DNSSEC for Everybody: A Beginners Guide | ICANN 55 | March 2016 - - PowerPoint PPT Presentation



slide-1
SLIDE 1

DNSSEC for Everybody: A Beginner’s Guide

| ICANN 55 | March 2016

slide-2
SLIDE 2


The Schedule

Outline / Concept | Segment | Duration | Speaker
Welcome | Welcome and Introduction | 2 mins | Dan
Basic Concepts | Caveman – DNSSEC 5000BC | 3 mins | Dan
Basic Concepts | DNS Basics | 5 mins | Dan
Basic Concepts | DNS Chain of Trust – Live | 5 mins | Dan
Core Concepts | DNSSEC – How it works | 10 mins | Dan
Core Concepts | DNSSEC – Chain of Trust Live | 5 mins | Wes
Real World Examples | A sample DNSSEC implementation (what it looks like, s/w etc). A simple guide to deployment. | 10 mins | Russ
Real World Examples | A guide to DNSSEC Deployment – Options: Technologies and vendors. | 10 mins | Russ
Summary | Session Round up, hand out of materials, Thank you’s | 2 mins | Dan

slide-3
SLIDE 3
slide-4
SLIDE 4

This is Ugwina. She lives in a cave on the edge of the Grand Canyon...

slide-5
SLIDE 5

This is Og. He lives in a cave on the other side of the Grand Canyon...

slide-6
SLIDE 6

It’s a long way down and a long way round. Ugwina and Og don’t get to talk much...

slide-7
SLIDE 7

On one of their rare visits, they notice the smoke coming from Og’s fire

slide-8
SLIDE 8

...and soon they are chatting regularly using smoke signals

slide-9
SLIDE 9

until one day, mischievous caveman Kaminsky moves in next door to Ug and starts sending smoke signals too...

slide-10
SLIDE 10

Now Ugwina is really confused. She doesn’t know which smoke to believe...

slide-11
SLIDE 11

So Ugwina sets off down the canyon to try and sort out the mess...

slide-12
SLIDE 12

Ugwina and Og consult the wise village elders. Caveman Diffie thinks that he might have a cunning idea...

slide-13
SLIDE 13

And in a flash, jumps up and runs into Ug’s cave...!

slide-14
SLIDE 14

Right at the back, he finds a pile of strangely coloured sand that has only ever been found in Ug’s cave...

slide-15
SLIDE 15

And with a skip, he rushes out and throws some of the sand onto the fire. The smoke turns a magnificent blue...

slide-16
SLIDE 16

Now Ugwina and Og can chat happily again, safe in the knowledge that nobody can interfere with their conversation…

slide-17
SLIDE 17

Introduction to DNSSEC

| Dan York, Internet Society | ICANN 55 | March 2016

slide-18
SLIDE 18

High level concept of DNS

(Diagram: the DNS tree from root down through uk / co.uk, com / bigbank.com, and ma / nic.ma, with further branches elided.)

slide-19
SLIDE 19

High level concept of DNS

  • A resolver knows where the root-zone is
  • Traverses the DNS hierarchy
  • Each level refers the resolver to the next level
  • Until the question has been answered
  • The resolver caches all that information for future use.

slide-20
SLIDE 20

High level concept of DNS

  • There is no security
  • Names are easily spoofed
  • Caches are easily poisoned

slide-21
SLIDE 21

A Skit/Play

slide-22
SLIDE 22

…Ugwina, the resolver, chatting with Og, the server…

slide-23
SLIDE 23

…Ugwina, the resolver is confused. She doesn’t know who the real Og is…

slide-24
SLIDE 24

…Ugwina, the resolver, can verify that the real Og sends the message…

slide-25
SLIDE 25

High level concept of DNS

(Diagram: the DNS tree root → uk, com, ma; under com, two answers for bigbank.com (www) are shown side by side, and the resolver cannot tell which is genuine.)

slide-26
SLIDE 26

DNSSEC is the solution

  • DNSSEC uses digital signatures to assure that information is correct and came from the right place.
  • The keys and signatures to verify the information are stored in the DNS as well.
  • Since DNS is a lookup system, keys can simply be looked up, like any data.

slide-27
SLIDE 27

High level concept of DNSSEC

  • A resolver knows what the root-key is
  • It builds a Chain of Trust:
    – Each level signs the key of the next level
    – Until the chain is complete

slide-28
SLIDE 28

High level concept of DNSSEC

(Diagram: the same tree with the chain of trust validated: root ✔ → com ✔ → bigbank.com (www) ✔; the second, spoofed bigbank.com (www) answer is marked ✗; uk and ma are shown unsigned.)

slide-29
SLIDE 29

A Skit/Play

DNSSEC To The Rescue!

slide-30
SLIDE 30

Example of Why You Need DNSSEC and a Simple Guide to Deployment

| Russ Mundy, Parsons| ICANN 55 | March 2016

slide-31
SLIDE 31

Why Worry About DNS?

  • Users think in terms of names
    – Applications primarily use DNS names
    – Internet uses network addresses to connect locations
  • DNS provides the translation from names to network addresses
  • Proper DNS functions required by essentially all Network Applications
    – If DNS doesn’t work right → the applications won’t get to the intended locations

russ.mundy@parsons.com

slide-32
SLIDE 32

DNS Hijack Threat

  • DNS attacks provide a way to divert users’ applications, e.g.,
    – Redirecting user applications to false locations to steal passwords or other sensitive information
    – Redirect to a man-in-the-middle location
      • See and copy an entire session: Web, email, IM, etc.
  • Multiple DNS hijack tools available on the Internet
    – Some University courses have required students to write DNS hijack software as a class assignment!


slide-33
SLIDE 33

How Can DNSSEC Help?

  • DNSSEC can assure users they are reaching the right location
    – DNSSEC provides cryptographic information that can be used to verify that DNS information:
      • came from the proper source and
      • it was not changed en route
  • Hijack example will show DNSSEC preventing redirection of a web application
    – Web site tailored for effective use of DNSSEC and a web browser that uses DNSSEC


slide-34
SLIDE 34

Normal DNS & Web Exchange

(Diagram: “Joe User” 192.168.1.3, a Recursive NS, the Auth NS ns1.ab.org 192.168.2.252 and the Web Server www.ab.org 192.168.2.80, connected across the “INTERNET”; router and link addresses shown are 192.168.1.1, 192.168.2.1, 10.1.1.1, 10.1.1.2, 10.1.1.253, 10.2.2.1 and 10.2.2.2.)

  1. Query: www.ab.org? (Joe User → Recursive NS)
  2. Query: www.ab.org? (Recursive NS → Auth NS)
  3. www.ab.org=192.168.2.80 (Auth NS → Recursive NS)
  4. www.ab.org=192.168.2.80 (Recursive NS → Joe User)
  5. Web exchange with www.ab.org at 192.168.2.80

slide-35
SLIDE 35


slide-36
SLIDE 36

DNS Hijacked Web Exchange

(Diagram: the same topology as slide 34, plus “Dr Evil Hijacker” 192.168.1.99 on Joe User’s network and a “Redirected Website” at 10.2.2.1.)

  1. Query: www.ab.org? (Joe User → Recursive NS)
  2. Query: www.ab.org? (Recursive NS → Auth NS)
  3. Dr Evil Hijacker injects the false answer www.ab.org=10.2.2.1; the genuine answer www.ab.org=192.168.2.80 is marked “? ?” and Joe User is sent to the Redirected Website.

slide-37
SLIDE 37

Attempted DNS Hijacked Web Exchange Stopped by DNSSEC

(Diagram, dated 30 June 2010: the same topology as slide 36, with Dr Evil Hijacker 192.168.1.99 and the Redirected Website at 10.2.2.1.)

  1. Query: www.ab.org? (Joe User → Recursive NS)
  2. Query: www.ab.org? (Recursive NS → Auth NS); Dr Evil Hijacker injects www.ab.org=10.2.2.1, the Auth NS answers www.ab.org=192.168.2.80 (marked “? ?”)
  3. DNSSEC Validation stops the ‘False’ answer; only www.ab.org=192.168.2.80 is returned to Joe User
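As an added illustration that is not part of the slides, the chain of trust from slides 27 and 37 in stdlib Python: each zone signs its own records, each parent signs a DS record committing to its child’s key, and the resolver walks from the root trust anchor downward, so Dr Evil’s look-alike zone (its own key, same name) fails at the DS check and its false address is never trusted. Toy Lamport one-time signatures stand in for the RSA/ECDSA keys DNSSEC actually uses; the `Zone`/`validate` helpers, the name bigbank.com and the addresses are assumptions for this example.

```python
import hashlib, os

H = lambda b: hashlib.sha256(b).digest()

# Toy Lamport one-time signatures (stdlib only) stand in for the RSA/ECDSA
# keys real DNSSEC uses; the chain-of-trust logic below is unchanged by that.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> i) & 1] for i in range(256)]

def verify(pk, msg, sig):
    bits = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(bits >> i) & 1] for i in range(256))

def ds(pk):  # DS record: hash of the child's public key, published by the parent
    return H(b"".join(a + b for a, b in pk))

class Zone:
    """A signed zone (assumed helper): one key pair, its records, one signature per record."""
    def __init__(self, name):
        self.name, (self.sk, self.pk), self.rrs = name, keygen(), {}
    def add(self, rrtype, owner, data):   # sign each record when it is published
        self.rrs[(owner, rrtype)] = (data, sign(self.sk, f"{owner} {rrtype} ".encode() + data))
    def delegate(self, child):            # parent signs the DS for the child's key
        self.add("DS", child.name, ds(child.pk))

def validate(anchor_pk, chain, owner):
    """Walk root -> TLD -> zone: each level's signed DS must match the next key."""
    pk = anchor_pk
    for parent, child in zip(chain, chain[1:]):
        data, sig = parent.rrs[(child.name, "DS")]
        if data != ds(child.pk) or not verify(pk, f"{child.name} DS ".encode() + data, sig):
            return False                  # key not vouched for by the parent
        pk = child.pk
    data, sig = chain[-1].rrs[(owner, "A")]
    return verify(pk, f"{owner} A ".encode() + data, sig)

def demo():
    root, com, bank = Zone("."), Zone("com"), Zone("bigbank.com")
    bank.add("A", "www.bigbank.com", b"192.168.2.80")   # constructed sample data
    com.delegate(bank); root.delegate(com)
    good = validate(root.pk, [root, com, bank], "www.bigbank.com")
    evil = Zone("bigbank.com")            # Dr Evil's look-alike zone, own key
    evil.add("A", "www.bigbank.com", b"10.2.2.1")
    hijacked = validate(root.pk, [root, com, evil], "www.bigbank.com")
    return good, hijacked                 # (True, False)
```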

slide-38
SLIDE 38


slide-39
SLIDE 39


1 Webpage = Multiple DNS Name Resolutions


slide-40
SLIDE 40

www.cnn.com


slide-41
SLIDE 41


DNS Basic Functions

  • DNS provides the translation from names to network addresses
  • Get the right DNS content to Internet users
    → IT’S DNS ZONE DATA THAT MATTERS!

slide-42
SLIDE 42

Simple Illustration of DNS Components

(Diagram: Zone Data → Authoritative Server → Recursive Server → Client “Joe User”. The name holder says “I need to have a WWW record”; the record is added to the zone data and published to the authoritative server.)

  1. Request www (Client → Recursive Server)
  2. Request www (Recursive Server → Authoritative Server)
  3. www is 1.2.3.4 (Authoritative Server → Recursive Server)
  4. www is 1.2.3.4 (Recursive Server → Client)


slide-43
SLIDE 43

DNSSEC Implementation Samples

  • DNSSEC implementation depends upon & is mostly driven by an activity’s DNS functions
    – DNS is made up of many parts, e.g., name server operators, applications users, name holders (“owners”), DNS provisioning
    – Activities with large, complex DNS functions are more likely to have more complex DNSSEC implementation activities
      • Also more likely to have ‘DNS knowledgeable’ staff


slide-44
SLIDE 44

DNSSEC Implementation Samples, Continued

  • DNS size and complexity examples:
    – Registry responsible for a large TLD operation, e.g., .com
    – Substantial enterprise with many components with many geographic locations, e.g., hp.com
    – Internet-based businesses with a number of business critical zones, e.g., www.verisign.com
    – Activities with non-critical DNS zones, e.g., net-snmp.org
    – Proverbial Internet end users (all of us here)


slide-45
SLIDE 45

How Does DNSSEC Fit?

  • DNSSEC required to thwart attacks on DNS CONTENT
    – DNS attacks used to attack Internet users applications
    → Protect DNS ZONE DATA as much as (or more than) any DNSSEC information
    → Including DNSSEC private keys!!


slide-46
SLIDE 46

Simple Addition of DNSSEC

(there are both much more and less complex setups than this)

(Diagram: Zone Data → Signed Data → Authoritative Server → Validating Recursive Server → Client “Joe User”. The name holder says “I need to have a signed WWW record”; the record is added, the zone is signed, and the new signed data is published to the authoritative server.)

  1. Request www (Client → Validating Recursive Server)
  2. Request www (Validating Recursive Server → Authoritative Server)
  3. www is 1.2.3.4 (Authoritative Server → Validating Recursive Server)
  4. www is 1.2.3.4 (Validating Recursive Server → Client)


slide-47
SLIDE 47

General Principle:

  • If an activity does a lot with their DNS functions and operations, then they probably will want to do a lot with the associated DNSSEC pieces;
  • If an activity does little or nothing with their DNS functions and operations, then they probably will do little or nothing directly with their DNSSEC elements but Require DNSSEC from their suppliers


slide-48
SLIDE 48

Thank You and Questions