SlideShare a Scribd company logo

Mens jan piet_dnssec-in-practice

K
kuchinskaya

Jan-Piet Mens gave a presentation on DNSSEC and securing DNS with cryptography. He discussed how DNSSEC works by adding digital signatures to DNS records to authenticate their source and integrity. It provides data origin authentication and integrity but does not encrypt data. He demonstrated how to configure and use DNSSEC with Unbound and PowerDNS to enable validating queries. Attendees were encouraged to set up test environments to better understand DNSSEC.

Technology
1 of 30
Download to read offline
DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
DNS is easy Ask a question, get a reply or a referral.
Resolution
The problem DNS is insecure: one packet for query, one packet for response; easily spoofed DNS Spoofing & cache poisoning DNS server accepts and uses data from a host which shouldn’t have been allowed to provide reply
The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers
The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers auth client resolver valid. servers resolv
New DNS records DNSKEY DS RRSIG NSEC/NSEC3
Authenticated Data dig +dnssec and watch for AD flag indicating successful validation $ dig +dnssec @127.0.0.1 localhost.jpmens.org a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
Problem: At work At $WORK resolution doesn’t work; validating resolver
No problem: At home At home it works; ISP doesn’t (yet) do DNSSEC
Proof Does it exist or doesn’t it? Validating query $ dig +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL ;; flags: qr rd ra; QUERY: 1, ANSWER: 0 Checking Disabled $ dig +cd +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: NOERROR ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 5620 IN A 68.87.64.48
Proof (2) $ dig +cd +dnssec +multiline www.dnssec-failed.org ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 3202 IN A 68.87.64.48 www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 ( 20090101000000 48621 dnssec-failed.org. gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
Signing and validation Signing Create keys and add to zone Sign zone Enable DNSSEC and load signed zones Submit DS-RR to parent zone Alternatively: use DLV Validation Configure trust anchor Enable DNSSEC
Unbound as a DNS cache Unbound is a secure, caching-only, portable DNS server Maintained by NLNetlabs under BSD license Designed with DNSSEC and IPv6 from the ground up Trusts nothing Good security Many "distros" have packages I recommend newest version http://unbound.net/ Lightweight, fast, and easy to configure No split-personalities (And I was first to write about Unbound :-)
Configuration One file (but we’ll add more later on) $ cat /etc/unbound/unbound.conf server: access-control: 127.0.0.1/8 allow verbosity: 1 Launch unbound (and watch your syslog) # unbound Query it $ dig +short @127.0.0.1 techforum.jpmens.org txt "Moscow" That’s it!
Enable DNSSEC validation Needs root DNSSEC trust anchor Utility retrieves root zone’s DNSSEC key securely $ unbound-anchor -a /etc/unbound/root.key Configure trust anchor in unbound.conf auto-trust-anchor-file: "/etc/unbound/root.key" Ensure unbound-anchor in start-up scripts Reload $ unbound-control reload Did that work? $ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
Your own DNSSEC testbed Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records example.org IN DS 47534 8 1 74526d3f57... example.org IN DS 47534 8 2 82512fb4ad... example.com IN DS 47534 8 3 296fc89ee0... Configure keys into Unbound trust-anchor-file: "/etc/unbound/my.keys" Alternatively use trust-anchor configuration statements Configure the zone stub-zone: name: "example.org" stub-addr: 10.81.0.1 stub-addr: 10.2.14.3
Serve local data Unbound can serve "local" data to its clients For example, a static "zone": local-zone: "techforum." static local-data: "pc.techforum. IN A 192.168.1.12" local-data: ’kate.techforum. TXT "Hi Kate!"’ local-data-ptr: "192.168.1.12 beamer.techforum" Will it work? $ dig +short @127.0.0.1 kate.techforum txt "Hi Kate!" local data can be added on-the-fly with unbound-control
More local data Override a single name (all others resolved normally) local-data: "foo.jpmens.org A 127.0.0.1" Redirect a whole domain to an IP local-zone: "example.aa" redirect local-data: "example.aa A 127.0.0.9"
DNSSEC-Trigger Monitors changes to local network configuration (DHCP) Reconfigures local Unbound Forward to caches if possible Fallback to authoritative servers Fallback to NLnetLabs server via port 443 dnssec- trigger NLnetLabs C Unbound public B DNS Unbound A caching DNS
DNSSEC-Trigger (2) Works on Linux, Mac OS/X and Windows Installer http://www.nlnetlabs.nl/projects/dnssec-trigger/ Status bar
PowerDNS Supports pre-signed zones or live-signing operations Otherwise zone data and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns Off we go: $ pdnssec secure-zone example.org That’s it. Honest!
PowerDNS (cont’d) Can import existing (BIND) keys (v1.2) Keys are in back-end database (gmysql, gpgsql, gsqlite) and need to be protected It’s a bit like a private key for your HTTPS server Alternatively run in pre-signed mode Encrypted file system Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday Expiration: Thursday two weeks later No issue if PDNS is authoritative, but watch out if hidden master No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR
PowerDNS: pdnssec New utility: pdnssec $ pdnssec secure-zone $z # creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0
Testing & verification Configure island of trust in Unbound (or BIND) to test your authoritative server Check: DNSSEC or not? http://dnssectest.sidn.nl/ DNSViz http://dnsviz.net/ DNScheck http://dnscheck.iis.se/ ZoneCheck http://zonecheck.fr DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/ SURFnet DNSSEC monitor http://www.dnssecmonitor.org/
Applications for DNSSEC Interesting new uses for DNS now that it’s secure DNS-based Authentication of Named Entities (dane) https://datatracker.ietf.org/wg/dane/charter/ SSL certificate validation and DNSSEC (also: Phreeload) http://mens.de/:/bo SSHFP http://mens.de/:/bt
Thank you Questions?
Further reading Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns
Whoami $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr ;; ANSWER SECTION: 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:jp@mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:5552064@sipgate.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .

Recommended

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNETWAYS
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 

Recommended

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNETWAYS
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandrazznate
 
Enterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationEnterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationIvica Arsov
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Ruo Ando
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 

More Related Content

What's hot

Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandrazznate
 
Enterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationEnterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationIvica Arsov
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Ruo Ando
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
 

What's hot (20)

Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentation
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandra
 
Enterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationEnterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - Installation
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
 

Similar to Mens jan piet_dnssec-in-practice

AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 
Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...Miguel Lavalle
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
 
Dns presentation
Dns presentationDns presentation
Dns presentationgaurav_c
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDan York
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKAPNIC
 
Data Grids with Oracle Coherence
Data Grids with Oracle CoherenceData Grids with Oracle Coherence
Data Grids with Oracle CoherenceBen Stopford
 

Similar to Mens jan piet_dnssec-in-practice (20)

AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNS
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project Poster
 
Soa with consul
Soa with consulSoa with consul
Soa with consul
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
 
Dns presentation
Dns presentationDns presentation
Dns presentation
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
 
Data Grids with Oracle Coherence
Data Grids with Oracle CoherenceData Grids with Oracle Coherence
Data Grids with Oracle Coherence
 

More from kuchinskaya

Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)kuchinskaya
 
Smirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforumSmirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforumkuchinskaya
 
Kalugin balashov
Kalugin balashovKalugin balashov
Kalugin balashovkuchinskaya
 

More from kuchinskaya (20)

Kharkov
KharkovKharkov
Kharkov
 
Balashov
BalashovBalashov
Balashov
 
Zamyakin
ZamyakinZamyakin
Zamyakin
 
Panfilov
PanfilovPanfilov
Panfilov
 
Platov
PlatovPlatov
Platov
 
Rabovoluk
RabovolukRabovoluk
Rabovoluk
 
Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)
 
Smirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforumSmirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforum
 
Zacepin
ZacepinZacepin
Zacepin
 
Zagursky
ZagurskyZagursky
Zagursky
 
Haritonov
HaritonovHaritonov
Haritonov
 
Chudov
ChudovChudov
Chudov
 
Bubnov
BubnovBubnov
Bubnov
 
A.pleshkov
A.pleshkovA.pleshkov
A.pleshkov
 
Zenovich
ZenovichZenovich
Zenovich
 
Romanenko
RomanenkoRomanenko
Romanenko
 
Perepelitsa
PerepelitsaPerepelitsa
Perepelitsa
 
Osipov
OsipovOsipov
Osipov
 
Kubasov
KubasovKubasov
Kubasov
 
Kalugin balashov
Kalugin balashovKalugin balashov
Kalugin balashov
 

Recently uploaded

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Mens jan piet_dnssec-in-practice

