Matt Larson On DNSSEC: Why? How? So What?
Posted 21-Oct-2014, Category: Documents
Transcript of the slides:
DNSSEC: Why, How, So What?
Matt Larson, Chief Architect, Dyn
Security in DNS
• There isn’t any
• OK, there wasn’t any
• DNSSEC: The DNS Security Extensions
The Main Problem
• One packet for a query, one packet for a response
Who are you really?
• Client has to trust the source address
• Source addresses can be spoofed
Possible Solutions
• Use a connection-oriented protocol
• Sign the packets
• Sign the DNS data
DNSSEC to the Rescue
1. All DNS data in a zone is signed
2. Zones have public/private key pairs
3. Your parent vouches for your public key
Delegation
Chain of Trust
Deploying DNSSEC
• Zones:
– Sign DNS data
– Send public key to parent
• Clients:
– Configure trust anchor
– Validate DNS responses
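The three points of "DNSSEC to the Rescue" and the zone/client deployment steps above, worked through as an added Python example (not code from the talk or from Dyn). It builds DNSKEY RDATA, the key tag and the SHA-256 DS digest the way RFC 4034 defines them, then walks a resolver's chain of trust from a configured trust anchor down through a root, a TLD-like zone and a child zone. The zone names and all key material are constructed placeholders (the "public keys" are just 64 fixed bytes, not real ECDSA keys), and verification of the RRSIG signatures over the zone data is left out because it needs a real public-key algorithm; what the example checks is the "your parent vouches for your public key" link at each delegation, which is what a trust anchor plus DS records give a validating client.

```python
import hashlib
import struct

# Constants as defined in RFC 4034; everything else below is constructed for the example.
PROTOCOL_DNSSEC = 3
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA256 = 2
FLAGS_KSK = 257  # Zone Key (256) + Secure Entry Point (1) bits set


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name: 'example.' -> b'\\x07example\\x00'."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), then the public key."""
    return struct.pack("!HBB", flags, PROTOCOL_DNSSEC, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type, digest).
    The digest is SHA-256 over the owner name in wire form followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], DS_DIGEST_SHA256, digest)


def make_zone(owner: str, seed: str) -> dict:
    """Constructed zone with one KSK. The key bytes are derived from a seed, not a real key pair."""
    pubkey = hashlib.sha256(seed.encode()).digest() * 2  # 64 octets, the size of a P-256 key
    return {"owner": owner,
            "dnskeys": [dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, pubkey)],
            "ds": {}}  # child owner name -> list of DS tuples published at the delegation


def delegate(parent: dict, child: dict) -> None:
    """Step 'send public key to parent': the parent publishes DS records for the child's KSK."""
    parent["ds"][child["owner"]] = [ds_record(child["owner"], k) for k in child["dnskeys"]]


def validate_chain(trust_anchor: tuple, zones: list) -> tuple:
    """Client-side chain-of-trust walk, root first. Each zone must offer a DNSKEY whose DS
    matches what the parent published (or the configured trust anchor, for the root).
    Returns (True, None) or (False, owner name of the zone where the chain breaks)."""
    parent_ds = [trust_anchor]
    for i, zone in enumerate(zones):
        if not any(ds_record(zone["owner"], k) in parent_ds for k in zone["dnskeys"]):
            return False, zone["owner"]
        if i + 1 < len(zones):
            parent_ds = zone["ds"].get(zones[i + 1]["owner"], [])
    return True, None


def demo(tamper: bool = False) -> tuple:
    """Build root -> example. -> sub.example. and validate; with tamper=True the client sees
    a substituted DNSKEY for sub.example., as a spoofed response would deliver."""
    root = make_zone(".", "constructed root KSK")
    example = make_zone("example.", "constructed example. KSK")
    sub = make_zone("sub.example.", "constructed sub.example. KSK")
    delegate(root, example)
    delegate(example, sub)
    # Step 'configure trust anchor': the client holds the DS of the root KSK out of band.
    anchor = ds_record(".", root["dnskeys"][0])
    if tamper:
        sub = make_zone("sub.example.", "constructed substitute KSK")  # not vouched for by example.
    return validate_chain(anchor, [root, example, sub])


if __name__ == "__main__":
    print("genuine chain:", demo())          # (True, None)
    print("substituted key:", demo(True))   # (False, 'sub.example.')
```

The point a practitioner should take away: the DS digest binds the owner name to the key, so a key that is valid for one zone cannot be replayed as the key of another, and a response carrying a DNSKEY the parent never vouched for fails at that delegation even though every packet arrived from a plausible source address.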
So What?
• No more spoofing
• Put stuff you really care about in DNS
Example: DANE