Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Published byAmbrose Rose Modified over 9 years ago

Similar presentations

Presentation on theme: "Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications."— Presentation transcript:

1 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 12 DNS Security Extensions DNSSEC

2 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 2 DNS Resolution via Recursive Nameserver

3 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 3 DNS Request

4 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 4 DNS Response

5 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 5 Simple DNS Cache Poisoning

6 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 6 Guessing Query ID and UDP Source Port

7 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 7 The Dan Kaminsky DNS Vulnerability – July 2008

8 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 8 DNS Root Servers A VeriSign Inc. B C D E F G H I J K L M Information Sciences Institute, USC OperatorIPv4 198.41.0.4 192.228.79.201 192.33.4.12 128.8.10.90 192.203.230.10 192.5.5.241 192.112.36.4 128.63.3.53 192.36.148.17 192.58.128.30 193.0.14.129 199.7.83.42 202.12.27.33 IPv6 2001:503:BA3E::2:30 # 2001:478:65::53 - - - 2001:500:2F::F - 2001:500:1::803F:235 2001:7FE::53 2001:503:C27::2:30 2001:7FD::1 2001:500:3::42 2001:DC3::35 Cogent Communications 4 1 6 University of Maryland1 NASA Ames Research Center1 Internet Systems Consortium Inc.49 US DoD Network Information Center6 US Army Research Lab1 Autonomica/NORDUnet34 VeriSign Inc.70 RIPE NCC18 ICANN3 WIDE Project6 200 Total number of servers:

9 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 9 Global Map of Root Servers

10 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 10 root DNSKEY (KSK) * * explicit import e.g. via trusted web site ch. DNSKEY (KSK) ZSK ch. DS DNSSEC Chain of Trust root KSK/ZSK ch. DNSKEY (ZSK) ZSK switch.ch. DS switch.ch. DNSKEY (KSK) KSK/ZSK switch.ch. DNSKEY (ZSK) ch. switch.ch. www.switch.ch. A x.x.x.x ZSK switch.ch. NS ns1/ns2 ZSKKSK/ZSK root DNSKEY (ZSK)

11 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 11 DNSSEC Resource Records I - DNSKEY DNSKEY - DNS Public Key Contains a public key used to sign the RRsets of a zone switch.ch. 81154 IN DNSKEY 256 3 5 AwEAAeCDWwjJO4mXBzayiKf4p7waJ7Ew eUnsTsAWkxpfELci4iaVdBugzYPfsZIg 9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJ jXAGMRwRJIBprFx4BXZSsjsvGb6MGC+e xHSlXw== ;{id = 64608 (zsk), size = 768b} Flags field 256 -> Zone Signing Key (ZSK) 257 -> Key Signing Key (KSK) with secure entry point (SEP) flag set Algorithm field 5 -> SHA-1 with RSA 7 -> SHA-1 with RSA & NSEC3 with SHA-1 8 -> SHA-256 with RSA 10 -> SHA-512 with RSA

12 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 12 DNSSEC Resource Records II - RRSIG RRSIG - Resource Record Signature Contains a public key signature over a resource record set (RRset) merapi.switch.ch. 172800 IN A 130.59.211.10 merapi.switch.ch. 172800 IN RRSIG A 5 3 172800 20091128231033 20091029231033 64608 switch.ch. 3KW9YjxdL08FqVYKFSn9 Q4+8U1iYrVCun+J1Ny8Y IiMC+6oQS/GZwRn2mr+H MruwEjNB9s7bWGzRmRiR TATPvS67gxjCiJkSP58P kGJ1dW3wBaz6r1feGNvz KhHLhvRe ;{id = 64608} Signature Expiration and Inception Fields The signature is not valid before Inception and after Expiration date. Key Tag Field Contains the key tag of the key which signed the RRset.

13 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 13 DNSSEC Resource Records III - DS DS - Delegation Signer Signed hash computed over KSK of child zone switch.ch. 3364 IN DS 43837 5 1 91dcfca519cf8b038441869878cc3610 60200534 switch.ch. 3364 IN DS 43837 5 2 838cef7635952df83311a92b48ae7f19 1ae29484534e38b1ab7b3d0966b9ee55 switch.ch. 3416 IN RRSIG DS 7 2 3600 20091123183442 20091117220724 31034 ch. LPh8RgXQSqPcdQz6s1PJOjTuopO9RxQg s1YYCY/CnhYaHxb6ndNBJ7QP20eKN+91 /ULjN4Ep/k9Pgtos979i5OfEXpfLcWcv rKP1xGvqW4PjP+MT1PDs6uKisEUqGBoQ p7+nkkzjY+YsDbxtTV+/8uHcSnNmXoMm SqPms3G0aw4= ;{id = 31034}

14 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 14 DNSSEC Resource Records IV - NSEC NSEC – Next Owner Name Authenticated denial of existence of an owner name merapi.switch.ch. 180 IN NSEC mercury.switch.ch. A PTR AAAA LOC RRSIG NSEC merapi.switch.ch. 180 IN RRSIG NSEC 5 3 180 20091128231033 20091029231033 64608 switch.ch. kW1SnXWoJKwOHEG1P3INI83EOGuQ GujwvBT/MSWVQ+ms/2DXxjQcpt1Z P07+XI51cc0t7erUUG31KZdmUpXZ tQzPUJh49jjLh9aTjRiH1xGhlxv5 af+N95JDykRGSOAq ;{id = 64608} Proof that there is no name between merapi.switch.ch. and mercury.switch.ch. Allows enumeration of complete zone data!!!

