dnssec deployment from end customer to content
play

DNSSEC Deployment: From End-Customer to Content ION San Diego - PowerPoint PPT Presentation

Feb 20, 2023 •345 likes •772 views

DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012 www.internetsociety.org/deploy360/ Our Panel Today Moderator: Dan York, Internet Society Panelists: Jim Galvin, Afilias Rick Lamb, ICANN Cricket Liu,

  1. DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012 www.internetsociety.org/deploy360/

  2. Our Panel Today Moderator: Dan York, Internet Society Panelists: • Jim Galvin, Afilias • Rick Lamb, ICANN • Cricket Liu, Infoblox • Roland M. van Rijswijk-Deij, SURFnet www.internetsociety.org/deploy360/

  3. Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies: • Case Studies • Tutorials • Videos • Whitepapers • News, information English content, initially, but will www.internetsociety.org/deploy360/ be translated into other languages. www.internetsociety.org/deploy360/ 12/11/12

  4. What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" • Defined in RFCs 4033, 4034, 4035 • Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain … www.internetsociety.org/deploy360/

  5. A Normal DNS Interaction Web Server Resolver checks its local cache. If it has the example.com? DNS answer, it sends it back. 3 1 Resolver https://example.com/ example.com 10.1.1.123 If not … 4 Web web page Browser 2 10.1.1.123 www.internetsociety.org/deploy360/

  6. A Normal DNS Interaction DNS Svr root .com NS DNS Svr .com example.com Web NS Server example.com? DNS 2 5 1 DNS Svr Resolver https://example.com/ example.com 3 6 10.1.1.123 Web web page Browser 4 10.1.1.123 www.internetsociety.org/deploy360/

  7. DNS Works On Speed • First result received by a DNS resolver is treated as the correct answer. • Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: • Getting to the correct point in the network to provide faster responses; • Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses) www.internetsociety.org/deploy360/

  8. Attacking DNS DNS Svr root .com NS DNS Svr .com example.com Web NS Server example.com? DNS 2 5 1 DNS Svr Resolver https://example.com/ example.com 10.1.1.123 6 Web 3 web page Browser 4 192.168.2.2 Attacking 192.168.2.2 DNS Svr example.com www.internetsociety.org/deploy360/

  9. A Poisoned Cache Web Server Resolver cache now has wrong data: example.com? DNS 3 1 example.com 192.168.2.2 Resolver https://example.com/ 4 This stays in the cache until the Web Time-To-Live (TTL) expires! web page Browser 2 192.168.2.2 www.internetsociety.org/deploy360/

  10. How Does DNSSEC Help? • DNSSEC introduces new DNS records for a domain: • RRSIG – a signature ("hash") of a set of DNS records • DNSKEY – a public key that a resolver can use to validate RRSIG • A DNSSEC-validating DNS resolver: • Uses DNSKEY to perform a hash calculation on received DNS records • Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server. www.internetsociety.org/deploy360/ 12/11/12

  11. A DNSSEC Interaction DNS Svr root DNS Svr .com Web Server example.com? DNS 2 5 1 DNS Svr Resolver https://example.com/ example.com 3 6 10.1.1.123 Web DNSKEY web page RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/

  12. But Can DNSSEC Be Spoofed? • But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed? • An additional was introduced, the "Delegation Signer (DS)" record • It is a fingerprint of the DNSKEY record that is sent to the TLD registry • Provides a global "chain of trust" from the root of DNS down to the domain • Attackers would have to compromise the registry www.internetsociety.org/deploy360/ 12/11/12

  13. A DNSSEC Interaction DNS Svr root .com NS DS DNS Svr .com example.com Web NS Server DS example.com? DNS 2 5 1 DNS Svr Resolver https://example.com/ example.com 3 6 10.1.1.123 Web DNSKEY web page RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/

  14. The Global Chain of Trust DNS Svr root .com NS DS DNS Svr .com example.com Web NS Server DS example.com? DNS 2 5 1 DNS Svr Resolver https://example.com/ example.com 3 6 10.1.1.123 Web DNSKEY web page RRSIGs Browser 4 10.1.1.123 www.internetsociety.org/deploy360/

  15. Attempting to Spoof DNS DNS Svr root .com NS DS DNS Svr .com example.com Web NS Server DS example.com? DNS 2 5 1 DNS Svr Resolver https://example.com/ example.com 10.1.1.123 6 DNSKEY RRSIGs Web 3 web page Browser Attacking 192.168.2.2 DNS Svr DNSKEY example.com RRSIGs www.internetsociety.org/deploy360/

  16. Attempting to Spoof DNS DNS Svr root .com NS DS DNS Svr .com example.com Web NS Server DS example.com? DNS 2 5 1 DNS Svr Resolver https://example.com/ example.com 10.1.1.123 6 DNSKEY RRSIGs Web 3 web page Browser 4 SERVFAIL Attacking 192.168.2.2 DNS Svr DNSKEY example.com RRSIGs www.internetsociety.org/deploy360/

  17. What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. www.internetsociety.org/deploy360/ 12/11/12

  18. The Two Parts of DNSSEC Signing Validating Registries Applications Registrars Enterprises DNS Hosting ISPs www.internetsociety.org/deploy360/

  19. DNSSEC Signing - The Individual Steps • Signs TLD Registry • Accepts DS records • Publishes/signs records • Accepts DS records Registrar • Sends DS to registry • Provides UI for mgmt • Signs zones DNS Hosting Provider • Publishes all records • Provides UI for mgmt Domain Name • Enables DNSSEC Registrant (unless automatic) www.internetsociety.org/deploy360/

  20. Our Panel Today Moderator: Dan York, Internet Society Panelists: • Jim Galvin, Afilias • Rick Lamb, ICANN • Cricket Liu, Infoblox • Roland M. van Rijswijk-Deij, SURFnet www.internetsociety.org/deploy360/

  21. DNSSEC and SSL www.internetsociety.org/deploy360/

  22. Why Do I Need DNSSEC If I Have SSL? • A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) • SSL (more formerly known today as Transport Layer Security (TLS)) solves a different issue – it provides encryption and protection of the communication between the browser and the web server www.internetsociety.org/deploy360/

  23. The Typical TLS (SSL) Web Interaction DNS Svr root Web Server DNS Svr .com 5 https://example.com/ DNS Svr 6 example.com TLS-encrypted web page 2 example.com? 3 10.1.1.123 1 DNS Resolver Web Browser 4 10.1.1.123 www.internetsociety.org/deploy360/

  24. The Typical TLS (SSL) Web Interaction DNS Svr root Web Server DNS Svr .com 5 https://example.com/ DNS Svr 6 example.com TLS-encrypted web page 2 example.com? 3 10.1.1.123 1 DNS Resolver Is this encrypted with the Web CORRECT Browser 4 certificate? 10.1.1.123 www.internetsociety.org/deploy360/

  25. What About This? DNS Server Web https://www.example.com/ Server www.example.com? Firewall https://www.example.com/ TLS-encrypted web page (or 1 with CORRECT certificate attacker) 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate (re-signed by firewall) www.internetsociety.org/deploy360/

  26. Problems? DNS Server Web https://www.example.com/ Server www.example.com? https://www.example.com/ TLS-encrypted web page Firewall 1 with CORRECT certificate 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate (re-signed by firewall) www.internetsociety.org/deploy360/

  27. Problems? DNS Server Web https://www.example.com/ Server www.example.com? https://www.example.com/ TLS-encrypted web page Firewall 1 with CORRECT certificate 1.2.3.4 2 Web TLS-encrypted web page Browser with NEW certificate Log files (re-signed by firewall) or other servers Potentially including personal information www.internetsociety.org/deploy360/

  28. Issues A Certificate Authority (CA) can sign ANY domain. Now over 1,500 CAs – there have been compromises where valid certs were issued for domains. Middle-boxes such as firewalls can re-sign sessions. www.internetsociety.org/deploy360/

  29. A Powerful Combination • TLS = encryption + limited integrity protection • DNSSEC = strong integrity protection • How to get encryption + strong integrity protection? • TLS + DNSSEC = DANE www.internetsociety.org/deploy360/ 12/11/12

  30. DNS-Based Authentication of Named Entities (DANE) • Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? • A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. A browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self- signed certificate. www.internetsociety.org/deploy360/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical Architect, DCS1 Pte

432 views • 40 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia Corporation, a

913 views • 37 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

Welcome! DNS/DNSSEC Deployment tutorial Champika Wijayatunga <champika@apnic.net> 2 August 2006, Karachi, Pakistan In conjunction with SANOG 8 Background The original DNS protocol wasnt designed with security in mind It has

705 views • 15 slides
Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill SNE RP2 Presentations July 2, 2014 1/19 Introduction Methodology Results

398 views • 19 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill RIPE68 May 14, 2014 1/20 Introduction Methodology Results Introduction 1

673 views • 20 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
The ABCs of School Debt Financing Basic School Debt: Financing Mechanisms Part 2 Prepared

The ABCs of School Debt Financing Basic School Debt: Financing Mechanisms Part 2 Prepared

California Debt and Investment Advisory Commission and California Association of School Business Officials The ABCs of School Debt Financing Basic School Debt: Financing Mechanisms Part 2 Prepared by Dawn Vincent, January 2008 515 South

1.14k views • 68 slides
RAD Completion Certification Presented by HUDs Office of Recapitalization: Isabella

RAD Completion Certification Presented by HUDs Office of Recapitalization: Isabella

Overview of the RAD Completion Certification Presented by HUDs Office of Recapitalization: Isabella Cabbagestalk, Branch Chief, Closing & Post-Closing July 3, 2019 Agenda What is the RAD Completion Certification Requirements

347 views • 15 slides
FOR PHAs AND RAD TRANSACTIONS December 2015 Structure Tax Credit Syndication Limited

FOR PHAs AND RAD TRANSACTIONS December 2015 Structure Tax Credit Syndication Limited

LOW-INCOME HOUSING TAX CREDIT CLOSINGS FOR PHAs AND RAD TRANSACTIONS December 2015 Structure Tax Credit Syndication Limited partnership structure General partner owns just 0.01%, but controls and operates the project Passive

439 views • 26 slides
A Blockchain-based Mapping System IETF 98 Chicago March 2017 Jordi Pailliss, Albert

A Blockchain-based Mapping System IETF 98 Chicago March 2017 Jordi Pailliss, Albert

A Blockchain-based Mapping System IETF 98 Chicago March 2017 Jordi Pailliss, Albert Cabellos , Vina Ermagan, Fabio Maino acabello@ac.upc.edu htup://openoverlayrouter.org 1 A short Blockchain tutorial 2 Blockchain - Introductjon

545 views • 38 slides
Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction

Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction

Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction Cunsheng Cunsheng Ding Ding HKUST, Hong Kong, CHI NA HKUST, Hong Kong, CHI NA Secure Elect ronic Transact ions An applicat ion-layer secur it y

483 views • 24 slides
Related Party Transactions Audit and Appraiser Requirements 21 March 2018 EAD Regulation

Related Party Transactions Audit and Appraiser Requirements 21 March 2018 EAD Regulation

Related Party Transactions Audit and Appraiser Requirements 21 March 2018 EAD Regulation Development Team Outline Key audit aspects of the new rules What independent auditors should be looking for Impact of a modified audit

467 views • 43 slides
Bitcoin Selfish Mining Marie Vasek Secure Electric Commerce (some slides heavily inspired by Dr.

Bitcoin Selfish Mining Marie Vasek Secure Electric Commerce (some slides heavily inspired by Dr.

Bitcoin Selfish Mining Marie Vasek Secure Electric Commerce (some slides heavily inspired by Dr. Moore) s k c a t t a g n i d l o h h t i w k c o l b y r a r o p m e T n i o c t i B Bitcoin Selfish

567 views • 14 slides
Low Overhead Concurrency Control for Partitioned Main Memory Databases Evan P. C. Jones

Low Overhead Concurrency Control for Partitioned Main Memory Databases Evan P. C. Jones

Low Overhead Concurrency Control for Partitioned Main Memory Databases Evan P. C. Jones Daniel J. Abadi Samuel Madden Banks Payment Processing Airline Reservations E-Commerce Web 2.0 Problem :

1.09k views • 81 slides

More recommend