DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

Similar documents
DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

Assessing and Improving the Quality of DNSSEC

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

SecSpider: Distributed DNSSEC Monitoring and Key Learning

DNS SECurity Extensions technical overview

Algorithm for DNSSEC Trusted Key Rollover

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

Harness Your Internet Activity

A paper on DNSSEC - NSEC3 with Opt-Out

2017 DNSSEC KSK Rollover. Guillermo Cicileo LACNIC March 22, 2017

Hands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

DNSSEC All You Need To Know To Get Started

DNSSec Operation Manual for the.cz and e164.arpa Registers

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

Packet Traces from a Simulated Signed Root

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification

2017 DNSSEC KSK Rollover. DSSEC KSK Rollover

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010

Implementing DNSSEC with DynDNS and GoDaddy

Root Zone DNSSEC KSK Rollover

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

That KSK Roll. Geoff Huston APNIC Labs

Operational Challenges when Implementing DNSSEC

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

Step by step DNSSEC deployment in.se. Anne-Marie Eklund Löwinder Quality & Security

DS TTL shortening experience in.jp

What's so hard about DNSSEC? Paul Ebersman May 2016 RIPE72 Copenhagen

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

DNSSEC for the Root Zone. ICANN 37 Nairobi March 2010

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017

Documentation. Name Server Predelegation Check

Domain Name System Security

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

A Case for Comprehensive DNSSEC Monitoring and Analysis Tools

APNIC DNSSEC APNIC DNSSEC. Policy and Practice Statement. DNSSEC Policy and Practice Statement Page 1 of 12

Session J9: DNSSEC and DNS Security

DNSSECbis Lookaside Validation. Peter Losher Internet Systems Consortium (November 2006)

GDS Resource Record: Generalization of the Delegation Signer Model

DNSSEC KSK-2010 Trust Anchor Signal Analysis

Root Zone DNSSEC KSK Rollover. DSSEC KSK Rollover

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

Migrating an OpenDNSSEC signer (February 2016)

CIRA DNSSEC PRACTICE STATEMENT

Rolling the Root. Geoff Huston APNIC Labs March 2016

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Domain Name System Security

Ebook: DNS FUNDAMENTALS. From a Technical Dow Street, Manchester, NH USA

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

DNSSEC Validators Requirements

Rolling with Confidence: Managing the Complexity of DNSSEC Operations

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

DNSSEC for ISPs workshop João Damas

Measuring the effects of DNSSEC deployment on query load

DNS. Introduction To. everything you never wanted to know about IP directory services

A Security Evaluation of DNSSEC with NSEC Review

Domain Name System Security

THE BRUTAL WORLD OF DNSSEC

SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION

Network Working Group

DNSSEC for the Root Zone. IETF 76 Hiroshima November 2009

DNSSEC HOWTO. A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, $Revision: $

DNSSEC the.se way: Overview, deployment and lessons learned. Anne-Marie Eklund Löwinder Quality & Security Manager

RIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.

DNSSEC en.mx. Network Information Center México

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

Advanced Caching DNS Server

In the Domain Name System s language, rcode 0 stands for: no error condition.

ICANN DNSSEC Workshop Comcast s Operational Experiences 14 March 2012

Root KSK Roll Delay Update

DNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011

By Paul Wouters

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice. Parsons November 2016

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution

Lab 6 Implementing DNSSEC

DNSSEC deployment. Phil Regnauld Hervey Allen

Resilient OpenDNSSEC

Troubleshooting DNSSEC Visually

DNSSEC for the Root Zone. NZNOG Hamilton, NZ January 2010

Securing Domain Name Resolution with DNSSEC

Transcription:

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com)

Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners: Best DNS Security Highest Scalability Highest Reliability All Open Standards Pioneered Intelligent DNS Enabling rules and policies for every DNS request to protect end-users and ensure they reach their intended destination Dr. Paul Mockapetris Inventor of DNS, IETF Chair: 1994-1996 Lifetime award: ACM SIGCOMM 2005 Bob Halley Co-Architect of BIND8 Architect of BIND9 Ted Lemon Developer of ISC-DHCP Co-author of DHCP Handbook Over 30 Standards authored or co-authored Securing the Worlds Largest Carriers DNS Infrastructure with Over 170M Broadband Households 2

DNSSEC in one slide Traversing the chain of trust 2. bear.zoo.com Authorita3ve Servers. (root) Establishing the chain of trust. NS. DNSKEY com. NS com. DS com. RRSIG(DS) DS Record (hashed com DNSKEY) Caching Servers 1. bear.zoo.com 12. A for bear.zoo.com (no DNSSEC) 3. NS, DS, RRSIG(DS) for com 5. NS,DS,RRSIG(DS) for zoo.com* Van3o 7. DNSKEY, RRSIG (DNSKEY) for com 9. A, RRSIG(A) for bear.zoo.com** 4. bear.zoo.com 6. DNSKEY com. com. NS com. DNSKEY zoo.com. NS zoo.com. DS zoo.com. RRSIG(DS) DS Record (hashed zoo.com DNSKEY) 11. DNSKEY, RRSIG (DNSKEY) for zoo.com 8. bear.zoo.com 10. DNSKEY zoo.com. zoo.com. NS zoo.com. DNSKEY bear.zoo.com. A bear.zoo.com. RRSIG(A) If verifica3on is successful the DNS cache is populated with the A record, otherwise SERVFAIL is returned to clients * An appropriate NSEC record and RRSIG(NSEC) are sent if the domain does not exist or is not signed ** An appropriate NSEC record and RRSIG(NSEC) are sent if the domain does not exist 3

What can go wrong Every error in the chain of trust cause resolutions to fail Cryptography requires constant changes Signatures and keys have limited lifetimes DNS data becomes dynamic with static content Cryptographic algorithm may change Software has to be kept up to date or may fail DNS Data becomes bigger A lot of people still believe DNS packets have a maximum size of 512 Bytes and UDP only DNS UDP packets with EDNS0 can get bigger and fragment If that s not enough DNS will switch to TCP Not all network devices might understand this 4

DNS and network devices Van3o Van3o Van3o Van3o 5

DNSSEC network problems Van3o Van3o Van3o Van3o 6

DNSSEC and the network Clients are fine They don t do DNSSEC validation at the moment Windows and MacOSX don t have a validator Only Fedora has and they screw it The home gateway (9 out of 38) discussion only affects geeks Home gateways have gotten better (Thanks AVM) Don t run DNS servers behind firewalls It is possible but it usually requires configuration Firewalls are not made for high qps throughput (to much state) They often break DNS servers defenses Load balancers should not alter DNS packets Mostly applies for Global Server Load Balancing You can use them for pure load distribution 7

Some DNSSEC statistics Number of DNSSEC domains (log scale) 100000 10000 1000 100 10 1 Nov 09 Jan 10 Apr 10 Jun 10.bg.cz.bg.se.cz 8

Some DNSSEC statistics Number of Domains that fail validation 500 400 300 200 100 0.cz.se.bg.bg.se.cz Nov 09 Jan 10 Apr 10 Jun 10 9

Statistics Summary DNSSEC is gaining momentum It s good to see some large registrar taking it in CZ. Some problems they might think about All signatures expire at same time Do not resign or roll everything at once Validation failures will be a problem We need to get operators the tools to mitigate them An insecure domain that resolves might be better than no resolving Who would customers call when amazon.com failed 10

Validation failures How do validation failures happen? The data on the authoritative side is wrong Signatures expired (arpa) New keys without DS delegation at parent Domain owner doesn t care about DNSSEC any longer (register.bg ;-) What can we do that they not happen? Don t require 70 pages documents for people to setup DNSSEC Make the operator interface the same as it used to be Automate the resigning Automate the key rollover Automate the parent/child key relationship 11

Nominum products for DNSSEC All our software has been supporting DNSSEC for years We support NSEC, NSEC3 and all production algorithms Different software for caching and authoritative functions Vantio for DNS caching services Fastest caching server with or without DNSSEC for DNS authoritative services In memory versioning database Configuration All configuration is done on the running server and instantly active No restart or file reload necessary 12

DNS Caching Server Challenges with DNSSEC Seamless resolution of signed and unsigned zones Validation enabled for all domains under a defined trust anchor Add one line to configuration for ITAR trust-anchor-file "/var/nom/vantio/anchors.mf"; Possible to add more keys for islands of trust trusted-keys { a0.com.invalid. 257 3 5 \ "AQO6Cl+slAf +iuiedim9l3kujfhqd7s/ioj03clmopkyctxtk4mrpuul VfvWxDi9Ew/ gj0xlnnx7z9ojhixli+dsrahd8dm0xfbeatvtjsn70gapz gnlmw1rk5ap2dseowk=" }; Possible to remove domains from validation if domain owners screw it negative-trust-anchors { arpa.; register.bg.; }; 13

Authoritative Server Challenges with DNSSEC Signing/resigning zones is CPU intensive leverages multi-core CPUs to sign most zones online, but out of fast path Database size can increase by 6x or more uses optimized database technology to handle large increases in data required by DNSSEC Key Administration Managing Signing of Zones Updating Zones When Data Changes Manual zone file re-signing when records are added, changed or deleted from a zone (via DDNS or edits) Solution is Nominum DNSSEC Packs 14

Nominum DNSSEC Packs An administrative bundle that manages DNSSEC lifecycle automation Automatically sign/resign zones online Automatically rollover keys (e.g. update after 60 days) based on policy All activities done via single command utility ( ans_dnssectool ) (Optionally) Encrypted DNSSEC configuration (ans_dnssectool) (Optionally) Store on removable media (e.g. USB drive) DNSSEC Pack Database Manage lifecycle based on configuration 15

Securing a zone To secure a previously insecure zone, create a pack for it. ans_dnssectool create-pack --name initial example.com What this does: Creates a KSK for the zone. The default is a 2048-bit RSA/SHA1 key. Creates a ZSK for the zone. The default is a 1024-bit RSA/SHA1 key. Gives the initial signing-data the name "initial (used in logging) Result: The server will immediately begin signing the zone Publishes it when signing completes Server logs the publishing progress Automatically resigns zone before signatures expire New records are automatically signed with current keys Online signing support is key to allowing tools to handle signing as transparently as possible 16

What we mean by transparency The hostmasters view Insecure zone @ 300 IN SOA ( ns1 hostmaster 1265702400 3600 600 2592000 300 ) @ 300 IN NS ns1 @ 300 IN NS ns2 ns1 300 IN A 192.0.2.1 ns2 300 IN A 192.0.2.2 www 300 IN A 192.0.2.3 Secure zone @ 300 IN SOA ( ns1 hostmaster 1265702400 3600 600 2592000 300 ) @ 300 IN NS ns1 @ 300 IN NS ns2 ns1 300 IN A 192.0.2.1 ns2 300 IN A 192.0.2.2 www 300 IN A 192.0.2.3 17

