• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
DNSSEC Grunderna
 

DNSSEC Grunderna

on

  • 1,160 views

 

Statistics

Views

Total Views
1,160
Views on SlideShare
1,157
Embed Views
3

Actions

Likes
0
Downloads
0
Comments
0

2 Embeds 3

https://www.linkedin.com 2
http://www.linkedin.com 1

Accessibility

Categories

Upload Details

Uploaded via as Apple Keynote

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • <br />
  • The root is at the top of the DNS hierarchy. The root contains NS records and glue records (A pointers for IP-addresses to the nameservers) for all TLDs. Each node in the hierarchy is called a zone. A zone contains the NS pointers to the zone itself and any child zone, and all other zone data for any services for that domain name (www.example.com). <br />
  • The root is at the top of the DNS hierarchy. The root contains NS records and glue records (A pointers for IP-addresses to the nameservers) for all TLDs. Each node in the hierarchy is called a zone. A zone contains the NS pointers to the zone itself and any child zone, and all other zone data for any services for that domain name (www.example.com). <br />
  • The root is at the top of the DNS hierarchy. The root contains NS records and glue records (A pointers for IP-addresses to the nameservers) for all TLDs. Each node in the hierarchy is called a zone. A zone contains the NS pointers to the zone itself and any child zone, and all other zone data for any services for that domain name (www.example.com). <br />
  • The root is at the top of the DNS hierarchy. The root contains NS records and glue records (A pointers for IP-addresses to the nameservers) for all TLDs. Each node in the hierarchy is called a zone. A zone contains the NS pointers to the zone itself and any child zone, and all other zone data for any services for that domain name (www.example.com). <br />
  • The root is at the top of the DNS hierarchy. The root contains NS records and glue records (A pointers for IP-addresses to the nameservers) for all TLDs. Each node in the hierarchy is called a zone. A zone contains the NS pointers to the zone itself and any child zone, and all other zone data for any services for that domain name (www.example.com). <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • Symmetric crypto is a crypto where both parties use the same key to encrypt and decrypt any message. <br /> <br /> Assymetric crypto has a feature where anybody can encrypt a message using the receiver’s public key, then the receiver can decrypt that message using only his private key. <br /> <br /> The reason for having different keys for signing the zone and signing the ZSK keys is that you want to separate the delegation of trust with the signing of all zone data. <br />
  • The DNSKEY record contains information about which algorithm is used for the key, and what type of key it is (ie, KSK or ZSK). You don’t ever store any private DNSSEC keys in DNS. <br /> <br /> The signatures over the \"apex\" RR-data (for example the DNSKEY records) is done with the KSK. <br /> <br />
  • MD5 is allowed by DNSSEC but not recommended. <br />
  • This is a validated DNS answer with added DNSSEC signatured. The AD-flag is the way the resolver tells the client that it has validated the DNSSEC signatures. If the DNSSEC aware resolver for some reason failed to validate the signatures, there would be no content in the answer and the result would have been SERVFAIL. <br />
  • This is a standard zonefile with no keys or signatures and with a very limited set of data. <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • <br />
  • This is not a complete zone, only an example! What is added here is RRSIGs over every RR-set, one DNSKEY (the ZSK is not here to simplify things) and an NSEC record. <br /> A signed zonefile grows approximately 3.5 times to the original size. <br />
  • This is not a complete zone, only an example! What is added here is RRSIGs over every RR-set, one DNSKEY (the ZSK is not here to simplify things) and an NSEC record. <br /> A signed zonefile grows approximately 3.5 times to the original size. <br />
  • This is not a complete zone, only an example! What is added here is RRSIGs over every RR-set, one DNSKEY (the ZSK is not here to simplify things) and an NSEC record. <br /> A signed zonefile grows approximately 3.5 times to the original size. <br />
  • <br />
  • <br />
  • <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • The cacheing resolver performs all DNS lookups on behalf of the user. It also caches all results. The results will be refreshed after the cache entry is expired, this is controlled by what is called a TTL - Time To Live. The TTL is defined by the authoritative server for each DNS record. <br /> <br /> The servers responsible for each zone is called an Authoritative Nameserver. <br /> <br /> The act of saying “ask this nameserver” is called a “referral”. This is done if the authoritative nameserver only knows the NS record of the zone asked for. An authoritative nameserver may refuse the query if it does not know the explicit answer. <br /> <br />
  • <br />

