Wednesday 24 September 14:00-14:30, Red room.
Nick Sullivan, CloudFlare
DNSSEC is a set of security extensions to DNS intended to provide a root of trust for DNS records. This paper is a summary of the state of the art in DNSSEC deployment and implementation on the Internet. We start with a description of Kaminsky's attack on DNS to motivate the need for trust in the DNS system. From here we describe some of the common arguments against DNSSEC including NSEC and NSEC3 walking and how DNSSEC can be an enabler for UDP reflection attacks. We then discuss useful extensions to DNSSEC, like DANE, and how these can be used to secure websites without trusting the certificate authority system. We also examine how far the effort has come in the decades since the technology was standardized, including adoption statistics and trends.
Nick leads the security engineering team at CloudFlare, where he is working to build a better and more secure Internet. He is a respected security expert and digital rights management pioneer, having built many of the content security mechanisms for Apple's multi-billion-dollar iTunes store. He previously worked as a security analyst at Symantec, analysing large-scale threat data. He holds an M.Sc. in cryptography, a B.Math. in pure mathematics, and is the author of over a dozen computer security patents.