SlideShare a Scribd company logo

Tsig 17022011

phosika sithisane
phosika sithisane

From Apricot2011

1 of 17
Download to read offline
DNS / DNSSEC Workshop DNS Security - TSIG Hong Kong 15-19 February 2011 in conjunction with APRICOT 2011
DNS: Data Flow Zone administrator 1! 4! Zone file master Caching forwarder 2! 3! 5! Dynamic updates slaves resolver
DNS Vulnerabilities Corrupting data! Impersonating master! Cache impersonation! Zone administrator 1! 4! Zone file master Caching forwarder 2! 3! 5! Dynamic updates slaves resolver Cache pollution by! Data spoofing! Unauthorized updates! Server protection! Data protection!
TSIG Protected Vulnerabilities Impersonating master! Zone administrator Zone file master Caching forwarder Dynamic updates slaves resolver Unauthorized updates!
What is TSIG - Transaction Signature? •  A mechanism for protecting a message from a primary to secondary and vice versa •  A keyed-hash is applied (like a digital signature) so recipient can verify message –  DNS question or answer –  & the timestamp •  Based on a shared secret - both sender and receiver are configured with it
What is TSIG - Transaction Signature? •  TSIG (RFC 2845) –  authorizing dynamic updates & zone transfers –  authentication of caching forwarders •  Used in server configuration, not in zone file
TSIG example verification! AXFR! AXFR! Sig ...! Sig ...! Query: AXFR! Slave! Master! KEY:
 KEY:
 %sgs!f23fv! %sgs!f23fv! Response: Zone! SOA ! SOA ! …! …! SOA! SOA! Sig ...! Sig ...! verification! 7
TSIG steps 1.  Generate secret 2.  Communicate secret 3.  Configure servers 4.  Test 8
TSIG - Names and Secrets •  TSIG name –  A name is given to the key, the name is what is transmitted in the message (so receiver knows what key the sender used) •  TSIG secret value –  A value determined during key generation –  Usually seen in Base64 encoding
TSIG – Generating a Secret •  dnssec-keygen –  Simple tool to generate keys –  Used here to generate TSIG keys  dnssec-keygen -a <algorithm> -b <bits> -n host <name of the key>!
TSIG – Generating a Secret •  Example! > dnssec-keygen –a HMAC-MD5 –b 128 –n HOST ns1-ns2.pcx.net This will generate the key > Kns1-ns2.pcx.net.+157+15921 >ls  Kns1-ns2.pcx.net.+157+15921.key  Kns1-ns2.pcx.net.+157+15921.private
TSIG – Generating a Secret •  TSIG should never be put in zone files!!! –  might be confusing because it looks like RR: ns1-ns2.pcx.net. IN KEY 128 3 157 nEfRX9…bbPn7lyQtE=!
TSIG – Configuring Servers •  Configuring the key –  in named.conf file, same syntax as for rndc – key { algorithm ...; secret ...;} •  Making use of the key –  in named.conf file – server x { key ...; }! –  where 'x' is an IP number of the other server
Configuration Example – named.conf Primary server 10.33.40.46! Secondary server 10.33.50.35 key ns1-ns2.pcx. net {! key ns1-ns2.pcx.net {! !algorithm hmac-md5;! !algorithm hmac-md5;! !secret "APlaceToBe";! !secret "APlaceToBe";! };! };! server 10.33.50.35 {! server 10.33.40.46 {! !keys {ns1-ns2.pcx.net;};! keys {ns1-ns2.pcx.net;};! };! };! zone "my.zone.test." {! zone "my.zone.test." {! !type master;! !type slave;! !file “db.myzone”;! !file “myzone.backup”;! !allow-transfer {! !masters {10.33.40.46;};! !key ns1-ns2..pcx.net ;};!};! };! You can save this in a file and refer to it in the named.conf using ‘include’ statement: include “/var/named/master/tsig-key-ns1-ns2”;
TSIG Testing : dig •  You can use dig to check TSIG configuration –  dig @<server> <zone> AXFR -k <TSIG keyfile>! $ dig @127.0.0.1 example.net AXFR ! -k Kns1-ns2.pcx.net.+157+15921.key! •  Wrong key will give “Transfer failed” and on the server the security-category will log this. 15
TSIG Testing - TIME! •  TSIG is time sensitive - to stop replays –  Message protection expires in 5 minutes –  Make sure time is synchronized –  For testing, set the time –  In operations, (secure) NTP is needed
Questions? 17

Recommended

Erlang Lightning Talk
Erlang Lightning TalkErlang Lightning Talk
Erlang Lightning TalkGiltTech
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report WebinarMen and Mice
 
The KNOT DNS Server
The KNOT DNS ServerThe KNOT DNS Server
The KNOT DNS ServerMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;Barry Greene
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance TuningJavier Arturo Rodríguez
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 

Recommended

Erlang Lightning Talk
Erlang Lightning TalkErlang Lightning Talk
Erlang Lightning TalkGiltTech
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report WebinarMen and Mice
 
The KNOT DNS Server
The KNOT DNS ServerThe KNOT DNS Server
The KNOT DNS ServerMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;
BIND’s New Security Feature: DNSRPZ - the &quot;DNS Firewall&quot;Barry Greene
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance TuningJavier Arturo Rodríguez
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat KorchaginNETWAYS
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckhHEM Sothon
 
DNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedDNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog ScaleDocker, Inc.
 
DockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing AureaDockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing AureaŁukasz Piątkowski
 
How to monitor NGINX
How to monitor NGINXHow to monitor NGINX
How to monitor NGINXServer Density
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
Tendências e Evoluções em Armazemamento de Dados
Tendências e Evoluções em Armazemamento de Dados Tendências e Evoluções em Armazemamento de Dados
Tendências e Evoluções em Armazemamento de Dados Jefferson Alcantara
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
How to tune Kafka® for production
How to tune Kafka® for productionHow to tune Kafka® for production
How to tune Kafka® for productionconfluent
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteMen and Mice
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS FirewallAPNIC
 
Call Of Duty 2 Cheats
Call Of Duty 2 CheatsCall Of Duty 2 Cheats
Call Of Duty 2 Cheatsguest8c02548
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
分享互联网
分享互联网分享互联网
分享互联网alicanglang
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3DNS Entrepreneurship Center
 
Dnssec
DnssecDnssec
Dnssecguest3131f85
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 

More Related Content

What's hot

stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat KorchaginNETWAYS
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckhHEM Sothon
 
DNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedDNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog ScaleDocker, Inc.
 
DockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing AureaDockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing AureaŁukasz Piątkowski
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
Tendências e Evoluções em Armazemamento de Dados
Tendências e Evoluções em Armazemamento de Dados Tendências e Evoluções em Armazemamento de Dados
Tendências e Evoluções em Armazemamento de Dados Jefferson Alcantara
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
How to tune Kafka® for production
How to tune Kafka® for productionHow to tune Kafka® for production
How to tune Kafka® for productionconfluent
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteMen and Mice
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS FirewallAPNIC
 
Call Of Duty 2 Cheats
Call Of Duty 2 CheatsCall Of Duty 2 Cheats
Call Of Duty 2 Cheatsguest8c02548
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 

What's hot (18)

stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckh
 
DNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedDNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloaded
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
DockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing AureaDockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing Aurea
 
How to monitor NGINX
How to monitor NGINXHow to monitor NGINX
How to monitor NGINX
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
Tendências e Evoluções em Armazemamento de Dados
Tendências e Evoluções em Armazemamento de Dados Tendências e Evoluções em Armazemamento de Dados
Tendências e Evoluções em Armazemamento de Dados
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
How to tune Kafka® for production
How to tune Kafka® for productionHow to tune Kafka® for production
How to tune Kafka® for production
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice Suite
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS Firewall
 
Call Of Duty 2 Cheats
Call Of Duty 2 CheatsCall Of Duty 2 Cheats
Call Of Duty 2 Cheats
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 

Viewers also liked

CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 

Viewers also liked (6)

分享互联网
分享互联网分享互联网
分享互联网
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 
Dnssec
DnssecDnssec
Dnssec
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 

Similar to Tsig 17022011

DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...MongoDB
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
 
Scaling Servers and Storage for Film Assets
Scaling Servers and Storage for Film Assets Scaling Servers and Storage for Film Assets
Scaling Servers and Storage for Film Assets Perforce
 
GOTO Night with Todd Montgomery: Aeron: What, why and what next?
GOTO Night with Todd Montgomery: Aeron: What, why and what next?GOTO Night with Todd Montgomery: Aeron: What, why and what next?
GOTO Night with Todd Montgomery: Aeron: What, why and what next?Alexandra Masterson
 
Share winter 2016 encryption
Share winter 2016 encryptionShare winter 2016 encryption
Share winter 2016 encryptionbigendiansmalls
 
Data Decryption & Password Recovery
Data Decryption & Password RecoveryData Decryption & Password Recovery
Data Decryption & Password RecoveryAndrey Belenko
 
Host Intrusion Detection like a Boss
Host Intrusion Detection like a BossHost Intrusion Detection like a Boss
Host Intrusion Detection like a BossAndré Lima
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
NSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - EnglishNSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - EnglishFlorent Pillet
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Digital Bond
 
Managing server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerManaging server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerIgnat Korchagin
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualizationSisimon Soman
 

Similar to Tsig 17022011 (20)

DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
 
Scaling Servers and Storage for Film Assets
Scaling Servers and Storage for Film Assets Scaling Servers and Storage for Film Assets
Scaling Servers and Storage for Film Assets
 
Dnssec
DnssecDnssec
Dnssec
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
6 technical-dns-workshop-day3
6 technical-dns-workshop-day36 technical-dns-workshop-day3
6 technical-dns-workshop-day3
 
GOTO Night with Todd Montgomery: Aeron: What, why and what next?
GOTO Night with Todd Montgomery: Aeron: What, why and what next?GOTO Night with Todd Montgomery: Aeron: What, why and what next?
GOTO Night with Todd Montgomery: Aeron: What, why and what next?
 
