ICANN Mexico ccTLD Practical DNSSEC - Filip and Hitchcock


ICANN Mexico 34 - Filip and Hitchcock on DNSSEC at ccTLD Tech Day Workshop


  1. Practical DNSSEC (in less than 90 minutes)
     ccTLD Techday – Mexico City – March 2, 2009
     Ondrej Filip (CZ.NIC), Jeremy Hitchcock (Dynamic Network Services)

  2. What We're Covering
     • Big picture on DNSSEC
     • Some highlights on how it works
     • Trust anchors
     • DNSSEC at .CZ
     • Future of DNSSEC

  3. Why DNSSEC
     • Secure DNS: true verification of answers
     • The Kaminsky attack tricks recursive DNS servers into caching forged answers
     • Lots of money in tricking users
     • Why is this hard?
       – Security was not originally part of DNS
       – Many actors have to act to achieve results
     • Silver lining: we're pretty far along
       – End-to-end DNSSEC already here (.se, .cz, etc.)
       – First open gTLD to come this year: .org
       – .gov and .museum are signed

  4. DNSSEC Resolution Chain (diagram)

  5. DNSSEC Records
     • Keys to sign the zone (KSK/ZSK); these are used to create a "signed" zone
     • Key data in the zone
       – DNSKEY – public key
       – RRSIG – signature over each record set, made with the private key
       – NSEC – proof of non-existence (NSEC3 is the hashed variant)
     • Key data that goes to the parent registry: DS
       – A digest of the child's KSK DNSKEY, published in the parent zone; the recursive resolver verifies the child's DNSKEY against it

  6. DNSSEC Key Chain (diagram)

  7. Keys [Should] Start at the Root
     • We all trust named.hints, the root hints file (and rotate them)
     • Need to trust the keys, starting at the top
     • NTIA request for comments – http://www.ntia.doc.gov/dns/dnssec.html
     • The root is still not signed, but TLDs are signed
     • That's a problem…

  8. ITAR/DLV
     • Vetted, accepted keys; think trusted root hints
     • ITAR – IANA-run Interim Trust Anchor Repository: a set of trusted DS records for signed TLDs to include in local recursive DNS servers – https://itar.iana.org/
     • DLV – ISC-run DNSSEC Lookaside Validation: a dynamic trust anchor the resolver looks up at query time – https://www.isc.org/solutions/dlv
     • ITAR anchors are configured locally and checked against the TLD's own DNSKEY; DLV anchors are fetched from ISC's DLV zone during validation
     • Both work, different flavors

  9. (Ondrej's slides)

  10. DNSSEC deployment in .CZ
     CZ.NIC – Ondrej Filip – ondrej.filip@nic.cz
     ccNSO Techday, Mexico City, March 2, 2009

  11. FRED
     • In-house created registry system, released as an open source project: http://fred.nic.cz
     • Registrar interface: EPP protocol
     • Primary objects: domains, contacts, nameserver sets
     • Zone generation every 30 minutes
     • Used for .CZ since 2007; also used by Angola

  12. DNSSEC preparations & plans
     • Main project for 2008
     • DNSSEC is an important technology for DNS
     • Meetings with registrars
       – Explanation of DNSSEC principles
       – Exploring Sweden's experiences
       – Presentation of our solution
     • Coding started in 2Q
     • Kaminsky discovery
     • Zone signing first
     • Full deployment 30.9.2008

  13. Zone walking
     • Zone data enumeration and disclosure: an NSEC chain lets anyone list every name in the zone by following the "next name" pointers
     • Is it a problem? The result is a list of all .cz domains plus their technical information
     • NSEC3 not supported yet
     • Approved: no personal data is disclosed, OK to implement
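Slide 13's point in working code, as an added example that is not CZ.NIC's code: a zone walk follows NSEC "next" pointers through a constructed toy zone, a resolver-side check shows which NSEC record proves a queried name absent, and the NSEC3 hashing from RFC 5155 shows what the hashed variant (not yet supported by the tools at the time of the talk) exposes instead. The zone, its names and the NSEC3 salt are constructed for illustration.

```python
# Added example: why an NSEC chain can be walked, and what NSEC3 changes.
# The zone below is constructed; it is not real .cz data.
import base64
import hashlib

# Constructed NSEC chain for a toy "cz." zone.
# owner -> (next owner in canonical order, types present at owner)
CONSTRUCTED_NSEC = {
    "cz.":       ("alpha.cz.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    "alpha.cz.": ("beta.cz.",  {"NS", "DS", "RRSIG", "NSEC"}),
    "beta.cz.":  ("gamma.cz.", {"NS", "RRSIG", "NSEC"}),
    "gamma.cz.": ("cz.",       {"NS", "DS", "RRSIG", "NSEC"}),  # last name points back to the apex
}

def _canon(name):
    """Canonical ordering key: labels lowercased and compared from the root inward."""
    return tuple(reversed([l for l in name.lower().rstrip(".").split(".") if l]))

def walk_nsec(chain, apex):
    """Zone walk: start at the apex and follow each NSEC 'next' pointer until it
    wraps around. Against a live zone every step is one query for a name that
    sits between two links, so a zone of n names is enumerated in about n queries."""
    names, cur = [], apex
    while True:
        names.append(cur)
        nxt = chain[cur][0]
        if nxt == apex:
            return names
        if nxt in names:
            raise ValueError("NSEC chain does not form a single loop through the apex")
        cur = nxt

def proves_nonexistence(chain, qname, apex):
    """Return the (owner, next) NSEC pair that covers qname, i.e. the record a
    resolver would accept as proof that qname does not exist, or None if it exists."""
    q = _canon(qname)
    if any(_canon(owner) == q for owner in chain):
        return None
    for owner, (nxt, _types) in chain.items():
        o = _canon(owner)
        if nxt == apex:                     # last link: covers everything after owner
            if q > o:
                return (owner, nxt)
        elif o < q < _canon(nxt):
            return (owner, nxt)
    return None

def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 hashed owner name: SHA-1 over the wire-format name plus salt,
    re-hashed `iterations` more times, encoded in base32hex as it appears in the
    NSEC3 owner label. Walking an NSEC3 chain yields these hashes, so recovering
    the names behind them costs a dictionary attack per hash instead of one query."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.lower().rstrip(".").split(".") if l) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV"))

if __name__ == "__main__":
    print("names in zone:", walk_nsec(CONSTRUCTED_NSEC, "cz."))
    print("proof for 'aardvark.cz.':", proves_nonexistence(CONSTRUCTED_NSEC, "aardvark.cz.", "cz."))
    for n in walk_nsec(CONSTRUCTED_NSEC, "cz."):       # constructed salt and iteration count
        print(n, "->", nsec3_hash(n, "aabbccdd", 12))
```

The walk is exactly what the slide calls enumeration: the same records that let a resolver prove "this name does not exist" also hand out the next existing name. NSEC3 does not remove the chain, it replaces the names in it with salted hashes, which is why it was the later answer to the disclosure question the slide raises.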
  14. DNSSEC solution at the registry
     • Accept public keys from domain registrants
     • Publish them into the generated zone
     • Generate and maintain our own key pair
     • Sign the zone with our private key
     • Publish our public key

  15. DNSSEC solution – step 1: accepting public keys from registrants
     • Significant registry modification
     • EPP extended with a new primary object: KeySet
     • A KeySet can be shared between domains
     • A KeySet holds multiple keys, which makes key rollover easy
     • Registration of a KeySet is free
     (diagram: a Domain with its Registrant/Admin-c is linked to an NSSET and to a DNSSEC KeySet, each with its own Tech-c)

  16. DNSSEC solution – step 2: publishing them in the zone
     • Minor registry modification
     • New DS records are generated into the zone file
     • DS record data is computed from the public keys in the KeySet
     • This creates the "chain of trust"
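Slide 5 (DS as the link to the parent) and slide 16 (DS computed from the KeySet's public keys) both come down to one computation, shown here as an added example that is not the FRED registry's code: the registry side derives the DS record for the parent zone from a child DNSKEY following RFC 4034 section 5.1.4, and the resolver side recomputes it from the DNSKEY it received to check that the chain of trust holds. The DNSKEY is constructed with a 4-byte toy modulus; it is not a real key.

```python
# Added example: DS derivation from a DNSKEY (registry side) and the matching
# check a validating resolver performs (client side). Key material is constructed.
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 (SHA-1) and 2 (SHA-256)

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded in.
    It is only a selector (which DNSKEY to try), not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS RDATA fields the parent publishes: (key tag, algorithm, digest type, digest hex).
    The digest covers owner-name-in-wire-format || DNSKEY RDATA, so it commits to the
    name, the flags, the algorithm and every key byte."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner, rdata, ds):
    """Resolver-side check: recompute the DS from the DNSKEY in the child's answer and
    compare with the DS obtained from the (signed) parent. Any change to the key bytes
    changes the digest, whatever happens to the key tag."""
    tag, alg, dtype, digest = ds
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())

def presentation(owner, rdata, ds):
    """Zone-file form of the DNSKEY (child zone) and the DS (parent zone)."""
    flags = struct.unpack("!H", rdata[:2])[0]
    tag, alg, dtype, digest = ds
    return (f"{owner} IN DNSKEY {flags} {rdata[2]} {rdata[3]} {base64.b64encode(rdata[4:]).decode()}\n"
            f"{owner} IN DS {tag} {alg} {dtype} {digest}")

# Constructed KSK: flags 257 (zone key + SEP bit), protocol 3, algorithm 8 (RSA/SHA-256),
# RSA public key as 1-byte exponent length, exponent 65537, then a toy 4-byte modulus.
CONSTRUCTED_PUBKEY = bytes.fromhex("03010001" "DEADBEEF")
CONSTRUCTED_KSK = dnskey_rdata(257, 3, 8, CONSTRUCTED_PUBKEY)

if __name__ == "__main__":
    ds = make_ds("example.cz.", CONSTRUCTED_KSK)
    print(presentation("example.cz.", CONSTRUCTED_KSK, ds))
    print("matches:", ds_matches("example.cz.", CONSTRUCTED_KSK, ds))
```

This is the whole "minor registry modification" of slide 16: the registry never needs the registrant's private key, only the DNSKEY bytes, and the resulting DS in the parent zone is what turns a signed child zone into part of the chain. Case differences in the owner name do not matter because the digest is over the canonical (lowercased) wire name.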
  17. DNSSEC solution – step 3: generating our own private and public keys
     • Using the BIND tool dnssec-keygen
     • Zone signing key: weaker, 1024 bits
     • Key signing key: stronger, 2048 bits
     • Alternative tool: ldns
     • Key storage, key management

  18. DNSSEC solution – step 4: zone signing
     • Using the BIND tool dnssec-signzone
     • Huge increase in zone size, from 40 MB to 180 MB
     • Transferring the zone to 19 secondary locations
       – Memory and bandwidth problems
       – Solved by reusing signatures that are still valid instead of re-signing everything
     • Own scripts based on ldns tools
     • Initial tests of an HSM failed
       – Software bugs
     • Signing runs every 30 minutes

  19. DNSSEC solution – step 5: publishing our own public key
     • Root zone still unsigned
     • Public key available on our web pages: http://www.dnssec.cz
     • Mailing list for notification of changes
     • DLV registry of ISC
     • ITAR solution from IANA
     • Waiting for the root…

  20. Key management
     • Keys managed manually
     • Privilege separation
       – Separate server
       – Logged access, individual accounts
     • Keys will move to an HSM
       – KSK + ZSK
       – Four Solaris servers
       – Sun Crypto Accelerator 6000 PCI
       – BIND 9.6.1 will merge the necessary fixes

  21. Domain name transfer
     • Registrar change is slightly complicated:
       1) Transfer the domain, NSSET and KEYSET
       2) Generate new keys
       3) Add the new keys to the KEYSET
       4) Publish the new zone
       5) Change the nameservers (NSSET)
       6) Delete the old keys from the KEYSET and delete the old zone file

  22. Statistics
     • Time since deployment: 4 months
     • Domains signed: 500+
     • Registrar support: 80%+ of market share (60% on day 1)
     • ISP support: slowly growing
     • Weekly statistic of signed domains (chart)

  23. New services with DNSSEC
     CZ.NIC – Ondrej Filip – ccNSO Techday, Mexico City, March 2, 2009

  24. What's new with DNSSEC?
     • No visible change for the end user
     • No visible change in DNS design
     • So what is new?
     • We have a secure, public, federated database
     • We can store new items in it
     • Everybody can verify that an item was published by the domain administrator

  25. Innovative example – SSHFP
     • SSH login to an unknown server asks a question about the host key; everybody ignores it and simply acknowledges
     • Idea: store the fingerprint of the SSH host key in DNS
     • New record: SSHFP (secure shell fingerprint)
       host.network.cz IN SSHFP 1 1 8c211d5b58e625cf61889ffe38b6d082b1c841a3
       (the two numbers are the key algorithm, 1 = RSA, and the fingerprint type, 1 = SHA-1)
     • Nice, but quite limited usage
     • Anything else to store in DNS?
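The SSHFP record on slide 25, as an added example that is not from the deck: one function builds SSHFP records from an OpenSSH public key line the way `ssh-keygen -r` does (the fingerprint is a hash of the raw key blob), and the other performs the check an SSH client does on connect, comparing the key the server offers with the fingerprint published in DNS. The host key is constructed in-line and is not a real host's key; the algorithm numbers 3 and 4 were assigned after this talk and are included so the mapping is complete.

```python
# Added example: SSHFP (RFC 4255) records from a host key, and the client-side check.
# The ssh-rsa key blob below is constructed; it is not a real host key.
import base64
import hashlib
import struct

# SSHFP algorithm numbers (1 and 2 from RFC 4255; 3 and 4 added later) and fingerprint types
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b

def ssh_mpint(n):
    """SSH wire-format mpint for a positive integer (leading zero byte if the top bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed ssh-rsa host key blob: the same bytes that appear base64-encoded in
# /etc/ssh/ssh_host_rsa_key.pub and in known_hosts. The modulus is a toy value.
CONSTRUCTED_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE_DEAD_BEEF_F00D_CAFE)
CONSTRUCTED_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(CONSTRUCTED_BLOB).decode() + " host.network.cz"

def sshfp_records(owner, pubkey_line, fptypes=(1, 2)):
    """Build one SSHFP RR per fingerprint type for a public key line ("ssh-rsa AAAA... comment").
    The fingerprint is the hash of the decoded key blob, which is what `ssh-keygen -r` emits."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALG[keytype]
    return [f"{owner} IN SSHFP {alg} {t} {SSHFP_FPTYPE[t](blob).hexdigest()}" for t in fptypes]

def sshfp_verify(record, pubkey_line):
    """Client-side check: does the key the server offered match the DNS-published
    fingerprint? Parses "owner IN SSHFP alg fptype hex" and rejects a record whose
    algorithm does not match the offered key type, so an RSA record never vouches
    for an Ed25519 key."""
    fields = record.split()
    alg, fptype, fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, b64 = pubkey_line.split()[:2]
    if SSHFP_ALG.get(keytype) != alg or fptype not in SSHFP_FPTYPE:
        return False
    return SSHFP_FPTYPE[fptype](base64.b64decode(b64)).hexdigest() == fp

if __name__ == "__main__":
    for rr in sshfp_records("host.network.cz.", CONSTRUCTED_PUBKEY_LINE):
        print(rr, "->", sshfp_verify(rr, CONSTRUCTED_PUBKEY_LINE))
```

This is the check OpenSSH performs with `VerifyHostKeyDNS yes`, and it is only worth anything under the conditions slide 24 describes: the client must get the SSHFP answer through a validating resolver, because an unsigned SSHFP record can be forged by the same attacker who can forge the host key.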
  26. What about SSL/HTTPS certs?
     • Currently: use some CA from the Firefox/Explorer list
     • You have to pay and prove your identity to a third party
     • Why not store the fingerprint of your self-signed SSL certificate in DNS? It could avoid the use of CAs
     • Just at the beginning: an idea
     • Any other ideas? E-mail related information? SMTPS? …

  27. DNSSEC in the Wild (authoritative)
     • Root signing (NTIA, IANA)
     • IANA DNSSEC testbed – https://ns.iana.org/dnssec/
     • IANA ITAR
     • ISC DLV

  28. DNSSEC in the Wild (recursive)
     • Comcast DNSSEC test bed – http://www.dnssec.comcast.net/
     • OARC DNSSEC test bed (ODVR) – https://www.dns-oarc.net/oarc/services/odvr
     • Dyn Inc. DNSSEC test bed – http://dynamicnetworkservices.com/dnssec
     • ISPs are deploying it: easy to do, lots of configs out there

  29. DNSSEC in the Application
     • Still a bit of work to do
     • Microsoft and DNSSEC – http://cai.icann.org/files/meetings/cairo2008/seshadri-dnssec-windows-05nov08.pdf
       – In Windows 7
     • Drill and the Mozilla plugin

  30. DNSSEC Coalition
     • Workgroup spearheaded by PIR (.org)
     • Group to streamline adoption of DNSSEC
     • gTLDs to rally around set standards (RFC 4310, the DNSSEC mapping for EPP)
     • Discuss best practices (like domain transfers)
     • Teleconferences already happening
     • First meeting March 13

  31. DNSSEC Coalition Members
     Group Chair: .ORG, The Public Interest Registry
     • Education Working Group: EDUCAUSE; Internet Society; Internet Systems Consortium, Inc. (ISC); NLnet Labs; Secure64 Software Corporation; Shinkuro; SIDN
     • Outreach Working Group: EDUCAUSE; Kirei AB; Internet Society; Internet Systems Consortium, Inc. (ISC); .ORG, The Public Interest Registry; Secure64 Software Corporation; SIDN
     • Tools & Applications Working Group: Afilias Limited; Internet Systems Consortium, Inc. (ISC); NeuStar, Inc.; NLnet Labs; Secure64 Software Corporation; .SE (the Internet Infrastructure Foundation); SIDN; VeriSign, Inc.
     • Registry Implementations Working Group: Afilias Limited; Internet Systems Consortium, Inc. (ISC); Secure64 Software Corporation; Shinkuro; SIDN; VeriSign, Inc.
     • Registrars Working Group to come

  32. Tools and Support
     • Added into BIND and NSD, with lots of operational testing
     • Signing tools by Sparta – http://www.dnssec-tools.org/
     • DNSSEC in 6 minutes (ISC) – https://www.isc.org/files/DNSSEC_in_6_minutes.pdf
     • General information – http://www.dnssec-deployment.org/

  33. Future of DNSSEC
     • Unknown when the root is going to be signed; ITAR and DLV make it matter less
     • gTLDs are going to sign shortly: .com/.net in 2011, .org in 2009
     • Greater application support
     • ISPs and end users getting ready

  34. Closing Remarks
     Any questions?
     Ondrej Filip – ondrej.filip@nic.cz
     Jeremy Hitchcock – jeremy@dyn-inc.com
