Interview with Shumon Huque on his DNSSEC class

Shumon Huque is teaching two classes at LISA13: DNSSEC and IPv6. I'd already had the chance to interview him about IPv6, but I couldn't leave well enough alone, so I badgered him about the DNSSEC classs, and he was gracious enough to answer. Thanks Shumon! Here's what he had to say: 

Matt Simmons: Can you give us an overview of what DNSSEC is, and the problem it solves?

Shumon Huque: DNSSEC is a system to verify the authenticity of data in the DNS. Zone owners publish public key signatures for every DNS record set (e.g. A records,  AAAA records, MX records, etc) in their zones. DNS resolvers elsewhere check these signatures.

DNSSEC detects attacks that try to falsify responses to DNS queries, for example, an attempt to provide an incorrect address for www.amazon.com. These attacks could happen by direct spoofing via man-in-the-middle-attacks, or via a category of blind attacks called cache poisoning, most effectively demonstrated by Dan Kaminsky in 2008. If an attacker returning a false response, cannot also return an authentic signature, then DNS resolvers should be able to discard that response as unauthentic.

There are additional benefits that have been envisioned. Since DNSSEC provides an authenticated global database, it's possible to use it to securely publish cryptographic keys that could then be employed by many application security protocols.  You could for example use the DNS to securely store and retrieve fingerprints for SSH host keys, IPsec keys, or even SSL/TLS certificates. In fact, DNS record types to do this already exist, although it is still early in the DNSSEC
deployment story, and it will take a while until these capabilities see wide use.


MS: Do people who outsource their DNS services need to worry about DNSSEC?
SH: Yes, sure. Not matter who you've outsourced your DNS services too, it should be reasonable to assume that you're also interested in protecting the integrity of your DNS data, ie. making sure that the correct answer to DNS responses are being returned to everyone. And DNSSEC is the best means we have of doing this. In these situations, folks should be asking their DNS service providers about their ability to support DNSSEC.

MS: Are there specific types of organizations that would benefit from implementing DNSSEC earlier, rather than later?
SH: As with any new technology, there is a bit of a chicken-and-egg problem in that the more widely it's used the larger the benefit everyone derives from it. However, several large DNS service providers like Google and Comcast already perform DNSSEC validation in their resolvers, so there is a growing community of users that will benefit from DNSSEC signed data.


I don't think there is a specific type or organization that would benefit earlier rather than later.  Everyone will benefit. That said, organizations that feel they have high valued domains that might be more frequently targeted by DNS based attacks should probably be motivated to deploy DNSSEC more aggressively.

I should also point out that there are two distinct but related aspects to implementing DNSSEC. The first, signing your zones is a fairly complex undertaking and takes a significant amount of careful work. The second, configuring your DNS resolvers to validate signatures from other DNSSEC-signed zones is very easy to do. If
you aren't quite ready to sign your zones yet, you can turn on validation on your resolvers much more quickly. And thereby provide a benefit to your users in terms of validating DNS data from the growing number of sites that have signed their zones.


MS: I was fortunate enough to attend Wilson Lian's paper presentation at the USENIX Security Symposium on Measuring the Practical Impact of DNSSEC
Deployment
. I was wondering if you could weigh in with your thoughts on the tradeoff between enhanced security and usability of the DNS infrastructure.

SH: That was interesting work, and it's always good to see real world measurements of deployed technology. There is a clearly a tradeoff.

Security enhanced infrastructure requires more complicated software, and existing configurations of networks may be impacted by their use. I think there is considerable good news in the paper.

A major DNSSEC deployer, Comcast, shows a statistically insignificant breakage impact from their deployment, and a small but likely growing community of users benefiting from authenticated responses.

 
DNSSEC requires networking folks to make sure that important DNS functions and the mechanisms that support them (EDNS0 support, fragmentation, TCP fallback) are allowed to work properly. To the extent that the deployment of DNSSEC causes broken middleboxes and firewalls to get upgraded, fixed, or even disappeared, that will be a net win for all users of the Internet.


MS: What level of comfort should someone have with DNS administration to attend your tutorial?

SH: My tutorial from last year was focussed on DNS generally, and included a treatment of DNSSEC in the last half. While it was well received, several attendees approached me and asked if I'd consider doing a full class focussed on DNSSEC, so that we could go into more detail. That's what I'm teaching at LISA'13.

So, attendees will need to have some prior understanding of how the DNS works at least at a high level. DNS administrators will specially
find it useful, since I'm planning to do some hands on demonstrations of setting up DNSSEC, and a substantial portion of the class will be devoted to  teaching them how to deploy it. I will also cover how DNSSEC works, from a high level, and all the way down to protocol details, and cover new prospects for application use of DNS/DNSSEC.

So a range of folks at varying levels of technical expertise should be able to get something out of the course.


MS: If someone were on the fence about taking your tutorial, what would you say to them?
SH: If you're involved in providing DNS services, and are interesting in learning how to deploy and run DNSSEC, you should consider taking my class. If you want to learn what DNSSEC is and how it works, then this class will work for you too. If you're skeptical about DNSSEC, you're welcome to attend and share your thoughts. I'll try to convince you that DNSSEC is worth your time and investment.

 

I want to thank Shumon for his time and efforts in answering my many questions. 

You can attend Shumon's Half-day DNSSEC tutorial on Sunday morning at LISA13 in Washington, DC!