SlideShare a Scribd company logo

Mens jan piet_dnssec-in-practice

K
kuchinskaya

Jan-Piet Mens gave a presentation on DNSSEC and securing DNS with cryptography. He discussed how DNSSEC works by adding digital signatures to DNS records to authenticate their source and integrity. It provides data origin authentication and integrity but does not encrypt data. He demonstrated how to configure and use DNSSEC with Unbound and PowerDNS to enable validating queries. Attendees were encouraged to set up test environments to better understand DNSSEC.

Technology
1 of 30
Download to read offline
DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
DNS is easy Ask a question, get a reply or a referral.
Resolution
The problem DNS is insecure: one packet for query, one packet for response; easily spoofed DNS Spoofing & cache poisoning DNS server accepts and uses data from a host which shouldn’t have been allowed to provide reply
The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers
The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers auth client resolver valid. servers resolv
New DNS records DNSKEY DS RRSIG NSEC/NSEC3
Authenticated Data dig +dnssec and watch for AD flag indicating successful validation $ dig +dnssec @127.0.0.1 localhost.jpmens.org a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
Problem: At work At $WORK resolution doesn’t work; validating resolver
No problem: At home At home it works; ISP doesn’t (yet) do DNSSEC
Proof Does it exist or doesn’t it? Validating query $ dig +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL ;; flags: qr rd ra; QUERY: 1, ANSWER: 0 Checking Disabled $ dig +cd +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: NOERROR ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 5620 IN A 68.87.64.48
Proof (2) $ dig +cd +dnssec +multiline www.dnssec-failed.org ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 3202 IN A 68.87.64.48 www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 ( 20090101000000 48621 dnssec-failed.org. gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
Signing and validation Signing Create keys and add to zone Sign zone Enable DNSSEC and load signed zones Submit DS-RR to parent zone Alternatively: use DLV Validation Configure trust anchor Enable DNSSEC
Unbound as a DNS cache Unbound is a secure, caching-only, portable DNS server Maintained by NLNetlabs under BSD license Designed with DNSSEC and IPv6 from the ground up Trusts nothing Good security Many "distros" have packages I recommend newest version http://unbound.net/ Lightweight, fast, and easy to configure No split-personalities (And I was first to write about Unbound :-)
Configuration One file (but we’ll add more later on) $ cat /etc/unbound/unbound.conf server: access-control: 127.0.0.1/8 allow verbosity: 1 Launch unbound (and watch your syslog) # unbound Query it $ dig +short @127.0.0.1 techforum.jpmens.org txt "Moscow" That’s it!
Enable DNSSEC validation Needs root DNSSEC trust anchor Utility retrieves root zone’s DNSSEC key securely $ unbound-anchor -a /etc/unbound/root.key Configure trust anchor in unbound.conf auto-trust-anchor-file: "/etc/unbound/root.key" Ensure unbound-anchor in start-up scripts Reload $ unbound-control reload Did that work? $ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
Your own DNSSEC testbed Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records example.org IN DS 47534 8 1 74526d3f57... example.org IN DS 47534 8 2 82512fb4ad... example.com IN DS 47534 8 3 296fc89ee0... Configure keys into Unbound trust-anchor-file: "/etc/unbound/my.keys" Alternatively use trust-anchor configuration statements Configure the zone stub-zone: name: "example.org" stub-addr: 10.81.0.1 stub-addr: 10.2.14.3
Serve local data Unbound can serve "local" data to its clients For example, a static "zone": local-zone: "techforum." static local-data: "pc.techforum. IN A 192.168.1.12" local-data: ’kate.techforum. TXT "Hi Kate!"’ local-data-ptr: "192.168.1.12 beamer.techforum" Will it work? $ dig +short @127.0.0.1 kate.techforum txt "Hi Kate!" local data can be added on-the-fly with unbound-control
More local data Override a single name (all others resolved normally) local-data: "foo.jpmens.org A 127.0.0.1" Redirect a whole domain to an IP local-zone: "example.aa" redirect local-data: "example.aa A 127.0.0.9"
DNSSEC-Trigger Monitors changes to local network configuration (DHCP) Reconfigures local Unbound Forward to caches if possible Fallback to authoritative servers Fallback to NLnetLabs server via port 443 dnssec- trigger NLnetLabs C Unbound public B DNS Unbound A caching DNS
DNSSEC-Trigger (2) Works on Linux, Mac OS/X and Windows Installer http://www.nlnetlabs.nl/projects/dnssec-trigger/ Status bar
PowerDNS Supports pre-signed zones or live-signing operations Otherwise zone data and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns Off we go: $ pdnssec secure-zone example.org That’s it. Honest!
PowerDNS (cont’d) Can import existing (BIND) keys (v1.2) Keys are in back-end database (gmysql, gpgsql, gsqlite) and need to be protected It’s a bit like a private key for your HTTPS server Alternatively run in pre-signed mode Encrypted file system Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday Expiration: Thursday two weeks later No issue if PDNS is authoritative, but watch out if hidden master No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR
PowerDNS: pdnssec New utility: pdnssec $ pdnssec secure-zone $z # creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0
Testing & verification Configure island of trust in Unbound (or BIND) to test your authoritative server Check: DNSSEC or not? http://dnssectest.sidn.nl/ DNSViz http://dnsviz.net/ DNScheck http://dnscheck.iis.se/ ZoneCheck http://zonecheck.fr DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/ SURFnet DNSSEC monitor http://www.dnssecmonitor.org/
Applications for DNSSEC Interesting new uses for DNS now that it’s secure DNS-based Authentication of Named Entities (dane) https://datatracker.ietf.org/wg/dane/charter/ SSL certificate validation and DNSSEC (also: Phreeload) http://mens.de/:/bo SSHFP http://mens.de/:/bt
Thank you Questions?
Further reading Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns
Whoami $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr ;; ANSWER SECTION: 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:jp@mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:5552064@sipgate.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .

Recommended

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNETWAYS
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 

Recommended

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNagios Conference 2006 | Nagios 3.0 and beyond by Ethan Galstad
Nagios Conference 2006 | Nagios 3.0 and beyond by Ethan GalstadNETWAYS
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandrazznate
 
Enterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationEnterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationIvica Arsov
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Ruo Ando
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 

More Related Content

What's hot

Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandrazznate
 
Enterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationEnterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationIvica Arsov
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Ruo Ando
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
 

What's hot (20)

Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentation
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandra
 
Enterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - InstallationEnterprise Manager Cloud Control 12c Release 4 - Installation
Enterprise Manager Cloud Control 12c Release 4 - Installation
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne...
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
 

Similar to Mens jan piet_dnssec-in-practice

AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 
Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...Miguel Lavalle
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
 
Dns presentation
Dns presentationDns presentation
Dns presentationgaurav_c
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDan York
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKAPNIC
 
Data Grids with Oracle Coherence
Data Grids with Oracle CoherenceData Grids with Oracle Coherence
Data Grids with Oracle CoherenceBen Stopford
 

Similar to Mens jan piet_dnssec-in-practice (20)

AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNS
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...Integration of neutron, nova and designate how to use it and how to configur...
Integration of neutron, nova and designate how to use it and how to configur...
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project Poster
 
Soa with consul
Soa with consulSoa with consul
Soa with consul
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
 
Dns presentation
Dns presentationDns presentation
Dns presentation
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 HackathonDNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
DNS / DNSSEC / DANE / DPRIVE Results at IETF93 Hackathon
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
 
Data Grids with Oracle Coherence
Data Grids with Oracle CoherenceData Grids with Oracle Coherence
Data Grids with Oracle Coherence
 

More from kuchinskaya

Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)kuchinskaya
 
Smirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforumSmirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforumkuchinskaya
 
Kalugin balashov
Kalugin balashovKalugin balashov
Kalugin balashovkuchinskaya
 

More from kuchinskaya (20)

Kharkov
KharkovKharkov
Kharkov
 
Balashov
BalashovBalashov
Balashov
 
Zamyakin
ZamyakinZamyakin
Zamyakin
 
Panfilov
PanfilovPanfilov
Panfilov
 
Platov
PlatovPlatov
Platov
 
Rabovoluk
RabovolukRabovoluk
Rabovoluk
 
Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)Smirnov dependency-injection-techforum(1)
Smirnov dependency-injection-techforum(1)
 
Smirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforumSmirnov reverse-engineering-techforum
Smirnov reverse-engineering-techforum
 
Zacepin
ZacepinZacepin
Zacepin
 
Zagursky
ZagurskyZagursky
Zagursky
 
Haritonov
HaritonovHaritonov
Haritonov
 
Chudov
ChudovChudov
Chudov
 
Bubnov
BubnovBubnov
Bubnov
 
A.pleshkov
A.pleshkovA.pleshkov
A.pleshkov
 
Zenovich
ZenovichZenovich
Zenovich
 
Romanenko
RomanenkoRomanenko
Romanenko
 
Perepelitsa
PerepelitsaPerepelitsa
Perepelitsa
 
Osipov
OsipovOsipov
Osipov
 
Kubasov
KubasovKubasov
Kubasov
 
Kalugin balashov
Kalugin balashovKalugin balashov
Kalugin balashov
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Mens jan piet_dnssec-in-practice

  • 1. DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
  • 2. DNSSEC in Practice Mail.Ru Technology Forum 2012 Moscow, RU April 2012 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
  • 3. DNS is easy Ask a question, get a reply or a referral.
  • 5. The problem DNS is insecure: one packet for query, one packet for response; easily spoofed DNS Spoofing & cache poisoning DNS server accepts and uses data from a host which shouldn’t have been allowed to provide reply
  • 6. The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers
  • 7. The solution DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation Public key cryptography and digital signatures provide data origin authentication provide data integrity Doesn’t encrypt data -- that would be stupid But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you validating auth client resolver servers auth client resolver valid. servers resolv
  • 8. New DNS records DNSKEY DS RRSIG NSEC/NSEC3
  • 9. Authenticated Data dig +dnssec and watch for AD flag indicating successful validation $ dig +dnssec @127.0.0.1 localhost.jpmens.org a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
  • 10. Problem: At work At $WORK resolution doesn’t work; validating resolver
  • 11. No problem: At home At home it works; ISP doesn’t (yet) do DNSSEC
  • 12. Proof Does it exist or doesn’t it? Validating query $ dig +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL ;; flags: qr rd ra; QUERY: 1, ANSWER: 0 Checking Disabled $ dig +cd +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: NOERROR ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 5620 IN A 68.87.64.48
  • 13. Proof (2) $ dig +cd +dnssec +multiline www.dnssec-failed.org ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 3202 IN A 68.87.64.48 www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 ( 20090101000000 48621 dnssec-failed.org. gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
  • 14. Signing and validation Signing Create keys and add to zone Sign zone Enable DNSSEC and load signed zones Submit DS-RR to parent zone Alternatively: use DLV Validation Configure trust anchor Enable DNSSEC
  • 15. Unbound as a DNS cache Unbound is a secure, caching-only, portable DNS server Maintained by NLNetlabs under BSD license Designed with DNSSEC and IPv6 from the ground up Trusts nothing Good security Many "distros" have packages I recommend newest version http://unbound.net/ Lightweight, fast, and easy to configure No split-personalities (And I was first to write about Unbound :-)
  • 16. Configuration One file (but we’ll add more later on) $ cat /etc/unbound/unbound.conf server: access-control: 127.0.0.1/8 allow verbosity: 1 Launch unbound (and watch your syslog) # unbound Query it $ dig +short @127.0.0.1 techforum.jpmens.org txt "Moscow" That’s it!
  • 17. Enable DNSSEC validation Needs root DNSSEC trust anchor Utility retrieves root zone’s DNSSEC key securely $ unbound-anchor -a /etc/unbound/root.key Configure trust anchor in unbound.conf auto-trust-anchor-file: "/etc/unbound/root.key" Ensure unbound-anchor in start-up scripts Reload $ unbound-control reload Did that work? $ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
  • 18. Your own DNSSEC testbed Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records example.org IN DS 47534 8 1 74526d3f57... example.org IN DS 47534 8 2 82512fb4ad... example.com IN DS 47534 8 3 296fc89ee0... Configure keys into Unbound trust-anchor-file: "/etc/unbound/my.keys" Alternatively use trust-anchor configuration statements Configure the zone stub-zone: name: "example.org" stub-addr: 10.81.0.1 stub-addr: 10.2.14.3
  • 19. Serve local data Unbound can serve "local" data to its clients For example, a static "zone": local-zone: "techforum." static local-data: "pc.techforum. IN A 192.168.1.12" local-data: ’kate.techforum. TXT "Hi Kate!"’ local-data-ptr: "192.168.1.12 beamer.techforum" Will it work? $ dig +short @127.0.0.1 kate.techforum txt "Hi Kate!" local data can be added on-the-fly with unbound-control
  • 20. More local data Override a single name (all others resolved normally) local-data: "foo.jpmens.org A 127.0.0.1" Redirect a whole domain to an IP local-zone: "example.aa" redirect local-data: "example.aa A 127.0.0.9"
  • 21. DNSSEC-Trigger Monitors changes to local network configuration (DHCP) Reconfigures local Unbound Forward to caches if possible Fallback to authoritative servers Fallback to NLnetLabs server via port 443 dnssec- trigger NLnetLabs C Unbound public B DNS Unbound A caching DNS
  • 22. DNSSEC-Trigger (2) Works on Linux, Mac OS/X and Windows Installer http://www.nlnetlabs.nl/projects/dnssec-trigger/ Status bar
  • 23. PowerDNS Supports pre-signed zones or live-signing operations Otherwise zone data and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns Off we go: $ pdnssec secure-zone example.org That’s it. Honest!
  • 24. PowerDNS (cont’d) Can import existing (BIND) keys (v1.2) Keys are in back-end database (gmysql, gpgsql, gsqlite) and need to be protected It’s a bit like a private key for your HTTPS server Alternatively run in pre-signed mode Encrypted file system Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday Expiration: Thursday two weeks later No issue if PDNS is authoritative, but watch out if hidden master No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR
  • 25. PowerDNS: pdnssec New utility: pdnssec $ pdnssec secure-zone $z # creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0
  • 26. Testing & verification Configure island of trust in Unbound (or BIND) to test your authoritative server Check: DNSSEC or not? http://dnssectest.sidn.nl/ DNSViz http://dnsviz.net/ DNScheck http://dnscheck.iis.se/ ZoneCheck http://zonecheck.fr DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/ SURFnet DNSSEC monitor http://www.dnssecmonitor.org/
  • 27. Applications for DNSSEC Interesting new uses for DNS now that it’s secure DNS-based Authentication of Named Entities (dane) https://datatracker.ietf.org/wg/dane/charter/ SSL certificate validation and DNSSEC (also: Phreeload) http://mens.de/:/bo SSHFP http://mens.de/:/bt
  • 29. Further reading Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns
  • 30. Whoami $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr ;; ANSWER SECTION: 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:jp@mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:5552064@sipgate.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .