Domain Name System | DNSSEC

Upload: adelia-blair

Post on 24-Dec-2015


TRANSCRIPT

Page 1: Domain Name System | DNSSEC

Page 2: The World’s Network – the Domain Name System

+ An Internet Protocol address uniquely identifies laptops, phones or other devices
+ The Domain Name System matches IP addresses with a name
+ IP routing and DNS are the underpinning of the unified Internet

Page 3: A sample DNS query

Query: Where is www.iana.org?
Answer: 192.0.2.1

Page 4: Making the DNS Secure

+ A computer sends a question to a DNS server, like “where is IANA.org?”
+ It receives an answer and assumes that it is correct.
+ There are multiple ways that traffic on the Internet can be intercepted and modified, so that the answer given is false.

Page 5: Receiving the Wrong Answer

Query: Where is www.iana.org?
Two different answers arrive:
192.0.2.0
13.13.14.0

Page 6: Poisoning a Cache

+ Attacker knows iterative resolvers may cache
+ Attacker composes a DNS response with malicious data about a targeted domain
+ Tricks a resolver into adding this malicious data to its local cache
+ Later queries processed by the server will return malicious data for the life of the cached entry
+ Example: user at My Mac clicks on a URL in an email message from [email protected]

Diagram (My Mac → my local resolver → ecrime nameserver):
My Mac: What is the IPv4 address for loseweightfastnow.com?
ecrime nameserver: loseweightfastnow.com IPv4 address is 192.168.1.1. ALSO www.ebay.com is at 192.168.1.2
My local resolver: I’ll cache this response… and update www.ebay.com
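The poisoning on this slide works because the resolver stores the unsolicited www.ebay.com record that arrived alongside the answer it actually asked for. The following is an added example, not part of the original slides: a toy resolver cache in Go that applies the standard countermeasure, a bailiwick check, so that any record whose name is not at or below the zone the responding nameserver is authoritative for is discarded instead of cached. The Response and Cache types, the constructed glue record ns1.loseweightfastnow.com and its address 192.168.1.3 are assumptions made for the example; the other names and addresses are the slide's own example values.

```go
package main

import (
	"fmt"
	"strings"
)

// RR is a simplified DNS resource record: an owner name and its IPv4 address.
type RR struct {
	Name string
	Addr string
}

// Response models the parts of a DNS reply that matter to the cache: the zone
// the responding nameserver is authoritative for, the answer to the question
// that was asked, and any additional records the server chose to include.
type Response struct {
	AuthZone   string
	Answer     RR
	Additional []RR
}

// Cache is a toy resolver cache keyed by owner name. With Bailiwick set, it
// refuses to store any record whose name is not at or below AuthZone, which is
// the check that blocks the "ALSO www.ebay.com is at ..." trick from the slide.
type Cache struct {
	Bailiwick bool
	entries   map[string]string
}

func NewCache(bailiwick bool) *Cache {
	return &Cache{Bailiwick: bailiwick, entries: make(map[string]string)}
}

// normalize lower-cases a name and strips the trailing dot so that
// "WWW.EBAY.COM." and "www.ebay.com" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// InBailiwick reports whether name is the zone apex itself or lies below it.
// The "." prefix on the zone prevents "evilexample.com" from matching "example.com".
func InBailiwick(name, zone string) bool {
	name, zone = normalize(name), normalize(zone)
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// Ingest stores the records from a response and returns the names it refused.
func (c *Cache) Ingest(r Response) []string {
	var dropped []string
	for _, rr := range append([]RR{r.Answer}, r.Additional...) {
		if c.Bailiwick && !InBailiwick(rr.Name, r.AuthZone) {
			dropped = append(dropped, normalize(rr.Name))
			continue
		}
		c.entries[normalize(rr.Name)] = rr.Addr
	}
	return dropped
}

// Lookup answers from the cache, as a resolver would for the life of the entry.
func (c *Cache) Lookup(name string) (string, bool) {
	addr, ok := c.entries[normalize(name)]
	return addr, ok
}

// PoisonedResponse is a constructed reply mirroring the slide: the ecrime
// nameserver answers for its own domain and smuggles in a record for ebay.
// The addresses are the slide's example values, not real ones.
func PoisonedResponse() Response {
	return Response{
		AuthZone: "loseweightfastnow.com.",
		Answer:   RR{Name: "loseweightfastnow.com.", Addr: "192.168.1.1"},
		Additional: []RR{
			{Name: "ns1.loseweightfastnow.com.", Addr: "192.168.1.3"}, // constructed glue, in bailiwick
			{Name: "www.ebay.com.", Addr: "192.168.1.2"},              // out of bailiwick
		},
	}
}

func main() {
	for _, strict := range []bool{false, true} {
		c := NewCache(strict)
		dropped := c.Ingest(PoisonedResponse())
		addr, ok := c.Lookup("www.ebay.com")
		fmt.Printf("bailiwick check %v: dropped=%v, www.ebay.com cached=%v (%s)\n", strict, dropped, ok, addr)
	}
}
```

Run with the check off and the cache answers www.ebay.com with the attacker's address for as long as the entry lives; with it on, the same response still yields the loseweightfastnow.com answer and its in-zone glue, and only the out-of-bailiwick record is refused.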

Page 7: DNS Security (DNSSEC)

+ Protects DNS data against forgery
+ Uses public key cryptography to sign authoritative zone data
+ Assures that the data origin is authentic
+ Assures that the data are what the authenticated data originator published
+ Trust model also uses public key cryptography
+ Parent zones sign the public keys of child zones (the root signs TLDs, TLDs sign registered domains, …)

Page 8: Public Key Cryptography in DNSSEC

Authority signs zone data with private key
Authorities must keep private keys secret!

Diagram (authoritative server): DNS data → sign with private key (digital signatures) → signed DNS data → publish

Page 9: Public Key Cryptography in DNSSEC

Authority publishes its public key so that any recipient can use it to verify that “the data are correct and came from the right place”

Diagram: authoritative server → signed zone data → validating recursive server (validate with public key)
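Pages 7 to 9 describe three steps: the authority signs its zone data with a private key, a validating recursive server checks the signature with the published public key, and each parent zone signs the public key of its child so that trust chains down from the root. The following is an added example, not code from the slides or from any DNSSEC implementation; it models those three steps in Go with Ed25519 (one of the signature algorithms DNSSEC permits) and a SHA-256 digest of the child's public key standing in for the DS record. The Zone, Delegation, Chain and Validate names are chosen for the example; the root, org. and iana.org. zones and the www.iana.org address 192.0.2.1 follow page 3, and 13.13.14.0 is the wrong answer from page 5.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a signing authority: the private key never leaves it, only the public key and signed data are published.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv}
}

// SignedRecord is a resource record plus the signature made over it (an RRSIG analog).
type SignedRecord struct {
	Name, Data string
	Sig        []byte
}

// canonical is the byte string that actually gets signed; the NUL separator keeps name and data distinct.
func canonical(name, data string) []byte { return []byte(name + "\x00" + data) }

// Sign produces the signed form of one record of this zone's data.
func (z *Zone) Sign(name, data string) SignedRecord {
	return SignedRecord{Name: name, Data: data, Sig: ed25519.Sign(z.priv, canonical(name, data))}
}

// Delegation is the parent's signed statement about a child key (a DS analog): SHA-256 of the child's public key.
type Delegation struct {
	Child  string
	Digest [32]byte
	Sig    []byte
}

func (z *Zone) Delegate(child *Zone) Delegation {
	d := sha256.Sum256(child.pub)
	return Delegation{Child: child.Name, Digest: d, Sig: ed25519.Sign(z.priv, canonical(child.Name, string(d[:])))}
}

// Chain is what a validating recursive server gathers: delegations from the root down, published keys, and the record.
type Chain struct {
	Delegations []Delegation                 // ordered from the root's child down to the signing zone
	Keys        map[string]ed25519.PublicKey // public keys as published by each zone
	Record      SignedRecord
}

// Validate walks the chain from the trust anchor (the root's public key); a key is trusted
// only if its digest matches what the already-trusted parent signed.
func Validate(anchor ed25519.PublicKey, c Chain) error {
	parentKey, signer := anchor, "root"
	for _, d := range c.Delegations {
		if !ed25519.Verify(parentKey, canonical(d.Child, string(d.Digest[:])), d.Sig) {
			return fmt.Errorf("delegation for %s is not signed by %s", d.Child, signer)
		}
		childKey, ok := c.Keys[d.Child]
		if !ok {
			return fmt.Errorf("no public key published for %s", d.Child)
		}
		if got := sha256.Sum256(childKey); !bytes.Equal(got[:], d.Digest[:]) {
			return fmt.Errorf("published key of %s does not match the digest %s signed", d.Child, signer)
		}
		parentKey, signer = childKey, d.Child
	}
	if !ed25519.Verify(parentKey, canonical(c.Record.Name, c.Record.Data), c.Record.Sig) {
		return fmt.Errorf("record %s fails signature check under the %s key", c.Record.Name, signer)
	}
	return nil
}

// BuildExample sets up root -> org. -> iana.org. and signs the page-3 answer (constructed keys, fresh each run).
func BuildExample() (ed25519.PublicKey, Chain) {
	root, org, iana := NewZone("."), NewZone("org."), NewZone("iana.org.")
	return root.pub, Chain{
		Delegations: []Delegation{root.Delegate(org), org.Delegate(iana)},
		Keys:        map[string]ed25519.PublicKey{org.Name: org.pub, iana.Name: iana.pub},
		Record:      iana.Sign("www.iana.org.", "192.0.2.1"),
	}
}

func main() {
	anchor, chain := BuildExample()
	fmt.Println("genuine answer:", Validate(anchor, chain))
	chain.Record.Data = "13.13.14.0" // the wrong answer from page 5, altered in transit
	fmt.Println("altered answer:", Validate(anchor, chain))
}
```

The validator only ever holds one key it trusts without proof, the root's; every other key has to be vouched for by the zone above it. That is why an altered address, a record signed with a key the parent never vouched for, or a chain presented to a resolver with a different trust anchor all fail, and why the private keys on page 8 must stay secret: whoever holds a zone's private key can produce signatures this check accepts.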

Page 10: ICANN’s Role in DNSSEC Deployment

+ Manages the root key with VeriSign and trusted international representatives of the Internet community
+ Processes requests for changes of public key and other records from registries at the top of the DNS
+ Educates and assists the Internet community with DNSSEC
+ Implements DNSSEC on its own domains

Page 11: Obstacles to Broader DNSSEC Adoption

+ Browser and/or Operating System support
+ DNSSEC support from domain name registration service providers (registrars, resellers)
+ Misconceptions regarding key management, performance, software/hardware availability and reliability

Page 12: DNSSEC Deployment

• Fast pace of deployment at the TLD level
• Deployed at root
• Supported by software
• Growing support by ISPs
• Required by new gTLDs

Inevitable widespread deployment across core Internet infrastructure

Page 13: Thank You & Questions?