© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.

Slides:



Advertisements
Similar presentations
Testing IPv6 Address Records in the DNS Root APNIC 23 February 2007 Geoff Huston Chief Scientist APNIC.
Advertisements

Authoritative-only server & TSIG cctld-workshop Nairobi,12-15 october 2005
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
Introduction to the DNS AfCHIX 2011 Blantyre, Malawi.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
6.033 Lecture 14 DNS and Content Delivery Networks Sam Madden Key ideas: Domain name service Content delivery networks Network overlays.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
Recursive Server. Overview Recursive Service Root server list localhost in-addr.arpa named.conf.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Linux Networking Commands
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
Domain Name System (DNS) Ayitey Bulley Session-1: Fundamentals.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
DNSSEC Introduction to Concepts Bill Manning
Geoff Huston APNIC Labs
Test cases for domain checks – a step towards a best practice Mats Dufberg,.SE Sandoche Balakrichenan, AFNIC.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Domain Names Implementation and specification 陳怡良 RFC #1035.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking DNS 0.
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
1 Internet Network Services. 2 Module - Internet Network Services ♦ Overview This module focuses on configuring and customizing the servers on the network.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
A study of caching behavior with respect to root server TTLs Matthew Thomas, Duane Wessels October 3 rd, 2015.
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
Linux Operations and Administration
AfNOG-2003 Domain Name System (DNS) Ayitey Bulley
1 CMPT 471 Networking II DNS © Janice Regan,
OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.
Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
Domain Name System (DNS) Joe Abley AfNOG Workshop, AIS 2014, Djibouti Session-1: Fundamentals.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc Samuel Morse Dr. Columbia MD Ph:
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Defeating DNS Amplification Attacks UKNOF Manchester Central, UK January Ralf Weber Senior Infrastructure Architect.
What's so hard about DNSSEC? Paul Ebersman – May 2016 RIPE72 – Copenhagen 1.
1 Lecture A.3: DNS Security r Domain Name Service r Security Problems in DNS.
Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Track E0 AfNOG workshop April Abuja, Nigeria Introduction to the DNS.
Phil Regnauld ccTLD workshop November Amman, Jordan DNS Operations.
1 CMPT 471 Networking II DNS © Janice Regan,
Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved
Introduction to the DNS
Lecture 20 DNS Sec Slides adapted from Olag Kampman
In collaboration with HKCERT and HKIRC July 2016
Domain Name System Tony Kombol ITIS 3110.
BIND Part 2 pschiu.
Data Communications and Networking DNS
DNSSEC made simple. DNSSEC made simple ~]$ whoami Emil Natan, CTO, ISOC-IL.
Managing Name Resolution
Phil Regnauld ccTLD workshop November Amman, Jordan
A New Approach to DNS Security (DNSSEC)
DNSSEC Status Update in UA
ECDSA P-256 support in DNSSEC-validating Resolvers
Presentation transcript:

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Bind with DNSSEC? $./configure --with-openssl $ head config.log This file contains any messages produced by compilers whilerunning configure, to aid debugging if configure makes a mistake.It was created by configure, which wasgenerated by GNU Autoconf Invocation command line was $./configure --prefix=/usr/local -- with-openssl $./configure --with-openssl $ head config.log This file contains any messages produced by compilers whilerunning configure, to aid debugging if configure makes a mistake.It was created by configure, which wasgenerated by GNU Autoconf Invocation command line was $./configure --prefix=/usr/local -- with-openssl

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC aware config options {... dnssec-enable yes;.... }; BIND: dnssec-enable NSD: As default

