Page 1: ICANN & Internet Security (DNS) Security (slides.lacnic.net/.../IWG_Day_3_ICANN_and_Internet...)

ICANN & Internet Security (DNS) Security

11th October 2017, Internet Week Guyana

Albert Daniels, [email protected]

Page 2:

What Does ICANN Mean for the End User?

The Domain Name System allows you to easily navigate the Internet. ICANN monitors for compliance with contracts, including review of complaints.

Generic Top-Level Domains provide choice in the domain name space.

Country Code Top-Level Domains allow countries and territories to run their own part of the name space.

Protocol Parameters allow computers to talk to each other.

Internet Protocol Addresses are the numbers that identify devices.

Root Zone Management keeps the DNS running smoothly.

Policy Development is an inclusive, open and transparent process for the Community to create effective rules for the Internet.

L-Root is one of the root servers that helps keep the DNS stable around the globe.

Supporting and Growing the Community ensures diverse participants contribute to bottom-up, multistakeholder, consensus-driven policy.

(The slide groups these items under two headings: POLICY and IANA functions.)

Page 3:

How Internet Protocol (IP) Addresses are Distributed

IANA functions -> Regional Internet Registries -> Internet Service Providers -> Homes and Businesses

IANA functions distribute IP address blocks to the Regional Internet Registries.

Regional Internet Registries distribute IP addresses to the ISP providers in your region.

Internet Service Providers distribute IP addresses by providing connectivity to homes and businesses.

End users connect their personal and professional devices to the Internet.

Page 4:

The Digital Universe is Growing Exponentially

“According to IDC, the digital universe is doubling in size every two years, and by 2020, the digital universe – the data we create and copy annually – will reach 44 zettabytes, or 44 trillion gigabytes.”

Source: http://www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm

4.4 ZB (2013) -> 44 ZB (2020)

If the Digital Universe were represented by the memory in a stack of tablets, in 2013 it would have stretched two-thirds of the way to the Moon*. By 2020 there would be 6.6 stacks from the Earth to the Moon*.

* iPad Air: 0.29” thick, 128 GB

Page 5:

Why is the Internet Important to my Business?

Businesses of any size, in any sector, depend on a global, interoperable Internet.

Grows business (75% of Internet benefits): Most of the economic value the Internet creates falls outside of the technology sector: companies in more traditional industries capture 75 percent of the benefits. Source: McKinsey, 2011

Reaches billions (Internet penetration 51%): By 2019, there will be about 3.9 billion Internet users, or 51 percent of the world's projected population of 7.6 billion. Source: Cisco, 2015

Expands trade (30% of global GDP): Today world trade represents about 30% of global GDP, up from 20% in the early days of the Internet. Source: BCG, 2014

Page 6:

The Internet in 60 Seconds…

According to CIO Media and The Independent, every minute:

350,000 Tweets tweeted
31.5M Facebook messages posted
300 hours of video uploaded to YouTube
70 Domains registered
48,611 Instagram pictures posted

Page 7:

Unique Names and Numbers

Anything connected to the Internet – including computers, mobile phones and other devices – has a unique number called its IP address. IP stands for Internet Protocol.

This address is like a postal address. It allows messages, videos and other packets of data to be sent from anywhere on the Internet to the device that has been uniquely identified by its IP address.

IP addresses can be dif­ficult to remember, so instead of numbers, the Internet’s domain name system uses letters, numbers and hyphens to form a name that is easier to remember.

Page 8:

DNSSEC

Page 9:

What is DNSSEC?

~ DNSSEC = “DNS Security Extensions”

~ DNSSEC is a set of extensions to the DNS protocol that is currently being deployed to secure the Domain Name System (DNS)

~ DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names

~ Result of over a decade of community-based, open standards development

Page 10:

DNS Basics

• DNS converts names (www.republicguyana.com) to numbers (64.49.225.191)
• ..to identify services such as www and e-mail
• ..that identify and link customers to business and vice versa

Page 11:

DNS is a part of all IT ecosystems

(The slide shows examples that all hang off a domain name: e-mail (lamb@xtcn.com), VoIP (+1-202-709-5262), the web (mydomainname.com), the US-NSTIC effort, the Smart Electrical Grid, and the OECS ID effort.)

Page 12:

Where DNSSEC fits in

• DNS answers carry no proof of who produced them, and CPU and bandwidth advances make forging them (cache poisoning, man-in-the-middle) practical against legacy DNS

• DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents

• With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and vice versa), provided the customer’s resolver actually validates; DNSSEC protects the integrity and origin of DNS data, not its confidentiality

Page 13:

The Bad: DNSChanger - ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M

Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/

End-to-end DNSSEC validation (validation on the end host, rather than trusting whatever resolver the malware pointed the machine at) would have avoided the problems for signed domains

Page 14:

The Internet’s Phone Book - Domain Name System (DNS)

(The slide shows the normal lookup, with the ISP on one side and Majorbank, the registrant, on the other.)

1. The customer’s computer asks the ISP’s DNS resolver: www.majorbank.gy = ?
2. The resolver walks the DNS hierarchy: root -> gy -> majorbank.gy -> www.majorbank.gy
3. Majorbank’s DNS server answers: www.majorbank.gy = 1.2.3.4
4. The customer fetches the page from the web server (www @ 1.2.3.4) and gets the login page
5. The customer sends username / password and receives account data

Page 15:

Caching Responses for Efficiency

The resolver caches www.majorbank.gy = 1.2.3.4, so later customers asking www.majorbank.gy = ? are answered from the cache without a new walk of the hierarchy; the rest of the flow (web server at 1.2.3.4, login page, username / password, account data) is as before.

Page 16:

The Problem: DNS Cache Poisoning Attack

1. The customer asks the resolver: www.majorbank.gy = ?
2. Before the real answer (www.majorbank.gy = 1.2.3.4) arrives from Majorbank’s DNS server, the attacker injects a forged response: www.majorbank.gy = 5.6.7.8
3. The resolver accepts it, and the customer fetches the page from the attacker’s web server (www @ 5.6.7.8), which serves a look-alike login page
4. The customer sends username / password, gets back “Error”, and the credentials land in the attacker’s password database

Page 17:

Caching Responses for Efficiency: now all ISP customers get sent to the attacker

The forged record www.majorbank.gy = 5.6.7.8 now sits in the resolver’s cache, so every customer of the ISP who asks www.majorbank.gy = ? is sent to the attacker’s web server at 5.6.7.8, enters username / password, sees “Error”, and feeds the attacker’s password database, until the record expires or is flushed.

Page 18:

Securing The Phone Book – DNSSEC

1. The customer asks the DNS resolver with DNSSEC: www.majorbank.gy = ?
2. The attacker injects www.majorbank.gy = 5.6.7.8; the attacker’s record does not validate, so the resolver drops it
3. Majorbank’s DNS server with DNSSEC answers www.majorbank.gy = 1.2.3.4 with a valid signature
4. The customer fetches the page from the real web server (www @ 1.2.3.4), gets the login page, sends username / password and receives account data

Page 19:

Resolver only caches validated records

Only the validated answer www.majorbank.gy = 1.2.3.4 is cached, so later customers are sent to the real web server at 1.2.3.4 (login page, username / password, account data).
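Pages 14 to 19 describe what a validating resolver does with a forged answer. The Go program below is an added example written for this page, not ICANN's or the presenter's code. It models the root -> gy -> majorbank.gy hierarchy with the KSK/ZSK split, a DS record in each parent, and a resolver whose only configured trust is the root KSK. The attacker's answer (www.majorbank.gy = 5.6.7.8) carries a signature, but under a key that no DNSKEY RRset in the chain lists, so it is dropped and never cached; the genuine answer validates all the way up to the trust anchor and is cached. Everything is a simplification, marked in the comments: records are strings rather than wire format, Ed25519 (a real DNSSEC algorithm, RFC 8080) stands in for the RSA keys the root uses, key tags, TTLs, NSEC and RRSIG validity windows are omitted, and the shared map stands in for the queries a real resolver would send.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is a toy record set (owner, type, RDATA), not DNS wire format.
type RRset struct {
	Name, Type string
	Data       []string
}

func (r RRset) key() string { return r.Name + "/" + r.Type }

// canonical is what an RRSIG covers: RDATA in sorted order (RFC 4034 s.6).
func (r RRset) canonical() []byte {
	d := append([]string(nil), r.Data...)
	sort.Strings(d)
	return []byte(r.key() + " " + strings.Join(d, ";"))
}

// Signed is an RRset with its RRSIG. As in DNSSEC the signature carries no
// key: the validator must find one in the zone's DNSKEY RRset and tie that
// RRset to the trust anchor through DS records.
type Signed struct {
	RRset
	Sig []byte
}

func pubHex(k ed25519.PrivateKey) string { return hex.EncodeToString(k.Public().(ed25519.PublicKey)) }
func sign(r RRset, k ed25519.PrivateKey) Signed { return Signed{r, ed25519.Sign(k, r.canonical())} }
func dsHash(keyHex string) string { h := sha256.Sum256([]byte(keyHex)); return hex.EncodeToString(h[:]) }

// signedBy returns the first key in keys (hex) whose signature verifies over s.
func signedBy(keys []string, s Signed) (string, bool) {
	for _, k := range keys {
		if pk, err := hex.DecodeString(k); err == nil && len(pk) == ed25519.PublicKeySize &&
			ed25519.Verify(pk, s.canonical(), s.Sig) {
			return k, true
		}
	}
	return "", false
}

// contains reports whether s is one of list (entries are hex, so a space-delimited join is safe).
func contains(list []string, s string) bool {
	return strings.Contains(" "+strings.Join(list, " ")+" ", " "+s+" ")
}

// Zone uses the KSK/ZSK split the slides describe: the KSK signs only the
// DNSKEY RRset, the ZSK signs everything else. net holds all published RRsets
// keyed "name/type" and stands in for the queries a resolver would send.
type Zone struct {
	Name     string
	KSK, ZSK ed25519.PrivateKey
	net      map[string]Signed
}

func newZone(name string, net map[string]Signed) *Zone {
	_, ksk, _ := ed25519.GenerateKey(rand.Reader)
	_, zsk, _ := ed25519.GenerateKey(rand.Reader)
	net[name+"/DNSKEY"] = sign(RRset{name, "DNSKEY", []string{pubHex(ksk), pubHex(zsk)}}, ksk)
	return &Zone{name, ksk, zsk, net}
}
func (z *Zone) Publish(r RRset) { z.net[r.key()] = sign(r, z.ZSK) }

// Delegate publishes the child's DS (hash of its KSK), the record a registrar submits to the TLD.
func (z *Zone) Delegate(c *Zone) { z.Publish(RRset{c.Name, "DS", []string{dsHash(pubHex(c.KSK))}}) }

// Resolver validates against one trust anchor (the root KSK, hex) and caches validated data only.
type Resolver struct {
	Anchor string
	Net    map[string]Signed
	Cache  map[string]RRset
}

// validate walks the chain of trust upward from an RRset claimed to belong
// to zone: RRSIG -> zone DNSKEY -> parent DS -> ... -> trust anchor.
func (r *Resolver) validate(zone string, s Signed) error {
	dnskey := r.Net[zone+"/DNSKEY"] // zero value (no keys) if the zone is unknown
	if _, ok := signedBy(dnskey.Data, s); !ok {
		return fmt.Errorf("%s: RRSIG does not verify under any %s DNSKEY", s.key(), zone)
	}
	ksk, ok := signedBy(dnskey.Data, dnskey)
	if !ok {
		return fmt.Errorf("%s DNSKEY RRset is not signed by a key it lists", zone)
	}
	if zone == "." { // top of the chain: the signing root KSK must be the configured anchor
		if ksk != r.Anchor {
			return fmt.Errorf("root KSK does not match the configured trust anchor")
		}
		return nil
	}
	parent := "."
	if i := strings.Index(zone, "."); i >= 0 {
		parent = zone[i+1:]
	}
	ds := r.Net[zone+"/DS"]
	if !contains(ds.Data, dsHash(ksk)) {
		return fmt.Errorf("%s KSK does not match a DS record in %s", zone, parent)
	}
	return r.validate(parent, ds) // the DS itself must validate in the parent zone
}

// Accept caches a response to a pending query only if it validates.
func (r *Resolver) Accept(zone string, s Signed) error {
	if err := r.validate(zone, s); err != nil {
		return err
	}
	r.Cache[s.key()] = s.RRset
	return nil
}

// Scenario builds the slides' hierarchy (root -> gy -> majorbank.gy) and feeds
// the resolver two responses racing to answer "www.majorbank.gy = ?": the
// attacker's first, then the genuine one. Names and addresses are the slides'.
func Scenario() (forged, genuine error, cached []string) {
	net := map[string]Signed{}
	root, gy, bank := newZone(".", net), newZone("gy", net), newZone("majorbank.gy", net)
	root.Delegate(gy)
	gy.Delegate(bank)
	bank.Publish(RRset{"www.majorbank.gy", "A", []string{"1.2.3.4"}})
	res := &Resolver{pubHex(root.KSK), net, map[string]RRset{}}

	_, atk, _ := ed25519.GenerateKey(rand.Reader) // the attacker can only sign with a key of their own
	forged = res.Accept("majorbank.gy", sign(RRset{"www.majorbank.gy", "A", []string{"5.6.7.8"}}, atk))
	genuine = res.Accept("majorbank.gy", net["www.majorbank.gy/A"])
	return forged, genuine, res.Cache["www.majorbank.gy/A"].Data
}

func main() {
	forged, genuine, cached := Scenario()
	fmt.Printf("forged: %v\ngenuine: %v\ncached: %v\n", forged, genuine, cached)
}
```

Run it with go run. The printed forged error is the “attacker’s record does not validate – drop it” step on page 18, and the cache ends up holding only 1.2.3.4, which is page 19. Setting Anchor to any other key makes even the genuine answer fail at the root step, which is the failure mode the KSK rollover slides later in this deck warn about.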

Page 20:

The Business Case for DNSSEC

• Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.

• DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).

• DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.

Page 21:

DNSSEC: So what’s the problem?

• Not enough IT departments know about it or are too busy putting out other security fires.

• When they do look into it they hear old stories of FUD and lack of turnkey solutions and CDN support.

• Registrars*/CDNs/DNS providers see no demand leading to “chicken-and-egg” problems.

*but required by new ICANN registrar agreement

Page 22:

Who Can Implement DNSSEC

• Enterprises – Sign their zones and validate lookups
• TLD Operators – Sign the TLD
• Domain Name holders – Sign their zones
• Internet Service Providers – validate DNS lookups
• Hosting Providers – offer signing services to customers
• Registrars – accept DNSSEC records (e.g., DS)

Page 23:

KSK Roll Over

Page 24:

KSK Rollover: An Overview

ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover

~ The Root Zone DNSSEC Key Signing Key “KSK” is the top-most cryptographic key in the DNSSEC hierarchy

~ The KSK is a cryptographic public-private key pair:
  o Public part: trusted starting point for DNSSEC validation (the trust anchor configured in every validating resolver)
  o Private part: signs the root zone’s DNSKEY RRset, which carries the Zone Signing Key (ZSK)

~ This builds a “chain of trust” of successive keys and signatures (KSK -> ZSK -> DATA) to validate the authenticity of any DNSSEC-signed data

Page 25:

Why is ICANN Rolling the KSK?

~ Because it’s not good for a cryptographic key to live forever. The cryptographic keys used in DNSSEC-signing DNS data should be changed periodically
  o Ensures the infrastructure can support a key change in case of emergency

~ This type of change has never before occurred at the root level
  o There has been one functional, operational Root Zone DNSSEC KSK since 2010

~ Because it’s better to make proactive changes during normal operations when things are running smoothly, rather than be reactive in an emergency. The KSK rollover must be widely and carefully coordinated to ensure that it does not interfere with normal operations

Page 26:

When Does the Rollover Take Place?

~ The changing or “rolling” of the KSK was originally scheduled to occur on 11 October 2017, but it is being delayed because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover.

~ There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured, and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored.

~ ICANN is tentatively hoping to reschedule the Key Rollover for the first quarter of 2018 and is encouraging ISPs and Network operators to use this additional time period to be certain that their systems are ready for the Key Rollover.

Page 27:

Who Will Be Impacted?

DNS Software Developers & Distributors
System Integrators
Network Operators
Root Server Operators
Internet Service Providers
End Users (if no action is taken by resolver operators)

Page 28:

Why You Need to Prepare

If you have enabled DNSSEC validation, you must update your systems with the new KSK to help ensure trouble-free Internet access for users

~ Currently, 25 percent of global Internet users, or 750 million people, use DNSSEC-validating resolvers that could be affected by the KSK rollover

~ If these validating resolvers do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet

Page 29:

What Do Operators Need to Do?

Be aware whether DNSSEC validation is enabled in your servers

Be aware of how trust is evaluated in your operations (a static trust-anchor file, or automatic trust-anchor updates per RFC 5011)

Test/verify your setups

Inspect configuration files: are they (also) up to date?

If DNSSEC validation is enabled or planned in your system
  o Have a plan for participating in the KSK rollover
  o Know the dates, know the symptoms, know the solutions
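Pages 24 to 29 explain why a validating resolver that still trusts only the old KSK will fail once the root is signed with the new one. The Go program below is an added example written for this page, not ICANN's code and not the KSK test bed. It replays the three stages of the roll (old KSK only; new KSK published alongside it while the old KSK still signs; new KSK signing) against two resolvers that both start with the old KSK as their only trust anchor. One follows RFC 5011 automated trust-anchor updates, the other has a static anchor file nobody touched. Simplifications are marked in the code: Ed25519 instead of the root's RSA keys, the ZSK and the rest of the root zone left out, and the 30-day RFC 5011 hold-down and REVOKE handling omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RootKeys is the root DNSKEY RRset reduced to what a KSK rollover touches:
// the KSK public keys it lists (hex) and one RRSIG per KSK currently signing
// it. The ZSK is left out; it does not change hands during a KSK roll.
type RootKeys struct {
	Keys []string
	Sigs map[string][]byte // signing key (hex) -> signature over canonical()
}

func (d RootKeys) canonical() []byte {
	k := append([]string(nil), d.Keys...)
	sort.Strings(k)
	return []byte(". DNSKEY " + strings.Join(k, ";"))
}

func keyHex(k ed25519.PrivateKey) string { return hex.EncodeToString(k.Public().(ed25519.PublicKey)) }

// publish builds the RRset listing keys, signed by each key in signers.
func publish(keys, signers []ed25519.PrivateKey) RootKeys {
	d := RootKeys{Sigs: map[string][]byte{}}
	for _, k := range keys {
		d.Keys = append(d.Keys, keyHex(k))
	}
	for _, s := range signers {
		d.Sigs[keyHex(s)] = ed25519.Sign(s, d.canonical())
	}
	return d
}

// Validator holds a resolver's trust anchors. AutoUpdate models RFC 5011
// (automated updates of DNSSEC trust anchors); without it the anchor file
// has to be updated by hand before the roll.
type Validator struct {
	Anchors    map[string]bool
	AutoUpdate bool
}

// Check succeeds when the root DNSKEY RRset carries a good signature from a
// key the resolver already trusts. Every signed name below the root depends
// on this check, so failure here means SERVFAIL for all of them.
func (v *Validator) Check(d RootKeys) error {
	for k := range v.Anchors {
		sig, signed := d.Sigs[k]
		pk, err := hex.DecodeString(k)
		if !signed || err != nil || len(pk) != ed25519.PublicKeySize || !ed25519.Verify(pk, d.canonical(), sig) {
			continue
		}
		if v.AutoUpdate { // RFC 5011: new keys in a validated RRset become anchors
			for _, nk := range d.Keys { // (the real 30-day hold-down and REVOKE handling are omitted)
				v.Anchors[nk] = true
			}
		}
		return nil
	}
	return fmt.Errorf("root DNSKEY RRset is not signed by any configured trust anchor")
}

// Rollover replays the three stages of the root KSK roll against two
// validators that both start out trusting only the old KSK: one with
// automatic updates, one with a static anchor nobody touched. It returns
// each validator's result per stage. Keys are generated fresh each run.
func Rollover() (auto, static []error) {
	_, oldKSK, _ := ed25519.GenerateKey(rand.Reader)
	_, newKSK, _ := ed25519.GenerateKey(rand.Reader)
	stages := []RootKeys{
		publish([]ed25519.PrivateKey{oldKSK}, []ed25519.PrivateKey{oldKSK}),         // before: old KSK only
		publish([]ed25519.PrivateKey{oldKSK, newKSK}, []ed25519.PrivateKey{oldKSK}), // pre-publication: new KSK listed, old KSK still signs
		publish([]ed25519.PrivateKey{oldKSK, newKSK}, []ed25519.PrivateKey{newKSK}), // the roll: new KSK signs
	}
	a := &Validator{Anchors: map[string]bool{keyHex(oldKSK): true}, AutoUpdate: true}
	s := &Validator{Anchors: map[string]bool{keyHex(oldKSK): true}}
	for _, st := range stages {
		auto = append(auto, a.Check(st))
		static = append(static, s.Check(st))
	}
	return auto, static
}

func main() {
	auto, static := Rollover()
	for i, stage := range []string{"before roll", "pre-publication", "after roll"} {
		fmt.Printf("%-16s auto-update: %v | static anchor: %v\n", stage, auto[i], static[i])
	}
}
```

The static resolver's error at the third stage is the “unable to access the Internet” outcome on page 28: once the root DNSKEY RRset cannot be verified, nothing beneath it validates. On a real resolver the equivalent checks are whether it runs with RFC 5011 automatic updates enabled and whether its trust-anchor file already lists the new KSK, which is what the test bed on the next page lets operators confirm.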

Page 30:

Check to See If Your Systems Are Ready

ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly.

Check to make sure your systems are ready by visiting:

go.icann.org/KSKtest

Page 31:

For More Information

1. Visit https://icann.org/kskroll

2. Join the conversation online
  o Use the hashtag #KeyRoll
  o Sign up to the mailing list: https://mm.icann.org/listinfo/ksk-rollover

3. Ask a question to [email protected], subject line: “KSK Rollover”

4. Attend an event
  o Visit https://features.icann.org/calendar to find upcoming KSK rollover presentations in your region

Page 32:

ICANN & Internet Security (DNS) Security

11th October 2017, Internet Week Guyana

Albert Daniels, [email protected]