ION Sri Lanka - Why Implement DNSSEC?
TRANSCRIPT
© 2015 Afilias Limited
• Afilias makes Internet addresses more accessible and useful through registry services, Managed DNS, and mobile Web services like goMobi® and DeviceAtlas®.
– Second largest registry service provider
– Have one of the largest DNS infrastructures
• Started with DNSSEC in 2008
– Signed ORG in June 2009
– Found bug in DNSSEC extension to EPP
– ORG offered signed delegations in June 2010
– Signed all TLDs and offered signed delegations soon after
– Root signed in July 2010
Afilias and DNSSEC
• DNSSEC provides an assertion by a zone that a specific data element is bound to a domain name.
• This is most often used to bind an IP address to a domain name, e.g., to find a web site.
• The validation of the assertion is possible independently of its source.
• Features
– Critical Infrastructure: everything uses the DNS
– Hierarchical: delegate and distribute responsibility
What is DNSSEC?
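The "hierarchical" point above is what makes validation independent of the source: a parent zone publishes a DS record that is a digest of the child's DNSKEY, and a validator can check the delegation without trusting whichever server handed it the key. The following is an added example (not code from the slides or from Afilias) that computes a DS record and the key tag exactly as RFC 4034 section 5.1.4 and Appendix B specify, using only the Python standard library. The zone name, flags, algorithm and the key bytes are constructed placeholders; the key is a byte pattern, not a real elliptic-curve public key.

```python
import hashlib

# Constructed example inputs: a child zone's DNSKEY as the parent would see it.
CHILD_ZONE = "Example.LK."        # mixed case on purpose: canonical form lowercases it
CHILD_FLAGS = 257                 # 256 = ZSK, 257 = KSK (Secure Entry Point bit set)
CHILD_ALGORITHM = 13              # ECDSAP256SHA256
CHILD_PUBKEY = bytes(range(64))   # constructed placeholder, not a valid EC point

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, ended by the empty root label."""
    stripped = name.rstrip(".")
    if not stripped:
        return b"\x00"  # the root zone itself
    out = bytearray()
    for label in stripped.lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol (always 3), algorithm, key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B) for every algorithm except RSA/MD5 (algorithm 1).
    It is only a hint for picking the right key out of an RRset, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 section 5.1.4): hash(owner name wire || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int = 2) -> dict:
    """The DS record the parent publishes for this child key."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def delegation_matches(ds: dict, owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """What a validating resolver does at a zone cut: recompute the digest of the DNSKEY
    received from the child and compare it with the DS obtained from the (signed) parent."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


if __name__ == "__main__":
    ds = make_ds(CHILD_ZONE, CHILD_FLAGS, CHILD_ALGORITHM, CHILD_PUBKEY)
    print(f"{CHILD_ZONE} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    tampered = bytes([1]) + CHILD_PUBKEY[1:]   # one byte changed in transit
    print("genuine key matches DS:", delegation_matches(ds, CHILD_ZONE, CHILD_FLAGS, CHILD_ALGORITHM, CHILD_PUBKEY))
    print("tampered key matches DS:", delegation_matches(ds, CHILD_ZONE, CHILD_FLAGS, CHILD_ALGORITHM, tampered))
```

The digest covers the owner name as well as the key material, so a key that is valid for one zone cannot be replayed as the key of another; and because the DS lives in the parent, which is itself signed up to the root trust anchor, a resolver with only the root key can check the whole chain regardless of which server answered.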
DNS with DNSSEC
[Figure: a local application/service client asks a stub resolver; the iterative resolver (with its local cache) walks the hierarchy in three steps: (1) root servers, (2) TLD authoritative NS, (3) SLD authoritative NS. DNSSEC applies at each of the three levels, and a DNSSEC-aware application/service is shown alongside the client.]
• Domain registration system
– Registries: operate the TLDs
– (Registrars): middleman between registry and registrant
– Registrant: own, manage, and deploy domain names
• Domain name system
– Root system
– Registries
– DNS Operators (authoritative)
• Community
– ISPs
– Users (maybe not)
Who are the Players?
• DNSSEC protects the DNS system from cache poisoning attacks, viz. the “Kaminsky Bug”
• DNS is a critical infrastructure system. Virtually everything depends on it.
• DNSSEC is the next step in the evolution of the Internet, similar to the web back in 1993.
• Deploying a safe and secure DNS is not just the right thing to do, it is the cornerstone of building the next generation Internet, a safe and secure Internet.
Why DNSSEC?
Without DNSSEC…
When you visit a web site, can you be sure you are communicating with the server that you think you are?
TLS/SSL and DNSSEC benefits
– Encryption: TLS/SSL (data, channel); DNSSEC: none (DNSSEC does not encrypt)
– Authentication: DNSSEC (DNS data signed); TLS/SSL (data)
– Integrity: DNSSEC (DNS data guaranteed not tampered); TLS/SSL (data)
DNSSEC protects… users from DNS data tampered with by, or originating from, malicious actors.
• A domain name is just a label. Most commonly used to identify hosts and services.
– Web sites
– Application servers
• DNSSEC ensures we have the correct service/address
• TLS/SSL (https) gives us good confidence that we have an encrypted tunnel
• Matching the domain in the TLS/SSL certificate with the domain from DNSSEC offers greater assurance that you are communicating with the desired site/service
Building Trusted Domains
• Security increases the baseline expertise required
• Key management becomes mainstream
– Key rollover timings are subtle
• DNS operators are visibly essential
– DNS Operator and registrar/registry relationship
– Transfers are a process
• Key rollover is required
• Losing and gaining operator must overlap services
DNSSEC Challenges
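"Key rollover timings are subtle" because every step of a rollover has to wait for what resolver caches may still hold, plus the time a zone change takes to reach all authoritative servers. The following is an added example (not from the slides or from Afilias) that turns the timing rules of RFC 6781 for a pre-publish ZSK rollover and a double-signature KSK rollover into a schedule, and derives from the same reasoning the minimum period during which a losing and a gaining DNS operator must both serve the zone. The TTLs, delays and the start date are constructed inputs; a real deployment takes them from the zone, its parent and the registrar's DS-update latency.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ZoneTimings:
    """Inputs for the schedule; all values here are constructed for the example."""
    dnskey_ttl: timedelta          # TTL of the zone's DNSKEY RRset
    max_zone_ttl: timedelta        # longest TTL of any signed RRset in the zone
    propagation_delay: timedelta   # time for a new zone version to reach every authoritative server
    ds_ttl: timedelta              # TTL of the DS RRset as served by the parent
    parent_delay: timedelta        # time for registrar/registry to publish a DS change
    safety_margin: timedelta = timedelta(hours=1)


# Constructed example timings (not measured from any real zone)
EXAMPLE = ZoneTimings(dnskey_ttl=timedelta(hours=1), max_zone_ttl=timedelta(days=1),
                      propagation_delay=timedelta(minutes=30), ds_ttl=timedelta(days=1),
                      parent_delay=timedelta(hours=2))
START = datetime(2015, 9, 1, tzinfo=timezone.utc)


def _hold(t: ZoneTimings) -> timedelta:
    """Every wait is 'what caches may still hold' + propagation + margin."""
    return t.propagation_delay + t.safety_margin


def prepublish_zsk_rollover(start: datetime, t: ZoneTimings) -> dict:
    """Pre-publish ZSK rollover (RFC 6781 section 4.1.1.1)."""
    publish_new = start
    # Caches may still hold the DNSKEY RRset without the new key for dnskey_ttl; signing with
    # the new key earlier hands validators signatures they have no key for.
    sign_with_new = publish_new + t.dnskey_ttl + _hold(t)
    # Caches may still hold RRsets signed by the old key for up to max_zone_ttl; removing the
    # old key earlier breaks validation of those cached answers.
    remove_old = sign_with_new + t.max_zone_ttl + _hold(t)
    return {"publish_new_dnskey": publish_new,
            "sign_with_new_key": sign_with_new,
            "remove_old_dnskey": remove_old}


def double_signature_ksk_rollover(start: datetime, t: ZoneTimings) -> dict:
    """Double-signature KSK rollover (RFC 6781 section 4.1.2). The DS step is the slow one,
    because it runs through the registrar/registry relationship mentioned on the slide."""
    publish_new = start                                  # DNSKEY RRset signed by old and new KSK
    submit_ds = publish_new + t.dnskey_ttl + _hold(t)    # new KSK must be in every cache first
    ds_published = submit_ds + t.parent_delay            # parent serves the new DS
    remove_old = ds_published + t.ds_ttl + _hold(t)      # old DS may linger in caches for ds_ttl
    return {"publish_new_ksk": publish_new, "submit_new_ds": submit_ds,
            "new_ds_published": ds_published, "remove_old_ksk_and_ds": remove_old}


def step_is_safe(schedule: dict, step: str, now: datetime) -> bool:
    """True once the hold time for `step` has elapsed; acting earlier is the classic rollover outage."""
    return now >= schedule[step]


def operator_transfer_overlap(start: datetime, t: ZoneTimings) -> timedelta:
    """Simplification used in this example: when the zone moves between DNS operators, the gaining
    operator's KSK must go through a full DS change, so both operators must serve the zone (with
    both key sets published) for at least the length of the KSK rollover window."""
    schedule = double_signature_ksk_rollover(start, t)
    return schedule["remove_old_ksk_and_ds"] - schedule["publish_new_ksk"]


if __name__ == "__main__":
    for name, plan in (("ZSK", prepublish_zsk_rollover(START, EXAMPLE)),
                       ("KSK", double_signature_ksk_rollover(START, EXAMPLE))):
        print(f"{name} rollover:")
        for step, when in plan.items():
            print(f"  {step:24s} {when.isoformat()}")
    print("minimum operator overlap:", operator_transfer_overlap(START, EXAMPLE))
```

Note how the waits compound: with a one-day maximum zone TTL the ZSK rollover cannot finish in under a day, and the KSK rollover is bounded below by the parent's DS TTL and the registrar's publication delay, neither of which the child controls.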
• A mix of pioneers, early adopters and legislated compliance
• In the early stages for registrant/user, application, and service awareness
The demand for DNSSEC?
[Figure: barriers and incentives for DNSSEC deployment, listing new hw & sw solutions, signing TLDs, costs and complexity.]
• Centralize the complexity
– Registrars
– DNS operators
– Application service providers
• Keep it simple for the registrant/user
– Should be invisible
• DNSSEC is about what we can do with it. It is an essential building block in a critical infrastructure system that will change the Internet in ways we cannot yet imagine.
What’s Next?
• IETF reaches broad consensus to improve the security of Internet protocols to respond to pervasive surveillance
– http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html
– http://tools.ietf.org/html/rfc7258
– DNS-based Authentication of Named Entities (DANE)
Pervasive Monitoring
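DANE (RFC 6698), listed above, is the concrete mechanism behind the earlier "Building Trusted Domains" slide: the domain owner publishes a TLSA record in the DNSSEC-signed zone stating which certificate (or which issuer) the TLS service must present, so the certificate check is tied to DNS data the client has already validated. The following is an added example (not from the slides, from Afilias or from any TLS library) that builds TLSA records and applies the DANE-EE and DANE-TA matching rules. Only selector 0 (the full certificate) is implemented; selector 1 would need ASN.1 parsing of the SubjectPublicKeyInfo. The certificate bytes are constructed stand-ins, not real DER, and the `dnssec_validated` flag stands for the AD bit a validating resolver would set.

```python
import hashlib
from typing import List, Tuple

# RFC 6698 field values
USAGE_DANE_TA = 2              # certificate association data names a trust anchor in the chain
USAGE_DANE_EE = 3              # certificate association data names the end-entity certificate
SELECTOR_FULL_CERT = 0         # selector 1 (SubjectPublicKeyInfo) deliberately not implemented
MATCHING = {
    0: lambda data: data,                               # exact match of the whole object
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}

# Constructed stand-ins for DER-encoded certificates (not real ASN.1 structures)
SERVER_CERT = b"CONSTRUCTED-DER:CN=www.example.lk"
ISSUER_CERT = b"CONSTRUCTED-DER:CN=Example Issuing CA"


def tlsa_rdata(usage: int, selector: int, matching_type: int, cert_der: bytes) -> bytes:
    """Build the TLSA RDATA a zone operator publishes for a certificate."""
    if selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("only selector 0 (full certificate) is implemented here")
    if matching_type not in MATCHING:
        raise ValueError(f"unknown matching type {matching_type}")
    return bytes([usage, selector, matching_type]) + MATCHING[matching_type](cert_der)


def tlsa_presentation(rdata: bytes) -> str:
    """Zone-file form, e.g. '3 0 1 <hex>' at the owner name _443._tcp.<host>."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex().upper()}"


def tlsa_matches(rdata: bytes, cert_der: bytes) -> bool:
    """Compare one certificate against one TLSA record's association data."""
    selector, matching_type = rdata[1], rdata[2]
    if selector != SELECTOR_FULL_CERT or matching_type not in MATCHING:
        return False  # unusable record: unsupported or unknown parameters
    return MATCHING[matching_type](cert_der) == rdata[3:]


def dane_verify(tlsa_rrset: List[bytes], dnssec_validated: bool, chain: List[bytes]) -> Tuple[bool, str]:
    """Decide whether the presented chain is authorised by the TLSA RRset.
    chain[0] is the end-entity certificate; the rest are issuer certificates as presented."""
    if not dnssec_validated:
        # An unsigned or unvalidated TLSA RRset is exactly what a spoofed DNS answer could carry;
        # RFC 6698 section 4.1 requires DNSSEC validation before any use of the records.
        return False, "TLSA RRset not DNSSEC-validated; ignoring it"
    if not chain:
        return False, "no certificate presented"
    for rdata in tlsa_rrset:
        usage = rdata[0]
        if usage == USAGE_DANE_EE and tlsa_matches(rdata, chain[0]):
            return True, "DANE-EE: end-entity certificate matches"
        if usage == USAGE_DANE_TA and any(tlsa_matches(rdata, c) for c in chain[1:]):
            return True, "DANE-TA: an issuer in the presented chain matches the trust anchor"
        # usages 0 and 1 constrain an already PKIX-valid chain; PKIX validation is out of scope here
    return False, "no TLSA record authorises the presented chain"


if __name__ == "__main__":
    ee_record = tlsa_rdata(USAGE_DANE_EE, SELECTOR_FULL_CERT, 1, SERVER_CERT)
    print("_443._tcp.www.example.lk. IN TLSA", tlsa_presentation(ee_record))
    print(dane_verify([ee_record], True, [SERVER_CERT, ISSUER_CERT]))
    print(dane_verify([ee_record], False, [SERVER_CERT, ISSUER_CERT]))
    print(dane_verify([ee_record], True, [b"X" + SERVER_CERT[1:], ISSUER_CERT]))
```

The first check in `dane_verify` is the one that matters for this deck: the TLSA data only adds assurance when it arrives through a validated DNSSEC chain; without that, a client would be matching the certificate against whatever an on-path party chose to put in the DNS answer.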