Why DNSSEC?
James Galvin, Ph.D. Afilias Limited
9 September 2014 ION Belfast
© 2014 Afilias Limited 1
Afilias and DNSSEC
• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
– Second largest registry service provider
– Have one of the largest DNS infrastructures
• Started with DNSSEC in 2008
– Signed ORG in June 2009
– Found bug in DNSSEC extension to EPP
– ORG offered signed delegations in June 2010
– Signed all TLDs and offered signed delegations soon after
– Root signed in July 2010

• DNSSEC Basics
• Benefits of DNSSEC
• Internet Future

DNSSEC - BASICS

What is DNSSEC?
• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
• This is most often used to bind an IP address to a domain name, e.g., to find a web site.
• The validation of the assertion is possible independent of its source.
• Features
– Critical Infrastructure: everything uses the DNS
– Hierarchical: delegate and distribute responsibility

DNS with DNSSEC
[Figure: the resolution path with DNSSEC. A DNSSEC-aware local application/service client asks its stub resolver, which asks an iterative resolver; both keep a local cache. The iterative resolver walks the hierarchy: (1) the root servers, (2) the TLD authoritative NS, (3) the SLD authoritative NS, each of which serves DNSSEC-signed data.]

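The two slides above describe a chain of assertions: each zone signs its own data, each parent vouches for its child's key, and a resolver that holds only the root key can validate an answer without trusting whoever delivered it. The Go program below is an added example written for this page, not code from the deck or from Afilias. It models that chain with ECDSA P-256 signatures (DNSSEC algorithm 13) and SHA-256 DS digests; the RR, Zone and Link types, the record serialisation, and the root / org. / example.org. hierarchy with its A record are constructed simplifications and are not the RFC 4034 wire formats (no KSK/ZSK split, no RRSIG header fields, no canonical ordering).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
)

// RR is a simplified resource record: owner name, type and rdata as text.
type RR struct{ Owner, Type, Data string }

// digest hashes an RRset in a fixed serialisation (RFC 4034 canonical ordering omitted).
func digest(rrs []RR) []byte {
	s := ""
	for _, rr := range rrs {
		s += strings.ToLower(rr.Owner) + "\x00" + rr.Type + "\x00" + rr.Data + "\n"
	}
	h := sha256.Sum256([]byte(s))
	return h[:]
}

// Zone holds a zone's signing key (real zones split KSK and ZSK; one key here).
type Zone struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewZone(name string) *Zone {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails when the system RNG is unavailable
	}
	return &Zone{Name: name, key: k}
}

// DNSKEY publishes the zone's public key (DER SubjectPublicKeyInfo, hex-encoded).
func (z *Zone) DNSKEY() RR {
	der, _ := x509.MarshalPKIXPublicKey(&z.key.PublicKey)
	return RR{z.Name, "DNSKEY", hex.EncodeToString(der)}
}

// Sign returns an RRSIG-like signature: ECDSA P-256 with SHA-256, DNSSEC algorithm 13.
func (z *Zone) Sign(rrs []RR) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, z.key, digest(rrs))
	if err != nil {
		panic(err) // likewise RNG failure only
	}
	return sig
}

// DS is what the parent publishes about a child: SHA-256 (DS digest type 2) over the child's name and DNSKEY rdata.
func DS(childKey RR) RR {
	sum := sha256.Sum256([]byte(strings.ToLower(childKey.Owner) + childKey.Data))
	return RR{childKey.Owner, "DS", hex.EncodeToString(sum[:])}
}

// verify checks a signature against a DNSKEY: no network, no trust in the courier.
func verify(dnskey RR, rrs []RR, sig []byte) bool {
	der, _ := hex.DecodeString(dnskey.Data) // malformed hex fails to parse below
	pub, err := x509.ParsePKIXPublicKey(der)
	ec, ok := pub.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(ec, digest(rrs), sig)
}

// Link is one delegation: the child's DS as signed by the parent, plus the child's DNSKEY.
type Link struct{ DS, Key RR; DSSig []byte }

// Validate walks the chain of trust from the root anchor (trusted) down to the signing
// zone: each DS must verify under the parent's key and each DNSKEY must match its DS.
func Validate(trusted RR, chain []Link, answer []RR, sig []byte) error {
	for _, l := range chain {
		if !verify(trusted, []RR{l.DS}, l.DSSig) {
			return fmt.Errorf("DS for %s is not validly signed by %s", l.DS.Owner, trusted.Owner)
		}
		if DS(l.Key).Data != l.DS.Data {
			return fmt.Errorf("DNSKEY for %s does not match its parent's DS", l.Key.Owner)
		}
		trusted = l.Key // the parent has vouched for this key
	}
	if !verify(trusted, answer, sig) {
		return fmt.Errorf("answer is not validly signed by %s", trusted.Owner)
	}
	return nil
}

// BuildDemo sets up root / org. / example.org. and a signed A record; all values constructed.
func BuildDemo() (anchor RR, chain []Link, answer []RR, sig []byte) {
	root, org, ex := NewZone("."), NewZone("org."), NewZone("example.org.")
	chain = []Link{
		{DS: DS(org.DNSKEY()), DSSig: root.Sign([]RR{DS(org.DNSKEY())}), Key: org.DNSKEY()},
		{DS: DS(ex.DNSKEY()), DSSig: org.Sign([]RR{DS(ex.DNSKEY())}), Key: ex.DNSKEY()},
	}
	answer = []RR{{"www.example.org.", "A", "203.0.113.10"}}
	return root.DNSKEY(), chain, answer, ex.Sign(answer)
}
```

Validate returns nil for the answer that BuildDemo signs. Swapping the address while keeping the original signature, presenting a DNSKEY for example.org. that no DS in org. vouches for, or handing over a chain that skips the TLD all produce an error. Only the root DNSKEY is configured in the resolver; every other key and record is checked rather than trusted, which is what the slide means by validation being independent of the source.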
Who are the Players?
• Domain registration system
– Registries: operate the TLDs
– (Registrars): middleman between registry and registrant
– Registrant: own, manage, and deploy domain names
• Domain name system
– Root system
– Registries
– DNS Operators (authoritative)
• Community
– ISPs
– Users (maybe not)

BENEFITS OF DNSSEC
Why DNSSEC?
• DNSSEC protects the DNS system from cache poisoning attacks, viz. the “Kaminsky Bug”
• DNS is a critical infrastructure system. Virtually everything depends on it.
• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.

Without DNSSEC…
When you visit a web site, can you be sure you are communicating with the server that you think you are?

TLS/SSL and DNSSEC benefits
[Figure: what each technology guarantees. DNSSEC: the DNS data is signed, giving authentication and integrity of the DNS data (guaranteed not tampered); it does not encrypt. TLS/SSL: encryption, authentication and integrity of the data carried over the TLS/SSL channel. Caption: DNSSEC protects users from DNS data tampered with by, or originating from, malicious actors.]

INTERNET FUTURE
Building Trusted Domains
• A domain name is just a label. Most commonly used to identify hosts and services.
– Web sites
– Application servers
• DNSSEC ensures we have the correct service/address
• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
• Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service

DNSSEC Challenges
• Security increases the baseline expertise required
• Key management becomes mainstream
– Key rollover timings are subtle
• DNS operators are visibly essential
– DNS Operator and registrar/registry relationship
– Transfers are a process
• Key rollover is required
• Losing and gaining operator must overlap services

The demand for DNSSEC?
• A mix of pioneers, early adopters and legislated compliance
• In the early stages for registrant/user, application, and service awareness
[Figure: Barriers weighed against Incentives; items shown: New hw & sw solutions, Signing TLDs, Costs, Complexity.]

What’s Next?
• Centralize the complexity
– Registrars
– DNS operators
– Application service providers
• Keep it simple for the registrant/user
– Should be invisible
• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we cannot yet imagine.

Pervasive Monitoring
• IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance
– http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html
– http://tools.ietf.org/html/rfc7258
– DNS-based Authentication of Named Entities (DANE)

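The “Building Trusted Domains” slide proposes matching the domain in the TLS/SSL certificate with the domain established through DNSSEC, and DANE (named on the slide above) is the standard way to do that: the zone publishes a TLSA record (RFC 6698) describing the certificate or key a host must present, and the client only honours that record once DNSSEC has validated it. The Go program below is an added example written for this page, not code from the deck, from Afilias or from any DANE library. It assumes the TLSA record has already been fetched and DNSSEC-validated (no DNS is done here), builds a self-signed certificate as constructed input for the host name www.example.org, and checks a presented certificate against a DANE-EE (usage 3) record with the SubjectPublicKeyInfo selector and SHA-256 matching.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is the rdata of a TLSA record (RFC 6698): certificate usage, selector,
// matching type and certificate association data.
type TLSA struct {
	Usage, Selector, Matching int
	Data                      []byte
}

// ParseTLSA reads presentation format such as "3 1 1 <hex>".
func ParseTLSA(rdata string) (TLSA, error) {
	var r TLSA
	var h string
	if _, err := fmt.Sscanf(rdata, "%d %d %d %s", &r.Usage, &r.Selector, &r.Matching, &h); err != nil {
		return r, fmt.Errorf("TLSA: %v", err)
	}
	d, err := hex.DecodeString(h)
	r.Data = d
	return r, err
}

func (r TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", r.Usage, r.Selector, r.Matching, hex.EncodeToString(r.Data))
}

// assocData derives the association data for cert under the given selector
// (0 = whole certificate, 1 = SubjectPublicKeyInfo) and matching type
// (0 = exact bytes, 1 = SHA-256); SHA-512 (type 2) is left out for brevity.
func assocData(cert *x509.Certificate, selector, matching int) ([]byte, error) {
	var in []byte
	switch selector {
	case 0:
		in = cert.Raw
	case 1:
		in = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("TLSA: unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return in, nil
	case 1:
		s := sha256.Sum256(in)
		return s[:], nil
	}
	return nil, fmt.Errorf("TLSA: unsupported matching type %d", matching)
}

// TLSAFor builds the record a zone owner would publish for cert.
func TLSAFor(cert *x509.Certificate, usage, selector, matching int) (TLSA, error) {
	d, err := assocData(cert, selector, matching)
	return TLSA{usage, selector, matching, d}, err
}

// VerifyDANE checks a presented certificate against a DANE-EE (usage 3) record
// obtained through DNSSEC, then confirms the certificate names the host. Usages
// 0-2 also require PKIX validation and are rejected here rather than skipped.
func VerifyDANE(host string, rec TLSA, cert *x509.Certificate) error {
	if rec.Usage != 3 {
		return fmt.Errorf("TLSA usage %d needs PKIX validation; not handled here", rec.Usage)
	}
	want, err := assocData(cert, rec.Selector, rec.Matching)
	if err != nil {
		return err
	}
	if string(want) != string(rec.Data) {
		return fmt.Errorf("certificate does not match TLSA record for %s", host)
	}
	return cert.VerifyHostname(host)
}

// SelfSigned makes a throwaway certificate for host: constructed test input, and
// the kind of certificate DANE-EE lets a site use without a public CA.
func SelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate with a different key, or one that names another host, fails VerifyDANE, and a usage-1 record is refused because the example does not perform the PKIX chain validation that usage requires. The security of the whole check rests on the TLSA record having arrived through a validating resolver: without DNSSEC, an attacker who can forge DNS answers could forge the TLSA record too. RFC 7671 later relaxed the host-name check for DANE-EE, since the record itself is name-specific; it is kept here because that match is exactly the assurance the slide describes.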
Thank You!
James Galvin
jgalvin “at” afilias.info
+1-215-706-5715
https://afilias.info/dnssec