SlideShare a Scribd company logo

ION Bucharest - Deploying DNSSEC

Download as PPTX, PDF
Deploy360 Programme (Internet Society)
Deploy360 Programme (Internet Society)

This document summarizes Dan York's presentation on deploying DNSSEC. It discusses how DNSSEC helps ensure the integrity of DNS data by using digital signatures to authenticate DNS responses, preventing cache poisoning and man-in-the-middle attacks. It provides examples of normal DNS interactions versus attacks, and how DNSSEC establishes a chain of trust. The presentation also covers the current state of DNSSEC deployment, how it works in combination with TLS/SSL through DANE, and business reasons for organizations to deploy DNSSEC.

Technology
1 of 46
Internet Society © 1992–2016 The role of the Internet Society (this report describes the timeline of activities of the Internet Society from the submission of the proposal to NTIA in March 2016 until September 30, 2016) The IANA Stewardship Transition Kathy Brown President & CEO October 6, 2016 Presentation title – Client name 1
Internet Society © 1992–2016 ION Bucharest October 12, 2016 Dan York, CISSP DNSSEC Program Manager – york@isoc.org Deploying DNSSEC 2
Trusted Internet 3 Trust in privacy of information (ex. encryption) Trust in online identity systems (ex. Kantara) Trust in network communication (ex. TLS, DANE) Trust in Internet identifiers (ex. DNSSEC) Trust in the Internet’s core infrastructure (ex. MANRS) Trust in cryptography (ex. Cryptech)
https://www.flickr.com/photos/powerbooktrance/466709245/ CC BY
Email Hijacking CERT-CC researchers have identified that someone was hijacking email by using DNS cache poisoning of MX records Could be prevented by DNSSEC deployment CERT-CC (Sept 10, 2014): — https://www.cert.org/blogs/certcc/post.cfm?EntryID=206 Deploy360 blog post (Sept 12, 2014): — http://wp.me/p4eijv-5jI
What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" • Defined in RFCs 4033, 4034, 4035 • Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain… 6
A Normal DNS Interaction 7 Web Server Web Browser https://example.com/ web page DNS Resolver example.com? 1 2 3 4 10.1.1.123 Resolver checks its local cache. If it has the answer, it sends it back. example.com 10.1.1.123 If not…
A Normal DNS Interaction 8 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
DNS Works On Speed First result received by a DNS resolver is treated as the correct answer. Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: Getting to the correct point in the network to provide faster responses; Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses) 9
Attacking DNS 10 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 192.168.2.2 4 Attacking DNS Svr example.com 192.168.2.2 example.com NS .com NS example.com?
A Poisoned Cache 11 Web Server Web Browser https://example.com/ web page DNS Resolver 1 2 3 4 192.168.2.2 Resolver cache now has wrong data: example.com 192.168.2.2 This stays in the cache until the Time-To-Live (TTL) expires! example.com?
How Does DNSSEC Help? DNSSEC introduces new DNS records for a domain: • RRSIG – a signature ("hash") of a set of DNS records • DNSKEY – a public key that a resolver can use to validate RRSIG A DNSSEC-validating DNS resolver: Uses DNSKEY to perform a hash calculation on received DNS records Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server. 12
A DNSSEC Interaction 13 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com?
A DNSSEC Interaction 14 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
The Global Chain of Trust 15 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
Attempting to Spoof DNS 16 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
Attempting to Spoof DNS 17 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 SERVFAIL 4 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 18 10/12/2016
The Two Parts of DNSSEC 19 Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 20 10/12/2016
DNSSEC Validation – Current State • About 15% of all global DNS queries validated • ~20% of all European DNS queries validated • All major DNS resolvers support DNSSEC validation – often with a simple config change 21 http://stats.labs.apnic.net/dnssec
DNSSEC Validation – Romania 22http://stats.labs.apnic.net/dnssec
DNSSEC Validation – Romania 23http://stats.labs.apnic.net/dnssec
