
ION Djibouti: A Business Case for DNSSEC - Mark Elkins


Presentation from ION Djibouti on 2 June 2014 by Mark Elkins. DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.


Page 1: ION Djibouti: A Business Case for DNSSEC - Mark Elkins

A Business Case for DNSSEC

By Mark Elkins, June 2014

Page 2

What DNSSEC Gives Us

Validation of Data lookups published in the DNS

Very simple to activate on a recursive nameserver.

BIND: addition to named.conf (the owner name "." is the root zone, so this is the root trust anchor; the key material is truncated on the slide):

    managed-keys {
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7g....QxA+Uk1ihz0=";
    };

Page 3

If you use Chrome or Firefox, install the "DNSSEC Validator" Add-on.

Search for "DNSSEC Validator". The add-on's icon shows one of four states for the site you are visiting:

- Signed and validates; chain of trust is intact.

- Signed, but chain of trust is broken.

- Signed, but does not validate; chain of trust is intact.

- Not signed.

What DNSSEC Gives Us

Page 4

ftth.posix.co.za AAAA ??? → 2001:42a0:1:208::13

A Trusted Reply!

_443._tcp.ftth.posix.co.za TLSA ??? → 3 0 1 B635D5DECFF4C30F7DC6606EB12D9CC8C5C05E3F89221FE7423AA2D5AC8CAADA

A Trusted DANE/TLSA Record! (Created by hash-slinger, Thanks Dan)

What DNSSEC Gives Us
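The TLSA record above reads "3 0 1 &lt;hash&gt;": certificate usage 3 (DANE-EE, the record itself names the end-entity certificate, no CA needed), selector 0 (the whole certificate) and matching type 1 (SHA-256 of the DER encoding). The following Python is an added example, not code from the slides or from hash-slinger: it builds a TLSA RDATA string from a DER certificate the way hash-slinger does for selector 0, and checks a presented certificate against a published record. The certificate bytes are constructed stand-ins, not the real ftth.posix.co.za certificate.

```python
import hashlib

# Constructed stand-ins for DER-encoded X.509 certificates. The hashing
# arithmetic does not care about the content, so any byte string works here.
SERVER_CERT_DER = b"\x30\x82\x01\x0a-- constructed stand-in for the server's DER --"
OTHER_CERT_DER = b"\x30\x82\x01\x0a-- constructed stand-in for an unrelated DER --"

# RFC 6698 field meanings (comments only; values are the protocol's own).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
MATCHING_TYPES = {0: None, 1: "sha256", 2: "sha512"}  # 0 = full data, no hash


def tlsa_from_cert(usage: int, selector: int, mtype: int, der: bytes) -> str:
    """Return the TLSA RDATA ('usage selector mtype data') for a DER certificate.

    Only selector 0 (full certificate) is implemented. Selector 1 (SubjectPublicKeyInfo)
    would need a DER parser and is out of scope for this example.
    """
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if mtype not in MATCHING_TYPES:
        raise ValueError(f"unknown matching type {mtype}")
    algo = MATCHING_TYPES[mtype]
    data = der.hex() if algo is None else hashlib.new(algo, der).hexdigest()
    return f"{usage} {selector} {mtype} {data.upper()}"


def parse_tlsa(rdata: str):
    """Split TLSA RDATA into (usage, selector, mtype, hex_data).

    The hex data may be wrapped across whitespace (as on the slide), so all
    trailing tokens are joined back together.
    """
    usage, selector, mtype, *rest = rdata.split()
    return int(usage), int(selector), int(mtype), "".join(rest).lower()


def cert_matches_tlsa(rdata: str, presented_der: bytes) -> bool:
    """DANE-style check: does the certificate the server presented match the record?"""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    try:
        expected = tlsa_from_cert(usage, selector, mtype, presented_der)
    except ValueError:
        return False  # unsupported or malformed record: treat as no match
    return parse_tlsa(expected)[3] == assoc


if __name__ == "__main__":
    record = tlsa_from_cert(3, 0, 1, SERVER_CERT_DER)
    print("_443._tcp.example.test. IN TLSA", record)
    print("server cert matches:", cert_matches_tlsa(record, SERVER_CERT_DER))
    print("other cert matches: ", cert_matches_tlsa(record, OTHER_CERT_DER))
```

The check only has value when the TLSA answer itself arrived with the AD bit set from a validating resolver; an unsigned TLSA record proves nothing, which is why the slide pairs DANE with DNSSEC.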

Page 5

● Is the art of deception

● This is not the droid computer you are looking for

● Mission: to be one with your computer

Back to business - Phishing

Page 6

We need HTTPS (Mission: HTTP on everything)

● Identifies the site we are connected to

● Padlock is there

Except there are over a hundred Certificate Authorities...

I use StartCom/StartSSL - but how would you know?

Back to business - Phishing

Page 7

● With DNSSEC securing a TLSA signature

● With a TLSA signature covering the SSL certificate

● With padlocks, keys - almost covered!

Back to business - Phishing

Page 8

It talks to my X509 Certificate

Back to StartCOM

Page 9

● Signing (and keeping it signed)

● Interaction with Parents

Deployment Challenges

Page 10

Signing can be simple

There are scripts (e.g. mine) (http://posixafrica.com)

and black-box solutions (e.g. OpenDNSSEC).

This can be done in just three commands....

(Assuming you have a zone called 'web.za')

    # Zone Signing Key (ZSK)
    # dnssec-keygen -a RSASHA256 -b 1024 web.za

    # Key Signing Key (KSK)
    # dnssec-keygen -a RSASHA256 -b 2048 -f KSK web.za

    # Sign the zone, picking up the key files just generated in the current directory
    # dnssec-signzone -S web.za

Signing and keeping it signed

Page 11

'web.za' is now signed and the new zone is called 'web.za.signed'

There is also a file called 'dsset-web.za.' (discussed next slide)

Edit your 'named.conf' to use the new 'signed' version of the zone.

In reality, at some regular, predetermined interval one should generate new keys and roll over the old ones....

Signing and keeping it signed

Page 12

The contents of the file 'dsset-web.za.' need to be securely installed into the parent zone, 'za'.

web.za. IN DS 52867 8 1 921AFBC6DF6....

web.za. IN DS 52867 8 2 9FBC5FBC6B9....

Ways of getting the DS records to the parent:

1 - Encrypted e-mail (How I talk to Tanzania or Namibia)

2 - Via a web front-end (AFRINIC, Root)

3 - Via the Registry's EPP system (COZA/dotAfrica)

Signing and keeping it signed
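The two DS lines in the dsset file are derived from the zone's KSK: the key tag (52867 on the slide) is computed from the DNSKEY RDATA, and the digest is a hash over the owner name in wire format followed by that RDATA (digest type 1 is SHA-1, type 2 is SHA-256). The Python below is an added example, not part of the slides or of BIND: it reproduces that derivation (RFC 4034 section 5.1.4 and Appendix B) and adds a check a zone operator can run after submitting the DS to confirm the parent published what was sent. The DNSKEY public key is a constructed placeholder, not the real web.za key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256).
# The public key bytes are a placeholder, not a real key.
SAMPLE_OWNER = "web.za."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01\x02").decode()

DIGEST_TYPES = {1: "sha1", 2: "sha256"}  # the two digest types in the dsset file


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lower-cased, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for algorithms other than 1 (RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey_b64: str, digest_type: int) -> str:
    """Render one DS line as it appears in a dsset file."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = hashlib.new(DIGEST_TYPES[digest_type], name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches_dnskey(ds_line: str, owner: str, flags: int, proto: int, alg: int, pubkey_b64: str) -> bool:
    """Post-submission check: does a DS line the parent serves match our DNSKEY?

    Field order and the key tag, algorithm, digest type and digest must all agree.
    """
    fields = ds_line.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "DS"]:
        return False
    digest_type = int(fields[5])
    if digest_type not in DIGEST_TYPES:
        return False  # unknown digest type: cannot verify, so do not claim a match
    expected = ds_record(owner, flags, proto, alg, pubkey_b64, digest_type)
    return "".join(fields[6:]).upper() == expected.split()[6] and fields[3:5] == expected.split()[3:5]


if __name__ == "__main__":
    for dtype in (1, 2):
        print(ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64, dtype))
```

Running the same derivation against the DNSKEY actually served by the zone, and comparing with the DS the parent publishes, catches the common failure of a rolled KSK whose new DS never reached the parent, which is exactly the "signed, but chain of trust is broken" state the browser add-on reports.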

Page 13

Dealing with parents

Uncooperative Parents?

Page 14

The deployment of DNSSEC is a way to make the Internet a safer place.

It is not a silver bullet, but combined with other security features it gets us pointed in the right direction.

Conclusions

Page 15

Questions?

[email protected]

A Business Case for DNSSEC