And that is what other software or the wire give you example.com. 300 IN SOA ns1.example.com. hostmaster.example.com. 1265702401 3600 600 2592000 300 example.com. 300 IN RRSIG SOA 5 2 300 20100427203428 20100420172928 2790 example.com. RMzVVs/ uv227uaby9bmsvbtpeeau5ai8oa0lsq82/s1e96ak15jkqpof OaUuIUwGLPf3UMO63sK2cx5SjkbRl7tQyVRD6T2dpVoSlBi75+ys1eKV HqE5e0cVVSYS7SZWdlLcpLEZ/fjBYlwqakFIBdaIWiCis1Ebmls7VZy9 r7m= example.com. 300 IN NS ns1.example.com. example.com. 300 IN NS ns2.example.com. example.com. 300 IN RRSIG NS 5 2 300 20100427203428 20100420172928 2790 example.com. Zxt7LBFIExK2a+HV7e+E+noft1JRQfnB0ZOydM1v84Q9sNOR9/ioZQ+3 21hOirE92fYrPj6Qe5fHWH+3Ti1PwWz65+JnvokulBHk3OPn+au7/CUc Va20jLAZ47vs7GmDLURnBN1OU/pes1pSbqoqDAtFjwoUrmcGtCwUAqe8 YkI= example.com. 300 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY example.com. 300 IN RRSIG NSEC 5 2 300 20100427203428 20100420172928 2790 example.com. SVAmmyja6s1du6nn8eQkYbfinjiVFpJXeWsmkarq0qqVHbfU9mkhmAqJ tgehqxnxduhkcbbyntd4xlioxxm6lueveb7sbsejigwauh0pni95q8rx YFM +hj+bh7dtxubzoo1f+jyhtk3jguhr1dn9y+d3i4122pzyohfvplhp KKA= example.com. 3600 IN DNSKEY 257 3 5 AwEAAaEIqFpfKtDclyTsxFkudKjAnKq6bBfAbEG8SrlrhN8tryRRqOdE cdpmsrefmgpjjwbkz9i39tjbycznwchym/gpr96vcztsuzaepohovu+x 9hG5qCG/Luy45shp3UFkVvURCqevYj6uj7ru5uHsAYZewwzcQoUvmVgl aikxfe+j8th0pjf/+5bnarbxws1gkrxrjlvcuswoptehzz6zlcgsqao2 ak5fk9b3qx1hioq64tgabkdlgbwf8pyy3noxk5vcjlnxyvabrfabnfog V7xm44JGaET8LniMJhrLEFlVW6Z0a0ytHUOAiN2cYw0P/mLGqqu9OAGJ Cxuu3y07bmU= example.com. 3600 IN DNSKEY 256 3 5 AwEAAdeD9EWc5olFuUhbW0xp06Zb3C+Lym+8UrpjAB0kdtSTeXr7v5Ww ffqfuu8bu6ac6ljfnaa2spyzthsjk+t71nqaabn3ilsqxjvmqeiyemrx rbymk+/qkodjus/excabepolnry6joez4musamu8nal2nxfhm8jqc9vn 3LugB0ez example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20100427203428 20100420172928 2790 example.com. HnJGACrWQDEiphiZPtJ5q2Ar01glwe8znrkq9uhnM5wr+NDGzQz93utt 1MGrd6P9b81VgeIbCGMoc7E1dKfDc9uch4/mzMkDhDDszSDVS5zke84n 9ZCKnRiz/4pNLkLW32ktNgsMT5/oJ2UXla2gspTgohu/CQi4ZZdnXv2k 6ZY= example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20100818173428 20100420133428 13426 example.com. N +UsDZ8B04S51Y6Ujt/o+MQ5HtxdkRQEaCNEpoMq6WG0QEUvxmrCWAvH cg9x9p12d0gjz36as53cnrcdgmn5bept6d/exihpro9ebtk+zphaoncq a3bjikz3j3hegivirz2y5oexcxly4j0w86c8drpgm5j0w0yxve0raexp RRSIG NSEC ns1.example.com. 300 IN RRSIG NSEC 5 3 300 20100427203428 20100420172928 2790 example.com. Q6VyE0WGs7jUN5qder4f9WpVG9oWsaJ2v07FPwmIxa9uwcefISX6QgMN HIBsRA2YPLYBobNeN9TFMmAVpHPerG5UD45DA4hO2JwLptiU56D2o5AN FsQoTt4WEQ7o1L70NsZ+NfdXj+C6oKTJYlzIQ7u2dH1e2f1Y/yDwwZyl C44= ns2.example.com. 300 IN A 192.0.2.2 ns2.example.com. 300 IN RRSIG A 5 3 300 20100427203428 20100420172928 2790 example.com. BbEKmp2Lb/ Mt9cZtkQ/4H5rZQpy9sTPrEYcfjSKqf324gSd5abwWK47+ VY1WT2WWo2WWXCW1Ir6gJgR5MUuIrw1gEaW7iMHhHctIaAdkDT0Z3gJT Fbl7TqfpiaA2g+xl5d9GdgN3B7EnpLpHZ2asTAmbRoO7F40JrTt+pZ7o bai= ns2.example.com. 300 IN NSEC www.example.com. A RRSIG NSEC ns2.example.com. 300 IN RRSIG NSEC 5 3 300 20100427203428 20100420172928 2790 example.com. MXC2zhyPkQAWPFaL9Y/bZ5U9wDC0goHLa6MEU5nYsEZTjBe52Txxo1j/ kxbcuv0tufetvblc194rtjoo7mwlxk1v1mi0b13vr8v2d9ltryat4px1 IlaV2clQ2NVmI0ERFZSWeEEti4iBfXg2bBuAq2s/vzlEZ5SMqJSSCDV4 GXo= www.example.com. 300 IN A 192.0.2.3 www.example.com. 300 IN RRSIG A 5 3 300 20100427203428 20100420172928 2790 example.com. vakuvf6lrncyzuvwdyfd0j5yepvm+kx9/85blvyegvmimrvgccizrxt5 fbgkgs1+4tqz7if2gahsxsyfufr4e3+z++efnsvgjpujh4bgkjxxg1lo RQWL2HNlocKeyY7hGhSxPX1hP+so7GRd4fZ2UDazQ5wiC7sSTX7xrL9l soq= www.example.com. 300 IN NSEC example.com. A RRSIG NSEC www.example.com. 300 IN RRSIG NSEC 5 3 300 20100427203428 20100420172928 2790 example.com. JnYMUFvVMKxoU9XWI+wD13oSzLkeh7b5QB88n4SKSF4QGZRseTOmCjzq / ntiwm1vis4e3zs09y5evrhb3e8o0gguxdcmi2pausn0j1pdfhkl++yt bzhqtjiis+2cgd0qtjqx4juvkiu1iomlbcijeri28jp6rr5mcurfwwnu 0x4= 18

