Mens jan piet_dnssec-in-practice

435 views
371 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
435
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Mens jan piet_dnssec-in-practice

  1. 1. DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens$ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
  2. 2. DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens$ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
  3. 3. DNS is easy Ask a question, get a reply or a referral.
  4. 4. Resolution
  5. 5. The problem DNS is insecure: one packet for query, one packet for response; easily spoofed DNS Spoofing & cache poisoning DNS server accepts and uses data from a host which shouldn’t have been allowed to provide reply
  6. 6. The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers
  7. 7. The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers auth client resolver valid. servers resolv
  8. 8. New DNS records DNSKEY DS RRSIG NSEC/NSEC3
  9. 9. Authenticated Data dig +dnssec and watch for AD flag indicating successful validation $ dig +dnssec @127.0.0.1 localhost.jpmens.org a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
  10. 10. Problem: At work At $WORK resolution doesn’t work; validating resolver
  11. 11. No problem: At home At home it works; ISP doesn’t (yet) do DNSSEC
  12. 12. Proof Does it exist or doesn’t it? Validating query $ dig +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL ;; flags: qr rd ra; QUERY: 1, ANSWER: 0 Checking Disabled $ dig +cd +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: NOERROR ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 5620 IN A 68.87.64.48
  13. 13. Proof (2) $ dig +cd +dnssec +multiline www.dnssec-failed.org ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 3202 IN A 68.87.64.48 www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 ( 20090101000000 48621 dnssec-failed.org. gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
  14. 14. Signing and validation Signing Create keys and add to zone Sign zone Enable DNSSEC and load signed zones Submit DS-RR to parent zone Alternatively: use DLV Validation Configure trust anchor Enable DNSSEC
  15. 15. Unbound as a DNS cache Unbound is a secure, caching-only, portable DNS server Maintained by NLNetlabs under BSD license Designed with DNSSEC and IPv6 from the ground up Trusts nothing Good security Many "distros" have packages I recommend newest version http://unbound.net/ Lightweight, fast, and easy to configure No split-personalities (And I was first to write about Unbound :-)
  16. 16. Configuration One file (but we’ll add more later on) $ cat /etc/unbound/unbound.conf server: access-control: 127.0.0.1/8 allow verbosity: 1 Launch unbound (and watch your syslog) # unbound Query it $ dig +short @127.0.0.1 techforum.jpmens.org txt "Moscow" That’s it!
  17. 17. Enable DNSSEC validation Needs root DNSSEC trust anchor Utility retrieves root zone’s DNSSEC key securely $ unbound-anchor -a /etc/unbound/root.key Configure trust anchor in unbound.conf auto-trust-anchor-file: "/etc/unbound/root.key" Ensure unbound-anchor in start-up scripts Reload $ unbound-control reload Did that work? $ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
  18. 18. Your own DNSSEC testbed Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records example.org IN DS 47534 8 1 74526d3f57... example.org IN DS 47534 8 2 82512fb4ad... example.com IN DS 47534 8 3 296fc89ee0... Configure keys into Unbound trust-anchor-file: "/etc/unbound/my.keys" Alternatively use trust-anchor configuration statements Configure the zone stub-zone: name: "example.org" stub-addr: 10.81.0.1 stub-addr: 10.2.14.3
  19. 19. Serve local data Unbound can serve "local" data to its clients For example, a static "zone": local-zone: "techforum." static local-data: "pc.techforum. IN A 192.168.1.12" local-data: ’kate.techforum. TXT "Hi Kate!"’ local-data-ptr: "192.168.1.12 beamer.techforum" Will it work? $ dig +short @127.0.0.1 kate.techforum txt "Hi Kate!" local data can be added on-the-fly with unbound-control
  20. 20. More local data Override a single name (all others resolved normally) local-data: "foo.jpmens.org A 127.0.0.1" Redirect a whole domain to an IP local-zone: "example.aa" redirect local-data: "example.aa A 127.0.0.9"
  21. 21. DNSSEC-Trigger Monitors changes to local network configuration (DHCP) Reconfigures local Unbound Forward to caches if possible Fallback to authoritative servers Fallback to NLnetLabs server via port 443 dnssec- trigger NLnetLabs C Unbound public B DNS Unbound A caching DNS
  22. 22. DNSSEC-Trigger (2) Works on Linux, Mac OS/X and Windows Installer http://www.nlnetlabs.nl/projects/dnssec-trigger/ Status bar
  23. 23. PowerDNS Supports pre-signed zones or live-signing operations Otherwise zone data and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns Off we go: $ pdnssec secure-zone example.org That’s it. Honest!
  24. 24. PowerDNS (cont’d) Can import existing (BIND) keys (v1.2) Keys are in back-end database (gmysql, gpgsql, gsqlite) and need to be protected It’s a bit like a private key for your HTTPS server Alternatively run in pre-signed mode Encrypted file system Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday Expiration: Thursday two weeks later No issue if PDNS is authoritative, but watch out if hidden master No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR
  25. 25. PowerDNS: pdnssec New utility: pdnssec $ pdnssec secure-zone $z # creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0
  26. 26. Testing & verification Configure island of trust in Unbound (or BIND) to test your authoritative server Check: DNSSEC or not? http://dnssectest.sidn.nl/ DNSViz http://dnsviz.net/ DNScheck http://dnscheck.iis.se/ ZoneCheck http://zonecheck.fr DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/ SURFnet DNSSEC monitor http://www.dnssecmonitor.org/
  27. 27. Applications for DNSSEC Interesting new uses for DNS now that it’s secure DNS-based Authentication of Named Entities (dane) https://datatracker.ietf.org/wg/dane/charter/ SSL certificate validation and DNSSEC (also: Phreeload) http://mens.de/:/bo SSHFP http://mens.de/:/bt
  28. 28. Thank youQuestions?
  29. 29. Further reading Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns
  30. 30. Whoami$ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr;; ANSWER SECTION:1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" .1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" .1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:jp@mens.de!" .1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:5552064@sipgate.de!" .1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .

×