DNSSEC Grunderna DNSSEC Grunderna Presentation Transcript

  • DNSSEC - Grunderna Patrik Wallström, R&D @ .SE Thursday, March 19, 2009
  • DNS-hierarkin Thursday, March 19, 2009
  • DNS-hierarkin . (root) Thursday, March 19, 2009
  • DNS-hierarkin . NS E.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. IN A 192.203.230.10 . NS D.ROOT-SERVERS.NET. . NS A.ROOT-SERVERS.NET.NS C.ROOT-SERVERS.NET. . D.ROOT-SERVERS.NET. IN A 128.8.10.90 C.ROOT-SERVERS.NET. IN A 192.33.4.12 A.ROOT-SERVERS.NET. IN A 198.41.0.4 A.ROOT-SERVERS.NET IN AAAA 2001:503:ba3e::2:30 B.ROOT-SERVERS.NET. . NS B.ROOT-SERVERS.NET. IN A 192.228.79.201 . (root) Thursday, March 19, 2009
  • DNS-hierarkin . NS E.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. IN A 192.203.230.10 . NS D.ROOT-SERVERS.NET. . NS A.ROOT-SERVERS.NET.NS C.ROOT-SERVERS.NET. . D.ROOT-SERVERS.NET. IN A 128.8.10.90 C.ROOT-SERVERS.NET. IN A 192.33.4.12 A.ROOT-SERVERS.NET. IN A 198.41.0.4 A.ROOT-SERVERS.NET IN AAAA 2001:503:ba3e::2:30 B.ROOT-SERVERS.NET. . NS B.ROOT-SERVERS.NET. IN A 192.228.79.201 . (root) org. NS a0.org.afilias-nst.org. se. NS b.ns.se. org. NS b0.org.afilias-nst.org. se. NS a.ns.se. a0.org.afilias-nst.info. IN A 199.19.56.1 b.ns.se. IN A 192.36.133.107 b0.org.afilias-nst.org. IN A 199.19.54.1 a.ns.se. IN A 192.36.144.107 .com .org .se .net .no Thursday, March 19, 2009
  • DNS-hierarkin . NS E.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. IN A 192.203.230.10 . NS D.ROOT-SERVERS.NET. . NS A.ROOT-SERVERS.NET.NS C.ROOT-SERVERS.NET. . D.ROOT-SERVERS.NET. IN A 128.8.10.90 C.ROOT-SERVERS.NET. IN A 192.33.4.12 A.ROOT-SERVERS.NET. IN A 198.41.0.4 A.ROOT-SERVERS.NET IN AAAA 2001:503:ba3e::2:30 B.ROOT-SERVERS.NET. . NS B.ROOT-SERVERS.NET. IN A 192.228.79.201 . (root) org. NS a0.org.afilias-nst.org. se. NS b.ns.se. org. NS b0.org.afilias-nst.org. se. NS a.ns.se. a0.org.afilias-nst.info. IN A 199.19.56.1 b.ns.se. IN A 192.36.133.107 b0.org.afilias-nst.org. IN A 199.19.54.1 a.ns.se. IN A 192.36.144.107 .com .org .se .net .no iana.org. NS a.iana-servers.net. iis.se. NS ns2.nic.se. a.iana-servers.net.ns.icann.org. iana.org. NS IN A 192.0.34.43 iis.se. NS ns.nic.se. ns2.nic.se. IN A 194.17.45.54 ns.icann.org. IN A 92.0.34.126 ns.nic.se. IN A 212.247.7.228 iana.org iis.se Thursday, March 19, 2009
  • DNS-hierarkin . NS E.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. IN A 192.203.230.10 . NS D.ROOT-SERVERS.NET. . NS A.ROOT-SERVERS.NET.NS C.ROOT-SERVERS.NET. . D.ROOT-SERVERS.NET. IN A 128.8.10.90 C.ROOT-SERVERS.NET. IN A 192.33.4.12 A.ROOT-SERVERS.NET. IN A 198.41.0.4 A.ROOT-SERVERS.NET IN AAAA 2001:503:ba3e::2:30 B.ROOT-SERVERS.NET. . NS B.ROOT-SERVERS.NET. IN A 192.228.79.201 . (root) org. NS a0.org.afilias-nst.org. se. NS b.ns.se. org. NS b0.org.afilias-nst.org. se. NS a.ns.se. a0.org.afilias-nst.info. IN A 199.19.56.1 b.ns.se. IN A 192.36.133.107 b0.org.afilias-nst.org. IN A 199.19.54.1 a.ns.se. IN A 192.36.144.107 .com .org .se .net .no iana.org. NS a.iana-servers.net. iis.se. NS ns2.nic.se. a.iana-servers.net.ns.icann.org. iana.org. NS IN A 192.0.34.43 iis.se. NS ns.nic.se. ns2.nic.se. IN A 194.17.45.54 ns.icann.org. IN A 92.0.34.126 ns.nic.se. IN A 212.247.7.228 iana.org iis.se www.iana.org. IN A 208.77.188.193 www.iis.se. IN A 212.247.7.220 www.iana.org. IN AAAA 2620:0:2d0:1::193 Thursday, March 19, 2009
