SlideShare ist ein Scribd-Unternehmen logo

DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]

APNIC
APNIC

DNSSEC Tutorial, by Champika Wijayatunga. A tutorial presented at APNIC 38.

Internet
1 von 38
DNSSEC Tutorial champika.wijayatunga@icann.org
Acknowledgements • Rick Lamb – Senior Program Manager, DNSSEC @ICANN • APNIC Training
DNS Basics • DNS converts names (www.icann.org) to numbers (192.0.32.7) • ..to idenOfy services such as www and e-­‐mail • ..that idenOfy and link customers to business and visa versa
Reminder: DNS Resolving Question: www.example.net A 1" 2" www.example.net A ? Resolver www.example.net A ? Caching forwarder (recursive) “go ask net server @ X.gtld-servers.net” (+ glue) gtld-server www.example.net A ? “go ask ripe server @ ns.example.net” (+ glue) www.example.net A ? example-server “x.y.z.1” x.y.z.1 3" 4" 5" 6" 7" 9" 8" Add to cache 10" TTL root-server
DNS: Data Flow master Caching forwarder Zone administrator Zone file Dynamic updates 1" 2" 3" slaves 4" 5" resolver
DNS VulnerabiliOes Corrupting data" Impersonating master" Cache impersonation" master Caching forwarder Zone administrator Zone file Dynamic updates 1" 2" 3" slaves 4" 5" resolver Unauthorized updates" Cache pollution by" Data spoofing" Server protection! Data protection!
+1-­‐202-­‐709-­‐5262 VoIP US-­‐NSTIC effort DNS is a part of all IT ecosystems lamb@xtcn.com mydomainname.com Smart Electrical Grid OECS ID effort
Where DNSSEC fits in • ..but CPU and bandwidth advances make legacy DNS vulnerable to MITM aWacks • DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents • With DNSSEC fully deployed a business can be sure a customer gets un-­‐modified data (and visa versa)
The Bad: DNSChanger -­‐ ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M Nov 2011 h[p://krebsonsecurity.com/2011/11/malware-­‐click-­‐fraud-­‐kingpins-­‐arrested-­‐in-­‐estonia/ End-­‐2-­‐end DNSSEC valida_on would have avoided the problems
The Internet’s Phone Book -­‐ Domain Name System (DNS) www.majorbank.se=? Get page webserver www @ 1.2.3.4 Username / Password Account Data DNS Hierarchy DNS Resolver root se com majorbank.se www.majorbank.se www.majorbank.se = 1.2.3.4 DNS 1.2.3.4 Server Login page ISP Majorbank (Registrant)
Caching Responses for Efficiency www.majorbank.se=? Get page webserver www @ 1.2.3.4 Username / Password Account Data DNS Resolver www.majorbank.se = 1.2.3.4 DNS 1.2.3.4 Server Login page
The Problem: DNS Cache Poisoning AWack www.majorbank.se=? DNS Resolver www.majorbank.se = 1.2.3.4 DNS 5.6.7.8 Server Get page Attacker webserver www @ 5.6.7.8 Username / Password Error Attacker www.majorbank.se = 5.6.7.8 Login page Password database
Argghh! Now all ISP customers get sent to aWacker. www.majorbank.se=? DNS Resolver www.majorbank.se = 1.2.3.4 DNS 5.6.7.8 Server Get page Attacker webserver www @ 5.6.7.8 Login page Username / Password Error Password database
Securing The Phone Book -­‐ DNS Security Extensions (DNSSEC) www.majorbank.se=? DNS Resolver with DNSSEC Attacker’s record does not validate – drop it www.majorbank.se = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4 Login page Username / Password Account Data Attacker www.majorbank.se = 5.6.7.8
Resolver only caches validated records www.majorbank.se=? DNS Resolver with DNSSEC www.majorbank.se = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4 Login page Username / Password Account Data
The Bad: Other DNS hijacks* • 25 Dec 2010 -­‐ Russian e-­‐Payment Giant ChronoPay Hacked • 18 Dec 2009 – Twi[er – “Iranian cyber army” • 13 Aug 2010 -­‐ Chinese gmail phishing a[ack • 25 Dec 2010 Tunisia DNS Hijack • 2009-­‐2012 google.* – April 28 2009 Google Puerto Rico sites redirected in DNS a[ack – May 9 2009 Morocco temporarily seize Google domain name • 9 Sep 2011 -­‐ Diginotar cer_ficate compromise for Iranian users • SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the cer_ficate. Unfortunately, majority of Web site cer_ficates rely on DNS to validate iden_ty. • DNS is relied on for unexpected things though insecure. *A Brief History of DNS Hijacking -­‐ Google h[p://costarica43.icann.org/mee_ngs/sanjose2012/presenta_on-­‐dns-­‐hijackings-­‐marquis-­‐boire-­‐12mar12-­‐en.pdf
