ION Toronto - Why Implement DNSSEC?
DESCRIPTION
ION Toronto, 11 November 2013: What is DNSSEC and why is it so important? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet.
TRANSCRIPT
Why DNSSEC?
James Galvin, Ph.D. Afilias Limited
11 November 2013 ION Toronto
© 2013 Afilias Limited 1
Afilias and DNSSEC
• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
– Operator of INFO and MOBI
– Host to 9 ccTLDs and 7 gTLDs
– Have one of the largest DNS infrastructures
• Started with DNSSEC in 2008
– Signed ORG in June 2009
– ORG offered signed delegations in June 2010
– Root signed in July 2010
– Signed all TLDs and offered signed delegations soon after
• DNSSEC Basics
• Benefits of DNSSEC
• Internet Future
DNSSEC - BASICS
What is DNSSEC?
• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
• This is most often used to bind an IP address to a domain name, e.g., to find a web site.
• The validation of the assertion is possible independent of its source.
• Benefits
– Critical Infrastructure: everything uses the DNS
– Hierarchical: delegate and distribute responsibility
DNS with DNSSEC
[Figure: DNS resolution with DNSSEC. Labels: User PC with DNSSEC-aware applications, stub resolver and local cache; iterative resolver with local cache; root servers; TLD authoritative NS; SLD authoritative NS; numbered steps 1 to 3 with DNSSEC markers.]
Who are the Players?
• Domain registration system
– Registries: operate the TLDs
– (Registrars): middleman between registry and registrant
– Registrant: own, manage, and deploy domain names
• Domain name system
– Root system
– Registries
– DNS Operators
• Community
– ISPs
– Users
BENEFITS OF DNSSEC
Why DNSSEC?
• DNSSEC protects the DNS system from cache poisoning attacks, viz the “Kaminsky Bug”
• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
• DNS is a critical infrastructure system. Virtually everything depends on it.
• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.
Without DNSSEC…
When you visit a web site can you be sure you are communicating with the server that you think you are?
TLS/SSL and DNSSEC benefits
DNSSEC protects… users from DNS data tampered by or originating from malicious actors
[Figure: comparison of DNSSEC and TLS/SSL across Encryption, Authentication and Integrity. Labels: DNS data signed (DNSSEC); DNS data guaranteed not tampered (DNSSEC); data over a TLS/SSL channel (TLS).]
INTERNET FUTURE
Building Trusted Domains
• A domain name is just a label. Most commonly used to identify hosts and services.
– Web sites
– Application servers
• DNSSEC ensures we have the correct service/address
• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
• Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service
DNSSEC Challenges
• Security increases the baseline expertise required
• Key management becomes mainstream
– Key rollover timings are subtle
• DNS operators are visibly essential
– Transfers are a process
  • Key rollover is required
  • Losing and gaining operator must overlap services
• New relationship
– DNS Operator and registrar/registry
The demand for DNSSEC?
• A mix of pioneers, early adopters and legislated compliance
• In the early stages for registrant/user awareness
[Figure: Barriers and Incentives. Labels: New hw & sw solutions; Signing TLDs; Costs; Complexity.]
What’s Next?
• Centralize the complexity
– Registrars
– DNS operators
– Application service providers
• Keep it simple for the registrant/user
– Should be invisible
• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we can not yet imagine.
IETF and Pervasive Monitoring
• Last week leading engineers agreed that pervasive monitoring is a threat to the Internet
– http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html
Thank You!
James Galvin
jgalvin “at” afilias.info
+1-215-706-5715
http://afilias.info/dnssec