Transcription
Slide 1: What's Next in DNSSEC: Securing the Domain Name System (DNS)
Dept. of Homeland Security Science & Technology Directorate
FOSE 2010, Washington, DC, March 24, 2010
Douglas Maughan, Ph.D., Program Manager, CCI
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170
Slide 2: Why are we here today?
- Update from last year's GovSec session, "The Keys to Deploying DNSSEC: Managing and Meeting Your OMB Domain Name System Requirements"
- Discuss Federal Government activities with DNSSEC
- Hear from those "Beyond Federal Government": early adopters
- Vendor panel: lessons learned from deployment with Government and other customers
- FOSE Exhibit Floor: DNSSEC Pavilion
Slide 3: National Strategy to Secure Cyberspace
- The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness
- NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS: the DNSSEC Deployment Coordination Initiative
"The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives."
Slide 4: DNSSEC Initiative Performers
Performers: Shinkuro (Washington, DC); Sparta (Columbia, MD); NIST (Gaithersburg, MD)
Activities across the performers:
- Roadmap development and execution
- Software development: servers, resolvers, applications
- Internet standards activities
- International partner participation
- Support tool development
- Outreach: web presence
- Measurement and evaluation tools
- Government and standards activities
- Connections with GSA, FISMA, and OMB
Slide 5: DNSSEC Initiative Activities
- Roadmap published in February 2005; revised March 2007
- Multiple workshops held world-wide
- Involvement with numerous deployment pilots
- DNSSEC testbed developed by NIST: http://www.dnsops.gov/
- Formal publicity and awareness plan including newsletter, blog, wiki: www.dnssec-deployment.org/
- Working with civilian government (.gov) to develop policy and technical guidance for secure DNS operations, and beginning deployment activities at all levels
- Working with the vendor community and others to promote DNSSEC capability and awareness in their software or projects
Slide 6: DNSSEC Roadmap (http://www.dnssec-deployment.org)
Identifies the following activities:
- Remaining R&D issues
- Software development: server, resolver, applications
- Operational considerations: root, registries, registrants
- Measurement and evaluation
- Outreach and training
Slide 7: DNSSEC Tools (http://www.dnssec-tools.org)
Identifies the following available open-source tools, grouped by audience:
- Authoritative zones
- Authoritative servers
- Recursive servers
- Applications
- Application developers
Slide 8: Incremental Deployment
- A global ecosystem that benefits when all participate
- Registries, registrars, ISPs: work through various readiness levels
- Enterprise: internal deployment as part of corporate system integrity and protection; distinguish between safe and questionable sites
Slide 9: NIST Effort - SNIP
Secure Naming Infrastructure Pilot (SNIP). Aiding deployment by:
- Providing a connected training ground: educational resources/guides, modeling infrastructures, testbed for systems
- Relying on user participation
- Aid in deployment, not a proof-of-concept experiment
Slide 10: OMB memo (image of the memo; link fragment as transcribed: 08/m08-23.pdf)
Slide 11: OMB DNSSEC Memo
- Discussions began back in 2006 with OMB/OSTP
- Specific purposes:
  - Introduction to DNSSEC
  - Reminder of existing security controls
  - Announcement of plans to sign the .gov domain (completed in January 2009)
  - Instructions for each agency to develop plans for the deployment of DNSSEC to all applicable systems
  - Identifies other sources of information
  - Discusses training available (from the DNSSEC team)
Slide 12: DNSSEC Summary
- The Domain Name System has vulnerabilities
  - Being exploited; most recent demonstrations in Aug 2008, Google Aurora
- Fixing it requires significant involvement with governments and private sector entities: ICANN, USG, foreign governments, domain owners, domain name registrars
- There is a lack of customer "pull" for DNSSEC deployment
- Government needs to set the example, and we believe we are doing that with OMB and GSA
- Still plenty of work to do
Slide 13: Contact
Douglas Maughan, Ph.D., Program Manager, CCI
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170
http://www.cyber.st.dhs.gov
For more information, visit http://www.dnssec-deployment.org
Slide 14: Resources
- Reference: DNS and BIND, Albitz & Liu, O'Reilly & Associates
- FAQ: d 8
- BIND9 Administrator Reference Manual: http://www.bind9.net/manuals
- RFCs: http://www.rfc-editor.org/ http://www.ietf.org/ http://www.dnssec.net/rfc ftp://ftp.ripe.net/rfc/
- Drafts: http://www.ietf.org http://tools.ietf.org/wg/dnsop/ http://tools.ietf.org/wg/dnsext/ http://www.dnssec.net/drafts ftp://ftp.ripe.net/internet-drafts/
Slide 15: Additional Resources
- Link fragment as transcribed: e.net/disi/
- Papers from the 5th USENIX UNIX Security Symposium, Salt Lake City, Utah, June 1995:
  - P. Vixie: DNS and BIND Security Issues (link fragment as transcribed: ings/security95/vixie.html)
  - S. Bellovin: Using the DNS for Break-ins (link fragment as transcribed: ings/security95/bellovin.html)
Slide 16: Related mailing lists
- dns-operations@lists.dns-oarc.net: DNS OARC
- dnsop@ietf.org: IETF DNSOP
- namedroppers@ops.ietf.org: DNSEXT IETF working group (DNS protocol development)
- techsec@ripe.net: RIPE Technical Security working group
- dns-wg@ripe.net: RIPE DNS working group
Slide 17: Domain Name System and Security
- Critical Internet infrastructure component: virtually every Internet application uses the DNS
- The DNS database maps name to IP address (for example: www.dhs.gov -> 206.18.104.198) and holds many other mappings (mail servers, IPv6, reverse, ...)
- DNSSEC: cryptographic signatures in the DNS
  - Assures integrity of results returned from DNS queries
  - Protects against tampering in caches and during transmission
  - The end-system checks the chain of signatures up to the root
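The "chain of signatures up to the root" on this slide, worked through as an added example that is not part of the deck and not one of the DNSSEC Deployment Initiative's tools. The Go program below builds a constructed three-zone hierarchy (root, gov., dhs.gov.) with one Ed25519 key per zone (DNSSEC algorithm 15, RFC 8080), computes each DS record the way RFC 4034 section 5.1.4 and RFC 4509 specify (SHA-256 over the owner name in wire format followed by the DNSKEY RDATA), and then plays the validating end-system: starting from a trust anchor it checks, zone by zone, that the DNSKEY matches the parent's DS, that the DNSKEY is self-signed, and that the DS for the next zone is signed, before accepting the A record. It also shows why the spoofing problem on the later "Why is the DNS so Vulnerable?" slide is addressed: a substituted answer with a stale signature is rejected. The zone names and the www.dhs.gov address come from the slide; the forged address 192.0.2.1, the single key per zone (real zones usually split KSK and ZSK), and the simplified signed message (one record rather than a canonical RRset, and no RRSIG header with validity window or key tag) are assumptions made to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

type rec struct{ Rdata, Sig []byte } // one record's RDATA plus the RRSIG made over it

// Zone is a constructed toy zone: one Ed25519 key (DNSSEC algorithm 15, RFC 8080) used as
// both KSK and ZSK, which is an assumption; real zones usually split the two roles.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Key  rec            // this zone's DNSKEY, self-signed
	DS   map[string]rec // child zone name -> DS digest of the child's DNSKEY
	A    map[string]rec // owner name -> IPv4 address as text
}

// ownerWire gives a name in DNS wire format: lowercased, length-prefixed labels, zero-terminated.
func ownerWire(name string) []byte {
	var out []byte
	for _, l := range strings.FieldsFunc(strings.ToLower(name), func(r rune) bool { return r == '.' }) {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// dnskeyRdata builds DNSKEY RDATA: flags 0x0101 = 257 (ZONE|SEP), protocol 3, algorithm 15, key bytes.
func dnskeyRdata(pub ed25519.PublicKey) []byte { return append([]byte{1, 1, 3, 15}, pub...) }

// dsDigest is the RFC 4034 section 5.1.4 DS digest with SHA-256 (digest type 2, RFC 4509):
// SHA-256(owner name in wire format || DNSKEY RDATA). The parent publishes it for the child.
func dsDigest(owner string, pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(append(ownerWire(owner), dnskeyRdata(pub)...))
	return sum[:]
}

// rrBytes is the simplified signed message assumed here; a real RRSIG covers a whole
// canonical RRset plus its own header (validity window, key tag), which is omitted.
func rrBytes(owner, rrtype string, rdata []byte) []byte {
	return append(append(ownerWire(owner), rrtype...), rdata...)
}
func (z *Zone) sign(owner, rrtype string, rdata []byte) rec {
	return rec{rdata, ed25519.Sign(z.priv, rrBytes(owner, rrtype, rdata))}
}
func verify(pub ed25519.PublicKey, owner, rrtype string, r rec) bool {
	return ed25519.Verify(pub, rrBytes(owner, rrtype, r.Rdata), r.Sig)
}

func newZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	z := &Zone{Name: name, pub: pub, priv: priv, DS: map[string]rec{}, A: map[string]rec{}}
	z.Key = z.sign(name, "DNSKEY", dnskeyRdata(pub))
	return z
}

// Delegate publishes a signed DS record for child in the parent zone z; AddA publishes a signed A record.
func (z *Zone) Delegate(child *Zone) {
	z.DS[child.Name] = z.sign(child.Name, "DS", dsDigest(child.Name, child.pub))
}
func (z *Zone) AddA(owner, addr string) { z.A[owner] = z.sign(owner, "A", []byte(addr)) }

// Validate is the end-system chain walk from the slide: from the trust anchor (the DS digest of
// the root key) down, each zone's DNSKEY must hash to the DS its parent published and be
// self-signed, each DS must be signed by the parent key, and the leaf's A record by the leaf key.
func Validate(chain []*Zone, trustAnchor []byte, owner string) (string, error) {
	expectedDS := trustAnchor
	for i, z := range chain {
		if string(dsDigest(z.Name, z.pub)) != string(expectedDS) {
			return "", fmt.Errorf("%s: DNSKEY does not match DS from parent", z.Name)
		}
		if !verify(z.pub, z.Name, "DNSKEY", z.Key) {
			return "", fmt.Errorf("%s: bad RRSIG over DNSKEY", z.Name)
		}
		if i+1 < len(chain) {
			child := chain[i+1].Name
			ds, ok := z.DS[child]
			if !ok || !verify(z.pub, child, "DS", ds) {
				return "", fmt.Errorf("%s: missing or bad RRSIG over DS for %s", z.Name, child)
			}
			expectedDS = ds.Rdata // the next zone's DNSKEY must hash to this
		} else if a, ok := z.A[owner]; ok && verify(z.pub, owner, "A", a) {
			return string(a.Rdata), nil
		} else {
			return "", fmt.Errorf("%s: missing or bad RRSIG over A %s", z.Name, owner)
		}
	}
	return "", fmt.Errorf("empty chain")
}

// BuildExample constructs the chain root -> gov. -> dhs.gov. with the slide's www.dhs.gov mapping.
func BuildExample() ([]*Zone, []byte) {
	root, gov, dhs := newZone("."), newZone("gov."), newZone("dhs.gov.")
	root.Delegate(gov)
	gov.Delegate(dhs)
	dhs.AddA("www.dhs.gov.", "206.18.104.198")
	return []*Zone{root, gov, dhs}, dsDigest(".", root.pub)
}

func main() {
	chain, anchor := BuildExample()
	fmt.Println(Validate(chain, anchor, "www.dhs.gov."))
	// A poisoned cache entry: the address changes but the RRSIG does not, so validation fails.
	chain[2].A["www.dhs.gov."] = rec{[]byte("192.0.2.1"), chain[2].A["www.dhs.gov."].Sig}
	fmt.Println(Validate(chain, anchor, "www.dhs.gov."))
}
```

The trust anchor is the only thing the validator takes on faith; everything else is derived by hashing and signature checks, which is why the chain breaks just as reliably when a parent's DS is wrong as when a leaf record is altered. A production validator additionally has to fetch the DNSKEY, DS and RRSIG RRsets over the network, apply the canonical RRset form and RRSIG header from RFC 4034, honor signature validity windows, and handle unsigned (insecure) delegations proven by NSEC or NSEC3 records; none of that changes the shape of the walk shown here.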
Slide 18: The Domain Name System
- The DNS database maps name to IP address (www.dhs.gov -> 206.18.104.198) and holds many other mappings (mail servers, IPv6, reverse, ...)
- Data is organized as a tree structure: each zone is authoritative for its own data, with minimal coordination between zone operators
[Figure: tree of zones. Labels as transcribed: root, .edu, isi, .mil, darpa, .ru, usmc, mil, ngealpha]
Slide 19: DNS Name Resolution
[Figure: resolution path between the "End" user, the Zone Server, the Root Server, the TLD Server, and the Other Servers]
Important "Other" servers include: ISP, Enterprise, Local DNS Server, Hotel/travel, Public WLAN
Slide 20: Why is the DNS so Vulnerable?
- Designed in the 1980s, when the trust model and the threat model were very different from today
  - Attack the trust model and you can change the way information is found and exchanged on the Internet
- Optimized for fast query/response times, not for authenticity or integrity
- Trust is implied: legitimate queries and legitimate replies are expected
- DNS threats identified in the early 1990s
- Attacks via and against the DNS are increasing; the August 2008 Kaminsky bug is a prime example
- Attacks are becoming costly and difficult to remedy
Slide 21: What and Who are the DNS (and DNSSEC) Players and Pieces?
[Figure: the DNS and DNSSEC "Content Picture". Content starts with Registrants and flows through Registrars to Registries (the content responsibility area), is published by Zone Name Servers (the publication area; "DNSSEC fits here"), flows on to DNS Resolvers, and is used by User Applications.]