DNSSEC Signing - The Individual Steps 24 Registry Registrar DNS Operator (or ”DNS Hosting Provider”) Domain Name Registrant • Signs TLD • Accepts DS records • Publishes/signs records • Accepts DS records • Sends DS to registry • Provides UI for mgmt • Signs zones • Publishes all records • Provides UI for mgmt • Enables DNSSEC (unless automatic)
DNSSEC Signing – Current State • Most TLDs now signed • including “new gTLDs” • Common DNS servers all support DNSSEC • Second-level domain support ranges from 100% in .BANK and 89% in .GOV down to < 1% in .COM • Still small % overall. 25 https://www.internetsociety.org/deploy360/d nssec/maps/
DNSSEC Signing – Second-level domains 26https://rick.eng.br/dnssecstat/
DNSSEC and TLS/SSL 27
Why Do I Need DNSSEC If I Have TLS? • A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) • Transport Layer Security (TLS), sometimes called by its older name of “SSL”, solves a different issue – it provides encryption and protection of the communication between the browser and the web server 28
The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver example.com? 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4
The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 Is this encrypted with the CORRECT certificate? example.com?
What About This? 31 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall (or attacker) https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
Problems? 32 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
Problems? 33 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ Log files or other servers Potentially including personal information TLS-encrypted web page with NEW certificate (re-signed by firewall)
Issues • A Certificate Authority (CA) can sign ANY domain. • Now over 1,500 CAs – there have been compromises where valid certs were issued for domains. • Middle-boxes such as firewalls can re-sign sessions. 34
DNS-Based Authentication of Named Entities (DANE) Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. An application that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate. 35
A Powerful Combination • TLS = encryption + limited integrity protection • DNSSEC = strong integrity protection • How to get encryption + strong integrity protection? • TLS + DNSSEC = DANE 36
DANE 37 Web Server Web Browser w/DANE https://example.com/ TLS-encrypted web page with CORRECT certificate DNS Server 10.1.1.123 DNSKEY RRSIGs TLSA 1 2Firewall (or attacker) https://example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)Log files or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. example.com?
DANE Success – Not Just For The Web SMTP 1000+ SMTP servers with TLSA records http://dane.sys4.de/ - testing service XMPP (Jabber) 400+ servers client-to-server & server-to-server https://xmpp.net/reports.php#dnssecdane 38
DANE Resources DANE Overview and Resources: http://www.internetsociety.org/deploy360/resources/dane/ IETF Journal article explaining DANE: http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: http://tools.ietf.org/html/rfc6394 RFC 6698 – DANE Protocol: http://tools.ietf.org/html/rfc6698 39
DNS Privacy 40
DNS Privacy • Issue - Queries from local DNS “stub resolver” (in PC, laptop, smartphone) to local DNS resolver are sent in clear • Surveillance of those queries can be revealing • Solution – Encrypt the connection
DNS Privacy 42 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
DNS Privacy – Work Underway Now • IETF “DPRIVE” Working Group • New standards emerging– DNS queries over TLS • Expect to see implementations in software and operating systems in the future
Business Reasons For Deploying DNSSEC • TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers. • SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking. • INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates. • CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet. 44
Three Requests For Attendees 1. Deploy DNSSEC validation (or ask your IT team / network operator) 1. Sign your domains • Work with your registrar and/or DNS hosting provider to make this happen. 2. Help promote support of DANE protocol • Let browser vendors and others know you want to use DANE. If you use SSL, deploy a TLSA record if you are able to do so. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120 Thank you. 46 Dan York Senior Content Strategist – york@isoc.org

Recommended

ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSDeploy360 Programme (Internet Society)
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterDeploy360 Programme (Internet Society)
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)Deploy360 Programme (Internet Society)
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECDeploy360 Programme (Internet Society)
 
Deploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape TownDeploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape TownDeploy360 Programme (Internet Society)
 
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6labION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6labDeploy360 Programme (Internet Society)
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDeploy360 Programme (Internet Society)
 
ION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get InvolvedION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get InvolvedDeploy360 Programme (Internet Society)
 

Recommended

ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSDeploy360 Programme (Internet Society)
 
IETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterIETF Update: Making the Internet Work Better
IETF Update: Making the Internet Work BetterDeploy360 Programme (Internet Society)
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)Deploy360 Programme (Internet Society)
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECDeploy360 Programme (Internet Society)
 
Deploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape TownDeploying DNSSEC: A .ZA Case Study - ION Cape Town
Deploying DNSSEC: A .ZA Case Study - ION Cape TownDeploy360 Programme (Internet Society)
 
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6labION Islamabad - DANE/DNSSEC/TLS Testing in the go6lab
ION Islamabad - DANE/DNSSEC/TLS Testing in the go6labDeploy360 Programme (Internet Society)
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDeploy360 Programme (Internet Society)
 
ION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get InvolvedION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get InvolvedDeploy360 Programme (Internet Society)
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECDeploy360 Programme (Internet Society)
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSDeploy360 Programme (Internet Society)
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Deploy360 Programme (Internet Society)
 
ION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overviewION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overviewDeploy360 Programme (Internet Society)
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryDeploy360 Programme (Internet Society)
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSECCarlos Martinez Cagnazzo
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationKevin Meynell
 
ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsDeploy360 Programme (Internet Society)
 
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...nullhandle
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubDecentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubKlaraOrban
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Appunti di Diritto Privato: Saggi
Appunti di Diritto Privato: SaggiAppunti di Diritto Privato: Saggi
Appunti di Diritto Privato: Saggiprofman
 
2 warning
2 warning2 warning
2 warningDonna M. Lee
 

More Related Content

What's hot

DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationKevin Meynell
 
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...nullhandle
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubDecentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubKlaraOrban
 

What's hot (20)

DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
 
ION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overviewION Bucharest - ISOC & Deploy360 overview
ION Bucharest - ISOC & Deploy360 overview
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain Registry
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
ROTLD DNSSEC Implementation
ROTLD DNSSEC ImplementationROTLD DNSSEC Implementation
ROTLD DNSSEC Implementation
 
ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network Operators
 
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
Lots More LOCKSS for Web Archiving: Boons from the LOCKSS Software Re-Archite...
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
 
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin clubDecentralized possibilities with filecoin &amp; ipfs_encode filecoin club
Decentralized possibilities with filecoin &amp; ipfs_encode filecoin club
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 

Viewers also liked

Appunti di Diritto Privato: Saggi
Appunti di Diritto Privato: SaggiAppunti di Diritto Privato: Saggi
Appunti di Diritto Privato: Saggiprofman
 
State Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional ApplicationState Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional ApplicationDmitry Nortsev
 
Icann idn program se asia 0.2
Icann idn program se asia 0.2Icann idn program se asia 0.2
Icann idn program se asia 0.2Ranadaya Sa
 
APNIC Update: ARIN 37
APNIC Update: ARIN 37APNIC Update: ARIN 37
APNIC Update: ARIN 37APNIC
 
TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14Barbara L. Nelson
 
evaluating software development team
evaluating software development teamevaluating software development team
evaluating software development teamsruthy lekshmanan
 
CHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICERCHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICERTram Duong
 
Universal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readinessUniversal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readinessAPNIC
 
Identifying market segments and targets
Identifying market segments and targetsIdentifying market segments and targets
Identifying market segments and targetsFedrian Putra
 

Viewers also liked (13)

Appunti di Diritto Privato: Saggi
Appunti di Diritto Privato: SaggiAppunti di Diritto Privato: Saggi
Appunti di Diritto Privato: Saggi
 
2 warning
2 warning2 warning
2 warning
 
State Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional ApplicationState Support of Youth Initiatives The Experience of Regional Application
State Support of Youth Initiatives The Experience of Regional Application
 
Icann idn program se asia 0.2
Icann idn program se asia 0.2Icann idn program se asia 0.2
Icann idn program se asia 0.2
 
APNIC Update: ARIN 37
APNIC Update: ARIN 37APNIC Update: ARIN 37
APNIC Update: ARIN 37
 
ION Hangzhou - About IETF
ION Hangzhou - About IETFION Hangzhou - About IETF
ION Hangzhou - About IETF
 
TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14TamiamiTrailBrwnflds11-10-14
TamiamiTrailBrwnflds11-10-14
 
eBrochure
eBrochureeBrochure
eBrochure
 
evaluating software development team
evaluating software development teamevaluating software development team
evaluating software development team
 
CHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICERCHIEF SALES & MARKETING OFFICER
CHIEF SALES & MARKETING OFFICER
 
Universal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readinessUniversal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readiness
 
Tank sluice with tower head
Tank sluice with tower headTank sluice with tower head
Tank sluice with tower head
 
Identifying market segments and targets
Identifying market segments and targetsIdentifying market segments and targets
Identifying market segments and targets
 

