SlideShare ist ein Scribd-Unternehmen logo

ION Bucharest - Deploying DNSSEC

Als PPTX, PDF herunterladen
Deploy360 Programme (Internet Society)
Deploy360 Programme (Internet Society)

This document summarizes Dan York's presentation on deploying DNSSEC. It discusses how DNSSEC helps ensure the integrity of DNS data by using digital signatures to authenticate DNS responses, preventing cache poisoning and man-in-the-middle attacks. It provides examples of normal DNS interactions versus attacks, and how DNSSEC establishes a chain of trust. The presentation also covers the current state of DNSSEC deployment, how it works in combination with TLS/SSL through DANE, and business reasons for organizations to deploy DNSSEC.

Technologie
1 von 46
Internet Society © 1992–2016 The role of the Internet Society (this report describes the timeline of activities of the Internet Society from the submission of the proposal to NTIA in March 2016 until September 30, 2016) The IANA Stewardship Transition Kathy Brown President & CEO October 6, 2016 Presentation title – Client name 1
Internet Society © 1992–2016 ION Bucharest October 12, 2016 Dan York, CISSP DNSSEC Program Manager – york@isoc.org Deploying DNSSEC 2
Trusted Internet 3 Trust in privacy of information (ex. encryption) Trust in online identity systems (ex. Kantara) Trust in network communication (ex. TLS, DANE) Trust in Internet identifiers (ex. DNSSEC) Trust in the Internet’s core infrastructure (ex. MANRS) Trust in cryptography (ex. Cryptech)
https://www.flickr.com/photos/powerbooktrance/466709245/ CC BY
Email Hijacking CERT-CC researchers have identified that someone was hijacking email by using DNS cache poisoning of MX records Could be prevented by DNSSEC deployment CERT-CC (Sept 10, 2014): — https://www.cert.org/blogs/certcc/post.cfm?EntryID=206 Deploy360 blog post (Sept 12, 2014): — http://wp.me/p4eijv-5jI
What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" • Defined in RFCs 4033, 4034, 4035 • Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain… 6
A Normal DNS Interaction 7 Web Server Web Browser https://example.com/ web page DNS Resolver example.com? 1 2 3 4 10.1.1.123 Resolver checks its local cache. If it has the answer, it sends it back. example.com 10.1.1.123 If not…
A Normal DNS Interaction 8 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
DNS Works On Speed First result received by a DNS resolver is treated as the correct answer. Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: Getting to the correct point in the network to provide faster responses; Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses) 9
Attacking DNS 10 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 192.168.2.2 4 Attacking DNS Svr example.com 192.168.2.2 example.com NS .com NS example.com?
A Poisoned Cache 11 Web Server Web Browser https://example.com/ web page DNS Resolver 1 2 3 4 192.168.2.2 Resolver cache now has wrong data: example.com 192.168.2.2 This stays in the cache until the Time-To-Live (TTL) expires! example.com?
How Does DNSSEC Help? DNSSEC introduces new DNS records for a domain: • RRSIG – a signature ("hash") of a set of DNS records • DNSKEY – a public key that a resolver can use to validate RRSIG A DNSSEC-validating DNS resolver: Uses DNSKEY to perform a hash calculation on received DNS records Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server. 12
A DNSSEC Interaction 13 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com?
A DNSSEC Interaction 14 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
The Global Chain of Trust 15 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
Attempting to Spoof DNS 16 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
Attempting to Spoof DNS 17 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 SERVFAIL 4 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 18 10/12/2016
The Two Parts of DNSSEC 19 Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 20 10/12/2016
DNSSEC Validation – Current State • About 15% of all global DNS queries validated • ~20% of all European DNS queries validated • All major DNS resolvers support DNSSEC validation – often with a simple config change 21 http://stats.labs.apnic.net/dnssec
DNSSEC Validation – Romania 22http://stats.labs.apnic.net/dnssec
DNSSEC Validation – Romania 23http://stats.labs.apnic.net/dnssec
DNSSEC Signing - The Individual Steps 24 Registry Registrar DNS Operator (or ”DNS Hosting Provider”) Domain Name Registrant • Signs TLD • Accepts DS records • Publishes/signs records • Accepts DS records • Sends DS to registry • Provides UI for mgmt • Signs zones • Publishes all records • Provides UI for mgmt • Enables DNSSEC (unless automatic)
DNSSEC Signing – Current State • Most TLDs now signed • including “new gTLDs” • Common DNS servers all support DNSSEC • Second-level domain support ranges from 100% in .BANK and 89% in .GOV down to < 1% in .COM • Still small % overall. 25 https://www.internetsociety.org/deploy360/d nssec/maps/
DNSSEC Signing – Second-level domains 26https://rick.eng.br/dnssecstat/
DNSSEC and TLS/SSL 27
Why Do I Need DNSSEC If I Have TLS? • A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) • Transport Layer Security (TLS), sometimes called by its older name of “SSL”, solves a different issue – it provides encryption and protection of the communication between the browser and the web server 28
The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver example.com? 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4
The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 Is this encrypted with the CORRECT certificate? example.com?
What About This? 31 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall (or attacker) https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
Problems? 32 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
Problems? 33 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ Log files or other servers Potentially including personal information TLS-encrypted web page with NEW certificate (re-signed by firewall)
Issues • A Certificate Authority (CA) can sign ANY domain. • Now over 1,500 CAs – there have been compromises where valid certs were issued for domains. • Middle-boxes such as firewalls can re-sign sessions. 34
DNS-Based Authentication of Named Entities (DANE) Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. An application that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate. 35
A Powerful Combination • TLS = encryption + limited integrity protection • DNSSEC = strong integrity protection • How to get encryption + strong integrity protection? • TLS + DNSSEC = DANE 36
DANE 37 Web Server Web Browser w/DANE https://example.com/ TLS-encrypted web page with CORRECT certificate DNS Server 10.1.1.123 DNSKEY RRSIGs TLSA 1 2Firewall (or attacker) https://example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)Log files or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. example.com?
DANE Success – Not Just For The Web SMTP 1000+ SMTP servers with TLSA records http://dane.sys4.de/ - testing service XMPP (Jabber) 400+ servers client-to-server & server-to-server https://xmpp.net/reports.php#dnssecdane 38
DANE Resources DANE Overview and Resources: http://www.internetsociety.org/deploy360/resources/dane/ IETF Journal article explaining DANE: http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: http://tools.ietf.org/html/rfc6394 RFC 6698 – DANE Protocol: http://tools.ietf.org/html/rfc6698 39
DNS Privacy 40
DNS Privacy • Issue - Queries from local DNS “stub resolver” (in PC, laptop, smartphone) to local DNS resolver are sent in clear • Surveillance of those queries can be revealing • Solution – Encrypt the connection
DNS Privacy 42 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
DNS Privacy – Work Underway Now • IETF “DPRIVE” Working Group • New standards emerging– DNS queries over TLS • Expect to see implementations in software and operating systems in the future
Business Reasons For Deploying DNSSEC • TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers. • SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking. • INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates. • CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet. 44
Three Requests For Attendees 1. Deploy DNSSEC validation (or ask your IT team / network operator) 1. Sign your domains • Work with your registrar and/or DNS hosting provider to make this happen. 2. Help promote support of DANE protocol • Let browser vendors and others know you want to use DANE. If you use SSL, deploy a TLSA record if you are able to do so. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120 Thank you. 46 Dan York Senior Content Strategist – york@isoc.org

Empfohlen

ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
Deploy360 Programme (Internet Society)
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work Better
Deploy360 Programme (Internet Society)
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
Deploy360 Programme (Internet Society)
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
Deploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape TownDeploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploy360 Programme (Internet Society)
 
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6labION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
Deploy360 Programme (Internet Society)
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
Deploy360 Programme (Internet Society)
 
ION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get InvolvedION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get Involved
Deploy360 Programme (Internet Society)
 

Empfohlen

ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
Deploy360 Programme (Internet Society)
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work Better
Deploy360 Programme (Internet Society)
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
Deploy360 Programme (Internet Society)
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
Deploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape TownDeploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploy360 Programme (Internet Society)
 
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6labION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
Deploy360 Programme (Internet Society)
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
Deploy360 Programme (Internet Society)
 
ION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get InvolvedION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get Involved
Deploy360 Programme (Internet Society)
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
Deploy360 Programme (Internet Society)
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
Deploy360 Programme (Internet Society)
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
Deploy360 Programme (Internet Society)
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
Deploy360 Programme (Internet Society)
 
ION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overviewION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overview
Deploy360 Programme (Internet Society)
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
wolfSSL
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
ThousandEyes
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
Deploy360 Programme (Internet Society)
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
Carlos Martinez Cagnazzo
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC Implementation
Kevin Meynell
 
ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network Operators
Deploy360 Programme (Internet Society)
 
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
nullhandle
 
DNS Security
DNS SecurityDNS Security
DNS Security
johnmcclure00
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018
wolfSSL
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
Carlos Martinez Cagnazzo
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubDecentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
KlaraOrban
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
Deploy360 Programme (Internet Society)
 
Appunti di Diritto Privato: Saggi
Appunti di Diritto Privato: SaggiAppunti di Diritto Privato: Saggi
Appunti di Diritto Privato: Saggi
profman
 
2 warning
2 warning2 warning
2 warning
Donna M. Lee
 

Weitere ähnliche Inhalte

Was ist angesagt?

ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
Deploy360 Programme (Internet Society)
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
wolfSSL
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubDecentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
KlaraOrban
 

Was ist angesagt? (20)

DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
 
ION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overviewION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overview
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC Implementation
 
ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network Operators
 
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
 
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubDecentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 

Andere mochten auch

State Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional ApplicationState Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional Application
Dmitry Nortsev
 
TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14
Barbara L. Nelson
 
evaluating software development team
evaluating software development teamevaluating software development team
evaluating software development team
sruthy lekshmanan
 
CHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICERCHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICER
Tram Duong
 

Andere mochten auch (13)

Appunti di Diritto Privato: Saggi
Appunti di Diritto Privato: SaggiAppunti di Diritto Privato: Saggi
Appunti di Diritto Privato: Saggi
 
2 warning
2 warning2 warning
2 warning
 
State Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional ApplicationState Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional Application
 
Icann idn program se asia 0.2
Icann idn program se asia 0.2Icann idn program se asia 0.2
Icann idn program se asia 0.2
 
APNIC Update: ARIN 37
APNIC Update: ARIN 37APNIC Update: ARIN 37
APNIC Update: ARIN 37
 
ION Hangzhou - About IETF
ION Hangzhou - About IETFION Hangzhou - About IETF
ION Hangzhou - About IETF
 
TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14
 
eBrochure
eBrochureeBrochure
eBrochure
 
evaluating software development team
evaluating software development teamevaluating software development team
evaluating software development team
 
CHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICERCHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICER
 
Universal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readinessUniversal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readiness
 
Tank sluice with tower head
Tank sluice with tower headTank sluice with tower head
Tank sluice with tower head
 
Identifying market segments and targets
Identifying market segments and targetsIdentifying market segments and targets
Identifying market segments and targets
 

Ähnlich wie ION Bucharest - Deploying DNSSEC

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
Deploy360 Programme (Internet Society)
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project Poster
Joe Minieri
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case Study
Deploy360 Programme (Internet Society)
 

Ähnlich wie ION Bucharest - Deploying DNSSEC (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project Poster
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic ManagerDNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case Study
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNS
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 

Mehr von Deploy360 Programme (Internet Society)

ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
Deploy360 Programme (Internet Society)
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
Deploy360 Programme (Internet Society)
 

