4. Domain Name System (DNS)
• The Internet works with IP addresses (similar to telephone numbers)
  – Example: 200.1.123.3
• A DNS server is like a “phone guide to remember the IP address”
  – Example: www.nic.cl → 200.1.123.3
• This guide or database is hierarchical and distributed
5. How DNS works
[Diagram: the resolver handling http://www.uchile.cl/index.html asks the root DNS server (¿cl?), is referred to the authoritative server ns.nic.cl (¿www.uchile.cl?), is referred to the authoritative server ns1.uchile.cl, which answers for www.uchile.cl; the resolver stores the answer in its cache with an expiration time, and the browser then sends GET index.html to the returned address.]
7. Motivation to implement security into DNS
• “Normal” DNS has no means to guarantee the authenticity of the information
• Nor can it guarantee the integrity of the information
• It is a highly distributed database
  – There is no centralized agent for verification
  – There are several failure points
8. Security problems in DNS
[Diagram: the same lookup as on slide 5, but evil.uchile.cl (6.6.6.0) injects a forged answer for www.uchile.cl claiming to come “from 200.1.123.4”; the resolver accepts it, so the GET index.html request goes to the forged address instead of the real ns1.uchile.cl data.]
9. DNS data flow
[Diagram: zone generation and dynamic updates feed the master server; the zone is distributed from the master to the secondaries; resolvers query the authoritative servers, and the stub resolver (application library) queries the resolvers.]
10. Vulnerabilities
[Diagram: the data flow of slide 9 annotated with where each threat applies: data corruption, cache poisoning, unauthorized (dynamic) update, and supplanting of a server. The slide groups the threats into Server Security and Data Security and marks the data-security part as the one DNSSEC addresses.]
11. DNS Security Extensions (DNSSEC)
• Guarantees the authenticity and integrity of the data
  – Introduces digital signatures
• It uses trust chains from the root to the requested domain
• It adds considerable extra complexity to the processes
12. Digital Signature
[Diagram: Bob creates a key pair (private key, public key). Bob signs the message “I love you!” with his private key and Alice verifies it with Bob's public key. Alice's question: mmm… how may I be sure that the message comes from Bob (and that nobody has changed it)?]
13. How DNSSEC works?
[Diagram: the lookup of http://www.uchile.cl/index.html from slide 5 with DNSSEC: the root DNS server returns the DS record for cl, ns.nic.cl returns the DS record for uchile.cl, and ns1.uchile.cl answers www.uchile.cl; the resolver follows the chain root → cl → uchile.cl before trusting the address.]
14. Some facts about digital signatures
• All the security resides in the private key
• The strength of a key is defined by the time needed to break it
  – The bigger the key, the longer it can live (harder to break)
• Creating a key pair is computationally expensive
• Generating a digital signature is computationally expensive (exponentially in the key size)
  – The existing domains are pre-signed
  – What about the non-existing domains?
15. Non existing domains
[Diagram: the query ¿existsfake.nic.cl? sent to ns.nic.cl. Normal DNS answers NXDOMAIN. DNSSEC answers NXDOMAIN plus a signed NSEC record for the interval ] exists.nic.cl , existstoo.nic.cl [ (names in alphabetic order), proving that no name exists between them.]
¡Consequence!: with several requests for domains we can learn the full zone (walking the zone).
16. Non existing domains
New extension: NSEC3, solves “walking the zone”
[Diagram: a hash function H(m) maps a name m to a value such as 635EA8F7CD9A76EEF610B1. The query ¿existsfake.nic.cl? to ns.nic.cl is answered with NXDOMAIN plus an NSEC3 record for the interval ] H(www.nic.cl) , H(mail.nic.cl) [ , in alphabetic order of the hashes, so the interval reveals hashes rather than names.]
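Added example (not from the slides or NIC Chile's code): Python that computes the NSEC3 owner hash of RFC 5155, applies the interval test that an NSEC or NSEC3 record answers with, and walks a chain to show why slide 15's zone walking works and why the hashed chain of slide 16 only yields hashes. The nic.cl names, salt and chains are constructed for the example.

```python
import base64
import hashlib

# base32hex (RFC 4648 "Extended Hex") alphabet: it keeps the byte order of the hashes, so NSEC3
# owner names can be sorted as plain strings.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    """Lower-cased labels of a domain name; the trailing dot is optional."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def canonical_key(name):
    """Sort key for RFC 4034 canonical order: labels compared from the right (cl, nic, exists, ...)."""
    return tuple(reversed(labels(name)))

def nsec3_hash(name, salt=b"", iterations=0):
    """NSEC3 hash of RFC 5155: SHA-1 over the wire-format name plus salt, re-hashed 'iterations' times."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()

def covers(owner, nxt, target):
    """True when target lies strictly inside ]owner, nxt[, the gap an NSEC/NSEC3 record proves empty.
    Arguments must already be comparable: canonical_key() values for NSEC, hash strings for NSEC3.
    The last record of the chain points back to the apex, so its interval wraps around."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt

def walk_chain(chain, start):
    """Follow the 'next' pointers until they loop. With NSEC this enumerates every name in the
    zone (slide 15's 'walking the zone'); with NSEC3 the same walk only yields hashes."""
    seen, cur = [], start
    while cur not in seen:
        seen.append(cur)
        cur = chain[cur]
    return seen

# Constructed NSEC chain for the nic.cl example: apex -> exists -> existstoo -> back to the apex.
NSEC_CHAIN = {"nic.cl.": "exists.nic.cl.", "exists.nic.cl.": "existstoo.nic.cl.",
              "existstoo.nic.cl.": "nic.cl."}

# The same zone under NSEC3 (constructed salt, 1 extra iteration): ordered and keyed by hash, not by name.
NSEC3_HASHES = sorted(nsec3_hash(n, b"\xaa\xbb", 1) for n in NSEC_CHAIN)
NSEC3_CHAIN = dict(zip(NSEC3_HASHES, NSEC3_HASHES[1:] + NSEC3_HASHES[:1]))
```

Hashes produced with the salt and iteration count of RFC 5155 Appendix A can be compared against the values listed there.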
18. Implementation
• DNS resources (Resource Records)
    Name               TTL    Class  Type  Value
    www.niclabs.cl.    86400  IN     A     200.27.115.130
    niclabs.cl.        3579   IN     NS    ns.niclabs.cl.
    niclabs.cl.        86400  IN     MX    10 smtp.niclabs.cl.
    www.niclabs.cl.    86400  IN     AAAA  2001:1398:16:4:100::2
19. New resource records
• Digital signature records
  – RRSIG: Signature of an RRset
  – DNSKEY: Public key
  – DS: Delegation Signer
• Consistency records
  – NSEC/NSEC3
20. Implementation
• DNSSEC introduces 4 new records
  – 1) RRSIG (Digital Signature)
    www.niclabs.cl.  19  IN  A      212.247.7.218
    www.niclabs.cl.  19  IN  RRSIG  A 5 3 60 20091019132001 (
                                    20091009132001 51428 niclabs.cl.
                                    W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW
                                    L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6
                                    Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl
                                    4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )
    Fields of the RRSIG, in order: RR type signed (A), algorithm (5), labels (3), original TTL (60), expiration time (20091019132001), inception time (20091009132001), key tag (51428), signer’s name (niclabs.cl.), digital signature.
22. Implementation
• DNSSEC introduces 4 new records
  – 3) DS (Delegation)
    niclabs.cl.  1007  IN  DS     16696 5 1 (
                                  EF5D421412A5EAF1230071AFFD4F585E3B2B1A60 )
    niclabs.cl.  1007  IN  RRSIG  DS 5 1 3600 20091022230530 (
                                  20091016022314 12075 cl.
                                  HAqB5XoFsakxjmzk6YvRvJFXHyXvBMfjjPbd0u4RXojV
                                  fGGrHtBgt5eIh/c6X8p+JDONf5nypt7cFatUCRm2M4N3
                                  ZbBKOJyYonFU4LIEQ5CjmHVFCJHBOxKLDAWe2P3jX4/a
                                  kQ3JUy5SKztkoGn4GFhQnjCgWyf+n1GqAwTgD6A= )
    Fields of the DS: key tag (16696), algorithm (5), hash type (1), hash value. The RRSIG over the DS is the signature from the parent (cl.).
23. Implementation
• DNSSEC introduces 4 new records
  – 4) NSEC (Non existing domain: none.niclabs.cl)
    lists.niclabs.cl.  3536  IN  NSEC   ns.niclabs.cl. A MX RRSIG NSEC
    lists.niclabs.cl.  3536  IN  RRSIG  NSEC 5 3 3600 20091026132001 (
                                        20091016132001 51428 niclabs.cl.
                                        npxr6gaJtvrdYFndtKa8rJYcIdonp6q/Nrklaf6xoMN9
                                        xDbIqem0HzzM5qPStXWbG3TGSWJfIwqOeY6FMAaXER/e
                                        hlg+eFyRd5Zb/EAxSIx4NMUkKrWMkdsj49GZhHO9yEtB
                                        5yRU1T4Ii2GULiX233DwvWt/+ZLaJfEODU0kVTk= )
    ns.niclabs.cl. is the next existing domain; A MX RRSIG NSEC are the resource types associated with lists.niclabs.cl.
24. Key issues
• Interaction with the parent is administratively expensive
  – Should only be done when needed
  – Bigger keys with a long lifetime are better
• Signing zones should be fast
  – Memory restrictions
  – Space and time concerns
  – Smaller keys with short lifetimes are better
25. Key solution
• Operate with two keys
  – KSK: Key Signing Key
    • Bigger key
    • Creates bigger signatures (it only signs the ZSK DNSKEY)
    • Long lifetime (years)
  – ZSK: Zone Signing Key
    • Smaller key
    • Creates smaller signatures
    • Short lifetime (months)
• Secure Entry Point flag (DNSKEY flags 256/257)
26. Walking the trust chain
Root: the KSK signs the ZSK
    . DNSKEY (id = 11) ; KSK
    . DNSKEY (id = 22) ; ZSK
    . RRSIG DNSKEY (11)
Root: the ZSK signs the authoritative data (SOA, NS, DS, etc.)
    cl. DS 33
    cl. RRSIG DS (...) (22)

cl.: the KSK signs the ZSK
    cl. DNSKEY (id = 33) ; KSK
    cl. DNSKEY (id = 44) ; ZSK
    cl. RRSIG DNSKEY (33)
cl.: the ZSK signs the authoritative data (SOA, NS, DS, etc.)
    nic.cl. DS 55
    nic.cl. RRSIG DS (...) (44)

nic.cl.:
    nic.cl. DNSKEY (id = 55) ; KSK
    nic.cl. DNSKEY (id = 66) ; ZSK
    nic.cl. RRSIG DNSKEY (55)
    www.nic.cl. A 200.1.123.3
    www.nic.cl. RRSIG A (...) (66)
27. Verify the trust chain
• Data in the zone can be trusted if signed by a ZSK
• A ZSK can be trusted if signed by a KSK
• A KSK can be trusted if pointed to by a trusted DS record
• A DS record can be trusted:
  – If signed by the parent ZSK
  – A DS or DNSKEY can be trusted if it is a Secure Entry Point (SEP)
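Added example (not from the slides or NIC Chile's code): a Python model of the trust-chain rules of slides 25 to 27. The key tag (RFC 4034 Appendix B) and the DS digest are computed the way a validator does; RRSIG verification is abstracted as a record of which key tag signed each RRset, because the point is the linkage between DS, KSK and ZSK. All key bytes and zone contents are constructed.

```python
import hashlib

SEP_FLAG = 0x0001  # DNSKEY flags: 256 = zone key (ZSK), 257 = zone key + Secure Entry Point (KSK)

def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | public key bytes."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata):
    """Key tag of RFC 4034 Appendix B, the number DS and RRSIG use to name a key (e.g. 16696)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(child, rdata):
    """DS the parent publishes for a child KSK: (key tag, algorithm, SHA-256 of name + DNSKEY RDATA)."""
    return (key_tag(rdata), rdata[3], hashlib.sha256(wire_name(child) + rdata).hexdigest())

def verify_chain(trusted_ds, zones):
    """Apply the slide's rules from a trusted DS (trust anchor) down the list of zones, root first.
    Each zone: {"name", "keys": {tag: rdata}, "signed_by": {"DNSKEY": tag, "DATA": tag, "DS": tag},
    "child_ds": DS tuple or None}. Signature checks are modelled as 'which key tag signed this
    RRset'; a real validator verifies each RRSIG cryptographically with that DNSKEY."""
    for zone in zones:
        name, ksk = zone["name"], zone["keys"].get(trusted_ds[0])
        if ksk is None or not int.from_bytes(ksk[:2], "big") & SEP_FLAG:
            return False, f"{name}: no SEP key with tag {trusted_ds[0]}"
        if make_ds(name, ksk) != trusted_ds:
            return False, f"{name}: KSK does not match the trusted DS"
        if zone["signed_by"].get("DNSKEY") != trusted_ds[0]:
            return False, f"{name}: DNSKEY RRset (the ZSK) is not signed by the trusted KSK"
        zsk_tag = zone["signed_by"].get("DATA")
        if zsk_tag not in zone["keys"]:
            return False, f"{name}: zone data signed by unknown key {zsk_tag}"
        if zone["child_ds"] is None:
            return True, f"chain valid down to {name}"
        if zone["signed_by"].get("DS") != zsk_tag:
            return False, f"{name}: DS for the child is not signed by the ZSK"
        trusted_ds = zone["child_ds"]   # the parent ZSK vouched for it: descend one level
    return True, "chain valid"
```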
31. DNSSEC in the world
• Operational TLDs:
  – .se .org .gov .br .bg .cz .pr .na .th
• Root zone:
  – fully deployed by July 2010
  – So, no more excuses to implement it!
• And Chile…?
32. NIC Chile
• Working on DNSSEC since
  – 2004/xx: First toy tests...
  – 2008/07: Niclabs starts formal research
  – 2008/11: Internal Working Group
  – 2009/06: Internal resolver with iTAR & DLV (BIND + Unbound)
  – 2009/07: Testbed .CL + DNSSEC
  – 2009/08: Public resolver resolversec.niclabs.cl
33. NIC Chile
• Short term solution
  – Signing differences
  – DS registration by hand
  – Currently in test
• Long term solution
  – DS exchange integrated with EPP
  – Distributed crypto
  – Open generic solution for the community
37. What do I need?
• You want to do it! (really)
• Define signature and key lifetimes
  – RRSIG 1 month
  – ZSK 3 months / KSK 1 year
• Define key sizes
  – KSK >= 2048 and ZSK >= 1024
• Define your process and policy
  – Documentation (emergency recovery)
  – Training
38. Key creation
• KSK
    # -f KSK sets the Secure Entry Point flag (DNSKEY flags 257); without it the key is a ZSK (256)
    dnssec-keygen -a RSASHA1 -r /dev/urandom -b 2048 -f KSK -n ZONE cl.
• ZSK
    dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE cl.
40. Zone-resigning
• -i interval: how long to keep “old” signatures
• Default cycle interval = (end time - start time)/4
• Replace a signature with a new RRSIG if it expires within the last cycle interval
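Added example (not from the slides or NIC Chile's code): Python that parses the RRSIG shown on slide 20 into the fields annotated there and applies slide 40's re-signing rule (the -i option of BIND's dnssec-signzone), with the cycle interval defaulting to (expiration - inception)/4 when no interval is given. The interval is taken in seconds, an assumption of this example.

```python
import base64
from datetime import datetime, timedelta, timezone

# The RRSIG from the "Implementation" slide, embedded here as sample input in zone-file presentation format.
SAMPLE_RRSIG = """\
www.niclabs.cl. 19 IN RRSIG A 5 3 60 20091019132001 (
        20091009132001 51428 niclabs.cl.
        W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW
        L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6
        Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl
        4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )"""

def rrsig_time(field):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(text):
    """Split a (possibly parenthesised, multi-line) RRSIG record into the fields of slide 20."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    if tokens[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": tokens[0], "ttl": int(tokens[1]), "type_covered": tokens[4],
        "algorithm": int(tokens[5]), "labels": int(tokens[6]), "original_ttl": int(tokens[7]),
        "expiration": rrsig_time(tokens[8]), "inception": rrsig_time(tokens[9]),
        "key_tag": int(tokens[10]), "signer": tokens[11],
        "signature": base64.b64decode("".join(tokens[12:])),  # raw signature bytes
    }

def needs_resign(rrsig, now, interval=None):
    """Slide 40's rule: replace the signature when it expires within the cycle interval,
    which is -i (seconds) if given, else (expiration - inception) / 4."""
    cycle = timedelta(seconds=interval) if interval is not None else (rrsig["expiration"] - rrsig["inception"]) / 4
    return rrsig["expiration"] - now <= cycle

def signatures_to_replace(records, now, interval=None):
    """Return the (owner, type covered) pairs whose RRSIG must be regenerated in this signing run."""
    return [(r["owner"], r["type_covered"]) for r in records if needs_resign(r, now, interval)]
```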
42. Decisions for DNSSEC
• NSEC or NSEC3?
• Key sizes?
  – KSK (Key Signing Key) and ZSK (Zone Signing Key)
• Lifetime for keys/signatures?
• Sign all at once? Opt-out?
• Revoke keys
  – Normal rollover, key compromise, key lost.
  – Overlap of keys (old ones sign new ones)?
  – Parent, children?
43. Other issues
• Resolver behaviour
  – Domain secure, insecure, bogus, indeterminate
• How much does DNSSEC cost?
  – CPU, memory, time, bandwidth, effort, development
44. DNSSEC…
• Solves the authenticity and integrity problems
• Introduces a lot of operational overhead
  – Key management must be improved
  – Needs practice
• Is it worth it?
  – Open discussion…