dnsとtlsのビミョーな関係 · 2015. 9. 30. · idn practices repository root key signing...

46

DNSとTLSのビミョーな関係佐原具幸株式会社インターネットイニシアティブ

Upload: others

Post on 12-Oct-2020

3 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

DNSとTLSのビミョーな関係

佐原具幸株式会社インターネットイニシアティブ

Page 2: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

HTTPSクライアント

Page 3: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Page 4: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

作っていて困ったこと。

Page 5: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ドメイン名とTLSの関係

Page 6: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

TLS といえば HTTPS が代表格

Page 7: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

HTTPS は HTTP を安全にしたもの

Page 8: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

何をもって「安全」

と言っているのか？

Page 9: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ブラウザが HTTP で取ってきた内容

HTML/CSS/JavaScript

Page 10: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

と

Page 11: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ブラウザの上の方に表示されている

謎の文字列

Page 12: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Page 13: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

の対応付けが、

Page 14: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

OS / ブラウザの開発元が認めた、認証局によって保証されている、証明書を使って検証されたこと、をもって安全だとしている。

Page 15: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

EV証明書だともうちょっとわかりやすい

Page 16: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Page 17: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ドメイン名

コンテンツ (HTML等)

Page 18: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

実はまだギャップがある

Page 19: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ドメイン名

コンテンツ

サーバX.509 Certificate

TLS on TCP

ここがあやうい

Page 20: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

キモ(いの)はワイルドカード証明書

Page 21: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

広く使われている技術

Page 22: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Page 23: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ワイルドカード文字＊(スター)

は任意の文字列にマッチ

Page 24: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

*.google.comnews.google.com

maps.google.com

images.google.com

video.google.com

plus.google.com

play.google.com

Page 25: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

なんて便利 ♥

Page 26: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ん? ひょっとして…

Page 27: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

最強の証明書

“*”

Page 28: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

x

Page 29: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

RFC2818 3.1.: Names may contain the wildcard character * which is considered to match any single domain name component or component fragment.

Page 30: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Page 31: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

では “*.jp” なら？

Page 32: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

o or x

Page 33: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

実装依存... orz

Page 34: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

”*.jp” というワイルドカード証明書を

受け入れる受け入れないPython Ruby Safari

curl (Mac) wget

Chrome Firefox LibreSSL

curl (OpenSSL) ???

Page 35: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

“*.jp” なんて証明書を信じるのは脆弱性だ！直せばいいじゃないか

Page 36: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

では “*.google” なら...?

Page 37: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

o or x状況は “*.jp” と変わらない。

Page 38: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Page 39: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

えー、何も悪いことしてないのに。

Page 40: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Page 41: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

要するに単一の管理主体の元に運営されていると

証明できれば良い?

Page 42: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

あ、これどこかで聞いた。

Page 43: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

Public Suffix List !

Page 44: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

と、いうわけで

Page 45: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

ワイルドカード証明書の検証にも

Public Suffix Listを使う時代が来てしまうかも…?

Page 46: DNSとTLSのビミョーな関係 · 2015. 9. 30. · IDN Practices Repository Root Key Signing Key (DNSSEC) Reserved Domains NUMBERS PROTOCOLS ABOUT IANA Delegation Record for

おしまい

IANA and DNSSEC Root - Apricot · IANA ! and! DNSSEC! at! the ! Root APRICOT! 2009! Manila February! 25,! 2009 [email protected]

The IANA Stewardship Transition The role of the Internet ...ronog3.ronog.ro/wp-content/uploads/2016/11/Deploying-DNSSEC.pdf · An application that understand DNSSEC and DANE will

Global Domains Division ICANN 51 Update...Text #ICANN51 IANA Department • Priority: Liaison on the IANA Stewardship Coordinating Group (ICG) • 14 August 2014: 18th DNSSEC Key Signing

my DNSSEC Deployment Plans & Experience · 2018. 4. 17. · Duration: 29th Dec -16th May 2010 Zones: All zones Trust Anchor: IANA DNSSEC Root Test Bed Production Signed since 9th

DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

DNSSEC at Penn - internet2.edu · DNSSEC at a glance • “DNS Security Extensions” • A system to verify the authenticity of DNS “data” using public key signatures • Protocol

APNIC eLearning: DNSSEC · DNSKEY DNS Key Public key needed for verifying a RRSIG ... (Unbound) – Google Public DNS • 8.8.8.8 or 8.8.4.4 . DNSSEC – Setting up a Secure Zone

CCNSO MEMBERS MEETING IANA Names Function Update · 2017-11-13 · • Rolling the Root Zone Key Signing Key • Performance reporting • Customer Survey. New DNSSEC algorithm support

Rolling the Root Zone DNSSEC Key Signing Key - Eland Syssm/KSK_Roll_Plan_LewisAFRINIC25.pdf · Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis ... and a trust anchor •

A Story on Unsupported DNSSEC Algorithms · $ dnssec-keygen -a RSAMD5 example.com. dnssec-keygen: fatal: unsupported algorithm: 1 pdnsutil generate-zone-key Syntax: pdnsutil generate-zone-key

IANA: Who, What, Why? - ICANN · 4.2.1.6. The fedfsAnnotation key namespace is to be managed by IANA. IANA is to create and maintain a new registry entitled "FedFS Annotation Keys"

DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com

Dnssec key management part1

DNSSEC @ IANA · – dnssec operations considered and envisioned for some time • Transparency – system design help from experts in the Internet community which it would serve

IANA Update - APNIC · 2018. 1. 16. · IANA Update APNIC 31, Hong Kong February 2011 . Agenda 2 • Addressing • DNSSEC • Root management • Continuity Exercise • Business

DNSSEC - register.si · DNSSEC KSK key material is stored in a FIPS 140-2 Level 3 compliant ... 4.3.3 Training requirements Every person that fulfills a role in the DNSSEC ceremony

Vanishing Point - Resilient DNSSEC Key Repository

Understanding and Deploying DNSSEC - APNIC · • DNSSEC works fine with a single key pair • Problem with using a single key: – Every time the key is updated, the DS record must

IANA Numbering Services Review Committee · IANA Numbering Services Review Committee Nurani Nimpuno, IANA RC Chair RIPE80, 12 –14 May 2020. Background IANA Stewardship transition

Placeholder for DNSSEC Validation - CANTO · 2016-08-06 · The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy The KSK is a cryptographic

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

IANA FUNÇÕES DA IANA: O BÁSICO

ABC DNSSEC Practice Statement (DPS) - ICANN · ABC DNSSEC Practice Statement (DPS) ... 2.2 Publication of key signing keys (KSK) ... 4.3.3 Training requirements

Rolling the Root Zone DNSSEC Key Signing Key · DNSSEC Key Management in the Root Zone ¤ DNSSEC key management is divided into: o Key Signing Key (KSK), self-signs the key set o

DNSSEC Cryptography Review - APRICOT · PDF file · 2017-02-06DNSSEC Cryptography Review DNSSEC Tutoria l February 21, 2011 ... to decrypt anything using your private key. ... we

LDplayer: DNS Experimentation at Scale (abstract with poster) · Impact of Change in DNSSEC Key Size: Longer Zone Signing Key (ZSK) and more queries DNSSEC enabled (DO bit set) will

Dominic Stahl Infoblox DNSSEC Solution - DENIC eG: Wir ... · Infoblox DNSSEC Solution simple, secure and reliable Infoblox DNSSEC Solution ... Infoblox DNSSEC Offering:

Rolling the Root Zone DNSSEC Key Signing Key · • DNSSEC has three kinds of records that, in some loose definition, hold cryptographic key data. The records exist because of the

Rolling the Root Zone DNSSEC Key Signing Key

UMSSIA - DTCDNSSEC •DNSSEC Attempts to address these issues cryptographically. •In the “Ideal DNSSEC Deployment”: –There is a public key for the “root” domain. –This