SlideShare une entreprise Scribd logo

An Introduction to DANE - Securing TLS using DNSSEC

Carlos Martinez Cagnazzo
Carlos Martinez Cagnazzo

This presentation is a tutorial intro to DANE (DNS Authentication of Named Entities). It describes the root problem, a possible solution using DANE, and briefly shows how you can starting using DANE and TLSA records yourself.

Ingénierie
1  sur  23
Télécharger pour lire hors ligne
A  Tutorial  Introduction   to  DANE Jan  Zorz /  ISOC Carlos  Martinez  /  LACNIC
Mechanics  of  Web  Browsing • Security? 1. DNS  query  for   www.google.com 2. TCP  connection  to  IP   obtained  in  (1) 3. Data  flows  in  plain  text Data  flowing  in  plain  text?  That  can  be   solved  by  encrypting  the  connection,  right   ?   Enter  TLS,  Transport  Layer  Security
Securing  and  Authenticating   Endpoints Application TLS   Handshake TLS  Record  Protocol TCP IP Link  and  Physical  Layers Application TLS   Handshake TLS  Record  Protocol TCP IP Link  and  Physical  Layers
TLS  Handshake ClientHello ServerHello ServerCertificate ServerKeyExchange ServerHelloDone [ClientCertificate] ClientKeyExchange ChangeCipherSpec ChangeCipherSpec Client Server
Digital  Certificates • A  Public  Key  Certificate  is  a  digital  document  that  binds   a  set  of  information  (fields)  with  a  public  key  and  is   digitally  signed. • Signatures  can  be  either  be  performed  by  a  third  party   or  by  the  issuer  itself  (self-­‐signed  certificates) • Validation • Observers  can  verify  the  digital  signature  of  the  certificate • Trust • Certificate  Authority  model • Signature  verification  is  followed  up  a  chain  until  reaching  a   commonly  agreed  trust  anchor
Digital  Certificates  (2) • Fields  and  flags  in  a  certificate  define  how,  where  and   when  the  certificate  can  be  used  and  define    is  valid  to   be  used • Valid-­‐from,  Valid-­‐until  times • Express  constraints  on  usage • Extensions • Lists  of  [type-­‐value-­‐critical_flag] • Examples • Key  usage • Extended  key  usage  (clientAuth,  serverAuth,  emailProtection,   ...  ) • RFC  3779  (Internet  number  resources)
Trust  Chain I’m  Carlos S4 I’m  LACNIC S3 Kpriv3 I’m  the  CA2 S2 Kpriv2 I’m  the   United   Nations S1 Kpriv1 I’m  Jan S7 I’m  Go6Labs S6 Kpriv6 I’m  the  ISOC S5 Kpriv5 ● Certs  are  public ● Private  keys  are  not   published,  but  held  by  their   owners  and  used  for  signing   when  needed ● A  common  root  serves  as   the  agreed  trust  anchor
Drawbacks  of  the  CA-­‐Based  Chain • Trust  anchors  can  (and  have  been)  successfully  attacked   • DigiNotar,  GlobalSign,  DigiCert Malaysia  are  just  some  examples • The  process  that  CAs  use  to  validate  information  provided   by  customers  can  be  subverted • CAs  are  slow  to  react  when  a  certificate  is  compromised • The  revocation  process  can  be  slow  and  is  based  on  the   concept  of  CRLs  that  have  to  be  downloaded  and  are  re-­‐ created  every  few  hours • [Check  https://tools.ietf.org/html/draft-­‐housley-­‐web-­‐pki-­‐ problems-­‐00 ]
The  DigiNotar Debacle • [https://www.enisa.europa.eu/media/news-­‐ items/operation-­‐black-­‐tulip]  
Shortcomings  of  the  Traditional  CA   Model • The  attack  surface  is  huge  and  growing! • A  CA  can  sign  for  ANY  domain,  and  for  the  browser  it’s   enough  to  find  one  CA  vouching  for  a  given  combination   of  domain  and  IP     This  is  the  list  of  TAs   trusted  by  default by  the   latest  version  of  Firefox.  
And  there  is  one  hole  more... • Any web  browsing  starts  with  a  DNS  query 1. DNS  query  for  www.google.com 2. TCP  connection  to  IP  obtained  in   (1) 3. Hopefully,  SSL  handshake 4. Data  flows Even  if  all  the  certificates  and  SSL   servers  are  configured  perfectly,   there  is  still  at  least  one  insecure   DNS  query Enabling DNSSEC for  the  server  domain  secures   the  query. Without  DNSSEC  no  connection  is  fully  secured   even  if  all  certificates  look  fine.
Enter  DANE
To  Keep  in  Mind • TLS  secures  communications,  prevents   eavesdropping,  allows  server  identification • When  a  client  (C)  connects  to  a  TLS-­‐protected   server  (S): • S  presents  C  with  a  X.509  certificate • C  must  check  whether: • Does  the  certificate  contain  the  correct  server  name? • Does  the  certificate  contain  the  correct  IP  address? • Is  the  server  certificate  signed  by  a  CA  I  trust  ?
DANE  – The  TLSA  DNS  Record What  if…  I  could  publish  my   digital  certificates  in  the  DNS   itself  ?   From  this  point  we  assume   all  DNS  zones  are  DNSSEC-­‐ signed.  
DANE  – The  TLSA  DNS  Record ; Zone example.com - Signed with DNSSEC example.com IN SOA (...) IN NS …. IN DNSKEY ... www.example.com. IN A 10.0.0.1 _443._tcp.www.example.com. IN TLSA …. From  this  point  we   assume  all  DNS  zones   are  DNSSEC-­‐signed.  
TLSA  Record  Overview • The  TLSA  DNS  record  is  our  friend! • Contains  information  binding  keys  or  certificates  to   domain  names  and  DNS  zones • Four  fields: • Certificate  usage  field • Selector  field • Matching  type  field • DATA _443._tcp.www.example.com IN TLSA 3 1 1 DATA “3” - Certificate usage field “1” - Selector field “1” - Matching type field DATA - Depends on the values of the above
DANE  Use  Cases • Now  the  operator  of  a  TLS-­‐enabled  server  can: • publish  a  complete  certificate  on  the  DNS • refer  in  the  DNS  to  a  CA  that  can  validate  the  certs   within  that  domain
1-­‐Slide  DANE  HOW-­‐TO • Sign  your  zone  with  DNSSEC • Configure  ‘HTTPS’  in  your  web  server • Create  a  digital  certificate  yourself  using  OpenSSL • Configure  Apache  or  your  web  server  of  choice • Create  TLSA  records  using  ldns-­‐dane • http://www.nlnetlabs.nl/projects/ldns/ • There  are  other  tools  out  there,  I  just  found  this  one  to   be  easy  to  use • Add  the  TLSA  records  to  your  DNS  zone  and  re-­‐sign • Wait  for  TTLs  to  expire….  et  voilá!
Browser  Support  Via  Plugins • CZ.NIC  has  implemented  a  nice  set  of  plugins  for   validating  https  connections  with  DANE  and  for   validating  DNSSEC
LACNICLabs Site  Before  DANE • Certificate  is  not   trusted • It’s  not  signed  by   any  known  CA
LACNICLabs After  DANE • Validated!
Drawbacks  ?  Sure… • There  is  a  bit  of  a  learning  curve • Browser  support,  still  in  its  infancy • Application  support  in  general • Dependent  on  DNSSEC  adoption
Thanks!

