DNSSEC - The Key to Zero Trust Architectures (..and IoT security)
1 Oct 2021
"Zero trust is a response to enterprise network trends that include
remote users, bring your own device (BYOD), and cloud-based assets..."
(From NIST SP 800-207).
Zero trust architecture (ZTA) requires authentication and authorization for
all such assets (also from NIST SP 800-207).
The one common infrastructure that all these devices and assets
connect to is the DNS.
This makes DNS secured with DNSSEC the perfect source for the enterprise-owned
and enterprise-controlled key material used to authenticate and authorize
all cloud-based assets and BYOD devices, or the basis on which that key material is distributed.
Existing DNSSEC examples include secure email (server-to-server and end-to-end)
and remote access (e.g., SSH), in addition to protecting application
data communicated via the DNS (e.g., MX, SPF, DKIM, DMARC, Outlook server
asset identification, ownership proof, web sites).
DNSSEC is mature and globally well established,
and it ensures that data it signs cannot be modified without detection by
validating resolvers, not even by a compromised cloud-based asset.
DNS security is key in zero trust architecture
4 Oct 2021
Example: Lessons learned from the 4 Oct 2021 Facebook BGP/DNS Catastrophe
All of facebook.com's nameservers are behind the same ASN, AS32934 (see below). This is contrary to old, well-established best practice for hosting a domain name, which says nameservers should be distributed across disparate networks in addition to the ones you control. (The contact email should also not rely on the network and/or domain name it is supporting, so "email@example.com" as shown in the whois record is also a bad choice. How can I contact you to tell you your net is down?)
What could possibly be the reason for an organization as large and profitable as this not to follow best practice? Security concerns and a lack of trust in other parties (in this case, providers of secondary DNS service) might be a valid reason. But having even one of their nameservers hosted elsewhere would have avoided the 7-hour worldwide catastrophe.
If Facebook had deployed DNSSEC, it could have had its DNS information widely distributed AND protected across multiple ASNs and operators. The application of DNSSEC here is a perfect example of Zero Trust Architecture and its principles.
$ dig ns facebook.com
; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> ns facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64638
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1480
;; QUESTION SECTION:
;facebook.com. IN NS
;; ANSWER SECTION:
facebook.com. 166114 IN NS a.ns.facebook.com.
facebook.com. 166114 IN NS b.ns.facebook.com.
facebook.com. 166114 IN NS c.ns.facebook.com.
facebook.com. 166114 IN NS d.ns.facebook.com.
;; ADDITIONAL SECTION:
a.ns.facebook.com. 166114 IN AAAA 2a03:2880:f0fc:c:face:b00c:0:35
a.ns.facebook.com. 166114 IN A 188.8.131.52 (AS32934)
b.ns.facebook.com. 166114 IN AAAA 2a03:2880:f0fd:c:face:b00c:0:35
b.ns.facebook.com. 166114 IN A 184.108.40.206
c.ns.facebook.com. 166114 IN AAAA 2a03:2880:f1fc:c:face:b00c:0:35
c.ns.facebook.com. 166114 IN A 220.127.116.11 (AS32934)
d.ns.facebook.com. 166114 IN AAAA 2a03:2880:f1fd:c:face:b00c:0:35
d.ns.facebook.com. 166114 IN A 18.104.22.168
$ whois facebook.com
Updated Date: 2021-09-22T19:33:41Z
Creation Date: 1997-03-29T05:00:00Z
Registrar Registration Expiration Date: 2030-03-30T04:00:00Z
Registrar: RegistrarSafe, LLC
Registrar IANA ID: 3237
Registrar Abuse Contact Email: firstname.lastname@example.org
Registrar Abuse Contact Phone: +1.6503087004
Domain Status: clientDeleteProhibited https://www.icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://www.icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://www.icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://www.icann.org/epp#serverUpdateProhibited
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Facebook, Inc.
Registrant Street: 1601 Willow Rd
Registrant City: Menlo Park
Registrant State/Province: CA
Registrant Postal Code: 94025
Registrant Country: US
Registrant Phone: +1.6505434800
Registrant Phone Ext:
Registrant Fax: +1.6505434800
Registrant Fax Ext:
Registrant Email: email@example.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Facebook, Inc.
Admin Street: 1601 Willow Rd
Admin City: Menlo Park
Admin State/Province: CA
Admin Postal Code: 94025
Admin Country: US
Admin Phone: +1.6505434800
Admin Phone Ext:
Admin Fax: +1.6505434800
Admin Fax Ext:
Admin Email: firstname.lastname@example.org
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Facebook, Inc.
Tech Street: 1601 Willow Rd
Tech City: Menlo Park
Tech State/Province: CA
Tech Postal Code: 94025
Tech Country: US
Tech Phone: +1.6505434800
Tech Phone Ext:
Tech Fax: +1.6505434800
Tech Fax Ext:
Tech Email: email@example.com
Name Server: C.NS.FACEBOOK.COM
Name Server: B.NS.FACEBOOK.COM
Name Server: A.NS.FACEBOOK.COM
Name Server: D.NS.FACEBOOK.COM
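The three checks argued above (are all nameservers behind one ASN, are they all in-bailiwick so that the zone depends on its own glue, and does the contact mailbox depend on the zone it supports) can be scripted. The following Python is an added example, not code from the original post. It parses dig-style output and uses a constructed prefix-to-ASN table (documentation ASNs AS64496/AS64497 and documentation address ranges); a real audit would take that mapping from BGP or RIR data, which is an assumption here, not something the page provides. The sample dig excerpts for example.com are likewise constructed to mirror the facebook.com layout shown above.

```python
# Added example (not part of the original post): audit the nameserver
# distribution and contact-address points made above.
import ipaddress
import re
from collections import defaultdict

# Constructed prefix -> ASN table. AS64496/AS64497 are documentation ASNs and
# the prefixes are documentation ranges; a real audit would source this
# mapping from BGP/RIR data (assumption, not page data).
ASN_TABLE = {
    "2001:db8::/32": "AS64496",
    "198.51.100.0/24": "AS64496",
    "203.0.113.0/24": "AS64497",
}
_NETS = [(ipaddress.ip_network(p), asn) for p, asn in ASN_TABLE.items()]

def lookup_asn(addr):
    """ASN owning addr according to ASN_TABLE, or None when unknown."""
    ip = ipaddress.ip_address(addr)
    for net, asn in _NETS:
        if ip in net:  # membership is False across address families
            return asn
    return None

# dig-style record line: owner TTL IN TYPE RDATA (trailing annotations ignored)
RR_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)")

def parse_dig(text):
    """Return (nameservers, addresses); addresses maps host -> [ip, ...]."""
    nameservers, addresses = [], defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # ';;' comments, blank lines, other record types
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            nameservers.append(rdata.rstrip("."))
        else:
            addresses[owner].append(rdata)
    return nameservers, dict(addresses)

def asn_groups(nameservers, addresses, lookup=lookup_asn):
    """Group nameservers by the ASN of their addresses (None = unknown)."""
    groups = defaultdict(set)
    for ns in nameservers:
        for ip in addresses.get(ns, []):
            groups[lookup(ip)].add(ns)
    return {asn: sorted(hosts) for asn, hosts in groups.items()}

def single_asn(nameservers, addresses, lookup=lookup_asn):
    """True when every resolvable nameserver sits behind one ASN."""
    known = [asn for asn in asn_groups(nameservers, addresses, lookup) if asn]
    return len(known) <= 1

def in_bailiwick(zone, nameservers):
    """Nameservers named under the zone they serve (depend on its own glue)."""
    zone = zone.rstrip(".").lower()
    return [ns for ns in nameservers if ns.lower().endswith("." + zone)]

def contact_depends_on_zone(zone, email):
    """True when the contact mailbox is hosted under the zone it should support."""
    zone = zone.rstrip(".").lower()
    domain = email.rsplit("@", 1)[-1].lower()
    return domain == zone or domain.endswith("." + zone)

# Constructed dig excerpt: all nameservers in-bailiwick, all addresses in AS64496.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.com.            166114  IN  NS    a.ns.example.com.
example.com.            166114  IN  NS    b.ns.example.com.
;; ADDITIONAL SECTION:
a.ns.example.com.       166114  IN  AAAA  2001:db8:1::53
a.ns.example.com.       166114  IN  A     198.51.100.10
b.ns.example.com.       166114  IN  AAAA  2001:db8:2::53
b.ns.example.com.       166114  IN  A     198.51.100.11
"""
# Constructed out-of-bailiwick secondary hosted by a different operator.
EXTERNAL_SECONDARY = """\
example.com.            166114  IN  NS    ns1.secondary.example.
ns1.secondary.example.  166114  IN  A     203.0.113.53
"""

if __name__ == "__main__":
    ns, addrs = parse_dig(SAMPLE_DIG)
    print("ASN groups:", asn_groups(ns, addrs))
    print("single ASN:", single_asn(ns, addrs))
    print("all in-bailiwick:", in_bailiwick("example.com", ns) == ns)
    print("contact depends on zone:",
          contact_depends_on_zone("example.com", "hostmaster@example.com"))
    ns2, addrs2 = parse_dig(SAMPLE_DIG + EXTERNAL_SECONDARY)
    print("single ASN with external secondary:", single_asn(ns2, addrs2))
```

Feed it the output of `dig ns <zone>` plus the glue from the additional section; a result of `single_asn` True together with every nameserver in-bailiwick is exactly the layout shown for facebook.com above. With the zone DNSSEC-signed, the external secondary that flips `single_asn` to False can be operated by a party you do not otherwise trust, since validators reject any answer it alters.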