Upload File

dnssec for isps workshop for...dnssec for isps workshop joão damas ([email protected]) 1 thursday, 8...

  • Home
  • Documents
  • DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas ([email protected]) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing
53
DNSSEC for ISPs workshop João Damas ([email protected] ) 1 Thursday, 8 September 2011

Upload: others

Post on 02-Aug-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

DNSSEC for ISPs workshop

João Damas([email protected])

1

Thursday, 8 September 2011

mailto:[email protected]
mailto:[email protected]
Page 2: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Outline of workshop

•Brief intro to DNSSEC •Overview of zone signing•DNSSEC validation

–trust anchors–validation–impact of enabling validation–debugging

•Making DNSSEC useful for you2

Thursday, 8 September 2011

Page 3: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Brief Introduction to DNSSEC

3

Thursday, 8 September 2011

Page 4: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

The protocol bits

•What is DNSSEC meant to do?•What does it do?•How does it do it?

4

Thursday, 8 September 2011

Page 5: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

What is DNSSEC meant to do?

•It protects data in transit between an authoritative name server and a client

•Optionally, it can securely link the zones in the DNS tree

•It does not:–ensure data is correct, only that no one has interfered with it

5

Thursday, 8 September 2011

Page 6: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

What is DNSSEC meant to do?

•This should enable a new world of applications/services–see DANE, SSHFP, new anti-spam tools

•DANE: http://tools.ietf.org/wg/dane/charters

6

Thursday, 8 September 2011

http://tools.ietf.org/wg/dane/charters
http://tools.ietf.org/wg/dane/charters
Page 7: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

What does DNSSEC do?

•It defines a protocol to allow verification of DNS data by a client who knows the public key used to sign the DNS data.

7

Thursday, 8 September 2011

Page 8: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

How does DNSSEC secure DNS?•Technical elements•Data signing

8

Thursday, 8 September 2011

Page 9: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Technical elements

•Keys•Proof of nonexistence•Zone links•Signatures

9

Thursday, 8 September 2011

Page 10: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Keys

•Public key cryptography–choice of algorithms: RSA/DSA/GOST

•Data digests–SHA1, SHA2, GOST

10

$ dig bondis.org dnskey....bondis.org. IN DNSKEY 256 3 5 BQEAAAAB1Io2mihvmT6Dj9CSNGOqWjklO2OlusMnOofmbBAbEHFTFhG69zE0DcT0Pyp9b0Iinvn1U389jlVdZvp9x2cIRjWMliR4Uo3TRfNkT4JewlbhwUFTPuH15idCTNFyWPKD5vDfOOPy8EDj2llH1iwiWQ8ryu9OtIR S8Nyrvb59g0=

Thursday, 8 September 2011

Page 11: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Keys

•Public key cryptography–choice of algorithms: RSA/DSA/GOST

•Data digests–SHA1, SHA2, GOST

10

$ dig bondis.org dnskey....bondis.org. IN DNSKEY 256 3 5 BQEAAAAB1Io2mihvmT6Dj9CSNGOqWjklO2OlusMnOofmbBAbEHFTFhG69zE0DcT0Pyp9b0Iinvn1U389jlVdZvp9x2cIRjWMliR4Uo3TRfNkT4JewlbhwUFTPuH15idCTNFyWPKD5vDfOOPy8EDj2llH1iwiWQ8ryu9OtIR S8Nyrvb59g0=

Flags

Thursday, 8 September 2011

Page 12: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Keys

•Public key cryptography–choice of algorithms: RSA/DSA/GOST

•Data digests–SHA1, SHA2, GOST

10

$ dig bondis.org dnskey....bondis.org. IN DNSKEY 256 3 5 BQEAAAAB1Io2mihvmT6Dj9CSNGOqWjklO2OlusMnOofmbBAbEHFTFhG69zE0DcT0Pyp9b0Iinvn1U389jlVdZvp9x2cIRjWMliR4Uo3TRfNkT4JewlbhwUFTPuH15idCTNFyWPKD5vDfOOPy8EDj2llH1iwiWQ8ryu9OtIR S8Nyrvb59g0=