  • 1. DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
  • 2. DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
  • 3. DNS is easy Ask a question, get a reply or a referral.
  • 5. The problem DNS is insecure: one packet for query, one packet for response; easily spoofed DNS Spoofing & cache poisoning DNS server accepts and uses data from a host which shouldn’t have been allowed to provide reply
  • 6. The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers
  • 7. The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers auth client resolver valid. servers resolv
  • 8. New DNS records DNSKEY DS RRSIG NSEC/NSEC3
  • 9. Authenticated Data dig +dnssec and watch for AD flag indicating successful validation $ dig +dnssec @127.0.0.1 localhost.jpmens.org a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
  • 10. Problem: At work At $WORK resolution doesn’t work; validating resolver
  • 11. No problem: At home At home it works; ISP doesn’t (yet) do DNSSEC
  • 12. Proof Does it exist or doesn’t it? Validating query $ dig +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL ;; flags: qr rd ra; QUERY: 1, ANSWER: 0 Checking Disabled $ dig +cd +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: NOERROR ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 5620 IN A 68.87.64.48
  • 13. Proof (2) $ dig +cd +dnssec +multiline www.dnssec-failed.org ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 3202 IN A 68.87.64.48 www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 ( 20090101000000 48621 dnssec-failed.org. gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
  • 14. Signing and validation Signing Create keys and add to zone Sign zone Enable DNSSEC and load signed zones Submit DS-RR to parent zone Alternatively: use DLV Validation Configure trust anchor Enable DNSSEC
  • 15. Unbound as a DNS cache Unbound is a secure, caching-only, portable DNS server Maintained by NLNetlabs under BSD license Designed with DNSSEC and IPv6 from the ground up Trusts nothing Good security Many "distros" have packages I recommend newest version http://unbound.net/ Lightweight, fast, and easy to configure No split-personalities (And I was first to write about Unbound :-)
  • 16. Configuration One file (but we’ll add more later on) $ cat /etc/unbound/unbound.conf server: access-control: 127.0.0.1/8 allow verbosity: 1 Launch unbound (and watch your syslog) # unbound Query it $ dig +short @127.0.0.1 techforum.jpmens.org txt "Moscow" That’s it!
  • 17. Enable DNSSEC validation Needs root DNSSEC trust anchor Utility retrieves root zone’s DNSSEC key securely $ unbound-anchor -a /etc/unbound/root.key Configure trust anchor in unbound.conf auto-trust-anchor-file: "/etc/unbound/root.key" Ensure unbound-anchor in start-up scripts Reload $ unbound-control reload Did that work? $ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
  • 18. Your own DNSSEC testbed Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records example.org IN DS 47534 8 1 74526d3f57... example.org IN DS 47534 8 2 82512fb4ad... example.com IN DS 47534 8 3 296fc89ee0... Configure keys into Unbound trust-anchor-file: "/etc/unbound/my.keys" Alternatively use trust-anchor configuration statements Configure the zone stub-zone: name: "example.org" stub-addr: 10.81.0.1 stub-addr: 10.2.14.3
  • 19. Serve local data Unbound can serve "local" data to its clients For example, a static "zone": local-zone: "techforum." static local-data: "pc.techforum. IN A 192.168.1.12" local-data: ’kate.techforum. TXT "Hi Kate!"’ local-data-ptr: "192.168.1.12 beamer.techforum" Will it work? $ dig +short @127.0.0.1 kate.techforum txt "Hi Kate!" local data can be added on-the-fly with unbound-control
  • 20. More local data Override a single name (all others resolved normally) local-data: "foo.jpmens.org A 127.0.0.1" Redirect a whole domain to an IP local-zone: "example.aa" redirect local-data: "example.aa A 127.0.0.9"
  • 21. DNSSEC-Trigger Monitors changes to local network configuration (DHCP) Reconfigures local Unbound Forward to caches if possible Fallback to authoritative servers Fallback to NLnetLabs server via port 443 dnssec- trigger NLnetLabs C Unbound public B DNS Unbound A caching DNS
  • 22. DNSSEC-Trigger (2) Works on Linux, Mac OS/X and Windows Installer http://www.nlnetlabs.nl/projects/dnssec-trigger/ Status bar
  • 23. PowerDNS Supports pre-signed zones or live-signing operations Otherwise zone data and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns Off we go: $ pdnssec secure-zone example.org That’s it. Honest!
  • 24. PowerDNS (cont’d) Can import existing (BIND) keys (v1.2) Keys are in back-end database (gmysql, gpgsql, gsqlite) and need to be protected It’s a bit like a private key for your HTTPS server Alternatively run in pre-signed mode Encrypted file system Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday Expiration: Thursday two weeks later No issue if PDNS is authoritative, but watch out if hidden master No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR
  • 25. PowerDNS: pdnssec New utility: pdnssec $ pdnssec secure-zone $z # creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0
  • 26. Testing & verification Configure island of trust in Unbound (or BIND) to test your authoritative server Check: DNSSEC or not? http://dnssectest.sidn.nl/ DNSViz http://dnsviz.net/ DNScheck http://dnscheck.iis.se/ ZoneCheck http://zonecheck.fr DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/ SURFnet DNSSEC monitor http://www.dnssecmonitor.org/
  • 27. Applications for DNSSEC Interesting new uses for DNS now that it’s secure DNS-based Authentication of Named Entities (dane) https://datatracker.ietf.org/wg/dane/charter/ SSL certificate validation and DNSSEC (also: Phreeload) http://mens.de/:/bo SSHFP http://mens.de/:/bt
  • 29. Further reading Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns
  • 30. Whoami $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr ;; ANSWER SECTION: 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:jp@mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:5552064@sipgate.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .