Joint Techs, Albuquerque Feb 2006© 8 Feb 2006 Stichting NLnet Labs

http://www.nlnetlabs.nl/

DNS Risks, DNSSEC

Olaf M. Kolkman and Allison Mankinolaf@nlnetlabs.nl and mankin@psg.com

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

DNSSEC evangineers of the dayAllison:

• Independent consultant

• Member of the Internet2 Tech. Advisory Comm.

• IETF Transport Area Director

• Member of ICANN’s SSAC

Olaf:

• NLnet Labs (www.nlnetlabs.nl)– DNS and DNSSEC research

• Protocol and software development (NSD)

• Co-Chair of the IETF DNSEXT working group(Shinkuro is acknowledged for sponsoring our trip)

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Why DNSSEC

• Good security is multi-layered– Multiple defense rings in physical secured

systems

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Bourtange, source Wikipedia

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Why DNSSEC

• Good security is multi-layered– Multiple defense rings in physical secured

systems

– Multiple ‘layers’ in the networking world

• DNS infrastructure– Providing DNSSEC to raise the barrier for

DNS based attacks

– Provides a security ‘ring’ around many systemsand applications

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

The Problem

• DNS data published by the registry is beingreplaced on its path between the “server” andthe “client”.

• This can happen in multiple places in the DNSarchitecture

– Some places are more vulnerable to attacks thenothers

– Vulnerabilities in DNS software make attacks easier(and there will always be software vulnerabilities)

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Solutiona Metaphor

• Compare DNSSEC to a sealed transparentenvelope.

• The seal is applied by whoever closes theenvelope

• Anybody can read the message

• The seal is applied to the envelope, not tothe message

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

edu institution as ISP

edu as ‘friend’

edu as DNS provider

DNS Architecture

Registry DB

primary

secondary

Cache server

Registrars/

Registrants

client

DNS ProtocolProvisioning

secondary

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

DNS Architecture

Registry DB

Server compromise

Registrars

Registrants

DNS ProtocolProvisioning

Inter-server

communicationCache Poisoning

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Astrophysics

Mail ServerAstrophysics

Mail Server

Example:Unauthorized mail scanning

DNSDNS

Central Admin

Mail ServerCentral Admin

Mail Server

Where?

There!

Subject: tenure

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Astrophysics

Mail ServerAstrophysics

Mail Server

Example:Unauthorized mail scanning

DNSDNS

Central Admin

Mail ServerCentral Admin

Mail Server

Where?Elsewhere

Bad GuyBad Guy

Subject: tenure

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Where Does DNSSEC Come In?

• DNSSEC secures the name to addressmapping

– Tranport and Application security are justother layers.

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

DNSSEC secondary benefits

• DNSSEC provides an “independent” trustpath– The person administering “https” is most

probably a different from person from the onethat does “DNSSEC”

– The chains of trust are most probably different

– See acmqueue.org article: “Is HierarchicalPublic-Key Certification the Next Target forHackers?”

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

More benefits?

• With reasonable confidence performopportunistic key exchanges

– SSHFP and IPSECKEY Resource Records

• With DNSSEC one could use the DNS fora priori negotiation of securityrequirements.

– “You can only access this service over a securechannel”

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

DNSSEC properties

• DNSSEC provides message authenticationand integrity verification throughcryptographic signatures– Authentic DNS source

– No modifications between signing andvalidation

• It does not provide authorization

• It does not provide confidentiality

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

DNSSEC deploymentpracticalities

• RIPE NCC deployed DNSSEC on thereverse tree– 202.in-addr.arpa etc are now signed and you

can get secure delegations

– We followed the architecture to plan thechanges to our system

• You may want to follow the same stepswhen planning for local DNSSECdeployment

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

DNSSECArchitecture modifications

Primary DNS

Secondary

DNS

Customer

interfaces

Zone signer

DNSSEC

aware servers

DNS and input

checks

Provisioning

DB

Zone

Creation

DNSSEC aware provisioning

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Server Infrastructure

• Part of keeping up to date

– Your most recent version of BIND and NSDrun DNSSEC

• Memory might be an issue

– Predictable (see RIPE352)

• Coordination with secondaries

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Provisioning

• Realize that interaction with child is notdrastically different.

– DS and NS have the same security properties

– You may need to respond a bit different to‘child’ emergency cases

• Thinking “security” will make you notice“security”

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Key Mastering and Signing

• Key management and signing needs to bereliable

– Failure will lead to loss of service

• Cost factors:

– Automation and Education

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

How about the ‘client’ side

• Set up your caching nameserver to performvalidation and the infrastructure behind it isprotected

• DNSSEC has not yet been pushed to thehost or application

• Costs are in maintaining trust anchors

– There is no standard to automate against.

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

What’s keeping folk

• New technology; chicken and egg

• Zone walking possibility

– Is this really an issue in your environment?

– Solutions are being engineered

• Automated key rollover and distribution

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Why would you be a(n) (early)player

• Keeping the commons clean

– EDU and international research nets areimportant parts of the commons

– Significant ‘hot spots’ of delegation

– EDU networks have ‘interesting’ properties forthe black hats.

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Early players

• Demonstrate the ability to self-regulate

– Before the guys up the hill force it down yourthroat

– Before a bad thing happens and you are wokenup at 2 am

• Lead by example

– Break the egg

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

What you can do• Deploy in your own domain

– www.dnssec.net contains a myriad ofinformation resources.

• Ask your registry and your registrar?– Educause, ARIN, Verisign, CC-TLD registries,

.gov etc.

• Ask your OS and network equipment andapplication vendors– Microsoft, Cisco, Firewalls vendors, etc

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

This Week

• Get involved in an Internet2 pilot– Charles Yun, Internet2 Security Program

Director, organizing now

– Talk to him this week

• Get to our workshop– http://dnssec-nm.secret-wg.org

• Talk to your colleagues for bilateral pilots

• Talk to us.

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Next Week

• Deploying locally provides immediatesecurity benefits

– Sign your own zone and configure your keys

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Mitigate by Deploying SSL?

• Claim: SSL is not the magic bullet

– (Neither is DNSSEC)

• Problem: Users are offered a choice

– Far too often

– Users are annoyed

• Implementation and use make SSL vulnerable

– Not the technology

Joint Techs, Albuquerque Feb 2006http://www.nlnetlabs.nl/

Confused?