Example: ZSK rollover Periodically you will want to update your ZSK All that is required as input is the time to do the update ans_dnssectool rollover-zsk --name autumn-zsk --start 20100715211800 example.com Signatures using the new ZSK will be published at 21:18 UTC on July 15, 2010. New keys will be generated and start being used automatically You can provision multiple ZSK key rollovers that all will be stored in the database and executed appropriately 19

3 Levels of Security Default Security Increased Security High Security 20

Default Security zsk stored here Online updates of secure zones DNS queries DNS Authoritative Server DNSSEC configuration database optionally encrypted and optionally stored on removable media Private KSK not in readable format on disk Optionally stored on removable disk (e.g USB drive) 21

Increased Security ZSK is stored here Online updates of secure zones KSK is stored here DNSSEC configuration done here DNS queries manual transfer of DNSSEC pack DNS Authoritative Server DNSSEC pack data transferred by file Transfer over network or manually (e.g. USB drive) Secure Server (DNSSEC pack created here) 22

High Security No private keys stored here No DNSSEC configuration done here (zsk & ksk) All private keys All zone signing done here DNS queries No online updates of secure zones DNS Authoritative Server manual transfer of signed zone data if and secure server are network connected, do zone transfer else, dump contents and manually (e.g. USB drive) load on Secure Server (running copy of ) 23

A word on NSEC3 NSEC3 is not better than NSEC It solves two problems most people don t have Data privacy for zones Large delegation centric zones with only few secure delegations Data privacy is given by obfuscating the pointer to the next record The next entry is not the name but a hash of the name To make it even worse the hash can be called more than once Computation of hash functions use CPU time Opt out NSEC3 records make validation a bit more complicated They tell what parts of the zone are not secured Validator has to check this 24

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback