AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large FY25 Strategic Priority Activities

Versions Compared

Old Version 5

changes.mady.by.user Darlene Thompson

Saved on

compared with

New Version 6

changes.mady.by.user Darlene Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

DNSSEC for Everybody:  A Beginners Guide

DNSSEC continues to be deployed around the world at an ever accelerating pace. From the Root, to both Generic Top Level Domains (gTLDs) and Country Code Top Level Domains (ccTLDs), the push is on to deploy DNSSEC to every corner of the internet. Businesses and ISPs are building their deployment plans too and interesting opportunities are opening up for all as the rollout continues.

Agenda Details:

  1. Welcome and Introduction, Simon McCalla, Nominet UK
  2. Basic Concepts:
    • Caveman, Simon McCalla, Nominet UK
    • DNS Basics, Matt Larson, VeriSign
  3. Core Concepts:
    • DNSSEC - How it Works, Matt Larson, VeriSign
    • DNSSEC - Chain of Trust, Norm Ritchie, ISC
  4. Real World Examples
    • A Sample DNSSEC Implementation - A Simple Guide to Deployment
    • Audience Interaction with Examples
  5. Summary: Session Round Up, Materials, and Thank you, Simon McCalla, Nominet UK

    In the beginning of this presentation, DNSSEC was cleverly illustrated through simple cartoons of cavemen.  Later, a series of (low budget but hilarious) scits were put on to illustrate DNSSEC and how and how it prevents malicious attacks.  This session really made DNSSEC easily understood.  Points that were raised:

    DNS Security
    • DNS has no security
    • One packet for query, one packet for response
    • Must rely on source IP‐based authentication
    • Easily spoofed
    • Clever resolvers help a lot
    • But we need something better

    What DNSSEC Does
    • DNSSEC uses public key cryptography and digital signatures to provide:
    • Data origin authentication
      • “Did this DNS response really come from the .com zone?”
    • Data integrity
      • “Did an attacker (e.g., a man-in-the-middle) modify the data in this response since it was signed?”
      • Bottom line: DNSSEC offers protection against spoofing of DNS data

      What DNSSEC Doesn’t Do
      • DNSSEC does not:
    • Provide any confidentiality for DNS data
      • I.e., no encryption
      • The data in the DNS is public, after all
    • Address attacks against the name server itself
      • Denial of service,
      • Packets of death,
      • etc.

      Key Pairs
      • In DNSSEC, each zone has a public/private key pair
      • The zone’s public key is stored in the new DNSKEY record
      • The zone’s private key is kept safe
    • Stored offline (ideally)
    • Perhaps held in an HSM (Hardware Security Module)

      Digital Signatures
      • A zone’s private key signs each piece of DNS data in a zone
      • Each digital signature is stored in an RRSIG record

      Chain of Trust
      • There are no certificates in DNSSEC
      • The trust model is rigid
      • The chain of trust flows from parent zone to child zone
      • Only a zone’s parent can vouch for its keys’ identity

      Types of Keys
      • Signed zone has DNSKEY records at its apex* Usually multiple keys
  • One or more key-signing keys (KSKs)
  • One or more zone-signing keys (ZSKs)• KSK
  • Signs only the DNSKEY records• ZSK
  • Signs the rest of the zone

    Delegation Signer (DS) Records
    • The Delegation Signer (DS) record specifies a child zone’s key
    • A zone’s DS records only appear in its parent zone
    • DS records are signed by the parent zone

    Trust Anchors
    • You have to trust somebody
    • DNSSEC validators need a list of trust anchors
    • A trust anchor is a key that is implicitly trusted
    • Analogous to list of certificate authorities (CAs) in web browsers

    DNSSEC Implementation Samples
    • DNSSEC implementation depends upon & is mostly driven by an activity’s DNS
    functions
  • DNS is made up of many parts, e.g., name server operators, applications users, name holders (“owners”), DNS provisioning
  • Activities with large, complex DNS functions are more likely to have more complex DNSSEC implementation activities• Also more likely to have ‘DNS knowledgeable’ staff
    • DNS size and complexity examples:
  • Registry responsible for a large TLD operation, e.g., .com
  • Substantial enterprise with many components with many geographic locations, e.g., hp.com
  • Internet-based businesses with a number of business critical zones, e.g., www.verisign.com
  • Activities with non-critical DNS zones, e.g., net-snmp.org
  • Proverbial Internet end users (all of us here)

    General Principle:
    • If an activity does a lot with their DNS functions and operations then they probably will want to do a lot with the associated DNSSEC pieces;
    • If an activity does little or nothing with their DNS functions and operations then they probably will want to do little or nothing with the associated DNSSEC pieces.

    DNS Basic Functions
    • DNS provides the translation from names to network addresses
    • Get the right DNS content to Internet users
    -->IT’S DNS CONTENT THAT MATTERS!

    How Does DNSSEC Fit?
    • DNSSEC is required to thwart attacks on DNS CONTENT
    • DNS attacks used to attack Internet users applications
      -->Protect DNS CONTENT as much as (or more than) any DNSSEC information
      -->Including DNSSEC private keys!!

...