dnssec
play

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 - PowerPoint PPT Presentation

Oct 30, 2023 •327 likes •835 views

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

  1. DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016

  2. DNSSEC • Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: – Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the network or resolvers involved. • Remaining challenges: – DNS records change over time – Distributed database: No single central source of truth • Today: how DNSSEC works

  3. Securing DNS Lookups • How can we ensure that when clients look up names with DNS, they can trust the answers they receive? • Idea #1: do DNS lookups over TLS (SSL)

  4. Securing DNS Using SSL/TLS root DNS server ( ‘ . ’ ) Host at xyz.poly.edu wants IP address for 2 www.mit.edu 3 TLD DNS server 4 ( ‘ .edu ’ ) local DNS server 5 (resolver) dns.poly.edu Idea: connections 6 7 {1,8}, {2,3}, {4,5} 1 8 authoritative DNS server and {6,7} all run ns.mit.edu over SSL / TLS requesting host xyz.poly.edu www.mit.edu

  5. Securing DNS Lookups • How can we ensure that when clients look up names with DNS, they can trust the answers they receive? • Idea #1: do DNS lookups over TLS (SSL) – Performance: DNS is very lightweight. TLS is not. – Caching: crucial for DNS scaling. But then how do we keep authentication assurances? – Security: must trust the resolver. Object security vs. Channel security • Idea #2: make DNS results like certs – I.e., a verifiable signature that guarantees who generated a piece of data; signing happens off-line

  6. Operation of DNSSEC • DNSSEC = standardized DNS security extensions currently being deployed • As a resolver works its way from DNS root down to final name server for a name, at each level it gets a signed statement regarding the key(s) used by the next level • This builds up a chain of trusted keys • Resolver has root’s key wired into it • The final answer that the resolver receives is signed by that level’s key • Resolver can trust it’s the right key because of chain of support from higher levels • All keys as well as signed results are cacheable

  7. Ordinary DNS: www.google.com A? Client’s k.root-servers.net Resolver

  8. Ordinary DNS: www.google.com A? Client’s k.root-servers.net Resolver We start off by sending the query to one of the root name servers. These range from a.root-servers.net through m.root-servers.net . Here we just picked one.

  9. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 …

  10. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … The reply didn’t include an answer for www.google.com . That means that k.root-servers.net is instead telling us where to ask next , namely one of the name servers for .com specified in an NS record.

  11. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … This Resource Record ( RR ) tells us that one of the name servers for .com is the host a.gtld-servers.net . (GTLD = Global Top Level Domain.)

  12. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … (The line above shows com . rather than . com because technically that’s the actual name, and that’s what the Unix dig utility shows; but the convention is to call it “ dot-com ” )

  13. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … This RR tells us that an Internet address ( “ A ” record) for a.gtld-servers.net is 192.5.6.30 . That allows us to know where to send our next query.

  14. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … The actual response includes a bunch of NS and A records for additional .com name servers, which we omit here for simplicity.

  15. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … www.google.com A? Client’s a.gtld-servers.net Resolver We send the same query to one of the .com name servers we’ve been told about

  16. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … www.google.com A? Client’s a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com A 216.239.32.10 …

  17. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … www.google.com A? Client’s a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com A 216.239.32.10 … That server again doesn’t have a direct answer for us, but tells us about a google.com name server we can try

  18. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … www.google.com A? Client’s a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com A 216.239.32.10 … www.google.com A? Client’s ns1.google.com www.google.com. A 74.125.24.14 Resolver …

  19. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … www.google.com A? Trying one of the google.com name servers then gets us Client ’ s an answer to our query, and we’re good-to-go … a.gtld-servers.net google.com. NS ns1.google.com Resolver … though with no confidence that an attacker hasn’t led ns1.google.com A 216.239.32.10 us astray with a bogus reply somewhere along the way :-( … www.google.com A? Client’s ns1.google.com www.google.com. A 74.125.24.14 Resolver …

  20. DNSSEC (with simplifications): www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net. A 192.5.6.30 … com. DS com’s-public-key com. RRSIG DS signature-of-that- DS -record-using-root’s-key

  21. DNSSEC (with simplifications): www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net. A 192.5.6.30 … com. DS com’s-public-key com. RRSIG DS signature-of-that- DS -record-using-root’s-key Up through here is the same as before …

  22. DNSSEC (with simplifications): www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net. A 192.5.6.30 … com. DS com’s-public-key com. RRSIG DS signature-of-that- DS -record-using-root’s-key This new RR ( “ Delegation Signer ” ) lists .com ’s public key

  23. DNSSEC (with simplifications): www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net. A 192.5.6.30 … com. DS description-of-com’s-key com. RRSIG DS signature-of-that- DS -record-using-root’s-key The actual process of retrieving .com ’s public key is complicated (actually involves multiple keys) but for our purposes doesn’t change how things work

  24. DNSSEC (with simplifications): www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net. A 192.5.6.30 … com. DS com’s-public-key com. RRSIG DS signature-of-that- DS -record-using-root’s-key This new RR specifies a signature over another RR … in this case, the signature covers the above DS record, and is made using the root’s private key

  25. DNSSEC (with simplifications): www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net. A 192.5.6.30 … com. DS com’s-public-key com. RRSIG DS signature-of-that- DS -record-using-root’s-key The resolver has the root’s public key hardwired into it. The client only proceeds with DNSSEC if it can validate the signature.

  26. DNSSEC (with simplifications): www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net. A 192.5.6.30 … com. DS com’s-public-key com. RRSIG DS signature-of-that- DS -record-using-root’s-key Note: there’s no signature over the NS or A information! If an attacker has fiddled with those, the resolver will ultimately find it has a record for which it can’t verify the signature.

  27. DNSSEC (with simplifications): www.google.com A? Client’s a.gtld-servers.net Resolver The resolver again proceeds to trying one of the name servers it’s learned about. Nothing guarantees this is a legitimate name server for the query!

  28. DNSSEC (with simplifications): www.google.com A? Client’s a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com. A 216.239.32.10 … google.com. DS google.com’s-public-key google.com. RRSIG DS signature- of-that- DS -record-using-com’s-key

  29. DNSSEC (with simplifications): www.google.com A? Client’s a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com. A 216.239.32.10 … google.com. DS google.com’s-public-key google.com. RRSIG DS signature- of-that- DS -record-using-com’s-key Back comes similar information as before: google.com ’s public key, signed by .com ’s key (which the resolver trusts because the root signed information about it)

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar, ICANN DNSSEC WS 1 DNSSEC penetration About 17% domains is signed That means ~ 145.000 domains! (of 856.000) Check numbers at

180 views • 17 slides
DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl June 23rd 2010 woensdag 2 juni 2010 About SURFnet National Research and Educational Network in The Netherlands

154 views • 11 slides
Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons Attribution 3.0 https://fedoraproject.org/ What is Fedora Fedora is a fast, stable, and powerful

671 views • 7 slides
DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT Tutorial T11-3 1 Agenda What is a Registry, how is it run? Steps Towards Internal DNSSEC Steps Towards External DNSSEC Tough

898 views • 76 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides
Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K. Note to the DNS Camel* This document does not propose any new extensions to the DNS protocol. It

663 views • 16 slides

More recommend