DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com - - PowerPoint PPT Presentation

DNSSEC @ Mozilla

Shyam Mani shyam@mozilla.com

OSCON, 2011

about:mozilla

Agenda

  • The Basics
  • Implementation
  • What we I messed up
  • The Future

What and the Why

  • DNS Security Extensions
  • Based on public key crypto
  • RFC 4033/34/35
  • Validates
  • Ensures data is unchanged
  • DNS wasn’t created for today’s world

What’s new?

  • 4 new RRs - rfc 4034
  • DNSKEY
  • DS
  • NSEC/NSEC3
  • RRSIG

What’s new?

  • Keys - Public and Private
  • Key Signing Key - KSK
  • Zone Signing Key - ZSK
  • Key Tag
  • Algorithms
  • Rollovers
  • Operational Practices - rfc 4641

Chain of Trust

DNSKEY

A DNSKEY record, field by field:
  • Zone Name
  • TTL
  • 257 = KSK, 256 = ZSK (flags)
  • Key Algorithm: 7 = RSASHA1-NSEC3-SHA1

DS

A DS record, field by field:
  • Zone Name
  • TTL
  • Key Tag
  • 7 = Algo
  • Checksum type: 1 = Checksum (SHA1), 2 = Checksum (SHA256)
  • Checksum

RRSIG

An RRSIG record, field by field:
  • (Sub)Domain
  • A = Record Type
  • 7 = Algo
  • 3 = Labels
  • Expiry (YYYYMMDDHHMMSS)
  • Inception (YYYYMMDDHHMMSS)
  • Key Tag
  • Signer Name
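As an added illustration (not from the slides), a small Python checker for the RRSIG fields above: it parses the presentation format, enforces the Inception/Expiry window, checks that the Labels count is consistent with the owner name (fewer labels than the owner means a wildcard-synthesised answer) and that the Signer Name is the owner or one of its ancestors. The www.example.org record, its key tag 1290 and the signature blob are constructed placeholders.

```python
# Added example: sanity checks on an RRSIG before trusting it (or before a re-sign deadline).
from datetime import datetime, timezone

TS = "%Y%m%d%H%M%S"  # the YYYYMMDDHHMMSS form used for Expiry and Inception

def parse_rrsig(line):
    """Presentation format (RFC 4034 s3.2): owner TTL class RRSIG type-covered algo
    labels original-TTL expiry inception key-tag signer-name signature..."""
    (owner, _ttl, _cls, rtype, covered, algo, labels, orig_ttl,
     expiry, inception, tag, signer, *sig) = line.split()
    if rtype != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": owner, "covered": covered, "algorithm": int(algo),
            "labels": int(labels), "original_ttl": int(orig_ttl),
            "expiry": expiry, "inception": inception, "key_tag": int(tag),
            "signer": signer, "signature": "".join(sig)}

def _t(stamp):
    return datetime.strptime(stamp, TS).replace(tzinfo=timezone.utc)

def _labels(name):
    """Label list of a name, lowercased, without the trailing root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def seconds_left(sig, now):
    """Seconds until Expiry; once negative, validating resolvers SERVFAIL for the name."""
    return (_t(sig["expiry"]) - _t(now)).total_seconds()

def is_wildcard_expansion(sig):
    """Labels smaller than the owner's label count means the RRset came from a wildcard."""
    return sig["labels"] < len(_labels(sig["owner"]))

def check_rrsig(sig, now):
    """Return the list of problems found (empty list = signature usable at time 'now')."""
    problems = []
    if _t(now) < _t(sig["inception"]):
        problems.append("not-yet-valid")
    if _t(now) > _t(sig["expiry"]):
        problems.append("expired")
    owner, signer = _labels(sig["owner"]), _labels(sig["signer"])
    if sig["labels"] > len(owner):
        problems.append("labels-exceed-owner")
    # the signer must be the owner itself or one of its ancestors (the zone apex)
    if len(signer) > len(owner) or owner[len(owner) - len(signer):] != signer:
        problems.append("signer-not-ancestor")
    return problems

# Constructed sample with the field values from the slide (A, algorithm 7, 3 labels);
# key tag 1290 and the base64 signature are placeholders, not real signing output.
SAMPLE = ("www.example.org. 3600 IN RRSIG A 7 3 3600 20110815000000 20110716000000 "
          "1290 example.org. UExBQ0VIT0xERVI=")
```

Call check_rrsig(parse_rrsig(SAMPLE), "20110801120000") for an empty list, and seconds_left() with the same timestamp to see how much time is left before the zone must be re-signed.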

Before you leap...

  • Check if your TLD has been signed
    • Else you’re an Island of Trust
    • .org/.net/.com are all signed now
  • Check with your registrar about DNSSEC
    • You might have to poke a bit
    • http://bit.ly/dnssecorg
  • Make sure your software works
    • bind, unbound, opendnssec
    • own signer?

Setup

Commands

  • dnssec-keygen (-f KSK)
  • dnssec-settime
  • dnssec-signzone (-S)

Output of dnssec-signzone:

  Fetching ZSK 17852/NSEC3RSASHA1 from key repository.
  Fetching KSK 51618/NSEC3RSASHA1 from key repository.
  Verifying the zone using the following algorithms: NSEC3RSASHA1.
  Zone signing complete:
  Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                           ZSKs: 1 active, 1 stand-by, 0 revoked
  mozilla.org.signed
  Signatures generated:                     5999
  Signatures retained:                         0
  Signatures dropped:                          0
  Signatures successfully verified:         5999
  Signatures unsuccessfully verified:          0
  Runtime in seconds:                      5.068
  Signatures per second:                1183.636

Changes to bind

  // inside options { ... }
  dnssec-enable yes;
  dnssec-validation yes;

  zone "mozilla.org" IN {
      type master;
      file "mozilla.org.signed";
  };

Steps

  • Upgrade bind across the board
  • Kick off signer
  • DNS servers pick up changes and restart
  • Profit!!oneone!!
  • Send/Upload your DS records

Verify!

http://dnsviz.net/d/mozilla.org/dnssec/ (DNSViz, Sandia National Labs)

Things to be aware of

  • Keys are everything, protect them
  • Make sure you have a backup plan
  • Eventually, you run the risk of your entire domain being unreachable
  • Sign (zones), publish (zones) then push (DS)
  • Network equipment might need changes

      policy-map global_policy
       class inspection_default
        inspect dns maximum-length 4096

  • Answer abuse email (hellz yeah!)
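The "push (DS)" step only works if the DS you upload was really derived from the KSK you publish. As an added example (not from the slides, not Mozilla's tooling), this Python code ties the DNSKEY and DS slides together: it computes the RFC 4034 key tag from DNSKEY RDATA, the DS checksum (1 = SHA1, 2 = SHA256) over the owner name plus RDATA, and verifies a DS against a DNSKEY the way a parent or a validator would. The example.org KSK with key material "AQI=" is a constructed placeholder, not a real key.

```python
# Added example: confirm a DS record was derived from the DNSKEY it points at (RFC 4034).
import base64
import hashlib

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # DS checksum types on the slide

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B.1 key tag (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """The DS checksum covers owner-name-in-wire-form || DNSKEY RDATA."""
    return DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()

def parse_rr(line):
    # (owner, type, rdata fields) of a presentation-format RR; TTL and class are dropped
    owner, _ttl, _cls, rtype, *fields = line.split()
    return owner, rtype, fields

def make_ds(dnskey_line, digest_type):
    """Derive the DS line the parent should publish for this DNSKEY (what you 'push')."""
    owner, _, (flags, proto, algo, *key) = parse_rr(dnskey_line)
    rdata = dnskey_rdata(int(flags), int(proto), int(algo), "".join(key))
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner} 3600 IN DS {key_tag(rdata)} {algo} {digest_type} {digest}"

def ds_matches_dnskey(ds_line, dnskey_line):
    """True only if owner, algorithm, key tag and checksum of the DS all agree with the DNSKEY."""
    owner, _, (tag, algo, dtype, digest) = parse_rr(ds_line)
    k_owner, _, (flags, proto, k_algo, *key) = parse_rr(dnskey_line)
    if int(dtype) not in DIGEST: return False  # unknown checksum type cannot be verified
    rdata = dnskey_rdata(int(flags), int(proto), int(k_algo), "".join(key))
    return (owner.lower() == k_owner.lower() and algo == k_algo
            and int(tag) == key_tag(rdata)
            and digest.lower() == ds_digest(owner, rdata, int(dtype)))

# Constructed sample KSK: "AQI=" is two placeholder bytes, not a usable RSA public key.
KSK = "example.org. 3600 IN DNSKEY 257 3 7 AQI="
```

make_ds(KSK, 2) prints the DS line for the sample key; run ds_matches_dnskey() against the DNSKEY actually served from your zone before you send the DS to the registrar, which is exactly the "DS live, zone not signed" mismatch the next slide describes.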

boo-boo(s)

  • DS was live, no signed zones
  • aka “Security Lameness”
  • Log levels
  • Of course, everyone on twitter notices and #fails you.

Moving forward...

Adoption - Mozilla

Adoption - Worldwide

http://secspider.cs.ucla.edu/ (SecSpider - the DNSSEC monitoring project)

Thanks!

http://people.mozilla.org/~shyam/presentations/oscon-2011.pdf