The Business Case for DNSSEC • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differenOator. • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a pla`orm for new security applicaOons (for those that see the opportunity). • DNSSEC infrastructure deployment has been brisk but requires experOse. Gecng ahead of the curve is a compeOOve advantage.
• DNSSEC -­‐ Where we are Deployed on 462/654 TLDs (29 July 2014 70% .com .hr .es .in .af .ee .lb .bg .tm .cz .nl .uk .de .jp .cn .ru .р ф .my مليسيا .asia .tw 台灣, .kr 한국 .net, .org, .post, +gtlds) • Root signed** and audited • Required in new gTLDs. Basic support by ICANN registrars • Growing ISP support*. • 3rd party signing soluOons*** • Growing S/W H/W support: NLNetLabs, ISC, Microsop, PowerDNS, Secure64…? openssl, pos`ix, XMPP, mozilla: early DANE support • IETF standard on DNSSEC SSL cerOficates (RFC6698) • Growing support from major players…(Apple iPhone/iPad, Google 8.8.8.8,…) * COMCAST /w 20M and others; most ISPs in SE ,CZ. AND ~12% of resolvers validate using DNSSEC **Int’l bo[om-­‐up trust model /w 21 TCRs from: TT, BF, RU, CN, US, SE, NL, UG, BR, Benin, PT, NP, Mauri_us, CZ, CA, JP, UK, NZ… *** Par_al list of registrars: h[ps://www.icann.org/en/news/in-­‐focus/dnssec/deployment
But… • But deployed on ~1-­‐2% (3.5M) of 2nd level domains. Many have plans. Few have taken the step (e.g., yandex.com, paypal.com*, comcast.com). • DNSChanger and other aWacks highlight today’s need. (e.g end-­‐2-­‐end DNSSEC validaOon would have avoided the problems) • InnovaOve security soluOons (e.g., DANE) highlight tomorrow’s value. * h[p://fedv6-­‐deployment.antd.nist.gov/cgi-­‐bin/generate-­‐com h[p://www.thesecurityprac_ce.com/ the_security_prac_ce/2011/12/all-­‐paypal-­‐domains-­‐are-­‐now-­‐using-­‐dnssec.html h[p://www.nacion.com/2012-­‐03-­‐15/Tecnologia/Si_os-­‐web-­‐de-­‐bancos-­‐_cos-­‐podran-­‐ser-­‐mas-­‐seguros.aspx
DNSSEC: So what’s the problem? • Not enough IT departments know about it or are too busy pucng out other security fires. • When they do look into it they hear old stories of lack of turnkey soluOons. • Registrars*/DNS providers see no demand leading to “chicken-­‐and-­‐egg” problems. *but required by new ICANN registrar agreement
Too many CAs. Which one can we trust? DNSSEC to the rescue…. CA CerOficate roots ~1482 DNSSEC root -­‐ 1 Login security SSHFP RFC4255 Content security Commercial SSL CerOficates for Web and e-­‐mail DANE and other yet to be discovered security innovaOons, enhancements, and synergies Content security “Free SSL” cerOficates for Web and e-­‐mail and “trust agility” Network security IPSECKEY RFC4025 Cross-­‐ organizaOonal and trans-­‐naOonal idenOty and authenOcaOon E-­‐mail security DKIM RFC4871 Securing VoIP Domain Names hWps://www.eff.org/observatory hWp://royal.pingdom.com/2011/01/12/internet-­‐2010-­‐in-­‐numbers/
• For What you can do Companies: – Sign your corporate domain names – Just turn on validaOon on corporate DNS resolvers • For Users: – Ask ISP to turn on validaOon on their DNS resolvers • For All: – Take advantage of organizaOons offering DNSSEC educaOon and training
DNSSEC ImplementaOon
DNSSEC Resource Records • 3 Public key crypto related RRs – RRSIG = Signature over RRset made using private key – DNSKEY = Public key, needed for verifying a RRSIG – DS = DelegaOon Signer; ‘Pointer’ for building chains of authenOcaOon • One RR for internal consistency – NSEC = Next Secure; indicates which name is the next one in the zone and which typecodes are available for the current name • authenOcated non-­‐existence of data RFC 4034
