DNS/DNSSEC - wiki.apnictraining.net
Champika Wijayatunga, Regional Security Engagement Manager – Asia Pacific <[email protected]>
11 Sep 2017
DNS/DNSSEC, APNIC44 – Taichung, Taiwan
Domain Name System (DNS)
TLDs: gTLDs, ccTLDs, IDNs
Root Server Operation
How Secure are the Root Servers?
• Physically protected
• Tested operational procedures
• Experienced, professional, trusted staff
• Defense against the major operational threat, i.e. DDoS
  – Anycast
    • Setting up identical copies of existing servers
    • Same IP address
    • Exactly the same data
    • Standard Internet routing will bring the queries to the nearest server
    • Provides better service to more users
DNS Servers
• Root servers
• DNS authoritative
  – Primary / master
  – Secondary / slaves
• DNS resolver
  – Recursive
  – Cache
  – Stub resolver
Who’s who in the DNS Ecosystem?
Domain Name Registration
How to register a domain:
• Choose a string, e.g., example
• Visit a registrar to check string availability in a TLD
• Pay a fee to register the name
• Submit registration information
• Registrar and registries manage:
  – "string" + TLD (managed in the registry DB)
  – Contacts, DNS (managed in Whois)
  – DNS, status (managed in Whois DBs)
  – Payment information
Registration Data Directory Services
WHOIS: databases containing records of registrations
• Domain Whois
  – Sponsoring registrar
  – Domain name servers
  – Domain status
  – Creation/expiry dates
  – Point of contact
  – DNSSEC data
• Address Whois
  – Regional Internet Registry
  – IPv4/v6 address allocation
  – ASN allocation
  – Creation/expiry dates
  – Point of contact
WHOIS Inaccuracy Complaint
Filing tips:
• Respond to ICANN requests for more information within the requested time frame.
• If you think the contact email address for the domain is incorrect, give evidence that emails you sent to that address were undeliverable.
• Make sure your complaint is valid – e.g., a contact telephone number doesn't need to be in the same geographic location as the mailing address.
What is DNS zone data?
• DNS zone data are hosted at an authoritative name server
• Each "cut" (root, TLD, delegations) has its own zone data
• DNS zones contain resource records that describe:
  • name servers,
  • IP addresses,
  • hosts,
  • services,
  • cryptographic keys & signatures...
• Only US-ASCII letters, digits and hyphens (the "LDH" rule) can be used in host names held in zone data
• IDN labels are stored in a zone in their Punycode form, which begins with xn--
How DNS Works
DNS: Data Flow
(Diagram.) Zone administrator → (1) zone file → primary; (2) dynamic updates → primary; primary → (3) secondaries (zone transfer); primary/secondaries → (4) caching servers; caching servers → (5) resolvers.
DNS Vulnerabilities
(Diagram: the same data flow, with the threat at each step.)
Server protection covers the paths into and between the authoritative servers:
• (1) Zone file – corrupting data / altered zone data
• (2) Dynamic updates – unauthorized updates
• (3) Primary → secondaries – impersonating the master
Data protection covers what caches and clients receive:
• (4) Caching servers – cache pollution by data spoofing
• (5) Resolver – cache impersonation
The Bad
• Cache poisoning attacks
  – Vulnerable resolvers add malicious data to their local caches
• DNS hijacking
  – A man-in-the-middle (MITM) or spoofing attack forwards DNS queries to a name server that returns forged responses
  – E.g. DNSChanger, one of the biggest cybercriminal takedowns in history
  – And many other DNS hijacks in recent times
• SSL/TLS doesn't tell you whether DNS sent you to the correct site; it only tells you that the server you reached holds a certificate matching the name you asked for
• DNS is relied on for unexpected things, even though it is insecure
Securing DNS
• There are two aspects to consider in DNS security:
  – Server protection
  – Data protection
• Server protection
  – Protecting servers
    • Make sure your DNS servers are protected (e.g. physical security, latest DNS server software, proper security policies, server redundancy, etc.)
  – Protecting server transactions
    • Deployment of TSIG, ACLs, etc. (to secure transactions against server impersonation, to secure zone transfers, to prevent unauthorized updates, etc.)
• Data protection
  – Authenticity and integrity of data
    • Deployment of DNSSEC (protects DNS data against cache poisoning, cache impersonation, spoofing, etc.)
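The "protecting server transactions" bullet names TSIG without showing what it actually checks. As an added example (my code, not from the slides, ICANN/APNIC or any DNS implementation), here is a minimal RFC 8945 TSIG signer and verifier working on raw DNS wire messages: a secondary signs an AXFR request with the shared key, and the primary rejects a tampered copy, a signature made under another key, a replay outside the fudge window, and an unknown key name, each with the TSIG error name a real server would return. The key name xfer-key.example., the secret and the timestamp are constructed for the demo.

```python
"""TSIG (RFC 8945) request signing/verification over raw DNS wire messages (HMAC-SHA256)."""
import hashlib
import hmac
import struct

TYPE_TSIG = 250            # RR type of the TSIG pseudo-record
CLASS_ANY = 255            # TSIG RRs always carry CLASS ANY and TTL 0
HMAC_SHA256 = "hmac-sha256."

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg, pos):
    """Decode an uncompressed name at pos -> (name, offset just after it)."""
    labels = []
    while msg[pos]:
        if msg[pos] & 0xC0:
            raise ValueError("compressed names are not handled by this demo")
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii").lower())
        pos += 1 + msg[pos]
    return ".".join(labels) + ".", pos + 1

def find_last_rr(msg):
    """Walk every section and return the offset of the last RR, where a TSIG must sit."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos, last = 12, None
    for _ in range(qd):
        pos = read_name(msg, pos)[1] + 4                # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        last = pos
        pos = read_name(msg, pos)[1]
        pos += 10 + struct.unpack("!H", msg[pos + 8:pos + 10])[0]   # TYPE, CLASS, TTL, RDLENGTH, RDATA
    if last is None or pos != len(msg):
        raise ValueError("malformed message or no additional records")
    return last

def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(HMAC_SHA256)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR; the MAC covers the whole unsigned message plus the TSIG variables."""
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(HMAC_SHA256) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))    # Original ID, Error, Other Len
    rr = wire_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed, keys, now):
    """Server-side check in RFC 8945 order (key, MAC, time). Returns (ok, TSIG error name)."""
    start = find_last_rr(signed)
    keyname, pos = read_name(signed, start)
    rtype, rclass = struct.unpack("!HH", signed[pos:pos + 4])
    pos += 10                                           # skip TYPE, CLASS, TTL, RDLENGTH
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "FORMERR"
    alg, pos = read_name(signed, pos)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_size]
    pos += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    if keyname not in keys or alg != HMAC_SHA256:
        return False, "BADKEY"
    # Rebuild the message as the signer saw it: original ID, ARCOUNT - 1, TSIG RR stripped.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(keys[keyname], unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

def build_query(qname, qtype, msg_id):
    """Minimal standard query: 12-byte header plus one question, no name compression."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)

def demo():
    """A secondary's AXFR request signed with the shared key, then the checks the primary applies."""
    secret = b"constructed-demo-secret-not-for-use"     # constructed; in BIND this is the base64 `secret`
    keys = {"xfer-key.example.": secret}                # constructed key name
    now = 1507680000                                    # constructed fixed timestamp
    msg = build_query("example.com.", 252, 0x1234)      # 252 = AXFR
    signed = sign(msg, "xfer-key.example.", secret, now)
    tampered = signed[:15] + b"b" + signed[16:]         # one byte of the QNAME changed in transit
    return {
        "valid": verify(signed, keys, now)[1],
        "tampered": verify(tampered, keys, now)[1],
        "wrong_key": verify(signed, {"xfer-key.example.": bytes(32)}, now)[1],
        "replayed": verify(signed, keys, now + 3600)[1],
        "unknown_key": verify(signed, {}, now)[1],
    }

if __name__ == "__main__":
    for case, rcode in demo().items():
        print(f"{case:12s} -> {rcode}")
```

In production the same protection comes from configuring the key on both ends and restricting allow-transfer / allow-update to the key rather than to a source address, because a source address is exactly what an impersonator spoofs. Note the division of labour the slide draws: TSIG authenticates the transaction and its timing between two servers that share a key; it does not sign the zone data itself, which is DNSSEC's job.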
Name Server Considerations
• Support technical standards
• Handle load many times the measured peak
• Diverse bandwidth to support the above
• Must answer authoritatively
• Turn off recursion on authoritative servers!
• Should NOT block access from valid Internet hosts
Secondary Name Server Choice
Diversity, Diversity and Diversity!
• Don't place all on the same LAN/building/segment
• Network diversity
• Geographical diversity
• Institutional diversity
• Software and hardware diversity
When It All Goes Wrong
• DNS is a known target for attackers.
• You will be targeted at some point!
• Have plans in place to deal with attacks, failures and disasters.
• Test those plans regularly!
DNSSEC
How DNSSEC Works
DNSSEC ccTLD Map
DNSSEC Deployment
DNSSEC: So what’s the problem?
• Not enough IT departments know about it, or they are too busy putting out other security fires.
• When they do look into it, they hear old FUD and find a lack of turnkey solutions.
• Registrars*/DNS providers see no demand, leading to a "chicken-and-egg" problem.
*but required by the new ICANN registrar agreement
What you can do
• For companies:
  – Sign your corporate domain names
  – Just turn on validation on corporate DNS resolvers
• For users:
  – Ask your ISP to turn on validation on their DNS resolvers
• For all:
  – Take advantage of DNSSEC education and training
2017 Root Zone DNSSEC KSK Rollover
The Root Zone DNSSEC KSK
• The Root Zone DNSSEC Key Signing Key ("KSK") is the topmost cryptographic key in the DNSSEC hierarchy
• The public portion of the KSK is a configuration parameter (the trust anchor) in DNS validating resolvers
Rollover of the Root Zone DNSSEC KSK
• There has been one functional, operational Root Zone DNSSEC KSK
  – Called "KSK-2010"
  – In use since 2010; nothing before that
• A new KSK will be put into production later this year
  – Call it "KSK-2017"
  – An orderly succession for continued smooth operations
• Operators of DNSSEC validating recursive servers may have some work
  – As little as reviewing configurations
  – As much as installing KSK-2017
Important Milestones
| Event | Date |
|---|---|
| Creation of KSK-2017 | October 27, 2016 |
| Production qualified | February 2, 2017 |
| Out-of-DNS-band publication | July 11, 2017 |
| In-band (Automated Updates) publication | July 11, 2017 and onwards |
| Sign (production use) | October 11, 2017 and onwards |
| Revoke KSK-2010 | January 11, 2018 |
| Remove KSK-2010 from systems | August 2018 |
Call to Action
• All the work is for operators, developers and distributors of software that performs DNSSEC validation – keep reading/listening!
• What if you're not one of them? What if you're an Internet user?
  – Be aware that the root KSK rollover is happening on 11 October 2017
  – Do you know a DNS operator, software developer or software distributor? Ask them if they know about the root KSK rollover and if they're ready
  – Direct them to ICANN's educational and information resources
What does an operator need to do?
• Be aware whether DNSSEC is enabled in your servers
• Be aware of how trust is evaluated in your operations
• Test/verify your set-ups
• Inspect configuration files: are they (also) up to date?
• If DNSSEC validation is enabled or planned in your system:
  – Have a plan for participating in the KSK rollover
  – Know the dates, know the symptoms, know the solutions
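"How trust is evaluated" comes down to one comparison: a validating resolver hashes each DNSKEY it is offered and compares the result with the DS-form trust anchor it has configured, which for the root zone is the KSK. As an added example (my code, not the slides' content and not ICANN's get_trust_anchor.py), the following script implements the RFC 4034 key tag and DS digest and reports, for a DNSKEY RRset, which KSKs are anchored, which anchor carries a mistyped digest, and which configured anchor no longer has a published key. The keys, key tags and anchors are constructed toy values, not the real KSK-2010/KSK-2017 material.

```python
"""Check a validating resolver's configured trust anchors against a DNSKEY RRset (RFC 4034)."""
import base64
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of an owner name; the root is a single zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA exactly as it appears on the wire: flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit checksum over the RDATA (algorithm 1 uses another rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256, 4 = SHA-384."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()

def check_anchors(owner, dnskeys, anchors):
    """Compare every SEP (KSK) key in `dnskeys` with the DS-form anchors a resolver has configured.

    dnskeys: [(flags, protocol, algorithm, key_b64)] as published in the zone's DNSKEY RRset.
    anchors: [(key_tag, algorithm, digest_type, digest_hex)] as in a DS record / trust-anchor file.
    Returns ({key_tag: status}, [stale anchor key tags that match no published key]).
    """
    report = {}
    for flags, protocol, algorithm, key_b64 in dnskeys:
        if not flags & 1:                          # SEP bit clear: a ZSK, never a trust anchor
            continue
        rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
        tag, status = key_tag(rdata), "not anchored"
        for a_tag, a_alg, a_dtype, a_digest in anchors:
            if a_tag == tag and a_alg == algorithm:
                ok = ds_digest(owner, rdata, a_dtype) == a_digest.upper()
                status = "anchored" if ok else "anchor digest mismatch"
                break
        report[tag] = status
    stale = sorted(a[0] for a in anchors if a[0] not in report)
    return report, stale

def demo():
    """Mid-rollover: the zone already publishes the new KSK, the resolver still anchors only the old one."""
    ksk_old = (257, 3, 8, "AQI=")                   # constructed 2-byte "keys"; flags 257 = ZONE + SEP
    ksk_new = (257, 3, 8, "AQM=")
    zsk = (256, 3, 8, "BAU=")                       # flags 256 = ZONE only, ignored by the check
    anchors = [
        # In practice this line is pasted from the resolver's trust-anchor configuration.
        (key_tag(dnskey_rdata(*ksk_old)), 8, 2, ds_digest(".", dnskey_rdata(*ksk_old))),
        (4242, 8, 2, "0" * 64),                     # constructed leftover anchor for a key no longer published
    ]
    return check_anchors(".", [zsk, ksk_old, ksk_new], anchors)

if __name__ == "__main__":
    report, stale = demo()
    for tag, status in report.items():
        print(f"key tag {tag}: {status}")
    print("stale anchors:", stale)
```

To run it against the real root, take the DNSKEY RRset from `dig . DNSKEY +dnssec` and the anchors from the resolver's own configuration (BIND's trust-anchors / managed-keys, Unbound's auto-trust-anchor-file). A new KSK reported as "not anchored" before its sign date, or an old one reported as stale after it has been removed from the zone, is exactly the configuration drift the rollover timeline asks operators to look for.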
Three Steps to Recovery
1. Stop the tickets! It's OK to turn off DNSSEC validation while you fix (but do turn it back on!)
2. Debug. If the problem is the trust anchor, find out why it isn't correct
   • Did RFC 5011 fail? Did configuration tools fail to update the key?
   • If the problem is fragmentation related (the root DNSKEY response grows while two KSKs are published), make sure TCP is enabled and/or make other transport adjustments
3. Test the recovery. Make sure your fixes take hold
Tools and Resources Provided by ICANN
• A Python script to retrieve KSK-2010 and KSK-2017: get_trust_anchor.py
• An Automated Updates testbed for production (test) servers: https://automated-ksk-test.research.icann.org
• Documentation: https://www.icann.org/resources/pages/ksk-rollover
When Does the Rollover Take Place?
The KSK rollover is a process, not a single event
The following dates are key milestones in the process when end users may experience interruption in Internet services:
Engage with ICANN
Visit us at icann.org
Thank You and Questions
Email: [email protected]
flickr.com/icann
linkedin/company/icann
@icann
facebook.com/icannorg
youtube.com/icannnews
soundcloud/icann
slideshare/icannpresentations