This document discusses the critical aspects of DNSSEC (Domain Name System Security Extensions) deployment, focusing on vulnerabilities such as cache pollution, unauthorized updates, and data corruption. It outlines the data flow from registries to resolvers, emphasizing the importance of secure key management and validation processes. Key implementation areas include the challenges of "the last mile," effective trust anchor management, and potential solutions for zone enumeration privacy issues. The paper encourages immediate DNSSEC deployment while acknowledging ongoing improvements.
DNSSEC: An Update
Olaf M. Kolkman, olaf@ripe.net
DNS: Data Flow
[Figure: zone administrator and registry/registrar feed provisioning data into the zone file; the master server loads it and transfers it to the slaves; caching forwarders and resolvers query the servers; dynamic updates also reach the master. Steps are numbered 1 to 5.]

DNS Vulnerabilities
[Figure: the same data flow annotated with its attack points: altered zone data, unauthorized (dynamic) updates, impersonating the master, corrupting data in transit, cache impersonation, and cache pollution by data spoofing.]

DNSSEC Provides Data Security
[Figure: the record "example.com A 10.8.0.1" is shown unchanged at the zone file, at the master and at the resolver, illustrating that DNSSEC protects the data rather than the channel.]
DEPLOYMENT NOW
DNS server infrastructure related
Protocol spec is clear on:
• Signing
• Serving
• Validating
Implemented in:
• Signer
• Authoritative servers
• Security aware recursive nameservers
[Figure: signing, serving and validating mapped onto the data flow; the application (APP) and stub resolver sit outside this server-side scope.]

DNSSEC Implementations
• BIND 9.3
• NSD 2 (authoritative only)
• Net::DNS::SEC for scripting tools

Main Improvement Areas
• “the last mile”
• Key management and key distribution
• NSEC walk
The last mile
• How to get validation results back to the user
• The user may want to make different decisions based on the validation result:
  • Not secured
  • Time out
  • Crypto failure
  • Query failure
• From the recursive resolver to the stub resolver to the application
[Figure: validation happens at the recursive resolver; the stub resolver and application (APP) only see the result.]
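As an added illustration of the four last-mile outcomes listed above (not code from the slides or from any of the named implementations), the following Python maps a raw DNS response header from a validating recursive resolver onto those outcomes. It assumes the resolver follows RFC 4035 conventions: AD bit set for validated data, SERVFAIL for a signature (crypto) failure. The sample headers are constructed inline; no network is used.

```python
import struct
from enum import Enum
from typing import Optional


class Outcome(Enum):
    SECURE = "validated (AD bit set by the recursive resolver)"
    INSECURE = "not secured (answer returned without AD)"
    TIMEOUT = "time out (no response from the recursive resolver)"
    CRYPTO_FAILURE = "crypto failure (SERVFAIL from a validating resolver)"
    QUERY_FAILURE = "query failure (other error RCODE or malformed reply)"


def classify_response(wire: Optional[bytes]) -> Outcome:
    """Map a raw DNS reply (None on timeout) to a last-mile outcome.

    Only the 12-byte header is needed: flags carry RCODE and the AD bit.
    Note: SERVFAIL can also have non-crypto causes; a stub that wants the
    unvalidated data anyway can re-query with CD=1 to tell the two apart.
    """
    if wire is None:
        return Outcome.TIMEOUT
    if len(wire) < 12:
        return Outcome.QUERY_FAILURE
    _qid, flags = struct.unpack("!HH", wire[:4])
    ad = bool(flags & 0x0020)      # Authentic Data flag (bit 5 of the flags word)
    rcode = flags & 0x000F         # low four bits: response code
    if rcode == 2:                 # SERVFAIL
        return Outcome.CRYPTO_FAILURE
    if rcode != 0:                 # NXDOMAIN, REFUSED, ...
        return Outcome.QUERY_FAILURE
    return Outcome.SECURE if ad else Outcome.INSECURE


def build_header(ad: bool, rcode: int, qid: int = 0x1234) -> bytes:
    """Construct a minimal response header: QR=1, RD=1, RA=1 plus AD/RCODE.

    Constructed sample data for the example; a real reply would carry
    question and answer sections after these 12 bytes.
    """
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, 1 if rcode == 0 else 0, 0, 0)


if __name__ == "__main__":
    for label, wire in [("validated", build_header(True, 0)),
                        ("unsigned zone", build_header(False, 0)),
                        ("bogus signature", build_header(False, 2)),
                        ("no such name", build_header(False, 3)),
                        ("timeout", None)]:
        print(f"{label:16s} -> {classify_response(wire).value}")
```

The AD bit is only as trustworthy as the path between the stub and the recursive resolver, which is exactly the last-mile problem the slide describes; an application should act on it only when that path is on the local host or otherwise protected.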
Problem Area: Key Management
• Keys need to propagate from the signer to the validating entity
• The validating entity will need to “trust” the key to “trust” the signature
• Possibly many islands of security
[Figure: the signing and validating points in the data flow, with the application (APP) and stub resolver at the far end.]

Secure Islands and key management
[Figure: a tree of zones, each a separately signed island: the root (.), com., net., with os.net., money.net. and kids.net. below net., and further names such as corp, geerthe, mac, unix, nt, marnick, dev, market and dilbert below those.]

Secure Islands
• Server side
  • Different key management policies for all these islands
  • Different rollover mechanisms and frequencies
• Client side (clients with a few to 10, 100 or more trust anchors)
  • How to keep the configured trust anchors in sync with the rollover
  • Bootstrapping the trust relation

NSEC walk
• The record for proving the non-existence of data allows for zone enumeration
• Providing privacy was not a requirement for DNSSEC
• Zone enumeration does provide a deployment barrier
• Work is starting to study possible solutions
  • Requirements are being gathered
  • If and when a solution is developed it will co-exist with DNSSEC-BIS !!!
• Until then on-line keys will do the trick

Conclusion
• DNSSEC deployment can be started now
• .SE is preparing for deployment by the end of this year
• Improvements will come; some work may take one or more years

References
• Some links
  • www.dnssec.net
  • www.dnssec-deployment.org
  • www.ripe.net/disi/dnssec_howto
• Apster number 12