dnssec security without maintenance
play

DNSSEC security without maintenance ... with the right software and - PowerPoint PPT Presentation

Aug 25, 2022 •167 likes •433 views

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

  1. DNSSEC security without maintenance ... with the right software and registry Petr Špaček • petr.spacek@nic.cz • 2019-02-03

  2. 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics https://stats.labs.apnic.net/dnssec/XA?hc=XA&hx=1&hg=1&hr=1&w=30&g=0 Use of DNSSEC Validation for World (XA) Zoom: Validating : 18.71 | 01:00 January 26, 2019 16 14 Average Interval (days) 12 Show Google 10 PDNS Use Hide Regional 8 Use 6 4 https://stats.labs.apnic.net/dnssec/XA 2 0 2014 Apr Jul Oct 2015 Apr Jul Oct 2016 Apr Jul Oct 2017 Apr Jul Oct 2018 Apr Jul Oct 2019 2014 Apr Jul Oct 2015 Apr Jul Oct 2016 Apr Jul Oct 2017 Apr Jul Oct 2018 Apr Jul Oct 1 of 5 1/29/19, 4:49 PM

  3. 1h Redraw max 1y 6m 3m 1m 30 1w 5d 1d ~ 24 % DNSSEC? Who cares in Europe? DNSSEC Validation Capability Metrics https://stats.labs.apnic.net/dnssec/XE?o=cCZw30x1g0r1 Use of DNSSEC Validation for Europe (XE) Zoom: Validating : 23.99 | 01:00 January 26, 2019 25 20 Average Interval (days) 15 Show Google PDNS Use Hide Regional Use 10 5 https://stats.labs.apnic.net/dnssec/XE 0 2014 Apr Jul Oct 2015 Apr Jul Oct 2016 Apr Jul Oct 2017 Apr Jul Oct 2018 Apr Jul Oct 2019 2014 Apr Jul Oct 2015 Apr Jul Oct 2016 Apr Jul Oct 2017 Apr Jul Oct 2018 Apr Jul Oct Region Map for Europe (150) 1 of 4 1/29/19, 4:54 PM

  4. 1h Redraw max 1y 6m 3m 1m 30 1w 5d 1d ~ 63 % DNSSEC? Who cares in CZ? DNSSEC Validation Capability Metrics https://stats.labs.apnic.net/dnssec/CZ?o=cXEw30x1g0r1 Use of DNSSEC Validation for Czech Republic (CZ) Zoom: Validating : 62.54 | 01:00 January 28, 2019 60 Average Interval (days) 50 40 Hide country ASN List 30 Show Google PDNS Use Hide Regional 20 Use https://stats.labs.apnic.net/dnssec/CZ 10 0 2014 Apr Jul Oct 2015 Apr Jul Oct 2016 Apr Jul Oct 2017 Apr Jul Oct 2018 Apr Jul Oct 2019 2014 Apr Jul Oct 2015 Apr Jul Oct 2016 Apr Jul Oct 2017 Apr Jul Oct 2018 Apr Jul Oct Region Map for Eastern Europe (151) 1 of 3 1/29/19, 4:53 PM

  5. Where is a problem? ● DNSSEC requires zone content maintenance ● more work compared to insecure DNS ● Signatures with timestamps . RRSIG DNSKEY 8 0 172800 2019 0211 000000 2019 0121 000000 … ● Key propagation ● cz. DS 20237 13 2 CFF0F3ECDBC52…

  6. Maintenance?!

  7. DNSSEC maintenance: signatures ● Refreshing signatures (timestamps) ● fully automated Knot DNS, BIND, PowerDNS, OpenDNSSEC, ...

  8. DNSSEC maintenance: keys DS ● Key propagation ● harder problem – multiple parties registry ● sub-optimal support from registrars (parent) ● DNS providers have no relationship with registrar/registry child ● Domain holders do not care DNSKEY

  9. Standards to the rescue ● RFC 7344 - Automating DNSSEC Delegation Trust Maintenance - September 2014 ● cz. CDS 20237 13 2 CFF0F3ECDBC52… ● RFC 8078 - Managing DS Records from the Parent via CDS/CDNSKEY – March 2017 ● cz. CDS 0 0 0 00 ● draft-ietf-regext-dnsoperator-to-rrr-protocol - Third Party DNS operator to Registrars/Registries Protocol

  10. Standards to the rescue DS parent child DNSKEY CDS

  11. DNSSEC Trust Maintenance: registry 1 1 2 3 4 6 5 Image attribution: Cloudflare

  12. Implementation in registries ● Supported by ● .ch ● .cr ● .cz ● .li ● More coming ● Ask your registry! Image attribution: Mozilla

  13. Implementation in software ● OpenDNSSEC – planned ● PowerDNS – generates CDS RR, manual rollover using pdnsutil ● BIND 9.13 – generates CDS RR, manual rollover using dnssec-keymgr ● BIND 9.15 – more automation planned ● Knot DNS 2.6+ – generates CDS RR, rolls automatically (as configured)

  14. Key propagation in ● KSK submission via CDS/CDNSKEY ● Periodic checks for DS existence via set of configured nameservers ● Authoritative nameservers ● And/or DNSSEC validating resolver ● (all must see DS) ● Alternative: simple timeout

  15. Configuration example remote: policy: - id: auth - id: ecdsa address: [ 198.51.100.5 ] ksk-lifetime: 14d # resolvers ksk-submission: upstream - id: local address: [ 192.0.2.1 ] template: - id: foreign - id: "default" address: [ 1.1.1.1 ] dnssec-signing: on dnssec-policy: ecdsa submission: - id: upstream parent: [ auth, local, foreign ] check-interval: 600 s zones: - domain: dnssec.cz

  16. Configuration example remote: policy: - id: auth - id: ecdsa address: [ 198.51.100.5 ] ksk-lifetime: 14d # resolvers ksk-submission: upstream - id: local address: [ 192.0.2.1 ] template: - id: foreign - id: "default" address: [ 1.1.1.1 ] dnssec-signing: on dnssec-policy: ecdsa submission: - id: upstream parent: [ auth, local, foreign ] check-interval: 600 s zones: - domain: dnssec.cz

  17. Configuration example remote: policy: - id: auth - id: ecdsa address: [ 198.51.100.5 ] ksk-lifetime: 14d # resolvers ksk-submission: upstream - id: local address: [ 192.0.2.1 ] template: - id: foreign - id: "default" address: [ 1.1.1.1 ] dnssec-signing: on dnssec-policy: ecdsa submission: - id: upstream parent: [ auth, local, foreign ] check-interval: 600 s zones: - domain: dnssec.cz

  18. Key maintenance: logging 1)2017-10-24T15:41:22 notice: [dnssec.cz.] DNSSEC, KSK submission, waiting for confirmation _ 2) Knot detects the updated parent’s DS record ● + waits for DS’s TTL before retiring the old key 3)2017-10-24T20:00:00 notice: [dnssec.cz.] DNSSEC, KSK submission, confirmed

  19. Other relevant features ● DS deletion via CDS 0 0 0 00 ● Structured logging for key events ● custom hooks ● Automatic algorithm rollovers ● Push for DS RR (DNS Update) coming ...

  20. Summary ● DNSSEC is becoming easy (finally!) ● Ask your registry or registrar for CDS/CDNSKEY support ● Update your software ● Sign your zones, please ;-)

  21. Backup slides CDS/CDNSKEY implementation in CZ

  22. CDNSKEY scanning ● Daily scanning all domains in zone for CDNSKEY records ● Takes about 3 hours for .CZ ● Three categories of domains: ● Without KeySet ● With automatically generated KeySet ● With legacy KeySet created by a registrar

  23. Domains without KeySet ● Scanning all authoritative nameservers from registry database via TCP queries ● When CDNSKEY is found, technical contact is informed via e-mail ● Keep scanning for 7 more days ● If results are always the same (and it is not DS deletion), new KeySet is created and linked to a domain ● Domain holder (via notify e-mail) and registrar (via EPP) are notified

  24. Domains with automatic KeySet ● Scan for CDNSKEY via local resolver, DNSSEC is validated inside scanner ● If CDNSKEY is found, do as requested ● Update KeySet with new DNSKEY or ● Remove KeySet (notification of domain holder and registrar) ● Technical contact is informed via e-mail

  25. Domains with legacy KeySet ● Scan for CDNSKEY via local resolver, DNSSEC is validated inside scanner ● If CDNSKEY is found, do as requested ● Create new automatic KeySet and swap it in domain or ● Remove KeySet ● Technical contact is informed via e-mail ● Domain holder (via notify e-mail) and registrar (via EPP) are notified

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission

Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission

Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission Day 19: Web security, part 1 The web from a security perspective Stephen McCamant University of Minnesota, Computer Science & Engineering SQL

492 views • 9 slides
Outline SSH SSL/TLS CSci 5271 DNSSEC Introduction to Computer Security Announcements

Outline SSH SSL/TLS CSci 5271 DNSSEC Introduction to Computer Security Announcements

Outline SSH SSL/TLS CSci 5271 DNSSEC Introduction to Computer Security Announcements intermission Protocols and web combined slides The web from a security perspective Stephen McCamant SQL injection University of Minnesota, Computer

490 views • 11 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Outline DNSSEC, contd CSci 5271 SSH Introduction to Computer Security Announcements

Outline DNSSEC, contd CSci 5271 SSH Introduction to Computer Security Announcements

Outline DNSSEC, contd CSci 5271 SSH Introduction to Computer Security Announcements intermission Day 19: Web security, part 2 Stephen McCamant More crypto protocols University of Minnesota, Computer Science & Engineering More causes

433 views • 8 slides
1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

Welcome! DNS/DNSSEC Deployment tutorial Champika Wijayatunga <champika@apnic.net> 2 August 2006, Karachi, Pakistan In conjunction with SANOG 8 Background The original DNS protocol wasnt designed with security in mind It has

705 views • 15 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Debugging Distributed Systems Headline Goes Here Philip Zeyliger | philip@cloudera | @philz42 |

Debugging Distributed Systems Headline Goes Here Philip Zeyliger | philip@cloudera | @philz42 |

DO NOT USE PUBLICLY PRIOR TO 10/23/12 Debugging Distributed Systems Headline Goes Here Philip Zeyliger | philip@cloudera | @philz42 | Software Engineer Speaker Name or Subhead Goes Here Strata, February 27, 2013 $whoami; whois cloudera.com

713 views • 47 slides
Jesus The Miracle Worker This Pastor Was Caught Paying People To Fake

Jesus The Miracle Worker This Pastor Was Caught Paying People To Fake

Jesus The Miracle Worker This Pastor Was Caught Paying People To Fake Miracles If So Much Healing Is Going On, Then Why Do These Churches Have So Many Handicapped Parking

796 views • 61 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

1.23k views • 26 slides
Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson

Securing Internet Communication: TLS & DNSSEC CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic,

1.51k views • 92 slides
Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K. Note to the DNS Camel* This document does not propose any new extensions to the DNS protocol. It

663 views • 16 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R.

An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R.

An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R. Caudy, D.Davis, F. Monrose Outline Objectives High-level architecture Plugin architecture Case studies Objectives Security

1k views • 47 slides

More recommend