dnssec trust tree: . (a) |---dnslab.org ... tutori… · (dnskey keytag: 33655 alg: 8 flags: 256)...
TRANSCRIPT
![Page 1: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/1.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
DNSSEC Domain Name System Security Extensions
NANOG 6714 June 2016
![Page 2: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/2.jpg)
DNSSEC Introduction
How much trust do we put in the Internet?
13.5% of all purchases were done over the internet in 2010, according to BCG, and this is projected to rise to 23% by 2016. [UK - http://www.bbc.com/news/business-17405016 ]
How much of that trust relies on DNS?
If DNS were to become unreliable or untrustworthy, what would the result be?
2
![Page 3: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/3.jpg)
DNSSEC Introduction
In the simplest terms:
DNSSEC provides digital signatures that allow validating clients to prove that DNS data was not modified in transit
3
![Page 4: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/4.jpg)
DNSSEC Introduction
Sources of DNS data generate signatures for data that they are authoritative for
Recursive servers check the signatures for correctness and signal to their clients the results of those checks
If data is provably good, the AD (Authenticated Data) bit may be set in response headers
If queried data is unable to be validated, yet is signaled to be signed, SERVFAIL responses are generated
4
![Page 5: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/5.jpg)
Background Knowledge
Before delving into DNSSEC
DNS resolution mechanics
The Delegation Chain
Some Cryptography Fundamentals
Digital Signatures
5
![Page 6: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/6.jpg)
DNS Resolution
Resolution is the process of obtaining answers from the DNS database in response to queries
Answers
are provided by authoritative servers
are cached by both recursive servers and clients
6
![Page 7: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/7.jpg)
DNS Resolution
Resolution is the process of obtaining answers from the DNS database in response to queries
Queries
originate within applications
are handled on clients by stub resolvers
are sent to and processed by recursive servers
7
![Page 8: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/8.jpg)
DNS Resolution
www.example.com ?
Local caching DNS server
What is the address of www.example.com?
8
![Page 9: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/9.jpg)
DNS Resolution
www.example.com ?
At this point, the local server knows nothing except the addresses of the
root servers from "root hints"
Do I have the address of www.example.com
in cache?Local caching DNS server
9
![Page 10: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/10.jpg)
DNS Resolution
.(root)
What is the address of www.example.com?
Local caching DNS server
www.example.com ?10
![Page 11: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/11.jpg)
DNS Resolution
.(root)
That record isn't in my list of "known zones", but it is closest to com.Local caching
DNS server
www.example.com ?11
![Page 12: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/12.jpg)
DNS Resolution
Here's a list of the com. name servers
Local caching DNS server
www.example.com ?
.(root)
12
![Page 13: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/13.jpg)
DNS Resolution
.(root)
com.
What is the address of www.example.com?
Local caching DNS server
www.example.com ?13
![Page 14: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/14.jpg)
DNS Resolution
.(root)
com.
Here's a list of the example.com. name servers.
Local caching DNS server
www.example.com ?14
![Page 15: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/15.jpg)
DNS Resolution
.(root)
com.
example.com.
Local caching DNS server
www.example.com ?
What is the address of www.example.com.
15
![Page 16: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/16.jpg)
DNS Resolution
.(root)
com.
example.com.
Here is the address of www.example.com.
Local caching DNS server
www.example.com ?16
![Page 17: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/17.jpg)
DNS Resolution
.(root)
com.
example.com.
Local caching DNS server
www.example.com ?
Here is the address of www.example.com.
