SlideShare a Scribd company logo

DNSSEC: What a Registrar Needs to Know

L
laurenrprice

DNSSEC Industry Coalition Webinar - DNSSEC - What a Registar Needs to Know

1 of 39
Download to read offline
DNSSEC Industry Coalition Webinar Series Brought to you by .ORG, The Public Interest Registry and Afilias
 Lauren Price, DNSSEC Industry Coalition Chair ◦ Sr. Product Marketing Manager, .ORG The Public Interest Registry ◦ lprice@pir.org  Jim Galvin, Afilias ◦ Director, Strategic Relationships & Technical Standards ◦ jgalvin@afilias.info  Sadik Chandiwala, Afilias ◦ Technical Account Manager ◦ sadik@ca.afilias.info 2
 The Vulnerability of DNS  Quick Intro to DNSSEC  PIR and DNSSEC Timeline  Friends and Family Program  Some DNSSEC Terminology  OT&E Functionality and Changes ◦ EPP ◦ Etc.  Resources  Questions
 When you visit a web site, send an email, or download software, can you be sure you are communicating with the server that you think you are?  The answer is ‘no’, at least not with certainty.
 DNSSEC (short for Domain Name System Security Extensions) adds security to the Domain Name System.  DNSSEC is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
 Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without question.  If a malicious system were to send back an incorrect response, the resolver would use this address until its cache expired.  This is bad enough if a single user's computer gets this bad data, but it is much worse if it's another name server that answers queries for an ISP – affecting thousands of users.
 It provides proof that DNS data has not been modified in transit to the end-user  It does this by providing additional information, something like a “seal of origin”, that can be verified as being correct or not.  It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
 Each piece of a domain’s DNS information has a digital signature attached to it.  When a user enters the domain in a browser, the resolver verifies the signature.  If it does not match, the resolver discards the response and waits for another.  Only a response with a verified signature will be accepted by the resolver  The description above is a common scenario. Please note that different resolvers may take different actions ** Note: DNSSEC only adds signatures to DNS data. It does not encrypt anything. It has no effect on increasing the privacy of the DNS, and information in the DNS is still public information.
End User Benefits  Ensures you are communicating to the correct website  End Users that are not DNSSEC aware will not see any adverse effect. Registrant Benefits  Mitigates the risk of possible fraud  Greater protection of brand ◦ Significantly decreases the threat of domain hijacking
Registrar Benefits  Ability to meet Registrant demands for increase security of their domain  Ability to continue to sell domains that are not secured by DNSSEC for those registrants who are not interested.  Complying with new industry standards Registry Benefits  Meeting new industry standards  Ability to meet Registrar demands for increase security of their portfolio of domains
 Top five perceptions of the .ORG Brand* ◦ Informative ◦ Well-Intentioned ◦ Trustworthy ◦ Valuable Information ◦ Reliable We expect to keep it that way! * Source: e5 Marketing Survey of over 10,000 respondents in an electronic form, November 2008 12
 .ORG zone signed June 2, 2009  Registrars can participate in the testing phase  Registrars are encouraged to test in OTE  A certification test will be required  2 registrars have passed their certification test to date  We have selected small set of domains and have manually inserted the DS records at the Registry  Successful scheduled Key Rollovers
 Additional mandatory .ORG DNSSEC OT&E Test required  Registrars must pass the OT&E Test to become DNSSEC Aware  PIR will enable DNSSEC functionality for the Registrar after successful completion of the OT&E test.
 We expect to be done with our internal testing by Q409  Estimated full production timeframe first half of 2010 meaning registrars can submit live delegations
 A DNS resolver is the program on a user’s computer that sends the query to the DNS.  Once a response is received, the resolver returns the response back to the end user’s application. domain.org? 192.0.5.4 User’s PC Resolver
 A key pair contains two digital keys — a private key (held only by the .ORG registry) and a public key (distributed to the public).  The .ORG registry uses the .ORG private key pair to sign the zone.  End users' validators (or the validators at their ISPs) use the .ORG public key to validate the signature once they've asked for it.
If I trust a public key from someone, I can use that key to verify the signature … and authenticate the source  Make sure the root zone key can be trusted ◦ Pointers in the root zone point to lower zones (org/com/info/de etc) ◦ Each pointer is validated with the previous validated zone key  When DNSSEC is fully deployed, only the key for the root zone is needed to validate all the DNSSEC keys on the Internet
Root Servers .org authoritative NS Local Cache Recursive DNS Server Local cache domain.org authoritative NS User’s PC Resolver Confidential – Copyright 2008 Afilias Limited
Root Servers DNSSEC DNSSEC .ORG authoritative NS Recursive DNS Server DNSSEC Local cache domain.ORG authoritative NS User’s PC Resolver Confidential – Copyright 2008 Afilias Limited
 A key rollover will occur when the .ORG registry needs to change its side of a key pair.  This means that the entire pair needs to be changed ◦ The .ORG zone will need to be re-signed with a new private key AND ◦ The public will need to update their validating resolvers with the new public portion of the .ORG zone key.
PIR will be required to do Key Rollovers on a regular basis: 1. If one of the .ORG private keys were compromised (i.e., stolen) and had to be immediately revoked. 2. For prevention of compromise (see next question for further information), where a key rollover would be scheduled at regular intervals.
 Digital signatures are not secure all of the time. They are subject to cryptanalysis.  It is possible for an attacker to learn the private key in a key pair even though that key has never been disclosed, either through "brute force" or other types of attacks.  Since every attack requires time to complete, periodically changing the key decreases the length of time an attacker has to attempt the compromise.
What would happen if end users do not update their validating resolvers with the new .ORG zone key?  Once the old key is purged, domains in the .ORG zone that were signed would no longer resolve for those people who did not use the new .ORG key.  It would not affect people that are not using DNSSEC – they would continue to see the domain name.
 A key rollover will be announced on the PIR Web site prior to the scheduled event  Anyone using DNSSEC will have to watch for these announcements, specially ISPs, registrars, and people using DNSSEC in applications.
 Changes have been made to support the DNS protocol.  Built New Registrar Tool Kit for DNSSEC ◦ Adds DNSSEC EPP transactions (RFC 4310)  EPP server has been modified for DNSSEC  Adds DNSSEC EPP transactions (as per RFC 4310)  Changes to the Registry Database to now Store DS Information DNSSEC
 Covered in the ORG manual: Extensible Provisioning Protocol (EPP) v1.0 ORG DNSSEC Registrar Acceptance Criteria  Registrars must test the basic operations that their client application can perform in the ORG DNSSEC registry environment including: ◦ Create Domain ◦ Create Domain with Optional Key Data ◦ Query Domain ◦ Query Domain with Optional Key Data ◦ Update Domain – Adding DS Data ◦ Update Domain – Changing DS Data ◦ Update Domain – Change to Include Optional Data ◦ Update Domain – Removing DS Data
DNSSEC adds four new resource record types: 1. Resource Record Signature (RRSIG)  Signature over RRset made using private key 2. DNS Public Key (DNSKEY)  Public key, needed for verifying a RRSIG 3. Delegation Signer (DS)  ‘Pointer’ for building chains of authentication 4. Next Secure (NSEC, NSEC3)  As an alternative to NSEC, NSEC3 (defined in RFC 5155) can prevent walking of DNSSEC zones and permits optional gradual expansion of delegation-centric zones.  NSEC: Indicates which name is the next one in the zone and which type-codes are available for the current name
The DNSSEC Data Fields Keytag • Contains the key tag value of the DNSKEY RR that validates this signature, in network byte order • Provides a mechanism for selecting a public key efficiently. Algorithm • Identifies the public key's cryptographic algorithm and determines the format of the Public Key field Digest Type • Identifies the algorithm used to construct the digest Digest • The DS record refers to a DNSKEY RR by including a digest of that DNSKEY RR. Maximum • Specifies a validity period for the signature Signature Life Flags • Identifies whether or not the DNSKEY record holds a DNS zone key Protocol • The Protocol Field MUST have value 3, and the DNSKEY RR MUST be treated as invalid during signature verification if it is found to be some value other tan 3. Confidential – Copyright Public Key • Holds the public key material 2005 Afilias Limited
The following EPP commands will now contain the optional DNSSEC data: 1. Session Mgmt. 2. Object Query 3. Object <login> <check> Transform <logout> <info> <create> <poll > <delete> <transfer> <renew> <transfer> <update>
 Create Domain is changed because a DNSSEC secure domain must be created with a DS record attached to it  Registrar needs to be accredited for creating domain names with DS records  If they are not, the system will reject the domain create command and throw a validation error – You are not authorized to perform this action.
 If the maxSigLife is not entered for a <create> domain name with DS records, the system will set it to the default value (40 days)  If the user provides empty tags for the following parameters, the domain will not be created and an error message will be returned: ◦ secDNS:keyTag ◦ secDNS:alg ◦ secDNS:digestType
 <update> domain command is now changed as DS information can be added or changed for each domain  If the Registrar is not accredited for creating domain names with DS records and attempts to add DS data to an existing domain name, the system will reject the domain update command and return an error  If the domain name already has 10 DS records and the sponsoring Registrar attempts to add another, the system will reject the domain update command and return an error per EPP RFC 3730.  If the maxSigLife is not entered for a domain name with DS records, the system will set it to the default value (40 days)
The following fields will be appended to the WHOIS output for a domain name with DS records – ◦ DNSSEC (Can be Signed or Unsigned) – To denote if the domain name is digitally signed. ◦ DS Created – Time stamp that the record was created in UTC ◦ DS Maximum Signature Life - Maximum Signature Life associated with this DS record
 If a domain name has more than one DS record associated with it, the DS record information for all the records will be displayed one after the other as displayed in the screenshot (above) If a domain name does not have any DS records associated with it, the DNSSEC value displayed will be Unsigned
 .ORG OT&E Test Criteria  General FAQ  ORG manual: Extensible Provisioning Protocol (EPP) v1.0 ORG DNSSEC Registrar Acceptance Criteria  Registrar Tool Kit (RTK – Addon) including the DNSSEC extensions is available for download from: ◦ https://registrars.pir.org/registrar_relations/dns_ security ◦ www.sourceforge.net
The Domain Name System Security Extensions (DNSSEC are described in these IETF documents: ◦ RFC 4033: DNS Security Introduction and Requirements ◦ RFC 4034: Resource Records for the DNS Security Extensions ◦ RFC 4035: Protocol Modifications for the DNS Security Extensions .ORG website ◦ http://www.pir.org/dnssec DNSSEC related information website www.dnssec-deployment.org www.dnssec.net
Questions?

