DNSSEC and DANE

ION TokyoNovember 17, 2014

Dan YorkSenior Content StrategistInternet Societyyork@isoc.org

Overview of DNS Security Extensions (DNSSEC)

A Normal DNS Interaction

Web Server

Web Browser

https://example.com/

web page

DNS Resolver

10.1.1.123

125

6

DNS Svrexample.com

DNS Svr.com

DNS Svrroot

3

10.1.1.123

4

example.comNS

.comNS

example.com?

Attacking DNS

Web Server

Web Browser

https://example.com/

web pageDNS

Resolver

10.1.1.123

12

5

6

DNS Svrexample.com

DNS Svr.com

DNS Svrroot

3

192.168.2.2

4

AttackingDNS Svrexample.com

192.168.2.2

example.comNS

.comNS

example.com?

False Site

example.com

A Poisoned Cache

Web Server

Web Browser

https://example.com/

web pageDNS

Resolver1

2

34

192.168.2.2

Resolver cache now has wrong data:

example.com 192.168.2.2

This stays in the cache until the Time-To-Live (TTL) expires!

example.com?

False Site

example.com

A DNSSEC Interaction

Web Server

Web Browser

https://example.com/

web page

DNS Resolver

10.1.1.123DNSKEYRRSIGs

125

6

DNS Svrexample.com

DNS Svr.com

DNS Svrroot

3

10.1.1.123

4

example.comNSDS

.comNSDS

example.com?

Attempting to Spoof DNS

Web Server

Web Browser

https://example.com/

web page

DNS Resolver

10.1.1.123DNSKEYRRSIGs

125

6

DNS Svrexample.com

DNS Svr.com

DNS Svrroot

3

SERVFAIL

4

AttackingDNS Svrexample.com

192.168.2.2DNSKEYRRSIGs

example.comNSDS

.comNSDS

example.com?

DNSSEC Is Not Just For The Web

DNSSEC protects ALL information coming from DNS

Significant deployments of DNSSEC (and DANE) in:

• Email (SMTP)

• Instant messaging (XMPP/Jabber)

Other potential uses:

• Voice over IP (VoIP)

• Any application that communicates over the Internet

Email Hijacking – A Current Threat

• CERT-CC researchers have identified that someone is hijacking email by using DNS cache poisoning of MX records

• Could be prevented by DNSSEC deployment

• CERT-CC (Sept 10, 2014): – https://www.cert.org/blogs/certcc/post.cfm?EntryID=206

• Deploy360 blog post (Sept 12, 2014): • http://wp.me/p4eijv-5jI

The Two Parts of DNSSEC

04/13/2023

The Two Parts of DNSSEC

Signing Validating

ISPs

Enterprises

Applications

DNS Hosting

Registrars

Registries

DNSSEC Signing - The Individual Steps

Registry

Registrar

DNS Hosting Provider

Domain Name Registrant

• Signs TLD• Accepts DS records• Publishes/signs records

• Accepts DS records• Sends DS to registry• Provides UI for mgmt

• Signs zones• Publishes all records• Provides UI for mgmt

• Enables DNSSEC (unless automatic)

DNSSEC Signing - The Players

Registries

Registrars

DNS Hosting Providers

Domain Name Registrants

Registrar alsoprovides DNShosting services

DNSSEC Signing - The Players

Registries

Registrars

DNS Hosting Providers

Domain Name Registrants

Registrant hostsown DNS

DNSSEC Deployment Metrics

04/13/2023

DNSSEC Deployment Maps

• DNSSEC deployment maps:• http://www.internetsociety.org/deploy360/dnssec/maps/

• Mailing list to receive weekly maps:• https://elists.isoc.org/mailman/listinfo/dnssec-maps

DNSSEC Deployment Maps

Signed TLDs (both ccTLDs and gTLDs)

https://rick.eng.br/dnssecstat/

DNSSEC Validation – Worldwide Trend

http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g=0

DNSSEC Deployment – Second-level domains

Links from http://www.internetsociety.org/deploy360/dnssec/statistics/

A Quick Overview of DANE

04/13/2023

The Typical TLS (SSL) Web Interaction

Web Server

Web Browser

https://example.com/

TLS-encryptedweb page

DNS Resolver

example.com?

