DNSSEC
. . .
, IV 2016, UNLICENSE
DIPHOST
DNSSEC
DNSSEC
DNSSEC
.
, .
.
. , , , NS .
DNSSEC . , .
. , DNSSEC.
. . RRSIG . , , DNSKEY .
, , , .
. .
. ( DNSKEY) KSK (Key-signing key).
KSK . KSK .
[Diagram: zone records DNSKEY, AAAA, NS, SOA; Key-signing key (KSK)]
KSK ZSK (Zone-signing key).
ZSK KSK KSK.
ZSK.
ZSK . ZSK . ZSK .
[Diagram: zone records DNSKEY, AAAA, NS, SOA; Key-signing key (KSK) over the DNSKEY set; Zone-signing key (ZSK) over the remaining records]
KSK. KSK KSK.
KSK ZSK. ZSK KSK KSK. ZSK.
KSK .
KSK ZSK . KSK . ZSK KSK.
. .
,
. , .
, .
KSK . .
KSK , DS (Delegation Signer).
DS .
DS .
[Diagram: DNSKEY (KSK) in the zone example.tld; DS record for example.tld in the parent zone .tld, derived from that KSK]
.
DS
, , , , .
[Diagram: chain of trust: DNSKEY (KSK) of example.tld, DS in .tld; DNSKEY (KSK) of sub.example.tld, DS in example.tld]
KSK KSK . DNSKEY DS.
[Diagram: DNSKEY (KSK) of example.tld; DS record for example.tld in .tld, matching the KSK]
API
KSK (DNSKEY-) DS KSK.
DS (DS-) DS. , KSK DS.
EPP. DNSSEC: RFC 5910, https://tools.ietf.org/html/rfc5910
DNSKEY DS.
RFC 5910 .
EPP
(.RU, ., .SU, ., .TATAR) DS DNSSEC EPP DNSKEY .
http://tcinet.ru/documents/
Eesti Interneti SA (.EE) DNSKEY DNSSEC EPP. DS .
https://www.internet.ee/dnssec-ru
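The two provisioning interfaces of the RFC 5910 secDNS extension, the DS interface (the registrar sends key tag, algorithm, digest type and digest) and the key-data interface (the registrar sends the DNSKEY fields and the registry computes the DS), can be exercised with the following added example. It is not code from the slides or from the diphost/ds-calc project; the function names, the validation rules and the choice to reuse the DS and DNSKEY values from the slides as sample input are this example's own assumptions. It builds the <secDNS:create> element for either interface and parses it back so that what was sent can be checked.

```python
import base64
import re
import xml.etree.ElementTree as ET

SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"   # RFC 5910 namespace


def _el(parent, tag, text=None):
    """Append a namespaced child element with optional text."""
    el = ET.SubElement(parent, "{%s}%s" % (SECDNS_NS, tag))
    if text is not None:
        el.text = str(text)
    return el


def ds_data(key_tag, alg, digest_type, digest):
    """Validate one DS tuple for the DS interface and return it as a dict."""
    if not 0 <= key_tag <= 65535:
        raise ValueError("keyTag out of range: %d" % key_tag)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest) or len(digest) % 2:
        raise ValueError("digest is not an even-length hex string")
    return {"keyTag": key_tag, "alg": alg, "digestType": digest_type,
            "digest": digest.upper()}


def key_data(flags, protocol, alg, pub_key):
    """Validate one DNSKEY tuple for the key-data interface and return it as a dict."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3")
    base64.b64decode(pub_key, validate=True)   # raises on malformed key material
    return {"flags": flags, "protocol": protocol, "alg": alg, "pubKey": pub_key}


def secdns_extension(verb, ds=(), keys=(), max_sig_life=None):
    """Serialize <secDNS:create> (or <secDNS:add>, the inner element of an
    update) as XML text. RFC 5910 allows a list of dsData or a list of
    keyData in one element, never both; the registry decides which it accepts."""
    if verb not in ("create", "add"):
        raise ValueError("verb must be 'create' or 'add'")
    if bool(ds) == bool(keys):
        raise ValueError("pass exactly one of ds= (DS interface) or keys= (key-data interface)")
    ET.register_namespace("secDNS", SECDNS_NS)
    root = ET.Element("{%s}%s" % (SECDNS_NS, verb))
    if max_sig_life is not None:            # optional, must precede dsData/keyData
        _el(root, "maxSigLife", max_sig_life)
    for d in ds:
        e = _el(root, "dsData")
        for tag in ("keyTag", "alg", "digestType", "digest"):
            _el(e, tag, d[tag])
    for k in keys:
        e = _el(root, "keyData")
        for tag in ("flags", "protocol", "alg", "pubKey"):
            _el(e, tag, k[tag])
    return ET.tostring(root, encoding="unicode")


def parse_secdns(xml_text):
    """Parse a secDNS element back into plain dicts (all values as strings)."""
    root = ET.fromstring(xml_text)
    out = {"maxSigLife": None, "dsData": [], "keyData": []}
    ms = root.find("{%s}maxSigLife" % SECDNS_NS)
    if ms is not None:
        out["maxSigLife"] = int(ms.text)
    for name in ("dsData", "keyData"):
        for e in root.findall("{%s}%s" % (SECDNS_NS, name)):
            out[name].append({c.tag.split("}")[1]: c.text for c in e})
    return out


# Sample input: the DS and DNSKEY values shown on the slides for example.com.
SAMPLE_DS = ds_data(20545, 13, 1, "40bd7cf025eeb433f9e74127009bd0af8c16f449")
SAMPLE_KEY = key_data(257, 3, 13,
                      "6a81escFb5QysOzJopVCPslEyldHjxOLNIq3ol0xZPeLn6HBLwdRIa"
                      "xz1aYpefJHPaj+seBti4j5gLWYetY3vA==")

if __name__ == "__main__":
    print(secdns_extension("create", ds=[SAMPLE_DS]))
    print(secdns_extension("create", keys=[SAMPLE_KEY], max_sig_life=604800))
```

The element goes inside the `<extension>` part of the EPP `<create>` or `<update>` command; which of the two interfaces to use is dictated by the registry, as the .RU/.EE examples above show.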
DNSKEY DS
DNSKEY
```
example.com. IN DNSKEY 257 3 13 ( 6a81escFb5QysOzJop
                                  VCPslEyldHjxOLNIq3
                                  ol0xZPeLn6HBLwdRIa
                                  xz1aYpefJHPaj+seBt
                                  i4j5gLWYetY3vA== )
```
Fields: flags (257 marks a KSK: the Zone Key bit plus the SEP bit), protocol (always 3 for DNSSEC), algorithm number (1 to 14, see the table), public key in base64.
 5  RSA/SHA-1
 7  RSASHA1-NSEC3-SHA1
 8  RSA/SHA-256
10  RSA/SHA-512
12  GOST R 34.10-2001
13  ECDSA Curve P-256 with SHA-256
14  ECDSA Curve P-384 with SHA-384
DNSKEY
8 , 8 10 2048
8 (RSA/SHA-256), 10 (RSA/SHA-512), 12 (GOST R 34.10-2001), 13 (ECDSA Curve P-256 with SHA-256), 14 (ECDSA Curve P-384 with SHA-384)
Public key length: algorithms 8 and 10: 256 bytes (2048-bit key) or 512 bytes (4096-bit key); algorithms 12 and 13: 64 bytes; algorithm 14: 96 bytes.
DNSKEY
DS
```
example.com. IN DS 20545 13 1 ( 40bd7cf025eeb433f9
                                e74127009bd0af8c16
                                f449 )
```
Fields: key tag of the DNSKEY (20545); algorithm (1 to 14, the same number as in the DNSKEY); digest type (1 to 4); digest of the DNSKEY (here SHA-1, digest type 1).
The DS is computed from the DNSKEY and points at it by key tag and digest; it carries no key material of its own.
,
 1  SHA-1
 2  SHA-256
 3  GOST R 34.11-94
 4  SHA-384
DS
2 , , 1
2
2 (SHA-256), 3 (GOST R 34.11-94), 4 (SHA-384)
Digest length in hex characters: type 1: 40; type 2: 64; type 3: 64; type 4: 96.
DS
DS
DS
DNSKEY,
DNSKEY
, DNSKEY
DS
DS RFC 4034, , . .
. RFC .
, DNS. , DNS .
DS
DS. . .
PHP, Perl, Python 2 and 3, Go and Java, on GitHub: https://github.com/diphost/ds-calc
DS
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import struct, hashlib, base64

# owner     - owner name of the DNSKEY (example.com.)
# algorithm - DNSSEC algorithm number
# publickey - base64 public key (from the DNSKEY record)
# returns (keytag, SHA-256 digest) for a DS record with digest type 2
def calc_ds_sha256(owner, algorithm, publickey):
    flags, protocol = 257, 3   # KSK
    # DNSKEY RDATA: flags, protocol, algorithm, public key
    dnskey_rdata = struct.pack('!HBB', int(flags), int(protocol), int(algorithm))
    dnskey_rdata += base64.b64decode(publickey)
    # keytag (RFC 4034, Appendix B)
    crc = 0
    for i in range(len(dnskey_rdata)):
        b = struct.unpack('B', dnskey_rdata[i:i+1])[0]
        crc += b if i & 1 else b << 8
    keytag = (crc + ((crc >> 16) & 0xFFFF)) & 0xFFFF
    # owner name in canonical wire format: lowercase, terminated by the
    # empty root label (the trailing dot produces the empty last part)
    owner = owner.lower().rstrip('.') + '.'
    domain_wire_format = b''
    for part in bytes(owner, 'ascii').split(b'.'):
        domain_wire_format += struct.pack('B', len(part)) + part
    # digest = SHA-256(owner name | DNSKEY RDATA)
    digest = hashlib.sha256(domain_wire_format + dnskey_rdata)
    return (keytag, digest.hexdigest().upper())
```
Python 3
```perl
use MIME::Base64;
use Digest::SHA;

# $domain    - owner name of the DNSKEY (example.com.)
# $algorithm - DNSSEC algorithm number
# $publickey - base64 public key (from the DNSKEY record)
# returns (keytag, SHA-256 digest) for a DS record with digest type 2
sub calc_ds_sha256($$$) {
    my ($domain, $algorithm, $publickey) = @_;
    my ($flags, $protocol) = (257, 3);   # KSK
    # DNSKEY RDATA: flags, protocol, algorithm, public key
    my $dnskey_rdata = pack('nCC', $flags, $protocol, $algorithm);
    $dnskey_rdata .= decode_base64($publickey);
    # keytag (RFC 4034, Appendix B)
    my $crc = 0;
    for (my $i = 0; $i < length($dnskey_rdata); $i++) {
        my $b = ord(substr $dnskey_rdata, $i, 1);
        $crc += ($i & 1) ? $b : $b << 8;
    }
    my $keytag = ($crc + (($crc >> 16) & 0xffff)) & 0xffff;
    # owner name in canonical wire format; split with -1 keeps the empty
    # root label produced by the trailing dot
    $domain = lc $domain;
    $domain .= '.' unless $domain =~ /\.$/;
    my @parts = split(/\./, $domain, -1);
    my $domain_wire_format = '';
    foreach my $part (@parts) {
        $domain_wire_format .= pack('C', length $part) . $part;
    }
    # digest = SHA-256(owner name | DNSKEY RDATA)
    my $digest = uc Digest::SHA::sha256_hex($domain_wire_format . $dnskey_rdata);
    return ($keytag, $digest);
}
```
DS Perl
```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"strings"
)

// calc_ds_sha256 returns the key tag and the hex SHA-256 digest (DS digest
// type 2) for a KSK DNSKEY with the given owner, algorithm and base64 public key.
func calc_ds_sha256(owner string, algorithm uint8, publickey string) (uint16, []byte) {
	var flags uint16 = 257 // KSK
	var protocol uint8 = 3
	var keytag uint32
	// DNSKEY RDATA: flags, protocol, algorithm, public key
	dnskey_rdata := []byte{byte(flags >> 8), byte(flags), byte(protocol), byte(algorithm)}
	decoded_publickey, err := base64.StdEncoding.DecodeString(publickey)
	if err != nil {
		return 0, nil // malformed key material
	}
	dnskey_rdata = append(dnskey_rdata, decoded_publickey...)
	// key tag (RFC 4034, Appendix B)
	for i, b := range dnskey_rdata {
		if i&1 != 0 {
			keytag += uint32(b)
		} else {
			keytag += uint32(b) << 8
		}
	}
	keytag = (keytag + ((keytag >> 16) & 0xFFFF)) & 0xFFFF
	// owner name in canonical wire format; the trailing dot yields the
	// empty root label as the last element of strings.Split
	owner = strings.TrimSuffix(strings.ToLower(owner), ".") + "."
	domain_wire_format := make([]byte, 0, 256)
	for _, part := range strings.Split(owner, ".") {
		domain_wire_format = append(domain_wire_format, byte(len(part)))
		domain_wire_format = append(domain_wire_format, part...)
	}
	// digest = SHA-256(owner name | DNSKEY RDATA)
	hasher := sha256.New()
	hasher.Write(append(domain_wire_format, dnskey_rdata...))
	digest := make([]byte, 2*hasher.Size())
	hex.Encode(digest, hasher.Sum(nil))
	return uint16(keytag), digest
}
```
DS Go
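The ds-calc code above produces a DS from a DNSKEY. The added example below, which is not from the slides or from the ds-calc project, goes the other way: it parses DNSKEY and DS records in presentation format and checks that a DS published at the registry actually matches the KSK in the zone. It covers digest types 1, 2 and 4, applies the digest-length rule from the DS table, checks the owner name, protocol, Zone Key flag, algorithm and key tag before comparing digests, and reports GOST (digest type 3) as unsupported instead of passing it. The function names and the constructed sample record are this example's own; its 4-byte "public key" is a placeholder, not real key material.

```python
import base64
import hashlib
import struct

# DS digest types: hashlib name and expected hex digest length.
# Type 3 (GOST R 34.11-94) has no hashlib implementation and is listed only so
# that the verifier reports it explicitly instead of silently accepting it.
DIGEST_TYPES = {1: ("sha1", 40), 2: ("sha256", 64), 3: (None, 64), 4: ("sha384", 96)}


def owner_wire(owner):
    """Owner name in canonical wire form: lowercase labels, empty root label last."""
    out = b""
    for label in (owner.lower().rstrip(".") + ".").split("."):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out


def _fields(line, rrtype):
    """Split a presentation-format RR into (owner, fields after the RR type)."""
    fields = line.replace("(", " ").replace(")", " ").split()
    return fields[0], fields[fields.index(rrtype) + 1:]


def parse_dnskey(line):
    """'owner [ttl] [IN] DNSKEY flags protocol alg key...' -> (owner, RDATA bytes)."""
    owner, f = _fields(line, "DNSKEY")
    flags, protocol, alg = int(f[0]), int(f[1]), int(f[2])
    return owner, struct.pack("!HBB", flags, protocol, alg) + base64.b64decode("".join(f[3:]))


def parse_ds(line):
    """'owner [ttl] [IN] DS keytag alg digesttype digest...' -> (owner, keytag, alg, dtype, hex)."""
    owner, f = _fields(line, "DS")
    return owner, int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).lower()


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, dtype):
    """Hex digest of owner-name-in-wire-form || DNSKEY RDATA for a DS digest type."""
    name = DIGEST_TYPES[dtype][0]
    if name is None:
        raise ValueError("digest type %d (GOST R 34.11-94) not available in hashlib" % dtype)
    return hashlib.new(name, owner_wire(owner) + rdata).hexdigest()


def make_ds(dnskey_line, dtype=2):
    """Render the DS record (digest type 2 by default) for a DNSKEY line."""
    owner, rdata = parse_dnskey(dnskey_line)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], dtype,
                                     ds_digest(owner, rdata, dtype).upper())


def verify_ds(ds_line, dnskey_line):
    """Check that a DS record matches a DNSKEY; returns (ok, reason)."""
    ds_owner, keytag, alg, dtype, digest = parse_ds(ds_line)
    owner, rdata = parse_dnskey(dnskey_line)
    flags, protocol, key_alg = struct.unpack("!HBB", rdata[:4])
    if ds_owner.lower().rstrip(".") != owner.lower().rstrip("."):
        return False, "owner name mismatch"
    if dtype not in DIGEST_TYPES:
        return False, "unknown digest type %d" % dtype
    name, hexlen = DIGEST_TYPES[dtype]
    if len(digest) != hexlen:
        return False, "digest length %d, expected %d for type %d" % (len(digest), hexlen, dtype)
    if name is None:
        return False, "digest type %d (GOST R 34.11-94) not supported here" % dtype
    if protocol != 3:
        return False, "DNSKEY protocol %d, must be 3" % protocol
    if not flags & 0x0100:
        return False, "DNSKEY flags %d: Zone Key bit not set" % flags
    if alg != key_alg:
        return False, "algorithm mismatch"
    if keytag != key_tag(rdata):
        return False, "key tag mismatch"
    if ds_digest(owner, rdata, dtype) != digest:
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample: a KSK whose 4-byte "public key" (00 01 02 03) is a placeholder.
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 13 AAECAw=="

if __name__ == "__main__":
    ds = make_ds(SAMPLE_DNSKEY, 2)
    print(ds)
    print(verify_ds(ds, SAMPLE_DNSKEY))
```

Feed it the DNSKEY from the zone and the DS shown by the registry (or by `dig DS example.com +dnssec`) after every KSK change; a key tag match alone proves nothing, since the tag is only a 16-bit checksum and is what the digest comparison at the end is for.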
DS DNSKEY
https://www.dnssec-tools.org/
. ISC BIND. UNIX- dnssec-tools
KSK:
```
$ dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com.
Generating key pair.
Kexample.com.+013+34607
```
DS with digest type 2:
```
$ dnssec-dsfromkey -a SHA-256 Kexample.com.+013+34607
example.com. IN DS 34607 13 2 3F6ED17BBCAAD567619C0D43F05DD9BD0...
```
DNSSEC Tools
https://www.nlnetlabs.nl/projects/ldns/
Ldns. RIPE. UNIX- ldns-utils
KSK:
```
$ ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom example.com
Kexample.com.+013+09534
```
DS with digest type 2:
```
$ ldns-key2ds -n -2 Kexample.com.+013+09534.key
example.com.    3600    IN    DS    9534 13 2 1a7f795c11c3f0e3b74299e1e...
```
LDNS Utils
. . .
KSK . KSK .
KSK . , DNSSEC , . .
DS KSK. DNS-.
DS , , . , DNSSEC , .
DS , . .
. . , .
. DNSSEC .
, ( 12 3 ) DNSSEC
. PHP Perl OpenSSL. .
PHP 5.6
Perl Digest::GOST::CryptoPro
Python https://pypi.python.org/pypi/pygost/
Go http://www.cypherpunks.ru/gogost/
Java http://www.bouncycastle.org/
, . .
DNSSEC ECDSA ( 13). RSA. ECDSA RSA. ECDSA RSA . ECDSA DNS UDP .
SHA-256 ( 2).
. , KSK.
KSK. , DNSKEY DS.
KSK KSK , DS.
API c DNSSEC DNSSEC
API
API API DNSSEC , . API .
API ? .CA (CIRA): https://github.com/CIRALabs/DSAP/
DNSSEC API,
DNSSEC API
DNSSEC. API DNSKEY, DS .
. : http://dnsviz.net/
.
DNSSEC .
.
KSK .
. 1
[Diagram: DNSKEY (KSK) of example.tld; DS record for example.tld in .tld, matching the KSK]
DNSKEY DS. DNSKEY .
EPP EPP. DNSSEC RFC 5910
. 2
KSK . DS , .
API API DS / DNSKEY. .
. 3
, , :
phil@diphost.ru
, . . , , , .
PayPal https://www.paypal.me/schors
. http://yasobe.ru/na/schors
Bitcoin
17V94QS4vaBwec1Qwqp2ow5b3tbrRGGcne
. . , . . . , . , DNSSEC, .
PHP, Perl, Python 2 and 3, Go and Java, on GitHub:
https://github.com/diphost/ds-calc
DNSSEC. OpenDNSSEC: https://www.opendnssec.org/
dnssec-tools: https://www.dnssec-tools.org/
Ldns: https://www.nlnetlabs.nl/projects/ldns/
DNS / DNSSEC (DNSViz): http://dnsviz.net/
CIRA DS (DSAP): https://github.com/CIRALabs/DSAP/
Go (GoGOST): http://www.cypherpunks.ru/gogost/
Python (pygost): https://pypi.python.org/pypi/pygost/
Java BouncyCastle: http://www.bouncycastle.org/
DNS Java (dnsjava): http://www.dnsjava.org/
DNS Perl (Net::DNS): http://search.cpan.org/~nlnetlabs/Net-DNS/
RFC 4033 DNS Security Introduction and Requirements
RFC 4034 Resource Records for the DNS Security Extensions
RFC 4035 Protocol Modifications for the DNS Security Extensions
RFC 3110 RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
RFC 4509 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
RFC 5702 Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
RFC 5933 Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
RFC 6605 Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
RFC 5910 Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 6781 DNSSEC Operational Practices, Version 2
RFC 7583 DNSSEC Key Rollover Timing Considerations
RFC DNSSEC
, .
, , , , , .