
Page 1: 2010 za con_todor_genov

DNSSEC 101 with a pinch of salt

Todor Genov [email protected]

Sunday 17 October 2010

Pages 2-5:

Who is this guy?

Unix geek/sysadmin

Works at a yellow-branded ISP

Does a lot of DNS as a result

Pages 6-8:

What is DNSSEC?

DNS + public key crypto

Implemented as an extension to the current DNS protocol

Pages 9-12:

What is DNSSEC good for?

Authenticating response origin

Authenticating denial of existence

Not much else

Pages 13-16:

How it works (simplified)

Each zone has a public/private key pair

All RRs are signed

Crypto signature and public key are published in DNS alongside the RR

Pages 17-21:

A few new RRs

RRSIG - crypto signature of RR data

DNSKEY - zone public keys
- Key-signing key (KSK) - used to sign own ZSK
- Zone-signing key (ZSK) - used to sign all other RRs

DS - delegation signer
- Secure pointer to (checksum of) child KSK

NSEC and NSEC3 - authenticated denial of existence (NXDOMAIN)

Pages 22-25:

RR sets

RR set - the building block of DNSSEC

RR (A, PTR, MX, NS etc) + RRSIG (crypto signature)

Vanilla DNS:

org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.

DNSSEC:

org. 79810 IN NS d0.org.afilias-nst.org.
org. 79810 IN NS c0.org.afilias-nst.info.
org. 79810 IN NS a2.org.afilias-nst.info.
org. 79810 IN NS b2.org.afilias-nst.org.
org. 79810 IN NS a0.org.afilias-nst.info.
org. 79810 IN NS b0.org.afilias-nst.org.
org. 79810 IN RRSIG NS 7 1 86400 20101015154542 20101001144542 245 org. Uy6dZ09BwvRmQHbzlK8gbflhQT1TVkEEYqrpff7W+uHn5Sz1jwqpNpIH LIgs5M6sHgURvzzdEn8C

Pages 26-30:

Query validation

Query result - A, MX, NS, PTR etc

Cryptographic signature - RRSIG

Public key - DNSKEY <- Why should I trust you?

Page 31:

Trust anchor

A DNSKEY that we trust to be correct

Confirmed from sources other than DNS

Enables us to validate data in a specific zone

Pages 32-33:

Chain of trust

Starts at a trust anchor

Can be delegated to child zones
- Name server delegation with NS records (NS RR set)
- Trust delegation with DS records (DS RR set)

Pages 34-37:

Trust anchor

(Tree diagram of the DNS hierarchy; labels as shown on the slides)

ROOT
  .COM -> google.com
  .ORG -> insecure.org
  .ZA -> .CO -> .google

Pages 38-42:

Chain of trust

As of July 2010 a trust anchor exists for the ROOT KSK

. 84500 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 84500 IN DNSKEY 256 3 8 AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz

Less than 20 signed TLDs

DS

(Delegation diagram: what .org holds for tld.org, and what tld.org holds itself)

.org zone:     tld.org NS ns1.tld.org     tld.org DS checksum(KSK)
tld.org zone:  tld.org NS ns1.tld.org     tld.org DNSKEY KSK

Pages 43-54:

Chain of trust

Delegating tld. to ns1.tld

ROOT zone:

. IN DNSKEY ROOT-KSK-key (trust anchor)

. IN DNSKEY ROOT-ZSK-KEY
. IN RRSIG DNSKEY (ROOT-KSK-KEY signature)  (trusted)

tld. IN NS ns1.tld.
tld. IN RRSIG NS (ROOT-KSK-key signature)

ns1.tld. IN A 10.10.10.5
ns1.tld. IN RRSIG A (ROOT-ZSK-key signature)

tld. IN DS crypto_hash(tld-KSK)
tld. IN RRSIG DS (ROOT-ZSK-key signature)

tld zone (ns1.tld - 10.10.10.5):

tld. IN DNSKEY tld-KSK
tld. IN RRSIG DNSKEY (tld-KSK-self-signed-signature)  (trusted from DS in ROOT)

tld. IN DNSKEY tld-ZSK
tld. IN RRSIG DNSKEY (tld-KSK-signature)  (trusted)
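The "tld. IN DS crypto_hash(tld-KSK)" step above, as an added example that is not part of the deck: it rebuilds the DS for the root KSK printed on the root-zone slide (key material copied from that slide) the same way a validator rebuilds a DS from a child's DNSKEY before trusting it. The function names, and the ds_matches check, are this example's own.

```python
import base64
import hashlib

# Root KSK exactly as printed on the slide (". 84500 IN DNSKEY 257 3 8 ..."),
# with the whitespace that dig inserts between base64 chunks removed.
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire form; "." becomes the single root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire (RFC 4034 s2.1): flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the 16-bit id that DS and RRSIG use to name a key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner wire name || DNSKEY RDATA); type 1 is SHA-1, type 2 SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               key_b64: str, published_ds: tuple) -> bool:
    """The check a validator performs at a delegation point: rebuild the DS from the
    child's DNSKEY and compare it with the DS the parent signed. Any change to the key
    (flags, algorithm or key material) changes the tag and the digest and fails here."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    tag, alg, dtype, digest = published_ds
    return (key_tag(rdata) == tag and algorithm == alg
            and ds_digest(owner, rdata, dtype) == digest.upper())

def root_ksk_ds() -> tuple:
    """(key tag, algorithm, digest type, digest) for the slide's root KSK."""
    rdata = dnskey_rdata(257, 3, 8, ROOT_KSK_B64)
    return key_tag(rdata), 8, 2, ds_digest(".", rdata, 2)

if __name__ == "__main__":
    print(". IN DS %d %d %d %s" % root_ksk_ds())
```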

Pages 55-57:

Caching DNS servers

Validating cache
- Performs crypto number-crunching on behalf of the DNS client
- Affirms authenticity of data by setting the AD bit in the response
- Client session susceptible to spoofing (fake AD bit)

Non-validating cache
- Merely returns RR sets
- To ensure authenticity the client must perform its own validation

Pages 58-66:

Denial of existence: NSEC

NSEC record creates a chain of non-existence between RRs in a zone

C-3PO.com. IN A 10.10.10.1
C-3PO.com. IN RRSIG jDDoe/x3r#
luke.com. IN A 10.10.10.2
luke.com. IN RRSIG d<edNcd#?d
r2d2.com. IN A 10.10.10.3
r2d2.com. IN RRSIG zDsc>\dybhDe

C-3PO.com. IN NSEC to luke.com.
luke.com. IN NSEC to r2d2.com.

dig doesnotexist.se NS

doesithurt.se. 7200 IN NSEC dof.se. NS RRSIG NSEC
doesithurt.se. 7200 IN RRSIG NSEC 5 2 7200 20101007045252 20100930031234 26215 se. XH6itihRj7u/XJDNV0uaDfS72Ak8NL6A8xg1fa1vuOG8wrYLYf+iNO

e.g. there is nothing between doesithurt.se and dof.se

Bad idea?
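How a validator uses the NSEC above, as an added example that is not the deck's own code: it implements the canonical name ordering of RFC 4034 and the "query sorts strictly between owner and next" test of RFC 4035, with the two chains constructed from the names on the slides. The record for r2d2.com. pointing back at com. is assumed to close the chain; it is not on the slide.

```python
# Chains constructed from the slides: the Star Wars zone under com. and the one
# NSEC returned by "dig doesnotexist.se NS".
COM_CHAIN = [("C-3PO.com.", "luke.com."), ("luke.com.", "r2d2.com."), ("r2d2.com.", "com.")]
SE_CHAIN = [("doesithurt.se.", "dof.se.")]

def _labels(name: str):
    """Labels of a name, most significant (rightmost) first, lower-cased for comparison."""
    return [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l][::-1]

def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1: compare label by label from the right, bytewise and case-insensitively
    (RFC 4034 s6.1). Plain string order is wrong here: z.example sorts AFTER zABC.a.EXAMPLE."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nsec_covers(owner: str, next_name: str, query: str, apex: str) -> bool:
    """True if "owner NSEC next_name" proves that query does not exist: query must sort
    strictly between the two. The last NSEC points back at the apex and wraps around."""
    if canonical_cmp(owner, query) >= 0:
        return False
    if canonical_cmp(next_name, apex) == 0:
        return True
    return canonical_cmp(query, next_name) < 0

def find_proof(chain, query: str, apex: str):
    """Return the (owner, next) pair covering query, or None when the name exists
    (its own NSEC then lists which types exist) or the chain offers no proof."""
    for owner, nxt in chain:
        if canonical_cmp(owner, query) == 0:
            return None
        if nsec_covers(owner, nxt, query, apex):
            return (owner, nxt)
    return None

if __name__ == "__main__":
    print(find_proof(SE_CHAIN, "doesnotexist.se.", "se."))
```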

Pages 67-69:

Denial of existence: NSEC3

NSEC3 creates a chain of non-existence between hashes of RRs in a zone

03450ad8d88fa9bc8f22d9063328c08f52c0fa03 (hash of C-3PO.com.)
bc6ec803d77136128483bb220e449353a6a432a8 (hash of luke.com.)
f545de7360c432fcbfcfc1d80fa9b142cd359b79 (hash of r2d2.com.)

hash-of-C-3PO.com. IN NSEC3 to hash-of-luke.com.
hash-of-luke.com. IN NSEC3 to hash-of-r2d2.com.

NSEC3 response returns the hash salt and number of iterations used

dig idontexist.org NS

Yrp8N36uMZUgWRLUi9xVMq2GylslnLD6ehEoRVecDnWxPumIPt8iXi8i oj1XrQ5k8Dg9RINp19rcuaRcecmEUedtmfIdPvGtwWSUsoWP5XiGF/nx 2/Y=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. Zaq/jsAGv/GxG/wPWgpjczhzeTdwIFLykxbxzap3lWRK16+Q64d4F31Z ady60BSEyErddv2oafewi+eE6IG7zX6QvLrXZlAE5KYD2P1SswfFf/n+ IenKtXyCfFv7q9FeOr7Ex6aqUShIPg2asL8mAWWWPxn4knRsmR9hoz/C udo=
d78ice6u9jvfjqtfsesaoek3rg81fshn.org. 833 IN NSEC3 1 1 1 D399EAAB D7DM84D9Q90H2UV918MF4BGDUKR4S5NN
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN RRSIG NSEC3 7 2 86400 20101016052757 20101002042757 245 org. IZESTR/sqJI/ZDega0df557XQ6JhK42TaAhYyeR7RI3f9XD7nyULE8nk WTZv38Um/wzVFu6haBmSb4iz5TmShL1pUqlwZbQzZ7mpbxaY4iPwVfZ6 9JSSCnwaTWpg/pS17dyP+MiB4/yffaJnXiAVlTp6FNO7IFz735mD717C 4yU=
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 833 IN NSEC3 1 1 1 D399EAAB H9RSFB7FPF2L8HG35CMPC765TDK23RP6 NS SOA RRSIG DNSKEY NSEC3PARAM
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN RRSIG NSEC3 7 2 86400 20101015154542 20101001144542 245 org. 7KbiYKaNPtNIbTpDTAu+qcdiRrOn73qZztjEWL5/wc4HvCtp+ziIG9P1 nZ0fgBj7VFETp0P6V1+QVkjy5SoAennzEN9201v7f7e4iCPrqf/1q/k8 8cNNGvTk5/+/Me7qWEIYRUU3Dyy61rGaYZES8zAoR9TUhmubj8mIGzR+ MOE=
vagq7rk03g3to127qkkhkn3vfmeivgpf.org. 833 IN NSEC3 1 1 1 D399EAAB VAPM2EIMJPEU2R3SNRILHGU61CHOC96A NS DS RRSIG

NSEC3 adds additional workload on authoritative AND caching DNS servers
- Authoritative: calculating the NSEC3 hash of the QUERY in order to return the correct answer
- Caching: calculating the NSEC3 hash of the QUERY in order to compare to the authoritative answer
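The hashing the NSEC3 slides describe, as an added example that is not the deck's own code: H(name) per RFC 5155 with the salt and iteration count read from the record ("1 1 1 D399EAAB" in the .org answer above means SHA-1, opt-out flag, one iteration, salt D399EAAB), base32hex encoding, and the covering check on the hashed chain that both the authoritative server and the validating cache must do per query. ORG_SALT, nsec3_covers and proves_nonexistence are names of this example.

```python
import base64
import hashlib

# Salt and iteration count as they appear in the slide's .org NSEC3 records.
ORG_SALT, ORG_ITERATIONS = "D399EAAB", 1

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a name; NSEC3 hashes this, not the text form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex (lower case), the encoding NSEC3 owner names use in dig output."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """H(name) = SHA-1(wire(name) || salt), then `iterations` further rounds of
    SHA-1(h || salt). Every extra iteration is work repeated by the authoritative
    server AND by every validating cache, for every query."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)

def nsec3_covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """Hashed owners sort as plain strings; the last record wraps to the smallest hash."""
    o, n, q = owner_hash.lower(), next_hash.lower(), query_hash.lower()
    if o < n:
        return o < q < n
    return q > o or q < n

def proves_nonexistence(records, name: str, salt_hex: str, iterations: int) -> bool:
    """records: (owner_hash, next_hash) pairs taken from the NSEC3 records in a
    negative answer. True if one of them covers H(name)."""
    q = nsec3_hash(name, salt_hex, iterations)
    return any(nsec3_covers(o, n, q) for o, n in records)

if __name__ == "__main__":
    # Compare with the owner of the NSEC3 carrying SOA in the slide's dig output
    # (that record is the hashed apex, org.).
    print(nsec3_hash("org.", ORG_SALT, ORG_ITERATIONS))
```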

Pages 70-73:

Pitfalls of DNSSEC

Zone files no longer human-modifiable
- Abstraction/automation required to publish data in DNS

ZSK and KSK lifetime expiration
- ZSK (30 days default)
- KSK (12 months default)

Requires parent (registrar) capable of DNSSEC
- zaDNA is not one of them and will not be within the next 18 months
- Neither is Uniforum

Pages 74-76:

Lookaside validation (DLV)

DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain. It allows validating resolvers to validate DNSSEC-signed data from zones whose ancestors either aren't signed or don't publish Delegation Signer (DS) records for their children.

RFC5074

Requires manual DLV trust-anchor config on resolvers

Page 77:

https://dlv.isc.org

Useful kludge for early adopters

Already configured on at least one large ZA ISP's caches

Workaround for zaDNA's lack of DNSSEC

Page 78:

Questions?