September 18th 2009
DNSSEC: Restoring trust in DNS
Roland van Rijswijk, roland.vanrijswijk [at] surfnet.nl
In cooperation with:
About us
SURFnet. We make innovation work
- High quality and high bandwidth network for higher education and research
- Shared ICT innovation centre for academia
- Over 180 connected institutions (universities, polytechnics, vocational education, hospitals, research institutions) with 1 million end-users
- Independent consultancy company
- Cryptography expertise
- Internet security expertise
Overview
- First half:
  - Attacks on DNS
- Second half:
  - DNSSEC in detail
- Questions: please ask!
DNS: Roadsigns for the net
DNS: insecurity by design?
- DNS was designed in the early Internet era
- Everybody more or less knew everybody else
- And everybody trusted everybody else
- Bottom line: Security was not a design criterion
Threats to DNS
- Availability
  - If DNS is not available, the internet is broken (users think)
  - A typical DNS resolver services 100000+ end users
  - Some authoritative servers host over 8 million zones
- Exploitation
  - On an exploited server availability and integrity are broken
  - Plus the attacker can gain access to all other software on the same server/client
- Integrity
  - DNS gives the wrong answer and sends you the wrong way
Slide content courtesy of Bert Hubert (PowerDNS)
Why attack DNS?
- DNS is everywhere:
  - In your phone, in your laptop, in your PC…
  - But also in your car, in an ATM, in your elevator, …
- It is very hard to protect DNS against attacks (currently)
- It is very easy to attack a lot of users
Let’s start simple
Client -> DNS resolver: www.piggybank.dom A?
DNS resolver -> Root & TLD servers: www.piggybank.dom A?
Root & TLD servers -> DNS resolver: Referral to auth.
DNS resolver -> Authoritative server: www.piggybank.dom A?
Authoritative server -> DNS resolver: www.piggybank.dom A: 123.45.67.89
DNS resolver -> Client: www.piggybank.dom A: 123.45.67.89
Question: name a general attack model that is applicable to this setup
Answer: a man in the middle attack
Beyond M-i-t-M: spoofing
IP headers & stuff
src IP = 192.87.106.101 (ns1.surfnet.nl)
dst IP = 208.77.188.166 (www.example.com)
UDP src port = 53 dst port = 4321
headers & stuff
DNS QID = 1201 some flags
Question# = 1 Answer# = 1
Authority# = 3 Add. record# = 3
Q? A record for www.surfnet.nl
Ans. www.surfnet.nl = 194.171.26.203
Aut. surfnet.nl = ns1.surfnet.nl
Aut. surfnet.nl = ns2.surfnet.nl
Aut. surfnet.nl = ns3.surfnet.nl
Add. ns1.surfnet.nl = 192.87.106.101
Add. ns2.surfnet.nl = 192.87.36.2
Add. ns3.surfnet.nl = 195.169.124.71
Cache poisoning
Client -> DNS resolver: www.piggybank.dom A?
DNS resolver -> Root & TLD servers: www.piggybank.dom A?
Root & TLD servers -> DNS resolver: Referral to auth.
DNS resolver -> Authoritative server: www.piggybank.dom A?
Rogue responder -> DNS resolver: www.piggybank.dom A: 123.57.89.15 (spoofed answer, accepted in place of the authoritative one)
DNS resolver -> Client: www.piggybank.dom A: 123.57.89.15
Question: how can I target a specific name?
Answer: introduce a rogue client
So where do we go today? ;-)
Is it really a threat?
Yes because:
- Source port randomisation was not common practice before Kaminsky
- Query ID randomisation wasn’t common practice either
No because:
- You can only attempt to poison a name a few times per day (why?)
Cache poisoning++
- Dan Kaminsky published an attack at last year’s Black Hat conference
- No need to wait for a resolver to take initiative, no need to wait for TTL expiry…
Preparing for Kaminsky
IP headers & stuff
src IP = 192.87.106.101 (ns1.surfnet.nl)
dst IP = 208.77.188.166 (www.example.com)
UDP src port = 53 dst port = 4321
headers & stuff
DNS QID = 1201 some flags
Question# = 1 Answer# = 1
Authority# = 3 Add. record# = 3
Q? A record for www.surfnet.nl
Ans. www.surfnet.nl = 194.171.26.203
Aut. surfnet.nl = ns1.surfnet.nl
Aut. surfnet.nl = ns2.surfnet.nl
Aut. surfnet.nl = ns3.surfnet.nl
Add. ns1.surfnet.nl = 192.87.106.101
Add. ns2.surfnet.nl = 192.87.36.2
Add. ns3.surfnet.nl = 195.169.124.71
Attack in action
DNS resolver -> Root & TLD servers: 12345.piggybank.dom A?
Root & TLD servers -> DNS resolver: go to piggybank auth.
DNS resolver -> Authoritative server: 12345.piggybank.dom A? (QID=1234)
Rogue responder -> DNS resolver: 12345.piggybank.dom A: 123.45.67.89, sent repeatedly with guessed QID=1233, QID=1234, QID=1235, ...
QID=1234 matches the outstanding query: Success!
The accepted answer carries Additional: NS piggybank.dom, pointing the resolver at the Rogue authoritative
Spoofed additional section
;; QUESTION SECTION:
;abcde.piggybank.dom. IN A
;; ANSWER SECTION:
abcde.piggybank.dom. 582 IN A 123.45.67.89
;; AUTHORITY SECTION:
piggybank.dom. 3161 IN NS ns1.piggybank.dom.
piggybank.dom. 3161 IN NS ns2.piggybank.dom.
;; ADDITIONAL SECTION:
ns1.piggybank.dom. 604800 IN A 123.45.67.1
ns2.piggybank.dom. 604800 IN A 123.45.67.2
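The forged response above is what a resolver has to judge. The following is an added example, not code from the talk: a small parser for dig-style output and the bailiwick rule that caching resolvers apply (authority and additional data are only accepted when the owner name lies at or below the zone the queried server was delegated for). The zone name passed by the caller and the second, off-target response are constructed for the demonstration.

```python
"""Section parser plus bailiwick check for the spoofed answer on the slide.

Added example for this transcript, not code from the talk. The bailiwick
rule is the standard resolver rule; the zone name passed in and the
OFF_TARGET_RESPONSE variant are constructed for this demonstration.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: the spoofed response from the slide, in dig format.
SPOOFED_RESPONSE = """\
;; QUESTION SECTION:
;abcde.piggybank.dom.            IN A

;; ANSWER SECTION:
abcde.piggybank.dom.   582    IN A  123.45.67.89

;; AUTHORITY SECTION:
piggybank.dom.         3161   IN NS ns1.piggybank.dom.
piggybank.dom.         3161   IN NS ns2.piggybank.dom.

;; ADDITIONAL SECTION:
ns1.piggybank.dom.     604800 IN A  123.45.67.1
ns2.piggybank.dom.     604800 IN A  123.45.67.2
"""

# Constructed input: a cruder forgery that also tries to plant a record for
# an unrelated name; the bailiwick check catches that one.
OFF_TARGET_RESPONSE = SPOOFED_RESPONSE + "www.otherbank.dom.    604800 IN A  123.45.67.3\n"

Record = Tuple[str, int, str, str]  # (owner, ttl, rrtype, rdata)
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")


def parse_dig(text: str) -> Dict[str, List[Record]]:
    """Split dig-style text into its sections; question lines carry no TTL."""
    sections: Dict[str, List[Record]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith(";"):
            owner, _cls, rrtype = line[1:].split()
            sections[current].append((owner.lower(), 0, rrtype, ""))
        else:
            owner, ttl, _cls, rrtype, rdata = line.split(None, 4)
            sections[current].append((owner.lower(), int(ttl), rrtype, rdata.lower()))
    return sections


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner equals zone or is a subdomain of it (case-insensitive)."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def filter_bailiwick(sections: Dict[str, List[Record]], zone: str):
    """Return (kept, dropped): records outside the delegated zone are discarded."""
    kept: Dict[str, List[Record]] = {}
    dropped: List[Record] = []
    for name in ("ANSWER", "AUTHORITY", "ADDITIONAL"):
        kept[name] = []
        for rec in sections.get(name, []):
            (kept[name] if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped


def surviving_records(text: str, zone: str) -> int:
    """How many answer/authority/additional records pass the bailiwick check."""
    kept, _ = filter_bailiwick(parse_dig(text), zone)
    return sum(len(v) for v in kept.values())
```

Run against the slide's response with zone `piggybank.dom.`, all five records survive: the forged NS set and its glue are in bailiwick for a query under piggybank.dom, which is exactly why the slide calls this attack worse than classic poisoning. The check only removes the off-target record in the second input. Resolvers additionally rank additional-section data below authoritative answers already in cache (RFC 2181 section 5.4.1), but that does not help for a delegation the cache has not seen yet; the remaining defences are more entropy (source ports, 0x20) and DNSSEC.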
Attack in action
Vulnerable end user -> DNS resolver: www.piggybank.dom A?
DNS resolver -> Rogue authoritative (now cached as the piggybank.dom name server instead of the real Authoritative server; Root & TLD servers are no longer consulted): www.piggybank.dom A?
Rogue authoritative -> DNS resolver: www.piggybank.dom A: 123.45.67.89
DNS resolver -> Vulnerable end user: www.piggybank.dom A: 123.45.67.89
So it’s even worse!
Impact on threat level (1)
- Kaminsky is happening (we think, but it is damn hard to detect):
  - Wide-scale patching has been rolled out
  - But research shows:
    Poisoning unpatched BIND: ±3 seconds
    Poisoning patched BIND: 1-11 hours (source: NIC.cz)
Impact on threat level (2)
- Kaminsky is happening on our network!
Impact on threat level (3)
- Kaminsky is happening on our network!
Impact on threat level (4)
- Kaminsky is happening on our network!
The slow attack
- Brute force attacks are easy to detect
- But the slow attack is very insidious… research by Bert Hubert (PowerDNS) shows:
[Graph courtesy of Bert Hubert]
Summary
Components and data flows on the slide:
- Stub resolver -> queries -> Caching resolver -> queries -> Master / Slaves
- Zone file -> Master; dynamic updates -> Master; Master -> zone transfers -> Slaves
Threats marked on the diagram:
- Man in the middle
- Cache poisoning
- Data modification
- Master spoofing
- Spoofed updates
- Corrupt data
Break time
What is DNSSEC? (1)
- DNSSEC is an extension to DNS specified by the IETF in a number of RFCs
- Actively developed since 1997
- According to RFC 4033:
“The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System.”
What is DNSSEC? (2)
- DNSSEC makes it possible to check the authenticity of DNS records
- This is accomplished using public key cryptography
- What DNSSEC does not do:
  - Provide confidentiality
  - Protect against threats to the name server (DDoS, etc.)
  - Guarantee correctness of the DNS data (only authenticity)
  - Protect against phishing, typosquatting, etc.
Cryptography in DNSSEC (1)
Cryptography in DNSSEC (2)
- Signing takes place at zone level
- 2-tiered key model:
  - Key Signing Key
    - Large key size (≥ 2048 bits RSA)
    - Long validity (≥ 1 year)
    - Used to sign Zone Signing Key
  - Zone Signing Key
    - Smaller key size (≥ 1024 bits RSA)
    - Short validity (± 1 month)
    - Used to sign the zone (resource records)
Signing DNS zones
- Additional resource records (RRs)
  - For public keys: DNSKEY, DS
  - For signatures: RRSIG
  - For authenticated denial-of-existence: NSEC, NSEC3
- Zones become quite a bit larger
Validating a response
Query “www.nist.gov” @ns1.nist.gov
www.nist.gov IN A 129.6.13.45
www.nist.gov IN RRSIG 156 0020502000151804A10623C49E8D53CF7E6046E69737403676F7600... (signature!)
- Validate this signature against the “nist.gov” zone public zone signing key
- It’s the resolver’s job to do this!
- How do I find and trust the “nist.gov” key?
Current deployment
- Deployed on several TLDs:
  - ccTLDs: .bg, .br, .cz, .pr, .se
  - generic TLDs: .org, .gov, .museum
- Announced for more TLDs:
  - generic TLDs: .com and .net (2011) (> 65% of all domains!)
- Good news: root is likely to be signed before end of 2009 (bad news: politics…)
- Many (cc)TLDs still to announce strategy
Trust chain
- DNS root (.): not signed = no trust possible yet
- . trusts .gov: signing keys for the .gov zone, used to sign the .gov zone, which contains the nist.gov public key
- .gov trusts nist.gov: signing keys for the nist.gov zone, used to sign the nist.gov zone, which contains the signed record for www.nist.gov
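The link "the .gov zone contains the nist.gov public key" is a DS record in the parent that commits to a digest of the child's key-signing DNSKEY. The following is an added example, not code from the talk, showing how that link is computed and checked: the key tag follows RFC 4034 Appendix B, the digest is SHA-256 over the canonical owner name followed by the DNSKEY RDATA (digest type 2, RFC 4509). The public-key bytes are a constructed placeholder, not the real nist.gov key; the name nist.gov is used only because the slides use it.

```python
"""Linking a child DNSKEY to the parent's DS record, as in the trust chain above.

Added example for this transcript, not code from the talk. The public-key
bytes below are a constructed placeholder; real keys are the RSA public key
in DNSKEY wire encoding.
"""
import hashlib
import struct
from typing import Tuple

# Constructed placeholder for the child's KSK public key (64 arbitrary bytes).
CHILD_KSK_PUBLIC_KEY = bytes(range(1, 65))
CHILD_ZONE = "nist.gov."


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-case, length-prefixed labels, root label."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick a key, not a security property."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest the parent publishes: SHA-256(canonical owner || DNSKEY RDATA)."""
    return hashlib.sha256(canonical_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes) -> str:
    """Render the DS record the parent (.gov) would publish for this KSK."""
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"


def parse_ds(text: str) -> Tuple[str, int, int, int, str]:
    """Split 'owner IN DS tag alg digest-type digest' into its fields."""
    owner, _cls, _type, tag, alg, dtype, digest = text.split()
    return owner, int(tag), int(alg), int(dtype), digest.upper()


def ds_matches(ds_text: str, dnskey: bytes) -> bool:
    """Resolver-side link check: does the parent's DS commit to this child DNSKEY?"""
    owner, tag, alg, dtype, digest = parse_ds(ds_text)
    if dtype != 2:
        return False  # only SHA-256 digests are handled in this example
    return (key_tag(dnskey) == tag and dnskey[3] == alg
            and ds_digest(owner, dnskey) == digest)


# Algorithm 5 (RSASHA1) is what 2009-era deployments mostly used.
CHILD_KSK = dnskey_rdata(257, 5, CHILD_KSK_PUBLIC_KEY)
PARENT_DS = ds_record(CHILD_ZONE, CHILD_KSK)
```

A validating resolver walks the chain this way at each delegation: fetch the child's DNSKEY RRset, find the key whose tag and digest match a DS in the (already validated) parent zone, and only then use that key to check the RRSIG on the child's records. Any single-byte change to the DNSKEY, or a key with the ZSK flag substituted for the KSK, fails the check.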
Islands of trust
Tree on the slide: . with children nl, org, com, gov, and below them verisign, surfnet, showcase, isc, www, nist, www
Legend: shaded subtree = island of trust
Finding trust anchors
- Managing trust anchors by hand is hard work
- IANA has made the “Interim Trust Anchor Repository” (ITAR) available: https://itar.iana.org/
- ISC has introduced “DNSSEC look-aside validation” (DLV) and made a repository available
- No standard way to trust the trust anchors of these repositories
- These are interim solutions
DLV
Same tree as on the “Islands of trust” slide (., nl, org, com, gov, verisign, surfnet, showcase, isc, www, nist, www)
Legend: island of trust; archipelago of trust (islands linked through the DLV repository)
My ISP resolver -> DLV: query trust anchors
Key management (1)
- Key Signing Key and Zone Signing Key have a limited validity; this requires regular roll-overs:
Timeline on the slide: Key #1, Key #2, Key #3, Key #4, with Rollover #1, Rollover #2 and Rollover #3 between successive keys
Legend:
- Key has been announced but is not yet valid
- Key is used for signing
- Key is still valid but no longer used for signing
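The three states in the legend are the pre-publish rollover scheme: a successor key is announced in the zone before it signs anything, and a retired key stays published until every signature it made has expired from caches. The following is an added example, not tooling from the talk, that builds such a schedule and checks the two overlaps a zone operator has to get right. The dates, the 30-day ZSK lifetime and the 7-day pre-publish and retire windows are constructed assumptions; a real schedule derives those windows from the zone's TTLs and RRSIG validity periods.

```python
"""Pre-publish ZSK rollover schedule with the states from the slide's legend.

Added example for this transcript, not code or tooling from the talk. All
dates and window lengths are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Union


def _as_date(d: Union[str, date]) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


@dataclass
class Key:
    name: str
    publish: date   # DNSKEY appears in the zone: "announced but not yet valid"
    active: date    # first day it produces RRSIGs: "used for signing"
    inactive: date  # from this day on it no longer signs: "still valid but no longer used"
    remove: date    # DNSKEY withdrawn from the zone

    def state(self, when: date) -> Optional[str]:
        if when < self.publish or when >= self.remove:
            return None
        if when < self.active:
            return "announced"
        if when < self.inactive:
            return "signing"
        return "retired"


def zsk_schedule(start: Union[str, date], count: int, lifetime_days: int = 30,
                 prepublish_days: int = 7, retire_days: int = 7) -> List[Key]:
    """Key #1 starts signing at `start`; each successor is pre-published before it takes over."""
    start = _as_date(start)
    keys = []
    for i in range(count):
        active = start + timedelta(days=i * lifetime_days)
        publish = active if i == 0 else active - timedelta(days=prepublish_days)
        inactive = active + timedelta(days=lifetime_days)
        keys.append(Key(f"Key #{i + 1}", publish, active, inactive,
                        inactive + timedelta(days=retire_days)))
    return keys


def states_on(keys: List[Key], when: Union[str, date]) -> Dict[str, str]:
    """Which keys are in the zone on a given day, and in which state."""
    day = _as_date(when)
    return {k.name: s for k in keys if (s := k.state(day)) is not None}


def rollover_violations(keys: List[Key], min_prepublish_days: int = 7,
                        min_retire_days: int = 7) -> List[str]:
    """Check that caches never see a signature without the DNSKEY that made it."""
    problems = []
    for cur, nxt in zip(keys, keys[1:]):
        if nxt.active != cur.inactive:
            problems.append(f"{cur.name}->{nxt.name}: signing gap or double signing")
        lead = (nxt.active - nxt.publish).days
        if lead < min_prepublish_days:
            problems.append(f"{nxt.name}: announced only {lead} day(s) before use")
        tail = (cur.remove - cur.inactive).days
        if tail < min_retire_days:
            problems.append(f"{cur.name}: removed only {tail} day(s) after last use")
    return problems


# Constructed sample: four monthly ZSKs starting on 1 September 2009.
SAMPLE_SCHEDULE = zsk_schedule("2009-09-01", 4)
```

Querying `states_on(SAMPLE_SCHEDULE, "2009-09-27")` shows Key #1 signing with Key #2 already announced; a week after the first rollover Key #1 is retired but still published. Shrinking the pre-publish window below the cache lifetime is the classic rollover mistake, and `rollover_violations` reports it per key.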
Key management (2)
- Keys need to be stored securely: off-line, on a smart card, in a Hardware Security Module (HSM), ...
- Administrators need to plan for emergency key roll-over
- The parent has to be notified of new keys for a domain (this needs to be automated)
Future
DNSSEC usage over time (graph on the slide; the x-axis runs from the early 00's through 2009 into the future):
- research: initial phase, researchers realise DNS needs to be secured
- early adopters: current phase, early adopters are starting with DNSSEC, momentum is slowly gathering, standards mature
- commodity: adoption takes off, multiple TLDs start offering DNSSEC, default support in major operating systems, rapid growth of #signed zones
- latecomers: growth slows, latecomers are coming on-line
Criticism on DNSSEC
The Top-10 Reasons Why DNSSEC Is the String Theory of the Internet (Bert Hubert, PowerDNS)
10. Adds many new dimensions to an already complex problem
9. Hogs all the research funds
8. Has many careers riding on it
7. Widely hailed by expert and layman alike as the next big thing
6. Responds to shortcomings by reinventing itself and doubling its complexity
5. On its third iteration to success
4. Attracts the brightest minds of the industry
3. Cult-like following among believers
2. Always on the verge of solving a real world problem
1. Will be ready in 6 months!
- Even the critics agree that DNSSEC is the only available solution at the moment
- That doesn’t mean that DNSSEC is perfect… far from it
- DNSSEC is hard (especially compared to ‘ordinary’ DNS, which is very forgiving)
- The (un)availability of easy-to-use tools is hindering deployment of signed zones
DNSSEC software
- But there is light on the tool horizon:
  - OpenDNSSEC (www.opendnssec.org)
  - Secure64 DNS Signer
  - Xelerance DNSX Signer
  - ZKT (Zone Key Tool, www.hznet.de/dns/zkt)
  - PowerDNS + DNSSEC = PowerDNSSEC
  - Other vendors have announced products
- For resolvers it’s a different matter, tools are widely available:
  - Unbound (by NLnetLabs)
  - BIND 9.x and up
  - Windows Server announced (2008 R2, Server 7)
Alternatives (1)
- Continue patching against attacks (keep using traditional DNS)
  - This is an arms race
  - The race is already being lost! (remember the 6 weeks attack that Bert Hubert talked about yesterday)
- SSL/TLS
  - Too heavyweight to use on connections to DNS servers
  - Does not secure a domain against cache-poisoning; getting an SSL certificate is easy
Alternatives (2)
- TSIG/SIG(0)
  - TSIG is based on shared secrets (does not scale)
  - SIG(0) secures transactions (no authentication of records!)
- DNSCurve
  - Based on elliptic curve crypto
  - Can do much more than DNSSEC
  - Only proves authenticity online (forwarder based)
  - No widescale deployment/support
Alternatives (3)
- DNS 0x20
  - Based on using capitalisation to introduce extra entropy into a query
  - Capitalise parts of the query at random and check that the capitalisation in the answer matches the query
- Should be compatible with existing DNS infrastructure (RFC 4343)
- But depends on all name server software to implement literal query copying (most do)
- Criticism: it’s still an arms race
  - And it doesn’t protect ‘.’
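The 0x20 mechanism just described is small enough to show end to end. The following is an added example, not code from the talk or from any resolver: it randomises the case of a query name, counts the entropy that adds on top of the query ID and source port, and applies the resolver-side check that discards a reply whose echoed question does not match case for case. The query name is the one used in the slides; the echoed names fed to the check are constructed. The optional `random.Random` argument exists only to make the result reproducible; a resolver would use the `secrets` module path.

```python
"""DNS 0x20: randomised query-name case and the matching check on the answer.

Added example for this transcript, not code from the talk or from a resolver.
The query name comes from the slides; echoed names used below are constructed.
"""
import random
import secrets
from typing import Optional


def encode_0x20(qname: str, rng: Optional[random.Random] = None) -> str:
    """Flip each letter to upper or lower case at random; digits, hyphens and dots carry no case."""
    bit = rng.getrandbits if rng is not None else secrets.randbits
    return "".join((ch.upper() if bit(1) else ch.lower()) if ch.isalpha() else ch
                   for ch in qname)


def name_entropy_bits(qname: str) -> int:
    """One bit per ASCII letter: the only characters whose case can vary (RFC 4343)."""
    return sum(1 for ch in qname if ch.isalpha())


def spoof_search_space_bits(qname: str, qid_bits: int = 16, port_bits: int = 16) -> int:
    """Bits a forged reply has to guess: query ID, randomised source port, 0x20 case pattern.

    port_bits=0 models a resolver without source port randomisation, the
    pre-Kaminsky default the slides describe.
    """
    return qid_bits + port_bits + name_entropy_bits(qname)


def accept_answer(sent_qname: str, echoed_qname: str) -> bool:
    """Keep a reply only if the echoed question matches what was sent, case included."""
    return sent_qname == echoed_qname


def demo_query(seed: int = 2009) -> str:
    """Reproducible encoding of the slide's query name (constructed seed)."""
    return encode_0x20("www.piggybank.dom", random.Random(seed))
```

For `www.piggybank.dom` the name contributes 15 bits, so a resolver with 16-bit query IDs, 16 bits of port randomisation and 0x20 leaves 47 bits for a forger to match, against 31 without port randomisation. The caveat from the slide stands: the check is only sound if the authoritative server copies the question back literally, which is why a resolver deploying it has to fall back gracefully for servers that rewrite the case.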
Summary
- What does DNSSEC do for you?
  - You can prove the authenticity of the records in your domain
  - You can check the authenticity of the records of others
  - You effectively protect yourself against attacks like Kaminsky’s
What have we done?
- SURFnet’s resolvers perform DNSSEC validation:
What are we going to do?
- Extend our managed DNS service with DNSSEC support
- Testing DNSSEC appliances as they appear on the market
- Keep supporting OpenDNSSEC
- Give talks like this one :-)
What can you do?
- Gather knowledge on DNSSEC
  - SURFnet DNSSEC white paper (www.dnssec.nu)
  - Available at the end of this class
- Update/reconfigure your resolvers to support DNSSEC validation and experiment with it
- Work on an open source tool project!
  - Go to the OpenDNSSEC website and test the software
Questions?
Thank you for your attention!
Roland van Rijswijk
roland.vanrijswijk [at] surfnet.nl
Rick van Rein
rick [at] openfortress.nl
Presentation released under Creative Commons (http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)
Lab work
- You are going to perform the Kaminsky attack
- Install BIND as a resolver
- Download the code
IMPORTANT: The code is provided under embargo, please discard it after the lab work is done
- We’d like you to finish with a short presentation of your findings
URL
- http://dnssec1.students.os3.nl/DNSspoof.tgz