7/28/2019 SANOG21 Dnssec Tutorial
1/64
Overview
What we will cover
- The problems that DNSSEC addresses
- The protocol and implementations
- Things to take into account to deploy DNSSEC
- The practical problems tied to real-world deployment

Contents
- Scope of the problem
- DNS reminders
- DNSSEC concepts
- Deployment & operations
- Issues (what isn't solved) & other aspects
- Status of DNSSEC today
- Live demonstration

Scope of the problem
So what are the issues?
DNS Cache Poisoning
- Inject forged data into the cache by either:
  a) returning additional (forged) data outside the scope of the original query
  b) responding to the caching server with forged data before the authoritative server's answer is received
First issue fixed 20 years ago
Second issue theoretically very difficult... until Dan Kaminsky in 2008

Scope of the problem
What risks?
- Misdirection of queries for an entire domain
- Response to non-existent domains
- MX hijacking
- Make a large domain (SLD or TLD) disappear from an ISP's cache: DoS
- Identity theft using SSL stripping attacks (banks, eGovernance)
- More fun stuff...
These have been spotted in the wild, and code IS available...
See Dan Kaminsky's slides for more details & scenarios
- A great illustrated guide: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Refresher

DNS reminders
- Record structure:
  NAME          [TTL]   TYPE   DATA (type specific)
  -----------------------------------------------------
  host.zone.    3600    A      10.20.30.40
  sub.zone.     86400   MX     5 server.otherzone.

DNS reminders
- Multiple resource records with same name and type are grouped into Resource Record Sets (RRsets):
  mail.zone.      MX    5 server1.zone.     \ RRset
  mail.zone.      MX    10 server2.zone.    /
  server1.zone.   A     10.20.30.40         \
  server1.zone.   A     10.20.30.41          } RRset
  server1.zone.   A     10.20.30.42         /
  server1.zone.   AAAA  2001:123:456::1     \ RRset
  server1.zone.   AAAA  2001:123:456::2     /
  server2.zone.   A     11.22.33.44         } RRset

DNS points of attack

DNS Data Flow: Points of attack
[Diagram. DATA flow: zone file (text, DB) and dynamic updates -> MASTER -> SLAVES -> caching resolver (recursive) -> STUB resolver.
ATTACK VECTORS shown along that path: corrupted data, spoofed updates, zone transfer spoofing, spoofing master (routing/DoS), cache poisoning, man in the middle, modified data.]

DNSSEC in a nutshell
- Data authenticity and integrity by signing the Resource Records Sets with a private key
- Public DNSKEYs published, used to verify the RRSIGs
- Children sign their zones with their private key
  Authenticity of that key established by parent signing hash (DS) of the child zone's key
- Repeat for parent...
- Not that difficult on paper
  Operationally, it is a bit more complicated
[Diagram: DS -> KEY -> KEY signs zone data]

Concepts
- New Resource Records (DNSKEY, RRSIG, NSEC/NSEC3 and DS)
- New packet options (CD, AD, DO)
- Setting up a Secure Zone
- Delegating Signing Authority
- Key Rollovers

DNSSEC concepts
- Changes DNS trust model from one of open and trusting to one of verifiable
- Use of public key cryptography to provide:
  Authentication of origin
  Data integrity
  Authenticated denial of existence
- No attempt to provide confidentiality (NO encryption)
- DNSSEC does not normally place computational load on the authoritative servers (!= those signing the zone)
- No modifications to the core protocol
  Can coexist with today's infrastructure (EDNS0)

DNSSEC concepts
- Build a chain of trust using the existing delegation-based model of distribution that is the DNS
- Don't sign the entire zone, sign a RRset
- Note: the parent DOES NOT sign the child zone. The parent signs a pointer (hash) to the key used to sign the data of child zone (DS record)
[Diagram: . (root) -> ORG -> NSRC -> WS, each zone marked SIGNED]

New Resource Records

DNSSEC: new RRs
Adds five new DNS Resource Records*:
1. DNSKEY: Public key used in zone signing operations.
2. RRSIG: RRset signature
3. NSEC & 4. NSEC3: Returned as verifiable evidence that the name and/or RR type does not exist
5. DS: Delegation Signer. Contains the hash of the public key used to sign the key which itself will be used to sign the zone data. Follow DS RRs until a trusted zone is reached (ideally the root).

DNSSEC: DNSKEY RR
MYZONE. 600 DNSKEY 256 3 5 ( AwEAAdevJXb4NxFnDFT0Jg9d/jRhJwzM/YTuPJqpvjRl14WabhabS6vioBX8Vz6XvnCzhlAx ... ) ; key id = 5538
Fields: OWNER, TTL, TYPE, FLAGS, PROTOCOL, ALGORITHM, PUBLIC KEY (BASE64), KEY ID
- FLAGS determines the usage of the key (more on this...)
- PROTOCOL is always 3 (DNSSEC)
- ALGORITHM can be:
  0 reserved
  1 RSA/MD5 (deprecated)
  2 Diffie/Hellman
  3 DSA/SHA-1 (optional)
  4 reserved
  5 RSA/SHA-1 (mandatory in validator)
  8 RSA/SHA-256

DNSSEC: KSK and ZSK
- Key Signing Key (KSK)
  pointed to by parent zone in the form of DS (Delegation Signer). Also called Secure Entry Point
  used to sign the Zone Signing Key (ZSK)
- Zone Signing Key (ZSK)
  signed by the Key Signing Key
  used to sign the zone data RRsets
- This decoupling allows for independent updating of the ZSK without having to update the KSK, and involve the parent: less administrative interaction.
[Diagram: DS -> KSK; KSK signs ZSK; ZSK signs RRsets]

DNSSEC: Resource Record SIGnature
RRset signed using ZSK:
test.myzone. 600 RRSIG A 5 2 600 20090317182441 ( 20090215182441 5538 myzone. rOXjsOwdIr576VRAoIBfbk0TPtxvp+1PI0XHp1mVwfR3u+ZuLBGxkaJkorEngXuvThV9egBC ... )
Fields: TYPE (RRSIG), TYPE COVERED (A), ALGO (5), #LABELS (2), ORIG. TTL (600), SIG. EXPIR. (20090317182441), SIG. INCEP. (20090215182441), KEY ID (5538), SIGNER NAME (myzone.), SIGNATURE = SIG(RRSIG-DATA + RRset)
The RRset covered:
test.myzone. 600 A 1.2.3.4
test.myzone. 600 A 2.3.4.5

DNSSEC: RRSIG
- Typical default values (not a standard, but BP):
  Signature inception time is 1 hour before
  Signature expiration is 30 days from now
  Proper timekeeping (NTP) is required
- What happens when the signatures run out?
  SERVFAIL...
  Your domain effectively disappears from the Internet for validating resolvers
- Note that the keys do not expire.
- Therefore, regular re-signing is part of the operations process (not only when changes occur)
- Not all RRsets need be resigned at the same time

DNSSEC: NSEC/NSEC3
- Proof of non-existence using NSEC & NSEC3
- Remember, the authoritative servers are serving precalculated records. No on-the-fly generation
  NSEC provides a pointer to the Next SECure record in the chain of records.
  There are no other records between this one and the next, signed.
  The entire zone is sorted lexicographically; to illustrate:
  myzone.       NS     ...
  ace.myzone.   A      ...
  bob.myzone.   CNAME  ...
  cat.myzone.   A      ...
  eel.myzone.   MX

DNSSEC: NSEC/NSEC3
- If the server responds NXDOMAIN:
  One or more NSEC RRs indicate that the name (or a wildcard expansion) does not exist
- If the server's response is NOERROR:
  ...and the answer section is empty
  The NSEC proves that the TYPE did not exist
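The ordering logic behind an NXDOMAIN proof, as an added example that is not part of the tutorial: it applies the canonical name ordering the zone is sorted in and checks whether a queried name falls in the gap an NSEC record asserts is empty. The NSEC chain is constructed from the slide's illustration (ace, bob, cat, eel under myzone.); signature checking and wildcard handling are left out.

```python
# Added example (not from the tutorial): check whether an NSEC record proves that a
# queried name does not exist. The chain below is constructed from the slide's
# illustration; only the ordering/coverage logic is shown, not RRSIG verification.
from typing import List, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for RFC 4034 section 6.1 canonical ordering: compare labels from the
    root end (right to left), case-insensitively; a name sorts before its subdomains."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(l.encode("ascii") for l in reversed(labels))


def nsec_covers(owner: str, next_name: str, apex: str, qname: str) -> bool:
    """True if 'owner NSEC next_name' asserts an empty gap that contains qname. The last
    NSEC in the chain points back to the apex, so its gap wraps to the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(apex):          # last record in the chain: wrap-around
        return q > o
    return o < q < n


def is_subdomain(name: str, zone: str) -> bool:
    """Does name fall under the zone apex (so this zone is authoritative for it)?"""
    n, z = canonical_key(name), canonical_key(zone)
    return n[:len(z)] == z


def proves_nxdomain(nsec_chain: List[Tuple[str, str]], apex: str, qname: str) -> bool:
    """Given the (owner, next) pairs of a zone's NSEC chain, decide whether one of them
    covers qname. A name that is itself an NSEC owner exists, so no NXDOMAIN proof holds."""
    if not is_subdomain(qname, apex):
        return False
    if any(canonical_key(owner) == canonical_key(qname) for owner, _ in nsec_chain):
        return False
    return any(nsec_covers(o, n, apex, qname) for o, n in nsec_chain)


# Constructed NSEC chain for the slide's sorted zone (owner -> next secure name).
CHAIN = [
    ("myzone.", "ace.myzone."),
    ("ace.myzone.", "bob.myzone."),
    ("bob.myzone.", "cat.myzone."),
    ("cat.myzone.", "eel.myzone."),
    ("eel.myzone.", "myzone."),           # wraps back to the apex
]

if __name__ == "__main__":
    for q in ("bat.myzone.", "Zed.MyZone.", "bob.myzone.", "bob.other."):
        print(q, proves_nxdomain(CHAIN, "myzone.", q))
```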

DNSSEC: NSEC/NSEC3
- What about NSEC3?
  We won't get into details here:
  Don't sign the name of the Next SECure record, but a hash of it.
  Still possible to prove non-existence, without revealing name.
  This is a simplified explanation. RFC 5155 covering NSEC3 is long!
  Also introduces the concept of opt-out (see section 6 of the RFC) for delegation-centric zones
  Don't bother signing RRsets for delegations which you know don't implement DNSSEC.

DNSSEC: DS
- Delegation Signer
- Hash of the KSK of the child zone
- Stored in the parent zone, together with the NS RRs indicating a delegation of the child zone
- The DS record for the child zone is signed together with the rest of the parent zone data
  NS records are NOT signed (they are a hint/pointer)
myzone. DS 61138 5 1 F6CD025B3F5D0304089505354A0115584B56D683
myzone. DS 61138 5 2 CCBC0B557510E4256E88C01B0B1336AC4ED6FE08C8268CC1AA5FBF005DCE3210
digest = hash(canonical FQDN on KEY RR | KEY_RR_rdata)
Digest type 1 = SHA-1, 2 = SHA-256

DNSSEC: DS
- Two hashes generated by default:
  1 SHA-1: Mandatory support for validator
  2 SHA-256: Mandatory support for validator
- New algorithms are being standardised upon
- This will happen continually as algorithms are broken/proven to be unsafe
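The DS derivation from the two DS slides, worked through as an added example (not the tutorial's code): it computes the key tag shown as "key id" on the DNSKEY slide, builds the SHA-1 and SHA-256 DS records from hash(canonical owner name | DNSKEY rdata), and checks a published DS against a child's DNSKEY, which is the link a validator follows down the chain. The key bytes are a constructed placeholder, not a real RSA key.

```python
# Added example (not from the tutorial): derive a DS record from a DNSKEY and check a
# published DS against a child's DNSKEY, following the slide's formula
#   digest = hash(canonical FQDN of the KEY RR | KEY_RR_rdata)
# The key bytes below are a constructed placeholder, not a real RSA public key.
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # digest type 1 = SHA-1, 2 = SHA-256


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (the 'key id' on the DNSKEY slide), RFC 4034 Appendix B: add the RDATA
    as a sequence of 16-bit words, fold the carry in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> str:
    """Presentation-format DS RR (no TTL, as on the slide): keytag algorithm type digest."""
    algorithm = rdata[3]
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(ds_rr: str, owner: str, rdata: bytes) -> bool:
    """True if a DS published by the parent covers this DNSKEY (the chain-of-trust link):
    key tag, algorithm and digest must all agree."""
    _, _, tag, alg, dtype, digest = ds_rr.split()
    if int(tag) != key_tag(rdata) or int(alg) != rdata[3] or int(dtype) not in DIGEST_ALGS:
        return False
    return make_ds(owner, rdata, int(dtype)).split()[-1] == digest.upper()


# Constructed sample: KSK flags (257), protocol 3, algorithm 8 (RSA/SHA-256), with a
# short placeholder "public key" so the key tag (61623) can be checked by hand.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes.fromhex("030100010ABCDEF0"))

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_KEY))
    for dtype in (1, 2):
        print(make_ds("myzone.", SAMPLE_KEY, dtype))
```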

DNSSEC: new fields/flags
- Updates DNS protocol at the packet level
- Non-compliant DNS recursive servers should ignore these:
  CD: Checking Disabled (ask recursing server to not perform validation, even if DNSSEC signatures are available and verifiable, i.e.: a Secure Entry Point can be found)
  AD: Authenticated Data, set on the answer by the validating server if the answer could be validated, and the client requested validation
- A new EDNS0 option
  DO: DNSSEC OK (EDNS0 OPT header) to indicate client support for DNSSEC options
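Where the three bits live on the wire, as an added example (not from the tutorial): CD and AD are header flag bits, while DO sits in the OPT pseudo-RR of the additional section. The code builds a query with DO and optional CD, and decodes AD/CD from a constructed response header; the layouts follow RFC 1035 and RFC 6891.

```python
# Added example (not from the tutorial): build a DNS query that sets the CD header bit
# and the EDNS0 DO bit, and read AD/CD back from a response header. Sample bytes are
# constructed; no network traffic is involved.
import struct

FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010   # bits of the 16-bit header flags
EDNS_DO = 0x8000                                     # DO bit in the OPT RR "TTL" field
TYPE_OPT = 41


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int, dnssec_ok: bool,
                checking_disabled: bool, udp_size: int = 4096) -> bytes:
    """Header + question + (if DO is wanted) an OPT pseudo-RR in the additional section."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root owner name, type 41, "class" = advertised UDP payload size,
        # "TTL" = ext-rcode(8) | version(8) | DO(1) | Z(15), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_header(packet: bytes) -> dict:
    """Decode the header fields a validating client looks at (AD, CD, RCODE)."""
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "ancount": an, "arcount": ar}


def opt_do_bit(packet: bytes) -> bool:
    """For a single-question, uncompressed packet: locate the OPT RR that follows the
    question and return its DO bit (False if there is no OPT RR)."""
    i = 12
    while packet[i] != 0:                      # skip the question name, label by label
        i += packet[i] + 1
    i += 1 + 4                                  # root byte + qtype/qclass
    if len(packet) < i + 11 or packet[i] != 0:
        return False
    rtype, _udp, ttl = struct.unpack("!HHI", packet[i + 1:i + 9])
    return rtype == TYPE_OPT and bool(ttl & EDNS_DO)


# Constructed response header: id 0x1234, QR|RD|RA|AD set, RCODE NOERROR, one answer.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8000 | FLAG_RD | 0x0080 | FLAG_AD, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("www.nsrc.org.", 1, 0x1234, dnssec_ok=True, checking_disabled=False)
    print(q.hex(), opt_do_bit(q), parse_header(SAMPLE_RESPONSE))
```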

Demo: the new records

Security Status of Data (RFC 4033 section 5 & RFC 4035 section 4.3)
- Secure
  Resolver is able to build a chain of signed DNSKEY and DS RRs from a trusted security anchor to the RRset
- Insecure
  Resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset
- Bogus
  Resolver believes that it ought to be able to establish a chain of trust but for which it is unable to do so
  May indicate an attack but may also indicate a configuration error or some form of data corruption
- Indeterminate
  No trust anchor to indicate if the zone and children should be secure.
  Resolver is not able to determine whether the RRset should be signed.

Signing a zone...

Enabling DNSSEC
- Multiple systems involved
  Stub resolvers: Nothing to be done... but more on that later
  Caching resolvers (recursive): Enable DNSSEC validation. Configure trust anchors manually (or DLV)
  Authoritative servers: Enable DNSSEC code (if required). Signing & serving need not be performed on same machine. Signing system can be offline

Signing the zone (using the BIND tools)
1. Generate keypairs
2. Include public DNSKEYs in zone file
3. Sign the zone using the secret key ZSK
4. Publishing the zone
5. Push DS record up to your parent
6. Wait...

1. Generating the keys
# Generate ZSK
dnssec-keygen [-a rsasha1 -b 1024] -n ZONE myzone
# Generate KSK
dnssec-keygen [-a rsasha1 -b 2048] -n ZONE -f KSK myzone
This generates 4 files:
Kmyzone.+005+id_of_zsk.key
Kmyzone.+005+id_of_zsk.private
Kmyzone.+005+id_of_ksk.key
Kmyzone.+005+id_of_ksk.private

2. Including the keys into the zone
Include the DNSKEY records for the ZSK and KSK into the zone, to be signed with the rest of the data:
cat Kmyzone*key >> myzone
or add to the end of the zone file:
$INCLUDE Kmyzone.+005+id_of_zsk.key
$INCLUDE Kmyzone.+005+id_of_ksk.key

3. Signing the zone
Sign your zone
# dnssec-signzone myzone
- dnssec-signzone will be run with all defaults for signature duration, the serial will not be incremented by default, and the private keys to use for signing will be automatically determined.
- Signing will:
  Sort the zone (lexicographically)
  Insert:
  . NSEC records (NSEC is default)
  . RRSIG records (signature of each RRset)
  . DS records from child keyset files (for parent: -g option)
  Generate key-set and DS-set files, to be communicated to the parent

3. Signing the zone (2)
- ISC BIND
  Since version 9.7.0, automated zone signing
  Makes life much easier
  Key generation, management & rollover still needs to be done separately
  Version 9.8.0 introduces inline signing
  Easier integration in existing chain of production

4. Publishing the signed zone
- Publish signed zone by reconfiguring the nameserver to load the signed zone file.
- ...but you still need to communicate the DS RRset in a secure fashion to your parent, otherwise no one will know you use DNSSEC

5. Pushing DS record to parent
- Need to securely communicate the KSK derived DS record set to the parent
  RFCs 4310, 5011
- ...but what if your parent isn't DNSSEC-enabled?
  DLV

Enabling DNSSEC in the resolver
- Configure forwarding resolver to validate DNSSEC
- Test...
- Remember, validation is only done in the resolver
- Others need to enable DNSSEC validation: it doesn't help if you are the only one doing it!

Questions so far?
Summary
- Generating keys
- Signing and publishing the zone
- Resolver configuration
- Testing the secure zone

Signature expiration
- Signatures are per default 30 days (BIND)
- Need for regular resigning:
  To maintain a constant window of validity for the signatures of the existing RRsets
  To sign new and updated RRsets
  Use of jitter to avoid having to resign all expiring RRsets at the same time
- The keys themselves do NOT expire...
  But they may need to be rolled over...
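The operational side of the RRSIG and signature expiration slides, as an added example that is not the tutorial's code: it checks an RRSIG validity window the way a validator does (outside the window the RRset is bogus although the key is fine), and decides which RRsets to re-sign early, with a per-RRset jitter so that signatures made together do not all expire together. The refresh threshold, the 30-day validity, the 1-hour backdating and the sample records are constructed or taken from the slides' stated defaults.

```python
# Added example (not from the tutorial): RRSIG validity checks plus a re-signing plan
# with jitter. Timestamps use the RRSIG YYYYMMDDHHmmSS UTC format; the records and
# policy values below are constructed around the tutorial's stated defaults.
import hashlib
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def rrsig_state(inception: str, expiration: str, now: datetime) -> str:
    """'valid' inside the window, else 'not yet valid' or 'expired'. Either failure makes
    the RRset bogus for a validating resolver (SERVFAIL), even though the key is fine."""
    inc, exp = parse_ts(inception), parse_ts(expiration)
    if now < inc:
        return "not yet valid"
    if now > exp:
        return "expired"
    return "valid"


def jitter_seconds(owner: str, rrtype: str, spread: timedelta) -> int:
    """Deterministic per-RRset offset in [0, spread) so that signatures created in the
    same run do not all expire in the same second (the slide's 'jitter')."""
    h = hashlib.sha256(f"{owner.lower()}/{rrtype.upper()}".encode()).digest()
    return int.from_bytes(h[:4], "big") % int(spread.total_seconds())


def plan_resign(rrsets, now, refresh=timedelta(days=7), validity=timedelta(days=30),
                jitter=timedelta(days=3), backdate=timedelta(hours=1)):
    """For each (owner, rrtype, inception, expiration): keep the signature if it is valid
    with at least `refresh` left, otherwise re-sign with inception 1 hour before now and
    expiration 30 days ahead minus the RRset's jitter. Returns (owner, type, action, inc, exp)."""
    plan = []
    for owner, rrtype, inc, exp in rrsets:
        remaining = parse_ts(exp) - now
        if rrsig_state(inc, exp, now) == "valid" and remaining >= refresh:
            plan.append((owner, rrtype, "keep", inc, exp))
            continue
        new_exp = now + validity - timedelta(seconds=jitter_seconds(owner, rrtype, jitter))
        plan.append((owner, rrtype, "resign", (now - backdate).strftime(FMT),
                     new_exp.strftime(FMT)))
    return plan


# Constructed sample, evaluated at 2009-03-12 12:00:00 UTC: the A RRset carries the
# slide's RRSIG window and is close to expiry, the MX one is fresh, the TXT one lapsed.
NOW = datetime(2009, 3, 12, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("test.myzone.", "A", "20090215182441", "20090317182441"),
    ("test.myzone.", "MX", "20090305000000", "20090404000000"),
    ("test.myzone.", "TXT", "20090101000000", "20090131000000"),
]

if __name__ == "__main__":
    for row in plan_resign(SAMPLE, NOW):
        print(row)
```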

Key Rollovers
- Try to minimise impact
  Short validity of signatures
  Regular key rollover
- Remember: DNSKEYs do not have timestamps
  the RRSIG over the DNSKEY has the timestamp
- Key rollover involves second party or parties:
  State to be maintained during rollover
  Operationally expensive
- RFC 5011 + BIND support
- See http://www.potaroo.net/ispcol/2010-02/rollover.html

Key Rollovers
- KSK Rollover Using the Double Signature Method
  1. wait for old zone data to expire from caches
  2. generate a new (published) KSK
  3. wait for the old DNSKEY RRset to expire from caches
  4. roll the KSKs
  5. transfer new DS keyset to the parent
  6. wait for parent to publish the new DS record
  7. reload the zone
  It is also possible to use dual DS in the parent zone

Automated toolkits
- Luckily, a number of toolkits already exist to make DNSSEC operations as smooth as possible
- Doesn't solve all problems yet, such as interaction with parent and children (DS management), but take care of all the rough edges of running a PKI (yes, that's what it is...)
- http://www.dnssec.net/software
  www.opendnssec.org
  www.dnssec-tools.org
  http://www.hznet.de/dns/zkt/

So, what does DNSSEC protect?
[Diagram: the DNS data flow from the "Points of attack" slide (zone file (text, DB), dynamic updates -> MASTER -> SLAVES -> caching resolver (recursive) -> STUB resolver, with the same ATTACK VECTORS: corrupted data, spoofed updates, zone transfer spoofing, spoofing master (routing/DoS), cache poisoning, man in the middle, modified data), now annotated with the span covered by PROTECTION BY DNSSEC; the remaining path is marked (TSIG).]

What doesn't it protect?
- Confidentiality
  The data is not encrypted
- Communication between the stub resolver (i.e: your OS/desktop) and the caching resolver.
  For this, you would have to use TSIG, SIG(0), or you will have to trust your resolver
  It performs all validation on your behalf
- Still need to do validation yourself if you don't trust your upstream's nameservers

Validating the chain of trust

Why the long timeframe?
Many different reasons...
- Lack of best practice. Ops experience scarce
- Risks of failure (failure to sign, failure to update) which will result in your zone disappearing
- Specification has changed several times
  NSEC allows for zone enumeration
- Until 2008, DNSSEC a solution w/o problem
- Delay in getting the root signed (politics)
- Increased fragility: resolution less tolerant to brokenness!
- Failed validation penalizes client, not owner

Walking the Chain of Trust (slide courtesy RIPE)
[Diagram, with key data elided as (...) on the slide:]
Trusted Key, Locally Configured: . 8907

(root).
.           DNSKEY (...) 5TQ3s (8907) ; KSK
            DNSKEY (...) lasE5 (2983) ; ZSK
            RRSIG DNSKEY (...) 8907 . 69Hw9
org.        DS 7834 3 1 ab15
            RRSIG DS (...) . 2983

org.
org.        DNSKEY (...) q3dEw (7834) ; KSK
            DNSKEY (...) 5TQ3s (5612) ; ZSK
            RRSIG DNSKEY (...) 7834 org. cMas
nsrc.org.   DS 4252 3 1 ab15
            RRSIG DS (...) org. 5612

nsrc.org.
nsrc.org.   DNSKEY (...) rwx002 (4252) ; KSK
            DNSKEY (...) sovP42 (1111) ; ZSK
            RRSIG DNSKEY (...) 4252 nsrc.org. 5t...
www.nsrc.org. A 202.12.29.5
            RRSIG A (...) 1111 nsrc.org. a3...

DNSSEC Deployment & Operations

Deploying DNSSEC: the boring bits
- A DPS (DNSSEC Policy & Practice Statement)
  http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework-03
  Details the design, implementation, methods and practices governing the operation of a DNSSEC signed zone
  Helps external parties review/scrutinize the process and evaluate the trustworthiness of the system.
- Existing operational framework in which to insert the DNSSEC process
  much larger chance of shooting oneself in foot if the organisation doesn't have proper operational procedures in the first place.

What does it take to deploy DNSSEC? (2)
- Monitoring
[Diagram: the signing pipeline DB -> export -> validate (completeness) -> SIGN (HSM) -> PUBLISH, showing the records www A 1.2.3.4 and xyz A 2.3.4.5 at each stage; the published output shows only www A 1.2.3.4, flagged with "!" as the kind of discrepancy monitoring must catch.]

Deployment hurdles and other issues

Lack of operational experience...
Everyone talks about DNSSEC
- ...but few people have real hands-on experience with day-to-day operations
- One can't just turn DNSSEC on and off
  no longer signing the zone isn't enough
  parent needs to stop publishing DS record + signatures
- Failure modes are fairly well known, but recovery procedures cumbersome and need manual intervention

DS publication mechanisms
Standardized way to communicate DS to parent, but not widely deployed, or different method used
  SSL upload?
  PGP/GPG signed mail?
  EPP extension (RFC 4310)
- Remember, this should happen securely
- Redelegation or change of registrant when the zone is signed
  Share the key during the transition?
  Turn off DNSSEC for the time?
  What if the original administrator is not cooperative?
  Policy issues

EDNS0 and broken firewalls, DNS servers
DNSSEC implies EDNS0
  Larger DNS packets means > 512 bytes
  EDNS0 not always recognized/allowed by firewall
  TCP filtering, overzealous administrators...
- Many hotel network infrastructures (maybe this one as well) do not allow DNSSEC records through, or interfere with DNS resolution
  Captive portals, redirections

Application awareness
- Applications don't know about DNSSEC, mostly
  Users cannot see why things failed
  Push support questions back to network staff
  Compare with SSL failures (for users who can read...)
- There are APIs, currently 2
  - http://tools.ietf.org/id/draft-hayatnagarkar-dnsext-validator-api-07.txt
  - http://www.unbound.net/documentation/index.html
  Firefox plugin, Chrome support
  What if applications explicitly set +CD?

Securing the last link
- Stub resolvers remain open to man in the middle attacks
  Not many ways around this
  Either trust your resolver, use TSIG or validate yourself
- Work is being done to address these issues
  DNS over other transport protocols to work around excessive filtering
  dnssec-trigger project (http://www.nlnetlabs.nl/projects/dnssec-trigger/)
OPCODE=0
?