DNSSEC
DNS Security Extensions

FIRST Technical Colloquium
Victor Ramiro
NIC Labs
vramiro@niclabs.cl
Agenda

• What is DNSSEC?
• DNSSEC implementation
• DNSSEC in NIC Chile
• DNSSEC in Authoritative Servers
DNSSEC… What?!

WHAT IS DNSSEC?
Domain Name System (DNS)

• The Internet works with IP addresses (similar to telephone numbers)
  – Example: 200.1.123.3
• A DNS server is like a “phone guide to remember the IP address”
  – Example: www.nic.cl → 200.1.123.3
• This guide or database is hierarchical and distributed
How DNS works

[Figure: a browser requesting http://www.uchile.cl/index.html asks the resolver (DNS Server) “¿www.uchile.cl?”. The resolver asks the authoritative Root “¿cl?” and is referred to ns.nic.cl, which refers it to ns1.uchile.cl; ns1.uchile.cl answers with the address of www.uchile.cl. The resolver keeps the answer in its cache until its expiration and returns it to the client, which then sends GET index.html to that address.]
DNS Hierarchy

[Figure: the name space as a tree of zones. The ROOT zone delegates ORG and CL with NS records (plus the addresses of their name servers); the CL zone delegates UCHILE.CL and NIC.CL the same way; each leaf zone holds its own records, such as the A record of www and the NS records of its servers.]
Motivation to implement security into DNS

• “Normal” DNS has no means to guarantee the authenticity of the information
• Nor can it guarantee the integrity of the information
• It is a highly distributed database
  – There is no centralized agent for verification
  – There are several points of failure
Security problems in DNS

[Figure: the same lookup of www.uchile.cl as before, but while the resolver waits for ns1.uchile.cl, a host evil.uchile.cl (6.6.6.0) injects a forged answer “from 200.1.123.4” (the address of the real server). The resolver accepts and caches 6.6.6.0 for www.uchile.cl, and the browser sends GET index.html to the attacker's host.]
DNS data flow

[Figure: zone generation and dynamic updates feed the zone file of the master; the master transfers the zone to the secondaries; resolvers query the authoritative servers (master and secondaries); stub resolvers (the application library) query the resolvers.]
Vulnerabilities

[Figure: the data flow annotated with its threats. Data corruption during zone generation; unauthorized update through dynamic updates; supplanting (impersonating) the master or the secondaries; cache poisoning at the resolvers. The left half (zone generation, master, secondaries) is labelled Server Security; the right half (resolvers, stub resolver) is labelled Data Security, which is the part DNSSEC addresses.]
DNS Security Extensions (DNSSEC)

• Guarantees data authenticity and integrity
  – Introduces digital signatures
• Uses chains of trust from the root down to the requested domain
• Introduces considerable extra complexity into the processes
Digital Signature

[Figure: Bob creates a key pair. With his private key he creates a signature over the message “I love you!”; Alice, holding Bob's public key, verifies it. This answers her question: “mmm… how may I be sure that the message comes from Bob (and that nobody has changed it)?”]
How does DNSSEC work?

[Figure: the lookup of www.uchile.cl again, now with a DS record accompanying each referral. The root publishes the DS record of cl, the cl zone publishes the DS record of uchile.cl, and ns1.uchile.cl returns the signed A record. Starting from the root key it trusts, the resolver checks each link (root → cl → uchile.cl) before accepting the final answer; a link that does not verify is marked with “?”.]
Some facts about digital signatures

• All the security resides in the private key
• The strength of a key is defined by the time needed to break it
  – The bigger the key, the longer it can live (it is harder to break)
• Creating a key pair is computationally expensive
• Generating a digital signature is computationally expensive (growing exponentially with the key size)
  – The existing domains are pre-signed
  – What about the non-existing domains?
Non-existing domains

Normal DNS vs. DNSSEC

[Figure: ns.nic.cl holds the names of the nic.cl zone in alphabetic order (among them exists.nic.cl, existstoo.nic.cl and www.nic.cl). A query for existsfake.nic.cl is answered with NXDOMAIN; under DNSSEC the signed answer proves it by returning the interval ] exists.nic.cl , existstoo.nic.cl [ , the two neighbouring names that do exist.]

¡Consequence! With several requests for domains we can learn the full zone (walking the zone).
Non-existing domains

New extension: NSEC3, solves “walking the zone”

[Figure: a hash function H maps a name m to a digest such as 635EA8F7CD9A76EEF610B1. ns.nic.cl stores the hashed names of the zone in alphabetic order of the hash; the query for existsfake.nic.cl is hashed, answered with NXDOMAIN, and the proof is the interval ] H(www.nic.cl) , H(mail.nic.cl) [ between the two neighbouring hashes, which reveals no real names.]
Piece by piece…

DNSSEC IMPLEMENTATION
Implementation

• DNS Resource Records (RR)

Name              TTL    Class  Type   Value
www.niclabs.cl.   86400  IN     A      200.27.115.130
niclabs.cl.       3579   IN     NS     ns.niclabs.cl.
niclabs.cl.       86400  IN     MX     10 smtp.niclabs.cl.
www.niclabs.cl.   86400  IN     AAAA   2001:1398:16:4:100::2
New resource records

• Digital signature records
  – RRSIG: Signature of an RRset
  – DNSKEY: Public key
  – DS: Delegation Signer
• Consistency records
  – NSEC/NSEC3
Implementation

• DNSSEC introduces 4 new records
  – 1) RRSIG (Digital Signature)

www.niclabs.cl.   19 IN A     212.247.7.218

www.niclabs.cl.   19 IN RRSIG A 5 3 60 20091019132001 (
                  20091009132001 51428 niclabs.cl.
                  W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW
                  L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6
                  Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl
                  4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )

Fields after RRSIG, in order: type of the signed RRset (A), algorithm (5), number of labels (3), original TTL (60), expiration time (20091019132001), inception time (20091009132001), key tag (51428), signer's name (niclabs.cl.), digital signature.
Implementation

• DNSSEC introduces 4 new records
  – 2) DNSKEY (Public Key)

niclabs.cl.   3600 IN DNSKEY 256 3 5 (
              BQEAAAABwHjOzI7/4vXsmQGSDPSHSCJqVhpQNtyFgETJ
              ymEatCPKqC43zahNmucNVMURGXhzz31jRQXdriMAryqK
              dDHgS36/4ZsFMLSOZSXlR+O9rnmtpVtsTICoXprgBy6h
              GIYiIx6m8C+e9c9EfQjQW7E/216Wzoo2qE7UuR0XReaP
              980=
              ) ; key id = 51428

niclabs.cl.   3600 IN DNSKEY 257 3 5 (
              AwEAAdhJAx197qFpGGXuQn8XH0tQpQSfjvLKMcreRvJy
              O+f3F3weIHR36E8DObolHFp+m1YkxsgnHYjUFN4E9sKa
              38ZXU0oHTSsB3adExJkINA/tINDlKrzUDn4cIbyUCqHN
              Ge0et+lHmjmfZdj62GJlHgVmxizYkoBd7Rg0wxzEOo7C
              A3ZadaHuqmVJ2HvqRCoe+5NDsYpnDia7WggvLTe0vorV
              6kDcu6d5N9AUPwBsR7YUkbetfXMtUebux71kHCGUJdmz
              p84MeDi9wXYIssjRoTC5wUF2H3I2Mnj5GqdyBwQCdj5o
              tFbRAx3jiMD+ROxXJxOFdFq7fWi1yPqUf1jpJ+8=
              ) ; key id = 16696

Fields after DNSKEY, in order: flags (256 = Zone Key, the ZSK; 257 = Zone Key + Secure Entry Point, the KSK), protocol (3, fixed), algorithm (5), public key. The “key id” in the comment is the key tag.
Implementation

• DNSSEC introduces 4 new records
  – 3) DS (Delegation Signer)

niclabs.cl.   1007 IN DS 16696 5 1 (
              EF5D421412A5EAF1230071AFFD4F585E3B2B1A60 )

niclabs.cl.   1007 IN RRSIG DS 5 1 3600 20091022230530 (
              20091016022314 12075 cl.
              HAqB5XoFsakxjmzk6YvRvJFXHyXvBMfjjPbd0u4RXojV
              fGGrHtBgt5eIh/c6X8p+JDONf5nypt7cFatUCRm2M4N3
              ZbBKOJyYonFU4LIEQ5CjmHVFCJHBOxKLDAWe2P3jX4/a
              kQ3JUy5SKztkoGn4GFhQnjCgWyf+n1GqAwTgD6A= )

Fields after DS, in order: key tag (16696), algorithm (5), hash type (1), hash value. The DS record lives in the parent zone, so its RRSIG is a signature from the parent (signer cl., key tag 12075).
Implementation

• DNSSEC introduces 4 new records
  – 4) NSEC (non-existing domain: none.niclabs.cl)

lists.niclabs.cl.   3536 IN NSEC ns.niclabs.cl. A MX RRSIG NSEC

lists.niclabs.cl.   3536 IN RRSIG NSEC 5 3 3600 20091026132001 (
                    20091016132001 51428 niclabs.cl.
                    npxr6gaJtvrdYFndtKa8rJYcIdonp6q/Nrklaf6xoMN9
                    xDbIqem0HzzM5qPStXWbG3TGSWJfIwqOeY6FMAaXER/e
                    hlg+eFyRd5Zb/EAxSIx4NMUkKrWMkdsj49GZhHO9yEtB
                    5yRU1T4Ii2GULiX233DwvWt/+ZLaJfEODU0kVTk= )

The NSEC record names the next existing domain (ns.niclabs.cl.) and the resource types associated with lists.niclabs.cl. (A MX RRSIG NSEC). Because none.niclabs.cl sorts between lists.niclabs.cl and ns.niclabs.cl, this signed record proves that it does not exist.
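To make the NSEC interval on this slide and the NSEC3 hashing of the “Non-existing domains” slides concrete, here is an added Python example; it is not code from the presentation or from NIC Labs. It builds the NSEC chain of a small constructed nic.cl zone in the canonical order of RFC 4034, finds the record a server would return to deny a name, and then does the same with NSEC3 (RFC 5155 hashing with base32hex owner names), where the returned interval contains only hashes. The zone names, the salt and the iteration count are assumptions chosen for the example.

```python
import base64
import hashlib

# Constructed zone for the example (only the names matter here, not their records).
ZONE_NAMES = ["nic.cl", "www.nic.cl", "exists.nic.cl", "existstoo.nic.cl", "mail.nic.cl"]


def canonical_key(name):
    """Sort key for RFC 4034 canonical DNS name order: labels are compared right to left,
    case-insensitively, as unsigned bytes; a name sorts before any name that extends it."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def name_to_wire(name):
    """Wire form of a name (lowercased, length-prefixed labels, root label last); NSEC3 hashes this."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec_chain(zone_names):
    """Each existing name points at the next one in canonical order; the last wraps to the apex."""
    ordered = sorted({n.rstrip(".").lower() for n in zone_names}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covering_record(chain, q, key=lambda x: x):
    """Return the (owner, next) pair whose open interval contains q, or None when q is itself
    an owner (the name exists). The last record wraps around, so it covers everything past it."""
    kq = key(q)
    for owner, nxt in chain:
        lo, hi = key(owner), key(nxt)
        if kq == lo:
            return None
        wraps = hi <= lo
        if (lo < kq < hi) or (wraps and (kq > lo or kq < hi)):
            return owner, nxt
    return None


def base32hex(data):
    """Base32 with the extended hex alphabet (RFC 4648 section 7), the encoding of NSEC3 owners."""
    standard = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    extended = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    encoded = base64.b32encode(data).decode("ascii").rstrip("=")
    return encoded.translate(str.maketrans(standard, extended))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(zone_names, salt, iterations):
    """Like nsec_chain, but the owners are hashes; base32hex preserves binary order, so plain
    string sorting gives the hash order of the figure."""
    names = {n.rstrip(".").lower() for n in zone_names}
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


def prove_nonexistence(zone_names, qname, salt=b"\x01\x23", iterations=10):
    """The NSEC record and the NSEC3 record a server would send to deny qname (None = it exists)."""
    nsec = covering_record(nsec_chain(zone_names), qname, key=canonical_key)
    nsec3 = covering_record(nsec3_chain(zone_names, salt, iterations),
                            nsec3_hash(qname, salt, iterations))
    return nsec, nsec3


if __name__ == "__main__":
    nsec, nsec3 = prove_nonexistence(ZONE_NAMES, "existsfake.nic.cl")
    print("NSEC  proof:", nsec)    # two real neighbouring names: the zone leaks
    print("NSEC3 proof:", nsec3)   # two neighbouring hashes only
```

The NSEC proof returns the two real names around the query, which is exactly what walking the zone collects; the NSEC3 proof returns two hashes, so an enumerator only learns how many names exist and must brute-force the hashes to learn more (the salt and iteration count raise that cost).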
Key issues

• Interaction with the parent is administratively expensive
  – Should only be done when needed
  – Bigger keys with a long lifetime are better
• Signing zones should be fast
  – Memory restrictions
  – Space and time concerns
  – Smaller keys with short lifetimes are better
Key solution

• Operate with two keys
  – KSK: Key Signing Key
    • Bigger key
    • Creates bigger signatures (it only signs the DNSKEY RRset, i.e. the ZSK)
    • Long lifetime (years)
  – ZSK: Zone Signing Key
    • Smaller key
    • Creates smaller signatures
    • Short lifetime (months)
• The Secure Entry Point flag tells them apart: flags 256 (ZSK) / 257 (KSK)
Walking the trust chain

The root KSK signs the root ZSK; the root ZSK signs the authoritative data (SOA, NS, DS, etc.):

.        DNSKEY (id = 11) ; KSK
.        DNSKEY (id = 22) ; ZSK
.        RRSIG DNSKEY (11)
cl.      DS 33
cl.      RRSIG DS (...) (22)

The cl. KSK signs the cl. ZSK; the cl. ZSK signs the authoritative data (SOA, NS, DS, etc.):

cl.      DNSKEY (id = 33) ; KSK
cl.      DNSKEY (id = 44) ; ZSK
cl.      RRSIG DNSKEY (33)
nic.cl.  DS 55
nic.cl.  RRSIG DS (...) (44)

And the same pattern again inside nic.cl.:

nic.cl.      DNSKEY (id = 55) ; KSK
nic.cl.      DNSKEY (id = 66) ; ZSK
nic.cl.      RRSIG DNSKEY (55)
www.nic.cl.  A 200.1.123.3
www.nic.cl.  RRSIG A (...) (66)
Verify the trust chain

• Data in a zone can be trusted if it is signed by a ZSK
• A ZSK can be trusted if it is signed by a KSK
• A KSK can be trusted if it is pointed to by a trusted DS record
• A DS record can be trusted:
  – If it is signed by the parent ZSK
  – A DS or DNSKEY can also be trusted if it is a configured Secure Entry Point (SEP), i.e. a trust anchor
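The link from a DS record to a KSK in the list above is the one step of the chain that needs nothing but a hash: the DS carries the key tag, the algorithm and a digest of the DNSKEY. The following Python is an added example, not code from the presentation or from NIC Labs. It computes the key tag of RFC 4034 Appendix B, reads the KSK/ZSK role out of the flags (256/257, as on the “Key solution” slide), computes the DS digest of RFC 4034 section 5.1.4, and compares a DS to a DNSKEY. The toy public key used in the checks is a constructed assumption; the niclabs.cl KSK and DS are copied from the DNSKEY and DS slides. Verifying the RRSIG signature bytes themselves needs an RSA implementation and is not part of this example.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels, root label last."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B, all algorithms except 1): sum the RDATA as big-endian
    16-bit words, fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """Bit 7 (value 256) marks a zone key, bit 15 (value 1) the Secure Entry Point:
    256 is a ZSK, 257 is a KSK."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(owner, ds_tag, ds_alg, ds_digest_type, ds_value, rdata):
    """The check a validator makes at the zone cut: tag, algorithm and digest must all match."""
    return (ds_tag == key_tag(rdata)
            and ds_alg == rdata[3]
            and ds_value.upper() == ds_digest(owner, rdata, ds_digest_type))


def parse_dnskey(presentation):
    """Parse 'flags protocol algorithm base64...' (the text after 'DNSKEY' in a zone file) to RDATA."""
    fields = presentation.replace("(", " ").replace(")", " ").split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    return dnskey_rdata(flags, protocol, algorithm, base64.b64decode("".join(fields[3:])))


# The niclabs.cl KSK and its DS as printed on the slides (the slide lists key id = 16696).
NICLABS_KSK = """257 3 5 (
    AwEAAdhJAx197qFpGGXuQn8XH0tQpQSfjvLKMcreRvJy
    O+f3F3weIHR36E8DObolHFp+m1YkxsgnHYjUFN4E9sKa
    38ZXU0oHTSsB3adExJkINA/tINDlKrzUDn4cIbyUCqHN
    Ge0et+lHmjmfZdj62GJlHgVmxizYkoBd7Rg0wxzEOo7C
    A3ZadaHuqmVJ2HvqRCoe+5NDsYpnDia7WggvLTe0vorV
    6kDcu6d5N9AUPwBsR7YUkbetfXMtUebux71kHCGUJdmz
    p84MeDi9wXYIssjRoTC5wUF2H3I2Mnj5GqdyBwQCdj5o
    tFbRAx3jiMD+ROxXJxOFdFq7fWi1yPqUf1jpJ+8= )"""
NICLABS_DS = (16696, 5, 1, "EF5D421412A5EAF1230071AFFD4F585E3B2B1A60")

if __name__ == "__main__":
    rdata = parse_dnskey(NICLABS_KSK)
    print("role:", key_role(257), "key tag:", key_tag(rdata))
    print("DS matches KSK:", ds_matches_dnskey("niclabs.cl.", *NICLABS_DS, rdata))
```

Run stand-alone it recomputes the key tag of the slide's KSK and checks it against the slide's DS; the same two functions are what an operator runs before handing a DS to the parent, since a DS whose digest or tag does not match the published KSK breaks the whole chain below it.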
Lifetime for signatures and keys

[Figure only.]
Or… how to implement DNSSEC in a TLD?

DNSSEC IN NIC CHILE
DNSSEC in the world

[Figure only: map of DNSSEC deployment.]
DNSSEC in the world

• Operative TLDs:
  – .se .org .gov .br .bg .cz .pr .na .th
• Root zone:
  – fully deployed by July 2010
  – So, no more excuses to implement it!
• And Chile…?
NIC Chile

• Working on DNSSEC since
  – 2004/xx: First toy tests...
  – 2008/07: Niclabs starts formal research
  – 2008/11: Internal Working Group
  – 2009/06: Internal resolver with iTAR & DLV (BIND + Unbound)
  – 2009/07: Testbed .CL + DNSSEC
  – 2009/08: Public resolver resolversec.niclabs.cl
NIC Chile

• Short term solution
  – Signing differences
  – DS registry by hand
  – Currently in test
• Long term solution
  – DS exchange integrated with EPP
  – Distributed crypto
  – Open generic solution for the community
Long term solution in NIC Chile

[Figure only.]
Securing the key

• Threshold Cryptography

[Figure only.]
Yes, your servers…

DNSSEC AUTHORITATIVE SERVERS
What do I need?

• You want to do it! (really)
• Define signature and key lifetimes
  – RRSIG 1 month
  – ZSK 3 months / KSK 1 year
• Define key sizes
  – KSK >= 2048 and ZSK >= 1024
• Define your process and policy
  – Documentation (emergency recovery)
  – Training
Key creation

• KSK
  dnssec-keygen -a RSASHA1 -r /dev/urandom -b 2048 -f KSK -n ZONE cl.

• ZSK
  dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE cl.
Zone-signing

• NSEC
  dnssec-signzone -o cl -N INCREMENT -k Kcl.+005+28753 -r /dev/random cl.zone Kcl.+005+31320

• NSEC3
  – Algorithm NSEC3RSASHA1
  – -3 "salt": salt for the hash computation
  – -A: Opt-Out
  dnssec-signzone -o cl -N INCREMENT -k Kcl.+005+28753 -r /dev/random -3 "123" -A cl.zone Kcl.+005+31320
Zone-resigning

• -i interval: how long to keep “old” signatures
• Default cycle interval = (end time - start time)/4
• A RRSIG is replaced with a new one if it expires within the last cycle interval
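The re-signing rule above decides, record by record, whether an existing RRSIG is kept or replaced. The following Python is an added example, not code from the presentation, from NIC Labs or from BIND: it parses RRSIG records in their zone-file presentation form, computes the cycle interval (the default quarter of the validity period, or an explicit value standing in for -i), and lists which signatures a signing run at a given time would replace. The two records are copied from the RRSIG and DS slides; the run times are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# RRSIGs as printed on the slides (the A record of www.niclabs.cl and the DS of niclabs.cl).
RRSIG_A = """www.niclabs.cl. 19 IN RRSIG A 5 3 60 20091019132001 (
    20091009132001 51428 niclabs.cl.
    W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW
    L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6
    Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl
    4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )"""
RRSIG_DS = """niclabs.cl. 1007 IN RRSIG DS 5 1 3600 20091022230530 (
    20091016022314 12075 cl.
    HAqB5XoFsakxjmzk6YvRvJFXHyXvBMfjjPbd0u4RXojV
    fGGrHtBgt5eIh/c6X8p+JDONf5nypt7cFatUCRm2M4N3
    ZbBKOJyYonFU4LIEQ5CjmHVFCJHBOxKLDAWe2P3jX4/a
    kQ3JUy5SKztkoGn4GFhQnjCgWyf+n1GqAwTgD6A= )"""


def parse_time(value):
    """RRSIG inception/expiration in presentation format: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Split the (possibly parenthesised, multi-line) RRSIG presentation form into its fields."""
    f = text.replace("(", " ").replace(")", " ").split()
    if f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + text)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": f[8], "inception": f[9], "key_tag": int(f[10]), "signer": f[11],
        "signature": "".join(f[12:]),
    }


def cycle_interval(rrsig, override_seconds=None):
    """The signer's cycle interval: an explicit value (what -i sets) or (expiration - inception)/4."""
    if override_seconds is not None:
        return timedelta(seconds=override_seconds)
    return (parse_time(rrsig["expiration"]) - parse_time(rrsig["inception"])) / 4


def needs_resign(rrsig, now, override_seconds=None):
    """True if the signature has already expired or expires within the last cycle interval."""
    now_dt = parse_time(now) if isinstance(now, str) else now
    remaining = parse_time(rrsig["expiration"]) - now_dt
    return remaining <= cycle_interval(rrsig, override_seconds)


def rrsigs_to_refresh(records, now, override_seconds=None):
    """(owner, type covered) of every record that a signing run at `now` would replace."""
    due = []
    for text in records:
        r = parse_rrsig(text)
        if needs_resign(r, now, override_seconds):
            due.append((r["owner"], r["type_covered"]))
    return due


if __name__ == "__main__":
    # Constructed run times: one week, eight days and eleven days after the A signature's inception.
    for when in ("20091016132001", "20091017132001", "20091020000000"):
        print(when, "->", rrsigs_to_refresh([RRSIG_A, RRSIG_DS], when))
```

With a ten-day validity period the default cycle is 2.5 days, so the A signature is left alone on 16 October (three days left) and replaced on 17 October (two days left); a larger explicit interval keeps old signatures longer, a smaller one refreshes them closer to expiry, and either way the zone must be re-signed more often than the cycle or signatures expire and validators return bogus.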
CONCLUSIONS
Decisions for DNSSEC

• NSEC or NSEC3?
• Key sizes?
  – KSK (Key Signing Key) and ZSK (Zone Signing Key)
• Lifetime for keys/signatures?
• Sign everything at once? Opt-out?
• Revoking keys
  – Normal rollover, key compromise, key lost
  – Overlap of keys (old ones sign new ones)?
  – Parent, children?
Other issues

• Resolver behaviour
  – Domain secure, insecure, bogus, indeterminate
• How much does DNSSEC cost?
  – CPU, memory, time, bandwidth, effort, development

DNSSEC…

• Solves the authenticity and integrity problems
• Introduces a lot of operational overhead
  – Key management must be improved
  – Needs practice
• Is it worth it?
  – Open discussion…
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 

Kürzlich hochgeladen (20)

Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 

DNSSEC FIRST

  • 1. DNSSEC: DNS Security Extensions. FIRST Technical Colloquium. Victor Ramiro, NIC Labs, vramiro@niclabs.cl
  • 2. Agenda: What is DNSSEC? DNSSEC implementation. DNSSEC in NIC Chile. DNSSEC in authoritative servers.
  • 3. What is DNSSEC?
  • 4. Domain Name System (DNS). The Internet works with IP addresses (similar to telephone numbers), e.g. 200.1.123.3. A DNS server is like a phone book that remembers the IP address for a name, e.g. www.nic.cl -> 200.1.123.3. This book, or database, is hierarchical and distributed.
  • 5. How DNS works (diagram). A client wants http://www.uchile.cl/index.html and asks its resolver for www.uchile.cl. The resolver asks a root server (192.5.5.241) for cl and is referred to ns.nic.cl (200.1.123.4); it asks ns.nic.cl for www.uchile.cl and is referred to ns1.uchile.cl (200.89.70.3), the authoritative server, which answers www.uchile.cl A 200.89.70.188. The resolver caches the answer until its TTL expires and returns it; the client then sends GET index.html to 200.89.70.188.
  • 6. DNS hierarchy (diagram of the zone tree ROOT -> CL, ORG -> UCHILE.CL, NIC.CL, with an excerpt of each zone). Root: cl NS ns.nic.cl (ns.nic.cl A 200.1.123.4), a.nic.cl A 200.1.121.10, org NS tld1.ultradns.net (tld1.ultradns.net A 204.74.112.1). cl: nic NS ns.nic.cl, uchile NS ns1.uchile.cl (ns1.uchile.cl A 200.89.70.3). org: caida NS ns1.ucsd.edu. uchile.cl: www A 200.89.70.188, dcc NS ns.dcc.uchile.cl. nic.cl: www A 200.1.123.3, MX mail.nic.cl, mail A 200.1.123.8.
  • 7. Motivation to implement security into DNS. "Normal" DNS has no means to guarantee the authenticity of the information, nor can it guarantee its integrity. It is a highly distributed database: there is no centralized agent for verification, and there are several points of failure.
  • 8. Security problems in DNS (diagram, same lookup as slide 5). While the resolver waits for ns.nic.cl (200.1.123.4) to answer ¿www.uchile.cl?, an attacker at evil.uchile.cl (6.6.6.0) injects a forged reply "from 200.1.123.4" saying that www.uchile.cl is 1.2.3.4. The resolver caches the forgery and the client sends GET index.html to 1.2.3.4.
  • 9. DNS data flow (diagram): zone generation -> master (zone file: nic NS ns.nic.cl, ns.nic.cl A 200.1.123.4, uchile NS ns1.uchile.cl, ns1.uchile.cl A 200.89.70.3) -> secondaries (zone transfer) -> resolvers -> stub resolver (application library). Dynamic updates (e.g. nic NS a.nic.cl) also enter at the master.
  • 10. Vulnerabilities (same diagram, annotated): data corruption at zone generation, unauthorized dynamic update, supplanting (impersonating) a master or secondary, and cache poisoning at the resolvers. The first group is server security, which DNSSEC does not address; DNSSEC addresses data security, i.e. the authenticity and integrity of what the resolver receives.
  • 11. DNS Security Extensions (DNSSEC). Guarantees data authenticity and integrity by introducing digital signatures. It uses a chain of trust from the root down to the requested domain. It introduces considerable extra complexity into the processes.
  • 12. Digital signature (diagram). Bob creates a key pair (private key, public key). Alice receives "I love you! Bob" and wonders: how can I be sure that the message comes from Bob, and that nobody has changed it? Bob signs with his private key; Alice verifies the signature with Bob's public key.
  • 13. How DNSSEC works (diagram, same lookup as slide 5). Each answer now carries its signature, and each referral carries a DS record: the root's referral for cl includes the DS record for cl, and the cl referral for uchile.cl includes the DS record for uchile.cl. The resolver verifies each step against the parent's DS (authenticated) before accepting www.uchile.cl A 200.89.70.188.
  • 14. Some facts about digital signatures. All the security resides in the private key. The strength of a key is defined by the time it takes to break it: the bigger the key, the longer it can live (the harder it is to break). Creating a key pair is computationally expensive. Generating a digital signature is computationally expensive too, and the cost grows steeply with the key size (roughly cubically for RSA). Existing names are therefore pre-signed. What about non-existent names?
  • 15. Non-existent domains. Normal DNS: ns.nic.cl answers ¿existsfake.nic.cl? with a bare NXDOMAIN. DNSSEC: the zone (a.nic.cl, exists.nic.cl, existstoo.nic.cl, www.nic.cl, in alphabetical order) is chained with NSEC records, and the signed answer proves that the interval ]exists.nic.cl, existstoo.nic.cl[ is empty. Consequence: with several requests for non-existent names we can learn the full zone (walking the zone).
  • 16. Non-existent domains, new extension: NSEC3 solves zone walking. Names are hashed, m -> H(m) (e.g. 635EA8F7CD9A76EEF610B1), and the chain is built over the hashes in alphabetical order of the hash: H(another.nic.cl), H(www.nic.cl), H(mail.nic.cl), H(a.nic.cl). For ¿existsfake.nic.cl? the server proves that H(existsfake.nic.cl) falls in the empty interval ]H(www.nic.cl), H(mail.nic.cl)[. Caveat: NSEC3 only raises the cost of enumeration; the hashes are still handed out, so names can be recovered offline by dictionary guessing, which is why RFC 9276 now recommends 0 extra iterations and an empty salt.
  • 17. Piece by piece: DNSSEC implementation.
  • 18. Implementation: DNS resource records (name, TTL, class, type, value):
      www.niclabs.cl.   86400  IN  A     200.27.115.130
      niclabs.cl.       3579   IN  NS    ns.niclabs.cl.
      niclabs.cl.       86400  IN  MX    10 smtp.niclabs.cl.
      www.niclabs.cl.   86400  IN  AAAA  2001:1398:16:4:100::2
  • 19. New resource records. Digital signature records: RRSIG (signature of an RRset), DNSKEY (public key), DS (delegation signer). Consistency records: NSEC/NSEC3.
  • 20. Implementation: DNSSEC introduces 4 new records. 1) RRSIG (digital signature). Fields: type covered, algorithm, label count, original TTL, expiration time, inception time, key tag, signer's name, signature. (The 19 is the TTL remaining in the cache; the original TTL inside the RRSIG is 60.)
      www.niclabs.cl.   19  IN  A      212.247.7.218
      www.niclabs.cl.   19  IN  RRSIG  A 5 3 60 20091019132001 (
                                       20091009132001 51428 niclabs.cl.
                                       W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW
                                       L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6
                                       Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl
                                       4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )
  • 21. 2) DNSKEY (public key). Fields: flags (256 = zone key, the ZSK; 257 = zone key + secure entry point, the KSK), protocol (fixed, 3), algorithm, public key. The key tag appears as a comment; 51428 is the key that signed the RRSIG above.
      niclabs.cl.  3600  IN  DNSKEY  256 3 5 (
                                     BQEAAAABwHjOzI7/4vXsmQGSDPSHSCJqVhpQNtyFgETJ
                                     ymEatCPKqC43zahNmucNVMURGXhzz31jRQXdriMAryqK
                                     dDHgS36/4ZsFMLSOZSXlR+O9rnmtpVtsTICoXprgBy6h
                                     GIYiIx6m8C+e9c9EfQjQW7E/216Wzoo2qE7UuR0XReaP
                                     980= ) ; key id = 51428
      niclabs.cl.  3600  IN  DNSKEY  257 3 5 (
                                     AwEAAdhJAx197qFpGGXuQn8XH0tQpQSfjvLKMcreRvJy
                                     O+f3F3weIHR36E8DObolHFp+m1YkxsgnHYjUFN4E9sKa
                                     38ZXU0oHTSsB3adExJkINA/tINDlKrzUDn4cIbyUCqHN
                                     Ge0et+lHmjmfZdj62GJlHgVmxizYkoBd7Rg0wxzEOo7C
                                     A3ZadaHuqmVJ2HvqRCoe+5NDsYpnDia7WggvLTe0vorV
                                     6kDcu6d5N9AUPwBsR7YUkbetfXMtUebux71kHCGUJdmz
                                     p84MeDi9wXYIssjRoTC5wUF2H3I2Mnj5GqdyBwQCdj5o
                                     tFbRAx3jiMD+ROxXJxOFdFq7fWi1yPqUf1jpJ+8= ) ; key id = 16696
  • 22. 3) DS (delegation signer), published in the parent zone. Fields: key tag, algorithm, digest type, digest. It points at the child's KSK (16696 above) and is signed by the parent's key (here cl., key 12075).
      niclabs.cl.  1007  IN  DS     16696 5 1 (
                                    EF5D421412A5EAF1230071AFFD4F585E3B2B1A60 )
      niclabs.cl.  1007  IN  RRSIG  DS 5 1 3600 20091022230530 (
                                    20091016022314 12075 cl.
                                    HAqB5XoFsakxjmzk6YvRvJFXHyXvBMfjjPbd0u4RXojV
                                    fGGrHtBgt5eIh/c6X8p+JDONf5nypt7cFatUCRm2M4N3
                                    ZbBKOJyYonFU4LIEQ5CjmHVFCJHBOxKLDAWe2P3jX4/a
                                    kQ3JUy5SKztkoGn4GFhQnjCgWyf+n1GqAwTgD6A= )
  • 23. 4) NSEC (proof of a non-existent domain, e.g. none.niclabs.cl). The record names the next existing owner in canonical order and lists the types present at its own owner name; signed, it proves there is nothing between lists.niclabs.cl and ns.niclabs.cl.
      lists.niclabs.cl.  3536  IN  NSEC   ns.niclabs.cl. A MX RRSIG NSEC
      lists.niclabs.cl.  3536  IN  RRSIG  NSEC 5 3 3600 20091026132001 (
                                          20091016132001 51428 niclabs.cl.
                                          npxr6gaJtvrdYFndtKa8rJYcIdonp6q/Nrklaf6xoMN9
                                          xDbIqem0HzzM5qPStXWbG3TGSWJfIwqOeY6FMAaXER/e
                                          hlg+eFyRd5Zb/EAxSIx4NMUkKrWMkdsj49GZhHO9yEtB
                                          5yRU1T4Ii2GULiX233DwvWt/+ZLaJfEODU0kVTk= )
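The denial-of-existence logic from slides 15, 16 and 23, as an added example that is not part of the original deck: which NSEC record covers a missing name in canonical order, how an NSEC chain can be walked to enumerate the zone, and how NSEC3 hashing (RFC 5155) hides the names. The zone (a.nic.cl, exists.nic.cl, ...) is constructed from the names on the slides and is not the real nic.cl zone; the NSEC3 salt and iteration count are the values from RFC 5155 Appendix A.

```python
"""NSEC and NSEC3 denial of existence: which record proves a name is absent,
why an NSEC chain can be walked, and what NSEC3 hashing changes."""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # base32hex (RFC 4648) keeps the digest's sort order


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical order: labels compared right to left, case-insensitively."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def wire_name(name):
    """Lowercase wire-format name, e.g. 'nic.cl.' -> b'\\x03nic\\x02cl\\x00'."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_chain(keys, sort_key=None):
    """Link each element to its successor in sorted order; the last one wraps to the first.
    Used for names (sort_key=canonical_key) and for NSEC3 hashes (plain string order)."""
    ordered = sorted(keys, key=sort_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def covering_record(chain, key, sort_key=None):
    """('exists', owner) if key is an owner in the chain, else ('covered', owner) for the
    record whose open interval ]owner, next[ contains key (the last record wraps around)."""
    sk = sort_key or (lambda x: x)
    for owner, nxt in chain.items():
        if owner == key:
            return ("exists", owner)
        o, n, q = sk(owner), sk(nxt), sk(key)
        if (o < n and o < q < n) or (o >= n and (q > o or q < n)):
            return ("covered", owner)
    raise ValueError("chain does not cover " + key)


def walk_zone(chain, start):
    """Enumerate every owner in the zone just by following 'next' pointers (slide 15's attack)."""
    names, cur = [], start
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == start:
            return names
        if len(names) > len(chain):
            raise ValueError("chain does not return to its start")


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s5: SHA-1 of (wire name | salt), then `iterations` more rounds of
    SHA-1(previous | salt), encoded in base32hex (20 bytes -> 32 characters, no padding)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    bits = int.from_bytes(digest, "big")
    chars = len(digest) * 8 // 5
    return "".join(B32HEX[(bits >> (5 * (chars - 1 - i))) & 31] for i in range(chars))


# Constructed sample zone with the names from slides 15 and 16 (not the real nic.cl zone).
APEX = "nic.cl."
ZONE_NAMES = [APEX, "www.nic.cl.", "existstoo.nic.cl.", "exists.nic.cl.", "mail.nic.cl.", "a.nic.cl."]
SALT, ITERATIONS = "aabbccdd", 12   # RFC 5155 App. A values; RFC 9276 now advises 0 iterations, no salt

NSEC_CHAIN = build_chain(ZONE_NAMES, canonical_key)
NSEC3_CHAIN = build_chain([nsec3_hash(n, SALT, ITERATIONS) for n in ZONE_NAMES])


def nsec_denial(qname):
    """NSEC answer for qname: exact match, or the record whose interval covers it."""
    return covering_record(NSEC_CHAIN, qname, canonical_key)


def nsec3_denial(qname):
    """NSEC3 answer for qname: the same check, performed on the hashed owner names."""
    return covering_record(NSEC3_CHAIN, nsec3_hash(qname, SALT, ITERATIONS))


if __name__ == "__main__":
    print("NSEC  proof for existsfake.nic.cl:", nsec_denial("existsfake.nic.cl."))
    print("NSEC3 proof for existsfake.nic.cl:", nsec3_denial("existsfake.nic.cl."))
    print("zone walk via NSEC:", walk_zone(NSEC_CHAIN, APEX))
    print("zone walk via NSEC3 yields only hashes:", walk_zone(NSEC3_CHAIN, min(NSEC3_CHAIN)))
```

Walking the NSEC chain returns every owner name in the zone; walking the NSEC3 chain returns only hashes, which the attacker must then guess offline. The `o >= n` branch is the wrap-around case: the last record in the zone points back to the apex, so it covers every name that sorts after it.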
  • 24. Key issues. Interaction with the parent is administratively expensive: it should only be done when needed, so there bigger keys with a long lifetime are better. Signing zones should be fast: memory restrictions, space and time concerns, so there smaller keys with short lifetimes are better.
  • 25. Key solution: operate with two keys. KSK (key signing key): bigger key, creates bigger signatures, signs only the DNSKEY RRset (i.e. the ZSK), long lifetime (years). ZSK (zone signing key): smaller key, creates smaller signatures, short lifetime (months). The secure entry point flag tells them apart (256 = ZSK, 257 = KSK).
  • 26. Walking the trust chain (diagram):
      .            DNSKEY (id = 11) ; KSK
                   DNSKEY (id = 22) ; ZSK
                   RRSIG DNSKEY (11)          root KSK signs the root ZSK
      cl.          DS 33
                   RRSIG DS (...) (22)        root ZSK signs the authoritative data (SOA, NS, DS, etc.)
      cl.          DNSKEY (id = 33) ; KSK
                   DNSKEY (id = 44) ; ZSK
                   RRSIG DNSKEY (33)          cl. KSK signs the cl. ZSK
      nic.cl.      DS 55
                   RRSIG DS (...) (44)        cl. ZSK signs the authoritative data (SOA, NS, DS, etc.)
      nic.cl.      DNSKEY (id = 55) ; KSK
                   DNSKEY (id = 66) ; ZSK
                   RRSIG DNSKEY (55)
      www.nic.cl.  A 200.1.123.3
                   RRSIG A (...) (66)
  • 27. Verify the trust chain. Data in a zone can be trusted if signed by a ZSK. A ZSK can be trusted if signed by a KSK. A KSK can be trusted if pointed to by a trusted DS record. A DS record can be trusted if signed by the parent's ZSK, or if the DS or DNSKEY is a configured secure entry point (SEP), i.e. a trust anchor.
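The DS-to-DNSKEY link that slides 20 to 22 and 26 to 27 describe, as an added example that is not from the deck: the RFC 4034 Appendix B key tag, the DS digest over the canonical owner name plus DNSKEY RDATA, and a walk from a DS-form trust anchor down through three delegations (root, cl., nic.cl.). All key material is constructed (SHA-256 output standing in for a public key); the RRSIG verification step (KSK over the DNSKEY RRset, ZSK over the child's DS RRset) needs an RSA/ECDSA library and is named but not implemented here.

```python
"""DS <-> DNSKEY linkage as a validator checks it: key tag (RFC 4034 App. B),
DS digest = H(owner name | DNSKEY RDATA) (RFC 4034 s5.1.4), and a walk down a
three-zone delegation chain. Key material below is constructed for the example."""
import hashlib
import struct

ZONE_KEY, SEP = 0x0100, 0x0001                  # DNSKEY flag bits: 256 = zone key, +1 = KSK/SEP
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types: 1 = SHA-1, 2 = SHA-256


def wire_name(name):
    """Owner name in canonical (lowercase) wire format; '.' -> b'\\x00'."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except RSA/MD5, algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest over canonical owner name + DNSKEY RDATA, upper-case hex as in zone files."""
    return DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata, digest_type=2):
    """What the parent publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def keys_matching_ds(owner, dnskeys, ds_set):
    """DNSKEYs of `owner` authenticated by some DS in `ds_set`. The key tag is only a
    hint (tags can collide), so the digest is always recomputed and compared."""
    trusted = []
    for rdata in dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & ZONE_KEY:                    # RFC 4035 s5.2: must carry the zone key bit
            continue
        for tag, alg, dtype, digest in ds_set:
            if (tag == key_tag(rdata) and alg == rdata[3] and dtype in DIGEST
                    and ds_digest(owner, rdata, dtype) == digest):
                trusted.append(rdata)
                break
    return trusted


def walk_delegations(anchor_ds, zones):
    """Follow DS records down the tree. `zones` is [(owner, dnskeys, child_ds_set), ...]
    from the root to the leaf; `anchor_ds` is the DS-form trust anchor for zones[0].
    Returns [(owner, trusted KSK tag), ...] or raises on a broken link. Not shown:
    verifying the RRSIGs (KSK over DNSKEY RRset, ZSK over the child's DS RRset)."""
    path, ds_set = [], anchor_ds
    for owner, dnskeys, child_ds in zones:
        trusted = keys_matching_ds(owner, dnskeys, ds_set)
        if not trusted:
            raise ValueError("no DNSKEY of %s matches the DS published by its parent" % owner)
        path.append((owner, key_tag(trusted[0])))
        ds_set = child_ds
    return path


def _fake_key(seed):
    """Constructed stand-in for an RSA public key (not real key material)."""
    return hashlib.sha256(seed.encode()).digest() * 2


ROOT_KSK = dnskey_rdata(ZONE_KEY | SEP, 8, _fake_key("root ksk"))
ROOT_ZSK = dnskey_rdata(ZONE_KEY, 8, _fake_key("root zsk"))
CL_KSK = dnskey_rdata(ZONE_KEY | SEP, 8, _fake_key("cl ksk"))
CL_ZSK = dnskey_rdata(ZONE_KEY, 8, _fake_key("cl zsk"))
NICCL_KSK = dnskey_rdata(ZONE_KEY | SEP, 8, _fake_key("nic.cl ksk"))
NICCL_ZSK = dnskey_rdata(ZONE_KEY, 8, _fake_key("nic.cl zsk"))

ROOT_ANCHOR = [make_ds(".", ROOT_KSK)]          # the root trust anchor is distributed in DS form
ZONES = [
    (".", [ROOT_KSK, ROOT_ZSK], [make_ds("cl.", CL_KSK)]),         # root publishes DS for cl.
    ("cl.", [CL_KSK, CL_ZSK], [make_ds("nic.cl.", NICCL_KSK)]),   # cl. publishes DS for nic.cl.
    ("nic.cl.", [NICCL_KSK, NICCL_ZSK], []),
]

if __name__ == "__main__":
    for owner, tag in walk_delegations(ROOT_ANCHOR, ZONES):
        print("%-10s trusted KSK key id = %d" % (owner, tag))
```

Two details matter in practice: the DS is computed over the owner name as well as the key, so the same DNSKEY published under another name produces a different digest, and a ZSK without the zone key bit, or a DS whose digest no longer matches after a key change, breaks the link even when the key tag still agrees.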
  • 28. Lifetime for signatures and keys (diagram only).
  • 29. Or: how to implement DNSSEC in a TLD? DNSSEC in NIC Chile.
  • 30. DNSSEC in the world (map only).
  • 31. DNSSEC in the world. Operative TLDs: .se .org .gov .br .bg .cz .pr .na .th. Root zone: fully deployed by July 2010, so no more excuses to implement it. And Chile?
  • 32. NIC Chile has been working on DNSSEC since: 2004: first toy tests. 2008/07: NIC Labs starts formal research. 2008/11: internal working group. 2009/06: internal validating resolver using the IANA ITAR and ISC DLV trust-anchor repositories (BIND + Unbound), both later retired once the root was signed. 2009/07: testbed .CL + DNSSEC. 2009/08: public resolver resolversec.niclabs.cl.
  • 33. NIC Chile. Short-term solution: signing only the differences, DS registration by hand, currently in test. Long-term solution: DS exchange integrated with EPP, distributed cryptography, an open generic solution for the community.
  • 34. Long-term solution in NIC Chile (diagram only).
  • 35. Securing the key: threshold cryptography (the private key is split among several parties so that signing needs a quorum and no single machine ever holds the whole key).
  • 36. Yes, your servers: authoritative DNSSEC servers.
  • 37. What do I need? You want to do it (really). Define signature and key lifetimes: RRSIG 1 month, ZSK 3 months, KSK 1 year. Define key sizes: KSK >= 2048 and ZSK >= 1024. Define your process and policy: documentation (emergency recovery) and training.
  • 38. Key creation with BIND's dnssec-keygen. KSK:
      dnssec-keygen -a RSASHA1 -r /dev/urandom -b 2048 -f KSK -n ZONE cl.
    ZSK:
      dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE cl.
    The generated file names (Kcl.+005+28753, Kcl.+005+31320 on the next slide) encode the zone, the algorithm number and the key tag. RSASHA1 (5) and NSEC3RSASHA1 (7) reflect 2009 practice; RFC 8624 now lists them as NOT RECOMMENDED for signing and RSASHA256 (8) or ECDSAP256SHA256 (13) as the algorithms to use.
  • 39. Zone signing with dnssec-signzone. NSEC:
      dnssec-signzone -o cl -N INCREMENT -k Kcl.+005+28753 -r /dev/random cl.zone Kcl.+005+31320
    NSEC3 (algorithm NSEC3RSASHA1; -3 "salt" for the hash computation; -A for opt-out):
      dnssec-signzone -o cl -N INCREMENT -k Kcl.+005+28753 -r /dev/random -3 "123" -A cl.zone Kcl.+005+31320
    -o names the zone origin, -N INCREMENT bumps the SOA serial, -k names the KSK and the trailing key argument is the ZSK. For NSEC3 every key in the zone must use an NSEC3-aware algorithm (7 rather than 5): a validator that does not understand NSEC3 then treats the zone as unsigned rather than bogus.
  • 40. Zone re-signing. -i interval: keep "old" signatures that are still far from expiring. Default cycle interval = (end time - start time) / 4. A signature is replaced with a new RRSIG if it expires within the last cycle interval.
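The validity window from slide 20 and the re-signing rule from slide 40, as an added example that is not from the deck: a validator's inception/expiration check, and the decision dnssec-signzone makes per RRSIG (regenerate when the signature will expire within the cycle interval, which defaults to a quarter of the validity period unless -i overrides it). The RRSIG list is constructed, with the timestamps taken from the RRSIGs on slides 20 and 22.

```python
"""RRSIG validity window (what a validator checks) and the re-signing rule of
dnssec-signzone: an RRSIG is regenerated when it will expire within the cycle
interval, which defaults to (expiration - inception) / 4 unless -i is given."""
from datetime import datetime, timedelta, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"     # presentation format of RRSIG inception/expiration (RFC 4034 s3.2)


def rrsig_time(text):
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp as UTC."""
    return datetime.strptime(text, RRSIG_TIME).replace(tzinfo=timezone.utc)


def signature_valid_at(inception, expiration, now):
    """RFC 4035 s5.3.1: a validator rejects an RRSIG before its inception or after its expiration."""
    return rrsig_time(inception) <= now <= rrsig_time(expiration)


def cycle_interval(inception, expiration, interval_seconds=None):
    """The -i interval, or the default quarter of the validity period."""
    if interval_seconds is not None:
        return timedelta(seconds=interval_seconds)
    return (rrsig_time(expiration) - rrsig_time(inception)) / 4


def needs_resign(inception, expiration, now, interval_seconds=None):
    """True when the RRSIG expires within the cycle interval (or already has)."""
    remaining = rrsig_time(expiration) - now
    return remaining < cycle_interval(inception, expiration, interval_seconds)


def plan_resign(rrsigs, now, interval_seconds=None):
    """Which (owner, type, inception, expiration) entries dnssec-signzone would replace now."""
    return [r for r in rrsigs if needs_resign(r[2], r[3], now, interval_seconds)]


# Constructed RRSIG list; the timestamps are the ones shown on slides 20 (A) and 22 (DS).
RRSIGS = [
    ("www.niclabs.cl.", "A", "20091009132001", "20091019132001"),
    ("niclabs.cl.", "DS", "20091016022314", "20091022230530"),
]

if __name__ == "__main__":
    now = rrsig_time("20091017132001")
    for owner, rtype, inc, exp in RRSIGS:
        print(owner, rtype,
              "valid" if signature_valid_at(inc, exp, now) else "INVALID",
              "resign" if needs_resign(inc, exp, now) else "keep")
```

The A RRSIG on slide 20 is valid for ten days, so its default cycle interval is two and a half days: on 2009-10-16 it is kept, on 2009-10-17 it is regenerated. The validator-side window check is also why BIND's dnssec-signzone backdates the inception by one hour by default: a resolver whose clock is slightly behind would otherwise treat a freshly signed zone as bogus.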
  • 42. Decisions for DNSSEC. NSEC or NSEC3? Key sizes for the KSK (key signing key) and ZSK (zone signing key)? Lifetimes for keys and signatures? Sign everything at once, or opt-out? Key revocation: normal rollover, key compromise, key loss; overlap of keys (old ones sign new ones)? Parent and children?
  • 43. Other issues. Resolver behaviour: a domain validates as secure, insecure, bogus or indeterminate. What DNSSEC costs: CPU, memory, time, bandwidth, effort, development.
  • 44. DNSSEC solves the authenticity and integrity problems, but introduces a lot of operational overhead: key management must be improved, and it needs practice. Is it worth it? Open discussion.