17
![Page 18: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/18.jpg)
DNS Data Flow Vulnerabilities
18
Cache Poisoning
What if someone were able to insert data into a server’s cache That information would be returned to clients instead of "real" data
![Page 19: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/19.jpg)
DNS Data Flow Vulnerabilities
19
Servers can send irrelevant information in the Additional Section
By definition, the additional section should contain answers to questions that have yet to be asked
![Page 20: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/20.jpg)
DNS Data Flow Vulnerabilities
20
Authority
QuestionAnswer
Header
Additional
www.isc.org. A ?
www.isc.org. IN A 204.152.184.88
www.bank.com. IN A 204.152.184.88
![Page 21: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/21.jpg)
DNS Data Flow Vulnerabilities
Cache Poisoning
DNS uses UDP by default
Sender can fabricate anything in the packet
including source address
21
![Page 22: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/22.jpg)
DNS Data Flow Vulnerabilities
If I know a question that is about to be asked
I can flood responses containing my data, but a legitimate source
22
![Page 23: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/23.jpg)
Background Knowledge
Before delving into DNSSEC
DNS resolution mechanics
The Delegation Chain
Some Cryptography Fundamentals
Digital Signatures
23
![Page 24: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/24.jpg)
Cryptographic Fundamentals
Cryptography has four purposes:
Confidentiality Keeping data secret
Integrity Is it "as sent"?
Authenticity Did it come from the right place?
Non-Repudiation Don’t tell me you didn’t say that.
24
![Page 25: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/25.jpg)
Cryptographic Fundamentals
DNSSEC uses cryptography for two purposes:
Confidentiality Keeping data secret
Integrity Is it "as sent"?
Authenticity Did it come from the right place?
Non-Repudiation Don’t tell me you didn’t say that.
25
![Page 26: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/26.jpg)
Cryptography for DNS admins
To provide Authenticity and Integrity, we use:
Asymmetric Cryptography
Digital Signatures
26
![Page 27: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/27.jpg)
Asymmetric Cryptography
Keypairs – Public and Private Key Portions
Data encrypted with one piece of a key can be decrypted or checked for integrity with the other
It is unlikely that a person holding the public key will be able to reverse engineer the private key
27
![Page 28: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/28.jpg)
Asymmetric Cryptography
Data that can be decrypted is guaranteed to have been unaltered since encryption
Integrity
Since the data was decrypted with a public portion of a known key pair, the private portion must have been the one to encrypt the data
Authenticity
28
![Page 29: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/29.jpg)
Digital Signatures
Since we don't care about encrypting the entire content of the message...
Create a hash of the data to be sent, encrypt the hash with our private key and transmit it with the message
Anyone holding public key can authenticate and confirm integrity of the message
Anyone without the public key can still see the data
29
![Page 30: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/30.jpg)
Digital Signatures in DNSSEC
K1
DNS Data
Hashing Hash Encrypt
DNS Data
Signature
DNSData
Signature Decrypt
Hashing Hash
Hash
Transmit
If the two hashes match we know that the DNS data
has not been modified in transit, and that it was
created by the owner of K1
K2
30
![Page 31: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/31.jpg)
Digital Signatures for those that don't care
K1
DNS Data
Hashing Hash Encrypt
DNS Data
Signature
DNSData
Signature
Transmit
31
If the client does not care about, or is not able to do
the math required for validation, the signature can
be ignored
![Page 32: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/32.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
Deploying DNSSEC Zone
Administrative Decisions
32
![Page 33: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/33.jpg)
Administrative Decisions about DNSSEC
There are decisions that need to be made prior to deployment:
What algorithm will be used?
What bit-length for keying material?
NSEC or NSEC3 for proof of non-existence?
Two keys per zone? Yes, a Key-Signing Key (KSK) & a Zone-Signing Key (ZSK).
33
![Page 34: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/34.jpg)
What Algorithm Should Be Used?
