Cybertelecom
Cybertelecom
Federal Internet Law & Policy
An Educational Project

DNS: Security

- Security
- Encryption

Internet Addresses
- DNS
- History
- NTIA & Fed Activity
- ICANN
- Root Servers
- ccTLDs
- - .us
- - -.kids.us
- gTLDs
- - .gov
- - .edu
- - .mil
- - .xxx
- WHOIS
- WGIG
- ENUM
- IP Numbers
- - IPv6
- BGP
- NATs
- Ports
- Security
- Trademark
- AntiCybersquatter Consumer Protection Act
- Gripe Sites
- Truth in Domain Names

Derived From: Derived From: Lennard Kruger, Internet Domain Names: Background and Policy Issues, Congressional Research Service p 10 (Oct. 28, 2009)

The security and stability of the Internet has always been a preeminent goal of DNS operation and management. One issue of recent concern is an intrinsic vulnerability in the DNS which allows malicious parties to distribute false DNS information. Under this scenario, Internet users could be unknowingly redirected to fraudulent and deceptive websites established to collect passwords and sensitive account information.

A technology called DNS Security Extensions (DNSSEC) has been developed to mitigate those vulnerabilities. DNSSEC assures the validity of transmitted DNS addresses by digitally "signing" DNS data via electronic signature. "Signing the root" (deploying DNSSEC on the root zone) is a necessary first and critical step towards protecting against malicious attacks on the DNS.19 On October 9, 2009, NTIA issued a Notice of Inquiry (NOI) seeking public comment on the deployment of DNSSEC into the Internet's DNS infrastructure, including the authoritative root zone.20 On June 3, 2009, NTIA and the National Institute of Standards and Technology (NIST) announced they will work with ICANN and VeriSign to develop an interim approach for deploying DNSSEC in the root zone by the end of 2009.21

Meanwhile, section 8 of S. 773, the Cybersecurity Act of 2009, would require that any renewals or modifications made to DOC contracts regarding the operation of IANA be subject to review by a Cybersecurity Advisory Panel. S. 773 would also require NTIA to "develop a strategy to implement a secure domain name addressing system."

Derived From: NIST Special Publication (SP) 800-81, Secure Domain Name System (DNS) Deployment GuidePDF, Exec. Sum. May 2006

Because DNS data is meant to be public, preserving the confidentiality of DNS data pertaining to publicly accessible IT resources is not a security objective. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. Availability of DNS services and data is also very important; DNS components are often subjected to denial of service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components.

DNS is susceptible to the same types of vulnerabilities (platform, software, and network-level) as any other distributed computing system. However, because it is an infrastructure system for the global Internet, it has the following special characteristics not found in many distributed computing systems:

  • No well-defined system boundaries?participating entities are not subject to geographic or topologic confinement rules
  • No need for data confidentiality?the data should be accessible to any entity regardless of the entity?s location or affiliation.
  • Because of these characteristics, conventional network-level attacks such as masquerading and message tampering, as well as violations of the integrity of the hosted and disseminated data, have a completely different set of functional impacts, as follows:

  • A masquerader that spoofs the identity of a DNS node can deny access to services for the set of Internet resources for which the node provides information (i.e., domains served by the node). This denial is not only for a limited set of clients but also for the entire universe of all clients needing access to those resources.
  • Bogus DNS information provided by a masquerader or intruder can poison the information cache of the DNS node providing that subset of DNS information (i.e., the name server providing Internet access service to the enterprise?s users), resulting in a denial of service to the resources serviced by it.
  • Violation of the integrity of DNS information resident on its authoritative source or the information cache of an intermediary that has accumulated information from several historical queries may break the chained information retrieval process of DNS. This could result in either a denial of service for DNS name resolution function or misdirection of users to a harmful set of illegitimate resources.
  • If the name resolution data hosted by the DNS system violates content requirements as defined in DNS standards, it could have adverse impacts such as increased workload on the DNS system, or serving obsolete data that could result in denial of service to Internet resources. In most software, program data independence (as in conventional database management systems [DBMS]) provides a degree of buffer against adverse impacts due to erroneous data. In the case of DNS, the data content determines the integrity of the entire system.
  • Based on these functional impacts, the deployment guidelines for secure DNS presented by NIST consist of the following generic and DNS-specific recommendations:

