dnssec: what a registrar needs to know
TRANSCRIPT
![Page 1: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/1.jpg)
DNSSEC Industry Coalition Webinar Series
Brought to you by .ORG, The Public Interest Registry and
Afilias
![Page 2: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/2.jpg)
Lauren Price, DNSSEC Industry Coalition Chair◦ Sr. Product Marketing Manager, .ORG The Public
Interest Registry◦ [email protected]
Jim Galvin, Afilias◦ Director, Strategic Relationships & Technical
Standards◦ [email protected]
Sadik Chandiwala, Afilias◦ Technical Account Manager◦ [email protected]
2
![Page 3: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/3.jpg)
The Vulnerability of DNS Quick Intro to DNSSEC PIR and DNSSEC Timeline Friends and Family Program Some DNSSEC Terminology OT&E Functionality and Changes◦ EPP◦ Etc.
Resources Questions
![Page 4: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/4.jpg)
When you visit a web site, send an email, or download software, can you be sure you are communicating with the server that you think you are?
The answer is ‘no’, at least not with certainty.
![Page 5: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/5.jpg)
DNSSEC (short for Domain Name System Security Extensions) adds security to the Domain Name System.
DNSSEC is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
![Page 6: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/6.jpg)
Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without question.
If a malicious system were to send back an incorrect response, the resolver would use this address until its cache expired.
This is bad enough if a single user's computer gets this bad data, but it is much worse if it's another name server that answers queries for an ISP –affecting thousands of users.
![Page 7: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/7.jpg)
It provides proof that DNS data has not been modified in transit to the end-user
It does this by providing additional information, something like a “seal of origin”, that can be verified as being correct or not.
It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
![Page 8: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/8.jpg)
Each piece of a domain’s DNS information has a digital signature attached to it.
When a user enters the domain in a browser, the resolver verifies the signature.
If it does not match, the resolver discards the response and waits for another.
Only a response with a verified signature will be accepted by the resolver
The description above is a common scenario. Please note that different resolvers may take different actions
** Note: DNSSEC only adds signatures to DNS data. It does not encrypt anything. It has no effect on increasing the privacy of the DNS, and information in the DNS is still public information.
![Page 9: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/9.jpg)
End User Benefits Ensures you are communicating to the correct
website End Users that are not DNSSEC aware will not see
any adverse effect.
Registrant Benefits Mitigates the risk of possible fraud Greater protection of brand ◦ Significantly decreases the threat of domain hijacking
![Page 10: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/10.jpg)
Registrar Benefits Ability to meet Registrant demands for increase
security of their domain Ability to continue to sell domains that are not
secured by DNSSEC for those registrants who are not interested.
Complying with new industry standards
Registry Benefits Meeting new industry standards Ability to meet Registrar demands for increase
security of their portfolio of domains
![Page 11: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/11.jpg)
![Page 12: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/12.jpg)
Top five perceptions of the .ORG Brand*◦ Informative◦ Well-Intentioned◦ Trustworthy◦ Valuable Information◦ Reliable
We expect to keep it that way!
12
* Source: e5 Marketing Survey of over 10,000 respondents in an electronic form, November 2008
![Page 13: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/13.jpg)
.ORG zone signed June 2, 2009
Registrars can participate in the testing phase Registrars are encouraged to test in OTE A certification test will be required 2 registrars have passed their certification test to date
We have selected small set of domains and have manually inserted the DS records at the Registry
Successful scheduled Key Rollovers
![Page 14: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/14.jpg)
Additional mandatory .ORG DNSSEC OT&E Test required
Registrars must pass the OT&E Test to become DNSSEC Aware
PIR will enable DNSSEC functionality for the Registrar after successful completion of the OT&E test.
![Page 15: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/15.jpg)
We expect to be done with our internal testing by Q409
Estimated full production timeframe first half of 2010 meaning registrars can submit live delegations
![Page 16: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/16.jpg)
![Page 17: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/17.jpg)
A DNS resolver is the program on a user’s computer that sends the query to the DNS.
Once a response is received, the resolver returns the response back to the end user’s application.
