DNSSEC security without maintenance ... with the right software and - - PowerPoint PPT Presentation



slide-1
SLIDE 1

DNSSEC security without maintenance

... with the right software and registry

Petr Špaček • petr.spacek@nic.cz • 2019-02-03

slide-2
SLIDE 2

DNSSEC? Who cares?

[Chart: APNIC "Use of DNSSEC Validation for World (XA)", 30-day average interval, 2014 to January 2019; share of users behind validating resolvers on January 26, 2019: 18.71 %]

~ 19 %

https://stats.labs.apnic.net/dnssec/XA

slide-3
SLIDE 3

DNSSEC? Who cares in Europe?

[Chart: APNIC "Use of DNSSEC Validation for Europe (XE)", 30-day average interval, 2014 to January 2019; share of users behind validating resolvers on January 26, 2019: 23.99 %]

https://stats.labs.apnic.net/dnssec/XE

~ 24 %

slide-4
SLIDE 4

DNSSEC? Who cares in CZ?

[Chart: APNIC "Use of DNSSEC Validation for Czech Republic (CZ)", 30-day average interval, 2014 to January 2019; share of users behind validating resolvers on January 28, 2019: 62.54 %]

https://stats.labs.apnic.net/dnssec/CZ

~ 63 %

slide-5
SLIDE 5

Where is the problem?

  • DNSSEC requires zone content maintenance
    • more work compared to insecure DNS
  • Signatures carry timestamps (expiration, inception) and have to be refreshed before they expire:
    . RRSIG DNSKEY 8 0 172800 20190211000000 20190121000000 …
  • Keys have to be propagated to the parent as DS records:
    cz. DS 20237 13 2 CFF0F3ECDBC52…

slide-6
SLIDE 6

Maintenance?!

slide-7
SLIDE 7

DNSSEC maintenance: signatures

  • Refreshing signatures (timestamps)
  • fully automated

Knot DNS, BIND, PowerDNS, OpenDNSSEC, ...

slide-8
SLIDE 8

DNSSEC maintenance: keys

[Diagram: the DS lives at the registry (parent), the DNSKEY at the child]

  • Key propagation
    • harder problem – multiple parties
    • sub-optimal support from registrars
    • DNS providers have no relationship with the registrar/registry
    • domain holders do not care

slide-9
SLIDE 9

Standards to the rescue

  • RFC 7344 – Automating DNSSEC Delegation Trust Maintenance (September 2014)
    cz. CDS 20237 13 2 CFF0F3ECDBC52…
  • RFC 8078 – Managing DS Records from the Parent via CDS/CDNSKEY (March 2017)
    cz. CDS 0 0 0 00
  • draft-ietf-regext-dnsoperator-to-rrr-protocol – Third Party DNS operator to Registrars/Registries Protocol

slide-10
SLIDE 10

Standards to the rescue

[Diagram: the parent holds the DS; the child publishes its DNSKEY together with a CDS record, and the parent derives the DS from the CDS]
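To make concrete what a CDS record carries and what the parent does with it, here is an added example in Python. It is not code from this talk, from Knot DNS or from the CZ registry: it derives a DS from a DNSKEY the way RFC 4034 specifies (key tag, SHA-256 digest over the owner name in wire form plus the DNSKEY RDATA), parses a CDS, and decides whether a CDS RRset means keep, replace or delete (the RFC 8078 sentinel "0 0 0 00"). The owner name example.cz and the all-zero ECDSA public key are constructed; a real parent must first validate the CDS RRset with DNSSEC, which this example leaves out.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# Constructed sample, not a real key: an ECDSA P-256 (algorithm 13) KSK
# (flags 257) whose 64-byte public key is all zeros. Only the layout matters.
SAMPLE_OWNER = "example.cz."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(64)).decode()

DELETE_CDS = "0 0 0 00"  # RFC 8078 section 4: the child asks the parent to remove the DS


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    flags, proto, alg, *key = presentation.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex

    def __str__(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def ds_from_dnskey(owner: str, dnskey: str, digest_type: int = 2) -> DS:
    """RFC 4034 section 5.1.4: digest over owner name (wire form) + DNSKEY RDATA."""
    rdata = dnskey_rdata(dnskey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), rdata[3], digest_type, digest)


def parse_ds(presentation: str) -> DS:
    """Parse DS/CDS RDATA in presentation form (the digest may be split by spaces)."""
    tag, alg, dtype, *digest = presentation.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())


def parent_action(current_ds: Iterable[str], cds_rrset: Iterable[str]) -> Tuple[str, FrozenSet[DS]]:
    """What the parent does with a (DNSSEC-validated) CDS RRset from the child:
    "delete" the DS (RFC 8078 sentinel), "keep" it unchanged, or "replace" it
    with the CDS content (RFC 7344). Returns the action and the resulting DS set."""
    cds = frozenset(parse_ds(r) for r in cds_rrset)
    if cds == {parse_ds(DELETE_CDS)}:
        return "delete", frozenset()
    current = frozenset(parse_ds(r) for r in current_ds)
    if cds == current:
        return "keep", current
    return "replace", cds


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print(parent_action([str(ds)], [str(ds)])[0], parent_action([str(ds)], [DELETE_CDS])[0])
```

The key tag is computed over the RDATA only, the digest over owner name plus RDATA, so a DS is bound to a specific zone name; a CDS copied from another zone will never match. The same functions serve a child that wants to check whether the DS the parent publishes really corresponds to its current KSK.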

slide-11
SLIDE 11

DNSSEC Trust Maintenance: registry

Image attribution: Cloudflare

slide-12
SLIDE 12

Implementation in registries

  • Supported by
    • .ch
    • .cr
    • .cz
    • .li
  • More coming
  • Ask your registry!

Image attribution: Mozilla

slide-13
SLIDE 13

Implementation in software

  • OpenDNSSEC – planned
  • PowerDNS – generates CDS RR, manual rollover using pdnsutil
  • BIND 9.13 – generates CDS RR, manual rollover using dnssec-keymgr
  • BIND 9.15 – more automation planned
  • Knot DNS 2.6+ – generates CDS RR, rolls automatically (as configured)

slide-14
SLIDE 14

Key propagation in Knot DNS

  • KSK submission via CDS/CDNSKEY
  • Periodic checks for DS existence via a set of configured nameservers
    • authoritative nameservers of the parent
    • and/or DNSSEC validating resolvers
    • (all of them must see the DS)
  • Alternative: simple timeout
slide-15
SLIDE 15

Configuration example

    policy:
      - id: ecdsa
        ksk-lifetime: 14d
        ksk-submission: upstream

    template:
      - id: "default"
        dnssec-signing: on
        dnssec-policy: ecdsa

    zone:
      - domain: dnssec.cz

    remote:
      - id: auth
        address: [ 198.51.100.5 ]
      # resolvers
      - id: local
        address: [ 192.0.2.1 ]
      - id: foreign
        address: [ 1.1.1.1 ]

    submission:
      - id: upstream
        parent: [ auth, local, foreign ]
        check-interval: 600s

The section name is "zone:" in Knot DNS (the slide's "zones:" is not accepted). "auth" is the parent's authoritative server, "local" and "foreign" are validating resolvers; the submission check succeeds only once all three return the new DS, and it is re-run every 600 seconds.

slide-18
SLIDE 18

Key maintenance: logging

1) 2017-10-24T15:41:22 notice: [dnssec.cz.] DNSSEC, KSK submission, waiting for confirmation
2) Knot detects the updated DS record at the parent
   • and then waits for the TTL of the DS before retiring the old key
3) 2017-10-24T20:00:00 notice: [dnssec.cz.] DNSSEC, KSK submission, confirmed
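The check loop behind these two log lines (periodic DS lookups against every configured parent source, confirmation only when all of them see the new DS, then a hold of one DS TTL before the old KSK is retired) as an added example in Python. This is not Knot's implementation: the Parent, DsAnswer and Submission types, the DS strings and the scripted timeline with a 3600 s DS TTL are constructed here; only the log line format is copied from the slide.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Parent:
    id: str
    kind: str  # "auth": the parent's authoritative server; "resolver": a validating resolver


@dataclass(frozen=True)
class DsAnswer:
    records: Tuple[str, ...]  # DS RDATA in presentation form, as returned by that source
    ttl: int                  # TTL of the DS RRset in seconds
    ad: bool = False          # AD bit; only meaningful on resolver answers


# lookup(parent, zone) -> the DS RRset answer, or None on timeout / SERVFAIL
Lookup = Callable[[Parent, str], Optional[DsAnswer]]


def ds_seen_everywhere(zone: str, expected_ds: str, parents: List[Parent],
                       lookup: Lookup) -> Tuple[bool, Optional[int]]:
    """Every configured source must return the new DS. A resolver answer must
    also carry AD, otherwise anyone able to spoof a reply to our probe could
    make us retire the old KSK early. Returns (all_seen, largest TTL seen)."""
    ttl = 0
    for parent in parents:
        answer = lookup(parent, zone)
        if answer is None or expected_ds not in answer.records:
            return False, None
        if parent.kind == "resolver" and not answer.ad:
            return False, None
        ttl = max(ttl, answer.ttl)
    return True, ttl


@dataclass
class Submission:
    zone: str
    new_ds: str
    submitted_at: datetime
    parents: List[Parent]
    timeout: Optional[timedelta] = None  # the "simple timeout" alternative, used when parents is empty
    confirmed_at: Optional[datetime] = None
    retire_old_ksk_at: Optional[datetime] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._log(self.submitted_at, "waiting for confirmation")

    def _log(self, when: datetime, what: str) -> None:
        # same shape as the Knot log lines above
        self.log.append(f"{when:%Y-%m-%dT%H:%M:%S} notice: [{self.zone}] DNSSEC, KSK submission, {what}")

    def check(self, now: datetime, lookup: Lookup) -> str:
        """One periodic check (what runs every submission.check-interval)."""
        if self.confirmed_at is not None:
            return "confirmed"
        if self.parents:
            seen, ttl = ds_seen_everywhere(self.zone, self.new_ds, self.parents, lookup)
            if not seen:
                return "waiting"
            hold = timedelta(seconds=ttl)  # wait out the DS TTL before retiring the old key
        elif self.timeout is not None and now - self.submitted_at >= self.timeout:
            hold = timedelta(0)
        else:
            return "waiting"
        self.confirmed_at = now
        self.retire_old_ksk_at = now + hold
        self._log(now, "confirmed")
        return "confirmed"


# Constructed DS RDATA for the scripted run; the digests are not real.
NEW_DS = "20237 13 2 " + "AB" * 32
OLD_DS = "54321 13 2 " + "CD" * 32
AUTH, LOCAL, FOREIGN = Parent("auth", "auth"), Parent("local", "resolver"), Parent("foreign", "resolver")


def simulate() -> Submission:
    """Scripted timeline: the parent has published the DS, the foreign resolver
    lags behind, then returns it without AD, and everybody agrees at 20:00."""
    both = DsAnswer((OLD_DS, NEW_DS), 3600)
    both_ad = DsAnswer((OLD_DS, NEW_DS), 3600, ad=True)
    timeline = [
        (datetime(2017, 10, 24, 15, 51, 22), {AUTH: both, LOCAL: both_ad, FOREIGN: DsAnswer((OLD_DS,), 1800, ad=True)}),
        (datetime(2017, 10, 24, 16, 1, 22), {AUTH: both, LOCAL: both_ad, FOREIGN: DsAnswer((OLD_DS, NEW_DS), 3600)}),
        (datetime(2017, 10, 24, 20, 0, 0), {AUTH: both, LOCAL: both_ad, FOREIGN: both_ad}),
    ]
    sub = Submission("dnssec.cz.", NEW_DS, datetime(2017, 10, 24, 15, 41, 22), [AUTH, LOCAL, FOREIGN])
    for now, answers in timeline:
        sub.check(now, lambda parent, zone: answers.get(parent))
    return sub
```

The second timeline step is the case worth noticing: the foreign resolver does return the new DS, but without the AD bit, and the check still refuses to confirm. Requiring validated answers from resolver-type parents keeps an off-path spoofer from shortening the rollover.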

slide-19
SLIDE 19

Other relevant features

  • DS deletion via CDS 0 0 0 00
  • Structured logging for key events
    • custom hooks
  • Automatic algorithm rollovers
  • Push for DS RR (DNS Update) coming ...
slide-20
SLIDE 20

Summary

  • DNSSEC is becoming easy (finally!)
  • Ask your registry or registrar for CDS/CDNSKEY support
  • Update your software
  • Sign your zones, please ;-)
slide-21
SLIDE 21

Backup slides: CDS/CDNSKEY implementation in .CZ

slide-22
SLIDE 22

CDNSKEY scanning

  • Daily scanning of all domains in the zone for CDNSKEY records
  • Takes about 3 hours for .CZ
  • Three categories of domains:
    • without KeySet
    • with automatically generated KeySet
    • with legacy KeySet created by a registrar
slide-23
SLIDE 23

Domains without KeySet

  • Scanning all authoritative nameservers from the registry database via TCP queries
  • When a CDNSKEY is found, the technical contact is informed via e-mail
  • Keep scanning for 7 more days
  • If the results are always the same (and it is not a DS deletion), a new KeySet is created and linked to the domain
  • Domain holder (via notify e-mail) and registrar (via EPP) are notified

slide-24
SLIDE 24

Domains with automatic KeySet

  • Scan for CDNSKEY via local resolver; DNSSEC is validated inside the scanner
  • If a CDNSKEY is found, do as requested:
    • update the KeySet with the new DNSKEY, or
    • remove the KeySet (notification of domain holder and registrar)
  • Technical contact is informed via e-mail
slide-25
SLIDE 25

Domains with legacy KeySet

  • Scan for CDNSKEY via local resolver; DNSSEC is validated inside the scanner
  • If a CDNSKEY is found, do as requested:
    • create a new automatic KeySet and swap it into the domain, or
    • remove the KeySet
  • Technical contact is informed via e-mail
  • Domain holder (via notify e-mail) and registrar (via EPP) are notified
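The three per-category rules of the backup slides, written out as an added example in Python so the edge cases can be exercised: inconsistent answers across authoritative servers, the 7-day confirmation window for domains without a KeySet, a delete sentinel on a domain that has nothing to delete, and a delete request that did not validate. This is not CZ.NIC's scanner code; the Domain and Observation types, the event strings, the constructed DNSKEY and the scripted timeline are assumptions for illustration. The delete sentinel is written in its CDNSKEY form ("0 3 0 AA=="), the CDNSKEY counterpart of the "CDS 0 0 0 00" on the slides.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DELETE_CDNSKEY = "0 3 0 AA=="  # RFC 8078 delete sentinel, CDNSKEY form (CDS form: 0 0 0 00)
CONFIRMATION_DAYS = 7          # keep scanning for 7 more days before acting
NO_KEYSET, AUTO_KEYSET, LEGACY_KEYSET = "none", "automatic", "legacy"


@dataclass
class Domain:
    name: str
    category: str
    keyset: Tuple[str, ...] = ()               # DNSKEY RDATA currently in the registry KeySet
    pending: Optional[Tuple[str, ...]] = None  # candidate CDNSKEY set awaiting confirmation
    pending_days: int = 0


@dataclass(frozen=True)
class Observation:
    """One day's CDNSKEY result. Domains without a KeySet are queried on every
    authoritative server over TCP (one tuple per server); domains with a
    KeySet are queried through the validating resolver (one answer plus AD)."""
    per_nameserver: Tuple[Tuple[str, ...], ...] = ()
    resolver_answer: Tuple[str, ...] = ()
    validated: bool = False


def _agreed_set(per_nameserver) -> Optional[Tuple[str, ...]]:
    """The CDNSKEY set if all authoritative servers return the same one, else None."""
    sets = {tuple(sorted(s)) for s in per_nameserver}
    return sets.pop() if len(sets) == 1 else None


def _scan_without_keyset(d: Domain, obs: Observation, events: List[str]) -> None:
    found = _agreed_set(obs.per_nameserver) if obs.per_nameserver else None
    if not found or found == (DELETE_CDNSKEY,):  # nothing, disagreement, or a delete request
        d.pending, d.pending_days = None, 0       # with no DS to delete: start over
        return
    if found != d.pending:
        d.pending, d.pending_days = found, 1
        events.append(f"{d.name}: CDNSKEY found, technical contact e-mailed")
        return
    d.pending_days += 1
    if d.pending_days > CONFIRMATION_DAYS:
        d.keyset, d.category, d.pending, d.pending_days = found, AUTO_KEYSET, None, 0
        events.append(f"{d.name}: KeySet created and linked; holder (e-mail) and registrar (EPP) notified")


def _scan_with_keyset(d: Domain, obs: Observation, events: List[str]) -> None:
    if not obs.validated:
        return  # unsigned or bogus CDNSKEY answers never change a KeySet
    found = tuple(sorted(obs.resolver_answer))
    if not found:
        return
    if found == (DELETE_CDNSKEY,):
        d.keyset, d.category = (), NO_KEYSET
        events.append(f"{d.name}: KeySet removed; holder and registrar notified")
    elif d.category == LEGACY_KEYSET:
        d.keyset, d.category = found, AUTO_KEYSET
        events.append(f"{d.name}: automatic KeySet created and swapped in; contact, holder and registrar notified")
    elif found != d.keyset:
        d.keyset = found
        events.append(f"{d.name}: KeySet updated; technical contact e-mailed")


def scan_day(d: Domain, obs: Observation, events: List[str]) -> None:
    """One daily scan of a single domain."""
    if d.category == NO_KEYSET:
        _scan_without_keyset(d, obs, events)
    else:
        _scan_with_keyset(d, obs, events)


KEY = "257 3 13 c2FtcGxlLWtleQ=="  # constructed DNSKEY RDATA, not a real key


def run_scenario() -> Tuple[Domain, List[str]]:
    """Constructed timeline for a domain that starts without a KeySet."""
    d, events = Domain("example.cz", NO_KEYSET), []
    scan_day(d, Observation(per_nameserver=((KEY,), ())), events)  # servers disagree: ignored
    for _ in range(1 + CONFIRMATION_DAYS):                           # first sighting + 7 more days
        scan_day(d, Observation(per_nameserver=((KEY,), (KEY,))), events)
    scan_day(d, Observation(resolver_answer=(DELETE_CDNSKEY,), validated=False), events)  # bogus: ignored
    scan_day(d, Observation(resolver_answer=(DELETE_CDNSKEY,), validated=True), events)
    return d, events
```

Two details carry the security of the scheme: a domain that has no KeySet yet cannot be validated, so the registry compensates with agreement across all of its authoritative servers and a week of unchanged results; once a KeySet exists, only DNSSEC-validated CDNSKEY answers are allowed to change or remove it.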