Choice of algorithm depends on a number of criteria:
Interoperability with "legacy" systems
Requires use of RSASHA1 algorithm
Legality issues
GOST vs. RSA
Wide spread ability to validate chosen algorithm34
![Page 35: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/35.jpg)
ALG# Name Mnemonic 1 RSA/MD5 Deprecated 3 DSA/SHA1 DSA 5 RSA/SHA-1 RSASHA1 6 DSA-NSEC3-SHA1 NSEC3DSA 7 RSASHA1-NSEC3-SHA1 NSEC3RSASHA1 8 RSA/SHA-256 RSASHA25610 RSA/SHA-512 RSASHA51212 GOST R 34.10-2001 ECCGOST13 ECDSA Curve P-256 w/ SHA-256 ECDSAP256SHA256 14 ECDSA Curve P-384 with SHA-384 ECDSAP384SHA384
35
![Page 36: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/36.jpg)
Key Bit Length
The choice of bit-length for keying material is based on the algorithm being used and the purpose of the key
Algorithm requirements
RSA keys must be between 512 and 2048 bits
DSA keys must be between 512 and 1024 bits and an exact multiple of 64
NIST recommends 1024 bit ZSK and 2048 bit KSK
36
![Page 37: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/37.jpg)
NSEC vs. NSEC3 denial of existence
The NSEC method of proof-of-nonexistence allows "zone walking", as it proves negative responses by enumerating positive responses
NSEC3 disallows "zone walking", but it requires additional processing on both authoritative servers providing negative responses and on recursive servers doing validation
If you disallow zone transfers, you will want to deploy NSEC3
37
![Page 38: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/38.jpg)
DS Resource Records - Talking to our Parent…
To create chains of trust "in-protocol," the Key Signing Key of a zone is hashed and that hash is placed into the parent
This record is known as the Delegation Signing (DS) record
The DS record in the parent creates a secure linkage that an external attacker would have to overcome to forge keying material in the child
38
![Page 39: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/39.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
Deploying DNSSEC Zones
Technical Decisions
39
![Page 40: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/40.jpg)
Preparing for DNSSEC Deployment
There are a number of methods of deploying DNSSEC into existing zones:
Manual zone signing (In 2016, DDT - Don’t Do That!)
Automatic zone signing of dynamic zones
Automatic in-line signing "on-box"
Automatic in-line signing "bump-in-the-wire"
40
![Page 41: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/41.jpg)
Manual Zone Signing
Only do this if you are running BIND older than 9.9
BIND 9.7 ("DNSSEC for Humans") made life easier
Key rollover is painful when done manually
Manual insertion and deletion of keying material from zone files is fraught with danger
Requires manual signing and re-signing of zones upon zone changes and signature expiration
41
![Page 42: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/42.jpg)
Automatic Zone Signing of Dynamic Zones
BIND 9.7 and newer provide automation of zone signing of dynamic zones
Keying material contains timing "meta-data" that can allow automation of key rollover
Making a zone dynamic is significantly easier in recent versions of BIND
Dynamic zones are not always appropriate or allowed
42
![Page 43: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/43.jpg)
Automatic In-Line Signing
BIND 9.9 introduced In-Line signing
Signing of zones without knowledge of / changes to existing processes and procedures
On-Box in-line signing DNSSEC signs zones in memory on the same system on which they are mastered
Bump In The Wire signing provides signing on an intermediate system
Use this where existing infrastructure can't be modified
43
![Page 44: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/44.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
Deploying DNSSEC Zones
Abbreviated Technical Steps
44
![Page 45: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/45.jpg)
DNSSEC Signing - The Short List
Generate keys for zone
Insert public portions of keys Into zone
Sign zone with appropriate keys
Publish signed zone
DS in the parent zone
Validate! 45
![Page 46: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/46.jpg)
Signing a Zone
