Date posted: 16-Dec-2015

DNSSEC & Email Validation Tiger Team

DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC)

Earl Crane, Department of Homeland Security, Office of the CIO

Scott Rose, National Institute of Standards and Technology

Homeland Security

Technology Background

• DNSSEC Overview
  – OMB M-08-23 “Securing the Federal Government's Domain Name System Infrastructure”. All agencies must deploy DNSSEC by December 2009.
  – Internet Systems Consortium: DNSSEC “only full solution” to DNS attacks
  – Considered more viable long-term solution
  – Cryptographic signatures over DNS data (not messages)
  – Assures integrity of results returned from DNS queries
  – Users can validate source authenticity and data integrity
  – Checks chain of signatures up to root
  – Protects against tampering in caches, during transmission
• Email Validation overview
  – Detects and blocks spoofed/forged mail
  – Sender Policy Framework (SPF) for domains that do not send email
    • “Path based” - Senders publish acceptable message paths (IP) for domain
    • Near-zero deployment requirements for senders
    • DNS records only, no change to outbound servers
  – DomainKeys Identified Mail (DKIM) for domains authorized to send mail
    • “Signature based” - Senders insert digital cryptographic signature in emails for domain
    • Requires cryptographic operation by sender and receiver’s gateway infrastructure
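The “path based” SPF check above can be made concrete on the receiving side: the domain publishes the IP ranges allowed to send its mail in a DNS TXT record, and the receiving gateway compares the connecting IP against that record. The following is an added example, not code from the slides or from any DHS or NIST tool. It assumes the SPF TXT record has already been fetched, implements only the ip4, ip6 and all mechanisms (the ones that need no further DNS lookups), and uses a constructed record and constructed documentation-range addresses; include, a and mx are rejected with permerror rather than being silently passed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Result is the SPF evaluation outcome (RFC 7208 section 2.6 result names).
type Result string

const (
	Pass     Result = "pass"
	Fail     Result = "fail"
	SoftFail Result = "softfail"
	Neutral  Result = "neutral"
	None     Result = "none"      // domain publishes no SPF policy
	PermErr  Result = "permerror" // record cannot be evaluated safely
)

// qualifierResult maps a mechanism's qualifier prefix to the result it
// produces when the mechanism matches; the default qualifier is "+".
func qualifierResult(q byte) Result {
	switch q {
	case '-':
		return Fail
	case '~':
		return SoftFail
	case '?':
		return Neutral
	default:
		return Pass
	}
}

// CheckSPF evaluates the connecting sender IP against the SPF record of the
// purported MAIL FROM domain. Simplified evaluator (hypothetical, for this
// example): only ip4, ip6 and all are supported, so a record that relies on
// include/a/mx or on modifiers yields permerror instead of a guess.
func CheckSPF(record string, senderIP string) (Result, error) {
	ip := net.ParseIP(senderIP)
	if ip == nil {
		return PermErr, fmt.Errorf("invalid sender IP %q", senderIP)
	}
	fields := strings.Fields(record)
	if len(fields) == 0 || !strings.EqualFold(fields[0], "v=spf1") {
		return None, nil
	}
	for _, term := range fields[1:] {
		q := byte('+')
		if strings.ContainsAny(term[:1], "+-~?") {
			q, term = term[0], term[1:]
		}
		mech, arg, _ := strings.Cut(term, ":")
		mech = strings.ToLower(mech)
		switch mech {
		case "all":
			return qualifierResult(q), nil // "all" matches every sender
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") {
				// A bare address means a single host: /32 for ip4, /128 for ip6.
				if mech == "ip4" {
					arg += "/32"
				} else {
					arg += "/128"
				}
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return PermErr, fmt.Errorf("bad %s argument %q: %v", mech, arg, err)
			}
			if network.Contains(ip) {
				return qualifierResult(q), nil
			}
		default:
			return PermErr, fmt.Errorf("mechanism %q not supported by this evaluator", mech)
		}
	}
	return Neutral, nil // no mechanism matched and no "all" term (RFC 7208 default)
}

func main() {
	// Constructed record and sender addresses from the RFC 5737 / RFC 3849 documentation ranges.
	const record = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~ip4:198.51.100.7 -all"
	for _, ip := range []string{"192.0.2.44", "198.51.100.7", "2001:db8::1", "203.0.113.9"} {
		r, err := CheckSPF(record, ip)
		fmt.Printf("%-16s -> %s (err=%v)\n", ip, r, err)
	}
	// A domain that sends no mail at all publishes "v=spf1 -all": every sender fails.
	r, _ := CheckSPF("v=spf1 -all", "192.0.2.1")
	fmt.Println("no-mail domain   ->", r)
}
```

The slide's point about SPF being cheap for senders shows up here: nothing on the sending side changes, only a TXT record; the cost is the receiver's lookup and comparison, and the record ordering matters because the first matching mechanism decides.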

Cyber and Network Security Program

The “Kaminsky Bug”

• Rapid, widespread and resilient
• Reduces time required to poison recursive name server's cache
• All known name server implementations are affected
  – Some more than others (took < 10s to poison the cache)
  – Most implementations patched; now as easy/difficult to poison as any other implementation
• Even patched software vulnerable
  – cache poisoning attempt possible in < 10 hours


What DNSSEC Provides

• Cryptographic signatures over DNS data (not messages)
• Assures integrity of results returned from DNS queries:
  – Users can validate source authenticity and data integrity
• Checks chain of signatures up to root
  – Chain completely contained within DNS (no PKI or X.509 certs needed)
  – Protects against tampering in caches, during transmission
• Not provided: message encryption, security for denial-of-service attacks


DNSSEC Chain of Trust

[Figure: tree of zones “.” (DNS root), gov., se., opm.gov., nist.gov.; each zone node is labelled Data, ZSK and KSK, with KSK links between parent and child zones. Trust anchors installed on client resolvers.]

• KSKs often serve as the “anchor” of authentication chain.
• The higher up in the tree, the more useful the trust anchor
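The two preceding slides describe what a validating resolver actually does: starting from a trust anchor (a KSK installed in the resolver), it follows a chain of signatures contained entirely within DNS down to the data it was asked for, so that a tampered cache entry or a forged response fails validation. The following is an added example, not code from the slides or from any DHS or NIST tool, that models that chain for the root, gov. and nist.gov. zones named in the figure. It is a deliberately simplified model: each zone publishes its KSK and ZSK public keys signed by the KSK, a DS record (SHA-256 of the child's KSK) signed by the ZSK for each delegation, and data signed by the ZSK; the zone names are from the slide, the Ed25519 keys and the A record are constructed, and the byte layouts are hypothetical rather than the real RRSIG/DNSKEY/DS wire formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a simplified model of what a signed zone publishes (hypothetical
// layout, not the DNS wire format). Validators only ever read the public fields.
type Zone struct {
	Name             string
	KSKPub, ZSKPub   ed25519.PublicKey
	DNSKEYSig        []byte            // KSK signature over the DNSKEY set (KSK + ZSK)
	DS, DSSig        map[string][]byte // child name -> SHA-256(child KSK) and its ZSK signature
	Data, DataSig    map[string][]byte // owner name -> RRset bytes and its ZSK signature
	kskPriv, zskPriv ed25519.PrivateKey // held only by the zone operator
}

func (z *Zone) dnskeyRRset() []byte {
	return append(append([]byte(z.Name+"|DNSKEY|"), z.KSKPub...), z.ZSKPub...)
}

func dsRR(parent, child string, digest []byte) []byte {
	return append([]byte(parent+"|DS|"+child+"|"), digest...)
}

// NewZone generates a KSK and a ZSK and signs the zone's DNSKEY set with the KSK.
func NewZone(name string) *Zone {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Name: name, KSKPub: kskPub, ZSKPub: zskPub, kskPriv: kskPriv, zskPriv: zskPriv,
		DS: map[string][]byte{}, DSSig: map[string][]byte{}, Data: map[string][]byte{}, DataSig: map[string][]byte{}}
	z.DNSKEYSig = ed25519.Sign(kskPriv, z.dnskeyRRset())
	return z
}

// Delegate publishes a DS record (hash of the child's KSK) signed by this zone's ZSK.
func (z *Zone) Delegate(child *Zone) {
	d := sha256.Sum256(child.KSKPub)
	z.DS[child.Name] = d[:]
	z.DSSig[child.Name] = ed25519.Sign(z.zskPriv, dsRR(z.Name, child.Name, d[:]))
}

// Publish stores a data RRset together with its ZSK signature.
func (z *Zone) Publish(owner string, rrset []byte) {
	z.Data[owner] = rrset
	z.DataSig[owner] = ed25519.Sign(z.zskPriv, append([]byte(owner+"|"), rrset...))
}

// Validate walks chain[0] (root) to chain[n-1] from the configured trust
// anchor, checking DS-to-KSK linkage and the DNSKEY signature at each zone,
// then checks the ZSK signature over the requested data. Any break fails.
func Validate(anchor ed25519.PublicKey, chain []*Zone, owner string) error {
	for i, z := range chain {
		if i == 0 {
			if !bytes.Equal(z.KSKPub, anchor) {
				return errors.New("root KSK does not match the configured trust anchor")
			}
		} else {
			parent := chain[i-1]
			want, ok := parent.DS[z.Name]
			got := sha256.Sum256(z.KSKPub)
			if !ok || !bytes.Equal(want, got[:]) {
				return fmt.Errorf("DS in %s does not match KSK of %s", parent.Name, z.Name)
			}
			if !ed25519.Verify(parent.ZSKPub, dsRR(parent.Name, z.Name, want), parent.DSSig[z.Name]) {
				return fmt.Errorf("DS for %s has a bad signature", z.Name)
			}
		}
		if !ed25519.Verify(z.KSKPub, z.dnskeyRRset(), z.DNSKEYSig) {
			return fmt.Errorf("DNSKEY set of %s has a bad KSK signature", z.Name)
		}
	}
	leaf := chain[len(chain)-1]
	rrset, ok := leaf.Data[owner]
	if !ok {
		return fmt.Errorf("no data for %s in %s", owner, leaf.Name)
	}
	if !ed25519.Verify(leaf.ZSKPub, append([]byte(owner+"|"), rrset...), leaf.DataSig[owner]) {
		return fmt.Errorf("data for %s has a bad ZSK signature", owner)
	}
	return nil
}

// BuildExample builds the root -> gov. -> nist.gov. chain from the slide with
// one constructed A record, and returns the chain plus the root KSK as anchor.
func BuildExample() ([]*Zone, ed25519.PublicKey) {
	root, gov, nist := NewZone("."), NewZone("gov."), NewZone("nist.gov.")
	root.Delegate(gov)
	gov.Delegate(nist)
	nist.Publish("www.nist.gov.", []byte("A 192.0.2.10")) // constructed address
	return []*Zone{root, gov, nist}, root.KSKPub
}

func main() {
	chain, anchor := BuildExample()
	fmt.Println("intact chain:", Validate(anchor, chain, "www.nist.gov."))
	// Model tampering in a cache: the answer changes but its signature does not.
	chain[2].Data["www.nist.gov."] = []byte("A 203.0.113.66")
	fmt.Println("tampered data:", Validate(anchor, chain, "www.nist.gov."))
}
```

Two things the slides state become visible here: no X.509 or external PKI appears anywhere (every link is a DNS record signed by a DNS key), and the single trust anchor is the root KSK, which is why anchoring higher in the tree covers more of it. Trying the same walk with a different anchor, or with a child zone whose KSK has no matching DS in the parent, fails at the first broken link.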


FNS Tiger Team: DNSSEC and E-Mail Validation
Network and Infrastructure Security Subcommittee, ISIMC, Federal CIO Council

FY11 FISMA Metrics for DNSSEC and Email Validation:

• Network Security Protocols: DNSSEC:
  – % of external-facing second-level DNS names signed;
  – % of external-facing DNS hierarchies with all sub-domains (second-level and below) signed
• Boundary Protection: Email Validation:
  – % of agency email systems that implement sender verification (anti-spoofing) technologies when sending messages from/to government agencies or the public such as S/MIME, DKIM, and SPF.

Office of the Chief Information Officer

UNCLASSIFIED/FOR OFFICIAL USE ONLY

Current Federal DNSSEC Status


Recommended