1. DNSSEC 101 with a
pinch of salt
Todor Genov
todor@subnet.co.za
Sunday 17 October 2010

2. Who is this guy?
Sunday 17 October 2010

3. Who is this guy?
Unix geek/sysadmin
Sunday 17 October 2010

4. Who is this guy?
Unix geek/sysadmin
Works at a yellow-branded ISP
Sunday 17 October 2010

5. Who is this guy?
Unix geek/sysadmin
Works at a yellow-branded ISP
Does a lot of DNS as a result
Sunday 17 October 2010

6. What is DNSSEC?
Sunday 17 October 2010

7. What is DNSSEC?
DNS + public key crypto
Sunday 17 October 2010

8. What is DNSSEC?
DNS + public key crypto
Implemented as an extension to current
DNS protocol
Sunday 17 October 2010

9. What is DNSSEC good for?
Sunday 17 October 2010

10. What is DNSSEC good for?
Authenticating response origin
Sunday 17 October 2010

11. What is DNSSEC good for?
Authenticating response origin
Authenticating denial of existence
Sunday 17 October 2010

12. What is DNSSEC good for?
Authenticating response origin
Authenticating denial of existence
Not much else
Sunday 17 October 2010

13. How it works
(simplified)
Sunday 17 October 2010

14. How it works
(simplified)
Each zone has public/private key
Sunday 17 October 2010

15. How it works
(simplified)
Each zone has public/private key
All RRs are signed
Sunday 17 October 2010

16. How it works
(simplified)
Each zone has public/private key
All RRs are signed
Crypto signature and public key published
in DNS alongside RR
Sunday 17 October 2010

17. A few new RRs
Sunday 17 October 2010

18. A few new RRs
RRSIG - crypto signature of RR data
Sunday 17 October 2010

19. A few new RRs
DNSKEY - zone public keys
-Key-signing key (KSK) - used to sign own ZSK
-Zone-signing key (ZSK) - used to sign all other RRs
RRSIG - crypto signature of RR data
Sunday 17 October 2010

20. A few new RRs
DNSKEY - zone public keys
-Key-signing key (KSK) - used to sign own ZSK
-Zone-signing key (ZSK) - used to sign all other RRs
RRSIG - crypto signature of RR data
DS - delegation signer
-Secure pointer to (checksum of) child KSK
Sunday 17 October 2010

21. A few new RRs
DNSKEY - zone public keys
-Key-signing key (KSK) - used to sign own ZSK
-Zone-signing key (ZSK) - used to sign all other RRs
RRSIG - crypto signature of RR data
DS - delegation signer
-Secure pointer to (checksum of) child KSK
NSEC and NSEC3 - authenticated denial of
existence (NXDOMAIN)
Sunday 17 October 2010

22. RR set - the building block of DNSSEC
RR (A, PTR, MX, NS etc) + RRSIG (crypto signature)
RR sets
Sunday 17 October 2010

23. RR sets
RR set - the building block of DNSSEC
RR (A, PTR, MX, NS etc)
Sunday 17 October 2010

24. Vanilla DNS
org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
RR sets
RR set - the building block of DNSSEC
RR (A, PTR, MX, NS etc)
Sunday 17 October 2010

25. DNSSEC
org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
org. 79810 IN RRSIG NS 7 1 86400 20101015154542
20101001144542 245 org. Uy6dZ09BwvRmQHbzlK8gbflhQT1TVkEEYqrpff7W
+uHn5Sz1jwqpNpIH LIgs5M6sHgURvzzdEn8C
RR sets
RR set - the building block of DNSSEC
RR (A, PTR, MX, NS etc)
Sunday 17 October 2010

26. Query validation
Sunday 17 October 2010

27. Query validation
Query result - A,MX,NS,PTR etc
Sunday 17 October 2010

28. Query validation
Query result - A,MX,NS,PTR etc
Cryptographic signature - RRSIG
Sunday 17 October 2010

29. Query validation
Query result - A,MX,NS,PTR etc
Cryptographic signature - RRSIG
Public key - DNSKEY
Sunday 17 October 2010

