Open Issues in Secure DNS Deployment / Securing DNS
Old Dominion University, CS 772/882 – Fall 2009
Student presentation, Matthias Prellwitz
Review DNS: Domain Name System
• Internet destination addresses: Internet Protocol (IP) addresses
• IP/UDP, service on port 53
• Hierarchical organization
  • 1 root, 13 root servers: http://www.root-servers.org/
  • >250 gTLD/ccTLD: http://www.iana.org/domains/root/db/
  • enterprise-level domains
  • sub-domains
(Figure: name tree with root ".", TLDs com, edu and de; odu and vt under edu; www and cs under odu)
Old Dominion University – CS 772/872 - Matthias Prellwitz
Review DNS
; <<>> DiG 9.6.0-APPLE-P2 <<>> cs.odu.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12612
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;cs.odu.edu. IN A
;; ANSWER SECTION:
cs.odu.edu. 900 IN A 128.82.4.2
;; AUTHORITY SECTION:
cs.odu.edu. 228 IN NS 192.168.100.153.
cs.odu.edu. 228 IN NS ns1.cs.odu.edu.
cs.odu.edu. 228 IN NS ns2.cs.odu.edu.
;; ADDITIONAL SECTION:
ns1.cs.odu.edu. 808 IN A 128.82.4.20
ns2.cs.odu.edu. 808 IN A 128.82.4.36
Record types: A = IPv4 address; AAAA = IPv6 address; NS = authoritative name server for the zone
Review DNS: Threats
• DNS query/response transactions
• compromises of the authoritative name server of the target URL
• platform-level/distributed denial-of-service attacks (DDoS)
• cache poisoning: corruption of the cache data of any name server
• spoofing by man-in-the-middle attack: modification over the wire
Introduction: DNS Security Extensions (DNSSEC)
• suite of IETF specifications
• extensions to DNS as used on IP networks, for DNS clients
• origin authentication of DNS data
• data integrity
• no data encryption: no confidentiality
• authenticated denial of existence
DNSSEC: Specification / Theoretical workflow
(Figure: the DNS server generates a key pair (priv/pub) and signs its RRs, producing RRSIG records; the DNS client queries, receives the RRs together with the RRSIG and DNSKEY records, and verifies them to decide whether the answer is secure/trustful.)
DNSSEC: Records
• DNSKEY record (public key)
  • Key Signing Keys (KSK): to sign other DNSKEY and the DS
  • Zone Signing Keys (ZSK): under complete control and use by one particular zone; sign RR and NSEC/NSEC3 records
• RRSIG record (digital signature): absolute timestamps to limit use until expiration of the DNSKEY record
• DS record (designated signer): created with a message digest of the KSK; transferred/published at the parent
(Figure: the parent zone holds the DS with its RRSIG and verifies the message digest that the child zone exports; the child zone holds KSK, ZSK, A RR and NS RR, each with an RRSIG.)
Trust anchors / Authentication chains
• Trust anchors: for knowledge of correctness, >= 1 key whose source is not DNS itself
• Authentication chains
  • series of linked DS and DNSKEY records
  • starting with a trust anchor and leading to the authoritative name server for the domain in question
  • a complete chain is necessary to get a secure DNS lookup
; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec +multiline dnssec-tools.org a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55221
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-tools.org. IN A
;; ANSWER SECTION:
dnssec-tools.org. 900 IN A 192.94.214.6
dnssec-tools.org. 900 IN RRSIG A 5 2 86400 20091126194603 (
    20091027194603 2697 dnssec-tools.org.
    ro+b+4aNVZw5kQnhOlGERV2kKqMpIc7wKlUn/JH8vsOb ... 3 lines )
;; AUTHORITY SECTION:
dnssec-tools.org. 900 IN NS ns6.dnssec-tools.org.
dnssec-tools.org. 900 IN NS ns1.dnssec-tools.org.
dnssec-tools.org. 900 IN RRSIG NS 5 2 14400 20091209001827 (
    20091109001827 2697 dnssec-tools.org.
    DN4qo6TY3DHRvTLtWkfOgFGrZ+uHSj0fhnjJjLlPEeRJ ... 3 lines )
RRSIG fields called out on the slide: type covered (here A), the signature's cryptographic algorithm, the key tag of the DNSKEY for verification, and the signer's name.
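An added example (my code, not from the slides or the referenced papers) that parses an RRSIG line in dig's presentation format and applies the field checks a validating resolver makes before it touches the signature: validity window, labels count against the owner name, and that the signer is the owner's zone or an ancestor of it. The sample record is constructed from the values shown above with a placeholder signature, and the timestamp handling ignores RFC 4034's serial-number wraparound.

```python
"""Added example (not from the slides): parse an RRSIG record in
dig's presentation format and apply the checks a validator makes
on its fields before any cryptography happens."""
from datetime import datetime, timezone

# Constructed sample modelled on the slide's dig output; the signature
# there is truncated, so the base64 blob below is a placeholder.
SAMPLE_RRSIG = ("dnssec-tools.org. 900 IN RRSIG A 5 2 86400 20091126194603 ( "
                "20091027194603 2697 dnssec-tools.org. cGxhY2Vob2xkZXI= )")


def parse_time(stamp):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split an RRSIG line (dig +multiline parentheses included) into RDATA fields."""
    fields = line.replace("(", " ").replace(")", " ").split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": fields[0], "ttl": int(fields[1]), "type_covered": fields[4],
        "algorithm": int(fields[5]), "labels": int(fields[6]),
        "original_ttl": int(fields[7]), "expiration": parse_time(fields[8]),
        "inception": parse_time(fields[9]), "key_tag": int(fields[10]),
        "signer": fields[11], "signature": "".join(fields[12:]),
    }


def in_zone(owner, signer):
    """The signer must be the owner's own zone or an ancestor of it."""
    owner, signer = owner.lower(), signer.lower()
    return owner == signer or owner.endswith("." + signer)


def check_rrsig(sig, now):
    """Return the reasons this RRSIG is unusable at `now` (empty list = OK so far)."""
    problems = []
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("outside validity window")
    owner_labels = len([label for label in sig["owner"].split(".") if label])
    if sig["labels"] > owner_labels:   # fewer labels than the owner means wildcard expansion
        problems.append("labels field exceeds owner name labels")
    if not in_zone(sig["owner"], sig["signer"]):
        problems.append("signer is not the owner's zone or an ancestor")
    return problems
```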
DNSSEC: Algorithm types and flag bit values
• http://www.ietf.org/rfc/rfc4034.txt, A.1. DNSSEC Algorithm Types

Value   Algorithm [Mnemonic]      Zone Signing   References   Status
-----   ----------------------    ------------   ----------   ---------------
0       reserved
1       RSA/MD5 [RSAMD5]          n              [RFC2537]    NOT RECOMMENDED
2       Diffie-Hellman [DH]       n              [RFC2539]    -
3       DSA/SHA-1 [DSA]           y              [RFC2536]    OPTIONAL
4       Elliptic Curve [ECC]                     TBA          -
5       RSA/SHA-1 [RSASHA1]       y              [RFC3110]    MANDATORY
252     Indirect [INDIRECT]       n                           -
253     Private [PRIVATEDNS]      y              see below    OPTIONAL
254     Private [PRIVATEOID]      y              see below    OPTIONAL
255     reserved
6-251   Available for assignment by IETF Standards Action.
; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec +multiline dnssec-tools.org dnskey
...
;; QUESTION SECTION:
;dnssec-tools.org. IN DNSKEY
;; ANSWER SECTION:
dnssec-tools.org. 900 IN DNSKEY 257 3 5 (
    AwEAAcUa48KRuPrTSYBF1HkLbM+KLQYc3Mwt/LFKLkah ... 15 lines
    ) ; key id = 54556
dnssec-tools.org. 900 IN DNSKEY 256 3 5 (
    AwEAAcReJryc5dPcftJaO939HN4/HDZVUa+Nl89l++EL ... 3 lines
    ) ; key id = 3015
dnssec-tools.org. 900 IN DNSKEY 256 3 5 (
    AwEAAdxnftQKTAUJXjOE03kd1v5hfojNq2YJb96Hb6c0 ... 3 lines
    ) ; key id = 2697
dnssec-tools.org. 900 IN RRSIG DNSKEY 5 2 14400 20091126194603 (
    20091027194603 2697 dnssec-tools.org.
    D3MKE7GjZc99SqY2c20OSv483he3b8/B8C9WWtiaL4dF ... 3 lines )
dnssec-tools.org. 900 IN RRSIG DNSKEY 5 2 14400 20091126194603 (
    20091027194603 54556 dnssec-tools.org.
    Qgj2jqRO5va1EE8lUf5zxNQH1SE2YBfWvXSCogf8Fb2X ... 15 lines )
DNSKEY fields called out on the slide: the flags, the protocol field (3 = DNSKEY) and the public key's cryptographic algorithm; the 257 key is the KSK, the 256 keys are ZSKs.

Flags   bit 7 (ZK)   bit 15 (SEP)   role
0       0            0
256     1            0              ZSK
257     1            1              KSK
NSEC3 (RFC 5155): DNSSEC Hashed Authenticated Denial of Existence
• no result for the queried name in the zone
• proof of the closest encloser is required
• signed with RRSIG
• NSEC: returns the previous and following entries in plain text, which allows zone walking
• NSEC3: includes hashed values of the names instead of the names themselves
  • flags
  • "all of the NSEC3 RRs MUST use the same hash algorithm, iteration, and salt values. The Flags field value MUST be either zero or one." http://tools.ietf.org/html/rfc5155, section 7.2
(Figure: NSEC chain example; a query for name5 is answered with the neighbouring entries name4 and name8, and the chain continues with name15, name16, name23 and name42.)
Lookup procedure: recursive name servers
• Exceptions
  • exists.org does not support DNSSEC: no DS record for exists.org in the org zone; no RRSIG record in the reply
  • the domain name notexists.org does not exist: no RRSIG record for the requested RR in the reply, but an NSEC/NSEC3 record that has an RRSIG record
  • 'abc.de' implements DNSSEC, but the TLD or root zone does not: an Island of Security that needs to be validated in another way
; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec +multiline dnssec-tools.org ds
...
;; AUTHORITY SECTION:
...
org. 900 IN RRSIG SOA 7 1 900 20091122233014 (
    20091108223014 5273 org.
    Q62gM7ZdGXcLp+vz6W9TrK3xb0qb5tzA3Cua9Yoa0a40 ... 3 lines )
42f5nmrh2nqqrq6q80mr729h4mgfjnt4.org. 900 IN RRSIG NSEC3 7 2 86400 20091116011258 (
    20091102001258 5273 org.
    KqtUx4vOhlW+XPJmZls4+ONggRvn+CxFuCyV7cy4obRu ... 3 lines )
42f5nmrh2nqqrq6q80mr729h4mgfjnt4.org. 900 IN NSEC3 1 1 1 D399EAAB 432DH8PCEQQV2HABCULQ7T7DOBRHVSQQ A RRSIG
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 900 IN RRSIG NSEC3 7 2 86400 20091122233014 (
    20091108223014 5273 org.
    QjSh3rPIgIgxVGtbE+ebwj4v0SJ4TvME4hhkzx7C+a65 ... 3 lines )
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 900 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
Annotations on the slide: 5273 is the ZSK key id of the .org zone; the NSEC3 RDATA begins with the hash algorithm, flags, iterations and salt (here 1 1 1 D399EAAB).
Zone data: http://secspider.cs.ucla.edu/dnssec-tools-org--zone.html
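An added example (not the slides' own material) of the NSEC3 hashing the previous slides describe, following RFC 5155 section 5: the hashed owner name is SHA-1 over the canonical wire-format name and the salt, re-hashed with the salt once per iteration, then encoded in base32hex; a resolver then checks whether the queried name's hash falls between an NSEC3 record's owner hash and its next hashed owner, as in the .org records above. Only the Python standard library is used; the zone parameters in the test are the RFC 5155 Appendix A ones (salt aabbccdd, 12 iterations).

```python
"""Added example (not from the slides): compute an NSEC3 hashed owner name
as RFC 5155 section 5 defines it, then test whether an NSEC3 record's
owner/next-hash span covers a queried name (hashed denial of existence)."""
import base64
import hashlib

# base32hex alphabet (RFC 4648 section 7) keeps hash order under text sort,
# which is what lets the "between owner and next" comparison below work
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, 0 byte for root."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations, hash_algorithm=1):
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    if hash_algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode().lower()


def covers(owner_hash, next_hash, target_hash):
    """True if target lies strictly between owner and next in hash order.
    The last NSEC3 in a zone points back to the first, so it wraps around."""
    o, n, t = (h.lower() for h in (owner_hash, next_hash, target_hash))
    if o < n:
        return o < t < n
    return t > o or t < n


def denies(nsec3_owner, next_hash, salt, iterations, qname):
    """Does this NSEC3 RR (owner name, next hash, zone parameters) cover qname?
    A full validator also proves the closest encloser (RFC 5155 section 8.4)."""
    return covers(nsec3_owner.split(".")[0], next_hash,
                  nsec3_hash(qname, salt, iterations))
```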
; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec +multiline iis.se ds
...
;; ANSWER SECTION:
iis.se. 900 IN DS 18937 5 2 (
    B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2E
    C9F3B58A994A6ABDE543 )
iis.se. 900 IN DS 18937 5 1 (
    10DD1EFDC7841ABFDF630C8BB37153724D70830A )
iis.se. 900 IN RRSIG DS 5 2 3600 20091115192357 (
    20091109082316 13173 se.
    OEZ7p5uVA+d8FlUIPHQNbKe5B2I6L529aTFO3QRnlU51 ... 3 lines )
;; AUTHORITY SECTION:
...
se. 900 IN NS a.NS.se.
se. 900 IN RRSIG NS 5 1 172800 20091116145602 (
    20091109222317 13173 se.
    dj9mDaHJGDm50J3zNUyi7lbkps5Ae5w4xbXfRtHU357d ... 3 lines )
;; ADDITIONAL SECTION:
...
b.NS.se. 900 IN A 192.36.133.107
...
b.NS.se. 900 IN RRSIG A 5 3 172800 20091114005853 (
    20091108062317 13173 se.
    XaFta/h92liKT/Cyji34DTBNGPVOig+pnIUdeFD6tsyI ... 3 lines )
...
DS fields called out on the slide: the key tag of the corresponding DNSKEY RR (here DNSKEY #18937 of iis.se), the algorithm used by iis.se (here 5 = RSA/SHA-1), and the digest type, i.e. the algorithm used to construct the digest.
Zone data: http://secspider.cs.ucla.edu/iis-se--zone.html
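An added example (my code, not from the slides) that ties the DNSKEY slide, the DS output above and the authentication-chain slide together: it decodes the DNSKEY flag bits, computes the RFC 4034 Appendix B key tag that dig prints as "key id", builds the DS digest for digest types 1 (SHA-1) and 2 (SHA-256), and checks whether a parent's DS matches the child's DNSKEY, which is one link of the chain. The DNSKEY material is constructed (a 4-byte placeholder key under a made-up owner name), so the numbers are illustrative only.

```python
"""Added example (not from the slides): decode DNSKEY flags, compute the
RFC 4034 Appendix B key tag, and check a parent's DS record against the
child's DNSKEY, i.e. verify one link of the authentication chain."""
import base64
import hashlib

# Constructed DNSKEY: flags 256 (ZSK), protocol 3, algorithm 5, 4-byte key blob.
# A real RSA key is hundreds of bytes; the shape of the computation is the same.
SAMPLE_OWNER = "child.example."
SAMPLE_PUBKEY_B64 = "AQIDBA=="

def dnskey_role(flags):
    """Bit 7 (value 256) = Zone Key; bit 15 (value 1) = Secure Entry Point."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format RDATA: 2-byte flags, protocol, algorithm, public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(rdata):
    """RFC 4034 Appendix B; not valid for algorithm 1 (RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # the digest types in the DS output

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, 0 byte for root."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), upper-case hex like dig."""
    return DS_DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, ds_tag, ds_alg, ds_digest_type, ds_hex):
    """Does this DS (published in the parent zone) point at this child DNSKEY?"""
    if ds_digest_type not in DS_DIGESTS or key_tag(rdata) != ds_tag:
        return False
    if rdata[3] != ds_alg or dnskey_role(int.from_bytes(rdata[:2], "big")) == "not a zone key":
        return False
    return ds_digest(owner, rdata, ds_digest_type) == ds_hex.replace(" ", "").upper()
```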
Implementation options
• at any level of a DNS hierarchy
• server
  • update with DNSSEC-supporting software
  • creating DNSSEC data and adding it to the DNS zone data
• client (resolver)
  • requires >= one trustful public key, received through a channel other than DNS
  • secure!: https://itar.iana.org/, https://trustanchor.dotgov.gov/
  • XML file for some TLDs: https://itar.iana.org/anchors/anchors.xml
  • DNSSEC Look-aside Validation: https://www.isc.org/ops/dlv/

/etc/named.conf:
{ dnssec-enable yes; dnssec-validation yes; };
trusted-keys { ... "iis.se." 257 3 5 "AwE..."; ... }

Key generation and zone signing:
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename
dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename
dnssec-signzone [-o zonename] ... [-k KSKfile] zonefile [ZSKfile]
Tools
• BIND >= 9.6
• Drill/ldns: http://www.nlnetlabs.nl/projects/ldns/ (dig tool bundled with ldns)
• DNSSEC-Tools: http://dnssec-tools.org/
• support included in the OS: Windows 7, Windows Server 2008 R2
Deployments
• early adopters, country code TLDs: .br, .bg, .cz, .pr, .se
• 2007/06: IANA started a sample signed root
• 2009/02: Verisign Inc.: DNSSEC for their TLDs within 24 months
• 2009/06: The Public Interest Registry: .ORG zone signed
• 2009/06: NIST announced plans to sign the root by the end of 2009
• current issues: signing the root zone
  • http://www.h-online.com/security/news/item/Seven-key-holders-for-the-DNS-root-zone-857180.html
  • http://www.h-online.com/security/news/item/First-root-server-provides-a-DNSSEC-signed-zone-as-of-December-1st-819870.html
References
• Chandramouli, R.; Rose, S.: Open Issues in Secure DNS Deployment. IEEE Security & Privacy, Volume 7, Issue 5, Sept.-Oct. 2009, pages 29-35. Digital Object Identifier 10.1109/MSP.2009.129
• Wijngaards, W.C.A.; Overeinder, B.J.: Securing DNS: Extending DNS Servers with a DNSSEC Validator. IEEE Security & Privacy, Volume 7, Issue 5, Sept.-Oct. 2009, pages 36-43. Digital Object Identifier 10.1109/MSP.2009.133
• http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions