DNSSec

Julien Pivotto
Open Source Consultant at Inuits
DNS and Security
Julien Pivotto
RMLL Security Track
July 5th, 2016
whois
Julien Pivotto
• Sysadmin at inuits.eu
• From small to large scale orgs
• Automation & Monitoring
• @roidelapluie on irc/twitter/github
inuits.eu
DNS
What is DNS?
• TL;DR: translates domain names to IP addresses
• In fact, it stores much more data than IP addresses
How it works
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License
https://www.flickr.com/photos/frans16611/6139595092
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License
Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
DNS is mission-critical
• Holds IP addresses
• Holds service definitions
• Holds hostnames, TXT records
DNS practices
• Do not mix authoritative and recursive servers
• Mix your DNS server 'brands'
• Hide your DNS masters
• Do not invent new TLDs
Data stored in DNS
• A records: IP addresses
• CNAME: canonical names
• SRV: service record
• MX: mail servers
• TXT: text record
SRV records
_xmpp-client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.
TXT Records
• SPF record: Sender Policy Framework
• DKIM
• Keybase.io
• Let's Encrypt DNS challenge
Not secure by design
• 1983
• Designed for scale, not security
• Early 2000s: birth of DNSSec
DNSSec
• 2000s: DNSSec RFC
• DNSSec hit the DNS root in 2010
• Multiple iterations of the RFC
"The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System."
RFC 4033
What is DNSSec?
• Proof of origin and integrity
• Zone and record signing
• Proof of non-existence
Two types of keys
• ZSK: Zone Signing Key
• KSK: Key Signing Key
Zone Signing Key
• Private/public key pair
• Signs the records
• e.g. signs the A records, the MX records …
• Rolled over frequently
Key Signing Key
• Private/public key pair
• Signs the ZSK
• Designed to be stronger than the ZSK
• Its fingerprint is stored in the parent zone
DNS record types
• RRSIG: signature
• DNSKEY: public key
• DS: hash of a DNSKEY (stored in the parent zone)
DNS record types
• NSEC: Next Secure
• Returns the next secure entry
• Returned when a name is not found
• NSEC/NSEC3 records are signed
• NSEC3 prevents zone walking
In Practice
Bind
• Reference DNS server
• Developed by the Internet Systems Consortium
• Current version: bind9
• bind10 project is abandoned
Bind features
• Supports everything
• Recursive, authoritative
• Dynamic updates
• DNSSec
Bind and DNSSec
• Full support + NSEC3
• Manual signing
• Automated signing
• DNSSec and dynamic zones
Generating keys
mkdir /etc/bind/keys
cd /etc/bind/keys
dnssec-keygen rmll.example
dnssec-keygen -f KSK rmll.example
Generating keys
dnssec-keygen -a NSEC3RSASHA1 -b 2048 rmll.example
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -f KSK rmll.example
Generating DS keys
dnssec-dsfromkey -f /var/bind/rmll.example -K /etc/bind/keys/ rmll.example
rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8
rmll.example. IN DS 18025 8 2 522D8EA3287FFF41186169A30
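What dnssec-dsfromkey computes for those two DS lines, as an added example (not part of the slides, not BIND's code): the key tag from RFC 4034 Appendix B, and the digest over the canonical owner name plus the DNSKEY RDATA, for digest types 1 (SHA-1) and 2 (SHA-256). The DNSKEY line used is constructed with four bytes of fake key material; a real KSK has flags 257 (SEP bit set), which the code checks before emitting a DS.

```python
import base64
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 4509: 1 = SHA-1, 2 = SHA-256.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); not valid for algorithm 1 (RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, flags, proto, alg, key)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, key


def ds_records(dnskey_line: str):
    """DS lines for one DNSKEY, as dnssec-dsfromkey prints them; returns (key_tag, [lines])."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    if alg == 1:
        raise ValueError("algorithm 1 (RSAMD5) uses a different key tag rule and is obsolete")
    if not flags & 0x0001:
        # Only keys with the SEP bit (257 = KSK) belong in the parent zone as DS records.
        raise ValueError(f"{owner}: flags {flags} has no SEP bit; publish the DS of the KSK, not the ZSK")
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    tag = key_tag(rdata)
    digested = name_to_wire(owner) + rdata
    owner = owner.lower().rstrip(".") + "."
    lines = [f"{owner} IN DS {tag} {alg} {dtype} {h(digested).hexdigest().upper()}"
             for dtype, h in DS_DIGESTS.items()]
    return tag, lines


# Constructed DNSKEY: flags 257 (ZONE + SEP, i.e. a KSK), protocol 3, algorithm 8 (RSASHA256),
# and four bytes of fake key material (base64 "AQIDBA==" = 01 02 03 04). Not a real key.
CONSTRUCTED_KSK = "rmll.example. IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    tag, lines = ds_records(CONSTRUCTED_KSK)
    print(f"key tag {tag}")
    for line in lines:
        print(line)
```

The digest type 1 (SHA-1) line is still emitted because the slide shows it, but the parent only needs the type 2 record.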
Enable DNSSec in bind
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
Enable DNSSec for a zone
Manually signed
zone "rmll.example" IN {
    type master;
    file "rmll.example.zone.signed";
};
Enable DNSSec for a zone
Auto signing
zone "rmll.example" IN {
    type master;
    file "rmll.example.zone";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;
    inline-signing yes;
};
Manually sign a zone
dnssec-signzone -S -o rmll.example -K /etc/bind/keys/ /var/bind/master/rmll.example.zone
• Creates a .signed zone file
DANE
• DNS-based Authentication of Named Entities
• New record types to store public key hashes
• Independent from DNSSec (!)
TLSA records
• Hash (fingerprint) of a TLS key
• "Replacement" for the CA (https)
• Not implemented natively in browsers
• Implemented in IRC clients (irssi)
TLSA records
_443._tcp IN TLSA 3 0 1 2bfa3214fda53315b140e65fe66
_443._tcp.www IN TLSA 3 0 1 2bfa3214fda53315b140e65
_6697._tcp.irc IN TLSA 3 0 1 2bfa3214fda53315b140e6
Generating a hash
openssl x509 -in cert.pem -outform DER | openssl sha256
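The same computation as the openssl pipeline above, plus the check a DANE-aware client performs against the record, as an added example (not from the slides): PEM to DER, SHA-256 (matching type 1) or SHA-512 (matching type 2) over the whole certificate (selector 0), usage 3 (DANE-EE) as in the three TLSA records shown. The PEM body is constructed (it decodes to the ASCII bytes "constructed"), not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# TLSA matching types (RFC 6698): 1 = SHA-256, 2 = SHA-512 over the selected data.
MATCHING_TYPES = {1: hashlib.sha256, 2: hashlib.sha512}


def pem_to_der(pem: str) -> bytes:
    """What `openssl x509 -in cert.pem -outform DER` does: strip the armour, base64-decode."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_record(host: str, port: int, der: bytes, proto: str = "tcp",
                usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Presentation form of a TLSA record over the full certificate (selector 0).

    usage 3 = DANE-EE: the published hash is the trust anchor, no CA involved.
    Selector 1 (SubjectPublicKeyInfo only) would need DER parsing and is not handled here.
    """
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is implemented")
    digest = MATCHING_TYPES[mtype](der).hexdigest()
    owner = f"_{port}._{proto}" + (f".{host}" if host else "")
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest}"


def tlsa_matches(record: str, presented_der: bytes) -> bool:
    """Client-side check: does the certificate a server presented match the published record?"""
    fields = record.split()
    usage, selector, mtype = (int(x) for x in fields[-4:-1])
    published = fields[-1].lower()
    if usage != 3 or selector != 0 or mtype not in MATCHING_TYPES:
        return False  # parameter combination we cannot evaluate: fail closed
    computed = MATCHING_TYPES[mtype](presented_der).hexdigest()
    return hmac.compare_digest(computed, published)


# Constructed PEM: the body is base64 of the ASCII bytes "constructed", not an X.509 certificate.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    for host, port in (("", 443), ("www", 443), ("irc", 6697)):
        print(tlsa_record(host, port, der))
```

RFC 6698 only lets a client act on a TLSA record that the resolver returned DNSSEC-validated, which is why the closing slides say DNSSec and DANE are more useful together.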
SSH
TOFU
• Trust On First Use
• Works in slowly moving environments
• Nowadays we populate new hosts all the time
• Nowadays we rebuild existing hosts
SSHFP records
• Hash (fingerprint) of an SSH server key
• Implemented in OpenSSH
• Uses DNS to recognise SSH host keys
IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c
IN SSHFP 1 2 9de5bc066a898733420bcfaae8f43e80e532
IN SSHFP 2 1 223e89447a53a3178be02fee6fdd5b44228a
IN SSHFP 2 2 2644fcbd2a1b179091a195207e395d009b16
VerifyHostKeyDNS no
VerifyHostKeyDNS yes
VerifyHostKeyDNS ask
$ ssh -o VerifyHostKeyDNS=yes rmll.example
The authenticity of host 'rmll.example (1.2.3.4)' can't be established.
ECDSA key fingerprint is SHA256:f8zwQD3RU62PXgwCw5WRk2OIyVY.
Matching host key fingerprint found in DNS
Are you sure you want to continue?
Populating SSHFP fields
• What if we have a single source of truth?
• Something that can scale, and be quick enough?
Config Management
• Quickly moving environments often use config management tools
• They know the environment and store data about it
• We use Puppet + The Foreman
Puppet
• A config management tool
• Declarative
• Enforces a desired state
Puppet Facts
• Values collected on the host
• OS version, uptime, kernel
• SSH fingerprints
• Sent back to the master
facts2sshfp
• https://github.com/jpmens/facts2sshfp
• Python script
• Reads facts YAML files
• Converts Puppet facts to SSHFP records
• Uses Puppet as single source of truth
• facts2sshfp.py -T nsupdate.template -D a.aa.
• Output to templates, nsupdate commands…
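An added example of the two steps behind the SSHFP slides and facts2sshfp (written for this page, not the facts2sshfp project's code): compute the SSHFP records `ssh-keygen -r` would print from a host's public key blob, then emit the nsupdate transaction that replaces the host's SSHFP RRset. It assumes the legacy Facter fact names sshrsakey, sshdsakey, sshecdsakey and sshed25519key, which hold the bare base64 key blob; the facts below are constructed (the ed25519 key bytes are 0..31, not a real key) and YAML loading is left out.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def key_type_from_blob(blob: bytes) -> str:
    """The first field of a public key blob is its key type string."""
    (n,) = struct.unpack("!I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def sshfp_records(owner: str, pubkey: str, ttl: int = 3600):
    """SSHFP presentation records for one host key, as `ssh-keygen -r` prints them.

    Accepts a bare base64 blob (how the legacy Puppet ssh*key facts store it)
    or a full "<type> <base64> [comment]" line from ssh_host_*_key.pub.
    """
    parts = pubkey.split()
    b64 = parts[1] if len(parts) >= 2 else parts[0]
    blob = base64.b64decode(b64)
    ktype = key_type_from_blob(blob)
    if len(parts) >= 2 and parts[0] != ktype:
        raise ValueError(f"declared type {parts[0]!r} does not match blob type {ktype!r}")
    alg = SSHFP_ALGORITHMS[ktype]
    # The fingerprint is the digest of the raw (base64-decoded) key blob.
    return [f"{owner} {ttl} IN SSHFP {alg} {fpt} {h(blob).hexdigest()}" for fpt, h in FP_TYPES.items()]


def facts_to_sshfp(fqdn: str, facts: dict, ttl: int = 3600):
    """Turn the ssh*key facts of one host into its SSHFP RRset."""
    records = []
    for fact in ("sshrsakey", "sshdsakey", "sshecdsakey", "sshed25519key"):
        if facts.get(fact):
            records.extend(sshfp_records(fqdn.rstrip(".") + ".", facts[fact], ttl))
    return records


def nsupdate_script(fqdn: str, records, zone: str) -> str:
    """nsupdate input that replaces the host's whole SSHFP RRset in one transaction."""
    name = fqdn.rstrip(".") + "."
    lines = [f"zone {zone.rstrip('.')}.", f"update delete {name} IN SSHFP"]
    lines += [f"update add {r}" for r in records]
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed facts for one host: an ed25519 "key" whose 32 bytes are just 0..31 (not a real key).
CONSTRUCTED_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CONSTRUCTED_FACTS = {
    "fqdn": "host1.rmll.example",
    "sshed25519key": base64.b64encode(CONSTRUCTED_ED25519_BLOB).decode("ascii"),
    "sshrsakey": "",  # fact present but empty: no RSA host key on this host
}

if __name__ == "__main__":
    recs = facts_to_sshfp(CONSTRUCTED_FACTS["fqdn"], CONSTRUCTED_FACTS)
    print(nsupdate_script(CONSTRUCTED_FACTS["fqdn"], recs, "rmll.example"))
```

With VerifyHostKeyDNS yes, OpenSSH implicitly trusts a matching SSHFP record only when the resolver returned it DNSSEC-validated; an unvalidated match is handled like ask, which is the prompt shown in the ssh session above.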
The Foreman
Provisioning
Configuration
Monitoring
Reporting
DNSSec
Foreman Proxies
• Foreman works with a GUI + proxies
• DHCP proxy, Puppet proxy, DNS proxy…
• DNS proxy is pluggable: bind9, powerdns…
Foreman is great
• Open Source
• Backed by Red Hat
• The main brick behind Red Hat Satellite 6
• Provides a REST API
Building a (libvirt) host
• Create/update DNS entries
• Create/update DHCP entries
• Create the VM in libvirt
• Boot the VM
• Serve a kickstart
• Run Puppet
The Foreman - Puppet proxy
• Puppet collects and saves facts on the machines
• It can send them back to the Foreman
• Foreman can graph them, query them…
facts2sshfp
• https://github.com/jpmens/facts2sshfp
• facts2sshfp.py -T nsupdate.template --foreman-url=https://foreman.example -D a.aa.
Conclusion
Licensed under a Creative Commons Attribution 2.0 License
https://www.flickr.com/photos/haslamdigital/17191280202/sizes/h/
DNS rocks
• Needed everywhere
• Distributed
• Contains lots of data
• Makes our life easier
DNSSec is easy to implement
• Automation is key
• Implemented in most of the tools
• And most of the DNS servers
DANE adds more security
• SSH fingerprints
• IRC, SMTP certificate hashes
• Existing client-side implementations
DNSSec+DANE
• DNSSec and DANE are more useful together
• Make sure your resolver supports DNSSec!
• The power to check certificates without a CA
Contact
Julien Pivotto
julien@inuits.eu
@roidelapluie
inuits
https://inuits.eu
info@inuits.eu
+32 473 441 636
Fighting Abuse with DNS
Men and Mice2.1K views
DNS High-Availability Tools - Open-Source Load Balancing Solutions by Men and Mice
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice4.7K views
What is new in BIND 9.11? by Men and Mice
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
Men and Mice3.9K views
BIND 9 logging best practices by Men and Mice
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
Men and Mice17.4K views
DDoS Attacks : Preparation Detection Mitigation by Fakrul Alam
DDoS Attacks : Preparation Detection MitigationDDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection Mitigation
Fakrul Alam2.1K views
Puppet DSL: back to the basics by Julien Pivotto
Puppet DSL: back to the basicsPuppet DSL: back to the basics
Puppet DSL: back to the basics
Julien Pivotto2.2K views
CI on large open source software : Plone & Plone 5 is here! by Ramon Navarro
CI on large open source software : Plone & Plone 5 is here!CI on large open source software : Plone & Plone 5 is here!
CI on large open source software : Plone & Plone 5 is here!
Ramon Navarro1.8K views

Similar to DNSSec

DNSSEC and VoIP: Who are you really calling? by
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?Deploy360 Programme (Internet Society)
2.8K views54 slides
The internet for SEOs by Roxana Stingu by
The internet for SEOs by Roxana StinguThe internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana StinguRoxana Stingu
965 views57 slides
DNSSEC for Registrars by .ORG & Afilias by
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasORG, The Public Interest Registry
608 views39 slides
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014 by
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014it-people
1.3K views193 slides
Is DNS a Part of Your Cyber Security Strategy? by
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Digital Transformation EXPO Event Series
234 views23 slides
Distributed systems in practice, in theory by
Distributed systems in practice, in theoryDistributed systems in practice, in theory
Distributed systems in practice, in theoryAysylu Greenberg
2.1K views111 slides

Similar to DNSSec(20)

The internet for SEOs by Roxana Stingu by Roxana Stingu
The internet for SEOs by Roxana StinguThe internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana Stingu
Roxana Stingu965 views
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014 by it-people
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
it-people1.3K views
Distributed systems in practice, in theory by Aysylu Greenberg
Distributed systems in practice, in theoryDistributed systems in practice, in theory
Distributed systems in practice, in theory
Aysylu Greenberg2.1K views
Introduction DNSSec by AFRINIC
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC353 views
IGF 2023: DNS Privacy by APNIC
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC436 views
Passive DNS Collection – Henry Stern, Cisco by Henry Stern
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, Cisco
Henry Stern1K views
Hardening the Core of the Internet by RIPE NCC
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
RIPE NCC72 views
通信の秘密とブロッキング by 751c74dc
通信の秘密とブロッキング通信の秘密とブロッキング
通信の秘密とブロッキング
751c74dc73 views
DNS Survival Guide. by Qrator Labs
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
Qrator Labs102 views
DNS Survival Guide by APNIC
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
APNIC403 views
How to Backdoor Diffie-Hellman by David Wong
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
David Wong733 views
DANE and Application Uses of DNSSEC by Shumon Huque
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
Shumon Huque854 views
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion by APNIC
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC385 views
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ... by DTM Security
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security243 views
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A... by MITRE - ATT&CKcon
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
DNS как линия защиты/DNS as a Defense Vector by Positive Hack Days
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
Positive Hack Days900 views

More from Julien Pivotto

The O11y Toolkit by
The O11y ToolkitThe O11y Toolkit
The O11y ToolkitJulien Pivotto
38 views24 slides
What's New in Prometheus and Its Ecosystem by
What's New in Prometheus and Its EcosystemWhat's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its EcosystemJulien Pivotto
12 views42 slides
Prometheus: What is is, what is new, what is coming by
Prometheus: What is is, what is new, what is comingPrometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is comingJulien Pivotto
43 views27 slides
What's new in Prometheus? by
What's new in Prometheus?What's new in Prometheus?
What's new in Prometheus?Julien Pivotto
15 views10 slides
Introduction to Grafana Loki by
Introduction to Grafana LokiIntroduction to Grafana Loki
Introduction to Grafana LokiJulien Pivotto
201 views11 slides
Why you should revisit mgmt by
Why you should revisit mgmtWhy you should revisit mgmt
Why you should revisit mgmtJulien Pivotto
10 views46 slides

More from Julien Pivotto(20)

What's New in Prometheus and Its Ecosystem by Julien Pivotto
What's New in Prometheus and Its EcosystemWhat's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its Ecosystem
Julien Pivotto12 views
Prometheus: What is is, what is new, what is coming by Julien Pivotto
Prometheus: What is is, what is new, what is comingPrometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is coming
Julien Pivotto43 views
Introduction to Grafana Loki by Julien Pivotto
Introduction to Grafana LokiIntroduction to Grafana Loki
Introduction to Grafana Loki
Julien Pivotto201 views
Observing the HashiCorp Ecosystem From Prometheus by Julien Pivotto
Observing the HashiCorp Ecosystem From PrometheusObserving the HashiCorp Ecosystem From Prometheus
Observing the HashiCorp Ecosystem From Prometheus
Julien Pivotto37 views
Monitoring in a fast-changing world with Prometheus by Julien Pivotto
Monitoring in a fast-changing world with PrometheusMonitoring in a fast-changing world with Prometheus
Monitoring in a fast-changing world with Prometheus
Julien Pivotto33 views
5 tips for Prometheus Service Discovery by Julien Pivotto
5 tips for Prometheus Service Discovery5 tips for Prometheus Service Discovery
5 tips for Prometheus Service Discovery
Julien Pivotto38 views
Prometheus and TLS - an Introduction by Julien Pivotto
Prometheus and TLS - an IntroductionPrometheus and TLS - an Introduction
Prometheus and TLS - an Introduction
Julien Pivotto15 views
HAProxy as Egress Controller by Julien Pivotto
HAProxy as Egress ControllerHAProxy as Egress Controller
HAProxy as Egress Controller
Julien Pivotto2.9K views
Improved alerting with Prometheus and Alertmanager by Julien Pivotto
Improved alerting with Prometheus and AlertmanagerImproved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and Alertmanager
Julien Pivotto4.5K views
SIngle Sign On with Keycloak by Julien Pivotto
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto10K views
Monitoring as an entry point for collaboration by Julien Pivotto
Monitoring as an entry point for collaborationMonitoring as an entry point for collaboration
Monitoring as an entry point for collaboration
Julien Pivotto1.3K views
Monitor your CentOS stack with Prometheus by Julien Pivotto
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
Julien Pivotto712 views
Monitor your CentOS stack with Prometheus by Julien Pivotto
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
Julien Pivotto704 views

Recently uploaded

"Package management in monorepos", Zoltan Kochan by
"Package management in monorepos", Zoltan Kochan"Package management in monorepos", Zoltan Kochan
"Package management in monorepos", Zoltan KochanFwdays
34 views18 slides
Choosing the Right Flutter App Development Company by
Choosing the Right Flutter App Development CompanyChoosing the Right Flutter App Development Company
Choosing the Right Flutter App Development CompanyFicode Technologies
13 views9 slides
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... by
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...ShapeBlue
108 views12 slides
Netmera Presentation.pdf by
Netmera Presentation.pdfNetmera Presentation.pdf
Netmera Presentation.pdfMustafa Kuğu
22 views50 slides
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023 by
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023Redefining the book supply chain: A glimpse into the future - Tech Forum 2023
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023BookNet Canada
44 views19 slides
Evaluation of Quality of Experience of ABR Schemes in Gaming Stream by
Evaluation of Quality of Experience of ABR Schemes in Gaming StreamEvaluation of Quality of Experience of ABR Schemes in Gaming Stream
Evaluation of Quality of Experience of ABR Schemes in Gaming StreamAlpen-Adria-Universität
38 views34 slides

Recently uploaded(20)

"Package management in monorepos", Zoltan Kochan by Fwdays
"Package management in monorepos", Zoltan Kochan"Package management in monorepos", Zoltan Kochan
"Package management in monorepos", Zoltan Kochan
Fwdays34 views
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... by ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue108 views
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023 by BookNet Canada
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023Redefining the book supply chain: A glimpse into the future - Tech Forum 2023
Redefining the book supply chain: A glimpse into the future - Tech Forum 2023
BookNet Canada44 views
Initiating and Advancing Your Strategic GIS Governance Strategy by Safe Software
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance Strategy
Safe Software184 views
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... by Moses Kemibaro
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Moses Kemibaro35 views
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell by Fwdays
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell
"Node.js vs workers — A comparison of two JavaScript runtimes", James M Snell
Fwdays14 views
GDSC GLAU Info Session.pptx by gauriverrma4
GDSC GLAU Info Session.pptxGDSC GLAU Info Session.pptx
GDSC GLAU Info Session.pptx
gauriverrma415 views
Deep Tech and the Amplified Organisation: Core Concepts by Holonomics
Deep Tech and the Amplified Organisation: Core ConceptsDeep Tech and the Amplified Organisation: Core Concepts
Deep Tech and the Amplified Organisation: Core Concepts
Holonomics17 views
The Power of Heat Decarbonisation Plans in the Built Environment by IES VE
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built Environment
IES VE84 views
Business Analyst Series 2023 - Week 4 Session 8 by DianaGray10
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10145 views
Discover Aura Workshop (12.5.23).pdf by Neo4j
Discover Aura Workshop (12.5.23).pdfDiscover Aura Workshop (12.5.23).pdf
Discover Aura Workshop (12.5.23).pdf
Neo4j15 views
Optimizing Communication to Optimize Human Behavior - LCBM by Yaman Kumar
Optimizing Communication to Optimize Human Behavior - LCBMOptimizing Communication to Optimize Human Behavior - LCBM
Optimizing Communication to Optimize Human Behavior - LCBM
Yaman Kumar38 views

DNSSec

  • 1. DNS and Security. Julien Pivotto. RMLL Security Track, July 5th, 2016
  • 2. whois: Julien Pivotto • Sysadmin at inuits.eu • From small to large scale orgs • Automation & Monitoring • @roidelapluie on irc/twitter/github
  • 5. What is DNS? • TL;DR: translates domain names to IPs • In fact, stores much more data than IPs
  • 6. How it works. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/frans16611/6139595092
  • 7. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 8. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 9. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 10. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 11. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 12. DNS is mission-critical • Holds IP addresses • Holds service definitions • Holds hostnames, TXT records
  • 13. DNS practices • Do not mix Authoritative and Recursive servers • Mix your DNS server `brand' • Hide your DNS masters • Do not invent new TLDs
  • 14. Data stored in DNS • A records: IP addresses • CNAME: Canonical names • SRV: Service record • MX: Mail servers • TXT: Text record
  • 15. SRV records
        _xmpp-client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.
  • 16. TXT Records • SPF record: Sender Policy Framework • DKIM • Keybase.io • Let's Encrypt DNS challenge
  • 17. Not secure by design • 1983 • Designed for scale, not security • Early 2000: birth of DNSSec
  • 18. DNSSec • 2000s: DNSSec RFC • DNSSec hit the DNS root in 2010 • Multiple iterations of the RFC
  • 19. The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. RFC 4033
  • 20. What is DNSSec? • Proof of origin and integrity • Zone and record signing • Proof of non-existence
  • 21. Two types of keys • ZSK: Zone Signing Key • KSK: Key Signing Key
  • 22. Zone Signing Key • Private/public key pair • Signs the records • e.g. signs the A records, the MX records … • Rolled over frequently
  • 23. Key Signing Key • Private/public key pair • Signs the ZSK • Designed to be stronger than the ZSK • Its fingerprint is stored in the parent zone
  • 24. DNS record types • RRSIG: Signature • DNSKEY: Public key • DS: Hash of a DNSKEY (parent zone)
  • 25. DNS record types • NSEC: Next secure • Returns the next secure entry • Returned when the queried name is not found • NSEC/NSEC3 records are signed • NSEC3 prevents zone walking
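Added example for slide 25 (my code, not part of the slide deck): how the NSEC "next secure" chain proves that a name does not exist, and why the same chain is what makes zone walking possible. Each NSEC record says "between this owner and the next name in canonical order there is nothing", so a resolver can check that a queried name falls in that gap; the same record hands an enumerator the next existing name. NSEC3 (RFC 5155) keeps the proof but publishes hashed owner names, so each record reveals only the next hash. The zone names and the empty salt are constructed for the example.

```python
import base64
import hashlib

# Constructed example zone: the names that exist in rmll.example
# (assumption for the example, not data from the slides).
ZONE_NAMES = [
    "rmll.example.",
    "www.rmll.example.",
    "mail.rmll.example.",
    "a.rmll.example.",
]


def canonical_key(name):
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order:
    labels are compared right to left, case-insensitively, and a name that
    is a prefix of another (e.g. the apex) sorts first."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def nsec_chain(names):
    """Build the NSEC chain: every owner points at the next name in canonical
    order, and the last name wraps around to the first (the zone apex)."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covering_nsec(names, qname):
    """Return the (owner, next) NSEC pair that proves qname does not exist,
    or None when qname exists (then a signed positive answer is due, not a
    denial). This is the check a validating resolver performs on an NXDOMAIN."""
    q = canonical_key(qname)
    if any(canonical_key(n) == q for n in names):
        return None
    for owner, nxt in nsec_chain(names):
        o, n = canonical_key(owner), canonical_key(nxt)
        if o < n:
            if o < q < n:
                return owner, nxt
        elif q > o or q < n:  # wrap-around record at the end of the chain
            return owner, nxt
    raise AssertionError("a complete chain always has a covering record")


def name_to_wire(name):
    """Lowercased wire-format owner name: length-prefixed labels, root = 0x00."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# base32 (RFC 4648) alphabet -> base32hex alphabet used by NSEC3 owner names
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hashed owner name: SHA-1(wire name || salt),
    re-hashed `iterations` more times, encoded in base32hex (32 chars)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")


def nsec3_chain(names, salt=b"", iterations=0):
    """Same chain idea over hashed owner names: a resolver can still prove
    non-existence, but each record only reveals the next hash, not the next
    name, which is what slide 25 means by NSEC3 and zone walking."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


if __name__ == "__main__":
    for owner, nxt in nsec_chain(ZONE_NAMES):
        print(f"{owner} NSEC {nxt}")
    print("b.rmll.example. covered by", covering_nsec(ZONE_NAMES, "b.rmll.example."))
    for owner, nxt in nsec3_chain(ZONE_NAMES):
        print(f"{owner}.rmll.example. NSEC3 {nxt}")
```

Walking the plain chain means asking for a name, reading the "next" field of the covering NSEC, and repeating; the hashed chain only yields hashes, which is why a signed zone that must not be enumerable uses NSEC3 (with a salt and an iteration count chosen by the zone operator).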
  • 26. In Practice
  • 27. Bind • Reference DNS server • Developed by the Internet Systems Consortium • Current version: bind9 • bind10 project is abandoned
  • 28. Bind features • Supports everything • Recursive, Authoritative • Dynamic updates • DNSSec
  • 29. Bind and DNSSec • Full support + NSEC3 • Manual signing • Automated signing • DNSSec and dynamic zones
  • 30. Generating keys
        mkdir /etc/bind/keys
        cd /etc/bind/keys
        dnssec-keygen rmll.example
        dnssec-keygen -f KSK rmll.example
  • 31. Generating keys
        dnssec-keygen -a NSEC3RSASHA1 -b 2048 rmll.example
        dnssec-keygen -a NSEC3RSASHA1 -b 4096 -f KSK rmll.example
  • 32. Generating DS keys
        dnssec-dsfromkey -f /var/bind/rmll.example -K /etc/bind/keys/ rmll.example
        rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8
        rmll.example. IN DS 18025 8 2 522D8EA3287FFF41186169A30
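Added example for slides 23, 24 and 32 (my code, not from the slides or from BIND): what dnssec-dsfromkey computes. A DS record is the key tag, algorithm number, digest type and a digest of the owner name in wire format concatenated with the DNSKEY RDATA (RFC 4034 section 5.1.4), so it binds one specific key to one specific name; the parent publishes it and a validator compares it against the child's DNSKEY. The algorithm field is copied from the DNSKEY, so a DS line with algorithm 8 (RSASHA256) only matches a key generated with that algorithm; NSEC3RSASHA1 keys are algorithm 7. The DNSKEY in the example is a 5-byte placeholder blob, not a real RSA key, chosen so the key tag can be checked by hand.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Lowercased wire-format owner name: length-prefixed labels, root = 0x00."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey(presentation):
    """Parse the presentation form 'flags protocol algorithm base64-key'
    (the text after 'IN DNSKEY' in a zone file) into wire RDATA."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    public_key = base64.b64decode("".join(key_parts), validate=True)
    return dnskey_rdata(int(flags), int(protocol), int(algorithm), public_key)


def key_role(rdata):
    """Flags 257 = zone key with the SEP bit: the KSK whose DS goes to the
    parent. Flags 256 = zone key without SEP: the ZSK that signs the records."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return "KSK" if flags & 0x0001 else "ZSK"


def key_tag(rdata):
    """RFC 4034 appendix B key tag (all algorithms except obsolete RSA/MD5):
    a 16-bit checksum over the RDATA, used to pick the right DNSKEY quickly."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_record(owner, rdata, digest_type):
    """Build the DS record the parent zone publishes for this DNSKEY.
    digest = H(owner name in wire format || DNSKEY RDATA); the algorithm
    number is the DNSKEY's own, so the DS matches only that key at that name."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Constructed KSK: flags 257, protocol 3, algorithm 8, placeholder key bytes 01..05.
    toy_ksk = parse_dnskey("257 3 8 AQIDBAU=")
    print(key_role(toy_ksk), "key tag", key_tag(toy_ksk))
    for digest_type in (1, 2):
        print(ds_record("rmll.example.", toy_ksk, digest_type))
```

To check a real zone, paste the DNSKEY presentation text from the KSK's `.key` file into parse_dnskey and compare the output with what dnssec-dsfromkey prints; the digests on slide 32 are cut off on the slide itself, so they cannot be used as a reference value.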
  • 33. Enable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bind options { dnssec−enable yes; dnssec−validation yes; }
  • 34. Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Manually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signed zone "rmll.example" IN { type master; file "rmll.example.zone.signed"; };
  • 35. Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Auto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto Signing zone "rmll.example" IN { type master; file "rmll.example.zone"; key−directory "/etc/bind/keys"; auto−dnssec maintain; inline−signing yes; };
  • 36. Manually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zone dnssec−signzone −S −o rmll.example −K /etc /bind/keys/ /var/bind/master/rmll. example.zone • Creates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone file
  • 38. DANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANE • DDDDDDDDDDDDDDDDDNS-based Authentication of Named Entities • NNNNNNNNNNNNNNNNNew record types to store public keys hashes • IIIIIIIIIIIIIIIIIndependant from DNSSec (!)
  • 39. TLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA records • HHHHHHHHHHHHHHHHHash the fingerprint of a TLS key • """""""""""""""""Replacement" for the CA (https) • NNNNNNNNNNNNNNNNNot implemented natively in browsers • IIIIIIIIIIIIIIIIImplemented in IRC clients (irssi)
• 40. TLSA records
    _443._tcp      IN TLSA 3 0 1 2bfa3214fda53315b140e65fe66
    _443._tcp.www  IN TLSA 3 0 1 2bfa3214fda53315b140e65
    _6697._tcp.irc IN TLSA 3 0 1 2bfa3214fda53315b140e6
• 41. Generating a hash
    openssl x509 -in cert.pem -outform DER | openssl sha256
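The digest printed by the openssl pipeline above is exactly the rdata of a "3 0 1" TLSA record. This added Python example (not code from the talk) builds the three owner-name forms of slide 40 from a DER certificate and performs the client-side match an irssi-style DANE check does; SAMPLE_DER is a constructed stand-in for a real certificate.

```python
import hashlib

# TLSA field values from RFC 6698
USAGE_DANE_EE = 3          # usage 3: trust this end-entity cert directly, no CA involved
SELECTOR_FULL_CERT = 0     # selector 0: the hash covers the whole DER certificate
MATCHING = {1: "sha256", 2: "sha512"}  # matching type -> digest algorithm


def tlsa_rdata(cert_der, matching_type=1):
    """Rdata string '3 0 <matching_type> <hex digest>' for one certificate."""
    digest = hashlib.new(MATCHING[matching_type], cert_der).hexdigest()
    return "%d %d %d %s" % (USAGE_DANE_EE, SELECTOR_FULL_CERT, matching_type, digest)


def tlsa_record(port, proto, owner, cert_der, matching_type=1):
    """Zone-file line: _<port>._<proto>[.<owner>] IN TLSA <rdata> (owner may be empty)."""
    name = "_%d._%s" % (port, proto) + ("." + owner if owner else "")
    return "%s IN TLSA %s" % (name, tlsa_rdata(cert_der, matching_type))


def cert_matches_tlsa(cert_der, records):
    """Client-side check: does the presented certificate match any 3 0 x record?
    Records with other usages or selectors are skipped (this example only
    handles full-certificate DANE-EE), so an unknown record never grants trust."""
    for rdata in records:
        usage, selector, mtype, data = rdata.split()
        if int(usage) != USAGE_DANE_EE or int(selector) != SELECTOR_FULL_CERT:
            continue
        name = MATCHING.get(int(mtype))
        if name and hashlib.new(name, cert_der).hexdigest() == data.lower():
            return True
    return False


# Constructed stand-in for a DER certificate; a real one comes from
# `openssl x509 -in cert.pem -outform DER`.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    print(tlsa_record(443, "tcp", "", SAMPLE_DER))
    print(tlsa_record(443, "tcp", "www", SAMPLE_DER))
    print(tlsa_record(6697, "tcp", "irc", SAMPLE_DER, matching_type=2))
```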
• 43. TOFU
  • Trust on first use
  • Works in slowly moving environments
  • Nowadays we populate new hosts all the time
  • Nowadays we rebuild existing hosts
• 44. SSHFP records
  • Hash the fingerprint of an SSH server
  • Implemented in OpenSSH
  • Uses DNS to recognize the SSH key
• 45.
    IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c
    IN SSHFP 1 2 9de5bc066a898733420bcfaae8f43e80e532
    IN SSHFP 2 1 223e89447a53a3178be02fee6fdd5b44228a
    IN SSHFP 2 2 2644fcbd2a1b179091a195207e395d009b16
• 47.
    $ ssh -o VerifyHostKeyDNS=yes rmll.example
    The authenticity of host 'rmll.example (1.2.3.4)' can't be established.
    ECDSA key fingerprint is SHA256:f8zwQD3RU62PXgwCw5WRk2OIyVY.
    Matching host key fingerprint found in DNS
    Are you sure you want to continue?
• 48. Populating SSHFP fields
  • What if we have a single source of truth?
  • Something that can scale, and be quick enough?
• 49. Config Management
  • Quickly moving environments often use config management tools
  • They know the environment, store data
  • We use Puppet + The Foreman
• 50. Puppet
  • A Config Management Tool
  • Declarative
  • Enforces a desired state
• 51. Puppet Facts
  • Values collected on the host
  • OS version, uptime, kernel
  • SSH fingerprints
  • Sent back to the master
• 52. facts2sshfp
  • https://github.com/jpmens/facts2sshfp
  • Python script
  • Reads facts yaml files
  • Converts Puppet facts to SSHFP records
  • Uses Puppet as single source of truth
  • facts2sshfp.py -T nsupdate.template -D a.aa.
  • Output to templates, nsupdate commands…
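The conversion facts2sshfp performs, as an added Python example rather than the project's own code: an OpenSSH public key line (the form Puppet's ssh key facts hold) becomes SSHFP rdata for slides 44 and 45, and the same rdata is what OpenSSH compares against when VerifyHostKeyDNS is on (slide 47). The sample key blob is constructed and is not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP code points from RFC 4255, RFC 6594 and RFC 7479
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_rdata(pubkey_line):
    """(algorithm, fptype, hex digest) tuples for one 'type base64 [comment]' key line."""
    keytype, b64 = pubkey_line.split()[:2]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type: " + keytype)
    blob = base64.b64decode(b64)  # the fingerprint is a digest of the raw key blob
    return [(SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[name],
             hashlib.new(name, blob).hexdigest())
            for name in ("sha1", "sha256")]


def sshfp_records(host, pubkey_line, ttl=3600):
    """Zone-file lines for one host, one per fingerprint type."""
    return ["%s. %d IN SSHFP %d %d %s" % (host, ttl, alg, fp, digest)
            for alg, fp, digest in sshfp_rdata(pubkey_line)]


def host_key_matches(pubkey_line, dns_rdata):
    """The VerifyHostKeyDNS test: does the presented key match any published tuple?"""
    return any(r in dns_rdata for r in sshfp_rdata(pubkey_line))


def ssh_string(data):
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a syntactically valid ed25519 blob with a dummy 32-byte
# point, built here so the example runs offline. Not a real host key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@rmll"

if __name__ == "__main__":
    for line in sshfp_records("rmll.example", SAMPLE_KEY):
        print(line)
```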
• 61. Foreman Proxies
  • Foreman works with a GUI + Proxies
  • DHCP proxy, Puppet proxy, DNS proxy…
  • DNS proxy is pluggable: bind9, powerdns…
• 62. Foreman is great
  • Open Source
  • Backed by Red Hat
  • The main brick behind Red Hat Satellite 6
  • Provides a REST API
• 63. Building a (libvirt) host
  • Create/update DNS entries
  • Create/update DHCP entries
  • Create the VM in libvirt
  • Boot the VM
  • Serve a kickstart
  • Run Puppet
• 64. The Foreman - Puppet proxy
  • Puppet collects and saves facts on the machines
  • It can send them back to the Foreman
  • Foreman can graph them, query them…
• 67. DNS rocks
  • Needed everywhere
  • Distributed
  • Contains lots of data
  • Makes our life easier
• 68. DNSSec is easy to implement
  • Automation is key
  • Implemented in most of the tools
  • And most of the DNS servers
• 69. DANE adds more security
  • SSH fingerprints
  • IRC, SMTP certificate hashes
  • Existing client-side implementations
• 70. DNSSec+DANE
  • DNSSec and DANE are more useful together
  • Make sure your resolver supports DNSSec!
  • The power to check certificates without a CA
• 71. Contact
  Julien Pivotto
  julien@inuits.eu
  @roidelapluie
  inuits
  https://inuits.eu
  info@inuits.eu
  +32 473 441 636