Presentation is loading. Please wait.

Presentation is loading. Please wait.

What's so hard about DNSSEC? Paul Ebersman – 23-27 May 2016 RIPE72 – Copenhagen 1.

Published byWilfrid Watts Modified over 8 years ago

Similar presentations

Presentation on theme: "What's so hard about DNSSEC? Paul Ebersman – 23-27 May 2016 RIPE72 – Copenhagen 1."— Presentation transcript:

1 What's so hard about DNSSEC? Paul Ebersman – Paul_Ebersman@cable.comcast.comPaul_Ebersman@cable.comcast.com 23-27 May 2016 RIPE72 – Copenhagen 1

2 Why use DNSSEC

3 What does it solve? Helps against cache poisoning Identifies DNS “lying” Enables DANE and other PKIs 3

4 Naysayers’ story It’s “hard” It only breaks things It doesn’t solve anything We’re trusting ICANN/root servers 4

5 My experience Automate or it is hard It does help prevent cache poisoning We are using DANE already for email We’re already trusting ICANN/root servers Customers starting to expect security of DNSSEC 5

6 How to start?

7 The two halves Validation Zone signing 7

8 Validation Easy to enable But you pay (a little) for others’ mistakes All major open sources packages support this. 8

9 Signing Automation is not an option Automation ease and quality varies widely Setting up isn’t trivial Beware of key rollovers 9

10 Validation issues

11 “But it’s an ISP support nightmare” Other folks screw up, you get the call “Why are you blocking site ‘X’?” It’s your resolver, you fix it! 11

12 Dunno… I sleep at night. Comcast & Google validate (20% of public resolvers) Comcast validates and signs 2 dozen failures a month is a bad month and this is improving (even.GOV…) NTAs (RFC 7646) single digits a month 12

13 What do we see? Expired signatures Incorrect removal of signing Inadvertent signing Bad key rollovers (KSK) 13

14 Signing issues

15 What do we see? Initial signing works but rollovers don’t Mis-matches of DS in parent and KSK in child Forget to put DS in parent 15

16 How do we deal with failures?

17 Education Training 1 st tier Teach customers as we explain outage dnsviz.net invaluable 17

18 Outreach Get.mil/.gov and other large NOC contacts in advance Get contacts at large hosting/registries serving auth zones Explain to your mgmt why this is important 18

19 Negative trust anchors Follow the RFC (7646) Try to get the zone owner to fix the problem Educate them in how to avoid this NTA should be last resort 19

20 Q & A

21 Thank you!

22 Appendix A: further reading https://tools.ietf.org/html/rfc6781 https://tools.ietf.org/html/rfc7583 https://tools.ietf.org/html/rfc7646 http://www.internetsociety.org/deploy 360/dnssec/ 22

23 Appendix B: example configs To enable DNSSEC validation in BIND // In named.conf, add: managed-keys { "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; }; // in options section, add: dnssec-enable yes; dnssec-validation yes; 23

24 Appendix B: example configs To enable DNSSEC signing of example.com in BIND # create dir with permissions for bind to rwx by group cd mkdir example.com chmod 2775 example.com chown bind:bind example.com cd example.com # create ksk dnssec-keygen -a NSEC3RSASHA1 -b 2048 -f KSK example.com # create zsk dnssec-keygen -a NSEC3RSASHA1 -b 1024 example.com # create DS records grep key-s *.key dnssec-dsfromkey Kexample.com.+007+42963.key > ds-records # add DNSKEY records to zone file # edit named.conf & reload zone rndc reload example.com # sign zone rndc sign example.com # set to NSEC3 (assuming you want that) rndc signing -nsec3param 1 0 10 auto example.com rndc reload example.com # update registrar w/DS records or DNSKEY per your registrar instructions 24

25 Appendix B: example configs Sample zone statement in named.conf zone "example.com" { type master; file "dynamic/example.com"; key-directory "keys/example.com"; auto-dnssec maintain; allow-query { any; }; allow-transfer { key example-slave-key; 192.168.1.1; }; }; 25

26 Appendix B: example configs To enable DNSSEC validation in Knot resolver: -http://knot-resolver.readthedocs.io/en/latest/daemon.htmlhttp://knot-resolver.readthedocs.io/en/latest/daemon.html To enable DNSSEC validation in Unbound: -https://www.unbound.net/documentation/howto_anchor.htmlhttps://www.unbound.net/documentation/howto_anchor.html 26

27 Appendix B: example configs To DNSSEC sign zones in Knot: -https://www.knot-dns.cz/docs/2.x/html/configuration.html#automatic- dnssec-signinghttps://www.knot-dns.cz/docs/2.x/html/configuration.html#automatic- dnssec-signing To DNSSEC sign zones in Unbound: -(manually) http://www.nlnetlabs.nl/publications/dnssec_howto/http://www.nlnetlabs.nl/publications/dnssec_howto/ -(automated) https://www.opendnssec.org/ 27

Download ppt "What's so hard about DNSSEC? Paul Ebersman – 23-27 May 2016 RIPE72 – Copenhagen 1."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:

Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Securing the Government’s DNS Infrastructure with DNSSEC

Securing the Government’s DNS Infrastructure with DNSSEC
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.

DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting (2008-01-16)

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April 18 2012.

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
Tony Kombol ITIS 3110. www.teacherstalk.com Who knows this? Who controls this? DNS!

Tony Kombol ITIS Who knows this? Who controls this? DNS!
Advanced Module 3 Stealth Configurations.

Advanced Module 3 Stealth Configurations.

Similar presentations

Ads by Google