
Securing the DNS, one zone at a time

In real life, if you want to talk to your bank, you look up their phone number in the white pages and call them *knowing* it is your bank. Why do you trust the phone number? Because it came from a trusted source - the white pages.

If you want to visit your bank's website, your browser looks up their IP address in the DNS. Why do you trust the IP address? You can't. The IP address has normally come across an unauthenticated link via an assortment of third-party servers, and you can only hope that it actually came from your bank's DNS server.

To work around this, we use SSL certificates with HTTPS to establish encrypted connections to web servers and hopefully determine some form of trust. But since a lot of sites have expired certs, snake oil certs or other brokenness, this obviously doesn't work. Besides, how many end users actually check those certificates?

This talk will discuss aspects of making the DNS secure and trustworthy, such as DNSSEC, NSEC, NSEC3, TSIG and a bunch of other obscure names that I will hopefully explain. It will also highlight some of the outstanding issues.

Project: DNS 


Andrew Ruthven

Andrew has worked with the DNS system for many years, both at New Zealand's first commercial ISP and now for Catalyst IT Limited, as a member of the team that maintains the .nz name servers and maintains and develops the software that runs the .nz registry. Andrew has contributed to a number of open source projects and is proud to work for Catalyst IT - the largest OSS company in Australasia.


© 2007 MEL8OURNE LCA2008 and Linux Australia | Linux is a registered trademark of Linus Torvalds
