2010 za con_todor_genov

Post on 18-Aug-2015

Transcript of 2010 za con_todor_genov

DNSSEC 101 with a pinch of salt

Todor Genov <todor@subnet.co.za>

Sunday 17 October 2010

Who is this guy?

Unix geek/sysadmin

Works at a yellow-branded ISP

Does a lot of DNS as a result

What is DNSSEC?

DNS + public key crypto

Implemented as an extension to current DNS protocol

What is DNSSEC good for?

Authenticating response origin

Authenticating denial of existence

Not much else

How it works (simplified)

Each zone has public/private key

All RRs are signed

Crypto signature and public key published in DNS alongside RR

A few new RRs

DNSKEY - zone public keys
- Key-signing key (KSK) - used to sign own ZSK
- Zone-signing key (ZSK) - used to sign all other RRs

RRSIG - crypto signature of RR data

DS - delegation signer
- Secure pointer to (checksum of) child KSK

NSEC and NSEC3 - authenticated denial of existence (NXDOMAIN)

RR sets

RR set - the building block of DNSSEC

RR (A, PTR, MX, NS etc) + RRSIG (crypto signature)

Vanilla DNS:

org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.

DNSSEC:

org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
org. 79810 IN RRSIG NS 7 1 86400 20101015154542 20101001144542 245 org. Uy6dZ09BwvRmQHbzlK8gbflhQT1TVkEEYqrpff7W+uHn5Sz1jwqpNpIH LIgs5M6sHgURvzzdEn8C

Query validation

Query result - A,MX,NS,PTR etc

Cryptographic signature - RRSIG

Public key - DNSKEY <- Why should I trust you?

Trust anchor

A DNSKEY that we trust to be correct

Confirmed from sources other than DNS

Enables us to validate data in a specific zone


Chain of trust

Starts at a trust anchor

Can be delegated to child zones
- Name server delegation with NS records (NS RR set)
- Trust delegation with DS records (DS RR set)

Trust anchor

Delegation tree shown on the slide, with the trust anchor at ROOT:

ROOT
 |- .COM
 |    `- google.com
 |- .ORG
 |    `- insecure.org
 `- .ZA
      `- .CO
           `- .google

Chain of trust

As of July 2010 a trust anchor exists for the ROOT KSK

. 84500 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 84500 IN DNSKEY 256 3 8 AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz

Less than 20 signed TLDs

DS

.org zone:
tld.org NS ns1.tld.org
tld.org DS checksum(KSK)

tld.org zone:
tld.org NS ns1.tld.org
tld.org DNSKEY KSK

Chain of trust

Delegating tld. to ns1.tld

ROOT zone:

. IN DNSKEY ROOT-KSK-key (trust anchor)
. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)   (trusted)
tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)
tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)
ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)

tld zone (ns1.tld - 10.10.10.5):

tld. IN DNSKEY tld-KSK
tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)   (trusted from DS in ROOT)
tld. IN DNSKEY tld-ZSK
tld. IN RRSIG DNSKEY (tld-KSK-signature)   (trusted)
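Added example, not from the slides: how the "crypto_hash(tld-KSK)" a parent publishes as a DS record is actually derived from a child's DNSKEY, per RFC 4034 (key tag over the RDATA, digest over owner name plus RDATA), run against the root KSK printed on the earlier slide. Function names such as ds_record and wire_name are my own; the root has no parent, so the line it prints is the form a resolver's trust anchor configuration carries for that key.

```python
import base64
import hashlib
import struct

# Root KSK copied from the DNSKEY RR set on the earlier slide:
# flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256), key in base64.
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum of the RDATA, quoted in RRSIG and DS."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 5.1.4: hash(owner name wire form || DNSKEY RDATA); 1=SHA-1, 2=SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS RR the parent zone would publish for this child KSK."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm,
                                     digest_type, ds_digest(owner, rdata, digest_type))

if __name__ == "__main__":
    # The root has no parent to publish a DS, so this line is what a validating
    # resolver carries as its trust anchor for the same key.
    print(ds_record(".", 257, 3, 8, ROOT_KSK_B64))
```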

Caching DNS servers

Validating cache
- Performs crypto number-crunching on behalf of DNS client
- Affirms authenticity of data by setting AD bit in response
- Client session susceptible to spoofing (fake AD bit)

Non-validating cache
- Merely returns RR sets
- To ensure authenticity client must perform its own validation

Denial of existence - NSEC

NSEC record creates a chain of non-existence between RRs in a zone

C-3PO.com. IN A 10.10.10.1
C-3PO.com. IN RRSIG jDDoe/x3r#
luke.com. IN A 10.10.10.2
luke.com. IN RRSIG d<edNcd#?d
r2d2.com. IN A 10.10.10.3
r2d2.com. IN RRSIG zDsc>\dybhDe

C-3PO.com IN NSEC to luke.com.
luke.com. IN NSEC to r2d2.com.

Denial of existence - NSEC

dig doesnotexist.se NS

doesithurt.se. 7200 IN NSEC dof.se. NS RRSIG NSEC
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252 20100930031234 26215 se. XH6itihRj7u/XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO

i.e. there is nothing between doesithurt.se and dof.se

Bad idea?

Denial of existence - NSEC3

NSEC3 creates a chain of non-existence between hashes of RRs in a zone

03450ad8d88fa9bc8f22d9063328c08f52c0fa03 (hash of C-3PO.com.)
bc6ec803d77136128483bb220e449353a6a432a8 (hash of luke.com.)
f545de7360c432fcbfcfc1d80fa9b142cd359b79 (hash of r2d2.com.)

hash-of-C-3PO.com IN NSEC3 to hash-of-luke.com.
hash-of-luke.com. IN NSEC3 to hash-of-r2d2.com

NSEC3 response returns hash salt and number of iterations used

Denial of existence - NSEC3

dig idontexist.org NS

Yrp8N36uMZUgWRLUi9xVMq2GylslnLD6ehEoRVecDnWxPumIPt8iXi8i oj1XrQ5k8Dg9RINp19rcuaRcecmEUedtmfIdPvGtwWSUsoWP5XiGF/nx 2/Y=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. Zaq/jsAGv/GxG/wPWgpjczhzeTdwIFLykxbxzap3lWRK16+Q64d4F31Z ady60BSEyErddv2oafewi+eE6IG7zX6QvLrXZlAE5KYD2P1SswfFf/n+ IenKtXyCfFv7q9FeOr7Ex6aqUShIPg2asL8mAWWWPxn4knRsmR9hoz/C udo=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN NSEC3 1 1 1 D399EAAB D7DM84D9Q90H2UV918MF4BGDUKR4S5NN
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN RRSIG NSEC3 7 2 86400 20101016052757 20101002042757 245 org. IZESTR/sqJI/ZDega0df557XQ6JhK42TaAhYyeR7RI3f9XD7nyULE8nk WTZv38Um/wzVFu6haBmSb4iz5TmShL1pUqlwZbQzZ7mpbxaY4iPwVfZ6 9JSSCnwaTWpg/pS17dyP+MiB4/yffaJnXiAVlTp6FNO7IFz735mD717C 4yU=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. 7KbiYKaNPtNIbTpDTAu+qcdiRrOn73qZztjEWL5/wc4HvCtp+ziIG9P1 nZ0fgBj7VFETp0P6V1+QVkjy5SoAennzEN9201v7f7e4iCPrqf/1q/k8 8cNNGvTk5/+/Me7qWEIYRUU3Dyy61rGaYZES8zAoR9TUhmubj8mIGzR+ MOE=
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN NSEC3 1 1 1 D399EAAB VAPM2EIMJPEU2R3SNRILHGU61CHOC96A NS DS RRSIG

Denial of existence - NSEC3

NSEC3 adds additional workload on authoritative AND caching DNS servers
- Authoritative: Calculating NSEC3 hash of QUERY in order to return correct answer
- Caching: Calculating NSEC3 hash of QUERY in order to compare to authoritative answer
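Added example, not from the slides: the RFC 5155 NSEC3 hash (SHA-1, salt D399EAAB, one extra iteration, exactly what the .org records above advertise) and the "does the query's hash fall in this gap" check that a validating cache performs, which is the number-crunching the last slide refers to. The three owner/next hash pairs are copied from the dig output above; function names such as nsec3_hash and proof_for are my own.

```python
import base64
import hashlib

# NSEC3 parameters carried in the .org records of the dig output above:
# hash algorithm 1 (SHA-1), 1 extra iteration, salt D399EAAB.
ORG_SALT_HEX = "D399EAAB"
ORG_ITERATIONS = 1

# (owner hash, next hash) of the three NSEC3 records in that response.
ORG_NSEC3 = [
    ("d78ice6u9jvfjqtfsesaoek3rg81fshn", "D7DM84D9Q90H2UV918MF4BGDUKR4S5NN"),
    ("h9p7u7tr2u91d0v0ljs9l1gidnp90u3h", "H9RSFB7FPF2L8HG35CMPC765TDK23RP6"),
    ("vagq7rk03g3to127qkkhkn3vfmeivgpf", "VAPM2EIMJPEU2R3SNRILHGU61CHOC96A"),
]

# base32 -> base32hex ("extended hex" alphabet that NSEC3 owner names use)
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155: H(name || salt), then re-hash with the salt `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).lower()

def covers(owner, next_hash, name_hash):
    """True if name_hash lies strictly between owner and next (last record wraps)."""
    o, n, x = owner.upper(), next_hash.upper(), name_hash.upper()
    if o < n:
        return o < x < n
    return x > o or x < n

def proof_for(name):
    """Which of the page's NSEC3 records 'match' (name exists) or 'cover' (it does not)."""
    h = nsec3_hash(name, ORG_SALT_HEX, ORG_ITERATIONS)
    return {o: ("match" if o == h else "cover")
            for o, n in ORG_NSEC3 if o == h or covers(o, n, h)}

if __name__ == "__main__":
    # NXDOMAIN proof: closest encloser org. matched, idontexist.org. and *.org. covered.
    for q in ("org.", "idontexist.org.", "*.org."):
        print(q, nsec3_hash(q, ORG_SALT_HEX, ORG_ITERATIONS), proof_for(q))
```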

Pitfalls of DNSSEC

Zone files no longer human-modifiable
- Abstraction/automation required to publish data in DNS

ZSK and KSK lifetime expiration
- ZSK (30 days default)
- KSK (12 months default)

Requires parent (registrar) capable of DNSSEC
- zaDNA is not one of them and will not be within next 18 months
- Neither is Uniforum

Lookaside validation (DLV)

"DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain. It allows validating resolvers to validate DNSSEC-signed data from zones whose ancestors either aren't signed or don't publish Delegation Signer (DS) records for their children." (RFC 5074)

Requires manual DLV trust-anchor config on resolvers

https://dlv.isc.org

Useful kludge for early adopters

Already configured on at least one large ZA ISP’s caches

Workaround for zaDNA’s lack of DNSSEC

Questions?