30. Query validation
Query result - A,MX,NS,PTR etc
Cryptographic signature - RRSIG
Public key - DNSKEY <- Why should I
trust you?
Sunday 17 October 2010

31. Trust anchor
A DNSKEY that we trust to be correct
Confirmed from sources other than DNS
Enables us to validate data in a
specific zone
Sunday 17 October 2010

32. Chain of trust
Starts at a trust anchor
Sunday 17 October 2010

33. Chain of trust
Starts at a trust anchor
Can be delegated to child zones
- Name server delegation with NS records (NS RR set)
- Trust delegation with DS records (DS RR set)
Sunday 17 October 2010

34. Trust anchor
Sunday 17 October 2010

35. Trust anchor
ROOT
.COM .ORG
google.com insecure.org
.ZA
Sunday 17 October 2010

36. Trust anchor
ROOT
.COM .ORG
google.com insecure.org
.ZA
.CO
.google
Sunday 17 October 2010

37. Trust anchor
.COM .ORG
google.com insecure.org
.ZA
.CO
.google
ROOT
Sunday 17 October 2010

38. Chain of trust
Sunday 17 October 2010

39. As of July 2010 a trust anchor exists
for the ROOT KSK
Chain of trust
Sunday 17 October 2010

40. As of July 2010 a trust anchor exists
for the ROOT KSK
Chain of trust
. 84500 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR
+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/
RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/
Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu
+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 84500 IN DNSKEY 256 3 8
AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj
Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc
rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
Sunday 17 October 2010

41. As of July 2010 a trust anchor exists
for the ROOT KSK
Chain of trust
. 84500 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR
+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/
RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/
Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu
+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 84500 IN DNSKEY 256 3 8
AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj
Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc
rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
Less than 20 signed TLDs
Sunday 17 October 2010

42. DS
.org
tld.org
tld.org NS ns1.tld.org
tld.org DS checksum(KSK)
tld.org NS ns1.tld.org
tld.org DNSKEY KSK
Sunday 17 October 2010

43. Chain of trust
Sunday 17 October 2010

44. Chain of trustDelegating tld. to ns1.tld
Sunday 17 October 2010

45. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
ROOT zone
Delegating tld. to ns1.tld
Sunday 17 October 2010

46. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
ROOT zone
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
Delegating tld. to ns1.tld
Sunday 17 October 2010

47. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
ROOT zone
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
Delegating tld. to ns1.tld
(trusted)
Sunday 17 October 2010

48. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
ROOT zone
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
Delegating tld. to ns1.tld
(trusted)
Sunday 17 October 2010

49. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
ROOT zone
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
Delegating tld. to ns1.tld
(trusted)
Sunday 17 October 2010

50. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
ROOT zone
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
Delegating tld. to ns1.tld
(trusted)
Sunday 17 October 2010

51. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
tld. IN DNSKEY tld-KSK
tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)
ROOT zone
tld zone (ns1.tld - 10.10.10.5)
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
Delegating tld. to ns1.tld
(trusted)
Sunday 17 October 2010

52. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
tld. IN DNSKEY tld-KSK
tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)
ROOT zone
tld zone (ns1.tld - 10.10.10.5)
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
Delegating tld. to ns1.tld
(trusted)
(trusted from DS in ROOT)
Sunday 17 October 2010

53. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
tld. IN DNSKEY tld-KSK
tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)
ROOT zone
tld zone (ns1.tld - 10.10.10.5)
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
Delegating tld. to ns1.tld
(trusted)
tld. IN DNSKEY tld-ZSK
tld. IN RRSIG DNSKEY (tld-KSK-signature)
(trusted from DS in ROOT)
Sunday 17 October 2010

54. Chain of trust
. IN DNSKEY ROOT-KSK-key (trust anchor)
tld. IN DNSKEY tld-KSK
tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)
ROOT zone
tld zone (ns1.tld - 10.10.10.5)
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)
Delegating tld. to ns1.tld
(trusted)
tld. IN DNSKEY tld-ZSK
tld. IN RRSIG DNSKEY (tld-KSK-signature)
(trusted from DS in ROOT)
(trusted)
Sunday 17 October 2010

