Securing The Root: A Proposal For Distributing Signing Authority

Management of the Domain Name System (DNS) root zone file is a uniquely global policy problem. For the Internet to connect everyone, the root must be coordinated and compatible. While authority over the legacy root zone file has been contentious and divisive at times, everyone agrees that the Internet should be made more secure. A newly standardized protocol, DNS Security Extensions (DNSSEC), would make the Internet's infrastructure more secure. In order to fully implement DNSSEC, the procedures for managing the DNS root must be revised. Therein lies an opportunity. In revising the root zone management procedures, we can develop a new solution that diminishes the impact of the legacy monopoly held by the U.S. government and avoids another contentious debate over unilateral U.S. control. In this paper we describe the outlines of a new system for the management of a DNSSEC-enabled root. Our proposal distributes authority over securing the root, unlike another recently suggested method, while avoiding the risks and pitfalls of an intergovernmental power sharing scheme

Evaluation of Dnssec in Microsoft Windows and Microsoft Windows Server 2008 R2

The Domain Name System (DNS) provides important name resolution services on the Internet. The DNS has been found to have security flaws which have the potential to undermine the reliability of many Internet-based systems. DNS Security Extensions (DNSSEC) offers a long-term solution these DNS security flaws. However, DNSSEC adoption has been slow because it is challenging to deploy and administer. DNSSEC has also been criticized for not being an end-toend solution. Microsoft included support for DNSSEC in its latest operating systems, Windows Server 2008 R2 and Windows 7. This thesis concluded that DNSSEC features in Windows Server 2008 R2 and Windows 7 are not fully developed and are unlikely to impact DNSSEC adoption rates

IPv6-kotiverkon liittäminen Internetin nimipalveluun

Current home networks are very simple containing only a few devices. As the number of devices connected to the home network increases, there is no reasonable way for a user to access devices using only IP addresses. Due to the exponential growth of devices connected to the Internet, the addresses of the current IP version are however soon to be depleted. A new IP version has already been implemented in the Internet, containing a very large amount of addresses compared to the current IP version. Addresses in the new IP address version are also much longer and more complicated. Therefore it is not reasonable to try to use IP addresses alone to access devices anymore. The previous facts force to implement a name service to the home network. Name service is quite similar to that used in the Internet, although the home network version should be much more automatic and user friendly. This means that users do not have to type IP addresses anymore to be able to access services, but they can use meaningful names like in the Internet. The first objective of the thesis is to examine methods to implement as automated name service as possible to the home network. Second objective is to examine connecting the home network name service to the Internet name service. Accomplishing this allows users to access services at home from the Internet. This has to be made in a secure manner to protect the integrity and authenticity of the user information. A live experiment of the thesis concentrates to the second objective of the thesis by establishing the connection and transferring the name service information between home network and the Internet name service. The study and the live experiments indicate that there is still work to be done before the two objectives can be fully accomplished. At the moment there is no convenient way to automatically name devices at home. Connecting to the Internet name service involves also quite a lot of effort, thus requiring more than basic computing skills from the user

TLS/PKI Challenges and certificate pinning techniques for IoT and M2M secure communications

Transport Layer Security is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on Public Key Infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, the article provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current Certificate Pinning solutions in order to illustrate the potential problems that should be addressed

Deploying DNSSEC in islands of security

The Domain Name System (DNS), a name resolution protocol is one of the vulnerable network protocols that has been subjected to many security attacks such as cache poisoning, denial of service and the 'Kaminsky' spoofing attack. When DNS was designed, security was not incorporated into its design. The DNS Security Extensions (DNSSEC) provides security to the name resolution process by using public key cryptosystems. Although DNSSEC has backward compatibility with unsecured zones, it only offers security to clients when communicating with security aware zones. Widespread deployment of DNSSEC is therefore necessary to secure the name resolution process and provide security to the Internet. Only a few Top Level Domains (TLD's) have deployed DNSSEC, this inherently makes it difficult for their sub-domains to implement the security extensions to the DNS. This study analyses mechanisms that can be used by domains in islands of security to deploy DNSSEC so that the name resolution process can be secured in two specific cases where either the TLD is not signed or the domain registrar is not able to support signed domains. The DNS client side mechanisms evaluated in this study include web browser plug-ins, local validating resolvers and domain look-aside validation. The results of the study show that web browser plug-ins cannot work on their own without local validating resolvers. The web browser validators, however, proved to be useful in indicating to the user whether a domain has been validated or not. Local resolvers present a more secure option for Internet users who cannot trust the communication channel between their stub resolvers and remote name servers. However, they do not provide a way of showing the user whether a domain name has been correctly validated or not. Based on the results of the tests conducted, it is recommended that local validators be used with browser validators for visibility and improved security. On the DNS server side, Domain Look-aside Validation (DLV) presents a viable alternative for organizations in islands of security like most countries in Africa where only two country code Top Level Domains (ccTLD) have deployed DNSSEC. This research recommends use of DLV by corporates to provide DNS security to both internal and external users accessing their web based services.LaTeX with hyperref packagepdfTeX-1.40.1

