The Importance of Being an Earnest stub
Challenges and solution for the versatile stub
Willem Toorop, 13 May 2017, OARC 26 (Madrid)
From the ground-up security

[Diagram: Browser (application) → stub (OS) → recursive resolver → authoritative servers for ., net and dns-oarc.net; the dns-oarc.net A query returns 64.191.0.198, after which the browser opens https to WebSrv]

● Every “secure” connection is preceded by a DNS lookup
● The stub does the lookup at the request of the application
● The recursive resolver does all the heavy lifting

Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 2/45
From the ground-up security

[Diagram: same lookup path, now with a validating recursive resolver; a spoofed answer (dns-oarc.net = 6.6.6.1) is injected towards the resolver]

● DNSSEC protects against cache poisoning
From the ground-up security

[Diagram: on the first/last mile between stub and recursive resolver, the stub's dns-oarc.net A? query is answered with 6.6.6.1 and the browser ends up on plain http to the wrong WebSrv]

● DNSSEC protects against cache poisoning
● But not against resolver hijacking (i.e. ARP or DHCP hijacking or routing tricks)
From the ground-up security

[Diagram: the stub itself fetches the DNSKEY and DS records of ., net and dns-oarc.net through a DNSSEC-aware recursive resolver and validates the dns-oarc.net A answer before the browser connects over https]

● DNSSEC protects against cache poisoning
● But not against resolver hijacking
● One possibility: DNSSEC on the stub
From the ground-up security/privacy

[Diagram: the first/last mile between stub and validating recursive resolver is carried over DNS over TLS; the dns-oarc.net A answer 64.191.0.198 arrives over that channel]

● DNSSEC protects against cache poisoning
● But not against resolver hijacking
● Another possibility: DNS over TLS
From the ground-up security/privacy

[Diagram: as on the previous slide, with both the stub-to-resolver DNS over TLS channel and the browser's https connection marked “Applies to DNS over TLS too”]

● TLS hijacking? Is That Possible?!
● Durumeric, Zakir, et al. “The Security Impact of HTTPS Interception.” Network and Distributed Systems Symposium (NDSS’17), 2017. https://www.internetsociety.org/doc/security-impact-https-interception
From the ground-up security/privacy

● Strengthen TLS security with the stub: DANE (DNS-based Authentication of Named Entities)
● Also a signalling system for TLS support (for applications without user interaction)
From the ground-up security/privacy

Authenticate DNS-over-TLS with DANE?

[Diagram: stub → validating recursive resolver over DNS over TLS → authoritative servers for ., net and dns-oarc.net; dns-oarc.net A returns 64.191.0.198, browser connects over https]

● Bootstrap the TLSA lookup with regular DNS?
From the ground-up security/privacy

Authenticate DNS-over-TLS with DANE?

[Diagram: before it can authenticate the DNS-over-TLS resolver, the stub must look up _853._tcp.getdnsapi.net TLSA plus the DNSKEY and DS records of getdnsapi.net, net and . through a DNSSEC-aware recursive resolver, i.e. over the very channel it wants to authenticate]

● Bootstrap the TLSA lookup with regular DNS? – Chicken and Egg problem
From the ground-up security/privacy

[Diagram: the recursive resolver hands the stub, inside the TLS handshake, the complete chain: _853._tcp.getdnsapi.net TLSA, getdnsapi.net DNSKEY and DS, net DNSKEY and DS, . DNSKEY, and all RRSIGs; the stub validates it and then resolves dns-oarc.net A → 64.191.0.198 over the authenticated channel]

● Bootstrap the TLSA lookup with regular DNS?
● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
  https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension
From the ground-up security/privacy

[Diagram: as on the previous slide, with the callout “TLS DNSSEC authentication chain extension must be obligatory, to prevent the ‘Too many CA’s’ problem”]

● Bootstrap the TLSA lookup with regular DNS?
● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
  https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension
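As an added example, not code from the talk or from getdns, this is the DANE check a stub would run on a DNS-over-TLS resolver's certificate once it holds the validated _853._tcp.getdnsapi.net TLSA RRset discussed on the DANE slides above: TLSA owner-name construction, rdata parsing and certificate-association matching as defined in RFC 6698. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and obtaining the RRset securely (the chicken-and-egg problem) is left out.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data standing in for a DER certificate and its
# SubjectPublicKeyInfo; a real stub takes both from the TLS handshake.
SAMPLE_CERT = b"constructed DER certificate of the DNS-over-TLS resolver"
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo of that certificate"

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

# Matching types (RFC 6698): how the association data is derived from the subject
_DIGEST = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def tlsa_owner(host, port=853, proto="tcp"):
    """Owner name of the TLSA RRset for a service, e.g. _853._tcp.getdnsapi.net."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata):
    """Parse presentation format 'usage selector matching hex-data'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex(hexdata.replace(" ", "")))

def make_tlsa_rdata(usage, selector, matching, subject):
    """Build the rdata a zone operator publishes for `subject` (cert or SPKI bytes)."""
    return f"{usage} {selector} {matching} {_DIGEST[matching](subject).hex()}"

def tlsa_matches(record, cert_der, spki_der):
    """True if this record's association data matches the presented certificate."""
    subject = {0: cert_der, 1: spki_der}.get(record.selector)
    digest = _DIGEST.get(record.matching)
    if subject is None or digest is None:
        return False          # unknown selector or matching type: fail closed
    return digest(subject) == record.data

def dane_ee_accepts(records, cert_der, spki_der):
    """Accept the resolver's certificate if any DANE-EE (usage 3) record matches.
    Usages 0-2 additionally require PKIX chain validation, which is not done here."""
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in records)
```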
From the ground-up security/privacy

[Status indicators the stub can report: DNSSEC availability, and DNS Privacy status as one of Clear text DNS / Private DNS / Authenticated Private DNS]

● The stub is close to the application: inform it of the status of DNSSEC and DNS Privacy
From the ground-up security/privacy

[Diagram: the stub round-robins its queries over several validating recursive resolvers, each resolving against the authoritative servers for ., net and dns-oarc.net]

● Bonus feature: enhanced privacy by round-robining upstreams
From the ground-up security/privacy

● Requirements for the versatile stub

                                           API   Non address   DNS over   DNSSEC
                                                   lookups        TLS
  Cross the first DNSSEC mile                                                X
  From the ground up Privacy                                       X
  Strengthened TLS authentication (DANE)             X                       X
  Strengthened opportunistic TLS (DANE)              X                       X
  Provide status of DNSSEC & DNS over TLS   X
DNSSEC Roadblocks

[Diagram: the stub tries to fetch the DNSKEY and DS records of ., net and dns-oarc.net, but the recursive resolver in the path is not DNSSEC aware (crossed out)]

● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
DNSSEC Roadblocks

[Diagram: as on the previous slide, with the non-DNSSEC-aware recursive resolver crossed out]

● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 + full recursion capability
DNSSEC Roadblocks

[Diagram: the roadblock slide side by side with the DNS-over-TLS chain-extension slide (_853._tcp.getdnsapi.net TLSA, getdnsapi.net and net DNSKEY and DS, . DNSKEY, RRSIGs delivered in the TLS handshake), annotated “Does not apply to first-mile crossed by DNS-over-TLS”]

● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 + full recursion capability