Recommandé

getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
Hack Proof: Software Design for a Hostile Internet
Hack Proof: Software Design for a Hostile InternetHack Proof: Software Design for a Hostile Internet
Hack Proof: Software Design for a Hostile InternetRob Bogue
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECDeploy360 Programme (Internet Society)
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Cloudflare
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSDeploy360 Programme (Internet Society)
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
OpenSSL
OpenSSLOpenSSL
OpenSSLTimbal Mayank
 

Recommandé

getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
Hack Proof: Software Design for a Hostile Internet
Hack Proof: Software Design for a Hostile InternetHack Proof: Software Design for a Hostile Internet
Hack Proof: Software Design for a Hostile InternetRob Bogue
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECDeploy360 Programme (Internet Society)
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Cloudflare
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSDeploy360 Programme (Internet Society)
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
OpenSSL
OpenSSLOpenSSL
OpenSSLTimbal Mayank
 
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat Security Conference
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Cloudflare
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Cloudflare
 
Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Cloudflare
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSDeploy360 Programme (Internet Society)
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor LabVelocidex Enterprises
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
OWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceOWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceToni de la Fuente
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkDeploy360 Programme (Internet Society)
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaRedis Labs
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteCloudflare
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL PracticesBrian A. McHenry
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
Detecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroAndrew Beard
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Trafficdkaya
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)Deploy360 Programme (Internet Society)
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 

Contenu connexe

Tendances

BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat Security Conference
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Cloudflare
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Cloudflare
 
Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Cloudflare
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
OWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceOWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceToni de la Fuente
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaRedis Labs
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteCloudflare
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
Detecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroAndrew Beard
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Trafficdkaya
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol DesignNate Lawson
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 

