DNS Security Extensions (DNSSEC) - PowerPoint PPT Presentation

1 / 13
About This Presentation
Title:

DNS Security Extensions (DNSSEC)

Description:

DNS Security Extensions (DNSSEC) Ryan Dearing Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment Terminology Zone contains ... – PowerPoint PPT presentation

Number of Views:342
Avg rating:3.0/5.0
Slides: 14
Provided by: csBoises
Category:

less

Transcript and Presenter's Notes

Title: DNS Security Extensions (DNSSEC)


1
DNS Security Extensions (DNSSEC)
Ryan Dearing
2
Topics
  • History
  • What is DNS?
  • DNS Stats
  • Security
  • DNSSEC
  • DNSSEC Validation
  • Deployment

3
Terminology
  • Zone contains resource records
  • Resource Record Record with a name and value,
    (e.g www.google.com ? IP)
  • Authoritative Server server that can
    definitively answer queries for a zone
    (non-caching)
  • Master Server Authoritative server that
    contains primary copy of the zone and pushes to
    slave/secondary server
  • Slave Server Authoritative server that gets
    zone information from master server (also called
    secondary server)
  • Recursive/Caching Server server that caches
    query responses

4
Domain Name System
  • Created in 1983 by Paul Mockapetris
  • Minimal Changes to the core protocol since 1987
  • Has scaled very well
  • 190 million domains

5
DNS Hierarchy and Protocol
  • DNS uses a hierarchical model
  • Root Servers, TLD Servers, Domain Servers
  • Small Efficient UDP Packets
  • No State
  • Caching locally and atrecursive Servers
  • Serial number is incremented when zone
    information changes

6
DNS Stats
  • Verisign hosts DNS servers for .com and .net
  • Receives 52 billion queries per day
  • Peak at 61 billion queries per day
  • 48 Yearly growth
  • 13 Nameservers listed for .com and .net, but most
    likely hundreds with load balancing

7
Security
  • DNS uses a trust model, popular in the 80s when
    the Internet was small and computing power was
    low
  • If attacker manages to impersonate an
    authoritative server, they can poison the cache
    of recursive caching servers
  • Suddenly BankOfAmerica.com is going to Nigeria

8
DNSSEC
  • DNSSEC adds signing to a zone's information
  • Allows DNS responses to be validated all the way
    from the root
  • Increases zone and packet size considerably
  • Already implemented on the root servers
  • Only useful when zones start using it

9
DNSSEC Validationgoogle.com
  • Request information from root server for .com,
    verify response based on public key (publicly
    distributed). Returns key for .com
  • Request information from .com server for
    google.com, verify response using key returned
    from the root. Returns key for google.com
  • Request information from google.com server,
    verify with key returned from the .com server.

10
DNSSEC Validation
11
DNSSEC Complexities
  • Must tell parent zone when key is changed
  • Changing key must be done very carefully, both
    keys are used for a period of time due to caching
  • Must be careful about zone enumeration
  • Servers will require more memory for holding
    additional information (keys, response
    signatures)
  • More bandwidth utilization
  • Larger packets (network equipment blocking)

12
DNSSEC Deployment Status
  • All root servers now use DNSSEC as of May 5
  • .com and .net by Q1 of 2011, requires upgrades
    for scalability
  • .org already deployed with DNSSEC
  • .gov already deployed with DNSSEC
  • Big zones will need to deploy it too (google.com,
    yahoo.com, etc)
  • Large DNS providers need to deploy too
    (NeustarDNS, Markmonitor, etc)

13
Questions?
Write a Comment
User Comments (0)
About PowerShow.com