ION Belfast - Why Implement DNSSEC? - Jim Galvin
DESCRIPTION
Presentation during ION Belfast called "Why Implement DNSSEC" from Jim Galvin of Afilias. DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
TRANSCRIPT
Why DNSSEC?
James Galvin, Ph.D. Afilias Limited
9 September 2014 ION Belfast
© 2014 Afilias Limited 1
Afilias and DNSSEC
• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
– Second largest registry service provider
– Have one of the largest DNS infrastructures
• Started with DNSSEC in 2008
– Signed ORG in June 2009
– Found bug in DNSSEC extension to EPP
– ORG offered signed delegations in June 2010
– Signed all TLDs and offered signed delegations soon after
– Root signed in July 2010
• DNSSEC Basics
• Benefits of DNSSEC
• Internet Future
DNSSEC - BASICS
What is DNSSEC?
• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
• This is most often used to bind an IP address to a domain name, e.g., to find a web site.
• The validation of the assertion is possible independent of its source.
• Features
– Critical Infrastructure: everything uses the DNS
– Hierarchical: delegate and distribute responsibility
DNS with DNSSEC
[Diagram: a local application/service client (DNSSEC-aware application/service) with a stub resolver and local cache queries an iterative resolver with its own local cache, which in turn queries the root servers, the TLD authoritative NS and the SLD authoritative NS, with DNSSEC data carried at each step.]
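The slides describe DNSSEC as a hierarchical system in which a zone asserts a binding and a validator can check that assertion independent of where the answer came from. The mechanism behind that is the DS record: the parent zone publishes a hash of the child's DNSKEY, so the child's key can be verified against the parent all the way up to the root trust anchor. The following Python is an added example, not code from the presentation or from Afilias; it implements the canonical wire-name form, the RFC 4034 key tag and the SHA-256 DS digest, then walks a constructed root/ORG/example.org chain. The key bytes are constructed sample values, not real keys, and RRSIG signature checking over the DNSKEY RRset (which a real validator performs at each level) is deliberately left out.

```python
import hashlib

# Added example: DNSSEC chain-of-trust check via DS records.
# A parent zone publishes DS = (key tag, algorithm, digest type, digest) for the
# child's key-signing DNSKEY; a validator that trusts the parent can therefore
# verify the child's key without trusting the server that delivered it.
# All key material below is constructed sample bytes (hypothetical), not real keys.


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, terminated by a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA layout: 2-byte flags, 1-byte protocol (always 3), 1-byte
    algorithm number, then the raw public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; it lets a DS or RRSIG name which DNSKEY
    in the RRset it refers to (it is a hint, not a security check)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256, RFC 4509): hash of owner name in wire form
    followed by the DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """Build the DS record a parent would publish for this child DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """True if the DNSKEY served for `owner` is the one the parent vouched for."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2
            and ds["digest"] == ds_digest(owner, rdata))


def validate_chain(trust_anchor_ds: dict, zones: list) -> bool:
    """zones: [(zone name, its DNSKEY RDATA, DS it publishes for the next zone
    or None)], ordered root first. Each zone's key must match the DS held by the
    level above; the trust anchor plays the role of the DS for the root key."""
    expected_ds = trust_anchor_ds
    for name, rdata, child_ds in zones:
        if expected_ds is None or not ds_matches_dnskey(expected_ds, name, rdata):
            return False
        expected_ds = child_ds
    return True


# Constructed sample keys (flags 257 = KSK, protocol 3, algorithm 13).
ROOT_KEY = dnskey_rdata(257, 3, 13, b"root-sample-key-bytes")
ORG_KEY = dnskey_rdata(257, 3, 13, b"org-sample-key-bytes")
EXAMPLE_KEY = dnskey_rdata(257, 3, 13, b"example-org-sample-key-bytes")


def sample_chain():
    """Trust anchor plus root -> org -> example.org, each DS derived from the
    child's key, as a validating resolver would see it."""
    anchor = make_ds(".", ROOT_KEY)
    zones = [
        (".", ROOT_KEY, make_ds("org.", ORG_KEY)),
        ("org.", ORG_KEY, make_ds("example.org.", EXAMPLE_KEY)),
        ("example.org.", EXAMPLE_KEY, None),
    ]
    return anchor, zones


def tampered_chain():
    """Same chain, but the example.org DNSKEY served to the resolver has been
    swapped (as a spoofed answer would do); the DS held by ORG no longer matches."""
    anchor, zones = sample_chain()
    bogus_key = dnskey_rdata(257, 3, 13, b"attacker-substituted-key-bytes")
    zones[2] = ("example.org.", bogus_key, None)
    return zones


if __name__ == "__main__":
    anchor, zones = sample_chain()
    print("intact chain validates:", validate_chain(anchor, zones))
    print("swapped example.org key validates:", validate_chain(anchor, tampered_chain()))
```

The point the slide makes is visible in `validate_chain`: nothing in the check depends on which server returned the DNSKEY, only on whether it hashes to what the parent published, so a forged answer fails regardless of how it reached the resolver.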
Who are the Players?
• Domain registration system
– Registries: operate the TLDs
– (Registrars): middleman between registry and registrant
– Registrant: own, manage, and deploy domain names
• Domain name system
– Root system
– Registries
– DNS Operators (authoritative)
• Community
– ISPs
– Users (maybe not)
BENEFITS OF DNSSEC
Why DNSSEC?
• DNSSEC protects the DNS system from cache poisoning attacks, viz the “Kaminsky Bug”
• DNS is a critical infrastructure system. Virtually everything depends on it.
• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.
Without DNSSEC…
When you visit a web site can you be sure you are communicating with the server that you think you are?
TLS/SSL and DNSSEC benefits
[Diagram: DNSSEC protects users from DNS data tampered by or originating from malicious actors; labels: DNS data signed, authentication, integrity, guaranteed not tampered (DNSSEC), and encryption of data over the TLS/SSL channel.]
INTERNET FUTURE
Building Trusted Domains
• A domain name is just a label. Most commonly used to identify hosts and services.
– Web sites
– Application servers
• DNSSEC ensures we have the correct service/address
• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
• Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service
DNSSEC Challenges
• Security increases the baseline expertise required
• Key management becomes mainstream
– Key rollover timings are subtle
• DNS operators are visibly essential
– DNS Operator and registrar/registry relationship
– Transfers are a process
• Key rollover is required
• Losing and gaining operator must overlap services
The demand for DNSSEC?
• A mix of pioneers, early adopters and legislated compliance
• In the early stages for registrant/user, application, and service awareness
[Diagram: Barriers versus Incentives, labelled New hw & sw solutions, Signing TLDs, Costs, Complexity.]
What’s Next?
• Centralize the complexity
– Registrars
– DNS operators
– Application service providers
• Keep it simple for the registrant/user
– Should be invisible
• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we can not yet imagine.
Pervasive Monitoring
• IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance
– http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html
– http://tools.ietf.org/html/rfc7258
– DNS-based Authentication of Named Entities (DANE)
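The "Building Trusted Domains" slide and the DANE reference above point at the same idea: once DNS answers are signed, the domain owner can publish in DNS which certificate a TLS client should expect, and the client compares the presented certificate against that record. The Python below is an added example, not code from the presentation or from Afilias. It builds and checks TLSA records in the RFC 6698 layout (certificate usage, selector, matching type, association data) for the DANE-EE case (usage 3), where the published record pins the end-entity certificate or its public key directly; the other usages additionally require PKIX path validation, which is not shown. The certificate and SPKI bytes are constructed stand-ins, not real DER, and the DNSSEC validation of the TLSA answer itself is assumed to have already happened.

```python
import hashlib

# Added example: DANE/TLSA matching (RFC 6698) for certificate usage 3 (DANE-EE).
# The TLSA owner name encodes port and transport; the record's association data
# is the full certificate or its SubjectPublicKeyInfo, either verbatim or hashed.
# Certificate/SPKI values below are constructed sample bytes, not real DER.

USAGE_DANE_EE = 3          # pin the end-entity certificate itself
SELECTOR_FULL_CERT = 0     # association data derived from the whole certificate
SELECTOR_SPKI = 1          # association data derived from SubjectPublicKeyInfo
MATCH_EXACT = 0            # association data is the raw bytes
MATCH_SHA256 = 1           # association data is SHA-256 of the bytes
MATCH_SHA512 = 2           # association data is SHA-512 of the bytes


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Name under which the TLSA record is published, e.g. _443._tcp.www.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def association_data(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the certificate association data from the selected part of the
    certificate using the requested matching type."""
    selected = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}[selector]
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def tlsa_record(usage: int, selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> dict:
    """What the domain owner publishes for the certificate it intends to serve."""
    return {"usage": usage, "selector": selector, "matching_type": matching_type,
            "data": association_data(selector, matching_type, cert_der, spki_der)}


def tlsa_matches(record: dict, presented_cert_der: bytes, presented_spki_der: bytes) -> bool:
    """Client-side check: does the certificate presented in the TLS handshake
    match the DNSSEC-validated TLSA record? Only DANE-EE is handled here."""
    if record["usage"] != USAGE_DANE_EE:
        return False  # usages 0-2 need PKIX chain validation as well (not shown)
    try:
        expected = association_data(record["selector"], record["matching_type"],
                                    presented_cert_der, presented_spki_der)
    except (KeyError, ValueError):
        return False  # unknown selector or matching type: treat as unusable
    return expected == record["data"]


# Constructed sample certificates: (certificate bytes, SPKI bytes).
CERT_A = (b"constructed-cert-A-der", b"constructed-spki-A")
CERT_B = (b"constructed-cert-B-der", b"constructed-spki-B")
# A re-issued certificate that keeps the same key pair as CERT_A.
CERT_A_RENEWED = (b"constructed-cert-A-renewed-der", b"constructed-spki-A")


def demo() -> dict:
    """Publish a SHA-256 record for CERT_A (full cert) and one for its SPKI, then
    check which presented certificates satisfy each."""
    full = tlsa_record(USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_SHA256, *CERT_A)
    spki = tlsa_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, *CERT_A)
    return {
        "full_cert_accepts_A": tlsa_matches(full, *CERT_A),
        "full_cert_accepts_B": tlsa_matches(full, *CERT_B),
        "full_cert_accepts_renewed_A": tlsa_matches(full, *CERT_A_RENEWED),
        "spki_accepts_renewed_A": tlsa_matches(spki, *CERT_A_RENEWED),
        "spki_accepts_B": tlsa_matches(spki, *CERT_B),
    }


if __name__ == "__main__":
    print(tlsa_owner_name("www.example.org", 443))
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The selector choice is the operational detail worth noticing: pinning the full certificate (selector 0) breaks on every renewal and ties the operator to the key rollover timing issues the "DNSSEC Challenges" slide warns about, while pinning the SPKI (selector 1) survives a re-issue that keeps the same key pair.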
Thank You!
James Galvin jgalvin “at” afilias.info +1-215-706-5715 https://afilias.info/dnssec