DNSSEC - A small overview

A small presentation on the workings of DNSSEC and how it looks (in practice and in your bind zone files).

Published in: Technology, Business

  1. DNSSEC: The Good, The Bad & The Secure
  2. Schedule
     - Recap: how DNS works
     - What DNSSEC does
     - How DNSSEC works
     - How we implement it
     - Why it’s a bitch to configure.
  3. RECAP: DNS, the basics
  4. SETUP. Suppose that … Domain: dexia.be, nameservers ns1.nucleus.be, ns2.nucleus.be, ns3.nucleus.be, ns4.nucleus.be
  5. I should really pay my bill … (End user)
  6. Let’s go to www.dexia.be. End user → ISP: Q: www.dexia.be
  7. Let’s go to www.dexia.be. ISP: Where the f*#} is that?
  8. (Diagram build) The Root nameservers join the picture.
  9. Root nameservers: Dunno. Ask .BE
  10. ISP → TLD (.BE nameservers): Q: www.dexia.be
  11. TLD .BE: Get lost. Ask Nucleus. (A: Check with Nucleus)
  12. ISP → ns1.nucleus.be: Q: www.dexia.be
  13. ns1.nucleus.be: Here ya go.
  14. ns1.nucleus.be → ISP → End user: A: 212.63.232.38
  15. Mkay. What’s the problem, Doc?
  16. Vewwy vewwy old.
  17. It works. Leave it.
  18. Security is not a requirement
  19. Here’s how we break it.
  20. Security: don’t trust anyone. End user → ISP: Q: www.dexia.be
  21. Security: everybody lies. End user → ISP: Q: www.dexia.be; answer received: A: 193.239.211.1 ("My secret server.")
  22. I’m scared. Save me.
  23. DNSSEC: DNS Security Extensions. Secures the DATA returned by nameservers. Created in 1997.
  24. DNSSEC: Backwards compatible.
  25. DNSSEC: Signs data, does not encrypt. (private vs public keys)
  26. DNSSEC: Publish the public key part.
  27. DNSSEC: NSEC/NSEC3: Denial of Existence
  28. (Diagram) End user → ISP → Root nameservers → TLD (.BE nameservers: A: Check with Nucleus) → ns1.nucleus.be; A: 212.63.232.38 travels back to the end user. Q: www.dexia.be at each hop.
  29. This must be magic?!
     - Resource Record (A, CNAME, TXT, MX, …): signed with RRSIG record
     - Public key gets published in DNSKEY record
     - Parent zone publishes public key of child zone in DS records
     - Non-existing entries signed with NSEC3
  30. Keys? Keys!
     - Key rotation for public keys
     - Zone Signing Key (ZSK): sign records in a zone
     - Key Signing Key (KSK): sign the ZSK and link to parent zone
  31. Show me the money! nucleus.eu: normal, unsigned zone
        $TTL 1D
        @           IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. (
                        2010073002 ; serial
                        1H         ; refresh
                        30M        ; retry
                        4W         ; expire
                        1D )       ; minimum
                    IN NS ns1.nucleus.be.
                    IN NS ns2.nucleus.be.
                    IN NS ns3.nucleus.be.
                    IN NS ns4.nucleus.be.
              3600  IN MX 10 asav01.bru.nucleus.be.
              3600  IN MX 10 asav02.ant.nucleus.be.
        nucleus.eu. 3600 IN A 188.93.153.72
        mail  3600  IN CNAME mail.nucleus.be.
        *     3600  IN CNAME nucleus.eu.
        www   3600  IN CNAME lin1.nucleus.be.
        blah  3600  IN CNAME www.nucleus.be.
  32. Show me the money! nucleus.eu: DNSSEC signed (dig-style listing; the slide’s two columns are interleaved in the transcript, so the record headers are reconstructed here and the signature base64 is left out)
        nucleus.eu. 86400 IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. (
                        2010073002 ; serial
                        3600       ; refresh (1 hour)
                        1800       ; retry (30 minutes)
                        2419200    ; expire (4 weeks)
                        86400 )    ; minimum (1 day)
            86400 RRSIG SOA 8 2 86400 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
            86400 NS ns1.nucleus.be.
            86400 NS ns2.nucleus.be.
            86400 NS ns3.nucleus.be.
            86400 NS ns4.nucleus.be.
            86400 RRSIG NS 8 2 86400 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
            3600 MX 10 asav01.bru.nucleus.be.
            3600 MX 10 asav02.ant.nucleus.be.
            3600 RRSIG MX 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
            3600 A 188.93.153.72
            3600 RRSIG A 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature, shown in full on slide 37] )
            86400 DNSKEY 256 3 8 ( [public key, shown in full on slide 35] ) ; key id = 22506
            …
  33. Show me the money! nucleus.eu: DNSSEC signed (continued; same reconstruction, signature base64 left out)
            86400 RRSIG DNSKEY 8 2 86400 20101026151414 ( 20101012141414 22225 nucleus.eu. [signature] )
            86400 RRSIG DNSKEY 8 2 86400 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
        *.nucleus.eu. 3600 IN CNAME nucleus.eu.
            3600 RRSIG CNAME 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
        blah.nucleus.eu. 3600 IN CNAME www.nucleus.be.
            3600 RRSIG CNAME 8 3 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
        mail.nucleus.eu. 3600 IN CNAME mail.nucleus.be.
            3600 RRSIG CNAME 8 3 3600 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
            0 NSEC3PARAM 1 0 5 46AF2E27
            0 RRSIG NSEC3PARAM 8 2 0 20101026151414 ( 20101012141414 22506 nucleus.eu. [signature] )
  34. Ouch, my stomach.
  35. Let’s analyze. KSK vs ZSK.
        86400 DNSKEY 256 3 8 ( AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa
                               h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC
                               bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3
                               w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6
                               ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl ) ; key id = 22506
        256: Zone Signing Key
          - 1024 bit
          - monthly rotated
        86400 DNSKEY 257 3 8 ( AwEAAefl1K20cC22qiDnfGyA99lM8fmbGc/1
                               QHql63coA+hfbFGORPu716UfGxIJWazTTmQZ
                               0zpqNeXZeEZHPNqu6NdyctHAlIMLelX5/Brm
                               NCjB9OdmZuX0EGKKDePGh5JSwhYSnC89JeV7
                               nnD5b9SBANEbqsBALx6lQiTfbt0DMO8fD4yO
                               OXmgknYP7u7vvsSzAmlXxpGA8ARFcWkgJvZv
                               bahT5DFR+GtoEWhU8+yyeX0MCIVyRCBEQAzH
                               cBQfhzE+aw/UDntij3of7LsFbBh38PNIrBO6
                               FrNFrdynlc8z5Ah6m1AxyxIbEFjfb5KSV4rx
                               9MZXN8iwZFZLRZeu9vJDuQ8= ) ; key id = 22225
        257: Key Signing Key
          - 2048 bit
          - yearly rotated
  36. Let’s analyze. KSK vs ZSK. (Same two DNSKEY records as slide 35.)
        256/257: Key flag (KSK or ZSK)
        3: Protocol used
        8: Algorithm used
  37. Let’s analyze. RRSIGs.
        3600 RRSIG A 8 2 3600 20101026151414 ( 20101012141414 22506 nucleus.eu.
                               Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f
                               JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5
                               hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC
                               g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5
                               XpEukb3aTPt6sbW7bpbmZVFzhSQ= )
        3600: TTL
        RRSIG: Resource Record
        A: Type of signed record
        8: Algorithm (RSA-SHA256)
        2: # labels of signed record
        3600: TTL of signed record
        20101026151414: Signature expiration
        20101012141414: Signature creation
        22506: Key ID
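The field breakdown of slides 35 and 36 in code, as an added example that is not part of the deck: it parses the ZSK DNSKEY RDATA shown on slide 35, maps the flag value 256/257 to ZSK/KSK, decodes the RSA public key (RFC 3110 wire format) to confirm the 1024-bit size the slide states, and computes the key tag with the RFC 4034 Appendix B algorithm, which is the number bind prints as `; key id = ...`. The KSK from the same slide can be fed in the same way.

```python
import base64
import struct

# ZSK DNSKEY RDATA from slide 35 of the deck, base64 chunks re-joined.
SLIDE_ZSK = ("256 3 8 "
             "AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xah0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC"
             "bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6"
             "ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl")


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: key tag over the full DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(text: str) -> dict:
    flags, proto, alg, *b64 = text.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 2.1.2)")
    pubkey = base64.b64decode("".join(b64))
    info = {
        "flags": flags,
        "algorithm": alg,
        # Flag bit 7 (value 256) marks a zone key; bit 15 (value 1) is the
        # Secure Entry Point bit, so 256 is the ZSK and 257 the KSK.
        "role": "KSK" if flags & 1 else "ZSK",
        # The key tag covers flags, protocol, algorithm and the key itself.
        "key_tag": key_tag(struct.pack("!HBB", flags, proto, alg) + pubkey),
    }
    if alg in (5, 7, 8, 10):
        # RSA public key wire format (RFC 3110): exponent length, exponent, modulus.
        exp_len, off = pubkey[0], 1
        if exp_len == 0:  # exponents longer than 255 bytes carry a 2-byte length
            exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
        modulus = pubkey[off + exp_len:]
        info["exponent"] = int.from_bytes(pubkey[off:off + exp_len], "big")
        info["modulus_bits"] = (len(modulus) - 1) * 8 + modulus[0].bit_length()
    return info
```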
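Added example, not from the deck: a parser for the RRSIG on slide 37 together with the three checks a validating resolver applies to exactly those fields before it verifies any signature: the inception/expiration window, the labels count (which is how the `*.nucleus.eu.` CNAME on slide 33, signed with labels 2, is recognised as a wildcard when it answers for a longer name), and the cap on the cache TTL derived from the original TTL and the remaining signature lifetime (RFC 4035 5.3.3). The owner name `anything.nucleus.eu.` used for the wildcard case is constructed; timestamps are treated as UTC as the RRSIG format requires.

```python
import base64
from datetime import datetime, timezone

# RRSIG A record from slide 37 (presentation format, signature chunks re-joined).
SLIDE_RRSIG = (
    "A 8 2 3600 20101026151414 20101012141414 22506 nucleus.eu. "
    "Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8fJjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5"
    "hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyICg/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5"
    "XpEukb3aTPt6sbW7bpbmZVFzhSQ=")


def ts(yyyymmddhhmmss: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text: str) -> dict:
    f = text.split()
    return {
        "type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
        "original_ttl": int(f[3]), "expiration": ts(f[4]), "inception": ts(f[5]),
        "key_tag": int(f[6]), "signer": f[7],
        "signature": base64.b64decode("".join(f[8:])),
    }


def in_validity_window(sig: dict, now: datetime) -> bool:
    # RFC 4035 5.3.1: outside [inception, expiration] the RRSIG must not be used.
    return sig["inception"] <= now <= sig["expiration"]


def wildcard_expanded(sig: dict, owner: str) -> bool:
    # RFC 4035 5.3.1: the labels field excludes the root and a leading "*".
    # Fewer labels than the owner name means the RRset was synthesised from a wildcard.
    owner_labels = [l for l in owner.rstrip(".").split(".") if l]
    if owner_labels and owner_labels[0] == "*":
        owner_labels = owner_labels[1:]
    if sig["labels"] > len(owner_labels):
        raise ValueError("RRSIG labels exceed owner name labels: bogus")
    return sig["labels"] < len(owner_labels)


def max_cache_ttl(sig: dict, rrset_ttl: int, now: datetime) -> int:
    # RFC 4035 5.3.3: never cache longer than the original TTL or the signature lifetime.
    remaining = int((sig["expiration"] - now).total_seconds())
    return max(0, min(rrset_ttl, sig["original_ttl"], remaining))
```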
