Security in DNS (DNSSEC)

Yalda Edalat
Pramodh Pallapothu
Agenda

What is DNS?
Caching in DNS
Threats to the DNS
What should match in a DNS transaction?
What is DNSSEC?
DNSKEY, RRSIG, NSEC, DS
DNSSEC issues
What is DNS?

The first step in communication between computers that support IP is knowing the IP address.
Memorizing four decimal numbers for each web site is difficult.
Memorizing host names is easier.
At the beginning, SRI-NIC was responsible for maintaining a single file containing the IP addresses of hosts.
The Internet grew rapidly, and there was a need to guarantee the uniqueness of IP addresses.
This led to the creation of an Internet distributed database: the DNS.
Caching in DNS

To reduce the load on DNS servers, a caching mechanism keeps a successful answer for a specific period of time.
Threats to the DNS

Most weaknesses in DNS fall into these categories:
Cache poisoning
Client flooding
Compromise of DNS server's authoritative data

Cache Poisoning
What should match in a DNS transaction?

[Diagram of the fields of the query and the response, numbered 1 to 4, that must match; not recoverable from the transcript.]
Other threats

Client flooding: the client sends a query but receives thousands of DNS responses from the attacker.
This exploits the lack of authentication of responses: without strong authentication, the client cannot verify the origin of a response.
Compromise of DNS server's authoritative data: the attacker gains administrative privileges and plans to modify zone information.
Need for more security

The original DNS did not include security.
Some commands depend on hostnames for authentication (the "r" commands in UNIX).
False information in DNS causes unexpected results.
Appropriate security is needed to provide adequate protection in DNS, and it is accomplished through DNSSEC.
DNSSEC

DNS Security Extensions
Defines additional Resource Records.
DNSKEY, RRSIG, NSEC and DS are four of those Resource Records.
DNSKEY

It is the public key for the zone and is published in the zone file.

example.com. 86400 IN DNSKEY 256 3 5 (
    AQPSKmynfzW4kyBv015MUG2DeIQ3)

86400 secs -> TTL of 1 day
256 -> Flags value, which indicates it is a zone key.
3 -> Protocol value
5 -> Algorithm (RSA/SHA1); the key data in the RR is base64 encoded.
RRSIG

RRSIG records store digital signatures that were created by signing the resource records associated with a domain using a DNSKEY.

host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
    20030220173103 2642 example.com.
    oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr )

86400 secs -> TTL
A -> indicates that this is a signature over the A RRs for "host.example.com"
5 -> Algorithm (RSA/SHA1)
….
….
NSEC

NSEC is used to provide proof of nonexistence of any name within a zone.

alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG
    NSEC TYPE1234 )

The first four text fields specify the name, TTL, Class, and RR type (NSEC). The entry host.example.com. is the next authoritative name after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC, and TYPE1234 mnemonics indicate that there are A, MX, RRSIG, NSEC, and TYPE1234 RRsets associated with the name alfa.example.com.
DS

The Delegation Signer (DS) RR contains the hash of the public key of the child zone. This record is signed by the parent zone's private key with a matching RRSIG RR.

dskey.example.com. 86400 IN DS 60485 5 1 (
    2BB183AF5F22588179A53B0A
    98631FAD1A292118 )
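The link between the DNSKEY and DS records above is a computation a validating resolver repeats for every delegation: the DS digest is a hash over the child's owner name in canonical wire format followed by the DNSKEY RDATA, and the DS key tag must match the key tag computed from that RDATA (RFC 4034, Appendix B). The following is an added example, not code from the slides; the key bytes are constructed, not a real key, and the helper names are the author's own. It also covers digest type 2 (SHA-256), which the slides do not mention.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (the type used in the slide's DS example), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: "sha1", 2: "sha256"}


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase labels, each prefixed
    by its length, terminated by the zero-length root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag for algorithms other than 1 (RFC 4034 Appendix B):
    sum the RDATA as big-endian 16-bit words and fold the carry back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 1) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as uppercase hex."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def ds_matches(ds_tag: int, ds_alg: int, ds_type: int, ds_hex: str,
               owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bool:
    """The check a validator makes when stepping from a parent's DS to the child's DNSKEY:
    key tag, algorithm and digest must all agree, otherwise the chain of trust is broken."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (ds_tag == key_tag(rdata) and ds_alg == algorithm
            and ds_hex.upper() == ds_digest(owner, rdata, ds_type))


# Constructed sample key (not a real key): flags 256 = zone key, protocol 3, algorithm 5 (RSA/SHA1).
SAMPLE_KEY = b"\x01\x02\x03\x04"
SAMPLE_RDATA = dnskey_rdata(256, 3, 5, SAMPLE_KEY)

if __name__ == "__main__":
    tag = key_tag(SAMPLE_RDATA)
    print("example.com. IN DS", tag, 5, 1, ds_digest("example.com.", SAMPLE_RDATA, 1))
```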
How does DNSSEC work?
DNSSEC issues

The average size of a DNS response message increases.
The zone file increases in size due to the addition of the additional DNSSEC records.
The number of DNS transactions increases due to the requirement to perform additional queries for zone public key records when constructing trust chains.
The client has to spend additional time validating the signed data and validating the public key, potentially slowing the resolution process.
The server has to generate new signatures over all RRset changes, which places an incremental load on the server function.