ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG [email protected].
-
Upload
charla-hicks -
Category
Documents
-
view
212 -
download
0
Transcript of ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG [email protected].
![Page 2: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/2.jpg)
ICANN - Cape Town 11/30/2004
Abstract
• Known Facts• Claimed problems• Way ahead
![Page 3: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/3.jpg)
ICANN - Cape Town 11/30/2004
Facts
• The introduction of DNSSEC with the current form of the specification provides Zone Enumeration:– http://josefsson.org/walker/
• An authoritative denial of existence of a given domain name delivers as a proof the next existing domain name.
• There were protocol changes to refuse AXFR
![Page 4: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/4.jpg)
ICANN - Cape Town 11/30/2004
Facts
• Some key players for a successful widespread deployment of DNSSEC consider this as a problem:– Security problem?– Policy problem?– Legal problem?
![Page 5: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/5.jpg)
ICANN - Cape Town 11/30/2004
Security problem?
• An attack begins by identifying your target:http://www.research.att.com/~smb/papers/dnshack.pdf
• “But domain names can be gathered by other means, for instance, dictionary attacks”– German + English dictionary + John the Ripper = 1%
of the de-zone– Brute force on all 8-characters delivers 13% of the
de-zone.– com-zone as a dictionary = 42% of the nl-zone
![Page 6: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/6.jpg)
ICANN - Cape Town 11/30/2004
Policy problem?
• DNS information is public...• ...there’s a qualitative difference between:
– Making data available as a query/response mechanism
– Making data available as a compilation• DENIC’s policy: http://www.denic.de/en/faqs/
allgemeine_faqs/index.html#section_185
![Page 7: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/7.jpg)
ICANN - Cape Town 11/30/2004
Legal problem?
• IANAL• Nominet’s position:
http://ops.ietf.org/lists/namedroppers/namedroppers.2004/msg00687.html
• DENIC’s position:– In conflict with Germany’s Federal Data
Protection Act
![Page 8: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/8.jpg)
ICANN - Cape Town 11/30/2004
Way ahead
• IETF dnsext wg decided to advance the current specification as a proposed standard
• Inmediately started to work on the problem following The Engineering Way (TM):– Listing the requirements for a denial of
existence– Weighting their relevance, since sometimes
trade-offs exist– Evaluating proposals
![Page 9: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/9.jpg)
ICANN - Cape Town 11/30/2004
Working documents
• http://www.ietf.org/internet-drafts/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt
• http://www.links.org/dnssec/requirements-matrix3.htm• http://www.links.org/dnssec/draft-laurie-dnsext-nsec2-0
2.txt• http://www.ietf.org/internet-drafts/draft-arends-dnsnr-
00.txt• http://www.ietf.org/internet-drafts/draft-ietf-dnsext-
dnssec-trans-01.txt
![Page 10: ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG baess@denic.de.](https://reader036.fdocuments.in/reader036/viewer/2022072013/56649e725503460f94b709ea/html5/thumbnails/10.jpg)
ICANN - Cape Town 11/30/2004
Many thanks for your attention!
Any questions?