Presentation from ION Djibouti on 2 June 2014 by Mark Elkins. DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.

1. A Business Case for DNSSECA Business Case for DNSSEC
By
Mark Elkins
June 2014

2. What DNSSEC Gives UsWhat DNSSEC Gives Us
Validation of Data lookups published in the DNS
very simple to activate on a recursive Nameserver
Bind: addition to named.conf
managed-keys {
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7g....
QxA+Uk1ihz0=";
};

3. If you use Chrome or Firefox, install the
"DNSSEC Validator" Add-on.
Search for "DNSSEC Validator"
- Signed and Validates, Chain of Trust is intact.
- Signed, but Chain of Trust is broken.
- Signed, but does not Validate, Chain of Trust is intact.
- Not Signed.
What DNSSEC Gives UsWhat DNSSEC Gives Us

4. ftth.posix.co.za AAAA ??? → 2001:42a0:1:208::13
A Trusted Reply!
_443._tcp.ftth.posix.co.za TLSA ??? → 3 0 1
B635D5DECFF4C30F7DC6606EB12D9CC8C5C05E3F89221FE74
23AA2D5 AC8CAADA
A Trusted DANE/TLSA Record!
(Created by hash-slinger, Thanks Dan)
What DNSSEC Gives UsWhat DNSSEC Gives Us

5. ●Is the art of deception
●This is not the droid computer you are looking for
●Mission: to be one with your computer
Back to business - PhishingBack to business - Phishing

6. We need HTTPS (Mission: HTTP on everything)
● Identifies the site we are connect to
● Padlock is there
Except there are over a hundred Certificate Authorities...
I use StartCom/StartSSL - but how would you know?
Back to business - PhishingBack to business - Phishing

7. ●With DNSSEC securing a TLSA Signature
●With a TLSA Signature covering the SSL Certificate
●With Padlocks, Keys - almost covered!
Back to business - PhishingBack to business - Phishing

8. It talks to my X509 Certificate
Back to StartCOMBack to StartCOM

9. ● Signing (and keeping it signed)
● Interaction with Parents
Deployment ChallengesDeployment Challenges

10. Signing can be simple
There are Scripts (eg. mine) (http://posixafrica.com)
and black box solutions (eg. OpenDNSSEC)
This can be done in just three commands....
(Assuming you have a zone called 'web.za')
# dnssec-keygen -a RSASHA256 -b 1024 web.za
# dnssec-keygen -a RSASHA256 -b 2048 -f KSK web.za
# dnssec-signzone -S web.za
Signing and keeping it signedSigning and keeping it signed

11. 'web.za' is now signed and the new zone is called 'web.za.signed'
There is also a file called 'dsset-web.za.' (discussed next slide)
Edit your 'named.conf' to use the new 'signed' version of the zone.
In reality - one should at some regular determined frequency,
generate new keys and roll out the old keys....
Signing and keeping it signedSigning and keeping it signed

12. The contents of the file 'dsset-web.za.' needs to be
securely installed into the parent zone of 'za'.
web.za. IN DS 52867 8 1 921AFBC6DF6....
web.za. IN DS 52867 8 2 9FBC5FBC6B9....
1 - Encrypted e-mail (How I talk to Tanzania or Namibia)
2 - Via a web front-end (AFRINIC, Root)
3 - Via the Registries EPP system (COZA/dotAfrica)
Signing and keeping it signedSigning and keeping it signed

13. Dealing with parentsDealing with parents
Uncooperative Parents?

14. The Deployment of DNSSEC is a way to make the
Internet a Safer place.
It is not a Silver Bullet, but combined with other
security features gets us pointed in the right
direction.
ConclusionsConclusions

15. Questions?
mje@posix.co.za
A Business Case for DNSSECA Business Case for DNSSEC