Embed Size (px)
DESCRIPTION
So what is DNSSEC? Why do people need to know about it? So what? Dyn Chief Architect Matt Larson talks about that and more in this 20 minute talk at the first-ever Geek Summer Camp. Watch the video here: http://dyn.wistia.com/medias/pl865m2qp7
Citation preview
DNSSEC: Why, How, So What?
Matt Larson, Chief Architect, Dyn
Security in DNS
• There isn’t any• OK, there wasn’t any• DNSSEC: The DNS Security Extensions
The Main Problem
• One packet for a query, one packet for a response
The Main Problem
• One packet for a query, one packet for a response
Who are you really?
• Client has to trust the source address• Source addresses can be spoofed
Who are you really?
Who are you really?
Possible Solutions
• Use a connection-oriented protocol• Sign the packets• Sign the DNS data
DNSSEC to the Rescue
1. All DNS data in a zone is signed2. Zones have public/private key pairs3. Your parent vouches for your public key
Delegation
Delegation
Delegation
Chain of Trust
Chain of Trust
Chain of Trust
Deploying DNSSEC
• Zones:– Sign DNS data– Send public key to parent
• Clients:– Configure trust anchor– Validate DNS responses
So What?
• No more spoofing
• Put stuff you really care about in DNS
Example: DANE
