ION Toronto - Why Implement DNSSEC?

1. Why DNSSEC?
James Galvin, Ph.D.
Afilias Limited
11 November 2013
ION Toronto
© 2013 Afilias Limited
2. Afilias and DNSSEC
• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
  – Operator of INFO and MOBI
  – Host to 9 ccTLDs and 7 gTLDs
  – Have one of the largest DNS infrastructures
• Started with DNSSEC in 2008
  – Signed ORG in June 2009
  – ORG offered signed delegations in June 2010
  – Root signed in July 2010
  – Signed all TLDs and offered signed delegations soon after
3.
• DNSSEC Basics
• Benefits of DNSSEC
• Internet Future
5. What is DNSSEC?
• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
• This is most often used to bind an IP address to a domain name, e.g., to find a web site.
• The validation of the assertion is possible independent of its source.
• Benefits
  – Critical Infrastructure: everything uses the DNS
  – Hierarchical: delegate and distribute responsibility
6. DNSSEC-aware applications
[Diagram: "DNS with DNSSEC". Components shown: USER PC with Stub Resolver; DNSSEC Iterative Resolver with Local cache; ROOT SERVERS; TLD Authoritative NS; SLD Authoritative NS. Numbered steps 1, 2, 3 mark the resolver's DNSSEC-validated queries from the root down to the TLD and SLD authoritative servers.]
7. Who are the Players?
• Domain registration system
  – Registries: operate the TLDs
  – (Registrars): middleman between registry and registrant
  – Registrant: own, manage, and deploy domain names
• Domain name system
  – Root system
  – Registries
  – DNS Operators
• Community
  – ISPs
  – Users
9. Why DNSSEC?
• DNSSEC protects the DNS system from cache poisoning attacks, viz. the “Kaminsky Bug”
• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
• DNS is a critical infrastructure system. Virtually everything depends on it.
• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.
10. Without DNSSEC…
When you visit a web site, can you be sure you are communicating with the server that you think you are?
11. TLS/SSL and DNSSEC benefits
[Diagram comparing the two: a TLS/SSL Channel carrying Data, and DNS Data carried as DNSSEC-signed data ("Signed", "Guaranteed not tampered"). Properties labelled: Encryption, Authentication, Integrity.]
DNSSEC protects… users from DNS data tampered by or originating from malicious actors
13. Building Trusted Domains
• A domain name is just a label. Most commonly used to identify hosts and services.
  – Web sites
  – Application servers
• DNSSEC ensures we have the correct service/address
• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
• Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service
14. DNSSEC Challenges
• Security increases the baseline expertise required
• Key management becomes mainstream
  – Key rollover timings are subtle
• DNS operators are visibly essential
  – Transfers are a process
    • Key rollover is required
    • Losing and gaining operator must overlap services
• New relationship
  – DNS Operator and registrar/registry
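The delegation step from slide 5 (the parent zone vouching for the child's keys) and the operator-transfer overlap from slide 14 can be made concrete in a few lines. This is an added example, not code from the deck or from Afilias: it computes the DS record a parent publishes for a child DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest over owner name plus RDATA), then checks whether a validator would still find a matching DS at each stage of a transfer between two operators. The zone name example.org and both KSKs are constructed, hypothetical values.

```python
import hashlib
from dataclasses import dataclass

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # 8 = RSASHA256, 13 = ECDSAP256SHA256 (algorithm 1 tags differently; not handled)
    public_key: bytes  # raw public key bytes as they appear in the RDATA

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([3, self.algorithm]) + self.public_key  # protocol is always 3

    def key_tag(self) -> int:
        """RFC 4034 Appendix B.1: sum the RDATA as 16-bit words, fold the carry back in."""
        data, ac = self.rdata(), 0
        for i in range(0, len(data), 2):
            ac += (data[i] << 8) | (data[i + 1] if i + 1 < len(data) else 0)
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds(self) -> tuple:
        """DS record the parent publishes for this key: (key tag, algorithm, digest type 2, SHA-256 hex)."""
        digest = hashlib.sha256(name_to_wire(self.owner) + self.rdata()).hexdigest().upper()
        return (self.key_tag(), self.algorithm, 2, digest)

def delegation_is_secure(parent_ds_set: set, child_dnskeys: list) -> bool:
    """A validator trusts the child's keys only if at least one DNSKEY matches a DS at the parent."""
    return any(key.ds() in parent_ds_set for key in child_dnskeys)

# Constructed keys, not real zone data: the losing operator's KSK and the gaining operator's KSK.
OLD_KSK = DNSKEY("example.org", 257, 8, bytes(range(1, 65)))
NEW_KSK = DNSKEY("example.org", 257, 8, bytes(range(65, 129)))

def transfer_states() -> dict:
    """Parent DS set against child DNSKEY set at each step of an operator transfer."""
    return {
        "before": delegation_is_secure({OLD_KSK.ds()}, [OLD_KSK]),
        "overlap": delegation_is_secure({OLD_KSK.ds(), NEW_KSK.ds()}, [OLD_KSK, NEW_KSK]),
        "cut over too early": delegation_is_secure({OLD_KSK.ds()}, [NEW_KSK]),  # new keys, stale DS
        "after": delegation_is_secure({NEW_KSK.ds()}, [NEW_KSK]),
    }

for step, ok in transfer_states().items():
    print(f"{step:>18}: {'secure' if ok else 'bogus, validation fails'}")
```

The "cut over too early" row is the failure mode behind the overlap requirement: once the gaining operator serves only its own keys, every validating resolver treats the zone as bogus until the parent's DS set catches up.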
15. The demand for DNSSEC?
• A mix of pioneers, early adopters and legislated compliance
• In the early stages for registrant/user awareness
[Diagram: Barriers versus Incentives. Items shown: Complexity, Signing TLDs, Costs, New hw & sw solutions.]
16. What’s Next?
• Centralize the complexity
  – Registrars
  – DNS operators
  – Application service providers
• Keep it simple for the registrant/user
  – Should be invisible
• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we cannot yet imagine.
17. IETF and Pervasive Monitoring
• Last week leading engineers agreed that pervasive monitoring is a threat to the Internet
  – http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html
18. Thank You!
James Galvin
jgalvin “at” afilias.info
+1-215-706-5715
http://afilias.info/dnssec