DNSSEC

This month, SGVLUG member Carlos Meza will preview his SCALE 14x talk on DNSSEC. Why should you care?

"DNSSec is an absolute requirement if we want to ... use the Internet for anything non-trivial." - Cricket Liu, Leading expert on the Domain Name System (DNS)

"The Internet needs this technology and it needs it now" - Vint Cerf, Father of the Internet

"It is arguably one of the most important security improvements to the Internet ever." -Steve Crocker, Internet Pioneer and Chair of the Board of ICANN

Abstract:

DNS (Domain Name System) is used by everyone who is a consumer of the Internet. It is a core component of the Internet, yet it is completely insecure. This puts us all at risk. DNSSEC offers a solution to address the vulnerabilities of DNS . For this reason I hope stir up demand and motivation to deploy DNSSEC.

We will go over the basic of DNS and its vulnerabilities. Then we will go over how DNSSEC works and the solution it provides. As users, we will look at why it is important for our safety to require that our service providers (ISPs, Registrars, Hosted Services (banking, commerce, etc)) provide DNSSEC. And we will also look at some user-end tools available to advantage of DNSSEC today. We will go over reasons why companies would want to make the effort and investment. For sysadmins, we will go over tools to aid with deployment and some considerations to be aware of.

At its essence, DNS translates names, that humans understand, to IP addresses, that computers understand. This is how we are able to find other computers on the Internet (webpages, email servers, etc). But DNS does not provide a way to validate the answer we receive. This exposes all of us to a large vulnerability. Exploits such as DNS hijacking and DNS cache poisoning miss direct us and can lead us to potentially malicious computers. DNSSEC provides a solution to this by allowing authentication of DNS data through a chain-of- trust. Being able to trust DNS goes a long way to creating a safer Internet.

When we can trust DNS other things become possible. We can now leverage DNS to store other information such as cryptographic keys. This means we can store and trust self signed SSL certificates in DNS because it is now a trusted source. This eliminates the need for certificate authorities and the issues with them.

DNSSEC is a great improvement on a fundamental component of the Internet we all us.

Biography:

Carlos has worked many years as a system administrator. His interest include InfoSec, site reliability and automation, and open source development. While volunteering as an Interop Team Member, he was introduced to the significance of DNSSEC.

Links:

• Why you need to deploy DNSSec now
• DNSSEC Industry Coalition Meets with Google's Chief Internet Evangelist Vint Cerf and Internet Researcher Dan Kaminsky
• 2011 Steve Crocker speaks about DNSSEC Deployment