Flags

Protocol

Thursday, 8 September 2011

Page 13: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Keys

•Public key cryptography–choice of algorithms: RSA/DSA/GOST

•Data digests–SHA1, SHA2, GOST

10

$ dig bondis.org dnskey....bondis.org. IN DNSKEY 256 3 5 BQEAAAAB1Io2mihvmT6Dj9CSNGOqWjklO2OlusMnOofmbBAbEHFTFhG69zE0DcT0Pyp9b0Iinvn1U389jlVdZvp9x2cIRjWMliR4Uo3TRfNkT4JewlbhwUFTPuH15idCTNFyWPKD5vDfOOPy8EDj2llH1iwiWQ8ryu9OtIR S8Nyrvb59g0=

Flags

Protocol

Algorithm

Thursday, 8 September 2011

Page 14: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Keys

•Key Signing Key•Zone Signing Key

•Only difference is how they are used, otherwise they are identical (1bit)

11

Thursday, 8 September 2011

Page 15: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Proof of nonexistence

•Critical to avoid false negatives (e.g. interception)

•Pre-computed (DoS mitigation)–probably modern hardware could compute the elements in real time.

•Two ways. Both valid–NSEC–NSEC3

12

Thursday, 8 September 2011

Page 16: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSEC

13

X

NSEC• Describe intervals between two consecutive names that existent in the zone

–Allows “zone walking”–Some TLDs see this as a privacy problem

•the problemtends to be in the whois, not in the DNS

Thursday, 8 September 2011

Page 17: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSEC

-$ dig patio.bondis.org +dnssec

;; QUESTION SECTION:;patio.bondis.org. IN A

;; AUTHORITY SECTION:ns.bondis.org. 300 IN NSEC smtp1.bondis.org. A RRSIG NSECns.bondis.org. 300 IN RRSIG NSEC 5 3 7200 20101215090000 20100913110215 40583 bondis.org. nYwLzU....

13

X

Thursday, 8 September 2011

Page 18: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSECZone Walking

14

Thursday, 8 September 2011

Page 19: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSEC

14

$ dig patio.bondis.org +dnssec;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN

;; QUESTION SECTION:;patio.bondis.org. IN A

;; AUTHORITY SECTION:ns.bondis.org. 300 IN NSEC smtp1.bondis.org. A RRSIG NSECns.bondis.org. 300 IN RRSIG NSEC 5 3 7200 20101215090000 20100913110215 40583 bondis.org. nYwLzUsk5Q.....

Thursday, 8 September 2011

Page 20: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSEC

14

$ dig patio.bondis.org +dnssec;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN

;; QUESTION SECTION:;patio.bondis.org. IN A

;; AUTHORITY SECTION:ns.bondis.org. 300 IN NSEC smtp1.bondis.org. A RRSIG NSECns.bondis.org. 300 IN RRSIG NSEC 5 3 7200 20101215090000 20100913110215 40583 bondis.org. nYwLzUsk5Q.....

previous

Thursday, 8 September 2011

Page 21: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSEC

14

$ dig patio.bondis.org +dnssec;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN

;; QUESTION SECTION:;patio.bondis.org. IN A

;; AUTHORITY SECTION:ns.bondis.org. 300 IN NSEC smtp1.bondis.org. A RRSIG NSECns.bondis.org. 300 IN RRSIG NSEC 5 3 7200 20101215090000 20100913110215 40583 bondis.org. nYwLzUsk5Q.....

previous next

Thursday, 8 September 2011

Page 22: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSEC3

•Replaces the names in NSEC records with hashes of existing names–hard for humans to debug

•Introduces an unrelated but useful feature: opt-out

15

Thursday, 8 September 2011

Page 23: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

NSEC3

16

$ dig isc0.org +dnssec +noall +answer +authority

; <<>> DiG 9.6.1-P1 <<>> isc0.org +dnssec +noall +answer +authority;; global options: +cmdorg. 872 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009765707 1800 900 604800 86400org. 872 IN RRSIG SOA 7 1 900 20110929095701 20110908085701 56472 org. DaeMBz24QcHdzTQrjE7SdzJ42SKgNBK2sFSZaWNRzwskT2QghgbUcywf 2GxSFf6cChEsFe4hULXzWWDHqMcipiIlAjT78UMfZ8o5XHFXw458M7FT bb+41u0OX75WtoCXXHa8+zrXGn9csa7QuE29c/JQhg/Ynv9ylAnww36U fJc=h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 872 IN RRSIG NSEC3 7 2 86400 20110929095701 20110908085701 56472 org. GmtpVsYkxJ1yRmt8vWsuHmbWBJCJhuGaRvoKccdDX8B/gO1Q+cUw8jG2 lH24MV4J4vipBvqvbI72g/1DNFdOPW2Vqn3aIctA+8co9wImHr/5tNHY HcCwF79x/wm38nFbhxxI7XDWPfvTMy+YbjCeSddxIPdegggBRHPZOLj5 QQA=h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 872 IN NSEC3 1 1 1 D399EAAB H9R9S3ARGOL56DI1SIA1K4AORTQ8FGPN NS SOA RRSIG DNSKEY NSEC3PARAMtc8i66k7jila0sgib7tjeic8vftrevko.org. 872 IN RRSIG NSEC3 7 2 86400 20110926183026 20110905173026 56472 org. E3DwrbG9RdbfaQcu0nDyylhYAP44Ezo48qwUO95wXVQPkgkdJnTgPz5P aecBljmbG4RIY7sa4SMwy6WPo3cpVPd7tcVOy5uJfqkEQJhOP8eYfaGf BpvlrBMPTo3KefFoEjQ0RscN0ZWIR+/rwlpZdA4R9yP7u+YU0AxOq6eb /bU=tc8i66k7jila0sgib7tjeic8vftrevko.org. 872 IN NSEC3 1 1 1 D399EAAB TCEKMSLUSATMEGL10541FLRRD7CNAL2J A RRSIGvaiuqvth0uj0nkst7dkbscpig5lcg2op.org. 872 IN RRSIG NSEC3 7 2 86400 20110922155643 20110901145643 56472 org. eyXNpLjjD/B3c9/V1Dfhyf5jJu1cwHc40V+zvVHYgKsNCsndZLXYiV/1 T33Lc5ka6cdCK/FHWy0/qn7idRvViyOrNDPQ0f8AKmme/Gl1ZvTuHzOZ 3fP0JkQgC2EmHF4m/sPOMPBVPUYwU3fnzh4XtBZJFcnrXSHv7Mg9E9P6 NQo=vaiuqvth0uj0nkst7dkbscpig5lcg2op.org. 872 IN NSEC3 1 1 1 D399EAAB VARKIF352C7E5J1AGLO6DJ68T9H5N4R1 A RRSIG

Thursday, 8 September 2011

Page 24: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Linking zones

•In DNS search jumps from zone to zone via delegations

17

$ dig @a0.org.afilias-nst.info. isc.org;; QUESTION SECTION:;isc.org. IN A;; AUTHORITY SECTION:isc.org. 86400 IN NS ams.sns-pb.isc.org.isc.org. 86400 IN NS ord.sns-pb.isc.org.isc.org. 86400 IN NS ns.isc.afilias-nst.info.isc.org. 86400 IN NS sfba.sns-pb.isc.org.

