dnssec mozilla
play

DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com - PowerPoint PPT Presentation

Apr 25, 2023 •137 likes •783 views

DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com about:mozilla Agenda The Basics Implementation What we I messed up The Future What and the Why DNS Security Extensions Based on public key crypto RFC

  1. DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com

  2. about:mozilla

  3. Agenda • The Basics • Implementation • What we I messed up • The Future

  4. What and the Why • DNS Security Extensions • Based on public key crypto • RFC 4033/34/35 • Validates • Ensures data is unchanged • DNS wasn’t created for today’s world

  5. What’s new? • 4 new RRs - rfc 4034 • DNSKEY • DS • NSEC/NSEC3 • RRSIG

  6. What’s new? • Keys - Public and Private • Key Signing Key - KSK • Zone Signing Key - ZSK • Key Tag • Algorithms • Rollovers • Operational Practices - rfc 4641

  7. Chain of Trust

  8. Chain of Trust

  9. DNSKEY

  10. DNSKEY

  11. DNSKEY Zone Name

  12. DNSKEY Zone Name

  13. DNSKEY Zone Name TTL

  14. DNSKEY Zone Name TTL

  15. DNSKEY Zone Name TTL 257 = KSK

  16. DNSKEY Zone Name TTL 257 = KSK 256 = ZSK

  17. DNSKEY Zone Name TTL 257 = KSK 256 = ZSK

  18. DNSKEY Zone Name TTL Key Algorithm 257 = KSK 256 = ZSK

  19. DNSKEY Zone Name TTL Key Algorithm 7 = RSASHA1-NSEC3-SHA1 257 = KSK 256 = ZSK

  20. DS

  21. DS

  22. DS Zone Name

  23. DS Zone Name

  24. DS Zone Name TTL

  25. DS Zone Name TTL

  26. DS Zone Name TTL Key Tag

  27. DS Zone Name TTL Key Tag

  28. DS Zone Name TTL Key Tag 7 = Algo

  29. DS Zone Name TTL Key Tag 7 = Algo 1 = Checksum (SHA1)

  30. DS Zone Name TTL Key Tag 7 = Algo 1 = Checksum (SHA1) 2 = Checksum (SHA256)

  31. DS Zone Name TTL Key Tag 7 = Algo 1 = Checksum (SHA1) 2 = Checksum (SHA256)

  32. DS Zone Name TTL Key Tag Checksum 7 = Algo 1 = Checksum (SHA1) 2 = Checksum (SHA256)

  33. RRSIG

  34. RRSIG

  35. RRSIG (Sub)Domain

  36. RRSIG (Sub)Domain

  37. RRSIG (Sub)Domain A = Record Type

  38. RRSIG (Sub)Domain A = Record Type 7 = Algo

  39. RRSIG (Sub)Domain A = Record Type 7 = Algo 3 = Labels

  40. RRSIG (Sub)Domain A = Record Type 7 = Algo 3 = Labels

  41. RRSIG (Sub)Domain A = Record Type Inception 7 = Algo 3 = Labels

  42. RRSIG YYYYMMDDHHMMSS (Sub)Domain A = Record Type Inception 7 = Algo 3 = Labels

  43. RRSIG YYYYMMDDHHMMSS (Sub)Domain A = Record Type Inception 7 = Algo 3 = Labels

  44. RRSIG YYYYMMDDHHMMSS (Sub)Domain A = Record Type Expiry Inception 7 = Algo 3 = Labels

  45. RRSIG YYYYMMDDHHMMSS (Sub)Domain A = Record Type Expiry Inception 7 = Algo 3 = Labels

  46. RRSIG YYYYMMDDHHMMSS (Sub)Domain A = Record Type Expiry Inception 7 = Algo Key Tag 3 = Labels

  47. RRSIG YYYYMMDDHHMMSS (Sub)Domain A = Record Type Expiry Inception 7 = Algo Key Tag 3 = Labels

  48. RRSIG YYYYMMDDHHMMSS (Sub)Domain A = Record Type Expiry Inception Signer Name 7 = Algo Key Tag 3 = Labels

  49. Before you leap... • Check if your TLD has been signed • Else you’re an Island of Trust • .org/.net/.com are all signed now • Check with your registrar about DNSSEC • You might have to poke a bit • http://bit.ly/dnssecorg • Make sure your software works • bind, unbound, opendnssec • own signer?

  50. Setup

  51. Setup

  52. Commands • dnssec-keygen (-f KSK) • dnssec-settime • dnssec-signzone (-S) Fetching ZSK 17852/NSEC3RSASHA1 from key repository. Fetching KSK 51618/NSEC3RSASHA1 from key repository. Verifying the zone using the following algorithms: NSEC3RSASHA1. Zone signing complete: Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked ZSKs: 1 active, 1 stand-by, 0 revoked mozilla.org.signed Signatures generated: 5999 Signatures retained: 0 Signatures dropped: 0 Signatures successfully verified: 5999 Signatures unsuccessfully verified: 0 Runtime in seconds: 5.068 Signatures per second: 1183.636

  53. Changes to bind dnssec-enable yes; dnssec-validation yes; zone "mozilla.org" IN { type master; file "mozilla.org.signed"; }

  54. Steps • Upgrade bind across the board • Kick off signer • DNS servers pick up changes and restart • Profit!!oneone!! • Send/Upload your DS records

  55. Verify!

  56. http://dnsviz.net/d/mozilla.org/dnssec/ Sandia National Labs

  57. Things to be aware of • Keys are everything, protect them • Make sure you have a backup plan • Eventually, you run the risk of your entire domain being unreachable • Sign (zones), publish (zones) then push (DS) • Network equipment might need changes policy-map global policy class inspection_default inspect dns maximum-length 4096 • Answer abuse email (hellz yeah!)

