1 / 8

Earl Crane Department of Homeland Security Office of the CIO

DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC). Earl Crane Department of Homeland Security Office of the CIO. Scott Rose National Institute of Standards and Technology. Technology Background.

chester-andrews
Download Presentation

Earl Crane Department of Homeland Security Office of the CIO

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DNSSEC & Email Validation Tiger TeamDHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department of Homeland Security Office of the CIO Scott Rose National Institute of Standards and Technology

  2. Technology Background • DNSSEC Overview • OMB M-08-23 “Securing the Federal Government's Domain Name System Infrastructure”. All agencies must deploy DNSSEC by December 2009. • Internet Systems Consortium: DNSSEC “only full solution” to DNS attacks • Considered more viable long-term solution • Cryptographic signatures over DNS data (not messages) • Assures integrity of results returned from DNS queries • Users can validate source authenticity and data integrity • Checks chain of signatures up to root • Protects against tampering in caches, during transmission • Email Validation overview • Detects and Blocks spoofed/forged mail • Sender Policy Framework (SPF) for domains that do not send email • “Path Based” - Senders publish acceptable message paths (IP) for domain • Near-zero deployment requirements for senders • DNS records only, no change to outbound servers • Domain Keys Identified Mail (DKIM) for domains authorized to send mail • “Signature based” - Senders insert digital cryptographic signature in emails for domain • Requires cryptographic operation by sender and receiver’s gateway infrastructure

  3. The “Kaminsky Bug” • Rapid, widespread and resilient • Reduces time required to poison recursive name server's cache • All known name server implementations are affected • Some more than others (took < 10s to poison the cache) • Most implementations patched; now as easy/difficult to poison as any other implementation • Even patched software vulnerable • cache poisoning attempt possible in < 10 hours

  4. What DNSSEC Provides Cryptographic signatures over DNS data (not messages) Assures integrity of results returned from DNS queries: Users can validate source authenticity and data integrity Checks chain of signatures up to root Chain completely contained within DNS (no PKI or X.509 certs needed) Protects against tampering in caches, during transmission Not provided: message encryption, security for denial-of-service attacks

  5. DNSSEC Chain of Trust “.” – DNS root. Trust Anchors installed on client resolvers. KSK ZSK KSK KSK se. gov. KSK KSK KSK ZSK ZSK ZSK KSKs KSKs KSK KSK nist.gov. opm.gov. • KSK’s often serve as the “anchor” of authentication chain. • The higher up in the tree, the more useful the trust anchor KSK KSK ZSK ZSK Data Data

  6. FNS Tiger Team: DNSSEC and E-Mail ValidationNetwork and Infrastructure Security Subcommittee, ISIMC, Federal CIO Council • FY11 FISMA Metrics for DNSSEC and Email Validation: • Network Security Protocols: DNSSEC: • % of external-facing second-level DNS Names signed; • % of external-facing DNS hierarchies with all sub-domains (second-level and below) signed • Boundary Protection: Email Validation: • % of agency email systems that implement sender verification (anti-spoofing) technologies when sending messages from/to government agencies or the public such as S/MIME, DKIM, and SPF.

  7. Current Federal DNSSEC Status

More Related