Thursday, 8 September 2011

Page 25: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Linking zones

18

DNSSEC creates a parallel tree.Keys are represented in parent zones with a new record

DS (delegation signer) $ dig @a0.org.afilias-nst.info. bondis.org any;; ANSWER SECTION:bondis.org. 32 IN NS ns.bondis.org.bondis.org. 32 IN NS borg.c-l-i.net.bondis.org. 84416 IN DS 46041 5 2 77B5E5C737CBA4D8610EF16D6161CDFF7C48F8C6A63157A900510ABC 1C52BE66bondis.org. 84416 IN DS 46041 5 1 4E64E49EAC3B9C6124925CDE6DE9A11A4BA9C061

Thursday, 8 September 2011

Page 26: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Signing the Data

•Signatures are what you can actually check to verify data is real

•Stored in the RRSIG record–one per name and record type

19

Thursday, 8 September 2011

Page 27: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Signing the Data

•Signatures are what you can actually check to verify data is real

•Stored in the RRSIG record–one per name and record type

19

$ dig isc.org any +dnssec;; QUESTION SECTION:;isc.org. IN ANY;; ANSWER SECTION:isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 12892 isc.org. J7d/2l/cPUHzyg3ze....isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 21693 isc.org. WO2LHgs1bkK2d04FCkCG01O4Z....isc.org. 7071 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJ....isc.org. 7071 IN DNSKEY 256 3 5 BEAAAAO6L6BadeFzvt6J63GDGrFANfJAitCd9Njcj49y6PE1Bv6t33sE yxSVi4KWbjQgV....isc.org. 7070 IN RRSIG NS 5 2 7200 20110829233225 20110730233225 21693 isc.org. QD/j5eKOVyYW+iOUTDGzo....isc.org. 7070 IN NS sfba.sns-pb.isc.org.isc.org. 7070 IN NS ns.isc.afilias-nst.info.isc.org. 7070 IN NS ams.sns-pb.isc.org.isc.org. 7070 IN NS ord.sns-pb.isc.org.isc.org. 34420 IN RRSIG DS 7 2 86400 20110830154907 20110809144907 11028 org. WA/UeCd+Pi6eNmPFWAXQ5O7k....isc.org. 34420 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759isc.org. 34420 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Thursday, 8 September 2011

Page 28: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Signing the Data

•Signatures are what you can actually check to verify data is real

•Stored in the RRSIG record–one per name and record type

19

$ dig isc.org any +dnssec;; QUESTION SECTION:;isc.org. IN ANY;; ANSWER SECTION:isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 12892 isc.org. J7d/2l/cPUHzyg3ze....isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 21693 isc.org. WO2LHgs1bkK2d04FCkCG01O4Z....isc.org. 7071 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJ....isc.org. 7071 IN DNSKEY 256 3 5 BEAAAAO6L6BadeFzvt6J63GDGrFANfJAitCd9Njcj49y6PE1Bv6t33sE yxSVi4KWbjQgV....isc.org. 7070 IN RRSIG NS 5 2 7200 20110829233225 20110730233225 21693 isc.org. QD/j5eKOVyYW+iOUTDGzo....isc.org. 7070 IN NS sfba.sns-pb.isc.org.isc.org. 7070 IN NS ns.isc.afilias-nst.info.isc.org. 7070 IN NS ams.sns-pb.isc.org.isc.org. 7070 IN NS ord.sns-pb.isc.org.isc.org. 34420 IN RRSIG DS 7 2 86400 20110830154907 20110809144907 11028 org. WA/UeCd+Pi6eNmPFWAXQ5O7k....isc.org. 34420 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759isc.org. 34420 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Thursday, 8 September 2011

