SlideShare a Scribd company logo

OpenDNSSEC RIPE58

pawal
pawal

Presentation of OpenDNSSEC at the DNS wg at RIPE58

TechnologyTravel
1 of 22
OpenDNSSEC Patrik Wallström, .SE R&D RIPE 58, Amsterdam
Who? John A Dickinson 2 RIPE 58, Amsterdam
This is OpenDNSSEC OpenDNSSEC unsigned zones signed zones automatic zone signing from hidden to public, authoritative authoritative name servers name servers 3 RIPE 58, Amsterdam
Description OpenDNSSEC is a complete DNSSEC zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. 4 RIPE 58, Amsterdam
Components There are three major components of OpenDNSSEC: 1. KASP - Key and Signing Policy, a policy describing how to sign a zone. The KASP is enforced by the KASP Enforcer and communicated to the Signer with a Signer Config. 2. The Signer - the component that does the automatic signing of zones. 3. An HSM - a key store component that is either a hardware device or the software SoftHSM component supplied by OpenDNSSEC. 5 RIPE 58, Amsterdam
Additional components There are more needed though: 4. KASP Auditor - monitors that the signing works the way it is supposed to. 5. Input and Output adapters - provides for AXFR, IXFR and other protocols. 6. libhsm - abstracts all PKCS#11 functionality. 6 RIPE 58, Amsterdam
HSMs What is a HSM? - Stores keys (master keys) in hardware - Performs operations with those keys Why use one? - Security (FIPS) - Private key never allowed outside the HSM - You know where your keys are - Performance - 1 – 14,000 signatures per second Are they expensive? - $50 - $50,000 7 RIPE 58, Amsterdam
SoftHSM SoftHSM is an implementation of a cryptographic store accessible through a PKCS#11 interface. You can use it to explore PKCS#11 without having a Hardware Security Module. SoftHSM is being developed as a part of the OpenDNSSEC project. Uses Botan for its cryptographic operations and SQLite to store its key material. SoftHSM allows OpenDNSSEC to only provide one interface for all crypto operations. 8 RIPE 58, Amsterdam
Key states and transitions Published Ready Active Retired Generated Removed not used for signing not used for signing used for signing not used for signing Revoked revoke bit set Keys included in the zonefile derived from draft-morris-dnsop-dnssec-key-timing-00.txt 9 RIPE 58, Amsterdam
Key metadata in KASP Data for the keys stored in “Metastore” are dates such as when the key was created, when it was backed up, when it was retired and so on. Also which HSM the key is stored in. A unique locator id is designated to all keys, which is referred to by the Locator tag in configuration files. 10 RIPE 58, Amsterdam
KASP commands The only command that an administrator should be able to issue is remove key. However, not CLI or GUI interface has not been defined yet. There is a CLI for testing purposes which lets you modify keys. 11 RIPE 58, Amsterdam
Signer Engine The Signer Engine does the following tasks: Sorts RRsets Signer Creates NSEC-chains RRset Signer Signer RRset Sorter Engine Signs RRSets NSEC-ifier Keeps the RRSIGs up to date 12 RIPE 58, Amsterdam
