DNSSEC
Florian Obser | NONOG-4 | 2022-09-21
About me
• Senior system engineer
- k.root-servers.net (AS25152)
- AuthDNS (AS197000)
- pri.authdns.ripe.net
- f-reverse
- ripe.net
- Various ccTLDs
• OpenBSD developer
- author of unwind(8)
  - validating resolver, based on Unbound
About DNS
• Globally distributed, scalable, hierarchical database
• Everything on the Internet uses it for federation
- Visiting a website
- Sending an Email
- Requesting a TLS certificate
- “Forgot my password” links
Problems with DNS
• No data integrity
• No authenticated data origin
• No authenticated denial of existence
• No privacy / confidentiality
- Not this talk
DNSSEC
• Public-key cryptography (DNSKEY)
• Signatures over authoritative data (RRSIG)
• Well-known trust anchor
- Key Signing Key of the root zone
• Delegate cryptographic authority (DS)
• Signing on zone change or RRSIG expiry, not per query
DNSViz - ripe.net
DNSViz - root and .net
DNSViz - ripe.net
DNSSEC Operations
• General DNS hygiene
- No lame delegations
- Keep name servers in sync
• Time
- Synchronised clocks on signers & validators
- TTLs
  - Usually long in parent zones, ~ 1+ days in TLDs
• RRSIG expiration
- Align RRSIG expiration with expire time in SOA record
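
One way to check the last point on signed zone data, as an added example (not from the talk): it reads RRSIG inception and expiration times and flags signatures whose remaining validity is shorter than the SOA expire value, since a secondary cut off from the signer keeps serving the zone for that long. The records, the zone example.test and the reading of "align" as "remaining validity of at least SOA expire" are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed records in dig presentation format; example.test is not a real zone.
SOA = ("example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
       "2022092101 3600 600 864000 300")
RRSIGS = [
    "example.test. 3600 IN RRSIG SOA 13 2 3600 20221005120000 20220921100000 12345 example.test. c2ln",
    "www.example.test. 300 IN RRSIG A 13 3 300 20220928120000 20220914100000 12345 example.test. c2ln",
    "old.example.test. 300 IN RRSIG A 13 3 300 20220920120000 20220906100000 12345 example.test. c2ln",
    "new.example.test. 300 IN RRSIG A 13 3 300 20221005130000 20220921130000 12345 example.test. c2ln",
]


def parse_ts(value):
    """RRSIG timestamps are printed as YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def soa_expire(line):
    """Return the SOA expire field (7th RDATA field is minimum, 6th is expire)."""
    fields = line.split()
    if fields[3] != "SOA":
        raise ValueError("not an SOA record")
    # RDATA: mname rname serial refresh retry expire minimum
    return timedelta(seconds=int(fields[9]))


def check_rrsig(line, expire, now):
    """Classify one RRSIG against the current time and the SOA expire value."""
    fields = line.split()
    if fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    # RDATA: covered alg labels orig-ttl expiration inception keytag signer sig
    expiration, inception = parse_ts(fields[8]), parse_ts(fields[9])
    if now < inception:
        status = "NOT_YET_VALID"      # signer clock ahead, or validator clock behind
    elif now > expiration:
        status = "EXPIRED"            # validators return SERVFAIL for this RRset
    elif expiration - now < expire:
        status = "SHORTER_THAN_SOA_EXPIRE"  # an isolated secondary would outlive it
    else:
        status = "OK"
    return fields[0], fields[4], status


def audit(soa_line, rrsig_lines, now):
    expire = soa_expire(soa_line)
    return [check_rrsig(line, expire, now) for line in rrsig_lines]


if __name__ == "__main__":
    now = datetime(2022, 9, 21, 12, 0, 0, tzinfo=timezone.utc)
    for owner, covered, status in audit(SOA, RRSIGS, now):
        print(f"{owner:20} {covered:4} {status}")
```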
Large answers
• IP Fragmentation
- DNS Flag Day 2020: limit UDP answers to 1232 bytes
• Amplification attacks
- Response Rate Limiting (RRL)
- Elliptic curve signatures are smaller than RSA
- NSEC answers are smaller than NSEC3 answers
Signing considerations
• ECDSAP256SHA256 (13) or RSASHA256 (8)
- RFC 8624: Algorithm Implementation Requirements and Usage Guidance for DNSSEC
• KSK/ZSK vs. CSK
- KSK / ZSK
  - KSK can be offline
  - (Emergency) ZSK rollovers are faster
- CSK
  - Zone is smaller
  - Fewer moving parts if keys are online anyway
  - Rollovers need to interact with parent zone
NSEC vs. NSEC3 vs. white-lies
• Provides authenticated denial of existence
• DNS records for “nothing exists in this interval”
• NSEC: labels are in the clear
- trivial zone enumeration
• NSEC3: labels are hashed
- susceptible to offline dictionary attacks
• white-lies: minimal interval is calculated per query
- Requires online, per-query signing
- Nothing is learned about zone contents
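
How a validator decides that an NSEC record proves a name does not exist, as an added example (not from the talk): names are compared in RFC 4034 canonical order, and an NSEC covers every name strictly between its owner and its next name. The zone example.test and its names are constructed, and escaped dots inside labels are not handled.

```python
# Constructed zone contents; example.test is not a real zone.
ZONE_NAMES = [
    "example.test.",
    "www.example.test.",
    "mail.example.test.",
    "alpha.example.test.",
    "ftp.mail.example.test.",
]


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left,
    each as a lowercase octet string; a missing label sorts first."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]


def build_nsec_chain(names):
    """Signer side: sort the owner names and link each one to the next.
    The last NSEC points back to the first name (the zone apex)."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def nsec_covers(owner, next_name, qname):
    """Validator side: does NSEC(owner -> next_name) prove qname is absent?"""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    # Wrap-around: the last NSEC covers everything after its owner.
    return q > o or q < n


def find_covering(chain, qname):
    """Return the (owner, next) pair covering qname, or None if qname
    is itself an owner name (it exists, so no interval contains it)."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return owner, next_name
    return None


# A full NXDOMAIN proof also needs an NSEC showing that no wildcard
# matches; this example checks only the interval for the queried name.
if __name__ == "__main__":
    chain = build_nsec_chain(ZONE_NAMES)
    for owner, next_name in chain:
        print(f"{owner} NSEC {next_name}")
    for q in ("beta.example.test.", "x.mail.example.test.", "zzz.example.test."):
        print(q, "covered by", find_covering(chain, q))
```

Every NSEC in the chain names two real owner names in the clear, which is why the slide calls enumeration trivial; NSEC3 keeps the same interval logic but over hashed labels.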
DNSSEC signing
• Fiendishly clever perl one-liner
• FOSS (alphabetical order)
- BIND
- Knot DNS
- OpenDNSSEC
- PowerDNS
AuthDNS design
[Diagram; labels: Zones (RIPE DB, git); Hidden Signer; Warm standby Hidden Signer; Distribution Server (×2); Anycast constellation]
Enabling DNSSEC
• Add DS record to parent zone
- Manual at the registrar
- API
- Inline using CDS / CDNSKEY
Debugging DNSSEC
• Step away from the computer and panic
• Online tools
- dnsviz.net
- dnssec-analyzer.verisignlabs.com
• CLI tools
- dig +dnssec +multiline +nocrypto
- delv
• DNS-OARC
- dns-operations mailing list
- Mattermost server
Validation
• All public quad-x resolvers validate
• FOSS (alphabetical order)
- BIND
- Knot Resolver
- PowerDNS recursor
- Unbound
Validator operations
• Time
- Synchronised clocks
- Make sure NTP does not depend on DNSSEC
• Monitor SERVFAIL rate
• Be prepared to put Negative Trust Anchors (NTA) in place
• Make sure middle boxes don’t interfere
Questions?
fobser@ripe.net
@florian@bsd.network
