dnssec - a small overview

Nucleus.be ● Windows & Linux Webhosting ● Dedicated servers ● Co-location ● Online Backup ● Domain Names ● Universal Groupware

DNSSECThe Good, The Bad & The Secure


Schedule- Recap: how DNS works

- What DNSSEC does

- How DNSSEC works

- How we implement it

- Why it’s a bitch to configure.


RECAPDNS – The Basics


SETUP

Stel dat …

Domain: dexia.be- ns1.nucleus.be- ns2.nucleus.be- ns3.nucleus.be- ns4.nucleus.be


End user

I should really pay my bill …


End user ISP

Q: www.dexia.be

Let’s go towww.dexia.be


End user ISP

Q: www.dexia.be

Let’s go towww.dexia.be Where the

f*#} is that?


End user ISP

Q: www.dexia.be


f*#} is that?

Root nameservers

Q: www.dex

ia.be


End user ISP

Q: www.dexia.be


f*#} is that?

Root nameservers

Q: www.dex

ia.be

A: Chec

k .BE T

LD

Dnow. Ask .BE


End user ISP

Q: www.dexia.be


f*#} is that?

Root nameservers

Q: www.dex

ia.be

A: Chec

k .BE T

LD

TLD - .BE nameQ: www.dexia.be

Dnow. Ask .BE


End user ISP

Q: www.dexia.be


f*#} is that?

Root nameservers

Q: www.dex

ia.be

A: Chec

k .BE T

LD


Dnow. Ask .BE

A: Check with Nucleus

Get lost. Ask Nucleus.


End user ISP

Q: www.dexia.be


f*#} is that?

Root nameservers

Q: www.dex

ia.be

A: Chec

k .BE T

LD


Dnow. Ask .BE



ns1.nucleus.be

Q: www.dexia.be


End user ISP

Q: www.dexia.be


f*#} is that?

Root nameservers

Q: www.dex

ia.be

A: Chec

k .BE T

LD


Dnow. Ask .BE



ns1.nucleus.be

Q: www.dexia.beA: 212.63.232.38

Here ya go.


End user ISP

Q: www.dexia.be


f*#} is that?

Root nameservers

Q: www.dex

ia.be

A: Chec

k .BE T

LD


Dnow. Ask .BE



ns1.nucleus.be

Q: www.dexia.beA: 212.63.232.38

Here ya go.

A: 212.63.232.38


Mkay. What’s the problem, Doc?


Vewwy vewwy old.


It works. Leave it.


Security is not a requirement


Here’s how we break it.


Security: don’t trust anyone.End user ISP

Q: www.dexia.be


Security: everybody lies.End user ISP

Q: www.dexia.be

A: 193.239.211.1My secret server.


I’m scared. Save me.


DNSSECDNS Security Extensions

Secures the DATA returned by nameservers

Created in 1997


DNSSEC

Backwards compatible.


DNSSEC

Signs data, does not encrypt. (private vs public keys)


DNSSEC

Publish the public key part.


DNSSEC

NSEC/NSEC3: Denial of Existence


End user ISP

Q: www.dexia.be

Root nameservers

Q: www.dex

ia.be

A: Chec

k .BE T

LD



ns1.nucleus.be

Q: www.dexia.beA: 212.63.232.38

A: 212.63.232.38


This must be magic?!Resource Record (A, CNAME, TXT, MX, …): signed with RRSIG Record

Public key gets published in DNSKEY record

Parent zone publishes public key of child zone in DS records

Non-existing entries signed with NSEC3


Keys? Keys!

Key rotation for public keys

Zone Signing Key (ZSK): sign records in a zone

Key Signing Key (KSK): sign the ZSK and link to parent zone


Show me the money!$TTL 1D@ IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. (

2010073002 ; serial 1H; refresh 30M ; retry 4W ; expire 1D ) ; minimum

IN NS ns1.nucleus.be.IN NS ns2.nucleus.be.IN NS ns3.nucleus.be.IN NS ns4.nucleus.be.

