DNSSEC - Amsterdam Roundtable 2011
DNS Security
Wolfgang Nagele
DNS Services Manager
Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 2
DNS: the Domain Name System
• Specified by Paul Mockapetris in 1983
• Distributed Hierarchical Database
– Main purpose: Translate names to IP addresses
– Since then: Extended to carry a multitude of information (such as SPF, DKIM)
• Critical Internet Infrastructure
– Used by most systems (in the background)
DNS Tree Structure
How does it work?
What is the problem?
• UDP transport can be spoofed
– Anybody can pretend to originate a response
• If a response is modified, the user will connect to a possibly malicious system
The Solution
• Make the responses verifiable
– Cryptographic signatures
• Hierarchy exists so a Public Key Infrastructure is the logical choice
– Same concept as used in eGovernment infrastructures
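The hierarchical PKI described above works by having each parent zone publish a DS record, a hash of the child zone's key-signing DNSKEY, so a resolver that trusts the parent can check the child's key. The following is an added example, not code from the RIPE NCC deck: it implements the RFC 4034 key tag and DS digest computations and the resolver-side match; the zone name and key bytes are constructed placeholders.

```python
import hashlib
import struct

# Added example, not from the RIPE NCC deck: models the DNSSEC chain of trust
# the slides describe. A parent zone publishes a DS record (a hash of the child
# zone's key-signing DNSKEY), so a resolver that already trusts the parent can
# check which key the child is allowed to sign with. Key tag (RFC 4034 App. B)
# and DS digest (RFC 4034 s.5.1.4) follow the real wire formats; key bytes and
# zone name below are constructed placeholders.

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def parent_ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Resolver-side check: does the DS published by the parent describe this
    DNSKEY? ds = (key_tag, algorithm, digest_type, digest), as in DS RDATA."""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return ds_digest(owner, rdata) == digest

# Constructed sample: a KSK (flags 257 = ZONE|SEP, algorithm 8) for example.net.
KSK_RDATA = dnskey_rdata(257, 8, bytes(range(1, 33)))
PARENT_DS = (key_tag(KSK_RDATA), 8, 2, ds_digest("example.net", KSK_RDATA))

if __name__ == "__main__":
    print("DS:", PARENT_DS[0], PARENT_DS[1], PARENT_DS[2], PARENT_DS[3].hex())
    print("genuine key accepted:", parent_ds_matches("example.net", KSK_RDATA, PARENT_DS))
    # A spoofed response carrying some other key fails the parent's DS check.
    forged = dnskey_rdata(257, 8, bytes(range(33, 65)))
    print("forged key accepted:", parent_ds_matches("example.net", forged, PARENT_DS))
```

The same check is repeated at every delegation down from the root, which is why the deck treats the signed root zone as the precondition for useful deployment.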
How does it work with DNSSEC?
DNS Security Extensions: A Long Story
• 2005: Theoretical problem discovered (Bellovin)
• 1995: Work on DNSSEC started
• 1999: First support for DNSSEC in BIND
• 2005: Standard is redesigned to better meet operational needs
RIPE NCC along with .SE among the first to deploy it in their zones
DNS Security Extensions
• 2005 - 2008: Stalled deployments due to the lack of a signed root zone
• 2008: D. Kaminsky shows the practical use of the protocol weakness
– Focus comes back to DNSSEC
• July 2010: Root Zone signed with DNSSEC
• March 2011: 69/306 signed TLDs
DNSSEC and the RIPE NCC
• Sponsor development of NSD DNS software
• Participated in the “Deployment of Internet Security Infrastructure” project
– Signed all our DNS zones
– IPv4 & IPv6 reverse space
– E164.arpa
– ripe.net
• K-root server readiness for a signed root zone
Signing of the Root Zone
• Shared custody by Root Zone maintainers
– Currently: U.S. DoC NTIA, IANA/ICANN, VeriSign
• Split key among 21 Trusted Community Representatives
• In production since July 2010
Deployment in ccTLDs: Europe
Deployment in ccTLDs: Middle East
Deployment in ccTLDs: Asia Pacific
Deployment in ccTLDs
![Page 20: DNSSEC - Amsterdam Roundtable 2011](https://reader034.vdocuments.site/reader034/viewer/2022051616/55381c7e550346e0428b46a2/html5/thumbnails/20.jpg)
Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 20
Deployment in ccTLDs
![Page 21: DNSSEC - Amsterdam Roundtable 2011](https://reader034.vdocuments.site/reader034/viewer/2022051616/55381c7e550346e0428b46a2/html5/thumbnails/21.jpg)
Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 21
Deployment in ccTLDs
![Page 22: DNSSEC - Amsterdam Roundtable 2011](https://reader034.vdocuments.site/reader034/viewer/2022051616/55381c7e550346e0428b46a2/html5/thumbnails/22.jpg)
Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 22
Deployment in gTLDs• .com/.net/.org (57% of world wide total domains)• .asia• .cat• .biz• .edu• .gov• .info• .museum• .mobi (Planned)
![Page 23: DNSSEC - Amsterdam Roundtable 2011](https://reader034.vdocuments.site/reader034/viewer/2022051616/55381c7e550346e0428b46a2/html5/thumbnails/23.jpg)
Wolfgang Nagele, RIPE NCC Roundtable Meeting, Amsterdam, April 2011 23
Deployment in Infrastructure TLD .arpa
• E164.arpa
– ENUM number mapping
– signed by the RIPE NCC
• in-addr.arpa
– Reverse DNS for IPv4
• ip6.arpa
– Reverse DNS for IPv6
Are We Done?
• Signed TLD is not the same as a signed domain
– Thick registry model (Registry-Registrar-Registrant)
– Registrars need to enable their customers to provide public key data to registry
Are We Done?
• Ultimately responses should be verified by the end user
– Home routers need to support DNS specifications with large response packets
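The "large response packets" point above refers to EDNS(0): a validating client advertises a UDP buffer larger than the classic 512 bytes and sets the DO bit in an OPT pseudo-record, and a home router that strips that record or clamps replies leaves the client with truncated answers. The following is an added example, not from the deck; the query name and reply headers are constructed.

```python
import struct

# Added example, not from the deck: the query a validating resolver or stub
# sends, and the check a client makes on the reply. DNSSEC answers carry RRSIG
# and DNSKEY data that rarely fits the classic 512-byte UDP limit, so the
# client advertises a bigger buffer and sets the DO bit in an EDNS(0) OPT
# pseudo-record (RFC 6891, RFC 3225). Constructed sample data throughout.

EDNS_UDP_SIZE = 4096    # buffer size advertised in the OPT record
DO_BIT = 0x8000         # "DNSSEC OK" flag in the OPT TTL field
FLAG_TC = 0x0200        # truncation bit in the header flags word

def name_to_wire(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qtype: int, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Header (RD=1), one IN question and, when dnssec_ok, an OPT RR with DO=1."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = name_to_wire(qname) + struct.pack("!HH", qtype, 1)
    if not dnssec_ok:
        return header + question
    # OPT: root owner name, TYPE 41, CLASS carries UDP size, TTL carries flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt

def edns_params(query: bytes):
    """(udp_size, do_bit) from the trailing OPT RR of a query built above, else None."""
    if len(query) < 23 or struct.unpack("!H", query[10:12])[0] == 0:
        return None
    _, rtype, udp_size, ttl, _ = struct.unpack("!BHHIH", query[-11:])
    return (udp_size, bool(ttl & DO_BIT)) if rtype == 41 else None

def needs_tcp_retry(response: bytes) -> bool:
    """True when TC=1: the reply was cut to fit a UDP limit and must be re-fetched over TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)

# Constructed reply headers: one complete (flags 0x8180), one truncated (0x8380, TC set).
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("ripe.net", 48)  # DNSKEY query with DO=1
    print(len(q), "bytes, EDNS:", edns_params(q))
    print("truncated reply needs TCP:", needs_tcp_retry(TRUNCATED_REPLY))
```

A quick field check for a suspect router is to send the DO=1 query through it and see whether replies come back truncated or without the OPT record the client asked for.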
Leverage Infrastructure
• DNS is a cross organisational data directory
• DNSSEC adds trust to this infrastructure
– Anybody can verify data published under ripe.net was originated by the domain holder
– Could be used to make DKIM and SPF widely used and trusted
– SSL certificates can be trusted through the DNS
– More ideas to come …
What about SSL/TLS?
• SSL as a transport is well established
• CA system currently in use is inherently broken
– Any Certificate Authority delivered with a browser to date can issue a certificate for any domain
– 100 and more shipped in every Browser
– If any one of them fails - security fails with it
– Recent incident with Comodo CA is one example
• DANE working group at IETF
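The DANE work mentioned above produced the TLSA record (RFC 6698), which lets a domain publish under DNSSEC which certificate or public key its TLS server uses, so the client no longer depends on every CA in its browser. The following is an added example, not code from the deck or the IETF; the certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER.

```python
import hashlib
import hmac

# Added example, not from the deck: the TLSA record defined by the IETF DANE
# work (RFC 6698) lets a domain publish, under DNSSEC, which certificate or
# public key its TLS server uses, so a client no longer has to trust every
# CA shipped in its browser. Certificate bytes below are constructed stand-ins;
# in practice they are the DER certificate sent in the TLS handshake.

USAGE_DANE_EE = 3        # trust this end-entity cert directly, no CA path needed
SELECTOR_FULL_CERT = 0   # match the whole certificate
SELECTOR_SPKI = 1        # match only the SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def association_data(selected: bytes, matching: int) -> bytes:
    """Certificate Association Data field for the chosen matching type."""
    if matching == MATCH_EXACT:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown TLSA matching type")

def build_tlsa(cert_der: bytes, spki_der: bytes, usage: int, selector: int, matching: int) -> tuple:
    """Server side: the RR the domain holder publishes (and signs with DNSSEC)."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    return (usage, selector, matching, association_data(selected, matching))

def tlsa_presentation(rr: tuple) -> str:
    usage, selector, matching, data = rr
    return f"{usage} {selector} {matching} {data.hex()}"

def cert_matches_tlsa(cert_der: bytes, spki_der: bytes, rr: tuple) -> bool:
    """Client side: does the certificate from the TLS handshake match the
    DNSSEC-validated TLSA RR? Only usage 3 is handled, where DNS alone decides."""
    usage, selector, matching, data = rr
    if usage != USAGE_DANE_EE:
        raise NotImplementedError("usages 0-2 additionally require PKIX validation")
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    return hmac.compare_digest(association_data(selected, matching), data)

# Constructed placeholders for a certificate and its SubjectPublicKeyInfo.
CERT_DER = b"\x30\x82CONSTRUCTED-CERTIFICATE"
SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI"
TLSA_RR = build_tlsa(CERT_DER, SPKI_DER, USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256)

if __name__ == "__main__":
    print("_443._tcp.www.example.net. IN TLSA", tlsa_presentation(TLSA_RR))
    print("presented certificate matches:", cert_matches_tlsa(CERT_DER, SPKI_DER, TLSA_RR))
```

The record is only as trustworthy as the DNSSEC validation of the zone it lives in, which is why the deck lists end-user validation as the remaining step.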