User’s PCResolver
domain.org?
192.0.5.4
![Page 18: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/18.jpg)
A key pair contains two digital keys — a private key (held only by the .ORG registry) and a public key (distributed to the public).
The .ORG registry uses the .ORG private key pair to sign the zone.
End users' validators (or the validators at their ISPs) use the .ORG public key to validate the signature once they've asked for it.
![Page 19: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/19.jpg)
If I trust a public key from someone, I can use that key to verify the signature … and authenticate the source
Make sure the root zone key can be trusted◦ Pointers in the root zone point to lower zones
(org/com/info/de etc)◦ Each pointer is validated with the previous validated
zone key
When DNSSEC is fully deployed, only the key for the root zone is needed to validate all the DNSSEC keys on the Internet
![Page 20: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/20.jpg)
Confidential – Copyright2008 Afilias LimitedUser’s PC
Root Servers
Local cache
Resolver
.org authoritative NS
domain.org authoritative NS
Local Cache
RecursiveDNS Server
![Page 21: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/21.jpg)
Confidential – Copyright2008 Afilias LimitedUser’s PC
Root Servers
Resolver
.ORG authoritative NS
domain.ORG authoritative NS
RecursiveDNS Server
DNSSEC
Local cache
DNSSEC
DNSSEC
![Page 22: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/22.jpg)
A key rollover will occur when the .ORG registry needs to change its side of a key pair.
This means that the entire pair needs to be changed◦ The .ORG zone will need to be re-signed with a
new private keyAND
◦ The public will need to update their validating resolvers with the new public portion of the .ORG zone key.
![Page 23: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/23.jpg)
PIR will be required to do Key Rollovers on a regular basis:
1. If one of the .ORG private keys were compromised (i.e., stolen) and had to be immediately revoked.
2. For prevention of compromise (see next question for further information), where a key rollover would be scheduled at regular intervals.
![Page 24: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/24.jpg)
Digital signatures are not secure all of the time. They are subject to cryptanalysis.
It is possible for an attacker to learn the private key in a key pair even though that key has never been disclosed, either through "brute force" or other types of attacks.
Since every attack requires time to complete, periodically changing the key decreases the length of time an attacker has to attempt the compromise.
![Page 25: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/25.jpg)
What would happen if end users do not update their validating resolvers with the new .ORG zone key?
Once the old key is purged, domains in the .ORG zone that were signed would no longer resolve for those people who did not use the new .ORG key.
It would not affect people that are not using DNSSEC – they would continue to see the domain name.
![Page 26: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/26.jpg)
A key rollover will be announced on the PIR Web site prior to the scheduled event
Anyone using DNSSEC will have to watch for these announcements, specially ISPs, registrars, and people using DNSSEC in applications.
![Page 27: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/27.jpg)
Changes have been made to support the DNS protocol.
Built New Registrar Tool Kit for DNSSEC◦ Adds DNSSEC EPP transactions (RFC 4310)
EPP server has been modified for DNSSEC Adds DNSSEC EPP transactions (as per RFC 4310)
Changes to the Registry Database to now Store DS Information
DNSSEC
![Page 28: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/28.jpg)
Covered in the ORG manual: Extensible Provisioning Protocol (EPP) v1.0 ORG DNSSEC Registrar Acceptance Criteria
Registrars must test the basic operations that their client application can perform in the ORG DNSSEC registry environment including:◦ Create Domain◦ Create Domain with Optional Key Data◦ Query Domain◦ Query Domain with Optional Key Data◦ Update Domain – Adding DS Data◦ Update Domain – Changing DS Data◦ Update Domain – Change to Include Optional Data◦ Update Domain – Removing DS Data
![Page 29: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/29.jpg)
DNSSEC adds four new resource record types: 1. Resource Record Signature (RRSIG) Signature over RRset made using private key
2. DNS Public Key (DNSKEY) Public key, needed for verifying a RRSIG
3. Delegation Signer (DS) ‘Pointer’ for building chains of authentication
4. Next Secure (NSEC, NSEC3) As an alternative to NSEC, NSEC3 (defined in RFC 5155) can
prevent walking of DNSSEC zones and permits optional gradual expansion of delegation-centric zones. NSEC: Indicates which name is the next one in the zone and which
type-codes are available for the current name
![Page 30: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/30.jpg)
Confidential – Copyright2005 Afilias Limited
Keytag • Contains the key tag value of the DNSKEY RR that validates this signature, in network byte order• Provides a mechanism for selecting a public key efficiently.
