http://www.nlnetlabs.nl/
Living on the Edge: (Re)focus DNS Efforts on the End-Points
Benno Overeinder, NLnet Labs
RIPE 75, Dubai, UAE
Complexity at Core - Middle - Edge
[Diagram: application, stub and OS on the host at the edge; the recursive resolver in the middle; the authoritative servers for ., net and ripe at the core. End-to-end-ness (e2e-ness) is labelled simple, moderate or complex.]
From the ground-up security … and now for something completely different
Customer – Web Portal Interaction
[Diagram: the customer's host runs a browser; it asks the full recursive resolver, which queries the auth nameservers, for the web portal's IP address, and then speaks http/https to the portal's http server.]
DNS Spoofing
• DNS spoofing by cache poisoning
  • attacker floods a DNS resolver with phony information, with bogus DNS results
  • by the law of large numbers, these attacks get a match and plant a bogus result into the cache
• Man-in-the-middle attacks
  • redirect to wrong Internet sites
  • email to non-authorized email server
The “Too Many CAs” Problem
• TLS clients often have an abundance of TAs
  • modern web browsers have 1300+ TAs
  • any of them can issue a certificate for example.com
[Diagram: two certificates for example.com, issued by two different CAs; the TLS client accepts them both! This has happened multiple times!]
Customer – Web Portal Interaction
[Diagram: the same customer, full recursive resolver, auth nameservers and http server; the http/https leg to the web portal is marked “too many CAs”, with the question: CA pinning / HSTS?]
DNSSEC-Based Secure Customer – Web Portal Interaction
[Diagram: the same interaction, with DNSSEC securing the lookup via the full recursive resolver and auth nameservers, and DANE addressing the “too many CAs” problem on the https leg.]
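The check DANE adds on the https leg, as an added example that is not part of the slides: the client compares the server certificate against a TLSA record (RFC 6698 / RFC 7671) instead of asking whether any of its 1300+ TAs signed it. The certificate, the DER helpers, the key bytes and the TLSA RRset below are constructed for the demo; a real client takes the certificate from the TLS handshake and the TLSA RRset from a DNSSEC-validated lookup of _443._tcp.<portal> (or _853._tcp.<resolver> for DNS-over-TLS). The same code serves the DNS-over-TLS case discussed later in the deck. Without DNSSEC validation of that RRset the comparison proves nothing, which is why the remaining slides are about getting DNSSEC to the stub.

```python
# Added example (not from the slides): the check a DANE-aware TLS client makes
# against a TLSA record (RFC 6698 / RFC 7671). Certificate, SPKI bytes and
# TLSA RRset are constructed for the demo; the TLSA RRset is assumed to have
# been DNSSEC-validated before it reaches dane_verify().
import hashlib

# TLSA RDATA fields (RFC 6698 section 2.1)
DANE_EE = 3         # usage 3: match the end-entity certificate, no PKIX chain needed
SEL_FULL_CERT = 0   # selector 0: the whole DER certificate
SEL_SPKI = 1        # selector 1: the SubjectPublicKeyInfo only
MATCH_EXACT = 0     # matching type 0: raw bytes
MATCH_SHA256 = 1    # matching type 1: SHA-256 of the selected data
MATCH_SHA512 = 2    # matching type 2: SHA-512 of the selected data


def der(tag, content):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(tlv):
    """Split one constructed DER value into its child TLVs (no validation)."""
    def header(buf, i):
        n, j = buf[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, j = int.from_bytes(buf[j:j + k], "big"), j + k
        return j, n
    body_start, body_len = header(tlv, 0)
    body = tlv[body_start:body_start + body_len]
    out, i = [], 0
    while i < len(body):
        j, n = header(body, i)
        out.append(body[i:j + n])
        i = j + n
    return out


def spki_from_cert(cert_der):
    """SubjectPublicKeyInfo of an X.509 DER certificate (RFC 5280 section 4.1)."""
    tbs_fields = der_children(der_children(cert_der)[0])
    if tbs_fields[0][0] == 0xA0:        # explicit [0] version is optional
        tbs_fields = tbs_fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return tbs_fields[5]


def dane_verify(cert_der, tlsa_rrset):
    """True if at least one usable TLSA record matches the certificate (RFC 7671 section 5.1).
    Only DANE-EE(3) is handled; usages 0-2 need PKIX chain building and are skipped as unusable."""
    for usage, selector, mtype, assoc in tlsa_rrset:
        if usage != DANE_EE or selector not in (SEL_FULL_CERT, SEL_SPKI):
            continue
        data = cert_der if selector == SEL_FULL_CERT else spki_from_cert(cert_der)
        if mtype == MATCH_EXACT:
            candidate = data
        elif mtype == MATCH_SHA256:
            candidate = hashlib.sha256(data).digest()
        elif mtype == MATCH_SHA512:
            candidate = hashlib.sha512(data).digest()
        else:
            continue                      # unknown matching type: unusable record
        if candidate == assoc:
            return True
    return False


def make_demo_cert(spki_der):
    """Syntactically valid but unsigned, untrusted certificate around a given SPKI (constructed)."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                     # [0] version v3
        der(0x02, b"\x01"),                                # serialNumber
        sha256_rsa,                                        # signature algorithm
        der(0x30, b""),                                    # issuer (empty for the demo)
        der(0x30, der(0x17, b"170101000000Z") + der(0x17, b"270101000000Z")),
        der(0x30, b""),                                    # subject (empty for the demo)
        spki_der,
    ]))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + b"\xaa" * 8))  # bogus signature


def demo_spki(seed):
    """Constructed P-256 SubjectPublicKeyInfo shape; the key bytes are filler, not a real key."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")) + der(0x06, bytes.fromhex("2a8648ce3d030107")))
    return der(0x30, alg + der(0x03, b"\x00\x04" + bytes([seed]) * 64))


PORTAL_SPKI = demo_spki(0x11)
PORTAL_CERT = make_demo_cert(PORTAL_SPKI)           # what the genuine portal serves
ROGUE_CERT = make_demo_cert(demo_spki(0x22))        # same name, issued by one of the other 1300+ CAs
# What the portal operator publishes at _443._tcp.<portal>: "3 1 1 <sha256(SPKI)>"
PORTAL_TLSA = [(DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(PORTAL_SPKI).digest())]
```

With a "3 1 1" record the client only needs the pinned SPKI hash to match; a certificate for the same name from any other CA fails the comparison even though a PKIX-only client would accept it.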
Resolver Hijack?!
[Diagram: the same interaction with DNSSEC and DANE in place, but the full recursive resolver the host talks to has been hijacked.]
Countering Resolver Hijack
• DNSSEC on the stub
• DNS-over-TLS
The Importance of Being an Earnest stub – OARC 26 5/45 Willem Toorop (NLnet Labs)
From the ground-up security
● DNSSEC protects against cache poisoning
● But not against resolver hijacking
● One possibility: DNSSEC on the stub
[Diagram: on the host, the browser (application), the OS and the stub, with https to WebSrv; the stub queries a DNSSEC Aware recursive resolver, which in turn queries the authoritative servers for ., net and dns-oarc.net. The stub fetches the dns-oarc.net A record together with the DNSKEY and DS records for dns-oarc.net, net and . and validates the chain itself. The stub-to-resolver link is marked “the first/last mile”.]
From the ground-up security/privacy
● DNSSEC protects against cache poisoning
● But not against resolver hijacking
● Another possibility: DNS over TLS
[Diagram: same topology, now with a validating recursive resolver; the stub asks it over TLS for dns-oarc.net A and gets 64.191.0.198 back. The stub-to-resolver link is “the first/last mile”.]
Countering Resolver Hijack (cont’d)
• DNS-over-TLS
[Same DNS over TLS slide as above, now annotated: TLS hijack of DNS-over-TLS on the first/last mile.]
Bootstrap the TLSA lookup with regular DNS? Chicken and egg problem.
From the ground-up security/privacy
● Bootstrap the TLSA lookup with regular DNS?
  – Chicken and Egg problem
● Authenticate DNS-over-TLS with DANE?
[Diagram: the stub asks a DNSSEC Aware recursive resolver for _853._tcp.getdnsapi.net TLSA and for the DNSKEY and DS records of getdnsapi.net, net and . (served by the authoritative servers for ., net and getdnsapi.net), and then sends its dns-oarc.net A query over TLS to the validating recursive resolver getdnsapi.net, which answers 64.191.0.198 from the dns-oarc.net authoritative.]
DNSSEC Data Blob-over-TLS
• TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
• TLS DNSSEC authentication to prevent “Too many CAs” problem
• https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension
From the ground-up security/privacy
● Bootstrap the TLSA lookup with regular DNS?
● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
  https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension
[Diagram: the stub's dns-oarc.net A query goes over TLS to the validating recursive resolver getdnsapi.net (answer 64.191.0.198); the TLS handshake itself carries _853._tcp.getdnsapi.net TLSA, getdnsapi.net DNSKEY and DS, net DNSKEY and DS, and the . DNSKEY, each with its RRSIGs, so the stub validates the chain without a separate lookup.]
DNS Privacy and Standards
• DNS privacy requirements

Capability                                              Standard
DNS-over-TLS                                            RFC 7858
Reuse / pipelining / OOOP                               RFC 7766
TCP fast open                                           RFC 7413
EDNS0 keepalive                                         RFC 7828
EDNS0 padding                                           RFC 7830
PKIX support for authentication                         (various)
DNSSEC support (for address lookup and authentication)  (various)
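What two of the table's capabilities look like on the wire, as an added example that is not part of the slides: a query built the way a privacy-aware stub sends it over DNS-over-TLS, with an EDNS0 OPT record carrying edns-tcp-keepalive (RFC 7828, option code 11) and EDNS0 Padding (RFC 7830, option code 12). The padding is sized with the Block-Length strategy of RFC 8467 so every query is a multiple of 468 octets, which is what hides the queried name's length from an on-path observer. Message IDs, names and the UDP payload size are constructed values.

```python
# Added example (not from the slides): a DNS query with EDNS0 keepalive
# (RFC 7828) and block-length padding (RFC 7830 / RFC 8467) as a stub would
# send it over DNS-over-TLS. Names, IDs and payload size are constructed.
import struct

OPT_KEEPALIVE = 11
OPT_PADDING = 12
OPT_TYPE = 41
QUERY_BLOCK = 468            # RFC 8467 recommended block size for queries


def encode_name(name):
    """Uncompressed wire-format domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_rr(options, udp_size=1232):
    """OPT pseudo-RR: root name, type 41, payload size, ext-RCODE/version/flags, RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(options)) + options


def build_query(qname, qtype, msg_id, block=QUERY_BLOCK, keepalive=True):
    """Query with RD set, one question, and an OPT RR with keepalive + padding."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    options = b""
    if keepalive:
        # a client sends the option with no TIMEOUT; the server fills it in (RFC 7828 section 3.2.1)
        options += struct.pack("!HH", OPT_KEEPALIVE, 0)
    unpadded = len(header) + len(question) + len(opt_rr(options))
    # the Padding option itself costs a 4-octet option header before any padding bytes
    pad_len = (block - (unpadded + 4) % block) % block
    options += struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    return header + question + opt_rr(options)


def edns_options(msg):
    """Decode (code, length) pairs from the OPT RR of a query built by build_query."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    if an or ns or ar != 1:
        raise ValueError("expected a query with only an OPT RR in the additional section")
    i = 12
    for _ in range(qd):
        while msg[i] != 0:            # walk the labels (no compression in a query we built)
            i += 1 + msg[i]
        i += 1 + 4                    # root label, QTYPE, QCLASS
    if msg[i] != 0 or struct.unpack("!H", msg[i + 1:i + 3])[0] != OPT_TYPE:
        raise ValueError("additional record is not OPT")
    rdlen = struct.unpack("!H", msg[i + 9:i + 11])[0]
    j, end, opts = i + 11, i + 11 + rdlen, []
    while j < end:
        code, olen = struct.unpack("!HH", msg[j:j + 4])
        opts.append((code, olen))
        j += 4 + olen
    return opts
```

Over TLS the 2-octet TCP length prefix goes in front of the padded message; the point of the block size is that a query for a.nl and a query for a much longer name leave the stub at the same length.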
DNSSEC Roadblocks: Consequences of living on the edge
DNSSEC Roadblocks
• Resolving DNSSEC (to cross the first mile) needs DNSSEC aware recursive resolver
DNSSEC Roadblocks
● Resolving DNSSEC (to cross the first mile) needs DNSSEC Aware recursive resolver
[Diagram: as in the DNSSEC-on-the-stub slide, but the recursive resolver in the middle is not DNSSEC Aware, so the stub's DNSKEY, DS and A queries for dns-oarc.net, net and . do not get it the records it needs to validate.]
DNSSEC Roadblock Avoidance
• DNSSEC roadblock avoidance + full recursion capability
• https://tools.ietf.org/html/rfc8027
DNSSEC Roadblocks
● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027
● IPv6 Address Synthesis Prefix Discovery https://tools.ietf.org/html/rfc7050 + DNS64 capability https://tools.ietf.org/html/rfc6147
[Diagram: an IPv6 only host (browser application, OS, stub) behind a DNS64 resolver and NAT64; the stub asks twitter.com AAAA and is answered with the synthesized address 64:ff9b::68e0:2ac1, while the IPv4 only https server is at 104.244.42.193; the authoritative servers for ., com and twitter.com sit behind the DNS64.]
DNSSEC with DNS64 & NAT64
• Jen Linkova’s “Let’s talk about IPv6 DNS64 & DNSSEC”
  • https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/
• With IPv6 prefix discovery, stub can do DNSSEC validation of A RR itself
DNSSEC with DNS64 & NAT64
• IPv6 address synthesis prefix discovery + DNS64 capability
  • https://tools.ietf.org/html/rfc7050
  • https://tools.ietf.org/html/rfc6147
[Same DNSSEC Roadblocks slide as above (RFC 8027, RFC 7050, RFC 6147); diagram: the IPv6 only host with DNS64, NAT64 and the authoritative servers for ., com and twitter.com, now with the stub talking to a privacy resolver.]
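Why prefix discovery lets the stub validate the A record itself, as an added example that is not part of the slides: a DNS64 resolver fabricates the AAAA it returns, so there is no RRSIG for it, but a stub that learns the NAT64 prefix from ipv4only.arpa (RFC 7050) can validate the real A record and do the RFC 6052 synthesis locally. The AAAA answers for ipv4only.arpa and the A record below are constructed inputs; the code handles all six RFC 6052 prefix lengths, not only the well-known 64:ff9b::/96 shown on the slide, and refuses to synthesize when the discovered prefixes disagree.

```python
# Added example (not from the slides): NAT64 prefix discovery (RFC 7050) and
# local AAAA synthesis (RFC 6052) for a validating stub on an IPv6-only
# network. All inputs below are constructed.
import ipaddress

# RFC 7050 section 3: ipv4only.arpa resolves to these two well-known IPv4 addresses
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)       # RFC 6052 section 2.2 allowed Pref64::/n lengths


def embed_ipv4(pref64, v4):
    """RFC 6052 section 2.2: embed an IPv4 address in the given Pref64::/n network."""
    plen = pref64.prefixlen
    p = bytearray(pref64.network_address.packed)
    v = ipaddress.IPv4Address(v4).packed
    if plen == 96:
        p[12:16] = v
    else:
        start = plen // 8
        before = 8 - start                  # IPv4 octets that fit before octet 8 (the "u" octet)
        p[start:8] = v[:before]
        p[8] = 0                            # the "u" octet is reserved and must be zero
        p[9:9 + 4 - before] = v[before:]
    return ipaddress.IPv6Address(bytes(p))


def extract_ipv4(addr, plen):
    """Inverse of embed_ipv4; None if the address is not a valid RFC 6052 embedding."""
    b = ipaddress.IPv6Address(addr).packed
    if plen == 96:
        return ipaddress.IPv4Address(b[12:16])
    if b[8] != 0:
        return None
    start = plen // 8
    before = 8 - start
    return ipaddress.IPv4Address(b[start:8] + b[9:9 + 4 - before])


def discover_pref64(ipv4only_arpa_aaaa):
    """RFC 7050 section 3: derive Pref64::/n from synthesized AAAA answers for ipv4only.arpa.
    Returns None when no NAT64 is present or the answers disagree; the stub then
    must not synthesize anything."""
    found = set()
    for answer in ipv4only_arpa_aaaa:
        for plen in PREFIX_LENGTHS:
            if extract_ipv4(answer, plen) in WKA:
                found.add(ipaddress.IPv6Network((ipaddress.IPv6Address(answer), plen), strict=False))
                break                       # assumption: the longest matching length wins
    return found.pop() if len(found) == 1 else None


def synthesize_aaaa(validated_a_records, pref64):
    """What the stub hands the application: AAAA built from A records it validated itself."""
    return [embed_ipv4(pref64, a) for a in validated_a_records]


# Constructed inputs: a DNS64 using the well-known prefix 64:ff9b::/96 (RFC 6052 section 2.1)
IPV4ONLY_ARPA_AAAA = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
# A record for the IPv4 only web server; the stub validated its RRSIG before using it
VALIDATED_A = ["104.244.42.193"]
```

The synthesized answer is never signed, but it is derived locally from a signed A record and a prefix the stub discovered, so nothing in the DNS64 path is trusted.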
KSK Root Rollover: More roadblocks ahead
DNSSEC Roadblocks
● DNSSEC validating stubs must do RFC5011
[Diagram: Root KSK Rollover]
RFC5011 for DNSSEC Validating Stubs
• DNSSEC validating stub must do RFC5011
• In-band RFC5011 tracking with DNSSEC auth chain TLS extension
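What "must do RFC5011" amounts to in a stub, as an added example that is not part of the slides: a trust anchor state machine that accepts a new root KSK only after the add hold-down, and drops the old one only after a self-signed revocation plus the remove hold-down. Key tags (1001, 2002, 3003), dates and the observation sequence are constructed; a real stub feeds it the root DNSKEY RRset each time it refreshes it (in-band via the auth chain extension, or by querying), together with the key tags whose RRSIGs it verified.

```python
# Added example (not from the slides): a minimal RFC 5011 trust anchor tracker
# for a validating stub. Key tags, dates and the rollover timeline are
# constructed; the caller is assumed to have verified the RRSIGs it reports.
import datetime as dt

ADD_HOLD_DOWN = dt.timedelta(days=30)      # RFC 5011 section 2.4.1 default
REMOVE_HOLD_DOWN = dt.timedelta(days=30)   # RFC 5011 section 2.4.2 default


def day(n):
    """Constructed timeline: day n of the demo rollover."""
    return dt.datetime(2017, 7, 11) + dt.timedelta(days=n)


class Rfc5011Tracker:
    """Per-key states: START, ADDPEND, VALID, MISSING, REVOKED, REMOVED (RFC 5011 section 2.4)."""

    def __init__(self, initial_anchors):
        self.keys = {tag: ("VALID", None) for tag in initial_anchors}

    def state(self, tag):
        return self.keys.get(tag, ("START", None))[0]

    def trusted(self):
        return {tag for tag, (state, _) in self.keys.items() if state in ("VALID", "MISSING")}

    def observe(self, now, rrset, signers):
        """rrset: {key_tag: revoke_bit_set}; signers: key tags whose RRSIGs over it verified.
        Returns the set of trust anchors after this observation."""
        # RFC 5011 section 2.2: an RRset not signed by a currently trusted key teaches us nothing
        if not (signers & self.trusted()):
            return self.trusted()
        for tag, revoked in rrset.items():
            state, t0 = self.keys.get(tag, ("START", None))
            if state == "START" and not revoked:
                self.keys[tag] = ("ADDPEND", now)             # start the add hold-down
            elif state == "ADDPEND":
                if revoked:
                    self.keys[tag] = ("START", None)
                elif now - t0 >= ADD_HOLD_DOWN:
                    self.keys[tag] = ("VALID", None)           # hold-down survived: new anchor
            elif state in ("VALID", "MISSING"):
                # a revocation only counts if the revoked key signed the RRset itself (section 2.1)
                if revoked and tag in signers:
                    self.keys[tag] = ("REVOKED", now)
                else:
                    self.keys[tag] = ("VALID", None)
            elif state == "REVOKED" and now - t0 >= REMOVE_HOLD_DOWN:
                self.keys[tag] = ("REMOVED", None)
        for tag, (state, t0) in list(self.keys.items()):
            if tag in rrset:
                continue
            if state == "ADDPEND":
                self.keys[tag] = ("START", None)                # hold-down interrupted: start over
            elif state == "VALID":
                self.keys[tag] = ("MISSING", None)              # still trusted, just not seen
            elif state == "REVOKED" and now - t0 >= REMOVE_HOLD_DOWN:
                self.keys[tag] = ("REMOVED", None)
        return self.trusted()


def rollover_demo():
    """Constructed rollover: KSK 1001 pre-publishes KSK 2002, then revokes itself."""
    t = Rfc5011Tracker({1001})
    t.observe(day(0), {1001: False, 2002: False}, {1001})        # 2002 appears: ADDPEND
    t.observe(day(15), {1001: False, 2002: False}, {1001})       # still inside the hold-down
    t.observe(day(31), {1001: False, 2002: False}, {1001})       # 2002 becomes VALID
    t.observe(day(40), {1001: True, 2002: False}, {1001, 2002})  # 1001 self-signed revocation
    return t.observe(day(71), {2002: False}, {2002})             # 1001 REMOVED after its hold-down
```

A stub that is switched off for longer than the hold-down, or that only runs for minutes at a time, cannot complete this sequence; that is the gap the next slide's RFC 7958 bootstrap addresses.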
KSK Root Rollover for Stub Library
• A stub library for DANE
  • runs with user’s privileges
  • no system config
  • bootstrap DNSSEC capabilities
• https://tools.ietf.org/html/rfc7958
  • unbound-anchor functionality
DNSSEC Roadblocks and Standards
• DNSSEC stubs capability requirements

Capability                                 Standard
DNSSEC validation                          (various)
DNSSEC roadblock avoidance                 RFC 8027
IPv6 prefix discovery                      RFC 7050
IPv6 address synthesis                     RFC 6147
Automated trust anchor updates             RFC 5011
Automated initial trust anchor retrieval   RFC 7958
Living on the Edge: “Final Thoughts”
Wrapping Up
• Stub resolver/library experience complex e2e-ness
  • at the edge of the network many kinds of roadblocks/brokenness
• DNS-based security from the ground up
  • bootstraps with the stub
• Closing the gap in the last mile with ongoing work
  • overview of RFCs and drafts
  • most of discussed work is implemented in getdns and its stub resolver Stubby
• DNSSEC Authentication Chain Extension
  • https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension