DNS Security Extensions (DNSSEC) - PowerPoint PPT Presentation

Provided by: csBoises

1
DNS Security Extensions (DNSSEC)
Ryan Dearing
2
Topics
  • History
  • What is DNS?
  • DNS Stats
  • Security
  • DNSSEC
  • DNSSEC Validation
  • Deployment

3
Terminology
  • Zone: contains resource records
  • Resource Record: a record with a name and a value
    (e.g. www.google.com → IP)
  • Authoritative Server: server that can
    definitively answer queries for a zone
    (non-caching)
  • Master Server: authoritative server that
    contains the primary copy of the zone and pushes it to
    the slave/secondary server
  • Slave Server: authoritative server that gets
    zone information from the master server (also called
    secondary server)
  • Recursive/Caching Server: server that caches
    query responses

4
Domain Name System
  • Created in 1983 by Paul Mockapetris
  • Minimal Changes to the core protocol since 1987
  • Has scaled very well
  • 190 million domains

5
DNS Hierarchy and Protocol
  • DNS uses a hierarchical model
  • Root Servers, TLD Servers, Domain Servers
  • Small Efficient UDP Packets
  • No State
  • Caching locally and at recursive servers
  • Serial number is incremented when zone
    information changes

6
DNS Stats
  • Verisign hosts DNS servers for .com and .net
  • Receives 52 billion queries per day
  • Peak at 61 billion queries per day
  • 48% yearly growth
  • 13 Nameservers listed for .com and .net, but most
    likely hundreds with load balancing

7
Security
  • DNS uses a trust model, popular in the 80s when
    the Internet was small and computing power was
    low
  • If attacker manages to impersonate an
    authoritative server, they can poison the cache
    of recursive caching servers
  • Suddenly BankOfAmerica.com is going to Nigeria

8
DNSSEC
  • DNSSEC adds signing to a zone's information
  • Allows DNS responses to be validated all the way
    from the root
  • Increases zone and packet size considerably
  • Already implemented on the root servers
  • Only useful when zones start using it

9
DNSSEC Validation: google.com
  • Request information from root server for .com,
    verify response based on public key (publicly
    distributed). Returns key for .com
  • Request information from .com server for
    google.com, verify response using key returned
    from the root. Returns key for google.com
  • Request information from google.com server,
    verify with key returned from the .com server.
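
The three-step walk above, together with the impersonation scenario from the Security slide, as an added example that is not part of the presentation: a self-contained Python model of the chain of trust. Textbook RSA over a truncated SHA-256 digest stands in for the real DNSSEC signing algorithms, the record encodings are simplified, and the addresses (192.0.2.10, 198.51.100.7) are constructed from the documentation ranges. The zone names follow the slide; all function names, seeds and key ids are hypothetical.

```python
import hashlib
import math
import random

# Textbook RSA (seeded, unpadded, 128-bit primes) stands in for the real
# DNSSEC signing algorithms; nothing here is production cryptography.
def _probable_prime(n, rng, rounds=24):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin, random bases
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        if all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False                         # witness found: composite
    return True

def keygen(seed, bits=128):
    """Reproducible toy RSA key pair ((n, e), d) for one zone."""
    rng, e, primes = random.Random(seed), 65537, []
    while len(primes) < 2:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cand not in primes and _probable_prime(cand, rng):
            primes.append(cand)
    phi = (primes[0] - 1) * (primes[1] - 1)
    if math.gcd(e, phi) != 1:                    # rare; just pick another seed
        return keygen(seed + 1, bits)
    return (primes[0] * primes[1], e), pow(e, -1, phi)

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv_d, n, data):
    return pow(_digest_int(data, n), priv_d, n)

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest_int(data, pub[0])

# Simplified records: DNSKEY carries (n, e); DS is the parent's hash of the
# child's DNSKEY; an RRSIG is a signature over owner|type|rdata.
def dnskey_rdata(pub):
    return pub[0].to_bytes(32, "big") + pub[1].to_bytes(4, "big")

def ds_digest(owner, key_rdata):
    return hashlib.sha256(owner.encode() + key_rdata).hexdigest()

def signed_bytes(owner, rtype, rdata):
    return f"{owner}|{rtype}|".encode() + rdata

class Zone:
    def __init__(self, name, seed):
        self.name, (self.pub, self._priv) = name, keygen(seed)
        self.records = {}                        # (owner, rtype) -> (rdata, rrsig)
        self.publish(name, "DNSKEY", dnskey_rdata(self.pub))

    def publish(self, owner, rtype, rdata):
        sig = sign(self._priv, self.pub[0], signed_bytes(owner, rtype, rdata))
        self.records[(owner, rtype)] = (rdata, sig)

    def delegate(self, child):
        self.publish(child.name, "DS", ds_digest(child.name, dnskey_rdata(child.pub)).encode())

def validate(trust_anchor_ds, chain, owner, rtype):
    """Slide 9's walk from the root down: each DNSKEY must match the DS its parent
    (or the trust anchor) vouched for, then it validates the next DS or the answer."""
    expected_ds = trust_anchor_ds
    for depth, zone in enumerate(chain):
        key_rdata, key_sig = zone.records[(zone.name, "DNSKEY")]
        pub = (int.from_bytes(key_rdata[:32], "big"), int.from_bytes(key_rdata[32:], "big"))
        if ds_digest(zone.name, key_rdata) != expected_ds:
            return False, f"{zone.name}: DNSKEY does not match parent's DS"
        if not verify(pub, signed_bytes(zone.name, "DNSKEY", key_rdata), key_sig):
            return False, f"{zone.name}: DNSKEY RRSIG invalid"
        if depth == len(chain) - 1:              # leaf zone: check the answer
            rdata, sig = zone.records[(owner, rtype)]
            if not verify(pub, signed_bytes(owner, rtype, rdata), sig):
                return False, f"{owner}: RRSIG invalid"
            return True, rdata.decode()
        child = chain[depth + 1]
        ds_rdata, ds_sig = zone.records[(child.name, "DS")]
        if not verify(pub, signed_bytes(child.name, "DS", ds_rdata), ds_sig):
            return False, f"{child.name}: DS RRSIG invalid"
        expected_ds = ds_rdata.decode()

def demo():
    root, com, google = Zone(".", 1), Zone("com", 2), Zone("google.com", 3)
    root.delegate(com)
    com.delegate(google)
    google.publish("www.google.com", "A", b"192.0.2.10")   # constructed address
    anchor = ds_digest(".", dnskey_rdata(root.pub))         # root key, known out of band
    good = validate(anchor, [root, com, google], "www.google.com", "A")
    # Slide 7's impostor: a server claiming google.com with a key .com never vouched for
    evil = Zone("google.com", 99)
    evil.publish("www.google.com", "A", b"198.51.100.7")
    impostor = validate(anchor, [root, com, evil], "www.google.com", "A")
    # A poisoned answer: the genuine key, but the A record altered in transit
    _, sig = google.records[("www.google.com", "A")]
    google.records[("www.google.com", "A")] = (b"198.51.100.7", sig)
    poisoned = validate(anchor, [root, com, google], "www.google.com", "A")
    return good, impostor, poisoned
```

`demo()` returns three results: the genuine chain validates to the published address, the impostor fails at the DS check (its key was never vouched for by .com, so no amount of self-signing helps), and the poisoned record fails at the RRSIG check even though every key in the chain is genuine. Both failures surface before the resolver would hand the answer to a client, which is the point of the slide's "validated all the way from the root".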

10
DNSSEC Validation
11
DNSSEC Complexities
  • Must tell parent zone when key is changed
  • Changing key must be done very carefully, both
    keys are used for a period of time due to caching
  • Must be careful about zone enumeration
  • Servers will require more memory for holding
    additional information (keys, response
    signatures)
  • More bandwidth utilization
  • Larger packets (which some network equipment blocks)
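
The second bullet ("both keys are used for a period of time due to caching") as an added example, not part of the presentation: a Python simulation of a pre-publish key rollover (the RFC 6781 pattern) beside a hasty one-step swap, checked against what resolver caches could still be holding. The key ids K1/K2, the TTLs and the propagation delay are constructed values; the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    """Zone state from time `at` (seconds) until the next Step."""
    at: int
    dnskeys: frozenset   # key ids in the published DNSKEY RRset
    signer: str          # key id currently producing the zone's RRSIGs

def prepublish_schedule(start, dnskey_ttl, max_zone_ttl, propagation):
    """Pre-publish rollover: publish K2 early, switch signing only once every
    cache can have seen K2, drop K1 only once every RRSIG made with K1 can
    have expired from caches."""
    switch = start + propagation + dnskey_ttl
    retire = switch + propagation + max_zone_ttl
    return [
        Step(0, frozenset({"K1"}), "K1"),            # steady state before the roll
        Step(start, frozenset({"K1", "K2"}), "K1"),  # K2 published, K1 still signs
        Step(switch, frozenset({"K1", "K2"}), "K2"), # K2 signs, K1 kept for old RRSIGs
        Step(retire, frozenset({"K2"}), "K2"),       # K1 removed
    ]

def hasty_schedule(start):
    """Swap key and signatures in one step, ignoring caches."""
    return [Step(0, frozenset({"K1"}), "K1"), Step(start, frozenset({"K2"}), "K2")]

def _active_in(steps, lo, hi):
    """Steps whose interval [at, next.at) overlaps the window [lo, hi]."""
    ends = [s.at for s in steps[1:]] + [float("inf")]
    return [s for s, end in zip(steps, ends) if s.at <= hi and end > lo]

def first_failure(steps, dnskey_ttl, max_zone_ttl, propagation, tick=60):
    """Sample time and return the first instant at which some validator could
    hold a cached RRSIG whose signing key is missing from a DNSKEY RRset it
    could also be caching; None means the rollover never breaks validation."""
    horizon = steps[-1].at + max_zone_ttl + dnskey_ttl + 2 * propagation
    for t in range(0, horizon, tick):
        signers = {s.signer for s in _active_in(steps, t - max_zone_ttl - propagation, t)}
        keysets = [s.dnskeys for s in _active_in(steps, t - dnskey_ttl - propagation, t)]
        if any(k not in ks for k in signers for ks in keysets):
            return t
    return None

# Constructed parameters: 1 h DNSKEY TTL, 1-day maximum record TTL, 30 min
# propagation delay; the rollover begins one hour into the simulation.
PARAMS = dict(dnskey_ttl=3600, max_zone_ttl=86400, propagation=1800)

def compare():
    safe = first_failure(prepublish_schedule(3600, **PARAMS), **PARAMS)
    broken = first_failure(hasty_schedule(3600), **PARAMS)
    return safe, broken
```

`compare()` returns `(None, 3600)`: the pre-publish schedule never leaves a validator with a signature it cannot check, while the hasty swap breaks validation at the very moment of the switch, because caches holding the old RRSIGs or the old DNSKEY RRset keep serving them for up to a TTL. The check is sampled once a minute, so it is a sanity check for an operator's timings, not a proof.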

12
DNSSEC Deployment Status
  • All root servers now use DNSSEC as of May 5
  • .com and .net by Q1 of 2011, requires upgrades
    for scalability
  • .org already deployed with DNSSEC
  • .gov already deployed with DNSSEC
  • Big zones will need to deploy it too (google.com,
    yahoo.com, etc.)
  • Large DNS providers need to deploy too
    (NeustarDNS, Markmonitor, etc.)

13
Questions?