SANOG21 Dnssec Tutorial


  • 7/28/2019 SANOG21 Dnssec Tutorial

    1/64

Slide 2/64: Overview

What we will cover
- The problems that DNSSEC addresses
- The protocol and implementations
- Things to take into account to deploy DNSSEC
- The practical problems tied to real-world deployment

Slide 3/64: Contents

- Scope of the problem
- DNS reminders
- DNSSEC concepts
- Deployment & operations
- Issues (what isn't solved) & other aspects
- Status of DNSSEC today
- Live demonstration

Slide 4/64: Scope of the problem

So what are the issues?

DNS Cache Poisoning
- Inject forged data into the cache by either:
  a) returning additional (forged) data outside the scope of the original query
  b) responding to the caching server with forged data before the authoritative server's answer is received
- First issue fixed 20 years ago
- Second issue theoretically very difficult... until Dan Kaminsky in 2008

Slide 5/64: Scope of the problem

What risks?
- Misdirection of queries for an entire domain
- Response to non-existent domains
- MX hijacking
- Make a large domain (SLD or TLD) disappear from an ISP's cache: DoS
- Identity theft using SSL stripping attacks (banks, eGovernance)
- More fun stuff...

These have been spotted in the wild, and code IS available...
See Dan Kaminsky's slides for more details & scenarios
- A great illustrated guide: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Slide 6/64: Refresher


Slide 8/64: DNS reminders

- Record structure:

  NAME        [TTL]   TYPE   DATA (type specific)
  ----------  ------  -----  --------------------
  host.zone.  3600    A      10.20.30.40
  sub.zone.   86400   MX     5 server.otherzone.

Slide 9/64: DNS reminders

- Multiple resource records with same name and type are grouped into Resource Record Sets (RRsets):

  mail.zone.      MX    5 server1.zone.     \ RRset
  mail.zone.      MX    10 server2.zone.    /
  server1.zone.   A     10.20.30.40         \
  server1.zone.   A     10.20.30.41          | RRset
  server1.zone.   A     10.20.30.42         /
  server1.zone.   AAAA  2001:123:456::1     \ RRset
  server1.zone.   AAAA  2001:123:456::2     /
  server2.zone.   A     11.22.33.44           RRset

Slide 10/64: DNS points of attack

Slide 11/64: DNS Data Flow: Points of attack

[Figure: DNS data flow with its attack vectors. DATA path: zone file (text, DB) and dynamic updates feed the MASTER, the MASTER feeds the SLAVES by zone transfer, caching resolvers (recursive) query them on behalf of STUB resolvers. ATTACK VECTORS marked on the diagram: corrupted data, spoofed updates, zone transfer spoofing, spoofing the master (routing/DoS), modified data, cache poisoning, man in the middle.]


Slide 13/64: DNSSEC in a nutshell

- Data authenticity and integrity by signing the Resource Record Sets with a private key
- Public DNSKEYs published, used to verify the RRSIGs
- Children sign their zones with their private key
  Authenticity of that key established by parent signing hash (DS) of the child zone's key
- Repeat for parent...
- Not that difficult on paper
  Operationally, it is a bit more complicated

[Figure: DS -> KEY; KEY signs zone data]

Slide 14/64: Concepts

- New Resource Records (DNSKEY, RRSIG, NSEC/NSEC3 and DS)
- New packet options (CD, AD, DO)
- Setting up a Secure Zone
- Delegating Signing Authority
- Key Rollovers

Slide 15/64: DNSSEC concepts

- Changes DNS trust model from one of open and trusting to one of verifiable
- Use of public key cryptography to provide:
  Authentication of origin
  Data integrity
  Authenticated denial of existence
- No attempt to provide confidentiality (NO encryption)
- DNSSEC does not normally place computational load on the authoritative servers (!= those signing the zone)
- No modifications to the core protocol
  Can coexist with today's infrastructure (EDNS0)

Slide 16/64: DNSSEC concepts

- Build a chain of trust using the existing delegation-based model of distribution that is the DNS
- Don't sign the entire zone, sign an RRset
- Note: the parent DOES NOT sign the child zone. The parent signs a pointer (hash) to the key used to sign the data of the child zone (DS record).

[Figure: delegation chain ORG -> NSRC -> WS, each zone marked SIGNED]

Slide 17/64: New Resource Records

Slide 18/64: DNSSEC: new RRs

Adds five new DNS Resource Records*:
1. DNSKEY: Public key used in zone signing operations.
2. RRSIG: RRset signature
3. NSEC & 4. NSEC3: Returned as verifiable evidence that the name and/or RR type does not exist
5. DS: Delegation Signer. Contains the hash of the public key used to sign the key which itself will be used to sign the zone data. Follow DS RRs until a trusted zone is reached (ideally the root).

* (reference garbled in the extraction)

Slide 19/64: DNSSEC: DNSKEY RR

  MYZONE. 600 DNSKEY 256 3 5 ( AwEAAdevJXb4NxFnDFT0Jg9d/jRhJwzM/YTuPJqpvjRl14WabhabS6vioBX8Vz6XvnCzhlAx ... ) ; key id = 5538

Fields, in order: OWNER, TTL, TYPE, FLAGS, PROTOCOL, ALGORITHM, PUBLIC KEY (BASE64); the KEY ID is shown in the trailing comment.
- FLAGS determines the usage of the key (more on this...)
- PROTOCOL is always 3 (DNSSEC)
- ALGORITHM can be:
  0 reserved
  1 RSA/MD5 (deprecated)
  2 Diffie/Hellman
  3 DSA/SHA-1 (optional)
  4 reserved
  5 RSA/SHA-1 (mandatory in validator)
  8 RSA/SHA-256


Slide 21/64: DNSSEC: KSK and ZSK

- Key Signing Key (KSK)
  pointed to by parent zone in the form of DS (Delegation Signer). Also called Secure Entry Point
  used to sign the Zone Signing Key (ZSK)
- Zone Signing Key (ZSK)
  signed by the Key Signing Key
  used to sign the zone data RRsets
- This decoupling allows for independent updating of the ZSK without having to update the KSK and involve the parent: less administrative interaction.

[Figure: DS -> KSK; KSK signs ZSK; ZSK signs RRsets]

Slide 22/64: DNSSEC: Resource Record SIGnature

RRset signed using ZSK:

  test.myzone. 600 A 1.2.3.4
  test.myzone. 600 A 2.3.4.5

  test.myzone. 600 RRSIG A 5 2 600 20090317182441 ( 20090215182441 5538 myzone. rOXjsOwdIr576VRAoIBfbk0TPtxvp+1PI0XHp1mVwfR3u+ZuLBGxkaJkorEngXuvThV9egBC ... )

RRSIG fields, in order: TYPE COVERED, ALGO, #LABELS, ORIG. TTL, SIG. EXPIR., SIG. INCEP., KEY ID, SIGNER NAME, SIGNATURE
SIGNATURE = SIG(RRSIG-DATA + RRset)

Slide 23/64: DNSSEC: RRSIG

- Typical default values (not a standard, but BP):
  Signature inception time is 1 hour before
  Signature expiration is 30 days from now
  Proper timekeeping (NTP) is required
- What happens when the signatures run out?
  SERVFAIL...
  Your domain effectively disappears from the Internet for validating resolvers
- Note that the keys do not expire.
- Therefore, regular re-signing is part of the operations process (not only when changes occur)
- Not all RRsets need be resigned at the same time
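An added example (not from the tutorial) that applies the points above to the RRSIG and RRset shown on the previous slide: it parses the record, runs the field checks a validator makes before any signature arithmetic, and reports whether the signature is valid, not yet valid or expired at a given instant, which is what a monitoring job should watch. The key id set {5538} is taken from the DNSKEY slide; no cryptographic verification is attempted because the slide's signature blob is truncated.

```python
from datetime import datetime, timedelta, timezone

# The RRset and its RRSIG from the "Resource Record SIGnature" slide, re-typed here.
RRSET = [
    "test.myzone. 600 A 1.2.3.4",
    "test.myzone. 600 A 2.3.4.5",
]
RRSIG = ("test.myzone. 600 RRSIG A 5 2 600 20090317182441 20090215182441 5538 myzone. "
         "rOXjsOwdIr576VRAoIBfbk0TPtxvp+1PI0XHp1mVwfR3u+ZuLBGxkaJkorEngXuvThV9egBC...")
ZONE_KEY_IDS = {5538}   # key id of the DNSKEY shown on the DNSKEY slide


def parse_sigtime(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (wrap-around of the 32-bit field is ignored here)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text: str) -> dict:
    """Split a presentation-format RRSIG into its named fields."""
    f = text.split()
    if f[2] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[3], "algorithm": int(f[4]),
        "labels": int(f[5]), "orig_ttl": int(f[6]),
        "expiration": parse_sigtime(f[7]), "inception": parse_sigtime(f[8]),
        "key_tag": int(f[9]), "signer": f[10], "signature": f[11],
    }


def label_count(owner: str) -> int:
    """RRSIG Labels field: number of labels, excluding the root and a leading '*'."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return len(labels) - (1 if labels and labels[0] == "*" else 0)


def rrsig_problems(rrsig_text: str, rrset: list, known_key_ids: set) -> list:
    """Structural checks from RFC 4035 section 5.3.1; an empty list means the RRSIG fits the RRset."""
    sig = parse_rrsig(rrsig_text)
    problems = []
    owners = {rr.split()[0] for rr in rrset}
    types = {rr.split()[2] for rr in rrset}
    ttls = {int(rr.split()[1]) for rr in rrset}
    if owners != {sig["owner"]}:
        problems.append("owner name of RRset and RRSIG differ")
    if types != {sig["type_covered"]}:
        problems.append("type covered does not match the RRset type")
    if ttls != {sig["orig_ttl"]}:
        problems.append("original TTL does not match the RRset TTL")
    if sig["labels"] > label_count(sig["owner"]):
        problems.append("labels field exceeds the owner name's label count")
    if sig["owner"] != sig["signer"] and not sig["owner"].endswith("." + sig["signer"]):
        problems.append("signer name is not the zone containing the owner")
    if sig["key_tag"] not in known_key_ids:
        problems.append("no DNSKEY with this key id")
    return problems


def validity(rrsig_text: str, when: str) -> str:
    """'valid', 'not yet valid' or 'expired' at instant `when` (the last two mean SERVFAIL)."""
    sig = parse_rrsig(rrsig_text)
    now = parse_sigtime(when)
    if now < sig["inception"]:
        return "not yet valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"


def window_days(rrsig_text: str) -> float:
    """Length of the inception-to-expiration window in days (30 on the slide)."""
    sig = parse_rrsig(rrsig_text)
    return (sig["expiration"] - sig["inception"]) / timedelta(days=1)


def days_left(rrsig_text: str, when: str) -> float:
    """Days until expiry at instant `when`; negative once the signature has run out."""
    sig = parse_rrsig(rrsig_text)
    return (sig["expiration"] - parse_sigtime(when)) / timedelta(days=1)


if __name__ == "__main__":
    print("problems:", rrsig_problems(RRSIG, RRSET, ZONE_KEY_IDS))
    print("window:", window_days(RRSIG), "days; on 2009-03-01:", validity(RRSIG, "20090301000000"))
```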

Slide 24/64: DNSSEC: NSEC/NSEC3

- Proof of non-existence using NSEC & NSEC3
- Remember, the authoritative servers are serving precalculated records. No on-the-fly generation
  NSEC provides a pointer to the Next SECure record in the chain of records.
  "There are no other records between this one and the next", signed.
  The entire zone is sorted lexicographically. To illustrate:

  myzone.      NS     ...
  ace.myzone.  A      ...
  bob.myzone.  CNAME  ...
  cat.myzone.  A      ...
  eel.myzone.  MX


Slide 26/64: DNSSEC: NSEC/NSEC3

- If the server responds NXDOMAIN:
  One or more NSEC RRs indicate that the name (or a wildcard expansion) does not exist
- If the server's response is NOERROR:
  ...and the answer section is empty
  The NSEC proves that the TYPE did not exist
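To make the NXDOMAIN and NOERROR-with-empty-answer cases concrete, here is an added Python example (not from the tutorial) that builds an NSEC chain over the toy zone from the earlier NSEC slide, the way a signer does, and shows which NSEC record a validator would use for each kind of answer. The zone contents are constructed; wildcard and closest-encloser proofs are left out.

```python
# Constructed toy zone with the owner names from the NSEC slide. Only owner names and
# type sets matter for the proof, so record data is omitted.
RECORDS = {
    "myzone.":     {"SOA", "NS"},
    "ace.myzone.": {"A"},
    "bob.myzone.": {"CNAME"},
    "cat.myzone.": {"A"},
    "eel.myzone.": {"MX"},
}


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 canonical ordering: compare labels right to left, case-insensitively."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def build_nsec_chain(records: dict) -> list:
    """Sort owners canonically and link each to the next; the last one wraps to the apex.
    Each entry is (owner, next_owner, types); the NSEC and its RRSIG are part of the type bitmap."""
    owners = sorted(records, key=canonical_key)
    chain = []
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]
        chain.append((owner, nxt, sorted(records[owner] | {"NSEC", "RRSIG"})))
    return chain


def covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next (handling the wrap-around interval)."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC of the chain: everything after it, up to the apex


def in_zone(apex: str, qname: str) -> bool:
    a, q = canonical_key(apex), canonical_key(qname)
    return q[:len(a)] == a


def prove(chain: list, qname: str, qtype: str) -> tuple:
    """Return (rcode, proof) as a validating resolver reads the NSEC in the answer."""
    apex = chain[0][0]            # the apex has the fewest labels, so it sorts first
    if not in_zone(apex, qname):
        raise ValueError(f"{qname} is not in zone {apex}")
    for owner, nxt, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            if qtype in types:
                return ("NOERROR", f"{owner} has {qtype}")
            # NOERROR with an empty answer: the NSEC's type bitmap lacks qtype
            return ("NOERROR/NODATA", f"{owner} NSEC {nxt} {' '.join(types)}")
    for owner, nxt, types in chain:
        if covers(owner, nxt, qname):
            # NXDOMAIN: no record lies between owner and next, so qname cannot exist
            return ("NXDOMAIN", f"{owner} NSEC {nxt} {' '.join(types)}")
    raise AssertionError("a complete chain covers every name in the zone")


if __name__ == "__main__":
    chain = build_nsec_chain(RECORDS)
    for owner, nxt, types in chain:
        print(f"{owner:13} NSEC {nxt:13} {' '.join(types)}")
    for q, t in (("dog.myzone.", "A"), ("bob.myzone.", "A"), ("cat.myzone.", "A")):
        print(q, t, "->", prove(chain, q, t))
```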

Slide 27/64: DNSSEC: NSEC/NSEC3

- What about NSEC3?
  We won't get into details here:
  Don't sign the name of the Next SECure record, but a hash of it.
  Still possible to prove non-existence, without revealing the name.
  This is a simplified explanation. RFC 5155 covering NSEC3 is long!
  Also introduces the concept of opt-out (see section 6 of the RFC) for delegation-centric zones:
  Don't bother signing RRsets for delegations which you know don't implement DNSSEC.

Slide 28/64: DNSSEC: DS

- Delegation Signer
- Hash of the KSK of the child zone
- Stored in the parent zone, together with the NS RRs indicating a delegation of the child zone
- The DS record for the child zone is signed together with the rest of the parent zone data
  NS records are NOT signed (they are a hint/pointer)

  myzone. DS 61138 5 1 F6CD025B3F5D0304089505354A0115584B56D683
  myzone. DS 61138 5 2 CCBC0B557510E4256E88C01B0B1336AC4ED6FE08C8268CC1AA5FBF005DCE3210

digest = hash(canonical FQDN on KEY RR | KEY_RR_rdata)
Digest type 1 = SHA-1, 2 = SHA-256
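The key id from the DNSKEY slide and the digest formula above, worked through in Python. This is an added example, not code from the tutorial: it builds the wire-format DNSKEY RDATA, computes the key tag (RFC 4034 Appendix B) and the SHA-1 and SHA-256 DS digests over the canonical owner name plus RDATA, then prints the two DS records a parent would publish. The DNSKEY used is a constructed, deliberately tiny key (the slide's own key is truncated), so the digests are illustrative only.

```python
import base64
import hashlib
import struct

# Constructed example DNSKEY in presentation format (not the page's truncated key):
# flags 257 = KSK / Secure Entry Point, protocol 3, algorithm 8 = RSA/SHA-256.
# The base64 "AQID" decodes to bytes 01 02 03, small enough to check the key tag by hand.
EXAMPLE_OWNER = "myzone."
EXAMPLE_DNSKEY = "257 3 8 AQID"

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types named on the slide


def dnskey_rdata(presentation: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    flags, protocol, algorithm, *key_b64 = presentation.split()
    public_key = base64.b64decode("".join(key_b64))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + public_key


def key_tag(rdata: bytes) -> int:
    """Key id ("key tag") per RFC 4034 Appendix B: a checksum-style 16-bit sum over the RDATA.
    Algorithm 1 (RSA/MD5) uses a different rule and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_wire_name(name: str) -> bytes:
    """Canonical wire form of an FQDN: lowercase, length-prefixed labels, terminated by the root (0)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """digest = hash(canonical FQDN of the KEY RR | KEY RR RDATA), as uppercase hex."""
    h = DIGEST_ALGS[digest_type](canonical_wire_name(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, presentation: str, digest_type: int) -> str:
    """Presentation-format DS record: owner DS keytag algorithm digesttype digest."""
    rdata = dnskey_rdata(presentation)
    algorithm = rdata[3]
    return f"{owner} DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


if __name__ == "__main__":
    for dt in (1, 2):
        print(ds_record(EXAMPLE_OWNER, EXAMPLE_DNSKEY, dt))
```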

Slide 29/64: DNSSEC: DS

- Two hashes generated by default:
  1 SHA-1: Mandatory support for validator
  2 SHA-256: Mandatory support for validator
- New algorithms are being standardised upon
- This will happen continually as algorithms are broken/proven to be unsafe

Slide 30/64: DNSSEC: new fields/flags

- Updates DNS protocol at the packet level
- Non-compliant DNS recursive servers should ignore these:
  CD: Checking Disabled (ask recursing server to not perform validation, even if DNSSEC signatures are available and verifiable, i.e.: a Secure Entry Point can be found)
  AD: Authenticated Data, set on the answer by the validating server if the answer could be validated, and the client requested validation
- A new EDNS0 option
  DO: DNSSEC OK (EDNS0 OPT header) to indicate client support for DNSSEC options

Slide 31/64: Demo: the new records

Slide 32/64: Security Status of Data (RFC 4033 section 5 & RFC 4035 section 4.3)

- Secure
  Resolver is able to build a chain of signed DNSKEY and DS RRs from a trusted security anchor to the RRset
- Insecure
  Resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset
- Bogus
  Resolver believes that it ought to be able to establish a chain of trust but is unable to do so
  May indicate an attack but may also indicate a configuration error or some form of data corruption
- Indeterminate
  No trust anchor to indicate if the zone and children should be secure.
  Resolver is not able to determine whether the RRset should be signed.

Slide 33/64: Signing a zone...

Slide 34/64: Enabling DNSSEC

- Multiple systems involved
  Stub resolvers
    Nothing to be done... but more on that later
  Caching resolvers (recursive)
    Enable DNSSEC validation
    Configure trust anchors manually (or DLV)
  Authoritative servers
    Enable DNSSEC code (if required).
    Signing & serving need not be performed on same machine.
    Signing system can be offline

Slide 35/64: Signing the zone (using the BIND tools)

1. Generate key pairs
2. Include public DNSKEYs in zone file
3. Sign the zone using the secret key ZSK
4. Publishing the zone
5. Push DS record up to your parent
6. Wait...

Slide 36/64: 1. Generating the keys

  # Generate ZSK
  dnssec-keygen [-a rsasha1 -b 1024] -n ZONE myzone

  # Generate KSK
  dnssec-keygen [-a rsasha1 -b 2048] -n ZONE -f KSK myzone

This generates 4 files:

  Kmyzone.+005+id_of_zsk.key
  Kmyzone.+005+id_of_zsk.private
  Kmyzone.+005+id_of_ksk.key
  Kmyzone.+005+id_of_ksk.private

Slide 37/64: 2. Including the keys into the zone

Include the DNSKEY records for the ZSK and KSK into the zone, to be signed with the rest of the data:

  cat Kmyzone*key >> myzone

or add to the end of the zone file:

  $INCLUDE Kmyzone.+005+id_of_zsk.key
  $INCLUDE Kmyzone.+005+id_of_ksk.key

Slide 38/64: 3. Signing the zone

Sign your zone:

  # dnssec-signzone myzone

- dnssec-signzone will be run with all defaults for signature duration, the serial will not be incremented by default, and the private keys to use for signing will be automatically determined.
- Signing will:
  Sort the zone (lexicographically)
  Insert:
  . NSEC records (NSEC is default)
  . RRSIG records (signature of each RRset)
  . DS records from child keyset files (for parent: -g option)
  Generate key-set and DS-set files, to be communicated to the parent

Slide 39/64: 3. Signing the zone (2)

- ISC BIND
  Since version 9.7.0, automated zone signing
  Makes life much easier
  Key generation, management & rollover still needs to be done separately
  Version 9.8.0 introduces inline signing
  Easier integration in existing chain of production

Slide 40/64: 4. Publishing the signed zone

- Publish signed zone by reconfiguring the nameserver to load the signed zone file.
- ...but you still need to communicate the DS RRset in a secure fashion to your parent, otherwise no one will know you use DNSSEC

Slide 41/64: 5. Pushing DS record to parent

- Need to securely communicate the KSK-derived DS record set to the parent
  RFCs 4310, 5011
- ...but what if your parent isn't DNSSEC-enabled?
  DLV

Slide 42/64: Enabling DNSSEC in the resolver

- Configure forwarding resolver to validate DNSSEC
- Test...
- Remember, validation is only done in the resolver
- Others need to enable DNSSEC validation: it doesn't help if you are the only one doing it!

Slide 43/64: Questions so far?

Summary
  Generating keys
  Signing and publishing the zone
  Resolver configuration
  Testing the secure zone

Slide 44/64: Signature expiration

- Signatures are per default 30 days (BIND)
- Need for regular resigning:
  To maintain a constant window of validity for the signatures of the existing RRsets
  To sign new and updated RRsets
  Use of jitter to avoid having to resign all expiring RRsets at the same time
- The keys themselves do NOT expire...
  But they may need to be rolled over...

Slide 45/64: Key Rollovers

- Try to minimise impact
  Short validity of signatures
  Regular key rollover
- Remember: DNSKEYs do not have timestamps
  the RRSIG over the DNSKEY has the timestamp
- Key rollover involves second party or parties:
  State to be maintained during rollover
  Operationally expensive
- RFC 5011 + BIND support
- See http://www.potaroo.net/ispcol/2010-02/rollover.html


Slide 48/64: Key Rollovers

- KSK Rollover Using the Double Signature Method
  1. wait for old zone data to expire from caches
  2. generate a new (published) KSK
  3. wait for the old DNSKEY RRset to expire from caches
  4. roll the KSKs
  5. transfer new DS keyset to the parent
  6. wait for parent to publish the new DS record
  7. reload the zone
  It is also possible to use dual DS in the parent zone

Slide 49/64: Automated toolkits

- Luckily, a number of toolkits already exist to make DNSSEC operations as smooth as possible
- Doesn't solve all problems yet, such as interaction with parent and children (DS management), but take care of all the rough edges of running a PKI (yes, that's what it is...)
- http://www.dnssec.net/software
  www.opendnssec.org
  www.dnssec-tools.org
  http://www.hznet.de/dns/zkt/

Slide 50/64: So, what does DNSSEC protect?

[Figure: the same DNS data flow diagram as the "Points of attack" slide (STUB resolvers, caching resolvers (recursive), MASTER, SLAVES, zone file (text, DB), dynamic updates; ATTACK VECTORS: man in the middle, cache poisoning, modified data, zone transfer spoofing, spoofing the master (routing/DoS), spoofed updates, corrupted data), now overlaid with the area labelled PROTECTION BY DNSSEC; one link is marked (TSIG).]

Slide 51/64: What doesn't it protect?

- Confidentiality
  The data is not encrypted
- Communication between the stub resolver (i.e: your OS/desktop) and the caching resolver.
  For this, you would have to use TSIG, SIG(0), or you will have to trust your resolver
  It performs all validation on your behalf
- Still need to do validation yourself if you don't trust your upstream's nameservers

Slide 52/64: Validating the chain of trust

Slide 53/64: Why the long timeframe?

Many different reasons...
- Lack of best practice. Ops experience scarce
- Risks of failure (failure to sign, failure to update) which will result in your zone disappearing
- Specification has changed several times
  NSEC allows for zone enumeration
- Until 2008, DNSSEC a solution w/o problem
- Delay in getting the root signed (politics)
- Increased fragility: resolution less tolerant to brokenness!
- Failed validation penalizes client, not owner

Slide 54/64: Walking the Chain of Trust (slide courtesy RIPE)

[Figure: the chain from a locally configured trusted key down to www.nsrc.org., reproduced as text; key material is abbreviated as on the slide and key ids are in parentheses]

Trusted Key (Locally Configured): . 8907

nsrc.org.
  nsrc.org.      DNSKEY (...) rwx002 (4252) ; KSK
  nsrc.org.      DNSKEY (...) sovP42 (1111) ; ZSK
  nsrc.org.      RRSIG DNSKEY (...) 4252 nsrc.org. 5t...
  www.nsrc.org.  A 202.12.29.5
  www.nsrc.org.  RRSIG A (...) 1111 nsrc.org. a3...

org.
  org.           DNSKEY (...) q3dEw (7834) ; KSK
  org.           DNSKEY (...) 5TQ3s (5612) ; ZSK
  org.           RRSIG DNSKEY (...) 7834 org. cMas
  nsrc.org.      DS 4252 3 1 ab15
  nsrc.org.      RRSIG DS (...) 5612 org.

(root).
  .              DNSKEY (...) 5TQ3s (8907) ; KSK
  .              DNSKEY (...) lasE5 (2983) ; ZSK
  .              RRSIG DNSKEY (...) 8907 . 69Hw9
  org.           DS 7834 3 1 ab15
  org.           RRSIG DS (...) 2983 .

Slide 55/64: DNSSEC Deployment & Operations

Slide 56/64: Deploying DNSSEC: the boring bits

- A DPS (DNSSEC Policy & Practice Statement)
  http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework-03
  Details the design, implementation, methods and practices governing the operation of a DNSSEC signed zone
  Helps external parties review/scrutinize the process and evaluate the trustworthiness of the system.
- Existing operational framework in which to insert the DNSSEC process
  much larger chance of shooting oneself in the foot if the organisation doesn't have proper operational procedures in the first place.

Slide 57/64: What does it take to deploy DNSSEC? (2)

- Monitoring

[Figure: signing pipeline DB -> export -> completeness check and validate -> SIGN (HSM) -> PUBLISH -> serve. The sample records www A 1.2.3.4 and xyz A 2.3.4.5 are shown at each stage; at the end only www A 1.2.3.4 appears, flagged with "!".]

Slide 58/64: Deployment hurdles and other issues

Slide 59/64: Lack of operational experience...

Everyone talks about DNSSEC
- ...but few people have real hands-on experience with day-to-day operations
- One can't just turn DNSSEC on and off
  no longer signing the zone isn't enough
  parent needs to stop publishing DS record + signatures
- Failure modes are fairly well known, but recovery procedures cumbersome and need manual intervention

Slide 60/64: DS publication mechanisms

Standardized way to communicate DS to parent, but not widely deployed, or different method used
  SSL upload?
  PGP/GPG signed mail?
  EPP extension (RFC 4310)
- Remember, this should happen securely
- Redelegation or change of registrant when the zone is signed
  Share the key during the transition?
  Turn off DNSSEC for the time?
  What if the original administrator is not cooperative?
  Policy issues

Slide 61/64: EDNS0 and broken firewalls, DNS servers

DNSSEC implies EDNS0
  Larger DNS packets means > 512 bytes
  EDNS0 not always recognized/allowed by firewall
  TCP filtering, overzealous administrators...
- Many hotel network infrastructures (maybe this one as well) do not allow DNSSEC records through, or interfere with DNS resolution
  Captive portals, redirections

Slide 62/64: Application awareness

- Applications don't know about DNSSEC, mostly
  Users cannot see why things failed
  Push support questions back to network staff
  Compare with SSL failures (for users who can read...)
- There are APIs, currently 2
  - http://tools.ietf.org/id/draft-hayatnagarkar-dnsext-validator-api-07.txt
  - http://www.unbound.net/documentation/index.html
  Firefox plugin, Chrome support
  What if applications explicitly set +CD?

Slide 63/64: Securing the last link

- Stub resolvers remain open to man in the middle attacks
  Not many ways around this
  Either trust your resolver, use TSIG or validate yourself
- Work is being done to address these issues
  DNS over other transport protocols to work around excessive filtering
  dnssec-trigger project (http://www.nlnetlabs.nl/projects/dnssec-trigger/)

Slide 64/64: OPCODE=0 ?