Category: DNSSEC

Oct 08

Watch LIVE Today – INET Trinidad and Tobago – IPv6, DNSSEC, More

INET Trinidad and TobagoAs we mentioned earlier this week,  the INET Trinidad and Tobago event starts TODAY bringing great Internet infrastructure information to the Caribbean region. Some of the presentations today covering IPv6 and DNSSEC include:

  • IPv6: What Is It? Why Is It Needed?
  • IPv6 Deployment: Business Cases and Development Options (in the Caribbean)
  • Securing the DNS and Internet Routes

The event continues tomorrow, Thursday, October 9, with a range of sessions related to Internet Exchange Points (IXPs), cybersecurity and trends in the overall industry.

You can watch the event live at:

http://new.livestream.com/internetsociety/inet-trinidad-and-tobago

The agenda can be found at:

http://www.internetsociety.org/events/inet-trinidad-and-tobago

Note that Trinidad and Tobago use Atlantic Standard Time (AST) which is UTC-4 and right now the same as US Eastern Daylight Time.

Our colleague Shernon Osepa has more information about the INET Trinidid and Tobago event in a post on our Internet Technology Matters (ITM) blog earlier this week.

Oct 07

CloudFlare Publishes Excellent Introduction To DNSSEC

CloudFlare logoThe team over at CloudFlare published an excellent introduction to DNSSEC today that is well worth a read.  CloudFlare has developed a reputation for writing blog posts that provide a solid level of technical depth and this one certainly does.  Nick Sullivan starts by walking through the basics of DNS and including some packet captures and nice illustrations. Then he gets into man-in-the-middle (MITM) attacks and provides a great graphic that very succinctly shows a MITM attack against DNS:

CloudFlare MITM example

Even better, Sullivan nicely explains the “Kaminsky Attack” and the situation that makes the attack possible.    He then plunges into DNSSEC, explains RRsets and RRSIGs, ZSKs and KSKs, and touches on the value of NSEC/NSEC3 to prove that records don’t exist.

All in all it is an excellent introduction and we’re very pleased to see CloudFlare publishing this piece.  Thanks to Nick Sullivan and his team for getting this out there!

As we’ve written about before, CloudFlare has been saying since the ICANN 50 DNSSEC Workshop back in July that they would have DNSSEC available for their customers by the end of 2014.  Their post today says “in the next six months”… but we’ll hope it comes in on the sooner side of that. :-)  It was also great to see the official announcement that CloudFlare has hired Olafur Gudmundsson, one of the developers of the first DNSSEC implementation many, many years ago and currently one of the co-chairs of the DANE Working Group within the IETF.  We’ve been working with Olafur over the past few years through our partnership with Shinkuro, Inc., where he worked before, and we’re delighted that he’s now working on DNSSEC at CloudFlare.

All great to see – and this will only help get DNSSEC much more widely deployed!

If you want to get started with DNSSEC today, please visit our Start Here page to find resources targeted at your role or type of organization. Help us make the Internet more secure today!

Oct 07

Simple DNSSEC Fact Sheet Now Available In English, French and Spanish

DNSSEC Fact SheetHave you ever wished that there was a simple “2-page” document that you could give people explaining DNSSEC and what it is all about?  Would you like a DNSSEC “handout” that you can distribute at events or send to colleagues or vendors?

If so, we’ve now added a “DNSSEC Fact Sheet” to our site in the following languages:

We’ll be adding versions in Arabic,  Chinese and Russian soon.

Please feel free to download these and use them in whatever way you wish.  Email them to people.  Print them out and pass them out at a meeting.  Distribute them on a conference USB drive… do whatever you want with them!

Because we may update the fact sheets from time to time, we would encourage you to direct people to this simple URL to find the fact sheets:

http://www.internetsociety.org/deploy360/dnssec/factsheet/

And please let us know any feedback you have on these documents.  We’re here to help you get DNSSEC more widely deployed and want to be as helpful as possible.  How can we help you get the information you need?