Similar to ION Bucharest - Deploying DNSSEC

DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic ManagerDNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic ManagerDSorensenCPR
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 

Similar to ION Bucharest - Deploying DNSSEC (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project Poster
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic ManagerDNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case Study
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNS
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 

More from Deploy360 Programme (Internet Society)

More from Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

ION Bucharest - Deploying DNSSEC

  • 1. Internet Society © 1992–2016 The role of the Internet Society (this report describes the timeline of activities of the Internet Society from the submission of the proposal to NTIA in March 2016 until September 30, 2016) The IANA Stewardship Transition Kathy Brown President & CEO October 6, 2016 Presentation title – Client name 1
  • 2. Internet Society © 1992–2016 ION Bucharest October 12, 2016 Dan York, CISSP DNSSEC Program Manager – york@isoc.org Deploying DNSSEC 2
  • 3. Trusted Internet 3 Trust in privacy of information (ex. encryption) Trust in online identity systems (ex. Kantara) Trust in network communication (ex. TLS, DANE) Trust in Internet identifiers (ex. DNSSEC) Trust in the Internet’s core infrastructure (ex. MANRS) Trust in cryptography (ex. Cryptech)
  • 5. Email Hijacking CERT-CC researchers have identified that someone was hijacking email by using DNS cache poisoning of MX records Could be prevented by DNSSEC deployment CERT-CC (Sept 10, 2014): — https://www.cert.org/blogs/certcc/post.cfm?EntryID=206 Deploy360 blog post (Sept 12, 2014): — http://wp.me/p4eijv-5jI
  • 6. What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" • Defined in RFCs 4033, 4034, 4035 • Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain… 6
  • 7. A Normal DNS Interaction 7 Web Server Web Browser https://example.com/ web page DNS Resolver example.com? 1 2 3 4 10.1.1.123 Resolver checks its local cache. If it has the answer, it sends it back. example.com 10.1.1.123 If not…
  • 8. A Normal DNS Interaction 8 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
  • 9. DNS Works On Speed First result received by a DNS resolver is treated as the correct answer. Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: Getting to the correct point in the network to provide faster responses; Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses) 9
  • 10. Attacking DNS 10 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 192.168.2.2 4 Attacking DNS Svr example.com 192.168.2.2 example.com NS .com NS example.com?
  • 11. A Poisoned Cache 11 Web Server Web Browser https://example.com/ web page DNS Resolver 1 2 3 4 192.168.2.2 Resolver cache now has wrong data: example.com 192.168.2.2 This stays in the cache until the Time-To-Live (TTL) expires! example.com?
  • 12. How Does DNSSEC Help? DNSSEC introduces new DNS records for a domain: • RRSIG – a signature ("hash") of a set of DNS records • DNSKEY – a public key that a resolver can use to validate RRSIG A DNSSEC-validating DNS resolver: Uses DNSKEY to perform a hash calculation on received DNS records Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server. 12
  • 13. A DNSSEC Interaction 13 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com?
  • 14. A DNSSEC Interaction 14 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
  • 15. The Global Chain of Trust 15 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS DS .com NS DS example.com?
  • 16. Attempting to Spoof DNS 16 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
  • 17. Attempting to Spoof DNS 17 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 DNSKEY RRSIGs 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 SERVFAIL 4 Attacking DNS Svr example.com 192.168.2.2 DNSKEY RRSIGs example.com NS DS .com NS DS example.com?
  • 18. What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 18 10/12/2016
  • 19. The Two Parts of DNSSEC 19 Signing Validating ISPs Enterprises Applications DNS Hosting Registrars Registries
  • 20. What DNSSEC Proves: • "These ARE the IP addresses you are looking for." (or they are not) • Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user. 20 10/12/2016
  • 21. DNSSEC Validation – Current State • About 15% of all global DNS queries validated • ~20% of all European DNS queries validated • All major DNS resolvers support DNSSEC validation – often with a simple config change 21 http://stats.labs.apnic.net/dnssec
  • 22. DNSSEC Validation – Romania 22http://stats.labs.apnic.net/dnssec
  • 23. DNSSEC Validation – Romania 23http://stats.labs.apnic.net/dnssec