3600 IN MX 10 asav01.bru.nucleus.be. 3600 IN MX 10 asav02.ant.nucleus.be.

nucleus.eu. 3600 IN A 188.93.153.72mail 3600 IN CNAME mail.nucleus.be.* 3600 IN CNAME nucleus.eu.www 3600 IN CNAME lin1.nucleus.be.blah 3600 IN CNAME www.nucleus.be.

nucleus.eu: normal, unsigned zone


Show me the money!nucleus.eu. 86400 IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. ( 2010073002 ; serial 3600 ; refresh (1 hour) 1800 ; retry (30 minutes) 2419200 ; expire (4 weeks) 86400 ; minimum (1 day) ) 86400 RRSIG SOA 8 2 86400 20101026151414 ( 20101012141414 22506 nucleus.eu. j6n9E/xC2q+72sEIoWZhykBU3ZZ6mUtYMMfk PTbv5wlSdGQtiBlUK1xCux4BVBov/TQU3B1B hO0LaSOdgMhCnenmnxtUX6KwV2U+4JxR8PFy 2f0C+0EOlHU8xZ2oIaNWOZH71rl9EYVCO3Ya fl3eyD2dSITz2xT77WarLrbnul8= ) 86400 NS ns1.nucleus.be. 86400 NS ns2.nucleus.be. 86400 NS ns3.nucleus.be. 86400 NS ns4.nucleus.be. 86400 RRSIG NS 8 2 86400 20101026151414 ( 20101012141414 22506 nucleus.eu. QBN5NLbkijUGIky583MWmEm15vxVWkgksQvf T/cTzn+10JKHgm4Wzt8qjZdPrKH2OIPT3VVT rP7WI2+O6EMR+jRf6J1G/on4jNg+3fKG7ZO/ OsOj9HLZNzBQYDzGoO6lXe6fdsJNBNOvIFju wyhziw89bCzal/Hyb3VIPwV8Zpw= ) 3600 A 188.93.153.72

nucleus.eu: DNSSEC signed 3600 RRSIG A 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5 hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5 XpEukb3aTPt6sbW7bpbmZVFzhSQ= ) 3600 MX 10 asav01.bru.nucleus.be. 3600 MX 10 asav02.ant.nucleus.be. 3600 RRSIG MX 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. OFLT2VKX0Y/GIzHUlsSxD976iHZDLp77mf4p CanC5OMaA9dLlVEwIp2xdwqOAauluozmQAUJ Y7Y6Hb9g811MPcaU5wHyjVQR9cXZqk9KrzBE oOHMz3fprdH0pYAmcHhyixSs9ohLLTvwG37X GZcmMnu2qQgaqTyZfSe5T4wHFKA= ) 86400 DNSKEY 256 3 8 ( AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3 w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6 ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl ) ; key id = 22506…


Show me the money!86400 RRSIG DNSKEY 8 2 86400 20101026151414 ( 20101012141414 22225 nucleus.eu. GrlJYgv9OIaWHKw2csLeSZw151WB4wFMchM3 syGq8tcV7p6V50w/wGDMoEshkQI0CdEILgxa F2NtmnUniy4hfafKcVHPg25rj0kQio79l0Rs QQPjDmXGIdkyWbRbK7M/ptnfjfq6v37NMVLP Rv7BQ27u/NATI89tj6l45pOa6nB53RfRRfLM nVEumTzYdQi3YTiewfP2DrmL/qJoaSZVC/BR 9jRg36F6FLHez3nxdEBP8YFnJi1CukRaJA8e zHUFeUcMhPG3X0LRFdBxpI3eNaOv5T5AGvKw ODMD1qmVPsi/doakRu93WIk+hVt1B0y5jAe+ 1pErKmKcH6Pf4N28wA== )86400 RRSIG DNSKEY 8 2 86400 20101026151414 ( 20101012141414 22506 nucleus.eu. VX49z+fLmab6Nno5jdISGd6PhTi0ovMmjwfL 7jQIGHl3Jsbbtw2TMFvuROPIXlSWcN2L6ixr t5PJoFFlYQl3qsCUZQjHsbvvQNGDQN2i0zCK qWaC0aui7LhdXCPrv8Gf2KskANNoTk0NmAuu Ke60oX4P00x4NeT1xpFnZnsgXbw= ) 0 NSEC3PARAM 1 0 5 46AF2E27 0 RRSIG NSEC3PARAM 8 2 0 20101026151414 ( 20101012141414 22506 nucleus.eu. jhayx2h6g0gsJb/oe5m0F3bRxd4GtRPhbfKX 4I5934SoF5/ofnYlxOTyV4ey/m/9dnxS5IIq ej7Kzjv8HB6e7yTgr2zzrhTshtcZaJIhBRar zIAVny60xDpCz/V/qtjEZw1+SwjrE3aPaFDQ NyMZetYK4LL8uiT3szi4f+L/peo= )

