![Page 1: Hands-on DNSSEC with DNSViz · 5/11/2015 · Verisign Public DNS Security Extensions (DNSSEC) • DNS data signed with private keys • Signatures (RRSIGs) and public keys (DNSKEYs)](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3f3aa1188145a1e02685d/html5/thumbnails/1.jpg)
Hands-on DNSSEC with DNSViz
Casey Deccio, Verisign Labs
RIPE 70, Amsterdam
May 11, 2015
Verisign Public
Preparation
• Demo and exercises available at: http://dnsviz.net/demo/
• Includes links to the following:
  • VirtualBox software
  • VirtualBox demo image
  • Tutorial exercises
Objectives
• Understand the basics of DNS and DNSSEC
• Become familiar with DNS server and analysis tools
  • DiG
  • BIND
  • DNSViz
• Learn how tools might be used to routinely analyze/monitor your DNS health
Caveats
• The exercises range from novice-level to advanced.
• Many of the exercises are meant to facilitate understanding rather than efficiency.
• The exercises are meant for learning DNS/DNSSEC and related tools, but do not cover all details of proper DNS/DNSSEC maintenance (key rollover, re-signing schedules and monitoring are out of scope).
DNS Overview
DNS Namespace
• Namespace is organized hierarchically
• DNS root is top of namespace
• Zones are autonomously managed pieces of DNS namespace
• Subdomain namespace is delegated to child zones
(Diagram: the root "." delegates "com" and "net"; "com" delegates example.com and "net" delegates example.net.)
DNS Name Resolution
• Resolvers query authoritative servers
• Queries begin at root zone, resolvers follow downward referrals
• Resolver stops when it receives authoritative answer
(Diagram: the stub resolver sends "Query: example.com/A ?" to a recursive resolver; the recursive resolver follows referrals from the root servers to the com servers to the example.com authoritative servers and returns "Answer: 192.0.2.16".)
Virtual Environment Initialization
• Unzip dnsviz-demo-v1.zip
• Open dnsviz-demo-v1/dnsviz-demo-v1.vbox
• "Start" VM
• Enlarge screen
• Double-click "demo" icon
• (Exercises 0.1 – 0.2)
• Open "Terminal Emulator"
• Change to "demo" directory:
$ cd demo
Query DNS Servers (1.1 – 1.5)
$ dig @a.root-servers.net example.com
(@server: query a specific server, rather than querying your configured resolver; no record type specified, so the default type "A" (address) is used)
$ dig @a.gtld-servers.net example.com
$ dig @a.iana-servers.net example.com
$ dig www.example.com
(no server is explicitly designated, so the query goes to the local resolver)
$ dig @a.iana-servers.net foobar.example.com
Query a root Server
Query a TLD Server
Query an SLD Server
Query Local Recursive Resolver
Query for a Non-existent Name
DNSSEC Overview
Public Key Cryptography
• Keys
  • Public Key – advertised to everyone
  • Private Key – kept hidden
• Signatures
  • Made by private key
  • Validated with public key
• Validation
  • Consumer uses public key, message, and signature to validate message
(Diagram: Data + Private Key produce Sig; Data + Public Key + Sig produce the verdict "Valid or Bogus?".)
DNS Security Extensions (DNSSEC)
• DNS data signed with private keys
• Signatures (RRSIGs) and public keys (DNSKEYs) published in zone data
• Resolver response
  • If authentic: Authenticated data (AD) bit is set (only when the client asked for it by setting the DO or AD bit in its query, as dig +dnssec or dig +ad does)
  • If bogus: SERVFAIL message is returned
(Diagram: the stub resolver sends "Query: example.com/A ?" to the recursive/validating resolver; the resolver queries the example.com authoritative server for example.com/A (answer: 192.0.2.16 plus RRSIG) and for example.com/DNSKEY (answer: DNSKEY plus RRSIG), validates the signature, and returns "Answer: 192.0.2.16" with the AD bit set.)
DNSSEC Chain of Trust
• DNSKEY must be authenticated.
• Trust extends through ancestry to a trust anchor at resolver.
• DS resource record – published in the parent zone, provides digest of a DNSKEY in the child zone.
• Resolver must start with trusted key, at root.
(Diagram: the resolver's trust anchor is the root DNSKEY; the root zone data holds a DS for the com DNSKEY; the com zone data holds a DS for the example.com DNSKEY; each zone's data is signed by its own DNSKEY.)
Key Roles – KSK/ZSK
• DNSKEY RRset usually has multiple keys, often with split roles.
• KSK (Key signing key)
  • Signs (only) the DNSKEY RRset.
  • Corresponds to DS records in parent, providing "secure entry point" into zone.
• ZSK (Zone signing key)
  • Signs the rest of the zone.
(Diagram: the DS in the com zone matches the example.com DNSKEY (KSK); the KSK signs the DNSKEY RRset, which also contains the ZSK; the ZSK signs the example.com zone data.)
Authenticated Denial of Existence
• How do you prove something doesn't exist?
• "Chain" of names of zone formed using NSEC records.
• NSEC records form comprehensive chain of names (and their record types) in zone in canonical ordering.
• Server uses NSEC records to prove non-existence.
(Diagram: the example.com chain is example.com. → apple.example.com. → banana.example.com. → grape.example.com. → back to example.com.; for "Query: coconut.example.com/A ?" the authoritative server answers NXDOMAIN with the banana.example.com NSEC record (whose next name is grape.example.com) and its RRSIG; the recursive/validating resolver fetches example.com/DNSKEY (answer: DNSKEY plus RRSIG) and validates the proof.)
Insecure Delegations
• How can DNSSEC be deployed incrementally?
• If child zone is unsigned, resolver must be able to prove it is insecure.
• NSEC resource records provide proof of absence of DS.
(Diagram: the resolver trusts the root DNSKEY; the root zone data holds a DS for the net DNSKEY; the net zone data holds no DS for the unsigned child, and its signed NSEC record at the delegation name proves the DS is absent, so the child's zone data is treated as insecure rather than bogus.)
Zone Enumeration and NSEC3
• NSEC records allow enumeration of entire zone contents (walking the chain from "next" name to "next" name).
• NSEC3 standard introduces hashed denial of existence.
  • Joint effort between Verisign, Nominet (.uk), and DENIC (.de).
  • Chain is of hashes of names, not names themselves (a hash is the output of a one-way cryptographic function).
  • Hashing raises the cost of enumeration but does not prevent it: the hashed owner names can still be attacked offline with a dictionary.
(Diagram: the example.com NSEC chain example.com. → apple.example.com. → banana.example.com. → grape.example.com. becomes an NSEC3 chain of hashed owner names: V6AVHMGSO0IVEI55QMHIAM276OJJER6L.example.com., VLN8BKFFT1FEVQOLFGOBKJKQA1JVNR86.example.com., BFO8EKQ9L4V2N4AGI9RCMOTV32J8LJ4C.example.com., VLVVLES7LF0ARNU38OHRUP804KPEAGOE.example.com.)
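The two denial-of-existence mechanisms above, as an added example that is not part of the slides or of DNSViz. It implements the RFC 4034 canonical ordering used to decide whether an NSEC record covers a queried name, the NSEC type-bitmap check behind an insecure delegation, the NSEC3 hash of RFC 5155 (SHA-1 with salt and extra iterations, base32hex-encoded), and the chain walk that makes plain NSEC enumerable. The names are the slide's own example.com chain; the NSEC3 parameters (salt aabbccdd, 12 iterations) and the expected hash of "example." are the RFC 5155 Appendix A test vector.

```python
"""Authenticated denial of existence: NSEC covering checks and NSEC3 hashing.

Added example, standard library only. Names are taken from the slide's
example.com chain; the NSEC3 vector is from RFC 5155 Appendix A.
"""
import hashlib

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 "extended hex" alphabet


def canonical_labels(name: str) -> list:
    """Labels of a name, lowercased and ordered from the TLD inwards.

    RFC 4034 section 6.1 orders names by comparing labels right to left,
    case-insensitively, as octet strings; a missing label sorts first.
    """
    name = name.rstrip(".").lower()
    return [label.encode() for label in reversed(name.split("."))] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 according to the canonical ordering of a relative to b."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if "owner NSEC next_name" proves that qname does not exist.

    The last NSEC in the chain points back to the zone apex, so its interval
    wraps around and covers everything that sorts after owner.
    """
    after_owner = canonical_cmp(owner, qname) < 0
    before_next = canonical_cmp(qname, next_name) < 0
    if canonical_cmp(owner, next_name) < 0:
        return after_owner and before_next
    return after_owner or before_next  # wrap-around at the end of the chain


def nsec_proves_insecure_delegation(owner: str, types: set, child: str) -> bool:
    """An NSEC at the delegation name with NS but neither DS nor SOA in its
    type bitmap proves the child zone is unsigned (an insecure delegation),
    so a validator treats the child's data as insecure rather than bogus."""
    return (canonical_cmp(owner, child) == 0 and "NS" in types
            and "DS" not in types and "SOA" not in types)


def wire_name(name: str) -> bytes:
    """Lowercased wire-format name: length-prefixed labels, terminating zero."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding; 20 SHA-1 bytes become exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` further
    rounds of SHA-1(digest || salt). The result is the NSEC3 owner label."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_covers(owner_hash: str, next_hash: str, qname_hash: str) -> bool:
    """Same interval test as NSEC, on hashed labels; they compare as plain
    strings because base32hex preserves the numeric order of the digest."""
    owner, nxt, q = owner_hash.lower(), next_hash.lower(), qname_hash.lower()
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt


def enumerate_nsec_chain(nsec_records: dict, apex: str) -> list:
    """Walk the NSEC chain from the apex: every "next" name is a real name in
    the zone, which is exactly why plain NSEC leaks the zone contents."""
    names, current = [], apex
    while True:
        names.append(current)
        current = nsec_records[current]
        if canonical_cmp(current, apex) == 0:
            return names
```

The covering test is the one a validator performs on the NXDOMAIN response in the diagram: `nsec_covers("banana.example.com.", "grape.example.com.", "coconut.example.com.")` is true, while the same record does not cover apple or banana itself.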
Query for DNSSEC Records (2.1 – 2.5)
$ dig +dnssec +multi @a.iana-servers.net example.com
(+dnssec: set the EDNS DO bit so the server includes DNSSEC records in the response (e.g., RRSIG); +multi: present the response in multi-line format with comments, for readability)
$ dig +dnssec +multi @a.iana-servers.net example.com DNSKEY
(query for records of type "DNSKEY" (DNSSEC public key) instead of the default, "A" (address))
$ dig +dnssec +multi @a.gtld-servers.net example.com DS
(query a "parent" server because we're seeking a DS record, which lives in the parent zone)
$ dig +dnssec +multi example.com
$ dig +dnssec +multi @a.iana-servers.net foobar.example.com
Query for DNSSEC Records (RRSIGs)
Query for DNSSEC Records (DNSKEY)
Query for DNSSEC Records (DS)
Query for DNSSEC Records
Query For DNSSEC Records (NSEC)
DNSViz
DNS Analysis Using DNSViz (dnsget command line)
• Queries issued
  • Referral queries – to learn delegation NS records from parent
  • NS queries – to learn authoritative NS records
  • DNSKEY/DS queries – for building a DNSSEC chain
  • A/AAAA/TXT/MX/SOA queries
  • Diagnostic queries (special handling of errors, etc.)
• All servers queried
  • IPv4/IPv6
  • UDP/TCP
(Diagram: "$ dnsget example.com" performs the online analysis by following referrals from "." to com to example.com and writes the serialized online analysis (JSON) to output.json.)
DNS Analysis Using DNSViz (dnsgrok command line)
• Responses analyzed (offline)
  • Responsiveness
    • Query timeouts
    • Network errors
    • EDNS/fragmentation capabilities
  • Consistency
    • Across servers
    • Between DNSKEY/RRSIG
    • Between DNSKEY/DS
  • Correctness
    • RRSIG
      • Expiration/inception dates
      • Cryptographic signature
    • DS
      • Cryptographic hash
    • Negative responses
      • NSEC proof correctness
      • SOA record correctness
(Diagram: "$ dnsgrok example.com" reads the serialized online analysis (JSON) from output.json and writes the serialized offline analysis (JSON) to output-p.json.)
DNS Analysis Using DNSViz (dnsviz command line)
• Responses analyzed (offline), with the same checks as dnsgrok: responsiveness (query timeouts, network errors, EDNS/fragmentation capabilities), consistency (across servers, between DNSKEY/RRSIG, between DNSKEY/DS) and correctness (RRSIG expiration/inception dates and cryptographic signatures, DS cryptographic hashes, NSEC proof and SOA record correctness in negative responses).
(Diagram: "$ dnsviz example.com" reads the serialized online analysis (JSON) from output.json and produces the analysis graph (jpg, png, html).)
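One of the offline "correctness" checks listed above, RRSIG expiration/inception dates, as an added example that is not DNSViz code: it parses RRSIG records in dig's one-record-per-line presentation format (without +multi), evaluates each signature's validity window against a fixed clock, warns when expiry is close enough to need re-signing, and also reports wildcard expansion (the RRSIG labels field smaller than the owner name's label count) and a signer that is not an ancestor of the owner. The RRSIG lines are constructed for the example, with the signature field abbreviated; the clock is fixed to the RIPE 70 date so the run is reproducible.

```python
"""Check RRSIG validity windows, as dnsgrok/dnsviz do on the responses dnsget collected.

Added example, not DNSViz code. Input is dig's single-line presentation format;
the sample records are constructed and their signature field is abbreviated.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: healthy, expiring soon, expired, and wildcard-synthesized.
SAMPLE_RRSIGS = """\
example.com.     3600 IN RRSIG A 8 2 3600 20150520000000 20150420000000 12345 example.com. MIIB...
www.example.com. 3600 IN RRSIG A 8 3 3600 20150512120000 20150412120000 12345 example.com. MIIB...
old.example.com. 3600 IN RRSIG A 8 3 3600 20150501000000 20150401000000 12345 example.com. MIIB...
foo.example.com. 3600 IN RRSIG A 8 2 3600 20150520000000 20150420000000 12345 example.com. MIIB...
"""

DEMO_NOW = datetime(2015, 5, 11, tzinfo=timezone.utc)  # fixed clock for a reproducible run


@dataclass
class RRSIG:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _sigtime(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> RRSIG:
    """owner ttl class RRSIG type alg labels orig_ttl expiration inception tag signer sig"""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not a single-line RRSIG record: " + line)
    return RRSIG(owner=f[0].lower(), type_covered=f[4], algorithm=int(f[5]),
                 labels=int(f[6]), original_ttl=int(f[7]), expiration=_sigtime(f[8]),
                 inception=_sigtime(f[9]), key_tag=int(f[10]), signer=f[11].lower())


def owner_label_count(owner: str) -> int:
    """Label count as RFC 4034 section 3.1.3 defines it: root and a leading "*" are not counted."""
    return len([l for l in owner.rstrip(".").split(".") if l and l != "*"])


def check_rrsig(sig: RRSIG, now: datetime, warn_days: int = 3) -> list:
    """Findings for one signature; an empty list means it is healthy at `now`."""
    findings = []
    if now < sig.inception:
        findings.append("inception is in the future: clock skew or premature publication")
    if now >= sig.expiration:
        findings.append("expired: validating resolvers will return SERVFAIL")
    elif sig.expiration - now <= timedelta(days=warn_days):
        findings.append("expires in %s: re-sign soon" % (sig.expiration - now))
    n = owner_label_count(sig.owner)
    if sig.labels > n:
        findings.append("labels field exceeds the owner name's label count")
    elif sig.labels < n:
        findings.append("wildcard expansion (labels %d < %d)" % (sig.labels, n))
    if not (sig.owner == sig.signer or sig.owner.endswith("." + sig.signer)):
        findings.append("signer %s is not an ancestor of the owner" % sig.signer)
    return findings


def report(text: str, now: datetime, warn_days: int = 3) -> dict:
    """Map "owner/type" to its findings for every RRSIG line in text."""
    sigs = (parse_rrsig(l) for l in text.splitlines() if l.strip())
    return {"%s/%s" % (s.owner, s.type_covered): check_rrsig(s, now, warn_days) for s in sigs}


if __name__ == "__main__":
    for key, findings in report(SAMPLE_RRSIGS, DEMO_NOW).items():
        print(key, "OK" if not findings else "; ".join(findings))
```

Run periodically against `dig +dnssec` output (one record per line), this is the simplest form of the health monitoring the objectives slide mentions: the signature for www.example.com expires in a day and a half and is flagged before it turns into SERVFAIL at validating resolvers.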
Analyze Using dnsget (3.1 – 3.2)
$ dnsget -a . -p example.com > example.com.json
(-a .: follow referrals from the root (".") to analyze the name; -p: make the output "pretty", for readability; > example.com.json: store the analysis in a file called "example.com.json")
$ medit example.com.json &
Analyze Using dnsgrok (3.3 – 3.4)
$ dnsgrok -p example.com < example.com.json > example.com-p.json
(-p: make the output "pretty", for readability; < example.com.json: read the analysis from "example.com.json"; > example.com-p.json: store the analysis in a file called "example.com-p.json")
$ medit example.com-p.json
Analyze Using dnsgrok (3.5 – 3.6)
$ dnsgrok -l info -p example.com < example.com.json > example.com-p1.json
(-l info: show only information that is of priority "info" or higher)
$ medit example.com-p1.json
Analyze Using dnsgrok (3.7)
$ dnsgrok -l error -p example.com < example.com.json
(-l error: show only information that is of priority "error" or higher; with no redirection, the output (if any) is displayed on screen instead of being written to a file)
Analyze Using dnsviz (3.8 – 3.11)
$ dnsviz -Thtml example.com < example.com.json > example.com.html
(-Thtml: output interactive HTML format)
$ iceweasel example.com.html &
$ dnsviz -Thtml -t tk.txt example.com < example.com.json > example.com.html
(-t tk.txt: anchor trust with the root KSK, read from the trusted-keys file tk.txt)
$ iceweasel example.com.html &
View dnsget Output
View dnsgrok Output
View dnsviz Output
Signing a DNS Zone
Setup Virtual DNS Environment (4.1 – 4.2)
(Diagram: the VirtualBox guest acts as host for three UML guests.)
$ ./start_all
(Wait for all three consoles to come up)
$ cd /etc/bind
(Change directory in all three consoles: root, tld1, sld1)
Setup Virtual DNS Environment (4.3)
$ ./dns_change_root local
(point DNS root hints and trusted keys to the internal root server)
(Diagram: the VirtualBox guest host and the UML guests "root1", "tld1" and "sld1" are connected through a virtual switch.)
Analyze example.com in Local Environment (4.4 – 4.6)
$ dnsget -a . -x .:root1=192.168.213.9 -4 192.168.213.1 -6 fd02:f00d::1 example.com | \
    dnsviz -Thtml -O -t tk-local.txt example.com
(-x .:root1=192.168.213.9: specify addresses for the alternate (local) root servers; -4 192.168.213.1: specify the internal (local) IPv4 address to bind to; -6 fd02:f00d::1: specify the internal (local) IPv6 address to bind to; | dnsviz: pipe the results directly to dnsviz, rather than redirecting to a file; -O: output the analysis to a file named "example.com.html"; -t tk-local.txt: use the local trust anchor, rather than the one for the public root)
$ ./dnsviz_analyze example.com
(script included for simplification; it runs the pipeline above)
$ iceweasel example.com.html &
View dnsviz Output
Add Records to example.com Zone (5.1 – 5.4)
• Add A records for names "a", "c", and "e" (on sld1) (hint: see the existing record for "www"; increment the SOA serial as well so that secondaries notice the change):
# nano db.example.com
or
# vi db.example.com
• Check zone:
# named-checkzone example.com db.example.com
• Reload zone:
# service bind9 reload
• Check that the record shows up (query from the VirtualBox guest):
$ dig @sld1 a.example.com
Add Records to example.com Zone
Create DNSSEC Keys for example.com Zone (6.1 – 6.3)
(on sld1)
# KSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 -r /dev/urandom example.com`
(-f KSK: set the "SEP" bit for this DNSKEY; -a RSASHA256: use algorithm RSASHA256 for signing; -b 2048: create a 2048-bit key)
# ZSK=`dnssec-keygen -n ZONE -a RSASHA256 -b 1024 -r /dev/urandom example.com`
(no "SEP" bit here; -b 1024: create a 1024-bit key. The 1024-bit ZSK keeps the demo fast; for production use at least 2048-bit RSA or an elliptic-curve algorithm such as ECDSAP256SHA256.)
# ls $KSK* $ZSK*
Add DNSKEY Records to example.com Zone (6.4 – 6.9)
• Look at DNSKEY records (on sld1):
# cat Kexample.com*key
• Add DNSKEY records to zone:
# cat Kexample.com*key >> db.example.com
• Reload zone:
# service bind9 reload
• Re-analyze:
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
$ dig +noall +comment +ad example.com
Create DNSSEC keys for example.com
View dnsviz Output: DNSKEYs with no RRSIGs
View dig Output: no AD bit
Sign Records in example.com Zone (7.1 – 7.4)
• Sign zone (on sld1):
# dnssec-signzone -r /dev/urandom -k $KSK -o example.com db.example.com $ZSK
(-r /dev/urandom: use a pseudo-random entropy source (not for production use); -k $KSK: sign only the DNSKEY records with this key; the trailing $ZSK argument: sign the entire zone with this key; -o example.com: the zone origin. The signed zone is written to db.example.com.signed, and the DS records for the KSK to dsset-example.com. Signatures carry an expiration date (30 days from signing by default), so the zone must be re-signed before then or validating resolvers will return SERVFAIL.)
• Point named.conf to the signed zone file:
# sed -i -e 's:/db.example.com:&.signed:' named.conf.local
• Reload zone:
# service bind9 reload
• Re-analyze:
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz Output: Signed example.com Zone
View dig Output: no AD bit
Generate DS Records for example.com (8.1 – 8.2)
• Create/copy DS records (on sld1)
65
# dnssec-dsfromkey $KSK
Add DS Records for example.com (8.3a – 8.3c)
• Add DS records to “example” zone (on tld1)
66
# nano dsset-example.com.
Sign Records in “example.com” Zone (8.4 – 8.5)
• Sign zone (on tld1)
67
# ./resign_tld
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz Output: Full Chain of Trust
68
View dig Output: AD bit
69
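The "AD bit" and "no AD bit" slides read the flags word of the DNS header that dig prints on its ";; flags:" line. The following is an added example, not part of the tutorial or of DNSViz, that decodes that header from raw bytes so the three states the exercises visit (validated answer with AD set, unvalidated answer without AD, and SERVFAIL from a validator that could not build a chain) can be checked programmatically. The three header byte strings are constructed for the example, not captured from the tutorial VM.

```python
import struct

# Constructed 12-byte DNS headers: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (big-endian).
VALIDATED_NOERROR = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 1)    # flags: qr rd ra ad
UNVALIDATED_NOERROR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)  # flags: qr rd ra
BOGUS_SERVFAIL = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)       # flags: qr rd ra, RCODE 2

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header (RFC 1035 §4.1.1; AD and CD bits from RFC 4035 §3.2.3)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),       # response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),       # authoritative answer
        "tc": bool(flags & 0x0200),       # truncated
        "rd": bool(flags & 0x0100),       # recursion desired
        "ra": bool(flags & 0x0080),       # recursion available
        "ad": bool(flags & 0x0020),       # authenticated data (set by a validating resolver)
        "cd": bool(flags & 0x0010),       # checking disabled
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def flags_line(msg: bytes) -> str:
    """The flag names dig prints, in dig's order."""
    h = parse_header(msg)
    return " ".join(n for n in ("qr", "aa", "tc", "rd", "ra", "ad", "cd") if h[n])


def classify(msg: bytes) -> str:
    """Summarize the validation state the way the dig exercises in the slides do."""
    h = parse_header(msg)
    rcode = RCODE_NAMES.get(h["rcode"], str(h["rcode"]))
    if h["rcode"] == 2:
        return "SERVFAIL (resolver could not validate or resolve)"
    if h["ad"]:
        return "%s, AD set (answer validated by the resolver)" % rcode
    return "%s, AD not set (unsigned zone, or no chain of trust to a configured anchor)" % rcode


if __name__ == "__main__":
    for label, msg in (("validated", VALIDATED_NOERROR),
                       ("unvalidated", UNVALIDATED_NOERROR),
                       ("bogus", BOGUS_SERVFAIL)):
        print("%-12s flags: %-14s -> %s" % (label, flags_line(msg), classify(msg)))
```

The AD bit only reports that the resolver which answered did the validation; it carries no proof of its own, so it is only meaningful when dig is talking to a validating resolver you trust over a path you trust (the tutorial's local BIND instance is such a case).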
Fun with DNSViz
70
Use KSK to Only Sign DNSKEY RRset (9.1 – 9.3)
71
# dnssec-signzone -x -r /dev/urandom \
    -k $KSK -o example.com db.example.com $ZSK
  -x: don't sign zone data with KSK
# service bind9 reload
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz Output: KSK-only
72
View dig Output: AD bit
73
Add New KSK to example.com Zone (9.4 – 9.8)
• Generate new KSK and add its public key to the zone file:
# NEWKSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 \
    -r /dev/urandom example.com`
# cat $NEWKSK.key >> db.example.com
• Re-sign zone (still with the original KSK only):
# dnssec-signzone -x -r /dev/urandom \
    -k $KSK -o example.com db.example.com $ZSK
• Reload zone:
# service bind9 reload
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
$ dig +noall +comment +ad example.com
74
View dnsviz Output: Standby KSK
75
View dig Output: AD bit
76
Add New KSK to example.com Zone (9.9 – 9.11)
• Re-sign zone with two KSKs:
# dnssec-signzone -x -r /dev/urandom \
    -k $KSK -k $NEWKSK -o example.com db.example.com $ZSK
• Reload zone:
# service bind9 reload
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
$ dig +noall +comment +ad example.com
77
View dnsviz Output: Multiple KSKs
78
View dig Output: AD bit
79
Change KSK for example.com Zone (9.12 – 9.14)
• Sign with only the second KSK:
# dnssec-signzone -x -r /dev/urandom \
    -k $NEWKSK -o example.com db.example.com $ZSK
• Reload zone:
# service bind9 reload
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
$ dig +noall +comment +ad example.com
80
View dnsviz Output: DS Mismatch
81
View dig Output: SERVFAIL
82
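Exercises 8.1–8.3 derive DS records from the KSK with dnssec-dsfromkey and paste them into the parent zone; exercises 9.12–9.14 then sign with $NEWKSK alone, for which the parent holds no DS, and the resolver answers SERVFAIL. The following is an added example, not code from the tutorial or from DNSViz, that implements the same derivation (key tag per RFC 4034 Appendix B, DS digest over canonical owner name plus DNSKEY RDATA per RFC 4034 §5.1.4) and walks the chain-of-trust states the exercises visit. The three keys are constructed byte strings standing in for $KSK, $NEWKSK and $ZSK, not real RSA keys, so the key tags and digests will not match anything produced in the VM; the final "after parent DS updated" case is the fix the exercises leave to the reader and is not one of the slides' steps.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 §6.2): lower-case,
    length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label length in %r" % name)
            out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 §2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is not needed here)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS record dnssec-dsfromkey derives: (key tag, algorithm, digest type, digest),
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_presentation(owner, ds) -> str:
    """Zone-file line for a DS record, in the form pasted into the parent zone."""
    tag, alg, dtype, digest = ds
    return "%s. IN DS %d %d %d %s" % (owner.rstrip("."), tag, alg, dtype, digest)


def ds_status(parent_ds, child_dnskeys, owner) -> str:
    """'secure' if some DS in the parent matches a zone key in the child's DNSKEY RRset,
    otherwise 'bogus' (a validating resolver then returns SERVFAIL, as in exercise 9.14)."""
    for ds in parent_ds:
        tag, alg, dtype, _ = ds
        for flags, proto, kalg, pub in child_dnskeys:
            if kalg != alg or not (flags & 0x0100):   # must be a ZONE key of the DS's algorithm
                continue
            if key_tag(dnskey_rdata(flags, proto, kalg, pub)) != tag:
                continue                               # cheap pre-filter before hashing
            if ds_from_dnskey(owner, flags, proto, kalg, pub, dtype) == ds:
                return "secure"
    return "bogus"


# Constructed stand-ins for $KSK, $NEWKSK and $ZSK (not real RSA public keys).
OWNER = "example.com"
KSK = (257, 3, 8, bytes(range(1, 65)))        # flags 257 = ZONE (0x100) + SEP (0x001), alg 8
NEWKSK = (257, 3, 8, bytes(range(64, 0, -1)))
ZSK = (256, 3, 8, bytes(range(100, 164)))     # flags 256 = ZONE only

PARENT_DS = [ds_from_dnskey(OWNER, *KSK)]      # the DS added to the "example" zone in 8.3


def scenario() -> dict:
    """Chain-of-trust state at the points the exercises visit, plus the missing fix."""
    return {
        "8.5 full chain":          ds_status(PARENT_DS, [KSK, ZSK], OWNER),
        "9.11 two KSKs":           ds_status(PARENT_DS, [KSK, NEWKSK, ZSK], OWNER),
        "9.14 new KSK only":       ds_status(PARENT_DS, [NEWKSK, ZSK], OWNER),
        "after parent DS updated": ds_status([ds_from_dnskey(OWNER, *NEWKSK)], [NEWKSK, ZSK], OWNER),
    }


if __name__ == "__main__":
    print(ds_presentation(OWNER, PARENT_DS[0]))
    for step, state in scenario().items():
        print("%-25s %s" % (step, state))
```

The order of operations in the exercises is the point: publishing both KSKs (9.9–9.11) keeps the zone secure because the parent's DS still matches one of them, whereas dropping the old KSK before the parent's DS is replaced (9.12–9.14) leaves no matching pair and the zone goes bogus. A KSK rollover therefore always updates the parent's DS set before the old key stops signing.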
Tamper with Record Content (9.15 – 9.17)
• Change SOA record directly in the signed zone file (without re-signing):
# sed -i -e 's/root.localhost/root1.localhost/' \
    db.example.com.signed
# service bind9 reload
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
83
View dnsviz Output: Invalid Signatures
84
Change RRSIG Expiration (9.18 – 9.21)
• Set the RRSIG expiration explicitly to 1 second from "now":
# dnssec-signzone -x -e now+1 -r /dev/urandom \
    -k $NEWKSK -o example.com db.example.com $ZSK
• Manipulate (again) SOA record:
# sed -i -e 's/root.localhost/root1.localhost/' \
    db.example.com.signed
• Reload zone:
# service bind9 reload
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
85
View dnsviz Output: Expired RRSIGs
86
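Exercise 9.18 signs with "-e now+1", so every RRSIG expires one second after signing and a validator checking a moment later reports expired signatures. The following is an added example, not code from the tutorial or from DNSViz, of the validity-window check a validator performs (RFC 4035 §5.3.1) using the 32-bit serial-number arithmetic RRSIG times require (RFC 4034 §3.1.5), together with the monitoring rule that a cron job like the one on the last slides would want: warn before signatures lapse rather than after. The signing timestamp and the 7-day warning margin are assumptions made for the example; the one-hour inception default is dnssec-signzone's documented clock-skew allowance.

```python
import calendar
import time

SERIAL_MOD = 1 << 32


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'less than': RRSIG times are 32-bit and wrap (RFC 4034 §3.1.5)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a < SERIAL_MOD // 2) or (a > b and a - b > SERIAL_MOD // 2)


def parse_rrsig_time(text: str) -> int:
    """Presentation form YYYYMMDDHHmmSS (always UTC) to seconds since the epoch."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S"))


def rrsig_time_status(inception: int, expiration: int, now: int) -> str:
    """RFC 4035 §5.3.1: a signature is usable only when inception <= now <= expiration."""
    if serial_lt(now, inception):
        return "not yet valid"
    if serial_lt(expiration, now):
        return "expired"
    return "valid"


def needs_resign(expiration: int, now: int, margin: int = 7 * 86400) -> bool:
    """Monitoring rule: flag signatures expiring within `margin` seconds (7 days assumed)."""
    return not serial_lt(now + margin, expiration)


def simulate_exercise_9_18(signed_at: int = 1431345600) -> dict:
    """dnssec-signzone -e now+1 sets expiration = signing time + 1 s; the inception default
    is one hour before signing. signed_at is a constructed timestamp (2015-05-11 12:00:00 UTC)."""
    inception = signed_at - 3600
    expiration = signed_at + 1
    return {
        "at signing":        rrsig_time_status(inception, expiration, signed_at),
        "one second later":  rrsig_time_status(inception, expiration, signed_at + 1),
        "two seconds later": rrsig_time_status(inception, expiration, signed_at + 2),
        "should have alerted": needs_resign(expiration, signed_at),
    }


if __name__ == "__main__":
    for step, state in simulate_exercise_9_18().items():
        print("%-20s %s" % (step, state))
    # Reading times as they appear in a zone file's RRSIG records:
    exp = parse_rrsig_time("20150611120000")
    now = parse_rrsig_time("20150511120000")
    print("30-day signature, checked at signing: needs_resign =", needs_resign(exp, now))
```

Two practical consequences follow from the check: a validator's clock error of more than the inception margin makes fresh signatures look "not yet valid", and an expired RRSIG is rejected before its cryptographic content is ever examined, which is why the second SOA tampering in 9.19 does not change DNSViz's verdict from "expired" to "invalid".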
Modify Path MTU (9.22 – 9.23)
• Drop UDP responses with payloads larger than 512 bytes (540 bytes of IP packet length minus 20 bytes of IPv4 header and 8 bytes of UDP header):
# iptables -A OUTPUT -p udp --sport 53 \
    -m length --length 540:65535 -j DROP
$ ./dnsviz_analyze example.com
$ iceweasel example.com.html &
87
View dnsviz Output: Low PMTU
88
DNSViz Programmatic Analysis
89
dnsget Revisited (10.1 – 10.2)
90
$ ./dnsget_default example.com > example.com-broken.json
$ medit example.com-broken.json &
  or
$ vi example.com-broken.json
dnsgrok Revisited (10.3 – 10.4)
91
$ ./dnsgrok -l warning -p example.com < example.com-broken.json \
    > example.com-broken-p.json
$ medit example.com-broken-p.json &
  or
$ vi example.com-broken-p.json
View dnsget Output: Diagnostic Query History
92
View dnsget Output: Diagnostic Query History
93
View dnsgrok Output: Errors, Warnings, Statuses
94
View dnsgrok Output: Errors, Warnings, Statuses
95
View dnsgrok Output: Errors, Warnings, Statuses
96
Monitoring with DNSViz
• Sample script combines dnsget, dnsgrok, and dnsviz, e.g., for use with cron
#!/bin/sh
name=$1
date=`date +%Y%m%d%H%M%S`
dnsget_out=/tmp/$name-dnsget-$date.json
dnsgrok_out=/tmp/$name-dnsgrok-$date.json
dnsviz_out=/tmp/$name-dnsviz-$date.png

# Collect the diagnostic queries, then keep only warnings and errors
dnsget -d 0 $name > $dnsget_out
dnsgrok -l warning -p $name < $dnsget_out > $dnsgrok_out
# Non-empty dnsgrok output means something needs attention: render the graph and mail it
if [ "$(stat -c %s "$dnsgrok_out")" -gt 0 ]; then
    dnsviz -Tpng -o $dnsviz_out $name $name < $dnsget_out
    gzip $dnsget_out
    cat $dnsgrok_out | \
        mutt -s "Problems with $name" -a $dnsviz_out $dnsget_out.gz -- \
        [email protected]
fi
rm $dnsget_out* $dnsgrok_out $dnsviz_out
97
Summary
• Understanding and analyzing DNS and DNSSEC can be complex.
• DiG, BIND, DNSViz, and other tools can aid in understanding, troubleshooting, and monitoring.
• Maintain and monitor your DNS zones!
Further Information on DNSViz
• Source: https://github.com/dnsviz/dnsviz (License: GPLv2)
• Online version: http://dnsviz.net/
• Mailing list: https://groups.google.com/d/forum/dnsviz-users
99
© 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.