An Analysis of DNSSEC

1
An Analysis of DNSSEC

• By Team Trojans -1
• Arjun Ashok
• Priyank Mohan
• Balaji Thirunavukkarasu

2
Agenda

• DNS its structure
• DNS Threats
• DNSSEC
• Trust Models for Key Validation
• DNSSEC Vulnerabilities
• DNSSEC Roadblocks
• Alternatives to DNS Security
• The Road ahead

3
Domain Name System (DNS)

• Hierarchical distributed database which provides
  the service of translating the domain names to IP
  addresses.
• Follows a hierarchical tree structure analogous
  to the Unix file system

4
DNS Communication

• DNS Threats
• Packet interception
• Name Chaining

• Denial of Service
• Brute Force

5
DNSSEC

• First introduced in RFC 2535 "Domain Name System
  Security Extensions" in 1999.
• Provides authentication and integrity of DNS data
• Authentication of Name Server (NS) data by
  resolver
• Integrity of data checked through signed, hashed
  public key.
• Resolver is configured with public key of NSs
• A resolver that knows the zones public key can
  verify the signature and authenticate the DNS
  response.
• Can be visualized as a sealed transparent
  envelope, wherein seal applied to envelope and
  not to message, by the sender.

6
Trust Models for Key Validation

• A Tree Based approach
• Follows a strict chain/hierarchy of trust.
• Zone public key considered valid only if signed
  by parent.
• Disadvantages
• Creates a single point of failure.
• Places all the peer zones under the same umbrella
  of security.

7
Trust Models for Key Validation

• A Web of Trust approach
• Allows servers to choose their own trust
  relationships.
• A public key is considered valid as long as it
  has been signed by another server.
• No single point of failure.
• Robust and scalable.
• Disadvantages
• An impersonated malicious zone can create its own
  set of keys and establish a trust relationship.

8
DNSSec Vulnerabilities

• Zone private/public key compromise Key
  compromise can lead to an entire sub-domain being
  marked as bogus.
• A servers current time could be changed in order
  to validate expired signatures. Hence there
  should be some means to sync the time between
  primary and secondary servers.
• An attacker can spoof an entire zone server by
  querying the NSEC RRs, which store an ordered
  list of all the existing domain names.

9
Roadblocks and Challenges

• It is infeasible to implement a PKI
  infrastructure.
• No third party authority of trust (CA) exists in
  DNSSec, highly dependable on private key usage.
• trade-off between performance and security.
• It is difficult to ensure all the servers have
  the updated keys.
• Servers high up in hierarchy are unaware of the
  state of the child nodes.
• All servers need to be online within a specified
  time frame in order to receive the updated keys.

10
Alternatives to DNSSEC

• Name Server Software
• Configuration and maintenance of name server to
  avoid
• DOS, Attacks such as Zone transfer, packet
  flooding, ARP spoofing.
• To counter these attacks, the following steps are
  implemented
• Using secure OS, Using software to check
  integrity of zone files and Restricting
  access privileges on name server.

11
Contd..

• TSIG Transition Signature
• Involves mutual Authentication of servers based
  on shared secret key, Source side it employs HMAC
• Threats avoided by TSIG

12
Road Ahead..

• The main hindrance in adopting DNSSEC
• Implementation complexity and Scalability
• To overcome this Software64 DNS signer is used to
  automate processes like generation, backup,
  restoration, roll over and zone signing in
  configuration file.
• Higher scalability achieved using high speed
  crypto. Algorithms 6,000 RSA operations/sec with
  1024 bit key.
• Another improvisation is implementation of DNSSEC
  till the client stub resolver level (user level).

13

• QUESTIONS