DNSSEC made simple. DNSSEC made simple ~]$ whoami Emil Natan, CTO, ISOC-IL.

Slides:



Advertisements
Similar presentations
Review iClickers. Ch 1: The Importance of DNS Security.
Advertisements

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
IIT Indore © Neminath Hubballi
Geoff Huston APNIC Labs
Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Web Server Administration Chapter 4 Name Resolution.
1 CMPT 471 Networking II DNS © Janice Regan,
OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.
Key management issues in PGP
Security Issues with Domain Name Systems
Lecture 20 DNS Sec Slides adapted from Olag Kampman
In collaboration with HKCERT and HKIRC July 2016
DNS Security.
Domain Name System Tony Kombol ITIS 3110.
Module 5: Resolving Host Names by Using Domain Name System (DNS)
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Cryptography and Network Security
Geoff Huston APNIC Labs
Living on the Edge: (Re)focus DNS Efforts on the End-Points
DNSSEC Operations in .gov
Geoff Huston APNIC Labs September 2017
DNS Cache Poisoning Attack
CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others
DNSSEC Iván González Montemayor A
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
DNS security.
DNSSEC Basics, Risks and Benefits
Information Security message M one-way hash fingerprint f = H(M)
Managing Name Resolution
What DNSSEC Provides Cryptographic signatures in the DNS
A New Approach to DNS Security (DNSSEC)
NET 536 Network Security Lecture 8: DNS Security
Casey Deccio Sandia National Laboratories
NET 536 Network Security Lecture 6: DNS Security
Geoff Huston APNIC Labs
The Curious Case of the Crippling DS record
ECDSA P-256 support in DNSSEC-validating Resolvers
National Trust Platform
Neda Kianpour - Lead Network Engineer - Salesforce
Presentation transcript:

DNSSEC made simple

[e@ninj4v9 ~]$ whoami Emil Natan, CTO, ISOC-IL

DNS

DNS Authoritative nameserver (.) Authoritative nameserver (com.) (il.) Authoritative nameserver (isoc.org.il) Resolver home/company Resolver Public (8.8.8.8) Resolver ISP STUB (client) STUB (client) STUB (client)

Delegation org.il zonefile org.il. SOA 2017102549 1800 900 3628800 NS nsa.ns.il. NS ns1.ns.il NS ns2.ns.il. NS nsb.ns.il. org.il zonefile isoc.org.il. NS ns1.isoc.org.il. isoc.org.il. NS sns-pb.isc.org. isoc.org.il. NS ns3.isoc.org.il. isoc.org.il. NS aristo.tau.ac.il. ns1.isoc.org.il. A 192.115.211.52 ns3.isoc.org.il. A 192.115.4.131 isoc.org.il. SOA 2017102500 21600 3600 2419200 isoc.org.il. MX 100 mx1.isoc.org.il. isoc.org.il. MX 200 mx2.isoc.org.il. www.isoc.org.il. A 192.115.211.55 Delegation information is passed over non-DNS channel isoc.org.il. NS ns1.isoc.org.il. isoc.org.il. NS sns-pb.isc.org. isoc.org.il. NS ns3.isoc.org.il. isoc.org.il. NS aristo.tau.ac.il. ns1.isoc.org.il. A 192.115.211.52 ns3.isoc.org.il. A 192.115.4.131 Delegation Information isoc.org.il zonefile

PKI (Digital signing) Digital Signing (!= Encryption) Authentication (authenticate the signer) Integrity Digital signatures employ asymmetric cryptography. A digital signature scheme typically consists of 3 algorithms: Key generation algorithm Signing algorithm Signature verifying algorithm A key generation algorithm. The algorithm outputs the private key and a corresponding public key. A signing algorithm that, given a message and a private key, produces a signature. A signature verifying algorithm that, given the message, public key and signature, either accepts or rejects the message's claim to authenticity. The authenticity of a signature generated from a fixed message and fixed private key can be verified by using the corresponding public key

Why DNSSEC DNS spoofing question section + transaction ID Source address Destination address + destination port DNSSEC protects your clients DNSSEC vs. HTTPS Redirect to attackers server which forces insecure HTTP SSL certificate validation relies on DNS validation (email, file on webserver) Non Web resources Single trust authority vs. thousands Makes DNS safer environment for DKIM, DANE, CAA Extended Validation (EV) DNS-based Authentication of Named Entities (DANE) DNS Certification Authority Authorization (CAA)

DNSSEC DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). A zone signs its authoritative RRsets by using a private key and stores the corresponding public key in a DNSKEY RR. A resolver uses the public key to validate signatures covering the RRsets and thus to authenticate them.

