2010 za con_todor_genov
Sunday 17 October 2010
Who is this guy?
Unix geek/sysadmin
Works at a yellow-branded ISP
Does a lot of DNS as a result
What is DNSSEC?
DNS + public key crypto
Implemented as an extension to current DNS protocol
What is DNSSEC good for?
Authenticating response origin
Authenticating denial of existence
Not much else
How it works (simplified)
Each zone has public/private key
All RRs are signed
Crypto signature and public key published in DNS alongside RR
A few new RRs
DNSKEY - zone public keys
- Key-signing key (KSK) - used to sign own ZSK
- Zone-signing key (ZSK) - used to sign all other RRs
RRSIG - crypto signature of RR data
DS - delegation signer
- Secure pointer to (checksum of) child KSK
NSEC and NSEC3 - authenticated denial of existence (NXDOMAIN)
RR sets
RR set - the building block of DNSSEC
RR (A, PTR, MX, NS etc) + RRSIG (crypto signature)
Vanilla DNS:
org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
DNSSEC:
org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
org. 79810 IN RRSIG NS 7 1 86400 20101015154542 20101001144542 245 org. Uy6dZ09BwvRmQHbzlK8gbflhQT1TVkEEYqrpff7W+uHn5Sz1jwqpNpIH LIgs5M6sHgURvzzdEn8C
Query validation
Query result - A, MX, NS, PTR etc
Cryptographic signature - RRSIG
Public key - DNSKEY <- Why should I trust you?
Trust anchor
A DNSKEY that we trust to be correct
Confirmed from sources other than DNS
Enables us to validate data in a specific zone
Chain of trust
Starts at a trust anchor
Can be delegated to child zones
- Name server delegation with NS records (NS RR set)
- Trust delegation with DS records (DS RR set)
Trust anchor
(Diagram: delegation tree with ROOT at the top, .COM, .ORG and .ZA below it, then google.com under .COM, insecure.org under .ORG and .CO under .ZA)
Chain of trust
As of July 2010 a trust anchor exists for the ROOT KSK
. 84500 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 84500 IN DNSKEY 256 3 8 AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
Less than 20 signed TLDs
DS
.org zone
tld.org NS ns1.tld.org
tld.org DS checksum(KSK)
tld.org zone
tld.org NS ns1.tld.org
tld.org DNSKEY KSK
Chain of trust
Delegating tld. to ns1.tld
ROOT zone
. IN DNSKEY ROOT-KSK-key (trust anchor)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
(trusted)
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
tld zone (ns1.tld - 10.10.10.5)
tld. IN DNSKEY tld-KSK
tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)
(trusted from DS in ROOT)
tld. IN DNSKEY tld-ZSK
tld. IN RRSIG DNSKEY (tld-KSK-signature)
(trusted)
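The DS a parent publishes is the "checksum of the child KSK" from the DS slide, and the chain-of-trust walk above hinges on a validator recomputing it from the DNSKEY it fetched. This is an added example, not the talk's code (the function names are mine): it derives the key tag and SHA-256 DS digest from a DNSKEY record and checks a DNSKEY against a trusted DS, using the root KSK quoted on the earlier slide as input.

```python
import base64
import hashlib
import struct

# Root KSK DNSKEY as quoted on the slides (flags 257 = KSK/SEP, protocol 3,
# algorithm 8 = RSA/SHA-256). The base64 is the slide's value with whitespace removed.
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case
    labels, each prefixed by its length, terminated by the zero-length root label.
    The root "." becomes a single zero byte."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm,
    then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except 1). RRSIG and DS
    carry this tag so a validator can pick the right DNSKEY out of an RR set."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest from RFC 4034 section 5.1.4: hash(owner name wire || DNSKEY RDATA).
    Digest type 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS RR the parent zone publishes for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds_tag, ds_alg, ds_dtype, ds_hex,
                      owner, flags, protocol, algorithm, pubkey_b64):
    """The delegation check a validator performs: recompute the DS from the child's
    DNSKEY and compare it with the DS it already trusts from the parent (or with a
    configured trust anchor). Any mismatch means the parent never vouched for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata) == ds_tag and algorithm == ds_alg
            and ds_digest(owner, rdata, ds_dtype) == ds_hex.upper())


if __name__ == "__main__":
    # For the 2010 root KSK this prints key tag 19036 and the SHA-256 digest that
    # IANA published as the root trust anchor.
    print(ds_record(".", 257, 3, 8, ROOT_KSK_B64))
```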
Caching DNS servers
Validating cache
- Performs crypto number-crunching on behalf of DNS client
- Affirms authenticity of data by setting AD bit in response
- Client session susceptible to spoofing (fake AD bit)
Non-validating cache
- Merely returns RR sets
- To ensure authenticity client must perform its own validation
Denial of existence - NSEC
NSEC record creates a chain of non-existence between RRs in a zone
C-3PO.com. IN A 10.10.10.1
C-3PO.com. IN RRSIG jDDoe/x3r#
luke.com. IN A 10.10.10.2
luke.com. IN RRSIG d<edNcd#?d
r2d2.com. IN A 10.10.10.3
r2d2.com. IN RRSIG zDsc>\dybhDe
C-3PO.com IN NSEC to luke.com.
luke.com. IN NSEC to r2d2.com.
Denial of existence - NSEC
dig doesnotexist.se NS
doesithurt.se. 7200 IN NSEC dof.se. NS RRSIG NSEC
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252 20100930031234 26215 se. XH6itihRj7u/XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO
e.g. there is nothing between doesithurt.se and dof.se
Bad idea?
Denial of existence - NSEC3
NSEC3 creates a chain of non-existence between hashes of RRs in a zone
03450ad8d88fa9bc8f22d9063328c08f52c0fa03 (hash of C-3PO.com.)
bc6ec803d77136128483bb220e449353a6a432a8 (hash of luke.com.)
f545de7360c432fcbfcfc1d80fa9b142cd359b79 (hash of r2d2.com.)
hash-of-C-3PO.com IN NSEC3 to hash-of-luke.com.
hash-of-luke.com. IN NSEC3 to hash-of-r2d2.com
NSEC3 response returns hash salt and number of iterations used
dig idontexist.org NS
Yrp8N36uMZUgWRLUi9xVMq2GylslnLD6ehEoRVecDnWxPumIPt8iXi8i oj1XrQ5k8Dg9RINp19rcuaRcecmEUedtmfIdPvGtwWSUsoWP5XiGF/nx 2/Y=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. Zaq/jsAGv/GxG/wPWgpjczhzeTdwIFLykxbxzap3lWRK16+Q64d4F31Z ady60BSEyErddv2oafewi+eE6IG7zX6QvLrXZlAE5KYD2P1SswfFf/n+ IenKtXyCfFv7q9FeOr7Ex6aqUShIPg2asL8mAWWWPxn4knRsmR9hoz/C udo=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN NSEC3 1 1 1 D399EAAB D7DM84D9Q90H2UV918MF4BGDUKR4S5NN
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN RRSIG NSEC3 7 2 86400 20101016052757 20101002042757 245 org. IZESTR/sqJI/ZDega0df557XQ6JhK42TaAhYyeR7RI3f9XD7nyULE8nk WTZv38Um/wzVFu6haBmSb4iz5TmShL1pUqlwZbQzZ7mpbxaY4iPwVfZ6 9JSSCnwaTWpg/pS17dyP+MiB4/yffaJnXiAVlTp6FNO7IFz735mD717C 4yU=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. 7KbiYKaNPtNIbTpDTAu+qcdiRrOn73qZztjEWL5/wc4HvCtp+ziIG9P1 nZ0fgBj7VFETp0P6V1+QVkjy5SoAennzEN9201v7f7e4iCPrqf/1q/k8 8cNNGvTk5/+/Me7qWEIYRUU3Dyy61rGaYZES8zAoR9TUhmubj8mIGzR+ MOE=
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN NSEC3 1 1 1 D399EAAB VAPM2EIMJPEU2R3SNRILHGU61CHOC96A NS DS RRSIG
Denial of existence - NSEC3
NSEC3 adds workload on both authoritative AND caching DNS servers
- Authoritative: Calculating NSEC3 hash of QUERY in order to return correct answer
- Caching: Calculating NSEC3 hash of QUERY in order to compare to authoritative answer
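The hashing that both sides have to do for NSEC3, as an added example that is not from the talk (the function names are mine): it computes the RFC 5155 hash with the .org parameters shown above (SHA-1, salt D399EAAB, 1 iteration) and finds which NSEC3 interval from the quoted dig answer covers a hashed query name. The query name is constructed; a full NXDOMAIN proof also needs the closest-encloser and wildcard checks, which this block does not perform.

```python
import base64
import hashlib

# The three NSEC3 records from the .org answer quoted on the slides. Field order:
# owner ttl class NSEC3 hash-alg flags iterations salt next-hashed-owner [types].
# Hash algorithm 1 is SHA-1, flags 1 is Opt-Out, salt D399EAAB, 1 extra iteration.
SAMPLE_NSEC3 = """
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN NSEC3 1 1 1 D399EAAB D7DM84D9Q90H2UV918MF4BGDUKR4S5NN
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN NSEC3 1 1 1 D399EAAB VAPM2EIMJPEU2R3SNRILHGU61CHOC96A NS DS RRSIG
"""

# Standard base32 alphabet -> base32hex (RFC 4648), the encoding NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form: lower-case labels, each length-prefixed, then a zero byte."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: H(name || salt), then H(previous || salt) `iterations`
    more times; the 20-byte SHA-1 result is rendered as 32 base32hex characters.
    Every extra iteration is one more SHA-1 for the server AND for each validator."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_nsec3(text):
    """Parse presentation-format NSEC3 RRs into dicts (the owner hash is the first label)."""
    records = []
    for line in text.strip().splitlines():
        f = line.split()
        owner_hash = f[0].split(".")[0].lower()
        records.append({
            "zone": f[0][len(owner_hash) + 1:],
            "owner": owner_hash,
            "hash_alg": int(f[4]), "flags": int(f[5]), "iterations": int(f[6]),
            "salt": f[7], "next": f[8].lower(), "types": f[9:],
        })
    return records


def hash_covered(owner, nxt, target):
    """True when target lies strictly between owner and next. The last NSEC3 in the
    chain points back to the smallest hash, so its gap wraps around the end."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt


def nsec3_lookup(qname, records):
    """Hash qname with the zone's NSEC3 parameters and report what the records say
    about it: ("exists", rr) when an owner hash matches, ("covered", rr) when a gap
    proves the name absent, (None, None) when these records say nothing about it.
    This is the interval step only; a full NXDOMAIN proof also needs the
    closest-encloser and wildcard checks of RFC 5155 section 8.4."""
    params = records[0]
    if params["hash_alg"] != 1:
        raise ValueError("unknown NSEC3 hash algorithm %d" % params["hash_alg"])
    h = nsec3_hash(qname, params["salt"], params["iterations"])
    for rr in records:
        if rr["owner"] == h:
            return "exists", rr
        if hash_covered(rr["owner"], rr["next"], h):
            return "covered", rr
    return None, None


if __name__ == "__main__":
    recs = parse_nsec3(SAMPLE_NSEC3)
    # Constructed query name (the slides used idontexist.org in the same zone).
    print(nsec3_hash("idontexist.org", "D399EAAB", 1))
    print(nsec3_lookup("idontexist.org", recs)[0])
```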
Pitfalls of DNSSEC
Zone files no longer human-modifiable
- Abstraction/automation required to publish data in DNS
ZSK and KSK lifetime expiration
- ZSK (30 days default)
- KSK (12 months default)
Requires parent (registrar) capable of DNSSEC
- zaDNA is not one of them and will not be within next 18 months
- Neither is Uniforum
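A check for the lifetime-expiration pitfall, as an added example that is not from the talk (the function names are mine): it parses RRSIG records and reports which signatures are expired or about to expire, using the two RRSIGs quoted on the earlier slides (org. and doesithurt.se.) and a constructed "now".

```python
from datetime import datetime, timezone

# The two RRSIGs quoted on the slides (the org. signature is truncated on the slide,
# as here). Field order: owner ttl class RRSIG type-covered algorithm labels
# original-ttl expiration inception key-tag signer signature.
SAMPLE_RRSIGS = """
org. 79810 IN RRSIG NS 7 1 86400 20101015154542 20101001144542 245 org. Uy6dZ09BwvRmQHbzlK8gbflhQT1TVkEEYqrpff7W+uHn5Sz1jwqpNpIH LIgs5M6sHgURvzzdEn8C
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252 20100930031234 26215 se. XH6itihRj7u/XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO
"""


def parse_rrsig_time(stamp):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one presentation-format RRSIG into a dict; the signature bytes are not needed here."""
    f = line.split()
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
    }


def rrsig_status(sig, now, warn_seconds=2 * 86400):
    """Classify a signature relative to `now`. A validating resolver rejects an RRSIG
    outside [inception, expiration] regardless of the record's TTL, so an expired
    signature turns into SERVFAIL for every client behind a validating cache."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    if (sig["expiration"] - now).total_seconds() <= warn_seconds:
        return "expiring"
    return "ok"


def check_rrsigs(text, now_stamp, warn_seconds=2 * 86400):
    """Report (owner, type covered, status, seconds until expiration) for each RRSIG.
    `now_stamp` uses the same YYYYMMDDHHmmSS UTC format as the records."""
    now = parse_rrsig_time(now_stamp)
    report = []
    for line in text.strip().splitlines():
        sig = parse_rrsig(line)
        seconds_left = int((sig["expiration"] - now).total_seconds())
        report.append((sig["owner"], sig["type_covered"],
                       rrsig_status(sig, now, warn_seconds), seconds_left))
    return report


if __name__ == "__main__":
    # Constructed "now": the day before the org. signature on the slide ran out.
    for owner, rtype, status, left in check_rrsigs(SAMPLE_RRSIGS, "20101014000000"):
        print("%-16s %-5s %-13s %d s left" % (owner, rtype, status, left))
```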
Lookaside validation (DLV)
DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain. It allows validating resolvers to validate DNSSEC-signed data from zones whose ancestors either aren't signed or don't publish Delegation Signer (DS) records for their children.
RFC5074
Requires manual DLV trust-anchor config on resolvers
https://dlv.isc.org
Useful kludge for early adopters
Already configured on at least one large ZA ISP’s caches
Workaround for zaDNA’s lack of DNSSEC
Questions?