DNSSEC with SmartcardHSM Not as Easy as One Thinks Eberhard W Lisse - - PowerPoint PPT Presentation



SLIDE 1

DNSSEC with SmartcardHSM

Not as Easy as One Thinks

Eberhard W Lisse

Namibian Network Information Centre

2015-06-24

Lisse (NA-NiC) SmartcardHSM 2015-06-24 1 / 10

SLIDE 2

Introduction

Why?

DNSSEC is Easy!

Is it Secure?

Secure DNSSEC is Expensive!

Is it really?

So, what are we looking for?

Easy: off the shelf

Secure: hardware based

Cheap: a solution for small (cc)TLDs and individual domains


SLIDE 3

Workflow

Registry System with BIND

Registry System Database
  -> Bind style tables
  -> Sign files
       BIND dnssec-signzone: SW keys / HW keys
       OpenDNSSEC: SoftHSM / HSM proper / SmartcardHSM
  -> Update serial
  -> Reload signed zone


SLIDE 4

Hardware Keys

From the Esoteric to the Expensive

HW keys

HSM
TPM
Smartcards
SmartcardHSM
Athena ASE


SLIDE 5

Smartcard

Many Brands

SmartcardHSM

Linux and OS X key signing scripts (Rick Lamb)

Flexible number of Crypto Officers

generate backup cards

Speed is not an issue

2 signings per second = 7200 per hour (reload)


SLIDE 6

dnssec-signzone

BIND needs a patch

Works quite well with a software key (which is the security issue)

Requires a patch for SmartcardHSM (Rick Lamb)
  works well
  not in the repositories
  manual re-patching of the source after each update does not scale

ISC has looked at it


SLIDE 7
OpenDNSSEC

Ubuntu 12.04 LTS and 14.04 LTS

Special repository (maintainer: Ondřej Surý)

OpenSC: v0.14.0 (14.04 LTS), v0.15.0 (from source)

pcscd: daemon to interface to the reader(s)

Choice of database: MySQL or SQLite3


SLIDE 8
OpenDNSSEC

SmartcardHSM Requirements

Nontrivial Configuration for SmartcardHSM

conf.xml:
  <TokenLabel>SmartCard-HSM (UserPIN)</TokenLabel>

pkcs15-tool -D:
  PKCS#15 Card [SmartCard-HSM] PIN [UserPIN]

Significant Learning Curve

short RRSIG <Validity> Interval


SLIDE 9

Conclusion

Not Ready for Prime Time Yet

There were no hardware issues

Once inserted the cards were always visible if pcscd was working

Significant software issues

pcscd stopped working all the time

  different readers (different brands)
  different cards (same brand)
  cause not yet found
  developers not yet contacted

OpenDNSSEC then failed to sign

short RRSIG Validity caused resolution to fail

heartbeat script resolved this to some extent

not acceptable for production

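The failure mode on this slide is a timing one: when the signer stalls (pcscd gone, OpenDNSSEC no longer signing) and the RRSIG `<Validity>` is short, the signatures already published expire before anything notices, and validating resolvers start answering SERVFAIL. The slides say a heartbeat script helped; the script below is an added example of such a check, not the author's script and not OpenDNSSEC code. It parses the expiration time out of an RRSIG record in presentation format (the YYYYMMDDHHMMSS form of RFC 4034), computes the remaining validity without relying on GNU date extensions, and fails when that drops below a threshold so a re-sign can be triggered. The record, the threshold and the `ods-signer sign` call in the usage comment are assumptions; the sample record is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): a POSIX sh "heartbeat" that measures
# how long the published SOA RRSIG of a zone stays valid and alarms before
# resolvers start failing validation.

# Days since 1970-01-01 for a Gregorian date (Hinnant's days_from_civil),
# so the script needs no GNU `date -d`.
days_from_civil() {
  y=$1; m=$2; d=$3
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# RRSIG time field (YYYYMMDDHHMMSS, UTC) -> Unix epoch seconds.
# Leading zeros are stripped so the shell does not read "08" as octal.
rrsig_time_to_epoch() {
  t=$1
  [ "${#t}" -eq 14 ] || { echo "bad RRSIG time: $t" >&2; return 1; }
  y=$(printf %s "$t" | cut -c1-4)
  m=$(printf %s "$t" | cut -c5-6);   m=${m#0}
  d=$(printf %s "$t" | cut -c7-8);   d=${d#0}
  H=$(printf %s "$t" | cut -c9-10);  H=${H#0}
  M=$(printf %s "$t" | cut -c11-12); M=${M#0}
  S=$(printf %s "$t" | cut -c13-14); S=${S#0}
  days=$(days_from_civil "$y" "$m" "$d")
  echo $(( days * 86400 + H * 3600 + M * 60 + S ))
}

# Seconds of validity left on an RRSIG record ($1, one line as printed by
# `dig +noall +answer`) at time $2 (epoch seconds). Field layout:
# owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer sig
rrsig_seconds_left() {
  exp=$(printf %s "$1" | awk '$4 == "RRSIG" { print $9 }')
  [ -n "$exp" ] || { echo "not an RRSIG record" >&2; return 1; }
  echo $(( $(rrsig_time_to_epoch "$exp") - $2 ))
}

# Exit 0 if the signature is still good for at least $3 seconds, 1 otherwise.
rrsig_ok() {
  left=$(rrsig_seconds_left "$1" "$2") || return 1
  [ "$left" -ge "$3" ]
}

# Constructed sample: SOA signed at 10:00 UTC with a 2 h validity, as short
# as the slides describe. The signature data is a placeholder.
SAMPLE='example. 3600 IN RRSIG SOA 8 1 3600 20150624120000 20150624100000 12345 example. cGxhY2Vob2xkZXI='

# Offline demonstration one hour before expiry with a one hour threshold.
now=$(rrsig_time_to_epoch 20150624110000)
if rrsig_ok "$SAMPLE" "$now" 3600; then
  echo "SOA RRSIG still valid for $(rrsig_seconds_left "$SAMPLE" "$now") s"
else
  echo "SOA RRSIG below threshold: re-sign now"
fi

# Live use from cron (needs dig and a reachable signer; not run here):
#   rec=$(dig +norecurse +dnssec +noall +answer @127.0.0.1 example. SOA | awk '$4 == "RRSIG"')
#   rrsig_ok "$rec" "$(date -u +%s)" 7200 || ods-signer sign example.
```

The threshold should exceed the zone's longest TTL plus the time a re-sign and reload take, otherwise a cached copy of the old RRSIG can still expire in a resolver's cache; with a short `<Validity>` that leaves very little room, which is the operational problem the slide describes.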

SLIDE 10

Back to the Drawing Board

PowerDNS to the Rescue?

http://jpmens.net/2015/03/30/powerdns-with-a-smartcard-hsm-for-dnssec/

not yet studied

Approach perhaps:

Stealth server
  on an uncommon port
  only accessible from local host

Notify master on local host, which does AXFR of the signed zone

A number of CoCCA users seem to use OpenDNSSEC

Usually with SoftHSM

CoCCA has support for PowerDNS built in

Might just be what the doctor ordered...
