The problem
DNS is insecure: one packet for the query, one packet for the response; easily spoofed.
DNS spoofing & cache poisoning: a DNS server accepts and uses data from a host which shouldn't have been allowed to provide the reply.
The solution: DNSSEC
Eliminates known cache-poisoning attacks & cache manipulation.
Public key cryptography and digital signatures provide data origin authentication and data integrity.
Doesn't encrypt data -- that would be stupid.
But: not end-to-end (from validating cache to authoritative server only). Install a validating cache "close" to you.
[Figure: client -> validating resolver -> authoritative servers]
Authenticated Data
dig +dnssec and watch for the AD flag, which indicates successful validation:
$ dig +dnssec @127.0.0.1 localhost.jpmens.org a
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
Problem: At work
At $WORK resolution doesn't work: the resolver is validating.
No problem: At home
At home it works: the ISP doesn't (yet) do DNSSEC.
Proof
Does it exist or doesn't it?
Validating query:
$ dig +dnssec www.dnssec-failed.org
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
;; flags: qr rd ra; QUERY: 1, ANSWER: 0
Checking Disabled:
$ dig +cd +dnssec www.dnssec-failed.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2
;; ANSWER SECTION:
www.dnssec-failed.org. 5620 IN A 220.127.116.11
Proof (2)
$ dig +cd +dnssec +multiline www.dnssec-failed.org
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2
;; ANSWER SECTION:
www.dnssec-failed.org. 3202 IN A 18.104.22.168
www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 (
                20090101000000 48621 dnssec-failed.org.
                gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm
                wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k
                Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu
                UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
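The two "Proof" slides above are a manual procedure: query with +dnssec, and if you get SERVFAIL, retry with +cd to see whether it is the validator refusing bogus data or the name simply not resolving. The following is an added example (not code from the slides) that automates that decision from dig's header lines and also checks the RRSIG validity window shown in the +multiline output; the dig output embedded below is constructed to match the slides, not captured live.

```python
import re
from datetime import datetime, timezone

# Constructed dig output modelled on the slide's two www.dnssec-failed.org queries
# (RRSIG abbreviated); not captured from a live resolver.
DIG_PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0
"""
DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2
;; ANSWER SECTION:
www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 (
                20090101000000 48621 dnssec-failed.org. gM8I...Fg0= )
"""

def header(out):
    """Return (status, set of flags) from dig's ;; HEADER and ;; flags lines."""
    status = re.search(r"status: (\w+)", out).group(1)
    flags = re.search(r";; flags: ([\w ]*);", out).group(1).split()
    return status, set(flags)

def classify(plain, with_cd):
    """Classify a +dnssec answer, using the +cd retry to tell bogus from broken.

    secure      NOERROR with the AD bit: the validator verified the chain
    insecure    NOERROR without AD: unsigned zone or non-validating resolver
    bogus       SERVFAIL that turns into NOERROR with +cd: validation failed
    unresolved  SERVFAIL even with +cd: not a DNSSEC problem at all
    """
    status, flags = header(plain)
    if status == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    cd_status, _ = header(with_cd)
    return "bogus" if cd_status == "NOERROR" else "unresolved"

RRSIG_RE = re.compile(r"RRSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(\d{14})\s*\(\s*(\d{14})")
TS = "%Y%m%d%H%M%S"  # RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC

def rrsig_window(out):
    """(inception, expiration) of the first RRSIG in +multiline dig output."""
    m = RRSIG_RE.search(out)
    if m is None:
        raise ValueError("no RRSIG in answer")
    exp, inc = (datetime.strptime(x, TS).replace(tzinfo=timezone.utc) for x in m.groups())
    return inc, exp

def rrsig_valid_at(out, when):
    """True if the RRSIG's validity window covers `when` (YYYYMMDDHHMMSS, UTC)."""
    inc, exp = rrsig_window(out)
    return inc <= datetime.strptime(when, TS).replace(tzinfo=timezone.utc) <= exp

def rrsig_expired(out):
    """The slide's signature expired in February 2009, so this is True today."""
    return datetime.now(timezone.utc) > rrsig_window(out)[1]
```

Note that +cd also "works" against a resolver that never validates at all, so the AD bit on a known-good signed name (the previous slide) is the check that your resolver is actually validating.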
Signing and validation
Signing:
    Create keys and add to zone
    Sign zone
    Enable DNSSEC and load signed zones
    Submit DS-RR to parent zone (alternatively: use DLV)
Validation:
    Configure trust anchor
    Enable DNSSEC
Unbound as a DNS cache
Unbound is a secure, caching-only, portable DNS server, maintained by NLnetLabs under a BSD license.
Designed with DNSSEC and IPv6 from the ground up. Trusts nothing. Good security.
Many "distros" have packages; I recommend the newest version: http://unbound.net/
Lightweight, fast, and easy to configure. No split personalities.
(And I was first to write about Unbound :-)
Configuration
One file (but we'll add more later on):
$ cat /etc/unbound/unbound.conf
server:
    access-control: 127.0.0.1/8 allow
    verbosity: 1
Launch unbound (and watch your syslog):
# unbound
Query it:
$ dig +short @127.0.0.1 techforum.jpmens.org txt
"Moscow"
That's it!
Enable DNSSEC validation
Needs the root DNSSEC trust anchor; the unbound-anchor utility retrieves the root zone's DNSSEC key securely:
$ unbound-anchor -a /etc/unbound/root.key
Configure the trust anchor in unbound.conf:
    auto-trust-anchor-file: "/etc/unbound/root.key"
Ensure unbound-anchor is in the start-up scripts. Reload:
$ unbound-control reload
Did that work?
$ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
Your own DNSSEC testbed
Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records:
example.org IN DS 47534 8 1 74526d3f57...
example.org IN DS 47534 8 2 82512fb4ad...
example.com IN DS 47534 8 3 296fc89ee0...
Configure the keys into Unbound:
    trust-anchor-file: "/etc/unbound/my.keys"
Alternatively use trust-anchor configuration statements.
Configure the zone:
stub-zone:
    name: "example.org"
    stub-addr: 10.81.0.1
    stub-addr: 10.2.14.3
Serve local data
Unbound can serve "local" data to its clients. For example, a static "zone":
local-zone: "techforum." static
local-data: "pc.techforum. IN A 192.168.1.12"
local-data: 'kate.techforum. TXT "Hi Kate!"'
local-data-ptr: "192.168.1.12 beamer.techforum"
Will it work?
$ dig +short @127.0.0.1 kate.techforum txt
"Hi Kate!"
Local data can be added on-the-fly with unbound-control.
More local data
Override a single name (all others resolved normally):
local-data: "foo.jpmens.org A 127.0.0.1"
Redirect a whole domain to an IP:
local-zone: "example.aa" redirect
local-data: "example.aa A 127.0.0.9"
DNSSEC-Trigger
Monitors changes to the local network configuration (DHCP) and reconfigures the local Unbound:
    Forward to caches if possible
    Fallback to authoritative servers
    Fallback to the NLnetLabs server via port 443
[Figure: dnssec-trigger steering Unbound to (A) the caching DNS, (B) public DNS, or (C) the NLnetLabs Unbound server]
DNSSEC-Trigger (2)
Works on Linux, Mac OS/X and Windows.
Installer: http://www.nlnetlabs.nl/projects/dnssec-trigger/
Status bar
PowerDNS
Supports pre-signed zones or live-signing operations; otherwise zone data and keys/signatures are kept separate.
Some changes in the database schema; a small change in the configuration:
launch=gpgsql
gpgsql-dnssec
gpgsql-host=127.0.0.1
gpgsql-user=powerdns
gpgsql-password=secret
gpgsql-dbname=powerdns
Off we go:
$ pdnssec secure-zone example.org
That's it. Honest!
PowerDNS (cont'd)
Can import existing (BIND) keys (v1.2).
Keys are in the back-end database (gmysql, gpgsql, gsqlite) and need to be protected; it's a bit like the private key for your HTTPS server. Alternatively run in pre-signed mode, or use an encrypted file system.
Supports NSEC and NSEC3.
Signatures (RRSIG records) are calculated on the fly: inception is the previous Thursday, expiration is the Thursday two weeks later. No issue if PDNS is authoritative, but watch out if it is a hidden master.
No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR.
PowerDNS: pdnssec
New utility: pdnssec
$ pdnssec secure-zone $z    # creates 3 keys
$ pdnssec show-zone $z      # output formatted
Zone has NSEC semantics
Zone is not presigned
keys:
ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048
KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8=
DS = example.org IN DS 41120 8 1 3296abd...b93
DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b
DS = example.org IN DS 41120 8 3 3c01686...50be3e4
ID = 8 (ZSK), tag = 50853, algo = 8, bits = 1024  Active: 1
ID = 9 (ZSK), tag = 8751, algo = 8, bits = 1024  Active: 0
Testing & verification
Configure an island of trust in Unbound (or BIND) to test your authoritative server.
Check: DNSSEC or not? http://dnssectest.sidn.nl/
DNSViz http://dnsviz.net/
DNScheck http://dnscheck.iis.se/
ZoneCheck http://zonecheck.fr
DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/
SURFnet DNSSEC monitor http://www.dnssecmonitor.org/
Applications for DNSSEC
Interesting new uses for DNS now that it's secure:
DNS-based Authentication of Named Entities (DANE) https://datatracker.ietf.org/wg/dane/charter/
SSL certificate validation and DNSSEC (also: Phreeload) http://mens.de/:/bo
SSHFP http://mens.de/:/bt