXFR) –A basis for securing dynamic update (Meta-) Resource records introduced –TSIG/SIG(0) –TKEY

22 #22 11-13 June 2000lewis@tislabs.com Who’s watching your network TSIG DNS Header Question Answer Authority Additional & TSIG data A “keyed hash” covering entire DNS message –Uses a shared secret, shared between resolver and server Messages covered –query - response –zone transfer –dynamic updates DNS’ Original Message Format

23 #23 11-13 June 2000lewis@tislabs.com Who’s watching your network TSIG Notes Storage of shared secret is an issue –No problem for named.conf, it can be protected –Problem for resolv.conf –TKEY is a proposed method for creating TSIGs Early use of TSIG –Zone transfers –“Special” clients (e.g., DHCP updaters) Widespread use later –Once overhead of sharing secrets is reduced

24 #24 11-13 June 2000lewis@tislabs.com Who’s watching your network TSIG in configuration files Primary server options {...;}; key "test" { algorithm hmac-md5; secret "ThePlaceToBe"; }; server 10.33.40.35 { keys {test;}; }; Secondary server options {...;}; key "test" { algorithm hmac-md5; secret "ThePlaceToBe"; }; server 10.33.40.46 { keys {test;}; };

25 #25 11-13 June 2000lewis@tislabs.com Who’s watching your network SIG(0) DNS Header Question Answer Authority Additional & SIG (0) data Functionally equivalent to TSIG –Uses asymmetric keys instead of shared secret Messages covered –query - response –zone transfer –dynamic updates DNS’ Original Message Format

26 #26 11-13 June 2000lewis@tislabs.com Who’s watching your network SIG (0) Notes Defined in RFC 2535 w/KEY, SIG, and NXT –A current Internet Draft fixes the specification SIG(0) requires a public key to be in a zone Suffers performance hit of public key cryptography –Useful where performance hit isn't as bad as overhead managing shared secrets Requires client to have a private key available to the resolver

27 #27 11-13 June 2000lewis@tislabs.com Who’s watching your network TKEY DNS Header Question Answer Authority Additional & TKEY,KEY,... Sent in a request to create a TSIG shared secret Request is accompanied by a KEY from which to generate the shared secret This is an example of the optimization on the "Cryptography" slide (#11) DNS’ Original Message Format

28 #28 11-13 June 2000lewis@tislabs.com Who’s watching your network TKEY Notes TKEY is sent by resolver to set up a TSIG with server –Diffie-Hellman mode –GSSAPI - in Windows 2000 –Server or Client assigned (no implementations) A TSIG is set up and used in subsequent queries and responses Unsigned DH TKEY requests can pose a denial of service threat –Allowing "anonymous" TKEY is dangerous because of the CPU load induced

29 #29 11-13 June 2000lewis@tislabs.com Who’s watching your network Security Data Server DNS can provide a public, scaleable, redundant mechanism to pass public security data –Certificates & Public Keys DNSSEC validation of data has limits –DNSSEC provides that "what you see is what I sent" –DNSSEC does not provide assurance that the contents were entered correctly Resource record introduced –CERT(ificate)

30 #30 11-13 June 2000lewis@tislabs.com Who’s watching your network The CERT RR Certificates are a means to bind a public key to an identity with conditions DNS CERT RR’s can store different kinds of certificates (X.509, SPKI, PGP) Software to make the RR’s is still lacking 3 10000 3 0123456789abcdef... Key Footprint Key Algorithm Certificate Cert Type

31 #31 11-13 June 2000lewis@tislabs.com Who’s watching your network Securing Dynamic Update Still in definition BINDv9 will implement "Simple Secure Update" –TSIG or SIG(0) covered messages identify the requestor –The name server holds an authorization matrix indicating whether the requestor is allowed to make the requested change –Granularity of the policy is being defined, some defaults are being identified, rest is up to admin

32 #32 11-13 June 2000lewis@tislabs.com Who’s watching your network Impact DNSSEC will increase attention paid to DNS –Data (SIG) "expires" from the authoritative server No more "load & forget" –Delegations have a recurring relationship –Administrators have to manage keys NOC procedures needed for this –Need more resources (CPU) to run Start of "wrap- up"

33 #33 11-13 June 2000lewis@tislabs.com Who’s watching your network Validating Delegations Validation of a zone's keys by its parent is important –Provides "proof" of zone delegation –Relationship between delegations be interactive Work is progressing on automating this Will this help keep registry info current?

34 #34 11-13 June 2000lewis@tislabs.com Who’s watching your network Off-line Signing Key Generator & Zone Signer Air Gap or Firewall DNS Server(s) Company/Public Network Admin/Protected Network Reason: Protect the Private Key(s) Secure Dynamic Update complicates this Issue: Will this be done? The DNSSEC specification refers to "off-line signing"

35 #35 11-13 June 2000lewis@tislabs.com Who’s watching your network Performance Hits Resource consumption –Increase data held and transferred –Increase in use of TCP –Increase in CPU cycles Verifying keys (up to the root) will require more queries –Requires a lot of computation, message latency

36 #36 11-13 June 2000lewis@tislabs.com Who’s watching your network Bibliography - IETF Documents IETF Standards Documents –RFC 2535-2539 and 2541 http://www.ietf.org/rfc/rfc2535.txt and others http://www.ietf.org/rfc/rfc2136.txt -- Dynamic Update ftp://ftp.isi.edu/in-notes/rfc2845.txt -- TSIG –DNSEXT, DNSOP WG pages http://www.ietf.org/html.charters/dnsext-charter.html http://www.ietf.org/html.charters/dnsop-charter.html –Internet Drafts (relevant to DNS security) TKEY http://www.ietf.org/internet-drafts/draft-ietf-dnsext-tkey-02.txt SIG(0) http://www.ietf.org/internet-drafts/draft-ietf-dnsext-sig-zero-01.txt Simple Secure Update http://www.ietf.org/internet-drafts/draft-ietf-dnsext-simple-secure-update-00.txt Other documents http://www.ietf.org/internet-drafts/draft-ietf-dnsext-zone-status-01.txt http://www.ietf.org/internet-drafts/draft-ietf-dnsext-signing-auth-00.txt

37 #37 11-13 June 2000lewis@tislabs.com Who’s watching your network Bibliography - Other Documents Technical Presentations –NAI Labs paper http://www.nai.com/nai_labs/asp_set/network_security/dns_secure_paper.asp Some of its references are out of date –NIC-SE Workshop, May, 1999 http://www.nic-se.se/dnssec/ –CAIRN Workshop, September, 1999 http://www.cairn.net/DNSSEC/ —NLnet Labs http://www.nlnetlabs.nl./dnssec/ DNS & BIND –Cricket Liu is working on explaining DNSSEC http://www.hp.dk/kursus/dns (in Danish) - PDF files are at the bottom of the page, in English –BIND http://www.isc.org/products/BIND/ ftp://ftp.isc.org/isc/bind9/ URLs checked May. 31, 2000

Download ppt "Who’s watching your network DNS Security Extensions Presentation to 19th NANOG meeting Albuquerque, NM Edward Lewis NAI Labs June 11-13,"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
Domain Name System: DNS

Domain Name System: DNS
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Domain Name System ( DNS )  DNS is the system that provides name to address mapping for the internet.

Domain Name System ( DNS )  DNS is the system that provides name to address mapping for the internet.

Similar presentations

Ads by Google