ION Tokyo slides for "The Business Case for Implementing DNSSEC" by Dan York (Internet Society).
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
3. A Normal DNS Interaction
[Diagram: the Web Browser asks the DNS Resolver "example.com?"; the resolver walks the hierarchy (root DNS Svr, then the .com DNS Svr via the .com NS, then the example.com DNS Svr via the example.com NS) and receives 10.1.1.123; it returns 10.1.1.123 to the browser, which then fetches https://example.com/ from the Web Server and receives the web page. Steps are numbered 1 to 6 on the slide.]
5. A Poisoned Cache
[Diagram: the same lookup, but a poisoned answer gives the resolver 192.168.2.2 for example.com, so the browser is sent to a False Site instead of the real Web Server. Resolver cache now has wrong data: example.com 192.168.2.2. This stays in the cache until the Time-To-Live (TTL) expires!]
7. Attempting to Spoof DNS
[Diagram: the lookup from slide 3 with DNSSEC in place. The root and .com DNS Svrs return their NS records together with DS records, and the example.com DNS Svr returns 10.1.1.123 together with its DNSKEY and RRSIGs. An Attacking DNS Svr for example.com also answers 192.168.2.2 with its own DNSKEY and RRSIGs, but those do not validate against the DS chain, so the resolver rejects the forged answer with SERVFAIL.]
8. DNSSEC Is Not Just For The Web
DNSSEC protects ALL information coming from DNS
Significant deployments of DNSSEC (and DANE) in:
• Email (SMTP)
• Instant messaging (XMPP/Jabber)
Other potential uses:
• Voice over IP (VoIP)
• Any application that communicates over the Internet
9. Email Hijacking – A Current Threat
• CERT-CC researchers have identified that someone is hijacking email by using DNS cache poisoning of MX records
• Could be prevented by DNSSEC deployment
• CERT-CC (Sept 10, 2014):
– https://www.cert.org/blogs/certcc/post.cfm?EntryID=206
• Deploy360 blog post (Sept 12, 2014):
– http://wp.me/p4eijv-5jI
11. The Two Parts of DNSSEC
Signing: Registries, Registrars, DNS Hosting
Validating: ISPs, Enterprises, Applications
12. DNSSEC Signing - The Individual Steps
Registry:
• Signs TLD
• Accepts DS records
• Publishes/signs records
Registrar:
• Accepts DS records
• Sends DS to registry
• Provides UI for mgmt
DNS Hosting Provider:
• Signs zones
• Publishes all records
• Provides UI for mgmt
Domain Name Registrant:
• Enables DNSSEC (unless automatic)
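The "Sends DS to registry" / "Accepts DS records" steps above hinge on one small computation: the DS record the registry publishes is a digest of the child zone's DNSKEY, plus the key tag that identifies that key. The following is an added example (not from the slides or any project) that derives a DS record from a DNSKEY the way RFC 4034 specifies it; the DNSKEY below is constructed placeholder data, not a real key.

```python
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF               # fold the carry back in
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> str:
    """DS RDATA in presentation format: key tag, algorithm, digest type 2 (SHA-256), digest.
    The digest covers the owner name in wire form followed by the DNSKEY RDATA
    (RFC 4034 section 5.1.4), which is exactly what the registrar sends to the registry."""
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed sample KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 13 (ECDSA P-256).
# A real P-256 public key is 64 bytes; this 4-byte value is placeholder data only.
SAMPLE_KSK = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print("example.com. IN DS", ds_record("example.com", SAMPLE_KSK))
```

A DS published at the parent that does not match the digest recomputed from the child's DNSKEY breaks the chain of trust for the whole zone, so this is the value to verify before and after any key rollover.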
13. DNSSEC Signing - The Players
Registries, Registrars, DNS Hosting Providers, Domain Name Registrants
(case shown: Registrar also provides DNS hosting services)
14. DNSSEC Signing - The Players
Registries, Registrars, DNS Hosting Providers, Domain Name Registrants
(case shown: Registrant hosts own DNS)
22. The Typical TLS (SSL) Web Interaction
[Diagram: the Web Browser asks the DNS Resolver "example.com?"; the resolver queries the root, .com and example.com DNS Svrs, receives 10.1.1.123 and returns it to the browser; the browser then connects to https://example.com/ and receives the TLS-encrypted web page from the Web Server. Steps are numbered 1 to 6 on the slide.]
23. The Typical TLS (SSL) Web Interaction
[Diagram: the same flow as slide 22, with one question added at the browser: Is this encrypted with the CORRECT certificate?]
25. DANE
[Diagram: the Web Browser w/DANE asks the DNS Server "example.com?" and receives 10.1.1.123 together with DNSKEY, RRSIGs and a TLSA record. The Web Server sends the TLS-encrypted web page with the CORRECT certificate; a Firewall (or attacker) in the path re-signs it and forwards a TLS-encrypted web page with a NEW certificate, copying traffic to log files or other servers. DANE-equipped browser compares the TLS certificate with what DNS / DNSSEC says it should be.]
26. DNS-Based Authentication of Named Entities (DANE)
• Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
• A: Store the certificate (or its fingerprint) in DNS (the new TLSA record) and sign it with DNSSEC.
An application that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
The certificate stored in DNS is controlled by the domain name holder. It can be a certificate signed by a CA – or a self-signed certificate.
27. DANE – Different operation modes ("certificate usage" field)
• 0 – CA specification
  – The TLSA record specifies the Certificate Authority (CA) that will provide TLS certificates for the domain. Must be a valid CA included in the browser/app.
• 1 – Specific TLS certificate
  – The TLSA record specifies the exact TLS certificate that should be used for the domain. Note that this TLS certificate must be one issued by a valid CA.
• 2 – Trust anchor assertion
  – The TLSA record specifies the "trust anchor" to be used for validating the TLS certificates for the domain. Allows the use of a CA not included in the application.
• 3 – Domain-issued certificate
  – The TLSA record specifies the exact TLS certificate that should be used for the domain, BUT, in contrast to usage #1, the TLS certificate does not need to be signed by a valid CA. This allows the use of self-signed certificates.
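The check slides 26 and 27 describe (a DANE-aware client comparing the presented certificate against the TLSA record, honouring the certificate usage field) looks like this in code. This is an added example, not code from the slides or from any DANE implementation; the certificates are constructed byte strings standing in for DER-encoded X.509 certificates, only selector 0 (full certificate) is handled, and the extra PKIX validation required for usages 0 and 1 is not performed.

```python
import hashlib

# Constructed stand-ins for DER-encoded X.509 certificates (example bytes, not real certs).
END_ENTITY_CERT = b"constructed-der-end-entity-cert-for-example.com"
ISSUING_CA_CERT = b"constructed-der-issuing-ca-cert"

def parse_tlsa(rdata: str):
    """Parse TLSA presentation format: '<usage> <selector> <matching-type> <hex data>'."""
    usage, selector, mtype, *data = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data))

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Apply selector and matching type (RFC 6698) to one certificate.
    Only selector 0 (full certificate) is handled; selector 1 (SubjectPublicKeyInfo)
    would need an ASN.1 parser to extract the key, which this example omits."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is not supported in this example")
    if mtype == 0:
        return cert_der                           # exact match on the full certificate
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()  # SHA-256 fingerprint
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()  # SHA-512 fingerprint
    raise ValueError(f"unknown matching type {mtype}")

def dane_match(rdata: str, chain: list) -> bool:
    """True if the presented chain (end-entity cert first) satisfies the TLSA record.
    Usages 1 and 3 pin the end-entity certificate; usages 0 and 2 pin an issuing CA /
    trust anchor elsewhere in the chain. Usages 0 and 1 additionally require ordinary
    PKIX (CA) validation, which this example does not perform."""
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage in (1, 3):
        candidates = chain[:1]
    elif usage in (0, 2):
        candidates = chain[1:]
    else:
        raise ValueError(f"unknown certificate usage {usage}")
    return any(association_data(c, selector, mtype) == expected for c in candidates)

def tlsa_for(cert_der: bytes, usage: int = 3) -> str:
    """Build the TLSA RDATA (selector 0, SHA-256) that pins the given certificate."""
    return f"{usage} 0 1 {hashlib.sha256(cert_der).hexdigest()}"

if __name__ == "__main__":
    record = tlsa_for(END_ENTITY_CERT, usage=3)
    print("_443._tcp.example.com. IN TLSA", record)
    print("presented cert matches:", dane_match(record, [END_ENTITY_CERT, ISSUING_CA_CERT]))
```

With the firewall scenario from slide 25, the re-signed certificate fails `dane_match` for usage 1 or 3 even though it may chain to a CA the browser trusts, which is precisely what a CA-only check cannot detect.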
28. DANE – Not Just For The Web
• DANE defines a protocol for storing TLS certificates in DNS
• Securing Web transactions is an obvious use case
• Other uses also possible:
  – Email
  – VoIP
  – Jabber/XMPP
  – PGP
  – ?
29. DANE Success Stories
SMTP
360+ SMTP servers with TLSA records
http://www.tlsa.info/
XMPP (Jabber)
229 servers
client-to-server & server-to-server
https://xmpp.net/reports.php#dnssecdane
Advertisements!
31. Business Reasons For Deploying DNSSEC
• TRUST – You can be sure your customers are
reaching your sites – and that you are communicating
with their servers.
• SECURITY – You can be sure you are communicating
with the correct sites and not sharing business
information with attackers, ex. email hijacking.
• INNOVATION – Services such as DANE built on top of
DNSSEC enable innovative uses of TLS certificates
• CONFIDENTIALITY – DANE enables easier use of
encryption for applications and services that
communicate across the Internet
33. DANE Resources
DANE Overview and Resources:
• http://www.internetsociety.org/deploy360/resources/dane/
IETF Journal article explaining DANE:
• http://bit.ly/dane-dnssec
RFC 6394 - DANE Use Cases:
• http://tools.ietf.org/html/rfc6394
RFC 6698 – DANE Protocol:
• http://tools.ietf.org/html/rfc6698
34. DANE Resources
DANE and email:
• https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane
• http://tools.ietf.org/html/draft-ietf-dane-smime
DANE Operational Guidance:
• https://tools.ietf.org/html/draft-ietf-dane-ops
DANE and SIP (VoIP):
• http://tools.ietf.org/html/draft-johansson-dispatch-dane-sip
• https://tools.ietf.org/html/draft-ietf-dane-srv
Other uses:
• https://tools.ietf.org/html/draft-ietf-dane-openpgpkey
• https://tools.ietf.org/html/draft-ietf-dane-rawkeys
35. Start Here Page
http://www.internetsociety.org/deploy360/start/
Easy method of finding resources for
specific audiences, including:
• Network operators
• Content providers (ex. web site
owners)
• Developers
• Governments
• Consumer electronics vendors
• Enterprises and campus networks
• Registrars
• Internet exchange points (IXPs)