DNS Security Extensions (DNSSEC) Ryan Dearing

Posted on 22-Dec-2015

Page 1: DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

DNS Security Extensions (DNSSEC)

Ryan Dearing

Page 2: Topics

- History
- What is DNS?
- DNS Stats
- Security
- DNSSEC
- DNSSEC Validation
- Deployment

Page 3: Terminology

Zone – contains resource records
Resource Record – record with a name and a value (e.g. www.google.com → IP)
Authoritative Server – server that can definitively answer queries for a zone (non-caching)
Master Server – authoritative server that holds the primary copy of the zone and pushes it to the slave/secondary server
Slave Server – authoritative server that gets zone information from the master server (also called secondary server)
Recursive/Caching Server – server that caches query responses

Page 4: Domain Name System

- Created in 1983 by Paul Mockapetris
- Minimal changes to the core protocol since 1987
- Has scaled very well: ~190 million domains

Page 5: DNS Hierarchy and Protocol

- DNS uses a hierarchical model: Root Servers, TLD Servers, Domain Servers
- Small, efficient UDP packets
- No state
- Caching locally and at recursive servers
- Serial number is incremented when zone information changes

Page 6: DNS Stats

- Verisign hosts DNS servers for .com and .net
- Receives 52 billion queries per day
- Peak at 61 billion queries per day
- 48% yearly growth
- 13 nameservers listed for .com and .net, but most likely hundreds with load balancing

Page 7: Security

- DNS uses a trust model, popular in the 80s when the Internet was small and computing power was low
- If an attacker manages to impersonate an authoritative server, they can poison the cache of recursive caching servers
- Suddenly BankOfAmerica.com is going to Nigeria

Page 8: DNSSEC

- DNSSEC adds signing to a zone's information
- Allows DNS responses to be validated all the way from the root
- Increases zone and packet size considerably
- Already implemented on the root servers
- Only useful when zones start using it

Page 9: DNSSEC Validation: google.com

1. Request information from the root server for .com; verify the response based on the root's public key (publicly distributed). Returns the key for .com.
2. Request information from the .com server for google.com; verify the response using the key returned from the root. Returns the key for google.com.
3. Request information from the google.com server; verify with the key returned from the .com server.
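The three-step walk on this slide, as an added Go example that is not part of the original deck: it models each zone's DNSKEY as an Ed25519 key pair, the parent's DS record as a SHA-256 digest of the child's key, and an RRSIG as a signature over owner name plus data (all assumed simplifications of the real record formats), then validates an answer for www.google.com from a root trust anchor and rejects a tampered answer or a key the parent never vouched for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone stands in for a zone's DNSKEY: one Ed25519 key pair (assumed simplification;
// real DNSSEC splits KSK/ZSK and signs whole RRsets, but the chain logic is the same).
type Zone struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
// Signed is a record (owner name + rdata) plus its zone's signature: an RRSIG stand-in.
type Signed struct {
	Owner     string
	Data, Sig []byte // Data is an address, or a child's DS digest
}
func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{pub, priv}
}
// toSign binds owner name and rdata so one signature covers both.
func toSign(r Signed) []byte { return append([]byte(r.Owner+"\x00"), r.Data...) }
func (z *Zone) Sign(owner string, data []byte) Signed {
	r := Signed{Owner: owner, Data: data}
	return Signed{owner, data, ed25519.Sign(z.priv, toSign(r))}
}
// DS is what a parent publishes for a child: a SHA-256 digest of the child's key.
func DS(child *Zone) []byte { h := sha256.Sum256(child.Pub); return h[:] }

// Validate walks the chain from the trust anchor down path (root -> com -> google.com on
// the slide): each parent-signed DS must match the child's key; the last key signs the answer.
func Validate(anchor ed25519.PublicKey, path []*Zone, ds []Signed, answer Signed) error {
	key := anchor
	for i, child := range path {
		if i >= len(ds) || !ed25519.Verify(key, toSign(ds[i]), ds[i].Sig) ||
			string(ds[i].Data) != string(DS(child)) {
			return fmt.Errorf("chain broken at %s: DS not vouched for by parent", child.Pub[:4])
		}
		key = child.Pub // the child's key is now trusted
	}
	if !ed25519.Verify(key, toSign(answer), answer.Sig) {
		return fmt.Errorf("answer for %s fails signature check", answer.Owner)
	}
	return nil
}
```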

Page 10: DNSSEC Validation

Page 11: DNSSEC Complexities

- Must tell the parent zone when the key is changed
- Changing the key must be done very carefully: both keys are used for a period of time due to caching
- Must be careful about zone enumeration
- Servers will require more memory for holding additional information (keys, response signatures)
- More bandwidth utilization
- Larger packets (network equipment blocking)

Page 12: DNSSEC Deployment Status

- All root servers now use DNSSEC as of May 5
- .com and .net by Q1 of 2011; requires upgrades for scalability
- .org already deployed with DNSSEC
- .gov already deployed with DNSSEC
- Big zones will need to deploy it too (google.com, yahoo.com, etc.)
- Large DNS providers need to deploy too (NeustarDNS, Markmonitor, etc.)

Page 13: Questions?