dnssec basics, risks and benefits
DESCRIPTION
DNSSEC Basics, Risks and Benefits. Olaf M. Kolkman [email protected]. This presentation. About DNS and its vulnerabilities DNSSEC status DNSSEC near term future. Zone administrator. Registry/Registrar. 1. 2. 3. 4. 5. Zone file. Provisioning. slaves. DNS: Data Flow. master. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/1.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
DNSSECBasics, Risks and Benefits
Olaf M. Kolkman
![Page 2: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/2.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
This presentation
• About DNS and its vulnerabilities• DNSSEC status• DNSSEC near term future
![Page 3: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/3.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
DNS: Data Flow
master Caching forwarder
resolver
Zone administrator
Zone file
Dynamicupdates
1
2
slaves
3
4
5
Registry/Registrar
Provisioning
![Page 4: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/4.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
DNS Vulnerabilities
master Caching forwarder
resolver
Zone administrator
Zone file
Dynamicupdates
1
2
slaves
3
4
5Corrupting data
Impersonating master
Unauthorized updates
Cache impersonation
Cache pollution byData spoofing
Altered zone data
Registry/Registrar
Provisioning
![Page 5: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/5.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
DNS exploit example
• Mail gets delivered to the MTA listed in the MX RR.
• Man in the middle attack.
Sending MTA
Blackhat MTA
Receiving MTA
Resolver
MX RR? MX RR
MX RR
![Page 6: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/6.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Mail man in the middle
• ‘Ouch that mail contained stock sensitive information’– Who per default encrypts all their mails?
• We’ll notice when that happens, we have log files– You have to match address to MTA for each
logline.
![Page 7: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/7.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Other possible DNS targets
• SPF, DomainKey and family– Technologies that use the DNS to mitigate spam
and phishing: $$$ value for the black hats
• StockTickers, RSS feeds– Usually no source authentication but supplying
false stock information via a stockticker and via a news feed can have $$$ value
• ENUM– Mapping telephone numbers to services in the DNS
• As soon as there is some incentive
![Page 8: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/8.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Mitigate by deploying SSL?
• Claim: SSL is not the magic bullet– (Neither is DNSSEC)
• Problem: Users are offered a choice– happens to often– users are not surprised but annoyed
• Not the technology but the implementation and use makes SSL vulnerable
• Examples follow
![Page 9: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/9.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
www.robecodirect.nlwww.robecoadvies.nl
Example 1: mismatched CN
![Page 10: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/10.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Unknown Certificate Authority
Example 2: Unknown CA
![Page 11: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/11.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Confused?
![Page 12: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/12.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
How does DNSSEC come into this picture
• DNSSEC secures the name to address mapping– before the certificates are needed
• DNSSEC provides an “independent” trust path.– The person administering “https” is most probably a
different from person from the one that does “DNSSEC”
– The chains of trust are most probably different– See acmqueue.org article: “Is Hierarchical Public-
Key Certification the Next Target for Hackers?”
![Page 13: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/13.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Any Questions so far?
• We covered some of the possible motivations for DNSSEC deployment
• Next: What is the status of DNSSEC, can it be deployed today?
![Page 14: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/14.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
DEPLOYMENT NOWDNS server infrastructure related
` APP
STUB
Protocol spec is clear on:• Signing• Serving• Validating
Implemented in• Signer• Authoritative servers• Security aware
recursive nameservers
signing
serving
validating
![Page 15: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/15.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Main Problem Areas
• “the last mile”• Key management and key distribution• NSEC walk
improvement
![Page 16: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/16.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
The last mile
` APP
STUB
• How to get validation results back to the user
• The user may want to make different decisions based on the validation result– Not secured– Time out– Crypto failure– Query failure
• From the recursive resolver to the stub resolver to the Application
validating
![Page 17: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/17.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Problem Area
` APP
STUB
Key Management• Keys need to
propagate from the signer to the validating entity
• The validating entity will need to “trust” the key to “trust” the signature.
• Possibly many islands of security
signing
validating
![Page 18: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/18.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Secure Islands and key management
net.
money.net. kids.net.
geerthecorp
dev market dilbert
unixmacmarnick
nt
os.net.
com.
.
![Page 19: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/19.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Secure Islands
• Server Side– Different key management policies for all these
islands– Different rollover mechanisms and frequencies
• Client Side (Clients with a few to 10, 100 or more trust-anchors)– How to keep the configured trust anchors in sync
with the rollover– Bootstrapping the trust relation
![Page 20: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/20.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
NSEC walk
• The record for proving the non-existence of data allows for zone enumeration
• Providing privacy was not a requirement for DNSSEC
• Zone enumeration does provide a deployment barrier
• Work starting to study possible solutions– Requirements are gathered– If and when a solution is developed it will be co-
existing with DNSSEC-BIS !!!– Until then on-line keys will do the trick.
![Page 21: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/21.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Current work in the IETF(a selection based on what fits on one slide)
Last Mile• draft-gieben-resolver-application-interfaceKey Rollover• draft-ietf-dnsext-dnssec-trustupdate-timers• draft-ietf-dnsext-dnssec-trustupdate-tresholdOperations• draft-ietf-dnsop-dnssec-operationsNSEC++• draft-arends-dnsnr• draft-ietf-dnsext-nsec3• draft-ietf-dnsext-trans
![Page 22: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/22.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
Questions???
or send questions and feedback to [email protected]
![Page 23: DNSSEC Basics, Risks and Benefits](https://reader035.vdocuments.us/reader035/viewer/2022062222/56815068550346895dbe6644/html5/thumbnails/23.jpg)
Olaf M. Kolkman . Domain Pulse, February 2005, Vienna . http://www.ripe.net/disi
References and Acknowledgements
• Some links– www.dnssec.net – www.dnssec-deployment.org– www.ripe.net/disi/dnssec_howto
• “Is Hierarchical Public-Key Certification the Next Target for Hackers” can be found at: http://www.acmqueue.org/modules.php?
name=Content&pa=showpage&pid=181
• The participants in the dnssec-deployment working group provided useful feedback used in this presentation.