DNSSEC – Protecting Your Good Internet Name.


Transcript of "DNSSEC – Protecting Your Good Internet Name."

DNSSEC – Protecting Your Good Internet Name.

Professor Emeritus William J (Bill) Caelli, AO ([email protected])

SSaC Chair – Safety and Security Advisory Committee
auDa – Australian Domain Name Authority

17 May 2011, 10.50-11.20

DISCLAIMER:

The concepts and matters presented are those of the author and do not necessarily represent those of auDa, its Board or the auDa-SSaC.

The Naming of sites is a difficult matter,
It isn't just one of your holiday games;
You may think at first I'm as mad as a hatter
When I tell you, a site must have THREE DIFFERENT NAMES (at least).

(Apologies to T. S. Eliot)

Diagram labels: Domain – IP – Access / type

DNS (Domain Name System)

The base for “cloud computing” and “web services”

BUT never designed with security in mind!

Directive for ICANN SSAC – November 2001.

CONNECTION

Source: http://blog.opendns.com/

DNSSEC finally goes mainstream

1 April 2011.

For example, half the security experts quizzed in a recent survey by internet security firm IID (Internet Identity) admitted they either knew nothing about DNSSEC or only had limited familiarity with the protocol.

Source URLs: http://www.theregister.co.uk/2011/04/01/dnssec_com_goes_live/ and http://www.internetidentity.com/

.com TLD Signed (31 March 2011)

Gartner Research Director, Lawrence Orans:

"The importance of DNSSEC in solving issues of trust on the Internet has reached a tipping point with the signing of .com -- one of the most significant milestones in the history of DNSSEC to date. However, there is still more work to be done and the effective deployment of DNSSEC requires collaboration from all parties in the Internet ecosystem."

Source URL: http://www.verisigninc.com/en_US/news-events/press-room/index.xhtml

TELECOMS IN TRANSITION
FROM TELEGRAPH / PSTN (POTS)
TO TCP/IP (PACKET SWITCHING)

TRANSITIONS

PSTN:
1881 – First Telephone Exchange – New Haven, Connecticut
1891 – Strowger stepper switch (automation)
Uniselector – Cross-bar
~1972 – IST model digital exchange (Telecom Research Labs)
1979 – Digital exchanges

PACKET:
1969 – IMP (BBN-ARPA)
1970 – Mark 1 (UK – NPL – Davies)
~1974 – Xerox Parc universal packet switch
1980s – AustPAC (Telecom/Telstra) – X.25
1984 – Cisco

Crossbar Switch – Two-motion Switch

• Trusted (understood?) switching
• Call tracing
• Emergency services

NC400 crossbar exchange '60 Unit Trouble Recorder'. Fault records and '111' emergency call trace records printer.

TRUST

Melbourne Exchange 1887 (Melbourne Telephone Exchange Company established a 100 line exchange in Melbourne in 1882.)

White Pages. February 21, 1878. First “White Pages” for subscribers in New Haven, Connecticut, USA.

Yellow Pages (Classified Directory). Reuben H Donnelly. Chicago. 1886.

The previous slide again, with today's equivalents overlaid:

ISP++ / REGISTRAR / ISP RESOLVER – the exchange (Melbourne Exchange 1887)
BROWSER – the White Pages
SEARCH ENGINE – the Yellow Pages (Classified Directory)

Trusting your connection!

July 22, 2010

• significant advance in the security of the Internet
• new security upgrade ..... protect against an important online vulnerability:
• clandestine redirecting of online communications to unwanted destinations
• Domain Name System Security Extensions (DNSSEC) protocol
• helps ensure that when computers want to communicate with one another they don’t get tricked into talking to digital imposters instead.

(Digital signatures)

TOP REGISTRARS BY NUMBER OF DOMAINS

Source URLs (110319): http://www.webhosting.info/registrars/top-registrars/global/ and http://www.internic.net/

APNIC – One of five Regional Internet Registries (RIRs)

.au:
• 33 open registrars (2 provisional) (April 2011)
• 1 closed registrar
• Note – .gov.au: Contracted to NetRegistry (No .mil 2TLD)
• .edu.au: Education Services Australia

.in:
• 84 open registrars
• 2 closed registrars
• gov.in, mil.in: National Informatics Centre (NIC)
• ac.in, edu.in, res.in: ERNET

Total domains in “.au” at April 2011: 2,045,961

TLD DNSSEC Report (2011-05-06)

Summary:
* 310 TLDs in the root zone in total
* 72 TLDs are signed;
* 69 TLDs have trust anchors published as DS records in the root zone;
* 4 TLDs have trust anchors published in the ISC DLV Repository.

TLD   Signed?   DS in Root?   ISC DLV?
au.   NO        NO            NO
in.   YES       YES           NO

Note: New “open” TLDs – 2011?

8 March 2011.


DNSSEC Standards:

3 “Core” RFCs, March 2005:

RFC 4033 – DNS Security Introduction and Requirements
RFC 4034 – Resource Records for the DNS Security Extensions
RFC 4035 – Protocol Modifications for the DNS Security Extensions

+ 36 associated RFCs?

DNSSEC MANAGEMENT & USES

• Key generation – KSK/ZSKs – technology/policy – FIPS 140-2
• HSMs vs software?
• Technology / policy for crypto/hash algorithms
• e.g. Elliptic curve(s), RSA key length, SHA256, etc.
• Performance questions – bandwidth
• Trusted system environment (OS, access control, etc.)
• Incompatibilities – large message size for resolvers, etc.
• Firewall interactions
• DNSSEC / BGP / NAT interaction
• Note: Mobile & wireless
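Added worked example (not part of the deck): the "large message size for resolvers" and "firewall interactions" bullets come down to EDNS0. A classic DNS query over UDP promises to accept at most 512 bytes; a DNSSEC-aware resolver adds an OPT pseudo-record (RFC 6891) that advertises a larger UDP payload size and sets the DO ("DNSSEC OK") bit (RFC 3225), otherwise the server omits RRSIG data or truncates and the resolver must retry over TCP. The code below builds such a query, parses it back, and reports the largest UDP response the querier can take. The query name "example." and the transaction id are constructed sample values, and the function names are this example's own.

```python
import struct

QTYPE_DNSKEY = 48
QTYPE_OPT = 41
QCLASS_IN = 1
FLAG_RD = 0x0100            # recursion desired
EDNS_DO = 0x8000            # DNSSEC OK: high bit of the OPT record's 32-bit "TTL" field
CLASSIC_UDP_LIMIT = 512     # RFC 1035 maximum UDP payload when no OPT record is present


def name_to_wire(name: str) -> bytes:
    """Owner name as length-prefixed labels, ending with the root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def wire_to_name(data: bytes, offset: int):
    """Read an uncompressed wire-format name; returns (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_opt_rr(udp_payload_size: int = 4096, do: bool = True) -> bytes:
    """OPT pseudo-RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode|version|DO|Z."""
    ttl = EDNS_DO if do else 0          # extended RCODE 0, EDNS version 0
    return b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload_size, ttl, 0)


def build_query(qname: str, qtype: int, txid: int = 0x1234, edns: bool = True,
                udp_payload_size: int = 4096, do: bool = True) -> bytes:
    """A standard query with one question and, optionally, one OPT record in the additional section."""
    arcount = 1 if edns else 0
    packet = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    packet += name_to_wire(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        packet += build_opt_rr(udp_payload_size, do)
    return packet


def parse_query(packet: bytes) -> dict:
    """Pull the question and any EDNS0 parameters out of a query packet."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    qname, off = wire_to_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    edns = None
    for _ in range(arcount):
        name, off = wire_to_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT and name == ".":
            edns = {"udp_payload_size": rclass, "do": bool(ttl & EDNS_DO), "version": (ttl >> 16) & 0xFF}
    return {"txid": txid, "qname": qname, "qtype": qtype, "edns": edns}


def max_udp_response(parsed: dict) -> int:
    """Largest UDP response the querier has said it can accept."""
    return parsed["edns"]["udp_payload_size"] if parsed["edns"] else CLASSIC_UDP_LIMIT


def fits_in_udp(parsed: dict, response_len: int) -> bool:
    """False means the server will truncate and the client must fall back to TCP."""
    return response_len <= max_udp_response(parsed)


if __name__ == "__main__":
    for edns in (False, True):
        q = parse_query(build_query("example.", QTYPE_DNSKEY, edns=edns))
        print(q["qname"], "EDNS:", q["edns"], "max UDP:", max_udp_response(q),
              "1200-byte DNSKEY answer fits:", fits_in_udp(q, 1200))
```

A DNSKEY RRset with RSA keys plus its RRSIG comfortably exceeds 512 bytes, so a middlebox that drops UDP fragments, UDP datagrams over 512 bytes or DNS over TCP will break validation even though ordinary unsigned lookups keep working; checking that both the larger UDP size and TCP/53 pass through the firewall is the practical test behind those two bullets.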

TECHNO / PUBLIC POLICY INTERACTION:

• CAs, ISPs and DNS / DNSSEC
• DNSSEC key hierarchy (NOT certificate based)
• International / global DNS (e.g. OpenDNS, etc)
• National vs International crypto policy/law
• e.g. Turkey (crypto usage?)
• “Filters” at DNSSEC level?
• Changing registrars (effective lock-in?)

DNSSEC = PKI
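Added worked example (not part of the deck): what the "DS in Root?" column of the TLD DNSSEC Report, the KSK/ZSK bullet under management, and the "key hierarchy (NOT certificate based)" bullet above all refer to. There is no certificate: the parent zone publishes a DS record that is simply a hash of the child's key-signing key (owner name in wire form followed by the DNSKEY RDATA, RFC 4034 section 5.1.4), identified by a key tag (RFC 4034 Appendix B), and a validating resolver links child to parent by recomputing that hash. The owner name "example." and the four-byte "public key" are constructed sample values, not a real key, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Algorithm and digest numbers from RFC 4034 and the IANA DNSSEC registries.
ALG_RSASHA256 = 8
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
SEP_FLAG = 0x0001   # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (flags 256)


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def is_ksk(flags: int) -> bool:
    return bool(flags & SEP_FLAG)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the legacy algorithm-1 special case is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> bytes:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    hasher = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> dict:
    """The DS record a parent zone publishes for a child's KSK."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": digest_type,
            "digest": ds_digest(owner, rdata, digest_type).hex()}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The chain-of-trust link check: does this child DNSKEY hash to the parent's DS?"""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = ds_digest(owner, rdata, ds["digest_type"]).hex()
    return hmac.compare_digest(ds["digest"], expected)


if __name__ == "__main__":
    # Constructed sample: a made-up KSK for "example." (flags 257 = SEP bit set), not a real key.
    ksk = dnskey_rdata(257, 3, ALG_RSASHA256, b"\x01\x02\x03\x04")
    ds = make_ds("example.", ksk)
    print(f"example. DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("KSK:", is_ksk(257), "matches DS:", ds_matches_dnskey(ds, "example.", ksk))
    # One byte of key material changed: the key tag and the digest both stop matching.
    tampered = dnskey_rdata(257, 3, ALG_RSASHA256, b"\x01\x02\x03\x05")
    print("tampered key matches DS:", ds_matches_dnskey(ds, "example.", tampered))
```

The same recomputation is what operators run before and after a KSK rollover: if the DS the registrar submitted to the parent does not hash the DNSKEY actually served, validating resolvers treat the whole zone as bogus, which is the "mistakes - bringing down your domains" risk in the summary.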

USER-VALUE INDICATIONS & TRUST

Afilias (2010)

SUMMARY (1): Website http://www.dnssec-validator.cz/

Education & training
Very steep learning curve for staff

Product and system availability “off the shelf”
Bespoke software / scripting, e.g. Verisign
Evaluated products – HSMs – FIPS-140
DNSSEC API? (Web services / apps)

Technical, management and business environment
Processes and procedures / costs / ROI?
Allocated personnel and functions
OS / system environment (SELinux?)

Risk assessment and management
Mistakes – bringing down your domains?

SUMMARY (2):

• New gTLDs – DNSSEC compulsory!
• “.brisbane”, “.sydney”, “.racv”, “.apple”, ..... ??
• Worldwide (TLD, ccTLD, 2TLD)
• Verisign – Afilias – Sweden – Czech Republic
• Limited experience
• Australia
• In-principle movement towards DNSSEC
• Phased plan announced by auDa (12 August 2010)
• Current extensive evaluation of implications
• Technical, administrative and economic
• Federal gov’t participation in SSaC

SUMMARY (3):

EDUCATION & TRAINING
• The key & it’s missing!
• Traditional tertiary education?
• Private providers?
• Vendors? (Early days!)
• Courses and staff?
• Technical & management aspects
• Test laboratories?
• Remember the OSI test lab? e.g. NIST/USA: The U.S. GOSIP Testing Program (1990)

THE FUTURE (kidns / DANE):

Diffie & Hellman’s “public key register”?

(secure key distribution for e-mail/voice-image/SCADA connections, TLS, certificates, etc. “my key is in the phone book!”)

DNS-based Authentication of Named Entities (dane)
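Added worked example (not part of the deck): the mechanical form of "my key is in the phone book". DANE's TLSA record (RFC 6698) is published under a name like _443._tcp.www.example.com. and carries a usage, a selector (whole certificate or just its SubjectPublicKeyInfo), a matching type (exact, SHA-256 or SHA-512) and the resulting association data; a client that has fetched it through a DNSSEC-validated lookup compares it against the certificate the server presents. The byte strings standing in for a certificate and its SPKI below are constructed placeholders, not real DER, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# TLSA field values from RFC 6698.
USAGE_DANE_EE = 3        # trust this end-entity key directly, no CA involved
SEL_FULL_CERT = 0
SEL_SPKI = 1
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA record for a service: _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Select which part of the certificate is pinned, then apply the matching type."""
    data = {SEL_FULL_CERT: cert_der, SEL_SPKI: spki_der}[selector]
    if matching == MATCH_EXACT:
        return data
    if matching == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def build_tlsa(cert_der: bytes, spki_der: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SEL_SPKI, matching: int = MATCH_SHA256) -> bytes:
    """TLSA RDATA: three one-byte fields followed by the association data."""
    return struct.pack("!BBB", usage, selector, matching) + association_data(cert_der, spki_der, selector, matching)


def parse_tlsa(rdata: bytes) -> dict:
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return {"usage": usage, "selector": selector, "matching": matching, "data": rdata[3:]}


def tlsa_matches(rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """Client-side check: does the presented certificate agree with the published TLSA record?"""
    rec = parse_tlsa(rdata)
    expected = association_data(cert_der, spki_der, rec["selector"], rec["matching"])
    return hmac.compare_digest(rec["data"], expected)


if __name__ == "__main__":
    # Constructed stand-ins for a server certificate and its SubjectPublicKeyInfo (not real DER).
    cert_v1 = b"constructed-certificate-v1"
    cert_v2 = b"constructed-certificate-v2-same-key-reissued"
    spki = b"constructed-subject-public-key-info"
    record = build_tlsa(cert_v1, spki)
    print(tlsa_owner("www.example.com"), "TLSA", record[:3].hex(), record[3:].hex())
    print("original cert matches:", tlsa_matches(record, cert_v1, spki))
    print("reissued cert, same key, matches:", tlsa_matches(record, cert_v2, spki))
```

Pinning the SubjectPublicKeyInfo (selector 1) rather than the whole certificate is the usual choice because a routine certificate reissue with the same key pair then needs no DNS change, whereas a key rollover does; either way the record is only as trustworthy as the DNSSEC chain that delivered it, which is why DANE presupposes the signed zones discussed earlier.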

THANK YOU!

Binna Burra

Welcome to the Gold Coast!