www.internetsociety.org/deploy360/
Slaying the Two-Headed Beast: Challenges and Triumphs of DNSSEC
Aug 31, 2014
About Deploy360
The Challenge:
– The IETF creates protocols based on open standards, but some are not widely known or deployed
– People seeking to implement these protocols are confused by a lack of clear, concise deployment information
The Deploy360 Solution:
– Provide hands-on information on IPv6, DNSSEC and routing resiliency/security to advance real-world deployment
– Work with first adopters to collect and create technical resources and distribute these resources to fast-following networks
Deploy360 Components
Web Portal (Online Knowledge Repository)
• Technical documents
• Audience-specific information
• Blogs & social media
Social Media (Constant Audience Engagement)
• Twitter
• Facebook
• Google+
• YouTube
• RSS Feeds
Speaking Engagements (Come Meet Us or Invite Us to Speak)
• Consumer Electronics Show
• IPv6 Summits
• Interop
• Network Operators’ Groups
ION Conferences (Hands-on Educational Events)
• Slovenia
• India
• USA
• Canada
• Argentina
Social Media
https://twitter.com/deploy360
https://www.facebook.com/Deploy360
http://gplus.to/deploy360
http://www.youtube.com/user/Deploy360
http://www.internetsociety.org/deploy360/feed/
Our Panel
Moderator:
• Dan York, Internet Society
Panelists:
• Frederic Cambus, StatDNS
• Krzysztof Olesik, NASK
• Patrik Wallström, OpenDNSSEC
The Two Parts of DNSSEC
Signing:
• DNS Hosting
• Registrars
• Registries
Validating:
• ISPs
• Enterprises
• Applications
DNSSEC Signing - The Individual Steps
Registry
• Signs TLD
• Accepts DS records
• Publishes/signs records
Registrar
• Accepts DS records
• Sends DS to registry
• Provides UI for mgmt
DNS Hosting Provider
• Signs zones
• Publishes all records
• Provides UI for mgmt
Domain Name Registrant
• Enables DNSSEC (unless automatic)
A Normal DNS Interaction
[Diagram: Web Browser, DNS Resolver, root / .com / example.com DNS servers, Web Server]
1. The Web Browser, asked to load https://example.com/, sends the DNS Resolver the query: example.com?
2. The Resolver asks the root DNS server, which refers it to the .com NS
3. The Resolver asks the .com DNS server, which refers it to the example.com NS
4. The Resolver asks the example.com DNS server and gets the answer 10.1.1.123
5. The Resolver returns 10.1.1.123 to the Web Browser
6. The Web Browser connects to the Web Server at 10.1.1.123 and receives the web page
Attacking DNS
[Diagram: same as the normal interaction, with an attacking DNS server standing in for example.com]
1. The Web Browser sends the DNS Resolver the query: example.com?
2. The Resolver asks the root DNS server, which refers it to the .com NS
3. The Resolver asks the .com DNS server, which refers it to the example.com NS
4. An attacking DNS server, posing as the example.com DNS server, answers 192.168.2.2 instead of 10.1.1.123
5. The Resolver returns 192.168.2.2 to the Web Browser
6. The Web Browser connects to the attacker's Web Server at 192.168.2.2 and receives the attacker's web page
A Poisoned Cache
[Diagram: Web Browser, DNS Resolver, Web Server at 192.168.2.2; the authoritative servers are no longer consulted]
1. The Web Browser sends the DNS Resolver the query: example.com?
2. The Resolver answers 192.168.2.2 straight from its cache
3. The Web Browser connects to 192.168.2.2
4. The attacker's web page is returned
Resolver cache now has wrong data:
example.com 192.168.2.2
This stays in the cache until the Time-To-Live (TTL) expires!
Attempting to Spoof DNS
[Diagram: same as Attacking DNS, but every zone is DNSSEC-signed and the Resolver validates]
1. The Web Browser sends the validating DNS Resolver the query: example.com?
2. The Resolver asks the root DNS server, which refers it to the .com NS and supplies the DS record for .com
3. The Resolver asks the .com DNS server, which refers it to the example.com NS and supplies the DS record for example.com
4. The attacking DNS server answers 192.168.2.2 with its own DNSKEY and RRSIGs; the legitimate example.com DNS server would have answered 10.1.1.123 with a DNSKEY and RRSIGs that chain to the DS published in .com
5. The attacker's DNSKEY does not match the DS record from .com, so the RRSIGs cannot be validated and the Resolver returns SERVFAIL to the Web Browser
6. The Web Browser never connects to 192.168.2.2
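The SERVFAIL above comes from one specific check: a validating resolver only accepts a zone's DNSKEY if that key hashes to a DS record the parent published, which is also the DS record the registrar hands to the registry in "DNSSEC Signing - The Individual Steps". The following is an added example (not code from the Deploy360 slides or any DNSSEC implementation) that carries out that check with the real RFC 4034 calculations (key tag, canonical owner name, DS digest) using only the Python standard library. The RRSIG signature check that follows a successful DS match is not modelled, because it needs the algorithm's public-key verification; the DNSKEY byte strings and the zone name are constructed for the example.

```python
"""Toy model of the DS -> DNSKEY link a validating resolver checks.

Added example, not from the Deploy360 slides. The key tag and DS digest
follow RFC 4034 (Appendix B and section 5.1.4); the Zone Key flag test and
the "no DS at the parent means insecure" rule follow RFC 4035 section 5.
RRSIG verification is out of scope here. All key material is constructed.
"""
import hashlib
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm number, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """The DS the DNS hosting provider gives the registrar and the registry publishes:
    digest over canonical owner name + DNSKEY RDATA (RFC 4034 s5.1.4)."""
    h = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), rdata[3], digest_type, h)


def dnskey_matches_ds(owner: str, rdata: bytes, ds: DS) -> bool:
    """A DNSKEY is a trust entry point only if it carries the Zone Key flag
    (0x0100) and its tag, algorithm and digest all agree with a parent DS."""
    flags = int.from_bytes(rdata[:2], "big")
    if not flags & 0x0100:
        return False
    if key_tag(rdata) != ds.tag or rdata[3] != ds.algorithm:
        return False
    return DIGESTS[ds.digest_type](name_to_wire(owner) + rdata).hexdigest() == ds.digest


def resolver_outcome(owner: str, ds_rrset: list, dnskey_rrset: list) -> str:
    """What the validating resolver does with the DNSKEY RRset it just received
    for `owner`, given the DS RRset it already validated from the parent."""
    if not ds_rrset:
        return "INSECURE"   # unsigned delegation: answer accepted without validation
    if any(dnskey_matches_ds(owner, k, ds) for ds in ds_rrset for k in dnskey_rrset):
        return "CHAINED"    # next step: verify the RRSIGs with this key
    return "SERVFAIL"       # bogus: no DNSKEY links to the parent's DS


ZONE = "example.com."
# Constructed placeholders (a real ECDSA P-256 DNSKEY carries a 64-byte key).
LEGIT_KSK = dnskey_rdata(257, 13, bytes(range(64)))
ATTACKER_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))
PARENT_DS = [make_ds(ZONE, LEGIT_KSK)]  # what .com publishes next to the example.com NS

if __name__ == "__main__":
    print("legitimate key:", resolver_outcome(ZONE, PARENT_DS, [LEGIT_KSK]))
    print("attacker's key:", resolver_outcome(ZONE, PARENT_DS, [ATTACKER_KSK]))
    print("no DS at .com :", resolver_outcome(ZONE, [], [ATTACKER_KSK]))
```

The third call is the case the "Sign your own domains" request is about: with no DS at the parent the resolver has nothing to check against, and the attacker's answer goes through exactly as on the "Attacking DNS" slide.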
The Typical TLS (SSL) Web Interaction
[Diagram: Web Browser, DNS Resolver, root / .com / example.com DNS servers, Web Server]
1. The Web Browser sends the DNS Resolver the query: example.com?
2. The Resolver asks the root DNS server, which refers it to the .com NS
3. The Resolver asks the .com DNS server, which refers it to the example.com NS
4. The Resolver asks the example.com DNS server and gets the answer 10.1.1.123
5. The Resolver returns 10.1.1.123 to the Web Browser
6. The Web Browser opens a TLS connection to https://example.com/ at 10.1.1.123 and receives the TLS-encrypted web page
Is this encrypted with the CORRECT certificate?
DANE
[Diagram: Web Browser w/DANE, DNS Server, Firewall (or attacker) in the path, Web Server]
1. The Web Browser w/DANE sends the DNS Server the query: example.com? and gets back 10.1.1.123 together with the DNSKEY, RRSIGs and a TLSA record
2. The Web Browser requests https://example.com/. The Web Server returns the TLS-encrypted web page with the CORRECT certificate, but a Firewall (or attacker) between them terminates the connection, re-signs the page with a NEW certificate, and can copy the decrypted content to log files or other servers
The DANE-equipped browser compares the TLS certificate it receives with what DNS/DNSSEC says it should be, so the substituted certificate does not match the TLSA record.
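The comparison the DANE-equipped browser makes is defined by the TLSA record's three leading fields: certificate usage, selector (whole certificate or just its public key) and matching type (exact, SHA-256 or SHA-512). The following is an added example (not code from the Deploy360 slides, from any browser, or from a DANE library) that parses a TLSA record in presentation format and checks a received certificate against it for the DANE-EE usage shown in the slide, using only the Python standard library. The "certificate" byte strings are constructed stand-ins, not real DER; a real client passes in the server's DER certificate and its SubjectPublicKeyInfo, and only trusts the TLSA record at all if the DNS answer validated under DNSSEC.

```python
"""Toy model of the TLSA check a DANE-aware client makes (RFC 6698 s2 and s4.1).

Added example, not from the Deploy360 slides. Record layout and field
semantics follow RFC 6698; certificate bytes are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int    # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int    # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes      # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """'3 1 1 <hex>' -> TLSA; the hex may be split over whitespace as dig prints it."""
    usage, selector, matching, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))


def association_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record should contain for this certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]   # KeyError on unknown selector
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (usage 3): the end-entity certificate itself must match.
    Usages 0-2 additionally need a chain/PKIX check that is not modelled here."""
    try:
        return association_data(record.selector, record.matching, cert_der, spki_der) == record.data
    except (KeyError, ValueError):
        return False   # unusable record (unknown selector/matching type): no match


def make_tlsa(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation form the DNS hosting provider would publish at _443._tcp.<name>."""
    return f"{usage} {selector} {matching} {association_data(selector, matching, cert_der, spki_der).hex()}"


def dane_verdict(records: list, cert_der: bytes, spki_der: bytes) -> str:
    """The connection is accepted if any usable TLSA record matches (RFC 6698 s4.1)."""
    if not records:
        return "NO-TLSA"   # nothing published: fall back to ordinary PKIX validation
    return "MATCH" if any(tlsa_matches(r, cert_der, spki_der) for r in records) else "MISMATCH"


# Constructed stand-ins for DER encodings (not real certificates).
CORRECT_CERT = b"constructed-der: CN=example.com, issuer=Example CA"
CORRECT_SPKI = b"constructed-spki: example.com server key"
FIREWALL_CERT = b"constructed-der: CN=example.com, issuer=Corp Intercepting CA"
FIREWALL_SPKI = b"constructed-spki: firewall key"

# What the (DNSSEC-signed) TLSA record says the certificate should be: usage 3,
# selector 1 (public key), matching 1 (SHA-256), i.e. "3 1 1 <hex>".
PUBLISHED = [parse_tlsa(make_tlsa(3, 1, 1, CORRECT_CERT, CORRECT_SPKI))]

if __name__ == "__main__":
    print("direct to web server  :", dane_verdict(PUBLISHED, CORRECT_CERT, CORRECT_SPKI))
    print("re-signed by firewall :", dane_verdict(PUBLISHED, FIREWALL_CERT, FIREWALL_SPKI))
```

Selector 1 with matching type 1 is the common choice because the record then survives a certificate renewal that keeps the same key pair; the intercepting firewall cannot keep that key, which is exactly why its re-signed certificate fails the check.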
DNSSEC Deployment – Top-Level Domains
Resources
To learn more about DNSSEC and how to get started:
http://www.internetsociety.org/deploy360/dnssec/basics/
http://www.internetsociety.org/deploy360/resources/dane/
Specific resources that may be of interest:
• SURFnet whitepaper about deploying validating servers
• DNSSEC HOWTO
• NIST "Secure DNS Deployment Guide"
Three Requests For Network Operators
1. Deploy DNSSEC-validating DNS resolvers
2. Sign your own domains where possible
3. Help promote support of DANE protocol
• Allow usage of TLSA record.
• Let browser vendors and others know you want to use DANE.
• Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
Internet Society Deploy360 Programme
Can You Help Us With:
• Case Studies?
• Tutorials?
• Videos?
How Can We Help You?
04/07/2023
http://www.internetsociety.org/deploy360/
Dan York
Senior Content Strategist
Internet Society
Thank You!