ROVER: a DNS-based method to detect and prevent IP hijacks

2013 Fall.Includes bibliographical references.The Border Gateway Protocol (BGP) is critical to the global internet infrastructure. Unfortunately BGP routing was designed with limited regard for security. As a result, IP route hijacking has been observed for more than 16 years. Well known incidents include a 2008 hijack of YouTube, loss of connectivity for Australia in February 2012, and an event that partially crippled Google in November 2012. Concern has been escalating as critical national infrastructure is reliant on a secure foundation for the Internet. Disruptions to military, banking, utilities, industry, and commerce can be catastrophic. In this dissertation we propose ROVER (Route Origin VERification System), a novel and practical solution for detecting and preventing origin and sub-prefix hijacks. ROVER exploits the reverse DNS for storing route origin data and provides a fail-safe, best effort approach to authentication. This approach can be used with a variety of operational models including fully dynamic in-line BGP filtering, periodically updated authenticated route filters, and real-time notifications for network operators. Our thesis is that ROVER systems can be deployed by a small number of institutions in an incremental fashion and still effectively thwart origin and sub-prefix IP hijacking despite non-participation by the majority of Autonomous System owners. We then present research results supporting this statement. We evaluate the effectiveness of ROVER using simulations on an Internet scale topology as well as with tests on real operational systems. Analyses include a study of IP hijack propagation patterns, effectiveness of various deployment models, critical mass requirements, and an examination of ROVER resilience and scalability

Cracks in the internet's foundation: the future of the internet's infrastructure and global internet governance

The foundation of the Internet is showing cracks. Central elements of the Internet's infrastructure are the result of decisions made decades ago. Since then, however, the technical context has changed dramatically, as has the political significance of the Internet. Three conflicts over the future development of the Internet infrastructure are particularly important for German policy-makers. The first is about secu­rity and privacy in the Internet’s addressing system, the so-called Domain Name System (DNS). Second, a conflict is building up over the security of the Border Gateway Protocol (BGP) - the protocol used to coordinate data traffic on the Internet. Third, the security and availability of submarine cables, which form the physical backbone of the global Internet, are proving in­creasingly problematic. If these conflicts remain unresolved, while at the same time the demands on the Internet continue to rise worldwide, the consequences for security, privacy, and economic development will be increasingly negative. Moreover, the Internet is in danger of being split, all the way to the infrastructure level. This multifaceted field of conflict demands a clear strategic approach from German policy-makers. In accordance with their own digital policy demands, they should at the same time pursue the goal of worldwide inter­operability and address the issues described within a European framework. The challenge here is to shape the further development of the Internet infra­tructure in Europe in such a way that it complements - and does not fur­ther jeopardise - the shared global foundation of the Internet. (author's abstract

DNS Resolver Testing

Tento dokument popisuje automatizaci tvorby scénářů pro nástroj Deckard, který slouží na testování rekurzivních resolverů. Tyto scénáře jsou založeny na skutečném provozu mezi prohlížečem a webovou stránkou zachyceném při načítání této stránky. Výsledný scénář je doplněn i o dotazy, které v zachyceném provoz nebyly, ale na které by se resolver mohl ptát například při minimalizaci dotazu. Na rozdíl od živého provozu by použití scénářů mělo zajistit deterministické prostředí pro testování. Reálný provoz není pro testování ideální kvůli například rotaci IP adres, rozdílnému obsahu serverů a úpravy obsahu. Scénář by měl obsahovat všechny odpovědi na dotazy, na které by se resolver mohl zeptat. S vygenerovanými scénáři můžeme porovnávat odpovědi různých implementací a verzí DNS resolveru. Můžeme tak odhalit změny v jejich chování.This paper describes automation of creating scenarios for Deckard, which is DNS resolver testing tool. Generating scenarios build on real traffic between a web browser and a web page. The scenarios consist not only of queries from that traffic but also queries the resolver might ask for, for example, with query minimization. We should get a deterministic environment as opposed to the live environment. Live environment isn't suitable for testing due to IP address rotation, different content on servers authoritative for the same zone, content modification and so on. Also, no query should remain unanswered by a scenario. With generated scenarios, we can compare responses from different resolvers and different versions of the resolvers. This gives us a way to detect changes in behavior on a stable set of data. Also, finding or testing a bug is a possibility.

Measuring Websites from a Global Perspective

Since the invention of the World Wide Web the content and services provided on the web have changed significantly. In search of cost savings governments and businesses push online services, and the web has therefore become ever more important to many people. It is therefore important to understand the performance of web page delivery, in order to improve the user experience of the web. The goal of this Master's thesis is to evaluate the network performance of web page delivery in relation to content distribution networks.We use the global measurement platform PlanetLab to perform active measurements of the performance of DNS and HTTP when downloading web pages. Domain names are resolved using iterative resolution, Google DNS, OpenDNS, and the default DNS server of measurement nodes. This enables us to asses how the choice of DNS resolver affects CDN server selection. The measurements reveal that network latency has the greatest impact on DNS resolution time and that nearby DNS servers will generally have the lowest resolution time. We developed an effective method of identifying CDNs and applied it to the measurement data. We analyze the accuracy of the DNS resolvers and determine that the use of a recursive DNS server close to the end-user typically results in server selections more similar to the optimal server selection of a CDN. However, we did not establish a relationship between resolver accuracy and HTTP performance. Finally, we compare the throughput of CDNs and observe that CDNs are likely optimized for different file sizes

Towards persistent resource identification with the uniform resource name

The exponential growth of the Internet, and the subsequent reliance on the resources it connects, has exposed a clear need for an Internet identifier which remains accessible over time. Such identifiers have been dubbed persistent identifiers owing to the promise of reliability they imply. Persistent naming systems exist at present, however it is the resolution of these systems into what Kunze, (2003) calls persistent actionable identifiers which is the focus of this work. Actionable identifiers can be thought of as identifiers which are accessible in a simple fashion such as through a web browser or through a specific application. This thesis identifies the Uniform Resource Name (URN) as an appropriate identification scheme for persistent resource naming. Evaluation of current URN systems finds that no practical means of global URN resolution is currently available. Two ,new approaches to URN resolution, unique in their use of the Domain Name System (DNS) are introduced. The proposed designs are assessed according to their Usability, Security and Evolution and an implementation described for an example URN namespace of language identifiers