ICANN Talk - State of Global DNSSEC
Transcription
DNSSEC Update
SANOG27, Kathmandu, Nepal, January 2016
Richard.Lamb@icann.org

DNS Basics
• DNS converts names (www.nepalbank.com.np) to numbers (198.1.112.132)
• ..to identify services such as www and e-mail
• ..that identify and link customers to business and vice versa

DNS is a part of all IT ecosystems (much more than one expects)
[Slide graphic: things that hang off "mydomainname.com": +1-202-709-5262 (VoIP), US NSTIC effort, lamb@xtcn.com, OECS ID effort, Smart Electrical Grid]

Where DNSSEC fits in
• CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks
• DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents
• With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and vice versa)

The Bad: DNSChanger - 'Biggest Cybercriminal Takedown in History' – 4M machines, 100 countries, $14M
Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
End-2-end DNSSEC validation would have avoided the problems

The Internet's Phone Book - Domain Name System (DNS)
[Slide diagram: the user asks the ISP's DNS resolver "www.majorbank.se=?"; the resolver asks the DNS server, which answers www.majorbank.se = 1.2.3.4; the user gets the login page from the web server at 1.2.3.4, sends username / password and receives account data.]
DNS Hierarchy: root → se → majorbank.se → www.majorbank.se (Majorbank is the registrant); com sits beside se under the root.

Caching Responses for Efficiency
[Slide diagram: same flow, but the DNS resolver now caches www.majorbank.se = 1.2.3.4 and answers later queries from the cache.]

The Problem: DNS Cache Poisoning Attack
[Slide diagram: the attacker's forged answer www.majorbank.se = 5.6.7.8 reaches the DNS resolver ahead of the real one; the user is sent to the attacker's web server at 5.6.7.8, enters username / password, sees an error, and the credentials land in the attacker's password database.]
Argghh! Now all ISP customers get sent to attacker.
[Slide diagram: the poisoned resolver keeps answering 5.6.7.8 to every customer from its cache.]

Securing The Phone Book - DNS Security Extensions (DNSSEC)
[Slide diagram: the DNS resolver with DNSSEC checks each answer; the attacker's record www.majorbank.se = 5.6.7.8 does not validate and is dropped, the signed answer www.majorbank.se = 1.2.3.4 from the DNS server with DNSSEC is accepted, and the user reaches the real web server at 1.2.3.4.]

Resolver only caches validated records
[Slide diagram: the DNS resolver with DNSSEC stores www.majorbank.se = 1.2.3.4 in its cache only after validation.]

Securing it
• DNS converts names (www.bncr.fi.cr) to numbers (201.220.29.26)
• Make sure we get the right numbers (DNSSEC)
• Verify the identity and encrypt data

The Bad: Other DNS hijacks*
• 25 Dec 2010 - Russian e-Payment Giant ChronoPay Hacked
• 18 Dec 2009 – Twitter – "Iranian cyber army"
• 13 Aug 2010 - Chinese gmail phishing attack
• 25 Dec 2010 Tunisia DNS Hijack
• 2009-2012 google.*
  – April 28 2009 Google Puerto Rico sites redirected in DNS attack
  – May 9 2009 Morocco temporarily seize Google domain name
• 9 Sep 2011 - Diginotar certificate compromise for Iranian users
• SSL/TLS doesn't tell you if you've been sent to the correct site; it only tells you if the DNS name matches the name in the certificate. Unfortunately, the majority of Web site certificates rely on DNS to validate identity.
• DNS is relied on for unexpected things though insecure.
*A Brief History of DNS Hijacking - Google http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf

The Business Case for DNSSEC
• Cybersecurity is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.
• DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).
• DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.
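As an added illustration of the cache-poisoning and "resolver only caches validated records" slides (constructed example, not part of the original deck), the following Python models a legacy resolver next to a validating one. Textbook RSA on small primes stands in for DNSSEC's real RRSIG algorithms, the validating resolver is handed majorbank.se's DNSKEY directly as a trust anchor instead of walking the DS chain from the root, and all names, addresses and keys are constructed.

```python
"""Legacy vs. validating resolver (constructed example, not from the deck).

Textbook RSA on small primes stands in for DNSSEC's real RRSIG algorithms;
the zone's DNSKEY is handed to the validating resolver as a trust anchor
instead of being reached through the DS chain from the root."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def toy_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)).  Toy-sized primes: illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rrset_digest(rrset, n):
    """Hash the RRset in canonical (sorted) order so signer and verifier agree."""
    canonical = "\n".join(sorted(rrset)).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % n


def sign_rrset(rrset, private):
    """Zone operator side: produce the RRSIG covering an RRset."""
    n, d = private
    return pow(rrset_digest(rrset, n), d, n)


def verify_rrset(rrset, rrsig, public):
    """Resolver side: check the RRSIG against the DNSKEY it trusts."""
    n, e = public
    return pow(rrsig, e, n) == rrset_digest(rrset, n)


@dataclass
class Answer:
    owner: str                 # e.g. "www.majorbank.se."
    rrset: List[str]           # records returned for that owner
    rrsig: Optional[int]       # accompanying RRSIG, None if the answer is unsigned


class LegacyResolver:
    """Pre-DNSSEC behaviour: the first answer to arrive is cached, no questions asked."""
    def __init__(self):
        self.cache = {}

    def accept(self, ans):
        self.cache[ans.owner] = ans.rrset
        return True


class ValidatingResolver:
    """Only records whose RRSIG verifies under a trusted DNSKEY enter the cache."""
    def __init__(self, trust_anchors):
        self.trust_anchors = trust_anchors   # zone name -> public key (DNSKEY)
        self.cache = {}

    def key_for(self, owner):
        # Walk up the name: www.majorbank.se. -> majorbank.se. -> se. -> .
        labels = owner.rstrip(".").split(".")
        for i in range(len(labels) + 1):
            zone = ".".join(labels[i:]) + "."
            if zone in self.trust_anchors:
                return self.trust_anchors[zone]
        return None

    def accept(self, ans):
        key = self.key_for(ans.owner)
        if key is None or ans.rrsig is None or not verify_rrset(ans.rrset, ans.rrsig, key):
            return False          # "does not validate - drop it": never cached
        self.cache[ans.owner] = ans.rrset
        return True


def demo():
    """Replay the slides: one genuine answer and three forged variants against both resolvers."""
    zone_pub, zone_priv = toy_keypair(1009, 1013)           # majorbank.se's key pair (constructed)
    _attacker_pub, attacker_priv = toy_keypair(1019, 1021)  # attacker's own, unrelated key
    genuine = ["www.majorbank.se. 3600 IN A 1.2.3.4"]
    forged = ["www.majorbank.se. 3600 IN A 5.6.7.8"]
    owner = "www.majorbank.se."
    answers = {
        "genuine": Answer(owner, genuine, sign_rrset(genuine, zone_priv)),
        "forged_unsigned": Answer(owner, forged, None),
        "forged_attacker_key": Answer(owner, forged, sign_rrset(forged, attacker_priv)),
        "forged_reused_rrsig": Answer(owner, forged, sign_rrset(genuine, zone_priv)),
    }
    legacy = LegacyResolver()
    validating = ValidatingResolver({"majorbank.se.": zone_pub})
    results = {}
    for label, ans in answers.items():
        results[label] = {"legacy": legacy.accept(ans), "validating": validating.accept(ans)}
    results["legacy_cache"] = legacy.cache.get(owner)
    results["validating_cache"] = validating.cache.get(owner)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The legacy resolver ends the run with 5.6.7.8 in its cache because the last forgery overwrote the real record; the validating resolver ends with 1.2.3.4 because nothing without a verifying RRSIG was ever stored. The three forgeries cover the cases a validator must reject: no signature at all, a signature made with a key the resolver does not trust, and a genuine signature re-attached to different data.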
DNSSEC interest from governments
• Sweden, Brazil, Netherlands, Czech Republic and others encourage DNSSEC deployment to varying degrees
• Mar 2012 - AT&T, CenturyLink (Qwest), Comcast, Cox, Sprint, Time Warner Cable, and Verizon have pledged to comply and abide by US FCC[1] recommendations that include DNSSEC.. "A report by Gartner found 3.6 million Americans getting redirected to bogus websites in a single year, costing them $3.2 billion." [2]
• 2008 US .gov mandate. 85% operational. [3]
[1] FCC = Federal Communications Commission = US communications Ministry
[2] http://securitywatch.pcmag.com/security/295722-isps-agree-to-fcc-rules-on-anti-botnet-dnssec-internet-routing
[3] http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf
http://fedv6-deployment.antd.nist.gov/snap-all.html

[Slide chart: DNSSEC validation measurement for NL; "Thank you Geoff Huston"]

DNSSEC - Where we are
• Deployed on 1034/1205 TLDs (23 Jan 2016: .az .in .af .tm .kg .cn .th .id .lk .se .de .ru .рф .com .uk .nl .fr .in .jp .us .my .مليسيا .asia .tw .台灣 .kr .한국 .net .org .post, + new TLDs, .ibm .berlin)
• Root signed** and audited
• >85% of domain names could have DNSSEC
• Required in new gTLDs. Basic support by ICANN registrars
• Growing ISP support* - ~16% end users "validate".
• 3rd party signing solutions***
• Growing S/W H/W support: NLNetLabs, ISC, Microsoft, PowerDNS, Secure64…? openssl, postfix, XMPP, mozilla: early DANE support
• IETF standard on DNSSEC TLS certificates (RFC 6698) and others
• Growing support from major players… (Apple iPhone/iPad, Google 8.8.8.8, hosting co Cloudflare DNSSEC by default, German email providers…)
Stats: https://rick.eng.br/dnssecstat/
*COMCAST /w 20M and others; most ISPs in SE, CZ.
**Int'l bottom-up trust model /w 21 TCRs from: TT, BF, RU, CN, US, SE, NL, UG, BR, Benin, PT, NP, Mauritius, CZ, CA, JP, UK, NZ…
***Partial list of registrars: https://www.icann.org/en/news/in-focus/dnssec/deployment

But…
• But deployed on only ~2% of 2nd level domains. Many have plans. Few have taken the step (e.g., yandex.com, paypal.com*, comcast.com).
• DNSChanger and other attacks highlight today's need. (e.g. end-2-end DNSSEC validation would have avoided the problems)
• Innovative security solutions (e.g., DANE) highlight tomorrow's value.
*http://fedv6-deployment.antd.nist.gov/cgi-bin/generate-com
http://www.thesecuritypractice.com/the_security_practice/2011/12/all-paypal-domains-are-now-using-dnssec.html
http://www.nacion.com/2012-03-15/Tecnologia/Sitios-web-de-bancos-ticos-podran-ser-mas-seguros.aspx

DNSSEC: So what's the problem?
• Not enough IT departments know about it or are too busy putting out other security fires.
• When they do look into it they hear old stories of FUD and lack of turnkey solutions and CDN support.
• Registrars*/CDNs/DNS providers see no demand leading to "chicken-and-egg" problems.
*but required by new ICANN registrar agreement

Who Can Implement DNSSEC
• Enterprises – Sign their zones and validate lookups
• TLD Operators – Sign the TLD
• Domain Name holders – Sign their zones
• Internet Service Providers – validate DNS lookups
• Hosting Provider – offer signing services to customers
• Registrars – accept DNSSEC records (e.g., DS)

What you can do
• For Companies:
  – Sign your corporate domain names
  – Just turn on validation on corporate DNS resolvers
• For Users:
  – Ask ISP to turn on validation on their DNS resolvers
• For All:
  – Take advantage of ICANN, ISOC and other organizations offering DNSSEC education and training

DNSSEC: A Global Platform for Innovation
or.. I $mell opportunity!

Game changing Internet Core Infrastructure Upgrade
• "More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re-purposed in a number of different ways..." – Vint Cerf (June 2010)

For Techies and other Dreamers
Too many CAs. Which one can we trust? DNSSEC to the rescue….
CA Certificate roots ~1482 (Symantec, Thawte, Godaddy). DNSSEC root - 1
[Slide diagram: DNSSEC at the centre with spokes: Internet of Things (IoT); Content security; Commercial SSL Certificates for Web and e-mail; DANE and other yet to be discovered security innovations, enhancements, and synergies; Content security; "Free SSL" certificates for Web and e-mail and "trust agility" DANE; Cryptocurrencies and e-commerce?; Securing VoIP; Domain Names; Cross organizational and trans-national authentication and security; E-mail security S/MIME, DKIM RFC 4871; Login security SSHFP RFC 4255]
https://www.eff.org/observatory
http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/

Opportunity: New Security Solutions
• Improved Web SSL and certificates for all*
• Secure e-mail (SMTP + S/MIME) for all*
• Validated remote login SSH, IPSEC*
• Securing VoIP
• Cross organizational authentication, security
• Secured content delivery (e.g. configurations, updates, keys) – Internet of Things
• Securing Smart Grid efforts
• Increasing trust in e-commerce
• Securing cryptocurrencies and other new models
• First global FREE PKI
A good ref http://www.internetsociety.org/deploy360/dnssec/
*IETF standards complete and more currently being developed

A thought: Scalable Security for IoT
[Animated slide: DNS tree root → com, za; google.com; co.za → electric.co.za, security.co.za, iotdevices.co.za; devices named meter.rickshome.electric.co.za, aircond.rickshome.electric.co.za, door.rickshome.security.co.za, window.rickshome.security.co.za, water.rickshome.security.co.za, car.rickshome.iotdevices.co.za, thermostat.rickshome.iotdevices.co.za, refrigerator.rickshome.iotdevices.co.za]
DNS is already there. DNSSEC adds security and crosses organizational boundaries.

DNSSEC: Internet infrastructure upgrade to help address today's needs and create tomorrow's opportunity.

More Techie stuff..
Hmm… how do I trust it? (transparency transparency transparency!)
ICANN DNSSEC Deployment @ Root
• Multi-stakeholder, bottom-up trust model* /w 21 crypto officers from around the world
• Broadcast Key Ceremonies and public docs
• SysTrust audited
• FIPS 140-2 level 4 HSMs
*Managed by technical community + ICANN
[Slide: Root DPS - DNSSEC Practice Statement]

ICANN DNSSEC Deployment @ Root (and elsewhere)
FIPS 140-2 level 4. Next.. ISO 19790. DCID 6/9 "SCIF" spec
http://www.flickr.com/photos/kjd/sets/72157624302045698/
Photos: Kim Davies

DNSSEC: Internet infrastructure upgrade to help address today's needs and create tomorrow's opportunity.

Tech Details of a DNSSEC Lookup
The Internet's Phone Book - Domain Name System (DNS + DNSSEC)
[Animated slide diagram: the user asks "www.bank.se=?"; the DNS resolver (ISP / Hot Spot / Enterprise / End Node) asks the bank.se (Registrant) DNS server both "www.bank.se=?" and "bank.se DNSKEY + RRSIG=?", receiving www.bank.se = 1.2.3.4 with RRSIG=455536 and the bank.se DNSKEY with RRSIG=636345; the chain continues through the .se (Registry) DNS server up to the root (.). Once validated, the user gets the login page from the web server at 1.2.3.4, sends username / password and receives account data.]
Details – yuk!
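The lookup slide above walks the chain from the root through the .se registry to bank.se, and the earlier "Who Can Implement DNSSEC" slide notes that registrars must accept DS records. The link between each parent and child in that chain is the DS record: a digest of the child's DNSKEY published by the parent. As an added example (not from the deck), the Python below computes the key tag and DS for a DNSKEY following RFC 4034 section 5.1.4 and Appendix B, and shows the check a validator performs at each delegation. The DNSKEY used is a constructed placeholder, not any real zone's key.

```python
"""Key tag and DS record from a DNSKEY (RFC 4034 Appendix B and section 5.1.4).

Constructed example, not from the deck: the DNSKEY below is a made-up
placeholder, not a real zone's key."""
import base64
import hashlib

# DS digest type -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_dnskey(presentation):
    """Turn '257 3 8 <base64>' (the dig / zone-file form) into (flags, protocol, algorithm, key bytes)."""
    flags, protocol, algorithm, *b64 = presentation.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))


def key_tag(rdata):
    """RFC 4034 Appendix B checksum that identifies one key within a DNSKEY RRset."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Compute the DS the parent should publish: (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(ds, owner, dnskey):
    """What a validator does at each delegation: recompute DS from the child's DNSKEY and compare."""
    flags, protocol, algorithm, pubkey = dnskey
    return ds_record(owner, flags, protocol, algorithm, pubkey, ds[2]) == ds


# Constructed placeholder DNSKEY for the example zone (KSK flags 257, protocol 3, RSASHA256 = alg 8).
EXAMPLE_OWNER = "example.com."
EXAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(bytes(range(1, 33))).decode()


def demo():
    """Derive the DS for the placeholder key, then show a one-bit key change breaking the match."""
    dnskey = parse_dnskey(EXAMPLE_DNSKEY)
    ds = ds_record(EXAMPLE_OWNER, *dnskey)
    flags, protocol, algorithm, pubkey = dnskey
    tampered = (flags, protocol, algorithm, pubkey[:-1] + bytes([pubkey[-1] ^ 1]))
    return {"ds": ds,
            "genuine_ok": ds_matches(ds, EXAMPLE_OWNER, dnskey),
            "tampered_ok": ds_matches(ds, EXAMPLE_OWNER, tampered)}


if __name__ == "__main__":
    tag, alg, dtype, digest = demo()["ds"]
    print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

In practice an operator pastes the DNSKEY line returned by `dig DNSKEY <zone>` into parse_dnskey and compares the computed DS with what the parent publishes for the zone; a mismatch in a single byte, whether from a typo at the registrar or a substituted key, means the delegation will not validate.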