The Business Case for DNSSEC

InterOp/ION Mumbai 2012
11 October 2012
richard.lamb@icann.org

The Business Case for DNSSEC

• Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.
• DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).
• DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.

Where DNSSEC fits in

• DNS converts names (www.tata.in) to numbers (64.37.102.54)
• ..to identify services such as www and e-mail
• ..that identify and link customers to business and vice versa

Where DNSSEC fits in

• ..but CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks
• DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents
• With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and vice versa)

The Original Problem: DNS Cache Poisoning Attack

[Animated slide (diagram). Labels: client at ISP / ENTERPRISE / END NODE asks "www.majorbank.se=?"; DNS Resolver; DNS Server (ENTERPRISE) with www.majorbank.se = 1.2.3.4; Attacker with www.majorbank.se = 5.6.7.8; the resolver answers 5.6.7.8; Get page, Login page, Username / Password and Error are exchanged with the Attacker webserver (www @ 5.6.7.8); Password database.]

Detailed description at: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Argghh! Now all ISP customers get sent to attacker.

[Animated slide (diagram). Labels: "www.majorbank.se=?" answered with 5.6.7.8 by the DNS Resolver; DNS Server with www.majorbank.se = 1.2.3.4; Get page, Login page, Username / Password and Error exchanged with the Attacker webserver (www @ 5.6.7.8); Password database.]

The Bad: DNSChanger - 'Biggest Cybercriminal Takedown in History' – 4M machines, 100 countries, $14M

Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/

End-2-end DNSSEC validation would have avoided the problems

The Bad: Brazilian ISP fall victim to a series of DNS attacks

7 Nov 2011 http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil

End-2-end DNSSEC validation would have avoided the problems

The Bad: Other DNS hijacks*

 • 25 Dec 2010 - Russian e-Payment Giant ChronoPay Hacked
 • 18 Dec 2009 – Twitter – "Iranian cyber army"
 • 13 Aug 2010 - Chinese gmail phishing attack
 • 25 Dec 2010 Tunisia DNS Hijack
 • 2009-2012 google.*
     – April 28 2009 Google Puerto Rico sites redirected in DNS attack
     – May 9 2009 Morocco temporarily seize Google domain name
 • 9 Sep 2011 - Diginotar certificate compromise for Iranian users
 • SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the certificate. Unfortunately, the majority of Web site certificates rely on DNS to validate identity.
 • DNS is relied on for unexpected things though insecure.

*A Brief History of DNS Hijacking - Google
http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf

The Good: Securing DNS with DNSSEC

[Animated slide (diagram). Labels: "www.majorbank.se=?" answered with 1.2.3.4 by the DNS Resolver with DNSSEC; DNS Server with DNSSEC with www.majorbank.se = 1.2.3.4; Attacker with www.majorbank.se = 5.6.7.8; "Attacker's record does not validate – drop it"; Get page, Login page, Username / Password and Account Data exchanged with the webserver (www @ 1.2.3.4).]

The Good: Resolver only caches validated records

[Animated slide (diagram). Labels: client at ISP / ENTERPRISE / END NODE asks "www.majorbank.se=?" and receives 1.2.3.4 from the DNS Resolver with DNSSEC; DNS Server with DNSSEC (ENTERPRISE) with www.majorbank.se = 1.2.3.4; Get page, Login page, Username / Password and Account Data exchanged with the webserver (www @ 1.2.3.4).]
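
The behaviour on the two "The Good" slides, as an added example that is not part of the original deck: a legacy cache and a validating cache receive the same two answers for www.majorbank.se. The toy RSA key built from two Mersenne primes, the text encoding of the record set and all function names are assumptions for illustration; real DNSSEC signs the RFC 4034 wire format and trusts the zone key through the DS chain from the root.

```python
import hashlib
from typing import NamedTuple, Optional

# Constructed toy zone key: the product of two Mersenne primes. It is trivially
# factorable and only serves to keep the example self-contained and offline.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                     # public key (a DNSKEY record in real DNSSEC)
_D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent, held by the zone signer
K = (N.bit_length() + 7) // 8             # modulus length in bytes

# DER DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures.
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


class RRset(NamedTuple):
    name: str
    rtype: str
    ttl: int
    rdatas: tuple


def _to_signed_bytes(rr: RRset) -> bytes:
    # Assumption: a readable text form stands in for the canonical wire format.
    lines = [f"{rr.name.lower()} {rr.ttl} IN {rr.rtype} {d}" for d in sorted(rr.rdatas)]
    return "\n".join(lines).encode()


def _emsa_pkcs1_v15(message: bytes) -> bytes:
    # 0x00 0x01 FF..FF 0x00 DigestInfo, padded to the modulus length.
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_rrset(rr: RRset) -> int:
    """Zone-signer side: produce the signature an RRSIG record would carry."""
    return pow(int.from_bytes(_emsa_pkcs1_v15(_to_signed_bytes(rr)), "big"), _D, N)


def verify_rrset(rr: RRset, sig: Optional[int]) -> bool:
    """Resolver side: check the signature using only the zone's public key."""
    if sig is None or not 0 <= sig < N:
        return False
    return pow(sig, E, N).to_bytes(K, "big") == _emsa_pkcs1_v15(_to_signed_bytes(rr))


def legacy_cache(responses):
    """Legacy DNS: the first answer to arrive is cached without authentication."""
    cache = {}
    for rr, _sig in responses:
        cache.setdefault((rr.name, rr.rtype), rr.rdatas)
    return cache


def validating_cache(responses):
    """DNSSEC: only records whose signature validates are cached; others are dropped."""
    cache, dropped = {}, []
    for rr, sig in responses:
        if verify_rrset(rr, sig):
            cache.setdefault((rr.name, rr.rtype), rr.rdatas)
        else:
            dropped.append(rr)
    return cache, dropped


def run_scenario():
    """Constructed responses using the name and addresses shown on the slides."""
    genuine = RRset("www.majorbank.se", "A", 300, ("1.2.3.4",))
    forged = RRset("www.majorbank.se", "A", 300, ("5.6.7.8",))
    genuine_sig = sign_rrset(genuine)
    # The forged answer arrives first and carries the genuine signature, which
    # does not cover the altered address.
    responses = [(forged, genuine_sig), (genuine, genuine_sig)]
    legacy = legacy_cache(responses)
    validated, dropped = validating_cache(responses)
    return legacy, validated, dropped


if __name__ == "__main__":
    legacy, validated, dropped = run_scenario()
    print("legacy cache:    ", legacy)
    print("validating cache:", validated)
    print("dropped:         ", [r.rdatas for r in dropped])
```

The validating cache needs only the public values `N` and `E`; the signing exponent never leaves the zone operator, which is why a resolver can reject the altered record without contacting the bank.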
  
DNSSEC interest from governments

     • Sweden, Brazil, Netherlands and others encourage DNSSEC deployment to varying degrees
     • Mar 2012 - AT&T, CenturyLink (Qwest), Comcast, Cox, Sprint, TimeWarner Cable, and Verizon have pledged to comply and abide by US FCC [1] recommendations that include DNSSEC. "A report by Gartner found 3.6 million Americans getting redirected to bogus websites in a single year, costing them $3.2 billion." [2]
     • 2008 US .gov mandate. >60% operational. [3]

[1] FCC=Federal Communications Commission=US communications Ministry
[2] http://securitywatch.pcmag.com/security/295722-isps-agree-to-fcc-rules-on-anti-botnet-dnssec-internet-routing
[3] http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf

Security as Differentiator and Edge

• Differentiator
       – Increased cyber security awareness for govts and industry
       – Major ISP says security now on checklist for customers
• DNSSEC Service and Support
       – 94/316 TLDs (e.g., .com, .in, .nl, ..)
       – Growing ISPs adoption*
       – Available to 84% of domains
       – Vendor support (ISC/BIND, Microsoft..)
       – gTLDs (e.g., .bank, .search) require it

*COMCAST Internet (18M), TeliaSonera SE, Sprint, Vodafone CZ, Telefonica CZ, T-mobile NL, SurfNet NL, SANYO Information Technology Solutions JP, others..

DNS is a part of all IT ecosystems

[Diagram. Labels: +1-202-709-5262; VoIP; US-NSTIC effort; OECS ID effort; lamb@xtcn.com; Smart Electrical Grid; mydomainname.com]

The Bad: SSL Dilution of Trust
The Good: DNSSEC = Global "free" PKI

CA Certificate roots ~1482
DNSSEC root - 1

[Diagram. Labels:]
• Content security: Commercial SSL Certificates for Web and e-mail
• Content security: "Free SSL" certificates for Web and e-mail and "trust agility"
• Cross-organizational and trans-national identity and authentication
• Network security: IPSECKEY RFC4025
• E-mail security: DKIM RFC4871
• Securing VoIP
• Login security: SSHFP RFC4255
• Domain Names
• DANE and other yet to be discovered security innovations, enhancements, and synergies

https://www.eff.org/observatory
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/

Opportunity: New Security Products

• Improved Web SSL and certificates for all*
• Secured e-mail (S/MIME) for all*
• Validated remote login SSH, IPSEC*
• Securing VoIP
• Cross organizational digital identity systems
• Secured content delivery (e.g. configurations, updates, keys)
• Securing Smart Grid efforts
• A global PKI
• Increasing trust in e-commerce

A good ref http://www.internetsociety.org/deploy360/dnssec/
*IETF standards complete or currently being developed

DNSSEC: Internet infrastructure upgrade to help address today's needs and create tomorrow's opportunity.

The Internet's Phone Book - Domain Name System (DNS+DNSSEC)

[Animated slide (diagram). Labels: client at ISP / HotSpot / Enterprise / End Node asks "www.majorbank.se=?" and receives 1.2.3.4 from the DNS Resolver; DNS Server for Majorbank.se (Registrant) with www.majorbank.se = 1.2.3.4; DNS Server for .se (Registry); DNS Server for . (Root); Get page, Login page, Username / Password and Account Data exchanged with the webserver (www @ 1.2.3.4).]

 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

ION Mumbai - Richard Lamb: Why DNSSEC?

  • 1. The Business Case for DNSSEC. InterOp/ION Mumbai 2012, 11 October 2012. richard.lamb@icann.org
  • 2. The Business Case for DNSSEC
      • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.
      • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).
      • DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.
  • 3. Where DNSSEC fits in
      • DNS converts names (www.tata.in) to numbers (64.37.102.54)
      • ..to identify services such as www and e-mail
      • ..that identify and link customers to business and vice versa
  • 4. Where DNSSEC fits in
      • ..but CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks
      • DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents
      • With DNSSEC fully deployed a business can be sure a customer gets unmodified data (and vice versa)
  • 5. The Original Problem: DNS Cache Poisoning Attack
      [Animated slide; diagram labels: query "www.majorbank.se=?"; DNS Resolver (ISP / ENTERPRISE / END NODE); DNS Server answer "www.majorbank.se = 1.2.3.4"; Attacker answer "www.majorbank.se = 5.6.7.8"; resolver returns 5.6.7.8; Get page; Login page; Username / Password; Error; Attacker webserver www @ 5.6.7.8; Password database; ENTERPRISE]
      Detailed description at: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
  • 6. Argghh! Now all ISP customers get sent to attacker.
      [Animated slide; diagram labels: query "www.majorbank.se=?"; DNS Resolver; DNS Server answer "www.majorbank.se = 1.2.3.4"; resolver returns 5.6.7.8; Get page; Login page; Username / Password; Error; Attacker webserver www @ 5.6.7.8; Password database]
  • 7. The Bad: DNSChanger - ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M
      Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
      End-2-end DNSSEC validation would have avoided the problems
  • 8. The Bad: Brazilian ISP falls victim to a series of DNS attacks
      7 Nov 2011 http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil
      End-2-end DNSSEC validation would have avoided the problems
  • 9. The Bad: Other DNS hijacks*
      • 25 Dec 2010 - Russian e-Payment Giant ChronoPay Hacked
      • 18 Dec 2009 – Twitter – “Iranian cyber army”
      • 13 Aug 2010 - Chinese gmail phishing attack
      • 25 Dec 2010 Tunisia DNS Hijack
      • 2009-2012 google.*
          – April 28 2009 Google Puerto Rico sites redirected in DNS attack
          – May 9 2009 Morocco temporarily seize Google domain name
      • 9 Sep 2011 - Diginotar certificate compromise for Iranian users
      • SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the certificate. Unfortunately, the majority of Web site certificates rely on DNS to validate identity.
      • DNS is relied on for unexpected things though insecure.
      *A Brief History of DNS Hijacking - Google http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf
  • 10. The Good: Securing DNS with DNSSEC
      [Animated slide; diagram labels: "Attacker’s record does not validate – drop it"; query "www.majorbank.se=?"; DNS Resolver with DNSSEC; DNS Server with DNSSEC answer "www.majorbank.se = 1.2.3.4"; Attacker answer "www.majorbank.se = 5.6.7.8"; resolver returns 1.2.3.4; Get page; Login page; Username / Password; Account Data; webserver www @ 1.2.3.4]
  • 11. The Good: Resolver only caches validated records
      [Animated slide; diagram labels: query "www.majorbank.se=?"; DNS Resolver with DNSSEC (ISP / ENTERPRISE / END NODE); DNS Server with DNSSEC answer "www.majorbank.se = 1.2.3.4"; resolver returns 1.2.3.4; Get page; Login page; Username / Password; Account Data; webserver www @ 1.2.3.4; ENTERPRISE]
  • 12. DNSSEC interest from governments
      • Sweden, Brazil, Netherlands and others encourage DNSSEC deployment to varying degrees
      • Mar 2012 - AT&T, CenturyLink (Qwest), Comcast, Cox, Sprint, TimeWarner Cable, and Verizon have pledged to comply and abide by US FCC [1] recommendations that include DNSSEC.. “A report by Gartner found 3.6 million Americans getting redirected to bogus websites in a single year, costing them $3.2 billion.” [2]
      • 2008 US .gov mandate. >60% operational. [3]
      [1] FCC = Federal Communications Commission = US communications Ministry
      [2] http://securitywatch.pcmag.com/security/295722-isps-agree-to-fcc-rules-on-anti-botnet-dnssec-internet-routing
      [3] http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf
  • 13. Security as Differentiator and Edge
      • Differentiator
          – Increased cyber security awareness for govts and industry
          – Major ISP says security now on checklist for customers
      • DNSSEC Service and Support
          – 94/316 TLDs (e.g., .com, .in, .nl, ..)
          – Growing ISP adoption*
          – Available to 84% of domains
          – Vendor support (ISC/BIND, Microsoft..)
          – gTLDs (e.g., .bank, .search) require it
      *COMCAST Internet (18M), TeliaSonera SE, Sprint, Vodafone CZ, Telefonica CZ, T-mobile NL, SurfNet NL, SANYO Information Technology Solutions JP, others..
  • 14. DNS is a part of all IT ecosystems
      [Diagram labels: VoIP (+1-202-709-5262); US-NSTIC effort; OECS ID effort; lamb@xtcn.com; Smart Electrical Grid; mydomainname.com]
  • 15. The Bad: SSL Dilution of Trust. The Good: DNSSEC = Global “free” PKI
      [Diagram labels:
        CA Certificate roots ~1482
        DNSSEC root - 1
        Content security: Commercial SSL Certificates for Web and e-mail
        Content security: “Free SSL” certificates for Web and e-mail and “trust agility”
        Cross-organizational and trans-national identity and authentication
        Network security: IPSECKEY RFC4025
        E-mail security: DKIM RFC4871
        Login security: SSHFP RFC4255
        Securing VoIP
        Domain Names
        DANE and other yet to be discovered security innovations, enhancements, and synergies]
      https://www.eff.org/observatory
      http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/
  • 16. Opportunity: New Security Products
      • Improved Web SSL and certificates for all*
      • Secured e-mail (S/MIME) for all*
      • Validated remote login SSH, IPSEC*
      • Securing VoIP
      • Cross organizational digital identity systems
      • Secured content delivery (e.g. configurations, updates, keys)
      • Securing Smart Grid efforts
      • A global PKI
      • Increasing trust in e-commerce
      A good ref http://www.internetsociety.org/deploy360/dnssec/
      *IETF standards complete or currently being developed
  • 17. DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.
  • 18. The Internet’s Phone Book - Domain Name System (DNS+DNSSEC)
      [Animated slide; diagram labels: query "www.majorbank.se=?"; DNS Resolver (ISP / HotSpot / Enterprise / End Node); answer "www.majorbank.se = 1.2.3.4"; resolver returns 1.2.3.4; DNS Servers for Majorbank.se (Registrant), .se (Registry) and . (Root); Get page; Login page; Username / Password; Account Data; webserver www @ 1.2.3.4]
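
A client-side check for the behaviour on slides 10 and 11, added here as an example and not taken from the slides: it builds a query with the EDNS0 DO bit set and classifies a resolver's reply by the AD (authenticated data) flag and the SERVFAIL code, which is how a validating resolver reports validated and dropped records. The function names and sample replies are constructed for illustration; the AD flag and DO bit come from RFC 4035 and RFC 3225, which go beyond what the deck covers.

```python
import struct

# DNS header flag masks: QR (response) from RFC 1035, AD from RFC 4035.
QR, AD, RCODE_MASK = 0x8000, 0x0020, 0x000F
SERVFAIL = 2

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Build an IN-class query (default type A) with RD=1 and EDNS0 DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended flags with DO (0x8000) set, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify_response(msg, expected_txid):
    """Classify a reply from a resolver by its header alone."""
    if len(msg) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", msg[:4])
    if not (flags & QR) or txid != expected_txid:
        return "mismatch"          # not a reply to our query: discard
    if (flags & RCODE_MASK) == SERVFAIL:
        return "servfail"          # validating resolvers answer bogus data this way
    return "validated" if flags & AD else "unvalidated"

def sample_response(txid, flags):
    """Constructed header-only reply (no records), for demonstration."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    txid = 0x1234
    print(build_query("www.majorbank.se", txid).hex())
    for label, flags in [("AD set", 0x81A0), ("AD clear", 0x8180),
                         ("SERVFAIL", 0x8182)]:
        print(label, "->", classify_response(sample_response(txid, flags), txid))
```

The AD flag is only as trustworthy as the path between the client and the resolver, so an end node that cannot trust that path has to validate the signatures itself.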