10.1.1.1231

2

5

6DNS Svrexample.com

DNS Svr.com

DNS Svrroot

3

10.1.1.123

4

The Typical TLS (SSL) Web Interaction

Web Server

Web Browser

https://example.com/

TLS-encryptedweb page

DNS Resolver

10.1.1.1231

2

5

6DNS Svrexample.com

DNS Svr.com

DNS Svrroot

3

10.1.1.123

4

Is this encrypted with the

CORRECT certificate?

example.com?

Problems?

Web Server

Web Browser

https://www.example.com/TLS-encrypted web pagewith CORRECT certificate

DNS Server

www.example.com?

1.2.3.41

2

Firewall

https://www.example.com/

TLS-encrypted web pagewith NEW certificate(re-signed by firewall)

DANE

Web Server

Web Browserw/DANE

https://example.com/TLS-encrypted web pagewith CORRECT certificate

DNS Server

10.1.1.123DNSKEYRRSIGsTLSA

1

2Firewall(or

attacker)

https://example.com/

TLS-encrypted web pagewith NEW certificate(re-signed by firewall)

Log files or other

serversDANE-equipped browsercompares TLS certificatewith what DNS / DNSSECsays it should be.

example.com?

DNS-Based Authentication of Named Entities (DANE)• Q: How do you know if the TLS (SSL) certificate is the

correct one the site wants you to use?

• A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC.

An application that understand DNSSEC and DANE will then know when the required certificate is NOT being used.

Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate.

DANE – Different operation modes ("certificate usage" field)

• 0 – CA specification• The TLSA record specifies the Certificate Authority (CA) who will provide TLS

certificates for the domain. Must be a valid CA included in browser/app.

• 1 – Specific TLS certificate• The TLSA record specifies the exact TLS certificate that should be used for the

domain. Note that this TLS certificate must be one that is issued by a valid CA.

• 2 – Trust anchor assertion• The TLSA record specifies the “trust anchor” to be used for validating the TLS

certificates for the domain. Allows for the use of a CA not included in application.

• 3 – Domain-issued certificate• The TLS record specifies the exact TLS certificate that should be used for the

domain, BUT, in contrast to usage #1, the TLS certificate does not need to be signed by a valid CA. This allows for the use of self-signed certificates.

DANE – Not Just For The Web

•DANE defines protocol for storing TLS certificates in DNS

•Securing Web transactions is an obvious use case

•Other uses also possible:• Email

• VoIP

• Jabber/XMPP

• PGP

• ?

DANE Success Stories

SMTP

360+ SMTP servers with TLSA records

http://www.tlsa.info/

XMPP (Jabber)

229 servers

client-to-server & server-to-server

https://xmpp.net/reports.php#dnssecdane

Advertisements!

Why Deploy DNSSEC and DANE?

04/13/2023

Business Reasons For Deploying DNSSEC

• TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers.

• SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking.

• INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates

• CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet

Resources

04/13/2023

DANE Resources

DANE Overview and Resources:

• http://www.internetsociety.org/deploy360/resources/dane/

IETF Journal article explaining DANE:

• http://bit.ly/dane-dnssec

RFC 6394 - DANE Use Cases:

• http://tools.ietf.org/html/rfc6394

RFC 6698 – DANE Protocol:

• http://tools.ietf.org/html/rfc6698

DANE Resources

DANE and email:

• https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane

• http://tools.ietf.org/html/draft-ietf-dane-smime

DANE Operational Guidance:

• https://tools.ietf.org/html/draft-ietf-dane-ops

DANE and SIP (VoIP):

• http://tools.ietf.org/html/draft-johansson-dispatch-dane-sip

• https://tools.ietf.org/html/draft-ietf-dane-srv

Other uses:

• https://tools.ietf.org/html/draft-ietf-dane-openpgpkey

• https://tools.ietf.org/html/draft-ietf-dane-rawkeys

Start Here Pagehttp://www.internetsociety.org/deploy360/start/

Easy method of finding resources for

specific audiences, including:

• Network operators

• Content providers (ex. web site owners)

• Developers

• Governments

• Consumer electronics vendors

• Enterprises and campus networks

• Registrars

• Internet exchange points (IXPs)

https://twitter.com/deploy360

https://www.facebook.com/Deploy360

http://gplus.to/deploy360

http://www.youtube.com/user/Deploy360

http://www.internetsociety.org/deploy360/feed/

http://soundcloud.com/deploy360/

Social Media Channels

Thank You!Dan York

Senior Content Strategist

york@isoc.org