DNS Security for CERTs
- DNS Organizational Structures & Policy -

Chris Evans
Delta Risk, LLC

7 March 2010
Overview

• Organizational Alphabet Soup
   – Policy, Standards & Governance
   – Technical Operators
• Registry Structures
• Relevant Policy Issues
Organizational Alphabet Soup

(Diagram: the organizations expanded on the following slides. ICANN with its SSAC, RSSAC, ALAC and GAC committees; IANA; ISOC; IETF; IAB; IGF; the RIRs; the ccTLD and gTLD registries; and the Root (RO), Authoritative (ASO) and Recursive (RSO) server operators.)
Organizational Alphabet Soup

• ICANN – Internet Corporation for Assigned Names
  and Numbers – coordinates the Internet’s unique identifiers
  (names and numbers) and works to ensure their stable and
  secure operation.
  – ICANN has several technical and policy committees
    which operate independently
     •   SSAC – Security and Stability Advisory Committee
     •   RSSAC – Root Server System Advisory Committee
     •   ALAC – At-Large Advisory Committee
     •   GAC – Governmental Advisory Committee
     •   ccNSO – Country Code Names Supporting Organization
     •   GNSO – Generic Names Supporting Organization
     •   ASO – Address Supporting Organization
Organizational Alphabet Soup

• IANA – Internet Assigned Numbers Authority –
  allocates and maintains unique codes and
  numbering systems; manages & publishes the root zone
• ISOC – Internet Society – global nonprofit
  supporting Internet standards, education & policy
• IETF – Internet Engineering Task Force – produces
  the engineering documents (RFCs) that describe the design,
  use and management of the Internet
• IAB – Internet Architecture Board – provides
  architectural oversight of the IETF and handles oversight & appeals
  of the Internet standards process.
• IGF – Internet Governance Forum – multi-stakeholder
  forum for discussing policy issues
Organizational Alphabet Soup

• RIR – Regional Internet Registry – allocates Internet number
  resources (IP addresses & AS numbers) within a
  geographic region
   –   ARIN
   –   RIPE NCC
   –   LACNIC
   –   AFRINIC
   –   APNIC

• gTLD – generic Top Level Domain – functions as the registry
  for unrestricted, sponsored, geographic, or commercial
  domains
• ccTLD – country code Top Level Domain – functions as the
  registry for its respective country or territory
Organizational Alphabet Soup

• RO – Root Operator – an operator of one of the 13
  named root servers (each name is served by many
  anycast instances, so “13” counts identities, not machines).
• ASO – Authoritative Server Operator – an operator
  of an authoritative name server; typically an
  enterprise’s IT department, a TLD operator, or even
  an outsourced provider. (Not to be confused with ICANN’s
  Address Supporting Organization, which shares the acronym.)
• RSO – Recursive Server Operator – an operator of a
  recursive or caching name server; can be anyone
  running DNS server software!
Organizational Alphabet Soup

• Regional TLD Organization – membership-based
  organizations supporting TLDs within a geographic
  region
   –   LACTLD – Latin America and the Caribbean
   –   CENTR – Europe
   –   AFTLD – Africa
   –   APTLD – Asia (including the Middle East) and the Pacific
• Registry – an entity given the authority to operate a
  top level domain; manages the zone and the administrative
  data behind it; typically an organization, business,
  government, university or network operations center
• Registrar – an entity accredited to register domains at
  retail within one or more TLDs; accredited by ICANN for
  gTLDs, and by the ccTLD registry itself (under its own
  policy) for ccTLDs.
Registry Structures

• Registries Come in All Shapes and Sizes
   – Structure, Technical Implementation, Goals & Policies
• “Models” Define How the Registry Operates
   – 2R vs. 3R
   – Thick vs. Thin
   – 2 vs. 3 Levels (top-level vs. second-level delegation)
Registry Structures

• Registry “2R” Model
   – Registry - Registrant
   – Registry provides direct registrations to consumers
   – Registrants request domains directly through the registry

(Diagram: Registry at the top, Registrants below it, each dealing with the registry directly.)

   • Simple model
   • Doesn’t scale without lots of work from the registry
   • Direct customer relationships
Registry Structures

• Registry “2R” Model (with resellers)
   – Registry - Registrant
   – Registry provides direct registrations to consumers
   – Registrants request domains directly through the registry or
     optionally through a direct reseller

(Diagram: Registry at the top; one Registrant deals with the registry directly, another reaches it through a Reseller.)

   • Simple model
   • Direct customer relationships
   • Offloads some “customer interface” work from the registry
     to the reseller
Registry Structures

• Registry “3R” Model
   – Registry – Registrar – Registrant
   – Registrars interface between the customer and the registry

(Diagram: Registry at the top; Registrars below it; Registrants below the registrars, some reaching a registrar through a Reseller.)

   • More stakeholders -> more policies / business models
   • Less work for the registry (automation via EPP, the
     Extensible Provisioning Protocol, RFC 5730)
   • Registry can focus on DNS services
Registry Structures

• Registries can define WHERE their customer
  administrative data resides (WHOIS)
   – Thick – the registry stores all customer data for
     registrations regardless of WHERE it originates (direct,
     registrar) and serves it from its own WHOIS
   – Thin – the registry keeps only the minimal record (name servers,
     sponsoring registrar, dates); registrars hold the contact data
     for their registrants and serve this information via their own WHOIS

(Diagram: Thick – a single TLD WHOIS fed by the registrars; Thin – the TLD WHOIS refers queries on to each registrar’s own WHOIS.)
Registry Structures

• Registries define at which level they delegate names
  to registrants – directly under the TLD, or under a
  generic second-level domain.
• Top level – delegations fall immediately under the
  top level
   – E.g. www.google.jo (the registrant holds google.jo)
• Second level – delegations fall under a generic
  domain (gov, com, edu …) that the registry itself operates
  under the top level
   – E.g. www.moict.gov.jo (the registrant holds moict.gov.jo)

• Registries can pick one or the other, or do both!
Policies

• Policies govern how registries operate, from internal
  workings to dealing with customers.
• Policies can be derived from operational necessities,
  business goals, or best practices in use by other registries
• Policies vary by registry – and vary nearly as widely as the
  registries themselves.
• It’s important for registries to define policies so that they
  respond and operate in a consistent manner
• Frequently, there is no right or wrong policy – what
  matters is that the registry has defined that policy.

           The wrong policy is NO policy…
Policy

Some Policies of Note…
Policy

• Registrant Requirements
   – This policy defines the requirements to register a
     domain with the registry; specifically addresses issues
     like residency or ownership

• Things that may restrict registrations to only local or
  national entities:
   – Desire to limit competition from foreign entities
   – Desire for nationalism
• Things that may encourage registration from foreign
  entities:
   – Access to a larger pool of customers
Policy

• Dispute Resolution
   – A controversial subject; one that is used infrequently, but
     must be defined before it’s needed!
   – Disputes may arise between potential registrants for a
     domain name – each claiming the “right” to register it –
     or between the current registrant and one that
     desires ownership of the domain

• Policy should define the notion of “ownership”, the
  process of determining “ownership”, and the process for
  arbitrating a claim of “ownership”
   – First come / first served = “ownership”
   – International trademark or copyright = “ownership”
Policy

• Registration Process
   – This policy defines how the registry accepts requests for
     registrations, validates them, and publishes them
   – Usually defined by operational necessity
         • Larger registries that process hundreds of registrations per day
           will use automated processes as much as possible
         • Smaller registries may use manual processes

• Policy should cover registrant data verification
   – Automated, multi-factor, out-of-band, etc.
   – Desire to detect and restrict malicious registrations?
   – How should the registry define “malicious”? (Tough question!)
Policy

• Information Release (WHOIS)
   – This policy defines how the registry handles “private”
     information and what information it publishes
   – The traditional approach is to publish administrative and
     technical point-of-contact information for each domain
         • BUT, some registries / registrars offer an “anonymous” (privacy or
           proxy) registration service which publishes “empty” or generic
           information instead
   – This may be governed by local, national, or
     organizational privacy policies.

• This policy should cover what information can be
  published, to whom & where, how the policy is
  conveyed to registrants, and what to release to law
  enforcement or government agencies.
Policy

• Pricing / Funding Model
   – This policy defines how much domain registrations, their
     renewal, transfer or other “actions” cost.
   – Additional or value-added services may also be defined

• This policy should address costs to registrants,
  registrars and resellers accordingly and is likely defined
  by the registry’s business model.
   – Registries set their own prices, from free to $$$$
   – Some registries are funded by their governments, some are
     non-profits, some are for-profit corporations.
   – Competition with gTLDs (e.g. .COM) may drive pricing
     decisions
   – Prices may be different for local and foreign registrants, for
     resellers, and for registrars
Policy

• Permissible Registrations
   – This policy defines what domain names may be
     registered

• Factors affecting “permissible” registrations:
   – Religion & Culture – some names may be offensive
   – Technical – some characters are disallowed by the RFCs
     (hostname labels are letters, digits and hyphens, 1-63 octets,
     no leading or trailing hyphen, per RFC 1035 / RFC 1123),
     or some may not be allowed by the registry system
   – Operational – Internationalized Domain Names (IDNs) may not be
     supported
   – Business – some names may be restricted based on
     international trademarks or intellectual property
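The following Python program is added here as an illustration and is not part of the original slides. It checks a requested name against two of the constraints discussed above at once: the RFC 1035 / RFC 1123 label syntax from the “Technical” factor, and the delegation model from the Registry Structures slide (top level, second level, or both). The .jo policy values it uses (generic second-level labels gov, com, edu, org; reserved labels nic and whois) are constructed assumptions for the example, not the actual .jo registry’s rules.

```python
"""Registrability check: RFC 1035/1123 label syntax plus the registry's
delegation model (top level, second level, or both).
Added example; the .jo policy values below are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

# Hostname label rule (RFC 1035 / RFC 1123): letters, digits and hyphen,
# 1-63 octets, no leading or trailing hyphen. Names are lowercased first.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class DelegationPolicy:
    tld: str
    allow_top_level: bool = True                 # google.jo style
    generic_second_level: FrozenSet[str] = field(default_factory=frozenset)  # gov, com, ... (moict.gov.jo style)
    reserved: FrozenSet[str] = field(default_factory=frozenset)              # labels the registry keeps
    allow_idn: bool = False                      # accept xn-- A-labels?


def check_label(label: str) -> Optional[str]:
    """None if the label is well formed, otherwise the reason it is not."""
    if not label.isascii():
        return f"label {label!r} is not ASCII (an IDN must be submitted as an xn-- A-label)"
    if not LABEL_RE.match(label):
        return f"label {label!r} violates the LDH rule or the 1-63 octet length"
    return None


def is_registrable(name: str, policy: DelegationPolicy) -> Tuple[bool, str]:
    """Decide whether `name` is something this registry would register.

    The registry only registers the label immediately under its delegation
    point; anything deeper belongs to the registrant, not the registry.
    """
    name = name.strip().rstrip(".").lower()
    if len(name) > 253:
        return False, "name exceeds 253 octets"
    labels = name.split(".")
    if labels[-1] != policy.tld:
        return False, f"not under .{policy.tld}"
    if len(labels) < 2:
        return False, "no label to register"
    for lab in labels[:-1]:
        reason = check_label(lab)
        if reason:
            return False, reason
        if lab.startswith("xn--") and not policy.allow_idn:
            return False, f"IDN label {lab!r} not supported by this registry"
    if len(labels) == 2:                         # <label>.<tld>
        label = labels[0]
        if not policy.allow_top_level:
            return False, "registry only delegates under its generic second-level domains"
        if label in policy.reserved or label in policy.generic_second_level:
            return False, f"{label!r} is reserved by the registry"
        return True, "top-level delegation"
    if len(labels) == 3:                         # <label>.<generic>.<tld>
        label, generic = labels[0], labels[1]
        if generic not in policy.generic_second_level:
            return False, f"{generic}.{policy.tld} is not a registry-operated second-level domain"
        if label in policy.reserved:
            return False, f"{label!r} is reserved by the registry"
        return True, f"second-level delegation under {generic}.{policy.tld}"
    return False, "the registry does not register names below a registrant's delegation"


# Constructed policies for the .jo examples on the slides (assumptions, not .jo's real rules).
JO_TOP_ONLY = DelegationPolicy(tld="jo")
JO_BOTH = DelegationPolicy(
    tld="jo",
    generic_second_level=frozenset({"gov", "com", "edu", "org"}),
    reserved=frozenset({"nic", "whois"}),
)
JO_SECOND_ONLY = DelegationPolicy(
    tld="jo", allow_top_level=False, generic_second_level=frozenset({"gov", "com"})
)

if __name__ == "__main__":
    for name in ["google.jo", "moict.gov.jo", "www.google.jo", "gov.jo",
                 "-bad.jo", "exa_mple.jo", "bücher.jo"]:
        print(f"{name:16} top-only={is_registrable(name, JO_TOP_ONLY)}  both={is_registrable(name, JO_BOTH)}")
```

Note that www.google.jo is rejected under every policy: the registry registers google.jo, and www is the registrant’s own subdomain, which is exactly the distinction the delegation-level slide draws. A registry that accepts IDNs would set allow_idn and additionally validate the U-label under the IDNA rules before accepting the xn-- form.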
Policy

• Takedown
   – A very controversial topic; this defines how the registry may
     temporarily or permanently deactivate a registration
   – More importantly, under what circumstances it may do so.

• Policy should account for:
   –   Business concerns / loss of revenue
   –   Upset customers?
   –   Malicious use (what is malicious?)
   –   Legality of denying freedom of speech
   –   Fallout of not following a government / law enforcement
       order
A Hypothetical Example

Let’s take the simple example of a registration made for the
   purpose of conducting a phishing attack.
• The domain name closely resembles that used by an
   international bank
• The registrant provides a fake name and address for
   registration
• The registrant uses the domain to propagate a phishing
   attack, soliciting bank customers for their usernames and
   passwords.

Who’s responsible and who’s accountable?
   • The malicious registrant? How do you find him?
   • The registry? They didn’t validate the registrant – but they
     process 5,000 registrations a day
   • The bank? They didn’t educate their customers on phishing
     attacks
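One concrete form of the “detect and restrict malicious registrations” check from the Registration Process slide, applied to the lookalike-domain scenario above. This is an added Python example, not code from the original slides: it screens requested second-level labels against a list of protected names by folding common confusable characters, testing for an embedded brand string, and measuring edit distance, then holds suspicious requests for review instead of publishing them. The protected name examplebank and the candidate labels are constructed for the example.

```python
"""Lookalike screening for new registrations against protected names.
Added example; protected names and candidate labels are constructed."""
import re
from typing import List, Tuple

# Substitutions a phisher uses so a brand name passes an exact-match filter.
# Multi-character confusables are folded before single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def normalize(label: str) -> str:
    """Lowercase, drop separators and fold confusables: 'Exarnp1e-Bank' -> 'examplebank'."""
    s = re.sub(r"[-_.]", "", label.lower())
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_flags(candidate: str, protected: List[str]) -> List[str]:
    """Reasons a requested second-level label resembles a protected name ([] if none)."""
    flags = []
    cand = normalize(candidate)
    for brand in protected:
        b = normalize(brand)
        if cand == b:
            flags.append(f"identical to {brand} after confusable folding")
        elif b in cand:
            flags.append(f"embeds {brand} (normalized form {cand!r})")
        else:
            d = levenshtein(cand, b)
            if d <= max(1, len(b) // 5):            # roughly one edit per five characters of the brand
                flags.append(f"within {d} edit(s) of {brand}")
    return flags


def screen_registrations(requests: List[str], protected: List[str]) -> Tuple[list, list]:
    """Split a batch of requested labels into (clean, held_for_review)."""
    clean, held = [], []
    for label in requests:
        flags = lookalike_flags(label, protected)
        (held if flags else clean).append((label, flags))
    return clean, held


PROTECTED = ["examplebank"]   # constructed list of names the registry protects

if __name__ == "__main__":
    batch = ["weather", "exarnp1ebank", "examplebank-login", "examplebonk", "examplebnak"]
    clean, held = screen_registrations(batch, PROTECTED)
    for label, flags in held:
        print(f"HOLD {label}: {'; '.join(flags)}")
    for label, _ in clean:
        print(f"OK   {label}")
```

The check answers only the narrow “does this resemble a protected name?” question; whether a hit is actually malicious is still the policy decision the slides leave open. Short protected names make the embedding and edit-distance tests fire on ordinary words, so the hold list needs a human reviewer and a defined appeal path rather than an automatic refusal, and the protected list itself needs a policy for who may add names to it.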
Take Aways

• The DNS operationally is simple; organizationally,
  it’s a much different story – there are many (widely
  varying) stakeholders involved

• Policies define how registries operate, but are
  frequently ill-defined and untested

• Unlike the traditional network security world, which
  has CERTs and NOCs focusing on operating systems
  and applications, the DNS has no equivalent
  structure for focusing on security
Review

• DNS Organizations
   – ICANN, IANA, RIR, IGF, … ABC, XYZ…
• Registry Structures
   – 2R vs. 3R
   – Thick vs. Thin
   – Top vs. Second Level Domains
• Policies
   – Registrations, Dispute Resolution, Price, Takedown …
Questions?