DNSSEC - Towards Enhanced Internet Security
DNSSEC presentation at Infosecurity Brussels 25/03/2010

Published in: Technology
DNSSEC - Towards Enhanced Internet Security

  7. (Diagram: everything that depends on DNS) TLDs, root, resolvers; ISPs' resolvers; router / wifi, modem; printer, webcam, game console, telephone, mobile, media centre; browser, mail agents, OS, firewall, virus scanner, Google.
  9. (Diagram: a normal lookup of www.mybank.dom through the local resolver and the authoritative name servers)
     1. Get me www.mybank.dom
     2. Where's www.mybank.dom? (to the root)
     3. Try the name server for .dom
     4. Where's www.mybank.dom? (to .dom)
     5. Try the name server for mybank.dom
     6. Where's www.mybank.dom? (to mybank.dom)
     7. Here you can find www.mybank.dom
     8. Here you can find www.mybank.dom: 192.0.32.10
     9. online banking
  10. (Diagram: the lookup of slide 9 with a second, conflicting answer) Get me www.mybank.dom; Where's www.mybank.dom?; Try the auth for mybank.dom; Where's www.mybank.dom?; two answers reach the resolver: Here you can find www.mybank.dom: 192.0.32.10 and Here you can find www.mybank.dom: 6.6.6.10; online banking.
  11. (Diagram: the same race for a name that does not exist) Get me 1234.mybank.dom; Where's 1234.mybank.dom?; Try the auth for mybank.dom; Where's 1234.mybank.dom?; the authoritative server answers No such domain exists (NXDOMAIN), while the competing answer says Here you can find 1234.mybank.dom: 6.6.6.10. And by the way: ns.mybank.dom = 6.6.6.1, ns2.mybank.dom = 6.6.6.2, and the authoritative nameserver for the entire .dom domain is ns.mine.dom = 6.6.6.6.
  19. (Diagram: the chain of trust) Root zone signing keys: the root zone contains signed records (including .dom) and the public key for .dom. .dom zone signing keys: the .dom zone contains signed records for mybank.dom and the public key for mybank.dom. mybank.dom signing keys: the mybank.dom zone contains the signed record for www.mybank.dom.
  20. (Diagram: validation) The public root key validates the public key for .dom, which validates the public key for mybank.dom, which validates the signed record for www.mybank.dom.
  21. dnssec-keygen -a alg -b bits -n type [options] name
      Output files: Kzonename+<alg>+<fing>.key and Kzonename+<alg>+<fing>.private. The .key file holds the public DNSKEY record (flags 256 = zone signing key, protocol 3, algorithm 5):
          example.dom. 3600 IN DNSKEY 256 3 5 AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK
          7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT
          YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k
          YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB
          sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv
          NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv
          O7StbOht
  22. Repeats slide 21.
  24. Key signing key (DNSKEY flags 257) and zone signing key (flags 256) for example.dom:
          example.dom. 3600 IN DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N
          Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW
          6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U
          BYtEIQ==
          example.dom. 3600 IN DNSKEY 256 3 5 AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV
          HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp
          /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3
          F+MGQw==
  25. dnssec-signzone [-o zonename] [-N INCREMENT] [-k KSKfile] zonefile [ZSKfile]
      Signatures in the resulting signed zone (RRSIG fields: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer name, signature):
          example.dom. 9504 IN RRSIG A 5 2 10200 20100412015003 20100315015003 18182 example.dom. H4Yy1ClPpBEj+Et3c7rkxZW3Q/w3O28sO3Mpt6c4HRpFdBwwMjzbYI0Q
          vWInuxSIWx3IJ455nX4k/N8NBRENzRK/+L74dM71OovOT50oLJ6ZOVvu
          /cjQtvQzHtJkoIvywsVpzDlgckvp8jVR6pDDM3TuXhehh6HHSR/E9NxT
          7oE=
          example.dom. 9346 IN RRSIG NS 5 2 10200 20100412015003 20100315015003 18182 example.dom. XIUX8rm6LZQq1+agULABIllTWic18Fa92MrHtn+vRce+mHN6svWALutF
          SvsqqCbCCBMlwZgShXKNZjuSu8+NKMnurafAtWU4IVWrt3UqSsWxKYPZ
          N3qtKrSuTTo/8vwUmmvyShlehSQ2xTA6Sk6dnn8iwUObO+8eoX190A23
          0Z8=
  26. DS record for the key signing key (key id 10177) to be published in the parent zone, shown with the DNSKEY it digests:
          example.dom. 3600 DS 10177 5 1 ( 763F5C58926ECA5C4E1B6B2701CA75E9F509F321 )
          example.dom. 3600 DNSKEY 257 3 5 ( AwEAAbctL3nCKtl55NRZW6g4i3tajQi55OtP
                                              XZYIIPoo2h6ENB0eGA5xfeDDJZwDkZt6z5bp
                                              ur0P1zCMa17JPMMpylp1+4j8G3VyKuZkLBIV
                                              eQif7N7sbP14Qzuo/T90ErVG/YbUYTSZifu3
                                              xm4D/P2xSV+SFe3tNd0g9o94TSs5jWM5 ) ; key id = 10177
  27. (Two-column slide: the unsigned infra.work zone beside its signed version; the columns were interleaved by extraction.) Unsigned zone: $TTL 100, $ORIGIN infra.work., @ 100 IN SOA ns.infra.work. olaf.nlnetlabs.nl. ( 2008091500 ; serial, 100 ; refresh (1 minute 40 seconds), 200 ; retry (3 minutes 20 seconds), 604800 ; expire (1 week), 100 ; minimum (1 minute 40 seconds) ), NS ns.infra.work., ns A 192.168.1.12, www A 192.168.1.10, * A 192.168.2.11, *.c A 192.168.2.12, a.b.c A 192.168.2.13. Signed zone: every record set gains an RRSIG (algorithm 5, inception 20081014113016, expiration 20081113113016, key tag 57798, signer infra.work.), each name gains an NSEC record pointing to the next name in the zone (the apex: 100 NSEC *.infra.work. NS SOA RRSIG NSEC DNSKEY), and the apex carries the zone's DNSKEY 256 3 5 ( ... ) ; key id = 57798.
  35. Validation failures logged by an Unbound resolver:
          Feb 10 04:16:43 ns0 unbound: [5973:1] info: validation failure <USPTO.GOV. MX IN>: no signatures from 151.207.246.51 for key USPTO.GOV. while building chain of trust
          Feb 10 04:53:00 ns0 unbound: [5973:0] info: validation failure <gk-w-mail.srvs.usps.gov. A IN>: no signatures over NSEC3s from 56.0.141.25 for DS gk-w-mail.srvs.usps.gov. while...
          Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure <www.hud.gov. A IN>: no DS...
          Feb 10 13:47:35 ns0 unbound: [5973:0] info: validation failure <www.atol.bg. A IN>: No DNSK...
          Feb 10 13:37:17 ns0 unbound: [5973:0] info: validation failure <ns.unicycle.cz. A IN>: no k...
          Feb 15 19:10:25 ns0 unbound: [5973:1] info: validation failure <FM.UL.PT. MX IN>: no NSEC3 records from 2001:690:21c0:b::150 for DS FM.UL.PT. while building chain of trust
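The link between the DNSKEY on slide 24/26 and the DS on slide 26, as an added example that is not part of the deck: it builds the DNSKEY RDATA, computes the RFC 4034 key tag and the SHA-1 DS digest a parent zone publishes, and checks whether the slide's DS 10177 covers the slide's key signing key (assuming the base64 was transcribed completely; dnskey_rdata, key_tag, ds_digest and ds_matches are names chosen here).

```python
import base64
import hashlib
import struct

# DNSKEY and DS from slide 26 of the deck (flags 257 = key signing key, protocol 3,
# algorithm 5 = RSASHA1); the base64 is the slide's wrapped lines joined, and the
# comparison below assumes they were transcribed completely.
SLIDE_DNSKEY = ("example.dom.", 257, 3, 5,
                "AwEAAbctL3nCKtl55NRZW6g4i3tajQi55OtPXZYIIPoo2h6ENB0eGA5xfeDDJZwDkZt6z5bp"
                "ur0P1zCMa17JPMMpylp1+4j8G3VyKuZkLBIVeQif7N7sbP14Qzuo/T90ErVG/YbUYTSZifu3"
                "xm4D/P2xSV+SFe3tNd0g9o94TSs5jWM5")
SLIDE_DS = (10177, 5, 1, "763F5C58926ECA5C4E1B6B2701CA75E9F509F321")

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold in the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type=1):
    """DS digest (RFC 4034 section 5.1.4): hash over owner-name wire form + DNSKEY RDATA."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds):
    """True when a DS (key tag, algorithm, digest type, digest) covers this DNSKEY."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (alg == algorithm and tag == key_tag(rdata)
            and digest.upper() == ds_digest(owner, rdata, dtype))

if __name__ == "__main__":
    owner, flags, proto, alg, key = SLIDE_DNSKEY
    rdata = dnskey_rdata(flags, proto, alg, key)
    print("key tag:", key_tag(rdata), "DS SHA-1:", ds_digest(owner, rdata))
    print("slide's DS covers its DNSKEY:", ds_matches(*SLIDE_DNSKEY, SLIDE_DS))
```

A mismatch here is exactly what the resolver logs on slide 35 report as a broken chain of trust: the parent's DS no longer describes any key the child publishes.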