Finally, please do direct people to our Start Here page at https://www.internetsociety.org/deploy360/start/ so that they can find DNSSEC resources targeted at their role or type of organization.

P.S. You can expect to see a fact sheet for IPv6 coming soon…

Oct 06

INET Trinidad and Tobago To Cover IPv6, DNSSEC, IXPs and more

INET Trinidad and TobagoThis Wednesday and Thursday the INET Trinidad and Tobago event will bring a great amount of technical presentations to the Caribbean region. Starting on October 8, 2014, some of the presentations covering IPv6 and DNSSEC include:

  • IPv6: What Is It? Why Is It Needed?
  • IPv6 Deployment: Business Cases and Development Options (in the Caribbean)
  • Securing the DNS and Internet Routes

The event continues on Thursday, October 9, with a range of sessions related to Internet Exchange Points (IXPs), cybersecurity and trends in the overall industry.  It looks like a great event and the excellent news is that you can watch it all live at:

http://new.livestream.com/internetsociety/inet-trinidad-and-tobago

Note that Trinidad and Tobago use Atlantic Standard Time (AST) which is UTC-4 and right now the same as US Eastern Daylight Time.

Our colleague Shernon Osepa has more information about the INET Trinidid and Tobago event in a post on our Internet Technology Matters (ITM) blog earlier today.

Sep 29

Tunisia Signs .TN And Arabic IDN TLD With DNSSEC

Tunisia FlagLast Friday Tunisia became the latest country to be able to offer people registering domains in their country-code top-level domain (ccTLD) the higher security and trust that comes with DNSSEC. On September 26, 2014, DS records appeared in the root zone of DNS for two TLDs:

People who subscribe to our weekly distribution of DNSSEC deployment maps will have seen in the email message that went out this morning a new bright green country on the northern coast of Africa:

Africa with Tunisia highlighted

 

The data files will also reflect the status of the Arabic internationalized domain name (IDN) .تونس  although the data files reference that as “xn--pgbs0dh”.

Now, it is important to note that while the TLDs themselves are signed with DNSSEC and have a DS record in the root zone of DNS, this does NOT necessarily mean that second-level domains under these two TLDs can sign their domains and submit the DS records to the TLD registries.  That “Operational” stage of DNSSEC deployment will hopefully come soon, but that is something the TLD registries themselves have to start doing.  Please read our 5 Stages of DNSSEC Deployment page to understand where these TLDs are in the deployment cycle.

What this does mean is that there is one fewer barrier in the way for domain registrants who want to sign their domain under either .TN or .تونس. At some point soon they will hopefully be able to follow our information about how to sign your domain and upgrade the security of their domains.

Congratulations to the Agence Tunisienne d’Internet in Tunisia for making this happen!  It’s great to see ccTLDs throughout Africa starting to add the security of DNSSEC – we look forward to seeing the whole continent appear green on our maps!

P.S. Tunisian flag image courtesy of Wikipedia.

Sep 26

CloudFlare Re-affirms Goal of DNSSEC Support By End of 2014

CloudFlare logoOver on ThreatPost, Dennis Fisher wrote about “Small Signs Of Progress On DNSSEC” reporting on a presentation by CloudFlare’s Nick Sullivan at the Virus Bulletin conference in Seattle this week.  The article didn’t go deeply into DNSSEC (as our tutorial pages do) but did have this point which is key to me:

Sullivan said CloudFlare, one of the larger DNS providers in the world, plans to deploy DNSSEC on its network by the end of the year.

To no surprise, this reaffirms what CloudFlare’s John Graham-Cumming stated back in June at the ICANN 50 DNSSEC Workshop in London where he presented a set of slides that are available for download.  From what Graham-Cumming said in London, the intent was to make DNSSEC available to customers with as simple a switch as CloudFlare has done today with IPv6.

