
Using the DNS as a Trust Infrastructure with DNSSEC

Scott Rose, NIST {scott.rose@nist.gov}. IDTrust 2010, April 14, 2010.


Presentation Transcript


  1. Using the DNS as a Trust Infrastructure with DNSSEC Scott Rose NIST {scott.rose@nist.gov} IDTrust 2010, April 14, 2010

  2. About DNS
  • Worldwide database, the most widely deployed standards-based name system
  • “PKI without the ‘K’” – Dan Kaminsky
  • Essential component of the Internet
  • Robust even in the presence of some errors
  • Often the first part of any Internet transaction
  • Due to its lightweight, distributed nature, attacks are very difficult to detect:
    • cache poisoning
    • response re-writing
  • In response, the IETF developed the DNS Security Extensions (DNSSEC)

  3. What DNSSEC Provides
  • Cryptographic signatures in the DNS
  • Integrates with existing server infrastructure and user clients (i.e. backwards compatible)
  • Assures the integrity of results returned from DNS queries:
    • Users can validate source authenticity and data integrity
    • Checks the chain of signatures up to the root
    • Protects against tampering in caches and during transmission
  • Not provided: confidentiality, protection against denial-of-service attacks

  4. DNSSEC Chain of Trust
  [Figure: zone tree from the root down. “.” (the DNS root; trust anchors installed on client resolvers) above TLDs such as se. and gov.; gov. above nist.gov. and opm.gov. Each zone is shown with its KSK and ZSK: the KSK signs the ZSK, the ZSK signs the zone’s data, and the chain runs from each parent zone down to its children’s KSKs.]
  • KSKs often serve as the “anchor” of the authentication chain.
  • The higher up in the tree, the more useful the trust anchor.

  5. Deployment is Real
  • Several TLDs and lower zones are signed now
    • .gov, .org, and country codes like .us, .se, .br…
    • .edu, .net and .com are planning to deploy by 2011
  • Drivers to deploy in .gov: OMB mandate and FISMA
  • Root zone to be signed by July 1, 2010
  • What’s missing / still in development?
    • Application support
    • A stable means to distribute trust anchors
    • Full registrar support

  6. DNSSEC Becoming a Feature
  • Tools available, from open source software to turnkey appliances
  • Becoming available from ISPs (Comcast)
  • Integrated into Windows 7 and Windows Server 2008 R2, managed via Group Policy
  • Some application patches available
    • Firefox browser and Thunderbird email client
    • Third-party plug-ins and patches

  7. So What Does This Get Us?
  • A single, distributed, global, lightweight trust infrastructure
  • DNS is a lookup protocol: different types of data can be placed in the DNS
    • Example: digital certs, SSH key hashes
    • All would be DNSSEC signed
  • Could we use this to bootstrap trust between organizations?
    • Both would have a common third-party trust anchor (the root zone, for example)
    • Data needed to establish trust in other protocols could be stored in an organization’s DNS zone (and signed)

  8. Examples – Bootstrapping Trust
  • Crude transport security
    • Encode public keys in DNS CERT RRs to set up secure communication, or SSH key hashes in SSHFP RRs
    • The CERT RR is protected by a DNSSEC signature; the IP address of the server is also protected
    • Not ideal, but could work
    • Need to be sure you are actually talking to the actual server (no IP address spoofing)
  • Signed email
    • User public keys encoded in CERT RRs (e.g. scottr@nist.gov becomes “scottr.nist.gov IN CERT …”)
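Added example (not from the presentation): how an SSHFP record is derived from an OpenSSH host key line and how a client checks the host key a server presents against the records it fetched. The host key bytes and the name host.example. are constructed; the algorithm and fingerprint-type numbers are the registry values from RFC 4255, RFC 6594 and RFC 7479.

```python
"""SSHFP records (RFC 4255, RFC 6594, RFC 7479) from an OpenSSH public key line, and the check a
client makes against the host key the server presents. Added example, not from the presentation;
the host key below is constructed, not any real server's key."""
import base64, hashlib, struct

# SSHFP algorithm numbers by OpenSSH key type, and fingerprint types 1 = SHA-1, 2 = SHA-256
ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
             "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(line):
    """Return (key type, wire-format blob) from a 'type base64 [comment]' line. The type is read
    from inside the blob, which is the object the server proves possession of; the text is a hint."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack("!I", blob[:4])
    inner = blob[4:4 + tlen].decode()
    if inner != ktype:
        raise ValueError(f"text says {ktype} but blob says {inner}")
    return inner, blob

def sshfp_rdata(blob, ktype, fptype=2):
    """SSHFP RDATA: algorithm, fingerprint type, hash of the whole public key blob."""
    return struct.pack("!BB", ALGORITHM[ktype], fptype) + FPTYPE[fptype](blob).digest()

def sshfp_record(owner, line, fptype=2):
    """Presentation format, e.g. 'host.example. IN SSHFP 4 2 <hex>' (the form ssh-keygen -r produces)."""
    ktype, blob = key_blob(line)
    rdata = sshfp_rdata(blob, ktype, fptype)
    return f"{owner} IN SSHFP {rdata[0]} {rdata[1]} {rdata[2:].hex()}"

def host_key_matches(records, presented_line):
    """Client side (RFC 4255 section 2.1): accept only if a validated SSHFP record carries the
    presented key's algorithm and a matching fingerprint; unknown fingerprint types are skipped."""
    ktype, blob = key_blob(presented_line)
    for rdata in records:
        alg, fptype = rdata[0], rdata[1]
        if alg == ALGORITHM[ktype] and fptype in FPTYPE and FPTYPE[fptype](blob).digest() == rdata[2:]:
            return True
    return False

def constructed_key_line(ktype, raw, comment="constructed"):
    """OpenSSH public key line around constructed key material (ed25519 blob = string type || string key)."""
    s = lambda b: struct.pack("!I", len(b)) + b
    return f"{ktype} {base64.b64encode(s(ktype.encode()) + s(raw)).decode()} {comment}"
```

The record only carries the trust that DNSSEC gives it: OpenSSH's VerifyHostKeyDNS option treats a matching SSHFP record as authoritative only when the resolver reports the answer as DNSSEC-validated, which is the "do you trust the recursive server" question of slide 9. Because the fingerprint is over the key blob, what gets checked is the key the server proves possession of, not the IP address that was reached.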

  9. Some Things to Keep in Mind
  • DNS has caching and no revocation mechanism
    • Data is considered valid as long as the signature is valid (replay attacks are possible)
    • DNS updates might not be seen until old data times out of caches
  • DNSSEC validation would have to be done by the client, or by a trusted recursive server
    • Right now, stub clients on desktop/laptop systems rely on an upstream cache to do most of the work (including validation)
    • Do you always trust the recursive server? What about Wi-Fi hotspots?
  • No cross-signing
    • The hierarchy is built upon the existing DNS hierarchy (so “example.com” can’t authenticate “sub.example.org”)
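Added example covering slides 4 and 9 (not from the presentation or from NIST): a model of the chain-of-trust walk, from a root trust anchor through DS records and KSK-signed DNSKEY RRsets to ZSK-signed data, with RRSIG validity windows, so that the replay caveat above can be reproduced: a captured signed answer still validates after the zone has changed, until its RRSIG expires. The key tag and DS digest computations follow RFC 4034; the RRset canonical form and RRSIG layout are simplified; the signature algorithm is a demo-grade toy RSA (not secure, not interoperable with RSASHA256); the zone names under the root, the 2010-04-14 clock value and the 192.0.2.10 address are constructed.

```python
"""Chain-of-trust walk modelled on DNSSEC (RFC 4033-4035). Added example, not from the
presentation or from NIST. Key tag and DS digest follow RFC 4034; RRset canonical form and
RRSIG layout are simplified; the toy RSA is demo-grade, neither secure nor RSASHA256-compatible."""
import hashlib, random, struct

KSK, ZSK, ALG = 257, 256, 8   # DNSKEY flags; 8 = RSASHA256, used as a label only

def _prime(bits):   # random odd candidate passing a Fermat test on 20 random bases (demo-grade)
    while True:
        c = random.getrandbits(bits) | 1 << (bits - 1) | 1
        if all(pow(a, c - 1, c) == 1 for a in random.sample(range(2, 1 << 20), 20)):
            return c

def keygen(bits=512):   # toy RSA pair ((n, e), (n, d)); redraws if e is not invertible mod phi
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        try:
            return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))
        except ValueError:
            continue

def wire_name(name):   # canonical owner name: lower-case, length-prefixed labels, root = 0x00
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, pub):   # flags, protocol 3, algorithm, then exponent || modulus
    n, e = pub
    return struct.pack("!HBB", flags, 3, ALG) + e.to_bytes(3, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def key_tag(rdata):   # RFC 4034 Appendix B, over the whole DNSKEY RDATA
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_rdata(owner, key):   # key tag, algorithm, digest type 2, SHA-256(owner || DNSKEY RDATA)
    return struct.pack("!HBB", key_tag(key), ALG, 2) + hashlib.sha256(wire_name(owner) + key).digest()

def _digest(owner, rtype, rdatas, inception, expiration, signer, tag):   # hash of RRSIG fields || canonical RRset
    rrset = b"".join(wire_name(owner) + rtype.encode() + r for r in sorted(rdatas))
    return int.from_bytes(hashlib.sha256(struct.pack("!IIH", inception, expiration, tag) + wire_name(signer) + rrset).digest(), "big")

def rrsig(owner, rtype, rdatas, signer, key, priv, inception, expiration):
    n, d = priv
    tag = key_tag(key)
    return inception, expiration, signer, tag, pow(_digest(owner, rtype, rdatas, inception, expiration, signer, tag), d, n)

def verify_rrset(owner, rtype, rdatas, sig, trusted_keys, now):   # trusted_keys: authenticated DNSKEY RDATAs
    inception, expiration, signer, tag, raw = sig
    if not inception <= now <= expiration:
        return False   # outside the validity window; a validator needs a correct clock
    h = _digest(owner, rtype, rdatas, inception, expiration, signer, tag)
    return any(key_tag(k) == tag and pow(raw, int.from_bytes(k[4:7], "big"), int.from_bytes(k[7:], "big")) == h
               for k in trusted_keys)

def make_zone(name, inception, expiration):
    (ksk_pub, ksk_priv), (zsk_pub, zsk_priv) = keygen(), keygen()
    keys = [dnskey_rdata(KSK, ksk_pub), dnskey_rdata(ZSK, zsk_pub)]
    return {"name": name, "dnskey": keys, "zsk": zsk_priv, "window": (inception, expiration), "records": {},
            "dnskey_sig": rrsig(name, "DNSKEY", keys, name, keys[0], ksk_priv, inception, expiration)}

def publish(zone, owner, rtype, rdatas):   # sign an RRset with the ZSK (NSEC/NSEC3 omitted)
    inc, exp = zone["window"]
    zone["records"][(owner, rtype)] = (rdatas, rrsig(owner, rtype, rdatas, zone["name"], zone["dnskey"][1], zone["zsk"], inc, exp))

def delegate(parent, child):   # DS records for the child's KSK(s) in the parent: the registrar's job
    ksks = [k for k in child["dnskey"] if struct.unpack("!H", k[:2])[0] == KSK]
    publish(parent, child["name"], "DS", [ds_rdata(child["name"], k) for k in ksks])

def validate(zones, anchor_ds, owner, rtype, now, rrset=None):
    """Walk from the trust anchor down to owner; return the authenticated RDATAs or raise ValueError.
    rrset=(rdatas, sig) checks a captured answer instead of the zone's current one."""
    ancestors = [z for z in zones.values() if z["name"] == "." or owner == z["name"] or owner.endswith("." + z["name"])]
    path = sorted(ancestors, key=lambda z: len(wire_name(z["name"])))
    expected_ds = anchor_ds
    for i, zone in enumerate(path):
        keys = zone["dnskey"]
        ksks = [k for k in keys if ds_rdata(zone["name"], k) in expected_ds]   # the DS -> KSK link
        if not ksks:
            raise ValueError(f"no DNSKEY of {zone['name']} matches the DS set / trust anchor")
        if not verify_rrset(zone["name"], "DNSKEY", keys, zone["dnskey_sig"], ksks, now):
            raise ValueError(f"DNSKEY RRset of {zone['name']} failed validation")
        last = i == len(path) - 1   # every key in the authenticated DNSKEY RRset is now trusted
        name, typ = (owner, rtype) if last else (path[i + 1]["name"], "DS")
        rdatas, sig = rrset if last and rrset else zone["records"][(name, typ)]
        if not verify_rrset(name, typ, rdatas, sig, keys, now):
            raise ValueError(f"{typ} RRset for {name} failed validation in {zone['name']}")
        expected_ds = rdatas
    return rdatas

def build_demo(now=1271203200):   # constructed: root -> gov. -> nist.gov., clock 2010-04-14T00:00:00Z
    window = (now - 86400, now + 30 * 86400)   # RRSIGs valid from a day before to 30 days after
    root, gov, nist = (make_zone(n, *window) for n in (".", "gov.", "nist.gov."))
    publish(nist, "www.nist.gov.", "A", [bytes([192, 0, 2, 10])])   # documentation address
    delegate(gov, nist)
    delegate(root, gov)
    anchor = [ds_rdata(".", root["dnskey"][0])]   # the resolver's configured trust anchor
    return {z["name"]: z for z in (root, gov, nist)}, anchor, now
```

validate() raises ValueError for anything a real validator would mark bogus (no DS match for the KSK, a bad signature, or a time outside the RRSIG window). To see the replay window of slide 9, call build_demo(), keep the signed A RRset from zones["nist.gov."]["records"], publish() a replacement address, and pass the kept RRset back through validate(): it is still accepted at any time inside its window and rejected once `now` passes the expiration, which is the only "revocation" DNSSEC offers.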

  10. Resources
  • General information: http://www.dnssec.net/
  • NIST DNSSEC Testbed: http://www.dnsops.gov/
  • DNSSEC Deployment Initiative: http://www.dnssec-deployment.org/
  • Root Zone DNSSEC Deployment: http://www.root-dnssec.org/