Recommended

DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasORG, The Public Interest Registry
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
Hands-on getdns Tutorial
Hands-on getdns TutorialHands-on getdns Tutorial
Hands-on getdns TutorialShumon Huque
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 

Recommended

DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasORG, The Public Interest Registry
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
Hands-on getdns Tutorial
Hands-on getdns TutorialHands-on getdns Tutorial
Hands-on getdns TutorialShumon Huque
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSASrikrupa Srivatsan
 
Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Priyanka Aash
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSKAPNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECDeploy360 Programme (Internet Society)
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningChristopher Grayson
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSECCarlos Martinez Cagnazzo
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliMarta Pacyga
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White PaperRyan Ellingson
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
 
ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? Deploy360 Programme (Internet Society)
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRSTVictor Ramiro
 

More Related Content

What's hot

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSASrikrupa Srivatsan
 
Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Priyanka Aash
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSKAPNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliMarta Pacyga
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
 

What's hot (20)

IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentation
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSA
 
Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?Early Detection of Malicious Activity—How Well Do You Know Your DNS?
Early Detection of Malicious Activity—How Well Do You Know Your DNS?
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defs
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSK
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White Paper
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 

Viewers also liked

AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECChin Wan Lim
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 

Viewers also liked (9)

ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC?
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRST
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
 
MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at Penn
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 

