OpenDNSSEC training 2013-12-10
Creative Commons Attribution-ShareAlike 3.0 Unported License
OpenDNSSEC training
Opening
10 December 2013, Creative Commons Attribution-ShareAlike 3.0 Unported License
Agenda
• Introduction to DNSSEC and Cryptography
• OpenDNSSEC Architecture
• Installing OpenDNSSEC
• Hardware Security Modules
• OpenDNSSEC Configuration
• Key States & Rollovers
• Migration
• Testing
• Integration
• Monitoring
• Disaster Recovery Plan
• Operational practices
Introduction
• Who am I?
Introduction
• Who are you?
• What is your $DAYJOB?
• Any experience with DNSSEC?
• What are your expectations?
Goals
• Understanding of DNSSEC
• OpenDNSSEC
  • Install
  • Configure
  • Sign zones
  • Integrate with your environment
  • Basic troubleshooting
OpenDNSSEC training
DNSSEC introduction
The DNS Hierarchy
. (root)
. NS a.root-servers.net.          a.root-servers.net. A 198.41.0.4
. NS d.root-servers.net.          d.root-servers.net. A 128.8.10.90
. NS m.root-servers.net.          m.root-servers.net. A 202.12.27.33
.net   .com   .org
org. NS b0.org.afilias-nst.org.   b0.org.afilias-nst.org. A 199.19.54.1
org. NS d0.org.afilias-nst.org.   d0.org.af
ilias-nst.org. AAAA 2001:500:f::1
opendnssec.org
opendnssec.org. NS ns.kirei.se.
opendnssec.org. NS primary.se.
opendnssec.org. NS secondary.se.
www.opendnssec.org. A 91.206.174.13
Resolving DNS
Parties in the diagram: client computer, DHCP server, caching resolver, and the authoritative servers for . (root), .org and opendnssec.org.
1. Client to caching resolver: www.opendnssec.org?
2. Resolver to root: www.opendnssec.org?
3. Root: Ask a0.org.afilias-nst.info
4. Resolver to .org: www.opendnssec.org?
5. .org: Ask ns.kirei.se
6. Resolver to opendnssec.org: www.opendnssec.org?
7. opendnssec.org: www.opendnssec.org has address 91.206.174.13
8. Resolver to client: www.opendnssec.org has address 91.206.174.13
Vulnerabilities
• You cannot trust the DNS answer
• Various categories of threats
  • Denial of Service
  • Data integrity
    • Protocol issues – cache poisoning, query prediction
    • System corruption
    • Repository corruption
  • Privacy
    • Cache snooping
    • NSEC walk
What is DNSSEC?
• Domain Name System Security Extensions
• An extension that is placed on top of DNS
• DNSSEC provides:
  • Data origin authentication
  • Data integrity
  • Denial of existence
• By using digital signatures
• Fixes some of the protocol issues
CRYPTOGRAPHY
Cryptography
• In most cases, we want to protect a message when it travels from point A to point B.
• A message can be protected in various ways:
  • No one can read the message (confidentiality)
  • You can prove who the sender is (authentication)
  • You can detect if the message has been altered (integrity)
The history
• Protecting your message was primarily about altering the message so that an eavesdropper cannot understand its content
  • Steganography
  • Transposition (e.g. Scytale)
  • Substitution (e.g. Caesar, Vigenère)
The key
• The information needed in order to encrypt and decrypt the message
  • Scytale: a cylinder that the parchment is wrapped around
  • Caesar: how many steps the alphabet should be shifted
  • Vigenère: a keyword describing how the alphabet should be shifted for each position
• The key must be exchanged between the sender and the receiver
Stronger algorithms
• Security by obscurity
  • Kerckhoffs's principle says that the key should be secret, but not the algorithm
• Frequency analysis
  • Some characters are more common than others
• Brute force
  • Is it possible to test each key?
• This demands algorithms that use complex keys and reveal as little as possible about the key and the plaintext
Symmetric algorithms
• Sender and recipient share a common key
• Requires a secure channel when distributing the key
• Symmetric block ciphers
  • DES / 3DES
  • Blowfish
  • AES (aka Rijndael)
• Symmetric stream ciphers
  • RC4
  • Salsa20
Asymmetric algorithms
• A key pair is used when processing the message
  • A public key for encryption
  • A private key for decryption
• The public key can be distributed. The sender uses the recipient's public key to encrypt the message.
• Only the recipient – who has the private key – can decrypt the message.
• Asymmetric algorithms
  • RSA, DSA, ECC
Public & Private Keys (diagram)
Diffie-Hellman (diagram)
Digital signatures
• Encryption is not always necessary, but you still want to know who sent the message.
• You create a hash (checksum) of the message. The hash is then signed using the sender's private key.
• The recipient uses the sender's public key to verify the message by comparing the hashes.
• The recipient knows
  • If the message was from the correct sender
  • If the message hasn't been altered
Distributing the public key
• The problem is to distribute the public key and to be able to trust it
• Usually done by using certificates in a PKI
• But DNSSEC is not like a regular PKI
  • Keys are published in DNS
  • The following slides will present how DNS can be trusted
DNSSEC, CONT'D
Add crypto to the mixture
• Asymmetric crypto
  • Asymmetric key pairs have a public and a private key
  • Protect the private keys
  • Publish the public keys
• KSK – Key Signing Key
  • Signs other key records only
• ZSK – Zone Signing Key
  • Signs all other records in the zone
Signatures?
• A signature is an encrypted hash of data.
  • The key used for encryption is the private key, and the signature can be verified by decrypting the hash with the public key.
• A hash is a checksum of a set of data. Examples of hash algorithms are MD5, SHA-1 and SHA-256.
  • N.B. MD5 is considered vulnerable and should not be used
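The hash-sign-verify flow from the Digital signatures and Signatures? slides, as an added example that is not part of the original training material. It uses a toy RSA key pair built from two fixed small primes (insecure, chosen only so that the numbers stay readable; a real DNSSEC key uses a 1024- or 2048-bit modulus held in an HSM). The sample message, the key values and the function names are constructed for the illustration:

```python
import hashlib

# Toy RSA key pair for illustration only (constructed, NOT secure): two fixed,
# well-known primes give a modulus of about 60 bits so every step is easy to follow.
P = 1000000007
Q = 998244353
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (modular inverse, Python 3.8+)


def message_hash(message: bytes) -> int:
    """Checksum of the message, truncated to 56 bits so that it is smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:7], "big")


def sign(message: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Signing = the hash of the message 'encrypted' with the private key: s = h^d mod n."""
    return pow(message_hash(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Verification = 'decrypt' the signature with the public key (s^e mod n) and
    compare the recovered hash with a freshly computed hash of the message."""
    recovered = pow(signature, public_exponent, modulus)
    return recovered == message_hash(message)


if __name__ == "__main__":
    # Constructed sample message: a record taken from the slides.
    record = b"www.opendnssec.org. A 91.206.174.13"
    s = sign(record)
    print("signature        :", s)
    print("verifies         :", verify(record, s))
    print("altered record   :", verify(b"www.opendnssec.org. A 192.0.2.1", s))
    print("altered signature:", verify(record, (s + 1) % N))
```

Only the holder of D can produce a value that recovers to the right hash, so a verifier with E and N learns both who signed and that the data is unchanged, which is exactly what an RRSIG gives a validating resolver.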
DNSKEY algorithms
• RSAMD5 – obsolete
• DSA – legacy
• RSASHA1 – legacy
• DSA-NSEC3-SHA1 – legacy
• RSASHA1-NSEC3-SHA1 – legacy
• RSASHA256 – used for new deployments
• RSASHA512 – rarely used
• ECC-GOST – only used within Russia?
• ECDSAP256SHA256 – up and coming
• ECDSAP384SHA384 – up and coming
DNSKEY and RRSIG
opendnssec.org. IN DNSKEY 257 3 8 (
    AwEAAb45Pf7pIdhDHICun30O21BTE8x7fEOklKGh0zeK
    OPI6P9n68IWPNPdsm8Jrhcu7G6qrdnHLldD5d7Y+QsQi
    0YA5FPM9pYnx+VXkmedBIHMKKde4PoFdmSP0OaoXJd0J
    u0Kprm+hiZAkjuQnODFukjsQdUwDSpyKd/oePXKRdNCz
    2petiwA2MLjEDWgNYu9QH7J6ga83v4MqAnUl7hJpblu7
    6W4lgl47lCTTglheXGAGDtoD1qQ1PARR4OeumWeK2wMo
    qkIWhKmubgVKPMgfjrLwc040YqqWoTvFKZbefHt2ZJj1
    c1mjRM5DW3QTIo4rduu7sFmMDElIRluRokkz8jk= ) ; key id = 59395
opendnssec.org. IN DNSKEY 256 3 8 (
    AwEAAcCzuYuuIVyArJ154kne+spwCDJYAGKlhG4U23lG
    3XMp0vAv6HSzm/fhedoKEUgvlyHSHfg+1woJ8v2jtpoz
    bVkv8VG11f3TmUHYOHqUDZkltVkKp4v2TLa5BuCIJJSE
    SRbM3YPEC7ZHce/+ACLhXsHTvxzPXzUyfvCfNTeyMmdH ) ; key id = 18798
opendnssec.org. IN RRSIG DNSKEY 8 2 3600 20131022071035 (
    20131008071035 59395 opendnssec.org.
    ZcOs195bLWvsE7WMZDlpQX1Siq7ueZU8aq4mgYRuLpd9
    /SgJ0B7xzHiwhVjVsq98MwIlx0pZZ9QIjzAVVz1OVJcF
    T5FFDTrxE8OP0k0bvO6cwQSpGOjFKBfuEczE28ZtqJXI
    JeinZj0wBaj6REhp0SOho/wgMu9AkoWrgrxgeFnhx6wz
    h1ycOXFZf9JGacBimNoUhjYSfLWMX/5AYmSaJyyneDXw
    F0zawc6E2kV1CimQ4KIjPj0zfevHi+4nqKzay4WuHXOO
    psyGtvVuxHZUfO4syZmhxc98azdLk3OWE0oJGuRggp1j
    JkA1O+bn3BY8EPJyW/NdL5E0foFAsWpugw== )
Not after: 2013-10-22 07:10:35 (the signature expiration field, 20131022071035)
Not before: 2013-10-08 07:10:35 (the signature inception field, 20131008071035)
NSEC
• Proof of non-existence
• X NSEC Z proves that there are no other names between X and Z
mail.opendnssec.org. IN NSEC svn.opendnssec.org. CNAME RRSIG NSEC
NSEC3
• NSEC makes zone walking possible
• NSEC3 uses the hash of the domain name
• Requires more resources from the resolver and the authoritative name server
• Please keep the number of NSEC3 iterations sane!
7oreb1sb9elhfqfp53bqqde6bcdm5eo3.groupx.odslab.se. IN NSEC3 1 0 5 3A5BF749D1330DE3 OTANAROMKJB00QC2G6K2IT2GU2SB4DOA CNAME RRSIG
NSEC3PARAM
• Used in NSEC3 calculations
  • Hash algorithm
  • Flags – OptOut
  • Number of iterations
  • Salt
opendnssec.org. IN NSEC3PARAM 1 0 15 BA5EBA11
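How the hashed owner names in the NSEC3 records above are derived, as an added example that is not from the training material. It applies the RFC 5155 hash with the parameters of the groupX.odslab.se NSEC3PARAM record shown on the slides, and checks whether a hashed name falls into one of the chain's intervals, which is the proof of non-existence the NSEC slide describes. The function names and the non-existent name mail.groupx.odslab.se. are constructed for the example:

```python
import base64
import hashlib

# base32 (RFC 4648) to base32hex: same bit layout, different alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire format of an owner name: lower-case, length-prefixed labels, root = 0x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """Hashed owner name per RFC 5155 section 5:
    IH(salt, x, 0) = H(x || salt) and IH(salt, x, k) = H(IH(salt, x, k-1) || salt),
    with H = SHA-1, encoded in base32hex (lower-case, as in the zone listing)."""
    if algorithm != 1:
        raise ValueError("NSEC3 defines only hash algorithm 1 (SHA-1)")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" means no salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):                                  # the extra iterations
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_nsec3param(record: str) -> tuple:
    """(algorithm, flags, iterations, salt) from an NSEC3PARAM record in presentation format."""
    fields = record.split()
    i = fields.index("NSEC3PARAM")
    return int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]), fields[i + 4]


def hash_covered(hashed: str, owner: str, next_owner: str) -> bool:
    """True when the NSEC3 record 'owner -> next_owner' proves that the hashed name
    does not exist, i.e. the hash lies strictly between the two. The chain is
    circular, so the last record (owner > next_owner) covers the wrap-around."""
    hashed, owner, next_owner = hashed.lower(), owner.lower(), next_owner.lower()
    if owner < next_owner:
        return owner < hashed < next_owner
    return hashed > owner or hashed < next_owner


# Records copied from the signed groupX.odslab.se lab zone on the slides.
NSEC3PARAM = "groupX.odslab.se. 60 IN NSEC3PARAM 1 0 5 3A5BF749D1330DE3"
CHAIN = [  # (hashed owner, next hashed owner, type bitmap)
    ("7oreb1sb9elhfqfp53bqqde6bcdm5eo3", "otanaromkjb00qc2g6k2it2gu2sb4doa", "CNAME RRSIG"),
    ("otanaromkjb00qc2g6k2it2gu2sb4doa", "7oreb1sb9elhfqfp53bqqde6bcdm5eo3",
     "NS SOA RRSIG DNSKEY NSEC3PARAM"),
]

if __name__ == "__main__":
    algorithm, flags, iterations, salt = parse_nsec3param(NSEC3PARAM)
    # The zone has two names: the apex (NS SOA ... bitmap) and www (CNAME bitmap).
    for name in ("groupx.odslab.se.", "www.groupx.odslab.se."):
        print(f"{name:24} -> {nsec3_hash(name, salt, iterations, algorithm)}")
    # A name that is not in the zone (constructed): find the record whose interval covers it.
    missing = nsec3_hash("mail.groupx.odslab.se.", salt, iterations, algorithm)
    for owner, next_owner, bitmap in CHAIN:
        if hash_covered(missing, owner, next_owner):
            print(f"mail.groupx.odslab.se. -> {missing}, covered by {owner} -> {next_owner}")
```

Each extra iteration costs one more SHA-1 for every name on both the signer and every validating resolver, which is why the slide asks for a sane iteration count.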
Zone file without DNSSEC
$ORIGIN groupX.odslab.se.
$TTL 60
@ SOA nsX.odslab.se. test.odslab.se. (
    2011062100 ; serial
    360        ; refresh (6 minutes)
    360        ; retry (6 minutes)
    1800       ; expire (30 minutes)
    60         ; minimum (1 minute)
    )
@   NS    nsX.odslab.se.
www CNAME nsX.odslab.se.
Zone file with DNSSEC
groupX.odslab.se. 60 IN SOA nsx.odslab.se. test.odslab.se. (
    2011062145 ; serial
    360        ; refresh (6 minutes)
    360        ; retry (6 minutes)
    1800       ; expire (30 minutes)
    60         ; minimum (1 minute)
    )
groupX.odslab.se. 60 IN RRSIG SOA 8 3 60 20110628103724 (
    20110628083552 44494 groupx.odslab.se.
    NJ5lIdcdw3TJlSjTd5W/Gk1CtgZu2VfXAVIF49em/jdm
    pA1JnejkwPAfb0TjdcXBUH6cQ2XIHobjgEJEpWRM9G/W
    W7DYJZmdo6o09YrMexTLCZLcq6eyjTpS8TmwmconuNEN
    FiCkBztqgHlyw0Teg9sw/1E0UVwGKKgd0SOv8Nw= )
groupX.odslab.se. 60 IN NS nsx.odslab.se.
groupX.odslab.se. 60 IN RRSIG NS 8 3 60 20110628103609 (
    20110628083552 44494 groupx.odslab.se.
    K3Yxcz25nv0m8SZDHkh0YXPBrZ0+78hVsT7FD4A9GZ9m
    3sHpkpfzjZ/Bee+lgwZZGIJKmMfyRtQQon7oCa2Z9xe9
    L/D9KQzPzZbZCMrOxG/usSZ+LhwYuN3b0Kl2BIhklji5
    fBN6aEsyhw+hiV9ibobzqKe5bMnxaa9IfMscV1c= )
groupX.odslab.se. 120 IN DNSKEY 256 3 8 (
    AwEAAasv0uyeTp5kIaw/fwPyQncY06YMn370lczC5SCx
    veUNQXLhihm+tV/lTvkWd5GHg/ebjTPSR6mqB/jTu7CH
    /iNhprxdnh3lVW7FjFpC5tDfFiHyDM97q8A+4lnBmiB4
    SZJR1qOGmeoiU2BP2uyTlv31KJPDm08GwmPTTX8fi3LV
    ) ; key id = 44494
groupX.odslab.se. 120 IN DNSKEY 257 3 8 (
    AwEAAc6Wk/UqaEMaytXWL2y25I0Z8UuubnkrufaJEEBw
    niObHaNGMscp5I5207ScB6L70DJS46S9bA4k8mbcRNPA
    Vi0OQVz1kFTTNt45XzYQ7yaQJyobQdFtVq8TXtaFPiFP
    S7nz7ga8/HVW8VNRp4H5iajsgh4LCX+399tJX+rk613R
    tbnHVvZPOUiuZNFqZLOkbzGtNRbl4UvoRQi5q+tjV/ow
    cUkn8tljQGPpTe/HLImUT+MrftnY6m8jvgO+qhd2o/1Z
    6XZcVBuDB+UGrhFcU72HmeKfQHMtCuGZhmWOcOymPcDJ
    12ONkBqgj28Cu/4Kr44DMTu4q2ax07dDOfSyKqM= ) ; key id = 62246
groupX.odslab.se. 120 IN RRSIG DNSKEY 8 3 120 20110628103715 (
    20110628083552 62246 groupx.odslab.se.
    Tw32FOW95e86g0FYxyXu3nDQNTdAELxVhg4BVoRA2RWx
    iAgkZk/XQRUfozjd/qNNjrIA2+a9wwrvLWokRB6xzSTR
    bwx199Mu8Xj9p9Q8CbzCvbvHPtRqPgf6Mto9jjlUaSK4
    NlNQWg/qfsLvkvxRpdE4g9Xac3b71TPuylQSovvARR0v
    4rJ4zmBdomdQHjtwOuQ4GeVfpgKqFCqa8HFK8D20Kmjk
    56a7rbe6UWt5hHMjQfys3NfvulFAdCTW0Rbikss7YQMw
    j6msmsRS8Zj+IlBbmku6RwxVxNF/ca09fuz4NhyOOSRP
    2mBTBIwk+XcybA6vK5ofnrBTCSSoJOt4+g== )
groupX.odslab.se. 60 IN NSEC3PARAM 1 0 5 3A5BF749D1330DE3
groupX.odslab.se. 60 IN RRSIG NSEC3PARAM 8 3 60 20110628103502 (
    20110628083552 44494 groupx.odslab.se.
    Gvy1AOrm6dENvVUke1Ck3KmjB5W1mbvIsFdvm2p2MfZa
    msgUJNJ0sT6R3jIyRIvc+6T3jADDHGpvr6ILLnWySFRb
    9efAn/SDt060N3YsU6emv5iAh/TRbo7g8UNtokm1TAds
    5rZ187cOo3yqQ05qBSTVo8wCcF1HS6+htEt+vQs= )
www.groupX.odslab.se. 60 IN CNAME nsx.odslab.se.
www.groupX.odslab.se. 60 IN RRSIG CNAME 8 4 60 20110628103414 (
    20110628083552 44494 groupx.odslab.se.
    BAs7KPVdwoPeC9isn/N00dV2OB62sSjbQS65r6h8EOGF
    ToRqd6wRpd8OhNSNrJNn7ycH61m2j71WhE00fsMLA1T6
    vxGKVcK6IeH+7Vpu4bgnH93jq8f3TftaiR22bYNl+Y9Q
    Y7PHNFcmZ0PmoqVmilmtJdpn+YNjUJ5a+Riwojo= )
7oreb1sb9elhfqfp53bqqde6bcdm5eo3.groupx.odslab.se. 60 IN NSEC3 1 0 5 3A5BF749D1330DE3 OTANAROMKJB00QC2G6K2IT2GU2SB4DOA CNAME RRSIG
7oreb1sb9elhfqfp53bqqde6bcdm5eo3.groupx.odslab.se. 60 IN RRSIG NSEC3 8 4 60 20110628103552 (
    20110628083552 44494 groupx.odslab.se.
    azU2yBsLQNXANwyTxosI4hwf6JPfV5XKNdPtQzGprShE
    w6N/sDG9QzMJjlQrPW82rY2SYl7xGJMBGdfsGVBZJJQ4
    nXBmwnjT5Grm9k/a0hyCmYYAHzoq4ixV5fLDYrH8af/u
    uvoFs90vJlN4OMbHNJUrNSsCsJRzps/k0/aH+0w= )
otanaromkjb00qc2g6k2it2gu2sb4doa.groupx.odslab.se. 60 IN NSEC3 1 0 5 3A5BF749D1330DE3 7OREB1SB9ELHFQFP53BQQDE6BCDM5EO3 NS SOA RRSIG DNSKEY NSEC3PARAM
otanaromkjb00qc2g6k2it2gu2sb4doa.groupx.odslab.se. 60 IN RRSIG NSEC3 8 4 60 20110628103526 (
    20110628083552 44494 groupx.odslab.se.
    QLlN/6CjlkU609P9/AntqRFHWAKJ8PUIS53HOZfN9D6P
    PZEr/7dd+jlv2sgXmIYx/0VXySr4Bafgm8+k0fwEU+JY
    TjmfkLUOD6O9DOQ/RqNtLp5HFH6TLMZxO7VdFr9vEZq1
    5UIUQjIFT2+aQR3Dd/QMq26ysHGqOApSH/wkq6Y= )
Fingerprints
• A fingerprint is a hash of a key. Fingerprints are often published instead of a key because they are much shorter than the key and easier to read.
Key:
    BEAAAAPFUp17Etwawvfg7DV5k7mkdLGn42PcFcXyXOWr
    rStBNWF2q6af2WOxMwlPqPb8bBKmm5QZErTZLuhgDVE8
    KuPdnsxF90+pV2y9eB3+FIjDjQfo1xKcxAjRMaKkSrCA
    WRA0PplQu2AfZW7q/MZK3O6uCwqp7xv4/nblU2PoVKpn
    KXX6xkIhfbM/K/jnBJqprmBfzR+WcFLuP56Bf49/Vdv7
    LRnDjuXWoRQ7gu7/W72fzXwOwy5DqRf0G7iKIltEZOjp
    M8nROvp3w35naNLC6o0bbgw1MlE3sOAn8IiLLw+Kn7kJ
    kfB1uGPUzqdf1wSx0wcfBaRnnPQdlnH80OGRBdDN
Fingerprint:
    A1B8B850CAA2D3C595D5617DB5ADE18989CC542CD15B9B0236E7D3752AAC2946
DS records
• DS – Delegation Signer
• A DS record (the hash of the DNSKEY) is published at the parent zone to delegate trust to the child zone.
• This is what is published for opendnssec.se at .se:
opendnssec.se. IN DS 27295 5 1 5AEF372D65BC594A7AF5E0E77CDDA55E0C43A56A
opendnssec.se. IN DS 27295 5 2 A1B8B850CAA2D3C595D5617DB5ADE18989CC542CD15B9B0236E7D3752AAC2946
• Several DS digest algorithms are possible; the example above uses SHA-1 (1) and SHA-256 (2)
• The DS records are signed by the parent
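The key id, the DS digest and the RRSIG validity window from the DNSKEY and RRSIG, Fingerprints and DS records slides, worked as an added example that is not part of the original slides. It takes the opendnssec.se public key and the two DS records exactly as the slides print them (the 64-digit fingerprint on the Fingerprints slide is the same hex string as the SHA-256 DS digest, so it is computed the DS way, over the owner name in wire format followed by the DNSKEY RDATA); the function names and the sample timestamps handed to the window check are the example's own:

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone


def name_to_wire(name: str) -> bytes:
    """Canonical wire format of an owner name: length-prefixed lower-case labels, root = 0x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the decoded public key."""
    key = base64.b64decode("".join(public_key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """Key tag, the 'key id' in the listings (RFC 4034 Appendix B): sum the RDATA as
    big-endian 16-bit words, fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types SHA-1 and SHA-256


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), upper-case hex."""
    return DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(owner: str, rdata: bytes, ds_rdata: str) -> bool:
    """Does a parent's DS ('keytag algorithm digesttype digest') vouch for this DNSKEY?"""
    tag, algorithm, digest_type, digest = ds_rdata.split()
    return (int(tag) == key_tag(rdata)
            and int(algorithm) == rdata[3]
            and ds_digest(owner, rdata, int(digest_type)) == digest.upper())


def rrsig_is_current(inception: str, expiration: str, now: str) -> bool:
    """RRSIG validity window: inception <= now <= expiration (all YYYYMMDDHHMMSS, UTC)."""
    fmt = "%Y%m%d%H%M%S"
    start, end, at = (datetime.strptime(t, fmt).replace(tzinfo=timezone.utc)
                      for t in (inception, expiration, now))
    return start <= at <= end


# Public key of the opendnssec.se KSK (DNSKEY 257 3 5) copied from the Fingerprints
# slide, and the two DS records the DS slide shows for it at .se.
OPENDNSSEC_SE_KSK = """
BEAAAAPFUp17Etwawvfg7DV5k7mkdLGn42PcFcXyXOWr rStBNWF2q6af2WOxMwlPqPb8bBKmm5QZErTZLuhgDVE8
KuPdnsxF90+pV2y9eB3+FIjDjQfo1xKcxAjRMaKkSrCA WRA0PplQu2AfZW7q/MZK3O6uCwqp7xv4/nblU2PoVKpn
KXX6xkIhfbM/K/jnBJqprmBfzR+WcFLuP56Bf49/Vdv7 LRnDjuXWoRQ7gu7/W72fzXwOwy5DqRf0G7iKIltEZOjp
M8nROvp3w35naNLC6o0bbgw1MlE3sOAn8IiLLw+Kn7kJ kfB1uGPUzqdf1wSx0wcfBaRnnPQdlnH80OGRBdDN
"""
PARENT_DS = [
    "27295 5 1 5AEF372D65BC594A7AF5E0E77CDDA55E0C43A56A",
    "27295 5 2 A1B8B850CAA2D3C595D5617DB5ADE18989CC542CD15B9B0236E7D3752AAC2946",
]

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 5, OPENDNSSEC_SE_KSK)
    print("computed key tag:", key_tag(rdata))
    for ds in PARENT_DS:
        print(ds, "->", "matches" if ds_matches_dnskey("opendnssec.se.", rdata, ds) else "no match")
    # Validity window of the opendnssec.org DNSKEY RRSIG from the DNSKEY and RRSIG slide,
    # checked at three constructed points in time.
    for when in ("20131007000000", "20131015120000", "20131023000000"):
        print(when, "inside window:", rrsig_is_current("20131008071035", "20131022071035", when))
```

A validating resolver performs exactly these steps when it walks down from the trust anchor: it recomputes the DS digest of the child's DNSKEY, compares it with the DS the parent signed, and only accepts RRSIGs whose window contains the current time.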
Key rollovers
• Keys can be added and removed
• The rollover process must follow a set of rules
• Different states
  • E.g. pre-published, active, and post-published
• Software may assist you (if you have chosen wisely)
  • OpenDNSSEC Enforcer
  • ZKT
  • …
Components in DNS
• Authoritative Name Server
  • The signer can be integrated in the name server or act as a separate component in the distribution chain.
• Resolver
  • Needs to understand DNSSEC and be configured with a trust anchor.
Resolver
• Unbound
• ISC BIND 9.7 and later
• Windows Server 2012
• Nominum Vantio Caching DNS
• N.B. Microsoft Windows Server 2008 R2 does not support current algorithms (e.g. RSA/SHA256, NSEC3, …) – not recommended!
Authoritative Name Server
• NSD
• ISC BIND 9.7 (and later)
• Microsoft Windows Server 2012
• PowerDNS Authoritative Server
• Nominum Authoritative Name Server
• N.B. Microsoft Windows Server 2008 R2 does not support current algorithms (e.g. RSA/SHA256, NSEC3, …) – not recommended!
DNSSEC signing software
• ISC BIND
• OpenDNSSEC
• PowerDNS
• …
DNSSEC appliances
• Secure64 (extended NSD)
• Infoblox (BIND)
• Xelerance (BIND)
• Men & Mice (various)
• BlueCat Networks (BIND)
Start verifying signatures
• Get the root trust anchor from IANA and verify its authenticity (optional, the trust anchor is also shipped with BIND)
• Configure BIND:
managed-keys {
    <INSERT KEY>
};

options {
    dnssec-enable yes;
    dnssec-validation auto;
};
Resolving DNS
Parties in the diagram: client computer, DHCP server, caching resolver using DNSSEC, and the authoritative servers for . (root), .org and opendnssec.org.
1. Client to caching resolver: www.opendnssec.org?
2. Resolver to root: www.opendnssec.org? +do
3. Root: Ask a0.org.afilias-nst.info
4. Resolver to .org: www.opendnssec.org? +do
5. .org: Ask ns.kirei.se
6. Resolver to opendnssec.org: www.opendnssec.org? +do
7. opendnssec.org: www.opendnssec.org has address 91.206.174.13
8. Resolver to client: www.opendnssec.org has address 91.206.174.13
Record types marked on the diagram next to the three zones: DS and DNSKEY; RRSIG; DNSKEY, DS and RRSIG; RRSIG and DNSKEY (with the +do flag set, answers carry RRSIGs and the resolver fetches the DNSKEY and DS records it needs to validate them).
OpenDNSSEC training
OpenDNSSEC Architecture
What?
• OpenDNSSEC is a zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones.
Why?
• The available DNSSEC tools were lacking:
  • Good key management
  • Policy handling
  • HSM support (storage & acceleration)
• Goal:
  • DNSSEC should be easy to deploy
  • Increase the number of DNSSEC users
  • Build upon experience from DNSSEC operation
Who?
(The logos belong to the individual organizations and are not covered by this CC license)
About OpenDNSSEC
• Simplifies the process of signing one or more zones
• Reduces the workload on the system administrator
• Open source software with a BSD license
• Simple to integrate into existing infrastructure
• HSM support (storage and acceleration) via PKCS#11
Bump-in-the-Wire
• In many cases, OpenDNSSEC is expected to be deployed on a system between a hidden master and a public master.
Architecture (diagram)
Key and Signing Policy
• How to sign a zone is described by a policy
  • Allows choice of key strengths, algorithm, key and signature lifetimes, NSEC/NSEC3, etc.
• Can have anything between one policy for all zones and one policy per zone.
KASP Enforcer
• Handles the management of keys
  • Key creation using the HSM
  • Key rolling
• Chooses the keys used to sign the zone
Signer Engine
• Automatic signing of the zones
  • Can reuse signatures that are not too old
  • Can spread signature expiration time over time (jitter)
• Maintains the NSEC/NSEC3 chain
• Updates the SOA serial number
KASP Auditor (removed in OpenDNSSEC 1.4)
• Checks that the Signer and Enforcer work the way they are supposed to, e.g.
  • Non-DNSSEC RRs are not added or removed
  • Policy is being followed
• Can stop the zone distribution if needed
• Written independently from the Signer and Enforcer
Daemons
• Enforcer
  • ods-enforcerd
• Signer Engine
  • ods-signerd
CLI
• General
  • ods-control
  • ods-kasp2html
• Enforcer
  • ods-ksmutil
• Signer Engine
  • ods-signer
• Auditor
  • ods-auditor
  • ods-kaspcheck
• HSM
  • ods-hsmspeed
  • ods-hsmutil
HSMs
• Why should you use one?
  • Security
    • The private keys never leave the HSM
    • Easy to know whether the keys are under your control or not
  • Speed
    • 1 – 13,000 signatures per second
• Are they expensive?
  • Yes, and no – between €50 and €50,000
• Remember to protect the host
  • GIGO applies: Garbage In, Garbage Out
SoftHSM
• SoftHSM is a software-only implementation of an HSM using the PKCS#11 interface
• Can be used to test the PKCS#11 interface without buying a real HSM.
• Uses Botan and SQLite.
• SoftHSM makes it possible to use OpenDNSSEC in a software-only environment.
Input and Output Adapters
• Input and output adapters provide support for incoming and outgoing zone transfers (AXFR/IXFR), responding to NOTIFY, etc.
• Any preferred name server can be used instead if file output is preferred
  • A command to reload the zone can be configured.
OpenDNSSEC training
Installing OpenDNSSEC
Hardware Requirements
• CPU
  • Worker threads – handle multiple zones at a time
  • Signer threads – maximum performance from the HSM
• Memory
  • The signed zones are stored in memory
  • May be doubled temporarily before the changes are committed
• Persistent storage
  • Backup copy of the unsigned and the signed zones
Platform support
• OpenDNSSEC has been tested on various platforms
  • Linux
    • Debian / Ubuntu
    • Red Hat Enterprise Linux / Fedora
  • FreeBSD
  • NetBSD
  • OpenBSD
  • Mac OS X
  • Solaris
Pre-built binaries
• OpenDNSSEC is available as binary packages for the following systems
  • Debian / Ubuntu
  • Fedora
  • Gentoo
  • FreeBSD
  • NetBSD
• N.B. the latest version may not be packaged yet!
Dependencies
• OpenDNSSEC
  • LDNS
  • libxml2
  • SQLite3 or MySQL
• SoftHSM
  • Botan
  • SQLite3
• OpenDNSSEC Auditor (removed in 1.4)
  • Ruby, Rubygems, DNS Ruby, OpenSSL Ruby
Obtaining the source code
• Releases are available as tarballs
  • https://www.opendnssec.org/
  • https://dist.opendnssec.org/
• Development code is available via Subversion
  • https://svn.opendnssec.org/
• SoftHSM v2 via GitHub
  • https://github.com/opendnssec/
Building the code
• Follow the lab instructions on how to build the code
• Most (if not all) dependencies are installed as binary packages
OpenDNSSEC training
Hardware Security Modules
OpenDNSSEC training
OpenDNSSEC configuration
XML files
• conf.xml: used for overall configuration of the system
• kasp.xml: defines the various policies for signing zones
• zonelist.xml: zones that will be signed using a policy
• addns.xml: used for inbound/outbound zone transfer
XML files
/etc/opendnssec/conf.xml points to the other files: kasp.xml, zonelist.xml and addns.xml
P[n]Y[n]M[n]DT[n]H[n]M[n]S
• OpenDNSSEC is about durations (periods), not about absolute times.
• The format of periods is as above
  • P1DT12H is 1 day and 12 hours
• No clue about the Gregorian calendar
  • P1M is considered 1 month (always 31 days)
  • P1Y is considered 1 year (always 365 days)
conf.xml
• Preamble... It's what you get when you use XML
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: conf.xml.in 5227 2011-06-12 08:51:24Z jakob $ -->
conf.xml
• Configuration contains
  • RepositoryList
  • Common
  • Enforcer
  • Signer
  • Auditor
<Configuration>
  <RepositoryList> .... </RepositoryList>
  <Common> .... </Common>
  <Enforcer> .... </Enforcer>
  <Signer> .... </Signer>
  <Auditor> .... </Auditor>
</Configuration>
conf.xml
• Defines where the private keys live
• You need at least one repository, but you can have more
<RepositoryList>
  <Repository name="SoftHSM">
    <Module>/usr/local/lib/libsofthsm.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel>
    <PIN>1234</PIN>
    <!-- <Capacity>1000</Capacity> -->
    <!-- <RequireBackup/> -->
    <SkipPublicKey/>
  </Repository>
  ...
</RepositoryList>
The repository name is also used in kasp.xml.
conf.xml
• The Common element provides pointers to the other configuration files and some settings shared by all components, such as logging
<Common>
  <Logging>
    <Verbosity>3</Verbosity>
    <Syslog><Facility>local0</Facility></Syslog>
  </Logging>
  <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
  <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
  <!-- <ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile> -->
</Common>
conf.xml
• The Enforcer datastore can also use MySQL instead of SQLite
<Enforcer>
  <!-- <Privileges> <User>opendnssec</User> <Group>opendnssec</Group> </Privileges> -->
  <Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
  <Interval>PT3600S</Interval>
  <!-- <ManualKeyGeneration/> -->
  <!-- <RolloverNotification>P14D</RolloverNotification> -->
  <!-- <DelegationSignerSubmitCommand>/usr/local/sbin/eppclient</DelegationSignerSubmitCommand> -->
</Enforcer>
conf.xml
• The Signer needs a place to put temporary files and may start multiple threads.
• After the Signer is done you may want to kick your name server for a reload
<Signer>
  <!-- <Privileges> <User>opendnssec</User> <Group>opendnssec</Group> </Privileges> -->
  <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
  <WorkerThreads>8</WorkerThreads>
  <SignerThreads>8</SignerThreads>
  <!-- <NotifyCommand>rndc reload %zone</NotifyCommand> -->
</Signer>
kasp.xml
• The Key and Signature Policy is documented in here
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: kasp.xml.in 5227 2011-06-12 08:51:24Z jakob $ -->
kasp.xml
• KASP contains one or more policies
• A Policy contains
  • Description
  • Signatures
  • Denial
  • Keys
  • Zone
  • Parent
  • Audit
<KASP>
  <Policy>
    <Description> .... </Description>
    <Signatures> ... </Signatures>
    <Denial> ... </Denial>
    <Keys> ... </Keys>
    <Zone> ... </Zone>
    <Parent> ... </Parent>
    <!-- <Audit/> -->
  </Policy>
  <Policy> .... </Policy>
</KASP>
kasp.xml
<Signatures>
  <Resign>PT2H</Resign>
  <Refresh>P3D</Refresh>
  <Validity>
    <Default>P7D</Default>
    <Denial>P7D</Denial>
  </Validity>
  <Jitter>PT12H</Jitter>
  <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>
kasp.xml*
• Denials*defines*parameters*for*Denial*of*Existence*• Use*<NSEC/>*for*NSEC*
10*December*2013* Crea5ve*Commons*A;ribu5on4ShareAlike*3.0*Unported*License* 111*
<Denial> <NSEC3> <!-- <OptOut/> --> <Resalt>P100D</Resalt> <Hash> <Algorithm>1</Algorithm> <Iterations>5</Iterations> <Salt length="8"/> </Hash> </NSEC3> </Denial>
OpenDNSSEC*training* 2013412410*
Crea5ve*Commons*A;ribu5on4ShareAlike*3.0*Unported*License** 41*
kasp.xml*
• The*KEYS*element*defines*the*life5mes*of*keys*• The*TTL*ends*up*in*the*DNSKEY*RRset*• Re5re*and*Publish*Safety*are*safety*margins*for*during*key*rollover*
• Purge*is*when*to*remove*keys*
10*December*2013* Crea5ve*Commons*A;ribu5on4ShareAlike*3.0*Unported*License* 112*
<KEYS> <TTL>PT3600S</TTL> <RetireSafety>PT3600S</RetireSafety> <PublishSafety>PT3600S</PublishSafety> <!-- <ShareKeys/> --> <Purge>P14D</Purge> ......
kasp.xml*
• KSK*sets*KSK*parameters*for*the*current*policy*
10*December*2013* Crea5ve*Commons*A;ribu5on4ShareAlike*3.0*Unported*License* 113*
<KEYS> ...... <KSK> <Algorithm length="2048">7</Algorithm> <Lifetime>P1Y</Lifetime> <Repository>SoftHSM</Repository> </KSK> ...... </KEYS>
Repository*from*conf.xml*
OpenDNSSEC*training* 2013412410*
Crea5ve*Commons*A;ribu5on4ShareAlike*3.0*Unported*License** 42*
kasp.xml*
• ZSK*sets*ZSK*parameters*for*the*current*policy*
10*December*2013* Crea5ve*Commons*A;ribu5on4ShareAlike*3.0*Unported*License* 114*
<KEYS> ...... <ZSK> <Algorithm length="1024">7</Algorithm> <Lifetime>P30D</Lifetime> <Repository>SoftHSM</Repository> <!-- <ManualRollover/> --> </ZSK> </KEYS>
Repository*from*conf.xml*
kasp.xml
• The propagation delay is the time it takes for a zone to reach the complete set of name servers. It should be larger than the SOA refresh and not larger than the SOA expiry parameter
• Serial options: keep, unixtime, datecounter, counter

<Zone>
  <PropagationDelay>PT43200S</PropagationDelay>
  <SOA>
    <TTL>PT3600S</TTL>
    <Minimum>PT3600S</Minimum>
    <Serial>unixtime</Serial>
  </SOA>
</Zone>

kasp.xml
• Parent timing is important for maintaining the Chain of Trust.
• Look at the parental parameters and configure them in here
• Note that your parent may change its settings now and then

<Parent>
  <PropagationDelay>PT9999S</PropagationDelay>
  <DS>
    <TTL>PT3600S</TTL>
  </DS>
  <SOA>
    <TTL>PT3600S</TTL>
    <Minimum>PT3600S</Minimum>
  </SOA>
</Parent>

Configuration
• We configured conf.xml and kasp.xml
• Remember that you can have multiple policies
  • One HSM slot serving 100 static zones with 1 private key
  • A SoftHSM for zone signing and a HSM for key signing
  • Zones with or without parents
  • Zones with different parents (.se and .org)
• We have to tie the policies defined in kasp.xml to the zones we want to sign

zonelist.xml

<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
      <Input>
        <File>/var/opendnssec/unsigned/example.com</File>
      </Input>
      <Output>
        <File>/var/opendnssec/signed/example.com</File>
      </Output>
    </Adapters>
  </Zone>
  ...
</ZoneList>

addns.xml
• The configuration to use if the zones will be fetched by using AXFR
• This is documented online.
OpenDNSSEC training
Key states

Key states
• Extra precaution needs to be taken because of the DNS caches
• TTL and other timing attributes create a delay before all information has propagated
• Use key states to get control of this process

Key states
• Publish
• Ready
• Active
• Retire
• Dead
• DSSub
• DSPublish

OpenDNSSEC training
Key rollovers

Rollover mechanisms

ZSK Method        KSK Method        Description
Pre-Publication   N/A               Publish DNSKEY before the RRSIG
Double-Signature  Double-Signature  Publish DNSKEY and RRSIG at the same time. For a KSK, this happens before the DS is published
Double-RRSIG      N/A               Publish RRSIG before the DNSKEY
N/A               Double-DS         Publish DS before DNSKEY
N/A               Double-RRset      Publish DNSKEY and DS in parallel.
Pre-Publication ZSK rollover
• First key: Ipub = Dprp + min(TTLsoa, SOAmin)
• Future keys: Ipub = Dprp + TTLkey
• TpubS <= Tact + Lzsk - Ipub
• Iret = Dsgn + Dprp + TTLsig

Double-Signature KSK rollover
• Ipub = Dprp + TTLkey
• TpubS <= Tact + Lksk - Dreg - Ipub
• Iret = DprpP + TTLds
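As an added worked example (not OpenDNSSEC's enforcer code), the rollover intervals from the two slides above computed from the kasp.xml durations shown earlier, together with the PropagationDelay rule from the Zone slide. Dsgn, TTLsig and Dreg are not in kasp.xml, so the values used for them here are assumptions.

```python
"""Rollover timing arithmetic for the kasp.xml durations on these slides.
Added example for this training page; not OpenDNSSEC's enforcer code."""
import re

_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """ISO 8601 duration as written in kasp.xml (PT3600S, P7D, P1Y) -> seconds.
    Years and months have no fixed length; 365 and 30 days are assumed here."""
    text = text.strip()
    match = _DURATION.match(text)
    if not match or text in ("P", "PT") or text.endswith("T"):
        raise ValueError("bad ISO 8601 duration: %r" % text)
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in match.groups())
    return (((y * 365 + mo * 30 + w * 7 + d) * 24 + h) * 60 + mi) * 60 + s


def zsk_prepublication(dprp, ttl_soa, soa_min, ttl_key, lzsk, dsgn, ttl_sig,
                       first_key=False):
    """Pre-Publication ZSK rollover intervals, in seconds, from the slide:
      first key:   Ipub = Dprp + min(TTLsoa, SOAmin)   (no DNSKEY cached yet)
      future keys: Ipub = Dprp + TTLkey
      TpubS <= Tact + Lzsk - Ipub  -> returned as the latest successor
                                      publication offset after Tact
      Iret = Dsgn + Dprp + TTLsig
    """
    ipub = dprp + (min(ttl_soa, soa_min) if first_key else ttl_key)
    return {"Ipub": ipub, "TpubS_after_Tact": lzsk - ipub,
            "Iret": dsgn + dprp + ttl_sig}


def ksk_double_signature(dprp, ttl_key, lksk, dreg, dprp_parent, ttl_ds):
    """Double-Signature KSK rollover intervals, in seconds, from the slide:
      Ipub = Dprp + TTLkey
      TpubS <= Tact + Lksk - Dreg - Ipub
      Iret = DprpP + TTLds
    """
    ipub = dprp + ttl_key
    return {"Ipub": ipub, "TpubS_after_Tact": lksk - dreg - ipub,
            "Iret": dprp_parent + ttl_ds}


def propagation_delay_ok(dprp, soa_refresh, soa_expire):
    """Rule from the <Zone> slide: PropagationDelay must be larger than the
    SOA refresh and not larger than the SOA expire value."""
    return soa_refresh < dprp <= soa_expire


# Durations taken from the kasp.xml fragments on the slides. Dsgn (signing
# delay), TTLsig (TTL of the signed RRsets) and Dreg (registrar/registry
# delay) do not appear in kasp.xml; the three values below are assumptions.
KASP = {
    "Dprp": "PT43200S", "TTLsoa": "PT3600S", "SOAmin": "PT3600S",
    "TTLkey": "PT3600S", "Lzsk": "P30D", "Lksk": "P1Y",
    "DprpP": "PT9999S", "TTLds": "PT3600S",
    "Dsgn": "PT2H", "TTLsig": "PT3600S", "Dreg": "P1D",
}


def slide_timings(kasp=KASP):
    """Evaluate both rollover types with the slide's policy values."""
    s = {name: parse_duration(value) for name, value in kasp.items()}
    zsk_args = (s["Dprp"], s["TTLsoa"], s["SOAmin"], s["TTLkey"],
                s["Lzsk"], s["Dsgn"], s["TTLsig"])
    return {
        "zsk_first": zsk_prepublication(*zsk_args, first_key=True),
        "zsk_next": zsk_prepublication(*zsk_args),
        "ksk": ksk_double_signature(s["Dprp"], s["TTLkey"], s["Lksk"],
                                    s["Dreg"], s["DprpP"], s["TTLds"]),
    }


if __name__ == "__main__":
    for name, timing in slide_timings().items():
        print(name, {k: "%ds" % v for k, v in timing.items()})
```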
Default KASP
• The default KASP will work in many cases
• But verify that the values work in your environment

Algorithm rollover
• Not currently supported
• Will be supported in OpenDNSSEC 2.x
• Must prepublish signatures before the DNSKEY

OpenDNSSEC training
Migration

Migration
• How to move a DNSSEC signed zone
  • Export the private keys
  • Prepublish the new DNSKEY record in the old zone
  • Go insecure (unsigned) while moving

OpenDNSSEC training
Testing

Testing
• Always verify that the zone works before publishing your first DS.
• There are various tools that can help.
  • They can also troubleshoot any problems you might have.
Zone File Validators
• ValiDNS
  • http://www.validns.net/
• CreDNS
  • AXFR/IXFR frontend for standalone zone file validators
  • http://www.nlnetlabs.nl/
• dnssec-verify
  • Part of ISC BIND 9.9.x
• OpenDNSSEC Auditor
  • Legacy code – not actively maintained
  • http://svn.opendnssec.org/trunk/auditor/

DNSCheck
• DNSCheck is a program that was designed to help people check, measure and hopefully also understand the workings of the Domain Name System, DNS.
• Open source software written in Perl
• Available online and as a CLI
• Demo: http://dnscheck.iis.se/?setLanguage=en

DNSViz
• DNSViz is a tool for visualizing the status of a DNS zone.
• Demo: http://dnsviz.net/

OARC's DNS Reply Size Test Server
• DNSSEC requires resolvers and the network to handle large packets
• This tool can show you what limitations there are
• Demo: dig +short rs.dns-oarc.net TXT
• https://www.dns-oarc.net/oarc/services/replysizetest

OARC's source port test
• Some resolvers do not randomize the source port of the DNS query
• Demo: dig +short porttest.dns-oarc.net TXT
• https://www.dns-oarc.net/oarc/services/porttest

DNSSEC-debugger
• An online tool to verify the trust chain
• Demo: http://dnssec-debugger.verisignlabs.com/

OpenDNSSEC training
Integration

Integration into an existing system
• Adding/removing zones
• Zone distribution
• Send the public keys to the parent zone
Adding/removing zones
• Edit the zone list
  • Update the information in zonelist.xml
  • Trigger OpenDNSSEC to re-read the zonelist (ods-ksmutil update zonelist)
• Or only use the CLI
  • ods-ksmutil zone add --zone <name of zone>
  • ods-ksmutil zone delete --zone <name of zone>
  • If the extra arguments are not used, then the system defaults will be used
  • Will edit the zonelist.xml for you

Zone distribution
• OpenDNSSEC currently only supports AXFR in, file in, and file out
  • Remember to trigger OpenDNSSEC to re-read the zone file if you use file in
• Future versions will have better support
• You can use your favorite nameserver to serve the signed zone file
  • Use <NotifyCommand>rndc reload %zone</NotifyCommand> in conf.xml

Sending keys to the parent zone
• Manually
  • Extract the keys from OpenDNSSEC or the signed zone
• Automatic
  • Use <DelegationSignerSubmitCommand> in conf.xml
  • OpenDNSSEC sends the current set of DNSKEY RRs which should have a corresponding DS RR in the parent zone
  • A command which can receive the DNSKEY RRset on STDIN
  • The command has to do its own conversion to DS RRs
  • Write your own plugin or use the ones provided by OpenDNSSEC

Plugins
• EPP client
• simple-dnskey-mailer
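A minimal DelegationSignerSubmitCommand plugin, added here as an example (it is not the EPP client or simple-dnskey-mailer shipped with OpenDNSSEC): it reads the DNSKEY RRset from STDIN as described above and prints the matching DS RRs, computing the key tag and the SHA-256 digest itself. The owner name and key bytes used in the test are constructed.

```python
"""DelegationSignerSubmitCommand example: DNSKEY RRset on STDIN -> DS RRs on STDOUT.
Added example for this training page; not OpenDNSSEC's eppclient or
simple-dnskey-mailer plugins. Uses only the Python standard library."""
import base64
import hashlib
import sys


def wire_name(owner):
    """Owner name in canonical wire form (lower case, length-prefixed labels,
    terminating zero label), which is what the DS digest covers (RFC 4034)."""
    owner = owner.lower().rstrip(".")
    out = bytearray()
    for label in (owner.split(".") if owner else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in owner name %r" % owner)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def parse_dnskey(line):
    """One presentation-format DNSKEY RR (TTL and class optional, parentheses
    and trailing ';' comments tolerated) -> (owner, rdata bytes)."""
    fields = line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY RR: %r" % line)
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    public_key = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    return fields[0], rdata


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B). Algorithm 1
    (RSA/MD5) uses a different rule and is not handled here."""
    if rdata[3] == 1:
        raise ValueError("RSA/MD5 key tags are not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """DS RR whose digest is hash(canonical owner name || DNSKEY RDATA).
    Digest type 2 is SHA-256 (RFC 4509); type 1 (SHA-1) is kept only for
    parents that still require it."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    name = owner.lower() if owner.endswith(".") else owner.lower() + "."
    return "%s IN DS %d %d %d %s" % (name, key_tag(rdata), rdata[3],
                                     digest_type, digest)


def convert(lines, digest_type=2):
    """Turn the DNSKEY RRset text into a list of DS RR strings, one per key."""
    records = []
    for line in lines:
        if line.strip() and not line.lstrip().startswith(";"):
            owner, rdata = parse_dnskey(line)
            records.append(ds_record(owner, rdata, digest_type))
    return records


if __name__ == "__main__":
    # OpenDNSSEC runs the configured command and writes the DNSKEY RRset to STDIN.
    for ds in convert(sys.stdin.read().splitlines()):
        print(ds)
```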
OpenDNSSEC training
Monitoring

Why?
• We must have a zone with valid signatures and no missing data.
• Problems can be caused by various issues:
  • Configuration errors
  • Name servers not receiving updates
  • Unsynchronized clocks
  • Software bugs

What to monitor
• Signatures that are about to expire or are invalid
• Missing zone data
• Availability
• SOA Serial
• Policy compliance
• Etc.

Keep an eye on your system
• Active
  • Is part of your distribution chain
  • Can stop the distribution
• Passive
  • External monitoring
  • Can view the system from different points

Active monitoring
• The Auditor
• Internal scripts which check the zone before pushing the zone to the public name servers

Passive monitoring
• Monitor the system health
  • CPU load
  • Memory
  • Etc.
• Regularly perform queries against the public name server
• There is e.g. DNSSEC monitoring available for Nagios
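An added example of the passive check described above (not code from the training or from the Nagios plugins it mentions): the RRSIG records a public name server returns are parsed and each signature is classified against a warning window, including the clock-skew case from the Why? slide. The RRSIG lines are constructed sample data, not real signatures.

```python
"""Signature expiry check over RRSIG records, in the spirit of the passive
monitoring and 'what to monitor' slides. Added example for this training page;
not OpenDNSSEC code nor the Nagios DNSSEC plugins the slide mentions."""
from datetime import datetime, timedelta, timezone

# Constructed sample, as a name server might answer to 'dig +dnssec'. The
# signature fields are placeholders, not real RRSIG data.
SAMPLE_RRSIGS = """\
example.com.     3600 IN RRSIG SOA    8 2 3600 20131216120000 20131209120000 12345 example.com. c29h
www.example.com. 3600 IN RRSIG A      8 3 3600 20131211000000 20131204000000 12345 example.com. d3d3
example.com.     3600 IN RRSIG MX     8 2 3600 20131209000000 20131202000000 12345 example.com. bXg=
example.com.     3600 IN RRSIG DNSKEY 8 2 3600 20131224120000 20131210180000 23456 example.com. a3Nr
"""

# The training date is used as 'now' so the run is reproducible; the warning
# window equals the policy's <Refresh>P3D</Refresh>: a signature that is closer
# to expiry than that should already have been refreshed by the signer.
TRAINING_DATE = datetime(2013, 12, 10, 12, 0, tzinfo=timezone.utc)
WARN_WINDOW = timedelta(days=3)
_RRSIG_TIME = "%Y%m%d%H%M%S"   # RRSIG timestamps are UTC, YYYYMMDDHHmmSS


def parse_rrsig(line):
    """Presentation-format RRSIG -> dict with UTC inception/expiration datetimes."""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "expiration": datetime.strptime(f[i + 5], _RRSIG_TIME).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(f[i + 6], _RRSIG_TIME).replace(tzinfo=timezone.utc),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
    }


def classify(sig, now, warn_before):
    """'expired', 'not_yet_valid' (clock skew or too small an inception offset),
    'expiring' (inside the warning window) or 'ok'."""
    if now >= sig["expiration"]:
        return "expired"
    if now < sig["inception"]:
        return "not_yet_valid"
    if sig["expiration"] - now <= warn_before:
        return "expiring"
    return "ok"


def check_signatures(text, now, warn_before):
    """Return (owner, type_covered, status, seconds_left) per RRSIG line."""
    report = []
    for line in text.splitlines():
        if line.strip():
            sig = parse_rrsig(line)
            left = int((sig["expiration"] - now).total_seconds())
            report.append((sig["owner"], sig["type_covered"],
                           classify(sig, now, warn_before), left))
    return report


def nagios_state(report):
    """Worst status mapped to Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL."""
    statuses = {status for _, _, status, _ in report}
    if statuses & {"expired", "not_yet_valid"}:
        return 2
    if "expiring" in statuses:
        return 1
    return 0


if __name__ == "__main__":
    report = check_signatures(SAMPLE_RRSIGS, TRAINING_DATE, WARN_WINDOW)
    for entry in report:
        print("%-20s %-7s %-14s %9ds left" % entry)
    raise SystemExit(nagios_state(report))
```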
OpenDNSSEC training
Disaster Recovery Plan

Disaster Recovery Plan
• DNSSEC requires more from your DNS operations.
• The time in DNSSEC is absolute and not relative.
• If something happens, you need to be able to act.
• You need to have a plan for different scenarios.

Backup
• Remember to create a backup of your environment.
  • KASP database
  • Keys
• The KASP database can be partially recreated, but it requires a lot of work. Better to have a backup.
• Consult your HSM documentation on how to back up your keys.

Documentation
• Always have documentation on your environment.
  • System
  • Routines
  • Commands
• Easier for you to remember.
• Easier for others to work with the system.

Shared responsibility
• Share your knowledge with others in your organization.
• More people should know how DNSSEC works.

Have a sane KASP
• It is good to have a short lifetime on signatures from a security perspective.
• But can you fix the problem before the signatures expire?
• It is a trade-off between availability and integrity.

Going unsigned
• In the worst case scenario you might need to go unsigned.
  • Lost your keys, etc.
• Remove the DS from the parent zone.
  • Must be done before the signatures expire.
  • Remember to take TTL and propagation delay into account.

OpenDNSSEC training
Operational Practices
Algorithm
• SHA1 is becoming weaker
• SHA256 is used by the root
• Recommendation: RSA/SHA-256

Rolling KSK
• Different thoughts
  • Every 12 months
  • Roll when you "need" to
• Root will roll when needed or every 5 years
• Recommendation: Roll when needed

Rolling ZSK
• Commonly rolled every month
• Root is rolling every 3rd month
• Recommendation: Roll every 90 days

Combined Signing Key
• One key acting as both KSK and ZSK
• Can be used when:
  • The exposure to risk is low (e.g. when keys are stored on HSMs).
  • One can be certain that a key is not used as a trust-anchor.
  • Maintenance of the various keys cannot be performed through tools.
  • The interaction through the registrar-registry provisioning chain, in particular the timely appearance of a new DS record in the parent zone in emergency situations, is predictable.
• Not yet supported by OpenDNSSEC

NSEC or NSEC3
• NSEC
  • When zone content is not highly structured or trivially guessable
    • ENUM – e164.arpa
    • IPv4 reverse – in-addr.arpa
  • Eases the work required by signers and validating resolvers
• NSEC3
  • Prevention of zone enumeration?
  • Opt-out when the number of secure delegations is low

SOA Expire
• Always have valid signatures in your zone
• The zone should expire before the signatures
• SOA Expire < Signature Refresh Period

DNSSEC Policy & Practice Statement
• A framework for describing your DNSSEC Policy and operations
• Useful for relying parties when trusting your zone
• Also a good check list when deploying DNSSEC
• RFC 6841 – http://tools.ietf.org/html/rfc6841
• https://www.iana.org/dnssec/icann-dps.txt
OpenDNSSEC training
Closing

Discussion
• Are you missing any functionality in the software?

Discussion
• Did we meet your expectations?
• If not, what more would you like to know?

Thank you!

OpenDNSSEC training
Hardware Security Modules
WHAT IS A HSM?

What is a HSM?
• Protected keystore
  • Private keys can never be extracted in clear (unencrypted)
• Crypto hardware
  • Sometimes increases speed (but not always)
• Well-defined software interface

Protected keystore
• Keys stored in tamperproof memory
  • If you tamper with the keystore, the device will (try to) detect the tamper and zeroize (erase all key material)
• Implemented using
  • Covering components in epoxy
  • Covering sensitive components in mesh
  • Environmental sensors

Crypto hardware
• Hardware to assist and accelerate symmetric and asymmetric crypto
  • RSA, DSA, ECC
  • AES, 3DES
  • True random number generator (not pseudo random)
• Hashing is often implemented in the host

Application Program Interface (API)
• PKCS#11 (aka Cryptoki)
• OpenSSL Engine
• Microsoft CAPI
• Java Cryptography Extension (JCE)

Stacked APIs are possible

PKCS#11
• E.g.:
  • C_Initialize
  • C_GetSlotList
  • C_OpenSession
  • C_Login
  • C_GenerateKeyPair
  • C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal
  • C_SignInit, C_Sign
  • C_Finalize

WHY USE A HSM?
What is the risk?
• Keys can be compromised by…
  • Compromised hosts
  • Disgruntled staff
  • Math (e.g. calculating the private key by factoring)

How to lower the risk?
• Protect the host itself
  • Limit incoming traffic (e.g. packet filtering)
  • Remote management is usually needed somehow
  • Encrypted storage may be used to mitigate some threats
• Protect the private keys
  • Move keys to a HSM

Residual risk
• Keys can still be misused
  • If you can use a key, you can also misuse it
• Garbage In → Garbage Out
  • If you feed it a bad zone – the result is still a signed bad zone

Increase trust?
• Using an HSM increases trust – Why?
  • Standards compliance
  • Well defined and verifiable security – e.g. FIPS 140-2
• Also provides a clean cut between keystore and signing software
  • You know where your keys are (and are not)

THE BUYER'S GUIDE TO HARDWARE SECURITY MODULES
Types of HSMs
• Local interface – e.g. PCI cards
• Remote interface – e.g. Ethernet
  • May be used by several hosts
  • Not dependent on low-level kernel drivers
• Smart cards
• USB tokens
  • Usually a smart card with integrated reader

Algorithms and key sizes
• What algorithms are supported
  • RSA recommended
  • DSA optional
  • ECDSA getting more common
  • GOST not very common
• What key sizes are supported
  • Minimum key size ≤ 1024 bits recommended
  • Maximum key size ≥ 2048 bits recommended

Capacity
• How many keys can be stored?
• Where are the keys stored?
  • Internal keystore
  • External keystore (encrypted by a master key in the HSM)

API
• What API do you need?
  • PKCS#11, OpenSSL, MS-CAPI, JCE
• What platforms are supported?
  • Note details like kernel versions, specific distributions etc.

Speed
• Signing speed – RSA
  • Usually measured in 1024-bit signing operations (with public exponent 3 or 65537) per second.
• Key generation speed – RSA
  • Usually the average key generation time for 1024-bit and 2048-bit keys per second.

Security certifications
• FIPS 140-2
  • Federal Information Processing Standard
• CC-EAL
  • Common Criteria Evaluation Assurance Levels
FIPS 140-2

Level  Requirement
1      Basic security requirements
2      Tamper evidence, user authentication
3      Tamper detection/resistance, data zeroisation, splitting user roles
4      Very high tamper detection/resistance, environmental protection

CC-EAL
• What Protection Profile (PP) has been used for the Target of Evaluation (TOE)?
  • CMCKG-PP – Key Generation
  • CMCSO-PP – Signing Operations

Key backup
• How do you back up your keystore?
• Can you restore a backup elsewhere?
  • e.g. on a hot-standby site
• Split key backup possible?
• Well-known backup format?

HSM SUPPORT IN OPENDNSSEC

Tested HSM
• The following Hardware Security Modules (HSM) have been confirmed to work with OpenDNSSEC:
  • AEP Keyper
  • Aladdin eToken
  • Athena Smartcard Solutions IDProtect
  • OpenSC Smart Cards
  • Safenet Luna SA
  • Oracle SCA/6000 (Sun Crypto Accelerator 6000)
  • Thales nShield Connect
  • Utimaco SafeGuard CryptoServer

HSM Review
• Conducted a review of four different HSMs:
  • AEP Keyper v2
  • SafeNet Luna SA 4.4
  • Thales nShield Connect 6000
  • Utimaco CryptoServer Se1000
• http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf