ION San Diego - DNSSEC Deployment Panel Introductory Slides
Post on 15-May-2015
Description: Dan York's introductory slides from the "DNSSEC Deployment: From End-Customer to Content" panel at ION San Diego on 11 December 2012.
1. DNSSEC Deployment: From End-Customer to Content. ION San Diego, December 11, 2012. www.internetsociety.org/deploy360/
2. Our Panel Today
   - Moderator: Dan York, Internet Society
   - Panelists: Jim Galvin, Afilias; Rick Lamb, ICANN; Cricket Liu, Infoblox; Roland M. van Rijswijk-Deij, SURFnet
3. Internet Society Deploy360 Programme
   - Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies: case studies, tutorials, videos, whitepapers, news and information
   - English content initially, but it will be translated into other languages
4. What Problem Is DNSSEC Trying To Solve?
   - DNSSEC = "DNS Security Extensions", defined in RFCs 4033, 4034 and 4035; operational practices in RFC 4641
   - Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user
   - Let's walk through an example to explain
5. A Normal DNS Interaction (diagram: the web browser, asked for https://example.com/, sends "example.com?" to its DNS resolver; the resolver checks its local cache and, if it has the answer, sends it back (example.com = 10.1.1.123); if not, see the next slide)
6. A Normal DNS Interaction (diagram: the resolver asks the root DNS server, which refers it to the .com NS; .com refers it to the example.com NS; the example.com DNS server answers 10.1.1.123, which the resolver returns to the browser; the browser then fetches the web page)
7. DNS Works On Speed
   - The first result received by a DNS resolver is treated as the correct answer
   - The opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: getting to the correct point in the network to provide faster responses; or blocking the responses from the legitimate servers (e.g. executing a Denial of Service attack against the legitimate servers to slow their responses)
8. Attacking DNS (diagram: as slide 6, but an attacking DNS server for example.com answers the resolver first with 192.168.2.2, ahead of the legitimate example.com server's 10.1.1.123; the browser is sent to 192.168.2.2)
9. A Poisoned Cache (diagram: the resolver cache now has wrong data, example.com = 192.168.2.2, and answers the browser from it; this stays in the cache until the Time-To-Live (TTL) expires!)
10. How Does DNSSEC Help?
   - DNSSEC introduces new DNS records for a domain: RRSIG, a signature ("hash") of a set of DNS records; DNSKEY, a public key that a resolver can use to validate the RRSIG
   - A DNSSEC-validating DNS resolver uses the DNSKEY to perform a hash calculation on the received DNS records and compares the result with the RRSIG records
   - If the results match, the records are the same as those transmitted; if the results do NOT match, they were potentially changed during travel from the DNS server
11. A DNSSEC Interaction (diagram: as slide 6, but the example.com DNS server returns DNSKEY and RRSIG records along with 10.1.1.123)
12. But Can DNSSEC Be Spoofed?
   - But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed?
   - An additional record was introduced, the "Delegation Signer (DS)" record: a fingerprint of the DNSKEY record that is sent to the TLD registry
   - Provides a global "chain of trust" from the root of DNS down to the domain; attackers would have to compromise the registry
13. A DNSSEC Interaction (diagram: as slide 11, with DS records added: the root holds the DS for .com and .com holds the DS for example.com)
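Slides 12 and 13 describe the DS record as a fingerprint of the DNSKEY that the parent zone publishes. The following is an added example, not code from the slides, showing how a validating resolver recomputes that fingerprint per RFC 4034 from the DNSKEY it received and rejects a substituted key; the key material, owner name and DS values are constructed samples, and only DS digest type 2 (SHA-256) is handled.

```python
# Added example (not from the slides): the "chain of trust" check behind slides 12-13.
# The parent zone publishes a DS record, a digest of the child's DNSKEY (RFC 4034 5.1.4);
# a validating resolver recomputes it from the DNSKEY it received and distrusts a mismatch.
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed, lowercased labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as sent on the wire (RFC 4034 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B); the DS and RRSIG records name the key by it."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA), as lowercase hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(owner: str, rdata: bytes, parent_ds: dict) -> bool:
    """The resolver's check: rebuild the DS from the DNSKEY actually received and compare
    every field with the DS obtained (and itself validated) from the parent zone."""
    expected = {"key_tag": key_tag(rdata), "algorithm": rdata[3],
                "digest_type": 2, "digest": ds_digest(owner, rdata)}
    received = dict(parent_ds, digest=parent_ds["digest"].lower())
    return all(received.get(k) == v for k, v in expected.items())

# Constructed sample key (not a real key): KSK flags 257, protocol 3, algorithm 8 (RSA/SHA-256).
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
# The DS record the registry would publish for it in the .com zone (slide 19: "sends DS").
PUBLISHED_DS = {"key_tag": key_tag(SAMPLE_KEY), "algorithm": 8, "digest_type": 2,
                "digest": ds_digest("example.com.", SAMPLE_KEY)}
# A DNSKEY an attacker substitutes (slide 15): same flags and algorithm, other key material.
SPOOFED_KEY = dnskey_rdata(257, 3, 8, bytes([9, 9, 9, 9]))
# ds_matches("example.com.", SAMPLE_KEY, PUBLISHED_DS)  -> True
# ds_matches("example.com.", SPOOFED_KEY, PUBLISHED_DS) -> False: the resolver answers SERVFAIL
```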
14. The Global Chain of Trust (diagram: same as slide 13)
15. Attempting to Spoof DNS (diagram: as slide 8, but the attacking DNS server for example.com returns 192.168.2.2 together with its own DNSKEY and RRSIGs, while the legitimate server returns 10.1.1.123 with DNSKEY and RRSIGs)
16. Attempting to Spoof DNS (diagram: as slide 15; the validating resolver returns SERVFAIL to the browser)
17. What DNSSEC Proves
   - "These ARE the IP addresses you are looking for." (or they are not)
   - Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user
18. The Two Parts of DNSSEC
   - Signing: registries, registrars, DNS hosting
   - Validating: applications, enterprises, ISPs
19. DNSSEC Signing: The Individual Steps
   - TLD Registry: signs; accepts DS records; publishes/signs records
   - Registrar: accepts DS records; sends DS to registry; provides UI for management
   - DNS Hosting Provider: signs zones; publishes all records; provides UI for management
   - Domain Name Registrant: enables DNSSEC (unless automatic)
20. Our Panel Today (repeat of slide 2)
21. DNSSEC and SSL
22. Why Do I Need DNSSEC If I Have SSL?
   - A common question: why do I need DNSSEC if I already have an SSL certificate? (or an "EV-SSL" certificate?)
   - SSL (more formally known today as Transport Layer Security (TLS)) solves a different issue: it provides encryption and protection of the communication between the browser and the web server
23. The Typical TLS (SSL) Web Interaction (diagram: the browser resolves example.com through its DNS resolver and the root, .com and example.com DNS servers to 10.1.1.123, then requests https://example.com/ and receives a TLS-encrypted web page)
24. The Typical TLS (SSL) Web Interaction (diagram: as slide 23, asking "Is this encrypted with the CORRECT certificate?")
25. What About This? (diagram: a firewall (or attacker) sits between the browser and the web server for www.example.com; the server returns a TLS-encrypted web page with the CORRECT certificate to the firewall, which hands the browser a TLS-encrypted web page with a NEW certificate, re-signed by the firewall)
26. Problems? (diagram: same as slide 25)
27. Problems? (diagram: as slide 25, adding that the firewall can pass the content on to log files or other servers, potentially including personal information)
28. Issues
   - A Certificate Authority (CA) can sign ANY domain
   - There are now over 1,500 CAs; there have been compromises where valid certs were issued for domains
   - Middle-boxes such as firewalls can re-sign sessions
29. A Powerful Combination
   - TLS = encryption + limited integrity protection
   - DNSSEC = strong integrity protection
   - How to get encryption + strong integrity protection? TLS + DNSSEC = DANE
30. DNS-Based Authentication of Named Entities (DANE)
   - Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
   - A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC
   - A browser that understands DNSSEC and DANE will then know when the required certificate is NOT being used
   - The certificate stored in DNS is controlled by the domain name holder; it could be a certificate signed by a CA or a self-signed certificate
31. DANE (diagram: as slide 25, but the DNS answer for example.com (10.1.1.123) also carries DNSKEY, RRSIG and TLSA records; the DANE-equipped browser compares the TLS certificate with what DNS / DNSSEC says it should be)
32. DANE: Not Just For The Web
   - DANE defines a protocol for storing TLS certificates in DNS
   - Securing Web transactions is the obvious use case
   - Other uses also possible: email via S/MIME; VoIP; Jabber/XMPP; ?
33. DANE Resources
   - DANE Overview and Resources: http://www.internetsociety.org/deploy360/resources/dane/
   - IETF Journal article explaining DANE: http://bit.ly/dane-dnssec
   - RFC 6394, DANE Use Cases: http://tools.ietf.org/html/rfc6394
   - RFC 6698, DANE Protocol: http://tools.ietf.org/html/rfc6698
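The comparison a DANE-equipped browser makes in slide 31, as an added example that is not part of the slides: it parses a TLSA record (RFC 6698) and checks the certificate a server presented against it. The two certificate byte strings and the TLSA record are constructed samples, only certificate usage 3 with selector 0 is handled, and DNSSEC validation of the TLSA RRset is assumed to have already happened.

```python
# Added example (not from the slides): the comparison a DANE-aware client makes on slide 31.
# A TLSA record (RFC 6698) at _443._tcp.<name> says which certificate the domain holder
# expects; the client hashes the certificate the server presented and compares.  A session
# re-signed by a middle-box (slides 25-27) presents a different certificate, so it fails.
import hashlib

DANE_EE = 3          # certificate usage 3: match the end-entity certificate itself
SEL_FULL_CERT = 0    # selector 0: the whole DER-encoded certificate
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2   # matching types

def parse_tlsa(rr: str) -> dict:
    """Parse presentation form, e.g. '_443._tcp.example.com. IN TLSA 3 0 1 <hex>'."""
    fields = rr.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    # Zone files may split the hex data into several whitespace-separated chunks.
    data = bytes.fromhex("".join(fields[i + 4:]))
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": data}

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """What the record's data field must hold for this certificate."""
    if selector != SEL_FULL_CERT:
        # Selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing; not shown here.
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    if mtype == MATCH_EXACT:
        return cert_der
    if mtype == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type")

def tlsa_accepts(tlsa: dict, presented_cert_der: bytes) -> bool:
    """DANE-EE check; assumes the TLSA RRset was already DNSSEC-validated (slide 31)."""
    if tlsa["usage"] != DANE_EE:
        raise NotImplementedError("only usage 3 (DANE-EE) is handled")
    return association_data(presented_cert_der, tlsa["selector"], tlsa["mtype"]) == tlsa["data"]

# Constructed stand-ins for DER certificates (real ones are ASN.1; the hash does not care).
GENUINE_CERT = b"CONSTRUCTED-CERT example.com signed by a CA"
RESIGNED_CERT = b"CONSTRUCTED-CERT example.com re-signed by the firewall"
# TLSA record the domain holder publishes for GENUINE_CERT: usage 3, selector 0, SHA-256.
TLSA_RR = "_443._tcp.example.com. IN TLSA 3 0 1 " + hashlib.sha256(GENUINE_CERT).hexdigest()
# tlsa_accepts(parse_tlsa(TLSA_RR), GENUINE_CERT)  -> True
# tlsa_accepts(parse_tlsa(TLSA_RR), RESIGNED_CERT) -> False: the browser knows the wrong cert is in use
```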
34. How Do We Get DANE Deployed?
   - Developers: add DANE support into applications (see list of libraries)
   - DNS Hosting Providers: provide a way for customers to enter a TLSA record into DNS as defined in RFC 6698 (http://tools.ietf.org/html/rfc6698). This will start getting TLS certificates into DNS so that when browsers support DANE they will be able to use them. [More tools are needed to help create TLSA records, e.g. hashslinger]
   - Network Operators / Enterprises / Governments: start talking about the need for DANE; express the desire for DANE to app vendors (especially browsers)
35. Opportunities
   - DANE is just one example of new opportunities brought about by DNSSEC
   - Developers and others are already exploring new ideas
36. Getting DNSSEC Deployed
37. Three Steps TLD Operators Can Take
   1. Sign your TLD! Tools and services are available to help automate the process
   2. Accept DS records. Make it as easy as possible (and accept multiple records)
   3. Work with your registrars. Help them make it easy for DNS hosting providers and registrants
   4. Help with statistics. Can you help by providing statistics?
   - Implement DNSSEC and make your TLD more secure!
38. Three Requests For Network Operators
   1. Deploy DNSSEC-validating DNS resolvers
   2. Sign your own domains where possible
   3. Help promote support of the DANE protocol: allow usage of the TLSA record; let browser vendors and others know you want to use DANE; help raise awareness of how DANE and DNSSEC can make the Internet more secure
39. Internet Society Deploy360 Programme
   - Can you help us with: case studies? tutorials? videos?
   - How can we help you?
40. Dan York, CISSP, Senior Content Strategist, Internet Society. firstname.lastname@example.org. www.internetsociety.org/deploy360/. Thank You!
41. Download A DNSSEC Whitepaper: "Challenges and Opportunities in Deploying DNSSEC", http://bit.ly/isoc-satin2012