DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
champika.wijayatunga@icann.org
Acknowledgements
• Rick Lamb - Senior Program Manager, DNSSEC @ICANN
• APNIC Training
DNS Basics
• DNS converts names (www.icann.org) to numbers (192.0.32.7)
• ..to identify services such as www and e-mail
• ..that identify and link customers to businesses, and vice versa
Reminder: DNS Resolving
Question: www.example.net A
1. Resolver (stub) asks the caching forwarder (recursive): www.example.net A ?
2. Caching forwarder asks a root-server: www.example.net A ?
3. root-server: "go ask the net server @ X.gtld-servers.net" (+ glue)
4. Caching forwarder asks the gtld-server: www.example.net A ?
5. gtld-server: "go ask the example.net server @ ns.example.net" (+ glue)
6. Caching forwarder asks the example-server: www.example.net A ?
7. example-server answers: "x.y.z.1"
8. Caching forwarder adds the answer to its cache, keeping it for the record's TTL
9. Caching forwarder answers the resolver: x.y.z.1
DNS: Data Flow
1. The zone administrator edits the zone file
2. The zone file is loaded on the master
3. Dynamic updates are applied to the master
4. The master transfers the zone to the slaves
5. The slaves answer the caching forwarder, which answers the resolver
DNS Vulnerabilities (the same data flow, with where each attack lands)
• Corrupting data: the zone file on its way to the master (1, 2)
• Unauthorized updates: dynamic updates into the master (3)
• Impersonating master: the zone transfer to the slaves (4)
• Cache pollution by data spoofing: answers from the slaves to the caching forwarder (5)
• Cache impersonation: answers from the caching forwarder to the resolver
Server protection covers the first three, where the servers and their transactions are attacked. Data protection covers the last two, where the data itself is forged in transit; that is the part DNSSEC addresses.
DNS is a part of all IT ecosystems
(diagram: a phone number, +1-202-709-5262, and VoIP; an e-mail address, lamb@xtcn.com; a domain, mydomainname.com; the US-NSTIC effort; the Smart Electrical Grid; the OECS ID effort)
Where DNSSEC fits in
• ..but CPU and bandwidth advances make legacy, unauthenticated DNS vulnerable to MITM attacks such as cache poisoning
• DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents (the signatures authenticate the data; they do not encrypt it)
• With DNSSEC fully deployed a business can be sure a customer gets unmodified data (and vice versa)
The Bad: DNSChanger - 'Biggest Cybercriminal Takedown in History'
– 4M machines, 100 countries, $14M (Nov 2011)
http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
End-to-end DNSSEC validation would have avoided the problems
The Internet's Phone Book - Domain Name System (DNS)
(diagram) The customer's browser asks the ISP's DNS resolver "www.majorbank.se = ?". The resolver walks the DNS hierarchy (root, then se, then majorbank.se, the registrant's zone) and learns www.majorbank.se = 1.2.3.4. The browser fetches the login page from the web server at 1.2.3.4, sends username / password, and receives account data.
Caching Responses for Efficiency
(diagram) The next customer asking for www.majorbank.se gets 1.2.3.4 straight from the resolver's cache, with no walk of the hierarchy, and proceeds to the login page at 1.2.3.4 as before.
The Problem: DNS Cache Poisoning Attack
(diagram) While the resolver is looking up www.majorbank.se, the attacker injects a forged answer "www.majorbank.se = 5.6.7.8" that is accepted in place of the genuine 1.2.3.4. The resolver caches it; the customer's browser fetches the login page from the attacker's web server at 5.6.7.8, submits username / password into the attacker's password database, and gets an "Error" back.
Argghh! Now all ISP customers get sent to the attacker.
(diagram) The poisoned entry www.majorbank.se = 5.6.7.8 is served from the cache to every customer of the ISP for as long as it lives there; each of them hands username / password to the attacker's server at 5.6.7.8 and sees an error.
Securing The Phone Book - DNS Security Extensions (DNSSEC)
(diagram) With a DNS server and a resolver that both support DNSSEC, the attacker's forged "www.majorbank.se = 5.6.7.8" does not validate against the zone's signatures, so the resolver drops it and keeps the genuine www.majorbank.se = 1.2.3.4. The customer reaches the real web server at 1.2.3.4 and the login proceeds normally.
Resolver only caches validated records
(diagram) Only the validated www.majorbank.se = 1.2.3.4 enters the cache; later customers are served the genuine address from the cache and reach the real login page at 1.2.3.4.
The Bad: Other DNS hijacks*
• 25 Dec 2010 - Russian e-Payment Giant ChronoPay Hacked
• 18 Dec 2009 - Twitter - "Iranian cyber army"
• 13 Aug 2010 - Chinese gmail phishing attack
• 25 Dec 2010 - Tunisia DNS Hijack
• 2009-2012 google.*
  – April 28 2009: Google Puerto Rico sites redirected in DNS attack
  – May 9 2009: Morocco temporarily seizes Google domain name
• 9 Sep 2011 - Diginotar certificate compromise for Iranian users
• SSL / TLS doesn't tell you whether DNS sent you to the correct site; it only tells you that the name in the certificate matches the name you asked for. Unfortunately, the majority of web site certificates are domain-validated, i.e. the CA relied on DNS to validate the applicant's identity, so whoever controls a name's DNS can usually obtain a certificate for it.
• DNS is relied on for unexpected things, though insecure.
*A Brief History of DNS Hijacking - Google
http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf
The Business Case for DNSSEC
• Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.
• DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).
• DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.
DNSSEC - Where we are
• Deployed on 462/654 TLDs (70%, 29 July 2014): .com .hr .es .in .af .ee .lb .bg .tm .cz .nl .uk .de .jp .cn .ru .рф .my مليسيا .asia .tw 台灣 .kr 한국 .net .org .post, plus the new gTLDs
• Root signed** and audited
• Required in new gTLDs. Basic support by ICANN registrars
• Growing ISP support*
• 3rd party signing solutions***
• Growing S/W and H/W support: NLnet Labs, ISC, Microsoft, PowerDNS, Secure64…; openssl, postfix, XMPP, mozilla: early DANE support
• IETF standard for binding TLS certificates to DNSSEC-signed names: DANE (RFC 6698)
• Growing support from major players… (Apple iPhone/iPad, Google 8.8.8.8, …)
* Comcast with 20M subscribers and others; most ISPs in SE, CZ. And ~12% of resolvers validate using DNSSEC
** International bottom-up trust model with 21 TCRs (Trusted Community Representatives) from: TT, BF, RU, CN, US, SE, NL, UG, BR, Benin, PT, NP, Mauritius, CZ, CA, JP, UK, NZ…
*** Partial list of registrars: https://www.icann.org/en/news/in-focus/dnssec/deployment
But…
• Deployed on only ~1-2% (3.5M) of 2nd level domains. Many have plans. Few have taken the step (e.g., yandex.com, paypal.com*, comcast.com).
• DNSChanger and other attacks highlight today's need (e.g. end-to-end DNSSEC validation would have avoided the problems).
• Innovative security solutions (e.g., DANE) highlight tomorrow's value.
* http://fedv6-deployment.antd.nist.gov/cgi-bin/generate-com
http://www.thesecuritypractice.com/the_security_practice/2011/12/all-paypal-domains-are-now-using-dnssec.html
http://www.nacion.com/2012-03-15/Tecnologia/Sitios-web-de-bancos-ticos-podran-ser-mas-seguros.aspx
DNSSEC: So what's the problem?
• Not enough IT departments know about it, or they are too busy putting out other security fires.
• When they do look into it they hear old stories of a lack of turnkey solutions.
• Registrars*/DNS providers see no demand, leading to "chicken-and-egg" problems.
*but required by the new ICANN registrar agreement
Too many CAs. Which one can we trust? DNSSEC to the rescue….
• CA certificate roots: ~1482 (EFF SSL Observatory). DNSSEC root: 1, with all domain names under it.
(diagram of what the single signed root enables)
• Login security: SSHFP (RFC 4255)
• Network security: IPSECKEY (RFC 4025)
• E-mail security: DKIM (RFC 4871)
• Content security: commercial SSL certificates for Web and e-mail; "free SSL" certificates for Web and e-mail, and "trust agility"
• DANE, and other yet to be discovered security innovations, enhancements, and synergies
• Cross-organizational and trans-national identity and authentication
• Securing VoIP
https://www.eff.org/observatory
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/
What you can do
• For Companies:
  – Sign your corporate domain names
  – Just turn on validation on corporate DNS resolvers
• For Users:
  – Ask your ISP to turn on validation on their DNS resolvers
• For All:
  – Take advantage of organizations offering DNSSEC education and training
DNSSEC Implementation
DNSSEC Resource Records (RFC 4034)
• 3 public key crypto related RRs
  – RRSIG = Signature over an RRset, made using the private key
  – DNSKEY = Public key, needed for verifying an RRSIG
  – DS = Delegation Signer; a 'pointer' (hash of the child's key) for building chains of authentication
• One RR for internal consistency
  – NSEC = Next Secure; indicates which name is the next one in the zone and which type codes are available for the current name
  • gives authenticated non-existence of data (denial of existence)
DNSKEY
• Contains the zone's public key
• Resolvers use it to verify the RRSIGs made over the zone's resource record sets (RRsets)
• Example:
myzone.net. IN DNSKEY 256 3 5 (
    AwEAAagrVFd9xyFMQRjO4DlkL0dgUCtogviS+FG9Z6Au3h1ERe4EIi3L
    X49Ce1OFahdR2wPZyVeDvH6X4qlLnMQJsd7oFi4S9Ng+hLkgpm/n+otE
    kKiXGZzZn4vW0okuC0hHG2XU5zJhkct73FZzbmBvGxpF4svo5PPWZqVb
    H48T5Y/9 ) ; key id = 3510
The RDATA fields are: flags (256 = Zone Key, i.e. a ZSK; 257 additionally sets the SEP bit and marks a KSK), protocol (always 3), algorithm (5 = RSA/SHA-1) and the public key (base64). The key id is the key tag that resolvers use to pick this key out of the DNSKEY RRset.
RRSIG
• The private part of the key-pair is used to sign each resource record set (RRset) in the zone
• The digital signature per RRset is saved in an RRSIG record
myzone.net.   86400  NS     ns.myzone.net.
              86400  NS     ns.yourzone.net.
              86400  RRSIG  NS 5 2 86400 (
                            20121202010528 20121102010528 3510
                            myzone.net.
                            Y2J2+CVqQRjQvcWY256ffiw5mp0OQTQUF8vUHSHyUbbhmE56eJimqDh
                            Xb8qwlFjl40kmlzmQC5CmgugBqjgLHZbuvSfd9+Ucwkxbwx3HonAPr3
                            +0HVqP8rSqGRqSq0VbR7LzNeaylBkumLDoriQxceV4z3d2jFv4ArnM= )
RRSIG fields in order: type covered (NS), algorithm (5), number of labels in the owner name (2), original TTL (86400), signature expiration and inception (YYYYMMDDHHMMSS in UTC), key tag (3510, matching the DNSKEY above), signer's name, and the signature (base64). Signatures expire: the zone must be re-signed before the expiration time or validators will reject it.
Types of Keys
• Zone Signing Key (ZSK)
  – Signs the RRsets within the zone
  – The public key of the ZSK is published in a DNSKEY RR
• Key Signing Key (KSK)
  – Signs the DNSKEY RRset, which includes the ZSK(s) and the KSK itself
  – Its hash is what the parent publishes in the DS record, so it is the key referenced from outside the zone (the secure entry point)
• Using a single key or both keys is an operational choice (the RFCs allow both methods); the split lets the ZSK be rolled frequently without touching the DS in the parent
NSEC Record example
$ORIGIN myzone.net.
@        SOA    …
         NS     NS.myzone.net.
         DNSKEY …
         NSEC   mailbox.myzone.net. SOA NS NSEC DNSKEY RRSIG

mailbox  A      192.168.10.2
         NSEC   www.myzone.net. A NSEC RRSIG

WWW      A      192.168.10.3
         TXT    "Public webserver"
         NSEC   myzone.net. A NSEC RRSIG TXT
Each NSEC names the next owner in canonical order and lists the RR types present at its own owner; the last one points back to the apex, closing the chain.
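The chain above in code, as an added example that is not part of the original slides: it builds the NSEC records for the myzone.net names and type lists from the listing (zone contents copied from the slide; the query names ftp.myzone.net, zzz.myzone.net and www.other.org are made up for the demonstration) and shows how a validator uses them to prove an NXDOMAIN or a NODATA answer.

```python
from __future__ import annotations

from dataclasses import dataclass

# Names in the myzone.net zone of the slide and the RR types at each (constructed
# from the listing above; WWW keeps the slide's uppercase spelling on purpose, to
# show that canonical ordering lowercases it).
MYZONE = {
    "myzone.net.": {"SOA", "NS", "DNSKEY"},
    "mailbox.myzone.net.": {"A"},
    "WWW.myzone.net.": {"A", "TXT"},
}
APEX = "myzone.net."


def norm(name: str) -> str:
    """Lowercase, fully qualified form used as a dictionary key."""
    return name.rstrip(".").lower() + "."


def canonical_key(name: str) -> list[bytes]:
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1): labels are
    compared right to left, case-insensitively, as octet strings, and a name sorts
    before its own subdomains (a shorter label list is a prefix of the longer one)."""
    return norm(name).rstrip(".").encode("ascii").split(b".")[::-1]


@dataclass(frozen=True)
class Nsec:
    owner: str               # name the NSEC record sits at
    next_name: str           # next owner in canonical order; the last record wraps to the apex
    types: tuple[str, ...]   # type bitmap: RR types present at owner (NSEC and RRSIG included)


def build_nsec_chain(zone: dict[str, set[str]]) -> list[Nsec]:
    """Produce the NSEC chain a signer adds to the zone."""
    zone_n = {norm(owner): types for owner, types in zone.items()}
    names = sorted(zone_n, key=canonical_key)
    chain = []
    for i, owner in enumerate(names):
        next_name = names[(i + 1) % len(names)]
        # signing adds an NSEC and RRSIGs at every authoritative name, so both join
        # the bitmap; types are listed alphabetically here for readability
        types = tuple(sorted(zone_n[owner] | {"NSEC", "RRSIG"}))
        chain.append(Nsec(owner, next_name, types))
    return chain


def covers(nsec: Nsec, qname: str, apex: str) -> bool:
    """True if qname sorts strictly between the NSEC's owner and its next name.
    The wrap-around record (next == apex) covers everything after its owner."""
    q = canonical_key(qname)
    lo, hi = canonical_key(nsec.owner), canonical_key(nsec.next_name)
    if hi == canonical_key(apex):
        return q > lo
    return lo < q < hi


def deny(chain: list[Nsec], qname: str, qtype: str, apex: str) -> str:
    """Explain which NSEC proves the negative answer for (qname, qtype), as a validator
    checks it. A complete NXDOMAIN proof also needs an NSEC covering the wildcard
    *.<closest encloser>; that step is omitted here."""
    q, apex_n = norm(qname), norm(apex)
    if q != apex_n and not q.endswith("." + apex_n):
        return "NOT IN ZONE"
    for nsec in chain:
        if nsec.owner == q:
            if qtype.upper() in nsec.types:
                return "EXISTS"  # a positive answer; nothing to deny
            return f"NODATA: {nsec.owner} exists but its bitmap [{' '.join(nsec.types)}] lacks {qtype.upper()}"
    for nsec in chain:
        if covers(nsec, q, apex_n):
            return f"NXDOMAIN: covered by NSEC {nsec.owner} -> {nsec.next_name}"
    return "NO PROOF"


if __name__ == "__main__":
    chain = build_nsec_chain(MYZONE)
    for rec in chain:
        print(f"{rec.owner:22} NSEC {rec.next_name} {' '.join(rec.types)}")
    for name, rtype in [("ftp.myzone.net", "A"), ("mailbox.myzone.net", "MX"), ("www.myzone.net", "A")]:
        print(f"{name} {rtype}: {deny(chain, name, rtype, APEX)}")
```

The same chain is what makes zone enumeration trivial: follow each next name around the loop and you have every name in the zone, which is why NSEC3 (RFC 5155) publishes hashed owner names instead.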
Delegation Signer (DS)
• Establishes the chain of trust from parent to child zones
• Found in the parent's zone file
• In this example, myzone.net has been delegated from .net. This is how it looks in the .net zone file:
myzone.net.  IN NS ns1.myzone.net.
             IN NS ns2.myzone.net.
             IN DS 19996 5 1 ( CF96B018A496CD1A68EE7C80A37EDFC6ABBF8175 )
             IN DS 19996 5 2 ( 6927A531B0D89A7A4F13E110314C722EC156FF926D2052C7D8D70C5014598CE9 )
DS fields: key tag of the child's KSK (19996), algorithm (5 = RSA/SHA-1), digest type (1 = SHA-1, 2 = SHA-256) and the digest of the child's DNSKEY. Two DS records with different digest types for the same key are common; the SHA-256 one alone is sufficient today.
Delegation Signer (DS)
• The Delegation Signer (DS) RR indicates that:
  – the delegated zone is digitally signed
  – the indicated key is used for the delegated zone
• The parent is authoritative for the DS of the child's zone
  – Not for the NS records delegating the child's zone! (those are authoritative in the child)
  – The DS should not be in the child's zone
DNSSEC Validation
• Recursive servers that are DNSSEC-enabled can validate signed zones
• The AD (Authenticated Data) bit in the response header flags shows whether the answer was validated; a validating resolver returns SERVFAIL for data that fails validation
• Other options if you don't have a validating resolver
  – Use a validator add-on for your web browser
    • ex: https://www.dnssec-validator.cz/
  – Online web tools
    • http://dnsviz.net/
    • http://dnssec-debugger.verisignlabs.com/
  – Use an open DNSSEC-validating resolver
    • Some open validating resolvers
      – DNS-OARC's ODVR: 149.20.64.20 (BIND9), 149.20.64.21 (Unbound)
      – Google Public DNS: 8.8.8.8 or 8.8.4.4
The AD bit is only as trustworthy as the path between you and the validating resolver: a remote open resolver protects its own cache, not the last hop to your host.
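An added example (not from the slides) of what a DNSSEC-aware query looks like on the wire and how to read the header that comes back: build_query produces the query dig +dnssec sends, with the EDNS0 DO bit set (and optionally CD, as dig +cd does), and classify turns the AD, CD and RCODE bits of a response header into the verdict one reads off dig's "flags:" line. The four response headers are constructed here to show each outcome; nothing is sent over the network.

```python
import struct

# RR type codes used in the question section
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "DS": 43, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000_0000  # DNSSEC OK bit in the OPT RR's TTL field (RFC 4035 section 3.2.1, RFC 6891)


def name_to_wire(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: str, do: bool = True, cd: bool = False) -> bytes:
    """A recursive query with an EDNS0 OPT record. do=True is what dig +dnssec sends;
    cd=True is dig +cd (hand me the data even if you cannot validate it)."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (the OPT)
    question = name_to_wire(qname) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    # OPT pseudo-RR: root owner name, TYPE 41, UDP payload size in the CLASS field,
    # extended RCODE / version / flags in the TTL field, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO if do else 0, 0)
    return header + question + opt


def do_bit_set(message: bytes) -> bool:
    """Read DO from an OPT RR that is the last record of the message (true for build_query output)."""
    owner, rtype, _payload, ttl, rdlen = struct.unpack("!BHHIH", message[-11:])
    return owner == 0 and rtype == 41 and rdlen == 0 and bool(ttl & EDNS_DO)


def parse_header(message: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(response: bytes) -> str:
    """Read a validating resolver's verdict from the header."""
    h = parse_header(response)
    if h["rcode"] == 2 and not h["cd"]:
        # SERVFAIL with checking enabled: the chain of trust failed (bogus) or the upstream
        # is unreachable; re-ask with cd=True to see the raw data and tell the two apart
        return "BOGUS_OR_SERVFAIL"
    if h["rcode"] != 0:
        return f"RCODE_{h['rcode']}"
    if h["cd"]:
        return "UNVALIDATED"  # we asked for checking to be disabled, so AD carries no weight
    return "SECURE" if h["ad"] else "INSECURE"  # INSECURE: unsigned zone or a non-validating resolver


# Constructed 12-byte response headers for the same query ID (not captures):
# QR|RD|RA with AD and NOERROR; without AD; with SERVFAIL; with CD echoed back.
SECURE_HDR = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 2, 0, 1)
INSECURE_HDR = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 1)
BOGUS_HDR = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 2, 1, 0, 0, 1)
CD_HDR = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | CD, 1, 1, 0, 1)

if __name__ == "__main__":
    query = build_query(0x1234, "www.apnic.net", "A")
    print(f"query: {len(query)} bytes, DO set: {do_bit_set(query)}")
    for label, hdr in [("secure", SECURE_HDR), ("insecure", INSECURE_HDR), ("bogus", BOGUS_HDR), ("cd", CD_HDR)]:
        print(f"{label:9} -> {classify(hdr)}")
```

Only a validator you reach over a trusted path should have its AD bit believed; a stub that does its own validation, or a local validating resolver, removes that dependency.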
DNSSEC - Setting up a Secure Zone
• Enable DNSSEC in the configuration file (named.conf)
dnssec-enable yes;
dnssec-validation yes;
(dnssec-validation turns on validation in a recursive server and is not needed on a purely authoritative one. In BIND 9.16 and later dnssec-enable is obsolete and has no effect; signing support is always present.)
• Create key pairs (KSK and ZSK)
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE myzone.net
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE -f KSK myzone.net
(The -f KSK flag sets the SEP bit, giving DNSKEY flags 257 instead of 256. Algorithm 5 with 1024-bit keys matches the example records on these slides but is no longer recommended; use RSASHA256 (8) with 2048 bits or ECDSAP256SHA256 (13) for new deployments.)
• Publish your public keys (include the generated K*.key files in the zone)
• Sign the zone
• Update the config file
  – Modify the zone statement, replacing the zone file with the signed zone file
• Test with dig
Signing the Zone
• Sign the zone using the private keys:
dnssec-signzone -o <zonename> -N INCREMENT -f <output-file> -k <KSKfile> <zonefile> <ZSKfile>
dnssec-signzone -o myzone.net db.myzone.net Kmyzone.net.+005+33633
• Once you sign the zone a file with a .signed extension will be created (unless -f names another output file)
  – db.myzone.net.signed
The key file name encodes the algorithm (005 = RSA/SHA-1) and the key tag (33633). -N INCREMENT bumps the SOA serial automatically so that secondaries pick up the re-signed zone.
Testing with dig: an example
dig @localhost www.apnic.net +dnssec +multiline
+dnssec sets the DO bit so that RRSIG records are returned alongside the answer; in the header flags, look for ad (the resolver you asked validated the data). Add +cd to fetch data the resolver refuses to validate, for debugging.
Pushing the DS record
• The DS record must be published by the parent zone.
• Contact the parent zone (normally through your registrar) to communicate the KSK to them, either as the DS record itself or as the KSK's DNSKEY from which they derive it.
• Until the DS is in the parent, the zone is signed but not validated (there is no chain of trust); once it is, a lost or mis-rolled KSK makes the zone unresolvable for validating resolvers.
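An added example (not from the slides) of the step in between: turning a KSK's DNSKEY into the DS record the parent publishes. It parses the DNSKEY record shown earlier in this tutorial, computes its RFC 4034 key tag and RSA key size, and derives DS records with SHA-1 and SHA-256 digests over the canonical owner name and the DNSKEY RDATA; the two-byte toy key in the tests is constructed so the tag can be checked by hand. Note that the slide's key carries flags 256 (a ZSK); the parent normally wants the DS of the KSK (flags 257).

```python
from __future__ import annotations

import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): SHA-1 is kept for the slide's
# "5 1" record but should not be used for new DS records.
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

# The DNSKEY record shown earlier in this tutorial (a ZSK: flags 256).
SLIDE_DNSKEY = """myzone.net. IN DNSKEY 256 3 5 (
    AwEAAagrVFd9xyFMQRjO4DlkL0dgUCtogviS+FG9Z6Au3h1ERe4EIi3L
    X49Ce1OFahdR2wPZyVeDvH6X4qlLnMQJsd7oFi4S9Ng+hLkgpm/n+otE
    kKiXGZzZn4vW0okuC0hHG2XU5zJhkct73FZzbmBvGxpF4svo5PPWZqVb
    H48T5Y/9 ) ; key id = 3510"""


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(record: str) -> tuple[str, bytes]:
    """Parse presentation format into (owner, RDATA). Parentheses, line breaks and the
    trailing ';' comment are ignored; the key may or may not be preceded by class/TTL."""
    fields = record.split(";")[0].replace("(", " ").replace(")", " ").split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def is_ksk(rdata: bytes) -> bool:
    """The SEP bit (flags value 1) marks a key meant to be referenced by a DS; 257 = Zone Key + SEP."""
    return bool(struct.unpack("!H", rdata[:2])[0] & 0x0001)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Key size of an RSA DNSKEY (RFC 3110 format: exponent length, exponent, modulus)."""
    if pubkey[0]:
        exp_len, offset = pubkey[0], 1
    else:  # a zero first byte means the exponent length is in the next two bytes
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[offset + exp_len:], "big").bit_length()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS presentation line for the parent: key tag, algorithm, digest type and the digest
    over canonical owner name || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    algorithm = rdata[3]
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    owner, rdata = parse_dnskey(SLIDE_DNSKEY)
    print(f"{owner} key tag {key_tag(rdata)}, {rsa_modulus_bits(rdata[4:])}-bit RSA, KSK: {is_ksk(rdata)}")
    if not is_ksk(rdata):
        print("warning: this is a ZSK (flags 256); the parent normally wants the KSK's DS")
    print(ds_record(owner, rdata, 2))
```

Compare the tag and digest you compute against what the registrar's interface shows before submitting; a DS that does not match any DNSKEY in the child makes the whole zone bogus for validating resolvers.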
Ways to Deploy DNSSEC
• As part of the DNS software used
  – Manual key management
  – Can be quite complex
  – For static environments
  – Some means of automation using option commands and scripts
• Use DNSSEC tools for BIND, NSD, PowerDNS, etc. with a hardware security module (HSM)
  – Semi-automatic
  – Good for dynamic environments
• Using an external appliance
  – 'dnssec-in-a-box'
  – Fully automatic: an HSM with OpenDNSSEC, or a DNS appliance, automates key generation, signing and rollover
DNSSEC: Internet infrastructure upgrade to help address today's needs and create tomorrow's opportunity.
Thank you!

More Related Content

PDF
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
PDF
Dnssec
guest3131f85
 
PDF
Windows 2012 and DNSSEC
Men and Mice
 
ODP
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
 
PDF
DNS/DNSSEC by Nurul Islam
MyNOG
 
PDF
Namespaces for Local Networks
Men and Mice
 
PDF
The DNSSEC KSK of the root rolls
Men and Mice
 
PDF
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
Dnssec
guest3131f85
 
Windows 2012 and DNSSEC
Men and Mice
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Utah Networxs Consultoria e Treinamento
 
DNS/DNSSEC by Nurul Islam
MyNOG
 
Namespaces for Local Networks
Men and Mice
 
The DNSSEC KSK of the root rolls
Men and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 

What's hot (20)

PDF
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
PDF
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
PDF
DNSSEC signing Tutorial
Men and Mice
 
PDF
Yeti DNS - Experimenting at the root
Men and Mice
 
PDF
The CAA-Record for increased encryption security
Men and Mice
 
PDF
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
PDF
Windows Server 2016 Webinar
Men and Mice
 
PDF
DNS Security
johnmcclure00
 
PDF
BIND 9 logging best practices
Men and Mice
 
PDF
DNSTap Webinar
Men and Mice
 
PDF
Introduction DNSSec
AFRINIC
 
PPT
Dns protocol design attacks and security
Michael Earls
 
PPTX
DoH, DoT and ESNI
Jisc
 
PPTX
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
ZIP
DNS Cache Poisoning
Christiaan Ottow
 
PDF
What is new in BIND 9.11?
Men and Mice
 
PDF
Fighting Abuse with DNS
Men and Mice
 
PDF
How to send DNS over anything encrypted
Men and Mice
 
PDF
Keeping DNS server up-and-running with “runit
Men and Mice
 
PDF
A study of our DNS full-resolvers
Bangladesh Network Operators Group
 
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
DNSSEC signing Tutorial
Men and Mice
 
Yeti DNS - Experimenting at the root
Men and Mice
 
The CAA-Record for increased encryption security
Men and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
Windows Server 2016 Webinar
Men and Mice
 
DNS Security
johnmcclure00
 
BIND 9 logging best practices
Men and Mice
 
DNSTap Webinar
Men and Mice
 
Introduction DNSSec
AFRINIC
 
Dns protocol design attacks and security
Michael Earls
 
DoH, DoT and ESNI
Jisc
 
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 
DNS Cache Poisoning
Christiaan Ottow
 
What is new in BIND 9.11?
Men and Mice
 
Fighting Abuse with DNS
Men and Mice
 
How to send DNS over anything encrypted
Men and Mice
 
Keeping DNS server up-and-running with “runit
Men and Mice
 
A study of our DNS full-resolvers
Bangladesh Network Operators Group
 
Ad

Similar to DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38] (20)

PPTX
ION Malta - Introduction to DNSSEC
Deploy360 Programme (Internet Society)
 
PDF
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
PDF
ION Hangzhou - Why Deploy DNSSEC?
Deploy360 Programme (Internet Society)
 
PDF
DNS & DNSSEC
APNIC
 
PDF
ION Trinidad and Tobago - The Business Case for DNSSEC
Deploy360 Programme (Internet Society)
 
PDF
ION Islamabad - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
PPTX
DNSandDNSSecurity (1).pptx
Aisha Siddiqui
 
PPTX
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
PDF
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
PDF
Understanding the DNS & DNSSEC
ICANN
 
PDF
RIPE 82: DNS Evolution
APNIC
 
PPTX
dnssec_networking_improvement_for_security.pptx
pipopopo3
 
PDF
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 
PDF
DNSSEC: What a Registrar Needs to Know
laurenrprice
 
PDF
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
PDF
Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted...
RootedCON
 
PDF
Information Security, Network Security, Cache Poisoning
ahmohil78
 
PPTX
AEP Netwrorks Keyper HSM & ICANN DNSSEC
Chin Wan Lim
 
PDF
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
ION Malta - Introduction to DNSSEC
Deploy360 Programme (Internet Society)
 
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
ION Hangzhou - Why Deploy DNSSEC?
Deploy360 Programme (Internet Society)
 
DNS & DNSSEC
APNIC
 
ION Trinidad and Tobago - The Business Case for DNSSEC
Deploy360 Programme (Internet Society)
 
ION Islamabad - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
DNSandDNSSecurity (1).pptx
Aisha Siddiqui
 
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
Understanding the DNS & DNSSEC
ICANN
 
RIPE 82: DNS Evolution
APNIC
 
dnssec_networking_improvement_for_security.pptx
pipopopo3
 
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 
DNSSEC: What a Registrar Needs to Know
laurenrprice
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted...
RootedCON
 
Information Security, Network Security, Cache Poisoning
ahmohil78
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
Chin Wan Lim
 
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
Ad

More from APNIC (20)

PDF
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
APNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
APNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
PDF
Make DDoS expensive for the threat actors
APNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
PDF
Prop-154: Resizing of IPv4 assignments for IXPs
APNIC
 
PDF
Internet Exchange Points, presented at Peering Workshop at the PITA 29th AGM,...
APNIC
 
PDF
Exploring the Evolving Internet Landscape
APNIC
 
PDF
Regional Development for an Open, Stable, and Secure Internet
APNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
The Internet - By the numbers, presented at npNOG 11
APNIC
 
Transmission Control Protocol (TCP) and Starlink
APNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
Make DDoS expensive for the threat actors
APNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
Prop-154: Resizing of IPv4 assignments for IXPs
APNIC
 
Internet Exchange Points, presented at Peering Workshop at the PITA 29th AGM,...
APNIC
 
Exploring the Evolving Internet Landscape
APNIC
 
Regional Development for an Open, Stable, and Secure Internet
APNIC
 

Recently uploaded (20)

PDF
Project English Paja Jara Alejandro.jpdf
AlejandroAlonsoPajaJ
 
PDF
LOGENVIDAD DANNYFGRETRRTTRRRTRRRRRRRRR.pdf
juan456ytpro
 
PPTX
dns domain name system history work.pptx
MUHAMMADKAVISHSHABAN
 
PPTX
办理方法西班牙假毕业证蒙德拉贡大学成绩单MULetter文凭样本
xxxihn4u
 
PPTX
Generics jehfkhkshfhskjghkshhhhlshluhueheuhuhhlhkhk.pptx
yashpavasiya892
 
PDF
KIPER4D situs Exclusive Game dari server Star Gaming Asia
hokimamad0
 
PDF
Generative AI Foundations: AI Skills for the Future of Work
hemal sharma
 
PPTX
Different Generation Of Computers .pptx
divcoder9507
 
PDF
UI/UX Developer Guide: Tools, Trends, and Tips for 2025
Penguin peak
 
PDF
Slides: PDF Eco Economic Epochs for World Game (s) pdf
Steven McGee
 
PPTX
Slides Powerpoint: Eco Economic Epochs.pptx
Steven McGee
 
PPTX
The Monk and the Sadhurr and the story of how
BeshoyGirgis2
 
PPT
1965 INDO PAK WAR which Pak will never forget.ppt
sanjaychief112
 
PDF
The Internet of Things (IoT) refers to a vast network of interconnected devic...
chethana8182
 
PPTX
SEO Trends in 2025 | B3AITS - Bow & 3 Arrows IT Solutions
B3AITS - Bow & 3 Arrows IT Solutions
 
PPTX
B2B_Ecommerce_Internship_Simranpreet.pptx
LipakshiJindal
 
PPTX
LESSON-2-Roles-of-ICT-in-Teaching-for-learning_123922 (1).pptx
renavieramopiquero
 
PPTX
Pengenalan perangkat Jaringan komputer pada teknik jaringan komputer dan tele...
Prayudha3
 
PPTX
How tech helps people in the modern era.
upadhyayaryan154
 
PDF
Latest Scam Shocking the USA in 2025.pdf
onlinescamreport4
 
Project English Paja Jara Alejandro.jpdf
AlejandroAlonsoPajaJ
 
LOGENVIDAD DANNYFGRETRRTTRRRTRRRRRRRRR.pdf
juan456ytpro
 
dns domain name system history work.pptx
MUHAMMADKAVISHSHABAN
 
办理方法西班牙假毕业证蒙德拉贡大学成绩单MULetter文凭样本
xxxihn4u
 
Generics jehfkhkshfhskjghkshhhhlshluhueheuhuhhlhkhk.pptx
yashpavasiya892
 
KIPER4D situs Exclusive Game dari server Star Gaming Asia
hokimamad0
 
Generative AI Foundations: AI Skills for the Future of Work
hemal sharma
 
Different Generation Of Computers .pptx
divcoder9507
 
UI/UX Developer Guide: Tools, Trends, and Tips for 2025
Penguin peak
 
Slides: PDF Eco Economic Epochs for World Game (s) pdf
Steven McGee
 
Slides Powerpoint: Eco Economic Epochs.pptx
Steven McGee
 
The Monk and the Sadhurr and the story of how
BeshoyGirgis2
 
1965 INDO PAK WAR which Pak will never forget.ppt
sanjaychief112
 
The Internet of Things (IoT) refers to a vast network of interconnected devic...
chethana8182
 
SEO Trends in 2025 | B3AITS - Bow & 3 Arrows IT Solutions
B3AITS - Bow & 3 Arrows IT Solutions
 
B2B_Ecommerce_Internship_Simranpreet.pptx
LipakshiJindal
 
LESSON-2-Roles-of-ICT-in-Teaching-for-learning_123922 (1).pptx
renavieramopiquero
 
Pengenalan perangkat Jaringan komputer pada teknik jaringan komputer dan tele...
Prayudha3
 
How tech helps people in the modern era.
upadhyayaryan154
 
Latest Scam Shocking the USA in 2025.pdf
onlinescamreport4
 

DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]

  • 2. Acknowledgements • Rick Lamb – Senior Program Manager, DNSSEC @ICANN • APNIC Training
  • 3. DNS Basics • DNS converts names (www.icann.org) to numbers (192.0.32.7) • ..to idenOfy services such as www and e-­‐mail • ..that idenOfy and link customers to business and visa versa
  • 4. Reminder: DNS Resolving Question: www.example.net A 1" 2" www.example.net A ? Resolver www.example.net A ? Caching forwarder (recursive) “go ask net server @ X.gtld-servers.net” (+ glue) gtld-server www.example.net A ? “go ask ripe server @ ns.example.net” (+ glue) www.example.net A ? example-server “x.y.z.1” x.y.z.1 3" 4" 5" 6" 7" 9" 8" Add to cache 10" TTL root-server
  • 5. DNS: Data Flow master Caching forwarder Zone administrator Zone file Dynamic updates 1" 2" 3" slaves 4" 5" resolver
  • 6. DNS VulnerabiliOes Corrupting data" Impersonating master" Cache impersonation" master Caching forwarder Zone administrator Zone file Dynamic updates 1" 2" 3" slaves 4" 5" resolver Unauthorized updates" Cache pollution by" Data spoofing" Server protection! Data protection!
  • 7. +1-­‐202-­‐709-­‐5262 VoIP US-­‐NSTIC effort DNS is a part of all IT ecosystems [email protected] mydomainname.com Smart Electrical Grid OECS ID effort
  • 8. Where DNSSEC fits in • ..but CPU and bandwidth advances make legacy DNS vulnerable to MITM aWacks • DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents • With DNSSEC fully deployed a business can be sure a customer gets un-­‐modified data (and visa versa)
  • 9. The Bad: DNSChanger -­‐ ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M Nov 2011 h[p://krebsonsecurity.com/2011/11/malware-­‐click-­‐fraud-­‐kingpins-­‐arrested-­‐in-­‐estonia/ End-­‐2-­‐end DNSSEC valida_on would have avoided the problems
  • 10. The Internet’s Phone Book -­‐ Domain Name System (DNS) www.majorbank.se=? Get page webserver www @ 1.2.3.4 Username / Password Account Data DNS Hierarchy DNS Resolver root se com majorbank.se www.majorbank.se www.majorbank.se = 1.2.3.4 DNS 1.2.3.4 Server Login page ISP Majorbank (Registrant)
  • 11. Caching Responses for Efficiency www.majorbank.se=? Get page webserver www @ 1.2.3.4 Username / Password Account Data DNS Resolver www.majorbank.se = 1.2.3.4 DNS 1.2.3.4 Server Login page
  • 12. The Problem: DNS Cache Poisoning AWack www.majorbank.se=? DNS Resolver www.majorbank.se = 1.2.3.4 DNS 5.6.7.8 Server Get page Attacker webserver www @ 5.6.7.8 Username / Password Error Attacker www.majorbank.se = 5.6.7.8 Login page Password database
  • 13. Argghh! Now all ISP customers get sent to aWacker. www.majorbank.se=? DNS Resolver www.majorbank.se = 1.2.3.4 DNS 5.6.7.8 Server Get page Attacker webserver www @ 5.6.7.8 Login page Username / Password Error Password database
  • 14. Securing The Phone Book -­‐ DNS Security Extensions (DNSSEC) www.majorbank.se=? DNS Resolver with DNSSEC Attacker’s record does not validate – drop it www.majorbank.se = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4 Login page Username / Password Account Data Attacker www.majorbank.se = 5.6.7.8
  • 15. Resolver only caches validated records www.majorbank.se=? DNS Resolver with DNSSEC www.majorbank.se = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4 Login page Username / Password Account Data
  • 16. The Bad: Other DNS hijacks* • 25 Dec 2010 -­‐ Russian e-­‐Payment Giant ChronoPay Hacked • 18 Dec 2009 – Twi[er – “Iranian cyber army” • 13 Aug 2010 -­‐ Chinese gmail phishing a[ack • 25 Dec 2010 Tunisia DNS Hijack • 2009-­‐2012 google.* – April 28 2009 Google Puerto Rico sites redirected in DNS a[ack – May 9 2009 Morocco temporarily seize Google domain name • 9 Sep 2011 -­‐ Diginotar cer_ficate compromise for Iranian users • SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the cer_ficate. Unfortunately, majority of Web site cer_ficates rely on DNS to validate iden_ty. • DNS is relied on for unexpected things though insecure. *A Brief History of DNS Hijacking -­‐ Google h[p://costarica43.icann.org/mee_ngs/sanjose2012/presenta_on-­‐dns-­‐hijackings-­‐marquis-­‐boire-­‐12mar12-­‐en.pdf
  • 17. The Business Case for DNSSEC • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differenOator. • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a pla`orm for new security applicaOons (for those that see the opportunity). • DNSSEC infrastructure deployment has been brisk but requires experOse. Gecng ahead of the curve is a compeOOve advantage.
  • 18. • DNSSEC -­‐ Where we are Deployed on 462/654 TLDs (29 July 2014 70% .com .hr .es .in .af .ee .lb .bg .tm .cz .nl .uk .de .jp .cn .ru .р ф .my مليسيا .asia .tw 台灣, .kr 한국 .net, .org, .post, +gtlds) • Root signed** and audited • Required in new gTLDs. Basic support by ICANN registrars • Growing ISP support*. • 3rd party signing soluOons*** • Growing S/W H/W support: NLNetLabs, ISC, Microsop, PowerDNS, Secure64…? openssl, pos`ix, XMPP, mozilla: early DANE support • IETF standard on DNSSEC SSL cerOficates (RFC6698) • Growing support from major players…(Apple iPhone/iPad, Google 8.8.8.8,…) * COMCAST /w 20M and others; most ISPs in SE ,CZ. AND ~12% of resolvers validate using DNSSEC **Int’l bo[om-­‐up trust model /w 21 TCRs from: TT, BF, RU, CN, US, SE, NL, UG, BR, Benin, PT, NP, Mauri_us, CZ, CA, JP, UK, NZ… *** Par_al list of registrars: h[ps://www.icann.org/en/news/in-­‐focus/dnssec/deployment
  • 19. But… • But deployed on ~1-­‐2% (3.5M) of 2nd level domains. Many have plans. Few have taken the step (e.g., yandex.com, paypal.com*, comcast.com). • DNSChanger and other aWacks highlight today’s need. (e.g end-­‐2-­‐end DNSSEC validaOon would have avoided the problems) • InnovaOve security soluOons (e.g., DANE) highlight tomorrow’s value. * h[p://fedv6-­‐deployment.antd.nist.gov/cgi-­‐bin/generate-­‐com h[p://www.thesecurityprac_ce.com/ the_security_prac_ce/2011/12/all-­‐paypal-­‐domains-­‐are-­‐now-­‐using-­‐dnssec.html h[p://www.nacion.com/2012-­‐03-­‐15/Tecnologia/Si_os-­‐web-­‐de-­‐bancos-­‐_cos-­‐podran-­‐ser-­‐mas-­‐seguros.aspx
  • 20. DNSSEC: So what’s the problem? • Not enough IT departments know about it or are too busy pucng out other security fires. • When they do look into it they hear old stories of lack of turnkey soluOons. • Registrars*/DNS providers see no demand leading to “chicken-­‐and-­‐egg” problems. *but required by new ICANN registrar agreement
  • 21. Too many CAs. Which one can we trust? DNSSEC to the rescue…. CA CerOficate roots ~1482 DNSSEC root -­‐ 1 Login security SSHFP RFC4255 Content security Commercial SSL CerOficates for Web and e-­‐mail DANE and other yet to be discovered security innovaOons, enhancements, and synergies Content security “Free SSL” cerOficates for Web and e-­‐mail and “trust agility” Network security IPSECKEY RFC4025 Cross-­‐ organizaOonal and trans-­‐naOonal idenOty and authenOcaOon E-­‐mail security DKIM RFC4871 Securing VoIP Domain Names hWps://www.eff.org/observatory hWp://royal.pingdom.com/2011/01/12/internet-­‐2010-­‐in-­‐numbers/
  • 22. • For What you can do Companies: – Sign your corporate domain names – Just turn on validaOon on corporate DNS resolvers • For Users: – Ask ISP to turn on validaOon on their DNS resolvers • For All: – Take advantage of organizaOons offering DNSSEC educaOon and training
  • 24. DNSSEC Resource Records • 3 Public key crypto related RRs – RRSIG = Signature over RRset made using private key – DNSKEY = Public key, needed for verifying a RRSIG – DS = Delegation Signer; ‘Pointer’ for building chains of authentication • One RR for internal consistency – NSEC = Next Secure; indicates which name is the next one in the zone and which typecodes are available for the current name • authenticated non-existence of data RFC 4034
  • 25. DNSKEY • Contains the zone’s public key • Uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). • Example:
      myzone.net. IN DNSKEY 256 3 5 ( AwEAAagrVFd9xyFMQRjO4DlkL0dgUCtogviS+FG9Z6Au3h1ERe4EIi3L
                                      X49Ce1OFahdR2wPZyVeDvH6X4qlLnMQJsd7oFi4S9Ng+hLkgpm/n+otE
                                      kKiXGZzZn4vW0okuC0hHG2XU5zJhkct73FZzbmBvGxpF4svo5PPWZqVb
                                      H48T5Y/9 ) ; key id = 3510
    Public key (base64)
  • 26. RRSIG • The private part of the key-pair is used to sign the resource record set (RRset) per zone • The digital signature per RRset is saved in an RRSIG record
      myzone.net. 86400 NS ns.myzone.net.
                  86400 NS ns.yourzone.net.
                  86400 RRSIG NS 5 2 86400 ( 20121202010528 20121102010528 3510 myzone.net.
                        Y2J2+CVqQRjQvcWY256ffiw5mp0OQTQUF8vUHSHyUbbhmE56eJimqDh
                        Xb8qwlFjl40kmlzmQC5CmgugBqjgLHZbuvSfd9+Ucwkxbwx3HonAPr3
                        +0HVqP8rSqGRqSq0VbR7LzNeaylBkumLDoriQxceV4z3d2jFv4ArnM= )
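  The fields of that RRSIG are what a validator checks before it ever touches the signature bytes: the key tag (3510, matching the DNSKEY's "key id" on the previous slide), the signer name, and the expiration/inception window. The Python below is an added example and not part of the tutorial; it parses the slide's RRSIG (with the owner name myzone.net. written out, since the slide inherits it from the line above) and reports whether the signature is usable at a given time. The 7-day re-signing margin is an assumed operational policy, and the base64 signature is kept as text because verifying it needs the RSA public key and is outside this example.

```python
"""Parse an RRSIG record and check its validity window (RFC 4034 section 3.2, RFC 4035 section 5.3.1).

Added example, not code from the slides. Expired signatures are the most common way a
correctly signed zone turns 'bogus' in operation, so the window check matters as much
as the signature itself."""
from datetime import datetime, timezone, timedelta
import re

# RRSIG from slide 26, owner name written out, parenthesised form joined into one record.
SLIDE_RRSIG = (
    "myzone.net. 86400 RRSIG NS 5 2 86400 ( 20121202010528 20121102010528 3510 myzone.net. "
    "Y2J2+CVqQRjQvcWY256ffiw5mp0OQTQUF8vUHSHyUbbhmE56eJimqDh"
    "Xb8qwlFjl40kmlzmQC5CmgugBqjgLHZbuvSfd9+Ucwkxbwx3HonAPr3"
    "+0HVqP8rSqGRqSq0VbR7LzNeaylBkumLDoriQxceV4z3d2jFv4ArnM= )"
)

# Presentation format: owner ttl [IN] RRSIG type alg labels origTTL ( expiration inception keytag signer sig )
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?RRSIG\s+(?P<type_covered>\S+)\s+(?P<algorithm>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<original_ttl>\d+)\s+\(?\s*(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<key_tag>\d+)\s+(?P<signer>\S+)\s+(?P<signature>[A-Za-z0-9+/=\s]+?)\s*\)?\s*$"
)


def parse_timestamp(yyyymmddhhmmss):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Return the RRSIG fields as a dict; whitespace and line breaks are normalised first."""
    m = RRSIG_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("not an RRSIG record")
    d = m.groupdict()
    return {
        "owner": d["owner"],
        "type_covered": d["type_covered"],
        "algorithm": int(d["algorithm"]),
        "labels": int(d["labels"]),          # used to detect wildcard expansion
        "original_ttl": int(d["original_ttl"]),
        "expiration": parse_timestamp(d["expiration"]),
        "inception": parse_timestamp(d["inception"]),
        "key_tag": int(d["key_tag"]),        # selects the DNSKEY to try; not a security check
        "signer": d["signer"],
        "signature": d["signature"].replace(" ", ""),   # base64 text, left unverified here
    }


def signature_window(rrsig, now):
    """Classify the signature at 'now' and return (status, time delta to the relevant boundary).
    A validator only accepts an RRSIG when inception <= now <= expiration."""
    if now < rrsig["inception"]:
        return ("not-yet-valid", rrsig["inception"] - now)
    if now > rrsig["expiration"]:
        return ("expired", now - rrsig["expiration"])
    return ("valid", rrsig["expiration"] - now)


def needs_resigning(rrsig, now, margin=timedelta(days=7)):
    """Operational check: True when less than 'margin' (assumed policy) remains, i.e. the zone
    should be re-signed with dnssec-signzone before validators start failing it."""
    status, left = signature_window(rrsig, now)
    return status != "valid" or left < margin


if __name__ == "__main__":
    sig = parse_rrsig(SLIDE_RRSIG)
    for when in ("20121015000000", "20121115000000", "20121128000000", "20130101000000"):
        now = parse_timestamp(when)
        print(when, signature_window(sig, now)[0], "re-sign:", needs_resigning(sig, now))
```

Run as a script it walks four dates across the slide's window; note that the record becomes unusable the moment the expiration passes, regardless of the 86400 TTL, which is why signing must be a recurring job rather than a one-off step.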
  • 27. Types of Keys • Zone Signing Key (ZSK) – Signs the RRsets within the zone – Public key of ZSK is defined by a DNSKEY RR • Key Signing Key (KSK) – Signs the keys (both the ZSK and the KSK) and may also be used outside the zone • Using a single key or both keys is an operational choice (RFC allows both methods)
  • 28. NSEC Record example
      $ORIGIN myzone.net.
      @          SOA     …
                 NS      NS.myzone.net.
                 DNSKEY  …
                 NSEC    mailbox.myzone.net. SOA NS NSEC DNSKEY RRSIG
      mailbox    A       192.168.10.2
                 NSEC    www.myzone.net. A NSEC RRSIG
      WWW        A       192.168.10.3
                 TXT     Public webserver
                 NSEC    myzone.net. A NSEC RRSIG TXT
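  How a validator turns that three-record chain into a proof of non-existence is easiest to see in code. The Python below is an added example, not part of the tutorial; it models the slide's NSEC chain as constructed data, implements the canonical name ordering of RFC 4034 section 6.1, and answers the two questions NSEC can answer: "does this name exist?" (an NSEC whose owner and next name bracket the query name) and "does this type exist at this name?" (the type bitmap of the NSEC at the name). Wildcard and closest-encloser proofs, and the RRSIG check that must precede any use of an NSEC, are deliberately left out.

```python
"""NSEC chain walk: proving that a name or a type does not exist (RFC 4034 sections 4 and 6.1).

Added example, not code from the slides. The zone data is a constructed copy of the
slide's NSEC chain; a real validator would first verify the RRSIG on each NSEC."""

# owner name -> (next secure name, types present at the owner), as on the slide
NSEC_CHAIN = {
    "myzone.net.":         ("mailbox.myzone.net.", {"SOA", "NS", "NSEC", "DNSKEY", "RRSIG"}),
    "mailbox.myzone.net.": ("www.myzone.net.",     {"A", "NSEC", "RRSIG"}),
    "www.myzone.net.":     ("myzone.net.",         {"A", "NSEC", "RRSIG", "TXT"}),
}


def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels compared right to left,
    case-insensitively, as octet strings; a name sorts before its subdomains."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next_name in canonical order.
    The last NSEC of a zone points back to the apex, so that record wraps around."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # wrap-around record (last name -> apex)


def prove_nonexistence(qname, qtype):
    """Return (verdict, owner of the NSEC used):
      'name-exists'              qname and qtype both present; NSEC denies nothing
      'name-exists-type-absent'  NSEC at qname whose bitmap lacks qtype  (NODATA proof)
      'name-absent'              an NSEC covers qname                    (NXDOMAIN proof)
      'no-proof'                 chain is broken or incomplete"""
    q = qname.lower()
    for owner, (_, types) in NSEC_CHAIN.items():
        if owner.lower() == q:
            if qtype.upper() in types:
                return ("name-exists", owner)
            return ("name-exists-type-absent", owner)
    for owner, (nxt, _) in NSEC_CHAIN.items():
        if nsec_covers(owner, nxt, qname):
            return ("name-absent", owner)
    return ("no-proof", None)


if __name__ == "__main__":
    for q, t in (("ftp.myzone.net.", "A"), ("mailbox.myzone.net.", "MX"),
                 ("WWW.myzone.net.", "TXT"), ("zzz.myzone.net.", "A")):
        print(f"{q:22} {t:4} -> {prove_nonexistence(q, t)}")
```

Note the two directions in which the proof is authoritative: the NSEC at mailbox proves there is no MX there, while the NSEC from www back to the apex proves that nothing sorts after www. This is also why NSEC lets anyone enumerate a zone by walking the chain; NSEC3 (RFC 5155, not covered on the slides) hashes the owner names to make that harder.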
  • 29. Delegation Signer (DS) • Establishes the chain of trust from parent to child zones • Found in the parent’s zone file • In this example, myzone.net has been delegated from .net. This is how it looks in the .net zone file:
      myzone.net. IN NS ns1.myzone.net.
                     NS ns2.myzone.net.
                  IN DS 19996 5 1 ( CF96B018A496CD1A68EE7C80A37EDFC6ABBF8175 )
                  IN DS 19996 5 2 ( 6927A531B0D89A7A4F13E110314C722EC156FF926D2052C7D8D70C5014598CE9 )
  • 30. Delegation Signer (DS) • Delegation Signer (DS) RR indicates that: – delegated zone is digitally signed – indicated key is used for the delegated zone • Parent is authoritative for the DS of the child’s zone – Not for the NS record delegating the child’s zone! – DS should not be in the child’s zone
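  The DS fields on the previous slides (key tag 19996, algorithm 5, digest types 1 and 2) are all derived from the child's KSK DNSKEY, and the digest is what the parent publishes and the child later hands over (slide 35). The Python below is an added example, not part of the tutorial; it computes the key tag of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 over the canonical owner name plus DNSKEY RDATA. The public key bytes used are a constructed placeholder, not a real RSA key, so the digests it prints are for illustration only.

```python
"""DNSKEY key tag and DS digest computation (RFC 4034 Appendix B and section 5.1.4).

Added example, not code from the slides. The sample key below is a constructed
placeholder; with a real DNSKEY the output matches what dnssec-dsfromkey prints."""
import base64
import hashlib
import struct

# Algorithm and digest-type numbers from the IANA DNSSEC registries
ALG_RSASHA1, ALG_RSASHA256 = 5, 8
DS_SHA1, DS_SHA256 = 1, 2


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, terminating zero octet."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode()
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA = flags (2 octets) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit ones-complement-style sum over the RDATA.
    It only identifies a key; collisions are possible and it proves nothing.
    (Algorithm 1, RSA/MD5, uses a different rule and is not handled here.)"""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type):
    """Return (key_tag, algorithm, digest_type, hex digest) for the DS the parent publishes.
    digest = H(canonical owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hash_fn = {DS_SHA1: hashlib.sha1, DS_SHA256: hashlib.sha256}[digest_type]
    digest = hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def format_ds(owner, ds):
    """Presentation format as it appears in the parent zone file."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


# Constructed sample: flags 257 = zone key + SEP bit, i.e. a KSK; key bytes are a fake placeholder
SAMPLE_OWNER = "myzone.net."
SAMPLE_PUBKEY = bytes(range(1, 9))

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, ALG_RSASHA256, SAMPLE_PUBKEY)
    print(SAMPLE_OWNER, "IN DNSKEY 257 3", ALG_RSASHA256,
          base64.b64encode(SAMPLE_PUBKEY).decode(), "; key id =", key_tag(rdata))
    for dtype in (DS_SHA1, DS_SHA256):
        print(format_ds(SAMPLE_OWNER, ds_record(SAMPLE_OWNER, 257, 3, ALG_RSASHA256, SAMPLE_PUBKEY, dtype)))
```

Two properties worth checking in practice fall out of the code: the owner name is lowercased before hashing, so a parent that stores the delegation in a different case still produces the same DS, and any change to flags, algorithm or key material changes the digest, which is why a KSK rollover always means a new DS at the parent.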
  • 31. DNSSEC Validation • Recursive servers that are dnssec-enabled can validate signed zones • The AD bit in the message flag shows if validated • Other options if you don’t have a validating resolver – Use a validator add-on for your web browser • ex: https://www.dnssec-validator.cz/ – Online web tools • http://dnsviz.net/ • http://dnssec-debugger.verisignlabs.com/ – Use an open DNSSEC-validating resolver • Some open validating resolvers – DNS-OARC’s ODVR • 149.20.64.20 (BIND9), 149.20.64.21 (Unbound) – Google Public DNS • 8.8.8.8 or 8.8.4.4
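  The AD bit that dig prints in its flags line is just one bit in the 12-octet DNS header, and it is set by the recursive resolver, not by the authoritative server or the signature. The Python below is an added example, not part of the tutorial; it decodes the header flags from two constructed sample responses and interprets them the way a DNSSEC-aware client should, including the caveat that AD is only meaningful when the path to the resolver is trusted (a validator on localhost, or a resolver reached over TLS) and that a validator reports bogus data as SERVFAIL rather than with a flag.

```python
"""Reading DNSSEC-related flag bits from a DNS response header (RFC 1035 section 4.1.1,
RFC 4035 section 3.2). Added example, not code from the slides; the two response
headers below are constructed samples, not captures."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg):
    """Decode the fixed 12-octet header of a DNS message into a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # response (vs. query)
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data: set by a validating resolver
        "cd": bool(flags & 0x0010),   # checking disabled: set by the client to skip validation
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),   # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    }


def validation_status(msg, resolver_is_trusted):
    """Interpret a response as a DNSSEC-aware stub should.

    AD travels in clear text and is an assertion by the recursive resolver, so it is
    only worth anything when the path to that resolver is trusted. A validating
    resolver signals bogus data with SERVFAIL (when the client did not set CD)."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "SERVFAIL" and not h["cd"]:
        return "servfail-possibly-bogus"
    if h["ad"]:
        return "validated" if resolver_is_trusted else "ad-set-but-untrusted-path"
    return "unvalidated"


def build_header(ident, flags, qd=1, an=1, ns=0, ar=1):
    """Construct a sample header (demonstration helper, not a DNS client)."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed samples: 0x81A0 = qr rd ra ad (what dig shows as "flags: qr rd ra ad"),
# 0x8182 = qr rd ra with RCODE 2, i.e. a SERVFAIL from the resolver.
VALIDATED_RESPONSE = build_header(0x1234, 0x81A0)
SERVFAIL_RESPONSE = build_header(0x1235, 0x8182, an=0, ar=0)

if __name__ == "__main__":
    for name, msg in (("validated", VALIDATED_RESPONSE), ("servfail", SERVFAIL_RESPONSE)):
        h = parse_header(msg)
        flags = " ".join(f for f in ("qr", "aa", "tc", "rd", "ra", "ad", "cd") if h[f])
        print(f"{name}: flags: {flags}; status: {h['rcode']};",
              "trusted path ->", validation_status(msg, True),
              "| untrusted path ->", validation_status(msg, False))
```

The practical consequence: seeing "ad" in dig output against 8.8.8.8 over plain UDP tells you Google validated, but an on-path attacker could have rewritten both the answer and the bit, so the open resolvers on the slide are a convenience for testing rather than a substitute for running validation close to the client.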
  • 32. DNSSEC - Setting up a Secure Zone • Enable DNSSEC in the configuration file (named.conf):
      dnssec-enable yes;
      dnssec-validation yes;
    • Create key pairs (KSK and ZSK):
      dnssec-keygen -a rsasha1 -b 1024 -n zone myzone.net
    • Publish your public key • Signing the zone • Update the config file – Modify the zone statement, replace with the signed zone file • Test with dig
  • 33. Signing the Zone • Sign the zone using the secret keys:
      dnssec-signzone -o <zonename> -N INCREMENT -f <output-file> -k <KSKfile> <zonefile> <ZSKfile>
      dnssec-signzone -o myzone.net db.myzone.net Kmyzone.net.+005+33633
    • Once you sign the zone a file with a .signed extension will be created – db.myzone.net.signed
  • 34. Testing with dig: an example
      dig @localhost www.apnic.net +dnssec +multiline
  • 35. Pushing the DS record • The DS record must be published by the parent zone. • Contact the parent zone to communicate the KSK to them.
  • 36. Ways to Deploy DNSSEC • As part of the DNS software used – Manual key management – Can be quite complex – For static environment – Some means of automation using • option commands and scripts • Use DNSSEC tools for BIND, NSD, PowerDNS, etc with a hardware security module (HSM) – Semi-automatic – Good for dynamic environment • Using an external appliance – ‘dnssec-in-a-box’ – Fully HSM, OpenDNSSEC DNS Appliance automates key generation, signing and rollover
  • 37. DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.