I highlight this because the content distribution networks (CDNs), of which CloudFlare is an example, are one of the major stumbling blocks for many companies to be able to sign their domains with DNSSEC.  Typically this is because of either:

1. The CDN vendor is also providing the DNS hosting for the domain (so that they can use DNS for load balancing and distribution to CDN edge servers) and would therefore be the one to do the DNSSEC signing of the zone; or

2. The CDN vendor is hosting the website via a CNAME, with the issue then that the company can sign their domain, but when DNSSEC validation hits the CNAME it has to restart, and typically the site referenced in the CNAME will not be signed because it is hosted on the CDN.

As John Graham-Cumming presented in his slides, there definitely ARE challenges related to DNSSEC-signing for CDNs and vendors providing global load balancing.  BUT… we as an industry have to figure out solutions so that we can get domains signed that are hosted by CDN vendors.

We’re thrilled that CloudFlare is again indicating that they will enable DNSSEC by the end of 2014 to provide a higher level of trust and security for their customers. We’re looking forward to seeing the nice spike in signed domains that should come from CloudFlare doing this.  And… we do hope to see the other major CDN vendors offering this soon, too!  Working together we can make the DNS part of Internet communication that much more secure!

P.S. Want to get started with DNSSEC?  Visit our Start Here page to find resources targeted for your role or type of organization.

Sep 19

Video: Geoff Huston – what if everyone did DNSSEC? (APNIC 38)

What if everyone enabled DNSSEC?  What would happen to your network? Should you be scared?

The good folks at APNIC are out with a video from Geoff Huston answering these questions:

If you want to get started with DNSSEC so that your domain name can be secure from being impersonated, please visit our Start Here page to find resources targeted for your type of organization.

Help us make the Internet more secure – deploy DNSSEC validation and start signing your domains NOW!

P.S. For a good example of HOW DNSSEC can help protect you, please read our recent article about email hijacking attacks that are going on now – but could be prevented by the use of DNSSEC.

Sep 12

Email Hijacking – New Research Shows Why We Need DNSSEC Now!

Want a great example of why we need DNSSEC now?  Consider this new research from the CERT/CC team at Carnegie Mellon University that finds that someone is hijacking email messages to relay them through another email server.  The messages are being delivered, but it’s unknown whether they are being modified before delivery or simply logged and monitored.  As they say:

The disconcerting aspect of this work is not how many domains we see being poisoned, as there are relatively few, but which domains they are. We observe changes in A records so that a domain resolves to a different IP address. But the domains being targeted are often listed as name servers or mail exchanges for other domains. The biggest free webmail providers have been repeatedly victimized on some unknown (but likely smaller) subsection of the Internet sometime during the last year.

Someone… or multiple entities… appear to be poisoning DNS caches so that they can interject their own mail server into the delivery path of the email messages.  The CERT/CC team goes on to explain the attack and provides a very useful diagram:

Figure 2 diagrams how this usual process can be thwarted if the DNS answer for the IP address of the destination MX is changed. The mail message makes an unintended pit stop at the poisonous IP address. That server can then forward the message to its intended destination. Since mail is transmitted asynchronously, the sender and recipient are not likely to notice anything out of the ordinary. The sending IP address in the message header would likely reflect the diversion, but since mail handling often has a few exchanges before the final destination, it is not immediately obvious to anyone along the path that the diversion was out of the ordinary. 

MX cache poisoning

They go on to outline the potential outcome of the attack:

Unless the whole message is cryptographically protected, the intermediate server can read and modify the message, or append malicious content. This attack would defeat opportunistic TLS encryption between MXs that is meant to ensure the confidentiality of messages in transit. And there are some small changes the intermediary could make to the mail that would make the attack worthwhile, such as changing a bank account number for a home purchase deposit.

