© Men & Mice http://menandmice.com
DNSSEC signing tutorial
© ISC http://www.isc.org
Agenda
Why DNSSEC
Decisions:
Algorithm
key-size
NSEC(3)
DNSSEC with BIND 9
DNSSEC with Knot
DNSSEC
"One Key to rule them all,
one Key to find them,
one Key to bring them all
and in the Resolver bind them."
—Modified from Lord of the Rings
Miek Gieben.
DNSSEC Does and Does Not...
DNSSEC signs data to guarantee authenticity and
integrity.
It assures a client that an RRSet comes from the proper authoritative server and has not been changed.
DNSSEC does not encrypt data to provide privacy.
Anyone can find out the RRSets you request.
Why DNSSEC
Protects DNS data
against cache spoofing
against "Man in the Middle" (MITM) attacks
against take-over of authoritative server
against rogue secondaries
Protects DNS server
against denial of service attacks (in the near future)
Why DNSSEC
Enables new functions
Mail transport security (SMTP/TLSA)
Mail end-to-end encryption (OPENPGPKEY/SMIMEA)
opportunistic IPSec encryption (IPSECKEY)
SSH server authentication (SSHFP)
x509 Certification Authority Authorisation (CAA)
DNS Security Extensions
DNSSEC deployment
http://www.internetsociety.org/deploy360/dnssec/maps

http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
DNSSEC Fundamentals
[Figure: "DNSSEC in a Nutshell", built up over slides 9 to 14. An RRSet (plain DNS data) from the zonefile is hashed to a fingerprint, and the fingerprint is encrypted with the private key k to produce the RRSIG. The authoritative server serves the RRSet, the RRSIG and the DNSKEY (public key); the parent zone holds a DS record, a hash of the DNSKEY. The resolving/validating server decrypts the RRSIG with the public key k to recover the fingerprint, hashes the RRSet it received, compares the two fingerprints, and verifies the DNSKEY against the DS record hash in the parent zone. The later panels are titled "DNSSEC in a Nutshell (DS RR Added)".]
DNS Servers for DNSSEC
•BIND 9.6 and up: Authoritative server and validating resolver
•NSD from NLnet Labs: Fast authoritative server
•Windows 2012/2016 DNS Server: Authoritative server and validating resolver with a GUI
•PowerDNS: Authoritative DNS Server with many backends, including SQL Databases
•Knot-DNS: fast authoritative DNS Server with DNSSEC key-rollover automation
DNSSEC Keys Fundamentals
DNSSEC Key Algorithms
RSAMD5 (deprecated, not implemented)
RSASHA1 (not recommended anymore)
RSASHA256 (recommended)
RSASHA512 (large keys)
DSA (slow validation, no extra security)
ECC-GOST (used in Russia)
ECDSA (small signatures and keys, fast crypto, recommended)
ED25519 (Curve developed by Dan "djb" Bernstein, https://ed25519.cr.yp.to/)
ED448 (448-bit Edwards curve with a 223-bit conjectured security level)
DNSSEC Signing Algorithms
Number  Algorithm                          Mnemonic
1       RSA/MD5 (deprecated)               RSAMD5
5       RSA/SHA-1                          RSASHA1
6       DSA-NSEC3-SHA1                     DSA-NSEC3-SHA1
7       RSASHA1-NSEC3-SHA1                 RSASHA1-NSEC3-SHA1
8       RSA/SHA-256                        RSASHA256
10      RSA/SHA-512                        RSASHA512
12      GOST R 34.10-2001                  ECC-GOST
13      ECDSA Curve P-256 with SHA-256     ECDSAP256SHA256
14      ECDSA Curve P-384 with SHA-384     ECDSAP384SHA384
15      Ed25519                            ED25519
16      Ed448                              ED448
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
ECDSA vs. RSA in .COM
https://schd.ws/hosted_files/icann58copenhagen2017/b9/Roland%20Van%20Rijswijk-Surfnet-ECDSA%20Adoption%20in%20DNSSEC.pdf
Key Size for RSA algorithms
Key Sizes (for RSASHA256)
be aware of DNS packet size limits (IPv6 fragmentation issues discussed below)
Recommendations:
RFC 6781: 1024 bits
BIND 9 default: KSK - 2048 bits, ZSK - 1024 bits
mildly paranoid: KSK - 2560 bits, ZSK - 1536 bits
truly paranoid: KSK - 4096 bits, ZSK - 2048 bits
RSA-Key Size
Modern cryptanalysis finds RSA keys of less than 700 bits breakable.
2012 calculations indicate that 1024-bit RSASHA1 keys may be broken within 5 years.
It is recommended to move away from SHA1.
SHA256 or SHA512 with 2048-bit keys will be safe for decades based on current cryptanalysis.
RSA-Key Length Impact
A larger key significantly increases the computing
resources to sign a zone and to validate the RRSets.
Remember that the validation will be done in real time.
Doubling the key size in bits increases the time:
To create signatures (signing) by a factor of 8.
To validate a signature by a factor of 4.
Every extra bit in a key doubles the amount of work for
an attacker to brute-force crack the key!
Key Size in BIND
Only sign the DNSKEY resource record set (RRSet)
with the Key-Signing-Key to reduce the size of the
DNSKEY answer:
options {
    [...]
    dnssec-dnskey-kskonly yes;
};
IPv6 and Fragmentation
As designed in 1983, DNS had a 512-Byte payload
limit over UDP.
The limitation was raised to 4096B with EDNS0,
RFC 2671(1999-08) and RFC 6891(2013-04).
UDP/DNS answers larger than 1280 B may fragment.
IPv6 fragmentation is broken in the Internet:
RFC 7872 - "Observations on the Dropping of Packets with IPv6 Extension Headers in the Real World"
https://www.rfc-editor.org/rfc/rfc7872.txt
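The key-size recommendations, the dnssec-dnskey-kskonly option and the 1280-byte fragmentation threshold above all come down to one question: how large does the DNSKEY answer get? The Python script below is an added example, not part of the Men & Mice slides or of the tutorial repository. It estimates the wire size of a DNSKEY answer from the record formats in RFC 1035, RFC 3110 (RSA DNSKEY), RFC 4034 (RRSIG) and RFC 6605 (ECDSA), assuming an RSA exponent of 65537, a compressed owner name in each answer record and an OPT record without options. As a sanity check the same model reproduces the 98-byte and 212-byte MSG SIZE values of the SOA queries shown later in the tutorial; the zone name and key layouts are the ones from the slides.

```python
# Added example (not from the Men & Mice slides): estimate the wire size of a
# DNSKEY answer so it can be compared with the 1280-byte IPv6 minimum MTU and
# the classic 512-byte UDP limit. Assumptions: RSA exponent 65537 (3 bytes),
# owner names in answer RRs compressed to a 2-byte pointer, OPT RR without options.

HEADER = 12        # DNS message header
OPT_RR = 11        # EDNS0 OPT pseudo-RR: root name(1) type(2) udp size(2) ttl(4) rdlen(2)
RR_FIXED = 12      # owner as compression pointer(2) + type(2) class(2) ttl(4) rdlength(2)
RRSIG_FIXED = 18   # type covered(2) alg(1) labels(1) orig ttl(4) expiry(4) inception(4) key tag(2)
IPV6_MIN_MTU = 1280
CLASSIC_UDP = 512


def wire_name_len(name: str) -> int:
    """Length of a domain name in uncompressed wire format (length-prefixed labels + root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def dnskey_rdata_len(alg: str, bits: int) -> int:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) + public key."""
    if alg == "RSA":           # RFC 3110: exponent length(1) + exponent(3) + modulus
        return 4 + 1 + 3 + bits // 8
    if alg == "ECDSAP256":     # RFC 6605: uncompressed point x||y, 64 bytes
        return 4 + 64
    raise ValueError(f"unsupported algorithm {alg}")


def signature_len(alg: str, bits: int) -> int:
    """RRSIG signature field: RSA signature = modulus size, ECDSA P-256 r||s = 64 bytes."""
    return bits // 8 if alg == "RSA" else 64


def rrsig_len(zone: str, alg: str, bits: int) -> int:
    # The signer's name in an RRSIG must not be compressed (RFC 4034, 3.1.7).
    return RR_FIXED + RRSIG_FIXED + wire_name_len(zone) + signature_len(alg, bits)


def dnskey_answer_size(zone: str, ksk, zsk, kskonly: bool = True) -> int:
    """Bytes in a 'DNSKEY <zone> +dnssec' answer; ksk/zsk are (alg, bits) tuples.

    kskonly=True models BIND's 'dnssec-dnskey-kskonly yes;' (one RRSIG, by the KSK);
    kskonly=False adds the second RRSIG made with the ZSK.
    """
    size = HEADER + wire_name_len(zone) + 4 + OPT_RR       # header + question + OPT
    for alg, bits in (ksk, zsk):
        size += RR_FIXED + dnskey_rdata_len(alg, bits)
    for alg, bits in ([ksk] if kskonly else [ksk, zsk]):
        size += rrsig_len(zone, alg, bits)
    return size


def soa_answer_size(zone: str, zsk=None, soa_rdata_len: int = 39) -> int:
    """Size of the SOA answers in the tutorial: unsigned, or signed by the ZSK.

    soa_rdata_len=39 is the tutorial SOA: mname 'ns1' and rname 'hostmaster'
    compressed to the zone name (6 + 13 bytes) plus five 32-bit fields (20).
    """
    size = HEADER + wire_name_len(zone) + 4 + OPT_RR + RR_FIXED + soa_rdata_len
    if zsk:
        size += rrsig_len(zone, *zsk)
    return size


def fragmentation_risk(size: int) -> str:
    """Classify an answer size against the limits the slides mention."""
    if size > IPV6_MIN_MTU:
        return "may fragment over IPv6 (>1280 B)"
    if size > CLASSIC_UDP:
        return "needs EDNS0 (>512 B), fits the IPv6 minimum MTU"
    return "fits classic 512-byte UDP"


if __name__ == "__main__":
    zone = "dnssec.example.com"
    layouts = {
        "BIND 9 default  KSK 2048 / ZSK 1024": (("RSA", 2048), ("RSA", 1024)),
        "mildly paranoid KSK 2560 / ZSK 1536": (("RSA", 2560), ("RSA", 1536)),
        "truly paranoid  KSK 4096 / ZSK 2048": (("RSA", 4096), ("RSA", 2048)),
        "ECDSA P-256 (as in the BIND tutorial)": (("ECDSAP256", 256), ("ECDSAP256", 256)),
    }
    print(f"unsigned SOA answer: {soa_answer_size(zone)} B, "
          f"signed with ECDSA: {soa_answer_size(zone, ('ECDSAP256', 256))} B")
    for label, (ksk, zsk) in layouts.items():
        for kskonly in (True, False):
            n = dnskey_answer_size(zone, ksk, zsk, kskonly)
            print(f"{label:40} kskonly={kskonly!s:5} {n:5d} B  {fragmentation_risk(n)}")
```

With the "truly paranoid" 4096/2048 layout the DNSKEY answer is 1417 bytes even with kskonly, so it already crosses the IPv6 minimum MTU before any key rollover doubles the number of keys; the ECDSA P-256 layout used in the BIND part of the tutorial stays at 321 bytes.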
NSEC vs. NSEC3 (vs. NSEC5)
authenticated denial of existence
DNSSEC provides multiple implementations of "authenticated denial of existence",
a way to prove negative answers from DNS.
each implementation has its pros and cons
if in doubt, choose NSEC
authenticated denial of existence
Implementation  Pros                        Cons
NSEC            fast; human debug-able      allows zone walking
NSEC3           makes zone walking harder   requires hash operations for every negative answer; slow(er)
NSEC5           prevents zone walking       Internet draft, not available at this time
Tutorial
DNSSEC signing
in this tutorial we will use
ECDSAP256SHA256 and NSEC3 with BIND 9.10
RSASHA256 and NSEC with Knot 2.4.1
template files for this tutorial can be found in
https://github.com/menandmice-services/dnssec-signing-tutorial
BIND 9
BIND configuration
// global configuration
options {
    directory "/var/named";
    key-directory "keys";
    recursion no;
    dnssec-enable yes;
};

// logging
logging {
    channel named { file "named.log" versions 10 size 20M; print-time yes; print-category yes; };
    channel security { file "security.log" versions 10 size 20M; print-time yes; };
    channel query_log { file "query.log" versions 10 size 20M; severity debug; print-time yes; };
    channel query_error { file "query-errors.log" versions 10 size 20M; severity info; print-time yes; };
    channel transfer { file "transfer.log" versions 10 size 10M; print-time yes; };
    category default { default_syslog; named; };
    category general { default_syslog; named; };
    category security { security; };
    category queries { query_log; };
    category config { named; };
    category xfer-in { transfer; };
    category xfer-out { transfer; };
    category notify { transfer; };
};

// zone definition
zone "dnssec.example.com" {
    type master;
    file "dnssec.example.com";
    inline-signing yes;
    auto-dnssec maintain;
};
Zonefile "dnssec.example.com"
$TTL 3600
@ IN SOA ns1 hostmaster 1001 2h 30m 41d 30m
IN NS ns1
IN NS ns2
IN TXT "Zone for DNSSEC signing tutorial"
ns1 IN A 192.0.2.53
ns2 IN A 192.0.2.153
www IN A 192.0.2.80
IN AAAA 2001:db8:100::80
Test the unsigned zone
# dig @localhost dnssec.example.com soa +dnssec
; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @localhost dnssec.example.com soa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51944
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.example.com. IN SOA
;; ANSWER SECTION:
dnssec.example.com. 3600 IN SOA ns1.dnssec.example.com. hostmaster.dnssec.example.com. 1001 7200 1800 3542400 1800
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 23 09:07:21 CET 2017
;; MSG SIZE rcvd: 98
Generating the DNSSEC keys
directory for keys:
# mkdir /var/named/keys
# chown named /var/named/keys
ZSK:
# dnssec-keygen -a ECDSAP256SHA256 -K /var/named/keys/ -n ZONE dnssec.example.com
Generating key pair.
Kdnssec.example.com.+013+22834
KSK:
# dnssec-keygen -f KSK -a ECDSAP256SHA256 -K /var/named/keys/ -n ZONE dnssec.example.com
Generating key pair.
Kdnssec.example.com.+013+38320
adjust permissions, the BIND process must be able to read the key files:
# chown named /var/named/keys/*
signing the zone
sign the zone:
# rndc sign dnssec.example.com
add NSEC3:
# rndc signing -nsec3param 1 0 100 A5F7B1CD dnssec.example.com
request queued
# journalctl -eu named | tail
Mar 23 09:09:58 named[2175]: received control channel command 'sign'
Mar 23 09:09:58 named[2175]: zone dnssec.example.com/IN (signed): reconfiguring zone keys
Mar 23 09:09:58 named[2175]: zone dnssec.example.com/IN (signed): next key event: 23-Mar-2017 10:09:58.
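The NSEC3 parameters passed to rndc signing above (hash algorithm 1 = SHA-1, flags 0, 100 iterations, salt A5F7B1CD) determine how every owner name in the zone is hashed, and the "requires hash operations for every negative answer" cost from the NSEC vs. NSEC3 comparison is exactly that computation. The Python below is an added example, not part of the slides or of the tutorial repository: it computes NSEC3 hashed owner names following RFC 5155 section 5 and implements the covering check a validator performs with an NSEC3 record. The names hashed are constructed from the tutorial zone; the slides do not show the hashes BIND produced, so none are quoted here.

```python
# Added example (not from the Men & Mice slides): NSEC3 owner-name hashing per
# RFC 5155 with the tutorial's parameters (SHA-1, 100 iterations, salt A5F7B1CD),
# plus the "does this NSEC3 record cover the queried name" check.
import base64
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7), as NSEC3 requires;
# it sorts in the same order as the raw digest bytes.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, hash_alg: int = 1) -> str:
    """Hashed owner name: base32hex(IH(salt, name, iterations)).

    IH(salt, x, 0) = H(x || salt) and IH(salt, x, k) = H(IH(salt, x, k-1) || salt),
    so each name hashed for a negative answer costs iterations + 1 SHA-1 operations.
    salt_hex "-" means "no salt", as in the NSEC3PARAM presentation format.
    """
    if hash_alg != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # a 20-byte SHA-1 digest encodes to exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if an NSEC3 RR with this owner/next pair proves target_hash does not exist.

    The last NSEC3 in the chain wraps around to the first (owner > next).
    """
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    return target_hash > owner_hash or target_hash < next_hash


if __name__ == "__main__":
    salt, iters = "A5F7B1CD", 100          # values from the rndc signing command
    for n in ("dnssec.example.com", "www.dnssec.example.com",
              "nonexistent.dnssec.example.com"):
        print(f"{nsec3_hash(n, salt, iters)}.dnssec.example.com.  <- {n}")
```

Case is folded before hashing because NSEC3 hashes the canonical form of the name; a validator that hashed the query name as typed would fail to match the chain. Salt and iteration count only change which hash a name maps to; with the parameters used here every negative answer costs 101 SHA-1 operations per name the server has to hash, which is the "slow(er)" entry in the comparison table.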
testing the signed zone
# dig @localhost dnssec.example.com soa +dnssec +multi
; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @localhost dnssec.example.com soa +dnssec +multi
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12949
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.example.com. IN SOA
;; ANSWER SECTION:
dnssec.example.com. 3600 IN SOA ns1.dnssec.example.com. hostmaster.dnssec.example.com. (
1004 ; serial
7200 ; refresh (2 hours)
1800 ; retry (30 minutes)
3542400 ; expire (5 weeks 6 days)
1800 ; minimum (30 minutes)
)
dnssec.example.com. 3600 IN RRSIG SOA 13 3 3600 (
20170422080958 20170323070958 22834 dnssec.example.com.
d1Uqw9l2zNAPV9YHEVdOL07+0KKFW7eTPRK6b1kZVkPK
d7Tp80OJ5phHaDoTc8KUWSQFeRJqcAcYBLVs8mvRXw== )
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 23 09:23:20 CET 2017
;; MSG SIZE rcvd: 212
generating the DS-Record
# dnssec-dsfromkey -2 /var/named/keys/Kdnssec.example.com.+013+38320.key
dnssec.example.com. IN DS 38320 13 2 3E762F32EDC681F851518874763486BE8C8136DD9B258B1C558B20DC837A7143
Knot-DNS
Knot DNS-Server configuration
# global configuration
server:
    # Listen on all configured IPv4 interfaces.
    listen: 0.0.0.0@53
    # Listen on all configured IPv6 interfaces.
    listen: ::@53
    # User for running the server.
    user: knot:knot

# logging
log:
    # Log info and more serious events to syslog.
  - target: syslog
    any: info

# DNSSEC signing policy
policy:
  - id: rsasha256
    algorithm: RSASHA256
    ksk-size: 2560
    zsk-size: 2048

# zone definition
zone:
    # Master zone.
  - domain: dnssec.example.com
    storage: /var/lib/knot/zones/
    file: "dnssec.example.com.zone"
    dnssec-signing: on
    dnssec-policy: rsasha256
Zonefile
$TTL 3600
@ IN SOA ns1 hostmaster 1001 2h 30m 41d 30m
IN NS ns1
IN NS ns2
IN TXT "Zone for DNSSEC signing tutorial"
ns1 IN A 192.0.2.53
ns2 IN A 192.0.2.153
www IN A 192.0.2.80
IN AAAA 2001:db8:100::80
reloading and signing
reload configuration and sign:
# knotc reload
# journalctl -e | tail
Mar 23 09:56:32 knot[3546]: info: control, received command 'reload'
Mar 23 09:56:32 knot[3546]: info: reloading configuration file '/usr/local/etc/knot/knot.conf'
Mar 23 09:56:32 knot[3546]: info: configuration reloaded
Mar 23 09:56:32 knot[3546]: info: [dnssec.example.com.] DNSSEC, executing event 'generate initial keys'
Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, loaded key, tag 3110, algorithm 8, KSK yes, ZSK no, public yes, active yes
Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, loaded key, tag 53466, algorithm 8, KSK no, ZSK yes, public yes, active yes
Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, signing started
Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, successfully signed
Mar 23 09:56:34 knot[3546]: info: [dnssec.example.com.] loaded, serial 1002
Mar 23 09:56:34 knot[3546]: info: [dnssec.example.com.] DNSSEC, next signing at 2017-03-30T10:56:32
(Key information: the two "loaded key" lines)
test the signed zone
# dig @localhost soa dnssec.example.com +dnssec +multi
[…]
;; ANSWER SECTION:
dnssec.example.com. 3600 IN SOA ns1.dnssec.example.com. hostmaster.dnssec.example.com. (
1003 ; serial
7200 ; refresh (2 hours)
1800 ; retry (30 minutes)
3542400 ; expire (5 weeks 6 days)
1800 ; minimum (30 minutes)
)
dnssec.example.com. 3600 IN RRSIG SOA 8 3 3600 (
20170406090136 20170323090136 53466 dnssec.example.com.
NUK5mspkQY6dTRPAuXn0gwhghHiZQIGqvbUxfNoM1ykd
kRVY/vRwqYhAZHC8Jogrj9Whr+kCV9Iv/0pNuAItp1ld
W1Ar2F9sfRpmDXyFt6qVcXKdzH88SnftAlIkdHulL4UG
xzyBxp6aHLgTkDij/5c8pyjHIgBgr5e/RHIxKtQ32gbl
XGQaVIG62oith1fQz6nnAZKcgnvvwe4qgQatVEXyKfM4
tU8kK9qxiUkL+S4lohGxJ+pGN81BbBaNSErmnCWBqEoj
ckkdQkp5oOM/a1Y/ncyK1JU22P/L6I25Jw0l1uPh9/lx
aelUZq4A5SFe7ASpoIvKJlL2VHtkgx7HMg== )
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Mar 23 10:10:27 CET 2017
;; MSG SIZE rcvd: 404
generate the DS-record
# dig @localhost dnskey dnssec.example.com +dnssec | grep 257 > dnssec.example.com.ksk
# ldns-key2ds -2 -n dnssec.example.com.ksk
dnssec.example.com. 3600 IN DS 3110 8 2 (
    8d2f37875063fd1a16ffbbd07bff8788f58411c77d3d5e3fa2fe8030cdbd7029 )
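Both DS-record steps, dnssec-dsfromkey -2 in the BIND part and ldns-key2ds -2 here, perform the same computation. The Python below is an added example, not the code of either tool and not part of the slides or the tutorial repository: it parses a DNSKEY record in presentation format, computes the key tag per RFC 4034 Appendix B, and produces the digest-type-2 DS record (SHA-256 over the owner name followed by the DNSKEY RDATA, RFC 4509). It also refuses ZSKs, the way the grep 257 filter above selects only the KSK. The DNSKEY it uses is constructed, with a 4-byte public key so the key tag (2068) can be checked by hand; the real keys of the tutorial (tags 38320 and 3110) are not reproduced.

```python
# Added example (not from the Men & Mice slides): derive a DS record from a
# DNSKEY record the way dnssec-dsfromkey -2 / ldns-key2ds -2 do.
# Key tag: RFC 4034 Appendix B. Digest type 2: SHA-256(owner name || DNSKEY RDATA), RFC 4509.
import base64
import hashlib

SEP_FLAG = 0x0001   # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)


def wire_name(name: str) -> bytes:
    """Canonical lowercase, uncompressed wire format of an owner name."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum of the RDATA as 16-bit big-endian words, carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' into fields + RDATA."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0].lower()
    flags, proto, alg = (int(x) for x in fields[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))      # key may span several tokens
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, flags, alg, rdata


def ds_from_dnskey(line: str, require_ksk: bool = True) -> str:
    """Return the DS RR (digest type 2, SHA-256) for a DNSKEY presentation line."""
    owner, flags, alg, rdata = parse_dnskey(line)
    if require_ksk and not flags & SEP_FLAG:
        raise ValueError("DNSKEY is not a KSK (SEP flag clear); the DS must point at the KSK")
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


# Constructed KSK record (not a real key): flags 257, protocol 3, algorithm 13,
# public key bytes 01 02 03 04 -> RDATA 0101 03 0d 01020304, key tag 2068.
EXAMPLE_KSK = "dnssec.example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    print(ds_from_dnskey(EXAMPLE_KSK))
```

The owner name is folded to lowercase before hashing because the DS digest is defined over the canonical form of the name; a digest computed over a mixed-case owner would not match what the parent publishes. Before handing a DS to the registrar it is worth recomputing it independently this way and comparing it with the tool's output, since a DS with a wrong digest or key tag makes the whole zone fail validation.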
And now?
next steps
publish the DS-record via your registrar
test DNSSEC validation of your zone (for example
via https://dnsviz.net/)
decide if you want/need key rollover
a DNSSEC signed zone without key-rollover is still
more secure than a plain, non-DNSSEC zone!
Men & Mice will cover key-rollover (automation) in an
upcoming webinar
Next
Men & Mice DNS Training
•Introduction to DNS & BIND Hands-On Class
•April 3 – 5, 2017, Redwood City (CA), USA
•May 1 – 3, 2017, Boston (MA), USA
https://www.menandmice.com/training/
Men & Mice DNS Training
•Introduction & Advanced DNS and BIND Topics Hands-On Class
•April 3 – 7, 2017, Redwood City (CA), USA
•May 1 – 5, 2017, Boston (MA), USA
https://www.menandmice.com/training/
Men & Mice DNS Training
•DNS & BIND (German Language)
•May 22 – 24, 2017, Essen, DE
•DNSSEC and DANE (German Language)
•December 4-12, 2017, Essen, DE
http://linuxhotel.de/
our next webinar: SMTP STS (Strict Transport Security) vs. SMTP with DANE
The Internet Public Key Infrastructure (PKIX) is broken, but several
solutions exist to fix some of the issues around transport encryption
with TLS and x509 certificates.
This webinar will take a deeper look at two solutions: RFC 7672
“SMTP with DANE” and draft-ietf-uta-mta-sts “SMTP MTA Strict
Transport Security (MTA-STS)”. What problems are solved with these
solutions? What is needed to implement MTA-STS and SMTP-DANE?
Is one solution preferable over the other, or should you deploy both?
Join us for a 45-minute webinar with a Q&A session at the end, on
Thursday, April 13th, 2017 at 5:00 PM CEST / 3:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.
https://www.menandmice.com/resources/webinar-smtp-sts-strict-transport-security-vs-smtp-with-dane/
Thank you!
Questions? Comments?
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2
 
PowerDNS Webinar
PowerDNS Webinar PowerDNS Webinar
PowerDNS Webinar
 
IETF 93 Review Webinar
IETF 93 Review WebinarIETF 93 Review Webinar
IETF 93 Review Webinar
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report Webinar
 
DNSSEC best practices Webinar
DNSSEC best practices WebinarDNSSEC best practices Webinar
DNSSEC best practices Webinar
 
IETF 92 Webinar
IETF 92 WebinarIETF 92 Webinar
IETF 92 Webinar
 
The KNOT DNS Server
The KNOT DNS ServerThe KNOT DNS Server
The KNOT DNS Server
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
 
DNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloadedDNSSEC and DANE – E-Mail security reloaded
DNSSEC and DANE – E-Mail security reloaded
 

Recently uploaded

Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 

Recently uploaded (20)

Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 

DNSSEC signing Tutorial

  • 1. © Men & Mice http://menandmice.com
    DNSSEC signing tutorial
  • 2. © ISC http://www.isc.org
    Agenda
    Why DNSSEC
    Decisions: Algorithm, key-size, NSEC(3)
    DNSSEC with BIND 9
    DNSSEC with Knot
  • 3. DNSSEC
    "One Key to rule them all, one Key to find them, one Key to bring them all and in the Resolver bind them."
    —Modified from Lord of the Rings, Miek Gieben.
  • 4. DNSSEC Does and Does Not...
    DNSSEC signs data to guarantee authenticity and integrity. It assures a client that a RRSet is from the proper authoritative server and has not changed.
    DNSSEC does not encrypt data to provide privacy. Anyone can find out the RRSets you request.
  • 5. Why DNSSEC
    Protects DNS data
      against cache spoofing
      against "Man in the Middle" (MITM) attacks
      against take-over of authoritative server
      against rogue secondaries
    Protects DNS server
      against denial of service attacks (in the near future)
  • 6. Why DNSSEC
    Enables new functions
      Mail transport security (SMTP/TLSA)
      Mail end-to-end encryption (OPENPGPKEY/SMIMEA)
      opportunistic IPSec encryption (IPSECKEY)
      SSH server authentication (SSHFP)
      x509 Certification Authority Authorisation (CAA)
  • 7. DNS Security Extensions: DNSSEC deployment
    http://www.internetsociety.org/deploy360/dnssec/maps
    http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
  • 8. DNSSEC Fundamentals
  • 9.–14. DNSSEC in a Nutshell (DS RR Added)
    [Diagram built up over six slides; labels as recovered from the transcript:]
    authoritative server / Zonefile: RRSet (plain DNS data) → hash → fingerprint → encrypt with private key k → RRSIG; the zone publishes RRSet, RRSIG and DNSKEY (public key)
    parent zone: DS record = hash of the child's DNSKEY
    resolving/validating server: receives RRSet and RRSIG; decrypts the RRSIG with public key k → fingerprint; hashes the RRSet → fingerprint; compares the two; verifies the DNSKEY against the DS record in the parent zone
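The two hash steps in the diagram above, the fingerprint of the DNSKEY that becomes the parent's DS record and the key tag that names the key, can be reproduced without any DNS software. The following is an added example written for this page, not code from the Men & Mice slides or from BIND or Knot: it implements the key-tag algorithm of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 and performs the validator's comparison of a DS record against a DNSKEY. `TOY_KSK` is a constructed DNSKEY with a 4-byte public key field (not a usable key) so that its key tag, 2068, can be checked by hand; the DS values on the later slides (key tags 38320 and 3110) cannot be reproduced here because the slides do not show the public keys.

```python
"""Added example (not from the Men & Mice slides): the two hash steps behind the
"DNSSEC in a Nutshell" diagram, in pure Python.

- key tag of a DNSKEY (RFC 4034, Appendix B): the number in BIND key file names
  such as Kdnssec.example.com.+013+38320 and in the DS record;
- DS digest (RFC 4034, section 5.1.4): H(owner name in wire form || DNSKEY RDATA),
  which the parent publishes and a validator recomputes from the child's DNSKEY.

TOY_KSK below is a constructed 4-byte "public key", not a real ECDSA key, so
its key tag can be checked by hand; real P-256 keys are 64 bytes.
"""
import hashlib

FLAGS_KSK = 257             # DNSKEY flags: Zone Key (256) + Secure Entry Point (1)
FLAGS_ZSK = 256
PROTOCOL = 3                # fixed value for DNSSEC
ALG_RSASHA256 = 8           # IANA algorithm numbers, see the slide table
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}   # IANA DS digest types


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034, 2.1): flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([PROTOCOL, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034, Appendix B (all algorithms except the deprecated RSAMD5):
    sum the RDATA as 16-bit big-endian words, fold the carry back in once."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Hex digest the parent zone publishes in its DS record."""
    h = hashlib.new(DS_DIGEST_TYPES[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation format, like the output of 'dnssec-dsfromkey -2' on the slides."""
    algorithm = rdata[3]
    return (f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def ds_matches_dnskey(ds_text: str, owner: str, rdata: bytes) -> bool:
    """The validator's check: recompute tag and digest from the child's DNSKEY and
    compare with the DS from the parent. Accepts both the dnssec-dsfromkey and the
    ldns-key2ds layout (optional TTL, optional parentheses around the digest)."""
    fields = ds_text.replace("(", " ").replace(")", " ").split()
    i = fields.index("DS")
    tag, algorithm, digest_type = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    digest = fields[i + 4].upper()
    if digest_type not in DS_DIGEST_TYPES:
        return False                      # unknown digest type: cannot validate
    return (tag == key_tag(rdata) and algorithm == rdata[3]
            and digest == ds_digest(owner, rdata, digest_type))


# Constructed toy key: flags 257, protocol 3, algorithm 13, 4-byte key 01 02 03 04.
TOY_KSK = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes.fromhex("01020304"))

if __name__ == "__main__":
    ds = ds_record("dnssec.example.com", TOY_KSK)
    print(ds)                                                  # key tag is 2068
    print("DS matches DNSKEY:", ds_matches_dnskey(ds, "dnssec.example.com", TOY_KSK))
```

Because the DS covers the owner name as well as the key material, the same DNSKEY published under a different zone name yields a different digest; that is why the key tag alone (which ignores the name and is not collision-free) is only a hint for selecting the key, while the digest is what the validator actually trusts.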
  • 15. DNS Servers for DNSSEC
    BIND 9.6 and up: Authoritative server and validating resolver
    NSD from NLnet Labs: Fast authoritative server
    Windows 2012/2016 DNS Server: Authoritative server and validating resolver with a GUI
    PowerDNS: Authoritative DNS Server with many backends, including SQL Databases
    Knot-DNS: fast authoritative DNS Server with DNSSEC key-rollover automation
  • 16. DNSSEC Keys Fundamentals
  • 17. DNSSEC Key Algorithms
    RSAMD5 (deprecated, not implemented)
    RSASHA1 (not recommended anymore)
    RSASHA256 (recommended)
    RSASHA512 (large keys)
    DSA (slow validation, no extra security)
    ECC-GOST (used in Russia)
    ECDSA (small signatures and keys, fast crypto, recommended)
    ED25519 (Curve developed by Dan "djb" Bernstein, https://ed25519.cr.yp.to/)
    ED448 (448-bit Edwards curve with a 223-bit conjectured security level)
  • 18. DNSSEC Signing Algorithms
    Number  Algorithm                        Mnemonic
    1       RSA/MD5 (deprecated)             RSAMD5
    5       RSA/SHA-1                        RSASHA1
    6       DSA-NSEC3-SHA1                   DSA-NSEC3-SHA1
    7       RSASHA1-NSEC3-SHA1               RSASHA1-NSEC3-SHA1
    8       RSA/SHA-256                      RSASHA256
    10      RSA/SHA-512                      RSASHA512
    12      GOST R 34.10-2001                ECC-GOST
    13      ECDSA Curve P-256 with SHA-256   ECDSAP256SHA256
    14      ECDSA Curve P-384 with SHA-384   ECDSAP384SHA384
    15      Ed25519                          ED25519
    16      Ed448                            ED448
    http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
  • 19. ECDSA vs. RSA in .COM
    https://schd.ws/hosted_files/icann58copenhagen2017/b9/Roland%20Van%20Rijswijk-Surfnet-ECDSA%20Adoption%20in%20DNSSEC.pdf
  • 20. Key Size for RSA algorithms
  • 21. Key Sizes (for RSASHA256)
    be aware of DNS packet size limits (IPv6 fragmentation issues discussed below)
    Recommendations:
      RFC 6781: 1024 bits
      BIND 9 default: KSK - 2048 bits, ZSK - 1024 bits
      mildly paranoid: KSK - 2560 bits, ZSK - 1536 bits
      truly paranoid: KSK - 4096 bits, ZSK - 2048 bits
  • 22. RSA-Key Size
    Modern cryptanalysis finds RSA keys less than 700 bits breakable.
    2012 calculations indicate that 1024-bit RSASHA1 keys may be broken within 5 years.
    It is recommended to move away from SHA1.
    SHA256 or SHA512 with 2048-bit keys will be safe for decades based on current cryptanalysis.
  • 23. RSA-Key Length Impact
    A larger key significantly increases the computing resources needed to sign a zone and to validate the RRSets. Remember that validation is done in real time.
    Doubling the key size in bits increases the time:
      to create signatures (signing) by a factor of 8
      to validate a signature by a factor of 4
    Every extra bit in a key doubles the amount of work for an attacker to brute-force crack the key!
  • 24. Key Size in BIND
    Only sign the DNSKEY resource record set (RRSet) with the Key-Signing-Key to reduce the size of the DNSKEY answer:
        options {
            […]
            dnssec-dnskey-kskonly yes;
        };
  • 25. IPv6 and Fragmentation
    As designed in 1983, DNS had a 512-byte payload limit over UDP.
    The limit was raised to 4096 bytes with EDNS0, RFC 2671 (1999-08) and RFC 6891 (2013-04).
    UDP/DNS answers > 1280 bytes may fragment.
    IPv6 fragmentation is broken in the Internet: RFC 7872 - "Observations on the Dropping of Packets with IPv6 Extension Headers in the Real World", https://www.rfc-editor.org/rfc/rfc7872.txt
  • 26. NSEC vs. NSEC3 (vs. NSEC5)
  • 27. authenticated denial of existence
    DNSSEC provides multiple implementations of "authenticated denial of existence", a way to prove negative answers from DNS.
    Each implementation has its pros and cons.
    If in doubt, choose NSEC.
  • 28. authenticated denial of existence
    Implementation  Pros                        Cons
    NSEC            fast; human debug-able      allows zone walking
    NSEC3           makes zone walking harder   requires hash operations for every negative answer; slow(er)
    NSEC5           prevents zone walking       Internet draft, not available at this time
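The "requires hash operations for every negative answer" cost in the table is easy to quantify, because the NSEC3 owner-name hash of RFC 5155 section 5 is just an iterated SHA-1 over the canonical wire-format name plus the salt. The following is an added example for this page, not code from the slides or from BIND or Knot; it implements that hash with the parameters the BIND part of this tutorial later passes to `rndc signing -nsec3param 1 0 100 A5F7B1CD` (SHA-1, flags 0, 100 extra iterations, salt A5F7B1CD) and counts the SHA-1 calls a server spends per hashed name. The names hashed are constructed test input. One caveat that postdates the slides: RFC 9276 (2022) recommends 0 additional iterations and an empty salt, since extra iterations load authoritative servers and validators without making zone walking meaningfully harder; the `__main__` part prints both settings side by side.

```python
"""Added example (not from the slides): the NSEC3 owner-name hash of RFC 5155,
section 5, which an authoritative server computes for the names involved in
every negative answer (the "requires hash operations" row of the NSEC3 table).
Parameters mirror the rndc line from the BIND part of the tutorial:

    rndc signing -nsec3param 1 0 100 A5F7B1CD dnssec.example.com

i.e. hash algorithm 1 (SHA-1), flags 0, 100 additional iterations, salt A5F7B1CD.
The names hashed below are constructed test input.
"""
import base64
import hashlib

# NSEC3 owner labels use base32 with the "extended hex" alphabet (RFC 4648, section 7)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex without padding (SHA-1's 20 bytes encode to exactly 32 chars)."""
    return base64.b32encode(data).decode("ascii").translate(_B32_TO_B32HEX).rstrip("=")


def nsec3_hash(name: str, salt_hex: str, iterations: int, zone: str = "") -> str:
    """RFC 5155, section 5:  IH(salt, x, 0) = H(x || salt)
                             IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    Only hash algorithm 1 (SHA-1) is defined for NSEC3. Returns the base32hex label,
    or the full NSEC3 owner name when `zone` is given. A salt of "-" means empty."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(owner_name_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    label = base32hex(digest)
    return label if not zone else f"{label}.{zone.rstrip('.')}."


def hash_operations(iterations: int) -> int:
    """SHA-1 invocations per hashed name: the initial hash plus `iterations` more."""
    return iterations + 1


def nxdomain_hash_cost(iterations: int) -> int:
    """Lower bound on hash work for one NXDOMAIN answer (RFC 5155, section 7.2.2):
    the server must produce NSEC3 records for the closest encloser, the next closer
    name and the wildcard at the closest encloser, i.e. at least three hashed names."""
    return 3 * hash_operations(iterations)


if __name__ == "__main__":
    zone = "dnssec.example.com"
    # tutorial setting vs. the RFC 9276 recommendation (0 iterations, no salt)
    for iters, salt in ((100, "A5F7B1CD"), (0, "-")):
        print(f"iterations={iters:3d} salt={salt:9s}",
              nsec3_hash("www." + zone, salt, iters, zone),
              f"({nxdomain_hash_cost(iters)} SHA-1 calls per NXDOMAIN)")
```

The hash is deterministic and case-insensitive, which is exactly what makes offline dictionary attacks on NSEC3 possible: anyone can run the same loop over a wordlist, so the iteration count only scales the attacker's and the server's cost by the same factor.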
  • 29. Tutorial
  • 30. DNSSEC signing
    in this tutorial we will use
      ECDSAP256SHA256 and NSEC3 with BIND 9.10
      RSASHA256 and NSEC with Knot 2.4.1
    template files for this tutorial can be found in https://github.com/menandmice-services/dnssec-signing-tutorial
  • 31. BIND 9
  • 32. BIND configuration
        // global configuration
        options {
            directory "/var/named";
            key-directory "keys";
            recursion no;
            dnssec-enable yes;
        };
        // logging
        logging {
            channel named {
                file "named.log" versions 10 size 20M;
                print-time yes;
                print-category yes;
            };
            channel security {
                file "security.log" versions 10 size 20M;
                print-time yes;
            };
            channel query_log {
                file "query.log" versions 10 size 20M;
                severity debug;
                print-time yes;
            };
            channel query_error {
                file "query-errors.log" versions 10 size 20M;
                severity info;
                print-time yes;
            };
            channel transfer {
                file "transfer.log" versions 10 size 10M;
                print-time yes;
            };
            category default { default_syslog; named; };
            category general { default_syslog; named; };
            category security { security; };
            category queries { query_log; };
            category config { named; };
            category xfer-in { transfer; };
            category xfer-out { transfer; };
            category notify { transfer; };
        };
        // zone definition
        zone "dnssec.example.com" {
            type master;
            file "dnssec.example.com";
            inline-signing yes;
            auto-dnssec maintain;
        };
  • 33. Zonefile "dnssec.example.com"
        $TTL 3600
        @       IN SOA   ns1 hostmaster 1001 2h 30m 41d 30m
                IN NS    ns1
                IN NS    ns2
                IN TXT   "Zone for DNSSEC signing tutorial"
        ns1     IN A     192.0.2.53
        ns2     IN A     192.0.2.153
        www     IN A     192.0.2.80
                IN AAAA  2001:db8:100::80
  • 34. Test the unsigned zone
        # dig @localhost dnssec.example.com soa +dnssec

        ; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @localhost dnssec.example.com soa +dnssec
        ; (2 servers found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51944
        ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        ;; WARNING: recursion requested but not available

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags: do; udp: 4096
        ;; QUESTION SECTION:
        ;dnssec.example.com.            IN      SOA

        ;; ANSWER SECTION:
        dnssec.example.com.     3600    IN      SOA     ns1.dnssec.example.com. hostmaster.dnssec.example.com. 1001 7200 1800 3542400 1800

        ;; Query time: 0 msec
        ;; SERVER: ::1#53(::1)
        ;; WHEN: Thu Mar 23 09:07:21 CET 2017
        ;; MSG SIZE  rcvd: 98
  • 35. Generating the DNSSEC keys
        # mkdir /var/named/keys                                                    [directory for keys]
        # chown named /var/named/keys
        # dnssec-keygen -a ECDSAP256SHA256 -K /var/named/keys/ -n ZONE dnssec.example.com           [ZSK]
        Generating key pair.
        Kdnssec.example.com.+013+22834
        # dnssec-keygen -f KSK -a ECDSAP256SHA256 -K /var/named/keys/ -n ZONE dnssec.example.com    [KSK]
        Generating key pair.
        Kdnssec.example.com.+013+38320
        # chown named /var/named/keys/*
    [adjust permissions: the BIND process must be able to read the key files]
  • 36. signing the zone
        # rndc sign dnssec.example.com                                     [sign the zone]
        # rndc signing -nsec3param 1 0 100 A5F7B1CD dnssec.example.com    [add NSEC3]
        request queued
        # journalctl -eu named | tail
        Mar 23 09:09:58 named[2175]: received control channel command 'sign'
        Mar 23 09:09:58 named[2175]: zone dnssec.example.com/IN (signed): reconfiguring zone keys
        Mar 23 09:09:58 named[2175]: zone dnssec.example.com/IN (signed): next key event: 23-Mar-2017 10:09:58.
  • 37. testing the signed zone
        # dig @localhost dnssec.example.com soa +dnssec +multi

        ; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> @localhost dnssec.example.com soa +dnssec +multi
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12949
        ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags: do; udp: 4096
        ;; QUESTION SECTION:
        ;dnssec.example.com.    IN SOA

        ;; ANSWER SECTION:
        dnssec.example.com.     3600 IN SOA ns1.dnssec.example.com. hostmaster.dnssec.example.com. (
                                        1004       ; serial
                                        7200       ; refresh (2 hours)
                                        1800       ; retry (30 minutes)
                                        3542400    ; expire (5 weeks 6 days)
                                        1800       ; minimum (30 minutes)
                                        )
        dnssec.example.com.     3600 IN RRSIG SOA 13 3 3600 (
                                        20170422080958 20170323070958 22834 dnssec.example.com.
                                        d1Uqw9l2zNAPV9YHEVdOL07+0KKFW7eTPRK6b1kZVkPK
                                        d7Tp80OJ5phHaDoTc8KUWSQFeRJqcAcYBLVs8mvRXw== )

        ;; Query time: 0 msec
        ;; SERVER: ::1#53(::1)
        ;; WHEN: Thu Mar 23 09:23:20 CET 2017
        ;; MSG SIZE  rcvd: 212
  • 38. generating the DS-Record
        # dnssec-dsfromkey -2 /var/named/keys/Kdnssec.example.com.+013+38320.key
        dnssec.example.com. IN DS 38320 13 2 3E762F32EDC681F851518874763486BE8C8136DD9B258B1C558B20DC837A7143
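The `dig ... +dnssec +multi` test above shows the one record an operator should keep an eye on after signing: the RRSIG carries a fixed expiration date (here 20170422080958, one month after signing), and once it passes, the zone fails validation everywhere until BIND's `auto-dnssec maintain` re-signs it. The following is an added example for this page, not code from the slides or from BIND: it parses the SOA RRSIG exactly as printed on slide 37 (RFC 4034 section 3.2 presentation format, `DIG_OUTPUT` copied from the slide) and runs the checks a monitoring job would run on it: validity window with an expiry warning, signer name, key tag against the ZSK the tutorial generated (22834), the labels field, and the TTL against the original TTL. The points in time passed to the check are constructed for illustration.

```python
"""Added example (not from the slides): an operational check of the RRSIG that the
'dig ... +dnssec +multi' test on the previous slides returns, parsed from dig's
presentation format (RFC 4034, section 3.2). DIG_OUTPUT is copied from the BIND
"testing the signed zone" slide; the points in time used for the check are
constructed for illustration, and the key-tag set is the ZSK the tutorial generated.
"""
import base64
from datetime import datetime, timedelta, timezone

# SOA RRSIG of dnssec.example.com as printed by dig +multi on the slide
DIG_OUTPUT = """\
dnssec.example.com.     3600 IN RRSIG SOA 13 3 3600 (
                                20170422080958 20170323070958 22834 dnssec.example.com.
                                d1Uqw9l2zNAPV9YHEVdOL07+0KKFW7eTPRK6b1kZVkPK
                                d7Tp80OJ5phHaDoTc8KUWSQFeRJqcAcYBLVs8mvRXw== )
"""


def parse_timestamp(yyyymmddhhmmss: str) -> datetime:
    """RRSIG inception/expiration are UTC, YYYYMMDDHHmmSS (RFC 4034, 3.2)."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text: str) -> dict:
    """Flatten dig's '( ... )' multi-line layout and split the RRSIG RDATA fields.
    Assumes the usual 'owner TTL IN RRSIG ...' layout that dig prints."""
    fields = text.replace("(", " ").replace(")", " ").split()
    i = fields.index("RRSIG")
    return {
        "owner": fields[0],
        "ttl": int(fields[1]),
        "type_covered": fields[i + 1],
        "algorithm": int(fields[i + 2]),
        "labels": int(fields[i + 3]),
        "original_ttl": int(fields[i + 4]),
        "expiration": parse_timestamp(fields[i + 5]),
        "inception": parse_timestamp(fields[i + 6]),
        "key_tag": int(fields[i + 7]),
        "signer": fields[i + 8],
        "signature": "".join(fields[i + 9:]),   # base64, possibly wrapped over lines
    }


def signature_length(rrsig: dict) -> int:
    """Raw signature size: 64 bytes for ECDSA P-256, 256 bytes for RSA-2048
    (compare the much longer RRSIG in the Knot part of the tutorial)."""
    return len(base64.b64decode(rrsig["signature"]))


def check_rrsig(rrsig: dict, zone: str, known_key_tags: set, now: datetime,
                warn_days: int = 7) -> list:
    """Return a list of problems; an empty list means the signature looks healthy.
    This is the monitoring a zone without rollover automation needs most: RRSIGs
    expire on a fixed date, and an expired zone fails validation everywhere."""
    problems = []
    if rrsig["signer"].lower().rstrip(".") != zone.lower().rstrip("."):
        problems.append("signer name does not match zone")
    if rrsig["key_tag"] not in known_key_tags:
        problems.append(f"signed by unknown key tag {rrsig['key_tag']}")
    if now < rrsig["inception"]:
        problems.append("signature not yet valid")
    elif now >= rrsig["expiration"]:
        problems.append("signature expired")
    elif rrsig["expiration"] - now < timedelta(days=warn_days):
        problems.append(f"signature expires in less than {warn_days} days")
    owner_labels = len([l for l in rrsig["owner"].rstrip(".").split(".") if l])
    if rrsig["labels"] != owner_labels:       # fewer labels means a wildcard expansion
        problems.append("labels field does not match owner name")
    if rrsig["ttl"] > rrsig["original_ttl"]:  # validators must not cache beyond original TTL
        problems.append("TTL exceeds original TTL")
    return problems


if __name__ == "__main__":
    sig = parse_rrsig(DIG_OUTPUT)
    print("signature bytes:", signature_length(sig))
    for when in ("20170401000000", "20170420000000", "20170423000000"):   # constructed
        print(when, check_rrsig(sig, "dnssec.example.com", {22834}, parse_timestamp(when)))
```

Note that the inception time on the slide (2017-03-23 07:09:58 UTC) lies about two hours before the 09:09:58 CET signing time in the journal: BIND backdates inception so that validators with slightly skewed clocks accept the signature immediately, which is why the check compares against the RRSIG's own timestamps rather than the signing time.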
  • 39. Knot-DNS
  • 40. Knot DNS-Server configuration
        # global configuration
        server:
            # Listen on all configured IPv4 interfaces.
            listen: 0.0.0.0@53
            # Listen on all configured IPv6 interfaces.
            listen: ::@53
            # User for running the server.
            user: knot:knot

        # logging
        log:
            # Log info and more serious events to syslog.
            - target: syslog
              any: info

        # DNSSEC signing policy
        policy:
            - id: rsasha256
              algorithm: RSASHA256
              ksk-size: 2560
              zsk-size: 2048

        # zone definition
        zone:
            # Master zone.
            - domain: dnssec.example.com
              storage: /var/lib/knot/zones/
              file: "dnssec.example.com.zone"
              dnssec-signing: on
              dnssec-policy: rsasha256
  • 41. Zonefile
        $TTL 3600
        @       IN SOA   ns1 hostmaster 1001 2h 30m 41d 30m
                IN NS    ns1
                IN NS    ns2
                IN TXT   "Zone for DNSSEC signing tutorial"
        ns1     IN A     192.0.2.53
        ns2     IN A     192.0.2.153
        www     IN A     192.0.2.80
                IN AAAA  2001:db8:100::80
  • 42. reloading and signing
        # knotc reload                                            [reload configuration and sign]
        # journalctl -e | tail
        Mar 23 09:56:32 knot[3546]: info: control, received command 'reload'
        Mar 23 09:56:32 knot[3546]: info: reloading configuration file '/usr/local/etc/knot/knot.conf'
        Mar 23 09:56:32 knot[3546]: info: configuration reloaded
        Mar 23 09:56:32 knot[3546]: info: [dnssec.example.com.] DNSSEC, executing event 'generate initial keys'
        Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, loaded key, tag 3110, algorithm 8, KSK yes, ZSK no, public yes, active yes      [key information]
        Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, loaded key, tag 53466, algorithm 8, KSK no, ZSK yes, public yes, active yes
        Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, signing started
        Mar 23 09:56:33 knot[3546]: info: [dnssec.example.com.] DNSSEC, successfully signed
        Mar 23 09:56:34 knot[3546]: info: [dnssec.example.com.] loaded, serial 1002
        Mar 23 09:56:34 knot[3546]: info: [dnssec.example.com.] DNSSEC, next signing at 2017-03-30T10:56:32
  • 43. test the signed zone
        # dig @localhost soa dnssec.example.com +dnssec +multi
        […]
        ;; ANSWER SECTION:
        dnssec.example.com.     3600 IN SOA ns1.dnssec.example.com. hostmaster.dnssec.example.com. (
                                        1003       ; serial
                                        7200       ; refresh (2 hours)
                                        1800       ; retry (30 minutes)
                                        3542400    ; expire (5 weeks 6 days)
                                        1800       ; minimum (30 minutes)
                                        )
        dnssec.example.com.     3600 IN RRSIG SOA 8 3 3600 (
                                        20170406090136 20170323090136 53466 dnssec.example.com.
                                        NUK5mspkQY6dTRPAuXn0gwhghHiZQIGqvbUxfNoM1ykd
                                        kRVY/vRwqYhAZHC8Jogrj9Whr+kCV9Iv/0pNuAItp1ld
                                        W1Ar2F9sfRpmDXyFt6qVcXKdzH88SnftAlIkdHulL4UG
                                        xzyBxp6aHLgTkDij/5c8pyjHIgBgr5e/RHIxKtQ32gbl
                                        XGQaVIG62oith1fQz6nnAZKcgnvvwe4qgQatVEXyKfM4
                                        tU8kK9qxiUkL+S4lohGxJ+pGN81BbBaNSErmnCWBqEoj
                                        ckkdQkp5oOM/a1Y/ncyK1JU22P/L6I25Jw0l1uPh9/lx
                                        aelUZq4A5SFe7ASpoIvKJlL2VHtkgx7HMg== )

        ;; Query time: 0 msec
        ;; SERVER: ::1#53(::1)
        ;; WHEN: Thu Mar 23 10:10:27 CET 2017
        ;; MSG SIZE  rcvd: 404
  • 44. generate the DS-record
        # dig @localhost dnskey dnssec.example.com +dnssec | grep 257 > dnssec.example.com.ksk
        # ldns-key2ds -2 -n dnssec.example.com.ksk
        dnssec.example.com. 3600 IN DS 3110 8 2 (
            8d2f37875063fd1a16ffbbd07bff8788f58411c77d3d5e3fa2fe8030cdbd7029 )
  • 45. And now?
  • 46. next steps
    publish the DS-record via your registrar
    test DNSSEC validation of your zone (for example via https://dnsviz.net/)
    decide if you want/need key rollover
    a DNSSEC signed zone without key-rollover is still more secure than a plain, non-DNSSEC zone!
    Men & Mice will cover key-rollover (automation) in an upcoming webinar
  • 47. Next
  • 48. Men & Mice DNS Training
    Introduction to DNS & BIND Hands-On Class
      April 3 – 5, 2017, Redwood City (CA), USA
      May 1 – 3, 2017, Boston (MA), USA
    https://www.menandmice.com/training/
  • 49. Men & Mice DNS Training
    Introduction & Advanced DNS and BIND Topics Hands-On Class
      April 3 – 7, 2017, Redwood City (CA), USA
      May 1 – 5, 2017, Boston (MA), USA
    https://www.menandmice.com/training/
  • 50. Men & Mice DNS Training
    DNS & BIND (German Language)
      May 22 – 24, 2017, Essen, DE
    DNSSEC and DANE (German Language)
      December 4-12, 2017, Essen, DE
    http://linuxhotel.de/
  • 51. our next webinar: SMTP STS (Strict Transport Security) vs. SMTP with DANE
    The Internet Public Key Infrastructure (PKIX) is broken, but several solutions exist to fix some of the issues around transport encryption with TLS and x509 certificates. This webinar will take a deeper look at two solutions: RFC 7672 "SMTP with DANE" and draft-ietf-uta-mta-sts "SMTP MTA Strict Transport Security (MTA-STS)". What problems are solved with these solutions? What is needed to implement MTA-STS and SMTP-DANE? Is one solution preferable over the other, or should you deploy both?
    Join us for a 45-minute webinar with a Q&A session at the end, on Thursday, April 13th, 2017 at 5:00 PM CEST / 3:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.
    https://www.menandmice.com/resources/webinar-smtp-sts-strict-transport-security-vs-smtp-with-dane/
  • 52. Thank you! Questions? Comments?