
Page 1: DNS/DNSSEC - wiki.apnictraining.net · ¤Be aware whether DNSSEC is enabled in your servers ¤Be aware of how trust is evaluated in your operations ¤Test/verify your set ups ¤Inspect

| 1

Champika Wijayatunga
Regional Security Engagement Manager – Asia Pacific
<[email protected]>

11 Sep 2017

DNS/DNSSEC
APNIC44 – Taichung, Taiwan


| 2

Domain Name System (DNS)

TLDs gTLDs ccTLDs IDNs


| 3

Root Server Operation


| 4

How Secure are the Root Servers?

• Physically protected
• Tested operational procedures
• Experienced, professional, trusted staff
• Defense against major operational threat, i.e. DDoS
  – Anycast
    • Setting up identical copies of existing servers
    • Same IP address
    • Exactly the same data
    • Standard Internet routing will bring the queries to the nearest server
    • Provides better service to more users


| 5

DNS Servers

• Root Servers
• DNS Authoritative
  – Primary / Master
  – Secondary / Slaves
• DNS Resolver
  – Recursive
  – Cache
  – Stub resolver


| 6

Who’s who in the DNS Ecosystem?


| 7

Domain Name Registration

How to register a domain:
• Choose a string, e.g., example
• Visit a registrar to check string availability in a TLD
• Pay a fee to register the name
• Submit registration information
• Registrar and registries manage:
  – “string” + TLD (managed in registry DB)
  – Contacts, DNS (managed in Whois)
  – DNS, status (managed in Whois DBs)
  – Payment information


| 8

Registration Data Directory Services

• Domain Whois
  – Sponsoring Registrar
  – Domain Name Servers
  – Domain Status
  – Creation/Expiry dates
  – Point of Contact
  – DNSSEC data
• Address Whois
  – Regional Internet Registry
  – IPv4/v6 address allocation
  – ASN allocation
  – Creation/Expiry dates
  – Point of Contact

WHOIS: databases containing records of registrations


| 9

WHOIS Inaccuracy Complaint

Filing Tips:
• Respond to ICANN requests for more information within the requested time frame.
• If you think the contact email address for the domain is incorrect, give evidence that emails you sent to the email address were undeliverable.
• Make sure your complaint is valid – e.g., a contact telephone doesn’t need to be in the same geographic location as the mailing address.


| 10

What is DNS zone data?

• DNS zone data are hosted at an authoritative name server
• Each “cut” has zone data (root, TLD, delegations)
• DNS zones contain resource records that describe
  • name servers,
  • IP addresses,
  • hosts,
  • services,
  • cryptographic keys & signatures…

Only US-ASCII letters, digits, and hyphens can be used in zone data names.
In a zone, IDN strings begin with XN--


| 11

How DNS Works


| 12

DNS: Data Flow

(Figure: the DNS data flow. Elements shown: zone administrator, zone file, dynamic updates, primary, secondaries, caching servers and resolvers, with the flows between them numbered 1 to 5.)


| 13

DNS Vulnerabilities

(Figure: the same data-flow diagram, annotated with where each threat applies. Threats labelled: corrupting data, impersonating master, unauthorized updates, cache impersonation, cache pollution by data spoofing, altered zone data. The diagram divides the countermeasures into server protection and data protection.)


| 14

The Bad

• Cache Poisoning Attacks
  – Vulnerable resolvers add malicious data to local caches
• DNS Hijacking
  – A man in the middle (MITM) or spoofing attack forwards DNS queries to a name server that returns forged responses
  • E.g. DNSChanger
    – One of the biggest cybercriminal takedowns in history
  • And many other DNS hijacks in recent times
• SSL / TLS doesn't tell you if you've been sent to the correct site; it only tells you if the DNS name matches the name in the certificate.
• DNS is relied on for unexpected things even though it is insecure.


| 15

Securing DNS

• There are two aspects when considering DNS security
  – Server protection
  – Data protection
• Server protection
  – Protecting servers
    • Make sure your DNS servers are protected (i.e. physical security, latest DNS server software, proper security policies, server redundancies etc.)
  – Protecting server transactions
    • Deployment of TSIG, ACLs etc. (to secure transactions against server impersonation, secure zone transfers, unauthorized updates etc.)
• Data protection
  – Authenticity and integrity of data
    • Deployment of DNSSEC (protect DNS data against cache poisoning, cache impersonation, spoofing etc.)


| 16

Name Server Considerations

• Support technical standards
• Handle load multiple times the measured peak
• Diverse bandwidth to support the above
• Must answer authoritatively
• Turn off recursion!
• Should NOT block access from valid Internet hosts
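Slide 15 names TSIG and ACLs as the way to protect server transactions (zone transfers, dynamic updates), and this slide says to turn recursion off on authoritative servers. As an added example, not configuration taken from the slides, the BIND 9 named.conf fragments below put the weak settings next to the hardened ones. The zone name, the addresses (RFC 5737 and RFC 3849 documentation ranges) and the key names are assumptions; the secret is a placeholder to be generated with tsig-keygen.

```conf
// Added example (not from the APNIC/ICANN slides): BIND 9 named.conf fragments.
// Zone name, addresses and key names are assumed; the secret is a placeholder.

// --- Weak: recursion left on, transfers and updates open to anyone ---
options {
    recursion yes;             // authoritative server acting as an open resolver
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };   // anyone can pull the whole zone (AXFR)
    allow-update { any; };     // anyone can change zone data (unauthorized updates)
};

// --- Hardened: authoritative only, transactions protected by TSIG and ACLs ---
key "xfer-key" {               // shared with the secondaries only
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen>";   // placeholder
};
key "update-key" {             // shared with the dynamic-update client only
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen>";   // placeholder
};

options {
    recursion no;              // answer authoritatively only; no recursion for anyone
    allow-query { any; };      // do not block valid Internet hosts
    allow-transfer { none; };  // default deny; grant per zone below
    allow-update { none; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key xfer-key; };    // secondaries must TSIG-sign AXFR/IXFR requests
    allow-update { key update-key; };    // dynamic updates must be TSIG-signed
    also-notify { 192.0.2.53; 2001:db8::53; };   // assumed secondary addresses
};
```

On the secondary, the same "xfer-key" is declared and attached to the primary with a `server 192.0.2.1 { keys { xfer-key; }; };` statement so its transfer requests are signed; a `server` address that is not in the primary's key ACL simply gets REFUSED, which is the behaviour to check for after the change.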


| 17

Secondary Name Server Choice

Diversity, Diversity and Diversity!

• Don’t place all on the same LAN/building/segment
• Network diversity
• Geographical diversity
• Institutional diversity
• Software and hardware diversity


| 18

When It All Goes Wrong

• DNS is a known target for hackers.

• You will be targeted at some point!

• Have plans in place to deal with attacks, failures and disasters.

• Test those plans regularly!


| 19

DNSSEC


| 20

How DNSSEC Works


| 21

DNSSEC ccTLD Map


| 22

DNSSEC Deployment


| 23

DNSSEC: So what’s the problem?

• Not enough IT departments know about it or are too busy putting out other security fires.

• When they do look into it they hear old stories of FUD and lack of turnkey solutions.

• Registrars*/DNS providers see no demand leading to “chicken-and-egg” problems.

*but required by new ICANN registrar agreement


| 24

What you can do

• For Companies:
  – Sign your corporate domain names
  – Just turn on validation on corporate DNS resolvers
• For Users:
  – Ask your ISP to turn on validation on their DNS resolvers
• For All:
  – Take advantage of DNSSEC education and training


| 25

2017 Root Zone DNSSEC KSK Rollover


| 26

The Root Zone DNSSEC KSK

¤ The Root Zone DNSSEC Key Signing Key (“KSK”) is the topmost cryptographic key in the DNSSEC hierarchy
¤ The public portion of the KSK is a configuration parameter in DNSSEC-validating resolvers


| 27

Rollover of the Root Zone DNSSEC KSK

¤ There has been one functional, operational Root Zone DNSSEC KSK
  – Called "KSK-2010"
  – Since 2010, nothing before that
¤ A new KSK will be put into production later this year
  – Call it "KSK-2017"
  – An orderly succession for continued smooth operations
¤ Operators of DNSSEC recursive servers may have some work
  – As little as reviewing configurations
  – As much as installing KSK-2017


| 28

Important Milestones

Event                                     Date
Creation of KSK-2017                      October 27, 2016
Production Qualified                      February 2, 2017
Out-of-DNS-band Publication               July 11, 2017
In-band (Automated Updates) Publication   July 11, 2017 and onwards
Sign (Production Use)                     October 11, 2017 and onwards
Revoke KSK-2010                           January 11, 2018
Remove KSK-2010 from systems              August 2018


| 29

Call to Action

¤ All the work is for operators, developers and distributors of software that performs DNSSEC validation – keep reading/listening!
¤ What if you’re not one of them? What if you’re an Internet user?
  – Be aware that the root KSK rollover is happening on 11 October 2017
  – Do you know a DNS operator, software developer or software distributor?
  – Ask them if they know about the root KSK rollover and if they’re ready
  – Direct them to ICANN’s educational and information resources


| 30

What does an operator need to do?

¤ Be aware whether DNSSEC is enabled in your servers
¤ Be aware of how trust is evaluated in your operations
¤ Test/verify your set-ups
¤ Inspect configuration files: are they (also) up to date?
¤ If DNSSEC validation is enabled or planned in your system
  – Have a plan for participating in the KSK rollover
  – Know the dates, know the symptoms, know the solutions


| 31

Three Steps to Recovery

1. Stop the tickets! It's OK to turn off DNSSEC validation while you fix (but do turn it back on!)

2. Debug. If the problem is the trust anchor, find out why it isn't correct

¤ Did RFC 5011 fail? Did configuration tools fail to update the key?

¤ If the problem is fragmentation related, make sure TCP is enabled and/or make other transport adjustments

3. Test the recovery. Make sure your fixes take hold
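Slide 30 asks operators to inspect whether their configured trust anchor is up to date, and step 2 above says that when validation breaks because of the trust anchor, find out why it isn't correct. The script below is an added example, not part of the slides and not ICANN's get_trust_anchor.py: it computes the RFC 4034 key tag and the DS digest of a DNSKEY record and compares them with a DS-style trust anchor copied from a resolver configuration, which is the check an operator runs to see whether the anchor on disk is the key the root zone is actually using. The DNSKEY and anchor values in it are constructed samples, not the real root KSK, and all function names are mine.

```python
"""Check a resolver's configured root trust anchor against a published DNSKEY.

Added example (not from the APNIC/ICANN slides, not ICANN's get_trust_anchor.py).
Key material below is constructed for illustration and is NOT the real root KSK.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on key-signing keys (flags 257)


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name; the root '.' is a single zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.lower().encode("ascii") for lbl in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: DNSKEY, digest_type: int = 2) -> str:
    """DS digest over owner-name wire form + DNSKEY RDATA (1 = SHA-1, 2 = SHA-256 per RFC 4509)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(key.owner) + key.rdata).hexdigest().upper()


def parse_dnskey_rr(line: str) -> DNSKEY:
    """Parse presentation format: '<owner> [TTL] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1 : idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4 :]))
    return DNSKEY(tokens[0], flags, proto, alg, pubkey)


def trust_anchor_matches(configured_ds: str, published: DNSKEY) -> bool:
    """True if a DS-style anchor '<tag> <alg> <dtype> <digest>' describes the published KSK.

    A mismatch on a root-zone KSK means the configured anchor is stale (or the
    DNSKEY you fetched is not the one the anchor was made from)."""
    tag, alg, dtype, digest = configured_ds.split(maxsplit=3)
    return (
        int(tag) == key_tag(published)
        and int(alg) == published.algorithm
        and digest.replace(" ", "").upper() == ds_digest(published, int(dtype))
    )


# Constructed sample DNSKEY (NOT the real root KSK): flags 257 = KSK, algorithm 8 = RSASHA256.
SAMPLE_ROOT_DNSKEY = ". 172800 IN DNSKEY 257 3 8 AwEAAavN7xI="


if __name__ == "__main__":
    published = parse_dnskey_rr(SAMPLE_ROOT_DNSKEY)
    print("published KSK tag:", key_tag(published), "KSK bit set:", published.is_ksk)
    # Constructed anchors: one made from the sample key, one left over from an older key.
    current_anchor = f"{key_tag(published)} 8 2 {ds_digest(published)}"
    stale_anchor = "11111 8 2 " + "0" * 64   # placeholder digest, not a real key
    for label, anchor in (("current", current_anchor), ("stale", stale_anchor)):
        status = "OK" if trust_anchor_matches(anchor, published) else "STALE - update it"
        print(f"{label} anchor: {status}")
```

In practice the published DNSKEY comes from a query for the root's DNSKEY RRset and the anchor from the resolver's trust-anchor file; if the two disagree after the rollover date, step 2's questions apply: either RFC 5011 automated updates did not run, or the tooling that writes the configuration did not pick up the new key.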


| 32

Tools and Resources Provided by ICANN

¤ A python-language script to retrieve KSK-2010 and KSK-2017
  – get_trust_anchor.py
¤ An Automated Updates testbed for production (test) servers
  – https://automated-ksk-test.research.icann.org
¤ Documentation
  – https://www.icann.org/resources/pages/ksk-rollover


| 33

When Does the Rollover Take Place?

The KSK rollover is a process, not a single event

The following dates are key milestones in the process when end users may experience interruption in Internet services:


| 34

What Do Operators Need to Do?

Be aware whether DNSSEC is enabled in your servers
Be aware of how trust is evaluated in your operations
Test/verify your set-ups
Inspect configuration files: are they (also) up to date?
If DNSSEC validation is enabled or planned in your system
  o Have a plan for participating in the KSK rollover
  o Know the dates, know the symptoms, know the solutions


| 35

Engage with ICANN

Visit us at icann.org

Thank You and Questions

Email: [email protected]

flickr.com/icann

linkedin/company/icann

@icann

facebook.com/icannorg

youtube.com/icannnews

soundcloud/icann

slideshare/icannpresentations