DNS Security
Wolfgang Nagele, DNS Group Manager
Wolfgang Nagele, MENOG8, Al Khobar, May 2011 2
DNS: the Domain Name System
• Specified by Paul Mockapetris in 1983
• Distributed hierarchical database
– Main purpose: translate names to IP addresses
– Since then: extended to carry many other kinds of information (such as SPF and DKIM records)
• Critical Internet infrastructure
– Used by most systems (in the background)
DNS Tree Structure
How does it work?
What is the problem?
• UDP transport can be spoofed
– Anybody can pretend to originate a response: nothing in the packet proves who sent it, a reply only has to match the transaction ID, port and question of an outstanding query
• If a response is forged or modified, the user connects to a possibly malicious system
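As an added example, not part of the slides, the code below builds and parses DNS messages in wire format and spells out the only checks a non-validating resolver can apply to a UDP reply: source address, QR bit, the 16-bit transaction ID and the echoed question. Names, addresses and ports are constructed (RFC 5737 documentation space); the demo shows that a forged reply with a guessed transaction ID is accepted exactly like the genuine one.

```python
# Added example, not from the MENOG8 slides: a minimal DNS wire-format builder
# and parser that makes explicit what a resolver can check on a UDP reply.
# Names and addresses are constructed (RFC 5737 documentation space).
import os
import struct

QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000            # bit 15 of the header flags: 1 = response

def encode_name(name):
    """Domain name as length-prefixed labels, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, offset):
    """Decode a name, following RFC 1035 compression pointers.
    Returns (absolute lower-case name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: 14-bit pointer
            if end is None:
                end = offset + 2                   # the field ends after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", (offset if end is None else end)

def build_query(name, qtype=QTYPE_A, txid=None):
    """Recursive query with one question. Returns (txid, packet)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")   # the only secret in the exchange
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def build_response(txid, name, qtype, ipv4):
    """Reply carrying one A record. Any host that can emit a UDP datagram with a
    spoofed source can build this; only txid has to match the outstanding query."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    rr = struct.pack("!H", 0xC00C)                 # pointer to the qname at offset 12
    rr += struct.pack("!HHIH", qtype, QCLASS_IN, 300, 4)
    rr += bytes(int(octet) for octet in ipv4.split("."))
    return header + question + rr

def parse_message(pkt):
    """Parse header, question and answer sections (authority/additional skipped)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        owner, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((owner, rtype, rclass, ttl, pkt[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def accepts(outstanding, pkt, src):
    """Everything a non-validating resolver can check before caching a UDP reply:
    source address/port (forgeable), QR bit, 16-bit txid, and that the question
    section echoes what was asked. None of it is authenticated."""
    if src != outstanding["server"]:
        return False
    msg = parse_message(pkt)
    if not msg["flags"] & FLAG_QR or msg["id"] != outstanding["id"]:
        return False
    return msg["questions"] == [outstanding["question"]]

def demo():
    """Returns (genuine reply accepted, forgery with a wrong txid accepted,
    forgery with the right txid accepted). Constructed traffic, no network."""
    server = ("192.0.2.53", 53)
    txid, _query = build_query("www.example.net")
    outstanding = {"server": server, "id": txid,
                   "question": ("www.example.net.", QTYPE_A, QCLASS_IN)}
    genuine = build_response(txid, "www.example.net", QTYPE_A, "192.0.2.10")
    wrong_id = build_response((txid + 1) & 0xFFFF, "www.example.net", QTYPE_A, "203.0.113.66")
    right_id = build_response(txid, "www.example.net", QTYPE_A, "203.0.113.66")
    # The forger spoofs the server's address, so the source check passes in all three cases.
    return (accepts(outstanding, genuine, server),
            accepts(outstanding, wrong_id, server),
            accepts(outstanding, right_id, server))

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The transaction ID is 16 bits, so a resolver that keeps its source port fixed leaves an off-path attacker a 1-in-65536 guess per outstanding query; randomising the source port (RFC 5452) adds roughly another 16 bits, which raises the cost of forgery but does not remove it, which is why the talk turns to signatures next.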
The Solution
• Make the responses verifiable
– Cryptographic signatures over the DNS data
• A hierarchy already exists, so a Public Key Infrastructure is the logical choice
– Each parent vouches for its child's key, the same concept as used in eGovernment infrastructures
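An added example, not part of the presentation, of how the hierarchy becomes a PKI: each parent publishes a DS record, a SHA-256 digest over the child's owner name and key-signing DNSKEY (RFC 4034), and a validator walks DS to DNSKEY from the trust anchor down. The zone names and key bytes are constructed placeholders, not real RSA keys, and the RRSIG verification that must also hold on every link is left out.

```python
# Added example, not from the MENOG8 slides: the DS -> DNSKEY linkage that
# turns the DNS hierarchy into a PKI (RFC 4034). Key bytes are constructed
# placeholders, not real RSA keys; RRSIG verification on each link is omitted.
import hashlib
import hmac
import struct

FLAGS_KSK = 0x0101          # ZONE (256) + SEP (1): key-signing key
FLAGS_ZSK = 0x0100          # ZONE only: zone-signing key
PROTOCOL = 3                # fixed value for DNSSEC keys
ALG_RSASHA256 = 8
DS_DIGEST_SHA256 = 2

def canonical_name(name):
    """Owner name in canonical wire form: lower case, absolute, uncompressed."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B checksum that DS and RRSIG use to name a key.
    It only disambiguates keys; the digest below does the authenticating."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, rdata, digest_type=DS_DIGEST_SHA256):
    """DS RDATA the parent publishes for a child KSK:
    (key tag, algorithm, digest type, SHA-256(canonical owner || DNSKEY RDATA))."""
    digest = hashlib.sha256(canonical_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(ds, owner, rdata):
    """Does this DS from the parent commit to this DNSKEY served by the child?"""
    tag, algorithm, digest_type, digest = ds
    if digest_type != DS_DIGEST_SHA256:          # only SHA-256 digests handled here
        return False
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    expected = hashlib.sha256(canonical_name(owner) + rdata).digest()
    return hmac.compare_digest(digest, expected)

def ancestors(name):
    """'ripe.net.' -> ['.', 'net.', 'ripe.net.']"""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def walk_chain(zones, anchor_ds, target):
    """Walk from the trust anchor down to target, requiring at every zone that
    some served DNSKEY matches a DS published one level up. zones maps a zone
    name to {"dnskeys": [rdata, ...], "ds": {child_zone: [ds, ...]}}.
    Returns the validated zone list or raises ValueError at the broken link."""
    chain = ancestors(target)
    expected = [anchor_ds]                         # DS set the next zone must satisfy
    for i, zone in enumerate(chain):
        keys = zones.get(zone, {}).get("dnskeys", [])
        if not any(ds_matches(ds, zone, k) for ds in expected for k in keys):
            raise ValueError("no DNSKEY of %s matches the DS its parent publishes" % zone)
        if i + 1 < len(chain):
            expected = zones[zone].get("ds", {}).get(chain[i + 1], [])
            if not expected:                       # a real validator demands NSEC/NSEC3 proof here
                raise ValueError("%s publishes no DS for %s" % (zone, chain[i + 1]))
    return chain

def chain_is_valid(zones, anchor_ds, target):
    try:
        walk_chain(zones, anchor_ds, target)
        return True
    except ValueError:
        return False

def fake_key(seed):
    """Placeholder 'public key' bytes (RSA exponent prefix + filler), constructed for the demo."""
    return b"\x03\x01\x00\x01" + bytes((seed + i) % 256 for i in range(32))

def example_zones(tamper=False):
    """Constructed hierarchy root -> net. -> ripe.net.; with tamper=True the
    ripe.net. servers hand out a KSK the parent never published a DS for."""
    root_ksk = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, fake_key(1))
    net_ksk = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, fake_key(50))
    ripe_ksk = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, fake_key(100))
    ripe_zsk = dnskey_rdata(FLAGS_ZSK, ALG_RSASHA256, fake_key(150))
    served_ksk = dnskey_rdata(FLAGS_KSK, ALG_RSASHA256, fake_key(200)) if tamper else ripe_ksk
    zones = {
        ".": {"dnskeys": [root_ksk], "ds": {"net.": [ds_record("net.", net_ksk)]}},
        "net.": {"dnskeys": [net_ksk], "ds": {"ripe.net.": [ds_record("ripe.net.", ripe_ksk)]}},
        "ripe.net.": {"dnskeys": [served_ksk, ripe_zsk], "ds": {}},
    }
    return zones, ds_record(".", root_ksk)     # anchor: the root KSK in DS form
```

A production validator configures exactly one such anchor (the root KSK), and every zone below it is trusted only because the chain of DS digests and signatures leads back to that key; a zone whose parent publishes no DS is treated as unsigned, not as broken, which is why the NSEC/NSEC3 denial proof matters.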
How does it work with DNSSEC?
DNS Security Extensions: A Long Story
• 1990: Theoretical problem discovered (Bellovin)
• 1995: Work on DNSSEC started
• 1999: First support for DNSSEC in BIND
• 2005: Standard is redesigned (RFC 4033-4035) to better meet operational needs
– RIPE NCC along with .SE among the first to deploy it in their zones
DNS Security Extensions
• 2005 - 2008: Stalled deployments due to the lack of a signed root zone
• 2008: D. Kaminsky shows the practical use of the protocol weakness
– Focus comes back to DNSSEC
• July 2010: Root zone signed with DNSSEC
• March 2011: 69 of 306 TLDs signed
DNSSEC and the RIPE NCC
• Sponsor development of the NSD DNS software
• Participated in the “Deployment of Internet Security Infrastructure” project
– Signed all our DNS zones
– IPv4 & IPv6 reverse space
– E164.arpa
– ripe.net
• K-root server readiness for a signed root zone
Signing of the Root Zone
• Shared custody by the Root Zone maintainers
– Currently: U.S. DoC NTIA, IANA/ICANN, VeriSign
• Access to the key is split among 21 Trusted Community Representatives
• In production since July 2010
Deployment in ccTLDs: Europe
Deployment in ccTLDs: Middle East
OH NO!
Deployment in ccTLDs: Asia Pacific
Deployment in ccTLDs
Deployment in gTLDs
• .com/.net/.org (57% of all domains worldwide)
• .asia
• .cat
• .biz
• .edu
• .gov
• .info
• .museum
• .mobi (planned)
Deployment in Infrastructure TLD .arpa
• E164.arpa
– ENUM number mapping
– Signed by the RIPE NCC
• in-addr.arpa
– Reverse DNS for IPv4
• ip6.arpa
– Reverse DNS for IPv6
Are We Done?
• A signed TLD is not the same as a signed domain
– Thick registry model (Registry-Registrar-Registrant)
– Registrars need to enable their customers to pass public key data (the DS record for their zone) to the registry
• Ultimately responses should be verified by the end user
– Home routers need to support DNS specifications with large response packets (EDNS0 and UDP responses above the classic 512-byte limit)
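An added example, not the speaker's, of the piece of the protocol that such routers have to pass through: the EDNS(0) OPT pseudo-RR (RFC 6891) that a DNSSEC-aware client sends to advertise a UDP buffer larger than 512 bytes and to set the DO bit, plus the header checks that reveal a truncated or EDNS-stripped reply. Names and transaction IDs are constructed.

```python
# Added example, not from the MENOG8 slides: the EDNS(0) OPT pseudo-RR a
# DNSSEC-aware client sends (RFC 6891) and the header checks that reveal a
# truncated or EDNS-stripped reply. Names and transaction IDs are constructed.
import struct

TYPE_OPT = 41
EDNS_DO = 0x8000            # "DNSSEC OK": include RRSIG/DS/NSEC records in the reply
FLAG_TC = 0x0200            # header TC bit: reply did not fit, retry over TCP
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(udp_payload_size=4096, dnssec_ok=True, ext_rcode=0, version=0):
    """OPT RR: owner is the root name, TYPE 41, the CLASS field carries the
    sender's UDP reassembly buffer size, and the TTL field is reused for
    extended RCODE (8 bits), EDNS version (8 bits) and flags (16 bits, DO on top)."""
    ttl_field = (ext_rcode << 24) | (version << 16) | (EDNS_DO if dnssec_ok else 0)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl_field, 0)

def decode_opt(rr):
    """Inverse of opt_rr for a stand-alone OPT RR carrying no options."""
    if rr[0] != 0:
        raise ValueError("OPT owner name must be the root")
    rtype, bufsize, ttl_field, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != TYPE_OPT:
        raise ValueError("not an OPT RR")
    return {"bufsize": bufsize, "ext_rcode": ttl_field >> 24,
            "version": (ttl_field >> 16) & 0xFF,
            "do": bool(ttl_field & EDNS_DO), "rdlen": rdlen}

def build_dnssec_query(name, txid, qtype=QTYPE_A, bufsize=4096):
    """Query advertising a bufsize-byte UDP buffer with DO set; ARCOUNT=1 for the OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN) + opt_rr(bufsize)

def header_checks(pkt):
    """From the 12-byte header alone: TC set means the reply was truncated and
    must be retried over TCP; ARCOUNT 0 after a DO query means no OPT RR came
    back, so the responder or something in the path did not honour EDNS."""
    _txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", pkt[:12])
    return {"truncated": bool(flags & FLAG_TC), "arcount": arcount}
```

A client that never sees an OPT RR come back, or that only ever gets truncated replies to DO queries, is behind equipment that cannot carry DNSSEC responses; the usual workaround is to retry over TCP or with a smaller advertised buffer, at the cost of extra round trips.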
Leverage Infrastructure
• DNS is a cross-organisational data directory
• DNSSEC adds trust to this infrastructure
– Anybody can verify that data published under ripe.net was originated by the domain holder
– Could be used to make DKIM and SPF widely used and trusted
– SSL certificates can be trusted through the DNS
– More ideas to come …
What about SSL/TLS?
• SSL as a transport is well established
• The CA system currently in use is inherently broken
– Any Certificate Authority shipped with a browser to date can issue a certificate for any domain
– 100 and more are shipped in every browser
– If any one of them fails, security fails with it
– The recent incident with the Comodo CA is one example
• DANE working group at the IETF
DNSSEC and the Middle East
• ccTLDs need to get signed
• ISPs need to enable validation on their resolvers
• What keeps you from deploying?
• DNS workshop including DNSSEC at MENOG8