DNSSEC DNSSEC SOA A SOA A RRSIG RRSIG AAAA AAAA NS NS RRSIG MX RRSIG Unsigned zonefile Signed zonefile

DNSSEC The first time I’m confronted with DNSSEC

What’s new New record types: DNSKEY RRSIG NSEC/NSEC3 + NSEC3PARAM DS New flags: AD CD DO (extended flag, requires EDNS) EDNS

What’s new DS DO CD DNSKEY RRSIG NSEC/NSEC3 Parent zonefile Child zonefile DO CD Request AD Response EDNS

DNSKEY, RRSIG, DS isoc.org.il. 3600 IN DNSKEY 257 3 13 PBue9Mk2QpEumMqrJ4kduOkHeOZHkVcB/YQk0TTp8GpdY14G1+pgDHd0 b5ZLoP+a+ICUAVdSdZ+uOnGMJ+yF0A== isoc.org.il. 3600 IN DNSKEY 256 3 13 CWxgsu82Hslrozc5+hHLkzoI/bX0IxfVmUjCrrGhCBLVyYpiALqVrY0c 2B+xFlCVoOSgyXARf1Nr38+BQ4gSrQ== isoc.org.il. 3600 IN RRSIG DNSKEY 13 3 3600 20171113190950 20171023180950 48693 isoc.org.il. 5i2+WJxNsL9dl1cWLLZAkdsHQMZYtgd0QI+DZOwpVQke8DYNkOiLzg1b Ory7M8+zSAuqeX+laplEdUqmAVeOdg== isoc.org.il. 4977 IN DS 48693 13 2 941C5E5CBDA733BED4E2DE3AB453AC5D789A9205281A6F8A706FA99D 83B10DE5

Delegation org.il. SOA 2017102549 1800 900 3628800 NS nsa.ns.il. NS ns1.ns.il NS nsb.ns.il. isoc.org.il. DS 48693 13 2 941C5E5...83B10DE5 isoc.org.il. NS ns1.isoc.org.il. isoc.org.il. NS sns-pb.isc.org. isoc.org.il. NS ns3.isoc.org.il. isoc.org.il. NS aristo.tau.ac.il. ns1.isoc.org.il. A 192.115.211.52 ns3.isoc.org.il. A 192.115.4.131 isoc.org.il. SOA 2017102500 21600 3600 2419200 isoc.org.il. DNSKEY 257 3 13 PBue9Mk2Q...MJ+yF0A== isoc.org.il. DNSKEY 256 3 13 CWxgsu82H...BQ4gSrQ== Isoc.org.il RRSIG DNSKEY 13 3 3600 20171113190... Delegation information is passed over non-DNS channel isoc.org.il. NS ns1.isoc.org.il. isoc.org.il. NS sns-pb.isc.org. isoc.org.il. NS ns3.isoc.org.il. isoc.org.il. NS aristo.tau.ac.il. ns1.isoc.org.il. A 192.115.211.52 ns3.isoc.org.il. A 192.115.4.131 Delegation Information

Chain of Trust Root zone Resolver . DNSKEY Trusted Key (.) il. DS il. RRSIG DS Validate DNSKEY . Resolver Trusted Key (.) Validate DS il. Validate DNSKEY il. Validate DS org.il. il. zone il. DNSKEY org.il. DS org.il. RRSIG DS Validate DNSKEY isoc.org.il. Validate A www.isoc.org.il. Validate DNSKEY org.il. Validate DS isoc.org.il. org.il. zone org.il. DNSKEY isoc.org.il. DS isoc.org.il. RRSIG DS isoc.org.il. zone isoc.org.il. DNSKEY www.isoc.org.il A www.isoc.org.il RRSIG A

Signing Keys KSK: Used to sign the DNSKEY record Message digest of the KSK is used as part of the DS record (at the parent) Rollover of KSK requires interaction with the parent domain Longer ZSK: Used to sign other records in the zonefile Rollover does not require interaction with the parent domain Can be done frequently - shorter key

(DNSSEC =) Amplification DNS amplification (and reflection) attacks existed well before DNSSEC UDP lacks source address validation meta-QTYPE ANY or specially crafted TXT RRs Response Rate Limit (RRL) DNS Cookies ECDSA (Elliptic Curve Digital Signature Algorithm) - reduce size of keys and signatures

Zone enumeration NSEC NSEC3 DNSSEC white lies NSEC5 For Registries it is a matter of policy Instead of holding sensetive information in publicly accessible zone, use views

Last mile problem Resolver performs validation, client trusts the resolver. Resolver is usually in the client’s network (ISP, University, Company) Browser plugins Linux, systemd-resolved performs caching and validation DNScrypt - authenticates communications between a DNS client and a DNS resolver

“Resolvers must feel sad, nobody calls them by their name."

