Getting Your Foot in the Door or Selling Sniffer Basic
Download
Report
Transcript Getting Your Foot in the Door or Selling Sniffer Basic
Progress Of the DNS Security
Extensions
NANOG 22
May 21-22, 2001
Edward Lewis
[email protected]
Purpose of this talk
DNS Security is a set of extensions to DNS to make
attacking it harder and using it to attack other
applications harder
Over the course of the past two years, hands-on
workshops have been held to help accelerate
standards development
This presentation will cover lessons learned, open
issues, and the progress being made
[email protected]
2
Background
DNS Security presentation at NANOG 19
http://www.nanog.org/mtg-0006/lewis.html
Workshops are fairly unique in the IETF process
Only one available source of s/w, so no bake-off's
Multi-day events in which a mini-DNS world is built
Objective of Workshops
Education
Testing Specification & Software
Examination of inter-administration issues
[email protected]
3
Recent Workshops
APRICOT 2001 - Kuala Lumpur, February
49th IETF - San Diego, December
NANOG 20 - Washington, DC, October
RIPE 37 - Amsterdam, September
2nd DNSSEC workshop - Vasby (SE), September
RSSAC workshop - Pittsburgh, July
[email protected]
4
Highlights
Realization that DNS Security isn't one piece
Components advancing at different rates
Some parts are ready to pay off now
Progress is being made on the inter-zone
interface
Defining this is a prime goal of the workshops
Active discussions happening, consensus is forming
Good news is the frequency and dispersion of
dialog
[email protected]
5
Workshop Configuration
Workshop consists of about a half-dozen
"experts" and about 2 dozen students
set up includes an "augmented" DNS root, a
workshop top-level domain, other services (ftp, http)
Students set up zones as delegated from a TLD
created for the workshop
Students also set up secondary relationships
Initial round of keys and signatures, then a key
change
[email protected]
6
Highlights of Vasby Workshop
The second workshop held in Sweden
Invitation-only 2-day workshop, very organized,
knowledgeable DNS students
Keys were set up, validation done via a
simplistic HTML set-up
The workshop keys were changed causing
problems
"Lateral" signing requirement formalized
[email protected]
7
Highlights of NANOG 20 Wkshp
One day workshop, with "homework
assignments"
Different HTML interface used to exchange keys
Not as successful
The interface should not be under estimated
Lateral signing still not implemented
[email protected]
8
Highlights of 49th IETF Workshop
Mixture of IPv6 and DNS Security
Trying to teach/understand both concepts in one
event is difficult
Impact of DNS Security on A6 chains
multiplied by length of chain
Until name server resolvers can handle A6
chains and/or AAAA, IPv6-only infrastructure is
not possible
Desire to run a longer-term experiment
[email protected]
9
Highlight of APRICOT 2001 Wkshp
Rapid maturation of TSIG mechanism
Re-organization of material into "easy" and "hard"
TSIG easy
KEY/SIG hard
Use of TSIG configuration language extended to
other services
e.g., BIND's remote name server daemon control
(rndc)
[email protected]
10
Result: Shared secret Clearer
TSIG has become mature
Zone transfers can be protected
Lays the ground work for authorized dynamic update
Same language reused to secure non-TSIG
services, e.g., rndc
Perhaps time to revisit TKEY and SIG (0) now that
TSIG has come of age
[email protected]
11
Result: Operational Experience
Well, "initial operational experience"
More and more operators are now participating
Recent discussions have involved a wide
spread of people and organizations
still mostly in Europe
Many past decisions are being revisited now
that more experts are available
[email protected]
12
Result: Value of Key Distribution
The feature of publishing keys in DNS has
grown in importance
Putting application keys in DNS
Could be a big driver behind DNS Security
[email protected]
13
Result: Better Implementation
With each workshop, software bugs have
lessened
DNS Security code is still bleeding edge
Specifications aren't always clear and are being
reviewed
[email protected]
14
Issue: Parent holding of signature
When a parent zone's key changes, all child
zone key( set)s need to be validated again
Parent needs child key sets to do this
Parent has to make new signature known
Original thought was to have this happen with
the child being responsible for publishing data
But this means child has to be aware of key
change - or suffer the consequences
Proposal now to have parent publish data
[email protected]
15
Issue: Application keys
With parent signing and holding keys, what is the
impact on application keys?
Some zones use the apex as a host (A record, etc.)
IPSEC, SSH, et.al. host keys would be co-located
with the zone keys
Should parent zone be signing host key data for child?
Other issues: subtyping, message size
[email protected]
16
Issue: Persistent Testing vs. Fake
Roots
The parent-child interface in DNS Security is
evident in time-related SIG RR's
One-time set up of KEY's and SIG's is easy, it is the
"roll over" that is the headache
The only way to test this is to allow time to pass
DNS Security testing has depended on a
workshop root
What's the difference between a persistent test root
server and an "alternate" root server
[email protected]
17
Issue: Another Angle on
Persistence
One other need for a persistent test infrastructure
Strict "on-tree" zone signing depends on an
entirely available DNS
There are proposals to make DNS Security more
robust in the face of downed servers
Collaborative signing experiments need time to
develop
[email protected]
18
Issue: lwresd vs stub-resolver
lwresd is a BIND creation, a name server running
locally, replacing the old stub resolver
Perhaps lwresd runs as a caching forwarder
How does this impact the use of TSIG to secure
queries and responses, as opposed to configuring
public keys?
Original issue was the protection of the TSIG secret on a
multi-user machine for general lookups
/etc/resolv.conf is a natural place for secret, but "world"
readable (using UNIX as an example)
[email protected]
19
Issue: Multiple Implementations
For the DNS Security documents to progress in the
IETF, multiple interoperable implementations are
needed
Besides BIND, there are some other implementations
in the works
Will they implement all of DNS Security?
Will they be made available for testing?
[email protected]
20
Issue: Legal Attention
For better or worse, lawyers have taken notice
Impact of contract law on key distribution
service
Work is bring pioneered in Sweden, with contact
with the Netherlands and Germany
Interesting twist
Laws are national things, the Internet is defined
across boundaries
IETF avoids technology that is law-specific
What is the legal view of a server in .se and a
[email protected] in .de?
21
Unstudied
How "joint" administrations of a zone will work
Issues that are cryptographic in nature
Impacts of key lengths on security
Life span of a key
Issue was raised during the RSSAC workshop
[email protected]
22
Document Status
A new round of documents is being prepared
Same standards level
A reorganization to include the current base plus the
clarification RFCs
[email protected]
23
Current Discussion Forums
[email protected]
A mailing list that has been around a while, recently
has become quite active
[email protected]
[email protected]
[email protected]
24