Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

DNSSUX - Why DNSSEC Makes Us Weaker

via YouTube

Overview

Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Explore the complexities and potential vulnerabilities of DNSSEC in this 23-minute conference talk from Derbycon 2016. Delve into the hierarchical structure of DNS and how DNSSEC implements a Public Key Infrastructure similar to X.509 for TLS. Examine the signing process of DNS records by parent nodes in zones and understand the role of NSEC records in DNSSEC-protected names. Learn about the critical reconnaissance step of zone enumeration for malicious actors and the evolution of NSEC to NSEC3 for improved protection. Discover CloudFlare's innovative "Black Lies" and DNS Shotgun approaches to DNS security. Conclude by considering the challenges in securing DNS and the ongoing search for effective solutions in this complex domain.

Syllabus

Intro
DNSSEC specifies a Public Key Infrastructure not unlike X.509 for TLS. .
DNS is hierarchical and divided into zones
Under DNSSEC, a name's DNS records are signed by the parent node in the zone.
NSEC records for a DNSSEC protected name point at the next node in the zone.
Enumerating a zone is a critical recon step for malicious actors.
A third iteration of NSEC, NSECS provably provides protection against zone enumeration.
CloudFlare takes an interesting approach they call "Black Lies" and DNS Shotgun
Ultimately, securing DNS is a non-trivial problem and it is unclear how we will solve it.

Reviews

Start your review of DNSSUX - Why DNSSEC Makes Us Weaker

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.