ION Bucharest - Deploying DNSSEC

Internet Society © 1992–2016
The role of the Internet Society
(this report describes the timeline of activities of the Internet Society from the submission of the proposal to NTIA in
March 2016 until September 30, 2016)
The IANA Stewardship Transition
Kathy Brown
President & CEO
October 6, 2016
Presentation title – Client name 1

Internet Society © 1992–2016
ION Bucharest
October 12, 2016
Dan York, CISSP
DNSSEC Program Manager – york@isoc.org
Deploying DNSSEC
2

Trusted Internet
3
Trust in privacy of information (ex. encryption)
Trust in online identity systems (ex. Kantara)
Trust in network communication (ex. TLS, DANE)
Trust in Internet identifiers (ex. DNSSEC)
Trust in the Internet’s core infrastructure (ex. MANRS)
Trust in cryptography (ex. Cryptech)

https://www.flickr.com/photos/powerbooktrance/466709245/ CC BY

Email Hijacking
CERT-CC researchers have identified that someone was hijacking email by
using DNS cache poisoning of MX records
Could be prevented by DNSSEC deployment
CERT-CC (Sept 10, 2014):
— https://www.cert.org/blogs/certcc/post.cfm?EntryID=206
Deploy360 blog post (Sept 12, 2014):
— http://wp.me/p4eijv-5jI

What Problem Is DNSSEC Trying To Solve?
DNSSEC = "DNS Security Extensions"
• Defined in RFCs 4033, 4034, 4035
• Operational Practices: RFC 4641
Ensures that the information entered into DNS by the domain name holder is the
SAME information retrieved from DNS by an end user.
Let's walk through an example to explain…
6

A Normal DNS Interaction
7
Web
Server
Web
Browser
https://example.com/
web page
DNS
Resolver
example.com?
1
2
3
4
10.1.1.123
Resolver checks its local cache. If it has the
answer, it sends it back.
example.com 10.1.1.123
If not…

A Normal DNS Interaction
8
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
10.1.1.123
4
example.com
NS
.com
NS
example.com?

DNS Works On Speed
First result received by a DNS resolver is treated as the correct answer.
Opportunity is there for an attacker to be the first one to get an answer to the
DNS resolver, either by:
Getting to the correct point in the network to provide faster responses;
Blocking the responses from the legitimate servers (ex. executing a Denial of
Service attack against the legitimate servers to slow their responses)
9

Attacking DNS
10
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
192.168.2.2
4
Attacking
DNS Svr
example.com
192.168.2.2
example.com
NS
.com
NS
example.com?

A Poisoned Cache
11
Web
Server
Web
Browser
web page
DNS
Resolver
1
2
3
4
192.168.2.2
Resolver cache now has wrong data:
example.com 192.168.2.2
This stays in the cache until the
Time-To-Live (TTL) expires!
example.com?

How Does DNSSEC Help?
DNSSEC introduces new DNS records for a domain:
• RRSIG – a signature ("hash") of a set of DNS records
• DNSKEY – a public key that a resolver can use to validate RRSIG
A DNSSEC-validating DNS resolver:
Uses DNSKEY to perform a hash calculation on received DNS records
Compares result with RRSIG records. If results match, records are the same as
those transmitted. If the results do NOT match, they were potentially changed
during the travel from the DNS server.
12

A DNSSEC Interaction
13
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
DNSKEY
RRSIGs
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
10.1.1.123
4
example.com?

A DNSSEC Interaction
14
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
DNSKEY
RRSIGs
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
10.1.1.123
4
example.com
NS
DS
.com
NS
DS
example.com?

The Global Chain of Trust
15
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
DNSKEY
RRSIGs
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
10.1.1.123
4
example.com
NS
DS
.com
NS
DS
example.com?

Attempting to Spoof DNS
16
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
DNSKEY
RRSIGs
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
Attacking
DNS Svr
example.com
192.168.2.2
DNSKEY
RRSIGs
example.com
NS
DS
.com
NS
DS
example.com?

Attempting to Spoof DNS
17
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
DNSKEY
RRSIGs
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
SERVFAIL
4
Attacking
DNS Svr
example.com
192.168.2.2
DNSKEY
RRSIGs
example.com
NS
DS
.com
NS
DS
example.com?

What DNSSEC Proves:
• "These ARE the IP addresses you are looking for."
(or they are not)
• Ensures that information entered into DNS by the domain name holder (or the
operator of the DNS hosting service for the domain) is the SAME information
that is received by the end user.
18
10/12/2016

The Two Parts of DNSSEC
19
Signing Validating
ISPs
Enterprises
Applications
DNS
Hosting
Registrars
Registries

What DNSSEC Proves:
• "These ARE the IP addresses you are looking for."
(or they are not)
• Ensures that information entered into DNS by the domain name holder (or the
operator of the DNS hosting service for the domain) is the SAME information
that is received by the end user.
20
10/12/2016

DNSSEC Validation – Current State
• About 15% of all global DNS queries validated
• ~20% of all European DNS queries validated
• All major DNS resolvers support DNSSEC
validation – often with a simple config change
21
http://stats.labs.apnic.net/dnssec

DNSSEC Validation – Romania
22http://stats.labs.apnic.net/dnssec

DNSSEC Validation – Romania
23http://stats.labs.apnic.net/dnssec

DNSSEC Signing - The Individual Steps
24
Registry
Registrar
DNS Operator
(or ”DNS Hosting Provider”)
Domain Name
Registrant
• Signs TLD
• Accepts DS records
• Publishes/signs records
• Accepts DS records
• Sends DS to registry
• Provides UI for mgmt
• Signs zones
• Publishes all records
• Provides UI for mgmt
• Enables DNSSEC
(unless automatic)

DNSSEC Signing – Current State
• Most TLDs now signed
• including “new gTLDs”
• Common DNS servers all
support DNSSEC
• Second-level domain support
ranges from 100% in .BANK
and 89% in .GOV
down to < 1% in .COM
• Still small % overall.
25
https://www.internetsociety.org/deploy360/d
nssec/maps/

DNSSEC Signing – Second-level domains
26https://rick.eng.br/dnssecstat/

Why Do I Need DNSSEC If I Have TLS?
• A common question:
why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL"
certificate?)
• Transport Layer Security (TLS), sometimes called by its older name of “SSL”,
solves a different issue – it provides encryption and protection of the
communication between the browser and the web server
28

The Typical TLS Web Interaction
Web
Server
Web
Browser
TLS-encrypted
web page
DNS
Resolver
example.com?
10.1.1.1231
2
5
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
10.1.1.123
4

The Typical TLS Web Interaction
Web
Server
Web
Browser
TLS-encrypted
web page
DNS
Resolver
10.1.1.1231
2
5
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
10.1.1.123
4
Is this encrypted with
the CORRECT
certificate?
example.com?

What About This?
31
Web
Server
Web
Browser
https://www.example.com/
TLS-encrypted web page
with CORRECT certificate
DNS
Server
www.example.com?
1.2.3.4
1
2
Firewall
(or
attacker)
with NEW certificate
(re-signed by firewall)

Problems?
32
Web
Server
Web
Browser
DNS
Server
www.example.com?
1.2.3.4
1
2
Firewall

Problems?
33
Web
Server
Web
Browser
DNS
Server
www.example.com?
1.2.3.4
1
2
Firewall
Log files
or other
servers
Potentially including
personal information

Issues
• A Certificate Authority (CA) can sign ANY domain.
• Now over 1,500 CAs – there have been compromises where valid certs were
issued for domains.
• Middle-boxes such as firewalls can re-sign sessions.
34

DNS-Based Authentication of Named Entities (DANE)
Q: How do you know if the TLS (SSL) certificate is the correct one the site wants
you to use?
A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them
with DNSSEC.
An application that understand DNSSEC and DANE will then know when the
required certificate is NOT being used.
Certificate stored in DNS is controlled by the domain name holder. It could be a
certificate signed by a CA – or a self-signed certificate.
35

A Powerful Combination
• TLS = encryption + limited integrity protection
• DNSSEC = strong integrity protection
• How to get encryption + strong integrity protection?
• TLS + DNSSEC = DANE
36

DANE
37
Web
Server
Web
Browser
w/DANE
DNS
Server
10.1.1.123
DNSKEY
RRSIGs
TLSA
1
2Firewall
(or
attacker)
(re-signed by firewall)Log files
or other
servers DANE-equipped browser
compares TLS certificate
with what DNS / DNSSEC
says it should be.
example.com?

DANE Success – Not Just For The Web
SMTP
1000+ SMTP servers with TLSA records
http://dane.sys4.de/ - testing service
XMPP (Jabber)
400+ servers
client-to-server & server-to-server
https://xmpp.net/reports.php#dnssecdane
38

DANE Resources
DANE Overview and Resources:
http://www.internetsociety.org/deploy360/resources/dane/
IETF Journal article explaining DANE:
http://bit.ly/dane-dnssec
RFC 6394 - DANE Use Cases:
http://tools.ietf.org/html/rfc6394
RFC 6698 – DANE Protocol:
http://tools.ietf.org/html/rfc6698
39

DNS Privacy
• Issue - Queries from local DNS “stub resolver” (in PC, laptop, smartphone) to
local DNS resolver are sent in clear
• Surveillance of those queries can be revealing
• Solution – Encrypt the connection

DNS Privacy
42
Web
Server
Web
Browser
web page
DNS
Resolver
10.1.1.123
1
25
6
DNS Svr
example.com
DNS Svr
.com
DNS Svr
root
3
10.1.1.123
4
example.com
NS
.com
NS
example.com?

DNS Privacy – Work Underway Now
• IETF “DPRIVE” Working Group
• New standards emerging– DNS queries over TLS
• Expect to see implementations in software and operating systems in the future

Business Reasons For Deploying DNSSEC
• TRUST – You can be sure your customers are reaching your sites – and that
you are communicating with their servers.
• SECURITY – You can be sure you are communicating with the correct sites
and not sharing business information with attackers, ex. email hijacking.
• INNOVATION – Services such as DANE built on top of DNSSEC enable
innovative uses of TLS certificates.
• CONFIDENTIALITY – DANE enables easier use of encryption for applications
and services that communicate across the Internet.
44

Three Requests For Attendees
1. Deploy DNSSEC validation (or ask your IT team / network operator)
1. Sign your domains
• Work with your registrar and/or DNS hosting provider to make this
happen.
2. Help promote support of DANE protocol
• Let browser vendors and others know you want to use DANE. If you use
SSL, deploy a TLSA record if you are able to do so. Help raise
awareness of how DANE and DNSSEC can make the Internet more
secure.

Visit us at
www.internetsociety.org
Follow us
@internetsociety
Galerie Jean-Malbuisson 15,
CH-1204 Geneva,
Switzerland.
+41 22 807 1444
1775 Wiehle Avenue,
Suite 201, Reston, VA
20190-5108 USA.
+1 703 439 2120
Thank you.
46
Dan York
Senior Content Strategist – york@isoc.org

ION Bucharest - Deploying DNSSEC

More Related Content

What's hot (19)

Viewers also liked (13)

Similar to ION Bucharest - Deploying DNSSEC (20)

More from Deploy360 Programme (Internet Society) (20)

Recently uploaded (20)

ION Bucharest - Deploying DNSSEC