DNS Security - mcmaster.ca presentations/Session 4
TRANSCRIPT
![Page 2: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/2.jpg)
<0>
Caveat Emptor
Computer security usually means...
Communication between two parties
But it’s complicated
Eve is the Wo(Man) in the Middle
3 goals of good computer security
Confidentiality...
despite espionage...
e.g. Eve wants to steal data
But to Eve it’s all gibberish )@*#)@*#)*$@)
Integrity...
despite corruption...
e.g. Eve wants to change data
Alice and Bob are NOT getting the wrong data
Forged data is detected
e.g. Not knowing that data has been corrupted is a violation of integrity
Availability...
despite sabotage...
e.g. Eve wants to destroy data
Bob and Alice are getting the right data
e.g. DoS attack is a violation of availability
e.g. Blocking data is a violation of availability
Computer security usually means...
Cryptography
Cryptography usually means...
Mathematics
Mathematics usually means...
Rigorous proofs
Rigorous proof means ...
The masses* trust the few elite who “know”
* the intelligent, educated ones are included here
e.g.
Andrew Wiles
1994/95
1637
Pierre de Fermat
Famous “Last” Theorem
$a^n + b^n \neq c^n$
$\{\, n \ge 3,\ a, b, c > 0 \,\}$, $a, b, c, n \in \mathbb{Z}$
It takes a very great deal of mathematical knowledge to understand Wiles's proof; the original paper is hundreds of pages and when I tried to read it I couldn't get past page one; this highlights the fact that proof really has to do with authority and trust, not whether a computer can verify the mathematician's steps.
Allan Reeve Wilks, Ph.D., Statistician, AT&T Bell
Therefore ...
it’s good to remember
when it comes to security and cryptography in particular ...
There are professionals*, stuffed shirts, plumbers and actors
* Even the professionals do not always agree.
* This is certainly the case in DNS security.
<1>
Nomenclature
DNS == Domain Name System
Stub Resolver
Caching Name Server
Authoritative Name Server
<2>
Function of the DNS
$f(x) = \sqrt{a^2 - 4ab + b^2}$
Name/Number Lookup Service
Map/Translate Names to Addresses*
* there are other important data /resource records
E.g.
worldbank.int → dns1.worldbank.org, dns2.worldbank.org, dns3.worldbank.org, dns4.worldbank.org
NS record
president@whitehouse.gov → mail1.eop.gov., mail2.eop.gov., mail3.eop.gov., mail4.eop.gov.
MX record
<3>
DNS Implementation
Hierarchical
Globally Distributed
Scalable
Standard IP Protocol
Database
Query
Response
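The slides describe the DNS as a standard IP protocol with a distributed database, a query and a response, and illustrate it with the NS records of worldbank.int and the MX records behind president@whitehouse.gov. The following is an added example, not code from the slides: a minimal RFC 1035 wire-format encoder and decoder that builds a query, builds the answer a caching name server would return (A, NS or MX records, with the owner name as a compression pointer back to the question), and parses it again. The record values reuse the slides' examples; the response bytes are constructed here, not captured from the real servers.

```python
# Added example (not from the slides): minimal DNS wire format per RFC 1035.
# Record names reuse the slides' examples; the bytes are constructed, not
# captured from the real servers.
import secrets
import struct

TYPE_A, TYPE_NS, TYPE_MX = 1, 2, 15
CLASS_IN = 1


def encode_name(name):
    """Encode 'dns1.worldbank.org' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:                      # the root name "." has no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid=None):
    """12-byte header + one question.  The 16-bit ID is the only field that
    ties a reply to this query, so it must be unpredictable."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, answers):
    """Answer a query: same ID, question echoed, then A/NS/MX records whose
    owner name is a compression pointer (0xC00C) to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR,RD,RA
    body = b""
    for rtype, ttl, value in answers:
        if rtype == TYPE_A:
            rdata = bytes(int(o) for o in value.split("."))
        elif rtype == TYPE_NS:
            rdata = encode_name(value)
        elif rtype == TYPE_MX:                  # value is (preference, host)
            rdata = struct.pack("!H", value[0]) + encode_name(value[1])
        else:
            raise ValueError(f"unsupported type {rtype}")
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + body


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 64:                       # refuse pointer loops
                raise ValueError("compression loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Parse header, question and answer sections into Python values."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == TYPE_NS:
            value = read_name(msg, off)[0]
        elif rtype == TYPE_MX:
            value = (struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0])
        else:
            value = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


if __name__ == "__main__":
    q = build_query("worldbank.int", TYPE_NS)
    r = build_response(q, [(TYPE_NS, 3600, f"dns{i}.worldbank.org") for i in (1, 2, 3, 4)])
    print(parse_message(r))
    q = build_query("whitehouse.gov", TYPE_MX)
    r = build_response(q, [(TYPE_MX, 3600, (10, f"mail{i}.eop.gov")) for i in (1, 2, 3, 4)])
    print(parse_message(r))
```

Note what the decoder checks and what it does not: it validates the message layout and refuses compression-pointer loops, but nothing in the format lets it tell a genuine answer from one that merely carries the right ID and question, which is the weakness the later slides turn to.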
<4>
DNS Centrality & Criticality
DNS is a central anchor point of trust for the entire Internet's infrastructure
Almost every user interaction deals with names.
Almost every Internet protocol interaction deals with numbers and addresses.
128.100.103.10
2001:beef:0666::2
2007: 24 Billion DNS Queries A Day
2008: 48 Billion DNS Queries A Day
Q: How secure is the Internet?
Q: Can Internet Mail be stolen?
A: Yes. And it’s not too hard.
Mail client uses DNS, gets the wrong address for the remote mail server
Mail client uses DNS, attackers see and change the packets en-route
Q: Can Web Pages be Forged?
A: Yes. And it’s not too hard.
Browser sends a DNS request, gets the wrong address and makes an HTTP connection to the bad guy's server
Browser sends a DNS request, makes an HTTP connection, attackers see and change the packets.
Q: How do we protect the DNS?
Q: Does cryptography solve the problem?
A: In theory... Yes!
A: In practice... ???
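The two attacks the slides sketch (the mail client or browser "gets the wrong address"; attackers "see and change the packets en-route") and the "in theory, yes" answer for cryptography come down to one fact: a classic stub resolver accepts a UDP reply on nothing but the 16-bit transaction ID, the QR bit and an echoed question. The added example below, which is not code from the slides, builds a constructed A-record exchange for www.example.com with TEST-NET addresses, shows that an on-path attacker's rewrite of the address is accepted unchanged, quantifies the blind (off-path) guessing game with and without source-port randomization, and then shows a shared-secret HMAC over the message catching the same rewrite. The HMAC is the idea behind TSIG (RFC 2845) but uses a simplified layout (tag appended to the message), not the RFC's wire format; the key, names and addresses are assumptions for the example.

```python
# Added example (not from the slides): why a plain DNS answer can be swapped
# for "the wrong address", and what an integrity check changes.  Names,
# addresses and the shared key are constructed for illustration.
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256


def dns_query(qname, txid):
    """Query for an A record: 12-byte header, then the question."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))


def dns_a_response(query, ip):
    """Answer with one A record whose owner is a pointer to the question name."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def answer_ip(response):
    """The A record is the last RR here, so its rdata are the final four bytes."""
    return ".".join(str(b) for b in response[-4:])


def stub_accepts(query, response):
    """Everything a pre-DNSSEC stub checks besides the UDP 4-tuple:
    matching ID, QR bit set, question section echoed.  No cryptography."""
    if len(response) < 12 or response[:2] != query[:2]:
        return False
    if not struct.unpack("!H", response[2:4])[0] & 0x8000:
        return False
    return response[12:len(query)] == query[12:]


def on_path_rewrite(response, new_ip):
    """An attacker who sees the packet already knows the ID and the port;
    overwriting the rdata bytes is all it takes."""
    return response[:-4] + bytes(int(o) for o in new_ip.split("."))


def off_path_success(guesses, id_bits=16, port_bits=0):
    """Probability that a blind attacker (cannot see the query) lands at least
    one matching forgery in `guesses` tries before the real answer arrives.
    port_bits=16 models a resolver that also randomizes its source port."""
    space = 1 << (id_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def sign(key, message):
    """Simplified TSIG-style authentication: append an HMAC over the message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(key, signed):
    message, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, message, hashlib.sha256).digest())


def tamper_signed(signed, new_ip):
    """What the on-path attacker can do without the key: rewrite the address
    and keep the original tag."""
    return on_path_rewrite(signed[:-TAG_LEN], new_ip) + signed[-TAG_LEN:]


if __name__ == "__main__":
    q = dns_query("www.example.com", 0x1A2B)
    good = dns_a_response(q, "192.0.2.10")           # constructed "right" answer
    bad = on_path_rewrite(good, "198.51.100.66")      # constructed "wrong address"
    print("on-path rewrite accepted:", stub_accepts(q, bad), answer_ip(bad))
    print("blind forgery, 10k tries, ID only:", off_path_success(10_000))
    print("blind forgery, 10k tries, ID+port:", off_path_success(10_000, port_bits=16))
    key = b"stub/cache shared secret (example)"
    print("signed ok:", verify(key, sign(key, good)))
    print("tampered ok:", verify(key, tamper_signed(sign(key, good), "198.51.100.66")))
```

Two caveats the numbers make visible. Randomizing the ID and the source port only raises the cost for a blind attacker; an attacker on the path sees both and is stopped only by the integrity check. And a shared-secret MAC protects one hop between parties that already share a key (the stub and its caching server, or a master and its secondary); protecting the data itself across every resolver on the Internet needs public-key signatures over the records, which is the DNSSEC approach and the part of the "in practice" question the slides leave open.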
Q: Am I using cryptography?
Q: Are you using cryptography?
A: Sometimes yes; Normally no.
Q: Why is this so?
A: Most Internet Protocols do not support cryptography
Q: Why is this so?
A: Integration of cryptography is hard for protocol designers.
N.B. Some popular IP protocols do have cryptographic options!
e.g. HTTPS (RFC 2818)
Q: Why do some implementations of these protocols not support cryptography?
A: It’s hard for software authors to implement the cryptography. Non cryptographic options are much easier.
N.B.
Some popular implementations do support cryptography!
![Page 107: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/107.jpg)
Q: Why do 99% of Apache installations do NOT enable SSL
![Page 108: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/108.jpg)
A: It’s harder and more costly for site administrators to turn it on and to keep it on.
![Page 109: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/109.jpg)
Q: How secure are SSL certificates?
![Page 110: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/110.jpg)
A: You tell me ...
![Page 111: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/111.jpg)
Q: How many certificate authorities does your browser trust?
![Page 112: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/112.jpg)
A: ~ 1400 if your browser is Firefox or IE
![Page 113: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/113.jpg)
N.B. Some important installations do support cryptography!
![Page 114: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/114.jpg)
e.g. SourceForge has an SSL certificate and has set up SSL servers:https://sourceforge.net/account/
![Page 115: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/115.jpg)
N.B. Cryptography is not enabled everywhere on the site!
![Page 116: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/116.jpg)
e.g.https://sourceforge.net/community gets redirected tohttp://sourceforge.net/community
![Page 117: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/117.jpg)
Q: Why does SourceForge turn off SSL/cryptographic protection?
![Page 118: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/118.jpg)
A: Enabling SSL for all transactions is costly in terms of CPU cycles/load.
![Page 119: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/119.jpg)
A: SSL-acceleration is available but again costly ($$$).
![Page 120: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/120.jpg)
![Page 121: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/121.jpg)
Q: Why are cryptographic operations so expensive?
![Page 122: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/122.jpg)
Q: Can cryptographic operations be made faster and still be correct?
![Page 123: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/123.jpg)
Q: Can cryptographic operations be made fast enough to handle all of a www site’s operation?
![Page 124: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/124.jpg)
Q: Can cryptographic operations be made fast enough to handle all Internet transactions?
![Page 125: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/125.jpg)
Q: Can Internet cryptography be easy to implement and manage?
![Page 126: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/126.jpg)
Q: Can Internet cryptography be done in software?
![Page 127: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/127.jpg)
Q: Can Internet cryptography be easy to add to Internet protocols?
![Page 128: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/128.jpg)
Q: Will governments be afraid of universal Internet cryptography ?
![Page 129: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/129.jpg)
Q: Given gangsters and bad guys get to use cryptography can the average user have access to the same stuff?
![Page 130: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/130.jpg)
A normal DNS transaction
Time to check my bank balance!!
I am going to assume Foxy meant:
www.cibc.ca.
That last dot is actually significant.
www.cibc.ca.?
Hmmm. Have I not seen that name before?
www.cibc.ca. ? Yes!
Here it is in my stash:
159.231.80.200
Security Audit time ...
Confidentiality ?
Integrity ?
Availability ?
Time to check my credit card balance!!
People always forget that final dot. Sigh ...
www.americanexpress.com.
Hmmm. That looks like a new one. Let’s check.
Rats! I do not have that one stored. Time to go fish!
$ dig -t ns .

; <<>> DiG 9.7.0-P1 <<>> -t ns .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47571
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                      IN      NS

;; ANSWER SECTION:
.               518375  IN      NS      g.root-servers.net.
.               518375  IN      NS      a.root-servers.net.
.               518375  IN      NS      e.root-servers.net.
.               518375  IN      NS      b.root-servers.net.
.               518375  IN      NS      k.root-servers.net.
.               518375  IN      NS      l.root-servers.net.
.               518375  IN      NS      c.root-servers.net.
.               518375  IN      NS      i.root-servers.net.
.               518375  IN      NS      d.root-servers.net.
.               518375  IN      NS      j.root-servers.net.
.               518375  IN      NS      f.root-servers.net.
.               518375  IN      NS      m.root-servers.net.
.               518375  IN      NS      h.root-servers.net.

$ dig +short -t ns .
g.root-servers.net.
a.root-servers.net.
e.root-servers.net.
b.root-servers.net.
k.root-servers.net.
l.root-servers.net.
c.root-servers.net.
i.root-servers.net.
d.root-servers.net.
j.root-servers.net.
f.root-servers.net.
m.root-servers.net.
h.root-servers.net.

$ dig +short -t a g.root-servers.net.
192.112.36.4

$ cat @
198.41.0.4
128.9.0.107
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
192.58.128.30
193.0.14.129
198.32.64.12
202.12.27.33

Root: g.root-servers.net. 192.112.36.4
Query: A record for www.americanexpress.com.
Response: NS records for com.
d.gtld-servers.net. a.gtld-servers.net. k.gtld-servers.net. c.gtld-servers.net. m.gtld-servers.net. i.gtld-servers.net. l.gtld-servers.net. f.gtld-servers.net. e.gtld-servers.net. h.gtld-servers.net. g.gtld-servers.net. b.gtld-servers.net. j.gtld-servers.net.

.com: f.gtld-servers.net. 192.35.51.30
Query: A record for www.americanexpress.com.
Response: NS records for americanexpress.com.
gw4.aexp.com. gw5.aexp.com. gw.aexp.com. gw2.aexp.com. gw3.aexp.com.

americanexpress.com: gw5.aexp.com. 192.102.253.16
Query: A record for www.americanexpress.com.
Response: A record for www.americanexpress.com.
12.29.100.148

www.americanexpress.com. 12.29.100.148
That took a bit of work. Let’s store it in our local stash.
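The walk above (stash lookup, then root, then .com, then the americanexpress.com servers) as a runnable simulation. This is an added example, not code from the slides: the zone tables, the server-to-zone mapping and the glue addresses are constructed in memory (they follow the names and addresses the slides show), so the script runs offline and never sends a packet.

```python
"""Toy iterative resolver with a local cache ("stash").

Added example, not code from the slides: the zone data, glue addresses and
server-to-zone mapping below are constructed for illustration (the names and
addresses follow the walk shown in the slides), and every "server" is an
in-memory table, so nothing touches the network.
"""

# Constructed authoritative data: zone apex -> what its server returns.
# "answers" end the walk; "referrals" hand the query to the next zone down.
ZONES = {
    ".": {"answers": {}, "referrals": {"com.": ["f.gtld-servers.net."]}},
    "com.": {"answers": {}, "referrals": {"americanexpress.com.": ["gw5.aexp.com."]}},
    "americanexpress.com.": {
        "answers": {"www.americanexpress.com.": "12.29.100.148"},
        "referrals": {},
    },
}

# Which zone each constructed server is authoritative for, and its glue address.
SERVES = {
    "g.root-servers.net.": ".",
    "f.gtld-servers.net.": "com.",
    "gw5.aexp.com.": "americanexpress.com.",
}
GLUE = {
    "g.root-servers.net.": "192.112.36.4",
    "f.gtld-servers.net.": "192.35.51.30",
    "gw5.aexp.com.": "192.102.253.16",
}
ROOT_HINT = "g.root-servers.net."   # one entry from the root hints ("dig -t ns .")


def query_server(ns_name, qname):
    """Simulate asking server `ns_name` for the A record of `qname`.

    Returns ("answer", address), ("referral", child_zone, [ns names]) or
    ("nxdomain",), mirroring the three things an authoritative server can say.
    """
    data = ZONES[SERVES[ns_name]]
    if qname in data["answers"]:
        return ("answer", data["answers"][qname])
    for child_zone, ns_list in data["referrals"].items():
        if qname == child_zone or qname.endswith("." + child_zone):
            return ("referral", child_zone, ns_list)
    return ("nxdomain",)


class CachingResolver:
    """Answers from the stash when it can, otherwise walks down from the root."""

    def __init__(self, seed=None):
        self.cache = dict(seed or {})      # fully qualified name -> address

    def resolve(self, name, max_hops=10):
        # The final dot is significant: a bare name is made fully qualified first.
        qname = name if name.endswith(".") else name + "."
        trail = []
        if qname in self.cache:
            trail.append(f"cache hit: {qname} -> {self.cache[qname]}")
            return self.cache[qname], trail
        ns = ROOT_HINT
        for _ in range(max_hops):            # bound the walk against referral loops
            reply = query_server(ns, qname)
            where = f"{ns} ({GLUE[ns]})"
            if reply[0] == "answer":
                addr = reply[1]
                trail.append(f"{where}: A {qname} -> {addr}")
                self.cache[qname] = addr      # store it in the stash for next time
                return addr, trail
            if reply[0] == "referral":
                child_zone, ns_list = reply[1], reply[2]
                trail.append(f"{where}: referral to {child_zone} via {ns_list[0]}")
                ns = ns_list[0]
                continue
            trail.append(f"{where}: no such name")
            return None, trail
        trail.append("gave up: too many referrals")
        return None, trail


if __name__ == "__main__":
    r = CachingResolver(seed={"www.cibc.ca.": "159.231.80.200"})
    for name in ("www.cibc.ca", "www.americanexpress.com", "www.americanexpress.com"):
        addr, trail = r.resolve(name)
        print(name, "->", addr)
        for step in trail:
            print("   ", step)
```

The first lookup of www.cibc.ca is served from the seeded stash in one step; www.americanexpress.com costs three round trips the first time and one cache hit the second. Note that nothing in this walk checks who actually sent each reply, which is the point the security audit that follows makes.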
Security Audit time ...
Case I: Eve (remote)
Root / TLD / Name: Confidentiality? Integrity? Availability?
Case II: Eve (local)
Root / TLD / Name: Confidentiality? Integrity? Availability?
Dan Kaminsky 2008-07-21
Cache Poisoning Attack
Normal Case: Alice - Bob
Imposter Case: Eve - Bob
Houston, we really do have a problem!
There be many DNS dragons...
Passive Attacks
Man in Middle collects data regarding users’ queries
Active Attacks
Man in Middle changes data:
Wrong answer to a valid query
No answer to a valid query
Block query and response
Flip bits to mess up DNS servers
Passive Attacks
Devious users can poison Caching Name servers
Solutions
For passive cache poisoning attacks
Random Query IDs make guessing difficult
2^16 = 65536
Random QIDs & SRC ports minimize risk
2^16 * 2^11 = 2^27 = 134217728
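The check that the random query IDs and random source ports feed into, as an added example (not code from the slides): a resolver keeps a table of in-flight queries and accepts a reply only if it arrives on the port the query left from, carries the same 16-bit ID, and repeats the same question. The query and reply records are constructed; a real resolver reads the same fields from the UDP and DNS headers of each packet.

```python
"""Response matching in a caching resolver: the check behind "random query IDs
and random source ports".

Added example, not code from the slides. The Outstanding/Reply records are
constructed stand-ins for the UDP and DNS header fields; the port pool is
2^11 wide to match the slide's arithmetic (real resolvers use a larger range).
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Outstanding:
    qid: int          # 16-bit DNS query ID
    sport: int        # UDP source port the query left from
    qname: str
    qtype: str


@dataclass(frozen=True)
class Reply:
    qid: int
    dport: int        # UDP destination port the reply arrived on
    qname: str
    qtype: str
    answer: str


def guess_space(qid_bits=16, port_bits=0):
    """Number of (query ID, source port) combinations a forged reply must hit."""
    return 1 << (qid_bits + port_bits)


class PendingQueries:
    """Tracks in-flight queries and accepts only replies that match one."""

    def __init__(self, port_bits=11, port_base=1024):
        self.port_bits = port_bits      # 2^11 ports, the slide's figure
        self.port_base = port_base
        self.pending = {}               # (qid, sport) -> Outstanding
        self.rejected = 0               # mismatches: a burst of these is a spoofing signal

    def send(self, qname, qtype="A"):
        """Allocate a fresh random query ID and source port for a new query."""
        while True:
            qid = secrets.randbelow(1 << 16)
            sport = self.port_base + secrets.randbelow(1 << self.port_bits)
            if (qid, sport) not in self.pending:
                break
        q = Outstanding(qid, sport, qname, qtype)
        self.pending[(qid, sport)] = q
        return q

    def accept(self, reply):
        """Return True (and retire the query) only if ID, port and question match."""
        q = self.pending.get((reply.qid, reply.dport))
        if q is None or q.qname != reply.qname or q.qtype != reply.qtype:
            self.rejected += 1
            return False
        del self.pending[(reply.qid, reply.dport)]   # late duplicates are dropped too
        return True


if __name__ == "__main__":
    p = PendingQueries()
    q = p.send("www.americanexpress.com.")
    genuine = Reply(q.qid, q.sport, q.qname, q.qtype, "12.29.100.148")
    print("guesses needed, ID only:", guess_space(16, 0))
    print("guesses needed, ID + port:", guess_space(16, p.port_bits))
    print("genuine reply accepted:", p.accept(genuine))
```

With the ID alone a blind forger has one chance in 65536 per reply; adding the port pool raises that to one in 134217728. The check does nothing against Eve sitting on the path (Case II), who sees the ID and port in the query itself; that is what the integrity protection discussed next is for.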
Modify DNS to use Cryptographic Tools
Confidentiality...
Would thwart passive man in the middle attacks
Integrity...
Would thwart all of the spoofing attacks
DNS Security Extensions
aka DNSSEC
What is it?
“The DNS Security extensions provide origin authentication and integrity protection for DNS data, as well as a means of public key distribution. These extensions do not provide confidentiality.”
“It is a set of extensions to DNS, which provide:
a. origin authentication of DNS data
b. data integrity
c. authenticated denial of existence”
History
1987: Regular DNS standardized [RFC 1034, 1035]
1990: DNS vulnerabilities come to light [Steve Bellovin, Bell Laboratories]
1995: Steve Bellovin makes public the vulnerabilities
1995: IETF strikes a DNSEXT working group
1997: IETF Domain Name Security Extensions [RFC 2065]
1999: RFC 2535 supersedes RFC 2065 (implementation problems)
1999: end of year, ISC ships BIND with RFC 2535 exts.
2001: RFC 2535 key handling operational problems. Restart! Writing, Drafting, Publishing
2001: RFC2535 key handling operational problems.
2005: 3 new RFCs: 4033,4034, 4035: DNSSEC-bis
![Page 207: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/207.jpg)
1987: Regular DNS standardized [RFC 1034,1035]
1990: DNS vulnerabilities come to light
1999: end of year, ISC ships bind with RFC2535 exts.
1995: Steve Bellovin makes public the vulnerabilities
1995: IETF strikes a DNSEXT working group
1997: IETF Domain Name Security Extensions [RFC 2065]
1999: RFC 2535 supercedes RFC 2065
2001: RFC2535 key handling operational problems.2005: 3 new RFCs: 4033,4034, 4035: DNSSEC-bis
2005: First ccTLD implements DNSSEC: .se
![Page 208: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/208.jpg)
1987: Regular DNS standardized [RFC 1034,1035]
1990: DNS vulnerabilities come to light
1999: end of year, ISC ships bind with RFC2535 exts.
1995: Steve Bellovin makes public the vulnerabilities
1995: IETF strikes a DNSEXT working group
1997: IETF Domain Name Security Extensions [RFC 2065]
1999: RFC 2535 supercedes RFC 2065
2001: RFC2535 key handling operational problems.2005: 3 new RFCs: 4033,4034, 4035: DNSSEC-bis
2010: All root name servers are DNSSEC ready
2005: First ccTLD implements DNSSEC: .se
![Page 209: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/209.jpg)
1987: Regular DNS standardized [RFC 1034,1035]
1990: DNS vulnerabilities come to light
1999: end of year, ISC ships bind with RFC2535 exts.
1995: Steve Bellovin makes public the vulnerabilities
1995: IETF strikes a DNSEXT working group
1997: IETF Domain Name Security Extensions [RFC 2065]
1999: RFC 2535 supercedes RFC 2065
2001: RFC2535 key handling operational problems.2005: 3 new RFCs: 4033,4034, 4035: DNSSEC-bis
2010: All root name servers are DNSSEC ready2005: First ccTLD implements DNSSEC: .se
2012: .ca name servers are DNSSEC ready
![Page 210: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/210.jpg)
Recent Uptake
![Page 211: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/211.jpg)
End of 2009: ~1000
![Page 212: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/212.jpg)
End of 2010: ~2500
![Page 213: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/213.jpg)
Number of registered domains: ~200,000,000
![Page 214: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/214.jpg)
DNSSEC: Objectives
![Page 215: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/215.jpg)
![Page 216: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/216.jpg)
N.B.:
DNSSEC is designed to detect attacks, not necessarily to prevent them: a validating resolver marks forged or altered data as bogus and refuses to use it, but nothing stops the forged packet from arriving in the first place.
![Page 217: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/217.jpg)
![Page 219: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/219.jpg)
Origin Authentication of DNS Data
The client can verify that the data in a response really originated with the owner of the zone, i.e. was signed with that zone's private key, no matter which server or cache delivered it. DNSSEC authenticates the data, not the server that handed it over.
Authenticity is a case of integrity.
![Page 220: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/220.jpg)
![Page 222: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/222.jpg)
Data Integrity
A validating resolver can detect whether response data has been modified by an unauthorized third party anywhere between the signer and itself. Only the response data (the RRsets) is signed; the query and the transaction itself are not covered, which is what TSIG or SIG(0) are for.
![Page 223: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/223.jpg)
![Page 225: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/225.jpg)
Authenticated Denial of Existence
The client can be sure not only of the response for data which exists but also that certain data does NOT exist. DNSSEC does this with NSEC (or NSEC3) records, signed like any other RRset, that prove no name or type lies in the gap between two names that do exist.
This is necessary to prevent a class of attacks: without it, an attacker could forge an NXDOMAIN or "no such record" reply and strip records a client depends on, and the client would have no way to tell a genuine negative answer from a fabricated one.
![Page 226: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/226.jpg)
![Page 227: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/227.jpg)
Backward Compatibility with Regular DNS
DNSSEC and non-DNSSEC environments both need to interoperate: a signed zone must still serve resolvers that know nothing about DNSSEC (signature records are only included when the query sets the DO bit in EDNS), and a validating resolver must still accept answers from zones that are not signed.
![Page 228: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/228.jpg)
DNSSEC: Non Objectives
![Page 229: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/229.jpg)
![Page 230: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/230.jpg)
Confidentiality
![Page 231: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/231.jpg)
All DNSSEC traffic is plaintext
![Page 232: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/232.jpg)
... that all data in the DNS is thus visible. Accordingly, DNSSEC is not designed to provide confidentiality, access control lists, or other means of differentiating between inquirers.
RFC 4033
![Page 234: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/234.jpg)
This design decision has security implications: a signed zone publishes more, not less. With NSEC, the records that prove non-existence link each name to the next one in the zone, so anyone can walk the whole zone name by name (NSEC3 hashes the names to make that harder), and queries and answers remain readable to anyone on the path.
![Page 235: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/235.jpg)
Availability
![Page 236: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/236.jpg)
DNSSEC provides no protection against denial of service attacks. Security-aware resolvers and security-aware name servers are vulnerable to an additional class of denial of service attacks based on cryptographic operations.
RFC 4033
![Page 238: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/238.jpg)
There are no extra features, over and above regular DNS, to prevent DoS or buffer overflow attacks. If anything the attack surface grows: signed answers are several times larger, so DNSSEC-enabled servers make better reflectors for amplification attacks, and every signature a resolver validates costs CPU that an attacker can make it spend.
![Page 239: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/239.jpg)
DNSSEC Specifications
![Page 240: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/240.jpg)
New Resource Records
![Page 241: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/241.jpg)
Regular Resource Records
![Page 242: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/242.jpg)
NS - name server delegation
![Page 243: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/243.jpg)
A - IPv4 address
![Page 244: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/244.jpg)
MX - mail server name & priority
![Page 245: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/245.jpg)
CNAME - name alias
![Page 246: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/246.jpg)
TXT - text description
![Page 247: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/247.jpg)
SOA - start of authority
![Page 248: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/248.jpg)
New Resource Records
![Page 249: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/249.jpg)
DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets).
RFC 4034
![Page 251: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/251.jpg)
DNSKEY - for storing public keys
![Page 252: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/252.jpg)
A zone signs its authoritative RRsets by using a private key and stores the corresponding public key in a DNSKEY RR.
RFC 4034
![Page 254: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/254.jpg)
Note:
The DNSKEY RR is only intended to store DNS related public keys. It MUST NOT be used to store generic public keys and certificates
RFC 4034
![Page 255: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/255.jpg)
DNSKEY - algorithms are also stored
![Page 256: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/256.jpg)
```
# dig +multiline vix.com DNSKEY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11667
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vix.com.                       IN DNSKEY

;; ANSWER SECTION:
vix.com.                2894 IN DNSKEY 257 3 5 (
                                AwEAAbKW5zsYMBUX4MS0yq3MNm4312c7WEF1Af2Iy2O/
                                A+U+h7F3EtblBDJVs/LgtdjsE3JHak51iRaELLOoEvVe
                                RIIa1UjNvXIeia+QV1nlSas8LcXya0XOYA2Jfxez0pEW
                                ArN1QLhkgVDPAsEwKLzYfVjW78CFlOZnYxbBWXwKgb4z
                                ) ; key id = 26437
vix.com.                2894 IN DNSKEY 256 3 5 (
                                BEAAAAO6wBt1U39U8meHca3JBCWixBi8BvZLMJZp51/5
                                vViM2+fh93XF1SqJaAaqgX6PszTPUlElvuTV2xTV4uQj
                                UTaFv8qDnsjbfXVusE1v+OaQpSVuP8GjI28cGi9PgAOc
                                z2ACdiD2XVbYKUDTJb+pqoE/o3Z6FjKf6ByTkJUI5x9D
                                lw==
                                ) ; key id = 63066
```
Reading the RDATA: the first number is the flags field (257 = Zone Key plus Secure Entry Point, the key-signing key; 256 = Zone Key only, the zone-signing key), the second is the protocol (always 3), the third is the algorithm (5 = RSA/SHA-1), followed by the base64 public key. The `key id` comment is the key tag, a 16-bit checksum of the record that RRSIG records use to say which key signed them. Note the flags `qr rd ra` with no `ad`: this resolver handed back the keys but did not validate anything.
![Page 260: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/260.jpg)
RRSIG - signatures are stored here
![Page 261: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/261.jpg)
Signature: hash of the RRset data, signed with the zone owner's private key
![Page 262: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/262.jpg)
RRSIG - other fields as well
![Page 263: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/263.jpg)
RRSIG - sig. inception time
![Page 264: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/264.jpg)
RRSIG - sig. expiration time
![Page 265: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/265.jpg)
RRSIG - type covered
![Page 266: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/266.jpg)
RRSIG - algorithm
![Page 267: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/267.jpg)
RRSIG - key tag
![Page 268: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/268.jpg)
RRSIG - signer's name
![Page 269: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/269.jpg)
RRSIG - Data signature
![Page 270: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/270.jpg)
# drill -D vix.com @ns.sql1.vix.com. rrsig;; QUESTION SECTION:;; vix.com. IN RRSIG
;; ANSWER SECTION:vix.com. 3600 IN RRSIG A 5 2 3600 20110629030401 20110331030401 63066 vix.com. CsxzLHeqDLi2XXKqGALXYn4lbmZrqkDzCYegv6EiZQFpPHG8oVdxvqJDCczpVHF3mykB05uHntpyoOS4om34l8fkIuVKViE6c/3b+j3jiJIfXbFYPqM501NChRf/SwkBqsmKRj4jbTp3jCicUG6M3lyNWe5B2CjVd9hEUmzrbjY= ;{id = 63066}
vix.com. 3600 IN RRSIG MX 5 2 3600 20110629030401 20110331030401 63066 vix.com. urjAd1NVJKNfUOI/l0aJRNEQJJfexjnwRTcyzcZmVvxnV5FlqlT9O4aIzcKMPnM2L3FWpf+F0Tzfjr9Cb46pUHrj9LApaKxAH7RTOGKz7t2kVd8bD62LbhkFiVVlvqVTBBIhHinzAx8wPSCaU2saAt4fYc+0w86it8IKBuwZyjE= ;{id = 63066}
vix.com. 3600 IN RRSIG DNSKEY 5 2 3600 20110629030401 20110331030401 26437 vix.com. QvyoIbB1fTtge9aBTj88oBBFUnfLdGxGoyABG3bkPDAiDB5TUgJa68UDcF5k9c5fQEHZA6rd52QRxkPKyOhb5Reh64cZMjzMBZxZaivxX+W+hmkEk9ztSgWaotNBw2RHechItBI4/IPZWRXGNPr1IIduI8KC+dm96tf404BraAU= ;{id = 26437}
![Page 271: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/271.jpg)
# drill -D vix.com @ns.sql1.vix.com. rrsig;; QUESTION SECTION:;; vix.com. IN RRSIG
;; ANSWER SECTION:vix.com. 3600 IN RRSIG A 5 2 3600 20110629030401 20110331030401 63066 vix.com. CsxzLHeqDLi2XXKqGALXYn4lbmZrqkDzCYegv6EiZQFpPHG8oVdxvqJDCczpVHF3mykB05uHntpyoOS4om34l8fkIuVKViE6c/3b+j3jiJIfXbFYPqM501NChRf/SwkBqsmKRj4jbTp3jCicUG6M3lyNWe5B2CjVd9hEUmzrbjY= ;{id = 63066}
vix.com. 3600 IN RRSIG MX 5 2 3600 20110629030401 20110331030401 63066 vix.com. urjAd1NVJKNfUOI/l0aJRNEQJJfexjnwRTcyzcZmVvxnV5FlqlT9O4aIzcKMPnM2L3FWpf+F0Tzfjr9Cb46pUHrj9LApaKxAH7RTOGKz7t2kVd8bD62LbhkFiVVlvqVTBBIhHinzAx8wPSCaU2saAt4fYc+0w86it8IKBuwZyjE= ;{id = 63066}
vix.com. 3600 IN RRSIG DNSKEY 5 2 3600 20110629030401 20110331030401 26437 vix.com. QvyoIbB1fTtge9aBTj88oBBFUnfLdGxGoyABG3bkPDAiDB5TUgJa68UDcF5k9c5fQEHZA6rd52QRxkPKyOhb5Reh64cZMjzMBZxZaivxX+W+hmkEk9ztSgWaotNBw2RHechItBI4/IPZWRXGNPr1IIduI8KC+dm96tf404BraAU= ;{id = 26437}
NSEC - Next SECure Record
NSEC - to accommodate negative authentication requests
NSEC - indicates all zones for which the name server is authoritative
NSEC - assume the following zones:
alpha.org
charlie.org
delta.org
NSEC - A query for beta.org will yield:
alpha.org NSEC charlie.org
NSEC3 : RFC5155 : 2008-02
NSEC3 - like NSEC but to prevent tree walking
NSEC3 - instead of actual names, the hash of the name is given
# drill -D rps.vix.com @ns.sql1.vix.com A
;; QUESTION SECTION:
;; rps.vix.com. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
vix.com. 3600 IN SOA ns.lah1.vix.com. hostmaster.vix.com. 2011033116 3600 1800 604800 3600
vix.com. 3600 IN RRSIG SOA 5 2 3600 20110629030401 20110331030401 63066 vix.com. fPpFeE/Y/1HfFtKTAjfWlBQafC2i4qf5gYewmr0fQHzH7xIYmvx+rpenaKfr4By2R01Dh5q6kKgB3DR7G9swmAXcAVB5TzvQ6UcmjXcGGZPw+HUwUSIAt6q559YMKxSN6DTeh7/kNlLPtoPZqSmz7rxIr0USe2VwAYDznGtlzdQ= ;{id = 63066}
vix.com. 3600 IN NSEC ns-lah1._meta.vix.com. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
vix.com. 3600 IN RRSIG NSEC 5 2 3600 20110629030401 20110331030401 63066 vix.com. Hm3dfubDRTtF8BrztQ3X2tCc5IJ7+JO3cB8F5rQhDAyzBz7XcOESJrwyUCk8YL/w3i360fUuhN3MahOdTzrzoAMxWp90yM5MRbRSzUQwQ+73cRbq2C2YEfsYPatPiL9vHnc5Wvo9xtrFEjiWK7qcHgBwO3SrXPsUYzn8seB8DtA= ;{id = 63066}
relay.vix.com. 3600 IN NSEC server99.vix.com. CNAME RRSIG NSEC
relay.vix.com. 3600 IN RRSIG NSEC 5 3 3600 20110629030401 20110331030401 63066 vix.com. SrJ3NLPntXcN+SpT9igyoEyQYznsomsbAxqfXutF5o0VDfaeHZvB2LZC7+HjCAwwH6F7YWItdRVFt4PVQ6/ouZ2K7r2RLoaMyaaHAJzhq4EN503AoFD7ONcMyVV4BIzI6vsquORSPW8H03ym/OkZOaQG0Bw2UFW/Q6Pwx4xVbKA= ;{id = 63066}
DS - Delegation Signer
DS: A key signed by the parent zone to indicate stuff down in the hierarchy can be trusted
DS: The parent zone stores the key tag, algorithm and a digest/hash of the DNSKEY in the child zone.
DS: The parent zone then signs the DS record and creates a corresponding RRSIG record
# drill -s -D vix.com DNSKEY
;; ANSWER SECTION:
vix.com. 3600 IN DNSKEY 257 3 5 AwEAAbKW5zsYMBUX4MS0yq3MNm4312c7WEF1Af2Iy2O/A+U+h7F3EtblBDJVs/LgtdjsE3JHak51iRaELLOoEvVeRIIa1UjNvXIei+QV1nlSas8LcXya0XOYA2Jfxez0pEWArN1QLhkgVDPAsEwKLzYfVjW78CFlOZnYxbBWXwKgb4z ;{id = 26437 (ksk), size = 1024b}
vix.com. 3600 IN DNSKEY 256 3 5 BEAAAAO6wBt1U39U8meHca3JBCWixBi8BvZLMJZp51/5vViM2+fh93XF1SqJaAaqgX6PszTPUlElvuTV2xTV4uQjUTaFv8qDnsjbfXVusE1v+OaQpSVuP8GjI28cGi9PgAOcz2ACdiD2XVbYKUDTJb+pqoE/o3Z6FjKf6ByTkJUI5x9Dlw== ;{id = 63066 (zsk), size = 1024b}
; vix.com. 3600 IN DS 26437 5 1 483cca94fd7e2aa30f4fca34ccf0db4ddc601388 ; xidaf-sidan-gazol-vupap-fofag-zudif-gufyz-bikag-talyk-begom-muxox
; vix.com. 3600 IN DS 63066 5 1 8229b0484396f12015de1cb7e3267ed1f109060a ; xobid-nusog-mebon-kusid-bihyt-velyr-lomid-kizut-ceseb-nacab-puxux
(Slide annotation: the two DNSKEY records belong to the vix.com. zone; the two DS records are what the parent, com., publishes for it.)
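How the parent's DS record is derived from, and checked against, the child's DNSKEY, as an added example (not code from the slides): the RFC 4034 key tag and DS digest construction, plus a parser for the presentation-format DS lines shown above. The KSK used here is a constructed toy value, not the vix.com key, so its digest is not the one on the slide.

```python
"""DS record construction and checking (added example, not from the slides).
Implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) so
the parent's DS can be derived from, and checked against, the child's DNSKEY.
The key below is a constructed toy value, not the vix.com KSK shown above."""
import hashlib
import hmac
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types SHA-1, SHA-256


def wire_name(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, 0x00."""
    out = b""
    name = name.rstrip(".").lower()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA on the wire: 2-byte flags (257 = KSK/SEP, 256 = ZSK),
    1-byte protocol (always 3), 1-byte algorithm, then the public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: add even-offset bytes as the high byte and odd-offset
    bytes as the low byte, fold the carry back in, keep 16 bits. It is a checksum,
    not a cryptographic identifier; the DS digest is what actually binds the key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """What the parent publishes for the child: (key tag, algorithm, digest type,
    hex digest), where the digest covers the child owner name plus the DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def parse_ds_rdata(text):
    """Parse the RDATA part of a presentation-format DS line, e.g.
    '26437 5 1 483cca94fd7e2aa30f4fca34ccf0db4ddc601388' (digest may be split)."""
    tag, alg, dtype, *digest = text.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).lower())


def ds_matches(owner, rdata, ds):
    """Validator side: does this DNSKEY fetched from the child match the DS signed by
    the parent? Every field is recomputed from the key; nothing in the child's
    answer is trusted on its own."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS or rdata[3] != alg or key_tag(rdata) != tag:
        return False
    recomputed = DIGEST_ALGS[dtype](wire_name(owner) + rdata).hexdigest()
    return hmac.compare_digest(recomputed, digest.lower())


# Constructed toy KSK: flags 257, protocol 3, algorithm 8 (RSASHA256), with a
# placeholder "public key" (exponent length 3, exponent 65537, four modulus bytes).
TOY_KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + b"\xc0\xff\xee\x01")

if __name__ == "__main__":
    ds = make_ds("child.example.", TOY_KSK)
    print("parent publishes: child.example. IN DS %d %d %d %s" % ds)
    print("child key matches DS:", ds_matches("child.example.", TOY_KSK, ds))
    print("slide's DS parsed:",
          parse_ds_rdata("26437 5 1 483cca94fd7e2aa30f4fca34ccf0db4ddc601388"))
```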
.CA Recommended DNSSEC Key Parameters

| Parameter | Value |
|---|---|
| Key Signing Key (KSK) | 2048 RSA |
| KSK Rollover Schedule | once per year |
| KSK Algorithm | RSA/SHA/256 |
| Zone Signing Key (ZSK) | 1024-bit RSA |
| ZSK Rollover Schedule | once per month |
| ZSK Signature Algorithm | RSA/SHA/256 |
| Authenticated Proof of Non Existence | NSEC3 with opt-out |
DNSSEC - Traversal
Caching Name Server - DNSSEC aware
(Figure: caching/recursive name server, i.e. the resolver; client, aka stub resolver; authority. See RFC 4035.)
DNSSEC - Bootstrapping
Assumption - Root Zone has been signed
Assumption - Public Keys are available
FACT - Root keys available since: 2010-07-15
DNSSEC - Fetch and Validate Root Keys
This is a manual process.
PGP signature: https://data.iana.org/root-anchors/root-anchors.asc
Guide: http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
Complete trust anchor: https://data.iana.org/root-anchors/root-anchors.xml
DNSSEC - Traversal
(Figure built up over several slides; only the step labels survive:)
0
1 Query
2 Response
3 Verification
4 Query
5 Response
6a Verification
7 Query
7 Response
8
9a
DNSSEC - Management
![Page 325: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/325.jpg)
<1>
![Page 326: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/326.jpg)
Generate a Key Signing Pair*
* KSK: Larger is better as the life time may be long
![Page 327: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/327.jpg)
<2>
![Page 328: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/328.jpg)
Create a MD of the KSK for the Boss*
* Whoever administers the zone above in the hierarchy
![Page 329: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/329.jpg)
<3>
![Page 330: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/330.jpg)
Generate a Zone Signing Pair*
* ZSK is authenticated by signing with the KSK.
4. Create the NSEC/NSEC3 RRs (signed proof that a name or type does not exist)
5. Create RRSIGs for all RRsets using the ZSK
6. Recreate RRSIGs when editing RRs or upon expiry*
* NTP is important for proper DNSSEC: RRSIG inception and expiration times are absolute timestamps, so a skewed clock makes perfectly good signatures fail validation
7. Recreate (roll over) the ZSK/KSK from time to time and re-sign
8. Time, disk, bandwidth and memory requirements (increase over an unsigned zone):

| Requirement | Cost of signing |
|---|---|
| time | hours |
| disk | 4-12x |
| bandwidth | 90% -> 400% |
| memory | 10-200% |
DNSSEC - Security
3 goals of good computer security
Confidentiality
Integrity
Availability
Confidentiality? No: DNSSEC signs DNS data, it does not encrypt it.
Integrity? Mostly.
DNSSEC - Prevents active MitM (man-in-the-middle) attacks*
* given all links in the DNS query-response chain are DNSSEC aware and validating
DNSSEC - Allows for replay attacks: a captured signed response remains valid until the RRSIG's expiration time, since signatures carry no freshness beyond that window.
DNSSEC - Crypto brute force attacks
DNSSEC - How safe is RSA/SHA-1?
Availability
Potential and Risk of
DNSSEC - Creates other types of attacks
DNSSEC - Enhances DoS/Availability attacks (signed responses are far larger than the queries that trigger them)
DNSSEC - Amplification Attack
```text
# drill -D se. @a.ns.se. DNSKEY
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37009
;; flags: qr aa rd ; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; se.	IN	DNSKEY

;; ANSWER SECTION:
se.	3600	IN	DNSKEY	256 3 5 AwEAAYUDNvoT6yfrNra/7d2c7ZoSBphCxjs5xrpPbAPi8F6aP/oC2W9xPaXa5BXcEhneMwiabUBErF4LWFkSher5z2mrPN/3/YH/78IGwMMWV2wxOAtzbLkhuXWTh7cjH2u5sR8xvVeAQgAV0fGCE/ykvj6bF2pvj1r/5KRY0izG7PAZ ;{id = 57240 (zsk), size = 1024b}
se.	3600	IN	DNSKEY	256 3 5 AwEAAdZgee2x1z9yHDWAfJ3oqAnwoU/v/awpObk6lCnxtoZ6ukq6+OxgYOdusS7qCHf+LcBRCsAehpQJAWzL7c4xRrs2PT4/z4jZMtfa1EX6hN+s0ZXjxYwR7WdqVje4/Jtn2krpUvE+jjIyegQ+DKFkbxawGJ5pG3EgU3B0MSvEonMT ;{id = 12973 (zsk), size = 1024b}
se.	3600	IN	DNSKEY	257 3 5 AwEAAbaxTum9L7z1DmPiXPk0QZ2/qUM3to210Caey/ycZuvQ8Mh/dgGpwBmyZB9xZSkaCLa2Mw6pmDLrjK9hWOffq5PXRVm9RrcA/eIEBEvbQzkY5sFkWAczNAs58Oscxi+/Gd5KfuVi3lJpYgJwwa2JB4doZ00IXywcCn0VTz0Hsl/lqpA2Bqj+e+ATzA5hWyiNyHPjiYvyMCkSXTiGgFVVuG8H3N6Us8uSABuO2UoFQeQi6YikIiCbf1FfCzr4vBIRXW6MaDs8kqAAadKjLk3i39dviL/YeyGUvq9Dan9PsvkwQejKN/7J0yCr2nYXfwGGCHkcBKkagv79EaRlZigUCp8= ;{id = 39547 (ksk), size = 2048b}
se.	3600	IN	DNSKEY	257 3 5 AwEAAb6IEZ2ETrgngbjONAC1Ob4dRs/jD0MYPcMXRzQlo/eqo5AHXvqPaav+rgA3q+I6zvWYFTMUPxNT2wdJwV4R7VbXb3pBfYPBzeacqPaWSbw4W1BFdYyOWKe0sw3gvwD62dLGbykQAqx5gUYZ8gBtFXDsJe/x+JvenC/wmz7yW6mxpn3Tzd60vE6wjXhnBs62905xckOBskVx6dI+dMLoXNG2p5tpXfT4dGrA10SFWVb2C9QTaFww9fP60QqVoYz1xU1Z5BXa5ZB1O8I4rHYGtDYU36n0UhCG4nWnTJgUbNRsN3CeeTplkZ94JS8jMsdA0x983VIn5stGU1W4juyDqF0= ;{id = 7649 (ksk), size = 2048b}
se.	3600	IN	RRSIG	DNSKEY 5 1 3600 20110409220345 20110403210548 7649 se. U8IIYExbbCcxYeTfQQGB/jEYuKnVFlG2c8bojkvt3U7fNx7l7Z3IUdEuLxATR4+xw3aKmGdfioC6EXNt5UmcOoUNxyf6t4zhEMmV9/LDXxUlASDIBmk/e5RWTCFeiY+BU2nY2Rir8owku5C+Rk9bJDx886VhnKj4qD0MJB2Xep1WmFqnPQ8siTEb/rYJ1h/3ao4wWim8lMNttTY4SQC+A7sEAFlY7vN2D73W0lAVIEde/sh6ARQEgv+YqPTYbN2Wae7tzyI1efr0Ih8suSF8DjUoLeWnFhbSzAbAooS4CegiF/Kkc+2MwuFLtzuYeZVAZnegAZuAH81N833owMfShw== ;{id = 7649}
se.	3600	IN	RRSIG	DNSKEY 5 1 3600 20110410160345 20110404150548 39547 se. E3uA3bUSOhBNTWoqARj6fSrFdxvaGDjSQRipT5Em+HUX4NO9TR2/02tweeA8QKII3bKBRfZ1r56blLK9nqOelv3UhPgEbwHwmdpC9fHbRi9FCX+hL5UuZWCUqcwnu3rTLRIckpAGf+LOnuXyurwHauVhb2ij1QQ9W/A1a4dddDwbiFxgg0Lo5xaTmA8ixw4Z59AvM5WudWHv5X1yG0VX3dDNoHFbD+PdOBuZ0ZZg4XnYKFAWBu6gUPsgTkhCrF+q+9k+0d9duybXXrDEJnOBu+YVEVu1ECtdekvGPV+UWOA/SOLfLWPNPPjjgu/JsMeKLIbgEvQIsu6zpaZvc1l8ng== ;{id = 39547}
```
Response:Query size ratio = 120:1
Average amplification factor: 30x
DNSCurve
DNSCurve: Rationale
DNSSEC: 15 years in the making
DNSSEC: does not solve all the security issues
DNSCurve: History
Designed by Daniel J. Bernstein: mathematician, cryptologist, programmer
DNSCurve: Proposed in 2008
DNSCurve: Objectives
Confidentiality
All DNS payload data is encrypted
IP, UDP, TCP headers are plaintext
Encryption Methods
Does not use standard RSA
Does use ECC*
* Elliptic-Curve Cryptography
Specifically: Curve25519
Curve25519 is open/free
Curve25519 is fast enough to encrypt every query and response in real time
RSA-1024 requires ~2^80 operations to break
How large, computationally speaking, is 2^80?
x 1 year == 2^69
2048 of those x 1 year == 2^80 (2^69 x 2^11)
2003: 1024-bit RSA deemed breakable
2003: RSA Labs recommends 2048-bit RSA for the remainder of the decade
2005: NSA recommends ECC for all public-key cryptography, withdrawing its previous RSA recommendations
2007: NIST recommends 2048-bit RSA
2010: US gov. recommends 2048-bit RSA
Curve25519 == ~3000-bit RSA (equivalent security level)
ECC-256 requires 2^128 operations
ECC-256: no attack degradation in 25 years
Confidentiality? Yes.
Integrity...
All DNS queries and responses are cryptographically authenticated
Authenticity is guaranteed; non-repudiation is not: the box is authenticated with a key that client and server share, so either side could have produced it
Uses nonces* in all communication to prevent replay attacks
* one-time-use number
Backwards compatible with regular DNS services
Integrity? Yes.
Availability
Server: several authoritative servers
Client: non-authenticated/rogue DNS servers are rejected
Client: some amplification is still produced
Availability? Mostly.
Protocol Specification
Two data formats are used
Streamlined Format
Custom & Efficient
Query Format

CHAPTER 4. DNSCURVE 4.4. SPECIFICATION

information that is needed for a DNSCurve conversation. It should however be noticed there is a difference between a streamlined query, and a streamlined response.

Let's first focus on a streamlined query. Figure 4.1 illustrates what a streamlined query looks like. Remark that the figure is 16-byte horizontally aligned; one box in the protocol format is one byte.

```text
                                1  1  1  1  1  1
  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Q| 6| f| n| v| W| j| 8|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|               CLIENT PUBLIC KEY               |
|                                               |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|           CLIENT NONCE            |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/                                               /
/               CRYPTOGRAPHIC BOX               /
/                                               /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
```

Figure 4.1: DNSCurve streamlined query format

A query starts with an 8-byte fixed string (i.e. Q6fnvWj8) that will always prefix a streamlined DNSCurve query packet. What follows is the client's public key, which is 32 bytes long. How and what this client public key exactly is will be discussed in the next subsection, which focuses on the cryptographic primitives used.

Next, a 12-byte client-selected nonce can be distinguished. This nonce should be different for each and every packet. It is used to guarantee freshness and helps by preventing replay attacks. The specification [6] suggests using either a counter or time-related data for the first 64 bits of the nonce. The last 32 bits can be cryptographically random. This would make collisions improbable.

Finally an arbitrary-length cryptographic box is found. This cryptographic box will contain the entire original standard DNS query packet, only now encrypted and authenticated. What this cryptobox exactly is will be discussed in a later subsection, which focuses on DNSCurve's cryptography.

It might seem awkward that there is no length field specifying the size of the cryptographic box. This is done on purpose, because operating systems deliver the entire streamlined packet together with its total number of bytes to a program, making it easy to calculate the only variable length in the packet.

Notice that all bytes discussed here are truly bytes, in the sense that there is no restriction on (alpha-)numeric character use.

Response Format
Now focus on a streamlined response. The format of a streamlined response packet is portrayed in Figure 4.2.
  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| R| 6| f| n| v| W| J| 8|
+--+--+--+--+--+--+--+--+--+--+--+--+
|           CLIENT NONCE            |
+--+--+--+--+--+--+--+--+--+--+--+--+
|           SERVER NONCE            |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/               CRYPTOGRAPHIC BOX               /
/                                               /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Figure 4.2: DNSCurve streamlined response format
Just like the query format, this packet is prefixed with an 8-byte fixed string (equal to the one from the query, only the first byte is different, indicating that it is a response: R6fnvWj8). What follows is a copy of the client's 12-byte nonce that was sent to the server in the query packet. Next, a server-selected 12-byte nonce is included. This nonce, together with the client's, guarantees total freshness, and it should be created in the same manner as the client nonce. Finally, the cryptographic box containing the entire regular DNS response can be found. The length of the box is again arbitrary.
It is obvious that the client's public key is not needed anymore in a response, since it is already known by the client. It is therefore intentionally left out.
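The two streamlined layouts above, as an added Python example (this is not code from the thesis, the slides or any DNSCurve implementation). It builds and parses query and response packets with the byte strings as drawn in Figures 4.1 and 4.2 (Q6fnvWj8 and R6fnvWJ8), derives the box length from the datagram length exactly as the text explains, and follows the specification's nonce suggestion of 64 bits of counter or time plus 32 random bits (the big-endian counter is this example's choice). The box is carried as opaque placeholder bytes, since the cryptographic box is covered in a later subsection; all keys, nonces and boxes in round_trip() are constructed values.

```python
import secrets
from dataclasses import dataclass

# 8-byte prefixes as drawn in Figures 4.1 and 4.2.
QUERY_MAGIC = b"Q6fnvWj8"
RESPONSE_MAGIC = b"R6fnvWJ8"
KEY_LEN = 32                                        # client public key
NONCE_LEN = 12                                      # client and server nonces
QUERY_HDR = len(QUERY_MAGIC) + KEY_LEN + NONCE_LEN  # 52 bytes before the box
RESPONSE_HDR = len(RESPONSE_MAGIC) + 2 * NONCE_LEN  # 32 bytes before the box


class StreamlinedFormatError(ValueError):
    """Datagram is not a well-formed streamlined packet."""


@dataclass(frozen=True)
class Query:
    client_pk: bytes
    nonce: bytes
    box: bytes  # opaque here; a crypto_box of the DNS query in real DNSCurve


@dataclass(frozen=True)
class Response:
    client_nonce: bytes
    server_nonce: bytes
    box: bytes


def make_nonce(counter: int) -> bytes:
    """12-byte nonce as the specification suggests: 64 bits of counter (or
    time) followed by 32 random bits.  The big-endian counter is this
    example's choice; the text fixes no byte order."""
    return counter.to_bytes(8, "big") + secrets.token_bytes(4)


def build_query(client_pk: bytes, nonce: bytes, box: bytes) -> bytes:
    if len(client_pk) != KEY_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("client public key must be 32 bytes, nonce 12 bytes")
    return QUERY_MAGIC + client_pk + nonce + box


def parse_query(datagram: bytes) -> Query:
    """The box carries no length field: it is whatever follows the fixed
    52-byte header, so its size comes from the datagram length."""
    if len(datagram) < QUERY_HDR:
        raise StreamlinedFormatError("shorter than a streamlined query header")
    if datagram[:8] != QUERY_MAGIC:
        raise StreamlinedFormatError("no Q6fnvWj8 prefix: not a streamlined query")
    return Query(datagram[8:8 + KEY_LEN], datagram[8 + KEY_LEN:QUERY_HDR],
                 datagram[QUERY_HDR:])


def build_response(client_nonce: bytes, server_nonce: bytes, box: bytes) -> bytes:
    if len(client_nonce) != NONCE_LEN or len(server_nonce) != NONCE_LEN:
        raise ValueError("both nonces must be 12 bytes")
    return RESPONSE_MAGIC + client_nonce + server_nonce + box


def parse_response(datagram: bytes, sent_nonce: bytes) -> Response:
    """A resolver accepts a response only if the echoed client nonce is the
    one it sent; an unsolicited or replayed reply fails here before the box
    is even opened."""
    if len(datagram) < RESPONSE_HDR:
        raise StreamlinedFormatError("shorter than a streamlined response header")
    if datagram[:8] != RESPONSE_MAGIC:
        raise StreamlinedFormatError("no R6fnvWJ8 prefix: not a streamlined response")
    client_nonce = datagram[8:8 + NONCE_LEN]
    if client_nonce != sent_nonce:
        raise StreamlinedFormatError("client nonce does not match an outstanding query")
    return Response(client_nonce, datagram[8 + NONCE_LEN:RESPONSE_HDR],
                    datagram[RESPONSE_HDR:])


def classify(datagram: bytes) -> str:
    """'query', 'response' or 'other'.  A regular DNS packet starts with its
    16-bit ID and never with either prefix, which is what a firewall that
    inspects port 53 traffic notices."""
    if len(datagram) >= QUERY_HDR and datagram[:8] == QUERY_MAGIC:
        return "query"
    if len(datagram) >= RESPONSE_HDR and datagram[:8] == RESPONSE_MAGIC:
        return "response"
    return "other"


def round_trip(box_len: int = 40) -> bool:
    """Constructed self-check: placeholder key and boxes, real layout."""
    client_pk = secrets.token_bytes(KEY_LEN)  # placeholder, not a real key
    sent = make_nonce(1)
    q = parse_query(build_query(client_pk, sent, b"\x00" * box_len))
    r = parse_response(build_response(q.nonce, make_nonce(1), b"\x01" * 2 * box_len), sent)
    return (q.client_pk == client_pk and len(q.box) == box_len
            and r.client_nonce == sent and len(r.box) == 2 * box_len)
```

The nonce comparison in parse_response() is what ties a response to the query it answers; a reply whose client nonce is not outstanding is dropped without any cryptographic work, and classify() shows why a port-53 filter that expects a DNS header in the first bytes rejects both streamlined formats.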
TXT-format
It is clear that a firewall that actively inspects every packet passing on UDP port 53 will notice that a streamlined query is not a true DNS query. It will therefore reject the packet, making DNSCurve unavailable to clients behind this firewall. That is why the TXT-format was introduced. As the name suggests, DNSCurve uses TXT-type resource records to 'hide' its details in. Just like with the streamlined format, a distinction has been made between a query and a response format.
There is not much space in a regular DNS query to hide any information in. Most firewalls allow only one query in the query section, and zero records in the answer, authority and additional sections. This means that all information that a client has to send to a server should be put inside a part that has
![Page 410: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/410.jpg)
TXT-Format
Deep DNS 53
![Page 411: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/411.jpg)
DNSCurve: Key Usage
![Page 412: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/412.jpg)
No new RRs are introduced
![Page 413: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/413.jpg)
DNSSEC: RRs provide the keys
![Page 414: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/414.jpg)
DNSCurve: No new RRs
![Page 415: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/415.jpg)
How do we get the name server keys?
![Page 416: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/416.jpg)
“If it were not for key management, Cryptography would be easy!”
![Page 417: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/417.jpg)
“note -- i think dnssec is terribly ugly but i have come to terms with that and am pushing forward with it because i want what it can do for the world.”
Paul Vixie, BIND/DNSSEC author/architect
![Page 418: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/418.jpg)
Keys are obtained from existing RRs!
![Page 419: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/419.jpg)
Server pub keys are hidden in NS records
![Page 420: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/420.jpg)
E.g. example.org
![Page 421: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/421.jpg)
Regular DNS: ns1.example.org
![Page 422: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/422.jpg)
DNSCurve: uz5dkhm9g380kyx9slmktyvmb1h0ck7whwzc5uqvl8f1cwfp8zl3ub.ns1.example.org
![Page 423: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/423.jpg)
DNSCurve: Traversal
![Page 424: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/424.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (the diagram is an image on the slide, marked 0; its labels are listed here, and the numbered circles 0 to 9 of the figure mark the steps described in the text below)
Client key pair: nd871j5kdrl0pzsw··· (private key), x1a3f29d0rxc7wq9··· (public key)
Trust anchors: org. NS uz5b63cp···.ns1.iana.com. and org. NS uz5yw28c···.ns2.iana.com.
To the . name servers, Query: foo.example.org. A
Response: org. NS uz5b63cp···.ns1.iana.com. org. NS uz5yw28c···.ns2.iana.com.
To the uz5b63cp···.ns1.iana.com name server, Query: Q6fnvWj8··· (DNSCurve query packet containing: foo.example.org. A)
Response: R6fnvWJ8··· (DNSCurve response packet containing: example.org. NS uz5j1lcp···.ns1.example.org. example.org. NS uz5bm7r2···.ns2.example.org. uz5j1lcp···.ns1.example.org. A 127.0.0.1 uz5bm7r2···.ns2.example.org. A 192.168.0.1)
To the uz5bm7r2···.ns2.example.org. name server, Query: Q6fnvWj8··· (DNSCurve query packet containing: foo.example.org. A)
Response: R6fnvWJ8··· (DNSCurve response packet containing: foo.example.org A 10.34.56.78)
private key. The lower base-32 encoded string is the client's public key, which is preceded by the magic (client public key) string x1a.
1. Because no trusted keys are found for the root (.), a regular DNS A-type query for foo.example.org is sent to one of the randomly picked root servers.
2. The root servers do not know anything about foo.example.org, but they do know something about the .org zone. A regular DNS response is received with this information included.
Note that this response can be subject to active cache poisoning attacks. However, because a trusted key is used for the .org zone, a rogue response will be noticed in the next step.
3. The first 'verification' step can now start. Since no DNSCurve response has been received, nothing has to be done with the received packet. However, referrals have been received that refer to the same zone that is in the trusted keys of circle 0. To initiate trust in these keys, the received ones and the already known ones are compared. If they are equal, the
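The two key-handling operations that the slides and the text above describe, as an added Python example (not code from the thesis, the slides or any DNSCurve implementation): recovering a server's public key from an NS target name such as the uz5... label on the example.org slide, and the step-3 check that compares the keys carried by an unauthenticated referral against the trusted keys of circle 0. The little-endian base-32 encoding with alphabet 0123456789bcdfghjklmnpqrstuvwxyz is the one DNSCurve uses for the 51 digits after uz5. The trust anchors and the forged referral in demo() are constructed values, and requiring the received key set to equal the trusted set exactly is this example's reading of "compared ... equal".

```python
from typing import Dict, List, Optional

# DNSCurve base-32 alphabet: the ten digits and the consonants; a, e, i and o
# are left out.  Digits are read little-endian, 5 bits each.
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
KEY_MAGIC = "uz5"                          # marks a server public key in a name
KEY_DIGITS = 51                            # 51 x 5 = 255 bits
LABEL_LEN = len(KEY_MAGIC) + KEY_DIGITS    # 54-character label

# The label shown on the example.org slide.
SLIDE_LABEL = "uz5dkhm9g380kyx9slmktyvmb1h0ck7whwzc5uqvl8f1cwfp8zl3ub"


def encode_key(key: bytes) -> str:
    """32-byte public key -> 54-character label.  Only 255 bits fit, so the
    top bit of the last byte must be 0 (true of reduced Curve25519 keys)."""
    if len(key) != 32:
        raise ValueError("public key must be 32 bytes")
    n = int.from_bytes(key, "little")
    if n >> 255:
        raise ValueError("top bit of the key must be 0")
    return KEY_MAGIC + "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(KEY_DIGITS))


def decode_key(label: str) -> bytes:
    """54-character label -> 32-byte public key; rejects a bad length, prefix
    or any character outside the alphabet with ValueError."""
    if len(label) != LABEL_LEN or not label.startswith(KEY_MAGIC):
        raise ValueError("not a DNSCurve key label")
    n = 0
    for i, ch in enumerate(label[len(KEY_MAGIC):]):
        n |= ALPHABET.index(ch) << (5 * i)   # ValueError on a/e/i/o or upper case
    return n.to_bytes(32, "little")


def key_from_ns_name(name: str) -> Optional[bytes]:
    """Key hidden in an NS target such as uz5...ub.ns1.example.org, or None
    when the first label is not a key label."""
    first = name.rstrip(".").split(".")[0]
    if len(first) != LABEL_LEN or not first.startswith(KEY_MAGIC):
        return None
    try:
        return decode_key(first)
    except ValueError:
        return None


def referral_matches_anchors(zone: str, received_ns: List[str],
                             anchors: Dict[str, List[str]]) -> bool:
    """Step 3 of the traversal: NS names from an unauthenticated referral are
    accepted only if the keys they carry equal the trusted keys held for the
    zone.  Keys are compared, not host names, because the key is what the
    next query will be encrypted to.  Exact set equality is this example's
    reading of the text."""
    trusted = anchors.get(zone)
    if trusted is None:
        return False
    received = {key_from_ns_name(n) for n in received_ns}
    if None in received:          # a referral without keys cannot be verified
        return False
    return received == {key_from_ns_name(n) for n in trusted}


def demo() -> bool:
    """Constructed scenario: two trust anchors for org., one genuine referral
    and one whose NS name carries a different (all-zero) key."""
    anchor_ns = [encode_key(bytes(range(32))) + ".ns1.iana.com.",
                 encode_key(bytes(range(32, 64))) + ".ns2.iana.com."]
    anchors = {"org.": anchor_ns}
    genuine = referral_matches_anchors("org.", anchor_ns, anchors)
    forged = referral_matches_anchors(
        "org.", [encode_key(bytes(32)) + ".ns1.iana.com."], anchors)
    return genuine and not forged
```

Because the referral in step 2 arrives as plain DNS, a poisoned answer can substitute any NS names it likes; what it cannot do is make the key digits in those names decode to the keys already held as trust anchors, which is why the comparison is done on the decoded keys rather than on the names.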
![Page 425: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/425.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (repeated from the previous slide; marked 1 on this slide)
![Page 426: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/426.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (repeated; marked 2 on this slide)
![Page 427: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/427.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (repeated; marked 3 on this slide)
![Page 428: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/428.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (repeated; marked 4 on this slide)
![Page 429: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/429.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (repeated; marked 5 on this slide)
![Page 430: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/430.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (repeated; marked 6 on this slide)
![Page 431: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/431.jpg)
Figure 4.6: Graphical representation of a DNSCurve traversal (repeated; marked 7 on this slide)
![Page 432: DNS Security - mcmaster.ca presentations/Session 4... · DNS == Domain Name System . Stub Resolver. Caching Name Server. Authoritative Name Server Function of the DNS](https://reader033.vdocument.in/reader033/viewer/2022041823/5e5f7421f1b54d008c566558/html5/thumbnails/432.jpg)
CHAPTER 4. DNSCURVE 4.4. SPECIFICATION
Figure 4.6: Graphical representation of a DNSCurve traversal. (The figure survives only as text; the exchange it depicts, in time order, is listed below.)
Trust anchors held by the client: org. NS uz5b63cp···.ns1.iana.com. and org. NS uz5yw28c···.ns2.iana.com.
Client key pair: nd871j5kdrl0pzsw··· (private key) and x1a3f29d0rxc7wq9··· (public key).
To the root (.) name servers: regular DNS query foo.example.org. A; regular DNS response: org. NS uz5b63cp···.ns1.iana.com., org. NS uz5yw28c···.ns2.iana.com.
To the uz5b63cp···.ns1.iana.com name server: DNSCurve query Q6fnvWj8··· (containing foo.example.org. A); DNSCurve response R6fnvWJ8··· (containing example.org. NS uz5j1lcp···.ns1.example.org., example.org. NS uz5bm7r2···.ns2.example.org., uz5j1lcp···.ns1.example.org. A 127.0.0.1, uz5bm7r2···.ns2.example.org. A 192.168.0.1).
To the uz5bm7r2···.ns2.example.org. name server: DNSCurve query Q6fnvWj8··· (containing foo.example.org. A); DNSCurve response R6fnvWJ8··· (containing foo.example.org. A 10.34.56.78).
private key. The lower base-32 encoded string is the client's public key,
which is preceded by the magic (client public key) string: x1a.
1. Because no trusted keys are found for the root (.), a regular DNS A-type
query for foo.example.org is sent to one of the randomly picked root servers.
2. The root server does not know anything about foo.example.org, but it does
know something about the .org zone. A regular DNS response is received with
this information included. Note that this response can be subject to active
cache poisoning attacks. However, because a trusted key is used for the .org
zone, a rogue response will be noticed in the next step.
3. The first 'verification' step can now start. Since no DNSCurve response
is received, nothing has to be done with the received packet. However,
referrals have been received that refer to the same zone that is in the
trusted keys of circle 0. To initiate trust in these keys, the received
ones and the already known ones are compared. If they match, the
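The step-3 comparison of referral keys against the anchored ones, as an added Python example that is not part of the thesis or of any DNSCurve implementation. The `uz5` magic and the 54-character key labels are DNSCurve's; the little-endian base-32 bit order is assumed to mirror DNSCurve's, and the helper names and the sample keys in the test are constructed here.

```python
from typing import List, Optional, Set

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve's base-32 alphabet
MAGIC = "uz5"                                   # magic prefix of a server public key

def b32_encode(raw: bytes) -> str:
    """Little-endian base-32, 5 bits per character, lowest bits first (assumed
    to mirror DNSCurve). 32 key bytes give 51 characters: bit 255 is zero."""
    out, acc, bits = [], 0, 0
    for byte in raw:
        acc |= byte << bits
        bits += 8
        while bits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            bits -= 5
    if acc:  # left-over high bits must be zero for a Curve25519 public key
        raise ValueError("not a valid Curve25519 public key (high bit set)")
    return "".join(out)

def b32_decode(text: str) -> bytes:
    """Inverse of b32_encode: the 7 bits left after 51 characters form byte 31."""
    out, acc, bits = bytearray(), 0, 0
    for ch in text:
        acc |= ALPHABET.index(ch) << bits
        bits += 5
        if bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc & 0xFF)
    return bytes(out)

def server_key(ns_name: str) -> Optional[bytes]:
    """The 32-byte key carried in a DNSCurve NS name, or None for a plain name
    (no key to verify: the resolver talks regular DNS to that server)."""
    label = ns_name.split(".")[0]
    if len(label) != 3 + 51 or not label.startswith(MAGIC):
        return None
    if any(c not in ALPHABET for c in label[3:]):
        return None  # malformed key text is treated like a keyless name
    return b32_decode(label[3:])

def referral_matches_anchors(received_ns: List[str], anchors: Set[bytes]) -> bool:
    """Step 3 of the traversal: the referral is trusted only if the set of keys
    it carries equals the set of keys already held for that zone."""
    keys = {server_key(name) for name in received_ns}
    return None not in keys and keys == anchors
```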
Conclusions
DNSSEC is big and messy
DNSSEC solves some security problems, but creates some significant others
DNSSEC has problems with the last mile
Given HTTPS, what exactly does DNSSEC offer?
DNSCurve is less messy
DNSCurve solves more problems than DNSSEC
DNSCurve is a more general solution
Both DNSSEC & DNSCurve need to be tested and tried locally.