Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DNSSec

1,370 views

Published on

Talk given at RMLL Security Track 2016, about DNS and security, DNSSEC and DANE. Focusing on bind and Puppet.

Published in: Technology
  • Be the first to comment

DNSSec

  1. 1. DNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and Security Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto RMLL Security Track July 5th, 2016
  2. 2. whoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhois Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto • Sysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.eu • From small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgs • Automation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & Monitoring • @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie on irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/github
  3. 3. inuits.eu
  4. 4. DNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNS
  5. 5. What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS? • TTTTTTTTTTTTTTTTTL;DR Translates domain name to IP • IIIIIIIIIIIIIIIIIn facto, stores much more data than IP
  6. 6. How it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it works Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/frans16611/6139595092
  7. 7. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  8. 8. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  9. 9. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  10. 10. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  11. 11. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  12. 12. DNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-critical • HHHHHHHHHHHHHHHHHolds IP addresses • HHHHHHHHHHHHHHHHHolds service definitions • HHHHHHHHHHHHHHHHHolds hostnames, TXT records
  13. 13. DNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practices • DDDDDDDDDDDDDDDDDo not mix Authoritative and Recursive servers • MMMMMMMMMMMMMMMMMix your DNS server `brand' • HHHHHHHHHHHHHHHHHide your DNS masters • DDDDDDDDDDDDDDDDDo not invent new TLD
  14. 14. Data stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNS • AAAAAAAAAAAAAAAAA records: IP addresses • CCCCCCCCCCCCCCCCCNAME: Cannonical names • SSSSSSSSSSSSSSSSSRV: Service record • MMMMMMMMMMMMMMMMMX: Mail servers • TTTTTTTTTTTTTTTTTXT: Text record
  15. 15. SRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV records _xmpp−client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.
  16. 16. TXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT Records • SSSSSSSSSSSSSSSSSPF record: Sender Policy Framework • DDDDDDDDDDDDDDDDDKIM • KKKKKKKKKKKKKKKKKeybase.io • LLLLLLLLLLLLLLLLLet's Encrypt DNS challenge
  17. 17. Not secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by design • 11111111111111111983 • DDDDDDDDDDDDDDDDDesigned for scale, not security • EEEEEEEEEEEEEEEEEarly 2000: birth of DNSSec
  18. 18. DNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSec • 22222222222222222000's DNSSec RFC • DDDDDDDDDDDDDDDDDNSSec hit DNS root in 2010 • MMMMMMMMMMMMMMMMMultiple iteration of RFC
  19. 19. The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. RFC 4033
  20. 20. What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec? • PPPPPPPPPPPPPPPPProof of origin and integrity • ZZZZZZZZZZZZZZZZZones and records signing • PPPPPPPPPPPPPPPPProof of non-existence
  21. 21. Two types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keys • ZZZZZZZZZZZZZZZZZSK: Zone Signing Key • KKKKKKKKKKKKKKKKKSK: Key Signing Key
  22. 22. Zone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing key • PPPPPPPPPPPPPPPPPrivate/Public key pair • SSSSSSSSSSSSSSSSSign the Records • eeeeeeeeeeeeeeeee.g sign the A records, the MX records … • RRRRRRRRRRRRRRRRRolled out frequently
  23. 23. Key Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing Key • PPPPPPPPPPPPPPPPPrivate/Public key pair • SSSSSSSSSSSSSSSSSign the ZSK • DDDDDDDDDDDDDDDDDesigned to be stronger than the ZSK • IIIIIIIIIIIIIIIIIts fingerprint is stored in parent zone
  24. 24. DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • RRRRRRRRRRRRRRRRRRSIG: Signature • DDDDDDDDDDDDDDDDDNSKEY: Public key • DDDDDDDDDDDDDDDDDS: Hash of a DNSKEY (parent zone)
  25. 25. DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • NNNNNNNNNNNNNNNNNSEC: Next secure • RRRRRRRRRRRRRRRRReturns the next secure entry • RRRRRRRRRRRRRRRRReturned when next secure is not found • NNNNNNNNNNNNNNNNNSEC/NSEC3 records are signed • NNNNNNNNNNNNNNNNNSEC3 prevents zone walking
  26. 26. In PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn Practice
  27. 27. BindBindBindBindBindBindBindBindBindBindBindBindBindBindBindBindBind • RRRRRRRRRRRRRRRRReference DNS Server • DDDDDDDDDDDDDDDDDeveloped by the Internet Systems Consortium • CCCCCCCCCCCCCCCCCurrent version: bind9 • bbbbbbbbbbbbbbbbbind10 project is abandoned
  28. 28. Bind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind features • SSSSSSSSSSSSSSSSSupports everything • RRRRRRRRRRRRRRRRRecurive, Authoritative • DDDDDDDDDDDDDDDDDynamic updates • DDDDDDDDDDDDDDDDDNSSec
  29. 29. Bind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSec • FFFFFFFFFFFFFFFFFull support + NSEC3 • MMMMMMMMMMMMMMMMManual signing • AAAAAAAAAAAAAAAAAutomated signing • DDDDDDDDDDDDDDDDDNSSec and dynamic zones
  30. 30. Generating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keys mkdir /etc/bind/keys cd /etc/bind/keys dnssec−keygen rmll.example dnssec−keygen −f KSK rmll.example
  31. 31. Generating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keys dnssec−keygen −a NSEC3RSASHA1 −b 2048 rmll .example dnssec−keygen −a NSEC3RSASHA1 −b 4096 −f KSK rmll.example
  32. 32. Generating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keys dnssec−dsfromkey −f /var/bind/rmll. example −K /etc/bind/keys/ rmll.example rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8 rmll.example. IN DS 18025 8 2 522 D8EA3287FFF41186169A30
  33. 33. Enable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bind options { dnssec−enable yes; dnssec−validation yes; }
  34. 34. Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Manually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signed zone "rmll.example" IN { type master; file "rmll.example.zone.signed"; };
  35. 35. Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Auto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto Signing zone "rmll.example" IN { type master; file "rmll.example.zone"; key−directory "/etc/bind/keys"; auto−dnssec maintain; inline−signing yes; };
  36. 36. Manually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zone dnssec−signzone −S −o rmll.example −K /etc /bind/keys/ /var/bind/master/rmll. example.zone • Creates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone file
  37. 37. DANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANE
  38. 38. DANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANE • DDDDDDDDDDDDDDDDDNS-based Authentication of Named Entities • NNNNNNNNNNNNNNNNNew record types to store public keys hashes • IIIIIIIIIIIIIIIIIndependant from DNSSec (!)
  39. 39. TLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA records • HHHHHHHHHHHHHHHHHash the fingerprint of a TLS key • """""""""""""""""Replacement" for the CA (https) • NNNNNNNNNNNNNNNNNot implemented natively in browsers • IIIIIIIIIIIIIIIIImplemented in IRC clients (irssi)
  40. 40. TLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA records _443._tcp IN TLSA 3 0 1 2 bfa3214fda53315b140e65fe66 _443._tcp.www IN TLSA 3 0 1 2 bfa3214fda53315b140e65 _6697._tcp.irc IN TLSA 3 0 1 2 bfa3214fda53315b140e6
  41. 41. Generating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hash openssl x509 −in cert.pem −outform DER | openssl sha256
  42. 42. SSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSH
  43. 43. TOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFU • TTTTTTTTTTTTTTTTTrust on first use • WWWWWWWWWWWWWWWWWorks on slowly moving env's • NNNNNNNNNNNNNNNNNowadays we populate new hosts all the time • NNNNNNNNNNNNNNNNNowadays we rebuild existing hosts
  44. 44. SSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP records • HHHHHHHHHHHHHHHHHash the fingerprint of a SSH server • IIIIIIIIIIIIIIIIImplemented in OpenSSH • UUUUUUUUUUUUUUUUUses DNS to recognize SSH key
  45. 45. IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c IN SSHFP 1 2 9 de5bc066a898733420bcfaae8f43e80e532 IN SSHFP 2 1 223 e89447a53a3178be02fee6fdd5b44228a IN SSHFP 2 2 2644 fcbd2a1b179091a195207e395d009b16
  46. 46. VerifyHostKeyDNS no VerifyHostKeyDNS yes VerifyHostKeyDNS ask
  47. 47. $ ssh −o VerifyHostKeyDNS=yes rmll.example The authenticity of host 'rmll.example (1.2.3.4)' can't be established. ECDSA key fingerprint is SHA256: f8zwQD3RU62PXgwCw5WRk2OIyVY. Matching host key fingerprint found in DNS Are you sure you want to continue?
  48. 48. Populating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fields • WWWWWWWWWWWWWWWWWhat if we have a single source of truth? • SSSSSSSSSSSSSSSSSomething that can scale, and be quick enough?
  49. 49. Config ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig Management • QQQQQQQQQQQQQQQQQuickly moving env often use Cfgmgmt Tools • TTTTTTTTTTTTTTTTThey know the env, store data • WWWWWWWWWWWWWWWWWe use Puppet+The foreman
  50. 50. PuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppet • AAAAAAAAAAAAAAAAA Config Management Tool • DDDDDDDDDDDDDDDDDeclarative • EEEEEEEEEEEEEEEEEnforces a desired state
  51. 51. Puppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet Facts • VVVVVVVVVVVVVVVVValues collected on the host • OOOOOOOOOOOOOOOOOS version, Uptime, kernel • SSSSSSSSSSSSSSSSSSH fingerprints • SSSSSSSSSSSSSSSSSent back to master
  52. 52. facts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfp • hhhhhhhhhhhhhhhhhttps://github.com/jpmens/facts2sshfp • PPPPPPPPPPPPPPPPPython script • RRRRRRRRRRRRRRRRRead facts yaml files • CCCCCCCCCCCCCCCCConverts Puppet facts to SSHFP records • UUUUUUUUUUUUUUUUUses Puppet as single source of truth • fffffffffffffffffacts2sshfp.py -T nsupdate.template -D a.aa. • OOOOOOOOOOOOOOOOOutput to templates, nsupdate commands…
  53. 53. The Foreman
  54. 54. The Foreman Provisioning
  55. 55. The Foreman Provisioning Configuration
  56. 56. The Foreman Provisioning Configuration Monitoring
  57. 57. The Foreman Provisioning Configuration Monitoring Reporting
  58. 58. Foreman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman Proxies • FFFFFFFFFFFFFFFFForeman works with a GUI + Proxies • DDDDDDDDDDDDDDDDDHCP proxy, Puppet Proxy, DNS proxy… • DDDDDDDDDDDDDDDDDNS Proxy is pluggable: bind9, powerdns…
  59. 59. Foreman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is great • OOOOOOOOOOOOOOOOOpen Source • BBBBBBBBBBBBBBBBBacked by Red Hat • TTTTTTTTTTTTTTTTThe main brick behind Red Hat Satellite 6 • PPPPPPPPPPPPPPPPProvides a REST API
  60. 60. Building a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) host • CCCCCCCCCCCCCCCCCreate/update DNS entries • CCCCCCCCCCCCCCCCCreate/update DHCP entries • CCCCCCCCCCCCCCCCCreate the VM in libvirt • BBBBBBBBBBBBBBBBBoot the VM • SSSSSSSSSSSSSSSSServe a kickstart • RRRRRRRRRRRRRRRRRun Puppet
  61. 61. The Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxy • PPPPPPPPPPPPPPPPPuppet Collects and save Facts on the machines • IIIIIIIIIIIIIIIIIt can send it back to the Foreman • FFFFFFFFFFFFFFFFForeman can graph them, query them…
  62. 62. facts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfp • hhhhhhhhhhhhhhhhhttps://github.com/jpmens/facts2sshfp • fffffffffffffffffacts2sshfp.py -T nsupdate.template --foreman-url=https://foreman.example -D a.aa.
  63. 63. ConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusion Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/haslamdigital/17191280202/sizes/h/
  64. 64. DNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocks • NNNNNNNNNNNNNNNNNeeded everywhere • DDDDDDDDDDDDDDDDDistributed • CCCCCCCCCCCCCCCCContains lots of data • MMMMMMMMMMMMMMMMMakes our life easier
  65. 65. DNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implement • AAAAAAAAAAAAAAAAAutomation is key • IIIIIIIIIIIIIIIIImplemented in most of the tools • AAAAAAAAAAAAAAAAAnd most of the DNS servers
  66. 66. DANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more security • SSSSSSSSSSSSSSSSSSH fingerprint • IIIIIIIIIIIIIIIIIRC, SMTP certificates hashes • EEEEEEEEEEEEEEEEExisting client-side implementations
  67. 67. DNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANE • DDDDDDDDDDDDDDDDDNSSec and Dane are more useful together • MMMMMMMMMMMMMMMMMake sure your resolver supports DNSsec! • TTTTTTTTTTTTTTTTThe power to check certificates without CA
  68. 68. ContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContact Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto julien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eu @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie inuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuits https://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.eu info@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.eu +32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636

×