The Importance of Being an Earnest stub: Challenges and solution for the versatile stub (PowerPoint presentation)



SLIDE 1

The Importance of Being an Earnest stub

Challenges and solution for the versatile stub

Willem Toorop (NLnet Labs), 13 May 2017, OARC 26 (Madrid)

SLIDE 2

The Importance of Being an Earnest stub – OARC 26 2/45 Willem Toorop (NLnet Labs)

From the ground-up security

  • Every “secure” connection is preceded by a DNS lookup
  • The stub does the lookup at the request of the application

The recursive resolver does all the heavy lifting

[Diagram: browser (application) → OS stub → recursive resolver → authoritatives for ., net and dns-oarc.net; the answer dns-oarc.net A = 64.191.0.198 flows back to the stub, after which the browser opens https to WebSrv]

SLIDE 3

From the ground-up security

  • DNSSEC protects against cache poisoning

[Diagram: as on slide 2, but the recursive resolver now validates; a spoofed answer dns-oarc.net = 6.6.6.1 aimed at the resolver's cache is rejected and the stub still gets 64.191.0.198]

SLIDE 4

From the ground-up security

  • DNSSEC protects against cache poisoning
  • But not against resolver hijacking
    (i.e. ARP or DHCP hijacking or routing tricks)

[Diagram: the stub's query dns-oarc.net A? goes to a hijacked resolver, which answers 6.6.6.1; the browser ends up on a plain http WebSrv controlled by the attacker. The stub-to-resolver path is labelled THE FIRST/LAST MILE]

SLIDE 5

From the ground-up security

  • DNSSEC protects against cache poisoning
  • But not against resolver hijacking
  • One possibility: DNSSEC on the stub

[Diagram: a DNSSEC-aware stub fetches, through the recursive resolver, the A record together with the DNSKEY and DS records of dns-oarc.net, net and ., and validates the chain itself, so THE FIRST/LAST MILE is covered]

SLIDE 6

From the ground-up security/privacy

  • DNSSEC protects against cache poisoning
  • But not against resolver hijacking
  • Another possibility: DNS over TLS

[Diagram: the stub sends dns-oarc.net A over a TLS connection to the validating recursive resolver and receives 64.191.0.198; THE FIRST/LAST MILE is now encrypted]

SLIDE 7

From the ground-up security/privacy

  • TLS hijacking? Is That Possible?!
  • Durumeric, Zakir, et al. "The Security Impact of HTTPS Interception." Network and Distributed System Security Symposium (NDSS’17), 2017. https://www.internetsociety.org/doc/security-impact-https-interception
  • Applies to DNS-over-TLS too

[Diagram: as on slide 6, with both the https connection to WebSrv and the DNS-over-TLS connection to the resolver shown as subject to interception]
SLIDE 8

From the ground-up security/privacy

  • Strengthen TLS security with the stub: DANE
    (DNS-based Authentication of Named Entities)
  • Also a signalling system for TLS support
    (for applications without user interaction)

SLIDE 9

From the ground-up security/privacy

  • Authenticate DNS-over-TLS with DANE?
  • Bootstrap the TLSA lookup with regular DNS?

[Diagram: as on slide 6]

SLIDE 10

From the ground-up security/privacy

  • Authenticate DNS-over-TLS with DANE?
  • Bootstrap the TLSA lookup with regular DNS?
    – Chicken and Egg problem

[Diagram: to authenticate the DNS-over-TLS resolver getdnsapi.net with DANE, the DNSSEC-aware stub first needs _853._tcp.getdnsapi.net TLSA plus the DNSKEY and DS records of getdnsapi.net, net and . from a recursive resolver, that is, it needs DNS before it has the authenticated DNS connection it wants to use]

SLIDE 11

From the ground-up security/privacy

  • Bootstrap the TLSA lookup with regular DNS?
  • Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
    https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

[Diagram: the resolver getdnsapi.net hands the stub, inside the TLS handshake, the _853._tcp.getdnsapi.net TLSA record, the DNSKEY and DS records of getdnsapi.net, net and ., and the RRSIGs over all of them]

SLIDE 12

From the ground-up security/privacy

  • Bootstrap the TLSA lookup with regular DNS?
  • Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
    https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

The TLS DNSSEC authentication chain extension must be obligatory, to prevent the “Too many CAs” problem (if a server may omit the extension, an attacker holding a certificate from any of the many trusted CAs simply leaves it out, and DANE adds nothing)

[Diagram: as on slide 11]

SLIDE 13

From the ground-up security/privacy

  • The stub is close to the application: inform it of the status of DNSSEC and DNS Privacy

[Diagram: status indicators reported to the application. DNS Privacy status: Clear text DNS / Private DNS / Authenticated Private DNS. DNSSEC: availability]

SLIDE 14

From the ground-up security/privacy

  • Bonus feature: enhanced privacy by round-robining upstreams

[Diagram: the stub spreads its queries round-robin over several validating recursive resolvers, so no single resolver sees all of the application's lookups]

SLIDE 15

From the ground-up security/privacy

Requirements for the versatile stub:

                                              DNSSEC   DNS over TLS   Non-address lookups / API
  Cross the first DNSSEC mile                   X
  From the ground up Privacy                             X
  Strengthened TLS authentication (DANE)        X                      X
  Strengthened opportunistic TLS (DANE)         X                      X
  Provide status of DNSSEC & DNS over TLS                              X

SLIDE 16

Requirements for the versatile stub (overview table as on slide 15)

SLIDE 17

DNSSEC Roadblocks

  • Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver

[Diagram: the DNSSEC-aware stub asks for the A record and the DNSKEY/DS chain of dns-oarc.net, net and ., but the recursive resolver in the path is not DNSSEC-aware (shown crossed out)]

SLIDE 18

DNSSEC Roadblocks

  • Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
  • DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027
    + Full recursion capability

[Diagram: as on slide 17]

SLIDE 19

DNSSEC Roadblocks

  • Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
  • DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027
    + Full recursion capability

Does not apply to a first mile crossed by DNS-over-TLS

[Diagram: as on slide 11, the DNS-over-TLS resolver delivering the TLSA record and the DNSSEC chain with RRSIGs in the TLS extension]
SLIDE 20

DNSSEC Roadblocks

  • DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027
  • IPv6 Address Synthesis Prefix Discovery https://tools.ietf.org/html/rfc7050
    + DNS64 capability https://tools.ietf.org/html/rfc6147

[Diagram: IPv6-only network with DNS64/NAT64. The browser asks for twitter.com AAAA; the DNS64 resolver synthesises 64:ff9b::68f4:2ac1 (the NAT64 well-known prefix with 104.244.42.193 embedded) for the IPv4-only WebSrv, and the https connection is translated by NAT64]

SLIDE 21

DNSSEC Roadblocks

  • DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027
  • IPv6 Address Synthesis Prefix Discovery https://tools.ietf.org/html/rfc7050
    + DNS64 capability https://tools.ietf.org/html/rfc6147
    (a synthesised AAAA record cannot be DNSSEC-validated, so a validating stub has to discover the NAT64 prefix and synthesise the AAAA itself from the validated A record)

[Diagram: as on slide 20, with the DNS64 synthesis now done in the stub, which talks to a privacy resolver; the traffic still goes through NAT64]

SLIDE 22

DNSSEC Roadblocks

  • DNSSEC validating stubs must do RFC5011 (Automated Updates of DNSSEC Trust Anchors)

Root KSK Rollover

SLIDE 23

DNSSEC Roadblocks

  • DNSSEC validating stubs must do RFC5011

Root KSK Rollover

In-band RFC5011 tracking with the DNSSEC auth chain TLS extension

[Diagram: as on slide 11]
SLIDE 24

DNSSEC Roadblocks

  • DNSSEC validating stubs must do RFC5011
  • A stub library for DANE has no system config
    + bootstrap DNSSEC capability: https://tools.ietf.org/html/rfc7958
  • A stub library for DANE runs with the user's privileges

Root KSK Rollover
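Added example (my own code, not from the slides or from any NLnet Labs library): how a stub library with no system configuration can bootstrap its root trust anchor from an RFC 7958 root-anchors.xml file. The XML below is a constructed fixture in the layout of IANA's file; the two digests are the published DS values of the 2010 and 2017 root KSKs, while the ids and validity dates are filled in for the example. The function keeps only KeyDigest entries valid at the given instant, sanity-checks each digest, and fails closed when nothing usable remains, which is exactly what a stub needs across a Root KSK Rollover: once the old key's validUntil has passed, only the new anchor is installed. Verifying the detached S/MIME signature (root-anchors.p7s) must happen before any of this and is not shown.

```python
"""Bootstrap a stub's DNSSEC trust anchor from an RFC 7958 root-anchors.xml (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed fixture in the layout of IANA's root-anchors.xml. The digests are the published DS values of
# the 2010 (key tag 19036) and 2017 (key tag 20326) root KSKs; the ids and validity dates are filled in for
# this example. In production fetch https://data.iana.org/root-anchors/root-anchors.xml and verify the
# detached S/MIME signature root-anchors.p7s against IANA's certificate before trusting the contents.
ROOT_ANCHORS_XML = """<TrustAnchor id="constructed-example" source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
  <KeyDigest id="Klajeyz" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>20326</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
  </KeyDigest>
</TrustAnchor>
"""

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}     # DS digest types SHA-1, SHA-256, SHA-384 -> expected hex length


def parse_ts(value: str) -> datetime:
    """RFC 7958 timestamps are ISO 8601 with an explicit offset, which fromisoformat() accepts (Python 3.7+)."""
    return datetime.fromisoformat(value)


def current_trust_anchors(xml_text: str, now: datetime) -> list:
    """DS records (presentation format) that are valid at `now`. Fails closed instead of returning nothing."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    if zone != ".":
        raise ValueError(f"unexpected zone {zone!r}: not a root trust anchor file")
    anchors = []
    for kd in root.findall("KeyDigest"):
        valid_from = parse_ts(kd.get("validFrom"))
        valid_until = kd.get("validUntil")
        if now < valid_from or (valid_until and now >= parse_ts(valid_until)):
            continue                                   # not yet, or no longer, a usable anchor
        tag, alg, dtype, digest = (kd.findtext(f).strip() for f in ("KeyTag", "Algorithm", "DigestType", "Digest"))
        digest = digest.upper()
        if len(digest) != DIGEST_HEX_LEN.get(int(dtype), -1) or set(digest) - set("0123456789ABCDEF"):
            raise ValueError(f"malformed digest for key tag {tag}")
        anchors.append(f"{zone} IN DS {tag} {alg} {dtype} {digest}")
    if not anchors:
        raise ValueError("no usable trust anchor: refusing to validate with an empty anchor set")
    return anchors


def anchors_at(iso_timestamp: str, xml_text: str = ROOT_ANCHORS_XML) -> list:
    """The anchor set a stub starting at the given instant would install."""
    return current_trust_anchors(xml_text, parse_ts(iso_timestamp))


if __name__ == "__main__":
    for ds in current_trust_anchors(ROOT_ANCHORS_XML, datetime.now(timezone.utc)):
        print(ds)
```

Because the library runs with the user's privileges and has no system config, the fetched file, its signature and the resulting DS set are the only state it has; keeping them in a per-user cache and re-running this selection on every start is what makes the RFC 5011 hold-down logic tolerable for a short-lived process.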

SLIDE 25

DNSSEC Roadblocks

DNSSEC stub capability requirements:

  • DNSSEC validation (various RFCs)
  • DNSSEC Roadblock Avoidance (RFC8027)
  • IPv6 Prefix Discovery (RFC7050)
  • IPv6 Address Synthesis (RFC6147)
  • Automated Trust Anchor Updates (RFC5011)
  • Automated Initial Trust Anchor Retrieval (RFC7958)

SLIDE 26

Requirements for the versatile stub (overview table as on slide 15)

SLIDE 27

Requirements for DNS-over-TLS

  • TCP fast open (optional) https://tools.ietf.org/html/rfc7413
  • Connection reuse https://tools.ietf.org/html/rfc7766
  • EDNS0 keepalive https://tools.ietf.org/html/rfc7828
  • EDNS0 padding https://tools.ietf.org/html/rfc7830

[Diagram: two panels of the stub sending queries A and B over DNS-over-TLS to the privacy resolver, one with a connection per query, one with a single reused connection]

SLIDE 28

Requirements for DNS-over-TLS

  • Connection reuse (Q/R, Q/R, Q/R)
  • Pipelining of queries (Q, Q, Q, R, R, R)

[Diagram: queries A, B, C sent back to back on one DNS-over-TLS connection to the privacy resolver, answers A, B, C returned in the same order]

SLIDE 29

Requirements for DNS-over-TLS

  • Connection reuse (Q/R, Q/R, Q/R)
  • Pipelining of queries (Q, Q, Q, R, R, R)
  • Process Out-Of-Order Responses (Q1, Q2, R2, R1)

[Diagram: queries A, B, C pipelined on one DNS-over-TLS connection; the privacy resolver's answers come back in a different order than the queries were sent]
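Added example (my own code, not the slides' or getdns'): the pieces of slides 27 to 29 on one connection, written in Python with only the standard library. It implements RFC 7766 two-octet length framing, queries that carry an empty EDNS0 keepalive option (RFC 7828) and padding to a 128-octet block (RFC 7830; the block size is the RFC 8467 recommendation, an assumption beyond the slides), pipelining of several queries on one connection, and a demultiplexer that matches responses to in-flight queries by ID and question section so it can accept them in any order and drops anything it did not ask for. The resolver replies and the 203.0.113.10 address are constructed fixtures; the TLS socket is left out: send() returns what you would write to an ssl-wrapped socket and feed() takes what each recv() returns, partial frames included.

```python
"""DNS-over-TCP/TLS framing with pipelining, out-of-order responses, EDNS0 keepalive and padding (added example)."""
import struct

OPT_KEEPALIVE, OPT_PADDING = 11, 12          # EDNS0 option codes, RFC 7828 and RFC 7830
PAD_BLOCK = 128                              # pad queries to a multiple of 128 octets (RFC 8467 recommendation)


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset just after it in the message)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                # compression pointer: follow it, remember where we were
            if not jumped:
                end = off + 2
            off, jumped = ((n & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qid: int, name: str, qtype: int) -> bytes:
    """Query with RD set and one OPT RR carrying an empty keepalive option and a padding option."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)          # RD=1, QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opts = struct.pack("!HH", OPT_KEEPALIVE, 0)                     # a client sends keepalive with empty data
    unpadded = len(header) + len(question) + 11 + len(opts) + 4      # 11: OPT fixed fields, 4: padding option header
    pad = (-unpadded) % PAD_BLOCK                                    # zero octets needed to reach the block boundary
    opts += struct.pack("!HH", OPT_PADDING, pad) + b"\x00" * pad
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opts))  # root name, TYPE=OPT, UDP size, ext flags, RDLEN
    return header + question + opt_rr + opts


def frame(msg: bytes) -> bytes:
    """RFC 7766 framing on TCP/TLS: two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


class PipelinedSession:
    """One TCP/TLS connection: many in-flight queries, responses matched by ID and question, any order."""

    def __init__(self):
        self.pending = {}          # qid -> question section bytes we expect echoed back
        self.buf = b""

    def send(self, queries) -> bytes:
        """queries: iterable of (qid, name, qtype). Returns all frames back to back, ready to write."""
        out = b""
        for qid, name, qtype in queries:
            q = build_query(qid, name, qtype)
            self.pending[qid] = q[12:12 + len(encode_name(name)) + 4]
            out += frame(q)
        return out

    def feed(self, data: bytes):
        """Consume bytes as read from the socket (possibly partial frames); yield (qid, message) per matched reply."""
        self.buf += data
        while len(self.buf) >= 2:
            n = struct.unpack("!H", self.buf[:2])[0]
            if len(self.buf) < 2 + n:
                return                                       # wait for the rest of this frame
            msg, self.buf = self.buf[2:2 + n], self.buf[2 + n:]
            qid = struct.unpack("!H", msg[:2])[0]
            expected = self.pending.get(qid)
            if expected is None or msg[12:12 + len(expected)] != expected:
                continue                                     # unknown ID or question mismatch: drop, never trust
            del self.pending[qid]
            yield qid, msg


def first_a_record(msg: bytes):
    """Walk the question and answer sections; return the first A record as a dotted quad, or None."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in rdata)
    return None


def constructed_response(qid: int, name: str, ip: str) -> bytes:
    """Test fixture standing in for a resolver's reply (not captured traffic): QR/RD/RA set, one A record."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def demo():
    """Pipeline two queries; deliver the replies out of order, split across reads, plus one unsolicited reply."""
    s = PipelinedSession()
    s.send([(1, "dns-oarc.net.", 1), (2, "getdnsapi.net.", 1)])
    stream = (frame(constructed_response(2, "getdnsapi.net.", "203.0.113.10"))     # TEST-NET-3 placeholder address
              + frame(constructed_response(1, "dns-oarc.net.", "64.191.0.198"))
              + frame(constructed_response(9, "evil.example.", "6.6.6.1")))        # never asked for: must be ignored
    order, answers = [], {}
    for chunk in (stream[:10], stream[10:]):                 # simulate partial reads from the socket
        for qid, msg in s.feed(chunk):
            order.append(qid)
            answers[qid] = first_a_record(msg)
    return order, answers, s.pending
```

The unsolicited third reply is the point of matching on both ID and question: on a reused connection a stale or injected message with a recycled ID must not satisfy a later query.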
SLIDE 30

Requirements for DNS-over-TLS

  • Strict or Opportunistic usage profiles? https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09
    1) Authenticated Private DNS
    2) Private DNS
    3) Clear text DNS

[Diagram: the stub's query dns-oarc.net A over DNS-over-TLS to the privacy resolver, answered with 64.191.0.198]

SLIDE 31

Requirements for DNS-over-TLS

  • Strict or Opportunistic usage profiles? https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09
    1) Authenticated Private DNS
    2) Private DNS
    3) Clear text DNS

RFC7858 (DNS-over-TLS) defined direct SPKI authentication only

[Diagram: as on slide 30]

SLIDE 32

Requirements for DNS-over-TLS

  • Regular PKIX authentication (bootstrap the address lookup with regular DNS(SEC))

[Diagram: the stub first resolves getdnsapi.net A/AAAA through a DNSSEC resolver, then opens the DNS-over-TLS connection to the privacy resolver getdnsapi.net and authenticates it by name]

SLIDE 33

Requirements for DNS-over-TLS

  • Regular PKIX authentication
  • Authenticate with DANE (stricter opportunistic with TLSA signalling)

[Diagram: the DNSSEC-aware stub obtains getdnsapi.net A together with the DNSKEY/DS chain through a DNSSEC recursive resolver before connecting to the privacy resolver]

SLIDE 34

Requirements for DNS-over-TLS

  • Regular PKIX authentication
  • Authenticate with DANE
  • DNSSEC authentication chain TLS extension

[Diagram: as on slide 11]
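Added example (my own code, not the slides' or getdns') covering the usage-profile question of slides 30 and 31, the authentication options of slides 32 to 34 and the status values of slide 13 in one place. It checks an RFC 7858 SPKI pin and DANE-EE TLSA records (RFC 6698 selectors and matching types) against the certificate the upstream presented, refuses to use a TLSA RRset that was not DNSSEC-validated, and implements "stricter opportunistic": a secure TLSA record is taken as a signal that the upstream supports authenticated TLS, so an opportunistic client upgrades to strict for that upstream. CERT_DER and SPKI_DER are constructed stand-ins; a real client takes them from the TLS session, and DANE-TA and the PKIX usages, which need chain building, are deliberately out of scope.

```python
"""Authenticating a DNS-over-TLS upstream with SPKI pins or DANE, and the usage-profile decision (added example)."""
import base64
import hashlib
from dataclasses import dataclass

STRICT, OPPORTUNISTIC = "strict", "opportunistic"     # draft-ietf-dprive-dtls-and-tls-profiles usage profiles


@dataclass(frozen=True)
class TLSA:
    usage: int        # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int     # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


# Constructed stand-ins for the upstream's DER certificate and its SubjectPublicKeyInfo. A real client gets
# them from ssl.SSLSocket.getpeercert(binary_form=True) plus an ASN.1 parse (e.g. the `cryptography` package).
CERT_DER = b"constructed-end-entity-certificate-der"
SPKI_DER = b"constructed-subject-public-key-info-der"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7858 pin: base64(SHA-256(SPKI DER)), the same form as HTTP public key pinning uses."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record with the presented certificate according to its selector and matching type."""
    subject = {0: cert_der, 1: spki_der}.get(rec.selector)
    if subject is None:
        return False                                  # unknown selector: record is unusable
    if rec.matching == 0:
        return subject == rec.data
    if rec.matching == 1:
        return hashlib.sha256(subject).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(subject).digest() == rec.data
    return False                                      # unknown matching type: record is unusable


def authenticated(pins, tlsa_rrset, tlsa_secure, cert_der, spki_der) -> bool:
    """True if a configured SPKI pin or a DNSSEC-secure DANE-EE record authenticates the presented certificate."""
    if any(spki_pin(spki_der) == p for p in pins):
        return True
    if not tlsa_secure:
        return False                                  # an unsigned or bogus TLSA RRset carries no authority
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset)


def connection_status(profile, pins, tlsa_rrset, tlsa_secure, tls_established,
                      cert_der=CERT_DER, spki_der=SPKI_DER) -> str:
    """Apply the usage profile and return the status the stub reports to the application (slide 13)."""
    if profile == OPPORTUNISTIC and tlsa_secure and tlsa_rrset:
        profile = STRICT                              # stricter opportunistic: TLSA signals authenticated TLS support
    if tls_established and authenticated(pins, tlsa_rrset, tlsa_secure, cert_der, spki_der):
        return "Authenticated Private DNS"
    if profile == STRICT:
        raise ConnectionError("strict profile: upstream not authenticated, refusing to resolve")
    return "Private DNS" if tls_established else "Clear text DNS"


# Fixtures: a correct DANE-EE SPKI/SHA-256 record, one left over from a previous key, and the matching pin.
GOOD_TLSA = (TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest()),)
STALE_TLSA = (TLSA(3, 1, 1, hashlib.sha256(b"constructed-previous-key").digest()),)
GOOD_PIN = spki_pin(SPKI_DER)
```

The two failure modes worth noticing: an opportunistic client with a stale but DNSSEC-secure TLSA record fails closed rather than silently degrading to "Private DNS", and a TLSA record fetched without DNSSEC validation is ignored entirely, since a hijacked resolver (slide 4) could otherwise hand out a record matching its own certificate.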

SLIDE 35

Requirements for DNS Privacy:

  • DNS-over-TLS: RFC7858
  • Reuse / Pipelining / OOOR: RFC7766
  • TCP Fastopen: RFC7413
  • EDNS0 keepalive: RFC7828
  • EDNS0 padding: RFC7830
  • PKIX support for authentication (various)
  • DNSSEC support (for address lookup and authentication) (various)

SLIDE 36

Requirements for the versatile stub (overview table as on slide 15)

SLIDE 37

Non-address lookups / Application Interface

  • getaddrinfo() and getnameinfo() (POSIX standard, extended by RFC3493 for IPv6)

[Diagram: Application → OS stub]

SLIDE 38

Non-address lookups / Application Interface

  • getaddrinfo() and getnameinfo() (POSIX standard, extended by RFC3493 for IPv6)
  • Talk to upstreams directly with a library: libresolv, libval, ldns, libunbound, libgetdns
  • Learn upstreams from the OS: /etc/resolv.conf, NetworkManager, registry...

[Diagram: Application linked with a stub library, next to the OS stub]

SLIDE 39

Non-address lookups / Application Interface

  • getaddrinfo() and getnameinfo() (POSIX standard, extended by RFC3493 for IPv6)
  • Talk to upstreams directly with a library: libresolv, libval, ldns, libunbound, libgetdns
  • Learn upstreams from the OS: /etc/resolv.conf, NetworkManager, registry...

Applications using the getaddrinfo() API will not get the versatile stub features (first DNSSEC mile coverage, DNS privacy)

[Diagram: Application linked with a stub library, next to the OS stub]

SLIDE 40

Non-address lookups / Application Interface

  • Stub server listening on 127.0.0.1:53
  • getaddrinfo() and getnameinfo() use the system stub, which in turn uses the stub server

Stub servers: Stubby, Dnsmasq, Dnssec-Trigger

[Diagram: Application → OS stub → stub server]
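Added example configuration for Stubby as the local stub server of this slide (written for this page, not the project's shipped stubby.yml; check the stubby.yml.example that ships with your version for the exact option set). The weak opportunistic setting is shown commented out next to the strict one; the upstream address, authentication name and pin are placeholders (192.0.2.53 is TEST-NET-1, the pin is not a real key hash).

```yaml
# stubby.yml: local DNS-over-TLS stub server on 127.0.0.1:53 (added example, placeholders marked)
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS              # TLS only: no silent fallback to cleartext port 53

# Weak (opportunistic): any upstream that speaks TLS is accepted, unauthenticated ("Private DNS").
# tls_authentication: GETDNS_AUTHENTICATION_NONE
# Strict: upstreams that cannot be authenticated by name or pin are refused ("Authenticated Private DNS").
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 128      # EDNS0 padding (RFC7830)
edns_client_subnet_private: 1         # do not pass the client subnet upstream
round_robin_upstreams: 1              # spread queries over the upstreams (slide 14)
idle_timeout: 10000                   # keep connections open for reuse, in ms

listen_addresses:                     # where the system stub (/etc/resolv.conf) sends its queries
  - 127.0.0.1@53
  - 0::1@53

upstream_recursive_servers:
  - address_data: 192.0.2.53          # placeholder: a real DNS-over-TLS resolver address
    tls_auth_name: "dot.example.net"  # placeholder: PKIX authentication of the upstream by name
    tls_pubkey_pinset:                # optional additional SPKI pin (RFC7858)
      - digest: "sha256"
        value: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="   # placeholder, not a real pin
```

With this in place, /etc/resolv.conf points at 127.0.0.1, so applications calling getaddrinfo() get the privacy and authentication properties without being changed, which is the point of the stub-server arrangement; DNSSEC status is still not visible to them through that API.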

SLIDE 41

Non-address lookups / Application Interface

  • getaddrinfo() and getnameinfo() use systemd-resolved via an nsswitch module
  • Stub server listening on 127.0.0.53:53

Stub server: systemd-resolved (systemd-resolved.service)

SLIDE 42

Non-address lookups / Application Interface

  • Talk to the stub server via a library: libresolv, libval, ldns, libunbound, libgetdns

[Diagram: Application with stub library → stub server (Stubby, Dnsmasq, Dnssec-Trigger, or systemd-resolved on 127.0.0.53:53); the OS stub → stub server path remains for other applications]

SLIDE 43

(as on slide 42)

SLIDE 44

Non-address lookups / Application Interface

  • Talk to the stub server via the dbus API: https://www.freedesktop.org/wiki/Software/systemd/resolved/

[Diagram: Application → dbus API → systemd-resolved (systemd-resolved.service)]

SLIDE 45

The Importance of Being an Earnest stub