![Page 1: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/1.jpg)
The Business Case for DNSSEC and DANE
ION Tokyo, November 17, 2014
Dan York, Senior Content Strategist, Internet Society, [email protected]
![Page 2: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/2.jpg)
Overview of DNS Security Extensions (DNSSEC)
![Page 3: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/3.jpg)
A Normal DNS Interaction
[Diagram: the Web Browser asks the DNS Resolver "example.com?"; the resolver walks the hierarchy (DNS Svr root answers ".com NS", DNS Svr .com answers "example.com NS", DNS Svr example.com answers 10.1.1.123), returns 10.1.1.123 to the browser, and the browser fetches https://example.com/ from the Web Server and receives the web page. Steps are numbered 1 to 6 on the slide.]
![Page 4: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/4.jpg)
Attacking DNS
[Diagram: the same flow, but an "Attacking DNS Svr example.com" answers the resolver with 192.168.2.2 instead of the legitimate server's 10.1.1.123; the resolver passes 192.168.2.2 to the Web Browser, which then fetches https://example.com/ from a False Site posing as example.com. Steps are numbered 1 to 6 on the slide.]
![Page 5: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/5.jpg)
A Poisoned Cache
[Diagram: the Web Browser asks the DNS Resolver "example.com?" and receives 192.168.2.2 straight from the resolver's cache, so it fetches https://example.com/ from the False Site posing as example.com. Steps are numbered 1 to 4 on the slide.]
Resolver cache now has wrong data:
example.com 192.168.2.2
This stays in the cache until the Time-To-Live (TTL) expires!
![Page 6: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/6.jpg)
A DNSSEC Interaction
[Diagram: as in the normal interaction, but each referral now carries DS records alongside the NS records (".com NS DS" from the root, "example.com NS DS" from .com), and DNS Svr example.com returns 10.1.1.123 together with its DNSKEY and RRSIGs; the resolver validates the chain and hands 10.1.1.123 to the Web Browser, which fetches https://example.com/ from the Web Server and receives the web page. Steps are numbered 1 to 6 on the slide.]
![Page 7: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/7.jpg)
Attempting to Spoof DNS
[Diagram: the "Attacking DNS Svr example.com" answers 192.168.2.2 with its own DNSKEY and RRSIGs, but those do not chain to the DS records the resolver obtained from the root and .com (".com NS DS", "example.com NS DS"); validation fails and the resolver returns SERVFAIL to the Web Browser instead of the forged address. Steps are numbered 1 to 6 on the slide.]
![Page 8: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/8.jpg)
DNSSEC Is Not Just For The Web
DNSSEC protects ALL information coming from DNS
Significant deployments of DNSSEC (and DANE) in:
• Email (SMTP)
• Instant messaging (XMPP/Jabber)
Other potential uses:
• Voice over IP (VoIP)
• Any application that communicates over the Internet
![Page 9: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/9.jpg)
Email Hijacking – A Current Threat
• CERT-CC researchers have identified that someone is hijacking email by using DNS cache poisoning of MX records
• Could be prevented by DNSSEC deployment
• CERT-CC (Sept 10, 2014):
  – https://www.cert.org/blogs/certcc/post.cfm?EntryID=206
• Deploy360 blog post (Sept 12, 2014):
  – http://wp.me/p4eijv-5jI
![Page 10: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/10.jpg)
The Two Parts of DNSSEC
04/13/2023
![Page 11: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/11.jpg)
The Two Parts of DNSSEC
Signing: Registries, Registrars, DNS Hosting
Validating: ISPs, Enterprises, Applications
![Page 12: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/12.jpg)
DNSSEC Signing - The Individual Steps
Registry
• Signs TLD
• Accepts DS records
• Publishes/signs records
Registrar
• Accepts DS records
• Sends DS to registry
• Provides UI for mgmt
DNS Hosting Provider
• Signs zones
• Publishes all records
• Provides UI for mgmt
Domain Name Registrant
• Enables DNSSEC (unless automatic)
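As an added example (not from the slides), the DS link that ties these signing steps to the validation shown in the "A DNSSEC Interaction" and "Attempting to Spoof DNS" slides: the registrar sends the registry a DS record derived from the child zone's DNSKEY, and a validating resolver recomputes that digest to confirm the DNSKEY it received is the one the parent vouches for. Key bytes and the rogue key below are constructed; RRSIG signature verification needs an RSA/ECDSA library and is left out.

```python
import hashlib
import struct
# Added example, not from the slides: how the DS record a registrar sends up to the
# registry is derived from the child zone's DNSKEY (RFC 4034 section 5.1.4 and
# Appendix B), and the parent-to-child check a validating resolver makes with it.
# RRSIG signature checking needs an RSA/ECDSA library and is not shown.

def wire_name(name):
    """Owner name in canonical DNS wire format: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields: (key tag, algorithm, digest type, digest(owner || DNSKEY RDATA))."""
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(ds, owner, rdata):
    """Resolver-side check: rebuild the DS from the DNSKEY actually received and
    compare every field; any mismatch breaks the chain of trust (SERVFAIL)."""
    return make_ds(owner, rdata, ds[2]) == ds

# Constructed sample: a KSK for example.com with a 4-byte placeholder key (real keys
# are far longer); ROGUE_KSK stands for the attacking server's key from the spoofing slide.
EXAMPLE_KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
EXAMPLE_DS = make_ds("example.com", EXAMPLE_KSK)
ROGUE_KSK = dnskey_rdata(257, 3, 8, bytes([9, 9, 9, 9]))

if __name__ == "__main__":
    print("key tag", EXAMPLE_DS[0], "digest", EXAMPLE_DS[3].hex())
    print("legitimate KSK matches DS:", ds_matches(EXAMPLE_DS, "example.com", EXAMPLE_KSK))
    print("rogue KSK matches DS:", ds_matches(EXAMPLE_DS, "example.com", ROGUE_KSK))
```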
![Page 13: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/13.jpg)
DNSSEC Signing - The Players
Registries
Registrars
DNS Hosting Providers
Domain Name Registrants
Registrar also provides DNS hosting services
![Page 14: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/14.jpg)
DNSSEC Signing - The Players
Registries
Registrars
DNS Hosting Providers
Domain Name Registrants
Registrant hosts own DNS
![Page 15: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/15.jpg)
DNSSEC Deployment Metrics
![Page 16: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/16.jpg)
DNSSEC Deployment Maps
• DNSSEC deployment maps:
  – http://www.internetsociety.org/deploy360/dnssec/maps/
• Mailing list to receive weekly maps:
  – https://elists.isoc.org/mailman/listinfo/dnssec-maps
![Page 17: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/17.jpg)
DNSSEC Deployment Maps
![Page 18: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/18.jpg)
Signed TLDs (both ccTLDs and gTLDs)
https://rick.eng.br/dnssecstat/
![Page 19: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/19.jpg)
DNSSEC Validation – Worldwide Trend
http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g=0
![Page 20: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/20.jpg)
DNSSEC Deployment – Second-level domains
Links from http://www.internetsociety.org/deploy360/dnssec/statistics/
![Page 21: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/21.jpg)
A Quick Overview of DANE
![Page 22: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/22.jpg)
The Typical TLS (SSL) Web Interaction
[Diagram: the Web Browser asks the DNS Resolver "example.com?"; the resolver walks DNS Svr root, DNS Svr .com and DNS Svr example.com and returns 10.1.1.123; the browser then connects to https://example.com/ on the Web Server and receives a TLS-encrypted web page. Steps are numbered 1 to 6 on the slide.]
![Page 23: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/23.jpg)
The Typical TLS (SSL) Web Interaction
[Diagram: the same TLS flow (DNS Resolver, DNS Svr root, DNS Svr .com, DNS Svr example.com, 10.1.1.123, TLS-encrypted web page from the Web Server), with one question added at the browser:]
Is this encrypted with the CORRECT certificate?
![Page 24: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/24.jpg)
Problems?
[Diagram: the Web Browser resolves www.example.com to 1.2.3.4 via the DNS Server (steps 1 and 2) and requests https://www.example.com/; the Web Server answers with a TLS-encrypted web page with the CORRECT certificate, but a Firewall in the path terminates the session and delivers the page to the browser as a TLS-encrypted web page with a NEW certificate (re-signed by the firewall).]
![Page 25: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/25.jpg)
DANE
[Diagram: the Web Browser w/DANE asks the DNS Server "example.com?" and receives 10.1.1.123 together with DNSKEY, RRSIGs and a TLSA record (steps 1 and 2). The Web Server sends the TLS-encrypted web page with the CORRECT certificate; a Firewall (or attacker) in the path re-signs it with a NEW certificate, with an arrow from the firewall to "Log files or other servers". Caption: the DANE-equipped browser compares the TLS certificate with what DNS / DNSSEC says it should be.]
![Page 26: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/26.jpg)
DNS-Based Authentication of Named Entities (DANE)
• Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
• A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC.
An application that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
The certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate.
![Page 27: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/27.jpg)
DANE – Different operation modes ("certificate usage" field)
• 0 – CA specification
  – The TLSA record specifies the Certificate Authority (CA) who will provide TLS certificates for the domain. Must be a valid CA included in browser/app.
• 1 – Specific TLS certificate
  – The TLSA record specifies the exact TLS certificate that should be used for the domain. Note that this TLS certificate must be one that is issued by a valid CA.
• 2 – Trust anchor assertion
  – The TLSA record specifies the "trust anchor" to be used for validating the TLS certificates for the domain. Allows for the use of a CA not included in application.
• 3 – Domain-issued certificate
  – The TLSA record specifies the exact TLS certificate that should be used for the domain, BUT, in contrast to usage #1, the TLS certificate does not need to be signed by a valid CA. This allows for the use of self-signed certificates.
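As an added example (not from the slides), the comparison a DANE-equipped client makes for usages 1 and 3 above: it takes either the whole certificate (selector 0) or its SubjectPublicKeyInfo (selector 1), optionally hashes it (matching type 1 = SHA-256, 2 = SHA-512), and compares the result with the TLSA record's association data. The certificates are constructed DER skeletons in X.509 field order, enough to locate the SPKI but not real signed certificates; the re-signed one plays the firewall from the earlier diagram.

```python
import hashlib
import struct
# Added example, not from the slides: the TLSA (RFC 6698) check a DANE-aware client makes
# for certificate usages 1 and 3 (for 0 and 2 the same comparison applies to the issuing
# CA certificate in the presented chain). Certificates here are constructed DER skeletons.

def der(tag, body):  # minimal DER TLV encoder (short and two-byte long-form lengths)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + struct.pack("!H", len(body)) + body

def der_children(tlv):
    """Top-level TLV elements inside one DER SEQUENCE."""
    hdr = 2 + (tlv[1] & 0x7F if tlv[1] & 0x80 else 0)
    body, items, i = tlv[hdr:], [], 0
    while i < len(body):
        n = body[i + 1] & 0x7F if body[i + 1] & 0x80 else 0
        size = 2 + n + (int.from_bytes(body[i + 2:i + 2 + n], "big") if n else body[i + 1])
        items.append(body[i:i + size])
        i += size
    return items

def spki_of(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    tbs = der_children(der_children(cert_der)[0])
    fields = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version
    return fields[5]  # serial, signatureAlg, issuer, validity, subject, SPKI

def fake_cert(pubkey_bits):  # constructed stand-in: right field order, empty names, dummy signature
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

def tlsa_rdata(usage, selector, mtype, cert_der):
    """Association data the domain holder publishes: selector 0 = whole cert,
    1 = SPKI; matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype:
        data = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).digest()
    return (usage, selector, mtype, data)

def tlsa_matches(record, cert_der):
    """Client-side check: recompute from the presented certificate and compare."""
    return tlsa_rdata(record[0], record[1], record[2], cert_der) == record

# Constructed sample: the site's key, the key a re-signing firewall (or attacker) presents instead, and the published "3 1 1" record (DANE-EE, SPKI, SHA-256).
SERVER_CERT = fake_cert(b"\x04" + bytes(range(64)))
RESIGNED_CERT = fake_cert(b"\x04" + bytes(range(64, 128)))
PUBLISHED_TLSA = tlsa_rdata(3, 1, 1, SERVER_CERT)
```

With the published record in hand, `tlsa_matches(PUBLISHED_TLSA, SERVER_CERT)` is True and `tlsa_matches(PUBLISHED_TLSA, RESIGNED_CERT)` is False, which is the detection the DANE slide describes.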
![Page 28: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/28.jpg)
DANE – Not Just For The Web
• DANE defines a protocol for storing TLS certificates in DNS
• Securing Web transactions is an obvious use case
• Other uses also possible:
  – Email
  – VoIP
  – Jabber/XMPP
  – PGP
  – ?
![Page 29: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/29.jpg)
DANE Success Stories
SMTP
360+ SMTP servers with TLSA records
http://www.tlsa.info/
XMPP (Jabber)
229 servers
client-to-server & server-to-server
https://xmpp.net/reports.php#dnssecdane
Advertisements!
![Page 30: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/30.jpg)
Why Deploy DNSSEC and DANE?
![Page 31: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/31.jpg)
Business Reasons For Deploying DNSSEC
• TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers.
• SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking.
• INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates
• CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet
![Page 32: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/32.jpg)
Resources
![Page 33: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/33.jpg)
DANE Resources
DANE Overview and Resources:
• http://www.internetsociety.org/deploy360/resources/dane/
IETF Journal article explaining DANE:
• http://bit.ly/dane-dnssec
RFC 6394 - DANE Use Cases:
• http://tools.ietf.org/html/rfc6394
RFC 6698 – DANE Protocol:
• http://tools.ietf.org/html/rfc6698
![Page 34: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/34.jpg)
DANE Resources
DANE and email:
• https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane
• http://tools.ietf.org/html/draft-ietf-dane-smime
DANE Operational Guidance:
• https://tools.ietf.org/html/draft-ietf-dane-ops
DANE and SIP (VoIP):
• http://tools.ietf.org/html/draft-johansson-dispatch-dane-sip
• https://tools.ietf.org/html/draft-ietf-dane-srv
Other uses:
• https://tools.ietf.org/html/draft-ietf-dane-openpgpkey
• https://tools.ietf.org/html/draft-ietf-dane-rawkeys
![Page 35: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/35.jpg)
Start Here Page
http://www.internetsociety.org/deploy360/start/
Easy method of finding resources for specific audiences, including:
• Network operators
• Content providers (ex. web site owners)
• Developers
• Governments
• Consumer electronics vendors
• Enterprises and campus networks
• Registrars
• Internet exchange points (IXPs)
![Page 36: ION Tokyo: The Business Case for DNSSEC and DANE, Dan York](https://reader035.vdocument.in/reader035/viewer/2022062411/558e67e21a28ab7c218b4769/html5/thumbnails/36.jpg)
Social Media Channels
https://twitter.com/deploy360
https://www.facebook.com/Deploy360
http://gplus.to/deploy360
http://www.youtube.com/user/Deploy360
http://www.internetsociety.org/deploy360/feed/
http://soundcloud.com/deploy360/