Mehr von Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

Kürzlich hochgeladen

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

ION Bucharest - Deploying DNSSEC

  • 1. Internet Society © 1992–2016 The role of the Internet Society (this report describes the timeline of activities of the Internet Society from the submission of the proposal to NTIA in March 2016 until September 30, 2016) The IANA Stewardship Transition Kathy Brown President & CEO October 6, 2016 Presentation title – Client name 1
  • 2. Internet Society © 1992–2016 ION Bucharest October 12, 2016 Dan York, CISSP DNSSEC Program Manager – york@isoc.org Deploying DNSSEC 2
  • 3. Trusted Internet 3 Trust in privacy of information (ex. encryption) Trust in online identity systems (ex. Kantara) Trust in network communication (ex. TLS, DANE) Trust in Internet identifiers (ex. DNSSEC) Trust in the Internet’s core infrastructure (ex. MANRS) Trust in cryptography (ex. Cryptech)
  • 5. Email Hijacking CERT-CC researchers have identified that someone was hijacking email by using DNS cache poisoning of MX records Could be prevented by DNSSEC deployment CERT-CC (Sept 10, 2014): — https://www.cert.org/blogs/certcc/post.cfm?EntryID=206 Deploy360 blog post (Sept 12, 2014): — http://wp.me/p4eijv-5jI
  • 6. What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" • Defined in RFCs 4033, 4034, 4035 • Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain… 6
  • 7. A Normal DNS Interaction 7 Web Server Web Browser https://example.com/ web page DNS Resolver example.com? 1 2 3 4 10.1.1.123 Resolver checks its local cache. If it has the answer, it sends it back. example.com 10.1.1.123 If not…
  • 8. A Normal DNS Interaction 8 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
  • 9. DNS Works On Speed First result received by a DNS resolver is treated as the correct answer. Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: Getting to the correct point in the network to provide faster responses; Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses) 9
  • 10. Attacking DNS 10 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 192.168.2.2 4 Attacking DNS Svr example.com 192.168.2.2 example.com NS .com NS example.com?
  • 11. A Poisoned Cache 11 Web Server Web Browser https://example.com/ web page DNS Resolver 1 2 3 4 192.168.2.2 Resolver cache now has wrong data: example.com 192.168.2.2 This stays in the cache until the Time-To-Live (TTL) expires! example.com?
  • 12. How Does DNSSEC Help? DNSSEC introduces new DNS records for a domain: • RRSIG – a signature ("hash") of a set of DNS records • DNSKEY – a public key that a resolver can use to validate RRSIG A DNSSEC-validating DNS resolver: Uses DNSKEY to perform a hash calculation on received DNS records Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server. 12
  • 13. A DNSSEC Interaction 13 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com?
  • 14. A DNSSEC Interaction 14 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
  • 15. The Global Chain of Trust 15 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
  • 16. Attempting to Spoof DNS 16 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
  • 17. Attempting to Spoof DNS 17 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 SERVFAIL 4 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
  • 18. What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 18 10/12/2016
  • 19. The Two Parts of DNSSEC 19 Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
  • 20. What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 20 10/12/2016
  • 21. DNSSEC Validation – Current State • About 15% of all global DNS queries validated • ~20% of all European DNS queries validated • All major DNS resolvers support DNSSEC validation – often with a simple config change 21 http://stats.labs.apnic.net/dnssec
  • 22. DNSSEC Validation – Romania 22http://stats.labs.apnic.net/dnssec
  • 23. DNSSEC Validation – Romania 23http://stats.labs.apnic.net/dnssec
  • 24. DNSSEC Signing - The Individual Steps 24 Registry Registrar DNS Operator (or ”DNS Hosting Provider”) Domain Name Registrant • Signs TLD • Accepts DS records • Publishes/signs records • Accepts DS records • Sends DS to registry • Provides UI for mgmt • Signs zones • Publishes all records • Provides UI for mgmt • Enables DNSSEC (unless automatic)
  • 25. DNSSEC Signing – Current State • Most TLDs now signed • including “new gTLDs” • Common DNS servers all support DNSSEC • Second-level domain support ranges from 100% in .BANK and 89% in .GOV down to < 1% in .COM • Still small % overall. 25 https://www.internetsociety.org/deploy360/d nssec/maps/
  • 26. DNSSEC Signing – Second-level domains 26https://rick.eng.br/dnssecstat/
  • 28. Why Do I Need DNSSEC If I Have TLS? • A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) • Transport Layer Security (TLS), sometimes called by its older name of “SSL”, solves a different issue – it provides encryption and protection of the communication between the browser and the web server 28
  • 29. The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver example.com? 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4
  • 30. The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 Is this encrypted with the CORRECT certificate? example.com?
  • 31. What About This? 31 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall (or attacker) https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
  • 32. Problems? 32 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
  • 33. Problems? 33 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ Log files or other servers Potentially including personal information TLS-encrypted web page with NEW certificate (re-signed by firewall)
  • 34. Issues • A Certificate Authority (CA) can sign ANY domain. • Now over 1,500 CAs – there have been compromises where valid certs were issued for domains. • Middle-boxes such as firewalls can re-sign sessions. 34
  • 35. DNS-Based Authentication of Named Entities (DANE) Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. An application that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate. 35
  • 36. A Powerful Combination • TLS = encryption + limited integrity protection • DNSSEC = strong integrity protection • How to get encryption + strong integrity protection? • TLS + DNSSEC = DANE 36
  • 37. DANE 37 Web Server Web Browser w/DANE https://example.com/ TLS-encrypted web page with CORRECT certificate DNS Server 10.1.1.123 DNSKEY RRSIGs TLSA 1 2Firewall (or attacker) https://example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)Log files or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. example.com?
  • 38. DANE Success – Not Just For The Web SMTP 1000+ SMTP servers with TLSA records http://dane.sys4.de/ - testing service XMPP (Jabber) 400+ servers client-to-server & server-to-server https://xmpp.net/reports.php#dnssecdane 38
  • 39. DANE Resources DANE Overview and Resources: http://www.internetsociety.org/deploy360/resources/dane/ IETF Journal article explaining DANE: http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: http://tools.ietf.org/html/rfc6394 RFC 6698 – DANE Protocol: http://tools.ietf.org/html/rfc6698 39
  • 41. DNS Privacy • Issue - Queries from local DNS “stub resolver” (in PC, laptop, smartphone) to local DNS resolver are sent in clear • Surveillance of those queries can be revealing • Solution – Encrypt the connection
  • 42. DNS Privacy 42 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
  • 43. DNS Privacy – Work Underway Now • IETF “DPRIVE” Working Group • New standards emerging– DNS queries over TLS • Expect to see implementations in software and operating systems in the future
  • 44. Business Reasons For Deploying DNSSEC • TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers. • SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking. • INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates. • CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet. 44
  • 45. Three Requests For Attendees 1. Deploy DNSSEC validation (or ask your IT team / network operator) 1. Sign your domains • Work with your registrar and/or DNS hosting provider to make this happen. 2. Help promote support of DANE protocol • Let browser vendors and others know you want to use DANE. If you use SSL, deploy a TLSA record if you are able to do so. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
  • 46. Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120 Thank you. 46 Dan York Senior Content Strategist – york@isoc.org