Presentation is loading. Please wait.

Presentation is loading. Please wait.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Published byPercival Paul Modified over 9 years ago

Similar presentations

Presentation on theme: "Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman"— Presentation transcript:

1

2 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net

3 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future

4 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi DNS: Data Flow master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 345 Registry/Registrar Provisioning

5 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi DNS Vulnerabilities master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 345 Corrupting data Impersonating master Unauthorized updates Cache impersonation Cache pollution by Data spoofing Altered zone data Registry/Registrar Provisioning

6 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi DNS exploit example Mail gets delivered to the MTA listed in the MX RR. Man in the middle attack. Sending MTA Blackhat MTA Receiving MTA Resolver MX RR? MX RR

7 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Mail man in the middle ‘Ouch that mail contained stock sensitive information’ –Who per default encrypts all their mails? We’ll notice when that happens, we have log files –You have to match address to MTA for each logline.

8 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Other possible DNS targets SPF, DomainKey and family –Technologies that use the DNS to mitigate spam and phishing: $$$ value for the black hats StockTickers, RSS feeds –Usually no source authentication but supplying false stock information via a stockticker and via a news feed can have $$$ value ENUM –Mapping telephone numbers to services in the DNS As soon as there is some incentive

9 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Mitigate by deploying SSL? Claim: SSL is not the magic bullet –(Neither is DNSSEC) Problem: Users are offered a choice –happens to often –users are not surprised but annoyed Not the technology but the implementation and use makes SSL vulnerable Examples follow

10 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi www.robecodirect.nl www.robecoadvies.nl Example 1: mismatched CN

11 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Unknown Certificate Authority Example 2: Unknown CA

12 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Confused?

13 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi How does DNSSEC come into this picture DNSSEC secures the name to address mapping –before the certificates are needed DNSSEC provides an “independent” trust path. –The person administering “https” is most probably a different from person from the one that does “DNSSEC” –The chains of trust are most probably different –See acmqueue.org article: “Is Hierarchical Public- Key Certification the Next Target for Hackers?”

14 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Any Questions so far? We covered some of the possible motivations for DNSSEC deployment Next: What is the status of DNSSEC, can it be deployed today?

15 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi DEPLOYMENT NOW DNS server infrastructure related ` APP STUB Protocol spec is clear on: Signing Serving Validating Implemented in Signer Authoritative servers Security aware recursive nameservers signing serving validating

16 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Main Problem Areas “the last mile” Key management and key distribution NSEC walk improvement

17 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi The last mile ` APP STUB How to get validation results back to the user The user may want to make different decisions based on the validation result –Not secured –Time out –Crypto failure –Query failure From the recursive resolver to the stub resolver to the Application validating

18 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Problem Area ` APP STUB Key Management Keys need to propagate from the signer to the validating entity The validating entity will need to “trust” the key to “trust” the signature. Possibly many islands of security signing validating

19 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Secure Islands and key management net. money.net. kids.net. geerthe corp dev market dilbert unixmac marnick nt os.net. com..

20 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Secure Islands Server Side –Different key management policies for all these islands –Different rollover mechanisms and frequencies Client Side (Clients with a few to 10, 100 or more trust-anchors) –How to keep the configured trust anchors in sync with the rollover –Bootstrapping the trust relation

21 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi NSEC walk The record for proving the non-existence of data allows for zone enumeration Providing privacy was not a requirement for DNSSEC Zone enumeration does provide a deployment barrier Work starting to study possible solutions –Requirements are gathered –If and when a solution is developed it will be co- existing with DNSSEC-BIS !!! –Until then on-line keys will do the trick.

22 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Current work in the IETF (a selection based on what fits on one slide) Last Mile draft-gieben-resolver-application-interface Key Rollover draft-ietf-dnsext-dnssec-trustupdate-timers draft-ietf-dnsext-dnssec-trustupdate-treshold Operations draft-ietf-dnsop-dnssec-operations NSEC++ draft-arends-dnsnr draft-ietf-dnsext-nsec3 draft-ietf-dnsext-trans

23 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi Questions??? or send questions and feedback to olaf@ripe.net

24 Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. http://www.ripe.net/disi References and Acknowledgements Some links –www.dnssec.net –www.dnssec-deployment.org –www.ripe.net/disi/dnssec_howto “Is Hierarchical Public-Key Certification the Next Target for Hackers” can be found at: http://www.acmqueue.org/modules.php?name=Content&pa=sho wpage&pid=181 The participants in the dnssec-deployment working group provided useful feedback used in this presentation.

Download ppt "Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman"

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Similar presentations

Ads by Google