Conference #195 - Thwart DNS poisoners : secure DNS with DNSSEC

Security 40 mn en_US Professional Confirmed

Conference introduction

DNS poisoning attacks are one of the major threats to the security of DNS. However, a solution was designed many years ago, DNSSEC, which is deployed on the root and all the main TLDs. Around 10% of DNS users in the world use a DNSSEC validating resolver. This is still insufficient considering the risks.

This talk will revisit the poisoning threat, then explain DNSSEC and how to use it in practice, focusing on free software, obviously.

About speaker


Stéphane Bortzmeyer is an R&D engineer specialising in Internet infrastructure, in particular DNS. He has worked on topics such as resilience, security, DoS attacks and DNSSEC, amongst many others.

Conference description

The DNS poisoning vulnerability (accepting an answer from a server other than the one queried) has been well known for many years, but it gained great fame after David Kaminsky's talks in 2008. Recent news (the interception of requests to the Google DNS servers in Turkey) has reminded us that many people are interested in altering legitimate DNS answers.

DNSSEC, the standardized solution, is widely deployed in free software such as BIND, NSD and Unbound, and of course in more specialised software such as OpenDNSSEC. The principle is to sign DNS records cryptographically. A validating resolver only needs to know the root's public key; starting from there, it can recursively validate any signed record, however many intermediate authorities lie along the way.

But DNSSEC is not only signing and validation: experience gained from using cryptography on the Internet shows that many operational issues can occur. That is why monitoring your DNS is critical.
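To make the two preceding points concrete (a resolver validating from a single root key down through any number of delegations, and monitoring catching signatures about to expire), here is an added example that is not part of the talk and not code from BIND, NSD, Unbound or OpenDNSSEC. It models the DNSSEC chain of trust in plain Python: each zone has a key pair, a parent publishes a DS record (a hash of the child's DNSKEY), and records carry RRSIGs with an expiration. Textbook RSA with small, seeded keys stands in for the real DNSSEC algorithms and is purely illustrative; the root/fr./example.fr. hierarchy and the addresses are constructed sample data.

```python
"""Toy DNSSEC chain-of-trust validator (added example, not real DNS software).

Textbook RSA with small keys stands in for real DNSSEC algorithms: never use
this for actual signing. The zone hierarchy below is constructed sample data.
"""
import hashlib
import math
import random

_rng = random.Random(2014)   # fixed seed: reproducible toy keys (not secure)
ONE_DAY = 86400


# --- minimal textbook RSA (assumption: stands in for RSASHA256 etc.) --------
def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):                      # Miller-Rabin rounds
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def keygen(bits=256):
    """Return (public_key, private_key); each is an (n, exponent) pair."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(*parts):
    # SHA-256 of the canonical form of the signed data (256 bits < n).
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")


def sign(private_key, *parts):
    n, d = private_key
    return pow(_digest(*parts), d, n)


def verify(public_key, sig, *parts):
    n, e = public_key
    return pow(sig, e, n) == _digest(*parts)


def ds_hash(public_key):
    """DS record content: a hash of the child's DNSKEY."""
    return hashlib.sha256(str(public_key).encode()).hexdigest()


# --- signed zones ------------------------------------------------------------
class Zone:
    """A signed zone: its key pair, its records and the RRSIGs over them."""

    def __init__(self, name, expiration):
        self.name, self.expiration = name, expiration   # one RRSIG expiry per zone
        self.public, self._private = keygen()
        self.records = {}                                 # (owner, type) -> (rdata, rrsig)
        # The DNSKEY RRset is itself signed by the zone key.
        self.key_sig = sign(self._private, name, "DNSKEY", self.public, expiration)

    def add(self, owner, rtype, rdata):
        self.records[(owner, rtype)] = (rdata, sign(self._private, owner, rtype, rdata, self.expiration))

    def delegate(self, child):
        """Publish the DS record that links this zone to a child zone."""
        self.add(child.name, "DS", ds_hash(child.public))


class ValidationError(Exception):
    pass


def _signed_rdata(zone, owner, rtype, now):
    rdata, sig = zone.records.get((owner, rtype), (None, None))
    if sig is None or not verify(zone.public, sig, owner, rtype, rdata, zone.expiration):
        raise ValidationError(f"bad or missing RRSIG for {owner} {rtype} in {zone.name}")
    if zone.expiration <= now:
        raise ValidationError(f"RRSIG for {owner} {rtype} in {zone.name} has expired")
    return rdata


def validate(zones, trust_anchor, name, rtype, now):
    """Validate name/rtype from the root trust anchor down; return rdata or raise."""
    labels = name.rstrip(".").split(".")
    chain = ["."] + [z for z in (".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)) if z in zones]
    parent = zones["."]
    if parent.public != trust_anchor:
        raise ValidationError("root DNSKEY does not match the configured trust anchor")
    for zname in chain[1:]:                       # one hop per delegation, any depth
        child = zones[zname]
        if _signed_rdata(parent, zname, "DS", now) != ds_hash(child.public):
            raise ValidationError(f"DNSKEY of {zname} does not match the DS in {parent.name}")
        if not verify(child.public, child.key_sig, zname, "DNSKEY", child.public, child.expiration):
            raise ValidationError(f"DNSKEY RRset of {zname} has a bad signature")
        parent = child
    return _signed_rdata(parent, name, rtype, now)


def check(zones, trust_anchor, name, rtype, now):
    """Convenience wrapper: (True, rdata) on success, (False, reason) otherwise."""
    try:
        return True, validate(zones, trust_anchor, name, rtype, now)
    except ValidationError as err:
        return False, str(err)


def expiring_signatures(zones, now, warn_days=7):
    """Supervision: zones whose RRSIGs expire within warn_days -> [(zone, days left)]."""
    return sorted((z.name, (z.expiration - now) // ONE_DAY)
                  for z in zones.values() if z.expiration - now < warn_days * ONE_DAY)


def build_example(now):
    """Constructed hierarchy root -> fr. -> example.fr. (sample data, not real zones)."""
    root, tld = Zone(".", now + 30 * ONE_DAY), Zone("fr.", now + 30 * ONE_DAY)
    site = Zone("example.fr.", now + 3 * ONE_DAY)      # signatures about to expire
    site.add("www.example.fr.", "A", "192.0.2.10")
    tld.delegate(site)
    root.delegate(tld)
    return {z.name: z for z in (root, tld, site)}, root.public   # root key = trust anchor


if __name__ == "__main__":
    now = 1_400_000_000
    zones, anchor = build_example(now)
    print(check(zones, anchor, "www.example.fr.", "A", now))
    print("expiring soon:", expiring_signatures(zones, now))
```

The validator's only configuration is the root key, exactly as in a real validating resolver; every other key is accepted solely because a signed DS in the parent vouches for it. Replacing the A record's data, substituting a different key for example.fr., or querying after the zone's signatures have expired all make `check` return `(False, reason)`, and `expiring_signatures` is the kind of supervision that would have flagged the last case before users saw SERVFAIL.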

Finally, DNSSEC can be used for purposes other than just validating DNS records: new uses are being devised for DNS, such as DANE, which lets one publish one's own certificate in the DNS in an authenticated manner, without having it signed by an independent authority.


  • Tuesday 8/7 at 09:30 | 31 SC002 - 43.632778;3.862760