Similar to DNSSEC: What a Registrar Needs to Know

Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnErol Dizdar
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
DNSSEC in Windows DNS Server
DNSSEC in Windows DNS ServerDNSSEC in Windows DNS Server
DNSSEC in Windows DNS ServerKumar Ashutosh
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 
Content Navigation
Content NavigationContent Navigation
Content Navigationsanjoysanyal
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
Top 10 interview question and answers for mcsa
Top 10 interview question and answers for mcsaTop 10 interview question and answers for mcsa
Top 10 interview question and answers for mcsahopesuresh
 
Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Kumar Ashutosh
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
How to configure dns server(2)
How to configure dns server(2)How to configure dns server(2)
How to configure dns server(2)Amandeep Kaur
 

Similar to DNSSEC: What a Registrar Needs to Know (20)

Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 En
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons Learned
 
DNSSEC in Windows DNS Server
DNSSEC in Windows DNS ServerDNSSEC in Windows DNS Server
DNSSEC in Windows DNS Server
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
 
ION Djibouti: KENIC DNSSEC Case Study
ION Djibouti: KENIC DNSSEC Case StudyION Djibouti: KENIC DNSSEC Case Study
ION Djibouti: KENIC DNSSEC Case Study
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
Top 10 interview question and answers for mcsa
Top 10 interview question and answers for mcsaTop 10 interview question and answers for mcsa
Top 10 interview question and answers for mcsa
 
Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
How to configure dns server(2)
How to configure dns server(2)How to configure dns server(2)
How to configure dns server(2)
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
 