#!/bin/bash if [[ -z "$1" ]]; then exit fi echo Generating initial key for $1 ZONE=$1 echo Creating ZSK dnssec-keygen -K /etc/namedb/keys -a rsasha256 -b 1024 $ZONEecho Creating KSK dnssec-keygen -K /etc/namedb/keys -a rsasha256 -b 2048 -f ksk $ZONESALT=`printf "%04x" $RANDOM $RANDOM` echo Informing BIND that the zone $ZONE is to beecho NSEC3 signed - salt is $SALT rndc signing -nsec3param 1 1 10 $SALT $ZONE rndc sign $ZONE
46
![Page 47: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/47.jpg)
Insert Public Keying Material into Zone
If using in-line signing, inserting keying material into the zone is automatic
zone "dnslab.org" { type master; file "master/dnslab.org"; inline-signing yes; auto-dnssec maintain; };
In-line signing keeps a separate copy of the zone in memory and adds records to that zone, not modifying the zone on disk
47
![Page 48: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/48.jpg)
"Bump In The Wire" In-Line Signing
If there is a reason that your provisioning infrastructure can't be touched, consider “bump in the wire” in-line signing…
Master
Slave
Slave
Slave48
![Page 49: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/49.jpg)
"Bump In The Wire" In-Line Signing
If there is a reason that your provisioning infrastructure can't be touched, consider “bump in the wire” in-line signing…
Master
Slave
Slave
Slave
In-Line Signer
49
![Page 50: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/50.jpg)
"Bump In The Wire" In-Line Signing
UnsignedZone
UnsignedZone File
rndc reload
notifyixfr
data
UnsignedZone
SignedZone
notifyixfr
data
rndc sign
SignedZone File
rndc sync15 minutes
50
![Page 51: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/51.jpg)
"Bump In The Wire" In-Line Signing
zone "dnslab.org" { type slave; masters { true-master; }; also-notify { list-of-slaves; }; file "slave/dnslab.org"; inline-signing yes; auto-dnssec maintain; };
The master must be modified to only send notifies and allow zone transfers from the signing server
The slave servers must be modified to accept notifies and perform zone transfers from the signing server
51
![Page 52: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/52.jpg)
"Bump In The Wire" In-Line Signing
In-line signing, automatically inserts keying material into the zone
dnssec-keygen -K ./keys -a rsasha512 -b 1024 dnslab.orgdnssec-keygen -K ./keys -a rsasha512 -b 2048 -f ksk dnslab.org rndc signing -nsec3param 1 1 10 bad5a170 rndc retransfer dnslab.org rndc sign dnslab.org
52
![Page 53: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/53.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
Enabling DNSSEC Validation
53
![Page 54: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/54.jpg)
Validating DNSSEC
Authoritative Servers (master/slave) never do validation nor provide signaling of validation to clients
If a DNS response has the AA (authoritative answer) bit set, it will never have the AD (authenticated data) bit set
It is the job of the recursive (validating) server to do the work required to prove data is unmodified
54
![Page 55: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/55.jpg)
Validating DNSSEC
To validate DNSSEC, a recursive server must be able to track back to a trust anchor
Even if there is no trust anchor in place, a server may return signature data to the client in case the client can do validation itself
DNSSEC data (RRSIGS) are returned if the DO bit is set in the EDNS0 header
The AD bit is returned if validation to a trust anchor succeeded
55
![Page 56: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/56.jpg)
Validating DNSSEC
BIND uses trust anchors from "trusted-keys" statements:
trusted-keys { "." 257 3 8 "AwEAA[...]ihz0="; };
But what happens if the key changes? RFC-5011!
managed-keys { "." initial-key 257 3 8 "AwE[..]ihz0=";};
56
![Page 57: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/57.jpg)
Validating DNSSEC
RFC-5011 covers the problem of validating servers having to be reconfigured when trust-anchor material changes
If a trust anchor KSK RRSET adds a new key and that key remains published in the zone for 30 days, that key may be considered as a trust anchor for the zone
If the REVOKE bit is then set in the old KSK, the new KSK should be employed as the new trust-anchor for the zone
57
![Page 58: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/58.jpg)
The Root KSK will be rolled! Use managed-keys!