Essentially, the attacker could do anything they want with the email message as it is now in their possession, including:

  • Modify the message to either add, change or remove content
  • Log the message (and all of its content) in some large database
  • Simply drop the message (i.e. don’t deliver it) so that the recipient never gets the message

The researchers don’t yet know who is behind this redirection.  It could be:

  • Criminals
  • Nation states (ex. intelligence agencies)
  • Other security researchers

All they know is someone is hijacking delivery of email messages for some reason – and they are seeking help from the larger Internet community!  (Please see the bottom of their post.)

How To Protect Your Email Delivery

As the researchers note, DNSSEC is designed to prevent this type of hijacking of DNS information.  This type of hijacking would be prevented if:

1. The recipient’s domain name was signed with DNSSEC which means that the MX records (and all other DNS records) would have a cryptographic signature added.

2. The sender’s local DNS resolver was performing DNSSEC validation in which it checked the DNSSEC signatures.

Had this been in place, then the sending mail server would not have received the false MX record and would not have delivered the email to the attacker’s server.  You can read more in our document about the two sides of DNSSEC.

This hijacking of email messages is going on right now on an ongoing basis according to the researchers, and so you can take two steps to ensure that your email messages are not being hijacked:

1. Sign Your Domain With DNSSEC

The first step is to sign your domain with DNSSEC so that your MX records are protected.  If you do not operate your own DNS servers, this may involve you contacting your DNS hosting provider or DNS registrar to ask them to perform DNSSEC-signing on your domain.  We have some information about how to do this here:

and ICANN has a list of some of the registrars that provide some degree of DNSSEC support.

If you do operate your own authoritative name servers for your domain, then you can determine what you need to do to sign the domain with DNSSEC.  Many of the common authoritative name servers such as BIND, NSD, Knot and Microsoft Windows Server 2012 all include support now for DNSSEC signing.  There are also additional tools such as OpenDNSSEC that can help make this work smoothly.  Some of the resources that may help:

Once you have signed your domain, you will then need to communicate your “DS record” to your parent zone (often the top-level domain) by way of your registrar.  See our page about working with registrars for more information.

2. Turn On DNSSEC Validation On Your Network

With signing, inbound email messages to you will not be hijacked (assuming the sender is performing DNSSEC validation), but the possibility will still exist for outbound messages you send to be hijacked if your mail server doesn’t learn the correct address for the recipient’s mail server.

To enable this layer of protection, all you need to do is turn on DNSSEC validation on your local DNS server – or whatever DNS resolver your email server uses.   That is the important part because in this instance we are trying to protect email delivery.  You want your email server to be getting the correct DNS information.

We wrote about how to do this and recommend an excellent whitepaper from SURFnet that explains how to easily do this with three of the common DNS resolvers: BIND, Unbound and Microsoft Windows Server.

Now… if you don’t control the local DNS server – for instance, if you use the DNS resolver at your local Internet service provider (ISP) – then you need to contact that organization to find out if they can enable DNSSEC validation.

If your ISP is unwilling/unable to turn on DNSSEC validation, you could set your mail server to use external DNS servers that perform DNSSEC validation such as Google’s Public DNS, but we don’t recommend this unless it is your last resort because using such a distant DNS server provides a lot of room for an attacker to still inject fake packets.  As we wrote about in our “plan for DNSSEC validation“, the ideal is to have the DNSSEC validation happening as close as possible to the mail server (in this case).    It would be much safer, and perhaps quite easy, to install a local DNSSEC-validating resolver on or near your mail server itself.

 

With those two steps, you will protect the delivery of email to your domains – and protect your mailserver from delivering email to whomever is out there right now hijacking all these messages.

Let’s do that today, okay?  If we all do it now we can make the Internet that much safer and more secure!

If you’d like more information about DNSSEC, please see our “Start Here” page to find resources tailored to your type of organization and role – and please let us know if you need even more information!

Sep 10

Any Ideas For A Better Color Scheme For Our DNSSEC Deployment Maps?

