Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Cracking Internet: The urgency of DNSSEC

Information and a copy of the slides are available on the HAR2009 Wiki. You can also download the whitepaper on DNSSEC from http://dnssec.nu

Nice run through of the Kaminsky attack (as it’s being referred to now apparently) from last year.

There was a contest run at HAR2009 to see if anybody was able to bypass the new restrictions and poison the DNS cache on the server. Unfortunately nobody managed to succeed in the time given.

What is DNSSEC ?

Uses public key cryptography

DNSSEC doesn’t fix all our problems. DNSSEC doesn’t .:

  • protect confidentiality
  • protect against threats like DDoS
  • Guarentee of DNS records (human errors)

Currently DNSSEC is being implemented using a 2-tiered key model. Although this isn’t specifically in the spec.

Key Signing Key (large key size, long validity,…) is used to sign the Zone key (smaller key size, shorter validity,…)

Additional RRs (resource records)

  • For Public keys
    • DNSKEY
    • DS
  • For signatures
    • RRSIG
  • For authenticated denial of existance
    • NSEC
    • NSEC3

This increases the size of the zone, and will therefore increase the required bandwidth.

Current state of deployment

  • .gov
  • .org
  • .museum
  • .bg
  • .br
  • .cz
  • .pr
  • .se

.com and .net are planned to be signed by 2011 (this is more the 65% of all domains)

Root is likely to be signed before the end of 2009.

As the root isn’t yet signed, there are currently a number of islands of trust. Once the root is signed, then things will become more workable.

IANA has made an “Interim Trust Anchor Repository” (ITAR) available to http://itar.iana.org to help with the issue of islands of trust. Once the root is signed, then hopefully this will not be needed any longer. Even working with the ITAR list can be troublesome, as it is required to be downloaded (and validated against a hash value) and imported. It is also important to update the information as the keys expire and need to be refreshed.

DNSSEC is hard to do, but even critics agree that it is the only available solution at the moment.

There is a lack off available tools to assist in deployment of signed zones. DNS has always been very forgiving. However DNSSEC makes a small mistake something that could take your zone offline.


OpenDNSSEC –> http://www.opendnssec.org
Secure64 DNS Signer
Xelerance DNSX Signer
ZKT (Zone Key Tool)


  • Continue patching against attacks (keep with traditional DNS)
    • An arms race (which is already being lost=
    • Too heavyweight
    • Broken (see Dan Kaminsky)
  • TSIG/SIG(0)
    • Shared secrets ???
    • Doesn’t scale
  • DNScurve
    • Based on elliptic curve
    • Not available
  • DNS 0x20
    • Based on using capitalisation to introduce more entropy
    • Comparable to existing DNS infrastructure
    • Can it defend the root zones (too small to be effective, Com, cOm, coM, …)

Microsoft have commited to releasing DNSSEC tools in their next release of Windows 2008. What these tools are however, has not been made clear.


Comments are closed.

%d bloggers like this: