SlideShare a Scribd company logo

Webinar dnssec for cnrs - 20120209

SURFnet
SURFnet
TechnologyBusiness
1 of 62
DNSSEC webinar for CNRS February 9th 2012 Roland van Rijswijk roland.vanrijswijk@surfnet.nl
About SURFnet National Research and Education Network (NREN) - like RENATER Founded in 1986 >11000 km of fibre-optic cables for an ultra high-bandwidth network ‘Shared ICT innovation centre’ ≥ 160 connected institutions ±1 million end-users 2 SURFnet. We make innovation work cb
Agenda - Introduction - Vulnerabilities in DNS - What is DNSSEC and how does it work? - Deploying DNSSEC: where to start - Perils & pitfalls: what have we learned? - DNSSEC at SURFnet: what have we done? - Conclusion & questions 3 SURFnet. We make innovation work cb
DNS: TomTom™ for the Internet 4 SURFnet. We make innovation work cb
Why attack DNS? - DNS is everywhere: - In your phone, in your laptop, in your PC… - But also in your car, in an ATM, in your elevator, … - It is very hard to protect plain DNS against attacks - It is very easy to attack a lot of users SURFnet. We make innovation work cb
DNS attack vectors Zone file Dy ies Primary na er m ic Qu up da Zone transfers te s Queries Stub resolver Qu Caching resolver e rie s Secondaries Man in the Cache Data Data Spoofed Corrupt data 6 SURFnet. We make innovation work middle poisoning modification modification updates cb
Cache poisoning 7 SURFnet. We make innovation work cb
Bad news... http://lambicpeach.files.wordpress.com/2008/10/badnewspup.jpg 8 SURFnet. We make innovation work cb
Good news :-) 9 SURFnet. We make innovation work cb
What is DNSSEC? - DNSSEC was first devised in 1997 - We are at the third generation of the protocol - DNSSEC (ca. 2000) - DNSSECbis (2005) - NSEC3 (2008) - Some 20 (!) active RFCs - That’s excluding the ‘normal’ DNS RFCs - Protocol is mature - Changes are mainly new algorithms 10 SURFnet. We make innovation work cb
What is DNSSEC? - Digital Signatures guarantee authenticity of DNS records - Like a wax seal - Resolvers validate the signatures and discard records with bogus signatures - DNSSEC only provides authenticity - So no confidentiality - nor protection against DDoS - or typosquatting, phishing, etc. 11 SURFnet. We make innovation work cb Photo courtesy of UK National Archive cat. no. C202/194/8
DNS attack vectors revisited Zone file Dy ies Primary na er m ic Qu up C C da Zone transfers te SE SE s S S Queries Stub resolver D N Qu D N Caching resolver e rie s C S SE N Secondaries D EC S S 12 Man in the SURFnet. We make innovation work middle Cache poisoning D N Data modification Data modification Spoofed updates Corrupt data cb
Deployment status - Root was signed on July 15th 2010 - Signed generic TLDs: .asia, .biz, .cat, .com, .edu, .gov, .info, .museum, .net, .org, .pro, .mil - Signed ccTLDs: 60 countries & counting - Includes .fr, .de, .uk, .nl - Registrars are starting to support DNSSEC e.g. 41 .org registrars, source: PIR, http://pir.org/get/registrars 13 SURFnet. We make innovation work cb
Validation rate - We measure validation on our resolvers: 14 SURFnet. We make innovation work cb
Operating a validating resolver 15 SURFnet. We make innovation work cb
Software - The majority of DNS resolvers support DNSSEC out-of-the box: Product DNSSEC RFC 5011 ISC BIND Yes Yes Unbound Yes Yes djbdns No n/a MaraDNS No n/a Microsoft DNS (W2K8 R2) Yes, but* No* Simple DNS Plus Yes No** Nominum Vantio Yes No** * Seriously limited -- DO NOT USE! ** Not specified in product documentation 16 SURFnet. We make innovation work cb
Chain of trust Root KSK public key trust anchor Root KSK private key nl nl zone signs Root ZSK public key root (.) root zone contains surfnet.nl DS record signs Root ZSK private key reference to contains nl DS record surfnet.nl KSK public key reference to surfnet.nl KSK private key nl KSK public key signs nl KSK private key surfnet.nl ZSK public key surfnet surfnet zone signs signs surfnet.nl ZSK private key nl ZSK public key contains nl nl zone www signed record for signs 'www.surfnet.nl' nl ZSK private key
Trust anchor configuration - You should seriously consider using a resolver that supports RFC 5011 - Check the validity of your trust anchor(s) at regular intervals - Validate a trust anchor before using it! . IN DS 19036 8 2 ! 49AAC11D7B6F6446702E54A160737160 ! ! ! ! ! ! ! 7A1A41855200FD2CE1CDDE32F24E8FB5 ! ! ! ! ! ! ! xidep-pybec-tyvak-zonag-kesud- ! ! ! ! ! ! ! vohip-cumul-fysuk-bivac-pubam- ! ! ! ! ! ! ! hugeb-buzud-symes-tylaf-dosog- ! ! ! ! ! ! ! vufor-huxax 18 SURFnet. We make innovation work cb
Setting up a validating resolver - HOWTO instructions for BIND: https://dnssec.surfnet.nl/?p=402 - HOWTO instructions for Unbound: https://dnssec.surfnet.nl/?p=212 - Shameless advert: use (or try) Unbound! http://unbound.net 19 SURFnet. We make innovation work cb
Checking your setup (1) - Perform a lookup of a record known to be signed, for instance: www.surfnet.nl $ dig +dnssec +noauth www.surfnet.nl @your-resolver ... ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6193 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 13 ... ;; ANSWER SECTION: www.surfnet.nl.! 3541! IN! A! 145.0.2.10 www.surfnet.nl.! 3541! IN! RRSIG! A 8 3 3600 20120209210255 20120202092011 65233 surfnet.nl. jBv79k4EvXt3bN6moWuY5Sr8KuUW4rDodso3SMMrbMgg9uBT7kdVRRzW veMF6vZBTxtaacefbMud41G... ... 20 SURFnet. We make innovation work cb
Checking your setup (2) - Visit one of the DNSSEC test sites such as: http://www.nic.cz/dnssec http://www.dnssec-failed.org http://test.dnssec-or-not.org/ <-- funny - And verify the result: source: nic.cz 21 SURFnet. We make innovation work cb
Dealing with validation failures - Validation failures will lead to the resolver returning SERVFAIL - Clients will try all configured resolvers - If one of them doesn’t validate, the query will succeed and the user probably only notices a slight delay - In our experience, users don’t call the helpdesk - So no: “The Internet is broken” - Nevertheless: if you see validation failures then try to alert the zone owner http://xkcd.com/386/ 22 SURFnet. We make innovation work cb
Impact on resource use - DNSSEC relies on public key cryptography - Crypto eats CPU cycles, right? - We’ve been running with full validation enabled for almost 3 years - The impact on CPU load is negligible - Measuring doesn’t show a significant difference - Remember: DNS resolving is all about caching results 23
Troubleshooting - DNSSEC relies on the EDNS0 extension (RFC 2671) - For larger messages (signatures) - For the DO-bit (DNSSEC OK) - Some network hardware has problems with DNSSEC traffic - Firewalls are notorious for blocking: - UDP packets over 512 bytes in size - Fragmented UDP packets - TCP on port 53 - CPE/SOHO routers also cause trouble - Buggy DNS implementations that interfere with your traffic -- Nominet report: http://bit.ly/cfQBMu 24
UDP fragmentation issues - Late 2010 we experienced problems with a large ISP in The Netherlands - surfnet.nl had just gotten a DS in .nl - Colleagues started complaining that they could not log on to their mail from home - It turned out to be a firewall at the ISP that discarded UDP fragments - Even though they did not do validation, they could not resolve our records! 25 SURFnet. We make innovation work cb
UDP fragmentation issues Authoritative Name Server ➀ ➁ min(MTU) = 1500 bytes Internet (somewhere in transit) ➂ ➄ Firewall ➃ ➅ Recursive Caching Name Server 26 (resolver)
All is well that ends well? - We talked to their engineers - They could not replace the firewall - Keep in mind: all modern resolvers (BIND, Unbound) have EDNS0 + DO=1 enabled by default - In the end, they lowered the EDNS0 buffer size on their resolver to 512 bytes - Problem solved, right? 27 SURFnet. We make innovation work cb
The saga continues - Everything worked well until in March 2011 we suddenly started getting complaints from some companies trying to e-mail us - Lo and behold, they were customers of this same ISP 28 SURFnet. We make innovation work cb
The firewall strikes back - It turned out that only customers using the hosted MS Exchange service had issues - After talking to engineers at the ISP we discovered the problem - They had upgraded the dedicated resolvers in their hosted exchange environment to Windows 2008 R2 which does EDNS0 and sets DO=1 - Solution: tweak an arcane registry setting (see https://dnssec.surfnet.nl/?p=684) 29 SURFnet. We make innovation work cb
Maybe we should give the DNSSEC OK bit another name 30 SURFnet. We make innovation work cb
How many people validate? 31
Operating a signed zone 32 SURFnet. We make innovation work cb
Why sign your zone? - Because your website represents a valuable asset for your organisation - To prevent redirection of Internet traffic to your domain (think: VoIP, e-mail, etc.) - To protect your users - To leverage the trust that DNSSEC can establish Ho - DNSSEC is a PKI - store SSH fingerprints in DNS (SSHFP record) ts - store SSL/TLS certificates in DNS (DANE initiative) tuff - Because your competitor does it too :-) :-) 33
User study - We did a user study among our constituency - 169 persons asked to participate - 38 responded representing 37 organisations (academia, research institutions, teaching hospitals) - Two-thirds of users feel - > 75% plan to sign their DNSSEC is important: domain: ! ! 34 SURFnet. We make innovation work cb
When to sign your zone? - Your infrastructure should be ready - Remember the firewall trouble mentioned when resolving was discussed - You should have a clear mandate - DNS affects everything on your network so DNSSEC does too - Think before you act :-) - The way back is harder than the way forward 35 SURFnet. We make innovation work cb
Advice for getting started - Make use of available tooling - OSS: OpenDNSSEC, BIND - Commercial signer solutions - Make sure you have good monitoring - Write down policies and procedures - Carefully think about your design - Make your users’ life easy! - Check with your secondaries for DNSSEC support 36 SURFnet. We make innovation work cb
Signer software (1) - OpenDNSSEC - BIND 9.x - Key storage in the clear on disk - HSM support only through patched OpenSSL - No automated key rollover (scriptable though) - BIND 10 - Still heavily under development (5 year project) - Alpha versions have been released - PowerDNSSEC - Standard starting from PowerDNS 3.0 (July 1st 2011) - ZKT (Zone Key Tool) 37 SURFnet. We make innovation work cb
Signer software (2) - Secure64 DNS signer http://www.secure64.com - Xelerance DNS-X signer http://www.xelerance.com - IPAM vendors - Men & Mice - Infoblox - BlueCat networks - ... - Microsoft Windows Server 2008 R2* - *Severely broken, do not use! Wait for W8 Server 38 SURFnet. We make innovation work cb
Monitoring - Monitoring helps to detect problems early-on - When monitoring a signed zone, look for: - Signature expiry - MTU problems (firewalls!) - Continuous validation - Also monitor from outside your own network - Many tools are available, for example: http://www.dnssecmonitor.org http://www.dnsviz.net 39 SURFnet. We make innovation work cb
How to sign your zone: case study SURFnet - SURFnet operates a managed DNS environment called ‘SURFdomeinen’ - We ran a project in 2010 from Q1 to Q3 to implement DNSSEC in SURFdomeinen - Our goals: - To make it easy for our connected institutions to operate signed zones - To make it easy for ourselves to operate signed zones - We enabled DNSSEC for surfnet.nl at the end of September 2010 40 SURFnet. We make innovation work cb
SURFdomeinen 41 SURFnet. We make innovation work cb
Requirements - DNSSEC should be a ‘box to tick’ - DNS is already considered to be complex by many users, something that doesn’t improve if you add DNSSEC - The integrity of zones should be guaranteed - SURFdomeinen should not be the ‘weakest link’ in the attack chain - Monitoring is of great importance (more on that later) - Turning DNSSEC on or off should not take too long - Ideally less than 1 hour - Once DNSSEC is turned on, customers should not notice any difference 42 SURFnet. We make innovation work cb
Design decision: using HSMs - HSM = Hardware Security Module - Secure and robust way to store DNSSEC key material - We can never access the raw key material - Role separation - Standard API (PKCS #11) - Disadvantage: expensive 43 SURFnet. We make innovation work cb
Design decision: OpenDNSSEC - SURFnet participates in the project - Other partners are: IIS (.se), Nominet (.uk), Kirei, SIDN (.nl), NLnet Labs en Sinodun - Goal: push-the-button signing - Functions like a ‘bump-in-the-wire’ - Possibility to have different policies for different customers - Possibility to share keys (e.g. one set of keys per customer rather than per zone) 44 SURFnet. We make innovation work cb
Design decision: OpenDNSSEC - OpenDNSSEC 1.1 - Current version; used in production by a number of top-level domains and also for our deployment - Used - for instance - by .uk, .fr, .se and .nl - OpenDNSSEC 1.2 - Faster signer engine in C - Better support for ‘key-sharing’ - OpenDNSSEC 1.3 (Q3 2011) - Multi-threaded signer for better performance - Currently in release-candidate status - OpenDNSSEC 1.4 (±Q1 2012) - Adapters for AXFR/IXFR & MySQL - OpenDNSSEC 1.5 (±Q2 2012) 45 SURFnet. We make innovation work cb
OpenDNSSEC architecture 46 SURFnet. We make innovation work cb
Design: bump-in-the-wire DNS zone DNS transfer Internet Hidden primary Public primary ! DNS DNS zone zone DNS transfer DNS transfer Internet Hidden primary OpenDNSSEC Public primary ! 47 SURFnet. We make innovation work cb
Design: data flow DNS DNS zone zone scp DNS transfer SURFdomeinen DNSSEC signer ns1.surfnet.nl DNS transfer ns2.surfnet.nl Internet DNS zone ns3.surfnet.nl ns1.zurich.surf.net 48 SURFnet. We make innovation work cb
Design: network security Colocation DNS VLAN HSM VLAN admin Network HSM Authoritative OpenDNSSEC DNS signer SSL HSM firewall firewall local router Admin VLAN Internet SURFnet WAN firewall 49 SURFnet. We make innovation work SURFdomeinen cb server
Design: redundancy Signer: - Warm standby system in a different co-location - MySQL master-slave replication - Failover is a manual process (not time critical) HSM: - Two HSMs in two different locations - High-availability mode - Offline secure backup on a third location - Keys will only be used after a backup 50 SURFnet. We make innovation work cb
Enabling DNSSEC: user perspective - Push-the-button signing: - Unsigned to signed in 15 minutes 51 SURFnet. We make innovation work cb
When things go wrong... 52 Photo courtesy of jeffwilcox@FlickR
Admitting mistakes 53 Photo © 2003 philg@mit.edu
AXFR bug in OpenDNSSEC - surfnet.nl was signed for the first time in September 2010 (on a Monday) - everything went smoothly until Thursday Quickly diagnose - then suddenly... the problem no more mail no more website no more VoIP I think you’ve got diarrhea... - D’oh!!! - Garbage In == Garbage Out 54
Stories from the trenches... - .cz and .us became ‘bogus’ because of a mistake during an algorithm rollover - ISOC & .org nearly had a PR disaster at ICANN 38 in Brussels - .uk became ‘bogus’ because of a glitch during a signer failover - .be forgot to update critical signatures - mozilla.org and nasa.gov published a DS while their zone wasn’t signed yet 55 SURFnet. We make innovation work cb
If you’re lucky... - this is what users will see: 56 many thanks to Marco Davids of SIDN for the screenshot
But in most cases... - this is what users will see: 57 - (and this is better IMHO!)
Contacting domain owners is hard 58
Further reading http://bit.ly/sn-dnssec-2008 http://bit.ly/sn-dnssec-val http://bit.ly/sn-cryptoweb 59 SURFnet. We make innovation work cb
Online resources - http://dnssec.surfnet.nl - With lots of information about the choices we made while deploying DNSSEC - http://dnssec.net - Comprehensive and up-to-date links to information on DNSSEC - http://www.dnssec-deployment.org - Tracks DNSSEC deployment across the net - http://www.practicesafedns.org - PIR (.org) initiative with user stories 60 SURFnet. We make innovation work cb
Conclusions - DNSSEC deployment is in full swing - The ball is now in your court! - Seriously consider enabling validation on your resolver You should enable validation, there’s really no excuse not to do it :-) - Start planning for signing - Once it works, you don’t notice it’s there 61 SURFnet. We make innovation work cb
roland.vanrijswijk@surfnet.nl Questions? Comments? nl.linkedin.com/in/rolandvanrijswijk @reseauxsansfil

Recommended

Cloud Foundry for Java devs
Cloud Foundry for Java devsCloud Foundry for Java devs
Cloud Foundry for Java devsPeter Ledbrook
 
Positioning seminar 2012
Positioning seminar 2012Positioning seminar 2012
Positioning seminar 2012Giuseppe Destino
 
Dnssec
DnssecDnssec
Dnssecguest3131f85
 
Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Kumar Ashutosh
 
Hands On CloudFoundry
Hands On CloudFoundryHands On CloudFoundry
Hands On CloudFoundryEric Bottard
 
Portrait of the developer as The Artist - SpringOne India 2012
Portrait of the developer as The Artist - SpringOne India 2012Portrait of the developer as The Artist - SpringOne India 2012
Portrait of the developer as The Artist - SpringOne India 2012Patrick Chanezon
 
Cloud Foundry Architecture and Overview
Cloud Foundry Architecture and OverviewCloud Foundry Architecture and Overview
Cloud Foundry Architecture and Overviewrajdeep
 
Breaking through the Clouds
Breaking through the CloudsBreaking through the Clouds
Breaking through the CloudsAndy Piper
 

Recommended

Cloud Foundry for Java devs
Cloud Foundry for Java devsCloud Foundry for Java devs
Cloud Foundry for Java devsPeter Ledbrook
 
Positioning seminar 2012
Positioning seminar 2012Positioning seminar 2012
Positioning seminar 2012Giuseppe Destino
 
Dnssec
DnssecDnssec
Dnssecguest3131f85
 
Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Kumar Ashutosh
 
Hands On CloudFoundry
Hands On CloudFoundryHands On CloudFoundry
Hands On CloudFoundryEric Bottard
 
Portrait of the developer as The Artist - SpringOne India 2012
Portrait of the developer as The Artist - SpringOne India 2012Portrait of the developer as The Artist - SpringOne India 2012
Portrait of the developer as The Artist - SpringOne India 2012Patrick Chanezon
 
Cloud Foundry Architecture and Overview
Cloud Foundry Architecture and OverviewCloud Foundry Architecture and Overview
Cloud Foundry Architecture and Overviewrajdeep
 
Breaking through the Clouds
Breaking through the CloudsBreaking through the Clouds
Breaking through the CloudsAndy Piper
 
Cloud Foundry Introduction - Canada - October 2012
Cloud Foundry Introduction - Canada - October 2012Cloud Foundry Introduction - Canada - October 2012
Cloud Foundry Introduction - Canada - October 2012Patrick Chanezon
 
PaaS Parade - Cloud Foundry
PaaS Parade - Cloud FoundryPaaS Parade - Cloud Foundry
PaaS Parade - Cloud Foundrymartinlippert
 
Cloud Foundry bootcamp at ContributingCode
Cloud Foundry bootcamp at ContributingCodeCloud Foundry bootcamp at ContributingCode
Cloud Foundry bootcamp at ContributingCodeChris Richardson
 
Migrating to CloudFoundry
Migrating to CloudFoundryMigrating to CloudFoundry
Migrating to CloudFoundryGR8Conf
 
Visual Sorage Intelligence™ Product Guide
Visual Sorage Intelligence™ Product GuideVisual Sorage Intelligence™ Product Guide
Visual Sorage Intelligence™ Product GuideClear Technologies
 
Spring Data and MongoDB
Spring Data and MongoDBSpring Data and MongoDB
Spring Data and MongoDBOliver Gierke
 
Rorotika VAS products
Rorotika VAS productsRorotika VAS products
Rorotika VAS productsFrans_Joubert
 
Rorotika VAS products
Rorotika VAS productsRorotika VAS products
Rorotika VAS productsRorotika Technologies (Pty) Ltd
 
Spain Getting Ready For Cloud Computing
Spain Getting Ready For Cloud ComputingSpain Getting Ready For Cloud Computing
Spain Getting Ready For Cloud ComputingCarlos Domingo
 
7-minute-speeches. Deel 3.
7-minute-speeches. Deel 3.7-minute-speeches. Deel 3.
7-minute-speeches. Deel 3.SURFnet
 
The mobile evolution of the employee and student pass
The mobile evolution of the employee and student passThe mobile evolution of the employee and student pass
The mobile evolution of the employee and student passSURFnet
 
Location-based services: van theorie naar praktijk. Deel 2
Location-based services: van theorie naar praktijk. Deel 2Location-based services: van theorie naar praktijk. Deel 2
Location-based services: van theorie naar praktijk. Deel 2SURFnet
 
Automatisering en orkestratie: update en toekomstplannen
Automatisering en orkestratie: update en toekomstplannenAutomatisering en orkestratie: update en toekomstplannen
Automatisering en orkestratie: update en toekomstplannenSURFnet
 
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2SURFnet
 
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1SURFnet
 
RUGnet, een service oriented internationaal netwerk van Fryslân tot China
RUGnet, een service oriented internationaal netwerk van Fryslân tot ChinaRUGnet, een service oriented internationaal netwerk van Fryslân tot China
RUGnet, een service oriented internationaal netwerk van Fryslân tot ChinaSURFnet
 
Opening en netwerkvisie SURF
Opening en netwerkvisie SURFOpening en netwerkvisie SURF
Opening en netwerkvisie SURFSURFnet
 
Trends in unwired communications
Trends in unwired communicationsTrends in unwired communications
Trends in unwired communicationsSURFnet
 
Netwerkfunctievirtualisatie: proof-of-concept en demo
Netwerkfunctievirtualisatie: proof-of-concept en demoNetwerkfunctievirtualisatie: proof-of-concept en demo
Netwerkfunctievirtualisatie: proof-of-concept en demoSURFnet
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 4
SURF-dienstenportfolio: draadvrije netwerk. Deel 4SURF-dienstenportfolio: draadvrije netwerk. Deel 4
SURF-dienstenportfolio: draadvrije netwerk. Deel 4SURFnet
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 3
SURF-dienstenportfolio: draadvrije netwerk. Deel 3SURF-dienstenportfolio: draadvrije netwerk. Deel 3
SURF-dienstenportfolio: draadvrije netwerk. Deel 3SURFnet
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 2
SURF-dienstenportfolio: draadvrije netwerk. Deel 2SURF-dienstenportfolio: draadvrije netwerk. Deel 2
SURF-dienstenportfolio: draadvrije netwerk. Deel 2SURFnet
 

More Related Content

Similar to Webinar dnssec for cnrs - 20120209

Cloud Foundry Introduction - Canada - October 2012
Cloud Foundry Introduction - Canada - October 2012Cloud Foundry Introduction - Canada - October 2012
Cloud Foundry Introduction - Canada - October 2012Patrick Chanezon
 
PaaS Parade - Cloud Foundry
PaaS Parade - Cloud FoundryPaaS Parade - Cloud Foundry
PaaS Parade - Cloud Foundrymartinlippert
 
Cloud Foundry bootcamp at ContributingCode
Cloud Foundry bootcamp at ContributingCodeCloud Foundry bootcamp at ContributingCode
Cloud Foundry bootcamp at ContributingCodeChris Richardson
 
Migrating to CloudFoundry
Migrating to CloudFoundryMigrating to CloudFoundry
Migrating to CloudFoundryGR8Conf
 
Visual Sorage Intelligence™ Product Guide
Visual Sorage Intelligence™ Product GuideVisual Sorage Intelligence™ Product Guide
Visual Sorage Intelligence™ Product GuideClear Technologies
 
Spring Data and MongoDB
Spring Data and MongoDBSpring Data and MongoDB
Spring Data and MongoDBOliver Gierke
 
Rorotika VAS products
Rorotika VAS productsRorotika VAS products
Rorotika VAS productsFrans_Joubert
 
Spain Getting Ready For Cloud Computing
Spain Getting Ready For Cloud ComputingSpain Getting Ready For Cloud Computing
Spain Getting Ready For Cloud ComputingCarlos Domingo
 

Similar to Webinar dnssec for cnrs - 20120209 (9)

Cloud Foundry Introduction - Canada - October 2012
Cloud Foundry Introduction - Canada - October 2012Cloud Foundry Introduction - Canada - October 2012
Cloud Foundry Introduction - Canada - October 2012
 
PaaS Parade - Cloud Foundry
PaaS Parade - Cloud FoundryPaaS Parade - Cloud Foundry
PaaS Parade - Cloud Foundry
 
Cloud Foundry bootcamp at ContributingCode
Cloud Foundry bootcamp at ContributingCodeCloud Foundry bootcamp at ContributingCode
Cloud Foundry bootcamp at ContributingCode
 
Migrating to CloudFoundry
Migrating to CloudFoundryMigrating to CloudFoundry
Migrating to CloudFoundry
 
Visual Sorage Intelligence™ Product Guide
Visual Sorage Intelligence™ Product GuideVisual Sorage Intelligence™ Product Guide
Visual Sorage Intelligence™ Product Guide
 
Spring Data and MongoDB
Spring Data and MongoDBSpring Data and MongoDB
Spring Data and MongoDB
 
Rorotika VAS products
Rorotika VAS productsRorotika VAS products
Rorotika VAS products
 
Rorotika VAS products
Rorotika VAS productsRorotika VAS products
Rorotika VAS products
 
Spain Getting Ready For Cloud Computing
Spain Getting Ready For Cloud ComputingSpain Getting Ready For Cloud Computing
Spain Getting Ready For Cloud Computing
 

More from SURFnet

7-minute-speeches. Deel 3.
7-minute-speeches. Deel 3.7-minute-speeches. Deel 3.
7-minute-speeches. Deel 3.SURFnet
 
The mobile evolution of the employee and student pass
The mobile evolution of the employee and student passThe mobile evolution of the employee and student pass
The mobile evolution of the employee and student passSURFnet
 
Location-based services: van theorie naar praktijk. Deel 2
Location-based services: van theorie naar praktijk. Deel 2Location-based services: van theorie naar praktijk. Deel 2
Location-based services: van theorie naar praktijk. Deel 2SURFnet
 
Automatisering en orkestratie: update en toekomstplannen
Automatisering en orkestratie: update en toekomstplannenAutomatisering en orkestratie: update en toekomstplannen
Automatisering en orkestratie: update en toekomstplannenSURFnet
 
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2SURFnet
 
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1SURFnet
 
RUGnet, een service oriented internationaal netwerk van Fryslân tot China
RUGnet, een service oriented internationaal netwerk van Fryslân tot ChinaRUGnet, een service oriented internationaal netwerk van Fryslân tot China
RUGnet, een service oriented internationaal netwerk van Fryslân tot ChinaSURFnet
 
Opening en netwerkvisie SURF
Opening en netwerkvisie SURFOpening en netwerkvisie SURF
Opening en netwerkvisie SURFSURFnet
 
Trends in unwired communications
Trends in unwired communicationsTrends in unwired communications
Trends in unwired communicationsSURFnet
 
Netwerkfunctievirtualisatie: proof-of-concept en demo
Netwerkfunctievirtualisatie: proof-of-concept en demoNetwerkfunctievirtualisatie: proof-of-concept en demo
Netwerkfunctievirtualisatie: proof-of-concept en demoSURFnet
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 4
SURF-dienstenportfolio: draadvrije netwerk. Deel 4SURF-dienstenportfolio: draadvrije netwerk. Deel 4
SURF-dienstenportfolio: draadvrije netwerk. Deel 4SURFnet
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 3
SURF-dienstenportfolio: draadvrije netwerk. Deel 3SURF-dienstenportfolio: draadvrije netwerk. Deel 3
SURF-dienstenportfolio: draadvrije netwerk. Deel 3SURFnet
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 2
SURF-dienstenportfolio: draadvrije netwerk. Deel 2SURF-dienstenportfolio: draadvrije netwerk. Deel 2
SURF-dienstenportfolio: draadvrije netwerk. Deel 2SURFnet
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 1
SURF-dienstenportfolio: draadvrije netwerk. Deel 1SURF-dienstenportfolio: draadvrije netwerk. Deel 1
SURF-dienstenportfolio: draadvrije netwerk. Deel 1SURFnet
 
De toekomst van netwerkinfrastructuur op de campus: in gesprek!
De toekomst van netwerkinfrastructuur op de campus: in gesprek!De toekomst van netwerkinfrastructuur op de campus: in gesprek!
De toekomst van netwerkinfrastructuur op de campus: in gesprek!SURFnet
 
Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...
Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...
Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...SURFnet
 
7-minute-speeches. Deel 2
7-minute-speeches. Deel 27-minute-speeches. Deel 2
7-minute-speeches. Deel 2SURFnet
 
Nieuwe mogelijkheden van het SURFnet-netwerk Dashboard
Nieuwe mogelijkheden van het SURFnet-netwerk DashboardNieuwe mogelijkheden van het SURFnet-netwerk Dashboard
Nieuwe mogelijkheden van het SURFnet-netwerk DashboardSURFnet
 
7-minute-speeches
7-minute-speeches7-minute-speeches
7-minute-speechesSURFnet
 
Winnende voorstellen location-based services - deel 2
Winnende voorstellen location-based services - deel 2Winnende voorstellen location-based services - deel 2
Winnende voorstellen location-based services - deel 2SURFnet
 

More from SURFnet (20)

7-minute-speeches. Deel 3.
7-minute-speeches. Deel 3.7-minute-speeches. Deel 3.
7-minute-speeches. Deel 3.
 
The mobile evolution of the employee and student pass
The mobile evolution of the employee and student passThe mobile evolution of the employee and student pass
The mobile evolution of the employee and student pass
 
Location-based services: van theorie naar praktijk. Deel 2
Location-based services: van theorie naar praktijk. Deel 2Location-based services: van theorie naar praktijk. Deel 2
Location-based services: van theorie naar praktijk. Deel 2
 
Automatisering en orkestratie: update en toekomstplannen
Automatisering en orkestratie: update en toekomstplannenAutomatisering en orkestratie: update en toekomstplannen
Automatisering en orkestratie: update en toekomstplannen
 
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 2
 
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1
Welke nieuwe mogelijkheden biedt het SURFnet8-netwerk? Deel 1
 
RUGnet, een service oriented internationaal netwerk van Fryslân tot China
RUGnet, een service oriented internationaal netwerk van Fryslân tot ChinaRUGnet, een service oriented internationaal netwerk van Fryslân tot China
RUGnet, een service oriented internationaal netwerk van Fryslân tot China
 
Opening en netwerkvisie SURF
Opening en netwerkvisie SURFOpening en netwerkvisie SURF
Opening en netwerkvisie SURF
 
Trends in unwired communications
Trends in unwired communicationsTrends in unwired communications
Trends in unwired communications
 
Netwerkfunctievirtualisatie: proof-of-concept en demo
Netwerkfunctievirtualisatie: proof-of-concept en demoNetwerkfunctievirtualisatie: proof-of-concept en demo
Netwerkfunctievirtualisatie: proof-of-concept en demo
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 4
SURF-dienstenportfolio: draadvrije netwerk. Deel 4SURF-dienstenportfolio: draadvrije netwerk. Deel 4
SURF-dienstenportfolio: draadvrije netwerk. Deel 4
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 3
SURF-dienstenportfolio: draadvrije netwerk. Deel 3SURF-dienstenportfolio: draadvrije netwerk. Deel 3
SURF-dienstenportfolio: draadvrije netwerk. Deel 3
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 2
SURF-dienstenportfolio: draadvrije netwerk. Deel 2SURF-dienstenportfolio: draadvrije netwerk. Deel 2
SURF-dienstenportfolio: draadvrije netwerk. Deel 2
 
SURF-dienstenportfolio: draadvrije netwerk. Deel 1
SURF-dienstenportfolio: draadvrije netwerk. Deel 1SURF-dienstenportfolio: draadvrije netwerk. Deel 1
SURF-dienstenportfolio: draadvrije netwerk. Deel 1
 
De toekomst van netwerkinfrastructuur op de campus: in gesprek!
De toekomst van netwerkinfrastructuur op de campus: in gesprek!De toekomst van netwerkinfrastructuur op de campus: in gesprek!
De toekomst van netwerkinfrastructuur op de campus: in gesprek!
 
Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...
Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...
Research data zone: veilige en geoptimaliseerde netwerkomgeving voor onderzoe...
 
7-minute-speeches. Deel 2
7-minute-speeches. Deel 27-minute-speeches. Deel 2
7-minute-speeches. Deel 2
 
Nieuwe mogelijkheden van het SURFnet-netwerk Dashboard
Nieuwe mogelijkheden van het SURFnet-netwerk DashboardNieuwe mogelijkheden van het SURFnet-netwerk Dashboard
Nieuwe mogelijkheden van het SURFnet-netwerk Dashboard
 
7-minute-speeches
7-minute-speeches7-minute-speeches
7-minute-speeches
 
Winnende voorstellen location-based services - deel 2
Winnende voorstellen location-based services - deel 2Winnende voorstellen location-based services - deel 2
Winnende voorstellen location-based services - deel 2
 

Recently uploaded

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Webinar dnssec for cnrs - 20120209

  • 1. DNSSEC webinar for CNRS February 9th 2012 Roland van Rijswijk roland.vanrijswijk@surfnet.nl
  • 2. About SURFnet National Research and Education Network (NREN) - like RENATER Founded in 1986 >11000 km of fibre-optic cables for an ultra high-bandwidth network ‘Shared ICT innovation centre’ ≥ 160 connected institutions ±1 million end-users 2 SURFnet. We make innovation work cb
  • 3. Agenda - Introduction - Vulnerabilities in DNS - What is DNSSEC and how does it work? - Deploying DNSSEC: where to start - Perils & pitfalls: what have we learned? - DNSSEC at SURFnet: what have we done? - Conclusion & questions 3 SURFnet. We make innovation work cb
  • 4. DNS: TomTom™ for the Internet 4 SURFnet. We make innovation work cb
  • 5. Why attack DNS? - DNS is everywhere: - In your phone, in your laptop, in your PC… - But also in your car, in an ATM, in your elevator, … - It is very hard to protect plain DNS against attacks - It is very easy to attack a lot of users SURFnet. We make innovation work cb
  • 6. DNS attack vectors Zone file Dy ies Primary na er m ic Qu up da Zone transfers te s Queries Stub resolver Qu Caching resolver e rie s Secondaries Man in the Cache Data Data Spoofed Corrupt data 6 SURFnet. We make innovation work middle poisoning modification modification updates cb
  • 7. Cache poisoning 7 SURFnet. We make innovation work cb
  • 8. Bad news... http://lambicpeach.files.wordpress.com/2008/10/badnewspup.jpg 8 SURFnet. We make innovation work cb
  • 9. Good news :-) 9 SURFnet. We make innovation work cb
  • 10. What is DNSSEC? - DNSSEC was first devised in 1997 - We are at the third generation of the protocol - DNSSEC (ca. 2000) - DNSSECbis (2005) - NSEC3 (2008) - Some 20 (!) active RFCs - That’s excluding the ‘normal’ DNS RFCs - Protocol is mature - Changes are mainly new algorithms 10 SURFnet. We make innovation work cb
  • 11. What is DNSSEC? - Digital Signatures guarantee authenticity of DNS records - Like a wax seal - Resolvers validate the signatures and discard records with bogus signatures - DNSSEC only provides authenticity - So no confidentiality - nor protection against DDoS - or typosquatting, phishing, etc. 11 SURFnet. We make innovation work cb Photo courtesy of UK National Archive cat. no. C202/194/8
  • 12. DNS attack vectors revisited Zone file Dy ies Primary na er m ic Qu up C C da Zone transfers te SE SE s S S Queries Stub resolver D N Qu D N Caching resolver e rie s C S SE N Secondaries D EC S S 12 Man in the SURFnet. We make innovation work middle Cache poisoning D N Data modification Data modification Spoofed updates Corrupt data cb
  • 13. Deployment status - Root was signed on July 15th 2010 - Signed generic TLDs: .asia, .biz, .cat, .com, .edu, .gov, .info, .museum, .net, .org, .pro, .mil - Signed ccTLDs: 60 countries & counting - Includes .fr, .de, .uk, .nl - Registrars are starting to support DNSSEC e.g. 41 .org registrars, source: PIR, http://pir.org/get/registrars 13 SURFnet. We make innovation work cb
  • 14. Validation rate - We measure validation on our resolvers: 14 SURFnet. We make innovation work cb
  • 15. Operating a validating resolver 15 SURFnet. We make innovation work cb
  • 16. Software - The majority of DNS resolvers support DNSSEC out-of-the box: Product DNSSEC RFC 5011 ISC BIND Yes Yes Unbound Yes Yes djbdns No n/a MaraDNS No n/a Microsoft DNS (W2K8 R2) Yes, but* No* Simple DNS Plus Yes No** Nominum Vantio Yes No** * Seriously limited -- DO NOT USE! ** Not specified in product documentation 16 SURFnet. We make innovation work cb
  • 17. Chain of trust Root KSK public key trust anchor Root KSK private key nl nl zone signs Root ZSK public key root (.) root zone contains surfnet.nl DS record signs Root ZSK private key reference to contains nl DS record surfnet.nl KSK public key reference to surfnet.nl KSK private key nl KSK public key signs nl KSK private key surfnet.nl ZSK public key surfnet surfnet zone signs signs surfnet.nl ZSK private key nl ZSK public key contains nl nl zone www signed record for signs 'www.surfnet.nl' nl ZSK private key
  • 18. Trust anchor configuration - You should seriously consider using a resolver that supports RFC 5011 - Check the validity of your trust anchor(s) at regular intervals - Validate a trust anchor before using it! . IN DS 19036 8 2 ! 49AAC11D7B6F6446702E54A160737160 ! ! ! ! ! ! ! 7A1A41855200FD2CE1CDDE32F24E8FB5 ! ! ! ! ! ! ! xidep-pybec-tyvak-zonag-kesud- ! ! ! ! ! ! ! vohip-cumul-fysuk-bivac-pubam- ! ! ! ! ! ! ! hugeb-buzud-symes-tylaf-dosog- ! ! ! ! ! ! ! vufor-huxax 18 SURFnet. We make innovation work cb
  • 19. Setting up a validating resolver - HOWTO instructions for BIND: https://dnssec.surfnet.nl/?p=402 - HOWTO instructions for Unbound: https://dnssec.surfnet.nl/?p=212 - Shameless advert: use (or try) Unbound! http://unbound.net 19 SURFnet. We make innovation work cb
  • 20. Checking your setup (1) - Perform a lookup of a record known to be signed, for instance: www.surfnet.nl $ dig +dnssec +noauth www.surfnet.nl @your-resolver ... ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6193 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 13 ... ;; ANSWER SECTION: www.surfnet.nl.! 3541! IN! A! 145.0.2.10 www.surfnet.nl.! 3541! IN! RRSIG! A 8 3 3600 20120209210255 20120202092011 65233 surfnet.nl. jBv79k4EvXt3bN6moWuY5Sr8KuUW4rDodso3SMMrbMgg9uBT7kdVRRzW veMF6vZBTxtaacefbMud41G... ... 20 SURFnet. We make innovation work cb
  • 21. Checking your setup (2) - Visit one of the DNSSEC test sites such as: http://www.nic.cz/dnssec http://www.dnssec-failed.org http://test.dnssec-or-not.org/ <-- funny - And verify the result: source: nic.cz 21 SURFnet. We make innovation work cb
  • 22. Dealing with validation failures - Validation failures will lead to the resolver returning SERVFAIL - Clients will try all configured resolvers - If one of them doesn’t validate, the query will succeed and the user probably only notices a slight delay - In our experience, users don’t call the helpdesk - So no: “The Internet is broken” - Nevertheless: if you see validation failures then try to alert the zone owner http://xkcd.com/386/ 22 SURFnet. We make innovation work cb
  • 23. Impact on resource use - DNSSEC relies on public key cryptography - Crypto eats CPU cycles, right? - We’ve been running with full validation enabled for almost 3 years - The impact on CPU load is negligible - Measuring doesn’t show a significant difference - Remember: DNS resolving is all about caching results 23
  • 24. Troubleshooting - DNSSEC relies on the EDNS0 extension (RFC 2671) - For larger messages (signatures) - For the DO-bit (DNSSEC OK) - Some network hardware has problems with DNSSEC traffic - Firewalls are notorious for blocking: - UDP packets over 512 bytes in size - Fragmented UDP packets - TCP on port 53 - CPE/SOHO routers also cause trouble - Buggy DNS implementations that interfere with your traffic -- Nominet report: http://bit.ly/cfQBMu 24
  • 25. UDP fragmentation issues - Late 2010 we experienced problems with a large ISP in The Netherlands - surfnet.nl had just gotten a DS in .nl - Colleagues started complaining that they could not log on to their mail from home - It turned out to be a firewall at the ISP that discarded UDP fragments - Even though they did not do validation, they could not resolve our records! 25 SURFnet. We make innovation work cb
  • 26. UDP fragmentation issues Authoritative Name Server ➀ ➁ min(MTU) = 1500 bytes Internet (somewhere in transit) ➂ ➄ Firewall ➃ ➅ Recursive Caching Name Server 26 (resolver)
  • 27. All is well that ends well? - We talked to their engineers - They could not replace the firewall - Keep in mind: all modern resolvers (BIND, Unbound) have EDNS0 + DO=1 enabled by default - In the end, they lowered the EDNS0 buffer size on their resolver to 512 bytes - Problem solved, right? 27 SURFnet. We make innovation work cb
  • 28. The saga continues - Everything worked well until in March 2011 we suddenly started getting complaints from some companies trying to e-mail us - Lo and behold, they were customers of this same ISP 28 SURFnet. We make innovation work cb
  • 29. The firewall strikes back - It turned out that only customers using the hosted MS Exchange service had issues - After talking to engineers at the ISP we discovered the problem - They had upgraded the dedicated resolvers in their hosted exchange environment to Windows 2008 R2 which does EDNS0 and sets DO=1 - Solution: tweak an arcane registry setting (see https://dnssec.surfnet.nl/?p=684) 29 SURFnet. We make innovation work cb
  • 30. Maybe we should give the DNSSEC OK bit another name 30 SURFnet. We make innovation work cb
  • 31. How many people validate? 31
  • 32. Operating a signed zone 32 SURFnet. We make innovation work cb
  • 33. Why sign your zone? - Because your website represents a valuable asset for your organisation - To prevent redirection of Internet traffic to your domain (think: VoIP, e-mail, etc.) - To protect your users - To leverage the trust that DNSSEC can establish Ho - DNSSEC is a PKI - store SSH fingerprints in DNS (SSHFP record) ts - store SSL/TLS certificates in DNS (DANE initiative) tuff - Because your competitor does it too :-) :-) 33
  • 34. User study - We did a user study among our constituency - 169 persons asked to participate - 38 responded representing 37 organisations (academia, research institutions, teaching hospitals) - Two-thirds of users feel - > 75% plan to sign their DNSSEC is important: domain: ! ! 34 SURFnet. We make innovation work cb
  • 35. When to sign your zone? - Your infrastructure should be ready - Remember the firewall trouble mentioned when resolving was discussed - You should have a clear mandate - DNS affects everything on your network so DNSSEC does too - Think before you act :-) - The way back is harder than the way forward 35 SURFnet. We make innovation work cb
  • 36. Advice for getting started - Make use of available tooling - OSS: OpenDNSSEC, BIND - Commercial signer solutions - Make sure you have good monitoring - Write down policies and procedures - Carefully think about your design - Make your users’ life easy! - Check with your secondaries for DNSSEC support 36 SURFnet. We make innovation work cb
  • 37. Signer software (1) - OpenDNSSEC - BIND 9.x - Key storage in the clear on disk - HSM support only through patched OpenSSL - No automated key rollover (scriptable though) - BIND 10 - Still heavily under development (5 year project) - Alpha versions have been released - PowerDNSSEC - Standard starting from PowerDNS 3.0 (July 1st 2011) - ZKT (Zone Key Tool) 37 SURFnet. We make innovation work cb
  • 38. Signer software (2) - Secure64 DNS signer http://www.secure64.com - Xelerance DNS-X signer http://www.xelerance.com - IPAM vendors - Men & Mice - Infoblox - BlueCat networks - ... - Microsoft Windows Server 2008 R2* - *Severely broken, do not use! Wait for W8 Server 38 SURFnet. We make innovation work cb
  • 39. Monitoring - Monitoring helps to detect problems early-on - When monitoring a signed zone, look for: - Signature expiry - MTU problems (firewalls!) - Continuous validation - Also monitor from outside your own network - Many tools are available, for example: http://www.dnssecmonitor.org http://www.dnsviz.net 39 SURFnet. We make innovation work cb
  • 40. How to sign your zone: case study SURFnet - SURFnet operates a managed DNS environment called ‘SURFdomeinen’ - We ran a project in 2010 from Q1 to Q3 to implement DNSSEC in SURFdomeinen - Our goals: - To make it easy for our connected institutions to operate signed zones - To make it easy for ourselves to operate signed zones - We enabled DNSSEC for surfnet.nl at the end of September 2010 40 SURFnet. We make innovation work cb
  • 41. SURFdomeinen 41 SURFnet. We make innovation work cb
  • 42. Requirements - DNSSEC should be a ‘box to tick’ - DNS is already considered to be complex by many users, something that doesn’t improve if you add DNSSEC - The integrity of zones should be guaranteed - SURFdomeinen should not be the ‘weakest link’ in the attack chain - Monitoring is of great importance (more on that later) - Turning DNSSEC on or off should not take too long - Ideally less than 1 hour - Once DNSSEC is turned on, customers should not notice any difference 42 SURFnet. We make innovation work cb
  • 43. Design decision: using HSMs - HSM = Hardware Security Module - Secure and robust way to store DNSSEC key material - We can never access the raw key material - Role separation - Standard API (PKCS #11) - Disadvantage: expensive 43 SURFnet. We make innovation work cb
  • 44. Design decision: OpenDNSSEC - SURFnet participates in the project - Other partners are: IIS (.se), Nominet (.uk), Kirei, SIDN (.nl), NLnet Labs en Sinodun - Goal: push-the-button signing - Functions like a ‘bump-in-the-wire’ - Possibility to have different policies for different customers - Possibility to share keys (e.g. one set of keys per customer rather than per zone) 44 SURFnet. We make innovation work cb
  • 45. Design decision: OpenDNSSEC - OpenDNSSEC 1.1 - Current version; used in production by a number of top-level domains and also for our deployment - Used - for instance - by .uk, .fr, .se and .nl - OpenDNSSEC 1.2 - Faster signer engine in C - Better support for ‘key-sharing’ - OpenDNSSEC 1.3 (Q3 2011) - Multi-threaded signer for better performance - Currently in release-candidate status - OpenDNSSEC 1.4 (±Q1 2012) - Adapters for AXFR/IXFR & MySQL - OpenDNSSEC 1.5 (±Q2 2012) 45 SURFnet. We make innovation work cb
  • 46. OpenDNSSEC architecture 46 SURFnet. We make innovation work cb
  • 47. Design: bump-in-the-wire DNS zone DNS transfer Internet Hidden primary Public primary ! DNS DNS zone zone DNS transfer DNS transfer Internet Hidden primary OpenDNSSEC Public primary ! 47 SURFnet. We make innovation work cb
  • 48. Design: data flow DNS DNS zone zone scp DNS transfer SURFdomeinen DNSSEC signer ns1.surfnet.nl DNS transfer ns2.surfnet.nl Internet DNS zone ns3.surfnet.nl ns1.zurich.surf.net 48 SURFnet. We make innovation work cb
  • 49. Design: network security Colocation DNS VLAN HSM VLAN admin Network HSM Authoritative OpenDNSSEC DNS signer SSL HSM firewall firewall local router Admin VLAN Internet SURFnet WAN firewall 49 SURFnet. We make innovation work SURFdomeinen cb server
  • 50. Design: redundancy Signer: - Warm standby system in a different co-location - MySQL master-slave replication - Failover is a manual process (not time critical) HSM: - Two HSMs in two different locations - High-availability mode - Offline secure backup on a third location - Keys will only be used after a backup 50 SURFnet. We make innovation work cb
  • 51. Enabling DNSSEC: user perspective - Push-the-button signing: - Unsigned to signed in 15 minutes 51 SURFnet. We make innovation work cb
  • 52. When things go wrong... 52 Photo courtesy of jeffwilcox@FlickR
  • 53. Admitting mistakes 53 Photo © 2003 philg@mit.edu
  • 54. AXFR bug in OpenDNSSEC - surfnet.nl was signed for the first time in September 2010 (on a Monday) - everything went smoothly until Thursday Quickly diagnose - then suddenly... the problem no more mail no more website no more VoIP I think you’ve got diarrhea... - D’oh!!! - Garbage In == Garbage Out 54
  • 55. Stories from the trenches... - .cz and .us became ‘bogus’ because of a mistake during an algorithm rollover - ISOC & .org nearly had a PR disaster at ICANN 38 in Brussels - .uk became ‘bogus’ because of a glitch during a signer failover - .be forgot to update critical signatures - mozilla.org and nasa.gov published a DS while their zone wasn’t signed yet 55 SURFnet. We make innovation work cb
  • 56. If you’re lucky... - this is what users will see: 56 many thanks to Marco Davids of SIDN for the screenshot
  • 57. But in most cases... - this is what users will see: 57 - (and this is better IMHO!)
  • 59. Further reading http://bit.ly/sn-dnssec-2008 http://bit.ly/sn-dnssec-val http://bit.ly/sn-cryptoweb 59 SURFnet. We make innovation work cb
  • 60. Online resources - http://dnssec.surfnet.nl - With lots of information about the choices we made while deploying DNSSEC - http://dnssec.net - Comprehensive and up-to-date links to information on DNSSEC - http://www.dnssec-deployment.org - Tracks DNSSEC deployment across the net - http://www.practicesafedns.org - PIR (.org) initiative with user stories 60 SURFnet. We make innovation work cb
  • 61. Conclusions - DNSSEC deployment is in full swing - The ball is now in your court! - Seriously consider enabling validation on your resolver You should enable validation, there’s really no excuse not to do it :-) - Start planning for signing - Once it works, you don’t notice it’s there 61 SURFnet. We make innovation work cb
  • 62. roland.vanrijswijk@surfnet.nl Questions? Comments? nl.linkedin.com/in/rolandvanrijswijk @reseauxsansfil

Editor's Notes

  1. \n
  2. \n
  3. \n
  4. We need DNS everywhere\n
  5. \n
  6. \n
  7. \n
  8. In 2008 this was bad news: how could you still trust the Internet?\n
  9. Luckily, some folks at the IETF found a way to solve this issue: DNSSEC\n
  10. Reference &amp;#x201C;after 10 years a protocol that hasn&amp;#x2019;t been picked up can be declared dead&amp;#x201D; of this morning\n
  11. \n
  12. \n
  13. \n
  14. \n
  15. Q: How many of you here already operate a validating resolver?\n
  16. \n
  17. \n
  18. Explain trust anchor concept (like a root certificate in SSL)\n
  19. \n
  20. ad = authenticated data\n
  21. \n
  22. \n
  23. You want many servers rather than one big one and loadbalance them so you can scale up\n
  24. \n
  25. \n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. Name example: HSM sync problem last week\n
  40. \n
  41. \n
  42. \n
  43. \n
  44. \n
  45. \n
  46. \n
  47. \n
  48. \n
  49. \n
  50. \n
  51. \n
  52. \n
  53. \n
  54. \n
  55. \n
  56. \n
  57. Explain why this is better, SSL pop-ups\n
  58. Hard to find zone owner (anon reg, SOA e-mail not working, cannot e-mail if MX record does not validate!) -- need to try nevertheless\n\nMention DNS health initiative?\n
  59. \n
  60. \n
  61. \n
  62. \n