DNSSEC - PowerPoint PPT Presentation

About This Presentation
Title: DNSSEC

Description: ICANN - Cape Town 11/30/2004. Facts ... ICANN - Cape Town 11/30/2004. Security problem? An attack begins by identifying your target: ...

Slides: 11
Provided by: marco104
Learn more at: http://www.wwtld.org

Transcript and Presenter's Notes

Title: DNSSEC


1
  • DNSSEC and the Zone Enumeration
  • Andreas Baess
  • DENIC eG
  • baess_at_denic.de

2
Abstract
  • Known Facts
  • Claimed problems
  • Way ahead

3
Facts
  • The introduction of DNSSEC with the current form
    of the specification provides Zone Enumeration
  • http://josefsson.org/walker/
  • An authoritative denial of existence of a given
    domain name delivers as a proof the next existing
    domain name.
  • There were protocol changes to refuse AXFR
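
The denial-of-existence behaviour described on this slide, shown as an added example that is not part of the original presentation: an offline Python model of an NSEC chain over a constructed zone under the reserved `test` TLD. The function names and sample names are assumptions made for illustration, and nothing here queries a server.

```python
# Added illustration: offline model of NSEC denial of existence (RFC 4034).
# ZONE is constructed sample data under the reserved "test" TLD.
from bisect import bisect_right

def canonical_key(name):
    """Canonical DNS order (RFC 4034, 6.1): compare labels right to left,
    lowercased, as byte strings; a missing label sorts first."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))

def build_nsec_chain(names):
    """Return {owner: next_owner}: the ring of NSEC records a signer publishes."""
    ordered = sorted({n.lower() for n in names}, key=canonical_key)
    return {o: ordered[(i + 1) % len(ordered)] for i, o in enumerate(ordered)}

def denial_of_existence(chain, qname):
    """Return the (owner, next) NSEC pair that proves an in-zone qname is
    absent, or None when qname exists."""
    qname = qname.lower()
    if qname in chain:
        return None
    ordered = sorted(chain, key=canonical_key)
    keys = [canonical_key(o) for o in ordered]
    # Last existing name sorting before qname; the final NSEC wraps to the apex.
    owner = ordered[bisect_right(keys, canonical_key(qname)) - 1]
    return owner, chain[owner]

def names_linked_from(chain, apex):
    """Every name reachable by following 'next' fields from the apex."""
    seen, current = [apex], chain[apex]
    while current != apex:
        seen.append(current)
        current = chain[current]
    return seen

ZONE = ["test", "alpha.test", "delta.test", "www.delta.test",
        "kilo.test", "zulu.test"]  # constructed sample zone
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    # Each proof of absence names two entries that do exist.
    for q in ("charlie.test", "mail.delta.test", "zzz.test"):
        print(q, "->", denial_of_existence(CHAIN, q))
    print(names_linked_from(CHAIN, "test"))
```

`www.delta.test` sorts directly after `delta.test` because canonical order compares labels right to left, so a plain string sort would build a different chain.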

4
Facts
  • Some key players for a successful widespread
    deployment of DNSSEC consider this as a problem
  • Security problem?
  • Policy problem?
  • Legal problem?

5
Security problem?
  • An attack begins by identifying your target:
    http://www.research.att.com/smb/papers/dnshack.pdf
  • But domain names can be gathered by other means,
    for instance, dictionary attacks
  • German English dictionary, John the Ripper:
    1% of the de-zone
  • Brute force on all 8-characters delivers 13% of
    the de-zone.
  • com-zone as a dictionary: 42% of the nl-zone

6
Policy problem?
  • DNS information is public...
  • ...there's a qualitative difference between
  • Making data available as a query/response
    mechanism
  • Making data available as a compilation
  • DENIC's policy: http://www.denic.de/en/faqs/allgemeine_faqs/index.html#section_185

7
Legal problem?
  • IANAL
  • Nominet's position: http://ops.ietf.org/lists/namedroppers/namedroppers.2004/msg00687.html
  • DENIC's position
  • In conflict with Germany's Federal Data
    Protection Act

8
Way ahead
  • IETF dnsext wg decided to advance the current
    specification as a proposed standard
  • Immediately started to work on the problem
    following The Engineering Way (TM)
  • Listing the requirements for a denial of
    existence
  • Weighting their relevance, since sometimes
    trade-offs exist
  • Evaluating proposals

9
Working documents
  • http://www.ietf.org/internet-drafts/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt
  • http://www.links.org/dnssec/requirements-matrix3.htm
  • http://www.links.org/dnssec/draft-laurie-dnsext-nsec2-02.txt
  • http://www.ietf.org/internet-drafts/draft-arends-dnsnr-00.txt
  • http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-trans-01.txt

10
Many thanks for your attention!
Any questions?