Dnssec Mcmc Amir


  • 8/2/2019 Dnssec Mcmc Amir


    March 2011

    The Internet Society

    Securing Internet with DNSSEC


    Amir Haris Ahmad

    [email protected] (MSc, GSEC, GCIH, CNE6)


    Today's Agenda
    - Introduction
    - DNSSEC Implementation Idea
      - Authoritative Server
      - Cache/Recursive Server
      - End Users
    - DNSSEC + SSL
    - Issue: Zone walking
    - ISOC SIGDNSSEC


    Introduction


    DNS
    - The original design of DNS did not include security.
    - RFC 3833 catalogues the known threats.
    - Most applications use DNS; DNS is not only for the web: SMTP, SSH and NTP depend on it too.

    (Diagram: End User -> DNS Server -> Web or Application Server)


    DNSSEC
    - Initial work was in 1997, RFC 2065.
    - Secures DNS against known threats: man-in-the-middle, cache poisoning.
    - Provides to DNS clients (resolvers): origin authentication, data integrity, authenticated denial of existence.
    - Uses public key cryptography.
    - New resource records: DNSKEY, RRSIG, DS, NSEC/NSEC3/NSEC3PARAM.


    Motivation for DNSSEC

    - DNSSEC protects against data spoofing and corruption.
    - TSIG (RFC 2845), a companion to DNSSEC rather than part of it, authenticates transactions between servers (zone transfers, dynamic updates) with a shared secret.
    - DNSSEC (KEY/SIG/NXT in RFC 2065, now DNSKEY/RRSIG/NSEC in RFC 4034) establishes the authenticity and integrity of the data itself.
    - The signed root zone is the trust anchor of the domain key infrastructure (DKI).


    Basic DNS Architecture (diagram): Stub Resolver/Application -> Cache/Recursive -> Root Server, Authoritative Server (master), Authoritative Server (slave)


    DNSSEC Resolution


    DNSSEC Implementation Idea


    Responsibility
    1. Authoritative Server (master and slave): Root (ICANN), Registry & Domain administrator
    2. Cache/Recursive Server: Internet service provider (ISP), Organizations & Registry
    3. Stub Resolver/Application: End user


    1. DNSSEC Authoritative Server
    - Name server that gives answers in response to questions about names in one or more zones.
    - The first stage to enable DNSSEC.
    - Responsibility: Root (ICANN), Registry & Domain administrator.
    - Root: done. Malaysia (.my) Registry: done.
    - .my domains signed so far: v6.my, um.edu.my, localhost.my, isoc.my and ?


    1. DNSSEC Authoritative Server (cont.)

    (Diagram: the chain of trust. The Root Server (.) publishes the .my DS; the Authoritative Server for .my publishes the isoc.my DS; the Authoritative Server for isoc.my serves the DNSKEY that DS points at. The Stub Resolver/Application asks the Cache/Recursive server, which follows this chain downwards.)
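The DS-to-DNSKEY link in that diagram, as an added example (not code from the slides): computing the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, RFC 4509 for SHA-256) from a child zone's DNSKEY, which is what the .my zone does to publish the isoc.my DS and what a validator repeats at each delegation to check it. The key material is constructed and the isoc.my owner name is used only for illustration; checking the RRSIG over the DNSKEY set is a separate step that needs an RSA/ECDSA library and is not shown.

```python
# Added example (not from the slides): the DS -> DNSKEY link a validator checks at
# each delegation, e.g. the ".my DS" in the root and the "isoc.my DS" in .my.
# Standard library only; the key material below is constructed, not a real key.
import base64
import hashlib
import struct

ZONE_KEY_FLAG = 0x0100      # RFC 4034 s.2.1.1: must be set on any DNSSEC key
SEP_FLAG = 0x0001           # Secure Entry Point: the key a DS usually points at (KSK)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower case, length-prefixed labels."""
    name = name.strip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum of the 16-bit words of the RDATA, carry folded in."""
    acc = 0
    for i in range(0, len(rdata), 2):
        hi = rdata[i] << 8
        lo = rdata[i + 1] if i + 1 < len(rdata) else 0
        acc += hi | lo
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 s.5.1.4 / RFC 4509: digest = H(canonical owner name | DNSKEY RDATA)."""
    hash_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS RDATA a parent zone publishes for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """Validator step at a delegation: recompute the DS from the DNSKEY the child
    serves and compare every field with the DS the parent signed."""
    if protocol != 3 or not flags & ZONE_KEY_FLAG:
        return False
    if ds["digest_type"] not in (1, 2):
        return False                      # unknown digest type: this DS is unusable
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, ds["digest_type"]) == ds


# Constructed sample: eight bytes of "public key" are not an RSA key, but key-tag
# and digest arithmetic do not depend on the key's contents, so this exercises it.
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01\x02" * 4).decode()
TAMPERED_PUBKEY_B64 = base64.b64encode(b"\x01\x02" * 3 + b"\x01\x03").decode()

# What the .my zone would publish for isoc.my's KSK (flags 257 = Zone Key + SEP).
DS_FOR_ISOC_MY = make_ds("isoc.my.", 257, 3, 8, SAMPLE_PUBKEY_B64)

if __name__ == "__main__":
    d = DS_FOR_ISOC_MY
    print("isoc.my. IN DS %d %d %d %s" % (d["key_tag"], d["algorithm"], d["digest_type"], d["digest"]))
    print("genuine KSK matches: ", ds_matches_dnskey(d, "isoc.my.", 257, 3, 8, SAMPLE_PUBKEY_B64))
    print("tampered key matches:", ds_matches_dnskey(d, "isoc.my.", 257, 3, 8, TAMPERED_PUBKEY_B64))
```

On a real zone the same numbers come out of BIND's dnssec-dsfromkey run on the KSK's .key file, and they must match what dig DS isoc.my returns from the parent: a wrong key tag or a digest left stale after a KSK roll makes every validating resolver return SERVFAIL for the whole zone.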


    Tools

    BIND http://www.isc.org/bind

    OpenDNSSEC http://www.opendnssec.org

    ZKT http://www.hznet.de/dns/zkt/


    BIND: DNSSEC for humans

    Steps to sign your zone with DNSSEC using BIND 9.7 (the slide's commands with their option dashes restored; BIND 9.7 defaults to RSASHA1, and 1024-bit RSA is too short by today's standards, so on a current system add -a RSASHA256 -b 2048).

    Generate the key-signing key (KSK), the key whose DS record goes to the parent zone:
    # dnssec-keygen -b 1024 -f KSK isoc.my

    Generate the zone-signing key (ZSK), which signs the zone's records:
    # dnssec-keygen -b 1024 isoc.my

    Sign the zone (-S picks the keys up from the key directory by their metadata, -o names the zone origin):
    # dnssec-signzone -S -o isoc.my zone.db


    BIND: Automatic zone re-signing

    Another major new feature of BIND 9.7 is the integration of smart signing into the named daemon: with the key files in key-directory, named loads the keys according to their timing metadata and keeps the zone's signatures fresh by itself.

    options {
        ........
        dnssec-enable yes;
        .......
    };

    zone "isoc.my" {
        type master;
        file "dynamic/isoc.my/zone.db";   // zone file path assumed; not on the slide
        update-policy local;             // the zone must be dynamic for named to re-sign it in place
        auto-dnssec maintain;            // publish/roll keys on their timing metadata, re-sign as needed
        key-directory "dynamic/isoc.my";
    };


    BIND DNSSEC Metadata

    BIND stores each key pair as K<owner>+<algorithm>+<keytag>.key / .private. The .key file carries timing metadata in comment lines, which is what smart signing reads. Example (key tag 63982, algorithm 5 = RSASHA1, flags 257 = key-signing key):

    Kisoc.my.+005+63982.key

    ; This is a key-signing key, keyid 63982, for isoc.my.
    ; Created: Tue Jan 12 16:57:25 2010
    ; Publish: Tue Jan 12 16:57:25 2010
    ; Activate: Tue Jan 12 16:57:25 2010
    ; Revoke: Tue Jan 19 16:57:25 2010
    ; Inactive: Tue Jan 19 16:59:05 2010
    ; Delete: Tue Jan 19 17:00:45 2010
    isoc.my. IN DNSKEY 257 3 5 AwEAAbop12N73aBYNiU7gvgty/QqQbYwcKhtVfBn4YOzYY0tuBOeUqWu CKyx6mhndrarWm4sKsXaMJB8ftocSfiaWyLrUd3Ul98FuYK5B2Iv3eCn8QVtrj5/StsGhtI9+i/qnix/y3SmjP (key material truncated on the slide)

    Note the timing in this example: the key is revoked and deleted three minutes later. That is fine for a demonstration but far too short for a real KSK, since RFC 5011 validators may poll as rarely as every 15 days and would never see the revocation.
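Reading that metadata back, as an added example (not BIND's own code and not from the slides): a parser for the timing comments and the DNSKEY line of a .key file, a function that reports the key's state at a given moment under BIND's timing model, and a few sanity checks an operator wants before letting smart signing act on it. The sample file is constructed from the slide's comment lines with a placeholder public key; real BIND files also prefix each time with a numeric YYYYMMDDHHMMSS form, which the parser accepts as well.

```python
# Added example (not from the slides): read the timing metadata BIND writes into a
# K<owner>+<alg>+<keytag>.key file and report what state the key is in at a given
# time. Standard library only. The sample file is constructed from the slide's
# comment lines with a placeholder, not real, public key.
import re
from datetime import datetime, timedelta

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"             # "Tue Jan 12 16:57:25 2010"
EVENTS = ("Publish", "Activate", "Revoke", "Inactive", "Delete")
SEP_FLAG = 0x0001                                 # Secure Entry Point bit => key-signing key
REVOKE_FLAG = 0x0080                              # RFC 5011 REVOKE bit
MAX_RFC5011_QUERY_INTERVAL = timedelta(days=15)   # RFC 5011 s.2.3: validators poll at most this rarely

SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 63982, for isoc.my.
; Created: Tue Jan 12 16:57:25 2010
; Publish: Tue Jan 12 16:57:25 2010
; Activate: Tue Jan 12 16:57:25 2010
; Revoke: Tue Jan 19 16:57:25 2010
; Inactive: Tue Jan 19 16:59:05 2010
; Delete: Tue Jan 19 17:00:45 2010
isoc.my. IN DNSKEY 257 3 5 AAAAAAAAAAAAAAAAAAAAAAAA
"""


def _parse_time(text: str) -> datetime:
    """Accept BIND's '20100112165725 (Tue Jan 12 16:57:25 2010)' and the human form alone."""
    text = text.strip()
    if text[:14].isdigit():
        return datetime.strptime(text[:14], "%Y%m%d%H%M%S")
    return datetime.strptime(text.strip("()"), TIME_FORMAT)


def parse_key_file(text: str) -> dict:
    """Pull the ';' timing comments and the DNSKEY RR out of a BIND .key file."""
    meta = {"timing": {}}
    for line in text.splitlines():
        m = re.match(r";\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(.+)$", line)
        if m:
            meta["timing"][m.group(1)] = _parse_time(m.group(2))
            continue
        m = re.match(r";.*\bkeyid\s+(\d+)", line)
        if m:
            meta["keyid"] = int(m.group(1))
            continue
        fields = line.split()
        if "DNSKEY" in fields:                     # tolerate an optional TTL / class
            i = fields.index("DNSKEY")
            meta["owner"] = fields[0]
            meta["flags"], meta["protocol"], meta["algorithm"] = map(int, fields[i + 1:i + 4])
            meta["public_key"] = "".join(fields[i + 4:])
    return meta


def key_role(flags: int) -> str:
    return "KSK" if flags & SEP_FLAG else "ZSK"


def key_state_at(meta: dict, when: str) -> str:
    """State at 'YYYY-MM-DD HH:MM:SS' under BIND's timing model: the latest event whose
    time has passed wins; events a key does not have (a ZSK has no Revoke) are skipped."""
    now = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    state = "created"
    for event, name in zip(EVENTS, ("published", "active", "revoked", "inactive", "deleted")):
        if event in meta["timing"] and now >= meta["timing"][event]:
            state = name
    return state


def expected_filename(meta: dict) -> str:
    """BIND names the pair K<owner>+<3-digit alg>+<5-digit keytag>.key / .private."""
    return "K%s+%03d+%05d.key" % (meta["owner"], meta["algorithm"], meta["keyid"])


def consistency_problems(meta: dict) -> list:
    """Checks an operator wants before letting smart signing act on this metadata."""
    t, problems = meta["timing"], []
    present = [t[e] for e in EVENTS if e in t]
    if present != sorted(present):
        problems.append("timing events are not in chronological order")
    if "Revoke" in t and "Delete" in t and t["Delete"] - t["Revoke"] < MAX_RFC5011_QUERY_INTERVAL:
        problems.append("revoked key is deleted within 15 days; RFC 5011 validators may never see the REVOKE")
    if meta.get("flags", 0) & REVOKE_FLAG:
        problems.append("REVOKE bit is already set in the published DNSKEY")
    return problems
```

Run over a whole key-directory, this is a cheap pre-flight before a rollover: every key whose state does not match what the operator expects, or whose file name disagrees with expected_filename, is a key named will not pick up the way the runbook assumes.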


    2. DNSSEC Cache/recursive DNS server
    - Cache server: improves efficiency in the local network.
    - Recursive server: starts each query at the root zone.
    - Cache + Recursive: usually one and the same server.
    - The second stage of DNSSEC implementation.
    - Responsibility: Internet service providers (ISP), Organizations & Registry.
    - Who should deploy it: TM, Jaring, broadband providers, universities, more?


    2. DNSSEC Cache/recursive DNS server (cont.)

    (Diagram: Stub Resolver/Application -> Cache/Recursive at the ISP (TM, Jaring, Maxis, Digi, Celcom & others) -> Root Server (.), which publishes the .my DS -> Authoritative Server (.my))


    Tools

    BIND http://www.isc.org/software/bind

    Autotrust http://nlnetlabs.nl/projects/autotrust/


    Enable DNSSEC at the Recursive Server

    BIND 9.7.0 introduces support for RFC 5011, dynamic trust anchor management. Using this feature allows named to keep track of changes to critical DNSSEC keys (such as a rollover of the root KSK) without any need for the operator to make changes to configuration files.


    named.conf configuration for a recursive server

    options {
        ........
        dnssec-enable yes;
        dnssec-validation yes;
        .......
    };

    // RFC 5011 managed key: named follows rollovers of the root KSK on its own.
    managed-keys {
        "." initial-key 257 3 8 "AwEAAa...";    // root KSK, truncated on the slide
    };

    // Static trust anchor for .my. Once the .my DS is published in the signed root
    // this entry is redundant, and because it never updates it will break validation
    // of everything under .my when the .my KSK is rolled; prefer the root anchor alone.
    trusted-keys {
        "my." 257 3 8 "KwBDDf...";              // truncated on the slide
    };

    On BIND 9.8 and later, dnssec-validation auto; uses the root trust anchor shipped with BIND, so no managed-keys statement is needed at all.


    3. DNSSEC Stub resolver/Application
    - Simple resolvers (called "stub resolvers") rely on a recursive name server to perform the work of finding information for them.
    - The application checks the AD (Authenticated Data) flag set by a validating recursive server, or validates the chain itself against the domain key infrastructure (DKI).
    - The AD flag is only worth anything if the path from the stub to the recursive server cannot be tampered with: the bit is not signed, so an on-path attacker can set it.
    - End users: organization staff, home users, mobile users.
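What "check the AD flag" means on the wire, as an added example (not from the slides): a stub that builds a query with the EDNS0 DO bit set and classifies the reply by its AD bit and RCODE. Standard library only; the resolver address passed to query_udp is whatever the reader supplies, and the three reply headers at the end are constructed for the offline demonstration, not captured from a real server.

```python
# Added example (not from the slides): what "check the AD flag" looks like on the
# wire. Build a query with the EDNS0 DO bit, then read the AD bit and RCODE from
# the reply header. Standard library only. The three reply headers at the bottom
# are constructed for the offline demonstration, not captured from a real server.
import random
import socket
import struct

QTYPE_A = 1
TYPE_OPT = 41
DO_FLAG = 0x8000            # "DNSSEC OK" bit, high half of the OPT pseudo-TTL (RFC 3225)
FLAG_QR, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0080, 0x0020, 0x0010
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, want_validation: bool = True):
    """Recursive query (RD=1) with one OPT record; DO=1 tells the recursive server
    the client understands DNSSEC and wants the validated answer with AD set."""
    msg_id = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)     # RD, QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if want_validation else 0, 0)
    return msg_id, header + question + opt


def query_requests_validation(query: bytes) -> bool:
    """Walk past the header and question to the OPT RR and test its DO bit."""
    pos = 12
    while query[pos] != 0:                  # skip the question name's labels
        pos += query[pos] + 1
    pos += 1 + 4                            # terminator, QTYPE, QCLASS
    name, rrtype, _size, ttl, _rdlen = struct.unpack("!BHHIH", query[pos:pos + 11])
    return name == 0 and rrtype == TYPE_OPT and bool(ttl & DO_FLAG)


def parse_header(response: bytes) -> dict:
    msg_id, flags = struct.unpack("!HH", response[:4])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}


def interpret(response: bytes, expected_id: int) -> str:
    """Classify a reply the way a DNSSEC-aware stub should."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "discard"            # not the answer we asked for (or a spoofed one)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"           # how a validating resolver reports bogus data
    if h["rcode"] != 0:
        return "error"
    return "authenticated" if h["ad"] else "unvalidated"


def query_udp(resolver_ip: str, qname: str, qtype: int = QTYPE_A, timeout: float = 3.0) -> str:
    """Send the query over UDP/53 and classify the reply (network call; not run by the test)."""
    msg_id, wire = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(wire, (resolver_ip, 53))
        data, _addr = sock.recvfrom(4096)
    return interpret(data, msg_id)


# Constructed 12-byte reply headers (the body is irrelevant to the header check).
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD, NOERROR
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, NOERROR
RESP_BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)        # QR RD RA, SERVFAIL
```

The classification only means something when the path to the recursive server is trusted (a validator on localhost, or a transport that authenticates the resolver): AD is a plain bit in the header, covered by no signature. An application that cannot trust that path has to set CD, fetch the RRSIG/DNSKEY/DS chain and validate locally, which is what the "contact DKI" option on the slide amounts to.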


    3. DNSSEC Stub resolver/Application (cont.)

    (Diagram: Stub Resolver/Application -> Cache/Recursive -> Root Server, Authoritative Server (master))


    Tools

    Drill http://nlnetlabs.nl/projects/drill/

    Mozilla DNSSEC plugins http://www.dnssec-validator.cz

    http://nlnetlabs.nl/projects/drill/drill_extension.html


    http://www.dnssec-validator.cz/


    Secure bootstrapping of the SSH host key through the SSHFP record

    % ssh ssh.example.com
    The authenticity of host 'ssh.example.com (192.168.1.1)' was validated via DNSSEC.
    Warning: Permanently added 'ssh.example.com,192.168.1.1' (RSA) to the list of known hosts.
    Last login: Thu Sep 20 19:49:53 2007
    Welcome to Darwin!
    $

    For this to happen the client must be configured to trust DNS fingerprints (OpenSSH: VerifyHostKeyDNS yes) and its resolver must return the SSHFP set with the AD bit set; without DNSSEC validation a fingerprint fetched from DNS is no more trustworthy than the connection it is meant to protect.
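How the SSHFP check behind that login works, as an added example (not OpenSSH's code and not from the slides): derive the SSHFP records for an offered host key the way ssh-keygen -r does, then accept the key only if a DNSSEC-validated SSHFP set contains one of them. The host key is constructed (a well-formed ssh-ed25519 blob around arbitrary bytes) and the validated flag stands in for the resolver's AD bit.

```python
# Added example (not from the slides): derive SSHFP records from an offered host
# key and decide whether DNS-validated fingerprints let the client skip the
# "are you sure?" prompt. Standard library only; the host key is constructed,
# not a real key, and "validated" stands for the AD bit returned by the resolver.
import base64
import hashlib
import struct

SSHFP_ALGORITHM = {          # RFC 4255 / RFC 6594 / RFC 7479 algorithm numbers
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_SHA1, FP_SHA256 = 1, 2    # SSHFP fingerprint types


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def parse_pubkey_line(line: str):
    """Parse 'type base64 [comment]' as found in known_hosts / ssh-keyscan output and
    check that the blob's embedded type string matches the declared type."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type in blob does not match declared type")
    return keytype, blob


def sshfp_records(line: str):
    """The records 'ssh-keygen -r' would emit: (algorithm, fp_type, hex fingerprint).
    The fingerprint is a hash of the raw key blob, exactly as sent in the SSH exchange."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, FP_SHA1, hashlib.sha1(blob).hexdigest()),
            (alg, FP_SHA256, hashlib.sha256(blob).hexdigest())]


def host_key_trusted_via_dns(line: str, dns_records, validated: bool,
                             accept_sha1: bool = False) -> bool:
    """Client decision: the SSHFP set is usable only if it arrived DNSSEC-validated
    (AD=1 from a trusted resolver) and contains a fingerprint of the offered key.
    SHA-1 fingerprints are ignored by default; accept_sha1 is for legacy zones."""
    if not validated:
        return False
    offered = {(a, t, fp.lower()) for a, t, fp in sshfp_records(line)
               if t == FP_SHA256 or accept_sha1}
    published = {(int(a), int(t), fp.lower()) for a, t, fp in dns_records}
    return bool(offered & published)


# Constructed host key: a well-formed ssh-ed25519 blob wrapping 32 arbitrary bytes.
_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " ssh.example.com"

if __name__ == "__main__":
    for alg, fptype, fp in sshfp_records(SAMPLE_HOST_KEY):
        print("ssh.example.com. IN SSHFP %d %d %s" % (alg, fptype, fp))
```

OpenSSH makes the same decision when VerifyHostKeyDNS is yes (and prompts instead of trusting silently when it is ask); a resolver that does not validate leaves the DNS fingerprint with exactly the trust of the unauthenticated connection it is meant to bootstrap.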


    DNSSEC + SSL


    DNSSEC: Complementing, not replacing SSL

    (Diagram: End User -> DNS, protected by DNSSEC; End User -> Web or Application Server, protected by SSL.)

    DNSSEC authenticates the answer to "which address serves this name?"; SSL authenticates the server the user then connects to and encrypts the session. Each covers a hop the other does not, so neither one replaces the other.


    Issue: Zone Walking


    Zone Walking (NSEC)

    - In early DNSSEC deployments NSEC turned out to be vulnerable to zone walking: each NSEC record names the next owner in the zone, so following the chain enumerates every name.
    - NSEC3 was introduced to overcome the problem: it replaces the next-name pointer (NXT in the old specification) with hashed names.
    - NSEC3 only raises the cost of enumeration: the salt and iteration count are public (NSEC3PARAM), so the hashes can still be attacked offline with a dictionary.
    - .my currently uses NSEC3; the root and a few registries still use NSEC.
    - NSEC3 can be used with or without the Opt-Out flag; Opt-Out (meant for registries) leaves unsigned delegations out of the chain to keep large zones small.
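The zone walk, and what NSEC3 does about it, as an added example (not from the slides): following a constructed NSEC chain for a fictional isoc.my zone enumerates every name, and the RFC 5155 hash function (checked against the RFC's own Appendix A vector for example.) shows both why NSEC3 hides names from a walker and why an offline dictionary attack still recovers guessable ones. The NSEC chain, salt, iteration count and word list are all constructed.

```python
# Added example (not from the slides): why NSEC lets anyone enumerate a zone, and
# what NSEC3 changes. The NSEC chain is constructed for a fictional isoc.my zone;
# nsec3_hash is the RFC 5155 algorithm. Standard library only.
import base64
import hashlib
import struct

# Constructed NSEC chain: owner -> (next owner, types present). Each record proves
# "no names exist between me and my successor", which is exactly the leak.
NSEC_CHAIN = {
    "isoc.my.": ("ftp.isoc.my.", ["NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"]),
    "ftp.isoc.my.": ("mail.isoc.my.", ["A", "RRSIG", "NSEC"]),
    "mail.isoc.my.": ("www.isoc.my.", ["A", "AAAA", "RRSIG", "NSEC"]),
    "www.isoc.my.": ("isoc.my.", ["A", "RRSIG", "NSEC"]),
}


def walk_zone(apex: str, nsec_lookup) -> list:
    """Follow the NSEC 'next' pointers from the apex until the chain wraps around.
    nsec_lookup(name) returns (next_name, types) for an existing name, or None.
    Against a live server the same record comes back in the authority section
    whenever you query a name that does not exist between two real ones."""
    names, current = [], apex
    while current not in names:
        names.append(current)
        record = nsec_lookup(current)
        if record is None:              # broken chain: stop rather than loop forever
            break
        current = record[0]
    return names                        # the chain closed on itself: the whole zone


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a name, the input NSEC3 hashes."""
    name = name.strip(".").lower()
    out = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                   for label in name.split(".")) if name else b""
    return out + b"\x00"


_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(k-1) || salt),
    H = SHA-1, result in Base32 with the extended hex alphabet (lower case here).
    A salt of "-" means no salt, as in NSEC3PARAM presentation format."""
    salt = bytes.fromhex(salt_hex) if salt_hex != "-" else b""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).rstrip("=").lower()


def nsec3_dictionary_attack(hashed_owners, salt_hex, iterations, zone, candidates) -> dict:
    """NSEC3 only hides names from a casual walker: with the hashed owners from the
    NSEC3 chain and the public salt/iterations from NSEC3PARAM, anyone can hash a
    word list offline. Returns {hashed owner: recovered name} for every hit."""
    targets = {h.lower() for h in hashed_owners}
    found = {}
    for label in candidates:
        fqdn = "%s.%s" % (label, zone.strip("."))
        h = nsec3_hash(fqdn, salt_hex, iterations)
        if h in targets:
            found[h] = fqdn
    return found


if __name__ == "__main__":
    print("NSEC walk:", walk_zone("isoc.my.", NSEC_CHAIN.get))
    print("example. ->", nsec3_hash("example.", "aabbccdd", 12))
```

The practical consequence for a zone operator is that NSEC3 protects only names that are not guessable; anything an attacker would try anyway (www, mail, ftp, vpn) is recovered in milliseconds, so choose the iteration count for the resolvers' sake rather than as a defence.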


    DNSSEC Special Interest Group


    For ISOC DNSSEC training & events

    Please register at www.isoc.my and join SIGDNSSEC