  • 24. DNSSEC Signing - The Individual Steps 24 Registry Registrar DNS Operator (or ”DNS Hosting Provider”) Domain Name Registrant • Signs TLD • Accepts DS records • Publishes/signs records • Accepts DS records • Sends DS to registry • Provides UI for mgmt • Signs zones • Publishes all records • Provides UI for mgmt • Enables DNSSEC (unless automatic)
  • 25. DNSSEC Signing – Current State • Most TLDs now signed • including “new gTLDs” • Common DNS servers all support DNSSEC • Second-level domain support ranges from 100% in .BANK and 89% in .GOV down to < 1% in .COM • Still small % overall. 25 https://www.internetsociety.org/deploy360/d nssec/maps/
  • 26. DNSSEC Signing – Second-level domains 26https://rick.eng.br/dnssecstat/
  • 28. Why Do I Need DNSSEC If I Have TLS? • A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) • Transport Layer Security (TLS), sometimes called by its older name of “SSL”, solves a different issue – it provides encryption and protection of the communication between the browser and the web server 28
  • 29. The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver example.com? 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4
  • 30. The Typical TLS Web Interaction Web Server Web Browser https://example.com/ TLS-encrypted web page DNS Resolver 10.1.1.1231 2 5 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 Is this encrypted with the CORRECT certificate? example.com?
  • 31. What About This? 31 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall (or attacker) https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
  • 32. Problems? 32 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)
  • 33. Problems? 33 Web Server Web Browser https://www.example.com/ TLS-encrypted web page with CORRECT certificate DNS Server www.example.com? 1.2.3.4 1 2 Firewall https://www.example.com/ Log files or other servers Potentially including personal information TLS-encrypted web page with NEW certificate (re-signed by firewall)
  • 34. Issues • A Certificate Authority (CA) can sign ANY domain. • Now over 1,500 CAs – there have been compromises where valid certs were issued for domains. • Middle-boxes such as firewalls can re-sign sessions. 34
  • 35. DNS-Based Authentication of Named Entities (DANE) Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. An application that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate. 35
  • 36. A Powerful Combination • TLS = encryption + limited integrity protection • DNSSEC = strong integrity protection • How to get encryption + strong integrity protection? • TLS + DNSSEC = DANE 36
  • 37. DANE 37 Web Server Web Browser w/DANE https://example.com/ TLS-encrypted web page with CORRECT certificate DNS Server 10.1.1.123 DNSKEY RRSIGs TLSA 1 2Firewall (or attacker) https://example.com/ TLS-encrypted web page with NEW certificate (re-signed by firewall)Log files or other servers DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. example.com?
  • 38. DANE Success – Not Just For The Web SMTP 1000+ SMTP servers with TLSA records http://dane.sys4.de/ - testing service XMPP (Jabber) 400+ servers client-to-server & server-to-server https://xmpp.net/reports.php#dnssecdane 38
  • 39. DANE Resources DANE Overview and Resources: http://www.internetsociety.org/deploy360/resources/dane/ IETF Journal article explaining DANE: http://bit.ly/dane-dnssec RFC 6394 - DANE Use Cases: http://tools.ietf.org/html/rfc6394 RFC 6698 – DANE Protocol: http://tools.ietf.org/html/rfc6698 39
  • 41. DNS Privacy • Issue - Queries from local DNS “stub resolver” (in PC, laptop, smartphone) to local DNS resolver are sent in clear • Surveillance of those queries can be revealing • Solution – Encrypt the connection
  • 42. DNS Privacy 42 Web Server Web Browser https://example.com/ web page DNS Resolver 10.1.1.123 1 25 6 DNS Svr example.com DNS Svr .com DNS Svr root 3 10.1.1.123 4 example.com NS .com NS example.com?
  • 43. DNS Privacy – Work Underway Now • IETF “DPRIVE” Working Group • New standards emerging– DNS queries over TLS • Expect to see implementations in software and operating systems in the future
  • 44. Business Reasons For Deploying DNSSEC • TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers. • SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking. • INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates. • CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet. 44
  • 45. Three Requests For Attendees 1. Deploy DNSSEC validation (or ask your IT team / network operator) 1. Sign your domains • Work with your registrar and/or DNS hosting provider to make this happen. 2. Help promote support of DANE protocol • Let browser vendors and others know you want to use DANE. If you use SSL, deploy a TLSA record if you are able to do so. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
  • 46. Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120 Thank you. 46 Dan York Senior Content Strategist – york@isoc.org