ION Sri Lanka - Why Implement DNSSEC?

© 2015 Afilias Limited Why DNSSEC? Jitender Kumar Afilias 18 January 2015 ION Sri Lanka 1

Upload: deploy360-programme-internet-society

Post on 15-Jul-2015


TRANSCRIPT

© 2015 Afilias Limited

Why DNSSEC?

Jitender Kumar

Afilias

18 January 2015

ION Sri Lanka


Afilias and DNSSEC

• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.

– Second largest registry service provider

– Have one of the largest DNS infrastructures

• Started with DNSSEC in 2008

– Signed ORG in June 2009

– Found bug in DNSSEC extension to EPP

– ORG offered signed delegations in June 2010

– Signed all TLDs and offered signed delegations soon after

– Root signed in July 2010

• DNSSEC Basics

• Benefits of DNSSEC

• Internet Future


DNSSEC - Basics


What is DNSSEC?

• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.

• This is most often used to bind an IP address to a domain name, e.g., to find a web site.

• The validation of the assertion is possible independent of its source.

• Features

– Critical Infrastructure: everything uses the DNS

– Hierarchical: delegate and distribute responsibility

DNS with DNSSEC

[Diagram: DNS resolution with DNSSEC. Components shown: DNSSEC-aware application/service, local application/service client, stub resolver, iterative resolver, two local caches, root servers, TLD authoritative NS, SLD authoritative NS. Steps 1 to 3 are each marked DNSSEC.]

Who are the Players?

• Domain registration system

– Registries: operate the TLDs

– (Registrars): middleman between registry and registrant

– Registrant: own, manage, and deploy domain names

• Domain name system

– Root system

– Registries

– DNS Operators (authoritative)

• Community

– ISPs

– Users (maybe not)

Benefits of DNSSEC


Why DNSSEC?

• DNSSEC protects the DNS system from cache poisoning attacks, viz. the “Kaminsky Bug”

• DNS is a critical infrastructure system. Virtually everything depends on it.

• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.

• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.

Without DNSSEC…

When you visit a web site, can you be sure you are communicating with the server that you think you are?

TLS/SSL and DNSSEC benefits

DNSSEC protects… users from DNS data tampered by or originating from malicious actors

[Diagram labels: Authentication: DNSSEC, DNS data signed. Integrity: DNSSEC, DNS data guaranteed not tampered. Encryption: TLS/SSL, data channel.]

INTERNET FUTURE


Building Trusted Domains

• A domain name is just a label. Most commonly used to identify hosts and services.

– Web sites

– Application servers

• DNSSEC ensures we have the correct service/address

• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel

• Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service

DNSSEC Challenges

• Security increases the baseline expertise required

• Key management becomes mainstream

– Key rollover timings are subtle

• DNS operators are visibly essential

– DNS Operator and registrar/registry relationship

– Transfers are a process

• Key rollover is required

• Losing and gaining operator must overlap services
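
What makes rollover timing subtle is that resolvers keep cached DNSKEY and DS records for their full TTL, so each step has to wait for the previous one to age out everywhere. The sketch below is an added example, not part of the original slides; it follows the Double-KSK timing model of RFC 7583, and the class, function names and timing values are constructed for illustration (`ds_swap` is assumed to be the moment the parent starts serving the new DS).

```python
from dataclasses import dataclass

@dataclass
class ZoneTimings:
    dnskey_ttl: int    # TTL of the child's DNSKEY RRset, in seconds
    ds_ttl: int        # TTL of the DS RRset in the parent zone, in seconds
    child_prop: int    # delay until every child name server serves a change
    parent_prop: int   # the same delay for the parent's name servers

def earliest_ds_swap(new_key_published: int, t: ZoneTimings) -> int:
    """The new DS may replace the old one once no cache holds a DNSKEY RRset without the new key."""
    return new_key_published + t.child_prop + t.dnskey_ttl

def earliest_old_key_removal(new_ds_published: int, t: ZoneTimings) -> int:
    """The old KSK may be withdrawn once the old DS has expired from every cache."""
    return new_ds_published + t.parent_prop + t.ds_ttl

def check_plan(plan: dict, t: ZoneTimings) -> list:
    """Return a description of each step in a rollover plan that happens too early."""
    problems = []
    if plan["ds_swap"] < earliest_ds_swap(plan["new_key_published"], t):
        problems.append("ds_swap: caches may still hold a DNSKEY RRset without the new key")
    if plan["old_key_removed"] < earliest_old_key_removal(plan["ds_swap"], t):
        problems.append("old_key_removed: caches may still hold the old DS")
    return problems

# Constructed timings: 1 h DNSKEY TTL, 24 h DS TTL, 5 and 15 min propagation.
SAMPLE = ZoneTimings(dnskey_ttl=3600, ds_ttl=86400, child_prop=300, parent_prop=900)

if __name__ == "__main__":
    rushed = {"new_key_published": 0, "ds_swap": 1800, "old_key_removed": 7200}
    for problem in check_plan(rushed, SAMPLE):
        print("UNSAFE", problem)
    swap = earliest_ds_swap(0, SAMPLE)
    print("safe DS swap at", swap, "s; safe old-key removal at",
          earliest_old_key_removal(swap, SAMPLE), "s")
```

The same waits apply when a domain changes DNS operator, which is one reason the losing operator has to keep serving the zone while the gaining operator's key becomes trusted.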

The demand for DNSSEC?

• A mix of pioneers, early adopters and legislated compliance

• In the early stages for registrant/user, application, and service awareness

[Diagram: Barriers and Incentives. Labels: New hw & sw solutions, Signing TLDs, Costs, Complexity.]

What’s Next?

• Centralize the complexity

– Registrars

– DNS operators

– Application service providers

• Keep it simple for the registrant/user

– Should be invisible

• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we cannot yet imagine.

Pervasive Monitoring

• IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance

– http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html

– http://tools.ietf.org/html/rfc7258

– DNS-based Authentication of Named Entities (DANE)
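
DANE is the standard form of the idea on the Building Trusted Domains slide: a DNSSEC-signed TLSA record states which certificate or public key the TLS server for a name must present. The sketch below is an added example, not part of the original slides; it checks an end-entity TLSA record (RFC 6698) against a server certificate, and the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac

SELECTORS = (0, 1)                               # 0 = full certificate, 1 = SubjectPublicKeyInfo
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type 0 means exact bytes

def parse_tlsa(rdata: str) -> tuple:
    """Parse presentation-format TLSA RDATA: 'usage selector matching-type hex'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))

def tlsa_matches_leaf(rdata: str, cert_der: bytes, spki_der: bytes,
                      dnssec_validated: bool) -> bool:
    """Check an end-entity TLSA record (usage 1 or 3) against the server's own certificate.

    Usage 1 additionally requires ordinary PKIX validation, which is not done here.
    """
    if not dnssec_validated:       # a TLSA answer without DNSSEC validation proves nothing
        return False
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage not in (1, 3) or selector not in SELECTORS:
        return False               # trust-anchor usages 0 and 2 need chain building
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        presented = selected
    elif mtype in HASHES:
        presented = HASHES[mtype](selected).digest()
    else:
        return False
    return hmac.compare_digest(presented, assoc)

# Constructed stand-ins: a real caller passes the DER certificate from the TLS
# handshake and its SubjectPublicKeyInfo. These bytes are not valid DER.
CERT = b"constructed-certificate-bytes"
SPKI = b"constructed-public-key-bytes"
PINNED = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()   # DANE-EE, SPKI, SHA-256

if __name__ == "__main__":
    print("pinned key, signed answer:  ", tlsa_matches_leaf(PINNED, CERT, SPKI, True))
    print("other key, signed answer:   ", tlsa_matches_leaf(PINNED, CERT, b"other-key", True))
    print("pinned key, unsigned answer:", tlsa_matches_leaf(PINNED, CERT, SPKI, False))
```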

Credit

Dr. James Galvin, Director, Technical Standards, Afilias

Jitender Kumar

jkumar “at” afilias.info

+91-11-4644-8809

https://afilias.info/dnssec

Thank You!
