DNSSEC - A small overview

A small presentation on the workings of DNSSEC and how it looks (in practice and in your bind zone files).

Published in: Technology, Business
Transcript of "DNSSEC - A small overview"

  1. DNSSEC: The Good, The Bad & The Secure (Nucleus.be: Windows & Linux Webhosting, Dedicated servers, Co-location, Online Backup, Domain Names ● Universal Groupware)
  2. Schedule: recap of how DNS works; what DNSSEC does; how DNSSEC works; how we implement it; why it's a bitch to configure.
  3. RECAP: DNS, the basics.
  4. SETUP. Suppose that … Domain: dexia.be, served by ns1.nucleus.be, ns2.nucleus.be, ns3.nucleus.be and ns4.nucleus.be.
  5. End user: I should really pay my bill …
  6. Let's go to www.dexia.be. End user -> ISP resolver: Q: www.dexia.be
  7. ISP resolver: Where the f*#} is that?
  8. ISP resolver -> Root nameservers: Q: www.dexia.be
  9. Root nameservers: Dunno. Ask .BE
  10. ISP resolver -> TLD nameserver (.BE): Q: www.dexia.be
  11. .BE nameserver: Get lost. Ask Nucleus. (A: Check with Nucleus)
  12. ISP resolver -> ns1.nucleus.be: Q: www.dexia.be
  13. ns1.nucleus.be: Here ya go.
  14. ns1.nucleus.be -> ISP resolver -> End user: A: 212.63.232.38
  15. Mkay. What's the problem, Doc?
  16. Vewwy vewwy old.
  17. It works. Leave it.
  18. Security is not a requirement.
  19. Here's how we break it.
  20. Security: don't trust anyone. End user -> ISP: Q: www.dexia.be
  21. Security: everybody lies. ISP -> End user: A: 193.239.211.1 (My secret server.)
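As an added example (not from the slides), here is the lookup of slides 6 to 14 as a toy iterative resolver in Python, with a second transport that plays the lying ISP of slide 21. The delegation table, the server names and the transport hook are constructed for the example and no network is touched. It makes the slides' point concrete: a plain resolver follows referrals and then accepts whatever answer arrives, because it has nothing to check it against.

```python
"""Added example, not from the Nucleus.be slides: a toy iterative resolver.

The delegation data below is constructed to mirror slides 6-14
(root -> .BE -> ns1.nucleus.be -> 212.63.232.38). The "lying" transport plays
the ISP of slide 21 and hands back 193.239.211.1 instead. No real DNS traffic
is involved; server names and the transport hook are assumptions."""
from typing import Callable, Dict, List, Tuple

Reply = Tuple[str, str]          # ("A", ip) or ("REFER", next_server)

# Constructed authoritative data, keyed by the server we ask.
AUTH_DATA: Dict[str, Dict[str, Reply]] = {
    "root":           {"be.": ("REFER", "tld-be")},
    "tld-be":         {"dexia.be.": ("REFER", "ns1.nucleus.be")},
    "ns1.nucleus.be": {"www.dexia.be.": ("A", "212.63.232.38")},
}


def authoritative_answer(server: str, qname: str) -> Reply:
    """What an honest server says: match the longest suffix of qname it knows."""
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in AUTH_DATA[server]:
            return AUTH_DATA[server][suffix]
    raise LookupError(f"{server} knows nothing about {qname}")


Transport = Callable[[str, str], Reply]


def honest_transport(server: str, qname: str) -> Reply:
    return authoritative_answer(server, qname)


def lying_transport(server: str, qname: str) -> Reply:
    """An on-path ISP: forwards referrals untouched, swaps the final answer."""
    kind, value = authoritative_answer(server, qname)
    if kind == "A":
        return "A", "193.239.211.1"      # "My secret server." (slide 21)
    return kind, value


def resolve(qname: str, transport: Transport, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Iterative resolution as on slides 6-14: start at the root, follow referrals.

    Returns (answer, servers asked in order). Note what is missing: nothing here
    lets the resolver check that the answer really came from ns1.nucleus.be, so
    whatever the transport delivers is accepted. That is the gap DNSSEC closes."""
    if not qname.endswith("."):
        qname += "."
    server, asked = "root", []
    for _ in range(max_hops):
        asked.append(server)
        kind, value = transport(server, qname)
        if kind == "A":
            return value, asked
        server = value                   # referral: ask the next server down
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    for label, transport in (("honest", honest_transport), ("lying", lying_transport)):
        ip, trail = resolve("www.dexia.be", transport)
        print(f"{label:6s}: {' -> '.join(trail)} => {ip}")
```

Both runs "succeed" from the resolver's point of view; only the second one is wrong, and the code has no way to tell.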
  22. I'm scared. Save me.
  23. DNSSEC: DNS Security Extensions. Secures the DATA returned by nameservers (authenticity and integrity of the answers). Created in 1997.
  24. DNSSEC: backwards compatible. Resolvers that do not validate still get ordinary answers.
  25. DNSSEC: signs data, does not encrypt (private vs public keys).
  26. DNSSEC: publish the public key part.
  27. DNSSEC: NSEC/NSEC3: authenticated denial of existence (a signed proof that a name does not exist).
  28. The same lookup once more: End user -> ISP resolver -> Root nameservers -> TLD nameserver (.BE) -> ns1.nucleus.be. Q: www.dexia.be; A: Check with Nucleus; A: 212.63.232.38
  29. This must be magic?! Each resource record set (A, CNAME, TXT, MX, …) is signed; the signature is published as an RRSIG record. The public key is published in a DNSKEY record. The parent zone publishes a DS record, a digest of the child zone's key, which links the child into the chain of trust. Non-existence of a name is proven with signed NSEC3 records.
  30. Keys? Keys! Keys are rotated (rolled over) regularly. Zone Signing Key (ZSK): signs the records in the zone. Key Signing Key (KSK): signs the ZSK (the DNSKEY set) and is the key the parent's DS record points to, linking the zone to its parent.
  31. Show me the money! nucleus.eu: normal, unsigned zone
      $TTL 1D
      @           IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. (
                          2010073002 ; serial
                          1H         ; refresh
                          30M        ; retry
                          4W         ; expire
                          1D )       ; minimum
                  IN NS    ns1.nucleus.be.
                  IN NS    ns2.nucleus.be.
                  IN NS    ns3.nucleus.be.
                  IN NS    ns4.nucleus.be.
             3600 IN MX 10 asav01.bru.nucleus.be.
             3600 IN MX 10 asav02.ant.nucleus.be.
      nucleus.eu. 3600 IN A     188.93.153.72
      mail        3600 IN CNAME mail.nucleus.be.
      *           3600 IN CNAME nucleus.eu.
      www         3600 IN CNAME lin1.nucleus.be.
      blah        3600 IN CNAME www.nucleus.be.
  32. Show me the money! nucleus.eu: DNSSEC signed (apex records; the KSK DNSKEY is elided on the slide)
      nucleus.eu.  86400 IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. (
                       2010073002 ; serial
                       3600       ; refresh (1 hour)
                       1800       ; retry (30 minutes)
                       2419200    ; expire (4 weeks)
                       86400      ; minimum (1 day)
                       )
                   86400 RRSIG SOA 8 2 86400 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       j6n9E/xC2q+72sEIoWZhykBU3ZZ6mUtYMMfk
                       PTbv5wlSdGQtiBlUK1xCux4BVBov/TQU3B1B
                       hO0LaSOdgMhCnenmnxtUX6KwV2U+4JxR8PFy
                       2f0C+0EOlHU8xZ2oIaNWOZH71rl9EYVCO3Ya
                       fl3eyD2dSITz2xT77WarLrbnul8= )
                   86400 NS ns1.nucleus.be.
                   86400 NS ns2.nucleus.be.
                   86400 NS ns3.nucleus.be.
                   86400 NS ns4.nucleus.be.
                   86400 RRSIG NS 8 2 86400 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       QBN5NLbkijUGIky583MWmEm15vxVWkgksQvf
                       T/cTzn+10JKHgm4Wzt8qjZdPrKH2OIPT3VVT
                       rP7WI2+O6EMR+jRf6J1G/on4jNg+3fKG7ZO/
                       OsOj9HLZNzBQYDzGoO6lXe6fdsJNBNOvIFju
                       wyhziw89bCzal/Hyb3VIPwV8Zpw= )
                   3600 A 188.93.153.72
                   3600 RRSIG A 8 2 3600 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f
                       JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5
                       hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC
                       g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5
                       XpEukb3aTPt6sbW7bpbmZVFzhSQ= )
                   3600 MX 10 asav01.bru.nucleus.be.
                   3600 MX 10 asav02.ant.nucleus.be.
                   3600 RRSIG MX 8 2 3600 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       OFLT2VKX0Y/GIzHUlsSxD976iHZDLp77mf4p
                       CanC5OMaA9dLlVEwIp2xdwqOAauluozmQAUJ
                       Y7Y6Hb9g811MPcaU5wHyjVQR9cXZqk9KrzBE
                       oOHMz3fprdH0pYAmcHhyixSs9ohLLTvwG37X
                       GZcmMnu2qQgaqTyZfSe5T4wHFKA= )
                   86400 DNSKEY 256 3 8 (
                       AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa
                       h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC
                       bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3
                       w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6
                       ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl
                       ) ; key id = 22506
                   …
  33. Show me the money! nucleus.eu: DNSSEC signed (continued: DNSKEY signatures, NSEC3PARAM, and the CNAMEs)
                   86400 RRSIG DNSKEY 8 2 86400 20101026151414 (
                       20101012141414 22225 nucleus.eu.
                       GrlJYgv9OIaWHKw2csLeSZw151WB4wFMchM3
                       syGq8tcV7p6V50w/wGDMoEshkQI0CdEILgxa
                       F2NtmnUniy4hfafKcVHPg25rj0kQio79l0Rs
                       QQPjDmXGIdkyWbRbK7M/ptnfjfq6v37NMVLP
                       Rv7BQ27u/NATI89tj6l45pOa6nB53RfRRfLM
                       nVEumTzYdQi3YTiewfP2DrmL/qJoaSZVC/BR
                       9jRg36F6FLHez3nxdEBP8YFnJi1CukRaJA8e
                       zHUFeUcMhPG3X0LRFdBxpI3eNaOv5T5AGvKw
                       ODMD1qmVPsi/doakRu93WIk+hVt1B0y5jAe+
                       1pErKmKcH6Pf4N28wA== )
                   86400 RRSIG DNSKEY 8 2 86400 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       VX49z+fLmab6Nno5jdISGd6PhTi0ovMmjwfL
                       7jQIGHl3Jsbbtw2TMFvuROPIXlSWcN2L6ixr
                       t5PJoFFlYQl3qsCUZQjHsbvvQNGDQN2i0zCK
                       qWaC0aui7LhdXCPrv8Gf2KskANNoTk0NmAuu
                       Ke60oX4P00x4NeT1xpFnZnsgXbw= )
                   0 NSEC3PARAM 1 0 5 46AF2E27
                   0 RRSIG NSEC3PARAM 8 2 0 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       jhayx2h6g0gsJb/oe5m0F3bRxd4GtRPhbfKX
                       4I5934SoF5/ofnYlxOTyV4ey/m/9dnxS5IIq
                       ej7Kzjv8HB6e7yTgr2zzrhTshtcZaJIhBRar
                       zIAVny60xDpCz/V/qtjEZw1+SwjrE3aPaFDQ
                       NyMZetYK4LL8uiT3szi4f+L/peo= )
      *.nucleus.eu.    3600 IN CNAME nucleus.eu.
                   3600 RRSIG CNAME 8 2 3600 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       EBe1hfvY1Skm3YZXm/h/X6YmuV02vQwthXNa
                       ieYmbkVZmoeWzxFQWoAqPmgJ8RKsThQXNY0n
                       s5/Naf866yhxLGv+3dL+kie4YAT44IxTtk3a
                       hzd8ORdbSEU/LtX7/deKbfkKMYaqEsYLAM9f
                       tsk8QindoiXkNKXGd0Z5XusJhFI= )
      blah.nucleus.eu. 3600 IN CNAME www.nucleus.be.
                   3600 RRSIG CNAME 8 3 3600 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       KY4dsjePG1i5akcN4q/JvQHjC9l6/kgkQX02
                       cjz3990hhsUghMbxJrdL+dCndXj65Kh7YuDa
                       IYXNgkyLzooRYnRq74XLd8/yWrhrlQMGRZJH
                       gpdv+HrTY0Bex9S2eO+1E1UISY8i/g7ND4hn
                       gBaWQrA3rKz5wA2662jPhjV06jQ= )
      mail.nucleus.eu. 3600 IN CNAME mail.nucleus.be.
                   3600 RRSIG CNAME 8 3 3600 20101026151414 (
                       20101012141414 22506 nucleus.eu.
                       sw4UsLjt9Car++ZXsSby1Lqa1XmWeyOZFsiF
                       oHAT6HAUzYK19qwPz5nJc6aQoLzvH3F6PjqJ
                       Kwek4SJUGMPpZOLOqGtguerNUxAK7XIHxgaJ
                       REpF6u77NqAmTxYafmkXnUVzA9QeYS49ocQ5
                       GpB8iVd7zwNYDo1LmZzBszjmOMo= )
  34. Ouch, my stomach.
  35. Let's analyze. KSK vs ZSK.
      86400 DNSKEY 256 3 8 (
            AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa
            h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC
            bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3
            w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6
            ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl
            ) ; key id = 22506
      256: Zone Signing Key - 1024 bit - monthly rotated
      86400 DNSKEY 257 3 8 (
            AwEAAefl1K20cC22qiDnfGyA99lM8fmbGc/1
            QHql63coA+hfbFGORPu716UfGxIJWazTTmQZ
            0zpqNeXZeEZHPNqu6NdyctHAlIMLelX5/Brm
            NCjB9OdmZuX0EGKKDePGh5JSwhYSnC89JeV7
            nnD5b9SBANEbqsBALx6lQiTfbt0DMO8fD4yO
            OXmgknYP7u7vvsSzAmlXxpGA8ARFcWkgJvZv
            bahT5DFR+GtoEWhU8+yyeX0MCIVyRCBEQAzH
            cBQfhzE+aw/UDntij3of7LsFbBh38PNIrBO6
            FrNFrdynlc8z5Ah6m1AxyxIbEFjfb5KSV4rx
            9MZXN8iwZFZLRZeu9vJDuQ8=
            ) ; key id = 22225
      257: Key Signing Key - 2048 bit - yearly rotated
  36. Let's analyze. KSK vs ZSK. The same two records, field by field:
      86400 DNSKEY 256 3 8 ( … ) ; key id = 22506
      86400 DNSKEY 257 3 8 ( … ) ; key id = 22225
      256/257: flags. 256 = ZONE bit set, a zone key, used here as the ZSK. 257 = ZONE plus SEP (Secure Entry Point) bit, the KSK: the key the parent's DS record refers to.
      3: protocol. Always 3 for DNSSEC.
      8: algorithm. 8 = RSA/SHA-256.
      key id: the key tag, a 16-bit checksum over the record's RDATA. RRSIGs carry it so a validator can pick the right DNSKEY out of the set.
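As an added example (not part of the slides), the following Python takes the two DNSKEY records apart with the standard library only: it decodes the RSA key to confirm the 1024- and 2048-bit sizes, computes the key tag that BIND prints as "key id", and derives the DS record the parent (.eu) would publish for the KSK. RFC 4034 Appendix B gives the key-tag algorithm and section 5.1.4 the DS digest input; RFC 3110 gives the RSA key layout. The function names are the example's own. If the base64 on the slides survived extraction intact, the computed tags reproduce 22506 and 22225; the DS digest is computed here and does not appear on the slides.

```python
"""Added example, not from the Nucleus.be slides: take the DNSKEY records on
slides 35/36 apart. Key tag per RFC 4034 App. B, RSA key layout per RFC 3110,
DS digest input per RFC 4034 section 5.1.4. Standard library only."""
import base64
import hashlib
import struct
from typing import Dict, Tuple

# DNSKEY RDATA exactly as printed in the signed zone on slide 35.
ZSK_TEXT = ("256 3 8 "
            "AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa"
            "h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC"
            "bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3"
            "w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6"
            "ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl")
KSK_TEXT = ("257 3 8 "
            "AwEAAefl1K20cC22qiDnfGyA99lM8fmbGc/1"
            "QHql63coA+hfbFGORPu716UfGxIJWazTTmQZ"
            "0zpqNeXZeEZHPNqu6NdyctHAlIMLelX5/Brm"
            "NCjB9OdmZuX0EGKKDePGh5JSwhYSnC89JeV7"
            "nnD5b9SBANEbqsBALx6lQiTfbt0DMO8fD4yO"
            "OXmgknYP7u7vvsSzAmlXxpGA8ARFcWkgJvZv"
            "bahT5DFR+GtoEWhU8+yyeX0MCIVyRCBEQAzH"
            "cBQfhzE+aw/UDntij3of7LsFbBh38PNIrBO6"
            "FrNFrdynlc8z5Ah6m1AxyxIbEFjfb5KSV4rx"
            "9MZXN8iwZFZLRZeu9vJDuQ8=")


def parse_dnskey(text: str) -> Tuple[int, int, int, bytes]:
    """'flags protocol algorithm base64...' -> (flags, protocol, algorithm, pubkey)."""
    flags, proto, alg, *b64 = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded back in.
    This is the 'key id' BIND prints and the number an RRSIG carries."""
    ac = 0
    for i, byte in enumerate(dnskey_rdata(flags, proto, alg, pubkey)):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_numbers(pubkey: bytes) -> Tuple[int, int]:
    """RFC 3110 layout: [exponent length][exponent][modulus]; a zero first byte
    means the length is in the next two bytes."""
    if pubkey[0] == 0:
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    else:
        exp_len, off = pubkey[0], 1
    e = int.from_bytes(pubkey[off:off + exp_len], "big")
    n = int.from_bytes(pubkey[off + exp_len:], "big")
    return e, n


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower case, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey: bytes,
              digest_type: int = 2) -> str:
    """DS presentation text: digest over owner-name wire form + DNSKEY RDATA."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(name_to_wire(owner) + dnskey_rdata(flags, proto, alg, pubkey)).hexdigest().upper()
    return f"{owner} IN DS {key_tag(flags, proto, alg, pubkey)} {alg} {digest_type} {digest}"


def describe(text: str) -> Dict[str, object]:
    """Everything slide 36 annotates, read off the record itself."""
    flags, proto, alg, pubkey = parse_dnskey(text)
    e, n = rsa_public_numbers(pubkey)
    return {
        "flags": flags,
        "zone_key": bool(flags & 0x0100),            # ZONE bit
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit marks the KSK
        "protocol": proto,
        "algorithm": alg,
        "key_tag": key_tag(flags, proto, alg, pubkey),
        "rsa_exponent": e,
        "rsa_bits": n.bit_length(),
    }


if __name__ == "__main__":
    for text in (ZSK_TEXT, KSK_TEXT):
        print(describe(text))
    print(ds_record("nucleus.eu.", *parse_dnskey(KSK_TEXT)))
```

The DS line is what gets handed to the registrar: it binds the parent's signed data to this exact KSK RDATA, which is why a KSK rollover needs the parent updated and a ZSK rollover does not.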
  37. Let's analyze. RRSIGs.
      3600 RRSIG A 8 2 3600 20101026151414 (
            20101012141414 22506 nucleus.eu.
            Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f
            JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5
            hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC
            g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5
            XpEukb3aTPt6sbW7bpbmZVFzhSQ= )
      3600: TTL of the RRSIG record itself
      RRSIG: resource record type (the signature)
      A: type of the signed record
      8: algorithm (RSA/SHA-256)
      2: number of labels in the signed owner name (nucleus.eu.)
      3600: original TTL of the signed record
      20101026151414: signature expiration (YYYYMMDDHHmmSS, UTC)
      20101012141414: signature inception
      22506: key tag of the DNSKEY that made the signature (the ZSK above)
      nucleus.eu.: signer's name, the zone whose DNSKEY verifies this signature
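As an added example (not from the slides), the following Python parses this RRSIG, checks its validity window, and verifies it against the ZSK with key id 22506 over the record nucleus.eu. 3600 IN A 188.93.153.72 from slide 32, using the standard library only. The message that gets signed is the RRSIG RDATA without the signature, followed by the canonical RRset (RFC 4034 section 3.1.8.1); the RSA/SHA-256 check is done with pow() and a hand-rolled PKCS#1 v1.5 comparison (RFC 5702). The helper names and the RRTYPES table are the example's own. If the base64 on the slides survived extraction intact the real record verifies; the spoofed answer 193.239.211.1 from slide 21 fails regardless, which is the whole point.

```python
"""Added example, not from the Nucleus.be slides: parse the RRSIG of slide 37,
check its validity window, verify it against the ZSK (key id 22506) of slide 35
over 'nucleus.eu. 3600 IN A 188.93.153.72' (slide 32). Standard library only;
RRTYPES and the helper names are this example's own."""
import base64
import hashlib
import struct
from datetime import datetime, timezone
from typing import Dict, List, Optional

RRSIG_TEXT = ("A 8 2 3600 20101026151414 20101012141414 22506 nucleus.eu. "
              "Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f"
              "JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5"
              "hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC"
              "g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5"
              "XpEukb3aTPt6sbW7bpbmZVFzhSQ=")
ZSK_PUBKEY = base64.b64decode(
    "AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa" "h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC"
    "bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3" "w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6"
    "ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl")
RRTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "DNSKEY": 48}
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 5702 3.1


def parse_rrsig(text: str) -> Dict[str, object]:
    f = text.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": f[4], "inception": f[5],
            "key_tag": int(f[6]), "signer": f[7],
            "signature": base64.b64decode("".join(f[8:]))}


def sig_time(stamp: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def within_validity(rrsig: Dict[str, object], now_utc: Optional[str] = None) -> bool:
    """Validators reject an RRSIG outside [inception, expiration] however good the
    signature is: stop re-signing and the zone goes bogus at expiration."""
    now = datetime.now(timezone.utc) if now_utc is None else sig_time(now_utc)
    return sig_time(rrsig["inception"]) <= now <= sig_time(rrsig["expiration"])


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name: lower case, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rrsig_rdata_prefix(r: Dict[str, object]) -> bytes:
    """RRSIG RDATA up to and including the signer name (everything but the signature)."""
    fixed = struct.pack("!HBBIIIH", RRTYPES[r["type_covered"]], r["algorithm"], r["labels"],
                        r["original_ttl"], int(sig_time(r["expiration"]).timestamp()),
                        int(sig_time(r["inception"]).timestamp()), r["key_tag"])
    return fixed + name_to_wire(r["signer"])


def canonical_rrset(owner: str, rtype: str, ttl: int, rdatas: List[bytes]) -> bytes:
    """RFC 4034 section 6: lower-cased owner, class IN, the RRSIG's original TTL,
    RRs sorted by RDATA. Each RR: owner | type | class | TTL | rdlength | RDATA."""
    out = b""
    for rdata in sorted(rdatas):
        out += name_to_wire(owner) + struct.pack("!HHIH", RRTYPES[rtype], 1, ttl, len(rdata)) + rdata
    return out


def rsa_sha256_verify(pubkey: bytes, message: bytes, signature: bytes) -> bool:
    """RFC 3110 key layout, then RSASSA-PKCS1-v1_5 with SHA-256 checked by hand."""
    exp_len, off = (pubkey[0], 1) if pubkey[0] else (struct.unpack("!H", pubkey[1:3])[0], 3)
    e = int.from_bytes(pubkey[off:off + exp_len], "big")
    n = int.from_bytes(pubkey[off + exp_len:], "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_a_record(rrsig: Dict[str, object], owner: str, ttl: int, ip: str, pubkey: bytes) -> bool:
    rdata = bytes(int(octet) for octet in ip.split("."))
    message = rrsig_rdata_prefix(rrsig) + canonical_rrset(owner, "A", ttl, [rdata])
    return rsa_sha256_verify(pubkey, message, rrsig["signature"])


if __name__ == "__main__":
    r = parse_rrsig(RRSIG_TEXT)
    print("valid on 2010-10-20:", within_validity(r, "20101020000000"), "| valid today:", within_validity(r))
    print("slide's A record verifies:", verify_a_record(r, "nucleus.eu.", 3600, "188.93.153.72", ZSK_PUBKEY))
    print("spoofed 193.239.211.1 verifies:", verify_a_record(r, "nucleus.eu.", 3600, "193.239.211.1", ZSK_PUBKEY))
```

Note the two-week window on this RRSIG (inception 2010-10-12, expiration 2010-10-26): the zone has to be re-signed before the expiration or validating resolvers stop answering for it, which is the operational cost behind "why it's a bitch to configure" on slide 2.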