Presentation is loading. Please wait.

Presentation is loading. Please wait.

Neda Kianpour - Lead Network Engineer - Salesforce

Published bySucianty Dharmawijaya Modified over 4 years ago

Similar presentations

Presentation on theme: "Neda Kianpour - Lead Network Engineer - Salesforce"— Presentation transcript:

1 Challenges and Successes of DNSSEC Signing an F5 BIG-IP DNS Hosted Zone
Neda Kianpour - Lead Network Engineer - Salesforce Tyler Shaw - Sr. Systems Engineer - F5

2 Abstract Due to compliance requirements from our customers, determined to sign the whole footprint and that involved signing the BIG-IP DNS hosted zones. The BIG-IP DNS devices in our infrastructure listen and respond to DNS queries to the zones hosted on them. Signing the BIG-IP DNS hosted zones had its own challenges. Only Two Engineering Hotfixes later and plenty of testing and now DNSSEC can be deployed on the BIG-IP DNS devices.

3 Challenges Signature Inception Offset Issue
F5 BIG-IP DNSSEC vulnerability Master Key changes on an F5 BIG-IP DNS (code upgrades, RMAs,etc) ECDSA support (Algorithm 13) - (Feature Request Submitted) Implementing DNSSEC on Active/Active standalone BIG-IP DNS

4 Signature Inception Offset
After implementing DNSSEC on our F5 BIG-IP DNS, we noticed that every time we queried an F5 hosted zone, the signature inception date returned was set to 0 seconds in the past. Certain resolvers could treat the zones as invalid due to clock skew. Major impact to clients behind those resolvers (bogus responses). $ date && dig na107.inst.siteforce.com A +dnssec | grep RRSIG Sat 23 Mar :37:42 GMT na107-hio.hio.r.inst.siteforce.com. 30 IN RRSIG A Sat 23 Mar :38:17 GMT na107-hio.hio.r.inst.siteforce.com. 30 IN RRSIG A

5 Signature Inception Offset (continued)
RFC 6781 allows a parameter called the inception offset: "The validity of the signature starts shortly before the signing time. That is done to deal with validators that might have some clock skew. This is called the inception offset, and it should be chosen so that false negatives are minimized to a reasonable level."

6 Signature Inception Offset (continued)
A feature request was made with F5 to add inception offset. New code now sets the inception offset for the DNSSEC signatures to a configured time before the signature creation (default of 60 mins). This is available in Version 15.1 due approximately Q1 2020, but can be backported as far as version 12.1.X Bug ID should be referenced if needed in versions earlier than 15.1

7 2. F5 BIG-IP DNSSEC vulnerability
July 2019: CZ.NIC( Petr Špaček and Jan Vcelak of NS1) published this article Error-in-dnssec-implementation-on-f5-big-ip-load-balancers about the issue. Can be exploited to perform a denial-of-service (DoS). ISSUE: F5 returns an incorrect NSEC3 record for a DNS query for an RR type, which does not exist at given name. This indicates that only one of TXT/HINFO/RP RR types exists at given name, even if A or AAAA types actually exist and are returned if a client queried for them. IMPACT: If resolver uses Aggressive Negative caching it can incorrectly infer non-existence of other record types at the NSEC3 record name

8 2. F5 BIG-IP DNSSEC vulnerability
Aug 2019: F5 team acknowledged and published a KB advising of the following workaround: After discussions with the F5 team, they provided us with a permanent fix in a form of Engineering Hotfix.

9 3. Master Key changes on an F5 BIG-IP DNS
BIG-IP DNS devices that are configured with DNSSEC use their own master key to decrypt the DNSSEC keys. ISSUE: We observed an issue where after a code upgrade, the BIG-IP DNS device fails to load the configuration due to a master key change. That results in a DNSSEC Key set to also fail to decrypt!! CURRENT WORKAROUND: User has to manually take a copy of the master key prior to any code upgrade and manually use this key to restore the configuration file in case of a master key change.

10 4. ECDSA support (Algorithm 13)
We have officially requested code support for the Elliptic Curve Digital Signature Algorithm on the F5 BIG-IP DNS. F5 has indicated that this will be available in TMOS V15.1 with the current ETA being calendar Q1 of 2020. Backport to the previous version of TMOS ie V12.1.x and v13.1.x will not be possible. RFE ID was already filed by another F5 customer F5 has attached our request to RFE

11 5. Implementing DNSSEC on Active/Active standalone BIG-IP DNS
Active/Active F5 pair BIG-IP DNS Instance A BIG-IP DNS Instance B Caching Resolver This is analogous to a multi-signer DNSSEC model using unique key sets: Two signing entities must SHARE the ZSK for a chain of trust to exist Without this, responses from different entities could be treated as bogus ‘Normal’ active/active config cannot support this key sharing, but can be done using DNS sync group in active/active

12

13 questions?

14 Thank you!

Download ppt "Neda Kianpour - Lead Network Engineer - Salesforce"

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Suchin Rengan Principal Technical Architect Salesforce.com
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
CSE 1302 Lecture 8 Inheritance Richard Gesick Figures from Deitel, “Visual C#”, Pearson.

CSE 1302 Lecture 8 Inheritance Richard Gesick Figures from Deitel, “Visual C#”, Pearson.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
Tony Kombol ITIS 3110. www.teacherstalk.com Who knows this? Who controls this? DNS!

Tony Kombol ITIS Who knows this? Who controls this? DNS!
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Lecture 8 Inheritance Richard Gesick. 2 OBJECTIVES How inheritance promotes software reusability. The concepts of base classes and derived classes. To.

Lecture 8 Inheritance Richard Gesick. 2 OBJECTIVES How inheritance promotes software reusability. The concepts of base classes and derived classes. To.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
1 Software Development Configuration management. \ 2 Software Configuration  Items that comprise all information produced as part of the software development.

1 Software Development Configuration management. \ 2 Software Configuration  Items that comprise all information produced as part of the software development.
Remedy – Customer Portal Fiona Gregory McKesson CRM 1.

Remedy – Customer Portal Fiona Gregory McKesson CRM 1.
Tony Kombol ITIS 3110. DNS! overview history features architecture records name server resolver dnssec.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Similar presentations

Ads by Google