ION Hangzhou - How to Deploy DNSSEC

Published on 14 July 2016, ION Hangzhou (China). How to deploy DNSSEC - a case study from CNNIC.

Published in: Technology

Slide 1. DNSSEC Deployment Introduction (2016-07)

Slide 2. OUTLINE: DNSSEC Deployment Introduction
1. Brief Introduction
2. Preparation
3. Process
4. Strategy
5. Influence

Slide 3. OUTLINE (section divider; same list as slide 2)
Slide 4. 1.1. DNSSEC
• DNS Security Extensions
• A system to verify the authenticity of DNS "data"
• Detects cache poisoning, MITM, …
• Data origin authentication and data integrity
• Authenticated non-existence of a name or type
Slide 5. 1.2. Progress
• 1378 TLDs in the root zone in total
• 1223 TLDs are signed
• 1213 TLDs have trust anchors published as DS records in the root zone
• 5 TLDs have trust anchors published in the ISC DLV Repository
Slide 6. 1.3. Timeline (deployment stages)
• Experimental: internal experimentation
• Announced: public commitment to deploy
• Partial: zone is signed but not in operation
• DS in Root: zone is signed and its DS has been published
• Operational: accepting signed delegations and DS in root
Slide 7. 1.3. Timeline (CNNIC)
• 2010-12 ~ 2013-03: Experimental
• 2013-04: Announced
• 2013-08: Partial
• 2013-09: DS in Root
• 2013-12: Operational
Work done in each stage:
• Experimental: software development; risk analysis
• Announced: hardware & software deployment; training and drills
• Partial: signing & rollover; observation & verification
• DS in Root: DS generation & submission; observation & verification
• Operational: development and upgrades; debugging
Slide 8. OUTLINE (section divider; same list as slide 2)
Slide 9. 2.1. Test-bed
1. Simulate the real environment
2. DNS system
3. EPP
4. Sign zone
5. Key rotation
6. Emergency response
7. …
(Diagram: test-bed topology with HSM, firewalls (FW), router (RT), load balancer (LB), switches (SW), DB server, name servers, user and registrar.)
Slide 10. 2.2. Upgrading & Survey
Survey items:
1. Data packet increase
2. Insufficient memory
3. Network bandwidth
4. EDNS0
5. TCP
6. …
Equipment to upgrade:
1. DNS server
2. Router
3. Firewall
4. Switch
5. Load balancer
6. …
Slide 11. 2.3. Documents & Training
Documents:
1. Deployment scheme
   a) Make the technical details clear
   b) Assign every task to a person
   c) Schedule the work over time
2. Emergency plan
3. DPS (DNSSEC Practice Statement)
4. …
Training:
1. Basic knowledge of DNSSEC
2. Operational skills
3. Emergency response
4. …
Slide 12. OUTLINE (section divider; same list as slide 2)
Slide 13. 3.1. Keys
• Key type, algorithm and length
  Key Type | Function          | Algorithm  | Length | NSEC/NSEC3
  ZSK      | Sign RRsets       | RSA-SHA256 | 1024   | NSEC3
  KSK      | Sign DNSKEY RRset | RSA-SHA256 | 2048   | NSEC3
• Key rollover cycle and RRSIG period
  Key Type | Period    | Roll      | Overlap | RRSIG Period
  ZSK      | 100 days  | 90 days   | 10 days | 30 days
  KSK      | 13 months | 12 months | 30 days | –
• Different types of zones use different key pairs
Slide 14. 3.2. DNSSEC Environment
(Diagram: production environment with HSM, firewalls (FW), router (RT), load balancer (LB), switches (SW), DB server, and name servers at several sites.)
Slide 15. 3.3. Switching Scheme
1. Several sites using anycast
2. On-line switching
3. Immediate verification
   a) Part of the servers receive the DNSSEC zone data
   b) Verify the data
   c) Bring them online
   d) Take the non-DNSSEC servers offline
   e) Repeat
Slide 16. 3.4. Emergency Response Strategy
1. An emergency response strategy for every step;
2. Anycast ensures the availability of the service;
3. If the DNSSEC service in the main operation center is down, the secondary operation center can take over the service shortly;
4. If the DNSSEC service at a site is down, the DNS service (without DNSSEC) can take over the service within 10 minutes;
5. Comprehensive checking mechanism.
Slide 17. 3.5. Submit DS in Root
1. Email
2. Online system
3. Check, check, check…
4. Validation
Slide 18. 3.6. Commands
• Recursive (validating resolver):
  options {
      dnssec-enable yes;
      dnssec-validation auto;
      dnssec-lookaside auto;
  };
  trusted-keys {
      . 257 3 8 "AwEAAag……1ihz0=";
  };
• Authority (signing name server):
  options {
      dnssec-enable yes;
  };
  dnssec-keygen ……
  dnssec-signzone …… > ***.zone.signed
  zone "example.com" {
      type master;
      file "zones/example.com/***.zone.signed";
      key-directory "keys/";
  };
Slide 19. OUTLINE (section divider; same list as slide 2)
Slide 20. 4.1. Zone Signing
• Zone signing is recommended to be executed in the HSM; the basic procedure is as follows:
  a) The primary master obtains the RRs from the registration database and generates the original zone file;
  b) The hidden primary master sends the original zone file to the HSM;
  c) The HSM reads the right keys;
  d) The HSM signs the zone using the keys;
  e) The HSM sends the signed zone back to the hidden primary master;
  f) The signed zone is loaded onto the hidden primary master, which updates the secondary master servers.
Slide 21. 4.2. Key Rollover
ZSK
• To prevent the keys from being cracked or leaked, the ZSK should be replaced and rotated on a regular basis;
• The ZSK roll-over policy adopts a pre-publish mechanism (RFC 4641);
• The validity period of each ZSK generated is 100 days and the roll-over cycle is 90 days.
KSK
• To prevent the keys from being cracked or leaked, the ZSK should be replaced and rotated on a regular basis;
• The ZSK roll-over policy adopts a pre-publish mechanism (RFC 4641);
• The validity period of each ZSK generated is 100 days and the roll-over cycle is 90 days.
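The pre-publish ZSK rollover described on this slide, with the 100/90/10-day figures from slide 13, can be checked for cache safety by simulating what a validating resolver may still hold in its cache. This is an added example, not CNNIC's code or tooling; the one-day maximum TTL and the one-day hold of a retired key in the DNSKEY RRset are assumptions the slides do not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ZskPolicy:
    roll: int     # days between successive ZSK activations (slide 13: 90)
    overlap: int  # days a new ZSK is published before it starts signing (slide 13: 10)
    hold: int     # days a retired ZSK stays in DNSKEY after it stops signing (assumed)
    ttl: int      # largest TTL, in days, of DNSKEY and signed RRsets (assumed)

# Figures from the slides: validity period 100 days = roll 90 + overlap 10.
# hold and ttl are assumptions for this simulation, not values from the deck.
CNNIC_ZSK = ZskPolicy(roll=90, overlap=10, hold=1, ttl=1)

def key_timeline(p: ZskPolicy, k: int):
    """(publish, active, retire, remove) days of the k-th ZSK under policy p."""
    publish = k * p.roll
    active = publish + p.overlap
    retire = active + p.roll          # the next key takes over signing
    remove = retire + p.hold
    return publish, active, retire, remove

def published_keys(p: ZskPolicy, day: int, nkeys: int) -> set:
    """Indices of the ZSKs present in the DNSKEY RRset on `day`."""
    return {k for k in range(nkeys)
            if key_timeline(p, k)[0] <= day < key_timeline(p, k)[3]}

def signing_key(p: ZskPolicy, day: int, nkeys: int):
    """Index of the ZSK that signs the zone on `day`, or None."""
    for k in range(nkeys):
        _, active, retire, _ = key_timeline(p, k)
        if active <= day < retire:
            return k
    return None

def rollover_is_safe(p: ZskPolicy, horizon: int) -> bool:
    """Pre-publish safety (RFC 4641): a validator may hold a DNSKEY RRset and an
    RRSIG fetched on any two days within the last `ttl` days; the RRSIG's signer
    must be in that cached DNSKEY RRset, otherwise validation fails (SERVFAIL)."""
    nkeys = horizon // p.roll + 2
    for day in range(p.overlap + p.ttl, horizon):
        for keys_day in range(day - p.ttl, day + 1):
            cached = published_keys(p, keys_day, nkeys)
            for sig_day in range(day - p.ttl, day + 1):
                signer = signing_key(p, sig_day, nkeys)
                if signer is None or signer not in cached:
                    return False
    return True

if __name__ == "__main__":
    print("CNNIC ZSK schedule safe:", rollover_is_safe(CNNIC_ZSK, 365))
    print("no pre-publish overlap safe:", rollover_is_safe(ZskPolicy(90, 0, 1, 1), 365))
```

Dropping the overlap below the TTL, or removing the retired key without a hold period, makes the simulation report a window in which cached data cannot be validated.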
Slide 22. 4.2. Key Rollover
• Steps (KSK)
  • Generate the new KSK; re-sign the zone with the ZSK, KSK_old and KSK_new
  • Submit the new DS to the root & delete the old DS
  • Revoke KSK_old
  • Delete KSK_old
(Figure: KSK rollover timeline in three phases: 1) KSK_old active; 2) KSK_new active while KSK_old is revoked; 3) KSK_old deleted and KSK_new active for 300 days before KSK_new_2 is introduced; intervals of 35 days and 30 days are marked between the phases.)
Slide 23. 4.3. Key management
1. Key pairs generated offline
2. Key pairs backed up online/offline
3. Private key protection
4. Key pair management document/system
Slide 24. 4.4. Security consideration
1. Physical Controls
   − Electromagnetic shielding
   − Physical access management
   − Different roles for different tasks
   − Teamwork
   − Procedural controls
2. Technical Controls
   − Certifications
   − Network controls: FW, ACL, VLAN
   − Software controls: versions, bugs, documents
Slide 25. OUTLINE (section divider; same list as slide 2)
Slide 26. 5.1. Size
• Zone Size
  − Opt-out
  − Increased a little (7%)
• Packet Size
  − RRSIG
  − 2.5 times larger on average
(Charts: zone size, No DNSSEC 700 Mb vs DNSSEC 750 Mb; packet size, No DNSSEC 170 Byte vs DNSSEC 423 Byte.)
• 73% of queries are DNSSEC queries under usual conditions
• After sub-domain and recursive nameservers implement DNSSEC, bandwidth costs will be much larger
Slide 27. 5.2. Challenge: DDoS Attack
• QPS increased to 2.4 times the usual level
• Packet size increased to 700 Byte on average (1.65 times)
• Bandwidth reaches 4 (2.4 × 1.65) times the usual level
(Chart: packet size, usual 423 Byte vs attack 700 Byte.)
Slide 28. Sharing
• http://www.internetsociety.org/deploy360/dnssec/
• http://www.nlnetlabs.nl/publications/dnssec_howto/
• http://stats.research.icann.org/dns/tld_report/
• http://www.nlnetlabs.nl/projects/dnssec/
• http://www.dnssec-deployment.org/
• https://www.iana.org/dnssec/
• http://dnssec-debugger.verisignlabs.com/
• https://www.opendnssec.org/
• zhaoqi@cnnic.cn
Slide 29. Information Sharing. Thank you! Questions?
Slide 30. CAS Software Park, No. 4 South 4th Street, Zhongguancun, Haidian District, Beijing. Postcode: 100190. www.cnnic.cn
