Joint Techs, Albuquerque Feb 2006 © 8 Feb 2006 Stichting NLnet Labs
http://www.nlnetlabs.nl/
DNS Risks, DNSSEC
Olaf M. Kolkman and Allison [email protected] and [email protected]
DNSSEC evangineers of the day
Allison:
• Independent consultant
• Member of the Internet2 Tech. Advisory Comm.
• IETF Transport Area Director
• Member of ICANN’s SSAC
Olaf:
• NLnet Labs (www.nlnetlabs.nl)
– DNS and DNSSEC research
• Protocol and software development (NSD)
• Co-Chair of the IETF DNSEXT working group
(Shinkuro is acknowledged for sponsoring our trip)
Why DNSSEC
• Good security is multi-layered
– Multiple defense rings in physically secured systems
[Image: Bourtange, source Wikipedia]
– Multiple ‘layers’ in the networking world
• DNS infrastructure
– Providing DNSSEC to raise the barrier for DNS based attacks
– Provides a security ‘ring’ around many systems and applications
The Problem
• DNS data published by the registry is being replaced on its path between the “server” and the “client”.
• This can happen in multiple places in the DNS architecture
– Some places are more vulnerable to attacks than others
– Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities)
Solution: a Metaphor
• Compare DNSSEC to a sealed transparent envelope.
• The seal is applied by whoever closes the envelope
• Anybody can read the message
• The seal is applied to the envelope, not to the message
DNS Architecture
[Diagram: Registrars/Registrants, Registry DB, primary, secondaries, cache server and client, divided into Provisioning and DNS Protocol; labels: edu institution as ISP, edu as ‘friend’, edu as DNS provider]
DNS Architecture
[Diagram: Registry DB, Registrars and Registrants, divided into Provisioning and DNS Protocol; annotations: Server compromise, Inter-server communication, Cache Poisoning]
Example: Unauthorized mail scanning
[Diagram: Astrophysics Mail Server, DNS and Central Admin Mail Server; labels: “Where?”, “There!”, and a mail with “Subject: tenure”]
Example: Unauthorized mail scanning
[Diagram: Astrophysics Mail Server, DNS, Central Admin Mail Server and a Bad Guy; labels: “Where?”, “Elsewhere”, and a mail with “Subject: tenure”]
Where Does DNSSEC Come In?
• DNSSEC secures the name to address mapping
– Transport and Application security are just other layers.
DNSSEC secondary benefits
• DNSSEC provides an “independent” trust path
– The person administering “https” is most probably a different person from the one that does “DNSSEC”
– The chains of trust are most probably different
– See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”
More benefits?
• With reasonable confidence perform opportunistic key exchanges
– SSHFP and IPSECKEY Resource Records
• With DNSSEC one could use the DNS for a priori negotiation of security requirements.
– “You can only access this service over a secure channel”
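As an added illustration (not code from the original slides), the sketch below computes the SSHFP record for a host key as described in RFC 4255 and applies an assumed client policy in which only a DNSSEC-validated answer may replace the user prompt. The sample keys, the owner name and the `check_host_key` policy are constructed for this example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RSA and DSS are the two defined in RFC 4255)
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (added later by RFC 6594)
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line, fp_type=1):
    """Return (algorithm, fp_type, hex fingerprint) for an OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)  # the fingerprint covers the raw key blob
    return KEY_ALGORITHMS[key_type], fp_type, FP_HASHES[fp_type](blob).hexdigest()

def zone_line(owner, pubkey_line, fp_type=1):
    """Format the record as it would appear in a zone file."""
    alg, fpt, fp = sshfp_rdata(pubkey_line, fp_type)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"

def check_host_key(presented_line, sshfp_records, dnssec_validated):
    """Assumed client policy: only a validated answer may replace asking the user."""
    if not sshfp_records:
        return "ask-user"              # nothing published for this host
    if not dnssec_validated:
        return "ask-user"              # unsigned DNS data proves nothing
    matches = any(sshfp_rdata(presented_line, fpt) == (alg, fpt, fp.lower())
                  for alg, fpt, fp in sshfp_records if fpt in FP_HASHES)
    return "accept" if matches else "reject"

def _ssh_string(data):
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def _sample_key(seed):
    """Constructed sample key (not a real host key): type, exponent, made-up modulus."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + bytes([seed]) * 64))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

HOST_KEY = _sample_key(0xA5)    # key the zone owner published
OTHER_KEY = _sample_key(0x5A)   # key presented by a different server

if __name__ == "__main__":
    print(zone_line("host.example.", HOST_KEY))
    published = [sshfp_rdata(HOST_KEY)]
    print(check_host_key(OTHER_KEY, published, dnssec_validated=True))
```

A matching fingerprint in an unvalidated answer still returns `ask-user`, because without DNSSEC the record could have been replaced on the path along with the address.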
DNSSEC properties
• DNSSEC provides message authentication and integrity verification through cryptographic signatures
– Authentic DNS source
– No modifications between signing and validation
• It does not provide authorization
• It does not provide confidentiality
DNSSEC deployment practicalities
• RIPE NCC deployed DNSSEC on the reverse tree
– 202.in-addr.arpa etc are now signed and you can get secure delegations
– We followed the architecture to plan the changes to our system
• You may want to follow the same steps when planning for local DNSSEC deployment
DNSSEC Architecture modifications
[Diagram: Provisioning DB, Customer interfaces, Zone Creation, Zone signer, Primary DNS, Secondary DNS; annotations: DNSSEC aware provisioning, DNS and input checks, DNSSEC aware servers]
Server Infrastructure
• Part of keeping up to date
– Your most recent version of BIND and NSD run DNSSEC
• Memory might be an issue
– Predictable (see RIPE352)
• Coordination with secondaries
Provisioning
• Realize that interaction with child is not drastically different.
– DS and NS have the same security properties
– You may need to respond a bit differently to ‘child’ emergency cases
• Thinking “security” will make you notice “security”
Key Mastering and Signing
• Key management and signing needs to be reliable
– Failure will lead to loss of service
• Cost factors:
– Automation and Education
How about the ‘client’ side
• Set up your caching nameserver to perform validation and the infrastructure behind it is protected
• DNSSEC has not yet been pushed to the host or application
• Costs are in maintaining trust anchors
– There is no standard to automate against.
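What a host behind a validating cache actually sees, as an added example (not from the original slides): the stub asks with the EDNS0 DO bit set and reads the AD flag in the reply header. The sample reply headers are constructed, and the AD flag is only as trustworthy as the path between the host and its cache, which is the gap this slide points at.

```python
import struct

AD_FLAG = 0x0020   # Authenticated Data: the resolver validated the answer
DO_BIT = 0x8000    # "DNSSEC OK" flag carried in the EDNS0 OPT record

def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Recursive query (RD=1) with an OPT record that sets the DO bit."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, class = UDP payload size,
    # TTL = extended rcode / version / flags, RDLENGTH 0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, DO_BIT, 0)
    return header + question + opt

def response_status(packet):
    """Classify a reply header as seen by a non-validating stub resolver."""
    _txid, flags = struct.unpack(">HH", packet[:4])
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"      # a validating cache answers SERVFAIL for bogus data
    if rcode != 0:
        return "error"
    return "validated" if flags & AD_FLAG else "unvalidated"

# Constructed 12-byte reply headers (QR, RD, RA set; record sections omitted)
SAMPLE_VALIDATED = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
SAMPLE_PLAIN = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_BOGUS = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    print(build_query("example.org").hex())
    for sample in (SAMPLE_VALIDATED, SAMPLE_PLAIN, SAMPLE_BOGUS):
        print(response_status(sample))
```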
What’s keeping folk
• New technology; chicken and egg
• Zone walking possibility
– Is this really an issue in your environment?
– Solutions are being engineered
• Automated key rollover and distribution
Why would you be a(n) (early) player
• Keeping the commons clean
– EDU and international research nets are important parts of the commons
– Significant ‘hot spots’ of delegation
– EDU networks have ‘interesting’ properties for the black hats.
Early players
• Demonstrate the ability to self-regulate
– Before the guys up the hill force it down your throat
– Before a bad thing happens and you are woken up at 2 am
• Lead by example
– Break the egg
What you can do
• Deploy in your own domain
– www.dnssec.net contains a myriad of information resources.
• Ask your registry and your registrar?
– Educause, ARIN, Verisign, CC-TLD registries, .gov etc.
• Ask your OS and network equipment and application vendors
– Microsoft, Cisco, Firewall vendors, etc
This Week
• Get involved in an Internet2 pilot
– Charles Yun, Internet2 Security Program Director, organizing now
– Talk to him this week
• Get to our workshop
– http://dnssec-nm.secret-wg.org
• Talk to your colleagues for bilateral pilots
• Talk to us.
Next Week
• Deploying locally provides immediate security benefits
– Sign your own zone and configure your keys
Mitigate by Deploying SSL?
• Claim: SSL is not the magic bullet
– (Neither is DNSSEC)
• Problem: Users are offered a choice
– Far too often
– Users are annoyed
• Implementation and use make SSL vulnerable
– Not the technology
Confused?