DNS and Security
Julien Pivotto
RMLL Security Track
July 5th, 2016
whois
Julien Pivotto
• Sysadmin at inuits.eu
• From small to large scale orgs
• Automation & Monitoring
• @roidelapluie on irc/twitter/github
inuits.eu
DNS
What is DNS?
• TL;DR: translates domain names to IP addresses
• In fact, it stores much more data than IP addresses
How it works
[Figure: step-by-step DNS resolution, inspired by @jpmens. Image licensed under a Creative Commons Attribution-ShareAlike 2.0 License, https://www.flickr.com/photos/frans16611/6139595092; icons by http://jcartier.net/spip.php?aticle39]
DNS is mission-critical
• Holds IP addresses
• Holds service definitions
• Holds hostnames, TXT records
DNS practices
• Do not mix authoritative and recursive servers
• Mix your DNS server "brands" (implementations)
• Hide your DNS masters
• Do not invent new TLDs
Data stored in DNS
• A records: IP addresses
• CNAME: canonical names
• SRV: service records
• MX: mail servers
• TXT: text records
SRV records
_xmpp-client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.
(fields: priority 0, weight 5, port 5222, target xmpp.inuits.eu.)
TXT records
• SPF record: Sender Policy Framework
• DKIM
• Keybase.io
• Let's Encrypt DNS challenge
Not secure by design
• 1983
• Designed for scale, not security
• Early 2000s: birth of DNSSec
DNSSec
• 2000s: DNSSec RFCs
• DNSSec hit the DNS root in 2010
• Multiple iterations of the RFCs
"The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System."
RFC 4033
What is DNSSec?
• Proof of origin and integrity
• Zone and record signing
• Proof of non-existence
Two types of keys
• ZSK: Zone Signing Key
• KSK: Key Signing Key
Zone Signing Key
• Private/public key pair
• Signs the records
• e.g. signs the A records, the MX records…
• Rolled over frequently
Key Signing Key
• Private/public key pair
• Signs the ZSK
• Designed to be stronger than the ZSK
• Its fingerprint (DS record) is stored in the parent zone
DNSSec record types
• RRSIG: signature
• DNSKEY: public key
• DS: hash of a DNSKEY (stored in the parent zone)
DNSSec record types
• NSEC: Next Secure
• Points to the next existing name in the zone
• Returned when the queried name does not exist (proof of non-existence)
• NSEC/NSEC3 records are signed
• NSEC3 prevents zone walking (owner names are hashed)
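To make the proof-of-non-existence and zone-walking points concrete, here is an added example (not from the deck) that checks whether an NSEC link covers a queried name using the RFC 4034 canonical name order, and computes RFC 5155 NSEC3 owner-name hashes; the rmll.example chain, salt and iteration count are constructed.

```python
import base64
import hashlib

# Sorting key implementing RFC 4034 section 6.1 canonical DNS name order:
# labels are compared from the root downwards, case-insensitively, as
# unsigned octets; a shorter name sorts before any name below it.
def canonical_key(name):
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels) if label]

def nsec_covers(owner, next_name, qname):
    """True if the record '<owner> NSEC <next_name>' proves that qname does not exist.

    qname must fall strictly between owner and next_name in canonical order.
    The last NSEC of a zone points back to the apex, so that link wraps around."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n

def find_covering_nsec(chain, qname):
    """Return the (owner, next) NSEC link covering qname, or None when qname exists."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None

def name_to_wire(name):
    """Uncompressed wire format: length-prefixed lowercase labels, then a zero byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

# RFC 4648 base32hex, obtained by remapping Python's standard base32 alphabet.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def b32hex(data):
    return base64.b32encode(data).decode("ascii").translate(_B32HEX).lower()

def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 NSEC3 owner-name hash: SHA-1(x || salt), applied iterations+1 times.

    A validator can still check that the hash of a queried name falls in a gap of
    the NSEC3 chain, but the chain no longer lists the zone's names in the clear."""
    salt = bytes.fromhex(salt_hex)
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)

# Constructed NSEC chain for a toy rmll.example zone (not a real zone): each link
# names the next existing name and the last link wraps to the apex. This is why
# plain NSEC permits zone walking: following the links enumerates every name.
CHAIN = [
    ("rmll.example", "alpha.rmll.example"),
    ("alpha.rmll.example", "beta.rmll.example"),
    ("beta.rmll.example", "rmll.example"),
]

if __name__ == "__main__":
    for q in ("b.rmll.example", "alpha.rmll.example", "zeta.rmll.example"):
        print(q, "->", find_covering_nsec(CHAIN, q))
    print("NSEC3 owner for alpha.rmll.example:", nsec3_hash("alpha.rmll.example", "aabbccdd", 12))
```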
In practice
Bind
• Reference DNS server
• Developed by the Internet Systems Consortium
• Current version: bind9
• bind10 project is abandoned
Bind features
• Supports everything
• Recursive, authoritative
• Dynamic updates
• DNSSec
Bind and DNSSec
• Full support + NSEC3
• Manual signing
• Automated signing
• DNSSec and dynamic zones
Generating keys
mkdir /etc/bind/keys
cd /etc/bind/keys
dnssec-keygen rmll.example              # ZSK
dnssec-keygen -f KSK rmll.example       # KSK
Generating keys
dnssec-keygen -a NSEC3RSASHA1 -b 2048 rmll.example          # ZSK
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -f KSK rmll.example   # KSK
Generating DS records
dnssec-dsfromkey -f /var/bind/rmll.example -K /etc/bind/keys/ rmll.example
rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8…
rmll.example. IN DS 18025 8 2 522D8EA3287FFF41186169A30…
(key tag 18025, algorithm 8, digest type 1 = SHA-1 and 2 = SHA-256; digests truncated on the slide)
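Added example (not from the deck, and not how dnssec-dsfromkey is implemented) showing what the DS output above contains: the RFC 4034 key tag, the digest over the owner name plus DNSKEY RDATA, and the check a validator performs against the parent's DS; the DNSKEY line uses constructed key material.

```python
import base64
import hashlib
import hmac
import struct

def name_to_wire(name):
    """Uncompressed wire format of an owner name: length-prefixed lowercase labels, then a zero byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag of a DNSKEY RDATA (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types: 1 = SHA-1, 2 = SHA-256

def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' into (owner, RDATA bytes)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + public_key

def ds_digest(owner, rdata, digest_type):
    """DS digest = H(owner name in wire format || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_from_dnskey(dnskey_line, digest_type):
    """The DS record the parent zone should publish for this key (the shape dnssec-dsfromkey prints)."""
    owner, rdata = parse_dnskey(dnskey_line)
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(ds_line, dnskey_line):
    """Validator-side check: does the parent's DS really fingerprint the child's DNSKEY (the KSK)?"""
    fields = ds_line.split()
    idx = fields.index("DS")
    tag, algorithm, digest_type = (int(x) for x in fields[idx + 1:idx + 4])
    published = "".join(fields[idx + 4:]).upper()
    owner, rdata = parse_dnskey(dnskey_line)
    if digest_type not in DIGESTS or key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, digest_type), published)

# Constructed KSK line: flags 257 (ZONE + SEP), protocol 3, algorithm 8 (RSASHA256).
# The public key is a made-up RSA blob (exponent 65537, dummy modulus), NOT a real key;
# only the record arithmetic is demonstrated, never a signature.
FAKE_PUBLIC_KEY = b"\x03\x01\x00\x01" + bytes(range(256))
KSK_LINE = "rmll.example. IN DNSKEY 257 3 8 " + base64.b64encode(FAKE_PUBLIC_KEY).decode("ascii")

if __name__ == "__main__":
    for digest_type in (1, 2):
        print(ds_from_dnskey(KSK_LINE, digest_type))
```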
Enable DNSSec in bind
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
Enable DNSSec for a zone
Manually signed
zone "rmll.example" IN {
    type master;
    file "rmll.example.zone.signed";
};
Enable DNSSec for a zone
Auto signing
zone "rmll.example" IN {
    type master;
    file "rmll.example.zone";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;
    inline-signing yes;
};
Manually sign a zone
dnssec-signzone -S -o rmll.example -K /etc/bind/keys/ /var/bind/master/rmll.example.zone
• Creates a .signed zone file
DANE
DANE
• DNS-based Authentication of Named Entities
• New record types to store public key hashes
• Independent from DNSSec (!)
TLSA records
• Hash (fingerprint) of a TLS certificate or key
• "Replacement" for the CA (https)
• Not implemented natively in browsers
• Implemented in IRC clients (irssi)
TLSA records
_443._tcp IN TLSA 3 0 1 2bfa3214fda53315b140e65fe66…
_443._tcp.www IN TLSA 3 0 1 2bfa3214fda53315b140e65…
_6697._tcp.irc IN TLSA 3 0 1 2bfa3214fda53315b140e6…
(usage 3 = end-entity certificate, selector 0 = full certificate, matching type 1 = SHA-256; hashes truncated on the slide)
Generating a hash
openssl x509 -in cert.pem -outform DER | openssl sha256
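As an added example (not part of the talk), the same computation as the openssl pipeline above in Python, producing TLSA records in the form shown on the previous slide and the matching check a DANE-aware client performs; CERT_DER is a constructed byte string standing in for a real DER-encoded certificate.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded X.509 certificate (NOT a real certificate);
# in practice this is the output of `openssl x509 -in cert.pem -outform DER`.
CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

MATCHING = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}   # RFC 6698 matching types

def tlsa_assoc_data(cert_der, selector, matching):
    """Certificate association data for selector 0 (full certificate) and a matching type."""
    if selector != 0:
        # Selector 1 (SubjectPublicKeyInfo only) needs an ASN.1 parser; out of scope here.
        raise NotImplementedError("only selector 0 (full certificate) is supported")
    if matching == 0:
        return cert_der.hex()              # exact match: the whole DER blob, hex-encoded
    return MATCHING[matching](cert_der).hexdigest()

def tlsa_record(port, proto, host, cert_der, usage=3, selector=0, matching=1):
    """Zone line for a service, e.g. '_443._tcp.www IN TLSA 3 0 1 <sha256>'.

    Usage 3 (DANE-EE): the end-entity certificate the server presents must match itself."""
    owner = f"_{port}._{proto}" + (f".{host}" if host else "")
    return f"{owner} IN TLSA {usage} {selector} {matching} {tlsa_assoc_data(cert_der, selector, matching)}"

def tlsa_matches(rdata, presented_cert_der):
    """Client-side check: does the certificate a server presented match a TLSA RDATA string?"""
    usage, selector, matching, assoc = rdata.split(None, 3)
    if int(usage) != 3:
        # Usages 0-2 constrain the chain (CA / trust anchor) rather than the leaf; fail closed here.
        return False
    expected = tlsa_assoc_data(presented_cert_der, int(selector), int(matching))
    # Presentation format may split the hex over whitespace; compare in constant time.
    return hmac.compare_digest(expected.lower(), "".join(assoc.split()).lower())

if __name__ == "__main__":
    print(tlsa_record(443, "tcp", "www", CERT_DER))
    print(tlsa_record(6697, "tcp", "irc", CERT_DER))
```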
SSH
TOFU
• Trust On First Use
• Works in slowly moving environments
• Nowadays we populate new hosts all the time
• Nowadays we rebuild existing hosts
SSHFP records
• Hash (fingerprint) of an SSH server's host key
• Implemented in OpenSSH
• Uses DNS to recognize the SSH host key
IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c…
IN SSHFP 1 2 9de5bc066a898733420bcfaae8f43e80e532…
IN SSHFP 2 1 223e89447a53a3178be02fee6fdd5b44228a…
IN SSHFP 2 2 2644fcbd2a1b179091a195207e395d009b16…
(algorithm 1 = RSA, 2 = DSA; fingerprint type 1 = SHA-1, 2 = SHA-256; fingerprints truncated on the slide)
ssh_config option:
VerifyHostKeyDNS no
VerifyHostKeyDNS yes
VerifyHostKeyDNS ask
$ ssh -o VerifyHostKeyDNS=yes rmll.example
The authenticity of host 'rmll.example (1.2.3.4)' can't be established.
ECDSA key fingerprint is SHA256:f8zwQD3RU62PXgwCw5WRk2OIyVY.
Matching host key fingerprint found in DNS
Are you sure you want to continue?
Populating SSHFP records
• What if we have a single source of truth?
• Something that can scale, and be quick enough?
Config management
• Quickly moving environments often use config management tools
• They know the environment and store data about it
• We use Puppet + The Foreman
Puppet
• A config management tool
• Declarative
• Enforces a desired state
Puppet facts
• Values collected on the host
• OS version, uptime, kernel
• SSH fingerprints
• Sent back to the master
facts2sshfp
• https://github.com/jpmens/facts2sshfp
• Python script
• Reads facts YAML files
• Converts Puppet facts to SSHFP records
• Uses Puppet as the single source of truth
• facts2sshfp.py -T nsupdate.template -D a.aa.
• Output to templates, nsupdate commands…
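An added example (not facts2sshfp's own code) of the conversion it performs: deriving SSHFP records from the host-key blobs in Puppet facts and emitting the nsupdate commands that replace a host's SSHFP set; the fact names sshrsakey/sshdsakey/sshecdsakey/sshed25519key are assumed legacy Facter names, and the key blobs are constructed.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) keyed by the key type string that
# starts every OpenSSH public key blob; fingerprint types are 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data

def key_type_of(blob):
    """The key type string is the first SSH 'string' in the decoded public key blob."""
    (length,) = struct.unpack("!I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def sshfp_rdata(blob):
    """All SSHFP RDATA strings ('alg fptype hex') for one host key blob; the hash covers the whole blob."""
    alg = SSHFP_ALGORITHM[key_type_of(blob)]
    return [f"{alg} {fp} {h(blob).hexdigest()}" for fp, h in sorted(FP_TYPES.items())]

def sshfp_from_facts(hostname, facts):
    """Zone lines for a host from its Puppet facts.

    Assumed legacy Facter fact names: each holds the base64 blob of a host public key,
    i.e. the second field of the matching /etc/ssh/ssh_host_*_key.pub line."""
    lines = []
    for fact in ("sshrsakey", "sshdsakey", "sshecdsakey", "sshed25519key"):
        if facts.get(fact):
            blob = base64.b64decode(facts[fact])
            lines += [f"{hostname}. IN SSHFP {rdata}" for rdata in sshfp_rdata(blob)]
    return lines

def nsupdate_script(server, zone, hostname, facts, ttl=3600):
    """nsupdate input that replaces the host's SSHFP set with what the facts say
    (the same idea as facts2sshfp's nsupdate template): delete the old set, add the new one."""
    out = [f"server {server}", f"zone {zone}", f"update delete {hostname}. IN SSHFP"]
    for line in sshfp_from_facts(hostname, facts):
        rdata = line.split(" IN SSHFP ", 1)[1]
        out.append(f"update add {hostname}. {ttl} IN SSHFP {rdata}")
    out.append("send")
    return "\n".join(out) + "\n"

# Constructed facts for a toy host: the blobs are made-up wire structures with dummy
# key material, NOT real keys; they only need the right shape to be hashed.
FAKE_ED25519 = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
FAKE_RSA = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + bytes(range(1, 256)))
FACTS = {
    "sshed25519key": base64.b64encode(FAKE_ED25519).decode("ascii"),
    "sshrsakey": base64.b64encode(FAKE_RSA).decode("ascii"),
}

if __name__ == "__main__":
    print(nsupdate_script("ns1.rmll.example", "rmll.example", "host1.rmll.example", FACTS))
```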
The Foreman
[Figure: The Foreman covers Provisioning, Configuration, Monitoring and Reporting]
Foreman proxies
• Foreman works with a GUI + proxies
• DHCP proxy, Puppet proxy, DNS proxy…
• DNS proxy is pluggable: bind9, powerdns…
Foreman is great
• Open source
• Backed by Red Hat
• The main brick behind Red Hat Satellite 6
• Provides a REST API
Building a (libvirt) host
• Create/update DNS entries
• Create/update DHCP entries
• Create the VM in libvirt
• Boot the VM
• Serve a kickstart
• Run Puppet
The Foreman - Puppet proxy
• Puppet collects and saves facts on the machines
• It can send them back to the Foreman
• Foreman can graph them, query them…
facts2sshfp
• https://github.com/jpmens/facts2sshfp
• facts2sshfp.py -T nsupdate.template --foreman-url=https://foreman.example -D a.aa.
Conclusion
[Image licensed under a Creative Commons Attribution 2.0 License, https://www.flickr.com/photos/haslamdigital/17191280202/sizes/h/]
DNS rocks
• Needed everywhere
• Distributed
• Contains lots of data
• Makes our life easier
DNSSec is easy to implement
• Automation is key
• Implemented in most of the tools
• And in most of the DNS servers
DANE adds more security
• SSH fingerprints
• IRC, SMTP certificate hashes
• Existing client-side implementations
DNSSec+DANE
• DNSSec and DANE are more useful together
• Make sure your resolver supports DNSSec!
• The power to check certificates without a CA
Contact
Julien Pivotto
julien@inuits.eu
@roidelapluie
inuits
https://inuits.eu
info@inuits.eu
+32 473 441 636


Enhance OpenSSH for fun and security
Enhance OpenSSH for fun and securityEnhance OpenSSH for fun and security
Enhance OpenSSH for fun and security
Julien Pivotto
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
Deploy360 Programme (Internet Society)
 
The internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana StinguThe internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana Stingu
Roxana Stingu
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
ORG, The Public Interest Registry
 
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014it-people
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
Digital Transformation EXPO Event Series
 
Distributed systems in practice, in theory
Distributed systems in practice, in theoryDistributed systems in practice, in theory
Distributed systems in practice, in theory
Aysylu Greenberg
 
systemd and configuration management
systemd and configuration managementsystemd and configuration management
systemd and configuration management
Julien Pivotto
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC
 
Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoHenry Stern
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
RIPE NCC
 
通信の秘密とブロッキング
通信の秘密とブロッキング通信の秘密とブロッキング
通信の秘密とブロッキング
751c74dc
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
APNIC
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
Qrator Labs
 
How to Backdoor Diffie-Hellman
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
David Wong
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
Shumon Huque
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
Qunog12-DNS暗号化
Qunog12-DNS暗号化Qunog12-DNS暗号化
Qunog12-DNS暗号化
Manabu Sonoda
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 

Similar to DNSSec (20)

Enhance OpenSSH for fun and security
Enhance OpenSSH for fun and securityEnhance OpenSSH for fun and security
Enhance OpenSSH for fun and security
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
The internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana StinguThe internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana Stingu
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
 
Distributed systems in practice, in theory
Distributed systems in practice, in theoryDistributed systems in practice, in theory
Distributed systems in practice, in theory
 
systemd and configuration management
systemd and configuration managementsystemd and configuration management
systemd and configuration management
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, Cisco
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
 
通信の秘密とブロッキング
通信の秘密とブロッキング通信の秘密とブロッキング
通信の秘密とブロッキング
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
How to Backdoor Diffie-Hellman
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
Qunog12-DNS暗号化
Qunog12-DNS暗号化Qunog12-DNS暗号化
Qunog12-DNS暗号化
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 

More from Julien Pivotto

The O11y Toolkit
The O11y ToolkitThe O11y Toolkit
The O11y Toolkit
Julien Pivotto
 
What's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its EcosystemWhat's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its Ecosystem
Julien Pivotto
 
Prometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is comingPrometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is coming
Julien Pivotto
 
What's new in Prometheus?
What's new in Prometheus?What's new in Prometheus?
What's new in Prometheus?
Julien Pivotto
 
Introduction to Grafana Loki
Introduction to Grafana LokiIntroduction to Grafana Loki
Introduction to Grafana Loki
Julien Pivotto
 
Why you should revisit mgmt
Why you should revisit mgmtWhy you should revisit mgmt
Why you should revisit mgmt
Julien Pivotto
 
Observing the HashiCorp Ecosystem From Prometheus
Observing the HashiCorp Ecosystem From PrometheusObserving the HashiCorp Ecosystem From Prometheus
Observing the HashiCorp Ecosystem From Prometheus
Julien Pivotto
 
Monitoring in a fast-changing world with Prometheus
Monitoring in a fast-changing world with PrometheusMonitoring in a fast-changing world with Prometheus
Monitoring in a fast-changing world with Prometheus
Julien Pivotto
 
5 tips for Prometheus Service Discovery
5 tips for Prometheus Service Discovery5 tips for Prometheus Service Discovery
5 tips for Prometheus Service Discovery
Julien Pivotto
 
Prometheus and TLS - an Introduction
Prometheus and TLS - an IntroductionPrometheus and TLS - an Introduction
Prometheus and TLS - an Introduction
Julien Pivotto
 
Powerful graphs in Grafana
Powerful graphs in GrafanaPowerful graphs in Grafana
Powerful graphs in Grafana
Julien Pivotto
 
YAML Magic
YAML MagicYAML Magic
YAML Magic
Julien Pivotto
 
HAProxy as Egress Controller
HAProxy as Egress ControllerHAProxy as Egress Controller
HAProxy as Egress Controller
Julien Pivotto
 
Improved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerImproved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and Alertmanager
Julien Pivotto
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Monitoring as an entry point for collaboration
Monitoring as an entry point for collaborationMonitoring as an entry point for collaboration
Monitoring as an entry point for collaboration
Julien Pivotto
 
Incident Resolution as Code
Incident Resolution as CodeIncident Resolution as Code
Incident Resolution as Code
Julien Pivotto
 
Monitor your CentOS stack with Prometheus
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
Julien Pivotto
 
Monitor your CentOS stack with Prometheus
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
Julien Pivotto
 
An introduction to Ansible
An introduction to AnsibleAn introduction to Ansible
An introduction to Ansible
Julien Pivotto
 

More from Julien Pivotto (20)

The O11y Toolkit
The O11y ToolkitThe O11y Toolkit
The O11y Toolkit
 
What's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its EcosystemWhat's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its Ecosystem
 
Prometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is comingPrometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is coming
 
What's new in Prometheus?
What's new in Prometheus?What's new in Prometheus?
What's new in Prometheus?
 
Introduction to Grafana Loki
Introduction to Grafana LokiIntroduction to Grafana Loki
Introduction to Grafana Loki
 
Why you should revisit mgmt
Why you should revisit mgmtWhy you should revisit mgmt
Why you should revisit mgmt
 
Observing the HashiCorp Ecosystem From Prometheus
Observing the HashiCorp Ecosystem From PrometheusObserving the HashiCorp Ecosystem From Prometheus
Observing the HashiCorp Ecosystem From Prometheus
 
Monitoring in a fast-changing world with Prometheus
Monitoring in a fast-changing world with PrometheusMonitoring in a fast-changing world with Prometheus
Monitoring in a fast-changing world with Prometheus
 
5 tips for Prometheus Service Discovery
5 tips for Prometheus Service Discovery5 tips for Prometheus Service Discovery
5 tips for Prometheus Service Discovery
 
Prometheus and TLS - an Introduction
Prometheus and TLS - an IntroductionPrometheus and TLS - an Introduction
Prometheus and TLS - an Introduction
 
Powerful graphs in Grafana
Powerful graphs in GrafanaPowerful graphs in Grafana
Powerful graphs in Grafana
 
YAML Magic
YAML MagicYAML Magic
YAML Magic
 
HAProxy as Egress Controller
HAProxy as Egress ControllerHAProxy as Egress Controller
HAProxy as Egress Controller
 
Improved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerImproved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and Alertmanager
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Monitoring as an entry point for collaboration
Monitoring as an entry point for collaborationMonitoring as an entry point for collaboration
Monitoring as an entry point for collaboration
 
Incident Resolution as Code
Incident Resolution as CodeIncident Resolution as Code
Incident Resolution as Code
 
Monitor your CentOS stack with Prometheus
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
 
Monitor your CentOS stack with Prometheus
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
 
An introduction to Ansible
An introduction to AnsibleAn introduction to Ansible
An introduction to Ansible
 

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 

DNSSec

  • 1. DNS and Security. Julien Pivotto, RMLL Security Track, July 5th, 2016
  • 2. whois: Julien Pivotto • Sysadmin at inuits.eu • From small to large scale orgs • Automation & Monitoring • @roidelapluie on irc/twitter/github
  • 5. What is DNS? • TL;DR: translates domain names to IP addresses • In fact, it stores much more data than IP addresses
  • 6. How it works. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License. https://www.flickr.com/photos/frans16611/6139595092
  • 7.–11. [diagram slides: a step-by-step walk through DNS resolution] Licensed under a Creative Commons Attribution-ShareAlike 2.0 License. Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 12. DNS is mission-critical • Holds IP addresses • Holds service definitions • Holds hostnames, TXT records
  • 13. DNS practices • Do not mix authoritative and recursive servers • Mix your DNS server "brands" • Hide your DNS masters • Do not invent new TLDs
  • 14. Data stored in DNS • A records: IP addresses • CNAME: canonical names • SRV: service record • MX: mail servers • TXT: text record
  • 15. SRV records: `_xmpp-client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.`
  • 16. TXT records • SPF record: Sender Policy Framework • DKIM • Keybase.io • Let's Encrypt DNS challenge
  • 17. Not secure by design • 1983 • Designed for scale, not security • Early 2000s: birth of DNSSec
  • 18. DNSSec • 2000s: DNSSec RFCs • DNSSec hit the DNS root in 2010 • Multiple iterations of the RFCs
  • 19. "The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System." (RFC 4033)
  • 20. What is DNSSec? • Proof of origin and integrity • Zone and record signing • Proof of non-existence
  • 21. Two types of keys • ZSK: Zone Signing Key • KSK: Key Signing Key
  • 22. Zone Signing Key • Private/public key pair • Signs the records • e.g. signs the A records, the MX records … • Rolled over frequently
  • 23. Key Signing Key • Private/public key pair • Signs the ZSK • Designed to be stronger than the ZSK • Its fingerprint is stored in the parent zone
  • 24. DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • RRRRRRRRRRRRRRRRRRSIG: Signature • DDDDDDDDDDDDDDDDDNSKEY: Public key • DDDDDDDDDDDDDDDDDS: Hash of a DNSKEY (parent zone)
  • 25. DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • NNNNNNNNNNNNNNNNNSEC: Next secure • RRRRRRRRRRRRRRRRReturns the next secure entry • RRRRRRRRRRRRRRRRReturned when next secure is not found • NNNNNNNNNNNNNNNNNSEC/NSEC3 records are signed • NNNNNNNNNNNNNNNNNSEC3 prevents zone walking
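The NSEC chain check a validating resolver performs on a "proof of non-existence", together with the NSEC3 owner-name hashing that stops name-by-name zone walking, as an added Python example that is not from the deck; the zone chain, salt and names are constructed.

```python
"""NSEC and NSEC3 denial of existence, as checked by a validating resolver.

Added example, not from the deck: the zone chain, salt and names below are constructed.
A resolver that receives a (signed) NSEC record accepts "this name does not exist" only
when the name sorts strictly between the record's owner and its "next secure" name in the
canonical ordering of RFC 4034 section 6.1. NSEC3 (RFC 5155) runs the same chain over
hashed owner names, which is why it blocks walking the zone name by name.
"""
import base64
import hashlib


def canonical_key(name):
    """Sort key for canonical DNS ordering: labels right-to-left, lower-cased, as bytes."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))  # tuple ordering: an ancestor (prefix) sorts first


def nsec_covers(owner, next_name, qname):
    """True if 'owner NSEC next_name' proves that qname does not exist."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if q == o or q == n:
        return False            # the name exists; the NSEC can only deny RR types (NODATA)
    if n <= o:                  # last record of the chain wraps around to the zone apex
        return q > o or q < n
    return o < q < n


def find_covering_nsec(chain, qname):
    """Return the (owner, next) pair that covers qname, or None if nothing denies it."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None


def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 hashed owner name: SHA-1 over wire-format name + salt, iterated, base32hex."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # base32 with the "extended hex" alphabet, as used for NSEC3 owner labels
    std, hexalpha = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(digest).translate(bytes.maketrans(std, hexalpha)).decode().lower()


# Constructed NSEC chain for rmll.example.: apex -> alpha -> beta -> www -> back to apex.
SAMPLE_CHAIN = [
    ("rmll.example.", "alpha.rmll.example."),
    ("alpha.rmll.example.", "beta.rmll.example."),
    ("beta.rmll.example.", "www.rmll.example."),
    ("www.rmll.example.", "rmll.example."),
]
```

The RRSIG over each NSEC/NSEC3 record still has to be validated before its chain is trusted; the check above is only the ordering part of the proof.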
  • 26. In Practice
  • 27. Bind • Reference DNS server • Developed by the Internet Systems Consortium • Current version: bind9 • The bind10 project is abandoned
  • 28. Bind features • Supports everything • Recursive, Authoritative • Dynamic updates • DNSSec
  • 29. Bind and DNSSec • Full support + NSEC3 • Manual signing • Automated signing • DNSSec and dynamic zones
  • 30. Generating keys
    mkdir /etc/bind/keys
    cd /etc/bind/keys
    dnssec-keygen rmll.example
    dnssec-keygen -f KSK rmll.example
  • 31. Generating keys
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 rmll.example
    dnssec-keygen -a NSEC3RSASHA1 -b 4096 -f KSK rmll.example
  • 32. Generating DS keys
    dnssec-dsfromkey -f /var/bind/rmll.example -K /etc/bind/keys/ rmll.example
    rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8
    rmll.example. IN DS 18025 8 2 522D8EA3287FFF41186169A30
  • 33. Enable DNSSec in bind
    options { dnssec-enable yes; dnssec-validation yes; }
  • 34. Enable DNSSec for a zone: manually signed
    zone "rmll.example" IN { type master; file "rmll.example.zone.signed"; };
  • 35. Enable DNSSec for a zone: auto signing
    zone "rmll.example" IN { type master; file "rmll.example.zone"; key-directory "/etc/bind/keys"; auto-dnssec maintain; inline-signing yes; };
  • 36. Manually sign a zone
    dnssec-signzone -S -o rmll.example -K /etc/bind/keys/ /var/bind/master/rmll.example.zone
    • Creates a .signed zone file
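What dnssec-dsfromkey computes when it prints the two DS lines on slide 32 (the key tag, then a SHA-1 and a SHA-256 digest over the owner name and DNSKEY RDATA), as an added Python example that is neither the deck's nor BIND's code; the DNSKEY it uses is a constructed placeholder.

```python
"""Key tag and DS digests from a DNSKEY record (RFC 4034), as dnssec-dsfromkey prints them.

Added example, not the deck's or BIND's code. Digest type 1 is SHA-1 and 2 is SHA-256,
both taken over the canonical owner name followed by the DNSKEY RDATA. The DNSKEY below is
a constructed placeholder whose four-byte "public key" keeps the key tag hand-checkable;
real keys are far longer but the arithmetic is identical.
"""
import base64
import hashlib

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lower-case labels, root = 0x00."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5, 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # 16-bit big-endian words, odd trailing byte alone
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, key_b64):
    """DS lines for each digest type, as the parent zone would publish them."""
    owner = owner.lower().rstrip(".") + "."
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    tag = key_tag(rdata)
    data = name_to_wire(owner) + rdata       # digest input: owner name + DNSKEY RDATA
    return [f"{owner} IN DS {tag} {algorithm} {dtype} {h(data).hexdigest().upper()}"
            for dtype, h in DS_DIGESTS.items()]


def parse_dnskey(line):
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm key...' into ds_records() args."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, protocol, algorithm, "".join(fields[i + 4:])


# Constructed placeholder KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 8 (RSASHA256).
SAMPLE_KSK = ("rmll.example.", 257, 3, 8, "AQIDBA==")
```

Feeding the real KSK line from the key directory through parse_dnskey() and ds_records() should reproduce the dnssec-dsfromkey output exactly, which is a cheap check before handing a DS to the parent zone.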
  • 38. DANE • DNS-based Authentication of Named Entities • New record types to store public key hashes • Independent from DNSSec (!)
  • 39. TLSA records • Hash the fingerprint of a TLS key • "Replacement" for the CA (https) • Not implemented natively in browsers • Implemented in IRC clients (irssi)
  • 40. TLSA records
    _443._tcp IN TLSA 3 0 1 2bfa3214fda53315b140e65fe66
    _443._tcp.www IN TLSA 3 0 1 2bfa3214fda53315b140e65
    _6697._tcp.irc IN TLSA 3 0 1 2bfa3214fda53315b140e6
  • 41. Generating a hash
    openssl x509 -in cert.pem -outform DER | openssl sha256
  • 43. TOFU • Trust on first use • Works in slowly moving environments • Nowadays we populate new hosts all the time • Nowadays we rebuild existing hosts
  • 44. SSHFP records • Hash the fingerprint of an SSH server key • Implemented in OpenSSH • Uses DNS to recognize the SSH key
  • 45.
    IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c
    IN SSHFP 1 2 9de5bc066a898733420bcfaae8f43e80e532
    IN SSHFP 2 1 223e89447a53a3178be02fee6fdd5b44228a
    IN SSHFP 2 2 2644fcbd2a1b179091a195207e395d009b16
  • 47.
    $ ssh -o VerifyHostKeyDNS=yes rmll.example
    The authenticity of host 'rmll.example (1.2.3.4)' can't be established.
    ECDSA key fingerprint is SHA256:f8zwQD3RU62PXgwCw5WRk2OIyVY.
    Matching host key fingerprint found in DNS
    Are you sure you want to continue?
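How the TLSA records on slide 40 and the SSHFP records on slide 45 are derived from key material, and the matching check a client (irssi for DANE, OpenSSH with VerifyHostKeyDNS=yes for SSHFP) performs against them, as an added Python example that is neither the deck's code nor facts2sshfp; the host key and certificate bytes are constructed placeholders.

```python
"""TLSA and SSHFP records: publish a hash of the key material in DNS, then check it.

Added example, not the deck's code (and not facts2sshfp): it mirrors what
`openssl x509 -outform DER | openssl sha256` produces for a TLSA record and what OpenSSH
does with VerifyHostKeyDNS=yes for SSHFP. The host key and "certificate" bytes below are
constructed placeholders, not real key material.
"""
import base64
import hashlib
import hmac

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types (1 SHA-1, 2 SHA-256)
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}
# TLSA matching types (RFC 6698): 1 SHA-256, 2 SHA-512 of the selected data
TLSA_DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}


def sshfp_records(owner, pubkey_line):
    """SSHFP records for one OpenSSH public key line ('ssh-ed25519 AAAA... comment')."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)            # the fingerprint is a hash of the raw key blob
    return [f"{owner} IN SSHFP {SSHFP_ALG[keytype]} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_DIGEST.items()]


def sshfp_matches(pubkey_line, record):
    """Client side: does the host key offered by the server match a published SSHFP?"""
    alg, fptype, fp = record.split()[-3:]
    keytype, b64 = pubkey_line.split()[:2]
    if SSHFP_ALG.get(keytype) != int(alg) or int(fptype) not in SSHFP_DIGEST:
        return False                        # wrong key type or unknown hash: no match
    computed = SSHFP_DIGEST[int(fptype)](base64.b64decode(b64)).hexdigest()
    return hmac.compare_digest(computed, fp.lower())


def tlsa_record(owner, cert_der, port=443, proto="tcp", matching=1):
    """DANE-EE (usage 3) over the full certificate (selector 0), as in the slides."""
    return (f"_{port}._{proto}.{owner} IN TLSA 3 0 {matching} "
            f"{TLSA_DIGEST[matching](cert_der).hexdigest()}")


def tlsa_matches(cert_der, record):
    """Client side (what irssi does for DANE): does the served certificate match?"""
    usage, selector, matching, data = record.split()[-4:]
    if (usage, selector) != ("3", "0") or int(matching) not in TLSA_DIGEST:
        return False                        # other usages/selectors are out of scope here
    computed = TLSA_DIGEST[int(matching)](cert_der).hexdigest()
    return hmac.compare_digest(computed, data.lower())


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


# Constructed Ed25519 host key blob in OpenSSH wire format (string type, string key)
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " root@rmll.example"
# Constructed stand-in for a DER-encoded certificate (not a parseable X.509 structure)
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
```

Either check is only as good as the DNS answer it relies on, which is the point of slide 70: without a DNSSEC-validating resolver a forged TLSA or SSHFP answer matches just as well.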
  • 48. Populating SSHFP fields • What if we have a single source of truth? • Something that can scale, and be quick enough?
  • 49. Config Management • Quickly moving environments often use config management tools • They know the environment and store data • We use Puppet + The Foreman
  • 50. Puppet • A config management tool • Declarative • Enforces a desired state
  • 51. Puppet Facts • Values collected on the host • OS version, uptime, kernel • SSH fingerprints • Sent back to the master
  • 52. facts2sshfp • https://github.com/jpmens/facts2sshfp • Python script • Reads facts YAML files • Converts Puppet facts to SSHFP records • Uses Puppet as the single source of truth • facts2sshfp.py -T nsupdate.template -D a.aa. • Output to templates, nsupdate commands…
  • 61. Foreman Proxies • Foreman works with a GUI + proxies • DHCP proxy, Puppet proxy, DNS proxy… • The DNS proxy is pluggable: bind9, powerdns…
  • 62. Foreman is great • Open Source • Backed by Red Hat • The main brick behind Red Hat Satellite 6 • Provides a REST API
  • 63. Building a (libvirt) host • Create/update DNS entries • Create/update DHCP entries • Create the VM in libvirt • Boot the VM • Serve a kickstart • Run Puppet
  • 64. The Foreman - Puppet proxy • Puppet collects and saves facts on the machines • It can send them back to the Foreman • Foreman can graph them, query them…
  • 67. DNS rocks • Needed everywhere • Distributed • Contains lots of data • Makes our life easier
  • 68. DNSSec is easy to implement • Automation is key • Implemented in most of the tools • And in most of the DNS servers
  • 69. DANE adds more security • SSH fingerprints • IRC, SMTP certificate hashes • Existing client-side implementations
  • 70. DNSSec+DANE • DNSSec and DANE are more useful together • Make sure your resolver supports DNSSec! • The power to check certificates without a CA
  • 71. Contact • Julien Pivotto • julien@inuits.eu • @roidelapluie • inuits • https://inuits.eu • info@inuits.eu • +32 473 441 636