  • Implement appropriate system and network security controls for securing the DNS hosting environment, such as operating system and application patching, process isolation, and network fault tolerance.
  • Protect DNS transactions such as update of DNS name resolution data and data replication that involve DNS nodes within an enterprises control. The transactions should be protected using hash-based message authentication codes based on shared secrets, as outlined in the Internet Engineering Task Force's (IETF) Transaction Signature (TSIG) specification.
  • Protect the ubiquitous DNS query/response transaction that could involve any DNS node in the global Internet using digital signatures based on asymmetric cryptography, as outlined in IETF's Domain Name System Security Extensions (DNSSEC) specification.
  • Enforce content control of DNS name resolution data using a set of integrity constraints that are able to provide the right balance between performance and integrity of the DNS system.
  • (ii) Secure the Domain Name System. DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains. The October 21, 2002 attacks on the core DNS root servers revealed a vulnerability of the Internet by degrading or disrupting some of the 13 root servers necessary for the DNS to function. The occurrence of this attack punctuates the urgent need for expeditious action to make such attacks more difficult and less effective. - U.S. National Strategy to Secure Cyberspace , February 2003 p. 30

    DNSSEC

    DNS Security (DNSSEC) refers to the addition of data authentication and integrity protection to the DNS protocol. This is accomplished by the inclusion of public keys and the use of digital signatures to DNS information.

  • DNSSEC
  • Modifies DNS resource records and protocols; introduces public key crypto.
  • Hierarchical model of trust
  • Validation of responses established by an authentication cahin from a known trust anchors
  • Chain can always be constructed from the root to the lower zones, assuming that the intermediary zones are validated
  • Root
  • Root Names Space - this is what DNSSEC would protect
  • Root infrastructure
  • DNSSEC is designed to

  • Provide Data Integrity
  • Provide origin authentication
  • authenticate denial of existence of record (its really not there)
  • Prevent Man in the Middle Attack
  • Helps deal with population from alternate roots, cache poisoning, hijacking of domain names.
  • Prevent Corrupt DNS Records. (RFC 3833)
  • DNSSEC does not

  • provide for confidentiality of data (DNS is an open public database)
  • prevent DDOS
  • Administrative requirements for DNSSEC include

  • Key generation and managment
  • Zone signing operations
  • DNSSEC implementation concerns include

  • Key security
  • What do you do if all keys are compromise
  • Creates a single point of failure - which must therefore be guarded carefully
  • Key rollover
  • Keys have a temporal dependancy and therefore need synchronized time
  • Key management
  • If the keys dont work for any particular reason, domain zones will simply vanish
  • Zone walking
  • Signed records are 3 to 5 times larger and require greater computational power
  • Administrative Concerns
  • The key question is who signs the root. DHS is concerned about this
  • IGP recommends that root be signed by multiple root key operators. IGP Paper released May 17, 2007. Diffuses responsibility across multiple parties.
  • Multiple signatures required in order to generate sufficient trust each time published
  • Add process to a procedure that is already demanding - creating more points of failure
  • Currently root zone is published twice a day every day
  • Signer of the root key decides who can edit the root and who can read the zone
  • Issue of liability for holding the key
  • Risk to economic infrastructures
  • One assumption was that IANA would sign the root. Prob: Signing the root does not appear to be within the contract between IANA/ICANN and USG.
  • Economic incentive problem
  • No incentive to invest in infrastructure until demand; no demand until there is an infrastructure
  • Issue of alternate roots - would appear to kill alternate root initiates
  • Alt Root would have to strip out ICANN root signatures and insert all of its own signatures
  • Currently, DNS Security is still in the experimental stage. There are currently several experimental tests of secure DNS zones. [NIST]

    DNSSEC Deployment Status
    RIPE NCC Zone by Zone as requested
    dot ORG Testbed
    Netherlands  
    Sweden  
    Japan  
    Verisign dot net  

    Trust anchor - signed areas within the DNS hierarchy without the whole hierarchy being signed. Where foo.acme is signed but .foo is not yet signed.

    DNSSEC Documentation

    DNSSEC Current Drafts

    DNSSEC Status

  • Sweden (.se) and Bulgarian TLDs are reportedly operational.
  • .ARPA signed by IANA pursuant to IAB instruction
  • RIPE's portion of in-addr.arpa is signed
  • .ORG, .COM, and .NET have test beds
  • Others are in progress (.AERO)
  • Implementing .gov
  • DNSSEC is apparently a fed procurement spec (TCP/IP, Y2K, and OSI were all fed procurement specs)
  • Browser and desktop will take a while. About half of root servers are ready; they all have to be ready.
  • US Goverment Activity

    Links

    Papers

    DNSSEC Webcast

    dnssecuritydnssecurity

    News

    © Cybertelecom ::