Page 29: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Signing the Data

•Signatures are what you can actually check to verify data is real

•Stored in the RRSIG record–one per name and record type

19

$ dig isc.org any +dnssec;; QUESTION SECTION:;isc.org. IN ANY;; ANSWER SECTION:isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 12892 isc.org. J7d/2l/cPUHzyg3ze....isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 21693 isc.org. WO2LHgs1bkK2d04FCkCG01O4Z....isc.org. 7071 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJ....isc.org. 7071 IN DNSKEY 256 3 5 BEAAAAO6L6BadeFzvt6J63GDGrFANfJAitCd9Njcj49y6PE1Bv6t33sE yxSVi4KWbjQgV....isc.org. 7070 IN RRSIG NS 5 2 7200 20110829233225 20110730233225 21693 isc.org. QD/j5eKOVyYW+iOUTDGzo....isc.org. 7070 IN NS sfba.sns-pb.isc.org.isc.org. 7070 IN NS ns.isc.afilias-nst.info.isc.org. 7070 IN NS ams.sns-pb.isc.org.isc.org. 7070 IN NS ord.sns-pb.isc.org.isc.org. 34420 IN RRSIG DS 7 2 86400 20110830154907 20110809144907 11028 org. WA/UeCd+Pi6eNmPFWAXQ5O7k....isc.org. 34420 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759isc.org. 34420 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Thursday, 8 September 2011

Page 30: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Signing the Data

•Signatures are what you can actually check to verify data is real

•Stored in the RRSIG record–one per name and record type

19

$ dig isc.org any +dnssec;; QUESTION SECTION:;isc.org. IN ANY;; ANSWER SECTION:isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 12892 isc.org. J7d/2l/cPUHzyg3ze....isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 21693 isc.org. WO2LHgs1bkK2d04FCkCG01O4Z....isc.org. 7071 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJ....isc.org. 7071 IN DNSKEY 256 3 5 BEAAAAO6L6BadeFzvt6J63GDGrFANfJAitCd9Njcj49y6PE1Bv6t33sE yxSVi4KWbjQgV....isc.org. 7070 IN RRSIG NS 5 2 7200 20110829233225 20110730233225 21693 isc.org. QD/j5eKOVyYW+iOUTDGzo....isc.org. 7070 IN NS sfba.sns-pb.isc.org.isc.org. 7070 IN NS ns.isc.afilias-nst.info.isc.org. 7070 IN NS ams.sns-pb.isc.org.isc.org. 7070 IN NS ord.sns-pb.isc.org.isc.org. 34420 IN RRSIG DS 7 2 86400 20110830154907 20110809144907 11028 org. WA/UeCd+Pi6eNmPFWAXQ5O7k....isc.org. 34420 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759isc.org. 34420 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Thursday, 8 September 2011

Page 31: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Signing the Data

•Signatures are what you can actually check to verify data is real

•Stored in the RRSIG record–one per name and record type

19

$ dig isc.org any +dnssec;; QUESTION SECTION:;isc.org. IN ANY;; ANSWER SECTION:isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 12892 isc.org. J7d/2l/cPUHzyg3ze....isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 21693 isc.org. WO2LHgs1bkK2d04FCkCG01O4Z....isc.org. 7071 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJ....isc.org. 7071 IN DNSKEY 256 3 5 BEAAAAO6L6BadeFzvt6J63GDGrFANfJAitCd9Njcj49y6PE1Bv6t33sE yxSVi4KWbjQgV....isc.org. 7070 IN RRSIG NS 5 2 7200 20110829233225 20110730233225 21693 isc.org. QD/j5eKOVyYW+iOUTDGzo....isc.org. 7070 IN NS sfba.sns-pb.isc.org.isc.org. 7070 IN NS ns.isc.afilias-nst.info.isc.org. 7070 IN NS ams.sns-pb.isc.org.isc.org. 7070 IN NS ord.sns-pb.isc.org.isc.org. 34420 IN RRSIG DS 7 2 86400 20110830154907 20110809144907 11028 org. WA/UeCd+Pi6eNmPFWAXQ5O7k....isc.org. 34420 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759isc.org. 34420 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Thursday, 8 September 2011

Page 32: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Signing the Data

•Signatures are what you can actually check to verify data is real

•Stored in the RRSIG record–one per name and record type

19

$ dig isc.org any +dnssec;; QUESTION SECTION:;isc.org. IN ANY;; ANSWER SECTION:isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 12892 isc.org. J7d/2l/cPUHzyg3ze....isc.org. 7071 IN RRSIG DNSKEY 5 2 7200 20110829230209 20110730230209 21693 isc.org. WO2LHgs1bkK2d04FCkCG01O4Z....isc.org. 7071 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJ....isc.org. 7071 IN DNSKEY 256 3 5 BEAAAAO6L6BadeFzvt6J63GDGrFANfJAitCd9Njcj49y6PE1Bv6t33sE yxSVi4KWbjQgV....isc.org. 7070 IN RRSIG NS 5 2 7200 20110829233225 20110730233225 21693 isc.org. QD/j5eKOVyYW+iOUTDGzo....isc.org. 7070 IN NS sfba.sns-pb.isc.org.isc.org. 7070 IN NS ns.isc.afilias-nst.info.isc.org. 7070 IN NS ams.sns-pb.isc.org.isc.org. 7070 IN NS ord.sns-pb.isc.org.isc.org. 34420 IN RRSIG DS 7 2 86400 20110830154907 20110809144907 11028 org. WA/UeCd+Pi6eNmPFWAXQ5O7k....isc.org. 34420 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759isc.org. 34420 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Thursday, 8 September 2011

Page 33: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

20

Overview of zone signing

Thursday, 8 September 2011

Page 34: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Create key(s)

•standard utilities come with BIND and others

•dnsssec-keygen•Most common case people create 2 types of keys–DNS itself doesn’t care about these key types, purely administrative

–KSK/SEP, ZSK

21

Thursday, 8 September 2011

Page 35: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Sign zone

•Use cli tools that ship with BIND and others–dnssec-signzone

•Use automated processes–BIND 9.7+–zkt–opendnssec

22

Thursday, 8 September 2011

Page 36: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Serve the signed zone

•Make sure all NS are DNSSEC enabled•Don’t forget signatures have an expiry date

23

Thursday, 8 September 2011

Page 37: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

More details

•See online resources–https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources

24

Thursday, 8 September 2011

https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
Page 38: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

DNSSEC Validation

25

Thursday, 8 September 2011

Page 39: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Getting the necessary elements•The server software

–BIND, Unbound, PowerDNS recursor•we will use BIND here

•The Key material–https://data.iana.org/root-anchors/–http://www.root-dnssec.org/documentation/

26

Thursday, 8 September 2011

https://data.iana.org/root-anchors/
https://data.iana.org/root-anchors/
http://www.root-dnssec.org/documentation/
http://www.root-dnssec.org/documentation/
http://www.root-dnssec.org/documentation/
http://www.root-dnssec.org/documentation/
Page 40: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Getting the necessary elements•Tools

–DiG (with the special sauce)–drill–wireshark–dnscap (https://www.dns-oarc.net/tools/dnscap)

27

Thursday, 8 September 2011

https://www.dns-oarc.net/tools/dnscap
https://www.dns-oarc.net/tools/dnscap
Page 41: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Getting our hands dirty

•First make sure DiG is ready–compile BIND using STD_CDEFINES='-DDIG_SIGCHASE=1 ./configure

–not the cleanest code ever but it solves the problem nicely

28

Thursday, 8 September 2011

Page 42: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Get the keys for the root zone•https://data.iana.org/root-anchors/

29

Kjqmt7v.crt 30-Jun-2011 19:53Kjqmt7v.csr 15-Jul-2010 19:13draft-icann-dnssec-trust-anchor.html 15-Jul-2010 20:44draft-icann-dnssec-trust-anchor.txt 15-Jul-2010 20:44icann.pgp 15-Jul-2011 19:48icannbundle.p12 15-Jul-2010 19:13icannbundle.pem 15-Jul-2010 19:13root-anchors.asc 15-Jul-2010 19:13root-anchors.p7s 30-Jun-2011 19:53root-anchors.xml 15-Jul-2010 19:13