options { dnssec-enable yes; dnssec-validation yes; }; managed-keys { "." initial-key [.....]; };
58
![Page 59: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/59.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
Deep Diving DNSSEC
59
![Page 60: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/60.jpg)
DNSSEC Changes to DNS
To provide security to DNS, a number of new resource record types were introduced:
DNSKEY - Public portion of cryptographic key
RRSIG - Resource Record Signature
NSEC / NSEC3 - Proof of non-existance
NSEC3PARAM - NSEC3 parameter hint
DS - Delegation Signer 60
![Page 61: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/61.jpg)
DNSKEY Resource Records
The DNSKEY Resource Record provides the public portion of the key used to create signatures
Key type (ZSK or KSK)
Algorithm used
Key tag
Keying material
61
![Page 62: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/62.jpg)
DNSKEY Resource Records
dnslab.org. 3600 IN DNSKEY 256 3 8 ( AwEAAavBUcpNl+jBynAU3DCtX4gmKDCayF23sI0Yn434 LgLABSpfA8cPtW1SX3ukBRYPM0N5YerJec1xjPr+6e7O Ec+R2f+NvLzfChxorgQa2cOijDlqBUuSDlz+5kA+Mr4+ INHpmjGZFQzRTy1kPZI9/HaW/U8o9sUL7D2vA8kxS2Hl ) ; ZSK; alg = RSASHA256; key id = 7308
Label
TTL
Class
62
![Page 63: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/63.jpg)
DNSKEY Resource Records
dnslab.org. 3600 IN DNSKEY 256 3 8 ( AwEAAavBUcpNl+jBynAU3DCtX4gmKDCayF23sI0Yn434 LgLABSpfA8cPtW1SX3ukBRYPM0N5YerJec1xjPr+6e7O Ec+R2f+NvLzfChxorgQa2cOijDlqBUuSDlz+5kA+Mr4+ INHpmjGZFQzRTy1kPZI9/HaW/U8o9sUL7D2vA8kxS2Hl ) ; ZSK; alg = RSASHA256; key id = 7308
Type
Flags Protocol
Protocol is always 3 for DNSSECFlags: 256 for ZSK Flags: 257 for KSK 63
![Page 64: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/64.jpg)
DNSKEY Resource Records
dnslab.org. 3600 IN DNSKEY 256 3 8 ( AwEAAavBUcpNl+jBynAU3DCtX4gmKDCayF23sI0Yn434 LgLABSpfA8cPtW1SX3ukBRYPM0N5YerJec1xjPr+6e7O Ec+R2f+NvLzfChxorgQa2cOijDlqBUuSDlz+5kA+Mr4+ INHpmjGZFQzRTy1kPZI9/HaW/U8o9sUL7D2vA8kxS2Hl ) ; ZSK; alg = RSASHA256; key id = 7308
Key Material
Algorithm
Algorithm is determined during key generation 64
![Page 65: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/65.jpg)
DNSKEY Resource Records
dnslab.org. 3600 IN DNSKEY 256 3 8 ( AwEAAavBUcpNl+jBynAU3DCtX4gmKDCayF23sI0Yn434 LgLABSpfA8cPtW1SX3ukBRYPM0N5YerJec1xjPr+6e7O Ec+R2f+NvLzfChxorgQa2cOijDlqBUuSDlz+5kA+Mr4+ INHpmjGZFQzRTy1kPZI9/HaW/U8o9sUL7D2vA8kxS2Hl ) ; ZSK; alg = RSASHA256; key id = 7308
CommentsComments are created by specifying +multi on dig command line 65
![Page 66: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/66.jpg)
RRSIG Resource Records
RRSIG Resource Records provide signatures across a resource record set
Algorithm used
Number of labels covered
Original TTL
Key Tag and Key Origin
Digital Signature66
![Page 67: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/67.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Label
TTL
Class
67
![Page 68: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/68.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Covered RRSET typeType
Covered Type shows the RRSET that this signature validates 68
![Page 69: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/69.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Algorithm
Algorithm provides the alg# that was used to produce the signature 69
![Page 70: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/70.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Depth of labels
covered
Depth tells the number of labels in the name that is signed (used in wildcard validation) 70
![Page 71: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/71.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Original TTL of the covered RRSET
Original TTL allows validation of data where the TTL in cache does not match authoritative data 71
![Page 72: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/72.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Expiration and Inception Dates