55. Caching DNS servers
Sunday 17 October 2010

56. Caching DNS servers
Validating cache
- Performs crypto number-crunching on behalf of DNS client
- Affirms authenticity of data by setting AD bit in response
- Client session susceptible to spoofing (fake AD bit)
Sunday 17 October 2010

57. Caching DNS servers
Validating cache
- Performs crypto number-crunching on behalf of DNS client
- Affirms authenticity of data by setting AD bit in response
- Client session susceptible to spoofing (fake AD bit)
Non-validating cache
- Merely returns RR sets
- To ensure authenticity client must perform its own validation
Sunday 17 October 2010

58. Denial of existence
NSEC
Sunday 17 October 2010

59. Denial of existence
NSEC
NSEC record creates a chain of non-
existence between RRs in a zone
Sunday 17 October 2010

60. Denial of existence
NSEC
NSEC record creates a chain of non-
existence between RRs in a zone
C-3PO.com. IN A 10.10.10.1
C-3PO.com. IN RRSIG jDDoe/x3r#
luke.com. IN A 10.10.10.2
luke.com. IN RRSIG d<edNcd#?d
r2d2.com. IN A 10.10.10.3
r2d2.com. IN RRSIG zDsc>dybhDe
Sunday 17 October 2010

61. Denial of existence
NSEC
NSEC record creates a chain of non-
existence between RRs in a zone
C-3PO.com. IN A 10.10.10.1
C-3PO.com. IN RRSIG jDDoe/x3r#
luke.com. IN A 10.10.10.2
luke.com. IN RRSIG d<edNcd#?d
r2d2.com. IN A 10.10.10.3
r2d2.com. IN RRSIG zDsc>dybhDe
C-3PO.com IN NSEC to luke.com.
luke.com. IN NSEC to r2d2.com.
Sunday 17 October 2010

62. Denial of existence
NSEC
Sunday 17 October 2010

63. Denial of existence
NSEC
dig doesnotexist.se NS
Sunday 17 October 2010

64. Denial of existence
NSEC
dig doesnotexist.se NS
doesithurt.se. 7200 IN NSEC dof.se. NS RRSIG NSEC
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252
20100930031234 26215 se. XH6itihRj7u/
XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO
Sunday 17 October 2010

65. Denial of existence
NSEC
dig doesnotexist.se NS
doesithurt.se. 7200 IN NSEC dof.se. NS RRSIG NSEC
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252
20100930031234 26215 se. XH6itihRj7u/
XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO
eg. there is nothing between
doesithurt.se and dof.se
Sunday 17 October 2010

66. Denial of existence
NSEC
dig doesnotexist.se NS
doesithurt.se. 7200 IN NSEC dof.se. NS RRSIG NSEC
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252
20100930031234 26215 se. XH6itihRj7u/
XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO
eg. there is nothing between
doesithurt.se and dof.se
Bad idea?
Sunday 17 October 2010

67. Denial of existence
NSEC3
NSEC3 creates a chain of non-existence
between hashes of RRs in a zone
03450ad8d88fa9bc8f22d9063328c08f52c0fa03 (hash of C-3PO.com.)
bc6ec803d77136128483bb220e449353a6a432a8 (hash of luke.com.)
f545de7360c432fcbfcfc1d80fa9b142cd359b79 (hash of r2d2.com.)
hash-of-C-3PO.com IN NSEC3 to hash-of-luke.com.
hash-of-luke.com. IN NSEC3 to hash-of-r2d2.com
NSEC3 response returns hash salt and
number of iterations used
Sunday 17 October 2010