nucleus.eu: DNSSEC signed*.nucleus.eu. 3600 IN CNAME nucleus.eu. 3600 RRSIG CNAME 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. EBe1hfvY1Skm3YZXm/h/X6YmuV02vQwthXNa ieYmbkVZmoeWzxFQWoAqPmgJ8RKsThQXNY0n s5/Naf866yhxLGv+3dL+kie4YAT44IxTtk3a hzd8ORdbSEU/LtX7/deKbfkKMYaqEsYLAM9f tsk8QindoiXkNKXGd0Z5XusJhFI= )blah.nucleus.eu. 3600 IN CNAME www.nucleus.be. 3600 RRSIG CNAME 8 3 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. KY4dsjePG1i5akcN4q/JvQHjC9l6/kgkQX02 cjz3990hhsUghMbxJrdL+dCndXj65Kh7YuDa IYXNgkyLzooRYnRq74XLd8/yWrhrlQMGRZJH gpdv+HrTY0Bex9S2eO+1E1UISY8i/g7ND4hn gBaWQrA3rKz5wA2662jPhjV06jQ= )mail.nucleus.eu. 3600 IN CNAME mail.nucleus.be. 3600 RRSIG CNAME 8 3 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. sw4UsLjt9Car++ZXsSby1Lqa1XmWeyOZFsiF oHAT6HAUzYK19qwPz5nJc6aQoLzvH3F6PjqJ Kwek4SJUGMPpZOLOqGtguerNUxAK7XIHxgaJ REpF6u77NqAmTxYafmkXnUVzA9QeYS49ocQ5 GpB8iVd7zwNYDo1LmZzBszjmOMo= )


Auch, mi estómago


Let’s analyze. KSK vs ZSK.86400 DNSKEY 256 3 8 ( AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3 w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6 ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl ) ; key id = 22506

86400 DNSKEY 257 3 8 ( AwEAAefl1K20cC22qiDnfGyA99lM8fmbGc/1 QHql63coA+hfbFGORPu716UfGxIJWazTTmQZ 0zpqNeXZeEZHPNqu6NdyctHAlIMLelX5/Brm NCjB9OdmZuX0EGKKDePGh5JSwhYSnC89JeV7 nnD5b9SBANEbqsBALx6lQiTfbt0DMO8fD4yO OXmgknYP7u7vvsSzAmlXxpGA8ARFcWkgJvZv bahT5DFR+GtoEWhU8+yyeX0MCIVyRCBEQAzH cBQfhzE+aw/UDntij3of7LsFbBh38PNIrBO6 FrNFrdynlc8z5Ah6m1AxyxIbEFjfb5KSV4rx 9MZXN8iwZFZLRZeu9vJDuQ8= ) ; key id = 22225

256: Zone Signing Key- 1024 bit- monthly rotated

257: Key Signing Key- 2048 bit- yearly rotated


Let’s analyze. KSK vs ZSK.86400 DNSKEY 256 3 8 ( AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3 w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6 ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl ) ; key id = 22506

86400 DNSKEY 257 3 8 ( AwEAAefl1K20cC22qiDnfGyA99lM8fmbGc/1 QHql63coA+hfbFGORPu716UfGxIJWazTTmQZ 0zpqNeXZeEZHPNqu6NdyctHAlIMLelX5/Brm NCjB9OdmZuX0EGKKDePGh5JSwhYSnC89JeV7 nnD5b9SBANEbqsBALx6lQiTfbt0DMO8fD4yO OXmgknYP7u7vvsSzAmlXxpGA8ARFcWkgJvZv bahT5DFR+GtoEWhU8+yyeX0MCIVyRCBEQAzH cBQfhzE+aw/UDntij3of7LsFbBh38PNIrBO6 FrNFrdynlc8z5Ah6m1AxyxIbEFjfb5KSV4rx 9MZXN8iwZFZLRZeu9vJDuQ8= ) ; key id = 22225

256/257: Key flag (KSK or ZSK)3: Protocol used8: Algoritme used


Let’s analyze. RRSIG’s.3600 RRSIG A 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5 hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5 XpEukb3aTPt6sbW7bpbmZVFzhSQ= )

3600 : TTLRRSIG : Resource RecordA: Type of signed record8: Algoritme (RSA-SHA256)2: # labels of signed record3600: TTL of signed record 20101026151414: Signature expiration20101012141414: Signature creation22506: Key ID

dnssec - a small overview

Technology

end userispq

end userisptld

setup stel dat domain

bill end

end userisp q

beroot nameserverslets

dnssec backwards

dnssec nsecnsec3