Presentation is loading. Please wait.

Presentation is loading. Please wait.

ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG

Published byCharla Hicks Modified over 9 years ago

Similar presentations

Presentation on theme: "ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG"— Presentation transcript:

1 ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de

2 ICANN - Cape Town 11/30/2004 Abstract Known Facts Claimed problems Way ahead

3 ICANN - Cape Town 11/30/2004 Facts The introduction of DNSSEC with the current form of the specification provides Zone Enumeration: –http://josefsson.org/walker/http://josefsson.org/walker/ An authoritative denial of existence of a given domain name delivers as a proof the next existing domain name. There were protocol changes to refuse AXFR

4 ICANN - Cape Town 11/30/2004 Facts Some key players for a successful widespread deployment of DNSSEC consider this as a problem: –Security problem? –Policy problem? –Legal problem?

5 ICANN - Cape Town 11/30/2004 Security problem? An attack begins by identifying your target: http://www.research.att.com/~smb/papers/dnshack.pdf http://www.research.att.com/~smb/papers/dnshack.pdf “But domain names can be gathered by other means, for instance, dictionary attacks” –German + English dictionary + John the Ripper = 1% of the de-zone –Brute force on all 8-characters delivers 13% of the de-zone. –com-zone as a dictionary = 42% of the nl-zone

6 ICANN - Cape Town 11/30/2004 Policy problem? DNS information is public......there’s a qualitative difference between: –Making data available as a query/response mechanism –Making data available as a compilation DENIC’s policy: http://www.denic.de/en/faqs/allgemeine_faqs /index.html#section_185 http://www.denic.de/en/faqs/allgemeine_faqs /index.html#section_185

7 ICANN - Cape Town 11/30/2004 Legal problem? IANAL Nominet’s position: http://ops.ietf.org/lists/namedroppers/namedr oppers.2004/msg00687.html http://ops.ietf.org/lists/namedroppers/namedr oppers.2004/msg00687.html DENIC’s position: –In conflict with Germany’s Federal Data Protection Act

8 ICANN - Cape Town 11/30/2004 Way ahead IETF dnsext wg decided to advance the current specification as a proposed standard Inmediately started to work on the problem following The Engineering Way (TM): –Listing the requirements for a denial of existence –Weighting their relevance, since sometimes trade-offs exist –Evaluating proposals

9 ICANN - Cape Town 11/30/2004 Working documents http://www.ietf.org/internet-drafts/draft-ietf-dnsext- signed-nonexistence-requirements-01.txthttp://www.ietf.org/internet-drafts/draft-ietf-dnsext- signed-nonexistence-requirements-01.txt http://www.links.org/dnssec/requirements-matrix3.htm http://www.links.org/dnssec/draft-laurie-dnsext-nsec2- 02.txthttp://www.links.org/dnssec/draft-laurie-dnsext-nsec2- 02.txt http://www.ietf.org/internet-drafts/draft-arends-dnsnr- 00.txthttp://www.ietf.org/internet-drafts/draft-arends-dnsnr- 00.txt http://www.ietf.org/internet-drafts/draft-ietf-dnsext- dnssec-trans-01.txthttp://www.ietf.org/internet-drafts/draft-ietf-dnsext- dnssec-trans-01.txt

10 ICANN - Cape Town 11/30/2004 Many thanks for your attention! Any questions?

Download ppt "ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG"

Similar presentations

Whois Task Force GNSO Public Forum Wellington March 28, 2006.

Whois Task Force GNSO Public Forum Wellington March 28, 2006.
© 2006 NEC Corporation - Confidential age 1 November 2008 - 1 SPEERMINT Security Threats and Suggested Countermeasures draft-ietf-speermint-voipthreats-01.

© 2006 NEC Corporation - Confidential age 1 November SPEERMINT Security Threats and Suggested Countermeasures draft-ietf-speermint-voipthreats-01.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
NSEC5: Provably Preventing DNSSEC Zone Enumeration

NSEC5: Provably Preventing DNSSEC Zone Enumeration
The German Experience: Patent litigation and nullification cases

The German Experience: Patent litigation and nullification cases
RSVP Cryptographic Authentication ...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.

RSVP Cryptographic Authentication "...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.
1 Improved DNS Server Selection for Multi-Homed Nodes draft-savolainen-mif-dns-server-selection-04 Teemu Savolainen (Nokia) Jun-ya Kato (NTT) MIF WG meeting.

1 Improved DNS Server Selection for Multi-Homed Nodes draft-savolainen-mif-dns-server-selection-04 Teemu Savolainen (Nokia) Jun-ya Kato (NTT) MIF WG meeting.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
IANA Activities Update Jean-Jacques Sahel | RIPE 70 Amsterdam| 15 May 2015.

IANA Activities Update Jean-Jacques Sahel | RIPE 70 Amsterdam| 15 May 2015.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
New gTLD Basics. 2  Overview about domain names, gTLD timeline and the New gTLD Program  Why is ICANN doing this; potential impact of this initiative.

New gTLD Basics. 2  Overview about domain names, gTLD timeline and the New gTLD Program  Why is ICANN doing this; potential impact of this initiative.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.

Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.
DSSA-WG Progress Update Dakar – October 2011. Charter: Background At their meetings during the ICANN Brussels meeting the At-Large Advisory Committee.

DSSA-WG Progress Update Dakar – October Charter: Background At their meetings during the ICANN Brussels meeting the At-Large Advisory Committee.
Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.

Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.

Similar presentations

Ads by Google