  • . (root) Thursday, March 19, 2009
  • . (root) Thursday, March 19, 2009
  • . (root) Totalt 168 servrar Thursday, March 19, 2009
  • . (root) Totalt 168 servrar VeriSign USC-ISI Cogent UMD NASA-ARC ISC DOD-NIC ARL Autonomica RIPE ICANN WIDE Thursday, March 19, 2009
  • . (root) Totalt 168 servrar VeriSign USC-ISI Cogent UMD NASA-ARC ISC DOD-NIC ARL Autonomica RIPE ICANN WIDE http://www.internic.net/zones/named.root Thursday, March 19, 2009
  • .SE Thursday, March 19, 2009
  • .SE Thursday, March 19, 2009
  • .SE Ca 150 namnservrar 4 Operatörer 3 Anycast-kluster Thursday, March 19, 2009
  • Slå upp i DNS . (root) Klient- dator Cacheing .com resolver .org .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) Klient- dator Cacheing .com resolver .org .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) Klient- dator Cacheing .com resolver .org www.iis.se? 1 .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) 2 www.iis.se? Klient- dator Cacheing .com resolver .org www.iis.se? 1 .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) 2 www.iis.se? fråga a.ns.se! Klient- 3 dator Cacheing .com resolver .org www.iis.se? 1 .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) 2 www.iis.se? fråga a.ns.se! Klient- 3 dator Cacheing .com resolver .org www.iis.se? 1 www.iis.se? .se 4 iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) 2 www.iis.se? fråga a.ns.se! Klient- 3 dator Cacheing .com resolver .org www.iis.se? 1 www.iis.se? .se 4 fråga ns.nic.se! 5 iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) 2 www.iis.se? fråga a.ns.se! Klient- 3 dator Cacheing .com resolver .org www.iis.se? 1 www.iis.se? .se 4 fråga ns.nic.se! 5 www.iis.se? 6 iis.se iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) 2 www.iis.se? fråga a.ns.se! Klient- 3 dator Cacheing .com resolver .org www.iis.se? 1 www.iis.se? .se 4 fråga ns.nic.se! 5 www.iis.se? www.iis.se 6 fråga adress iis.se 7 212.247.7.210 iana.org Thursday, March 19, 2009
  • Slå upp i DNS DHCP server . (root) 2 www.iis.se? fråga a.ns.se! Klient- 3 dator Cacheing .com resolver .org www.iis.se? 1 www.iis.se? .se www.iis.se 4 8 har adressen fråga ns.nic.se! 212.247.7.210 5 www.iis.se? www.iis.se 6 fråga adress iis.se 7 212.247.7.210 iana.org Thursday, March 19, 2009
  • Blanda in krypto i mixen Assymetriska krypton: Assymetriska nyckalpar har en publik och privat del Skydda den privata nyckeln Publicera den publika nyckeln KSK: Nyckelsigneringsnyckeln - Vad man litar på Signerar Zonsigneringsnyckeln, ZSK ZSK: Zonsigneringsnyckeln Skapar signaturer av poster i zonen - RRSIG Thursday, March 19, 2009
  • DNSKEY och RRSIG iis.se. IN DNSKEY 257 3 5 wEAAcq5uqe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs LNVHF61lcxe504jhPmjeQ656X6tdHpRz1DdPOukcIITjIRoJHqSXXyL6gUluZoDUK6vpxkGJx5m5n4boRTKCT KSK UAR9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iK E9FhqPeIpzU9dnXGtJZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R +mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk= iis.se. IN DNSKEY 256 3 5 AwEAAdancK9+0Il/tuXCBylBiUpNq4RGzDE2uQ6+nb6Un0myCJFzaN3 ZSK bzSMjAU5xlt6vnAfFZkRNKANu06j2zYjRbQucYfLEq69GIKOBnSHA46H 7uUDqM32KEL+KflIlQvFpXW2/ r835mP9+dtlsa860Kf1n2ye/77I9QtC gBeZ5okF Thursday, March 19, 2009
  • DNSKEY och RRSIG iis.se. IN DNSKEY 257 3 5 wEAAcq5uqe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs LNVHF61lcxe504jhPmjeQ656X6tdHpRz1DdPOukcIITjIRoJHqSXXyL6gUluZoDUK6vpxkGJx5m5n4boRTKCT KSK UAR9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iK E9FhqPeIpzU9dnXGtJZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R +mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk= iis.se. IN DNSKEY 256 3 5 AwEAAdancK9+0Il/tuXCBylBiUpNq4RGzDE2uQ6+nb6Un0myCJFzaN3 ZSK bzSMjAU5xlt6vnAfFZkRNKANu06j2zYjRbQucYfLEq69GIKOBnSHA46H 7uUDqM32KEL+KflIlQvFpXW2/ r835mP9+dtlsa860Kf1n2ye/77I9QtC gBeZ5okF iis.se. IN RRSIG DNSKEY 5 2 3600 20090205084501 20090126084501 18937 iis.se. DiNYYelgXcgIi6+xevjgqSy/ilcWmu52LkcKk9AwoWbcBrf1Zag8gowv 8S0LWJjKUO2aYRy53VvU/nkI20AJBuec/ RRSIG PYtEw7pK8Z3fMFspQZeqR8Z kTQv6+l5w1n1UUKIzRNtFG5FEH5zSdb5sOL8YEyIUVScuHewmtkwoN+M dWkoB5IEb3IuT57LgiQPxMogFRH9xoR/DrP299pvBQ78dgmbCwHxQCVG orGY1XHbvfwndsqrnFmBxrxu6DwZitXSCVHWgsiMMVE/rhKpdlCwl3uZ WJ4vipACelaqjdqpZG2sLbfKpeK44WeMTiaSgypDQVnXdDaP0g7mMk3o 0xGLXQ== iis.se. IN RRSIG DNSKEY 5 2 3600 20090205084501 20090126084501 27345 iis.se. DLAB4SbzYw9YEs3rj0vE3eXmA6J3HiFIi0jgO3wVtnwnCzn9J5iSuTUn b1iUjsk4TpwuF6tf4udo9L1lAQPGyw RRSIG +qLzEKdfQ+G02n1rvcSBDU8pPT MsgyCz6DV+TJ/oGkCVi4grUycj4q5rtCRToL4Icdx+F91moY0yW2LO6T qMw= Thursday, March 19, 2009
  • Signaturer? En signatur är en krypterad hash av data. Nyckeln som används för kryptering är den privata nyckeln och signaturen kan verifieras genom att dekryptera hashen med den publika nyckeln. Thursday, March 19, 2009
  • Signaturer? En signatur är en krypterad hash av data. Nyckeln som används för kryptering är den privata nyckeln och signaturen kan verifieras genom att dekryptera hashen med den publika nyckeln. En hash är en checksumma av en uppsättning data. Typiska checksummealgoritmer är MD5, SHA-1 och SHA-256. MD5 antas vara sårbar. Thursday, March 19, 2009
  • DNSSEC-signaturer fou$~>dig ns iis.se +dnssec ; <<>> DiG 9.4.2-P2 <<>> ns iis.se +dnssec ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34814 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;iis.se. IN NS ;; ANSWER SECTION: iis.se. 2272 IN NS ns.nic.se. iis.se. 2272 IN NS ns2.nic.se. iis.se. 2272 IN NS ns3.nic.se. iis.se. 2272 IN RRSIG NS 5 2 3600 20081204120501 20081124120501 51402 iis.se. ukl8uMjAcAC0MiFD9jtWGR5/2AOQ4zrQ3U+x7GmHDBcUBwnRbL/v+BFW yaJdOwwUEpVf30abdRSlNfQRJB19/bt3Rs2AlqLhoQHBFGFuohNVp16D dQyvtJgxnufD+RR/E9iwEgXwIxIFnJ1xnT1GfAqmgiHZhiuzU6DqOMmb tBI= ;; ADDITIONAL SECTION: ns.nic.se. 876 IN A 212.247.7.228 ns2.nic.se. 876 IN A 194.17.45.54 ns3.nic.se. 85433 IN A 212.247.3.83 ns.nic.se. 876 IN RRSIG A 5 3 3600 20081202051001 20081122051001 54675 nic.se. bb6J +7yhGzZORCtCMtFU9BDX8uVbn4ySh6+Ssh02xojzt+OnKdaUj4ZC c9yyqqEfz2hZmY1T91lMhHp+38MSlbAs8Lmtn8sL+K+AOKNfA3dVSOOx oDOI0xxUfFXXExNw/KBBUPVDqGOQnhMsvAMN721NaS8XNqhKPCtRWm24 fkg= ns2.nic.se. 876 IN RRSIG A 5 3 3600 20081202051001 20081122051001 54675 nic.se. FD5c3mS +ul4HmTHHOfO9jkVVgH/9h+Ai5LZ9snxZbIjkX2z5ysqhT3qp ucHUd5vz1TRJkyr2hSpKQjEiHw3fP4bphUCnP72B8g3jwxIU3RaBwPGL xLYt7Zb//5q/ jY72ppgtijNSRwvkS/ghhjiKK6/nG/itymVtIPRHVtF5 RMI= ;; Query time: 1 msec ;; SERVER: 212.247.7.170#53(212.247.7.170) ;; WHEN: Thu Nov 27 14:52:09 2008 ;; MSG SIZE rcvd: 638 Thursday, March 19, 2009
  • Zonfil utan DNSSEC @ IN SOA ns.nic.se. hostmaster.iis.se. ( 2009012701 ; serial 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS ns.nic.se. NS ns2.nic.se. NS ns3.nic.se. MX 10 cleaner.prod.iis.se. $ORIGIN iis.se. www IN A 212.247.7.210 Thursday, March 19, 2009
  • Fingeravtryck Ett fingeravtryck är en checksumma av en nyckel. Fingeravtryck publiceras ofta istllet för nycklar eftersom de är mycket kortare än en nyckel, och betydligt lättare att läsa. Thursday, March 19, 2009
  • Fingeravtryck Ett fingeravtryck är en checksumma av en nyckel. Fingeravtryck publiceras ofta istllet för nycklar eftersom de är mycket kortare än en nyckel, och betydligt lättare att läsa. AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs +LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+X XyL6gUluZoD +K6vpxkGJx5m5n4boRTKCTUAR9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0U O7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJZCx9t WSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R +mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk= 10DD1EFDC7841ABFDF630C8BB37153724D70830A Thursday, March 19, 2009
  • DS-poster DS - Delegation Signer. En DS-post (hashen av en DNSKEY) publiceras i förälderzonen för att delegera tillit till barnzonen. Thursday, March 19, 2009
  • DS-poster DS - Delegation Signer. En DS-post (hashen av en DNSKEY) publiceras i förälderzonen för att delegera tillit till barnzonen. Detta är vad som är publicerat för iis.se hos .se: iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543 iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A Thursday, March 19, 2009
  • DS-poster DS - Delegation Signer. En DS-post (hashen av en DNSKEY) publiceras i förälderzonen för att delegera tillit till barnzonen. Detta är vad som är publicerat för iis.se hos .se: iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543 iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A Två DS-poster - två algoritmer används för .SE, SHA-1 och SHA-256. Både DS och NS signeras av föräldern. Thursday, March 19, 2009
  • DS-delegeringen .se: iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543 DS iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A iis.se: iis.se. IN DNSKEY 257 3 5 AwEAAcq5u +qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs +LNVHF61lcxe504jhPmjeQ656X6t KSK+dHpRz1DdPO/ukcIITjIRoJHqS+X XyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC 3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMw Q4H9iKE9FhqPeIpzU9dnXGtJ +ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R +mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk= Thursday, March 19, 2009
  • DS-delegeringen .se: iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543 DS iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A iis.se: iis.se. IN DNSKEY 257 3 5 AwEAAcq5u +qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs +LNVHF61lcxe504jhPmjeQ656X6t KSK+dHpRz1DdPO/ukcIITjIRoJHqS+X XyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC 3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMw Q4H9iKE9FhqPeIpzU9dnXGtJ +ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R +mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk= Om du har flera KSK-nycklar kommer du också ha fler DS-poster i förälderzonen. Thursday, March 19, 2009