Tendances (20)

BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014
 
Sullivan red october-oscon-2014
Sullivan red october-oscon-2014Sullivan red october-oscon-2014
Sullivan red october-oscon-2014
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
OWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceOWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a Service
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without Parachute
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
Detecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using Bro
 
Sniffing SSL Traffic
Sniffing SSL TrafficSniffing SSL Traffic
Sniffing SSL Traffic
 
TLS/SSL Protocol Design
TLS/SSL Protocol DesignTLS/SSL Protocol Design
TLS/SSL Protocol Design
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 

Similaire à An Introduction to DANE - Securing TLS using DNSSEC

Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2Olle E Johansson
 
SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesNelson Calero
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPSJackio Kwok
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerBU
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsDavid Ochel
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 

Similaire à An Introduction to DANE - Securing TLS using DNSSEC (20)

ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANE
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured CommunicationsTLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured Communications
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprises
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 

Plus de Carlos Martinez Cagnazzo

Como brindar servicio de Internet (casi) sin IPv4
Como brindar servicio de Internet (casi) sin IPv4Como brindar servicio de Internet (casi) sin IPv4
Como brindar servicio de Internet (casi) sin IPv4Carlos Martinez Cagnazzo
 
Evolución del stack de protocolos de Internet - IPv6 y QUIC
Evolución del stack de protocolos de Internet - IPv6 y QUICEvolución del stack de protocolos de Internet - IPv6 y QUIC
Evolución del stack de protocolos de Internet - IPv6 y QUICCarlos Martinez Cagnazzo
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersCarlos Martinez Cagnazzo
 
Actualización sobre DNS en el IETF para LACNIC 28
Actualización sobre DNS en el IETF para LACNIC 28Actualización sobre DNS en el IETF para LACNIC 28
Actualización sobre DNS en el IETF para LACNIC 28Carlos Martinez Cagnazzo
 
Introduccion a RPKI - Certificacion de Recursos de Internet
Introduccion a RPKI - Certificacion de Recursos de InternetIntroduccion a RPKI - Certificacion de Recursos de Internet
Introduccion a RPKI - Certificacion de Recursos de InternetCarlos Martinez Cagnazzo
 
Seguridad de la Información para Traductores
Seguridad de la Información para TraductoresSeguridad de la Información para Traductores
Seguridad de la Información para TraductoresCarlos Martinez Cagnazzo
 
Mitigación de denegaciones de servicio en DNS con RRL
Mitigación de denegaciones de servicio en DNS con RRLMitigación de denegaciones de servicio en DNS con RRL
Mitigación de denegaciones de servicio en DNS con RRLCarlos Martinez Cagnazzo
 
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estadoNAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estadoCarlos Martinez Cagnazzo
 

Plus de Carlos Martinez Cagnazzo (20)

Como brindar servicio de Internet (casi) sin IPv4
Como brindar servicio de Internet (casi) sin IPv4Como brindar servicio de Internet (casi) sin IPv4
Como brindar servicio de Internet (casi) sin IPv4
 
Evolución del stack de protocolos de Internet - IPv6 y QUIC
Evolución del stack de protocolos de Internet - IPv6 y QUICEvolución del stack de protocolos de Internet - IPv6 y QUIC
Evolución del stack de protocolos de Internet - IPv6 y QUIC
 
RPKI en America Latina y el Caribe
RPKI en America Latina y el CaribeRPKI en America Latina y el Caribe
RPKI en America Latina y el Caribe
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident Responders
 
Evolución de Protocolos de Internet 2017
Evolución de Protocolos de Internet 2017Evolución de Protocolos de Internet 2017
Evolución de Protocolos de Internet 2017
 
Actualización sobre DNS en el IETF para LACNIC 28
Actualización sobre DNS en el IETF para LACNIC 28Actualización sobre DNS en el IETF para LACNIC 28
Actualización sobre DNS en el IETF para LACNIC 28
 
IPv6 Routing Table Prefix Size Analysis
IPv6 Routing Table Prefix Size AnalysisIPv6 Routing Table Prefix Size Analysis
IPv6 Routing Table Prefix Size Analysis
 
Internet of Things en el Dia de Internet
Internet of Things en el Dia de InternetInternet of Things en el Dia de Internet
Internet of Things en el Dia de Internet
 
Monitoreo de Red para Peering
Monitoreo de Red para PeeringMonitoreo de Red para Peering
Monitoreo de Red para Peering
 
