DNSSEC – Protecting Your Good Internet Name.
Professor Emeritus William J (Bill) Caelli, AO([email protected])
SSaC Chair – Safety and Security Advisory Committee, auDa – Australian Domain Name Authority
17 May 2011, 10.50-11.20
DISCLAIMER:
The concepts and matters presented are those of the author and do not necessarily represent those of auDa, its Board or the auDa-SSaC.
The Naming of sites is a difficult matter,
It isn't just one of your holiday games;
You may think at first I'm as mad as a hatter
When I tell you, a site must have THREE DIFFERENT NAMES
(at least).
Domain – IP – Access / type
Apologies to T. S. Eliot
DNS (Domain Name System)
The base for "cloud computing" and "web services"
BUT never designed with security in mind!
Directive for ICANN SSAC – November 2001.
CONNECTION
Source: http://blog.opendns.com/
DNSSEC finally goes mainstream
1 April 2011.
For example, half the security experts quizzed in a recent survey by internet security firm IID (Internet Identity) admitted they either knew nothing about DNSSEC or only had limited familiarity with the protocol.
Source URLs: http://www.theregister.co.uk/2011/04/01/dnssec_com_goes_live/ http://www.internetidentity.com/
.com TLD Signed (31 March 2011)
Gartner Research Director, Lawrence Orans:
"The importance of DNSSEC in solving issues of trust on the Internet has reached a tipping point with the signing of .com -- one of the most significant milestones in the history of DNSSEC to date. However, there is still more work to be done and the effective deployment of DNSSEC requires collaboration from all parties in the Internet ecosystem."
Source URL: http://www.verisigninc.com/en_US/news-events/press-room/index.xhtml
FROM TELEGRAPH / TELECOMS / PSTN (POTS)
IN TRANSITION TO
TCP/IP (PACKET SWITCHING)
TRANSITIONS
PSTN:
1881 – First Telephone Exchange – New Haven, Connecticut
1891 – Strowger stepper switch (automation)
Uniselector – Cross-bar
~1972 – IST model digital exchange (Telecom Research Labs)
1979 – Digital exchanges
PACKET:
1969 – IMP (BBN-ARPA)
1970 – Mark 1 (UK – NPL – Davies)
~1974 – Xerox PARC universal packet switch
1980s – AustPAC (Telecom/Telstra) – X.25
1984 – Cisco
Crossbar Switch / Two-motion Switch
• Trusted (understood?) switching
• Call tracing
• Emergency services
NC400 crossbar exchange '60 Unit Trouble Recorder'. Fault records and '111' emergency call trace records printer.
TRUST
Melbourne Exchange 1887 (Melbourne Telephone Exchange Company established a 100 line exchange in Melbourne in 1882.)
White Pages. February 21, 1878. First "White Pages" for subscribers in New Haven, Connecticut, USA.
Yellow Pages (Classified Directory). Reuben H Donnelly. Chicago. 1886.
(The same slide repeated with the labels ISP++, BROWSER, SEARCH ENGINE, REGISTRAR and RESOLVER overlaid.)
Trusting your connection!
July 22, 2010
• significant advance in the security of the Internet
• new security upgrade ..... protect against an important online vulnerability:
• clandestine redirecting of online communications to unwanted destinations
• Domain Name System Security Extensions (DNSSEC) protocol
• helps ensure that when computers want to communicate with one another they don't get tricked into talking to digital imposters instead.
(Digital signatures)
TOP REGISTRARS BY NUMBER OF DOMAINS
Source URLs (110319): http://www.webhosting.info/registrars/top-registrars/global/ http://www.internic.net/
APNIC – One of five Regional Internet Registries (RIRs)
.au:
• 33 open registrars (2 provisional) (April 2011)
• 1 closed registrar
• Note – .gov.au: Contracted to NetRegistry (No .mil 2TLD)
• .edu.au: Education Services Australia
.in:
• 84 open registrars
• 2 closed registrars
• gov.in, mil.in: National Informatics Centre (NIC)
• ac.in, edu.in, res.in: ERNET
Total domains in ".au" at April 2011: 2,045,961
TLD DNSSEC Report (2011-05-06)
Summary
* 310 TLDs in the root zone in total
* 72 TLDs are signed;
* 69 TLDs have trust anchors published as DS records in the root zone;
* 4 TLDs have trust anchors published in the ISC DLV Repository.
TLD | Signed? | DS in Root? | ISC DLV?
au. | NO | NO | NO
in. | YES | YES | NO
Note: New "open" TLDs – 2011?
8 March 2011.
DNSSEC Standards:
3 "Core" RFCs, March 2005:
RFC 4033 – DNS Security Introduction and Requirements
RFC 4034 – Resource Records for the DNS Security Extensions
RFC 4035 – Protocol Modifications for the DNS Security Extensions
+ 36 associated RFCs?
DNSSEC MANAGEMENT & USES
• Key generation – KSK/ZSKs – technology/policy – FIPS 140-2
• HSMs vs software?
• Technology / policy for crypto/hash algorithms
• e.g. Elliptic curve(s), RSA key length, SHA256, etc.
• Performance questions – bandwidth
• Trusted system environment (OS, access control, etc.)
• Incompatibilities – large message size for resolvers, etc.
• Firewall interactions
• DNSSEC / BGP / NAT interaction
• Note: Mobile & wireless
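As an added worked example (not from the slides, auDa or any vendor), this shows the check behind the "trust anchors published as DS records in the root zone" figures in the TLD report above and the KSK/ZSK and SHA256 bullets on this slide: the parent zone publishes a DS record holding the key tag and a digest of the child's KSK DNSKEY (RFC 4034), and a validating resolver accepts the child's key only when every DS field matches. The owner name example.au. and the 4-byte placeholder key are constructed sample values, not real keys or real .au data.

```python
import hashlib
# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (even bytes high, odd bytes low)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record fields a parent zone publishes for a child's KSK."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}

def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Validator side: the parent's DS must match the child's DNSKEY on every field."""
    if ds["digest_type"] not in DIGEST_ALGS:
        return False  # unsupported digest type: the DS is unusable, never a match
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))

# Constructed sample values: flags 257 = KSK with the SEP bit set, algorithm 8 = RSA/SHA-256,
# and a 4-byte placeholder in place of a real RSA public key.
SAMPLE_OWNER = "example.au."
SAMPLE_KSK = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
SAMPLE_DS = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
# A substituted key with identical flags and algorithm must be rejected by the DS check.
ROGUE_KSK = dnskey_rdata(257, 8, b"\x01\x02\x03\x05")

if __name__ == "__main__":
    print("genuine KSK accepted:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_OWNER, SAMPLE_KSK))
    print("rogue KSK accepted:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_OWNER, ROGUE_KSK))
```

A full validator additionally verifies the RRSIG over the child's DNSKEY RRset with the matched key; the DS comparison alone only establishes which key the parent vouches for.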
TECHNO / PUBLIC POLICY INTERACTION:
• CAs, ISPs and DNS / DNSSEC
• DNSSEC key hierarchy (NOT certificate based)
• International / global DNS (e.g. OpenDNS, etc)
• National vs International crypto policy/law
• e.g. Turkey (crypto usage?)
• "Filters" at DNSSEC level?
• Changing registrars (effective lock-in?)
DNSSEC = PKI
USER – VALUE INDICATIONS & TRUST
Afilias (2010)
SUMMARY (1): Website http://www.dnssec-validator.cz/
Education & training
Very steep learning curve for staff
Product and system availability "off the shelf"
Bespoke software / scripting, e.g. Verisign
Evaluated products – HSMs – FIPS-140
DNSSEC API? (Web services / apps)
Technical, management and business environment
Processes and procedures / costs / ROI?
Allocated personnel and functions
OS / system environment (SELinux?)
Risk assessment and management
Mistakes – bringing down your domains?
SUMMARY (2):
• New gTLDs – DNSSEC compulsory!
• ".brisbane", ".sydney", ".racv", ".apple", ..... ??
• Worldwide (TLD, ccTLD, 2TLD)
• Verisign – Afilias – Sweden – Czech Republic
• Limited experience
• Australia
• In-principle movement towards DNSSEC
• Phased plan announced by auDa (12 August 2010)
• Current extensive evaluation of implications
Technical, administrative and economic
• Federal gov't participation in SSaC
SUMMARY (3):
EDUCATION & TRAINING
• The key – & it's missing!
• Traditional tertiary education?
• Private providers?
• Vendors? (Early days!)
• Courses and staff?
• Technical & management aspects
• Test laboratories?
• Remember the OSI test lab? e.g. NIST/USA:
• The U.S. GOSIP Testing Program – 1990
THE FUTURE (kidns / DANE):
Diffie & Hellman's "public key register"?
(secure key distribution for e-mail/voice-image/SCADA connections, TLS, certificates, etc. "my key is in the phone book!")
DNS-based Authentication of Named Entities (dane)