  • NSEC Proof of non-existance. Man vill också skydda sig från att någon genomför en DoS- attack mot ett namn i DNS. Detta görs med NSEC. Thursday, March 19, 2009
  • NSEC Proof of non-existance. Man vill också skydda sig från att någon genomför en DoS- attack mot ett namn i DNS. Detta görs med NSEC. iis.se. IN NSEC iis07.se. NS DS RRSIG NSEC iis.se. IN RRSIG NSEC 5 2 7200 20090131230405 20090126101756 28770 se. GK6JQNDTsHlI3z8v1QR2jHr2VNpzhyB2UYFCEASJJBINnRpaUpmnsE4 iF9AoyS4g50Lly1zJb659bY76hkmaJDO6Xwl0+llefX8ZN9iv0snfd2GUJyGyJzlu9txg ZTsfC7HQcX1gZPjnq9BgE1YDHifJNZAqijBG83rtj 9Wc= NSEC pekar på nästa label (domännamn) i zonen. Thursday, March 19, 2009
  • En signerad zon Thursday, March 19, 2009
  • @ IN SOA ns.nic.se. hostmaster.iis.se. ( En signerad zon 2009012501 ; serial 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) RRSIG SOA 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. BGZ3AMUQ3GL3yowBrrLhV9Sa8s47nmXm2ci6ZjC4kCickw5Wo1d+zSPpV9SL4hVF0XwYOtP fNAcGh7BaasK/jhDLMBzoI4O5ZujV0erUj/U2or27WEinUu+q5zeLiPrPy4pG654dZ+0y9aT 7NwvCkxliKoaVlweyU4UafyxA8U= ) NS ns.nic.se. NS ns2.nic.se. NS ns3.nic.se. RRSIG NS 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. sPbCYM62YiB0ciIBev+As97d/oTXVy/97EV6JITcod4xUWMjAIcuAyoFdYpGTEddAfe8xK+w D1nwSJLAleA7uefzOOClCxS/pIJq8Hbh92nZ0VN30wTEHk8mb97ivWrRxAqUQaeINSOei5Zh /J8ymfL9X639SvO2y5jHiXeZ0JM= ) MX 10 cleaner.prod.iis.se. RRSIG MX 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. L+EZ/NDc5/PTDx6PLOkAUJOUdbd50bYAqNpA/WQq3s8l6g5she6A5IpgtR7BQ4zF2XtnDX0G vE7Zxqi6iWE/Pyd1iVxChi7NmgzK7siazfYl R7fFE+ZPSAfIHjAafD5scmk2OOIMaZzvhkk8 nYzqbCCC0gVgurXsx8nycOUZbTM= ) DNSKEY 257 3 5 ( BQEAAAABuM9XroBb7Qrrz3winhL2vgNOEKDqTwiajUt/lYn9Z6GlPjd2hAsubgm+tXGKs2qo kdfsvCOVljiyRA885uI2o2S5ELLFlCw4LiJbedAAuJXNDvwwB8Xf8tYwxxh82fZ9JqwqD+n6 E31w/aL0UlGuIh7PWE/lMj+O8iMv3croHScHkfVxtz9aF2fRI2QwXCjcrvS5i06Ss14Af2bB BUrX0y8cXKI9AulrWZIniWLIce6b88yzxPuqJaNjOg8LFC1tMsSm6aeEKErQgJaeMJheRo4P WFitdMB9FpCH/6ylVEbZJpm/hKOZp2uedh8AmxmSDhUM7bMngQmXD/qpgrApqQ== ) ; key id = 27840 RRSIG DNSKEY 5 2 3600 20090131030501 ( 20090125030501 53069 iis.se. Kco8fH1BINR2xVe4kTtFBbjKtLe0BFvhP9iZWxgR9DCqKVK5VzxnTcLAJGF8xjwq0W8IUZws GSgWyOsx7bzrfoMNlkutYP14nTJio5zjX4heSx2C4Dx33egg0IlM/iur52O7KWEF7AC7l+ra RP3GGTCu7Ls0kGc2GDGNxothr8A= ) NSEC www.iis.se. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY RRSIG NSEC 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. KOFHUf1ZB+e/AxGdMkTkq9W461AjFjxLHBrMRt5ULZ4+lfMsYHw5VSecMq61VabhXO5ziOCj B1vK4BYrUeC+xAMFWJzn6xsLMDj/MMjM5d2iZhjE1zPc2sX42M6er1fjF9rw3qjWCFTLdy8Z CTsiw0Ou7ESX6afYwkb7QkTdL9g= ) Thursday, March 19, 2009
  • @ IN SOA ns.nic.se. hostmaster.iis.se. ( En signerad zon 2009012501 ; serial 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) RRSIG SOA 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. BGZ3AMUQ3GL3yowBrrLhV9Sa8s47nmXm2ci6ZjC4kCickw5Wo1d+zSPpV9SL4hVF0XwYOtP RRSIG fNAcGh7BaasK/jhDLMBzoI4O5ZujV0erUj/U2or27WEinUu+q5zeLiPrPy4pG654dZ+0y9aT 7NwvCkxliKoaVlweyU4UafyxA8U= ) NS ns.nic.se. NS ns2.nic.se. NS ns3.nic.se. RRSIG NS 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. sPbCYM62YiB0ciIBev+As97d/oTXVy/97EV6JITcod4xUWMjAIcuAyoFdYpGTEddAfe8xK+w RRSIG D1nwSJLAleA7uefzOOClCxS/pIJq8Hbh92nZ0VN30wTEHk8mb97ivWrRxAqUQaeINSOei5Zh /J8ymfL9X639SvO2y5jHiXeZ0JM= ) MX 10 cleaner.prod.iis.se. RRSIG