Multiple choices. For me the most convenient is the combination of the PGP signature with the xml file...

even if xml has DS record. BIND needs DNSKEY

Thursday, 8 September 2011

https://data.iana.org/root-anchors/
https://data.iana.org/root-anchors/
https://data.iana.org/root-anchors/Kjqmt7v.crt
https://data.iana.org/root-anchors/Kjqmt7v.crt
https://data.iana.org/root-anchors/Kjqmt7v.csr
https://data.iana.org/root-anchors/Kjqmt7v.csr
https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
https://data.iana.org/root-anchors/icann.pgp
https://data.iana.org/root-anchors/icann.pgp
https://data.iana.org/root-anchors/icannbundle.p12
https://data.iana.org/root-anchors/icannbundle.p12
https://data.iana.org/root-anchors/icannbundle.pem
https://data.iana.org/root-anchors/icannbundle.pem
https://data.iana.org/root-anchors/root-anchors.asc
https://data.iana.org/root-anchors/root-anchors.asc
https://data.iana.org/root-anchors/root-anchors.p7s
https://data.iana.org/root-anchors/root-anchors.p7s
https://data.iana.org/root-anchors/root-anchors.xml
https://data.iana.org/root-anchors/root-anchors.xml
Page 43: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Get the keys for the root zone•To verify, get the DNSKEY from the DNS itself–dig @f.root-servers.net . DNSKEY +noall +answer +multi >/tmp/root-key

•and convert to DS using a BIND utility–dnssec-dsfromkey -f /tmp/root-key .

•Compare the DS with the one in root-anchors.xml

30

Thursday, 8 September 2011

Page 44: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Configure BIND to validate

•Introduce the validate key into named.conf–Manual management

•trusted-keys–Automatic management

•managed-keys–RFC5011

•Make sure DNSSEC is enabled

31

Thursday, 8 September 2011

Page 45: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

DLV

•Useful under some circumstances–frequent use of islands of security–testing

•What is it?–early deployment aid

•how does it work?

32

Thursday, 8 September 2011

Page 46: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Enabling DLV

•enable it with–dnssec-lookaside auto

•You can register your own DNSSEC keys with ISC’s DLV registry–https://dlv.isc.org/

33

Thursday, 8 September 2011

https://dlv.isc.org
https://dlv.isc.org
Page 47: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Making DNSSEC useful for you

34

Thursday, 8 September 2011

Page 48: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

You can use it now, to your own advantage•Problem to be solved:a new server comes online or you change the SSH host key (e.g. OS change/upgrade)

35

You need to manually refresh the key at all clients

you can use SSHFP

or

Thursday, 8 September 2011

Page 49: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Using SSHFP with your SSH system•This is something that benefits you in your daily work

•You need to:–generate SSHFP records and put them in the zone (one time per key)

–Sign the zone with DNSSEC–configure SSH clients (one time)

36

Thursday, 8 September 2011

Page 50: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Get data into the zone

•Generate SSHFP records–by hand–using tools, such as

• http://www.xelerance.com/services/software/sshfp/

•Add to the corresponding server name

•Sign the zone

37

shuttle.c-l-i.net. IN SSHFP 2 1 575897C6164E07B920CE92416049AB33DFAF30E6

Thursday, 8 September 2011

http://www.xelerance.com/services/software/sshfp/
http://www.xelerance.com/services/software/sshfp/
Page 51: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Configure the SSH client

•Add option

VerifyHostKeyDNS yes (or ask)

to .ssh/config

•Enable EDNS0 in /etc/resolv.conf–options edns0–or use and env var in $SHELL

•RES_OPTIONS=edns0

38

Thursday, 8 September 2011

Page 52: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

Voilá

•If DNSSEC validation is working OpenSSH will use the keys automatically

39

Thursday, 8 September 2011

Page 53: DNSSEC for ISPs workshop for...DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Thursday, 8 September 2011 Outline of workshop •Brief intro to DNSSEC •Overview of zone signing

When things break

•Things don’t break...

