DNSSEC in .ie




HEAnet Annual Conference, Kilkenny, November 2010
                                 Introduction



       • Billy Glynn (IEDR Techie)

       • M.Sc MIS in TCD
          • Distinction
          • Thesis based on DNSSEC in Ireland

       • IEDR operates the ccTLD for Ireland (dot IE)

       • DNS vulnerabilities

       • DNSSEC in dot IE
Glynn, B :: IEDR :: 11/11/2010
                                 DNS Vulnerabilities

       • Packet Interception

       • Query ID guessing or prediction

       • Betrayal by a trusted server

       • Cache Poisoning

       • Kaminsky’s Cache Poisoning
          • Still poses a risk! - Evgeniy Polyakov **

       * http://www.dnssec.net/dns-threats
       * http://www.ietf.org/rfc/rfc3833.txt
       ** http://bit.ly/a7dR62
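The three classic poisoning conditions on this slide (predictable query IDs, random IDs on a fixed source port, and Kaminsky's random-subdomain flood) can be modelled without sending a packet. The following is an added example, not code from the slides or from IEDR: a toy resolver that accepts a response only when query ID, destination port and question match an outstanding query, and an attacker that forges responses against it. The zone victim.ie, the attacker domain attacker.example, the address 203.0.113.66 and the seed are all made up; real resolvers also apply bailiwick and credibility rules that this model leaves out.

```python
"""Toy model of query-ID guessing and Kaminsky-style cache poisoning.

Constructed simulation: a Resolver object stands in for the cache and a
function forges responses against it. Nothing here touches the network.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Resolver:
    txid_policy: str   # "sequential" (old, predictable) or "random"
    port_policy: str   # "fixed" (always port 53) or "random" (ephemeral range)
    rng: random.Random = field(default_factory=lambda: random.Random(2010))
    next_txid: int = 1000
    pending: dict = field(default_factory=dict)   # (txid, source port) -> qname
    cache: dict = field(default_factory=dict)     # zone -> address of its nameserver

    def send_query(self, qname):
        """Issue an upstream query; return the (ID, source port) it went out with."""
        if self.txid_policy == "sequential":
            txid = self.next_txid
            self.next_txid = (txid + 1) & 0xFFFF
        else:
            txid = self.rng.randrange(0x10000)
        sport = 53 if self.port_policy == "fixed" else self.rng.randrange(1024, 0x10000)
        self.pending[(txid, sport)] = qname
        return txid, sport

    def receive(self, txid, dport, qname, glue):
        """Accept a response only if ID, destination port and question all match an
        outstanding query (all a pre-DNSSEC resolver can check). Nameserver glue for
        the parent zone carried by an accepted response is cached: the poisoning step."""
        if self.pending.get((txid, dport)) != qname:
            return False
        del self.pending[(txid, dport)]
        zone, address = glue
        self.cache[zone] = address
        return True


def kaminsky_attempt(resolver, zone, evil_ns, guessed_port, txid_guesses, nonce):
    """One attack round. The attacker asks for a never-seen name under the target
    zone (Kaminsky's trick: nothing is cached, so the resolver must query and there
    is no TTL to wait out), then floods forged responses carrying NS glue for the
    whole zone, one per guessed ID, all aimed at the guessed port."""
    qname = f"{nonce}.{zone}"
    resolver.send_query(qname)   # the attacker triggers this but does not see ID or port
    for guess in txid_guesses:
        if resolver.receive(guess, guessed_port, qname, (zone, evil_ns)):
            return True
    return False


def run_scenarios(zone="victim.ie", evil_ns="203.0.113.66"):
    """Return {scenario: poisoned?} for three resolver configurations (made-up names)."""
    results = {}

    # 1. Predictable IDs + fixed port: make the resolver look up a name the attacker
    #    is authoritative for, read the ID off that query, send ONE forged packet.
    r = Resolver("sequential", "fixed")
    seen, _ = r.send_query("probe.attacker.example")
    results["sequential_id_fixed_port"] = kaminsky_attempt(
        r, zone, evil_ns, 53, [(seen + 1) & 0xFFFF], nonce="a1")

    # 2. Random IDs + fixed port: 16 bits of entropy, covered by a 65536-packet burst.
    r = Resolver("random", "fixed")
    results["random_id_fixed_port"] = kaminsky_attempt(
        r, zone, evil_ns, 53, range(0x10000), nonce="a2")

    # 3. Random IDs + random source port: the same burst, aimed at the port the
    #    attacker assumes, never matches; each round now has ~32 bits to guess.
    r = Resolver("random", "random")
    results["random_id_random_port"] = kaminsky_attempt(
        r, zone, evil_ns, 53, range(0x10000), nonce="a3")
    return results


if __name__ == "__main__":
    for name, poisoned in run_scenarios().items():
        print(f"{name:26s} poisoned={poisoned}")
```

Source-port randomisation only raises the attacker's cost per round; the forged records are still indistinguishable from real ones once accepted. Signatures that the resolver can check (DNSSEC) are what turn a guessed ID and port into a rejected answer.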








                                 Vulnerable Name Server Versions




                                 DNSSEC

       • Authenticated DNS Messages
          • Origin authentication and integrity of DNS data; no confidentiality

       • PKI
          • KSK, ZSK (pub+priv)
          • A DS record in the parent zone ties the child’s KSK into the chain of trust from the root

       • New RRs
          • DS, DNSKEY, RRSIG, NSEC, NSEC3

       • When?
          • Root Zone “.” has been signed since July 15th 2010
          • dot IE ?

                                 dot IE DNSSEC Testbed




                                 DNSSEC



       • Task Force
          • http://www.dnssec.ie
          • Operational Guidelines
          • Policy
          • Mailing List - dnssec-tf@iedr.ie
              • Subscribe at: dnssec-tf-subscribe@iedr.ie




                                                      Example DNSSEC Query Response


; <<>> DiG <<>> +norec +dnssec @sec1.iedr.ie ie. DNSKEY
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3961
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ie.               IN DNSKEY

;; ANSWER SECTION:
ie.          3600 IN DNSKEY 256 3 10 AwEAAd70huFUJUr9XTkl1bXu/Ykrk2jXvyj9lfi2dkrYUucDL9e0LsHH uU/Eibr/06jjnOt88Tp8r3Pr8o6sNtoNpNuOhEemXeMnkXFDOoeqnvbS a09ASjh77KYGrVZCCKcErlNn1nGiBvoexmYUIFvhBeN8gNMwV4b9U3q/ soWKCFED
ie.          3600 IN DNSKEY 257 3 10 AwEAAdaEXv6yFAwUvbiFEaVSG0aNjWzhEGi0AocYUieuYtNialOOIww2 p+fCJjl+MSbDY9YEyxVSAIukIPMgIDnWPRNGqBIEzu1ZFSA7HffNUN9u NSPIFICXIIBkHXa4O8jZXMnSSuQVipccy8vFu4+Oa4+VVOtX9x6wTX9V v2D1e5m4AAxvUL4i1ZPhPRI+SM3JjWbtlMcLv1vPKc/ah4oq2sYKg75j sj59NPifCQvUmu7Ebel4tHVbinjtF7Qh9CWzt6uDGs9Z97FyPTV8og43 dCHzoliwZy6+FMVSqQZK86XOra7dBoPdv9bnwP14xSQQN5td0a39l1z2 hVogW3jov/c=
ie.          3600 IN DNSKEY 256 3 10 AwEAAZt2lv8XNEQZzop2mvthQXh6HvTd107GxDZx3IhcKPwT7JY+PJmh GYocSUQzf4ipmi9RqdPexX7XLJSvn/JJp5WkWozLKTeeskn9FJSq4Fle gH2HjF+g/F+h0rHnuwi7rT0+EuhK8MzhmhPacHB+GD9RzvPSo1OWUg/O osm4CXKv
ie.          3600 IN DNSKEY 256 3 10 AwEAAaLqy0t2GcQE9UAY9TtWCDWSfg5M5VEXh3SUQnlNLJx3oogIfwKQ 5rbwAA3qR99rgdgDDa9Hc9Y00tpWMepzQ0lcZpuc9CSJctHyCiqrLJTH +/0Jiddm8A3jEoxmcOO3sbyoIyItncjGA4dravHJs/L6evWwWq/m4YBP kH+cnZxv
ie.          3600 IN RRSIG DNSKEY 10 1 3600 20101210103959 20101109115513 63903 ie. VCPWxrQu/SD9gERo/jMMrT4ZEmJ+kQTVHJQhxtZmgyxAXP3YYCOjm5Mx 5O+69rVpDWYzArp1HPSmjLCe3PW99hyAiZQ94Vp53AHC4/DhhwC6s4qz 06VGvTuy3IgdmrcVUFsOqJQXY+5z9Uz2a8bAXd8l77RtxbC/v7bkHjxG HSupA/ACulzvAWUElZB4DYqFP1KK9U+THHLoEjOClYuPuDT5cEqEB5v/ Z0/OMstyaL4rVyJUHLcCZUTeyitXa2vBmfOKioAMTdmj1IJe6HBvQwNA 0/xTu6K0EFYz4A2jwKy39GxiuQ3AHgTVqbwovVRThGHrZNhAfVuMzrQP TIrkkw==

;; Query time: 4 msec
;; SERVER: 193.1.32.45#53(193.1.32.45)
;; WHEN: Wed Nov 10 10:42:52 2010
;; MSG SIZE rcvd: 1041

       • Reading the response
          • flags: qr aa, and no ad: an authoritative answer from sec1.iedr.ie, not a validated one. Only a validating resolver sets ad.
          • EDNS flags: do: the DO bit asked for DNSSEC records, which is why the RRSIG is returned with the DNSKEY RRset.
          • DNSKEY flags 256 = ZSK, 257 = KSK (SEP bit set); algorithm 10 = RSA/SHA-512.
          • The RRSIG covers the whole DNSKEY RRset and names the signing key by its key tag (63903) and validity window (20101109 to 20101210).
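The DS record mentioned on the DNSSEC slide is what ties the 257 (KSK) record in this response to the parent zone. The following is an added example, not code from the slides or from IEDR: it parses the KSK exactly as printed above, computes its key tag (RFC 4034 Appendix B) and builds the DS record the root zone would have to publish for it (RFC 4034 section 5.1.4, digest over the canonical owner name followed by the DNSKEY RDATA), then checks a published DS against a DNSKEY the way a validator does when walking from parent to child. The RRSIG above carries key tag 63903 and a 256-byte signature, which fits the 2048-bit KSK rather than the 1024-bit ZSKs, so the tag this code computes for the KSK should come out as 63903 provided the key material on the slide was transcribed exactly; the DS digest it prints is derived, not copied from the root zone. Standard library only.

```python
"""Key tag and DS record derivation for a DNSKEY (RFC 4034, Appendix B and
section 5.1.4). Added example, not from the slides or IEDR: it shows how the
257 (KSK) record returned by sec1.iedr.ie is tied to the DS record the parent
zone (here the root) must publish for the chain of trust to reach dot IE."""
import base64
import hashlib
import struct

# Presentation form of the ie. KSK from the dig output above (base64 chunks joined).
IE_KSK = (
    "257 3 10 "
    "AwEAAdaEXv6yFAwUvbiFEaVSG0aNjWzhEGi0AocYUieuYtNialOOIww2"
    "p+fCJjl+MSbDY9YEyxVSAIukIPMgIDnWPRNGqBIEzu1ZFSA7HffNUN9u"
    "NSPIFICXIIBkHXa4O8jZXMnSSuQVipccy8vFu4+Oa4+VVOtX9x6wTX9V"
    "v2D1e5m4AAxvUL4i1ZPhPRI+SM3JjWbtlMcLv1vPKc/ah4oq2sYKg75j"
    "sj59NPifCQvUmu7Ebel4tHVbinjtF7Qh9CWzt6uDGs9Z97FyPTV8og43"
    "dCHzoliwZy6+FMVSqQZK86XOra7dBoPdv9bnwP14xSQQN5td0a39l1z2"
    "hVogW3jov/c="
)

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types (RFC 4034, RFC 4509)


def parse_dnskey(text):
    """'flags protocol algorithm base64key' -> (flags, protocol, algorithm, key bytes)."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[3:]))


def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def is_ksk(flags):
    """Bit 15 (value 1) is the Secure Entry Point flag: 257 = zone key + SEP, 256 = ZSK."""
    return bool(flags & 0x0001)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag for algorithms other than 1 (RSA/MD5):
    sum the RDATA as big-endian 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_record(owner, dnskey_text, digest_type=2):
    """Build the DS RR a parent publishes for this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    flags, protocol, algorithm, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(ds_rdata_text, owner, dnskey_text):
    """Check a published DS ('tag alg digesttype hexdigest') against a DNSKEY.
    This comparison is the link a validator follows from parent zone to child."""
    tag, algorithm, digest_type, digest = ds_rdata_text.split()
    expected = ds_record(owner, dnskey_text, int(digest_type)).split(" IN DS ")[1]
    return expected.split() == [tag, algorithm, digest_type, digest.upper()]


def ie_ksk_summary():
    """(flags, algorithm, key length in bytes, key tag) of the KSK from the slide."""
    flags, protocol, algorithm, key = parse_dnskey(IE_KSK)
    return flags, algorithm, len(key), key_tag(dnskey_rdata(flags, protocol, algorithm, key))


if __name__ == "__main__":
    print("ie. KSK (flags, alg, key bytes, key tag):", ie_ksk_summary())
    print(ds_record("ie.", IE_KSK))
```

A ZSK needs no DS: the parent only vouches for the SEP key, and the zone's own RRSIG over the DNSKEY RRset (signed with the KSK, as above) carries trust down to the ZSKs that sign the rest of the zone. Swapping a KSK therefore means coordinating a DS change with the parent, which is why the pre-publish and double-signature rollover schemes exist.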




       Stephen M. Bellovin*

  “Security mechanisms are not magic pixie dust that can be sprinkled over completed protocols”

  * Author of “Using the Domain Name System for System Break-Ins” (seminal DNS threat paper)
        Questions ?




dnssec-tf-subscribe@iedr.ie

    billy.glynn@iedr.ie

http://twitter.com/billyglynn
                                                      Backup Slide: Which TLDs are signed *

  ccTLDs:   be. bg. br. bz. ch. cz. dk. eu. fi. fr. gi. hn. lc. li. lk. mn. na. nu. pm. pr. pt. re. se. tf. th. tm. uk. us. yt.

  gTLDs:    biz. cat. edu. gov. org. info. museum.

  IDN TLDs:
      xn--zckzah. (テスト)
      xn--0zwm56d. (测试)
      xn--deba0ad. (טעסט)
      xn--g6w251d. (測試)
      xn--jxalpdlp. (δοκιμή)
      xn--kgbechtv. (إختبار)
      xn--9t4b11yi5a. (테스트)
      xn--80akhbyknj4f. (испытание)
      xn--11b5bs3a9aj6g. (परीक्षा)
      xn--hgbk6aj7f53bba. (آزمایشی)
      xn--hlcj6aya9esc7a. (பரிட்சை)
  How the list was produced: transfer the root zone, ask for a DS record for every TLD name in it, keep the names that have one, and sort them by length:

   dig @k.root-servers.net . axfr \
     | awk '/^[a-zA-Z0-9-]+\.[[:space:]]/ { print $1, "DS"; }' \
     | sort | uniq \
     | dig -f - \
     | awk '/^[a-zA-Z0-9].*DS/ { print $1; }' | uniq \
     | awk '{ print length($0), $0 | "sort -n" }' \
     | awk '{ print $2 }'

  * Data as of: 10/11/2010
                            Backup Slide: Example of DNSSEC Validation



