DNSSEC - A small overview

DNSSEC
The Good, The Bad & The Secure

Nucleus.be Windows & Linux Webhosting Dedicated servers Co-location Online Backup Domain Names ● Universal Groupware

Schedule
- Recap: how DNS works

- What DNSSEC does

- How DNSSEC works

- How we implement it

- Why it’s a bitch to configure.


RECAP
DNS – The Basics


SETUP

Stel dat …

Domain: dexia.be
- ns1.nucleus.be
- ns2.nucleus.be
- ns3.nucleus.be
- ns4.nucleus.be


I should really
pay my bill …

End user


Let’s go to
www.dexia.be

End user ISP
Q: www.dexia.be


Let’s go to
www.dexia.be Where the
f*#} is that?

End user ISP
Q: www.dexia.be


Root nameservers

Let’s go to
f*#} is that?

End user ISP
Q: www.dexia.be


Dnow.
Ask .BE
Root nameservers

Let’s go to
f*#} is that?

End user ISP
Q: www.dexia.be


Dnow.
Ask .BE
Root nameservers

Let’s go to
f*#} is that?

End user ISP
TLD - .BE name
Q: www.dexia.be
Q: www.dexia.be


Dnow.
Ask .BE
Root nameservers

Let’s go to
f*#} is that?

End user ISP
TLD - .BE name
Q: www.dexia.be
Q: www.dexia.be

A: Check with Nucleus

Get lost.
Ask Nucleus.


Dnow.
Ask .BE
Root nameservers

Let’s go to
f*#} is that?

End user ISP
TLD - .BE name
Q: www.dexia.be
Q: www.dexia.be


Get lost.
Ask Nucleus.

ns1.nucleus.be


Dnow.
Ask .BE
Root nameservers

Let’s go to
f*#} is that?

End user ISP
TLD - .BE name
Q: www.dexia.be
Q: www.dexia.be


Get lost.
Ask Nucleus.

ns1.nucleus.be
Here ya go.


Dnow.
Ask .BE
Root nameservers

Let’s go to
f*#} is that?

End user ISP
TLD - .BE name
Q: www.dexia.be
Q: www.dexia.be

A: 212.63.232.38 A: Check with Nucleus

Get lost.
Ask Nucleus.

ns1.nucleus.be
Here ya go.


Mkay. What’s the problem, Doc?


Vewwy vewwy old.


It works. Leave it.


Security is not a requirement


Here’s how we break it.


Security: don’t trust anyone.
End user ISP
Q: www.dexia.be


Security: everybody lies.
End user ISP
Q: www.dexia.be

A: 193.239.211.1
My secret server.


I’m scared. Save me.


DNSSEC
DNS Security Extensions

Secures the DATA returned by nameservers

Created in 1997


DNSSEC

Backwards compatible.


DNSSEC

Signs data, does not encrypt.
(private vs public keys)


DNSSEC

Publish the public key part.


DNSSEC

NSEC/NSEC3: Denial of Existence


Root nameservers

End user ISP
TLD - .BE name
Q: www.dexia.be
Q: www.dexia.be

A: 212.63.232.38 A: Check with Nucleus

ns1.nucleus.be


This must be magic?!
Resource Record (A, CNAME, TXT, MX, …): signed with RRSIG Record

Public key gets published in DNSKEY record

Parent zone publishes public key of child zone in DS records

Non-existing entries signed with NSEC3


Keys? Keys!
Key rotation for public keys

Zone Signing Key (ZSK): sign records in a zone

Key Signing Key (KSK): sign the ZSK and link to parent zone


Show me the money!
nucleus.eu: normal, unsigned zone
$TTL 1D
@ IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. (
2010073002 ; serial
1H; refresh
30M ; retry
4W ; expire
1D ) ; minimum

IN NS ns1.nucleus.be.

3600 IN MX 10 asav01.bru.nucleus.be.
3600 IN MX 10 asav02.ant.nucleus.be.

nucleus.eu. 3600 IN A 188.93.153.72
mail 3600 IN CNAME mail.nucleus.be.
* 3600 IN CNAME nucleus.eu.
www 3600 IN CNAME lin1.nucleus.be.
blah 3600 IN CNAME www.nucleus.be.


Show me the money!
nucleus.eu: DNSSEC signed
nucleus.eu. 86400 IN SOA ns1.nucleus.be. dnsmaster.nucleus.be. ( 3600 RRSIG A 8 2 3600 20101026151414 (
2010073002 ; serial 20101012141414 22506 nucleus.eu.
3600 ; refresh (1 hour) Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f
1800 ; retry (30 minutes) JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5
2419200 ; expire (4 weeks) hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC
86400 ; minimum (1 day) g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5
) XpEukb3aTPt6sbW7bpbmZVFzhSQ= )
86400 RRSIG SOA 8 2 86400 20101026151414 ( 3600 MX 10 asav01.bru.nucleus.be.
20101012141414 22506 nucleus.eu. 3600 MX 10 asav02.ant.nucleus.be.
j6n9E/xC2q+72sEIoWZhykBU3ZZ6mUtYMMfk 3600 RRSIG MX 8 2 3600 20101026151414 (
PTbv5wlSdGQtiBlUK1xCux4BVBov/TQU3B1B 20101012141414 22506 nucleus.eu.
hO0LaSOdgMhCnenmnxtUX6KwV2U+4JxR8PFy OFLT2VKX0Y/GIzHUlsSxD976iHZDLp77mf4p
2f0C+0EOlHU8xZ2oIaNWOZH71rl9EYVCO3Ya CanC5OMaA9dLlVEwIp2xdwqOAauluozmQAUJ
fl3eyD2dSITz2xT77WarLrbnul8= ) Y7Y6Hb9g811MPcaU5wHyjVQR9cXZqk9KrzBE
86400 NS ns1.nucleus.be. oOHMz3fprdH0pYAmcHhyixSs9ohLLTvwG37X
86400 NS ns2.nucleus.be. GZcmMnu2qQgaqTyZfSe5T4wHFKA= )
86400 NS ns3.nucleus.be. 86400 DNSKEY 256 3 8 (
86400 NS ns4.nucleus.be. AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa
86400 RRSIG NS 8 2 86400 20101026151414 ( h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC
20101012141414 22506 nucleus.eu. bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3
QBN5NLbkijUGIky583MWmEm15vxVWkgksQvf w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6
T/cTzn+10JKHgm4Wzt8qjZdPrKH2OIPT3VVT ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl
rP7WI2+O6EMR+jRf6J1G/on4jNg+3fKG7ZO/ ) ; key id = 22506
OsOj9HLZNzBQYDzGoO6lXe6fdsJNBNOvIFju …
wyhziw89bCzal/Hyb3VIPwV8Zpw= )
3600 A 188.93.153.72


Show me the money!
nucleus.eu: DNSSEC signed
86400 RRSIG DNSKEY 8 2 86400 20101026151414 ( *.nucleus.eu. 3600 IN CNAME nucleus.eu.
20101012141414 22225 nucleus.eu. 3600 RRSIG CNAME 8 2 3600 20101026151414 (
GrlJYgv9OIaWHKw2csLeSZw151WB4wFMchM3 20101012141414 22506 nucleus.eu.
syGq8tcV7p6V50w/wGDMoEshkQI0CdEILgxa EBe1hfvY1Skm3YZXm/h/X6YmuV02vQwthXNa
F2NtmnUniy4hfafKcVHPg25rj0kQio79l0Rs ieYmbkVZmoeWzxFQWoAqPmgJ8RKsThQXNY0n
QQPjDmXGIdkyWbRbK7M/ptnfjfq6v37NMVLP s5/Naf866yhxLGv+3dL+kie4YAT44IxTtk3a
Rv7BQ27u/NATI89tj6l45pOa6nB53RfRRfLM hzd8ORdbSEU/LtX7/deKbfkKMYaqEsYLAM9f
nVEumTzYdQi3YTiewfP2DrmL/qJoaSZVC/BR tsk8QindoiXkNKXGd0Z5XusJhFI= )
9jRg36F6FLHez3nxdEBP8YFnJi1CukRaJA8e blah.nucleus.eu. 3600 IN CNAME www.nucleus.be.
zHUFeUcMhPG3X0LRFdBxpI3eNaOv5T5AGvKw 3600 RRSIG CNAME 8 3 3600 20101026151414 (
ODMD1qmVPsi/doakRu93WIk+hVt1B0y5jAe+ 20101012141414 22506 nucleus.eu.
1pErKmKcH6Pf4N28wA== ) KY4dsjePG1i5akcN4q/JvQHjC9l6/kgkQX02
86400 RRSIG DNSKEY 8 2 86400 20101026151414 ( cjz3990hhsUghMbxJrdL+dCndXj65Kh7YuDa
20101012141414 22506 nucleus.eu. IYXNgkyLzooRYnRq74XLd8/yWrhrlQMGRZJH
VX49z+fLmab6Nno5jdISGd6PhTi0ovMmjwfL gpdv+HrTY0Bex9S2eO+1E1UISY8i/g7ND4hn
7jQIGHl3Jsbbtw2TMFvuROPIXlSWcN2L6ixr gBaWQrA3rKz5wA2662jPhjV06jQ= )
t5PJoFFlYQl3qsCUZQjHsbvvQNGDQN2i0zCK mail.nucleus.eu. 3600 IN CNAME mail.nucleus.be.
qWaC0aui7LhdXCPrv8Gf2KskANNoTk0NmAuu 3600 RRSIG CNAME 8 3 3600 20101026151414 (
Ke60oX4P00x4NeT1xpFnZnsgXbw= ) 20101012141414 22506 nucleus.eu.
0 NSEC3PARAM 1 0 5 46AF2E27 sw4UsLjt9Car++ZXsSby1Lqa1XmWeyOZFsiF
0 RRSIG NSEC3PARAM 8 2 0 20101026151414 ( oHAT6HAUzYK19qwPz5nJc6aQoLzvH3F6PjqJ
20101012141414 22506 nucleus.eu. Kwek4SJUGMPpZOLOqGtguerNUxAK7XIHxgaJ
jhayx2h6g0gsJb/oe5m0F3bRxd4GtRPhbfKX REpF6u77NqAmTxYafmkXnUVzA9QeYS49ocQ5
4I5934SoF5/ofnYlxOTyV4ey/m/9dnxS5IIq GpB8iVd7zwNYDo1LmZzBszjmOMo= )
ej7Kzjv8HB6e7yTgr2zzrhTshtcZaJIhBRar
zIAVny60xDpCz/V/qtjEZw1+SwjrE3aPaFDQ
NyMZetYK4LL8uiT3szi4f+L/peo= )


Auch, mi estómago


Let’s analyze. KSK vs ZSK.
86400 DNSKEY 256 3 8 (
AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa
h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC
256: Zone Signing Key
bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3
w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6 - 1024 bit
ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl
) ; key id = 22506 - monthly rotated
86400 DNSKEY 257 3 8 (
AwEAAefl1K20cC22qiDnfGyA99lM8fmbGc/1
QHql63coA+hfbFGORPu716UfGxIJWazTTmQZ
0zpqNeXZeEZHPNqu6NdyctHAlIMLelX5/Brm
257: Key Signing Key
NCjB9OdmZuX0EGKKDePGh5JSwhYSnC89JeV7
nnD5b9SBANEbqsBALx6lQiTfbt0DMO8fD4yO - 2048 bit
OXmgknYP7u7vvsSzAmlXxpGA8ARFcWkgJvZv
bahT5DFR+GtoEWhU8+yyeX0MCIVyRCBEQAzH
cBQfhzE+aw/UDntij3of7LsFbBh38PNIrBO6
- yearly rotated
FrNFrdynlc8z5Ah6m1AxyxIbEFjfb5KSV4rx
9MZXN8iwZFZLRZeu9vJDuQ8=
) ; key id = 22225


Let’s analyze. KSK vs ZSK.
86400 DNSKEY 256 3 8 (
AwEAAbi/ArlDrarlPiu4PAt6HBnA+CsaP4Xa
h0Uc8UGLNSPPtT/yiOR3zj9yHpkENsctIDzC
256/257: Key flag (KSK or ZSK)
bg8IWH1UdMnj19kvDIPHC9Diwngdl2meENm3
w9pZb7JiVkQAbrUJgYG21ldk4XdPd+Sratf6 3: Protocol used
ZB0ool6fTl3+6Rr2xwbGbFSJfcXCmKyl
) ; key id = 22506 8: Algoritme used
86400 DNSKEY 257 3 8 (
AwEAAefl1K20cC22qiDnfGyA99lM8fmbGc/1
QHql63coA+hfbFGORPu716UfGxIJWazTTmQZ
0zpqNeXZeEZHPNqu6NdyctHAlIMLelX5/Brm
NCjB9OdmZuX0EGKKDePGh5JSwhYSnC89JeV7
nnD5b9SBANEbqsBALx6lQiTfbt0DMO8fD4yO
OXmgknYP7u7vvsSzAmlXxpGA8ARFcWkgJvZv
bahT5DFR+GtoEWhU8+yyeX0MCIVyRCBEQAzH
cBQfhzE+aw/UDntij3of7LsFbBh38PNIrBO6
FrNFrdynlc8z5Ah6m1AxyxIbEFjfb5KSV4rx
9MZXN8iwZFZLRZeu9vJDuQ8=
) ; key id = 22225


Let’s analyze. RRSIG’s.
3600 RRSIG A 8 2 3600 20101026151414 (
20101012141414 22506 nucleus.eu.
Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f
JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5
3600 : TTL
hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC
g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5
RRSIG : Resource Record
XpEukb3aTPt6sbW7bpbmZVFzhSQ= )
A: Type of signed record
8: Algoritme (RSA-SHA256)
2: # labels of signed record
3600: TTL of signed record
20101026151414: Signature expiration
20101012141414: Signature creation
22506: Key ID


DNSSEC - A small overview

Recommended

Recommended

More Related Content

Similar to DNSSEC - A small overview

Similar to DNSSEC - A small overview (18)

Recently uploaded

Recently uploaded (20)

DNSSEC - A small overview