An IPv6 Primer
An IPv6 PrimerAn IPv6 Primer
An IPv6 Primer
 
Introduccion a RPKI - Certificacion de Recursos de Internet
Introduccion a RPKI - Certificacion de Recursos de InternetIntroduccion a RPKI - Certificacion de Recursos de Internet
Introduccion a RPKI - Certificacion de Recursos de Internet
 
Enabling IPv6 Services Transparently
Enabling IPv6 Services TransparentlyEnabling IPv6 Services Transparently
Enabling IPv6 Services Transparently
 
LACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 WorldLACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 World
 
Seguridad de la Información para Traductores
Seguridad de la Información para TraductoresSeguridad de la Información para Traductores
Seguridad de la Información para Traductores
 
Mitigación de denegaciones de servicio en DNS con RRL
Mitigación de denegaciones de servicio en DNS con RRLMitigación de denegaciones de servicio en DNS con RRL
Mitigación de denegaciones de servicio en DNS con RRL
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
An Overview of RPKI
An Overview of RPKIAn Overview of RPKI
An Overview of RPKI
 
IPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsIPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPs
 
Una introduccion a IPv6
Una introduccion a IPv6Una introduccion a IPv6
Una introduccion a IPv6
 
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estadoNAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
 

Dernier

Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitterShivangiSharma879191
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
An introduction to Semiconductor and its types.pptx
An introduction to Semiconductor and its types.pptxAn introduction to Semiconductor and its types.pptx
An introduction to Semiconductor and its types.pptxPurva Nikam
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
Comparative Analysis of Text Summarization Techniques
Comparative Analysis of Text Summarization TechniquesComparative Analysis of Text Summarization Techniques
Comparative Analysis of Text Summarization Techniquesugginaramesh
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvLewisJB
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Satyam Kumar
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 

Dernier (20)

Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
An introduction to Semiconductor and its types.pptx
An introduction to Semiconductor and its types.pptxAn introduction to Semiconductor and its types.pptx
An introduction to Semiconductor and its types.pptx
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
Comparative Analysis of Text Summarization Techniques
Comparative Analysis of Text Summarization TechniquesComparative Analysis of Text Summarization Techniques
Comparative Analysis of Text Summarization Techniques
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 

