DNSSEC

About This Presentation

Title:

Description:

Number of Views:52

Avg rating:3.0/5.0

Slides: 11

Provided by: marco104

Learn more at: http://www.wwtld.org

Category:

Tags: dnssec | cape

Transcript and Presenter's Notes

Title: DNSSEC

1

2
Abstract

3
Facts

The introduction of DNSSEC with the current form
of the specification provides Zone Enumeration
http//josefsson.org/walker/
An authoritative denial of existence of a given
domain name delivers as a proof the next existing
domain name.
There were protocol changes to refuse AXFR

4
Facts

Some key players for a successful widespread
deployment of DNSSEC consider this as a problem
Security problem?
Policy problem?
Legal problem?

5
Security problem?

An attack begins by identifying your
targethttp//www.research.att.com/smb/papers/dn
shack.pdf
But domain names can be gathered by other means,
for instance, dictionary attacks
German English dictionary John the Ripper
1 of the de-zone
Brute force on all 8-characters delivers 13 of
the de-zone.
com-zone as a dictionary 42 of the nl-zone

6
Policy problem?

7
Legal problem?

IANAL
Nominets position http//ops.ietf.org/lists/name
droppers/namedroppers.2004/msg00687.html
DENICs position
In conflict with Germanys Federal Data
Protection Act

8
Way ahead

IETF dnsext wg decided to advance the current
specification as a proposed standard
Inmediately started to work on the problem
following The Engineering Way (TM)
Listing the requirements for a denial of
existence
Weighting their relevance, since sometimes
trade-offs exist
Evaluating proposals

9
Working documents

http//www.ietf.org/internet-drafts/draft-ietf-dns
ext-signed-nonexistence-requirements-01.txt
http//www.links.org/dnssec/requirements-matrix3.h
tm
http//www.links.org/dnssec/draft-laurie-dnsext-ns
ec2-02.txt
http//www.ietf.org/internet-drafts/draft-arends-d
nsnr-00.txt
http//www.ietf.org/internet-drafts/draft-ietf-dns
ext-dnssec-trans-01.txt

10
Many thanks for your attention!Any questions?

Write a Comment

User Comments (0)