Expiration and Inception Dates prevent replay attacks using signatures for changed data 72
![Page 73: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/73.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Key ID and Key Label provide information about the key used to create (and validate) the signature
Key IDKey Label
73
![Page 74: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/74.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Signature
74
![Page 75: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/75.jpg)
RRSIG Resource Records
www.dnslab.org. 11 IN A 50.19.120.198 www.dnslab.org. 11 IN RRSIG A 8 3 30 ( 20140324123008 20140222115153 7308 dnslab.org. CteKosqUJRLer5p6py+d9L3I1djQwzTruiSOYeOc1Qkp SvvP3cJKWsNbNgcrGh3Uz+Ms0V1+4AdUbNSgwR4rhsKG mSxrc4H0uuM/8uLAWKuAIYJnqOTD45ASc3FnttPIKdED Y1R2pvIn+jIvuxQ4w7z44/ZvF/ETayHk9GRagaE= )
Here is a resource record and its associated signature:
75
![Page 76: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/76.jpg)
DS Resource Records
To create chains of trust "in-protocol," the Key Signing Key of a zone is hashed and that hash is placed into the parent
This record is known as the Delegation Signing (DS) record
The DS record in the parent creates a secure linkage that an external attacker would have to overcome to forge keying material in the child
76
![Page 77: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/77.jpg)
DS Resource Records
The DS record contains:
The key tag of the key in the child
The algorithm number of the key
The hashing algorithm number used to create the DS
1 SHA-1 2 SHA-256 3 GOST R 34.11-94 4 SHA-384
The hash of the key77
![Page 78: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/78.jpg)
DS Records
dnslab.org. 86400 IN DS 9247 8 2 ( F788167DCF705C97D0CB1FD61F7B8EA807E61D8077FA 2F50660B871FF9D8DE24 )
LabelTTL
Class
78
![Page 79: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/79.jpg)
DS Records
dnslab.org. 86400 IN DS 9247 8 2 ( F788167DCF705C97D0CB1FD61F7B8EA807E61D8077FA 2F50660B871FF9D8DE24 )
TypeKey Tag
Key Alg#
79
![Page 80: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/80.jpg)
DS Records
dnslab.org. 86400 IN DS 9247 8 2 ( F788167DCF705C97D0CB1FD61F7B8EA807E61D8077FA 2F50660B871FF9D8DE24 )
Hash
Hash Alg
80
![Page 81: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/81.jpg)
DS Records
dnslab.org. 86394 IN DS 9247 8 2 ( F788167DCF705C97D0CB1FD61F7B8EA807E61D8077FA 2F50660B871FF9D8DE24 ) dnslab.org. 86394 IN RRSIG DS 7 2 86400 ( 20140318154949 20140225144949 24209 org. VWhUKxm+ig+yA/gV5kpEKB/Tb91R7b8dZTjpBtt4ZJFN AI7OVFT6wlEL9TlZGYsOX8bYB5VQhK6ZOMATIodIS/gG hQKGtC8sJG3I4ktuU/nMnyK/0FBCLnUpcGfk+A0E2ECj GLOLu6N/0cst9UH01+1oh30hMoMQVfpL9UOse+c= )
81DS record lives in the parent and is signed with parent ZSK
![Page 82: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/82.jpg)
DS Records
Parent:
dnslab.org. 86400 IN DS 9247 8 2 ( F788167DCF705C97D0CB1FD61F7B8EA807E61D8077FA 2F50660B871FF9D8DE24 )
Child:
dnslab.org. 3600 IN DNSKEY 257 3 8 ( AwEAAaHaqpWsLOXTNKdaYa9kQcK/HTaYYsT05rKzPHsY [...] BFlYBHoDZ6HHf5RmSYWUSXr3YYCpf9DwYnqT6Rc= ) ; KSK; alg = RSASHA256; key id = 9247
82
![Page 83: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/83.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
DNSSEC in the real world
83
![Page 84: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/84.jpg)
DNSSEC in the real world
Sandia National Labs & Verisign provide a web page that performs DNSSEC chain testing
http://www.dnsviz.net
84
![Page 85: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/85.jpg)
DNSSEC in the real world - what about the clients?
run your own validating resolver… NLNetLab’s dnssec-trigger
do validation in the browser… cz.nic’s DNSSEC Validator for Chrome
85
![Page 86: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/86.jpg)
More Real-World… Key Rollover Schedule
There is not “one answer” as to how often you should roll your keys.