Architecture KASP KASP KASP Key and Signing Importer Database Policy libksm Key Generator libhsm PKCS#11 Zone List PKCS#11 PKCS#11 Communicator General Signer Configs Configuration One file per zone Signer RRset Signer Unsigned Signer RRset Sorter Zones Engine KASP NSEC-ifier Auditor Signed Zones 13 RIPE 58, Amsterdam
Configuration First you need a HSM. To configure SoftHSM you need to create a token like this: softhsm --init-token /home/user/my.db --label quot;My token 1quot; And add the token to your SoftHSM slots in softhsm.conf: 0:/home/user/my.db 14 RIPE 58, Amsterdam
conf.xml <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <Configuration> <RepositoryList> <Repository> <Name>softHSM</Name> <Module>/usr/local/lib/libsofthsm.so</Module> <PIN>1234</PIN> </Repository> </RepositoryList> <Enforcer> <Interval>PT3600S</Interval> <KeygenInterval>P3M</KeygenInterval> <BackupDelay>P3D</BackupDelay> </Enforcer> <Signer> <WorkingDirectory>/var/dnssec/tmp</WorkingDirectory> <ZoneListFile>/var/dnssec/zonelist.xml</ZoneListFile> <!-- toolsdir will be removed, but is used for testing atm --> <ToolsDirectory>/usr/local/bin</ToolsDirectory> </Signer> </Configuration> 15 RIPE 58, Amsterdam
kasp.xml <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <KASP> <Policy name=quot;defaultquot;> <Description>A default policy that will amaze you and your friends</Description> <Signatures> <Resign>PT2H</Resign> <Refresh>P3D</Refresh> <Validity> <Default>P7D</Default> <Denial>P14D</Denial> </Validity> ... <KSK> <Algorithm length=quot;2048quot;>5</Algorithm> <Lifetime>P1Y</Lifetime> <Repository>softHSM</Repository> <Emergency>2</Emergency> <RFC5011/> </KSK> <ZSK> <Algorithm length=quot;1024quot;>5</Algorithm> <Lifetime>P14D</Lifetime> <Repository>softHSM</Repository> ... 16 RIPE 58, Amsterdam
zonelist.xml <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <ZoneList> <Zone name=quot;opendnssec.sequot;> <Policy>default</Policy> <SignerConfiguration>/var/opendnssec/config/opendnssec.se.xml</ SignerConfiguration> <Adapters> <Input> <File>/var/dnssec/unsigned/opendnssec.se</File> </Input> <Output> <File>/var/dnssec/signed/opendnssec.se</File> </Output> </Adapters> </Zone> </ZoneList> 17 RIPE 58, Amsterdam
opendnssec.se.xml ... <Keys> <TTL>PT3600S</TTL> <Key> <Flags>257</Flags> <Algorithm>5</Algorithm> <Locator>DFE7265B783F418685380AA784C2F31D</Locator> <KSK/> <Publish/> </Key> <Key> <Flags>256</Flags> <Algorithm>5</Algorithm> <Locator>8D76C0C49FEB4A97B8E920C7552401CE</Locator> <ZSK/> <Publish/> </Key> </Keys> <SOA> <TTL>PT3600S</TTL> <Minimum>PT3600S</Minimum> <Serial>unixtime</Serial> </SOA> ... 18 RIPE 58, Amsterdam
Todo - System integration - Install guide - User guide - Peer reviewing - Make OpenDNSSEC one package - System testing - Performance testing - Durability testing - User testing 19 RIPE 58, Amsterdam
When? Alpha version real soon now... Version 1.0 for the IETF in Stockholm. Maybe. 20 RIPE 58, Amsterdam
http://www.opendnssec.se/ 21 RIPE 58, Amsterdam
Thank you! Questions? 22 RIPE 58, Amsterdam

Recommended

SCI F28x
SCI F28xSCI F28x
SCI F28xPantech ProLabs India Pvt Ltd
 
CDP Indicator
CDP IndicatorCDP Indicator
CDP Indicatornpsg
 
Configuring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IOConfiguring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IOHoàng Hải Nguyễn
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt IntroductionLogic Solutions, Inc.
 
Remote offices survival
Remote offices survivalRemote offices survival
Remote offices survivalPaloSanto Solutions
 
Flash Programming F28x
Flash Programming F28xFlash Programming F28x
Flash Programming F28xPantech ProLabs India Pvt Ltd
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
 
Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...
Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...
Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...Bruno Castelucci
 

Recommended

SCI F28x
SCI F28xSCI F28x
SCI F28xPantech ProLabs India Pvt Ltd
 
CDP Indicator
CDP IndicatorCDP Indicator
CDP Indicatornpsg
 
Configuring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IOConfiguring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IOHoàng Hải Nguyễn
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt IntroductionLogic Solutions, Inc.
 
Remote offices survival
Remote offices survivalRemote offices survival
Remote offices survivalPaloSanto Solutions
 
Flash Programming F28x
Flash Programming F28xFlash Programming F28x
Flash Programming F28xPantech ProLabs India Pvt Ltd
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
 
Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...
Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...
Aceleração em Hardware para OpenSSL em Sistemas Embarcados: Introdução e conc...Bruno Castelucci
 
Gestire la Variabilità
Gestire la Variabilità Gestire la Variabilità
Gestire la Variabilità Antonio Tresca
 
DNSSEC Grunderna
DNSSEC GrundernaDNSSEC Grunderna
DNSSEC Grundernapawal
 
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3Istanbul Bilgi University
 
PGP Aurkezpena
PGP AurkezpenaPGP Aurkezpena
PGP Aurkezpenaamaiora
 
Imperialism -Part I.
Imperialism -Part I.Imperialism -Part I.
Imperialism -Part I.ljhsblog
 
Branding - leggi fondamentali
Branding - leggi fondamentaliBranding - leggi fondamentali
Branding - leggi fondamentaliAntonio Tresca
 
Modelli Comunicativi
Modelli ComunicativiModelli Comunicativi
Modelli ComunicativiAntonio Tresca
 
Symmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan DohertySymmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan Dohertyharryvanhaaren
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Arm Lecture
Arm LectureArm Lecture
Arm Lectureanishgoel
 
RISC V in Spacer
RISC V in SpacerRISC V in Spacer
RISC V in Spacerklepsydratechnologie
 
Codescape Debugger 8
Codescape Debugger 8Codescape Debugger 8
Codescape Debugger 8Damien Ruscoe
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Linaro
 
LogRhythm Appliance Data Sheet
LogRhythm Appliance Data SheetLogRhythm Appliance Data Sheet
LogRhythm Appliance Data Sheetjordagro
 
DPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii TkachukDPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii TkachukIntel
 
Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Brent Salisbury
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXBangladesh Network Operators Group
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityBrent Salisbury
 
2014 carlos gzlez florido nksip the erlang sip application server
2014 carlos gzlez florido nksip the erlang sip application server2014 carlos gzlez florido nksip the erlang sip application server
2014 carlos gzlez florido nksip the erlang sip application serverVOIP2DAY
 
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...Salem Trabelsi
 
Processor types
Processor typesProcessor types
Processor typesAmr Aboelgood
 

More Related Content

Viewers also liked

Gestire la Variabilità
Gestire la Variabilità Gestire la Variabilità
Gestire la Variabilità Antonio Tresca
 
DNSSEC Grunderna
DNSSEC GrundernaDNSSEC Grunderna
DNSSEC Grundernapawal
 
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3Istanbul Bilgi University
 
PGP Aurkezpena
PGP AurkezpenaPGP Aurkezpena
PGP Aurkezpenaamaiora
 
Imperialism -Part I.
Imperialism -Part I.Imperialism -Part I.
Imperialism -Part I.ljhsblog
 
Branding - leggi fondamentali
Branding - leggi fondamentaliBranding - leggi fondamentali
Branding - leggi fondamentaliAntonio Tresca
 

Viewers also liked (7)

Gestire la Variabilità
Gestire la Variabilità Gestire la Variabilità
Gestire la Variabilità
 
DNSSEC Grunderna
DNSSEC GrundernaDNSSEC Grunderna
DNSSEC Grunderna
 
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3
Türkiye'de toplumsal eşitsizlik issp may-26-2010-vs3
 
PGP Aurkezpena
PGP AurkezpenaPGP Aurkezpena
PGP Aurkezpena
 
Imperialism -Part I.
Imperialism -Part I.Imperialism -Part I.
Imperialism -Part I.
 
Branding - leggi fondamentali
Branding - leggi fondamentaliBranding - leggi fondamentali
Branding - leggi fondamentali
 
Modelli Comunicativi
Modelli ComunicativiModelli Comunicativi
Modelli Comunicativi
 

Similar to OpenDNSSEC RIPE58

Symmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan DohertySymmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan Dohertyharryvanhaaren
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Codescape Debugger 8
Codescape Debugger 8Codescape Debugger 8
Codescape Debugger 8Damien Ruscoe
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Linaro
 
LogRhythm Appliance Data Sheet
LogRhythm Appliance Data SheetLogRhythm Appliance Data Sheet
LogRhythm Appliance Data Sheetjordagro
 
DPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii TkachukDPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii TkachukIntel
 
Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Brent Salisbury
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityBrent Salisbury
 
2014 carlos gzlez florido nksip the erlang sip application server
2014 carlos gzlez florido nksip the erlang sip application server2014 carlos gzlez florido nksip the erlang sip application server
2014 carlos gzlez florido nksip the erlang sip application serverVOIP2DAY
 
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...Salem Trabelsi
 
Enhance Virtualization Stack with Intel CET and MPX
Enhance Virtualization Stack with Intel CET and MPXEnhance Virtualization Stack with Intel CET and MPX
Enhance Virtualization Stack with Intel CET and MPXPriyanka Aash
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linuxmariuszantal
 
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) [발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) 동현 김
 

Similar to OpenDNSSEC RIPE58 (20)

Symmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan DohertySymmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan Doherty
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Arm Lecture
Arm LectureArm Lecture
Arm Lecture
 
RISC V in Spacer
RISC V in SpacerRISC V in Spacer
RISC V in Spacer
 
Codescape Debugger 8
Codescape Debugger 8Codescape Debugger 8
Codescape Debugger 8
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
 
LogRhythm Appliance Data Sheet
LogRhythm Appliance Data SheetLogRhythm Appliance Data Sheet
LogRhythm Appliance Data Sheet
 
DPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii TkachukDPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii Tkachuk
 
Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012Software Defined Data Centers - June 2012
Software Defined Data Centers - June 2012
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on Security
 
2014 carlos gzlez florido nksip the erlang sip application server
2014 carlos gzlez florido nksip the erlang sip application server2014 carlos gzlez florido nksip the erlang sip application server
2014 carlos gzlez florido nksip the erlang sip application server
 
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
2.5.1.2 packet tracer configure cisco routers for syslog, ntp, and ssh oper...
 
Processor types
Processor typesProcessor types
Processor types
 
Enhance Virtualization Stack with Intel CET and MPX
Enhance Virtualization Stack with Intel CET and MPXEnhance Virtualization Stack with Intel CET and MPX
Enhance Virtualization Stack with Intel CET and MPX
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
 
Linux Porting
Linux PortingLinux Porting
Linux Porting
 
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) [발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
 

More from pawal

Tor Cryptoparty 2016
Tor Cryptoparty 2016Tor Cryptoparty 2016
Tor Cryptoparty 2016pawal
 
Du läcker data
Du läcker dataDu läcker data
Du läcker datapawal
 
Zonemaster Lightning talk, DNS-OARC Spring meeting 2014
Zonemaster Lightning talk, DNS-OARC Spring meeting 2014Zonemaster Lightning talk, DNS-OARC Spring meeting 2014
Zonemaster Lightning talk, DNS-OARC Spring meeting 2014pawal
 
TLS, lite status från #MeraKrypto
TLS, lite status från #MeraKryptoTLS, lite status från #MeraKrypto
TLS, lite status från #MeraKryptopawal
 
Wifi Cryptoparty 2013
Wifi Cryptoparty 2013Wifi Cryptoparty 2013
Wifi Cryptoparty 2013pawal
 
Köpa crypto
Köpa cryptoKöpa crypto
Köpa cryptopawal
 
RIPE64 - DNS and DNSSEC in the .se Zone
RIPE64 - DNS and DNSSEC in the .se ZoneRIPE64 - DNS and DNSSEC in the .se Zone
RIPE64 - DNS and DNSSEC in the .se Zonepawal
 
DNSSEC in .SE
DNSSEC in .SEDNSSEC in .SE
DNSSEC in .SEpawal
 

More from pawal (8)

Tor Cryptoparty 2016
Tor Cryptoparty 2016Tor Cryptoparty 2016
Tor Cryptoparty 2016
 
