[Opendnssec-develop] FYI: DNSSEC at HAR2009

Rick van Rein rick at openfortress.nl
Tue Jun 2 13:17:30 UTC 2009

Hello all,

FYI, this is our accepted submission about DNSSEC at HAR 2009,

We are very likely to mention OpenDNSSEC but, as agreed, will not
use it on our attacked servers unless we all feel good about it.


    ------- 8< ------- 8< ------- 8< ------- 8< ------- 8< -------

Title:    Cracking Internet
Subtitle: The urgency of DNSSEC


This workshop will introduce the problems with DNS that jeapardise the Internet
as a whole.  We will begin with a general discussion, and argue that the only
real solution that is ready now is DNSSEC.  We will continue with more detailed
discussions of the Kaminsky attack, and explain how to attack the machines that
we prepared for attack during HAR 2009.

Full description

We propose to present the following:

1. A general introduction into the Kaminsky attack, aimed at newcomers and
2. A detailed discussion of the Kaminsky attack.
3. A detailed discussion of DNSSEC.
4. Possibly a guided session in mounting the attack.

Aside from this, we propose to prepare a few servers available to the HAR 2009
crowd that may be freely attacked during the conference.  The servers will have
varying levels of defenses against the Kaminsky attack, but we expect them all
to break sooner or later.  We imagine these machines to be located off-site.

These presentations are a cooperative effort of:
* SURFnet, in the person of Roland van Rijswijk
* OpenFortress, in the person of Rick van Rein
SURFnet is working to roll out DNSSEC in The Netherlands.  OpenFortress provides
technical facilities to SURFnet in the area.  We cooperate with others such as
NLnet Labs, .SE and .UK in the OpenDNSSEC.org project.  We also discuss these
matters with SIDN.

One of our explicit goals is to get some media focus on this issue, so everyday
users become a more aware that virusses are not their main problem, and start
bothering their ISPs and banks about DNSSEC.  This is useful because DNSSEC has
a bit of a problem in that nobody starts using it because... nobody is using it
yet.  ISP's wait for banks to offer secure domains, banks wait for ISP's to
offer domain validation.  And of course we are all waiting for SIDN.

Our reasons for plugging DNSSEC are that it is dirty, but it works.  And it is
the only solution for DNS' leakage that actually works.

We also wrote a whitepaper and linked it, as well as attached it.


Rick (also for Roland)

More information about the Opendnssec-develop mailing list