68. Denial of existence
NSEC3
dig idontexist.org NS
Yrp8N36uMZUgWRLUi9xVMq2GylslnLD6ehEoRVecDnWxPumIPt8iXi8i
oj1XrQ5k8Dg9RINp19rcuaRcecmEUedtmfIdPvGtwWSUsoWP5XiGF/nx 2/Y=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542
20101001144542 245 org. Zaq/jsAGv/GxG/wPWgpjczhzeTdwIFLykxbxzap3lWRK16+Q64d4F31Z
ady60BSEyErddv2oafewi+eE6IG7zX6QvLrXZlAE5KYD2P1SswfFf/n+
IenKtXyCfFv7q9FeOr7Ex6aqUShIPg2asL8mAWWWPxn4knRsmR9hoz/C udo=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN NSEC3 1 1 1 D399EAAB
D7DM84D9Q90H2UV918MF4BGDUKR4S5NN
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN RRSIG NSEC3 7 2 86400 20101016052757
20101002042757 245 org. IZESTR/sqJI/ZDega0df557XQ6JhK42TaAhYyeR7RI3f9XD7nyULE8nk
WTZv38Um/wzVFu6haBmSb4iz5TmShL1pUqlwZbQzZ7mpbxaY4iPwVfZ6 9JSSCnwaTWpg/pS17dyP
+MiB4/yffaJnXiAVlTp6FNO7IFz735mD717C 4yU=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN NSEC3 1 1 1 D399EAAB
H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542
20101001144542 245 org. 7KbiYKaNPtNIbTpDTAu+qcdiRrOn73qZztjEWL5/wc4HvCtp+ziIG9P1
nZ0fgBj7VFETp0P6V1+QVkjy5SoAennzEN9201v7f7e4iCPrqf/1q/k8 8cNNGvTk5/+/
Me7qWEIYRUU3Dyy61rGaYZES8zAoR9TUhmubj8mIGzR+ MOE=
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN NSEC3 1 1 1 D399EAAB
VAPM2EIMJPEU2R3SNRILHGU61CHOC96A NS DS RRSIG
Sunday 17 October 2010

69. Denial of existence
NSEC3
NSEC3 adds additional workload on
authoritative AND caching DNS servers
- Authoritative: Calculating NSEC3 hash of QUERY in order to
return correct answer
- Caching: Calculating NSEC3 hash of QUERY in order to compare
to authoritative answer
Sunday 17 October 2010

70. Pitfalls of DNSSEC
Sunday 17 October 2010

71. Pitfalls of DNSSEC
Zone files no longer human-modifiable
-Abstraction/automation required to publish data in DNS
Sunday 17 October 2010

72. Pitfalls of DNSSEC
Zone files no longer human-modifiable
-Abstraction/automation required to publish data in DNS
ZSK and KSK lifetime expiration
- ZSK (30 days default)
- KSK (12 months default)
Sunday 17 October 2010

73. Pitfalls of DNSSEC
Zone files no longer human-modifiable
-Abstraction/automation required to publish data in DNS
ZSK and KSK lifetime expiration
- ZSK (30 days default)
- KSK (12 months default)
Requires parent (registrar) capable of
DNSSEC
- zaDNA is not one of them and will not be within next 18 months
- Neither is Uniforum
Sunday 17 October 2010

74. Lookaside validation
(DLV)
Sunday 17 October 2010

75. Lookaside validation
(DLV)
DNSSEC Lookaside Validation (DLV) is a mechanism for publishing
DNS Security (DNSSEC) trust anchors outside of the DNS delegation
chain. It allows validating resolvers to validate DNSSEC-signed data
from zones whose ancestors either aren't signed or don't publish
Delegation Signer (DS) records for their children.
RFC5074
Sunday 17 October 2010

76. Lookaside validation
(DLV)
DNSSEC Lookaside Validation (DLV) is a mechanism for publishing
DNS Security (DNSSEC) trust anchors outside of the DNS delegation
chain. It allows validating resolvers to validate DNSSEC-signed data
from zones whose ancestors either aren't signed or don't publish
Delegation Signer (DS) records for their children.
RFC5074
Requires manual DLV trust-anchor
config on resolvers
Sunday 17 October 2010

77. https://dlv.isc.org
Useful cludge for early adopters
Already configured on at least one
large ZA ISP’s caches
Workaround for zaDNA’s lack of DNSSEC
Sunday 17 October 2010

78. Questions?
Sunday 17 October 2010