DNSSEC: What a Registrar Needs to Know

  • 1. DNSSEC Industry Coalition Webinar Series Brought to you by .ORG, The Public Interest Registry and Afilias
  • 2. Lauren Price, DNSSEC Industry Coalition Chair ◦ Sr. Product Marketing Manager, .ORG The Public Interest Registry ◦ lprice@pir.org  Jim Galvin, Afilias ◦ Director, Strategic Relationships & Technical Standards ◦ jgalvin@afilias.info  Sadik Chandiwala, Afilias ◦ Technical Account Manager ◦ sadik@ca.afilias.info 2
  • 3. The Vulnerability of DNS  Quick Intro to DNSSEC  PIR and DNSSEC Timeline  Friends and Family Program  Some DNSSEC Terminology  OT&E Functionality and Changes ◦ EPP ◦ Etc.  Resources  Questions
  • 4. When you visit a web site, send an email, or download software, can you be sure you are communicating with the server that you think you are?  The answer is ‘no’, at least not with certainty.
  • 5. DNSSEC (short for Domain Name System Security Extensions) adds security to the Domain Name System.  DNSSEC is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning.
  • 6. Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without question.  If a malicious system were to send back an incorrect response, the resolver would use this address until its cache expired.  This is bad enough if a single user's computer gets this bad data, but it is much worse if it's another name server that answers queries for an ISP – affecting thousands of users.
  • 7. It provides proof that DNS data has not been modified in transit to the end-user  It does this by providing additional information, something like a “seal of origin”, that can be verified as being correct or not.  It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
  • 8. Each piece of a domain’s DNS information has a digital signature attached to it.  When a user enters the domain in a browser, the resolver verifies the signature.  If it does not match, the resolver discards the response and waits for another.  Only a response with a verified signature will be accepted by the resolver  The description above is a common scenario. Please note that different resolvers may take different actions ** Note: DNSSEC only adds signatures to DNS data. It does not encrypt anything. It has no effect on increasing the privacy of the DNS, and information in the DNS is still public information.
  • 9. End User Benefits  Ensures you are communicating to the correct website  End Users that are not DNSSEC aware will not see any adverse effect. Registrant Benefits  Mitigates the risk of possible fraud  Greater protection of brand ◦ Significantly decreases the threat of domain hijacking
  • 10. Registrar Benefits  Ability to meet Registrant demands for increase security of their domain  Ability to continue to sell domains that are not secured by DNSSEC for those registrants who are not interested.  Complying with new industry standards Registry Benefits  Meeting new industry standards  Ability to meet Registrar demands for increase security of their portfolio of domains
  • 11.
  • 12. Top five perceptions of the .ORG Brand* ◦ Informative ◦ Well-Intentioned ◦ Trustworthy ◦ Valuable Information ◦ Reliable We expect to keep it that way! * Source: e5 Marketing Survey of over 10,000 respondents in an electronic form, November 2008 12
  • 13. .ORG zone signed June 2, 2009  Registrars can participate in the testing phase  Registrars are encouraged to test in OTE  A certification test will be required  2 registrars have passed their certification test to date  We have selected small set of domains and have manually inserted the DS records at the Registry  Successful scheduled Key Rollovers
  • 14. Additional mandatory .ORG DNSSEC OT&E Test required  Registrars must pass the OT&E Test to become DNSSEC Aware  PIR will enable DNSSEC functionality for the Registrar after successful completion of the OT&E test.
  • 15. We expect to be done with our internal testing by Q409  Estimated full production timeframe first half of 2010 meaning registrars can submit live delegations
  • 16.
  • 17. A DNS resolver is the program on a user’s computer that sends the query to the DNS.  Once a response is received, the resolver returns the response back to the end user’s application. domain.org? 192.0.5.4 User’s PC Resolver
  • 18. A key pair contains two digital keys — a private key (held only by the .ORG registry) and a public key (distributed to the public).  The .ORG registry uses the .ORG private key pair to sign the zone.  End users' validators (or the validators at their ISPs) use the .ORG public key to validate the signature once they've asked for it.
  • 19. If I trust a public key from someone, I can use that key to verify the signature … and authenticate the source  Make sure the root zone key can be trusted ◦ Pointers in the root zone point to lower zones (org/com/info/de etc) ◦ Each pointer is validated with the previous validated zone key  When DNSSEC is fully deployed, only the key for the root zone is needed to validate all the DNSSEC keys on the Internet
  • 20. Root Servers .org authoritative NS Local Cache Recursive DNS Server Local cache domain.org authoritative NS User’s PC Resolver Confidential – Copyright 2008 Afilias Limited
  • 21. Root Servers DNSSEC DNSSEC .ORG authoritative NS Recursive DNS Server DNSSEC Local cache domain.ORG authoritative NS User’s PC Resolver Confidential – Copyright 2008 Afilias Limited
  • 22. A key rollover will occur when the .ORG registry needs to change its side of a key pair.  This means that the entire pair needs to be changed ◦ The .ORG zone will need to be re-signed with a new private key AND ◦ The public will need to update their validating resolvers with the new public portion of the .ORG zone key.
  • 23. PIR will be required to do Key Rollovers on a regular basis: 1. If one of the .ORG private keys were compromised (i.e., stolen) and had to be immediately revoked. 2. For prevention of compromise (see next question for further information), where a key rollover would be scheduled at regular intervals.
