

                                   Understanding the
                        USG Incremental Deployment Plan
                                 for DNSSEC:

                        Standards, Guidance, FISMA, Policies, Plans
                                        and Pilots.

                              Doug Montgomery (
                               Manager Internet Technologies Research Group
                        Our Critical Infrastructures
                        U.S. Critical Infrastructures
                          “systems and assets, whether physical or virtual, so vital to the
                          United States that the incapacity or destruction of such systems
                          and assets would have a debilitating impact on security, national
                          economic security, national public health and safety, or any
                          combination of those matters.” -- USA Patriot Act (P.L. 107-56)
                        The Internet & The Information Economy
                        – Internet technologies are vital to the operation of defense
                          systems, financial services, news and entertainment, medicine,
                          education, manufacturing, emergency response and
                        – Critical Internet Infrastructure - what are the Internet’s critical
                          components / resources?
                            • Naming – Domain Name System (DNS)
                            • Addressing – IPv4 and IPv6 Address Space
                            • Routing – Border Gateway Protocol (BGP)
                         Motivations and Constraints
                        • The bad guys …
                          – Increasingly attacks are much more sophisticated, highly
                            motivated and resource rich.
                              • Phishing and pharming attacks for $.
                              • Nation state attacks for military / intelligence goals.
                              • Infrastructure attacks to “pull the rug from under” hardened
                                hosts / services.
                        • The good guys …

                          – Face technical, economic, and political barriers to
                            deployment of some technologies.
                              • Unregulated, low margin industry in the core of the network.
                          – Who pays for security? Who pays for insecurity?
                              • Must have incremental deployment plan.
                              • Must have favorable / viable business model.
                         Cache Poisoning (Kaminsky) Attack.
                        • Technically nothing new
                           – vulnerability identified in ‘95 at least.
                        • What opened eyes:
                           – … was the scope of vulnerability – millions of DNS servers.
                           – … was the ease of executing the attack.
                           – … was the novel ways in which cache poisoning could be used as
                             a tool to undermine other critical network services and trust.
                        • What people are learning:
                           – Is that there is no simple quick fix.
                           – “The patch” (randomizing the resolver’s UDP source port) – while
                             important – only moved the vulnerability from trivial to exploit
                             to easy to exploit: a forged response still needs only a matching
                             transaction ID and port to be accepted.
                           – The real vulnerability is the inherent lack of security in the DNS.
                           – The Kaminsky attacks will continue – software available, patched
                             systems proven still vulnerable.
                           – The Kaminsky attack is just the latest instance to exploit a
                             systemic DNS vulnerability. There are and will be more.
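To make the “trivial to easy” point concrete, here is an added toy model of the poisoning race (example code written for this page, not from the slides or from NIST): a resolver that accepts any response whose transaction ID and destination port match its one outstanding query, an attacker who triggers queries for fresh random names so that no cached TTL has to expire first, and a forged answer carrying an NS record plus glue for the whole zone. The zone name, the attacker address, the fixed port of the unpatched resolver, the 16-bit port range and the assumption that forgeries always beat the real answer are all constructed for the example.

```python
"""Toy model of the cache-poisoning race against a pre-DNSSEC resolver.

Added example, not from the slides. Simplifications (all assumptions): one
outstanding query at a time, the attacker's forged packets always arrive
before the real answer, source ports are drawn from a full 16-bit space (real
resolvers use a narrower ephemeral range, which only helps the attacker), and
the cache is a plain dict."""
import random

TXID_SPACE = 1 << 16           # the DNS transaction ID is a 16-bit field
PORT_SPACE = 1 << 16           # assumption: randomized source port, 16 bits
FIXED_PORT = 53000             # assumption: the unpatched resolver always uses this port
VICTIM_ZONE = "example.com"    # constructed target zone
ATTACKER_IP = "192.0.2.66"     # RFC 5737 documentation address, constructed


def spoof_probability(guesses: int, entropy_bits: int) -> float:
    """P(at least one of `guesses` uniformly random forgeries matches the
    outstanding query) when the query's identifiers carry `entropy_bits`."""
    return 1.0 - (1.0 - 1.0 / (1 << entropy_bits)) ** guesses


class ToyResolver:
    """Accepts a response iff txid and destination port match the single
    outstanding query; that is all an unsigned DNS response is checked against."""

    def __init__(self, rng: random.Random, randomize_port: bool):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}
        self.outstanding = None          # (qname, txid, port) or None

    def send_query(self, qname: str) -> tuple:
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_SPACE) if self.randomize_port else FIXED_PORT
        self.outstanding = (qname, txid, port)
        return txid, port

    def receive(self, qname: str, txid: int, port: int, records: dict) -> bool:
        if self.outstanding != (qname, txid, port):
            return False                 # wrong txid or port: dropped silently
        # Bailiwick check: cache only names at or below the zone being queried.
        for name, rdata in records.items():
            if name == VICTIM_ZONE or name.endswith("." + VICTIM_ZONE):
                self.cache[name] = rdata
        self.outstanding = None          # query answered; later packets are ignored
        return True


# Kaminsky's payload: the forged answer carries an NS record for the whole zone
# plus glue pointing that nameserver at the attacker, so one hit hijacks the zone.
FORGED_RECORDS = {
    VICTIM_ZONE: f"NS ns.{VICTIM_ZONE}",
    f"ns.{VICTIM_ZONE}": f"A {ATTACKER_IP}",
}


def poison_attempt(resolver: ToyResolver, guessed_port: int, attempt_no: int) -> bool:
    """One round: trigger a query for a fresh, uncached name (no TTL to wait
    out), then sweep every txid at the guessed port. True if the forged
    NS/glue landed in the cache."""
    qname = f"{attempt_no:08x}.{VICTIM_ZONE}"
    resolver.send_query(qname)
    for txid in range(TXID_SPACE):
        if resolver.receive(qname, txid, guessed_port, FORGED_RECORDS):
            return True
    resolver.outstanding = None          # the real answer arrived; try again
    return False


def attack_unpatched(seed: int = 1) -> ToyResolver:
    """Fixed source port: a full txid sweep is guaranteed to hit on attempt 1."""
    resolver = ToyResolver(random.Random(seed), randomize_port=False)
    poison_attempt(resolver, FIXED_PORT, attempt_no=1)
    return resolver


def attack_patched(seed: int = 1, attempts: int = 3) -> tuple:
    """Randomized port: the attacker must also guess the port, so each full
    txid sweep succeeds only with probability 1/PORT_SPACE. Returns (hits, resolver)."""
    resolver = ToyResolver(random.Random(seed), randomize_port=True)
    attacker = random.Random(seed + 1)
    hits = 0
    for n in range(1, attempts + 1):
        if poison_attempt(resolver, attacker.randrange(PORT_SPACE), n):
            hits += 1
    return hits, resolver


if __name__ == "__main__":
    print("unpatched resolver cache:", attack_unpatched().cache)
    hits, _ = attack_patched()
    print("patched resolver after 3 full txid sweeps, hits:", hits)
    # 16 bits of identifier entropy: 65,536 random guesses land with p ~ 0.63;
    # 32 bits (txid + port): the same effort lands with p ~ 1.5e-5.
    print(spoof_probability(65536, 16), spoof_probability(65536, 32))
```

With the port fixed, sweeping all 65,536 transaction IDs is guaranteed to hit on the first query; with a randomized port the same sweep hits only when the port guess is right, so the attacker needs on the order of 65,536 rounds instead of one. That is a constant factor on an unauthenticated protocol, not a fix: only a signature on the data itself stops a correctly guessed forgery from being accepted, which is why the slides point at DNSSEC rather than more entropy.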
                               USG and NIST RD&D Plans
                        Internet Infrastructure Protection:
                        • Clearly Identified National Priorities:
                           – The National Strategy to Secure Cyberspace and the
                             OSTP Federal Plan for Cyber Security and
                             Information Assurance Research and Development
                             identify improving the security and resilience of
                             DNS, BGP and IP as national priorities for threat and
                             vulnerability reduction
                        • Strong component of standards, metrology and
                          cyber security guidance.

                           – NIST has the technical expertise and the
                             jurisdiction/scope to lead efforts in many of these
                             areas …
                           – … and we are collaborating with DHS, OMB, NTIA
                             and GSA where the others have the lead.
                          Research, Development & Deployment
                        (process diagram; labels recovered from the figure: Problem
                        Identification; Define USG R&D Priorities; Problem Space
                        Characterization; Requirements; Threat Modeling; Consensus
                        Standards; Protocol Design; Modeling; Analysis; FIPS / FISMA;
                        Metrology; Develop; Pilot Testbeds)
                            USG Road to Deployment
                        • Not a Chicken and Egg Problem!
                           – Clear answer is to establish signed infrastructure first ….
                           – … then deploy validators/applications to use it.
                        • Phased Development & Deployment Plan
                           – Phase 1 2000-2007
                               • Technology Development and Testing
                               • Deployment Guidance

                           – Phase 2 2007-2010
                               • Sign the USG DNS Infrastructure (.gov)
                           – Phase 3 2010+
                               • Deploy validation tools to leverage signed infrastructure.
                               • Deploy DNSSEC-aware applications.
                                Recommendations, Requirements
                                       and Policies
                        •   Embodied in evolving FISMA Requirements:
                             – FIPS 200 - Minimum Security Requirements for Federal
                               Information and Information Systems
                             – (FISMA) Recommended Security Controls for Federal Information
                               Systems (NIST SP 800-53)
                             – (FISMA) Guide for Assessing the Security Controls in Federal
                               Information Systems (NIST SP 800-53A)

                             – Secure Domain Name System (DNS) Deployment Guide (NIST SP 800-81)
                             – Recommendation for Key Management (NIST SP 800-57).
                        •   Embodied in specific policies:
                            – Securing the Federal Government’s Domain Name System
                              Infrastructure (OMB M-08-23)
                             What is Required When?
                        • Phase 2 – Sign the USG Infrastructure
                           – FISMA Dec 2006 Revision
                              • Required HIGH & MODERATE impact systems to sign and HIGH
                                *to be able to* validate zones.
                           – Aug 2008 OMB-08-23
                              • Requires .gov TLD to be signed by early 2009.
                              • External facing agency .gov zones to be signed by Dec 2009.

                              • Agencies to comply with 2009 FISMA DNSSEC requirements.
                           – FISMA May 2009 Revision
                              • All (HIGH, MODERATE, LOW) systems must sign DNS by May
                        • Phase 3 – Validation / Application Infrastructure
                           – Target FISMA 2010 Revision.
                        International Standards
                              DNS Security Extensions
                        • DNSSEC Standards:
                          – Open, consensus, international IETF standard extensions to
                            add basic security mechanisms and trust models to the DNS.
                          – Adds digital signatures to DNS data.
                             • Source authentication and data integrity
                          – Incremental deployment model on current DNS infrastructure.
                          – Enables establishment of a verifiable “chain of trust”
                            between parent and child zones.
                        • Core RFCs:
                          – RFC 4033 - DNS Security Introduction and Requirements
                          – RFC 4034 - Resource Records for the DNS Security Extensions
                          – RFC 4035 - Protocol Modifications for the DNS Security Extensions
                          – RFC 5011 - DNS Key Rollover (Automated Updates of DNSSEC Trust Anchors)
                          – RFC 5155 - DNSSEC Hashed Authenticated Denial of Existence
                                   Features of DNSSEC
                        • Zones are signed, not servers
                           – Keys are associated with zones
                           – There is only one version of the zone
                        • Backward Compatible with existing DNS
                           – Client must signal it wants signatures in the response (the EDNS0
                             DO bit), otherwise servers behave as today’s DNS.
                           – Also allows for other DNS extensions to co-exist.

                        • Crypto agnostic
                           – Cryptographic algorithms can be swapped out
                           – …. or multiple used at once.
                        • Based on open standards
                           – Several independent implementations
                           – DNSSEC totally contained within DNS protocol
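An added example (written for this page, not from the slides or from any NIST tool) of what “client must signal” means on the wire: the only difference between a plain query and a DNSSEC-aware one is an EDNS0 OPT pseudo-record in the additional section with the DO bit set, which is exactly the hook that lets unmodified servers and resolvers keep working unchanged. The query name, the transaction ID and the 4096-byte advertised buffer size are arbitrary choices made for the example.

```python
"""Build and inspect DNS queries in wire format, with and without the EDNS0
DO ("DNSSEC OK") bit. Added example, not from the slides; the query name,
txid and payload size are constructed."""
import struct

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1
DO_FLAG = 0x8000          # top bit of the OPT RR's 16-bit flags field (RFC 4035 s. 3.2.1)
EDNS_PAYLOAD = 4096       # advertised UDP buffer size; assumption, any value works


def encode_name(name: str) -> bytes:
    """'example.com.' -> b'\\x07example\\x03com\\x00' (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234,
                edns: bool = False, dnssec_ok: bool = False) -> bytes:
    """A plain query has ARCOUNT 0. An EDNS0 client appends one OPT pseudo-RR
    (ARCOUNT 1) whose TTL field carries ext-rcode, version and flags; a DNSSEC-
    aware client additionally sets DO in those flags to ask for RRSIG/NSEC data."""
    edns = edns or dnssec_ok
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if not edns:
        return header + question
    flags = DO_FLAG if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_PAYLOAD, flags, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def dnssec_ok(msg: bytes) -> bool:
    """What a server checks before attaching signatures: is there an OPT RR in
    the additional section with the DO bit set? A server that does not
    understand EDNS0 simply sees ARCOUNT 0 queries from legacy clients."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                        # QTYPE + QCLASS
    for _ in range(an + ns):                                 # skip answer/authority RRs
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG)
    return False


if __name__ == "__main__":
    for label, q in (("plain", build_query("example.com.")),
                     ("edns, no DO", build_query("example.com.", edns=True)),
                     ("edns + DO", build_query("example.com.", dnssec_ok=True))):
        print(f"{label:12s} {len(q):3d} bytes  DO={dnssec_ok(q)}  {q.hex()}")
```

The three variants differ only in the trailing 11 bytes and the ARCOUNT field, which is the whole of the “backward compatible” claim: a resolver that never sets DO never receives RRSIG, NSEC or DNSKEY data it cannot use, and a server that ignores the OPT record answers exactly as it did before.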
                        USG Deployment Guidance
                        DNSSEC Deployment Guidance
                        •   Secure DNS Deployment Guide
                            – NIST Special Publication 800-81
                            – Deals with DNS Security, not just DNSSEC
                            – Technical deployment guidance for enterprise
                              DNS administrators and security officers.
                            – Provides both information for robust
                              configuration of traditional DNS services and
                              deployment / operational guidance for

                            – Provides cookbook configuration examples for
                              commonly used DNS servers.
                        • Revision 1 – out for public comment!
                            – Addresses additional issues in key and zone
                              management and the use of NSEC3.
                            – Additional configuration examples.
                            – Search for NIST 800-81r1.
                            – Comments to before
                              March 31, 2009.
                           NIST Recommendations for Key
                               Management SP800-57
                        • 3 Part guide on Federal key management
                          – Part 1 General: Defines scope, gives overview of process, crypto
                            algorithms and procedures and terms used in the document
                          – Part 2 Best Practices for Key Management Organization:
                            Identifies requirements, and policies for IT organizations.

                          – Part 3 Application Specific Key Management Guidance: Gives
                            specific guidelines for procurement and configuration of software
                            to support given applications
                               DNSSEC Key Management
                                             SP 800-57 Part 1
                        • DNSSEC signing keys are “authentication keys” not
                          “digital signing keys”
                        • Key Parameters:
                           – Algorithm: RSA/SHA-256 (RSA/SHA-1 for now)
                           – Size: 2048 bit minimum
                           – Lifecycle: general SP 800-57 guidance is 1-2 years, but the
                             DNSSEC-specific recommendations are:
                              • ZSK: 30 – 90 days (1-3 months)
                              • KSK: 1 year
                        • NSEC3 not required, but parameters given if desired (in
                          NIST SP 800-81r1)
                           – Iterations: 1-10 for SHA-1
                           – Salt: change monthly
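The NSEC3 knobs above (hash iterations and a periodically changed salt) only make sense once you see what they feed into. This added example (not from the slides or from SP 800-81) implements the RFC 5155 owner-name hash and checks it against the RFC 5155 Appendix A vector (salt aabbccdd, 12 iterations); the zone contents and the salt-rotation demonstration are constructed.

```python
"""NSEC3 owner-name hashing per RFC 5155 section 5, with the salt and iteration
parameters the slide refers to. Added example, not from the slides; the
aabbccdd/12 parameters and the expected digest come from RFC 5155 Appendix A,
the zone contents and salt-rotation demo below are constructed."""
import base64
import hashlib
import os

# RFC 4648 base32hex differs from plain base32 only in its alphabet.
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical form: lowercase labels, uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, algorithm: int = 1) -> str:
    """IH(0) = H(owner || salt); IH(k) = H(IH(k-1) || salt); output IH(iterations)
    as unpadded lowercase base32hex, exactly as it appears as an NSEC3 owner name."""
    if algorithm != 1:                       # RFC 5155 defines only SHA-1 (value 1)
        raise ValueError("unsupported NSEC3 hash algorithm")
    digest = hashlib.sha1(canonical_wire_name(name) + salt).digest()
    for _ in range(iterations):              # every extra iteration costs each validator one more SHA-1 per lookup
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX)
    return b32.rstrip("=").lower()


def hash_zone(names: list, zone: str, salt: bytes, iterations: int) -> dict:
    """Map each original owner name to its NSEC3 owner name in `zone`."""
    return {n: f"{nsec3_hash(n, salt, iterations)}.{zone}" for n in names}


def rotate_salt(nbytes: int = 8) -> bytes:
    """A fresh random salt. Re-hashing the whole zone with it (and re-signing
    every NSEC3 RR) is what 'change the salt monthly' costs the operator, and is
    what invalidates any dictionary an attacker precomputed against the old salt."""
    return os.urandom(nbytes)


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12
    names = ["example.", "a.example.", "ns1.example.", "xx.example."]   # constructed zone contents
    before = hash_zone(names, "example.", salt, iters)
    print("example. ->", before["example."])   # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.
    after = hash_zone(names, "example.", rotate_salt(), iters)
    changed = sum(before[n] != after[n] for n in names)
    print(f"after salt rotation {changed}/{len(names)} NSEC3 owner names changed")
```

Two things fall out of running it: the iteration count is a pure cost multiplier paid by every validating resolver on every negative answer, which is why the guidance keeps it in single digits; and because the salt is an input to every hash, rotating it means every NSEC3 record in the zone changes and must be re-signed, so monthly is a cadence an operator has to plan for rather than a free setting.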
                          DNSSEC in SP800-57 Part 3
                        • Procurement
                          – What crypto algorithms, hash algorithms, and
                            key sizes a software product must and should

                        • System Installers
                          – Configuration recommendations.

                        • Server Administrators
                          – Restates the checklist items in NIST SP 800-81,
                            except for cryptography-related parameters

                        • Cache/Recursive Server

                        USG Requirements
                                      DNSSEC and FISMA
                        •   Putting the FISMA Puzzle Together.
                        •   FIPS-200 Minimum Security Requirements
                            for Federal Information Systems
                             – Points to NIST SP 800-53 Recommended
                               Security Controls for Federal Information
                               Systems for technical controls to meet these
                        •   NIST-800-53
                             – Defines DNS security controls
                             – Cites NIST-800-81 as reference.
                        •   NIST-800-53A
                             – Provides guidance for auditors on controls

                        •   Promulgation – closing the loop.
                             – Final FIPS-200 published March 2006.
                                 • Effective immediately, 1 year for
                                   compliance according to FISMA
                        •   OMB memo M-08-23
                             – In line with FISMA deadlines
                             – Special deadlines for .gov zone and all other
                               Federal agencies
                         DNS Related Controls in SP800-53r3
                        • NIST-800-53r3 out for comment!
                          – Comments will be accepted until March 27, 2009.
                        • SC-8 Transmission Integrity
                          – Use of Transaction Authentication/Integrity methods for server-
                            server transactions
                          – TSIG for zone transfers/dynamic update (or similar)

                        • SC-20 Secure Name/Address Resolution Service
                          (Authoritative Source)
                          –   For Low, Moderate and High
                          –   Matches up with OMB-08-23 memo on DNSSEC
                          –   DNSSEC signing of zone data
                          –   Reference: NIST SP800-81
                         DNS Related Controls in SP800-53r3
                        • SC-21 Secure Name/Address Resolution Service
                          (Recursive or Caching Resolver)
                           – For High category only (for this revision)
                           – Recursive servers (Primary and Secondary) must be able to validate
                             DNSSEC signed responses.
                           – NIST SP800-81 referenced
                        • SC-22 Architecture and Provisioning for Name/Address

                          Resolution Service
                           – For Moderate and High level systems
                           – Non-DNSSEC control
                           – addresses other best security practices for DNS deployment and
                                       NIST SP 800-53A
                        • Guide for Assessing the Security
                          Controls in Federal Information Systems
                           – For each control gives assessment
                             objectives and checks based on
                             security classification (Low, Moderate
                             or High)

                           – Assessment recommendations given
                             in Examine/Test language
                               • Examine: policy document, plans,
                                 architecture, etc.
                               • Test: server configuration,
                                 messages, etc.
                                        OMB Memo M-08-23
                        •   “This memorandum describes existing and new
                           policies for deploying Domain Name System
                           Security (DNSSEC) to all Federal information
                           systems by December 2009.”
                        •   Existing – highlights the existing FISMA DNSSEC
                            requirements in NIST 800-53r1 (high and moderate
                            impact systems).
                        •   New – new and expanded policies for DNSSEC
                            deployment in the .gov zone and Federal .gov

                             – .gov TLD zone to be signed by Jan. 2009
                             – Required submission of plan of action “for the
                                deployment of DNSSEC to all applicable
                                information systems”.
                             – Deployment to all Federal information systems (in
                                accordance with NIST 800-53r3) by Dec. 2009
                        Deployment Plans &
                                     Moving Forward ….
                        •   Deployment at the .gov TLD.
                            – Feb 2009 - First global TLD to operationally deploy!
                            – See Fred Schobert/GSA presentation to follow!
                        •   SNIP Secure Naming Infrastructure Pilot
                            – Distributed testbed for agencies to experiment with DNSSEC
                              technologies and processes.
                            – See Scott Rose/NIST presentation to follow!
                        •   Deployment throughout .gov domain.

                            – All agencies submitted plans for deployment in response to OMB-08-23.
                                • Some agency zones already operationally signed!
                            – Technologies / services emerging to meet needs.
                                • See Russ Mundy/Sparta and Vendor presentations to follow!
                        •   Deployment at the root
                            – NTIA Notice of Inquiry – November 2008.
                               • See
                        Questions / Discussion?