DNSKEY • Contains the zone’s public key • Uses public key cryptography to sign and authenOcate DNS resource record sets (RRsets). • Example: myzone.net. IN DNSKEY 256 3 5 ( AwEAAagrVFd9xyFMQRjO4DlkL0dgUCtogviS+FG9Z6Au3h1ERe4EIi3L X49Ce1OFahdR2wPZyVeDvH6X4qlLnMQJsd7oFi4S9Ng+hLkgpm/n+otE kKiXGZzZn4vW0okuC0hHG2XU5zJhkct73FZzbmBvGxpF4svo5PPWZqVb H48T5Y/9 ) ; key id = 3510 Public key (base64)
RRSIG • The private part of the key-­‐pair is used to sign the resource record set (RRset) per zone • The digital signature per RRset is saved in an RRSIG record myzone.net. 86400 NS ns.myzone.net. 86400 NS ns.yourzone.net. 86400 RRSIG NS 5 2 86400 ( 20121202010528 20121102010528 3510 myzone.net. Y2J2+CVqQRjQvcWY256ffiw5mp0OQTQUF8vUHSHyUbbhmE56eJimqDh Xb8qwlFjl40kmlzmQC5CmgugBqjgLHZbuvSfd9+Ucwkxbwx3HonAPr3 +0HVqP8rSqGRqSq0VbR7LzNeaylBkumLDoriQxceV4z3d2jFv4ArnM= )
Types of Keys • Zone Signing Key (ZSK) – Sign the RRsets within the zone – Public key of ZSK is defined by a DNSKEY RR • Key Signing Key (KSK) – Signed the keys which includes ZSK and KSK and may also be used outside the zone • Using a single key or both keys is an operaOonal choice (RFC allows both methods)
NSEC Record example $ORIGIN myzone.net.! @!SOA …! ! !NS !NS.myzone.net.! ! !DNSKEY !…! ! !NSEC mailbox.myzone.net. SOA NS NSEC DNSKEY RRSIG! ! mailbox !A !192.168.10.2 !! ! ! !NSEC www.myzone.net. A NSEC RRSIG! WWW ! !A !192.168.10.3 !! ! ! !TXT !Public webserver! ! ! !NSEC myzone.net. A NSEC RRSIG TXT!
DelegaOon Signer (DS) • Establishes the chain of trust from parent to child zones • Found in the parent’s zone file • In this example, myzone.net has been delegated from .net. This is how it looks like in .net zone file myzone.net. IN NS ns1.myzone.net. NS ns2.myzone.net. IN DS 19996 5 1 ( CF96B018A496CD1A68EE7 C80A37EDFC6ABBF8175 ) IN DS 19996 5 2 ( 6927A531B0D89A7A4F13E11031 4C722EC156FF926D2052C7D8D70C50 14598CE9 )
DelegaOon Signer (DS) • DelegaOon Signer (DS) RR indicates that: – delegated zone is digitally signed – indicated key is used for the delegated zone • Parent is authoraOve for the DS of the childs zone – Not for the NS record delegaOng the childs zone! – DS should not be in the childs zone
DNSSEC ValidaOon • Recursive servers that are dnssec-­‐enabled can validate signed zones • The AD bit in the message flag shows if validated • Other opOons if you don’t have a validaOng resolver – Use a validator add-­‐on for your web browser • ex: hWps://www.dnssec-­‐validator.cz/ – Online web tools • hWp://dnsviz.net/ • hWp://dnssec-­‐debugger.verisignlabs.com/ – Use an open DNSSEC-­‐validaOng resolver • Some open validaOng resolvers – DNS-­‐OARC’s ODVR (link) • 149.20.64.20 (BIND9), 149.20.64.21 (Unbound) – Google Public DNS • 8.8.8.8 or 8.8.4.4
DNSSEC -­‐ Secng up a Secure Zone • Enable DNSSEC in the configuraOon file (named.conf) dnssec-enable yes; dnssec-validation yes; • Create key pairs (KSK and ZSK) dnssec-keygen -a rsasha1 -b 1024 -n zone myzone.net • Publish your public key • Signing the zone • Update the config file – Modify the zone statement, replace with the signed zone file • Test with dig
Signing the Zone • Sign the zone using the secret keys: dnssec-signzone –o <zonename> -N INCREMENT -f <output-file> -k <KSKfile> <zonefile> <ZSKfile> dnssec-signzone –o myzone.net db.myzone.net Kmyzone.net.+005+33633 • Once you sign the zone a file with a .signed extension will be created – db.myzone.net.signed
TesOng with dig: an example dig @localhost www.apnic.net +dnssec +multiline
Pushing the DS record • The DS record must be published by the parent zone. • Contact the parent zone to communicate the KSK to them.
Ways to Deploy DNSSEC • As part of the DNS sopware used – Manual key management – Can be quite complex – For staOc environment – Some means of automaOon using • opOon commands and scripts • Use DNSSEC tools for BIND, NSD, PowerDNS, etc with a hardware security module (HSM) – Semi-­‐automaOc – Good for dynamic environment • Using an external appliance – ‘dnssec-­‐in-­‐a-­‐box’ – Fully HSM, OpenDNSSEC DNS Appliance automates key generaOon, signing and rollover
DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.
Thank you!

