Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Published byMae Boone Modified over 8 years ago

Similar presentations

Presentation on theme: "Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1."— Presentation transcript:

1 Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1

2 What is DNSSEC and How it Works Just kidding… – Does anyone really want another DNSSEC 101? First, background on how DNSSEC actually works 2

3 What Do We Have Today Zone admins know their own DNSKEYs – Nominally, this info is held in a local file Some software is starting to bundle DNSKEY sets in local config files to bootstrap resolvers – Lets resolvers verify DNSSEC data out of the box – Useful in some ways, but… – What’s the shelf-life of those keys? – Don’t change that file, or when you update, you get your changes overwritten 3

4 Key Configuration Today 4 Software key file Locally managed configuration

5 Using Local Files for Verification Thus, our starting point today is a set of two types of local files This structure has some clear benefits – Local verification can be done without introducing external (especially single) points of failure – Local knowledge can take precedence over 3 rd party data – Ops can even remove keys that use “undesirable” crypto algorithms (i.e. GOST vs. RSA) 5

6 One More Step Completes the Spectrum What about keys that an operator believes should override or supplement the distro file, but not based on local knowledge? – Keys from web pages, newspapers, Ms. Cleo TM, etc. One more type of file gives a sufficient set of basic trust management components – A TAR keys file 6

7 Adding TARs to This 7 Vendor key file Local config Keys from TAR (in the sky) Keys from TAR (in the sky)

8 Managing Trust Anchors Will we always need local TAs? – I think yes (consider local knowledge if nothing else) Trust management should be done locally – Isolation from 3 rd party failures – Local ground truth – Local policies Three basic elements facilitate this – Local configuration key file + TAR key file + vendor key file Now resolvers can function out of the box In addition, can still use local knowledge, preferences, and expertise to enhance operations 8

9 Thanks 9

10 Backup 10

11 11 DNSSEC Background DNSSEC provides origin authenticity, data integrity, and secure denial of existence by using public-key cryptography Origin authenticity: – Resolvers can verify that data has originated from authoritative sources. Data integrity – Can also verify that responses are not modified in-flight Secure denial of existence – When there is no data for a query, authoritative servers can provide a response that proves no data exists

12 12 How DNSSEC Works DNSSEC zones create public/private keys – Public portion goes in DNSSEC record type: DNSKEY Zones sign all RRsets and resolvers use DNSKEYs to verify them – Each RRset has a signature attached to it: RRSIG So, once a resolver has a zone’s DNSKEY(s) it can verify that RRsets are intact by verifying their RRSIGs

13 13 Signing Example Using a zone’s key on a standard RRset (the NS) Signature (RRSIG) will only verify with the DNSKEY if no data was modified

14 14 Getting the Keys Until a resolver gets the DNSKEY(s) for a zone, data can be spoofed How can a resolver know that the DNSKEYs themselves are not being spoofed? DNSSEC zones securely delegate from parents to children Zones that have no secure parents are called trust anchors When a zone is a trust anchor the zones that it delegates to (and itself) form an island of security

Download ppt "Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Availability Problems in the DNSSEC Deployment Eric Osterweil Dan Massey Lixia Zhang 1.

Availability Problems in the DNSSEC Deployment Eric Osterweil Dan Massey Lixia Zhang 1.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker 2012 Oct.

Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker Oct.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Email Security Jonathan Calazan December 12, 2005.

Security Jonathan Calazan December 12, 2005.

Similar presentations

Ads by Google