Implementing DNSSEC with DynDNS and GoDaddy

Similar documents
Testing IPv6 address records in the DNS root

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

ECE 435 Network Engineering Lecture 7

Measuring DNS Vulnerabilities and DNSSEC Challenges from an Irish Perspective. SATIN Conference, NPL, London, 04 th April 2011

Root Zone DNSSEC KSK Rollover. DSSEC KSK Rollover

2017 DNSSEC KSK Rollover. DSSEC KSK Rollover

Troubleshooting DNSSEC Visually

Authoritative-only server & TSIG

FortiNAC SRV Records on Production DNS

Defeating DNS Amplification Attacks. UKNOF Manchester Central, UK January Ralf Weber Senior Infrastructure Architect

Lab 6 Implementing DNSSEC

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018

DNS over IPv6 - A Study in Fragmentation

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

The accidental hacker DNS Amplifica7on Norid registrar seminar Registrarseminar 2013 Oslo, NO wed, december 4th, 2013 Marco Davids

Creating Your Virtual Data Center

DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!

How to Enable Internet for Guest Virtual Machine using Datacard Tata Photon.

6.033 Computer System Engineering

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

Preparation Test AAAA and EDNS0 support Share Your Results Results Reported Testing Period

Crear un centro de datos virtual en AWS

Measuring the effects of DNSSEC deployment on query load

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

ENUM Dialing on Cisco Expressway

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

Cisco Expressway ENUM Dialing

Goal of this session

Domain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.

Objectives. Upon completion you will be able to:

Assessing and Improving the Quality of DNSSEC

Information Network I: The Application Layer. Doudou Fall Internet Engineering Laboratory Nara Institute of Science and Technique

CS118 Discussion 1A, Week 3. Zengwen Yuan Dodd Hall 78, Friday 10:00 11:50 a.m.

Toward Unspoofable Network Identifiers. CS 585 Fall 2009

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

Deploying New DNSSEC Algorithms

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

DNSSEC HOWTO. A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, $Revision: $

DNSSEC All You Need To Know To Get Started

Worst Current Practice. Lutz Donnerhacke IKS GmbH

Hands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

Response Differences between NSD and other DNS Servers

Domain Name Service. DNS Overview. October 2009 Computer Networking 1

Internet Engineering. DNS Message Format. Contents. Robert Elz.

DNSSEC for ISPs workshop João Damas

Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

DNS SECurity Extensions technical overview

CNAME-based Redirection Design Notes

CSE 127: Computer Security Network Security. Kirill Levchenko

Transaction oriented DNS flow analysis (WIP)

CPSC 441 COMPUTER COMMUNICATIONS MIDTERM EXAM SOLUTION

DNSSEC at Penn. Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Conference July 20th 2009

Step by step DNSSEC deployment in.se. Anne-Marie Eklund Löwinder Quality & Security

Evaluation and consideration of multiple responses. Kazunori Fujiwara, JPRS OARC 28

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC. Wes Hardaker

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Internet Engineering Task Force (IETF) Request for Comments: 6725 Category: Standards Track August 2012 ISSN:

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice. Parsons November 2016

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

EDNS Compliance. Mark Andrews

Chapter 19. Domain Name System (DNS)

DNSSEC at Scale. Dani Grant CloudFlare

DNSSEC for ISPs workshop.! João Damas

DNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix

CS 3640: Introduction to Networks and Their Applications

Monitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein

Qwest IPv6. Engineering & Certification 1/31/2011. Government Services

4. Performance Specifications. 4.1 Goals and intentions of Service Level Agreements and Public Service Monitoring. Goals of Service Level Agreements:

CS 3640: Introduction to Networks and Their Applications

Domain Name System (DNS)

Independent Submission Request for Comments: ISSN: January 2014

Network Working Group

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

In This Issue. From The Editor

You can t do that with nslookup: A DNS(SEC) troubleshooting tutorial. Michael Sinatra Energy Sciences Network NANOG 53

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

Identifier Technology Health Indicators (ITHI) Alain Durand, Christian Huitema 13 March 2018

Attacks on DNS: Risks of Caching

WE POWER YOUR MOBILE WORLD ENUM INTEGRATION MANUAL

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

Reference manual. version 2.3.8

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

DNS. Karst Koymans & Niels Sijm. Friday, September 14, Informatics Institute University of Amsterdam

Transcription:

Implementing DNSSEC with DynDNS and GoDaddy Lawrence E. Hughes Sixscape Communications 27 December 2017 DNSSEC is an IETF standard for adding security to the DNS system, by digitally signing every resource record in a zone. This was specified in RFC 4033, DNS Security Introduction and Requirements, March 2005. The signing of records is done only in the authoritative server for a given zone, but caching servers and client resolvers need to be able to process the signature (RRSIG) record to determine the validity of the corresponding record. The signature is created using a private key on the signing server, and is verified using the corresponding public key (from a published certificate). Our domains happen to be hosted at DynDNS (Managed DNS). They have an option to digitally sign any zone(s) managed by them. I will show the steps involved in this. There is another step related to publishing the certificates needed to verify the signature which must be done on the domain registrar from whom you obtained the domain (in our case GoDaddy). This involves adding one or two DS records at the domain registrar. There are tools to verify the correct deployment of DNSSEC from VeriSignLabs, which we will show how to use. Our main domain (Sixscape.com) has already been signed and validated. You can verify this using the VeriSignLab tools if you like. I will add DNSSEC to another of our domains, sixscape.net in this writeup. At the start of this process it is not currently secured:

As you can see from the above, the DNS root is signed, and the TLD.net has been signed, but our domain sixscape.net has not been signed. First, we bring up the DynDNS management tool. The basic records for Sixscape.net look like this:

There are A and AAAA records for one node, www.sixscape.net: We click on the Zone Options, then select the DNSSEC tab:

Select options and click Add DNSSEC. No DNSSEC records show up in the editor, but a small orange key now denotes that this is a signed zone:

Now if you go to Zone Options, DNSSEC there will be various information about the DNSSEC setup:

The same orange key indicates that the node www.sixscape.net is now signed. You can use dig to verify the zone and A record are signed: C:\Users\lhughes>dig sixscape.net +dnssec ; <<>> DiG 9.10.6 <<>> sixscape.net +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55843 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;sixscape.net. IN A ;; AUTHORITY SECTION: sixscape.net. 1800 IN SOA ns1.p10.dynect.net. lhughes.sixscape.com. 2 3600 600 604800 1800 sixscape.net. 1800 IN RRSIG SOA 5 2 3600 20180126065443 20171227065443 15537 sixscape.net. DPY39b8jlLTV7I4Ep59AUrjMQJY+U2DTYnCAt3Qoqx8MLTuaPHRn6z3P umlhntj1tcbtu+rjdb8otay4wqxhhicqtny+xi+cl4b2yxr1mgp0vnks Q3pfkuwcqJS+usXUqbq+wLrh8b1uwu7xlY7Ex77exqxRS1N8zmkolXhs C6M= sixscape.net. 1800 IN NSEC www.sixscape.net. NS SOA RRSIG NSEC DNSKEY sixscape.net. 1800 IN RRSIG NSEC 5 2 1800 20180126065443 20171227065443 15537 sixscape.net. M191VmyVBE+qBkqt3oNPxyMOH0TemgTnmJSMkU38WN5Bi+hGXEROMIXV 4kPlTtnVYTGntHvGWl0TGNBhpU4pk+quNHBLyVZP4HgefdyTRtbK0Xk/ Lj5wftOdcl/QBnoV9BYos6TI2XbJ/pwlGZyzTr4/YBSrDffWZAXzntyr UaE= ;; Query time: 311 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Wed Dec 27 15:57:57 Malay Peninsula Standard Time 2017 ;; MSG SIZE rcvd: 495 You can use dig to verify the zone and AAAA record are also signed: C:\Users\lhughes>dig sixscape.net AAAA +dnssec ; <<>> DiG 9.10.6 <<>> sixscape.net AAAA +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21372 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;sixscape.net. IN AAAA ;; AUTHORITY SECTION: sixscape.net. 1800 IN SOA ns1.p10.dynect.net. lhughes.sixscape.com. 2 3600 600 604800 1800 sixscape.net. 1800 IN RRSIG SOA 5 2 3600 20180126065443 20171227065443 15537 sixscape.net.

DPY39b8jlLTV7I4Ep59AUrjMQJY+U2DTYnCAt3Qoqx8MLTuaPHRn6z3P umlhntj1tcbtu+rjdb8otay4wqxhhicqtny+xi+cl4b2yxr1mgp0vnks Q3pfkuwcqJS+usXUqbq+wLrh8b1uwu7xlY7Ex77exqxRS1N8zmkolXhs C6M= sixscape.net. 1800 IN NSEC www.sixscape.net. NS SOA RRSIG NSEC DNSKEY sixscape.net. 1800 IN RRSIG NSEC 5 2 1800 20180126065443 20171227065443 15537 sixscape.net. M191VmyVBE+qBkqt3oNPxyMOH0TemgTnmJSMkU38WN5Bi+hGXEROMIXV 4kPlTtnVYTGntHvGWl0TGNBhpU4pk+quNHBLyVZP4HgefdyTRtbK0Xk/ Lj5wftOdcl/QBnoV9BYos6TI2XbJ/pwlGZyzTr4/YBSrDffWZAXzntyr UaE= ;; Query time: 56 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Wed Dec 27 16:00:22 Malay Peninsula Standard Time 2017 ;; MSG SIZE rcvd: 495

But if we test Sixscape.net with the VeriSignLabs tool, we find errors: The error indicates that the required DS records are missing. These must be created not at DynDNS, but at the domain registrar where you obtained the domain. In my case, this is GoDaddy. I go to the GoDaddy domain manager, and bring up info on Sixscape.net. At the bottom of this page there is a link for Manage DNS. On that page, under Advanced Features, there is a DNSSEC link. Click that:

Click the ADD button to add DS record(s). You will see the following form to create them: The information needed for this is in the DNSSEC details from DynDNS (see above). Fill in the information for the first DS record (for RSA/SHA1):

Click Update. Now add another DS record (for RSA/SHA256):

Click Update again. You should now have two DS records in GoDaddy: Now recheck the DNSSEC for www.sixscape.net with the VeriSignLab tool:

No more errors! Now click on the link to get a second opinion from DNSViz:

Click on the Analyse button. When analysis is complete, click on the Continue button. A detailed map of the domain will be shown.

You can now see that the root zone is signed, and the.net zone is signed:

Below that, the Sixscape.net domain is now signed: If you mouse over the AAAA and A records, it will show that they are secured.

If you look at the lower level for sixscape.net (the domain, not the node) you will see that the domain records are also secure: Your domain is now secured with DNSSEC. If a hacker tampers with the records in this zone, it will be detected and you will be prevented from connecting to the bogus server.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback