
Internet Security 1 ( IntSi1 )

Internet Security 1 ( IntSi1 ). 12 DNS Security Extensions DNSSEC. Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA). DNS Resolution via Recursive Nameserver. DNS Request. DNS Response. Simple DNS Cache Poisoning.


Presentation Transcript


  1. Internet Security 1 (IntSi1), 12 DNS Security Extensions (DNSSEC). Prof. Dr. Andreas Steffen, Institute for Internet Technologies and Applications (ITA)

  2. DNS Resolution via Recursive Nameserver

  3. DNS Request

  4. DNS Response

  5. Simple DNS Cache Poisoning

  6. Guessing Query ID and UDP Source Port

  7. The Dan Kaminsky DNS Vulnerability – July 2008

  8. DNS Root Servers
     Letter  IPv4            IPv6                  Operator                              # of servers
     A       198.41.0.4      2001:503:BA3E::2:30   VeriSign Inc.                          4
     B       192.228.79.201  2001:478:65::53       Information Sciences Institute, USC    1
     C       192.33.4.12     -                     Cogent Communications                  6
     D       128.8.10.90     -                     University of Maryland                 1
     E       192.203.230.10  -                     NASA Ames Research Center              1
     F       192.5.5.241     2001:500:2F::F        Internet Systems Consortium Inc.      49
     G       192.112.36.4    -                     US DoD Network Information Center      6
     H       128.63.3.53     2001:500:1::803F:235  US Army Research Lab                   1
     I       192.36.148.17   2001:7FE::53          Autonomica/NORDUnet                   34
     J       192.58.128.30   2001:503:C27::2:30    VeriSign Inc.                         70
     K       193.0.14.129    2001:7FD::1           RIPE NCC                              18
     L       199.7.83.42     2001:500:3::42        ICANN                                  3
     M       202.12.27.33    2001:DC3::35          WIDE Project                           6
     Total number of servers: 200

  9. Global Map of Root Servers

  10. DNSSEC Chain of Trust (diagram spanning the root, ch. and switch.ch. zones)
      • root DNSKEY (KSK): the trust anchor, explicitly imported, e.g. via a trusted web site
      • root DNSKEY (ZSK): the root DNSKEY RRset is signed by the root KSK/ZSK
      • ch. DS (in the root zone): signed by the root ZSK
      • ch. DNSKEY (KSK): matches the ch. DS; ch. DNSKEY (ZSK): the ch. DNSKEY RRset is signed by the ch. KSK/ZSK
      • switch.ch. DS (in the ch. zone): signed by the ch. ZSK
      • switch.ch. DNSKEY (KSK): matches the switch.ch. DS; switch.ch. DNSKEY (ZSK): the switch.ch. DNSKEY RRset is signed by the switch.ch. KSK/ZSK
      • switch.ch. NS ns1/ns2 and www.switch.ch. A x.x.x.x: signed by the switch.ch. ZSK

  11. DNSSEC Resource Records I - DNSKEY
      • DNSKEY - DNS Public Key
      • Contains a public key used to sign the RRsets of a zone
        switch.ch. 81154 IN DNSKEY 256 3 5 AwEAAeCDWwjJO4mXBzayiKf4p7waJ7Ew
                                           eUnsTsAWkxpfELci4iaVdBugzYPfsZIg
                                           9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJ
                                           jXAGMRwRJIBprFx4BXZSsjsvGb6MGC+exHSlXw==
                                           ;{id = 64608 (zsk), size = 768b}
      • Flags field
        • 256 -> Zone Signing Key (ZSK)
        • 257 -> Key Signing Key (KSK) with secure entry point (SEP) flag set
      • Algorithm field
        • 5 -> SHA-1 with RSA
        • 7 -> SHA-1 with RSA & NSEC3 with SHA-1
        • 8 -> SHA-256 with RSA
        • 10 -> SHA-512 with RSA

  12. DNSSEC Resource Records II - RRSIG
      • RRSIG - Resource Record Signature
      • Contains a public key signature over a resource record set (RRset)
        merapi.switch.ch. 172800 IN A 130.59.211.10
        merapi.switch.ch. 172800 IN RRSIG A 5 3 172800 20091128231033 20091029231033 64608 switch.ch.
                                    3KW9YjxdL08FqVYKFSn9 Q4+8U1iYrVCun+J1Ny8Y IiMC+6oQS/GZwRn2mr+H
                                    MruwEjNB9s7bWGzRmRiR TATPvS67gxjCiJkSP58P kGJ1dW3wBaz6r1feGNvz
                                    KhHLhvRe ;{id = 64608}
      • Signature Expiration and Inception fields (YYYYMMDDHHMMSS, UTC)
        • The signature is not valid before the Inception and after the Expiration date.
      • Key Tag field
        • Contains the key tag of the key which signed the RRset.
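An added example (not part of the slides) that ties slides 11 and 12 together: it parses the DNSKEY and RRSIG records shown above, computes the RFC 4034 key tag a validator uses to pick the signing key, derives the RSA key size behind the "size = 768b" comment, and checks a timestamp against the signature's validity window. The record text is copied from the slides; the small key and the timestamps used for testing are constructed.

```python
import base64
import struct
from datetime import datetime, timezone
# DNSKEY (switch.ch. ZSK) and RRSIG (merapi.switch.ch. A) from the slides; signature data omitted.
DNSKEY_LINE = ("switch.ch. 81154 IN DNSKEY 256 3 5 "
               "AwEAAeCDWwjJO4mXBzayiKf4p7waJ7EweUnsTsAWkxpfELci4iaVdBugzYPfsZIg"
               "9R6TIPky3LoPAPmIjCc2fbFkKnrGI7hJjXAGMRwRJIBprFx4BXZSsjsvGb6MGC+exHSlXw==")
RRSIG_LINE = ("merapi.switch.ch. 172800 IN RRSIG A 5 3 172800 "
              "20091128231033 20091029231033 64608 switch.ch.")
TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC

def parse_dnskey(line):
    """Return (flags, protocol, algorithm, key bytes) from presentation format."""
    f = line.split()
    i = f.index("DNSKEY")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:]))

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA in wire format."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_modulus_bits(key):
    """RFC 3110 layout: exponent length (1 byte, or 0 plus 2 bytes), exponent, modulus."""
    elen, off = key[0], 1
    if elen == 0:
        elen, off = struct.unpack("!H", key[1:3])[0], 3
    return (len(key) - off - elen) * 8

def parse_rrsig(line):
    """Pick out the RRSIG fields the slide explains: algorithm, validity window, key tag."""
    f = line.split()
    i = f.index("RRSIG")
    return {"algorithm": int(f[i + 2]), "expiration": f[i + 5],
            "inception": f[i + 6], "key_tag": int(f[i + 7]), "signer": f[i + 8]}

def rrsig_valid_at(rrsig, when):
    """True only between Inception and Expiration; `when` uses the RRSIG timestamp format."""
    utc = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    return utc(rrsig["inception"]) <= utc(when) <= utc(rrsig["expiration"])

def rrsig_matches_dnskey(rrsig_line, dnskey_line):
    """A validator picks the DNSKEY whose algorithm and key tag equal the RRSIG's fields."""
    flags, proto, alg, key = parse_dnskey(dnskey_line)
    sig = parse_rrsig(rrsig_line)
    return alg == sig["algorithm"] and key_tag(flags, proto, alg, key) == sig["key_tag"]
```

Calling rrsig_matches_dnskey(RRSIG_LINE, DNSKEY_LINE) reproduces the lookup a resolver performs before it even attempts the RSA verification; the key tag is only a selector, never a proof.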

  13. DNSSEC Resource Records III - DS
      • DS - Delegation Signer
      • Signed hash computed over the KSK of the child zone (fields: key tag 43837, algorithm 5, digest type 1 = SHA-1 or 2 = SHA-256)
        switch.ch. 3364 IN DS 43837 5 1 91dcfca519cf8b038441869878cc3610 60200534
        switch.ch. 3364 IN DS 43837 5 2 838cef7635952df83311a92b48ae7f19 1ae29484534e38b1ab7b3d0966b9ee55
        switch.ch. 3416 IN RRSIG DS 7 2 3600 20091123183442 20091117220724 31034 ch.
                                    LPh8RgXQSqPcdQz6s1PJOjTuopO9RxQg s1YYCY/CnhYaHxb6ndNBJ7QP20eKN+91
                                    /ULjN4Ep/k9Pgtos979i5OfEXpfLcWcv rKP1xGvqW4PjP+MT1PDs6uKisEUqGBoQ
                                    p7+nkkzjY+YsDbxtTV+/8uHcSnNmXoMm SqPms3G0aw4= ;{id = 31034}

  14. DNSSEC Resource Records IV - NSEC
      • NSEC – Next Owner Name
      • Authenticated denial of existence of an owner name
        merapi.switch.ch. 180 IN NSEC mercury.switch.ch. A PTR AAAA LOC RRSIG NSEC
        merapi.switch.ch. 180 IN RRSIG NSEC 5 3 180 20091128231033 20091029231033 64608 switch.ch.
                                    kW1SnXWoJKwOHEG1P3INI83EOGuQGujwvBT/MSWVQ+ms/2DXxjQcpt1Z
                                    P07+XI51cc0t7erUUG31KZdmUpXZ tQzPUJh49jjLh9aTjRiH1xGhlxv5
                                    af+N95JDykRGSOAq ;{id = 64608}
      • Proof that there is no name between merapi.switch.ch. and mercury.switch.ch.
      • Allows enumeration of complete zone data!!!

  15. DNSSEC Resource Records V - NSEC3
      • NSEC3 – Next Owner Name in Hashed Order
      • Hashed Authenticated Denial of Existence (fields: hash algorithm 1 = SHA-1, flags 1 = opt-out, 1 iteration, salt d399eaab)
        h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN NSEC3 1 1 1 d399eaab h9rsfb7fpf2l8hg35cmpc765tdk23rp6
                                    NS SOA RRSIG DNSKEY NSEC3PARAM ; flags: optout
        h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 691 IN RRSIG NSEC3 7 2 86400 20091202211702 20091118201702 5273 org.
                                    a+CC37hRM7yCFBaZn2SeRgY9h247GXptCuBYf45TwaoRxvBwTAXPT+UwZ/4hxwc2v7AR7ZZ8UOMiNJvYsl59eFW8
                                    Xtgws4/Aih0fJ2/O8yUHwI695fRf9PrpxXEpqzStjSZP 5arJ1oldDAHcnxgLqdAMW6wnK1FNrslfJblJlmU=
                                    ;{id = 5273}
      • Proof that there is no name between org. and ???.org.
      • Does not allow straight enumeration of zone data!
      • Dictionary attacks are possible but expensive.
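An added example (not from the slides) covering slides 14 and 15: it checks whether a queried name falls into the NSEC interval from merapi.switch.ch. to mercury.switch.ch. using RFC 4034 canonical ordering, and computes the RFC 5155 NSEC3 hash with the salt and iteration count of the org. record so the same interval test can be done in hashed order. The owner and next names are taken from the slides; the queried names used for testing are constructed.

```python
import base64
import hashlib

# Owner/next names from the NSEC slide, and the hashed owner/next labels, salt and
# iteration count from the org. NSEC3 record on the slide above.
NSEC_OWNER, NSEC_NEXT = "merapi.switch.ch.", "mercury.switch.ch."
NSEC3_OWNER = "h9p7u7tr2u91d0v0ljs9l1gidnp90u3h"
NSEC3_NEXT = "h9rsfb7fpf2l8hg35cmpc765tdk23rp6"
NSEC3_SALT, NSEC3_ITERATIONS = bytes.fromhex("d399eaab"), 1

def canonical_key(name):
    """RFC 4034 section 6.1 order: labels compared right to left as lowercase octets."""
    return tuple(l.encode() for l in reversed(name.rstrip(".").lower().split(".")))

def in_interval(owner, nxt, candidate):
    """True if candidate sorts strictly between owner and nxt; the zone's last
    NSEC/NSEC3 record points back to its first name, so that interval wraps around."""
    if owner < nxt:
        return owner < candidate < nxt
    return candidate > owner or candidate < nxt

def nsec_covers(owner, next_name, qname):
    """Does this NSEC prove that qname does not exist?"""
    return in_interval(canonical_key(owner), canonical_key(next_name), canonical_key(qname))

def wire_name(name):
    """Uncompressed wire format: length-prefixed lowercase labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 over wire name + salt, re-hashed with the salt
    `iterations` more times; rendered in lowercase base32hex as the slide shows it."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32hex = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789abcdefghijklmnopqrstuv")
    return base64.b32encode(digest).decode().translate(b32hex)

def nsec3_covers(owner_hash, next_hash, qname, salt, iterations):
    """Does this NSEC3 prove that qname does not exist? Only hashes are compared,
    which is why the record itself reveals nothing about the names that do exist."""
    return in_interval(owner_hash, next_hash, nsec3_hash(qname, salt, iterations))

def owner_is_hash_of(name, owner_hash, salt, iterations):
    """Check the slide's point that the NSEC3 owner label is the hash of org. itself."""
    return nsec3_hash(name, salt, iterations) == owner_hash
```

The NSEC test needs no hashing at all, which is exactly why walking a zone with NSEC is trivial; with NSEC3 an enumerator must guess candidate names and hash each one with the zone's salt and iteration count, the "expensive dictionary attack" of the slide.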

  16. DNSSEC Root Zone Signing Process
      TLD Operator -> DS Records -> ICANN (Vetting and Processing) -> DS Records -> DoC NTIA (Authorization of Changes) -> DS Records -> VeriSign (Editing and Signing of Root Zone with the Root ZSK) -> Root Servers (A, ..., M)

  17. DNSSEC Root Zone Signing Key Signing Process
      • VeriSign: ZSK Management, holds the ZSK Private Key
      • ICANN: KSK Management, holds the KSK Private Key; the KSK is published on the ICANN web site
      • VeriSign -> ICANN: KSR (Key Signing Request) carrying the ZSKs to be signed
      • ICANN -> VeriSign: SKR (Signed Key Response) carrying the ZSKs signed with the KSK

  18. ICANN Key Ceremonies
      • Tier 1 – Facility – Access Control by Data Center
      • Tier 2 – Facility – Access Control by Data Center
      • Tier 3 – Facility – Access Control by Data Center
      • Tier 4 – Cage – Access Control by Data Center
      • Tier 5 – Safe Room – Access Control by ICANN
      • Tier 6 – Safe #1 and Safe #2
      • Tier 7 – HSM (holds the KSK Private Keys) and Safe Deposit Box
      • Also kept inside the safes: Key Ceremony Computer, Crypto Officers' Credentials

  19. ICANN Key Ceremonies

  20. Periodic Key Rollover (timeline T-10 to T+90 days)
      • ZSK Rollover (every 90 days): the new ZSK is pre-published before it signs, the old ZSK stays post-published after it stops signing
      • Optional KSK Rollover (every 2-5 years or on demand): KSK publish, then KSK publish+sign, then KSK revoke+sign for the old key
      • RRSIG Validity Period: 10 days + 50% overlap

  21. DNSSEC Deployment (November 28 2011)
      • TLDs signed by root zone:
        • 11 gTLDs: arpa asia biz cat com edu gov info museum net org
        • 54 ccTLDs: ac ag am be bg br bz ch cl co cz de dk eu fi fr gi gl gr hn in io jp kg kr la lc li lk lu me mn my na nc nl nu pm pr pt re sc se sh su tf th tm tw ug uk us wf yt
        • 2 IDN ccTLDs: xn--kprw13d xn--kpry57d (台湾 Taiwan)
      • TLDs with DNSKEY set:
        • 1 gTLD: mil
        • 3 ccTLDs: mm nz vc
        • 2 IDN ccTLDs: xn--fzc2c9e2c (ලංකා Sinhala Sri Lanka), xn--xkc2al3hye2a (இலங்கை Tamil Sri Lanka)
      • Signing of major gTLDs:
        • net: December 9, 2010
        • com: March 2011