  58. boo-boo(s) • DS was live, no signed zones • aka “Security Lameness” • Log levels

  59. boo-boo(s) • Of course, everyone on twitter notices and #fails you.

  60. boo-boo(s)

  61. Moving forward...

  62. Adoption - Mozilla

  63. Adoption - Worldwide http://secspider.cs.ucla.edu/ SecSpider - the DNSSEC monitoring project

  64. Thanks! http://people.mozilla.org/~shyam/presentations/oscon-2011.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

Java Security: a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com December 10, 2009 300~ Pages of Meeting Notes 1000~ Meetings in 30 months Why Security Technologies Seldom Make Into Actual

608 views • 21 slides
The Daala Video Codec: Research Update Nathan Egge <negge@mozilla.com> (Xiph.org, Mozilla)

The Daala Video Codec: Research Update Nathan Egge <negge@mozilla.com> (Xiph.org, Mozilla)

The Daala Video Codec: Research Update Nathan Egge <negge@mozilla.com> (Xiph.org, Mozilla) FOSDEM: Open Media devroom 31 January 2015 Mozilla Why Free Codecs Matter ...that's Free with a capital F Free refers to

366 views • 19 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC for Everybody: A Beginners Guide | ICANN 55 | March 2016 The Schedule

DNSSEC for Everybody: A Beginners Guide | ICANN 55 | March 2016 The Schedule

DNSSEC for Everybody: A Beginners Guide | ICANN 55 | March 2016 The Schedule Outline(Concept( Segment( Duration( Speaker( Welcome'and'Introduction' 2'mins' Dan' (((((((((((((((((((((((((Welcome( Caveman''DNSSEC'5000BC' 3'mins'

667 views • 48 slides
retaining wall & regrading of slope The Futurist, Scarborough Overview of site This slide

retaining wall & regrading of slope The Futurist, Scarborough Overview of site This slide

The Futurist Theatre, Scarborough Methodology for demolition of the theatre, construction of new retaining wall & regrading of slope The Futurist, Scarborough Overview of site This slide indicates the key features and Kings Street

416 views • 22 slides
Shenandoah High School CONSTRUCTION BUDGET PRESENTATION 7/22/2019 Project Definition

Shenandoah High School CONSTRUCTION BUDGET PRESENTATION 7/22/2019 Project Definition

Shenandoah High School CONSTRUCTION BUDGET PRESENTATION 7/22/2019 Project Definition Budget Basis Renovations Overview ew Independent Renovations Additions & Repurposing Project Delivery Schedule Scope Details

489 views • 19 slides
TH D ECEMBER 2019 C ONFERENCE T RACK : B IG D ATA D ATE : 6 T IME : 2.30 PM 5.30 PM V ENUE : E

TH D ECEMBER 2019 C ONFERENCE T RACK : B IG D ATA D ATE : 6 T IME : 2.30 PM 5.30 PM V ENUE : E

I NTERNATIONAL C ONFERENCE ON B IG D ATA AND C LOUD C OMPUTING (ICBDCC19 ) 6 7 D ECEMBER , 2019 K ARUNYA I NSTITUTE OF T ECHNOLOGY & S CIENCES , C OIMBATORE 641 114, T AMILNADU , I NDIA TH D ECEMBER 2019 C ONFERENCE T RACK : B IG D

670 views • 10 slides
The iLab Experience a blended learning hands-on course concept you set the focus WWW Security /

The iLab Experience a blended learning hands-on course concept you set the focus WWW Security /

The iLab Experience a blended learning hands-on course concept you set the focus WWW Security / Your Exercise Topic Pitch 2018-05-8 10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP 24.4.

646 views • 40 slides
ICANN Update Champika Wijayatunga <champika.wijayatunga@icann.org> Regional Security

ICANN Update Champika Wijayatunga <champika.wijayatunga@icann.org> Regional Security

ICANN Update Champika Wijayatunga <champika.wijayatunga@icann.org> Regional Security Engagement Manager Asia Pacific TWNIC OPM / TWNOG 27-28 November 2018 | 1 Overview Coordinating with our partners, we help make the Internet work.

555 views • 24 slides
A versatile platform for DNS metrics with its application to IPv6 St ephane Bortzmeyer AFNIC

A versatile platform for DNS metrics with its application to IPv6 St ephane Bortzmeyer AFNIC

A versatile platform for DNS metrics with its application to IPv6 St ephane Bortzmeyer AFNIC bortzmeyer@nic.fr RIPE 57 - Dubai - October 2008 1 A versatile platform for DNS metrics with its application to IPv6 Where are we in the talk?

821 views • 54 slides
ICANN's New Generic Top Level Domains Strategies for Domain Name Registration and Brand Protection

ICANN's New Generic Top Level Domains Strategies for Domain Name Registration and Brand Protection

ICANN's New Generic Top Level Domains Strategies for Domain Name Registration and Brand Protection presents presents A Live 90-Minute Teleconference/Webinar with Interactive Q&A Today's panel features: Today s panel features: J. Scott

469 views • 30 slides

More recommend