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Usage: dnssec-keygen -a alg -b bits [-n type] [options] nameVersion: 9.6-ESVRequired options: -a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | RSASHA256 | RSASHA512 | NSEC3DSA | NSEC3RSASHA1 | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC- SHA256 | HMAC-SHA384 | HMAC-SHA512 -b key size, in bits: RSAMD5:[ ] RSASHA1: [ ] NSEC3RSASHA1:[ ] RSASHA256:[ ] RSASHA512: [ ] DH:[ ] DSA:[ ] and divisible by 64 NSEC3DSA: [ ] and divisible by 64 HMAC-MD5:[1..512] HMAC-SHA1:[1..160] HMAC- SHA224:[1..224] HMAC-SHA256:[1..256] HMAC-SHA384:[1..384] HMAC-SHA512:[1..512] -n nametype: ZONE | HOST | ENTITY | USER | OTHER (DNSKEY generation defaults to ZONE name: owner of the keyOther options: - c (default: IN) -d (0 => max, default) -e use large exponent (RSAMD5/RSASHA1 only) -f keyflag: KSK -g use specified generator (DH only) -t : AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF) -p : default: 3 [dnssec] -s strength value this key signs DNS records with (default: 0) -r : a file containing random data -v -k : generate a TYPE=KEY keyOutput: K + +.key, K + +.private Generate keys

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Generate two keys Generate a Key Signing Key and Zone Signing Key $ dnssec-keygen -a RSASHA1 -b n zone -f KSK example.comKexample.com $ dnssec-keygen -a RSASHA1 -b n zone example.comKexample.com

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License $include the keys $TTL 100 IN SOA ns ( zonemaster ; ; These values 200 ; are to unrealistic for ; production zones 100 ) NS ns ns A demo A $include Kexample.com key $include Kexample.com key

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Sign the lot $ dnssec-signzone -o example.com zonefile.txt Creates a ds-set as a bonus!

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Serve your zone Just point to it in your masterfile zone "example.com" { type master; file "example.com.signed";};

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License TEST!!! $ example.com SOA +dnssec ; > DiG P2 example.com SOA +dnssec ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;example.com.IN SOA ;; AUTHORITY SECTION: example.com.100IN SOAns.example.com. zonemaster.example.com. ( ; serial 100 ; refresh (1 minute 40 seconds) 200 ; retry (3 minutes 20 seconds) ; expire (1 week) 100 ; minimum (1 minute 40 seconds) ) example.com.100RRSIGSOA ( example.com. mMS8by7lO9SKFv+zQHB/dd0czsmZpsvwrwil gBh12tqK/9kGtuID8f5OvERqwSDhE4e462yF sS8839JlKYndgMJu/cCY1qGIW34tad83P/yu lPWdZO0bDGB8d0BeE4Sj8TbUtSrnJb1ZvByG 0IIB0JKZHRe009SBQAKfXqUnr/E= ) example.com.100NSECdemo.example.com. NS SOA RRSIG NSEC DNSKEY example.com.100RRSIGNSEC ( example.com. ROta6SMQWFoRrmEAdPaHIbViqNJAWYsPZYCG iGodUKVDxGPw/E77rkMdwIKJZk3n/IMHleM+ ce/8v2zU3cBXtJ2BjFKiJ3quDWaJRb33DGWH +SaIOJgc4lHMwcTGzdogGdznCJ0xpbYmV9g8 rCZV59qWJ3sferRYTvRMbEokBh0= ) 100DNSKEY ( AwEAAbMW4ddT7IZ+xHcPkbyimnQEVd/h4lPm VI2ghRdMoy3vY+Y4m0jg4YKL6DSRaWppZpF4 YGVvrL/jWngKUaUOeEDjDLx3e79K9t4ncL66 jKFgB1pOxUKxNSKda9nm4JbjoGZwU+AH4aGc 94fKVb12+jwSx6Y9UNN4E13JHIMeQvnt ) ; key id = 58803;; Query time: 1 msec ;; SERVER: #53( ) ;; WHEN: Wed Sep 17 22:36: ;; MSG SIZE rcvd: 452

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Publish at Parent

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License This was the essence Now Automate

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Automate using Bind Configure your zones to work with dynamic update (IMPORTANT) Add “auto-dnssec” to you configuration allow: use the keys when told to sign (in combination with cron maintained rndc resign) maintain: have the name daemon maintain the signatures (recommended) Use dnssec-settime to prepare your keys

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Or But first let us try to understand keys and timing