NIST recommends:
KSK should be rolled once a year
ZSK should be rolled every 3 months
86
![Page 87: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/87.jpg)
Root Zone
KSK 19036 RSASHA256
ZSK 33655 RSASHA256
87
DS Record org zone
sha1 hash & sha256 hash
![Page 88: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/88.jpg)
88
ORG Zone
KSK 21366 NSEC3RSASHA1
ZSK 24209 NSEC3RSASHA1
![Page 89: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/89.jpg)
89
DNSLAB.ORG Zone
KSK 9247 RSASHA256
ZSK 7308 RSASHA256
![Page 90: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/90.jpg)
With a trust anchor for the root...
We trust . (root) KSK We trust . (root) ZSK We trust org DS
We trust org KSK We trust org ZSK We trust dnslab.org DS
We trust dnslab.org KSK We trust dnslab.org ZSK We trust dnslab.org RRsets
Or we can have a trust anchor for
any KSK90
![Page 91: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/91.jpg)
DNSSEC Trust tree: www.dnslab.org. (A) |---dnslab.org. (DNSKEY keytag: 7308 alg: 8 flags: 256) |---dnslab.org. (DNSKEY keytag: 9247 alg: 8 flags: 257) |---dnslab.org. (DS keytag: 9247 digest type: 2) |---org. (DNSKEY keytag: 24209 alg: 7 flags: 256) |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257) |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257) |---org. (DS keytag: 21366 digest type: 1) | |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) | |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---org. (DS keytag: 21366 digest type: 2) |---. (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful
Key Rollover
91
![Page 92: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/92.jpg)
Key Rollover
Key Rollover is by far the most terrifying part of DNSSEC
If rollover is done incorrectly, the zone affected "goes dark" and is unavailable to clients of validating servers
Having a zone "go insecure" is also not a good idea
This could easily be a "career ending" move
So....
Let's get to it 92
![Page 93: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/93.jpg)
Key Rollover
The difficulty with key rollover is caused (mostly) by the "loose coherence" in the DNS caused by caching
At no point can a signature exist for which the public portion of the key is not available
At no point can the DS in the parent not match an active KSK in the child
Taking the TTL into account (and not rushing anything), rollover is actually very easy
93
![Page 94: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/94.jpg)
Key Rollover
Remember:
KSK signs only the DNSKEY RRset in a zone
ZSK signs all authoritative RRsets in the zone
Everything except delegation NS records and glue
Initial signing of a zone causes it to expand anywhere up to 10x in size
When we roll keys, we don't want to double it again94
![Page 95: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/95.jpg)
Key Rollover
For KSK, we don't mind creating "double signatures" since doubling one signature is inconsequential
For ZSK, we don't want to create "double signatures" since doubling signatures on every RRSet in the zone will cause an unnecessary "ballooning" of the zone
There are two mechanisms for rolling keys:
KSK ---> Double Signing
ZSK ---> Pre-publication95
![Page 96: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/96.jpg)
ZSK Rollover -- Pre-Publication
1. Generate a new ZSK
2. Publish both keys, use only the old one for signing
3. Wait at least propagation time + TTL of the DNSKEY RR
4. Use new key for zone signing; leave old one published
5. Wait at least propagation time + maximum TTL of the old zone
6. Remove old key & re-sign96
![Page 97: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/97.jpg)
KSK Rollover -- Double Signature
1. Generate new KSK
2. Publish both old and new KSK, using both keys for signing
3. Send new DS record to the parent
4. Wait until the DS is propagated + TTL of the old DS
5. Remove the old key & re-sign
97
![Page 98: DNSSEC Trust tree: . (A) |---dnslab.org ... Tutori… · (DNSKEY keytag: 33655 alg: 8 flags: 256) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257) ;; Chase successful Deploying DNSSEC](https://reader034.vdocuments.us/reader034/viewer/2022051322/600cd951d48a193fd47a1210/html5/thumbnails/98.jpg)
Key Rollover Schedule
There is not “one answer” as to how often you should roll your keys.
NIST recommends:
KSK should be rolled once a year
ZSK should be rolled every 3 months
98