Do any of you have any suggestions for a better palette of colors for us to use for our DNSSEC deployment maps?  We generate them every Monday morning and send them out to a public mailing list (to which any of you are welcome to subscribe).  Here is a recent global view (click/tap to see larger image):

2014-09-02-2014-09-02

My issue (and maybe this is just me) is that I’m not entirely fond of the colors used in the “early” stages of a TLD’s deployment.  As we note on the deployment maps page, we track a TLD through five stages of DNSSEC deployment:

  • Experimental – Internal experimentation announced or observed
  • Announced – Public commitment to deploy
  • Partial – Zone is signed but not in operation (no DS in root)
  • DS in Root – Zone is signed and its DS has been published
  • Operational – Accepting signed delegations and DS in root

The most important states are the final two when DNSSEC for the TLD is “working”.  I like the existing green colors for those two states, although the “DS in Root” green is perhaps a bit brighter than I would want.  The point is that we want to use green to show the “good” states of DNSSEC deployment – and over time we’d like to see the whole map go to that darker shade of green.

It is the first three states that bother me a bit.  There is a progression between those three states as it often goes like this:

  • Someone from a TLD says at a conference or on a mailing list that they are experimenting with DNSSEC.  We can then flag them as “Experimental”.
  • Perhaps next someone from that TLD issues a formal statement, publishes a blog post or these days sends out a tweet or posts another social media update saying that they are going to deploy DNSSEC.  We can then flag them as “Announced”.
  • Then at some point the TLD’s zone is actually signed with DNSSEC, but the DS key hasn’t been uploaded to the root.  Now we can put them as “Partial” in the database.

In my ideal world I’d have some color progression that shows the movement along this path.  The orange, yellow and blue we currently use don’t really show a progression.   I’ve tried using different shades of yellow or orange but you also want it to be easy to determine what state a given TLD is in – and for that the current set of colors does work.

Anyway… if anyone has ideas I’d be open to hearing them.  The software we’re using can set the colors to be any of the typical hex-encoded colors used in web pages.  It can’t do shading or lines or anything like that, just colors.

Please feel free to leave suggestions here – or contact me directly at york@isoc.org.  Thanks!

P.S. And if you would like to help get more domains signed with DNSSEC, please see our “Start Here” page to find resources targeted at your type of organization!

Sep 09

Watch ION Belfast Live TODAY To Learn About IPv6, DNSSEC, BGP and more

ION Belfast LogoWant to learn the current state of IPv6 deployment? DNSSEC? Securing BGP and more? If so you can watch LIVE today our ION Belfast event at:

http://uknof.bogons.net/uknof29.html

Today’s ION agenda begins at 1:45 pm British Summer Time (UTC+1) and is packed with information about our topics. Sessions include:

  • Two Years After World IPv6 Launch: Are We There Yet?
  • Why Implement DNSSEC?
  • IPv6 Success Stories – Network Operators Tell All!
  • IETF Update
  • Panel: Routing Around Catastrophe
  • Securing BGP

There are an outstanding set of speakers and we’re very excited to hear their sessions and the conversations that will emerge out of them.

All the sessions will be streamed live and will be recorded for later posting on our Deploy360 YouTube channel.

Please join us as it should be a great event!

NOTE: As we mentioned yesterday, there are also what look to be some excellent sessions happening in the morning UK time as part of the UKNOF agenda.  In particular, these two sessions should be of interest to those concerned about IPv6:

  • 11:30 BST – What went wrong with IPv6?
  • 12:00 BST – IPV6-only Data Centres: What happens when you turn off IPv4

They, too, will be webcast on the same live stream link and will be recorded for later viewing.

Again, it should be an outstanding day at the combined UKNOF / ION Belfast event – we do hope you will join us!

P.S. And if you are motivated to deploy these technologies such as IPv6 and DNSSEC, please visit our Start Here page to find resources to help you get started!