Does my resolver support DNSSEC

Does my resolver support DNSSEC

Does my resolver support DNSSEC

http://dnsviz.net/

DNSSEC at Resolver Linux (BIND) dnssec-enable yes; // Default dnssec-validation yes; trusted-keys managed-keys DNSSEC Validation the Easy Way (ISC KB: AA-01182) Problem: You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest. Solution: options { ... dnssec-validation auto; ... }; rndc reconfig Windows (Security-aware client) Operating systems that are DNSSEC aware can be configured to require DNSSEC validation. Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and later operating systems are Security-aware.

DNSSEC Resolver Public resolvers Validating: GPDNS (8.8.8.8, 8.8.4.4), UltraDNS (156.154.71.1, 156.154.70.1), Dyn (216.146.35.35, 216.146.36.36) Non-validating: OpenDNS (208.67.220.220, 208.67.222.222), Level3 (4.2.2.2, 4.2.2.1) Resolvers at Israeli ISPs Performance penalty End clients and DNSSEC - (they complain to the wrong party when something does not work because of broken DNSSEC) Mix of validating and non-validating resolvers Client behavior is application dependent (dig only queries the first resolver and does not retry if the validation fails, ping tries the second resolver if the first returns SERVFAIL). No added value. Oct 11th High performance penalty that is incurred when a domain name is signed, but when DNSSEC validation cannot validate the signature. the name resolution process then starts a process of launching the query to other DNS resolvers to see if they can resolve the name. In this case the search for a successful resolution can take a significant amount of time

DNSSEC validation stats 0.024417455630603564 % failed source: https://stats.labs.apnic.net/dnssec

DNSSEC validation stats source: https://stats.labs.apnic.net/dnssec

(Homegrown signing stacks with full key roll support) Implementing DNSSEC (Homegrown signing stacks with full key roll support)

Signing and resigning Signatures expiration il. 8386 IN RRSIG SOA 8 1 86400 20170117220201 20161217210201 30780 il. wYa9DEmpNI4+7Yse012411pr2iM9qLsHvkpBfnA1wsvvBjVzbKau02Tk ...== Through signature validity period, time in DNS becomes absolute (time dependent) Until you feel the process is robust, resign often, leave longer signature validity period (3-4 weeks) Check constantly - pre and after publishing Do frequently

Key rollover Why key rollover Compromise of existing key(s) Management policy (security and operational reasons) Algorithm/key length change HSM failure/ unrecoverable keys Written procedures in place Caching makes the process complicated “Offline” DS update Propagation delay Going Insecure Algorithm rollovers

Implementing DNSSEC dnssec-keygen to generate keys Zone configuration (named.conf) Master + Signer Slaves Signed zonefiles zone "isoc-il.net" { type master; file "isoc-il.net.zone"; allow-update { none; }; key-directory "/var/keys/isoc-il.net"; inline-signing yes; dnssec-dnskey-kskonly yes; serial-update-method date; auto-dnssec maintain; };

Implementing DNSSEC “Offline signer” “Bump in the wire” (good for existing environments) External DNS service provider - EasyDNS, NameCheap, name.com, Rage4, Gandi, Dyn, UltraDNS, Hover, no-ip.com, dnsimple (and others) support DNSSEC DNSSEC support at the Registrar Signer Master Slaves Signed zonefiles Signed zonefiles Master Signer Slaves Signed zonefiles Signed zonefiles

Picking a Signer Command line tools bind-tools, ldns manual/(scripts + cronjobs) automation for resigning and key rollovers “Batteries included” Automated and effective resigning and key management Open source: BIND, OpenDNSSEC, PowerDNS Commercial products: Infoblox, Secure64 Key material management HSM - PKCS#11, SoftHSM Files stored on disk/removable storage

Algorithms, response size, validation Source: https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

Algorithms, response size, validation

Algorithms, response size, validation

Implementation tips Gradual implementation Test environment with local root zone, TLD, resolver configured to use the local authoritative servers Test with a signed zone with full path trusted chain Test all slaves Test network Sign, but not publish DS, use trusted key Publish DS Backup keys (DB, keydb)

Monitoring DNSSEC Pre-publication checks Signatures validation (one or more tools) Signatures expiry Chain of trust with parent Signed vs Unsigned ODS vs BIND (signing) Post-publication checks Real validating resolver check SOA between all authoritative nameservers Debugging problems {dig, drill} tools DNSviz (http://dnsviz.net) Zonemaster (https://www.zonemaster.net/) DNSSEC Analyzer (https://dnssec-debugger.verisignlabs.com/)

What the future holds? CDNSKEY, CDS (automating delegation) DANE, CAA, etc Validating STUB resolvers Secure the last mile (DNS over TLS)

“The best thing about DNSSEC jokes is that you can check if they were told wrong.”

QUESTIONS?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.