Security in DNS (DNSSEC) - PowerPoint PPT Presentation
Slides: 19
Provided by: bahado
Transcript and Presenter's Notes

1
Security in DNS(DNSSEC)
  • Yalda Edalat
  • Pramodh Pallapothu

2
Agenda
  • What is DNS?
  • Caching in DNS
  • Threats to the DNS
  • What should match in DNS transaction?
  • What is DNSSEC?
  • DNSKEY, RRSIG, NSEC, DS
  • DNSSEC issues

3
What is DNS?
  • The first step in communicating between computers that
    support IP is knowing the IP address.
  • Memorizing four decimal numbers for each web site
    is difficult.
  • Memorizing host names is easier.
  • In the beginning, SRI-NIC was responsible for maintaining
    a single file containing the IP addresses of all hosts.
  • The Internet grew rapidly, and the uniqueness of IP
    addresses had to be guaranteed.
  • This led to the creation of an Internet-wide distributed database (DNS).

4
Caching in DNS
  • To reduce the load on DNS servers.
  • A caching mechanism keeps a successful answer for a specific
    period of time (its TTL).

5
Threats to the DNS
  • Most weaknesses in DNS fall into these
    categories:
  • Cache poisoning
  • Client flooding
  • Compromise of a DNS server's authoritative data

6
Cache Poisoning
7
What should match in DNS transaction?
8
Other threats
  • Client flooding: the client sends a query, but
    receives thousands of DNS responses from the attacker.
  • Lack of authentication of responses: without
    strong authentication, the client cannot verify
    the origin of a response.
  • Compromise of a DNS server's authoritative data: the
    attacker gains administrative privileges and
    is able to modify zone information.

9
Need for more security
  • The original DNS did not include security.
  • Some commands depend on hostnames for
    authentication (the r commands in UNIX).
  • False information in DNS causes unexpected
    results.
  • Appropriate security is needed to provide
    adequate protection in DNS, and it is
    accomplished through DNSSEC.

10
DNSSEC
  • DNS Security Extensions
  • Defines additional Resource Records.
  • DNSKEY, RRSIG, NSEC and DS are four
    of those Resource Records.

11
DNSKEY
  • It is the public key for the zone and is
    published in the zone file.
  • example.com. 86400 IN DNSKEY 256 3 5 (
    AQPSKmynfzW4kyBv015MUG2DeIQ3)
  • 86400 secs -> TTL of 1 day
  • 256 -> flag value, which indicates that it is a zone
    key.
  • 3 -> protocol value
  • 5 -> RSA/SHA1; the RR data is the base64 encoding of the public key.

12
RRSIG
  • RRSIG records store digital signatures that
    were created by signing the resource records
    associated with a domain using a DNSKEY.
  • host.example.com. 86400 IN RRSIG A 5 3 86400
    20030322173103 ( 20030220173103 2642 example.com.
    oJB1W6WNGvldvQ3WDG0MQkg5IEhjRip8WTr )
  • 86400 secs -> TTL
  • A -> indicates that this is a signature over the A
    RRs for "host.example.com"
  • 5 -> RSA/SHA1

13
NSEC
  • NSEC is used to provide proof of non-existence
    of any name within a zone.
  • alfa.example.com. 86400 IN NSEC host.example.com.
    ( A MX RRSIG NSEC TYPE1234 )
  • The first four text fields specify the name, TTL,
    Class, and RR type (NSEC). The entry
    host.example.com. is the next authoritative name
    after alfa.example.com. in canonical order. The
    A, MX, RRSIG, NSEC, and TYPE1234 mnemonics
    indicate that there are A, MX, RRSIG, NSEC, and
    TYPE1234 RRsets associated with the name
    alfa.example.com.

14
DS
  • The Delegation Signer (DS) RR contains the
    hash of the public key of the child zone. This
    record is signed by the parent zone's private key
    with a matching RRSIG RR.
  • dskey.example.com. 86400 IN DS 60485 5 1 (
    2BB183AF5F22588179A53B0A 98631FAD1A292118 )
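An added example (not from the slides) of how a validator uses the NSEC and DS records shown on the previous two slides: an NSEC owner/next pair denies a name only if the queried name sorts strictly between them in DNSSEC canonical order, and a DS is the key tag plus a digest over the owner name and the child's DNSKEY RDATA. The key bytes are a constructed stand-in, because the DNSKEY base64 on the slide is truncated.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1):
    labels compared right to left, case-insensitively, shorter prefix first."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def nsec_covers(owner, next_name, qname):
    """True if NSEC 'owner -> next_name' proves qname does not exist, i.e. qname
    sorts strictly between the two names. The last NSEC in a zone points back to
    the apex, so any in-zone name after its owner is covered (wrap-around)."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B); it is the first DS field."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """Derive the DS RDATA (key tag, algorithm, digest type, digest) from a DNSKEY:
    digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4.
    digest_type 1 is SHA-1 (as in the slide's example), 2 is SHA-256."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

# Constructed stand-in for the public key bytes (not a real RSA key): the
# DNSKEY base64 on the slide is truncated, so it cannot be decoded.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()

if __name__ == "__main__":
    # beta.example.com. lies between alfa and host, so the slide's NSEC denies it
    print(nsec_covers("alfa.example.com.", "host.example.com.", "beta.example.com."))
    # What the parent would publish as the DS for this example.com. zone key
    print(ds_from_dnskey("example.com.", 256, 3, 5, SAMPLE_KEY_B64))
```

A validator accepts the DS only if the digest it computes this way over the child's DNSKEY matches the DS published (and signed) in the parent zone.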

15
How does DNSSEC work ?
16
DNSSEC issues
  • The average size of a DNS response message
    increases.
  • The zone file increases in size due to the
    addition of the additional DNSSEC records.
  • The number of DNS transactions increases due to
    the requirement to perform additional queries for
    zone public key records when constructing trust
    chains.
  • The client has to spend additional time
    validating the signed data and validating the
    public key, potentially slowing the resolution
    process.
  • The server has to generate new signatures over
    all RRset changes, which places an incremental
    load on the server function.

17
DNSSEC Reference
  • RFC 3833, A Threat Analysis of the Domain Name System
  • RFC 4033, DNS Security Introduction and Requirements
  • RFC 4034, Resource Records for the DNS Security Extensions
  • RFC 4035, Protocol Modifications for the DNS Security Extensions
  • RFC 4398, Storing Certificates in the Domain Name System (DNS)
  • NSEC3 - "DNSSEC Hashed Authenticated Denial of Existence",
    draft-ietf-dnsext-nsec3-06.txt
  • DNS and BIND, 4th Edition, Paul Albitz and Cricket Liu, O'Reilly
  • www.dnssec.org, a resource page for DNSSEC
