dnssec mcmc amir
TRANSCRIPT
-
8/2/2019 Dnssec Mcmc Amir
1/39
March 2011
The Internet Society
Securing Internet with DNSSEC
-
2/39
Amir Haris Ahmad
[email protected] (MSc, GSEC, GCIH, CNE6)
-
3/39
Today's Agenda
Introduction
DNSSEC Implementation Idea
  Authoritative Server
  Cache/Recursive Server
  End Users
DNSSEC + SSL
Issue: Zone walking
ISOC SIGDNSSEC
-
4/39
Introduction
-
5/39
DNS
The original design of DNS did not include security.
RFC 3833 (Threat Analysis of the DNS) catalogues the known threats.
Most applications use DNS, and DNS is not only for the web: SMTP, SSH, NTP and more depend on it.
[Diagram: End User -> DNS Server -> Web or Application Server]
-
6/39
DNSSEC
Initial work was in 1997, RFC 2065.
Secures DNS against the known threats: man-in-the-middle, cache poisoning.
Provides to DNS clients (resolvers): origin authentication, data integrity, authenticated denial of existence.
It does not provide confidentiality: signed answers still travel in the clear.
Uses public key cryptography.
New resource records: NSEC/NSEC3/NSEC3PARAM, RRSIG, DNSKEY, DS.
-
7/39
Motivation for DNSSEC
DNSSEC protects against data spoofing and corruption.
TSIG, often mentioned alongside DNSSEC but a separate mechanism (RFC 2845), authenticates server-to-server transactions such as zone transfers and dynamic updates with a shared secret.
DNSSEC (originally the KEY/SIG/NXT records, now DNSKEY/RRSIG/NSEC) provides mechanisms to establish the authenticity and integrity of data.
The root zone key serves as the trust anchor of a domain key infrastructure (DKI).
-
8/39
Basic DNS Architecture
[Diagram: Stub Resolver/Application -> Cache/Recursive server -> Root Server; Authoritative Server (master) and Authoritative Server (slave)]
-
9/39
DNSSEC Resolution
-
10/39
DNSSEC Implementation Idea
-
11/39
Responsibility
[Diagram: Stub Resolver/Application -> Cache/Recursive -> Root Server; Authoritative Server (master) and (slave), with the three stages numbered]
1. Authoritative servers: Root (ICANN), Registry & Domain administrator.
2. Cache/Recursive servers: Internet service provider (ISP), Organizations & Registry.
3. Stub resolver/Application: End user.
-
12/39
1. DNSSEC Authoritative Server
Name server that gives answers in response to questions about names in one or more zones.
The first stage to enable DNSSEC.
Responsibility: Root (ICANN), Registry & Domain administrator.
Root: done
Malaysia (.my) Registry: done
.my Domains: v6.my, um.edu.my, localhost.my, isoc.my and ?
-
13/39
1. DNSSEC Authoritative Server (cont.)
[Diagram of the chain of trust: Stub Resolver/Application -> Cache/Recursive -> Root Server (.) -> Authoritative Server (.my) -> Authoritative Server (isoc.my); the root zone holds the DS record for .my, the .my zone holds the DS record for isoc.my]
-
14/39
Tools
BIND http://www.isc.org/bind
OpenDNSSEC http://www.opendnssec.org
ZKT http://www.hznet.de/dns/zkt/
-
15/39
BIND - DNSSEC for humans
Steps to sign your zone with DNSSEC using BIND 9.7:
# dnssec-keygen -b 1024 -f KSK isoc.my
# dnssec-keygen -b 1024 isoc.my
# dnssec-signzone -S -o isoc.my zone.db
The first command generates the key-signing key (KSK), the second the zone-signing key (ZSK); -S tells dnssec-signzone to pick up both key pairs from the working directory, -o sets the zone origin. These commands produce 1024-bit RSASHA1 keys (algorithm 5), which was the default in 2011; today choose the algorithm with -a (RSASHA256 with at least 2048 bits, or ECDSAP256SHA256).
-
16/39
BIND - Automatic zone re-signing
Another major new feature of BIND 9.7 is the integration of smart signing in the named daemon.
options {
        ........
        dnssec-enable yes;
        .......
};
zone "isoc.my" {
        type master;
        file "dynamic/isoc.my/isoc.my.db";   // zone file path assumed; not shown on the slide
        auto-dnssec maintain;
        update-policy local;
        key-directory "dynamic/isoc.my";
};
With auto-dnssec maintain, named loads the keys from key-directory, signs the zone itself and re-signs records before their RRSIGs expire, following the timing metadata stored in the key files.
-
17/39
BIND - DNSSEC Metadata
Example: Kexample.com.+005+63982.key (file name as shown on the slide; the key inside is for isoc.my). In the file name, 005 is the algorithm number (RSASHA1) and 63982 the key tag.
; This is a key-signing key, keyid 63982, for isoc.my.
; Created: Tue Jan 12 16:57:25 2010
; Publish: Tue Jan 12 16:57:25 2010
; Activate: Tue Jan 12 16:57:25 2010
; Revoke: Tue Jan 19 16:57:25 2010
; Inactive: Tue Jan 19 16:59:05 2010
; Delete: Tue Jan 19 17:00:45 2010
isoc.my. IN DNSKEY 257 3 5 AwEAAbop12N73aBYNiU7gvgty/QqQbYwcKhtVfBn4YOzYY0tuBOeUqWu CKyx6mhndrarWm4sKsXaMJB8ftocSfiaWyLrUd3Ul98FuYK5B2Iv3eCn8QVtrj5/StsGhtI9+i/qnix/y3SmjP (key truncated on the slide)
The timestamps drive the key lifecycle: Publish puts the DNSKEY in the zone, Activate starts signing with it, Revoke sets the REVOKE bit (RFC 5011), Inactive stops signing and Delete removes the record. Flags 257 mark a key-signing key (SEP bit set); a zone-signing key has flags 256.
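The DS record the parent publishes (the .my DS in the root, the isoc.my DS in .my) is a digest over the child's key-signing key, and the key tag in the file name above is a checksum over the same DNSKEY RDATA. The following is an added example, not code from the deck or from BIND: it implements the RFC 4034 key tag, the canonical owner-name encoding, the DS digest and the parent-side DS check in Python. The DNSKEY it uses is constructed (a six-byte fake public key behind the flags/protocol/algorithm fields) so that the key tag can be checked by hand; it is not the isoc.my key from the slide, and the owner name isoc.my is only used as a label.

```python
"""DNSKEY -> key tag and DS record, and the parent-side DS check (RFC 4034).

Added example. The DNSKEY below is constructed: flags 257 (KSK, SEP bit),
protocol 3, algorithm 8 (RSASHA256) and a six-byte fake "public key"
03 01 00 01 ab cd, chosen so the key tag can be recomputed by hand (45784).
"""
import base64
import hashlib

EXAMPLE_OWNER = "isoc.my."
EXAMPLE_DNSKEY = "257 3 8 AwEAAavN"   # base64 of 03 01 00 01 ab cd (constructed)

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(dnskey_text):
    """Wire-format RDATA from the presentation form 'flags protocol algorithm base64key'."""
    flags, proto, alg, *key = dnskey_text.split()
    pubkey = base64.b64decode("".join(key))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA.

    Algorithm 1 (RSAMD5) used a different rule; it is obsolete, so refuse it."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSAMD5) is not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey_text, digest_type=2):
    """DS RDATA in presentation form: 'keytag algorithm digesttype hexdigest'.

    The digest covers the canonical owner name followed by the DNSKEY RDATA,
    which is why the DS for ISOC.MY and for isoc.my is identical."""
    rdata = dnskey_rdata(dnskey_text)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(owner, dnskey_text, ds_text):
    """Does the parent's DS authenticate this child DNSKEY? All four fields must agree."""
    fields = ds_text.split()
    if len(fields) < 4 or not fields[2].isdigit() or int(fields[2]) not in DIGESTS:
        return False
    tag, alg, dtype, digest = fields[0], fields[1], fields[2], "".join(fields[3:]).upper()
    return make_ds(owner, dnskey_text, int(dtype)).split() == [tag, alg, dtype, digest]


if __name__ == "__main__":
    ds = make_ds(EXAMPLE_OWNER, EXAMPLE_DNSKEY)
    print(f"{EXAMPLE_OWNER} IN DS {ds}")
    print("parent DS matches child DNSKEY:", ds_matches(EXAMPLE_OWNER, EXAMPLE_DNSKEY, ds))
```

Run it against a real zone by pasting the DNSKEY from `dig +dnssec DNSKEY isoc.my` and comparing the output with `dig DS isoc.my`; a mismatch on any field (a stale DS after a KSK roll is the usual case) means validators will treat the zone as bogus.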
-
18/39
2. DNSSEC Cache/Recursive DNS server
Cache server: improves efficiency in the local network.
Recursive server: starts each query at the root zone.
Cache + Recursive: usually combined in one server.
Second stage of DNSSEC implementation.
Responsibility: Internet service provider (ISP), Organizations & Registry.
TM, Jaring, broadband providers, universities, more?
-
19/39
2. DNSSEC Cache/Recursive DNS server (cont.)
[Diagram: Stub Resolver/Application -> Cache/Recursive -> Root Server (.) -> Authoritative Server (.my), with the .my DS in the root; the cache/recursive stage is operated by ISPs: TM, Jaring, Maxis, Digi, Celcom & ...]
-
20/39
Tools
BIND http://www.isc.org/software/bind
Autotrust http://nlnetlabs.nl/projects/autotrust/
-
21/39
Enable DNSSEC at the Recursive server
BIND 9.7.0 introduces support for RFC 5011, automated (dynamic) trust anchor management.
Using this feature allows named to keep track of changes to critical DNSSEC keys (the root and any other configured trust anchors) without any need for the operator to make changes to configuration files.
-
22/39
named.conf configuration for the recursive server
options {
        ........
        dnssec-enable yes;
        dnssec-validation yes;
        .......
};
managed-keys {
        // Root trust anchor, tracked automatically per RFC 5011 (key truncated on the slide).
        "." initial-key 257 3 8 "AwEAAa...";
};
trusted-keys {
        // Static trust anchor for .my (key truncated on the slide). Static keys are never
        // rolled automatically, so this entry must be replaced by hand when .my rolls its KSK,
        // and it is redundant once the .my DS is published in the root zone.
        "my." 257 3 8 "KwBDDf...";
};
In later BIND releases dnssec-enable is obsolete and "dnssec-validation auto;" validates with the compiled-in root key, so neither key block is needed for the root.
-
23/39
3. DNSSEC Stub resolver/Application
Simple resolvers (called "stub resolvers") rely on a recursive name server to perform the work of finding information for them.
The application checks the AD (Authenticated Data) flag that the validating recursive server sets, or validates the chain itself up to the root key (the DKI).
The AD flag is only worth trusting when the path to the validating resolver is itself trusted (a resolver on the host or on the local network): the bit is an unsigned header flag, so a spoofed reply can carry it too.
End users: organization staff, home users, mobile users.
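What "check the AD flag" means at the wire level, as an added example (not code from the deck or from any resolver library): build a query, parse the reply header, and accept an answer as authenticated only when it matches the outstanding query (same ID, same question) and is a NOERROR or NXDOMAIN reply with AD set. The messages are constructed in the code; the names www.isoc.my and www.evil.example are placeholders.

```python
"""Stub-side checks on a DNS response: transaction match and the AD bit (RFC 4035 3.2.3).

Added example; every message here is constructed in code rather than captured.
"""
import struct

QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(ident, name, qtype=TYPE_A, cd=False):
    """Recursive query. CD asks the resolver to skip validation, which a stub
    that relies on AD must never set."""
    flags = RD | (CD if cd else 0)
    return (struct.pack("!6H", ident, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN))


def build_response(query, rcode=NOERROR, ad=False, ra=True):
    """Constructed resolver reply echoing the query's ID and question section."""
    ident, _, qd, *_ = struct.unpack("!6H", query[:12])
    flags = QR | RD | (RA if ra else 0) | (AD if ad else 0) | rcode
    return struct.pack("!6H", ident, flags, qd, 0, 0, 0) + query[12:]


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_question(msg):
    """(name, qtype, qclass) of the first question, or None if malformed."""
    pos, labels = 12, []
    while pos < len(msg):
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            return None          # compression pointer or truncated label: reject
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    else:
        return None              # ran off the end before the root label
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels).lower() + ".", qtype, qclass


def matches_query(query, response):
    """Anti-spoofing check a stub needs with or without DNSSEC: same ID, same question."""
    return (parse_header(query)["id"] == parse_header(response)["id"]
            and parse_question(query) is not None
            and parse_question(query) == parse_question(response))


def is_authenticated(query, response):
    """AD counts only on a matching reply that is NOERROR or NXDOMAIN (authenticated
    denial). SERVFAIL means validation failed, whatever the flag says."""
    if not matches_query(query, response):
        return False
    h = parse_header(response)
    return h["qr"] and h["ad"] and h["rcode"] in (NOERROR, NXDOMAIN)


if __name__ == "__main__":
    q = build_query(0x1234, "www.isoc.my")
    for label, r in [("validated", build_response(q, ad=True)),
                     ("unsigned", build_response(q)),
                     ("bogus", build_response(q, rcode=SERVFAIL, ad=True))]:
        print(label, parse_header(r), "authenticated:", is_authenticated(q, r))
```

Even with these checks, the decision rests on the resolver at the other end of an unauthenticated UDP path; a stub that must not trust the network validates itself (a local validating resolver, or a library that walks the RRSIG/DNSKEY/DS chain) rather than reading AD from a remote ISP resolver.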
-
24/39
3. DNSSEC Stub resolver/Application (cont.)
[Diagram: Stub Resolver/Application -> Cache/Recursive -> Root Server; Authoritative Server (master)]
-
25/39
Tools
Drill http://nlnetlabs.nl/projects/drill/
Mozilla DNSSEC plugins:
http://www.dnssec-validator.cz
http://nlnetlabs.nl/projects/drill/drill_extension.html
-
26/39
http://www.dnssec-validator.cz/
-
30/39
Secure bootstrapping of the SSH host key through the SSHFP record
With VerifyHostKeyDNS enabled, OpenSSH looks up the host's SSHFP record and, when the resolver reports the answer as authenticated (AD bit), accepts a matching host key without the usual fingerprint prompt. Demo session from the deck:
% ssh ssh.example.com
The authenticity of host 'ssh.example.com (192.168.1.1)' was validated via DNSSEC.
Warning: Permanently added 'ssh.example.com,192.168.1.1' (RSA) to the list of known hosts.
Last login: Thu Sep 20 19:49:53 2007
Welcome to Darwin!
$
-
31/39
DNSSEC + SSL
-
32/39
DNSSEC: Complementing, not replacing SSL
DNSSEC authenticates the answer that maps a name to an address; SSL authenticates the server the client then connects to and encrypts the session. Each covers a step the other does not.
-
33/39
SSL
[Diagram: End User -> DNS, secured by DNSSEC; End User -> Web or Application Server, secured by SSL]
-
35/39
Issue: Zone Walking
-
36/39
Zone Walking (NSEC)
In early DNSSEC deployments NSEC was vulnerable to zone walking: each NSEC record names the next owner in the zone, so following the chain enumerates every name.
NSEC3 was introduced to overcome the problem: the chain is built over hashed owner names (salted, iterated SHA-1, RFC 5155) instead of the names themselves.
.my currently uses NSEC3; the root and a few registries still use NSEC.
NSEC3 can be deployed with or without Opt-Out, the option registries use to leave unsigned delegations out of the chain.
Caveat: NSEC3 only raises the cost of enumeration. The hashes can still be walked and then attacked offline with a dictionary of likely hostnames.
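The difference between the two schemes, as an added example (not code from the deck): a constructed NSEC chain for isoc.my that a walker can enumerate in full, the RFC 5155 hash that NSEC3 substitutes for the owner names, a walk over the resulting hashed chain that yields only hashes, and the offline dictionary attack that recovers the guessable ones. The zone contents, salt and iteration count are made up; the hash function itself is the RFC 5155 one.

```python
"""NSEC zone walking versus NSEC3 hashed names (RFC 4034 / RFC 5155).

Added example with a constructed isoc.my chain; not data from the slides.
"""
import base64
import hashlib

# Constructed NSEC chain: owner -> (next owner, type bitmap), in canonical order and
# wrapping back to the apex, which is exactly what NXDOMAIN answers hand out.
NSEC_CHAIN = {
    "isoc.my.": ("dev.isoc.my.", "A NS SOA RRSIG NSEC DNSKEY"),
    "dev.isoc.my.": ("mail.isoc.my.", "A RRSIG NSEC"),
    "mail.isoc.my.": ("www.isoc.my.", "A MX RRSIG NSEC"),
    "www.isoc.my.": ("isoc.my.", "A AAAA RRSIG NSEC"),
}


def walk_nsec(chain, apex):
    """Enumerate every name in the zone by following NSEC 'next' pointers from the apex."""
    names, cur = [], apex
    while True:
        names.append(cur)
        nxt = chain[cur][0]
        if nxt == apex:
            return names
        if nxt in names or nxt not in chain:
            raise ValueError("broken NSEC chain at %s" % cur)
        cur = nxt


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# base32 -> base32hex alphabet (RFC 4648 section 7), the encoding NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed with the salt 'iterations' times."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_chain(names, salt, iterations):
    """Hashed owner -> next hashed owner, sorted, so a walker only ever sees hashes."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def walk_nsec3(chain):
    """Walking still works against NSEC3, but it yields hashes rather than names."""
    start = min(chain)
    out, cur = [], start
    while True:
        out.append(cur)
        cur = chain[cur]
        if cur == start:
            return out


def crack_nsec3(hashes, zone, wordlist, salt, iterations):
    """Offline dictionary attack: NSEC3 hides only the names not in the attacker's wordlist."""
    wanted, found = set(hashes), {}
    for word in wordlist:
        candidate = "%s.%s" % (word, zone)
        h = nsec3_hash(candidate, salt, iterations)
        if h in wanted:
            found[h] = candidate
    return found


if __name__ == "__main__":
    print("NSEC walk:", walk_nsec(NSEC_CHAIN, "isoc.my."))
    salt, iters = bytes.fromhex("0123"), 10        # constructed NSEC3PARAM values
    hashes = walk_nsec3(nsec3_chain(list(NSEC_CHAIN), salt, iters))
    print("NSEC3 walk:", hashes)
    print("recovered:", crack_nsec3(hashes, "isoc.my.", ["www", "mail", "ftp"], salt, iters))
```

The hash function is checked against the RFC 5155 Appendix A vector (example., salt aabbccdd, 12 iterations). High iteration counts make both the attacker's and the validator's job slower, which is why current guidance is to use few or zero iterations and an empty salt.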
-
37/39
DNSSEC Special Interest Group
-
38/39
For ISOC DNSSEC training & events
Please register at www.isoc.my and join SIGDNSSEC
-
39/39