40

Thursday, 8 September 2011


DNSSEC Workshop - ICANN...0915-0930 – Presentation: Update on the ‘Sunset’ of the DNSSEC Look-aside Validation Registry (DLV) 0930-1030 – Panel Discussion: DNSSEC Activities

DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

ISPS Research

Threats to DNS DNSSEC overview/history DNSSEC in … · Threats to DNS DNSSEC overview/history DNSSEC today ... signed.infoblox.com. 3600 IN RRSIG NS 5 3 3600 20080410205926 20080311205926

Isps ocallv3

CODIGO ISPS

HZS ISPS 2006-20074.1 ISPS 4. Ship Security Assessment

MARRAKECH – DNSsec Workshop · MARRAKECH – DNSsec Workshop EN Note: The following is the output resulting from transcribing an audio file into a word/text document. Although the

DNSSEC Workshop - ICANN

Dnssec Tutorial

DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

DNSSEC for ISPs workshop - ESNOG · •This should enable a new world of applications/services –see DANE, SSHFP, new anti-spam tools 6. ... –Some TLDs see this as a privacy problem

DNSSEC Deployment - Internet Society · DNSSEC evangelist of the day ¥NLnet Labs ÐNot for profit Open Source Software lab ¥Developed NSD ÐDNS and DNSSEC research ... DNSSEC deployment

VOICE+IP Germany - Workshop DNSSEC-Testbed Frankfurt 04. November 2009

HZS ISPS 2006-20076.1 ISPS 6. Ship Security Plan

DNS/DNSSEC Workshop - wiki.apnictraining.net · –Take advantage of DNS and DNSSEC education and training ... o Have a plan for participating in the KSK rollover o Know the dates,

Track E0 AfNOG workshop April 23-27 2007 Abuja, … › wp-content › uploads › 2020 › 01 › dnssec...DNSSEC works fine with a single key pair... Problem with using a single

HZS ISPS 2006-200710.1 ISPS 10. Security Administration

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

Workshop Summary ISPS Drills & Exercises Workshop Port Moresby 2006

DNSSEC Industry Survey Results - PCN, Inc.23.235.200.57/~pcninc5/wp-content/.../DNSSEC-Industry-Survey-Resu… · DNSSEC. DNS administrators can provide secure responses to DNSSEC-validating

HZS ISPS 2006-20073.1 ISPS 3. Security Responsibilities

DNSSEC for Everybody Workshop - archive.icann.org

COM/NET Registrar DNSSEC Uptake - archive.icann.org · COM/NET Registrar DNSSEC Uptake!! Duane Wessels, Verisign Labs! ICANN51 DNSSEC Workshop! Verisign Public! Trends in Signed COM/NET

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008

Introduction to DNSSEC AROC Bamako, Mali, 2010. What is DNSSEC?

DNS / DNSSEC Workshop - start [APNIC TRAINING WIKI]€¦ · DNS / DNSSEC Workshop Generic slides 03 November 2015 2.0-draft4. Overview • DNS Overview • BIND DNS Configuration

DNS/ DNSSEC Workshop - bdNOGwiki.bdnog.org/lib/exe/fetch.php/bdnog6/2.2.1.dns.pdf · DNS/ DNSSEC Workshop bdNOG6 19-23 May 2017, Bogra, Bangladesh 03 November 2015 2.0-draft4. Overview

The Role of ISPs in Botnet Mitigation - Workshop on the

DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone

DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com

DNSSEC HOWTO, a tutorial in disguise - DNS(SEC) workshop Website