  • 24. Digital signatures are not secure all of the time. They are subject to cryptanalysis.  It is possible for an attacker to learn the private key in a key pair even though that key has never been disclosed, either through "brute force" or other types of attacks.  Since every attack requires time to complete, periodically changing the key decreases the length of time an attacker has to attempt the compromise.
  • 25. What would happen if end users do not update their validating resolvers with the new .ORG zone key?  Once the old key is purged, domains in the .ORG zone that were signed would no longer resolve for those people who did not use the new .ORG key.  It would not affect people that are not using DNSSEC – they would continue to see the domain name.
  • 26. A key rollover will be announced on the PIR Web site prior to the scheduled event  Anyone using DNSSEC will have to watch for these announcements, specially ISPs, registrars, and people using DNSSEC in applications.
  • 27. Changes have been made to support the DNS protocol.  Built New Registrar Tool Kit for DNSSEC ◦ Adds DNSSEC EPP transactions (RFC 4310)  EPP server has been modified for DNSSEC  Adds DNSSEC EPP transactions (as per RFC 4310)  Changes to the Registry Database to now Store DS Information DNSSEC
  • 28. Covered in the ORG manual: Extensible Provisioning Protocol (EPP) v1.0 ORG DNSSEC Registrar Acceptance Criteria  Registrars must test the basic operations that their client application can perform in the ORG DNSSEC registry environment including: ◦ Create Domain ◦ Create Domain with Optional Key Data ◦ Query Domain ◦ Query Domain with Optional Key Data ◦ Update Domain – Adding DS Data ◦ Update Domain – Changing DS Data ◦ Update Domain – Change to Include Optional Data ◦ Update Domain – Removing DS Data
  • 29. DNSSEC adds four new resource record types: 1. Resource Record Signature (RRSIG)  Signature over RRset made using private key 2. DNS Public Key (DNSKEY)  Public key, needed for verifying a RRSIG 3. Delegation Signer (DS)  ‘Pointer’ for building chains of authentication 4. Next Secure (NSEC, NSEC3)  As an alternative to NSEC, NSEC3 (defined in RFC 5155) can prevent walking of DNSSEC zones and permits optional gradual expansion of delegation-centric zones.  NSEC: Indicates which name is the next one in the zone and which type-codes are available for the current name
  • 30. The DNSSEC Data Fields Keytag • Contains the key tag value of the DNSKEY RR that validates this signature, in network byte order • Provides a mechanism for selecting a public key efficiently. Algorithm • Identifies the public key's cryptographic algorithm and determines the format of the Public Key field Digest Type • Identifies the algorithm used to construct the digest Digest • The DS record refers to a DNSKEY RR by including a digest of that DNSKEY RR. Maximum • Specifies a validity period for the signature Signature Life Flags • Identifies whether or not the DNSKEY record holds a DNS zone key Protocol • The Protocol Field MUST have value 3, and the DNSKEY RR MUST be treated as invalid during signature verification if it is found to be some value other tan 3. Confidential – Copyright Public Key • Holds the public key material 2005 Afilias Limited
  • 31. The following EPP commands will now contain the optional DNSSEC data: 1. Session Mgmt. 2. Object Query 3. Object <login> <check> Transform <logout> <info> <create> <poll > <delete> <transfer> <renew> <transfer> <update>
  • 32. Create Domain is changed because a DNSSEC secure domain must be created with a DS record attached to it  Registrar needs to be accredited for creating domain names with DS records  If they are not, the system will reject the domain create command and throw a validation error – You are not authorized to perform this action.
  • 33. If the maxSigLife is not entered for a <create> domain name with DS records, the system will set it to the default value (40 days)  If the user provides empty tags for the following parameters, the domain will not be created and an error message will be returned: ◦ secDNS:keyTag ◦ secDNS:alg ◦ secDNS:digestType
  • 34. <update> domain command is now changed as DS information can be added or changed for each domain  If the Registrar is not accredited for creating domain names with DS records and attempts to add DS data to an existing domain name, the system will reject the domain update command and return an error  If the domain name already has 10 DS records and the sponsoring Registrar attempts to add another, the system will reject the domain update command and return an error per EPP RFC 3730.  If the maxSigLife is not entered for a domain name with DS records, the system will set it to the default value (40 days)
  • 35. The following fields will be appended to the WHOIS output for a domain name with DS records – ◦ DNSSEC (Can be Signed or Unsigned) – To denote if the domain name is digitally signed. ◦ DS Created – Time stamp that the record was created in UTC ◦ DS Maximum Signature Life - Maximum Signature Life associated with this DS record
  • 36. If a domain name has more than one DS record associated with it, the DS record information for all the records will be displayed one after the other as displayed in the screenshot (above) If a domain name does not have any DS records associated with it, the DNSSEC value displayed will be Unsigned
  • 37. .ORG OT&E Test Criteria  General FAQ  ORG manual: Extensible Provisioning Protocol (EPP) v1.0 ORG DNSSEC Registrar Acceptance Criteria  Registrar Tool Kit (RTK – Addon) including the DNSSEC extensions is available for download from: ◦ https://registrars.pir.org/registrar_relations/dns_ security ◦ www.sourceforge.net
  • 38. The Domain Name System Security Extensions (DNSSEC are described in these IETF documents: ◦ RFC 4033: DNS Security Introduction and Requirements ◦ RFC 4034: Resource Records for the DNS Security Extensions ◦ RFC 4035: Protocol Modifications for the DNS Security Extensions .ORG website ◦ http://www.pir.org/dnssec DNSSEC related information website www.dnssec-deployment.org www.dnssec.net