MX 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. RRSIG L+EZ/NDc5/PTDx6PLOkAUJOUdbd50bYAqNpA/WQq3s8l6g5she6A5IpgtR7BQ4zF2XtnDX0G vE7Zxqi6iWE/Pyd1iVxChi7NmgzK7siazfYl R7fFE+ZPSAfIHjAafD5scmk2OOIMaZzvhkk8 nYzqbCCC0gVgurXsx8nycOUZbTM= ) DNSKEY 257 3 5 ( BQEAAAABuM9XroBb7Qrrz3winhL2vgNOEKDqTwiajUt/lYn9Z6GlPjd2hAsubgm+tXGKs2qo kdfsvCOVljiyRA885uI2o2S5ELLFlCw4LiJbedAAuJXNDvwwB8Xf8tYwxxh82fZ9JqwqD+n6 E31w/aL0UlGuIh7PWE/lMj+O8iMv3croHScHkfVxtz9aF2fRI2QwXCjcrvS5i06Ss14Af2bB KSK BUrX0y8cXKI9AulrWZIniWLIce6b88yzxPuqJaNjOg8LFC1tMsSm6aeEKErQgJaeMJheRo4P WFitdMB9FpCH/6ylVEbZJpm/hKOZp2uedh8AmxmSDhUM7bMngQmXD/qpgrApqQ== ) ; key id = 27840 RRSIG DNSKEY 5 2 3600 20090131030501 ( RRSIG 20090125030501 53069 iis.se. Kco8fH1BINR2xVe4kTtFBbjKtLe0BFvhP9iZWxgR9DCqKVK5VzxnTcLAJGF8xjwq0W8IUZws GSgWyOsx7bzrfoMNlkutYP14nTJio5zjX4heSx2C4Dx33egg0IlM/iur52O7KWEF7AC7l+ra RP3GGTCu7Ls0kGc2GDGNxothr8A= ) NSEC www.iis.se. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY NSEC RRSIG NSEC 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. KOFHUf1ZB+e/AxGdMkTkq9W461AjFjxLHBrMRt5ULZ4+lfMsYHw5VSecMq61VabhXO5ziOCj RRSIG B1vK4BYrUeC+xAMFWJzn6xsLMDj/MMjM5d2iZhjE1zPc2sX42M6er1fjF9rw3qjWCFTLdy8Z CTsiw0Ou7ESX6afYwkb7QkTdL9g= ) Thursday, March 19, 2009
  • @ IN SOA ns.nic.se. hostmaster.iis.se. ( En signerad zon 2009012501 ; serial 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) RRSIG SOA 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. BGZ3AMUQ3GL3yowBrrLhV9Sa8s47nmXm2ci6ZjC4kCickw5Wo1d+zSPpV9SL4hVF0XwYOtP RRSIG fNAcGh7BaasK/jhDLMBzoI4O5ZujV0erUj/U2or27WEinUu+q5zeLiPrPy4pG654dZ+0y9aT 7NwvCkxliKoaVlweyU4UafyxA8U= ) NS ns.nic.se. NS ns2.nic.se. KSK publiceras som NS ns3.nic.se. RRSIG NS 5 2 86400 20090131030501 ( DS hos föräldern 20090125030501 53069 iis.se. sPbCYM62YiB0ciIBev+As97d/oTXVy/97EV6JITcod4xUWMjAIcuAyoFdYpGTEddAfe8xK+w RRSIG D1nwSJLAleA7uefzOOClCxS/pIJq8Hbh92nZ0VN30wTEHk8mb97ivWrRxAqUQaeINSOei5Zh /J8ymfL9X639SvO2y5jHiXeZ0JM= ) MX 10 cleaner.prod.iis.se. RRSIG MX 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. RRSIG L+EZ/NDc5/PTDx6PLOkAUJOUdbd50bYAqNpA/WQq3s8l6g5she6A5IpgtR7BQ4zF2XtnDX0G vE7Zxqi6iWE/Pyd1iVxChi7NmgzK7siazfYl R7fFE+ZPSAfIHjAafD5scmk2OOIMaZzvhkk8 nYzqbCCC0gVgurXsx8nycOUZbTM= ) DNSKEY 257 3 5 ( BQEAAAABuM9XroBb7Qrrz3winhL2vgNOEKDqTwiajUt/lYn9Z6GlPjd2hAsubgm+tXGKs2qo kdfsvCOVljiyRA885uI2o2S5ELLFlCw4LiJbedAAuJXNDvwwB8Xf8tYwxxh82fZ9JqwqD+n6 DS E31w/aL0UlGuIh7PWE/lMj+O8iMv3croHScHkfVxtz9aF2fRI2QwXCjcrvS5i06Ss14Af2bB KSK BUrX0y8cXKI9AulrWZIniWLIce6b88yzxPuqJaNjOg8LFC1tMsSm6aeEKErQgJaeMJheRo4P WFitdMB9FpCH/6ylVEbZJpm/hKOZp2uedh8AmxmSDhUM7bMngQmXD/qpgrApqQ== ) ; key id = 27840 RRSIG DNSKEY 5 2 3600 20090131030501 ( RRSIG 20090125030501 53069 iis.se. Kco8fH1BINR2xVe4kTtFBbjKtLe0BFvhP9iZWxgR9DCqKVK5VzxnTcLAJGF8xjwq0W8IUZws GSgWyOsx7bzrfoMNlkutYP14nTJio5zjX4heSx2C4Dx33egg0IlM/iur52O7KWEF7AC7l+ra RP3GGTCu7Ls0kGc2GDGNxothr8A= ) NSEC www.iis.se. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY NSEC RRSIG NSEC 5 2 86400 20090131030501 ( 20090125030501 53069 iis.se. KOFHUf1ZB+e/AxGdMkTkq9W461AjFjxLHBrMRt5ULZ4+lfMsYHw5VSecMq61VabhXO5ziOCj RRSIG B1vK4BYrUeC+xAMFWJzn6xsLMDj/MMjM5d2iZhjE1zPc2sX42M6er1fjF9rw3qjWCFTLdy8Z CTsiw0Ou7ESX6afYwkb7QkTdL9g= ) Thursday, March 19, 2009
