Ordinary DNS: www.google.com A? Client's k.root-servers.net com. - - PowerPoint PPT Presentation

ordinary dns
SMART_READER_LITE
LIVE PREVIEW

Ordinary DNS: www.google.com A? Client's k.root-servers.net com. - - PowerPoint PPT Presentation

Dec 10, 2022 241 likes •377 views

Ordinary DNS: www.google.com A? Client's k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 www.google.com A? Client's a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com A

slide-1
SLIDE 1

www.google.com A?

  • com. NS a.gtld-servers.net

a.gtld-servers.net A 192.5.6.30

Client's Resolver

k.root-servers.net

Ordinary DNS:

www.google.com A?

google.com. NS ns1.google.com ns1.google.com A 216.239.32.10 …

Client's Resolver

a.gtld-servers.net www.google.com A?

www.google.com. A 74.125.24.14 …

Client's Resolver

ns1.google.com

slide-2
SLIDE 2

www.google.com A? DO

  • com. NS a.gtld-servers.net

a.gtld-servers.net. A 192.5.6.30

  • com. DS description-of-com's-key
  • com. RRSIG DS signature-of-that-

DS-record-using-root's-key

Client's Resolver

k.root-servers.net

DNSSEC (with simplifications):

Delegation Signer identifies .com's public key (name and hash)

slide-3
SLIDE 3

www.google.com A? DO

  • com. NS a.gtld-servers.net

a.gtld-servers.net. A 192.5.6.30

  • com. DS description-of-com's-key
  • com. RRSIG DS signature-of-that-

DS-record-using-root's-key

Client's Resolver

k.root-servers.net

DNSSEC (with simplifications):

Retrieving .com's public key is complicated (actually involves multiple keys) …

slide-4
SLIDE 4

www.google.com A? DO

  • com. NS a.gtld-servers.net

a.gtld-servers.net. A 192.5.6.30

  • com. DS description-of-com's-key
  • com. RRSIG DS signature-of-that-

DS-record-using-root's-key

Client's Resolver

k.root-servers.net

DNSSEC (with simplifications):

RRSIG specifies signature over another RR … here, the above DS record

slide-5
SLIDE 5

www.google.com A? DO

  • com. NS a.gtld-servers.net

a.gtld-servers.net. A 192.5.6.30

  • com. DS description-of-com's-key
  • com. RRSIG DS signature-of-that-

DS-record-using-root's-key

Client's Resolver

k.root-servers.net

DNSSEC (with simplifications):

Note: no signature over NS or A!

slide-6
SLIDE 6

www.google.com A? DO

google.com. NS ns1.google.com ns1.google.com. A 216.239.32.10 … google.com. DS description-of- google.com's-key google.com. RRSIG DS signature-

  • f-that-DS-record-using-com's-key

Client's Resolver

a.gtld-servers.net

DNSSEC (with simplifications):

slide-7
SLIDE 7

www.google.com A? DO

www.google.com. A 74.125.24.14 … www.google.com. RRSIG A signature-of-the-A-records-using- google.com's-key

Client's Resolver

ns1.google.com

DNSSEC (with simplifications):

slide-8
SLIDE 8

www.google.com A? DO

www.google.com. A 6.6.6.6

Client's Resolver

ns1.evil.com

DNSSEC - Mallory attacks!

Resolver observes that the reply didn't include a signature, rejects it as insecure

slide-9
SLIDE 9

www.google.com A? DO

www.google.com. A 6.6.6.6 www.google.com RRSIG A signature-of-the-A-record-using- evil.com's-key

Client's Resolver

ns1.evil.com

DNSSEC - Mallory attacks!

(1) If resolver didn't receive a signature from .com for evil.com's key, then it can't validate this signature & ignores reply since it's not properly signed …

slide-10
SLIDE 10

www.google.com A? DO

www.google.com. A 6.6.6.6 www.google.com RRSIG A signature-of-the-A-record-using- evil.com's-key

Client's Resolver

ns1.evil.com

DNSSEC - Mallory attacks!

(2) If resolver did receive a signature from .com for evil.com's key, then it knows the key is for evil.com and not google.com … and ignores it

slide-11
SLIDE 11

www.google.com A? DO

www.google.com. A 6.6.6.6 www.google.com RRSIG A signature-of-the-A-record-using- google.com's-key

Client's Resolver

ns1.evil.com

DNSSEC - Mallory attacks!

If signature actually comes from google.com's key, resolver will believe it … … but no such signature should exist unless either: (1) google.com's private key was compromised, or (2) google.com intended to sign the RR

slide-12
SLIDE 12

69-byte query

slide-13
SLIDE 13

3419-byte reply