Du läcker data
Du läcker dataDu läcker data
Du läcker data
 
Zonemaster Lightning talk, DNS-OARC Spring meeting 2014
Zonemaster Lightning talk, DNS-OARC Spring meeting 2014Zonemaster Lightning talk, DNS-OARC Spring meeting 2014
Zonemaster Lightning talk, DNS-OARC Spring meeting 2014
 
TLS, lite status från #MeraKrypto
TLS, lite status från #MeraKryptoTLS, lite status från #MeraKrypto
TLS, lite status från #MeraKrypto
 
Wifi Cryptoparty 2013
Wifi Cryptoparty 2013Wifi Cryptoparty 2013
Wifi Cryptoparty 2013
 
Köpa crypto
Köpa cryptoKöpa crypto
Köpa crypto
 
RIPE64 - DNS and DNSSEC in the .se Zone
RIPE64 - DNS and DNSSEC in the .se ZoneRIPE64 - DNS and DNSSEC in the .se Zone
RIPE64 - DNS and DNSSEC in the .se Zone
 
DNSSEC in .SE
DNSSEC in .SEDNSSEC in .SE
DNSSEC in .SE
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

OpenDNSSEC RIPE58

  • 1. OpenDNSSEC Patrik Wallström, .SE R&D RIPE 58, Amsterdam
  • 2. Who? John A Dickinson 2 RIPE 58, Amsterdam
  • 3. This is OpenDNSSEC OpenDNSSEC unsigned zones signed zones automatic zone signing from hidden to public, authoritative authoritative name servers name servers 3 RIPE 58, Amsterdam
  • 4. Description OpenDNSSEC is a complete DNSSEC zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones. 4 RIPE 58, Amsterdam
  • 5. Components There are three major components of OpenDNSSEC: 1. KASP - Key and Signing Policy, a policy describing how to sign a zone. The KASP is enforced by the KASP Enforcer and communicated to the Signer with a Signer Config. 2. The Signer - the component that does the automatic signing of zones. 3. An HSM - a key store component that is either a hardware device or the software SoftHSM component supplied by OpenDNSSEC. 5 RIPE 58, Amsterdam
  • 6. Additional components There are more needed though: 4. KASP Auditor - monitors that the signing works the way it is supposed to. 5. Input and Output adapters - provides for AXFR, IXFR and other protocols. 6. libhsm - abstracts all PKCS#11 functionality. 6 RIPE 58, Amsterdam
  • 7. HSMs What is a HSM? - Stores keys (master keys) in hardware - Performs operations with those keys Why use one? - Security (FIPS) - Private key never allowed outside the HSM - You know where your keys are - Performance - 1 – 14,000 signatures per second Are they expensive? - $50 - $50,000 7 RIPE 58, Amsterdam
  • 8. SoftHSM SoftHSM is an implementation of a cryptographic store accessible through a PKCS#11 interface. You can use it to explore PKCS#11 without having a Hardware Security Module. SoftHSM is being developed as a part of the OpenDNSSEC project. Uses Botan for its cryptographic operations and SQLite to store its key material. SoftHSM allows OpenDNSSEC to only provide one interface for all crypto operations. 8 RIPE 58, Amsterdam
  • 9. Key states and transitions Published Ready Active Retired Generated Removed not used for signing not used for signing used for signing not used for signing Revoked revoke bit set Keys included in the zonefile derived from draft-morris-dnsop-dnssec-key-timing-00.txt 9 RIPE 58, Amsterdam
  • 10. Key metadata in KASP Data for the keys stored in “Metastore” are dates such as when the key was created, when it was backed up, when it was retired and so on. Also which HSM the key is stored in. A unique locator id is designated to all keys, which is referred to by the Locator tag in configuration files. 10 RIPE 58, Amsterdam
  • 11. KASP commands The only command that an administrator should be able to issue is remove key. However, not CLI or GUI interface has not been defined yet. There is a CLI for testing purposes which lets you modify keys. 11 RIPE 58, Amsterdam
  • 12. Signer Engine The Signer Engine does the following tasks: Sorts RRsets Signer Creates NSEC-chains RRset Signer Signer RRset Sorter Engine Signs RRSets NSEC-ifier Keeps the RRSIGs up to date 12 RIPE 58, Amsterdam
  • 13. Architecture KASP KASP KASP Key and Signing Importer Database Policy libksm Key Generator libhsm PKCS#11 Zone List PKCS#11 PKCS#11 Communicator General Signer Configs Configuration One file per zone Signer RRset Signer Unsigned Signer RRset Sorter Zones Engine KASP NSEC-ifier Auditor Signed Zones 13 RIPE 58, Amsterdam
  • 14. Configuration First you need a HSM. To configure SoftHSM you need to create a token like this: softhsm --init-token /home/user/my.db --label quot;My token 1quot; And add the token to your SoftHSM slots in softhsm.conf: 0:/home/user/my.db 14 RIPE 58, Amsterdam
  • 15. conf.xml <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <Configuration> <RepositoryList> <Repository> <Name>softHSM</Name> <Module>/usr/local/lib/libsofthsm.so</Module> <PIN>1234</PIN> </Repository> </RepositoryList> <Enforcer> <Interval>PT3600S</Interval> <KeygenInterval>P3M</KeygenInterval> <BackupDelay>P3D</BackupDelay> </Enforcer> <Signer> <WorkingDirectory>/var/dnssec/tmp</WorkingDirectory> <ZoneListFile>/var/dnssec/zonelist.xml</ZoneListFile> <!-- toolsdir will be removed, but is used for testing atm --> <ToolsDirectory>/usr/local/bin</ToolsDirectory> </Signer> </Configuration> 15 RIPE 58, Amsterdam
  • 16. kasp.xml <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <KASP> <Policy name=quot;defaultquot;> <Description>A default policy that will amaze you and your friends</Description> <Signatures> <Resign>PT2H</Resign> <Refresh>P3D</Refresh> <Validity> <Default>P7D</Default> <Denial>P14D</Denial> </Validity> ... <KSK> <Algorithm length=quot;2048quot;>5</Algorithm> <Lifetime>P1Y</Lifetime> <Repository>softHSM</Repository> <Emergency>2</Emergency> <RFC5011/> </KSK> <ZSK> <Algorithm length=quot;1024quot;>5</Algorithm> <Lifetime>P14D</Lifetime> <Repository>softHSM</Repository> ... 16 RIPE 58, Amsterdam
  • 17. zonelist.xml <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <ZoneList> <Zone name=quot;opendnssec.sequot;> <Policy>default</Policy> <SignerConfiguration>/var/opendnssec/config/opendnssec.se.xml</ SignerConfiguration> <Adapters> <Input> <File>/var/dnssec/unsigned/opendnssec.se</File> </Input> <Output> <File>/var/dnssec/signed/opendnssec.se</File> </Output> </Adapters> </Zone> </ZoneList> 17 RIPE 58, Amsterdam
  • 18. opendnssec.se.xml ... <Keys> <TTL>PT3600S</TTL> <Key> <Flags>257</Flags> <Algorithm>5</Algorithm> <Locator>DFE7265B783F418685380AA784C2F31D</Locator> <KSK/> <Publish/> </Key> <Key> <Flags>256</Flags> <Algorithm>5</Algorithm> <Locator>8D76C0C49FEB4A97B8E920C7552401CE</Locator> <ZSK/> <Publish/> </Key> </Keys> <SOA> <TTL>PT3600S</TTL> <Minimum>PT3600S</Minimum> <Serial>unixtime</Serial> </SOA> ... 18 RIPE 58, Amsterdam
  • 19. Todo - System integration - Install guide - User guide - Peer reviewing - Make OpenDNSSEC one package - System testing - Performance testing - Durability testing - User testing 19 RIPE 58, Amsterdam
  • 20. When? Alpha version real soon now... Version 1.0 for the IETF in Stockholm. Maybe. 20 RIPE 58, Amsterdam
  • 21. http://www.opendnssec.se/ 21 RIPE 58, Amsterdam
  • 22. Thank you! Questions? 22 RIPE 58, Amsterdam

Editor's Notes