fedoraproject org pgp keys now in dnssec
play

*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System - PowerPoint PPT Presentation

Nov 30, 2023 •244 likes •380 views

New DNSSEC Technologies Paul Wouters Senior software engineer, Red Hat February 9, 2015 1 Paul Wouters <pwouters@redhat.com> *.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a user@fedoraproject.org

  1. New DNSSEC Technologies Paul Wouters Senior software engineer, Red Hat February 9, 2015 1 Paul Wouters <pwouters@redhat.com>

  2. *.fedoraproject.org PGP keys now in DNSSEC ● All Fedora Account System users have a user@fedoraproject.org email ● FAS web interface allows uploading PGP keyid (soon public keys itself) ● Publish PGP keys using DNSSEC ● draft-ietf-openpgpkey ● Retrieve from DNSSEC using dig dig +short +vc type61 `printf paul|sha224sum|cut -f1 -d\ `._openpgpkey.nohats.ca|sed 's/ [^ ]*//;s/\W//g'|xxd -r -p|gpg --import -n 2 Paul Wouters <pwouters@redhat.com>

  3. Managing PGP keys in DNS for humans ● openpgpkey command from the hash-slinger package ● create, verify and download keys ● missing features: ● punycode support missing :) ● DNSSEC root key location confusion ● wrap long lines using ( braces ) syntax 3 Paul Wouters <pwouters@redhat.com>

  4. openpgpkey –fetch to download a PGP key 4 Paul Wouters <pwouters@redhat.com>

  5. openpgpkey –create to create DNS record 5 Paul Wouters <pwouters@redhat.com>

  6. openpgpkey –verify to compare DNS with keyring 6 Paul Wouters <pwouters@redhat.com>

  7. TODO: publishing Fedora distribution key ● Use DNSSEC to publish the PGP used to sign all packages ● Problem: ● Each version uses a different key ● But using fedora@fedoraproject.org 7 Paul Wouters <pwouters@redhat.com>

  8. The hash-slinger package ● openpgpkey: create, verify and download PGP keys using OPENPGPKEY records ● sshfp: create and verify SSH host keys using SSHFP records ● tlsa: create and verify SSL certificates using TLSA records (missing STARTTLS support) ● ipseckey: create IPSECKEY records for Libreswan IPsec (Opportunistic Encryption) 8 Paul Wouters <pwouters@redhat.com>

  9. openpgpkey-milter – A reference implementation ● A sendmail and postfix plugin to auto-encrypt email ● Uses OPENPGPKEY to find encryption key ● yum install openpgpkey-milter ● service openpgpkey-milter start ● add to /etc/postfix/main.cf: smtpd_milters = inet:127.0.0.1:8890 ● service postfix restart ● Biggest problem: it works (my email is routed from mx.nohats.ca to my own local mail server) 9 Paul Wouters <pwouters@redhat.com>

  10. DNSSEC experience on laptops / phones ● dnssec-trigger + unbound per default in Fedora 22 ● Still need better integration with Network-Manager ● Roaming / switching networks, split-DNS and TTL ● Cache management (Should I stay or should I flush) ● More than 1 domain in split-DNS cannot be conveyed with DHCP or VPN (XAUTH) ● Touch “search domains” in /etc/resolv.org or not ? ● DNS over port 80/443 needs to maintain TCP connction (i.e via draft-ietf-dnsop-ens-chain-query) ● When do we trust the AD bit ? 10 Paul Wouters <pwouters@redhat.com>

  11. DNSSEC design for servers, virtual machines and containers ● Very much a work in progress ● Avoid using a single caching resolver per container ● Avoid DNSSEC validation inside every application ? ● Problems with trusting the hypervisor/host for AD bit ? ● Root KSK rollover 11 Paul Wouters <pwouters@redhat.com>

  12. Current project: IPsec with DNSSEC Opportunistic IPsec to protect against pervasive monitoring ● Anonymous IPsec (march 2015) (draft-ietf-ipsecme-authnull) ● Single side DNSSEC authenticated IPsec using DNS triggers (april 2015) ● Cloud encryption using reverse-DNS (may 2015) ● Mutual authenticated IPsec (june 2015) ● End result: draft-opportunistic-ipsec 12 Paul Wouters <pwouters@redhat.com>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons Attribution 3.0 https://fedoraproject.org/ What is Fedora Fedora is a fast, stable, and powerful

