Challenges Faced in DNSSEC Deployment by Geoff Huston at APNIC June 2016

Slide Note
Embed
Share

Geoff Huston addresses the challenges of DNSSEC deployment, discussing turning on validation in Bind configurations, reasons why it may be perceived as difficult, and the importance of DNSSEC in enhancing security within the DNS. Despite concerns about increased resolution time and limited signed names, Huston emphasizes the need for DNSSEC adoption and highlights the potential for optimization in DNSSEC validation processes.

seraphine
seraphine Follow

Uploaded on Aug 23, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. DNSSEC Deployment Challenges Geoff Huston APNIC June 2016

  2. Turning Validation on Bind Config

  3. Turning Validation on Bind Config Yes, it really is a one line config entry!

  4. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today!

  5. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! One line of config in a recursive resolver!

  6. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! As with all things in the DNS, this is not necessarily true Cached answers will take no longer to resolve from a validating resolver as compared to a non-validating resolver Retrieving DNSSEC credentials take queries, and queries take time Currently, DNSSEC validation queries are serialized in most resolvers. This time could be reduced if these queries were parallelised

  7. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! Yes, that s what it s meant to do!

  8. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! But DNSSEC has incremental outcomes That benefit partial deployment : You can improve the integrity of YOUR name by signing it with DNSSEC!

  9. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! That assumes structural DNS censorship is not in and of itself an attack on the integrity of the DNS!

  10. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! truth then you can t lie! True but what do users want from the DNS? If they want the

  11. Why Not? It s too hard It will take more time to resolve a name It will block out names with invalid DNSSEC signatures Too few names are signed to make a difference Attacks on the DNS are too rare to raise concerns Many folk rely on lies in the DNS DNS64, national content blocking measures, forced proxy redirection No browser wants to commit to DANE to take a positive step in cleaning up the putrid rotting security fiasco that is CA certificates today! Is ever so slightly faster really better than vulnerability to third party attack via compromised CAs?

  12. But maybe there is a point here Is having resolvers validate what they provide back to the query agent enough to improve the security of the DNS? If you can intrude in an open conversation between the client and their resolver then MITM attacks in the DNS can still take place

  13. Step 2 Validation in DNS recursive resolvers is the first step We also need to also think about some further steps: Push DNSSEC validation all the way back to the client application Such as GetDNS (https://getdnsapi.net) Secure the conversation between the application and a trusted recursive validating resolver Such as https://dns.google.com (re)introduce DANE to browsers using DNSSEC credential stapling https://www.imperialviolet.org/2011/06/16/dnssecchrome.html https://tools.ietf.org/html/draft-shore-tls-dnssec-chain-extension-02

  14. Thanks! DNSSEC Reports: http://stats.labs.apnic.net/dnssec

Related


Insights on IPv6 Reliability Measurements by Geoff Huston at APNIC

Insights on IPv6 Reliability Measurements by Geoff Huston at APNIC

cascone_h
Evolution of DNSSEC Implementation at Nominet

Evolution of DNSSEC Implementation at Nominet

hieu_7
SaudiNIC's Experience in Deploying DNSSEC

SaudiNIC's Experience in Deploying DNSSEC

pray
Enhancing WHOIS Updates with DNSSEC, ASPLAIN, and Abuse Contact Implementation

Enhancing WHOIS Updates with DNSSEC, ASPLAIN, and Abuse Contact Implementation

lash_9
An In-Depth Look at QUIC Protocol

An In-Depth Look at QUIC Protocol

dala866
Exploring DANE, DNSSEC, and TLS in Go6Lab

Exploring DANE, DNSSEC, and TLS in Go6Lab

kasz640
DNS Testing and Signatures Rollover Analysis

DNS Testing and Signatures Rollover Analysis

naif959
Modern Strategies for Application Deployment: A Comprehensive Overview

Modern Strategies for Application Deployment: A Comprehensive Overview

mon_len
Streamlining Image Deployment with Windows Deployment Service and MDT

Streamlining Image Deployment with Windows Deployment Service and MDT

iver
Implementing Effective Procurement Strategies at Huston-Tillotson University

Implementing Effective Procurement Strategies at Huston-Tillotson University

aurelia
Understanding DNSSEC: Adding Digital Signatures to DNS Responses

Understanding DNSSEC: Adding Digital Signatures to DNS Responses

sdaco
Evaluation of Ed25519 Cryptography Performance in DNSSEC Validation

Evaluation of Ed25519 Cryptography Performance in DNSSEC Validation

lresc
DNS Research Federation: Advancing Understanding of Cybersecurity Impact

DNS Research Federation: Advancing Understanding of Cybersecurity Impact

bri_k
Power BI Deployment Pipelines - April 2021

Power BI Deployment Pipelines - April 2021

theodora
Practical Implementation of Machine Learning by Geoff Hulten

Practical Implementation of Machine Learning by Geoff Hulten

nilt889
APNIC Foundation Update and Grant Overview

APNIC Foundation Update and Grant Overview

pmar
APNIC Internet Resource Analyst Update

APNIC Internet Resource Analyst Update

kmarn
Understanding IPv6 ISP Performance: A Detailed Analysis by Geoff Huston

Understanding IPv6 ISP Performance: A Detailed Analysis by Geoff Huston

kai_718
Network Deployment and Monitoring Overview

Network Deployment and Monitoring Overview

taka_901
RPKI Deployment and Security Overview

RPKI Deployment and Security Overview

boehlke_j
Understanding QUIC: A Quick Overview by Geoff Huston

Understanding QUIC: A Quick Overview by Geoff Huston

cging
Understanding UML Deployment Diagrams

Understanding UML Deployment Diagrams

susannah
Understanding Deployment and Separation Data in Military Healthcare

Understanding Deployment and Separation Data in Military Healthcare

mees
Automating Deployment Using TeamCity and Octopus Deploy

Automating Deployment Using TeamCity and Octopus Deploy

lwert

More Related Content