Share winter 2016 encryption
Share winter 2016 encryptionShare winter 2016 encryption
Share winter 2016 encryption
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Data Decryption & Password Recovery
Data Decryption & Password RecoveryData Decryption & Password Recovery
Data Decryption & Password Recovery
 
Host Intrusion Detection like a Boss
Host Intrusion Detection like a BossHost Intrusion Detection like a Boss
Host Intrusion Detection like a Boss
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
NSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - EnglishNSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - English
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4
 
Managing server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerManaging server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password manager
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
VDI storage and storage virtualization
VDI storage and storage virtualizationVDI storage and storage virtualization
VDI storage and storage virtualization
 

Tsig 17022011

  • 1. DNS / DNSSEC Workshop DNS Security - TSIG Hong Kong 15-19 February 2011 in conjunction with APRICOT 2011
  • 2. DNS: Data Flow Zone administrator 1! 4! Zone file master Caching forwarder 2! 3! 5! Dynamic updates slaves resolver
  • 3. DNS Vulnerabilities Corrupting data! Impersonating master! Cache impersonation! Zone administrator 1! 4! Zone file master Caching forwarder 2! 3! 5! Dynamic updates slaves resolver Cache pollution by! Data spoofing! Unauthorized updates! Server protection! Data protection!
  • 4. TSIG Protected Vulnerabilities Impersonating master! Zone administrator Zone file master Caching forwarder Dynamic updates slaves resolver Unauthorized updates!
  • 5. What is TSIG - Transaction Signature? •  A mechanism for protecting a message from a primary to secondary and vice versa •  A keyed-hash is applied (like a digital signature) so recipient can verify message –  DNS question or answer –  & the timestamp •  Based on a shared secret - both sender and receiver are configured with it
  • 6. What is TSIG - Transaction Signature? •  TSIG (RFC 2845) –  authorizing dynamic updates & zone transfers –  authentication of caching forwarders •  Used in server configuration, not in zone file
  • 7. TSIG example verification! AXFR! AXFR! Sig ...! Sig ...! Query: AXFR! Slave! Master! KEY:
 KEY:
 %sgs!f23fv! %sgs!f23fv! Response: Zone! SOA ! SOA ! …! …! SOA! SOA! Sig ...! Sig ...! verification! 7
  • 8. TSIG steps 1.  Generate secret 2.  Communicate secret 3.  Configure servers 4.  Test 8
  • 9. TSIG - Names and Secrets •  TSIG name –  A name is given to the key, the name is what is transmitted in the message (so receiver knows what key the sender used) •  TSIG secret value –  A value determined during key generation –  Usually seen in Base64 encoding
  • 10. TSIG – Generating a Secret •  dnssec-keygen –  Simple tool to generate keys –  Used here to generate TSIG keys  dnssec-keygen -a <algorithm> -b <bits> -n host <name of the key>!
  • 11. TSIG – Generating a Secret •  Example! > dnssec-keygen –a HMAC-MD5 –b 128 –n HOST ns1-ns2.pcx.net This will generate the key > Kns1-ns2.pcx.net.+157+15921 >ls  Kns1-ns2.pcx.net.+157+15921.key  Kns1-ns2.pcx.net.+157+15921.private
  • 12. TSIG – Generating a Secret •  TSIG should never be put in zone files!!! –  might be confusing because it looks like RR: ns1-ns2.pcx.net. IN KEY 128 3 157 nEfRX9…bbPn7lyQtE=!
  • 13. TSIG – Configuring Servers •  Configuring the key –  in named.conf file, same syntax as for rndc – key { algorithm ...; secret ...;} •  Making use of the key –  in named.conf file – server x { key ...; }! –  where 'x' is an IP number of the other server
  • 14. Configuration Example – named.conf Primary server 10.33.40.46! Secondary server 10.33.50.35 key ns1-ns2.pcx. net {! key ns1-ns2.pcx.net {! !algorithm hmac-md5;! !algorithm hmac-md5;! !secret "APlaceToBe";! !secret "APlaceToBe";! };! };! server 10.33.50.35 {! server 10.33.40.46 {! !keys {ns1-ns2.pcx.net;};! keys {ns1-ns2.pcx.net;};! };! };! zone "my.zone.test." {! zone "my.zone.test." {! !type master;! !type slave;! !file “db.myzone”;! !file “myzone.backup”;! !allow-transfer {! !masters {10.33.40.46;};! !key ns1-ns2..pcx.net ;};!};! };! You can save this in a file and refer to it in the named.conf using ‘include’ statement: include “/var/named/master/tsig-key-ns1-ns2”;
  • 15. TSIG Testing : dig •  You can use dig to check TSIG configuration –  dig @<server> <zone> AXFR -k <TSIG keyfile>! $ dig @127.0.0.1 example.net AXFR ! -k Kns1-ns2.pcx.net.+157+15921.key! •  Wrong key will give “Transfer failed” and on the server the security-category will log this. 15
  • 16. TSIG Testing - TIME! •  TSIG is time sensitive - to stop replays –  Message protection expires in 5 minutes –  Make sure time is synchronized –  For testing, set the time –  In operations, (secure) NTP is needed