dnssec
TRANSCRIPT
![Page 1: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/1.jpg)
DNS and Security
Julien Pivotto
RMLL Security Track, July 5th, 2016
![Page 2: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/2.jpg)
whois Julien Pivotto
• Sysadmin at inuits.eu
• From small to large scale orgs
• Automation & Monitoring
• @roidelapluie on irc/twitter/github
![Page 3: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/3.jpg)
inuits.eu
![Page 4: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/4.jpg)
DNS
![Page 5: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/5.jpg)
What is DNS?
• TL;DR: translates domain names to IP addresses
• In fact, it stores much more data than IP addresses
![Page 6: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/6.jpg)
How it works
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License
https://www.flickr.com/photos/frans16611/6139595092
![Page 7: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/7.jpg)
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License. Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
![Page 8: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/8.jpg)
![Page 9: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/9.jpg)
![Page 10: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/10.jpg)
![Page 11: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/11.jpg)
![Page 12: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/12.jpg)
DNS is mission-critical
• Holds IP addresses
• Holds service definitions
• Holds hostnames, TXT records
![Page 13: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/13.jpg)
DNS practices
• Do not mix authoritative and recursive servers
• Mix your DNS server "brands" (one implementation bug should not take down every server)
• Hide your DNS masters (only slaves answer queries from the Internet)
• Do not invent new TLDs
![Page 14: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/14.jpg)
Data stored in DNS
• A records: IP addresses
• CNAME: canonical names
• SRV: service records
• MX: mail servers
• TXT: text records
![Page 15: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/15.jpg)
SRV records
_xmpp-client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.
(fields: priority 0, weight 5, port 5222, target host)
![Page 16: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/16.jpg)
TXT Records
• SPF record: Sender Policy Framework
• DKIM
• Keybase.io
• Let's Encrypt DNS challenge
![Page 17: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/17.jpg)
Not secure by design
• 1983
• Designed for scale, not security
• DNSSEC work started in the late 1990s (RFC 2065, 1997); the specifications in use today date from 2005
![Page 18: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/18.jpg)
DNSSec
• 2005: the DNSSEC RFCs used today (RFC 4033-4035)
• DNSSEC reached the DNS root in July 2010
• The RFCs have gone through multiple iterations (NSEC3, new algorithms)
![Page 19: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/19.jpg)
The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System.
RFC 4033
![Page 20: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/20.jpg)
What is DNSSec?
• Proof of origin and integrity of DNS data
• Signing of zones and records
• Proof of non-existence (authenticated denial of a name or a record type)
• No confidentiality: records and signatures still travel in the clear
![Page 21: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/21.jpg)
Two types of keys
• ZSK: Zone Signing Key
• KSK: Key Signing Key
![Page 22: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/22.jpg)
Zone Signing Key
• Private/public key pair
• Signs the records of the zone
• e.g. signs the A records, the MX records …
• Rolled frequently (it is the key the signer uses day to day, so it can be smaller and short-lived)
![Page 23: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/23.jpg)
Key Signing Key
• Private/public key pair
• Signs the ZSK (more precisely, the zone's DNSKEY RRset)
• Designed to be stronger than the ZSK
• Its fingerprint is published as a DS record in the parent zone; that DS is what chains the zone to the root
![Page 24: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/24.jpg)
DNSSEC record types
• RRSIG: signature over an RRset
• DNSKEY: public key (ZSK or KSK)
• DS: hash of a DNSKEY, held by the parent zone (Delegation Signer)
![Page 25: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/25.jpg)
DNSSEC record types
• NSEC: Next Secure
• Points to the next existing name in the zone (canonical order) and lists the record types present at the current name
• Returned, signed, when the queried name or type does not exist: this is the proof of non-existence
• NSEC/NSEC3 records are signed like any other record
• NSEC3 hashes the owner names, which makes zone walking harder (plain NSEC chains can be walked trivially; NSEC3 hashes can still be brute-forced offline, so it raises the cost rather than preventing enumeration)
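To make the NSEC3 point concrete, here is an added example written for this page (not code from the talk, from BIND or from any other project). It implements the RFC 5155 owner-name hash, checks it against the parameters of the RFC's own example zone (zone "example", salt aabbccdd, 12 iterations), and then runs the kind of offline dictionary attack that turns hashed NSEC3 owner names back into hostnames. The zone contents and the wordlist are constructed for the demo.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) and an offline dictionary attack on it.

Added example for this page: not code from the talk, BIND or any other project.
"""
import base64
import hashlib

# NSEC3 owner names use the RFC 4648 "base32hex" alphabet; Python's b32encode uses the
# standard alphabet, so translate between the two.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt); result is IH(iterations), base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def crack_nsec3(owner_hashes, zone: str, salt: bytes, iterations: int, wordlist) -> dict:
    """Recover names behind NSEC3 owner hashes by hashing guesses: the apex plus each word under the zone.

    Every guess costs iterations+1 SHA-1 calls, nothing more: NSEC3 raises the price of zone
    walking, it does not prevent it.
    """
    recovered = {}
    for candidate in [zone] + [f"{word}.{zone}" for word in wordlist]:
        h = nsec3_hash(candidate, salt, iterations)
        if h in owner_hashes:
            recovered[h] = candidate
    return recovered


# Parameters of the RFC 5155 Appendix A example zone (NSEC3PARAM 1 0 12 aabbccdd).
RFC5155_ZONE = "example"
RFC5155_SALT = bytes.fromhex("aabbccdd")
RFC5155_ITERATIONS = 12

# Constructed zone contents for the demo (not a real zone); an attacker only sees the hashes.
ZONE_NAMES = ["example", "a.example", "ns1.example", "www.example", "s3cret-backup.example"]
OWNER_HASHES = {nsec3_hash(n, RFC5155_SALT, RFC5155_ITERATIONS) for n in ZONE_NAMES}
# Constructed wordlist of common labels; it deliberately lacks the "secret" one.
WORDLIST = ["a", "ns1", "www", "mail", "vpn", "admin"]


if __name__ == "__main__":
    print("apex hash:", nsec3_hash(RFC5155_ZONE, RFC5155_SALT, RFC5155_ITERATIONS))
    found = crack_nsec3(OWNER_HASHES, RFC5155_ZONE, RFC5155_SALT, RFC5155_ITERATIONS, WORDLIST)
    for h, name in sorted(found.items()):
        print(f"{h}  ->  {name}")
```

Run as a script it prints the apex hash from the RFC (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom) and recovers four of the five names; only the label absent from the wordlist stays hidden, which is exactly the guarantee NSEC3 gives: enumeration costs one hash chain per guess instead of one query per name.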
![Page 26: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/26.jpg)
In Practice
![Page 27: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/27.jpg)
Bind
• Reference DNS server
• Developed by the Internet Systems Consortium
• Current version: bind9
• The bind10 project has been abandoned
![Page 28: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/28.jpg)
Bind features
• Supports everything
• Recursive and authoritative
• Dynamic updates
• DNSSec
![Page 29: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/29.jpg)
Bind and DNSSec
• Full support + NSEC3
• Manual signing
• Automated signing
• DNSSec and dynamic zones
![Page 30: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/30.jpg)
Generating keys
mkdir /etc/bind/keys
cd /etc/bind/keys
dnssec-keygen rmll.example
dnssec-keygen -f KSK rmll.example
(Without -f the tool produces a ZSK, flags 256; -f KSK sets the KSK flag, 257. Both calls write a K<zone>+<alg>+<keytag>.key/.private pair into the current directory.)
![Page 31: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/31.jpg)
Generating keys
dnssec-keygen -a NSEC3RSASHA1 -b 2048 rmll.example
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -f KSK rmll.example
(NSEC3RSASHA1 is algorithm 7 and SHA-1 based; today prefer RSASHA256, algorithm 8, or ECDSAP256SHA256, algorithm 13. NSEC3 is a property of how the zone is signed, not of the key algorithm: any algorithm from 7 upwards works with NSEC3. The DS records on the next slide show algorithm 8, so they were not derived from these SHA-1 keys.)
![Page 32: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/32.jpg)
Generating DS records
dnssec-dsfromkey -f /var/bind/rmll.example -K /etc/bind/keys/ rmll.example
rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8
rmll.example. IN DS 18025 8 2 522D8EA3287FFF41186169A30
(Fields: key tag 18025, algorithm 8 = RSASHA256, digest type 1 = SHA-1 or 2 = SHA-256, then the digest. The digests are truncated on the slide: a full SHA-1 digest is 40 hex characters and a SHA-256 digest 64. Only the KSK's DS is sent to the parent zone, usually through the registrar; publish the SHA-256 one.)
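The following is an added example, written for this page rather than taken from the talk or from ISC's tools, showing what dnssec-dsfromkey computes from a DNSKEY: the RFC 4034 key tag and the DS digest over the canonical owner name followed by the DNSKEY RDATA. The KSK in it is constructed (flags 257, algorithm 13, 64 arbitrary bytes standing in for a P-256 public key); it is not a real key.

```python
"""DS record derivation from a DNSKEY: key tag (RFC 4034 Appendix B) and digest (RFC 4034 section 5.1.4).

Added example for this page showing what dnssec-dsfromkey computes; not ISC code.
"""
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminated by the root label (0x00)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (256 = ZSK, 257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; valid for every algorithm except the obsolete RSA/MD5 (1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RR in presentation format; digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_TYPES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]  # third RDATA field, after the 2-byte flags and 1-byte protocol
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed KSK for the demo: flags 257, algorithm 13 (ECDSAP256SHA256), whose public key is a
# 64-byte P-256 point. These 64 bytes are arbitrary, not a real key.
DEMO_PUBLIC_KEY = hashlib.sha512(b"constructed demo key, not a real key").digest()
DEMO_KSK_RDATA = dnskey_rdata(257, 13, DEMO_PUBLIC_KEY)


if __name__ == "__main__":
    for digest_type in (1, 2):  # the two lines dnssec-dsfromkey prints by default
        print(ds_record("rmll.example", DEMO_KSK_RDATA, digest_type))
```

The owner name is lowercased before hashing, so the DS is the same however the name was typed in the zone file; the ZSK never gets a DS because the KSK's RRSIG over the DNSKEY RRset already vouches for it.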
![Page 33: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/33.jpg)
Enable DNSSec in bind
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
(These are resolver-side settings: an authoritative server serves its signatures regardless. With dnssec-validation yes, trust anchors must be configured explicitly; dnssec-validation auto uses BIND's built-in root trust anchor and is what a recursive resolver normally wants. Newer BIND 9 releases have dropped dnssec-enable, signed zones are always served.)
![Page 34: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/34.jpg)
Enable DNSSec for a zone: manually signed
zone "rmll.example" IN {
    type master;
    file "rmll.example.zone.signed";
};
![Page 35: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/35.jpg)
Enable DNSSec for a zone: auto signing
zone "rmll.example" IN {
    type master;
    file "rmll.example.zone";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;
    inline-signing yes;
};
(auto-dnssec maintain re-signs the zone and rolls keys according to the timing metadata stored in the key files; inline-signing leaves the unsigned zone file untouched and serves a signed copy kept next to it. Newer BIND 9 releases replace auto-dnssec with the dnssec-policy statement.)
![Page 36: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/36.jpg)
Manually Sign a zone
dnssec-signzone -S -o rmll.example -K /etc/bind/keys/ /var/bind/master/rmll.example.zone
• Creates a .signed zone file next to the source file (rmll.example.zone.signed)
• -S is "smart signing": the keys are picked from the key directory by their metadata
• Signatures expire (30 days after signing by default), so a manually signed zone must be re-signed before then or it fails validation
![Page 37: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/37.jpg)
DANE
![Page 38: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/38.jpg)
DANE
• DNS-based Authentication of Named Entities
• New record types to store public key or certificate hashes
• Independent from DNSSEC on the wire (!): a TLSA record can be published in any zone, but an RFC 6698 client only uses it when the answer is DNSSEC-validated, so without DNSSEC it adds nothing
![Page 39: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/39.jpg)
TLSA records
• Store the hash (or the full value) of a TLS certificate or public key
• "Replacement" for the CA (https)
• Not implemented natively in browsers
• Implemented in IRC clients (irssi)
![Page 40: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/40.jpg)
TLSA records
_443._tcp IN TLSA 3 0 1 2bfa3214fda53315b140e65fe66
_443._tcp.www IN TLSA 3 0 1 2bfa3214fda53315b140e65
_6697._tcp.irc IN TLSA 3 0 1 2bfa3214fda53315b140e6
(Owner names are relative to the zone apex: port 443 on rmll.example and www.rmll.example, port 6697 on irc.rmll.example. Fields: usage 3 = DANE-EE, trust this end-entity certificate directly; selector 0 = the full certificate; matching type 1 = SHA-256. The hashes are truncated on the slide; a SHA-256 value is 64 hex characters.)
![Page 41: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/41.jpg)
Generating a hash
openssl x509 -in cert.pem -outform DER | openssl sha256
(This is the selector 0 value: SHA-256 over the DER certificate, so it changes at every renewal. Selector 1 hashes only the DER SubjectPublicKeyInfo, which stays stable as long as the key is kept; extract it with the -pubkey option of openssl x509 before hashing.)
![Page 42: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/42.jpg)
SSH
![Page 43: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/43.jpg)
TOFU
• Trust on first use
• Works in slowly moving environments
• Nowadays we populate new hosts all the time
• Nowadays we rebuild existing hosts, so the stored key changes and every user gets a host key warning they learn to ignore
![Page 44: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/44.jpg)
SSHFP records
• Hash of the SSH server's host key (one record per key type and hash type)
• Implemented in OpenSSH (ssh-keygen -r prints the records, ssh checks them with VerifyHostKeyDNS)
• Uses DNS to recognise the SSH host key instead of trusting the first connection
![Page 45: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/45.jpg)
IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c
IN SSHFP 1 2 9de5bc066a898733420bcfaae8f43e80e532
IN SSHFP 2 1 223e89447a53a3178be02fee6fdd5b44228a
IN SSHFP 2 2 2644fcbd2a1b179091a195207e395d009b16
(Fields: algorithm 1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519; fingerprint type 1 = SHA-1, 2 = SHA-256. The fingerprints are truncated on the slide: 40 hex characters for SHA-1, 64 for SHA-256.)
![Page 46: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/46.jpg)
VerifyHostKeyDNS no
VerifyHostKeyDNS yes
VerifyHostKeyDNS ask
(ssh_config option. With yes, a matching SSHFP record from a DNSSEC-validated answer is accepted without prompting; an unvalidated match is handled as ask, which only displays the result and still asks for confirmation.)
![Page 47: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/47.jpg)
$ ssh -o VerifyHostKeyDNS=yes rmll.example
The authenticity of host 'rmll.example (1.2.3.4)' can't be established.
ECDSA key fingerprint is SHA256:f8zwQD3RU62PXgwCw5WRk2OIyVY.
Matching host key fingerprint found in DNS
Are you sure you want to continue?
(The record matched but ssh still asks: the resolver did not mark the answer as DNSSEC-validated (no AD flag). With a validating resolver the same command connects without the prompt.)
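As an added example for the SSHFP records and the VerifyHostKeyDNS session above (written for this page, not code from OpenSSH or from the talk), the following builds SSHFP records from an OpenSSH public-key line the way ssh-keygen -r does, by hashing the raw wire-format key blob, and models the client decision: a match only bypasses the prompt when the DNS answer was DNSSEC-validated, which is why the session above still asks for confirmation. The host key is constructed from arbitrary bytes and is not a real key.

```python
"""SSHFP records (RFC 4255, RFC 6594) from an OpenSSH public key, plus a model of the client-side check.

Added example for this page; not code from OpenSSH or from the talk.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers by OpenSSH key type (RFC 4255, RFC 6594).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public-key line ('type base64 comment') into (type, raw key blob)."""
    key_type, b64 = line.split()[:2]
    return key_type, base64.b64decode(b64)


def sshfp_records(host: str, pubkey_line: str, fp_types=(1, 2)):
    """SSHFP RRs for a host key: the fingerprint is the hash of the raw key blob, as ssh-keygen -r computes it."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    algorithm = SSHFP_ALGORITHM[key_type]
    return [f"{host.rstrip('.')}. IN SSHFP {algorithm} {t} {FP_TYPE[t](blob).hexdigest()}"
            for t in fp_types]


def parse_sshfp(record: str):
    """Return (algorithm, fp_type, fingerprint_hex) from an SSHFP RR in presentation format."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def verify_host_key(pubkey_line: str, rrset, dnssec_validated: bool) -> str:
    """Model of OpenSSH's VerifyHostKeyDNS decision for the key the server presented.

    'trusted'          : a record matches and the answer was DNSSEC-validated (AD flag) -> no prompt
    'matched-insecure' : a record matches but the answer was not validated -> still prompts
    'mismatch'         : records exist for this key type but none matches -> warning
    'absent'           : no SSHFP record for this key type
    """
    key_type, blob = parse_pubkey_line(pubkey_line)
    algorithm = SSHFP_ALGORITHM[key_type]
    parsed = [parse_sshfp(r) for r in rrset]
    relevant = [(t, fp) for a, t, fp in parsed if a == algorithm and t in FP_TYPE]
    if not relevant:
        return "absent"
    if not any(FP_TYPE[t](blob).hexdigest() == fp for t, fp in relevant):
        return "mismatch"
    return "trusted" if dnssec_validated else "matched-insecure"


def _constructed_ed25519_line(seed: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from 32 constructed bytes (not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


HOST_KEY_LINE = _constructed_ed25519_line(b"rmll.example host key (constructed)", "root@rmll.example")
TAMPERED_KEY_LINE = _constructed_ed25519_line(b"attacker key (constructed)", "mallory")
DNS_RRSET = sshfp_records("rmll.example", HOST_KEY_LINE)  # what the zone would publish


if __name__ == "__main__":
    for rr in DNS_RRSET:
        print(rr)
    print("validated answer :", verify_host_key(HOST_KEY_LINE, DNS_RRSET, dnssec_validated=True))
    print("unvalidated      :", verify_host_key(HOST_KEY_LINE, DNS_RRSET, dnssec_validated=False))
    print("wrong key        :", verify_host_key(TAMPERED_KEY_LINE, DNS_RRSET, dnssec_validated=True))
```

The dnssec_validated flag stands for the AD bit the stub resolver sees; in a deployment that flag is only meaningful if the resolver ssh talks to validates and the path between them is trusted (localhost), otherwise an attacker who can spoof the SSHFP answer can also spoof the key.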
![Page 48: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/48.jpg)
Populating SSHFP records
• What if we have a single source of truth?
• Something that can scale, and be quick enough?
![Page 49: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/49.jpg)
Config Management
• Quickly moving environments often use config management tools
• They know the environment and store data about it
• We use Puppet + The Foreman
![Page 50: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/50.jpg)
Puppet
• A config management tool
• Declarative
• Enforces a desired state
![Page 51: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/51.jpg)
Puppet Facts
• Values collected on the host
• OS version, uptime, kernel
• SSH fingerprints
• Sent back to the master
![Page 52: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/52.jpg)
facts2sshfp
• https://github.com/jpmens/facts2sshfp
• Python script
• Reads the facts YAML files
• Converts Puppet facts to SSHFP records
• Uses Puppet as the single source of truth
• facts2sshfp.py -T nsupdate.template -D a.aa.
• Outputs to templates, nsupdate commands …
![Page 53: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/53.jpg)
The Foreman
Provisioning, Configuration, Monitoring, Reporting
![Page 54: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/54.jpg)
![Page 55: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/55.jpg)
![Page 56: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/56.jpg)
![Page 57: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/57.jpg)
![Page 58: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/58.jpg)
![Page 59: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/59.jpg)
![Page 60: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/60.jpg)
![Page 61: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/61.jpg)
Foreman Proxies
• Foreman works with a GUI + proxies
• DHCP proxy, Puppet proxy, DNS proxy …
• The DNS proxy is pluggable: bind9, powerdns …
![Page 62: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/62.jpg)
Foreman is great
• Open source
• Backed by Red Hat
• The main brick behind Red Hat Satellite 6
• Provides a REST API
![Page 63: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/63.jpg)
Building a (libvirt) host
• Create/update DNS entries
• Create/update DHCP entries
• Create the VM in libvirt
• Boot the VM
• Serve a kickstart
• Run Puppet
![Page 64: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/64.jpg)
The Foreman - Puppet proxy
• Puppet collects and saves facts on the machines
• It can send them back to the Foreman
• Foreman can graph them, query them …
![Page 65: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/65.jpg)
facts2sshfp
• https://github.com/jpmens/facts2sshfp
• facts2sshfp.py -T nsupdate.template --foreman-url=https://foreman.example -D a.aa.
![Page 66: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/66.jpg)
Conclusion
Licensed under a Creative Commons Attribution 2.0 License
https://www.flickr.com/photos/haslamdigital/17191280202/sizes/h/
![Page 67: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/67.jpg)
DNS rocks
• Needed everywhere
• Distributed
• Contains lots of data
• Makes our life easier
![Page 68: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/68.jpg)
DNSSec is easy to implement
• Automation is key
• Implemented in most of the tools
• And in most of the DNS servers
![Page 69: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/69.jpg)
DANE adds more security
• SSH fingerprints
• IRC, SMTP certificate hashes
• Existing client-side implementations
![Page 70: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/70.jpg)
DNSSec+DANE
• DNSSEC and DANE are more useful together
• Make sure your resolver supports and validates DNSSEC!
• The power to check certificates without a CA
![Page 71: DNSSec](https://reader034.vdocument.in/reader034/viewer/2022050614/58a297031a28ab36508b6b1b/html5/thumbnails/71.jpg)
Contact
Julien Pivotto
[email protected]
@roidelapluie
inuits
https://inuits.eu
[email protected]
+32 473 441 636