Algorithm • Identifies the public key's cryptographic algorithm and determines the format of the Public Key field
Digest Type • Identifies the algorithm used to construct the digest
Digest • The DS record refers to a DNSKEY RR by including a digest of that DNSKEY RR.
Maximum Signature Life
• Specifies a validity period for the signature
Flags • Identifies whether or not the DNSKEY record holds a DNS zone key
Protocol • The Protocol Field MUST have value 3, and the DNSKEY RR MUST be treated as invalid during signature verification if it is found to be some value other tan 3.
Public Key • Holds the public key material
The DNSSEC Data Fields
![Page 31: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/31.jpg)
The following EPP commands will now contain the optional DNSSEC data:
1. Session Mgmt.<login> <logout>
3. Object Transform
<create><delete><renew><transfer><update>
2. Object Query<check><info><poll ><transfer>
![Page 32: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/32.jpg)
Create Domain is changed because a DNSSEC secure domain must be created with a DS record attached to it
Registrar needs to be accredited for creating domain names with DS records
If they are not, the system will reject the domain create command and throw a validation error – You are not authorized to perform this action.
![Page 33: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/33.jpg)
If the maxSigLife is not entered for a <create> domain name with DS records, the system will set it to the default value (40 days)
If the user provides empty tags for the following parameters, the domain will not be created and an error message will be returned: ◦ secDNS:keyTag◦ secDNS:alg◦ secDNS:digestType
![Page 34: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/34.jpg)
<update> domain command is now changed as DS information can be added or changed for each domain
If the Registrar is not accredited for creating domain names with DS records and attempts to add DS data to an existing domain name, the system will reject the domain update command and return an error
If the domain name already has 10 DS records and the sponsoring Registrar attempts to add another, the system will reject the domain update command and return an error per EPP RFC 3730.
If the maxSigLife is not entered for a domain name with DS records, the system will set it to the default value (40 days)
![Page 35: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/35.jpg)
The following fields will be appended to the WHOIS output for a domain name with DS records –◦ DNSSEC (Can be Signed or Unsigned) – To denote if the
domain name is digitally signed. ◦ DS Created – Time stamp that the record was created in
UTC◦ DS Maximum Signature Life - Maximum Signature Life
associated with this DS record
![Page 36: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/36.jpg)
If a domain name has more than one DS record associated with it, the DS record information for all the records will be displayed one after the other as displayed in the screenshot (above) If a domain name does not have any DS records associated with it, the DNSSEC value displayed will be Unsigned
![Page 37: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/37.jpg)
.ORG OT&E Test Criteria General FAQ ORG manual: Extensible Provisioning Protocol (EPP)
v1.0 ORG DNSSEC Registrar Acceptance Criteria Registrar Tool Kit (RTK – Addon) including the
DNSSEC extensions is available for download from:◦ https://registrars.pir.org/registrar_relations/dns_
security◦ www.sourceforge.net
![Page 38: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/38.jpg)
The Domain Name System Security Extensions (DNSSEC are described in these IETF documents:◦ RFC 4033: DNS Security Introduction and Requirements◦ RFC 4034: Resource Records for the DNS Security
Extensions◦ RFC 4035: Protocol Modifications for the DNS Security
Extensions
.ORG website◦ http://www.pir.org/dnssec
DNSSEC related information websitewww.dnssec-deployment.orgwww.dnssec.net
![Page 39: DNSSEC: What a Registrar Needs to Know](https://reader035.vdocuments.us/reader035/viewer/2022062515/55d74209bb61eb71628b458c/html5/thumbnails/39.jpg)
Questions?