trust infrastructure and dnssec deployment l.
Skip this Video
Loading SlideShow in 5 Seconds..
Trust Infrastructure and DNSSEC Deployment PowerPoint Presentation
Download Presentation
Trust Infrastructure and DNSSEC Deployment

Loading in 2 Seconds...

play fullscreen
1 / 16

Trust Infrastructure and DNSSEC Deployment - PowerPoint PPT Presentation

  • Uploaded on

Under normal circumstances, this [a way that the BlackBerry Router can be shut down using a flaws in the ... BlackBerry Router will only communicate with the BlackBerry ...

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Trust Infrastructure and DNSSEC Deployment' - Kelvin_Ajay

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
trust infrastructure and dnssec deployment

Trust Infrastructure and DNSSEC Deployment

Allison Mankin

5th Annual PKI R&D Workshop 2006

why dnssec
  • Good security is multi-layered and preventive
    • Multiple defense barriers in physical world
    • Multiple ‘layers’ in the networking world
  • DNS infrastructure
    • Providing DNSSEC extensions to raise the barrier for DNS based attacks
    • Provides a security barrier or an enhancement for systems and applications
the problem
The Problem
  • DNS data is too readily changed, removed or replaced between the “server” and the “client”.
  • This can happen in multiple places in the DNS architecture
    • Some places are more vulnerable than others
    • Vulnerabilities in DNS software make attacks easier (and software will never stop being at risk)
solution a metaphor
Solutiona Metaphor
  • Compare DNSSEC to a sealed transparent envelope.
  • The seal is applied by whoever closes the envelope
  • Anybody can read the message
  • The seal is applied to the envelope, not to the message
  • This Metaphor is the Brilliant Work of Olaf Kolkman
secure dns query and response simple case
Secure DNS Query and Response (simple case)

Root Server

Local Server

com Server =

Plus signature for

End-user Server

Attacker can not forge this answer without the associated private keys.

how does dnssec extend dns
How Does DNSSEC Extend DNS?
  • DNSSEC adds four new record types:
    • DNSKEY - carries public key
    • RRSIG - carries signature of DNS information
    • DS - carries a signed hash of key
    • NSEC - signs gaps to assure non-existence
  • Working on one more, NSEC3
    • This would provide privacy enhancement
dns vectored attacks in current events blackberry router
DNS-Vectored Attacks in Current Events: BlackBerry Router
  • From RIM (January, updated 29 Mar):

Under normal circumstances, this [a way that the BlackBerry Router can be shut down using a flaws in the routing protocol] should be viewed as an internal-only vulnerability because the BlackBerry Router will only communicate with the BlackBerry Infrastructure. An external user attempting to exploit this needs to manipulate Domain Name System (DNS) queries. This results in a denial of service and does not require any further action to interrupt connectivity to external services. Enterprises can mitigate the risk of DNS hijacking by creating static entries in their local DNS or HOSTS tables for the BlackBerry Infrastructure.

  • Pointers and info on several DNS attacks from 2005 at
status of dnssec
Status of DNSSEC
  • Production: major server implementations of the protocols
    • RFCs 4033, 4034, 4035
  • Not ready: some OS (Microsoft); embedded-type systems (e.g. firewalls); applications-awareness
  • Still in development: an extension to prevent zone-walking, an important concern for a small but key set of sites
  • Incremental deployment of what we’ve got currently is like setting tripwires - this is good because all past experience suggests the tripwires are needed
state of the art deployment ripe
State of the art deployment: RIPE
  • Signed reverse tree zones (, for protection of this infrastructure
  • Because .arpa and root not yet signed, developed careful web and secure-mail mechanism for announcing, distributing and rolling-over the public key signing key for their zones
state of the art se
State of the art: SE
  • .SE was first to turn on production DNSSEC and first to receive delegations
  • A characteristic of their operation is their transparency of security planning
    • Deliberations on key length, smart card for the private keys, CA software for managing the delegations, all documented on the site
other environments
Other environments
  • Internet2 and U.S. universities including Berkeley, Penn, MIT are in DNSSEC efforts
    • Campuses have many targets
    • DNS organizations are very active, provide many trusted secondaries
  • Status here is complex
  • Regular DNSSEC workshop at ICANN has minimal ties to IANA
  • The DNS technical community consensus is that incremental, large deployment is the answer and root deployment can come later, as a “pull”
trust infrastructure sshfp
Trust Infrastructure: SSHFP
  • RFC 4255 allows ssh fingerprints to be published in the DNS
    • SSHFP Resource Record (RR)
    • A replaced or modified DNS response destroys ssh host verification, so this mechanism mandates use of DNSSEC authentication
    • A different take: DNSSEC extensions allow DNS to vector the trust infrastructure
  • More of this: RFC 4025, IPSECKEY
    • DNSSEC allows opportunistic key exchange
trust infrastructure dkim
Trust Infrastructure: DKIM
  • Domain Keys Identified Mail stores and retrieves a public key for signing of email in the DNS
    • The signature goal varies by use but attests a domain and often also an identity “on behalf of whom”
    • Given this, it is obvious that the protection of the DKIM usage in DNS is needed
dkim in a vulnerable dns server
DKIM in a Vulnerable DNS Server

Mar 2005 style

ISP server attack



Valid reply with poisoned additional information. False .com server address installed in ISP servers - 10% of servers vulnerable


ISP Server




Hypothetical attack: a new signature is added by X, whose public key resides at a false domain Y. A commercially successful DNS attack last year used the same vulnerabilities and topology.

observations and conclusions
Observations and conclusions
  • There are cost tradeoffs to deploying DNSSEC
    • Good studies of the computing and network costs from NLNET Labs and NIST (low-moderate, probably even taking into account size of SHA-256)
    • Training and operation, key management
  • Besides thinking of costs, consider risk-benefit
    • We need metrics for exploits caught by current deployments
    • Are there alternatives to DNSSEC for protecting DKIM?
    • How costly is the exploitation that occurs if we don’t have this protection?