Jan-Piet Mens gave a presentation on DNSSEC and securing DNS with cryptography. He discussed how DNSSEC works by adding digital signatures to DNS records to authenticate their source and integrity. It provides data origin authentication and integrity but does not encrypt data. He demonstrated how to configure and use DNSSEC with Unbound and PowerDNS to enable validating queries. Attendees were encouraged to set up test environments to better understand DNSSEC.
5. The problem
DNS is insecure: one packet for query, one packet for
response; easily spoofed
DNS Spoofing & cache poisoning
DNS server accepts and uses data from a host which shouldn’t have been
allowed to provide reply
6. The solution
DNSSEC
Eliminates known cache-poisoning attacks & cache-manipulation
Public key cryptography and digital signatures
provide data origin authentication
provide data integrity
Doesn’t encrypt data -- that would be stupid
But: not end-to-end. (From validating cache to auth. server only.)
Install validating cache "close" to you
validating auth
client
resolver servers
7. The solution
DNSSEC
Eliminates known cache-poisoning attacks & cache-manipulation
Public key cryptography and digital signatures
provide data origin authentication
provide data integrity
Doesn’t encrypt data -- that would be stupid
But: not end-to-end. (From validating cache to auth. server only.)
Install validating cache "close" to you
validating auth
client
resolver servers
auth
client resolver
valid. servers
resolv
9. Authenticated Data
dig +dnssec and watch for AD flag indicating successful
validation
$ dig +dnssec @127.0.0.1 localhost.jpmens.org a
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
10. Problem: At work
At $WORK resolution doesn’t work; validating resolver
11. No problem: At home
At home it works; ISP doesn’t (yet) do DNSSEC
12. Proof
Does it exist or doesn’t it?
Validating query
$ dig +dnssec www.dnssec-failed.org
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
;; flags: qr rd ra; QUERY: 1, ANSWER: 0
Checking Disabled
$ dig +cd +dnssec www.dnssec-failed.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2
;; ANSWER SECTION:
www.dnssec-failed.org. 5620 IN A 68.87.64.48
13. Proof (2)
$ dig +cd +dnssec +multiline www.dnssec-failed.org
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2
;; ANSWER SECTION:
www.dnssec-failed.org. 3202 IN A 68.87.64.48
www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200
20090201000000 (
20090101000000 48621 dnssec-failed.org.
gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm
wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k
Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu
UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
14. Signing and validation
Signing
Create keys and add to zone
Sign zone
Enable DNSSEC and load signed zones
Submit DS-RR to parent zone
Alternatively: use DLV
Validation
Configure trust anchor
Enable DNSSEC
15. Unbound as a DNS cache
Unbound is a secure, caching-only, portable DNS server
Maintained by NLNetlabs under BSD license
Designed with DNSSEC and IPv6 from the ground up
Trusts nothing
Good security
Many "distros" have packages
I recommend newest version
http://unbound.net/
Lightweight, fast, and easy to configure
No split-personalities
(And I was first to write about Unbound :-)
16. Configuration
One file (but we’ll add more later on)
$ cat /etc/unbound/unbound.conf
server:
access-control: 127.0.0.1/8 allow
verbosity: 1
Launch unbound (and watch your syslog)
# unbound
Query it
$ dig +short @127.0.0.1 techforum.jpmens.org txt
"Moscow"
That’s it!
17. Enable DNSSEC validation
Needs root DNSSEC trust anchor
Utility retrieves root zone’s DNSSEC key securely
$ unbound-anchor -a /etc/unbound/root.key
Configure trust anchor in unbound.conf
auto-trust-anchor-file: "/etc/unbound/root.key"
Ensure unbound-anchor in start-up scripts
Reload
$ unbound-control reload
Did that work?
$ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
18. Your own DNSSEC testbed
Set up your own trust anchors in a file "my.keys", which
contains DS or DNSKEY records
example.org IN DS 47534 8 1 74526d3f57...
example.org IN DS 47534 8 2 82512fb4ad...
example.com IN DS 47534 8 3 296fc89ee0...
Configure keys into Unbound
trust-anchor-file: "/etc/unbound/my.keys"
Alternatively use trust-anchor configuration statements
Configure the zone
stub-zone:
name: "example.org"
stub-addr: 10.81.0.1
stub-addr: 10.2.14.3
19. Serve local data
Unbound can serve "local" data to its clients
For example, a static "zone":
local-zone: "techforum." static
local-data: "pc.techforum. IN A 192.168.1.12"
local-data: ’kate.techforum. TXT "Hi Kate!"’
local-data-ptr: "192.168.1.12 beamer.techforum"
Will it work?
$ dig +short @127.0.0.1 kate.techforum txt
"Hi Kate!"
local data can be added on-the-fly with unbound-control
20. More local data
Override a single name (all others resolved normally)
local-data: "foo.jpmens.org A 127.0.0.1"
Redirect a whole domain to an IP
local-zone: "example.aa" redirect
local-data: "example.aa A 127.0.0.9"
21. DNSSEC-Trigger
Monitors changes to local network configuration (DHCP)
Reconfigures local Unbound
Forward to caches if possible
Fallback to authoritative servers
Fallback to NLnetLabs server via port 443
dnssec-
trigger NLnetLabs
C Unbound
public
B DNS
Unbound
A
caching
DNS
22. DNSSEC-Trigger (2)
Works on Linux, Mac OS/X and Windows
Installer
http://www.nlnetlabs.nl/projects/dnssec-trigger/
Status bar
23. PowerDNS
Supports pre-signed zones or live-signing operations
Otherwise zone data and keys/signatures separate
Some changes in database schema
Small change in configuration
launch=gpgsql
gpgsql-dnssec
gpgsql-host=127.0.0.1
gpgsql-user=powerdns
gpgsql-password=secret
gpgsql-dbname=powerdns
Off we go:
$ pdnssec secure-zone example.org
That’s it. Honest!
24. PowerDNS (cont’d)
Can import existing (BIND) keys (v1.2)
Keys are in back-end database (gmysql, gpgsql, gsqlite)
and need to be protected
It’s a bit like a private key for your HTTPS server
Alternatively run in pre-signed mode
Encrypted file system
Supports NSEC and NSEC3
Signatures (RRSIG records) are calculated on the fly
Inception: previous Thursday
Expiration: Thursday two weeks later
No issue if PDNS is authoritative, but watch out if hidden master
No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR
25. PowerDNS: pdnssec
New utility: pdnssec
$ pdnssec secure-zone $z # creates 3 keys
$ pdnssec show-zone $z # output formatted
Zone has NSEC semantics
Zone is not presigned
keys:
ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048
KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8=
DS = example.org IN DS 41120 8 1 3296abd...b93
DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b
DS = example.org IN DS 41120 8 3 3c01686...50be3e4
ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1
ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0
26. Testing & verification
Configure island of trust in Unbound (or BIND) to test your
authoritative server
Check: DNSSEC or not?
http://dnssectest.sidn.nl/
DNSViz
http://dnsviz.net/
DNScheck
http://dnscheck.iis.se/
ZoneCheck
http://zonecheck.fr
DNSSEC Debugger
http://dnssec-debugger.verisignlabs.com/
SURFnet DNSSEC monitor
http://www.dnssecmonitor.org/
27. Applications for DNSSEC
Interesting new uses for DNS now that it’s secure
DNS-based Authentication of Named Entities (dane)
https://datatracker.ietf.org/wg/dane/charter/
SSL certificate validation and DNSSEC (also: Phreeload)
http://mens.de/:/bo
SSHFP
http://mens.de/:/bt