1. DNS/DNSSEC/good-bad
http://xs.powerdns.com/presentation-hitb/ http://xs.powerdns.com/presentation-hitb/dnssec-good-very-bad.pdf
DNSSEC protects against
- "Spoofing attacks"
- Large amounts of spoofed packets with 'improved answers' try to get accepted as the real thing
- Unreliable secondaries/slaves
- Your slave/secondary might fiddle with your data
- Unreliable governments and service providers
- Might inject advertisements or redirect your vital facebook updates
On the second point, there does seem to be room for improvement when the secondary server cannot be trusted.
DNSSEC: How compelling?
- The threats on the previous page are not immediate
- Post RFC5452 spoofing attacks are very hard,
- you can pick your secondaries with care, and
- governments don't need DNS to get your packets.
2. Other reasons
Reasons of compulsion are omitted (because customers demand it, and so on)
great excuse to clean up your DNS!
So that is where this is going. Isn't the order backwards?
Unless DNS is configured properly, DNSSEC cannot be used.
It seems right that operators who cannot configure DNS properly, let alone support DNSSEC, will not survive.
I hope it turns out that way. -- ToshinoriMaeno 2011-06-11 03:33:24
3. slide page 24
On the delegation issue
- Each name in DNSSEC has exactly ONE signature(set)
- So if ns1.fox-it.com is part of the .com zone, AND part of the fox-it.com zone, it will only be signed in the fox-it.com zone
And not in com!
- So how do we perform a secure delegation?
- WE DON'T!
So if your zone is not signed, but .com is, you don't benefit at all
4. slide 25
If your zone IS signed, verification only really happens at the very end
- The delegating answer from COM is not verified
5. slide 26
DNSSEC technique: denial of service
- Since delegating answers, for example from .com, are not themselves DNSSEC secured,
- they can be modified at will. For example, to point at 127.0.0.1
- Since DNSSEC verification only happens at the end
- Or in this case, not at all
This means that DNSSEC does nothing to protect the interim resolution steps
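To make the point of slides 25 and 26 concrete, here is a small model of how a validating resolver walks a delegation chain. It is an added example, not code from the presentation or from PowerDNS. Zone names, addresses and keys are constructed, and the "RRSIG" is a toy HMAC under a per-zone key that stands in for a real public-key signature. The com. referral (NS plus glue) carries no signature, so the resolver follows it without any check; only the final A RRset from the child zone is verified. Rewriting the referral therefore yields a failed lookup rather than accepted forged data, while a forged final answer is caught.

```python
import hashlib
import hmac

# Constructed toy zone keys. They stand in for the DNSKEYs a validating
# resolver has already chained to its trust anchor; an attacker lacks them.
ZONE_KEYS = {"com.": b"toy-com-key", "fox-it.com.": b"toy-fox-it-key"}


def sign(zone, name, rtype, rdata):
    """Toy RRSIG: an HMAC over the RRset under the zone's key. Real DNSSEC
    uses public-key signatures; HMAC keeps this model stdlib-only."""
    msg = f"{name}|{rtype}|{rdata}".encode()
    return hmac.new(ZONE_KEYS[zone], msg, hashlib.sha256).hexdigest()


def verify(zone, name, rtype, rdata, sig):
    return hmac.compare_digest(sign(zone, name, rtype, rdata), sig)


def build_servers():
    """Constructed nameserver contents (documentation-range addresses).
    The referral held by the com. server carries NS + glue with no RRSIG;
    only the fox-it.com. zone signs its own records."""
    return {
        "192.0.2.1": {                       # a com. authoritative server
            "fox-it.com.": {"referral": {"ns": "ns1.fox-it.com.",
                                         "glue": "203.0.113.10"}},
        },
        "203.0.113.10": {                    # ns1.fox-it.com.
            "www.fox-it.com.": {
                "answer": "203.0.113.80",
                "rrsig": sign("fox-it.com.", "www.fox-it.com.", "A", "203.0.113.80"),
            },
        },
    }


def ask(servers, server, qname):
    """Return what a server holds for qname: an exact match (answer) or a
    covering delegation (referral). None if nothing answers at that address."""
    node = servers.get(server)
    if node is None:
        return None
    for name, rec in node.items():
        if qname == name or qname.endswith("." + name):
            return rec
    return None


def resolve(qname, servers, start="192.0.2.1", signer="fox-it.com."):
    """Walk the delegation chain the way a validating resolver does: follow
    unsigned referrals blindly and verify only the final answer RRset."""
    server = start
    for _ in range(5):                       # bound the walk
        rec = ask(servers, server, qname)
        if rec is None:
            # No usable response (e.g. glue rewritten to 127.0.0.1): there is
            # nothing to validate or reject, so the lookup simply fails.
            return ("SERVFAIL", f"no response from {server}")
        if "referral" in rec:
            server = rec["referral"]["glue"]  # followed without any check
            continue
        if verify(signer, qname, "A", rec["answer"], rec["rrsig"]):
            return ("SECURE", rec["answer"])
        return ("BOGUS", rec["answer"])      # tampered data is caught here
    return ("SERVFAIL", "delegation chain too long")


def scenario(tamper):
    servers = build_servers()
    tamper(servers)
    return resolve("www.fox-it.com.", servers)


def untouched(servers):
    pass


def rewrite_referral(servers):
    """Slide 26: the unsigned com. referral is pointed at 127.0.0.1."""
    servers["192.0.2.1"]["fox-it.com."]["referral"]["glue"] = "127.0.0.1"


def forge_answer(servers):
    """The final A record is replaced without access to the zone key."""
    servers["203.0.113.10"]["www.fox-it.com."]["answer"] = "198.51.100.66"


if __name__ == "__main__":
    for label, tamper in [("untouched", untouched),
                          ("referral rewritten", rewrite_referral),
                          ("answer forged", forge_answer)]:
        print(f"{label:20} -> {scenario(tamper)}")
```

The three scenarios give SECURE, SERVFAIL and BOGUS respectively: validation protects the data at the end of the chain, but a resolver that has been sent nowhere has nothing to validate, which is the denial-of-service the slide describes.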
6. slide 31
Current DNSSEC deployments are secure up to the ISP's resolver
- "Last mile" is unsecured!
7. slide 32
End-to-End DNSSEC
- Wow! So why are people pushing providers to "do" DNSSEC?
- No idea
- Solution right now is for everyone to run a validating resolver (would kill the internet)
Better solutions mean that the ISP resolver ships all the signing proof to the stub resolver in the client PC (nice)
- Stub resolvers are limited though...
- browsers themselves might do the validation though!
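Slides 31 and 32 turn on what the stub actually receives from the ISP's resolver. The following added example (not code from the presentation or from PowerDNS) builds a constructed DNS response on the wire, parses its header and answer section, and checks whether it carries any proof the stub could verify itself. A validating resolver signals its verdict with the AD bit in the 12-byte header; that bit travels in plaintext over the unsecured last mile and is not accompanied by any RRSIG unless the resolver ships the signing proof, which is the improvement the slide calls for. Names, addresses and the transaction id are constructed.

```python
import struct

TYPE_A, TYPE_RRSIG, CLASS_IN = 1, 46, 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_response(txid, qname, ip, ad):
    """Constructed resolver reply: one question, one A answer, no RRSIG.
    Header flags: QR=1, RD=1, RA=1 and the AD bit as requested."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (ad << 5)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C: pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + answer


def parse_response(packet):
    """Parse header flags and all resource records of a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(packet, offset)
        offset += 4                          # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        records.append((name, rtype, packet[offset:offset + rdlen]))
        offset += rdlen
    return {"id": txid, "ad": (flags >> 5) & 1, "cd": (flags >> 4) & 1,
            "rcode": flags & 0xF, "records": records}


def stub_can_validate(parsed):
    """A stub can only check what it is given: without RRSIGs the AD bit is
    the resolver's word, carried unprotected over the last mile."""
    return any(rtype == TYPE_RRSIG for _, rtype, _ in parsed["records"])


if __name__ == "__main__":
    reply = parse_response(build_response(0x1234, "www.fox-it.com.", "203.0.113.80", ad=1))
    print("AD bit set:", reply["ad"])
    print("proof the stub could verify:", stub_can_validate(reply))
```

Running it shows AD=1 but no verifiable proof in the packet. The AD bit is the ISP resolver's assertion; whether the stub may rely on it depends entirely on how the last mile is secured, which is the gap the slides point at.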
8. xxx
Downgrade attacks are a big worry; it is very tricky to encode whether a domain has DNSSEC enabled
Unsure how to deal with 'degrading' a broken protocol
9. Summary
It is there. It can be used. But there are many defects, and many problems. ...