day 2 dns cert 3 dns organizations
DESCRIPTION
Presentation by ICANNTRANSCRIPT
DNS Security for CERTs- DNS Organizational Structures & Policy -
Chris EvansDelta Risk, LLC
7 March 2010
1
Overview
• Organizational Alphabet Soup
– Policy, Standards & Governance
– Technical Operators
• Registry Structures
• Relevant Policy Issues
2
Organizational Alphabet Soup
3
ICANNSSAC, RSSAC, ALAC, GAC…
IANA
IGF
IETF
IAB
ISOC
gTLD
ccTLD
RIR
RO
ASO
RSO
Organizational Alphabet Soup
• ICANN – Internet Corporation for Assigned Names and Numbers – coordinates unique identifiers (names and numbers) and ensure their stable and secure operation.
– ICANN has several technical and policy committees which operate independently
• SSAC – Security and Stability Advisory Council
• RSSAC – Root Server System Advisory Council
• ALAC – At Large Advisory Council
• ccNSO – Country Code Name Supporting Organization
• GNSO – Generic Names Supporting Organization
• ASO - Address Supporting Organization
4
Organizational Alphabet Soup
• IANA – Internet Assigned Numbers Authority –allocates and maintains unique codes and numbering systems; manages & publishes root zone
• ISOC – Internet Society – global nonprofit supporting Internet standards, education & policy
• IETF – Internet Engineering Task Force – produces engineering documents that describe the design, use and management of the Internet
• IAB – Internet Architecture Board - provides architectural oversight of IETF, oversight & appeals of Internet standards.
• IGF – Internet Governance Forum – multi-stakeholder forum for discussing policy issues
5
Organizational Alphabet Soup
• RIR – Regional Internet Registry – perform identification assignment (IP addresses & AS numbers) within geographic region– ARIN
– RIPENCC
– LACNIC
– AFRINIC
– APNIC
• gTLD – generic Top Level Domain – function as registry for unrestricted, sponsored, geographic, or commecialdomains
• ccTLD – country code Top Level Domain - function as registry for their respective countries
6
Organizational Alphabet Soup
• RO – Root Operator – an operator of one of the 13 named root servers.
• ASO – Authoritative Server Operator – an operator of an authoritative name server; typically an enterprise’s IT department, TLD operator, or even outsourced providers
• RSO – Recursive Server Operator – an operator of a recursive or caching name server; can be anyone running DNS server software!
7
Organizational Alphabet Soup
• Regional TLD Organization – membership based organizations supporting TLDs within a geographic region– LACTLD – Latin America, South America, Carribean
– CENTR - Europe
– AFTLD - Africa
– APTLD – Asia (including middle east) and Pacific
• Registry – an entity given the authority to operate a top level domain; manages zone and administrative data; typically an organization, business, government, university or network operators center
• Registrar – an entity accredited by ICANN to register domains at retail within one or more TLDs.
8
Registry Structures
• Registries Come in All Shapes and Sizes
– Structure, Technical Implementation, Goals & Policies
• “Models” Define How the Registry Operates
– 2R vs. 3R
– Thick vs. Thin
– 2 vs. 3 Levels
9
Registry Structures
• Registry “2R” Model
– Registry - Registrant
– Registry provides direct registrations to consumers
– Registrants request domains directly through registry
10
Registry
RegistrantRegistrant
• Simple model
• Doesn’t scale without
lots of work from registry
• Direct customer
relationships
Registry Structures
• Registry “2R” Model
– Registry - Registrant
– Registry provides direct registrations to consumers
– Registrants request domains directly through registry or optionally through a direct reseller
11
• Simple model
• Direct customer
relationships
• Offloads some
“customer interface”
work from registry to
reseller
Registry
Registrant
Registrant
Reseller
Registry Structures
• Registry “3R” Model
– Registry – Registrar – Registrant
– Registrars interface between customer and registry
12
• More stakeholders ->
more policies / business
models
• Less work for registry
(automation / EPP) –
• Focus on DNS
services
Registry
Registrant
Reseller
Registrar
Registrant
Registrar
Registry Structures
• Registries can define WHERE their customer administrative data resides (WHOIS)
– Thick – the registry stores all customer data for registrations regardless of _WHERE_ it originates (direct, registrar)
– Thin – Registrars manage all customer data for their registrants and serve this information via WHOIS
13
TLDWHOIS
TLD
WHOIS
Registrar
Registrar
Thick Thin
Registrar
Registry Structures
• Registries define how subdomains are permitted –either at the top or second level.
• Top level – delegations fall immediately under the top level
– E.g. www.google.jo
• Second level – delegations fall under a generic domain, under the top level
– E.g. www.moict.gov.jo
• Registries can pick one or the other, or do both!
14
Policies
• Policies govern how registries operate, from internal workings to dealing with customers.
• Policies can be derived from operational necessities, business goals, or best practices in use by other registries
• Policies vary by registry – and vary nearly as widely as the registries themselves.
• Its important for registries to define policies to respond and operate in a consistent manner
• Frequently, there is no right or wrong policy – what matters is the registry’s definition of that policy.
15
The wrong policy is NO policy…
Policy
16
Some Policies of Note…
Policy
• Registrant Requirements
– This policy defines the requirements to register a domain with the registry; specifically addresses issues like residency or ownership
• Things that may restrict registrations to only local or national entities:
– Desire to limit competition from foreign entities
– Desire for nationalism
• Things that may encourage registration from foreign entities:
– Access to a larger pool of customers
17
Policy
• Dispute Resolution– A controversial subject; one that is used infrequently, but
must be defined before its needed!
– Disputes may arise between potential registrants for a domain name – each claiming the “right” to register it,
- or -
- Disputes may arise between current registrant a one that desires ownership of the domain
• Policy should define the notion of “ownership”, the process of determining “ownership”, and process for arbitrating a claim of “ownership”– First come / first served = “ownership”
– International trademark or copyright = “ownership”
18
Policy
• Registration Process
– This policy defines how the registry accepts requests for registrations, validates, and publishes them
– Usually defined by operational necessity• Larger registries that process hundreds of registrations per day
will use automated processes as much as possible
• Smaller registries may use manual processes
• Policy should cover registrant data verification
– Automated, multi-factor, out-of-band, etc
– Desire to detect and restrict malicious registrations?
– How should the registry define “malicious”?
19
Tough
Question!
Policy
• Information Release (WHOIS)– This policy defines how the registry handles “privacy”
information and what information it publicly publishes
– The traditional approach is to publish administrative and technical point of contact information for each domain
• BUT, some registries / registrars offer a “anonymous” registration service which publishes “empty” or generic information
– This may be governed by local, national, or organizational privacy policies.
• This policy should cover what information can be published, to who & where, how the policy is conveyed to registrants, and what to release to law enforcement or government agencies.
20
Policy
• Pricing / Funding Model– This policy defines how much domain registrations, their
renewal, transfer or other “action” cost.
– Additional or value-added services may also be defined
• This policy should address costs to registrants, registrars and resellers accordingly and is likely defined by the registry’s business model.– Registries set their own prices, from free to $$$$
– Some registries are funded by their governments, some are non-profits, some are for-profit corporations.
– Competition with gTLDs (e.g. .COM) may drive pricing decisions
– Prices may be different for local and foreign registrants, for resellers, and for registrars
21
Policy
• Permissible Registrations
– This policy defines what domain names may be registered
• Factors affecting “permissible” registrations:
– Religion & Culture – some names may be offensive
– Technical – some characters are disallowed by the RFC, or some may not be allowed by the registry system
– Operational – International Domain Names may not be supported
– Business – some names may be restricted based on international trademarks or intellectual property
22
Policy
• Takedown
– A very controversial topic, this defines how the registry may temporarily or permanently deactivate a registration
– More importantly, under what circumstances it may do so.
• Policy should account for:
– Business concerns / loss of revenue
– Upset customers?
– Malicious use (what is malicious?)
– Legality of denying freedom of speech
– Fallout of not following a government / law enforcement order
23
A Hypothetical Example
Let’s take the simple example of a registration made for the purpose of conducting a phishing attack.
• The domain name closely resembles that used by an international bank
• The registrant provides fake name and address for registration
• The registrant uses the domain to propagate a phishing attack, soliciting bank customers for their usernames and passwords.
Who’s responsible and who’s accountable?• The malicious registrant? How do you find him?• The registry? They didn’t validate the registrant – but they get
5000 a day• The bank? They didn’t educate their customers on phishing
attacks
24
Take Aways
• The DNS operationally is simple; organizationally, it’s a much different story – there are many (widely varying) stakeholders involved
• Policies define how registries operate, but are frequently ill-defined and untested
• Unlike the traditional network security world, which has CERTs and NOCs focusing on operating systems and applications, the DNS has no equivalent structure for focusing on security
25
Review
• DNS Organizations
– ICANN, IANA, RIR, IGF, … ABC, XYZ…
• Registry Structures
– 2R vs. 3R
– Thick vs. Thin
– Top vs. Second Level Domains
• Policies
– Registrations, Dispute Resolution, Price, Takedown …
26
Questions?
27
?