This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question: what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
2. The World's Network – the Domain Name System
+ An Internet Protocol address uniquely identifies laptops, phones and other devices
+ The Domain Name System matches IP addresses with a name
+ IP routing and DNS are the underpinning of a unified Internet
3. A sample DNS query
[Figure: a client asks "Where is www.iana.org?" and receives the answer 192.0.2.1]
4. Making the DNS Secure
+ A computer sends a question to a DNS server, like "where is IANA.org?"
+ It receives an answer and assumes that it is correct.
+ There are multiple ways that traffic on the Internet can be intercepted and modified, so that the answer given is false.
5. Receiving the Wrong Answer
[Figure: the same query "Where is www.iana.org?" is answered with a false address in place of 192.0.2.1]
6. Poisoning a Cache
+ Attacker knows iterative resolvers may cache
+ Attacker
  + Composes a DNS response with malicious data about a targeted domain
  + Tricks a resolver into adding this malicious data to its local cache
+ Later queries processed by the server will return malicious data for the life of the cached entry
+ Example: user at My Mac clicks on a URL in an email message from try@loseweightfastnow.com
[Figure: My Mac asks "My local resolver" for the IPv4 address of loseweightfastnow.com; the ecrime name server replies "loseweightfastnow.com IPv4 address is 192.168.1.1, ALSO www.ebay.com is at 192.168.1.2"; the resolver thinks "I'll cache this response… and update www.ebay.com"]
7. DNS Security (DNSSEC)
+ Protects DNS data against forgery
+ Uses public key cryptography to sign authoritative zone data
+ Assures that the data origin is authentic
+ Assures that the data are what the authenticated data originator published
+ Trust model also uses public key cryptography
  + Parent zones sign public keys of child zones (root signs TLDs, TLDs sign registered domains…)
8. Public Key Cryptography in DNSSEC
+ Authority signs zone data with private key
+ Authorities must keep private keys secret!
[Figure: DNS Data → Sign with Private key → Signed DNS Data + Digital signatures → Publish → Authoritative server]
9. Public Key Cryptography in DNSSEC
+ Authority publishes its public key so that any recipient can use it to verify that "the data are correct and came from the right place"
[Figure: Authoritative server → Signed Zone Data → Validate with Public key → Validating recursive server]
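To make the signing, publishing and validation chain of slides 7 to 9 concrete, here is an added example in Python (not code from the deck or from ICANN): textbook RSA on Mersenne primes stands in for real DNSSEC keys, plain strings stand in for DS and RRSIG records, and the zone names, keys and forged record are constructed. A validator walks from a configured root trust anchor down to www.iana.org and rejects a poisoned answer like the one on slide 6.

```python
import hashlib

# Added example (not from the deck): toy DNSSEC chain of trust. Textbook RSA on
# Mersenne primes stands in for real keys; strings stand in for DS/RRSIG records.
E = 65537

def make_key(p, q):
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}
def digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
def sign(priv, text):        # authority signs with its secret private key
    return pow(digest(text), priv["d"], priv["n"])
def verify(pub, text, sig):  # anyone can check with the published public key
    return pow(sig, pub["e"], pub["n"]) == digest(text)
def key_digest(pub):         # DS record stand-in: hash of a child zone's public key
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()
def sign_zone(name, pub, priv, records):
    return {"name": name, "pub": pub, "records": {r: sign(priv, r) for r in records}}

def validate(anchor, zones, record):
    # Walk from the trust anchor down; True only if every link in the chain verifies.
    expected = key_digest(anchor)
    for i, zone in enumerate(zones):
        if key_digest(zone["pub"]) != expected:
            return False                      # zone key not vouched for by its parent
        if i + 1 == len(zones):
            sig = zone["records"].get(record)
            return sig is not None and verify(zone["pub"], record, sig)
        child = zones[i + 1]["name"]
        ds = next((r for r in zone["records"] if r.startswith(f"DS {child} ")), None)
        if ds is None or not verify(zone["pub"], ds, zone["records"][ds]):
            return False
        expected = ds.split()[2]
    return False

# Constructed keys and zones: root vouches for org's key, org for iana.org's key.
ROOT_PUB, ROOT_PRIV = make_key(2**521 - 1, 2**127 - 1)
ORG_PUB, ORG_PRIV = make_key(2**607 - 1, 2**107 - 1)
IANA_PUB, IANA_PRIV = make_key(2**1279 - 1, 2**89 - 1)
CHAIN = [sign_zone(".", ROOT_PUB, ROOT_PRIV, [f"DS org {key_digest(ORG_PUB)}"]),
         sign_zone("org", ORG_PUB, ORG_PRIV, [f"DS iana.org {key_digest(IANA_PUB)}"]),
         sign_zone("iana.org", IANA_PUB, IANA_PRIV, ["www.iana.org A 192.0.2.1"])]

def poisoned_chain():
    # A forger lacking iana.org's private key signs a bogus answer with its own key.
    bad_pub, bad_priv = make_key(2**2203 - 1, 2**61 - 1)
    bad = sign_zone("iana.org", bad_pub, bad_priv, ["www.iana.org A 192.168.1.2"])
    return CHAIN[:2] + [bad]
```

`validate(ROOT_PUB, CHAIN, "www.iana.org A 192.0.2.1")` returns True, while the same call on `poisoned_chain()` returns False because the forger's key digest does not match the DS record that org signed.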
10. ICANN's Role in DNSSEC Deployment
+ Manages root key with VeriSign and trusted international representatives of the Internet community
+ Processes requests for changes of public key and other records from registries at the top of the DNS
+ Educates and assists the Internet community with DNSSEC
+ Implements DNSSEC on its own domains
11. Obstacles to Broader DNSSEC Adoption
+ Browser and/or Operating System support
+ DNSSEC support from domain name registration service providers (registrars, resellers)
+ Misconceptions regarding key management, performance, software/hardware availability and reliability
12. DNSSEC Deployment
+ Fast pace of deployment at the TLD level
+ Deployed at root
+ Supported by software
+ Growing support by ISPs
+ Required by new gTLDs
→ Inevitable widespread deployment across core Internet infrastructure