Introduction To The DANE Protocol (DNSSEC)

www.internetsociety.org/deploy360/

Introduction to the DANE Protocol

ICANN 47 July 17, 2013

Dan York, Internet Society

Internet Society Deploy360 Programme

Providing real-world deployment info for IPv6, DNSSEC, routing and other Internet technologies:

•  Case Studies

•  Tutorials

•  Videos

•  Whitepapers

•  News, information

English content, initially, but will be translated into other languages.

7/24/13

Why Do I Need DNSSEC If I Have SSL?

A common question:

•  why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?)

•  SSL (more formerly known today as Transport Layer Security (TLS)) solves a different issue – it provides encryption and protection of the communication between the browser and the web server

The Typical TLS (SSL) Web Interaction

Web Server

Web Browser

https://example.com/

TLS-encrypted web page

DNS Resolver

example.com?

10.1.1.123 1

6DNS Svr example.com

DNS Svr .com

DNS Svr root

10.1.1.123

The Typical TLS (SSL) Web Interaction

Web Server

Web Browser

TLS-encrypted web page

DNS Resolver

10.1.1.123 1

6DNS Svr example.com

DNS Svr .com

DNS Svr root

10.1.1.123

Is this encrypted with the

CORRECT certificate?

example.com?

What About This?

Web Server

Web Browser

https://www.example.com/ TLS-encrypted web page with CORRECT certificate

DNS Server

www.example.com?

1.2.3.4 1

Firewall (or

attacker)

https://www.example.com/

TLS-encrypted web page with NEW certificate (re-signed by firewall)

Problems?

Web Server

Web Browser

DNS Server

www.example.com?

1.2.3.4 1

Firewall (or

attacker)

TLS-encrypted web page with NEW certificate (re-signed by firewall)

Problems?

Web Server

Web Browser

DNS Server

www.example.com?

1.2.3.4 1

Firewall (or

attacker)

TLS-encrypted web page with NEW certificate (re-signed by firewall) Log files

or other servers

Potentially including personal information

Issues

A Certificate Authority (CA) can sign ANY domain.

Now over 1,500 CAs – there have been compromises where valid certs were issued for domains.

Some middle-boxes such as firewalls can re-sign sessions.

A Powerful Combination

•  TLS = encryption + limited integrity protection

•  DNSSEC = strong integrity protection

•  How to get encryption + strong integrity protection?

•  TLS + DNSSEC = DANE

7/24/13

DNS-Based Authentication of Named Entities (DANE) – RFC 6698

•  Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?

•  A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC.

A browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used.

Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate.

Web Server

Web Browser w/DANE

https://example.com/ TLS-encrypted web page with CORRECT certificate

DNS Server

10.1.1.123 DNSKEY RRSIGs TLSA

2Firewall (or

attacker)

TLS-encrypted web page with NEW certificate (re-signed by firewall) Log files

or other servers

DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be.

example.com?

DANE – Not Just For The Web

•  DANE defines protocol for storing TLS certificates in DNS

•  Securing Web transactions is the obvious use case

•  Other uses also possible: •  Email

•  VoIP

•  Jabber/XMPP

•  ?

7/24/13

DANE Resources

DANE Overview and Resources:

•  http://www.internetsociety.org/deploy360/resources/dane/

IETF Journal article explaining DANE:

•  http://bit.ly/dane-dnssec

RFC 6394 - DANE Use Cases:

•  http://tools.ietf.org/html/rfc6394

RFC 6698 – DANE Protocol:

•  http://tools.ietf.org/html/rfc6698

How Do We Get DANE Deployed?

Developers: •  Add DANE support into applications (see list of libraries)

DNS Hosting Providers: •  Provide a way that customers can enter a “TLSA” record into DNS

as defined in RFC 6698 ( http://tools.ietf.org/html/rfc6698 ) •  This will start getting TLS certificates into DNS so that when

browsers support DANE they will be able to do so. •  [More tools are needed to help create TLSA records –

ex. hashslinger ]

Network Operators / Enterprises / Governments: •  Start talking about need for DANE •  Express desire for DANE to app vendors (especially browsers)

Opportunities

•  DANE is just one example of new opportunities brought about by DNSSEC

•  Developers and others already exploring new ideas

7/24/13

york@isoc.org www.internetsociety.org/deploy360/

Dan York, CISSP Senior Content Strategist, Internet Society

Thank You!

Introduction To The DANE Protocol (DNSSEC)

Technology

A One Round Protocol for Tripartite Diffie Hellman By Dane Vanden Berg

Research Project 1: Implementing DANE · Basics DNS and DNSSEC PKIX and trust DANE Research Swede Features Reactions Tests and results Conclusion 2 of 21. Question ... Domain Name

DANE/DNSSEC/TLS tests from Go6lab – findings and results Jan Žorž, Go6 Institute

DNSSEC at Penn - internet2.edu · DNSSEC at a glance • “DNS Security Extensions” • A system to verify the authenticity of DNS “data” using public key signatures • Protocol

DNSSEC Securing the Internetdnssec-deployment.icann.org/en/dnssec/dnsseccard.pdfDNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS), the Internet’s

ION Tokyo: The Business Case for DNSSEC and DANE, Dan York

DANE and DNSSEC Authentication Chain Extension for TLS

Introduction to DNSSEC & DANE - DeepDive Networking › files › Interop... · DNSSEC & DANE DeepDive Networking How Do I Know I Have DNSSEC? 22! Recursive servers, look for ad ﬂag

Securing Web Presence with DNSSEC · Securing Web Presence with dnSSec By Peter Silva this article discusses dnSSec, a series of dnS protocol extensions which ensure the integrity

How we are developing a next generation DNS API for ... · DANE Need DNSSEC to get TLSA, SSHFP, OPENPGPKEY etc. What else is needed? (i.e. still hampering DANE deployment) Verifcation

1 Eliot Lear. 2 2 SCTP, DCP? DNSSEC, DANE, new RR types? Thought exercise: MPLS-ng

Willem Toorop - NLnet Labs€¦ · by and for application developers (for application) ... from DNSSEC authenticated keys (DANE) especially applicable/suitable to system software!

DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Domain Name Server Security (DNSSEC) Protocol ... › FA8750-10-C-0020 › DNSSEC Protocol...Domain Name Server Security (DNSSEC) Protocol Deployment Final Technical Report November

DANE veri cation test suite report · 2016-07-11 · DANE is a protocol that allows certi cates used for TLS to be coupled to DNS domain names requiring DNSSEC. This paper describes

DNSSEC and DANE Deployment Trends, Tools And Challenges · 10/2/2013 · A browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used

DANE & Application Uses of DNSSEC - Internet2 · Verisign Public! DNSSEC at a glance! • Original DNS protocol wasn’t built with security in mind! • No way to verify the authenticity

An Introduction to DANE - Securing TLS using DNSSEC

ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab

Overview - TWNIC · Overview • DNS Protocol Overview • DNS Security • DNS Transactions – TSIG and Lab • DNS Security Extensions (DNSSec) – DNSSEC Lab . 21/06/16 2 DNS