  • Nycklar i resolvern En resolver måste åtminstone ha en nyckel för att verifiera DNSSEC-poster. För .SE använder vi två överlappande KSK, där varje är giltig i två år. Year 1 Year 2 Year 3 Year 4 KSK n KSK n+1 Thursday, March 19, 2009
  • Hämta nycklarna från .SE http://iis.se/domains/sednssec/publickey -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 se. IN DNSKEY 257 3 5 ( AwEAAdKc1sGsbv5jjeJ141IxNSTdR+nbtFn+JKQpvFZE TaY5iMutoyWHa+jCp0TBBAzB2trGHzdi7E55FFzbeG0r +G6SJbJ4DXYSpiiELPiu0i+jPp3C3kNwiqpPpQHWaYDS 9MTQMu/QZHR/sFPbUnsK30fuQbKKkKgnADms0aXalYUu CgDyVMjdxRLz5yzLoaSO9m5ii5cI0dQNCjexvj9M4ec6 woi6+N8v1pOmQAQ9at5Fd8A6tAxZI8tdlEUnXYgNwb8e VZEWsgXtBhoyAru7Tzw+F6ToYq6hmKhfsT+fIhFXsYso 7L4nYUqTnM4VOZgNhcTv+qVQkHfOOeJKUkNB8Qc= ); key id = 49678 se. IN DNSKEY 257 3 5 ( AwEAAeeGE5unuosN3c8tBcj1/q4TQEwzfNY0GK6kxMVZ 1wcTkypSExLCBPMS0wWkrA1n7t5hcM86VD94L8oEd9jn HdjxreguOZYEBWkckajU0tBWwEPMoEwepknpB14la1wy 3xR95PMt9zWceiqaYOLEujFAqe6F3tQ14lP6FdFL9wyC flV06K1ww+gQxYRDo6h+Wejguvpeg33KRzFtlwvbF3Aa pH2GXCi4Ok2+PO2ckzfKoikIe9ZOXfrCbG9ml2iQrRNS M4q3zGhuly4NrF/t9s9jakbWzd4PM1Q551XIEphRGyqc bA2JTU3/mcUVKfgrH7nxaPz5DoUB7TKYyQgsTlc= ); key id = 8779 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFJQmz4/OxRKPRA7psRAqKyAKCqzF2oamv1kwY3/5f27ioxicVMZACfX8By sKp405q8KBbheYVYKb5gE7k= =T8Is -----END PGP SIGNATURE----- Thursday, March 19, 2009
  • Exempel i BIND I din named.conf: trusted-keys { quot;se.quot; 257 3 5 quot;AQOfYGgsIqyVeES+J9JWQ/ xZdK92sZVN2tTXlJeDm5DgIQM0qfvC3Cd6T3unHQf7pTQv8hf3qP/ 50yFEVttiGPVL4ctm3KFhaybJGz/1/AGkCdqmGPymAcVVvdBICCx165gusSsK5fF70j +Zm6r4NBsFMyUiIPLiMkKHPQE2pWDMLw==quot;; }; options { dnssec-enable yes; dnssec-validation yes; }; Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) Klientdator omedveten Cacheing resolver om DNSSEC .com konfigurerad för .SE .org .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) Klientdator omedveten Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do omedveten Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 .se iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 www.iis.se? +do .se 4 iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 www.iis.se? +do .se 4 DS RRSIG fråga ns.nic.se! 5 iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 www.iis.se? +do .se DNSKEY 4 DS RRSIG fråga ns.nic.se! 5 iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 www.iis.se? +do .se DNSKEY 4 DS RRSIG fråga ns.nic.se! 5 www.iis.se? +do 6 iis.se iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 www.iis.se? +do .se DNSKEY 4 DS RRSIG fråga ns.nic.se! 5 www.iis.se? +do www.iis.se 6 har adressen iis.se 7 RRSIG 212.247.7.210 iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 www.iis.se? +do .se DNSKEY 4 DS RRSIG fråga ns.nic.se! 5 DNSKEY www.iis.se? +do www.iis.se 6 har adressen iis.se 7 RRSIG 212.247.7.210 iana.org Thursday, March 19, 2009
  • Slå upp DNS med DNSSEC . (root) 2 Klientdator www.iis.se? +do fråga a.ns.se! omedveten 3 Cacheing resolver om DNSSEC .com konfigurerad för .SE .org www.iis.se? 1 www.iis.se? +do .se www.iis.se DNSKEY 4 8 DS har adressen RRSIG 212.247.7.210 fråga ns.nic.se! 5 +ad DNSKEY www.iis.se? +do www.iis.se 6 har adressen iis.se 7 RRSIG 212.247.7.210 iana.org Thursday, March 19, 2009
  • Vanliga konfigurationsfel Alla namnservrar kör inte DNSSEC Endast ZSK i zonfilen Inga signaturer Thursday, March 19, 2009