Empfohlen

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Dnssec
DnssecDnssec
Dnssecguest3131f85
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILUtah Networxs Consultoria e Treinamento
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 

Empfohlen

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Dnssec
DnssecDnssec
Dnssecguest3131f85
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILUtah Networxs Consultoria e Treinamento
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption securityMen and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap WebinarMen and Mice
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningChristopher Grayson
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNSMen and Mice
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolversBangladesh Network Operators Group
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECDeploy360 Programme (Internet Society)
 

Weitere ähnliche Inhalte

Was ist angesagt?

Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption securityMen and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNSMen and Mice
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 

Was ist angesagt? (20)

Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolvers
 

Ähnlich wie DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]

PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PROIDEA
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 

Ähnlich wie DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38] (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
ION Trinidad and Tobago - The Business Case for DNSSEC
ION Trinidad and Tobago - The Business Case for DNSSECION Trinidad and Tobago - The Business Case for DNSSEC
ION Trinidad and Tobago - The Business Case for DNSSEC
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
ION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel Introduction
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name Collision
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case Study
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 

Mehr von APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

Mehr von APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Kürzlich hochgeladen

Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 

Kürzlich hochgeladen (8)

Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 

DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]

  • 2. Acknowledgements • Rick Lamb – Senior Program Manager, DNSSEC @ICANN • APNIC Training
  • 3. DNS Basics • DNS converts names (www.icann.org) to numbers (192.0.32.7) • ..to idenOfy services such as www and e-­‐mail • ..that idenOfy and link customers to business and visa versa
  • 4. Reminder: DNS Resolving Question: www.example.net A 1" 2" www.example.net A ? Resolver www.example.net A ? Caching forwarder (recursive) “go ask net server @ X.gtld-servers.net” (+ glue) gtld-server www.example.net A ? “go ask ripe server @ ns.example.net” (+ glue) www.example.net A ? example-server “x.y.z.1” x.y.z.1 3" 4" 5" 6" 7" 9" 8" Add to cache 10" TTL root-server
  • 5. DNS: Data Flow master Caching forwarder Zone administrator Zone file Dynamic updates 1" 2" 3" slaves 4" 5" resolver
  • 6. DNS VulnerabiliOes Corrupting data" Impersonating master" Cache impersonation" master Caching forwarder Zone administrator Zone file Dynamic updates 1" 2" 3" slaves 4" 5" resolver Unauthorized updates" Cache pollution by" Data spoofing" Server protection! Data protection!
  • 7. +1-­‐202-­‐709-­‐5262 VoIP US-­‐NSTIC effort DNS is a part of all IT ecosystems lamb@xtcn.com mydomainname.com Smart Electrical Grid OECS ID effort
  • 8. Where DNSSEC fits in • ..but CPU and bandwidth advances make legacy DNS vulnerable to MITM aWacks • DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents • With DNSSEC fully deployed a business can be sure a customer gets un-­‐modified data (and visa versa)
  • 9. The Bad: DNSChanger -­‐ ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M Nov 2011 h[p://krebsonsecurity.com/2011/11/malware-­‐click-­‐fraud-­‐kingpins-­‐arrested-­‐in-­‐estonia/ End-­‐2-­‐end DNSSEC valida_on would have avoided the problems
  • 10. The Internet’s Phone Book -­‐ Domain Name System (DNS) www.majorbank.se=? Get page webserver www @ 1.2.3.4 Username / Password Account Data DNS Hierarchy DNS Resolver root se com majorbank.se www.majorbank.se www.majorbank.se = 1.2.3.4 DNS 1.2.3.4 Server Login page ISP Majorbank (Registrant)
  • 11. Caching Responses for Efficiency www.majorbank.se=? Get page webserver www @ 1.2.3.4 Username / Password Account Data DNS Resolver www.majorbank.se = 1.2.3.4 DNS 1.2.3.4 Server Login page
  • 12. The Problem: DNS Cache Poisoning AWack www.majorbank.se=? DNS Resolver www.majorbank.se = 1.2.3.4 DNS 5.6.7.8 Server Get page Attacker webserver www @ 5.6.7.8 Username / Password Error Attacker www.majorbank.se = 5.6.7.8 Login page Password database
  • 13. Argghh! Now all ISP customers get sent to aWacker. www.majorbank.se=? DNS Resolver www.majorbank.se = 1.2.3.4 DNS 5.6.7.8 Server Get page Attacker webserver www @ 5.6.7.8 Login page Username / Password Error Password database
  • 14. Securing The Phone Book -­‐ DNS Security Extensions (DNSSEC) www.majorbank.se=? DNS Resolver with DNSSEC Attacker’s record does not validate – drop it www.majorbank.se = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4 Login page Username / Password Account Data Attacker www.majorbank.se = 5.6.7.8
  • 15. Resolver only caches validated records www.majorbank.se=? DNS Resolver with DNSSEC www.majorbank.se = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4 Login page Username / Password Account Data
  • 16. The Bad: Other DNS hijacks* • 25 Dec 2010 -­‐ Russian e-­‐Payment Giant ChronoPay Hacked • 18 Dec 2009 – Twi[er – “Iranian cyber army” • 13 Aug 2010 -­‐ Chinese gmail phishing a[ack • 25 Dec 2010 Tunisia DNS Hijack • 2009-­‐2012 google.* – April 28 2009 Google Puerto Rico sites redirected in DNS a[ack – May 9 2009 Morocco temporarily seize Google domain name • 9 Sep 2011 -­‐ Diginotar cer_ficate compromise for Iranian users • SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the cer_ficate. Unfortunately, majority of Web site cer_ficates rely on DNS to validate iden_ty. • DNS is relied on for unexpected things though insecure. *A Brief History of DNS Hijacking -­‐ Google h[p://costarica43.icann.org/mee_ngs/sanjose2012/presenta_on-­‐dns-­‐hijackings-­‐marquis-­‐boire-­‐12mar12-­‐en.pdf
  • 17. The Business Case for DNSSEC • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differenOator. • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a pla`orm for new security applicaOons (for those that see the opportunity). • DNSSEC infrastructure deployment has been brisk but requires experOse. Gecng ahead of the curve is a compeOOve advantage.
  • 18. • DNSSEC -­‐ Where we are Deployed on 462/654 TLDs (29 July 2014 70% .com .hr .es .in .af .ee .lb .bg .tm .cz .nl .uk .de .jp .cn .ru .р ф .my مليسيا .asia .tw 台灣, .kr 한국 .net, .org, .post, +gtlds) • Root signed** and audited • Required in new gTLDs. Basic support by ICANN registrars • Growing ISP support*. • 3rd party signing soluOons*** • Growing S/W H/W support: NLNetLabs, ISC, Microsop, PowerDNS, Secure64…? openssl, pos`ix, XMPP, mozilla: early DANE support • IETF standard on DNSSEC SSL cerOficates (RFC6698) • Growing support from major players…(Apple iPhone/iPad, Google 8.8.8.8,…) * COMCAST /w 20M and others; most ISPs in SE ,CZ. AND ~12% of resolvers validate using DNSSEC **Int’l bo[om-­‐up trust model /w 21 TCRs from: TT, BF, RU, CN, US, SE, NL, UG, BR, Benin, PT, NP, Mauri_us, CZ, CA, JP, UK, NZ… *** Par_al list of registrars: h[ps://www.icann.org/en/news/in-­‐focus/dnssec/deployment
  • 19. But… • But deployed on ~1-­‐2% (3.5M) of 2nd level domains. Many have plans. Few have taken the step (e.g., yandex.com, paypal.com*, comcast.com). • DNSChanger and other aWacks highlight today’s need. (e.g end-­‐2-­‐end DNSSEC validaOon would have avoided the problems) • InnovaOve security soluOons (e.g., DANE) highlight tomorrow’s value. * h[p://fedv6-­‐deployment.antd.nist.gov/cgi-­‐bin/generate-­‐com h[p://www.thesecurityprac_ce.com/ the_security_prac_ce/2011/12/all-­‐paypal-­‐domains-­‐are-­‐now-­‐using-­‐dnssec.html h[p://www.nacion.com/2012-­‐03-­‐15/Tecnologia/Si_os-­‐web-­‐de-­‐bancos-­‐_cos-­‐podran-­‐ser-­‐mas-­‐seguros.aspx
  • 20. DNSSEC: So what’s the problem? • Not enough IT departments know about it or are too busy pucng out other security fires. • When they do look into it they hear old stories of lack of turnkey soluOons. • Registrars*/DNS providers see no demand leading to “chicken-­‐and-­‐egg” problems. *but required by new ICANN registrar agreement
  • 21. Too many CAs. Which one can we trust? DNSSEC to the rescue…. CA CerOficate roots ~1482 DNSSEC root -­‐ 1 Login security SSHFP RFC4255 Content security Commercial SSL CerOficates for Web and e-­‐mail DANE and other yet to be discovered security innovaOons, enhancements, and synergies Content security “Free SSL” cerOficates for Web and e-­‐mail and “trust agility” Network security IPSECKEY RFC4025 Cross-­‐ organizaOonal and trans-­‐naOonal idenOty and authenOcaOon E-­‐mail security DKIM RFC4871 Securing VoIP Domain Names hWps://www.eff.org/observatory hWp://royal.pingdom.com/2011/01/12/internet-­‐2010-­‐in-­‐numbers/
  • 22. • For What you can do Companies: – Sign your corporate domain names – Just turn on validaOon on corporate DNS resolvers • For Users: – Ask ISP to turn on validaOon on their DNS resolvers • For All: – Take advantage of organizaOons offering DNSSEC educaOon and training
  • 24. DNSSEC Resource Records • 3 Public key crypto related RRs – RRSIG = Signature over RRset made using private key – DNSKEY = Public key, needed for verifying a RRSIG – DS = DelegaOon Signer; ‘Pointer’ for building chains of authenOcaOon • One RR for internal consistency – NSEC = Next Secure; indicates which name is the next one in the zone and which typecodes are available for the current name • authenOcated non-­‐existence of data RFC 4034
  • 25. DNSKEY • Contains the zone’s public key • Uses public key cryptography to sign and authenOcate DNS resource record sets (RRsets). • Example: myzone.net. IN DNSKEY 256 3 5 ( AwEAAagrVFd9xyFMQRjO4DlkL0dgUCtogviS+FG9Z6Au3h1ERe4EIi3L X49Ce1OFahdR2wPZyVeDvH6X4qlLnMQJsd7oFi4S9Ng+hLkgpm/n+otE kKiXGZzZn4vW0okuC0hHG2XU5zJhkct73FZzbmBvGxpF4svo5PPWZqVb H48T5Y/9 ) ; key id = 3510 Public key (base64)
  • 26. RRSIG • The private part of the key-­‐pair is used to sign the resource record set (RRset) per zone • The digital signature per RRset is saved in an RRSIG record myzone.net. 86400 NS ns.myzone.net. 86400 NS ns.yourzone.net. 86400 RRSIG NS 5 2 86400 ( 20121202010528 20121102010528 3510 myzone.net. Y2J2+CVqQRjQvcWY256ffiw5mp0OQTQUF8vUHSHyUbbhmE56eJimqDh Xb8qwlFjl40kmlzmQC5CmgugBqjgLHZbuvSfd9+Ucwkxbwx3HonAPr3 +0HVqP8rSqGRqSq0VbR7LzNeaylBkumLDoriQxceV4z3d2jFv4ArnM= )
  • 27. Types of Keys • Zone Signing Key (ZSK) – Sign the RRsets within the zone – Public key of ZSK is defined by a DNSKEY RR • Key Signing Key (KSK) – Signed the keys which includes ZSK and KSK and may also be used outside the zone • Using a single key or both keys is an operaOonal choice (RFC allows both methods)
  • 28. NSEC Record example $ORIGIN myzone.net.! @!SOA …! ! !NS !NS.myzone.net.! ! !DNSKEY !…! ! !NSEC mailbox.myzone.net. SOA NS NSEC DNSKEY RRSIG! ! mailbox !A !192.168.10.2 !! ! ! !NSEC www.myzone.net. A NSEC RRSIG! WWW ! !A !192.168.10.3 !! ! ! !TXT !Public webserver! ! ! !NSEC myzone.net. A NSEC RRSIG TXT!
  • 29. DelegaOon Signer (DS) • Establishes the chain of trust from parent to child zones • Found in the parent’s zone file • In this example, myzone.net has been delegated from .net. This is how it looks like in .net zone file myzone.net. IN NS ns1.myzone.net. NS ns2.myzone.net. IN DS 19996 5 1 ( CF96B018A496CD1A68EE7 C80A37EDFC6ABBF8175 ) IN DS 19996 5 2 ( 6927A531B0D89A7A4F13E11031 4C722EC156FF926D2052C7D8D70C50 14598CE9 )
  • 30. DelegaOon Signer (DS) • DelegaOon Signer (DS) RR indicates that: – delegated zone is digitally signed – indicated key is used for the delegated zone • Parent is authoraOve for the DS of the childs zone – Not for the NS record delegaOng the childs zone! – DS should not be in the childs zone
  • 31. DNSSEC ValidaOon • Recursive servers that are dnssec-­‐enabled can validate signed zones • The AD bit in the message flag shows if validated • Other opOons if you don’t have a validaOng resolver – Use a validator add-­‐on for your web browser • ex: hWps://www.dnssec-­‐validator.cz/ – Online web tools • hWp://dnsviz.net/ • hWp://dnssec-­‐debugger.verisignlabs.com/ – Use an open DNSSEC-­‐validaOng resolver • Some open validaOng resolvers – DNS-­‐OARC’s ODVR (link) • 149.20.64.20 (BIND9), 149.20.64.21 (Unbound) – Google Public DNS • 8.8.8.8 or 8.8.4.4
  • 32. DNSSEC -­‐ Secng up a Secure Zone • Enable DNSSEC in the configuraOon file (named.conf) dnssec-enable yes; dnssec-validation yes; • Create key pairs (KSK and ZSK) dnssec-keygen -a rsasha1 -b 1024 -n zone myzone.net • Publish your public key • Signing the zone • Update the config file – Modify the zone statement, replace with the signed zone file • Test with dig
  • 33. Signing the Zone • Sign the zone using the secret keys: dnssec-signzone –o <zonename> -N INCREMENT -f <output-file> -k <KSKfile> <zonefile> <ZSKfile> dnssec-signzone –o myzone.net db.myzone.net Kmyzone.net.+005+33633 • Once you sign the zone a file with a .signed extension will be created – db.myzone.net.signed
  • 34. TesOng with dig: an example dig @localhost www.apnic.net +dnssec +multiline
  • 35. Pushing the DS record • The DS record must be published by the parent zone. • Contact the parent zone to communicate the KSK to them.
  • 36. Ways to Deploy DNSSEC • As part of the DNS sopware used – Manual key management – Can be quite complex – For staOc environment – Some means of automaOon using • opOon commands and scripts • Use DNSSEC tools for BIND, NSD, PowerDNS, etc with a hardware security module (HSM) – Semi-­‐automaOc – Good for dynamic environment • Using an external appliance – ‘dnssec-­‐in-­‐a-­‐box’ – Fully HSM, OpenDNSSEC DNS Appliance automates key generaOon, signing and rollover
  • 37. DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.