671 views • 7 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS20 with Anders Dalskov, Marcel Keller,

775 views • 63 slides
DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez &amp; Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez &amp; Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez &amp; Eberhard W Lisse University of Costa Rica &amp; Namibian Network Information Centre 2015-02-09 Espinoza &amp; Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

202 views • 19 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat, Morocco, 1 June 2008 http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 page 2 DNSKEY in flavours Zone Signin Key (ZSK) Key Signing Key (KSK)

155 views • 13 slides
DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009 Manila, Philippines http://nsrc.org/tutorials/2009/apricot/dnssec/ Public-Private Keys Refresher Ciphers Ciphertext Symmetric Cipher /

465 views • 20 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key Management Implementations Back to ICANN 40 2 Key Management Implementations Needs Zones need to be re-signed PKCS#11 periodically. Keys

507 views • 14 slides
Overview of The Governors Workforce Cabinet Created in 2018 Structure Matters: Leaders

Overview of The Governors Workforce Cabinet Created in 2018 Structure Matters: Leaders

Governors Workforce Cabinet June 5, 2019 Overview of The Governors Workforce Cabinet Created in 2018 Structure Matters: Leaders within state government, higher education, non-profits AND industry sector leaders Charged to

114 views • 9 slides
By By th the e end of of th this s sessio ion we w will l hav ave an an unders rstan

By By th the e end of of th this s sessio ion we w will l hav ave an an unders rstan

By By th the e end of of th this s sessio ion we w will l hav ave an an unders rstan andin ing of of th the fol ollo lowin ing: A model el f for tea eacher er ev evaluation based ed o on curren ent res esea earch

1.01k views • 27 slides
Rene newi wing ng You our Licens ense e and nd The he Prof ofessi ession onal l Grow

Rene newi wing ng You our Licens ense e and nd The he Prof ofessi ession onal l Grow

Rene newi wing ng You our Licens ense e and nd The he Prof ofessi ession onal l Grow owth th Plan Thr hree ee Wa Ways ys to to R Ren enew ew Your our Tea eachi ching ng Li License ense Six (6) semester hours of

520 views • 15 slides
ELISA data Human PD-L1 ELISA Kit [28-8] (ab214565) October 2016 Standard ELISA 25 October 2016

ELISA data Human PD-L1 ELISA Kit [28-8] (ab214565) October 2016 Standard ELISA 25 October 2016

Calculating and evaluating ELISA data Human PD-L1 ELISA Kit [28-8] (ab214565) October 2016 Standard ELISA 25 October 2016 One-step ELISA 25 October 2016 Choosing the standard and preparing the plate 25 October 2016 Cell Cell Culture

671 views • 30 slides
Cost Comparison of Spent Fuel Storage and Deep Geological Disposal p g p Graham Smith Graham

Cost Comparison of Spent Fuel Storage and Deep Geological Disposal p g p Graham Smith Graham

Commercial Nuclear Energy in an Unstable, C Carbon Constrained World b C i d W ld Cost Comparison of Spent Fuel Storage and Deep Geological Disposal p g p Graham Smith Graham Smith GMS Abingdon Ltd gmsabingdon@btinternet.com Commercial

477 views • 29 slides
1 This is the way that TEC 28.0212 previously read.. 2 Additions are bolded and underlined and

1 This is the way that TEC 28.0212 previously read.. 2 Additions are bolded and underlined and

These are some revisions to TEC that took effect September 1, 2014. Need ESC help in spreading the word to districts as many of them have shared with specialists that they have not started meeting with students to discuss PGPs. Curriculum division

273 views • 11 slides
Opportunity Day Q1 : 2019 Mission : To make investments, develop, and operate the renewable

Opportunity Day Q1 : 2019 Mission : To make investments, develop, and operate the renewable

Opportunity Day Q1 : 2019 Mission : To make investments, develop, and operate the renewable energy business for the utmost benefits of all stakeholders and environment. TPC POWER HOLDING PUBLIC MWE has begun its COMPANY LIMITED commercial

309 views • 16 slides
Personal Graduation Plans (PGPs) Planning Your High School Years Handouts Please pick up

Personal Graduation Plans (PGPs) Planning Your High School Years Handouts Please pick up

Personal Graduation Plans (PGPs) Planning Your High School Years Handouts Please pick up handout packet if you lost yours. PGP letter RISD Personal How many credits Graduation Plan do I need to practice sheet,

360 views • 21 slides

More recommend