16. How it works (simplified)
Each zone has a public/private key pair
All RRs are signed
Crypto signature and public key published in DNS alongside RR
Sunday 17 October 2010
18. A few new RRs
DNSKEY - zone public keys
- Key-signing key (KSK) - used to sign own ZSK
- Zone-signing key (ZSK) - used to sign all other RRs
RRSIG - crypto signature of RR data
DS - delegation signer
- Secure pointer to (checksum of) child KSK
NSEC and NSEC3 - authenticated denial of existence (NXDOMAIN)
22. RR sets
RR set - the building block of DNSSEC
RR (A, PTR, MX, NS etc) + RRSIG (crypto signature)
24. Vanilla DNS
org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
25. DNSSEC
org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
org. 79810 IN RRSIG NS 7 1 86400 20101015154542 20101001144542 245 org. Uy6dZ09BwvRmQHbzlK8gbflhQT1TVkEEYqrpff7W+uHn5Sz1jwqpNpIH LIgs5M6sHgURvzzdEn8C
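An added example, not from the slides, of what a validating cache can read off that RRSIG before it does any cryptography: the field layout, the validity window, and the key tag and signer name it has to look up. The record string is the one on the slide (signature truncated as shown there); the function names are my own.

```python
from datetime import datetime, timezone

def dns_time(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split an RRSIG in presentation format into its fields. Order after 'RRSIG':
    type covered, algorithm, labels, original TTL, expiration, inception, key tag,
    signer name, then the base64 signature (dig prints it in space-separated chunks)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "orig_ttl": int(f[7]), "expiration": dns_time(f[8]),
        "inception": dns_time(f[9]), "key_tag": int(f[10]), "signer": f[11],
        "signature_b64": "".join(f[12:]),
    }

def label_count(name):
    """Labels in a fully qualified name: 'org.' -> 1, 'www.example.org.' -> 3."""
    return len([l for l in name.rstrip(".").split(".") if l])

def is_at_or_below(owner, zone):
    """True when owner lies inside zone; every name lies below the root '.'."""
    return zone == "." or owner == zone or owner.endswith("." + zone)

def precheck(rrsig, now):
    """Checks a validator makes before any cryptography. Returns the list of problems;
    empty means: fetch DNSKEY <signer> with this key tag and verify the signature."""
    problems = []
    if now < rrsig["inception"]:
        problems.append("not yet valid")
    if now > rrsig["expiration"]:
        problems.append("expired")
    if not is_at_or_below(rrsig["owner"], rrsig["signer"]):
        problems.append("signer is not a parent of the owner")
    if rrsig["labels"] > label_count(rrsig["owner"]):
        problems.append("labels field exceeds owner name label count")
    return problems

def wildcard_expanded(rrsig):
    """labels < owner label count means the RR set was synthesized from a wildcard."""
    return rrsig["labels"] < label_count(rrsig["owner"])

# The RRSIG of the .org NS RR set from the slide above (its signature is cut short there too).
SLIDE_RRSIG = ("org. 79810 IN RRSIG NS 7 1 86400 20101015154542 20101001144542 245 org. "
               "Uy6dZ09BwvRmQHbzlK8gbflhQT1TVkEEYqrpff7W+uHn5Sz1jwqpNpIH LIgs5M6sHgURvzzdEn8C")
```

Note that the signature on the slide was only valid for two weeks: signatures have to be regenerated on a schedule, which is the automation the pitfalls slides refer to.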
29. Query validation
Query result - A, MX, NS, PTR etc
Cryptographic signature - RRSIG
Public key - DNSKEY <- Why should I trust you?
31. Trust anchor
A DNSKEY that we trust to be correct
Confirmed from sources other than DNS
Enables us to validate data in a specific zone
33. Chain of trust
Starts at a trust anchor
Can be delegated to child zones
- Name server delegation with NS records (NS RR set)
- Trust delegation with DS records (DS RR set)
39. Chain of trust
As of July 2010 a trust anchor exists for the ROOT KSK
. 84500 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 84500 IN DNSKEY 256 3 8 AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
Less than 20 signed TLDs
45. Chain of trust
ROOT zone
  . IN DNSKEY ROOT-KSK-key (trust anchor)
  . IN DNSKEY ROOT-ZSK-KEY
  . IN RRSIG DNSKEY (ROOT-KSK-KEY signature) (trusted)
  Delegating tld. to ns1.tld
  tld. IN NS ns1.tld.
  tld. IN RRSIG NS (ROOT-KSK-key signature)
  ns1.tld. IN A 10.10.10.5
  ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
  tld. IN DS crypto_hash(tld-KSK)
  tld. IN RRSIG DS (ROOT-ZSK-key signature)
tld zone (ns1.tld - 10.10.10.5)
  tld. IN DNSKEY tld-KSK (trusted from DS in ROOT)
  tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)
  tld. IN DNSKEY tld-ZSK
  tld. IN RRSIG DNSKEY (tld-KSK-signature) (trusted)
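The "tld. IN DS crypto_hash(tld-KSK)" step above, as an added example that is not part of the slides: the key tag and DS digest from RFC 4034, and the comparison a resolver makes before it trusts a child KSK. The root has no parent DS, so the same digest is what gets configured as the trust anchor; the key below is the 2010 root KSK from the earlier slide, and the key tag and SHA-256 digest it is checked against are the IANA-published trust-anchor values for that key, not something the slides contain.

```python
import base64
import hashlib

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags (257 = KSK, 256 = ZSK), protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the RDATA that names the key in DS and RRSIG."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(owner name in wire form || DNSKEY RDATA); type 2 = SHA-256, type 1 = SHA-1."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + rdata).digest()

def dnskey_matches_ds(owner, rdata, ds_tag, ds_alg, ds_type, ds_digest_hex):
    """The check a validator makes before trusting a child KSK: key tag, algorithm and
    digest in the parent's DS must all agree with the DNSKEY the child served."""
    return (key_tag(rdata) == ds_tag and rdata[3] == ds_alg
            and ds_digest(owner, rdata, ds_type).hex().lower() == ds_digest_hex.lower())

# Root KSK as shown on the slide (flags 257, protocol 3, algorithm 8 = RSA/SHA-256).
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0=")
ROOT_KSK_RDATA = dnskey_rdata(257, 3, 8, ROOT_KSK_B64)
# Trust anchor for that key as published by IANA (not on the slides): key tag, alg, digest type, digest.
ROOT_TRUST_ANCHOR = (19036, 8, 2, "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

def root_ksk_is_trust_anchor():
    """The same comparison a resolver makes for 'tld. IN DS crypto_hash(tld-KSK)', applied to the root."""
    return dnskey_matches_ds(".", ROOT_KSK_RDATA, *ROOT_TRUST_ANCHOR)
```

For a TLD the only difference is that the DS tuple comes from the parent's signed DS RR set instead of the resolver's configuration.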
56. Caching DNS servers
Validating cache
- Performs crypto number-crunching on behalf of DNS client
- Affirms authenticity of data by setting AD bit in response
- Client session susceptible to spoofing (fake AD bit)
Non-validating cache
- Merely returns RR sets
- To ensure authenticity client must perform its own validation
60. Denial of existence
NSEC
NSEC record creates a chain of non-existence between RRs in a zone
C-3PO.com. IN A 10.10.10.1
C-3PO.com. IN RRSIG jDDoe/x3r#
luke.com. IN A 10.10.10.2
luke.com. IN RRSIG d<edNcd#?d
r2d2.com. IN A 10.10.10.3
r2d2.com. IN RRSIG zDsc>dybhDe
C-3PO.com. IN NSEC to luke.com.
luke.com. IN NSEC to r2d2.com.
64. Denial of existence
NSEC
dig doesnotexist.se NS
doesithurt.se. 7200 IN NSEC dof.se. NS RRSIG NSEC
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252 20100930031234 26215 se. XH6itihRj7u/XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO
i.e. there is nothing between doesithurt.se and dof.se
Bad idea?
67. Denial of existence
NSEC3
NSEC3 creates a chain of non-existence between hashes of RRs in a zone
03450ad8d88fa9bc8f22d9063328c08f52c0fa03 (hash of C-3PO.com.)
bc6ec803d77136128483bb220e449353a6a432a8 (hash of luke.com.)
f545de7360c432fcbfcfc1d80fa9b142cd359b79 (hash of r2d2.com.)
hash-of-C-3PO.com. IN NSEC3 to hash-of-luke.com.
hash-of-luke.com. IN NSEC3 to hash-of-r2d2.com.
NSEC3 response returns hash salt and number of iterations used
68. Denial of existence
NSEC3
dig idontexist.org NS
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. Zaq/jsAGv/GxG/wPWgpjczhzeTdwIFLykxbxzap3lWRK16+Q64d4F31Z ady60BSEyErddv2oafewi+eE6IG7zX6QvLrXZlAE5KYD2P1SswfFf/n+ IenKtXyCfFv7q9FeOr7Ex6aqUShIPg2asL8mAWWWPxn4knRsmR9hoz/C udo=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN NSEC3 1 1 1 D399EAAB D7DM84D9Q90H2UV918MF4BGDUKR4S5NN
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN RRSIG NSEC3 7 2 86400 20101016052757 20101002042757 245 org. IZESTR/sqJI/ZDega0df557XQ6JhK42TaAhYyeR7RI3f9XD7nyULE8nk WTZv38Um/wzVFu6haBmSb4iz5TmShL1pUqlwZbQzZ7mpbxaY4iPwVfZ6 9JSSCnwaTWpg/pS17dyP+MiB4/yffaJnXiAVlTp6FNO7IFz735mD717C 4yU=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. 7KbiYKaNPtNIbTpDTAu+qcdiRrOn73qZztjEWL5/wc4HvCtp+ziIG9P1 nZ0fgBj7VFETp0P6V1+QVkjy5SoAennzEN9201v7f7e4iCPrqf/1q/k8 8cNNGvTk5/+/Me7qWEIYRUU3Dyy61rGaYZES8zAoR9TUhmubj8mIGzR+ MOE=
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN NSEC3 1 1 1 D399EAAB VAPM2EIMJPEU2R3SNRILHGU61CHOC96A NS DS RRSIG
69. Denial of existence
NSEC3
NSEC3 adds additional workload on authoritative AND caching DNS servers
- Authoritative: Calculating NSEC3 hash of QUERY in order to return correct answer
- Caching: Calculating NSEC3 hash of QUERY in order to compare to authoritative answer
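An added example, not from the slides, of the hashing both sides have to do: the RFC 5155 NSEC3 hash with salt and iteration count, the sorted circular chain the signer publishes, and the gap check a cache performs on the response. The zone is constructed from the three names on the NSEC slides; the salt and iteration count are those in the .org records above, and the function names are my own.

```python
import hashlib
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(data):
    """RFC 4648 base32hex without padding, the alphabet NSEC3 owner names are written in."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 with SHA-1: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).
    Every extra iteration is one more SHA-1 for both the authoritative and the caching side."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def build_chain(names, salt_hex, iterations):
    """What the signer publishes: hashed owners in sorted order, each pointing at the next,
    the last one wrapping round to the first."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def nsec3_covers(owner_hash, next_hash, qname_hash):
    """True when qname_hash falls strictly inside the gap (owner, next), including the
    wrap-around gap of the last record; a hash equal to an owner means the name exists."""
    if owner_hash < next_hash:
        return owner_hash < qname_hash < next_hash
    return qname_hash > owner_hash or qname_hash < next_hash

def denial_proof(chain, qname, salt_hex, iterations):
    """What the cache does with an NSEC3 answer: hash the query name itself with the salt and
    iteration count from the record and see which record, if any, proves non-existence."""
    qh = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner == qh:
            return ("exists", owner)
        if nsec3_covers(owner, nxt, qh):
            return ("covered", (owner, nxt))
    return ("no proof", None)

# Constructed zone with the names from the slides; salt/iterations (D399EAAB, 1) as in the .org records.
ZONE_NAMES = ["C-3PO.com.", "luke.com.", "r2d2.com."]
CHAIN = build_chain(ZONE_NAMES, "D399EAAB", 1)
```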
71. Pitfalls of DNSSEC
Zone files no longer human-modifiable
- Abstraction/automation required to publish data in DNS
ZSK and KSK lifetime expiration
- ZSK (30 days default)
- KSK (12 months default)
Requires parent (registrar) capable of DNSSEC
- zaDNA is not one of them and will not be within next 18 months
- Neither is Uniforum
75. Lookaside validation (DLV)
DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain. It allows validating resolvers to validate DNSSEC-signed data from zones whose ancestors either aren't signed or don't publish Delegation Signer (DS) records for their children.
RFC 5074
Requires manual DLV trust-anchor config on resolvers
77. https://dlv.isc.org
Useful kludge for early adopters
Already configured on at least one large ZA ISP's caches
Workaround for zaDNA's lack of DNSSEC