Neda Kianpour - Lead Network Engineer - Salesforce

Slides:

Advertisements

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

CSE 1302 Lecture 8 Inheritance Richard Gesick Figures from Deitel, “Visual C#”, Pearson.

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.

Tony Kombol ITIS Who knows this? Who controls this? DNS!

IIT Indore © Neminath Hubballi

Lecture 8 Inheritance Richard Gesick. 2 OBJECTIVES How inheritance promotes software reusability. The concepts of base classes and derived classes. To.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

1 Software Development Configuration management. \ 2 Software Configuration  Items that comprise all information produced as part of the software development.

Remedy – Customer Portal Fiona Gregory McKesson CRM 1.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Rolling the Root Geoff Huston APNIC Labs. Use of DNSSEC in Today’s Internet.

OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.

What if Everyone Did It? Geoff Huston APNIC Labs.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Authentication Presenter Meteor Advisory Team Member Version 1.1.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

SaudiNIC Experience in Deploying DNSSec AbdulRahman Al-Ghadir SaudiNIC - CITC MENOG 16.

DNSSec.TLD is signed! What next? V.Dolmatov November 2011.

Rolling the Root Geoff Huston APNIC Labs March 2016.

Increasing the Zone Signing Key Size for the Root Zone

BIND 10 DNS Project Status + DNS Resolver Status/Plans Shane Kerr 23 January 2013.

Application program interface (API)

Security Issues with Domain Name Systems

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

Introduction to CAST Technical Support

Welcome POS Synchronize Concept 08 Sept 2015.

A longitudinal, End-to-End View of the DNSSEC Ecosystem

SaudiNIC Riyadh, Saudi Arabia May 2017

DNS Team IETF 99 Hackathon.

In collaboration with HKCERT and HKIRC July 2016

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

Domain Name System Tony Kombol ITIS 3110.

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

Network Load Balancing Functionality

DNSSEC Operations in .gov

Geoff Huston APNIC Labs September 2017

DNS Session 5 Additional Topics

DNS Cache Poisoning Attack

CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.

RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • •

DNSSEC Iván González Montemayor A

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

DNSSEC Basics, Risks and Benefits

TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017

Managing Name Resolution

Introduction to CAST Technical Support

Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research

Lecture 22 Inheritance Richard Gesick.

What DNSSEC Provides Cryptographic signatures in the DNS

A New Approach to DNS Security (DNSSEC)

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

Geoff Huston APNIC Labs

The Curious Case of the Crippling DS record

System Center Configuration Manager Cloud Services – Cloud Distribution Point Presented By: Ginu Tausif.

Trust Anchor Signals from Custom Applications

ECDSA P-256 support in DNSSEC-validating Resolvers

What part of “NO” is so hard for the DNS to understand?

Presentation transcript:

Challenges and Successes of DNSSEC Signing an F5 BIG-IP DNS Hosted Zone Neda Kianpour - Lead Network Engineer - Salesforce Tyler Shaw - Sr. Systems Engineer - F5

Abstract Due to compliance requirements from our customers, determined to sign the whole footprint and that involved signing the BIG-IP DNS hosted zones. The BIG-IP DNS devices in our infrastructure listen and respond to DNS queries to the zones hosted on them. Signing the BIG-IP DNS hosted zones had its own challenges. Only Two Engineering Hotfixes later and plenty of testing and now DNSSEC can be deployed on the BIG-IP DNS devices.

Challenges Signature Inception Offset Issue F5 BIG-IP DNSSEC vulnerability Master Key changes on an F5 BIG-IP DNS (code upgrades, RMAs,etc) ECDSA support (Algorithm 13) - (Feature Request Submitted) Implementing DNSSEC on Active/Active standalone BIG-IP DNS

Signature Inception Offset After implementing DNSSEC on our F5 BIG-IP DNS, we noticed that every time we queried an F5 hosted zone, the signature inception date returned was set to 0 seconds in the past. Certain resolvers could treat the zones as invalid due to clock skew. Major impact to clients behind those resolvers (bogus responses). $ date && dig na107.inst.siteforce.com A +dnssec | grep RRSIG Sat 23 Mar 2019 19:37:42 GMT na107-hio.hio.r.inst.siteforce.com. 30 IN RRSIG A 8 6 30 20190330193742 20190323193742 Sat 23 Mar 2019 19:38:17 GMT na107-hio.hio.r.inst.siteforce.com. 30 IN RRSIG A 8 6 30 20190330193817 20190323193817 57048

Signature Inception Offset (continued) RFC 6781 allows a parameter called the inception offset: "The validity of the signature starts shortly before the signing time. That is done to deal with validators that might have some clock skew. This is called the inception offset, and it should be chosen so that false negatives are minimized to a reasonable level."

Signature Inception Offset (continued) A feature request was made with F5 to add inception offset. New code now sets the inception offset for the DNSSEC signatures to a configured time before the signature creation (default of 60 mins). This is available in Version 15.1 due approximately Q1 2020, but can be backported as far as version 12.1.X Bug ID 767989 should be referenced if needed in versions earlier than 15.1

2. F5 BIG-IP DNSSEC vulnerability July 2019: CZ.NIC( Petr Špaček and Jan Vcelak of NS1) published this article Error-in-dnssec-implementation-on-f5-big-ip-load-balancers about the issue. Can be exploited to perform a denial-of-service (DoS). ISSUE: F5 returns an incorrect NSEC3 record for a DNS query for an RR type, which does not exist at given name. This indicates that only one of TXT/HINFO/RP RR types exists at given name, even if A or AAAA types actually exist and are returned if a client queried for them. IMPACT: If resolver uses Aggressive Negative caching it can incorrectly infer non-existence of other record types at the NSEC3 record name

2. F5 BIG-IP DNSSEC vulnerability Aug 2019: F5 team acknowledged and published a KB advising of the following workaround: https://support.f5.com/csp/article/K00724442 After discussions with the F5 team, they provided us with a permanent fix in a form of Engineering Hotfix.

3. Master Key changes on an F5 BIG-IP DNS BIG-IP DNS devices that are configured with DNSSEC use their own master key to decrypt the DNSSEC keys. ISSUE: We observed an issue where after a code upgrade, the BIG-IP DNS device fails to load the configuration due to a master key change. That results in a DNSSEC Key set to also fail to decrypt!! CURRENT WORKAROUND: User has to manually take a copy of the master key prior to any code upgrade and manually use this key to restore the configuration file in case of a master key change. https://support.f5.com/csp/article/K13542

4. ECDSA support (Algorithm 13) We have officially requested code support for the Elliptic Curve Digital Signature Algorithm on the F5 BIG-IP DNS. F5 has indicated that this will be available in TMOS V15.1 with the current ETA being calendar Q1 of 2020. Backport to the previous version of TMOS ie V12.1.x and v13.1.x will not be possible. RFE ID 672374 was already filed by another F5 customer F5 has attached our request to RFE

5. Implementing DNSSEC on Active/Active standalone BIG-IP DNS Active/Active F5 pair BIG-IP DNS Instance A BIG-IP DNS Instance B Caching Resolver This is analogous to a multi-signer DNSSEC model using unique key sets: Two signing entities must SHARE the ZSK for a chain of trust to exist Without this, responses from different entities could be treated as bogus ‘Normal’ active/active config cannot support this key sharing, but can be done using DNS sync group in active/active

questions?

Thank you!