13 things to consider before dnssec
play

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com - PowerPoint PPT Presentation

Jan 06, 2024 •223 likes •543 views

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

  1. 13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff – Team Cymru 1

  2. Where is the DNSSEC? • We make no endorsement of DNSSEC here • We offer no repudiation of DNSSEC here • The considerations herein are DNSSEC agnostic • We argue: • From a operational perspective • There are 13 DNS questions that must be asked • Each answer should be documented FIRST 2010 John Kristoff – Team Cymru 2

  3. Guidance, not proclamation • We offer guidance in available choices • Your posture follows from choices you make • Your outcome may differ from someone else's • This may be perfectly reasonable and rational • Thought is required to make choices intelligently FIRST 2010 John Kristoff – Team Cymru 3

  4. One of two critical systems Routing (BGP) and naming (DNS) are by far the two most critical subsystems of the Internet infrastructure. And in the case of DNS, practically all Internet hosts participate directly in the DNS as a client, server or both. As a result, DNS is one of the most unencumbered protocols in use throughout the Internet. This can be good, bad or interesting depending on your perspective. FIRST 2010 John Kristoff – Team Cymru 4

  5. How many NS RRs for your zone? FIRST 2010 John Kristoff – Team Cymru 5

  6. Authoritative name server RRset • Two is the de facto minimum • Depending on design, more may be better • Anycast service may be worth your consideration • Some people use hardware-based load balancing • Miscreants invented fast flux • Then legitimate providers said, “Hmm...” FIRST 2010 John Kristoff – Team Cymru 6

  7. Where are your name servers? FIRST 2010 John Kristoff – Team Cymru 7

  8. DNS Server Diversity • Consider physical and topological proximity • All servers in the same building is suboptimal • As are all servers behind a shared upstream link • Shorter prefixes mitigate route hijacks • Diverse routing paths can improve resiliency • Diverse origin AS for routes not strictly necessary • Just ask the DNS anycast service providers FIRST 2010 John Kristoff – Team Cymru 8

  9. Are parent and children consistent? FIRST 2010 John Kristoff – Team Cymru 9

  10. Delegation Consistency • Things may work if inconsistent, but sub-optimally • You're not getting full resiliency at best • Delays, timeouts and errors may be occurring • Domain name hijacks possible at worst • Recent measurement showed: • 18% of domains in edu. have lame delegations • Only 0.1% were REN-ISAC institutions • Or less than 5% of all REN-ISAC institutions FIRST 2010 John Kristoff – Team Cymru 10

  11. Does your server answer anything from anyone? FIRST 2010 John Kristoff – Team Cymru 11

  12. Open Resolvers • Rarely necessary • May be used for DDoS reflection and amplification • Can facilitate cache poisoning attacks • Can facilitate cache leaks • We'll tell you about open resolvers on your net: http://www.team-cymru.org/Services/Resolvers/ FIRST 2010 John Kristoff – Team Cymru 12

  13. How easily can returning answers be spoofed? What is the rdata/ttl for ... ? HERE IT IS!! Mmwuahaha... FIRST 2010 John Kristoff – Team Cymru 13

  14. Answer Spoofing Protection • Implementations need to consider IETF RFC 5452 • Limit recursion (see the open resolvers slide) • Ideally anti-spoofing is widely deployed • See IETF BCP 38 and IETF BCP 84 FIRST 2010 John Kristoff – Team Cymru 14

  15. Is your name registration secure? Please transfer domain.example.org Mmwuahaha... to... FIRST 2010 John Kristoff – Team Cymru 15

  16. Domain Name Registration • Do not let your name(s) expire needlessly • Safeguard registrar accounts and passwords • Some registrars offer additional safeguards • Ask about them, know what is available • Make this part of a disaster recovery plan FIRST 2010 John Kristoff – Team Cymru 16

  17. What is on your name server? httpd snmpd ftpd proxyd dhcpd FIRST 2010 John Kristoff – Team Cymru 17

  18. Co-mingling Services • SSH and NTP are reasonable standard services • Most others are not • Even these should generally be inaccessible • Consider isolating some zones from others • e.g. put DDoS risk zones on a separate platform FIRST 2010 John Kristoff – Team Cymru 18

  19. How are servers administered? pictures from techrepublic, Bill Detwiler OR FIRST 2010 John Kristoff – Team Cymru 19

  20. Administrative Processes • We see a lot of successful SSH brute force attacks • Limit physical access to facilities and hardware • If it looks lousy, it probably is • When in doubt, consult Occam's Razor • Use revision control for configs and zone files • As important as a backup plan is the restore plan • Secure BIND Template http://www.team-cymru.org/ReadingRoom/Templates/ FIRST 2010 John Kristoff – Team Cymru 20

