1 / 14

DNS Security Extension (DNSSEC)

DNS Security Extension (DNSSEC). Why DNSSEC?. DNS is not secure Applications depend on DNS Known vulnerabilities DNSSEC protects against data spoofing and corruption. Outline. Introduction DNSSEC mechanisms to authenticate servers (TSIG / SIG0)

jolene
Télécharger la présentation

DNS Security Extension (DNSSEC)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DNS Security Extension (DNSSEC)

  2. Why DNSSEC? • DNS is not secure • Applications depend on DNS • Known vulnerabilities • DNSSEC protects against data spoofing and corruption

  3. Outline • Introduction • DNSSEC mechanisms • to authenticate servers (TSIG / SIG0) • to establish authenticity and integrity of data • Quick overview • New RRs • Using public key cryptography to sign a single zone • Delegating signing authority ; building chains of trust • Key exchange and rollovers • Conclusions

  4. DNS: Known Concepts • Known DNS concepts: • Delegation, Referral, Zone, RRs, label, RDATA, authoritative server, caching forwarder, stub and full resolver, SOA parameters, etc • Don’t know? Do ask!

  5. 2 1 3 Caching forwarder (recursive) 4 8 5 9 Add to cache 6 10 TTL 7 Reminder: DNS Resolving Question: www.ripe.net A root-server www.ripe.net A ? “go ask net server @ X.gtld-servers.net” (+ glue) www.ripe.net A ? Resolver 192.168.5.10 www.ripe.net A ? gtld-server “go ask ripe server @ ns.ripe.net” (+ glue) www.ripe.net A ? “192.168.5.10” ripe-server

  6. Zone administrator 1 2 3 4 5 Zone file slaves DNS: Data Flow master Caching forwarder Dynamic updates resolver

  7. Zoneadministrator 5 4 3 2 1 Zone file slaves DNS Vulnerabilities Corrupting data Impersonating master Cache impersonation master Caching forwarder Dynamic updates resolver Cache pollution by Data spoofing Unauthorized updates Server protection Data protection

  8. DNS Protocol Vulnerability • DNS data can be spoofed and corrupted on its way between server and resolver or forwarder • The DNS protocol does not allow you to check the validity of DNS data • Exploited by bugs in resolver implementation (predictable transaction ID) • Corrupted DNS data might end up in caches and stay there for a long time (TTL) • How does a slave (secondary) knows it is talking to the proper master (primary)?

  9. Motivation for DNSSEC • DNSSEC protects against data spoofing and corruption • DNSSEC (TSIG) provides mechanisms to authenticate servers • DNSSEC (KEY/SIG/NXT) provides mechanisms to establish authenticity and integrity of data • A secure DNS will be used as a public key infrastructure (PKI) • However it is NOT a PKI

  10. DNSSEC Mechanisms to Authenticate Servers • TSIG • SIG0

  11. Impersonating master Unauthorized updates TSIG Protected Vulnerabilities Zone administrator Zone file master Caching forwarder Dynamic updates slaves resolver

  12. AXFR AXFR verification Sig ... Sig ... Slave KEY:%sgs!f23fv SOA … SOA SOA … SOA Sig ... Sig ... verification TSIG example Query: AXFR Master Slave KEY:%sgs!f23fv KEY:%sgs!f23fv Response: Zone

  13. Authenticating Servers Using SIG0 • Alternatively its possible to use SIG0 • Not widely used yet • Works well in dynamic update environment • Public key algorithm • Authentication against a public key published in the DNS

  14. Questions?

More Related