Why DNSSEC?
James Galvin, Ph.D. Afilias Limited
11 November 2013 ION Toronto
© 2013 Afilias Limited 1
Afilias and DNSSEC
• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
  – Operator of INFO and MOBI
  – Host to 9 ccTLDs and 7 gTLDs
  – Have one of the largest DNS infrastructures
• Started with DNSSEC in 2008
  – Signed ORG in June 2009
  – ORG offered signed delegations in June 2010
  – Root signed in July 2010
  – Signed all TLDs and offered signed delegations soon after
• DNSSEC Basics
• Benefits of DNSSEC
• Internet Future

DNSSEC - BASICS
What is DNSSEC?
• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
• This is most often used to bind an IP address to a domain name, e.g., to find a web site.
• The validation of the assertion is possible independent of its source: the answer is signed by the zone, and the signature can be checked by anyone holding the chain of keys up to the trust anchor, no matter which server or cache delivered it.
• Benefits
  – Critical Infrastructure: everything uses the DNS
  – Hierarchical: delegate and distribute responsibility
DNS with DNSSEC

[Diagram: a DNSSEC-aware application on the user PC asks the stub resolver, which asks an iterative resolver with a local cache; the iterative resolver follows the delegation chain (1) root servers, (2) TLD authoritative NS, (3) SLD authoritative NS, and each level's answers are DNSSEC-signed.]
Who are the Players?
• Domain registration system
  – Registries: operate the TLDs
  – (Registrars): middleman between registry and registrant
  – Registrant: own, manage, and deploy domain names
• Domain name system
  – Root system
  – Registries
  – DNS Operators
• Community
  – ISPs
  – Users
BENEFITS OF DNSSEC
Why DNSSEC?
• DNSSEC protects the DNS from cache poisoning attacks, viz. the 2008 “Kaminsky bug”: a validating resolver rejects a forged answer because it carries no valid signature chained to the trust anchor.
• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
• DNS is a critical infrastructure system. Virtually everything depends on it.
• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.
Without DNSSEC…
When you visit a web site can you be sure you are communicating with the server that you think you are?
TLS/SSL and DNSSEC benefits

                  DNS data (DNSSEC)                   Channel data (TLS/SSL)
Encryption        none (DNSSEC does not encrypt)      TLS/SSL encrypted channel
Authentication    DNSSEC: DNS data signed             TLS: data
Integrity         DNSSEC: guaranteed not tampered     TLS: data

DNSSEC protects users from DNS data tampered by or originating from malicious actors.
INTERNET FUTURE
Building Trusted Domains
• A domain name is just a label. Most commonly used to identify hosts and services.
  – Web sites
  – Application servers
• DNSSEC ensures we have the correct service/address (the validated answer is the one the zone owner published)
• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
• Matching the domain in the TLS/SSL certificate with the DNSSEC-validated domain offers greater assurance that you are communicating with the desired site/service
DNSSEC Challenges
• Security increases the baseline expertise required
• Key management becomes mainstream
  – Key rollover timings are subtle: the new key (and, for a KSK, the new DS at the parent) must be published and have propagated past the old records' TTL before the old key stops signing, or validators see a broken chain
• DNS operators are visibly essential
  – Transfers are a process
    • Key rollover is required
    • Losing and gaining operator must overlap services
• New relationship – DNS Operator and registrar/registry
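The two points above that touch the chain of trust, the hierarchical delegation on the "What is DNSSEC?" slide and the KSK rollover / operator-transfer timing on this one, come down to one check: does the DS set the parent publishes commit to a DNSKEY the child is actually using? The example below is added here and is not from the slides or from Afilias; it implements the DS digest (RFC 4034 §5.1.4, SHA-256 per RFC 4509) and the key tag (RFC 4034 Appendix B) and uses them to classify where a rollover stands. The owner names and public-key bytes are constructed placeholders, not real keys.

```python
"""Delegation check: does a parent's DS set commit to a child's DNSKEY?

Added example, not code from the slides.  The DNSKEY public-key bytes used
at the bottom are constructed placeholders (real ECDSA keys are 64 bytes).
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str         # zone name, e.g. "example.com."
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root = 0x00."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for the obsolete RSAMD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    h = _DIGESTS[digest_type]()
    h.update(wire_name(key.owner))
    h.update(key.rdata())
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, h.digest())


def ds_covers_key(parent_ds: list[DS], key: DNSKEY) -> bool:
    """True if any DS the parent publishes was computed over this exact key."""
    return any(make_ds(key, ds.digest_type) == ds
               for ds in parent_ds if ds.digest_type in _DIGESTS)


def rollover_state(parent_ds: list[DS], old_key: DNSKEY, new_key: DNSKEY) -> str:
    """Where a KSK rollover (or operator transfer) stands, judged from the parent.

    Retiring the old key before the new DS is at the parent and has propagated
    past the old DS TTL leaves validators with no matching DS: a broken chain.
    """
    old_ok = ds_covers_key(parent_ds, old_key)
    new_ok = ds_covers_key(parent_ds, new_key)
    if old_ok and new_ok:
        return "both-published"      # safe to move signing to the new key
    if old_ok:
        return "old-only"            # new DS not yet at parent: keep the old key signing
    if new_ok:
        return "new-only"            # rollover complete; old key may be removed
    return "insecure-or-broken"      # no DS matches any key (or delegation is unsigned)


if __name__ == "__main__":
    # Constructed placeholder keys for a hypothetical example.com. rollover.
    old = DNSKEY("example.com.", 257, 3, 13, b"\x01\x02\x03\x04")
    new = DNSKEY("example.com.", 257, 3, 13, b"\x05\x06\x07\x08")
    for label, ds_set in [("before", [make_ds(old)]),
                          ("during", [make_ds(old), make_ds(new)]),
                          ("after", [make_ds(new)])]:
        print(f"{label:7} DS tags {[d.key_tag for d in ds_set]} -> {rollover_state(ds_set, old, new)}")
```

In a real rollover the same check is run against the DS RRset served by the parent zone (what the registrar submitted to the registry), not against a local list, and the "both-published" state has to persist for at least the parent's DS TTL before the old key stops signing.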
The demand for DNSSEC?
• A mix of pioneers, early adopters and legislated compliance
• In the early stages for registrant/user awareness

Barriers        Incentives
Costs           New hw & sw solutions
Complexity      Signing TLDs
What’s Next?
• Centralize the complexity
  – Registrars
  – DNS operators
  – Application service providers
• Keep it simple for the registrant/user
  – Should be invisible
• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we can not yet imagine.
IETF and Pervasive Monitoring
• Last week leading engineers agreed that pervasive monitoring is a threat to the Internet
  – http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html
Thank You!
James Galvin
jgalvin “at” afilias.info
+1-215-706-5715
http://afilias.info/dnssec