15 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 15 DNSSEC Resource Records V - NSEC3 NSEC3 – Next Owner Name in Hashed Order Hashed Authenticated Denial of Existence h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN NSEC3 1 1 1 d399eaab h9rsfb7fpf2l8hg35cmpc765tdk23rp6 NS SOA RRSIG DNSKEY NSEC3PARAM ; flags: optout h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN RRSIG NSEC3 7 2 86400 20091202211702 20091118201702 5273 org. a+CC37hRM7yCFBaZn2SeRgY9h247GXptCuBYf45TwaoR xvBwTAXPT+UwZ/4hxwc2v7AR7ZZ8UOMiNJvYsl59eFW8 Xtgws4/Aih0fJ2/O8yUHwI695fRf9PrpxXEpqzStjSZP 5arJ1oldDAHcnxgLqdAMW6wnK1FNrslfJblJlmU= ;{id = 5273} Proof that there is no name between org. and ???.org. Does not allow straight enumeration of zone data! Dictionary attacks are possible but expensive.

16 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 16 DNSSEC Root Zone Signing Process ICANN Vetting and Processing TLD Operator DS Records DoC NTIA Authorization of Changes DS Records VeriSign Editing and Signing of Root Zone DS Records Root Servers (A,..., M) DS Records Root ZSK ZSK

17 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 17 DNSSEC Root Zone Signing Key Signing Process VeriSign ZSK Management ZSK Private Key ZSK ICANN KSK Management KSR Key Signing Request KSK Private Key KSK Published on Web Site ZSK KSK SKR Signed Key Response

18 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 18 ICANN Key Ceremonies Tier 1 – Facility – Access Control by Data Center Tier 2 – Facility – Access Control by Data Center Tier 3 – Facility – Access Control by Data Center Tier 4 – Cage – Access Control by Data Center Tier 5 – Safe Room – Access Control by ICANN Tier 6 – Safe #1 Tier 6 – Safe #2 Tier 7 – Safe Deposit Box Crypto Officers‘ Credentials Tier 7 – HSM KSK Private Keys Key Ceremony Computer

19 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 19 ICANN Key Ceremonies

20 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 20 Periodic Key Rollover T-10T+0T+10T+20T+30T+40T+50T+60T+70T+80T+90 ZSK post-publish ZSK pre-publish ZSK post-publish ZSK pre-publish ZSK KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign KSK revoke+sign KSK revoke+sign KSK publish KSK publish KSK publish KSK publish KSK publish KSK publish+sign KSK publish+sign KSK publish+sign KSK publish+sign ZSK Rollover (every 90 days) Optional KSK Rollover (every 2-5 years or on demand) RRSIG Validity Period (10 days + 50% overlap)

21 Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 21 DNSSEC Deployment (November 28 2011) TLDs signed by root zone: 11 gTLDs: arpa asia biz cat com edu gov info museum net org 54 ccTLDS: ac ag am be bg br bz ch cl co cz de dk eu fi fr gi gl gr hn in io jp kg kr la lc li lk lu me mn my na nc nl nu pm pr pt re sc se sh su tf th tm tw ug uk us wf yt 2 IDN ccTLDS: xn--kprw13d xn--kpry57d ( 台湾 Taiwan) TLDs with DNSKEY set: 1 gTLD: mil 3 ccTLDs: mm nz vc 2 IDN ccTLDs: xn--fzc2c9e2c ( Sinhala Sri Lanka) xn--xkc2al3hye2a ( இலங்கை Tamil Sri Lanka) Signing of major gTLDs: net: December 9, 2010 com: March 2011

Download ppt "Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Naming: The Domain Name System Nick Feamster CS 4251 Fall 2008.

Naming: The Domain Name System Nick Feamster CS 4251 Fall 2008.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA

ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai

DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.

DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.
High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley

High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley
Anne-Marie Eklund Löwinder Chief Information Security Officer Twitter: amelsec Thank’s to Fredrik Ljunggren, Kirei & Mehmet.

Anne-Marie Eklund Löwinder Chief Information Security Officer Twitter: amelsec Thank’s to Fredrik Ljunggren, Kirei & Mehmet.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

Similar presentations

Ads by Google