Application-Level Assurances Using DNSSEC

Providing Application-Level Assurances Using DNSSEC
Suresh Krishnaswamy
SPARTA, Inc. dba Cobham Analytic Solutions
(suresh AT sparta DOT com)
Domain Name Service
• Internet infrastructure protocol that provides a mapping between a human-memorable name and some information about that name (e.g. an IP address)
• Hierarchical, decentralized, scalable, redundant, highly available service that makes the Internet as useful as it currently is.
• Very easy to spoof!
Spoofing DNS Responses
• Difficulty level roughly that of correctly guessing two random 16-bit values
• Difficulty is even less
  • … if one of the two 16-bit values is predictable
  • … if the two 16-bit values are not *that* random
  • … if the name server sends out multiple queries for the same name in parallel, with different values for the two 16-bit values
  • … if some NAT device reduces the effectiveness of any name server randomization technique
Why is this Important
• DNS resolution is normally the first step in most Internet communications
• A web site can be replaced with a false site without ever touching the victim site
• E-mail can be re-routed (SPF and DKIM also rely on the DNS)
• Logins compromised through a man-in-the-middle attack
• Any technology that relies on DNS will be affected: anti-spam, ENUM, SIP, etc.
The DNS is transparent
(Slide diagram: one web page address results in multiple DNS lookups; examples shown are Weather.com and Foxnews.com.)
Spoof Example
(Slide diagram.)
The DNSSEC Pieces
(Slide diagram of the DNS namespace: Root; the TLDs com, edu, org and test; owasp and dnssec-tools beneath them; and the three roles below.)
• Registrants/Registrars (define the namespace): add secure delegations; EPP extensions, registrar interfaces
• Zone Data Administrators/Name Server Operators (publish DNS content): sign zones; zone re-signing, key rollover
• Resolvers (lookup DNS data): validate signed answers using a Trust Anchor; TA rollover
DNSSEC at the publication end
• The Root is signed!
• 62/294 TLDs signed
• NET to be signed Dec 2010
• COM to be signed by March 2011
• A number of registrars are capable of accepting secure delegation information for their registrants.
• About 26K production DNSSEC-enabled zones according to SecSpider (http://secspider.cs.ucla.edu/)
DNSSEC at the validation end
• The Root is signed! (implies a single Trust Anchor)
• Top 4 Swedish ISPs
• COMCAST
• UC Berkeley
DNSSEC and FISMA
• Applies to all systems that "host, store, or process Federal information".
• Requires DNSSEC signing of all zone data: internal and external zones, at all levels of the DNS tree.
• Validation required for high-impact zones only, but will soon apply to lower impact levels.
The Last Mile
(Slide diagram: a stub resolver queries a recursive NS across an untrusted network such as coffee shops, conferences or airports; the first response wins.)
The Last Mile
(Slide diagram: a stub resolver behind a recursive NS operated by certain ISPs or hotels.)
In-application validation
• A central resolver can refuse to relay bad/insecure answers, and the client can still be spoofed locally.
• Even if users are behind a central validating resolver at work, they may not be when they are traveling or using their phone to check email.
• Provides for validation up to the application. Important if we want to use the DNS for bootstrapping other security mechanisms.
• Provides better error codes to the applications
Retrofitting DNSSEC
• Internet applications have been using DNS for over 20 years.
• Significant liberties taken when processing error conditions, based on the invalid assumption that no further changes would occur to the DNS.
• Example: error handling loops that do not have proper fallback cases to default “unknown error” handling code.
• No propagation of the DNS error code up multiple levels of the stack.
Authentication Chains
• Various error codes possible
  • Maybe the name server failed to respond?
• Multiple records may be returned for a function call. E.g. getaddrinfo() can return A and AAAA; a CNAME and its target may have completely different authentication chains.
• Each element in the authentication chain has its own validation status.
(Slide diagram: getaddrinfo() for badsign-alias.netsec.tislabs.com, showing the A, AAAA and CNAME records and their separate authentication chains.)
Towards a validator API
• Standardizing the API is important.
• Starting from scratch would be great, but we have legacy code to worry about. A small code change footprint would be nice.
• Should be possible to take advantage of the new error codes that DNSSEC returns.
• Bogus is bad, unsigned does not necessarily mean bad, validated is generally good, you may trust something even if you know it is bogus, and you may decide that you won’t accept some answers at all.
Proposed API
• Documented in “DNSSEC Validator API”, draft-hayatnagarkar-dnsext-validator-api
• Two levels of DNSSEC-awareness
  • High-level: “just tell me if I can use this answer or not”.
  • Low-level: “need more information on why DNSSEC validation failed; was this answer actually validated or implicitly trusted?”.
• Different validation “contexts” for different validation policies, if needed.
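The authentication-chain and two-level API slides above, modelled as an added Python example. This is not libval's code and not the draft's API: the names ValStatus, ChainElement, Policy, check_element, check_chain and usable_answers are hypothetical, and the scenario (an alias whose CNAME validates while the target's A record is bogus and its AAAA record is fine) is constructed. It shows the low-level verdict per chain element with the reason preserved rather than lost in the stack, the high-level yes/no per RRset that a getaddrinfo()-style call returns, and per-context policy knobs for unsigned answers, answers trusted despite being bogus, and names never accepted.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class ValStatus(Enum):
    """Low-level outcome a validator can report for one RRset (hypothetical names)."""
    VALIDATED = "validated"      # signature chain reaches a trust anchor
    UNSIGNED = "unsigned"        # provably insecure: the zone has no DNSSEC
    BOGUS = "bogus"              # signed, but verification failed
    NO_RESPONSE = "no_response"  # the name server failed to respond


@dataclass(frozen=True)
class ChainElement:
    """One link of an authentication chain, e.g. a CNAME or its target RRset."""
    name: str
    rrtype: str
    status: ValStatus


@dataclass(frozen=True)
class Policy:
    """Knobs of one validation 'context' (hypothetical)."""
    accept_unsigned: bool = True                        # unsigned is not necessarily bad
    trust_despite_bogus: FrozenSet[str] = frozenset()   # names the operator trusts anyway
    never_accept: FrozenSet[str] = frozenset()          # names refused whatever the status


def check_element(el: ChainElement, policy: Policy) -> Tuple[bool, str]:
    """Low-level verdict for one link; the reason is kept instead of being lost."""
    label = f"{el.name}/{el.rrtype}"
    if el.name in policy.never_accept:
        return False, f"{label}: refused by policy"
    if el.status is ValStatus.VALIDATED:
        return True, f"{label}: validated"
    if el.status is ValStatus.UNSIGNED:
        if policy.accept_unsigned:
            return True, f"{label}: unsigned, accepted by policy"
        return False, f"{label}: unsigned, rejected by policy"
    if el.status is ValStatus.BOGUS and el.name in policy.trust_despite_bogus:
        return True, f"{label}: bogus, but explicitly trusted"
    return False, f"{label}: {el.status.value}"


def check_chain(chain: List[ChainElement], policy: Policy) -> Tuple[bool, List[str]]:
    """A chain (e.g. CNAME -> target) is usable only if every link is; all reasons are returned."""
    verdicts = [check_element(el, policy) for el in chain]
    return all(ok for ok, _ in verdicts), [why for _, why in verdicts]


def usable_answers(answers: Dict[str, List[ChainElement]], policy: Policy) -> Dict[str, bool]:
    """High-level API: one yes/no per RRset returned by a call such as getaddrinfo()."""
    return {rrtype: check_chain(chain, policy)[0] for rrtype, chain in answers.items()}


# Constructed scenario (not real DNS data): the alias CNAME validates, the target's
# A record is bogus, and the AAAA chain is clean, so the two address families differ.
EXAMPLE_ANSWERS: Dict[str, List[ChainElement]] = {
    "A": [
        ChainElement("badsign-alias.example.test", "CNAME", ValStatus.VALIDATED),
        ChainElement("badsign-target.example.test", "A", ValStatus.BOGUS),
    ],
    "AAAA": [
        ChainElement("badsign-alias.example.test", "CNAME", ValStatus.VALIDATED),
        ChainElement("badsign-target.example.test", "AAAA", ValStatus.VALIDATED),
    ],
}
DEFAULT_POLICY = Policy()

if __name__ == "__main__":
    print(usable_answers(EXAMPLE_ANSWERS, DEFAULT_POLICY))
    for rrtype, chain in EXAMPLE_ANSWERS.items():
        print(rrtype, check_chain(chain, DEFAULT_POLICY)[1])
```

Under the default policy the A answer is unusable because one link of its chain is bogus, while the AAAA answer for the same name is usable; an application using only the high-level call sees just that split, and one using the low-level call can log which record in the chain failed and why.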
Libval and its extensions
• C library that implements the proposed API
• Perl module Net::DNS::Sec::Validator that wraps around the C library
• All available from www.dnssec-tools.org
DNSSEC-capable Apps
• Secure bootstrapping of the SSH key through the SSHFP record:
  % ./ssh ssh.example.com
  The authenticity of host 'ssh.example.com (192.168.1.1)' was validated via DNSSEC.
  Warning: Permanently added 'ssh.example.com,192.168.1.1' (RSA) to the list of known hosts.
  Last login: Thu Sep 20 19:49:53 2007
  Welcome to Darwin!
  $
• SPF, MX validation
• Jabberd, wget, etc.
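The SSHFP bootstrapping shown in the transcript above, as an added Python example that is not the patched ssh client's code: sshfp_from_key, format_sshfp, parse_sshfp, host_key_decision and the key blob are hypothetical and constructed, and the code points (algorithm 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519; fingerprint type 1 SHA-1, 2 SHA-256) are those of RFC 4255 and RFC 6594. It covers both ends: the record a zone operator publishes for a host key, and the client-side check that accepts the key only when the fingerprint matches and the SSHFP answer was DNSSEC-validated, falling back to the usual unknown-host handling otherwise.

```python
import hashlib
import hmac
from typing import Iterable, NamedTuple

# SSHFP code points from RFC 4255 and RFC 6594
SSHFP_ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519"}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


class SSHFP(NamedTuple):
    """One SSHFP RDATA: algorithm, fingerprint type, raw fingerprint bytes."""
    algorithm: int
    fptype: int
    fingerprint: bytes


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format of public keys."""
    return len(data).to_bytes(4, "big") + data


def sshfp_from_key(key_blob: bytes, algorithm: int, fptype: int) -> SSHFP:
    """Build the SSHFP record a zone operator would publish for a host key.

    key_blob is the raw public key (the part that is base64-encoded in known_hosts)."""
    return SSHFP(algorithm, fptype, SSHFP_HASHES[fptype](key_blob).digest())


def format_sshfp(rec: SSHFP) -> str:
    """Presentation format: '<algorithm> <fptype> <hex fingerprint>'."""
    return f"{rec.algorithm} {rec.fptype} {rec.fingerprint.hex()}"


def parse_sshfp(text: str) -> SSHFP:
    """Parse the presentation format back into RDATA."""
    alg, fpt, hexfp = text.split()
    return SSHFP(int(alg), int(fpt), bytes.fromhex(hexfp))


def host_key_decision(key_blob: bytes, algorithm: int, records: Iterable[SSHFP],
                      dnssec_validated: bool) -> str:
    """Client-side decision: 'validated', 'mismatch' or 'insecure'.

    Only a DNSSEC-validated SSHFP answer may vouch for the key; an unsigned or bogus
    answer yields 'insecure', so the client falls back to its usual unknown-host prompt."""
    if not dnssec_validated:
        return "insecure"
    for rec in records:
        if rec.algorithm != algorithm or rec.fptype not in SSHFP_HASHES:
            continue  # skip records for other key types or unknown hash types
        expected = SSHFP_HASHES[rec.fptype](key_blob).digest()
        if hmac.compare_digest(expected, rec.fingerprint):
            return "validated"
    return "mismatch"


# Constructed Ed25519 public key blob (not a real key): "ssh-ed25519" + 32 key bytes.
CONSTRUCTED_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CONSTRUCTED_ALGORITHM = 4  # Ed25519

if __name__ == "__main__":
    published = sshfp_from_key(CONSTRUCTED_KEY_BLOB, CONSTRUCTED_ALGORITHM, 2)
    print("zone would publish: ssh.example.test. IN SSHFP", format_sshfp(published))
    for validated in (True, False):
        print("DNSSEC validated" if validated else "unsigned/bogus answer", "->",
              host_key_decision(CONSTRUCTED_KEY_BLOB, CONSTRUCTED_ALGORITHM,
                                [published], validated))
```

The point of the dnssec_validated gate is the one the transcript makes: an SSHFP record fetched without DNSSEC validation is no stronger than the plain DNS answer an attacker could spoof, so only a validated answer is allowed to replace the "are you sure you want to continue connecting" decision.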
Libval_shim
• LD_PRELOAD-based approach for adding DNSSEC capability to existing applications
• The shim library implements most of the commonly-used resolver functions
• Applications that use these functions can automatically become DNSSEC-capable if they run within an LD_PRELOAD environment with libval_shim.
• Many applications are known to work out of the box with libval_shim
Firefox with libval_shim
(Slide screenshot.)
Validating within a browser
• DNS-intensive application, with immediate visible effect when resolution fails.
• What if validation fails?
  • Should the user be told that this was a DNSSEC issue?
  • Avoid “Security check failed. Continue? Yes/No?”
Modifying Firefox
• Could not merely be an extension; had to be a patch.
• Allow the user to enable/disable DNSSEC. All other policy knobs are within the validator library, libval.
• Content not loaded from domains that fail validation
• Better error messages when names do not exist.
• Somewhat of a challenge to throw the error to the user
  • DNS error “lost” in the stack.
  • Firefox does pre-fetching of names
DNSSEC-enabled Firefox
(Slide screenshot.)
Some DNSSEC Indicators
(Slide screenshot.)
Name does not exist. At all!
(Slide screenshot.)
Other Possibilities
• Public keys in the DNS
• Force HTTPS
• ENUM
• Gaming community
On the phone!
• N900 users: it's “lookup” in extras-testing
List of Resources
• http://www.dnssec-tools.org
  • Zone maintenance tools: zonesigner, rollerd, donuts, mapper
  • Troubleshooting utilities: dnspktflow, validate, getds, logwatch, test zone
  • Validator C library, PERL modules
  • DNSSEC-enabled applications: firefox, thunderbird, openssh, postfix, sendmail, libspf, wget, ncftp
• http://www.dnssec-deployment.org
  • Blog/News site devoted to DNSSEC deployment.
• https://www.iana.org/dnssec
  • Getting the Root Key
Summary/Next Steps
• We have been using DNS for the last 20 years as though it were already secure, when it really wasn’t.
• With DNSSEC we now have the basis for this security (and a signed Root!) such that we can begin to use DNSSEC effectively.
• It’s possible to come up with innovative ways of using DNSSEC assurances within applications. As we develop new APIs, consider how DNSSEC can be leveraged by the higher layers.
• As a web developer, do you really need to fetch those remote javascript/css? If you do, are those names under a signed domain?
• What would you need from a DNSSEC-capable browser so that your web apps can fail “smart”?
• Turn on validation!
Questions?