Menu
Home
About
Contact


About

Department C Incorporated (DCI) is an engineering research and development company with over 4 decades of engineering, business, and policy experience in the networking and Internet arena. It develops innovative networking products, solutions, and intellectual property. Expertise includes WiFi, embedded systems, IoT, NFC Tags, PKI, secure email, HSM design, protocols: LDAP, TCP/IP, DNS, IPX, Q.921/931, H.323, X.509, DECNET, X.25, UUCP, MEP2, BiSync, SNA/SDLC. DNSSEC, NAT, (more)

iy3xk ftc9ky

Copyright © 2021-2022 Department C Incorporated

Today's Spotlight:

DNSSEC - The Key to Zero Trust Architectures

DNSSEC - The Key to Zero Trust Architectures (..and IoT security)

1 Oct 2021
"Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets..." (From NIST SP 800-207 [1]). Zero trust architecture (ZTA) requires authentication and authorization for all such assets (also from [1]). The one common infrastructure that all these devices and assets connect to is the DNS. This makes DNS secured with DNSSEC the perfect source for the enterprise owned and controlled key material used to authenticate and authorize all cloud-based assets and BYODs or be the basis for them.

Existing DNSSEC examples include secure email (server and end-to-end), remote access (e.g., SSH), in addition to protecting application data communicated via the DNS (e.g., MX, SPF, DKIM, DMARC, outlook server configs, asset identification, ownership proof, web sites). DNSSEC is mature and globally well established and ensures no one can modify data secured by it, not even a compromised cloud-based asset.
DNS security is key in zero trust architecture

4 Oct 2021
Example: Lessons learned from the 4 Oct 2021 Facebook BGP/DNS Catastrophe

  • All of facebook.com's nameservers are behind the same ASN AS32934 (see below). This is contrary to old, well established best practices for hosting a domain name which say nameservers should be distributed across disparate networks in addition to the ones you control. (The contact email should also not rely on the network and/or domain name it is supporting. So "domain@fb.com" as shown in the whois record is also a bad choice. How can I contact you to tell you your net is down?)
  • What could possibly be the reason for an organization as large and profitable as this to not follow best practice? Security and lack of trust in other parties providing, in this case secondary DNS service, might be a valid reason. But having even one of their nameservers hosted elsewhere would have avoided the 7 hour worldwide catastrophe.
  • If facebook would have had DNSSEC, they could have had their DNS information widely distributed AND protected across multiple ASN's and operators. The application of DNSSEC here is a perfect example of Zero Trust Architecture and its principles.



[1] NIST SP 800-207 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Copyright © 2021 ZX Communications Incorporated. info@zxcominc.com