Transcript
Page 1: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Why DNSSEC?

James Galvin, Ph.D.
Afilias Limited

9 September 2014
ION Belfast

© 2014 Afilias Limited

Page 2: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Afilias and DNSSEC

• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
  – Second largest registry service provider
  – Have one of the largest DNS infrastructures
• Started with DNSSEC in 2008
  – Signed ORG in June 2009
  – Found bug in DNSSEC extension to EPP
  – ORG offered signed delegations in June 2010
  – Signed all TLDs and offered signed delegations soon after
  – Root signed in July 2010


Page 3: ION Belfast - Why Implement DNSSEC? - Jim Galvin

• DNSSEC Basics
• Benefits of DNSSEC
• Internet Future


Page 4: ION Belfast - Why Implement DNSSEC? - Jim Galvin

DNSSEC - BASICS


Page 5: ION Belfast - Why Implement DNSSEC? - Jim Galvin

What is DNSSEC?

• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
• This is most often used to bind an IP address to a domain name, e.g., to find a web site.
• The validation of the assertion is possible independent of its source.
• Features
  – Critical Infrastructure: everything uses the DNS
  – Hierarchical: delegate and distribute responsibility
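The hierarchical delegation on this slide is carried by DS records: the parent zone signs a digest of the child's key-signing DNSKEY, so a validator can check the child's key regardless of which server supplied it. The following is an added example, not part of the original slides; the zone name and the 4-octet "public keys" are constructed sample data.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# DS digest types accepted here: 2 = SHA-256, 4 = SHA-384. SHA-1 (type 1) is refused.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """What the child hands to the parent: (key tag, algorithm, digest type, digest)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner: str, ds: tuple, rdata: bytes) -> bool:
    """True if the parent's DS record vouches for this DNSKEY of the child zone."""
    tag, algorithm, digest_type, digest_hex = ds
    if digest_type not in DIGESTS or len(rdata) < 4:
        return False
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    calc = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))

# Constructed sample data: made-up 4-octet "public keys", not real ones.
CHILD = "example.org."
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")      # flags 257 = key-signing key
FORGED = dnskey_rdata(257, 3, 8, b"\x03\x02\x01\x04")   # same key tag, different key
PARENT_DS = make_ds(CHILD, KSK)
```

The forged key shares the key tag of the real one, which shows that the tag is only a lookup hint; the digest comparison is what rejects it.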


Page 6: ION Belfast - Why Implement DNSSEC? - Jim Galvin

DNS with DNSSEC

[Diagram labels: Local application/service client; DNSSEC-aware application/service; Stub Resolver; Iterative Resolver; Local cache (shown twice); ROOT SERVERS; TLD Authoritative NS; SLD Authoritative NS; numbered steps 1, 2, 3; "DNSSEC" marked at three points]


Page 7: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Who are the Players?

• Domain registration system
  – Registries: operate the TLDs
  – (Registrars): middleman between registry and registrant
  – Registrant: own, manage, and deploy domain names
• Domain name system
  – Root system
  – Registries
  – DNS Operators (authoritative)
• Community
  – ISPs
  – Users (maybe not)


Page 8: ION Belfast - Why Implement DNSSEC? - Jim Galvin

BENEFITS OF DNSSEC


Page 9: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Why DNSSEC?

• DNSSEC protects the DNS system from cache poisoning attacks, viz the “Kaminsky Bug”
• DNS is a critical infrastructure system. Virtually everything depends on it.
• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.


Page 10: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Without DNSSEC…

When you visit a web site can you be sure you are communicating with the server that you think you are?


Page 11: ION Belfast - Why Implement DNSSEC? - Jim Galvin

TLS/SSL and DNSSEC benefits

DNSSEC protects… Users from DNS data tampered by or originating from malicious actors

[Diagram labels: DNS Data; Signed; Encryption; Authentication; Integrity; Guaranteed not tampered; DNSSEC; TLS; Data; TLS/SSL Channel]


Page 12: ION Belfast - Why Implement DNSSEC? - Jim Galvin

INTERNET FUTURE


Page 13: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Building Trusted Domains

• A domain name is just a label. Most commonly used to identify hosts and services.
  – Web sites
  – Application servers
• DNSSEC ensures we have the correct service/address
• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
• Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service


Page 14: ION Belfast - Why Implement DNSSEC? - Jim Galvin

DNSSEC Challenges

• Security increases the baseline expertise required
• Key management becomes mainstream
  – Key rollover timings are subtle
• DNS operators are visibly essential
  – DNS Operator and registrar/registry relationship
  – Transfers are a process
    • Key rollover is required
    • Losing and gaining operator must overlap services


Page 15: ION Belfast - Why Implement DNSSEC? - Jim Galvin

The demand for DNSSEC?

• A mix of pioneers, early adopters and legislated compliance
• In the early stages for registrant/user, application, and service awareness

[Diagram: Barriers and Incentives; labels: New hw & sw solutions; Signing TLDs; Costs; Complexity]


Page 16: ION Belfast - Why Implement DNSSEC? - Jim Galvin

What’s Next?

• Centralize the complexity
  – Registrars
  – DNS operators
  – Application service providers
• Keep it simple for the registrant/user
  – Should be invisible
• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we can not yet imagine.

©  2014  Afilias  Limited   16  

Page 17: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Pervasive Monitoring

• IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance
  – http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html
  – http://tools.ietf.org/html/rfc7258
  – DNS-based Authentication of Named Entities (DANE)
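DANE is the mechanism that ties the TLS certificate to DNSSEC-signed data, as the "Building Trusted Domains" slide describes: the zone publishes a TLSA record and the client compares it with the certificate the server presents. The following is an added example, not part of the original slides; the certificate and key bytes are constructed stand-ins, and only the end-entity usages (1 and 3) are handled.

```python
import hashlib
import hmac

def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name at which the TLSA records for a service are published."""
    return f"_{port}._{proto}.{host.rstrip('.').lower()}."

def parse_tlsa(text: str) -> tuple:
    """Parse 'usage selector matching-type hex' into ints and raw bytes."""
    usage, selector, mtype, data = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))

def tlsa_matches(rr: tuple, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record with the certificate the server presented."""
    _usage, selector, mtype, data = rr
    selected = {0: cert_der, 1: spki_der}.get(selector)  # 0 = full cert, 1 = public key
    if selected is None:
        return False
    if mtype == 0:
        candidate = selected                              # exact match
    elif mtype == 1:
        candidate = hashlib.sha256(selected).digest()
    elif mtype == 2:
        candidate = hashlib.sha512(selected).digest()
    else:
        return False
    return hmac.compare_digest(candidate, data)

def dane_ok(records, cert_der: bytes, spki_der: bytes, dnssec_validated: bool) -> bool:
    """Accept only if a DNSSEC-validated end-entity TLSA record matches."""
    if not dnssec_validated:       # unsigned TLSA data proves nothing
        return False
    for text in records:
        try:
            rr = parse_tlsa(text)
        except ValueError:
            continue               # malformed record: skip it
        # Usages 1 and 3 pin the server's own certificate; usage 1 also
        # requires ordinary PKIX validation, which is not shown here.
        if rr[0] in (1, 3) and tlsa_matches(rr, cert_der, spki_der):
            return True
    return False

# Constructed stand-ins for the DER bytes taken from a TLS handshake.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-subject-public-key-info"
RECORDS = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest()]
```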


Page 18: ION Belfast - Why Implement DNSSEC? - Jim Galvin

Thank You!

James Galvin
jgalvin “at” afilias.info
+1-215-706-5715
https://afilias.info/dnssec