An Introduction to DANE - Securing TLS using DNSSEC

  • 1. A  Tutorial  Introduction   to  DANE Jan  Zorz /  ISOC Carlos  Martinez  /  LACNIC
  • 2. Mechanics  of  Web  Browsing • Security? 1. DNS  query  for   www.google.com 2. TCP  connection  to  IP   obtained  in  (1) 3. Data  flows  in  plain  text Data  flowing  in  plain  text?  That  can  be   solved  by  encrypting  the  connection,  right   ?   Enter  TLS,  Transport  Layer  Security
  • 3. Securing  and  Authenticating   Endpoints Application TLS   Handshake TLS  Record  Protocol TCP IP Link  and  Physical  Layers Application TLS   Handshake TLS  Record  Protocol TCP IP Link  and  Physical  Layers
  • 5. Digital  Certificates • A  Public  Key  Certificate  is  a  digital  document  that  binds   a  set  of  information  (fields)  with  a  public  key  and  is   digitally  signed. • Signatures  can  be  either  be  performed  by  a  third  party   or  by  the  issuer  itself  (self-­‐signed  certificates) • Validation • Observers  can  verify  the  digital  signature  of  the  certificate • Trust • Certificate  Authority  model • Signature  verification  is  followed  up  a  chain  until  reaching  a   commonly  agreed  trust  anchor
  • 6. Digital  Certificates  (2) • Fields  and  flags  in  a  certificate  define  how,  where  and   when  the  certificate  can  be  used  and  define    is  valid  to   be  used • Valid-­‐from,  Valid-­‐until  times • Express  constraints  on  usage • Extensions • Lists  of  [type-­‐value-­‐critical_flag] • Examples • Key  usage • Extended  key  usage  (clientAuth,  serverAuth,  emailProtection,   ...  ) • RFC  3779  (Internet  number  resources)
  • 7. Trust  Chain I’m  Carlos S4 I’m  LACNIC S3 Kpriv3 I’m  the  CA2 S2 Kpriv2 I’m  the   United   Nations S1 Kpriv1 I’m  Jan S7 I’m  Go6Labs S6 Kpriv6 I’m  the  ISOC S5 Kpriv5 ● Certs  are  public ● Private  keys  are  not   published,  but  held  by  their   owners  and  used  for  signing   when  needed ● A  common  root  serves  as   the  agreed  trust  anchor
  • 8. Drawbacks  of  the  CA-­‐Based  Chain • Trust  anchors  can  (and  have  been)  successfully  attacked   • DigiNotar,  GlobalSign,  DigiCert Malaysia  are  just  some  examples • The  process  that  CAs  use  to  validate  information  provided   by  customers  can  be  subverted • CAs  are  slow  to  react  when  a  certificate  is  compromised • The  revocation  process  can  be  slow  and  is  based  on  the   concept  of  CRLs  that  have  to  be  downloaded  and  are  re-­‐ created  every  few  hours • [Check  https://tools.ietf.org/html/draft-­‐housley-­‐web-­‐pki-­‐ problems-­‐00 ]
  • 9. The  DigiNotar Debacle • [https://www.enisa.europa.eu/media/news-­‐ items/operation-­‐black-­‐tulip]  
  • 10. Shortcomings  of  the  Traditional  CA   Model • The  attack  surface  is  huge  and  growing! • A  CA  can  sign  for  ANY  domain,  and  for  the  browser  it’s   enough  to  find  one  CA  vouching  for  a  given  combination   of  domain  and  IP     This  is  the  list  of  TAs   trusted  by  default by  the   latest  version  of  Firefox.  
  • 11. And  there  is  one  hole  more... • Any web  browsing  starts  with  a  DNS  query 1. DNS  query  for  www.google.com 2. TCP  connection  to  IP  obtained  in   (1) 3. Hopefully,  SSL  handshake 4. Data  flows Even  if  all  the  certificates  and  SSL   servers  are  configured  perfectly,   there  is  still  at  least  one  insecure   DNS  query Enabling DNSSEC for  the  server  domain  secures   the  query. Without  DNSSEC  no  connection  is  fully  secured   even  if  all  certificates  look  fine.
  • 13. To  Keep  in  Mind • TLS  secures  communications,  prevents   eavesdropping,  allows  server  identification • When  a  client  (C)  connects  to  a  TLS-­‐protected   server  (S): • S  presents  C  with  a  X.509  certificate • C  must  check  whether: • Does  the  certificate  contain  the  correct  server  name? • Does  the  certificate  contain  the  correct  IP  address? • Is  the  server  certificate  signed  by  a  CA  I  trust  ?
  • 14. DANE  – The  TLSA  DNS  Record What  if…  I  could  publish  my   digital  certificates  in  the  DNS   itself  ?   From  this  point  we  assume   all  DNS  zones  are  DNSSEC-­‐ signed.  
  • 15. DANE  – The  TLSA  DNS  Record ; Zone example.com - Signed with DNSSEC example.com IN SOA (...) IN NS …. IN DNSKEY ... www.example.com. IN A 10.0.0.1 _443._tcp.www.example.com. IN TLSA …. From  this  point  we   assume  all  DNS  zones   are  DNSSEC-­‐signed.  
  • 16. TLSA  Record  Overview • The  TLSA  DNS  record  is  our  friend! • Contains  information  binding  keys  or  certificates  to   domain  names  and  DNS  zones • Four  fields: • Certificate  usage  field • Selector  field • Matching  type  field • DATA _443._tcp.www.example.com IN TLSA 3 1 1 DATA “3” - Certificate usage field “1” - Selector field “1” - Matching type field DATA - Depends on the values of the above
  • 17. DANE  Use  Cases • Now  the  operator  of  a  TLS-­‐enabled  server  can: • publish  a  complete  certificate  on  the  DNS • refer  in  the  DNS  to  a  CA  that  can  validate  the  certs   within  that  domain
  • 18. 1-­‐Slide  DANE  HOW-­‐TO • Sign  your  zone  with  DNSSEC • Configure  ‘HTTPS’  in  your  web  server • Create  a  digital  certificate  yourself  using  OpenSSL • Configure  Apache  or  your  web  server  of  choice • Create  TLSA  records  using  ldns-­‐dane • http://www.nlnetlabs.nl/projects/ldns/ • There  are  other  tools  out  there,  I  just  found  this  one  to   be  easy  to  use • Add  the  TLSA  records  to  your  DNS  zone  and  re-­‐sign • Wait  for  TTLs  to  expire….  et  voilá!
  • 19. Browser  Support  Via  Plugins • CZ.NIC  has  implemented  a  nice  set  of  plugins  for   validating  https  connections  with  DANE  and  for   validating  DNSSEC
  • 20. LACNICLabs Site  Before  DANE • Certificate  is  not   trusted • It’s  not  signed  by   any  known  CA
  • 22. Drawbacks  ?  Sure… • There  is  a  bit  of  a  learning  curve • Browser  support,  still  in  its  infancy • Application  support  in  general • Dependent  on  DNSSEC  adoption