An Analysis of DNSSEC
By Team Trojans -1
Arjun Ashok
Priyank Mohan
Balaji Thirunavukkarasu
Agenda
DNS & its structure
DNS Threats
DNSSEC
Trust Models for Key Validation
DNSSEC Vulnerabilities
DNSSEC Roadblocks
Alternatives to DNS Security
The Road ahead
Domain Name System (DNS)
Hierarchical distributed database which provides the service of translating domain names to IP addresses.
Follows a hierarchical tree structure, analogous to the Unix file system.
DNS Communication
DNS Threats:
Packet interception
Name Chaining
Denial of Service
Brute Force
DNSSEC
First introduced in RFC 2535 "Domain Name System Security Extensions" in 1999.
Provides authentication and integrity of DNS data.
Authentication of name server (NS) data by the resolver.
Integrity of data is checked through signatures verified against the zone's signed, hashed public key.
The resolver is configured with the public keys of the name servers it trusts.
A resolver that knows the zone's public key can verify the signature and authenticate the DNS response.
Can be visualized as a sealed transparent envelope: the sender applies the seal to the envelope, not to the message, so the contents stay readable but any tampering breaks the seal.
Trust Models for Key Validation
A tree-based approach:
Follows a strict chain/hierarchy of trust.
A zone's public key is considered valid only if it is signed by the parent zone.
Disadvantages:
Creates a single point of failure.
Places all the peer zones under the same umbrella of security.
Trust Models for Key Validation
A web-of-trust approach:
Allows servers to choose their own trust relationships.
A public key is considered valid as long as it has been signed by another server.
No single point of failure.
Robust and scalable.
Disadvantages:
An impersonated malicious zone can create its own set of keys and establish a trust relationship.
DNSSEC Vulnerabilities
Zone private/public key compromise: a key compromise can lead to an entire sub-domain being marked as bogus.
A server's current time could be changed in order to validate expired signatures. Hence there should be some means to sync the time between primary and secondary servers.
An attacker can map out an entire zone by querying its NSEC RRs, which store an ordered list of all the existing domain names.
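The tree-based chain of trust, the impersonated-zone failure of the web-of-trust model, and the clock-tampering vulnerability above can all be exercised in one small validator. This is an added illustration, not code from the slides; it uses Ed25519 and SHA-256 in place of the RSA/DS algorithms of real DNSSEC, fixed seeds labelled as constructed, and a simplified RRSIG-style record with an inception/expiration window. The constructed trust anchor delegates only to the key from seed 2.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Signed is a record plus an RRSIG-like signature and its validity window (unix seconds).
type Signed struct {
	Data, Sig             []byte
	Inception, Expiration int64
}

// sign binds the validity window into the signed message, as RRSIG does.
func sign(priv ed25519.PrivateKey, data []byte, inc, exp int64) Signed {
	msg := fmt.Sprintf("%x|%d|%d", data, inc, exp)
	return Signed{data, ed25519.Sign(priv, []byte(msg)), inc, exp}
}

// verify checks the validity window before the key: a validator whose clock has
// been moved must still not accept a signature that has expired.
func verify(pub ed25519.PublicKey, s Signed, now int64) bool {
	if now < s.Inception || now > s.Expiration {
		return false
	}
	msg := fmt.Sprintf("%x|%d|%d", s.Data, s.Inception, s.Expiration)
	return ed25519.Verify(pub, []byte(msg), s.Sig)
}

// validate walks the tree of trust for one answer: the trust anchor signs the DS
// (SHA-256 of the child's DNSKEY), and that DNSKEY in turn signs the answer RRset.
func validate(anchor, childKey ed25519.PublicKey, ds, answer Signed, now int64) bool {
	h := sha256.Sum256(childKey)
	return verify(anchor, ds, now) && // parent vouches for the DS
		bytes.Equal(h[:], ds.Data) && // DS names exactly this child key
		verify(childKey, answer, now) // that key signs the answer
}

// demoChain builds a constructed chain from fixed seeds (not real keys). The parent only
// delegates to the seed-2 key; any other childSeed models a zone that made up its own key.
func demoChain(childSeed byte, answer []byte, inc, exp int64) (anchor, child ed25519.PublicKey, ds, ans Signed) {
	anchorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	legit := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	childPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{childSeed}, ed25519.SeedSize))
	h := sha256.Sum256(legit.Public().(ed25519.PublicKey))
	return anchorPriv.Public().(ed25519.PublicKey), childPriv.Public().(ed25519.PublicKey),
		sign(anchorPriv, h[:], inc, exp), sign(childPriv, answer, inc, exp)
}
```

Calling `demoChain(2, ...)` and validating at a time inside the window succeeds; validating outside the window, with a tampered answer, or with `demoChain(3, ...)` (a key the parent never delegated to) fails at the window check, the signature check, or the DS comparison respectively.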
Roadblocks and Challenges
It is infeasible to implement a full PKI infrastructure.
No third-party authority of trust (CA) exists in DNSSEC; it is highly dependent on correct private key usage.
Trade-off between performance and security.
It is difficult to ensure all the servers have the updated keys.
Servers high up in the hierarchy are unaware of the state of the child nodes.
All servers need to be online within a specified time frame in order to receive the updated keys.
Alternatives to DNSSEC
Name Server Software
Configuration and maintenance of the name server to avoid DoS and attacks such as zone transfer, packet flooding and ARP spoofing.
To counter these attacks, the following steps are implemented: using a secure OS, using software to check the integrity of zone files, and restricting access privileges on the name server.
Contd..
TSIG: Transaction Signature
Involves mutual authentication of servers based on a shared secret key; on the source side it employs an HMAC over the message.
Threats avoided by TSIG
Road Ahead..
The main hindrances in adopting DNSSEC: implementation complexity and scalability.
To overcome this, Software64 DNS Signer is used to automate processes like key generation, backup, restoration, rollover and zone signing from a configuration file.
Higher scalability is achieved using high-speed crypto algorithms: 6,000 RSA operations/sec with a 1024-bit key.
Another improvement is implementing DNSSEC all the way down to the client stub resolver level (user level).
QUESTIONS