  21. How much RAM, CPU, disk and network capacity is available? FIRST 2010 John Kristoff – Team Cymru 21

  22. Physical Resources • Don't have enough, have way more than enough • Resolvers can demand lots of RAM • CPU may be important, especially for crypto • Hard drives usually less important • Isolating partitions and directories may be useful • Try to offload data collection to another system • Network capacity usually not an issue until DDoS FIRST 2010 John Kristoff – Team Cymru 22

  23. Are you filtering DNS over TCP? TCP TCP OR FIRST 2010 John Kristoff – Team Cymru 23

  24. TCP • Don't assume you have no DNS over TCP • TCP isn't just for zone transfers • Large DNS messages may use TCP • Some operators may force TCP during DdoS • TCP tuning may be required for some DoS threats FIRST 2010 John Kristoff – Team Cymru 24

  25. What queries do you see/make? FIRST 2010 John Kristoff – Team Cymru 25

  26. Monitoring and Auditing • Troubleshooting with query insight is very helpful • Consider learning answers from your resolvers too • AKA passive DNS • Minimally, trend DNS query/answer statistics • Monitor servers, answers and routes from outside http://www.team-cymru.org/Monitoring/DNS/ http://www.team-cymru.org/Monitoring/BGP/ FIRST 2010 John Kristoff – Team Cymru 26

  27. Are name server clocks accurate? FIRST 2010 John Kristoff – Team Cymru 27

  28. Time Synchronization • This probably means running NTP properly • Troubleshooting works best with good timestamps • Collected data is practically useless if time is off • Some protocols require coordinated time • e.g. TSIG • Consider setting clocks to UTC • Helpful for correlation across timezones FIRST 2010 John Kristoff – Team Cymru 28

  29. Have you read IETF RFC 2870? Network Working Group R. Bush Request for Comments: 2870 Verio Obsoletes: 2010 D. Karrenberg BCP: 40 RIPE NCC Category: Best Current Practice M. Kosters Network Solutions R. Plzak SAIC June 2000 Root Name Server Operational Requirements FIRST 2010 John Kristoff – Team Cymru 29

  30. IETF RFC 2870 • Its a BCP, you should be familiar with it • Its a bit dated and written for a specific audience • But it contains sound advice for most everyone • A newer, generalized version may soon appear FIRST 2010 John Kristoff – Team Cymru 30

  31. How can Team Cymru help? • Secure BIND template • Open resolver feed • DNS and BGP monitoring • Returning soon: Lame delegation report • Coming soon: Netnames • Coming soon: DNS Report • Preso feedback or questions to: jtk@cymru.com • Everything else is @ http://www.team-cymru.org FIRST 2010 John Kristoff – Team Cymru 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K. Note to the DNS Camel* This document does not propose any new extensions to the DNS protocol. It

663 views • 16 slides
Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic,

1.51k views • 92 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R.

An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R.

An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R. Caudy, D.Davis, F. Monrose Outline Objectives High-level architecture Plugin architecture Case studies Objectives Security

1k views • 47 slides
From DNS to DPKI a.k.a. Why secure decentralized namespaces are the future A presentation

From DNS to DPKI a.k.a. Why secure decentralized namespaces are the future A presentation

From DNS to DPKI a.k.a. Why secure decentralized namespaces are the future A presentation by Greg Slepak at Greg Slepak @taoe ff ect DNSChain / DPKI okTurtles GroupIncome Espionage Group Currency Target Audience (You) Most of

959 views • 85 slides
Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine

Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine

Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine Elliptic Curve Cryptography (ECC) y^2 = x^3 + ax + b http://en.wikipedia.org/wiki/Elliptic_curve

151 views • 13 slides
ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP addresses. Human beings do not memorize IP

779 views • 23 slides
DANE/DNSSEC/TLS Tes-ng in the Go6lab Jan or, ISOC/Go6

DANE/DNSSEC/TLS Tes-ng in the Go6lab Jan or, ISOC/Go6

DANE/DNSSEC/TLS Tes-ng in the Go6lab Jan or, ISOC/Go6 Ins-tute, Slovenia jan@go6.si zorz@isoc.org Acknowledgement I would like to thank Internet

980 views • 28 slides

More recommend