dnssec for everybody a beginner s guide
play

DNSSEC for Everybody: A Beginners Guide | ICANN 55 | March 2016 - PowerPoint PPT Presentation

Apr 01, 2023 •186 likes •667 views

DNSSEC for Everybody: A Beginners Guide | ICANN 55 | March 2016 The Schedule Outline(Concept( Segment( Duration( Speaker( Welcome'and'Introduction' 2'mins' Dan' (((((((((((((((((((((((((Welcome( Caveman''DNSSEC'5000BC' 3'mins'

  1. DNSSEC for Everybody: A Beginner’s Guide | ICANN 55 | March 2016

  2. The Schedule Outline(Concept( Segment( Duration( Speaker( Welcome'and'Introduction' 2'mins' Dan' (((((((((((((((((((((((((Welcome( Caveman'–'DNSSEC'5000BC' 3'mins' Dan' DNS'Basics' 5'mins' Dan' Basic(Concepts( DNS'Chain'of'Trust'@'Live' 5'mins' Dan' DNSSEC'–'How'it'works' 10'mins' Dan' Core(Concepts( DNSSEC'–'Chain'of'Trust'Live' 5'mins' Wes' ' A'sample'DNSSEC'implementation' 10'mins' Russ' (what'it'looks'like,'s/w'etc).'A'simple' guide'to'deployment.' Real(World(Examples( A'guide'to'DNSSEC'Deployment' 10'mins' Russ' options:'Technologies'and'vendors.' Session'Round'up,'hand'out'of' 2'mins' Dan' Summary( materials,'Thank'you’s' ' | 2

  4. This is Ugwina. She lives in a cave on the edge of the Grand Canyon...

  5. This is Og. He lives in a cave on the other side of the Grand Canyon...

  6. It’s a long way down and a long way round. Ugwina and Og don’t get to talk much...

  7. On one of their rare visits, they notice the smoke coming from Og’s fire

  8. ...and soon they are chatting regularly using smoke signals

  9. until one day, mischievous caveman Kaminsky moves in next door to Ug and starts sending smoke signals too...

  10. Now Ugwina is really confused. She doesn’t know which smoke to believe...

  11. So Ugwina sets off down the canyon to try and sort out the mess...

  12. Ugwina and Og consult the wise village elders. Caveman Diffie thinks that he might have a cunning idea...

  13. And in a flash, jumps up and runs into Ug’s cave...!

  14. Right at the back, he finds a pile of strangely coloured sand that has only ever been found in Ug’s cave...

  15. And with a skip, he rushes out and throws some of the sand onto the fire. The smoke turns a magnificent blue...

  16. Now Ugwina and Og can chat happily again, safe in the knowledge that nobody can interfere with their conversation…

  17. Introduction to DNSSEC | Dan York, Internet Society | ICANN 55 | March 2016

  18. High level concept of DNS root … uk com ma … co.uk bigbank.com nic.ma

  19. High level concept of DNS • A resolver knows where the root-zone is • Traverses the DNS hierarchy • Each level refers the resolver to the next level • UnDl the quesDon has been answered • The resolver caches all that informaDon for future use.

  20. High level concept of DNS • There is no security • Names are easily spoofed • Caches are easily poisoned

  21. A Skit/Play

  22. …Ugwina, the resolver, chatting with Og, the server…

  23. …Ugwina, the resolver is confused. She doesn’t know who the real Og is…

  24. …Ugwina, the resolver, can verify that the real Og sends the message…

  25. High level concept of DNS root uk com ma bigbank.com bigbank.com (www) (www)

  26. DNSSEC is the soluDon • DNSSEC uses digital signatures to assure that informaDon is correct and came from the right place. • The keys and signatures to verify the informaDon, is stored in the DNS as well • Since DNS is a lookup system, keys can simply be looked up, like any data.

  27. High level concept of DNSSEC • A resolver knows what the root-key is • It builds a Chain of Trust: – Each level signs the key of the next level – UnDl the chain is complete

  28. High level concept of DNSSEC ✔ root uk ✔ com ma ✔ ✗ bigbank.com bigbank.com (www) (www)

  29. A Skit/Play DNSSEC To The Rescue!

  30. Example of Why You Need DNSSEC and a Simple Guide to Deployment | Russ Mundy, Parsons| ICANN 55 | March 2016

  31. Why Worry About DNS? • Users think in terms of names – Applications primarily use DNS names – Internet uses network addresses to connect locations • DNS provides the translation from names to network addresses • Proper DNS functions required by essentially all Network Applications – If DNS doesn ’ t work right, è the applications won ’ t get to the intended locations russ.mundy@parsons.com

  32. DNS Hijack Threat • DNS attacks provide a way to divert users ’ applications, e.g., – Redirecting user applications to false locations to steal passwords or other sensitive information – Redirect to a man-in-the-middle location • See and copy an entire session: Web, email, IM, etc. • Multiple DNS hijack tools available on the Internet – Some University courses have required students to write DNS hijack software as a class assignment! russ.mundy@parsons.com

  33. How Can DNSSEC Help? • DNSSEC can assure users they are reaching the right location – DNSSEC provides cryptographic information that can be used to verify that DNS information: • came from the proper source and • it was not changed enroute • Hijack example will show DNSSEC preventing redirection of a web application – Web site tailored for effective use of DNSSEC and a web browser that uses DNSSEC russ.mundy@parsons.com

  34. Normal DNS & Web Exchange Web Server Auth NS Recursive NS www.ab.org ns1.ab.org 192.168.2.80 192.168.2.252 2 Query: www.ab.org? 3 www.ab.org=192.168.2.80 10.1.1.253 192.168.2.1 4 10.1.1.1 10.2.2.2 10.2.2.1 5 “ INTERNET ” 10.1.1.2 192.168.1.1 www.ab.org=192.168.2.80 1 Query: www.ab.org? “Joe User” 192.168.1.3

  35. russ.mundy@parsons.com

  36. DNS Hijacked Web Exchange Web Server Auth NS Recursive NS Redirected www.ab.org ns1.ab.org Website 192.168.2.80 192.168.2.252 Query: www.ab.org? ? www.ab.org=192.168.2.80 10.1.1.253 192.168.2.1 10.1.1.1 10.2.2.2 10.2.2.1 “ INTERNET ” 10.1.1.2 3 192.168.1.1 www.ab.org=192.168.2.80 1 Query: www.ab.org? Dr Evil Hijacker 192.168.1.99 ? “Joe User” 2 192.168.1.3 www.ab.org=10.2.2.1

  37. Attempted DNS Hijacked Web Exchange Stopped by DNSSEC Web Server Auth NS Recursive NS Redirected www.ab.org ns1.ab.org Website 192.168.2.80 192.168.2.252 Query: www.ab.org? ? www.ab.org=192.168.2.80 10.1.1.253 192.168.2.1 10.1.1.1 10.2.2.2 10.2.2.1 “ INTERNET ” DNSSEC Validation 10.1.1.2 stops ‘ False ’ answer 192.168.1.1 www.ab.org=192.168.2.80 Query: www.ab.org? Dr Evil Hijacker 192.168.1.99 ? “Joe User” 2 192.168.1.3 30 June 2010 russ.mundy@parsons.com www.ab.org=10.2.2.1

  38. russ.mundy@parsons.com

  39. 1 Webpage = Multiple DNS Name Resolutions 39 russ.mundy@parsons.com

  40. www.cnn.com russ.mundy@parsons.com

  41. DNS Basic Functions • DNS provides the translation from names to network addresses • Get the right DNS content to Internet users Ø IT ’ S DNS ZONE DATA THAT MATTERS! russ.mundy@parsons.com

  42. Simple Illustration I need to have a WWW of DNS Components record Zone Authoritative Add publish Data Server 3. www is 1.2.3.4 2. Request www “Joe User” 1. Request www Client Recursive 4. www is 1.2.3.4 Server russ.mundy@parsons.com

  43. DNSSEC Implementation Samples • DNSSEC implementation depends upon & is mostly driven by an activity ’ s DNS functions – DNS is made up of many parts, e.g., name server operators, applications users, name holders ( “ owners ” ), DNS provisioning – Activities with large, complex DNS functions are more likely to have more complex DNSSEC implementation activities • Also more likely to have ‘ DNS knowledgeable ’ staff russ.mundy@parsons.com

  44. DNSSEC Implementation Samples, Continued • DNS size and complexity examples: – Registry responsible for a large TLD operation, e.g., .com – Substantial enterprise with many components with many geographic locations, e.g., hp.com – Internet-based businesses with a number of business critical zones, e.g., www.verisign.com – Activities with non-critical DNS zones, e.g., net- snmp.org – Proverbial Internet end users (all of us here) russ.mundy@parsons.com

  45. How Does DNSSEC Fit? • DNSSEC required to thwart attacks on DNS CONTENT – DNS attacks used to attack Internet users applications Ø Protect DNS ZONE DATA as much as (or more than) any DNSSEC information Ø Including DNSSEC private keys!! russ.mundy@parsons.com

  46. Simple Addition I need to have a signed of DNSSEC WWW record (there are both much more and less complex setups than this) ‏ Zone Signed Authoritative Add sign publish Data Data Server 3. www is 1.2.3.4 2. Request www “Joe User” new 1. Request www Client Validating Recursive 4. www is 1.2.3.4 Server russ.mundy@parsons.com

  47. General Principle: • If an activity does a lot with their DNS functions and operations then they probably will want to do a lot with the associated DNSSEC pieces; • If an activity does little or nothing with their DNS functions and operations then they probably will do little or nothing directly with their DNSSEC elements but Require DNSSEC from their suppliers russ.mundy@parsons.com

  48. Thank You and Questions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Beginner's Guide to Dimensionality Reduction Explore the methods that data scientists use to

The Beginner's Guide to Dimensionality Reduction Explore the methods that data scientists use to

The Beginner's Guide to Dimensionality Reduction Explore the methods that data scientists use to visualize high-dimensional data. By: Matthew Conlen and Fred Hohman Workshop on Visualization for AI Explainability October 22, 2018 Who it Reached

400 views • 13 slides
Testing the Untestable A beginner's guide to mock objects @andrewburrows London based

Testing the Untestable A beginner's guide to mock objects @andrewburrows London based

Testing the Untestable A beginner's guide to mock objects @andrewburrows London based systematic hedge fund since 1987 $19.2bn Funds Under Management (2016-03-31) We are active in 400+ markets in 40+ countries We take ~2bn

717 views • 44 slides
MODULES MODULES The Beginner's Guide by Daniela Engert 1 ABOUT ME ABOUT ME Diploma degree in

MODULES MODULES The Beginner's Guide by Daniela Engert 1 ABOUT ME ABOUT ME Diploma degree in

Meeting C++ 2019 MODULES MODULES The Beginner's Guide by Daniela Engert 1 ABOUT ME ABOUT ME Diploma degree in electrical engineering For 40 years creating computers and software For 30 years developing hardware and software in the field

1.09k views • 68 slides
The NSAA Beginner Conversion Study Longitudinally Tracking the Beginner Industry Support

The NSAA Beginner Conversion Study Longitudinally Tracking the Beginner Industry Support

The NSAA Beginner Conversion Study Longitudinally Tracking the Beginner Industry Support Overview of Program Why Beginner Conversion? Preliminary Findings 2015-2016 Updates 3 Overview of Program 4 NSAAs Beginner Conversion study targets

595 views • 33 slides
Manual On Body Language For Presentation Skills+body This presentation is a beginner's guide to

Manual On Body Language For Presentation Skills+body This presentation is a beginner's guide to

Manual On Body Language For Presentation Skills+body This presentation is a beginner's guide to understanding body language. Outside of our and Body Language. Soft Skills Training / Communication Series MillionThe Social Media Handbook: Five

464 views • 3 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Contents So what is it about ? Motivation Why Chips stop working Electromigration

Contents So what is it about ? Motivation Why Chips stop working Electromigration

How to destroy your ASIC:A beginner's guide 2/21/2012 Spoiler Alert ! What this presentation is NOT about Burn Baby Burn ! How to destroy your ASIC: A beginners' guide Diptyajit Choudhury & Pramod Ghimire Student lecture : ETI135 MS in System

273 views • 12 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
retaining wall & regrading of slope The Futurist, Scarborough Overview of site This slide

retaining wall & regrading of slope The Futurist, Scarborough Overview of site This slide

The Futurist Theatre, Scarborough Methodology for demolition of the theatre, construction of new retaining wall & regrading of slope The Futurist, Scarborough Overview of site This slide indicates the key features and Kings Street

416 views • 22 slides
Shenandoah High School CONSTRUCTION BUDGET PRESENTATION 7/22/2019 Project Definition

Shenandoah High School CONSTRUCTION BUDGET PRESENTATION 7/22/2019 Project Definition

Shenandoah High School CONSTRUCTION BUDGET PRESENTATION 7/22/2019 Project Definition Budget Basis Renovations Overview ew Independent Renovations Additions & Repurposing Project Delivery Schedule Scope Details

489 views • 19 slides
TH D ECEMBER 2019 C ONFERENCE T RACK : B IG D ATA D ATE : 6 T IME : 2.30 PM 5.30 PM V ENUE : E

TH D ECEMBER 2019 C ONFERENCE T RACK : B IG D ATA D ATE : 6 T IME : 2.30 PM 5.30 PM V ENUE : E

I NTERNATIONAL C ONFERENCE ON B IG D ATA AND C LOUD C OMPUTING (ICBDCC19 ) 6 7 D ECEMBER , 2019 K ARUNYA I NSTITUTE OF T ECHNOLOGY & S CIENCES , C OIMBATORE 641 114, T AMILNADU , I NDIA TH D ECEMBER 2019 C ONFERENCE T RACK : B IG D

670 views • 10 slides
Top Ten Compliance Issues for Canadian Registered Charities Presentation to the Sustainability

Top Ten Compliance Issues for Canadian Registered Charities Presentation to the Sustainability

Top Ten Compliance Issues for Canadian Registered Charities Presentation to the Sustainability Network December 7, 2017 Mark Blumberg (mark@blumbergs.ca) Blumberg Segal LLP Blumberg Segal LLP Blumberg Segal LLP is a law firm based in

975 views • 80 slides
DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com about:mozilla Agenda The Basics

DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com about:mozilla Agenda The Basics

DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com about:mozilla Agenda The Basics Implementation What we I messed up The Future What and the Why DNS Security Extensions Based on public key crypto RFC

783 views • 64 slides
The iLab Experience a blended learning hands-on course concept you set the focus WWW Security /

The iLab Experience a blended learning hands-on course concept you set the focus WWW Security /

The iLab Experience a blended learning hands-on course concept you set the focus WWW Security / Your Exercise Topic Pitch 2018-05-8 10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP 24.4.

646 views • 40 slides
ICANN Update Champika Wijayatunga <champika.wijayatunga@icann.org> Regional Security

ICANN Update Champika Wijayatunga <champika.wijayatunga@icann.org> Regional Security

ICANN Update Champika Wijayatunga <champika.wijayatunga@icann.org> Regional Security Engagement Manager Asia Pacific TWNIC OPM / TWNOG 27-28 November 2018 | 1 Overview Coordinating with our partners, we help make the Internet work.

555 views • 24 slides
A versatile platform for DNS metrics with its application to IPv6 St ephane Bortzmeyer AFNIC

A versatile platform for DNS metrics with its application to IPv6 St ephane Bortzmeyer AFNIC

A versatile platform for DNS metrics with its application to IPv6 St ephane Bortzmeyer AFNIC bortzmeyer@nic.fr RIPE 57 - Dubai - October 2008 1 A versatile platform for DNS metrics with its application to IPv6 Where are we in the talk?

821 views • 54 slides

More recommend