DNSSEC FIRST
Agenda
• What is DNSSEC?
• DNSSEC implementation
• DNSSEC in NIC Chile
• DNSSEC in authoritative servers
WHAT IS DNSSEC?
DNSSEC… What?!
Domain Name System (DNS)
• The Internet works with IP addresses (similar to telephone numbers)
  – Example: 200.1.123.3
• A DNS server is like a “phone guide to remember the IP address”
  – Example: www.nic.cl → 200.1.123.3
• This guide or database is hierarchical and distributed
How DNS works
[Figure: a client asks its resolver (DNS Server, with a cache) ¿www.uchile.cl?; the resolver asks the Root ¿cl?, is referred to ns.nic.cl, asks it ¿www.uchile.cl?, is referred to ns1.uchile.cl, and receives the address of www.uchile.cl from that authoritative server. The answer is cached until its expiration, and the client then requests http://www.uchile.cl/index.html (GET index.html). Roles shown: Resolver, Authoritative (root, ns.nic.cl, ns1.uchile.cl).]
DNS hierarchy
[Figure: zone files for ROOT, CL, ORG, NIC.CL and UCHILE.CL. Each zone holds its own records (NS, A, MX) and delegates the next level with NS records, root → cl → nic.cl / uchile.cl, which is what makes the database hierarchical and distributed.]
Motivation to implement security into DNS
• “Normal” DNS has no means to guarantee the authenticity of the information
• Neither can it guarantee the integrity of the information
• It is a highly distributed database
  – There is no centralized agent for verification
  – There are several points of failure
Security problems in DNS
[Figure: the same lookup for www.uchile.cl, but a forged answer labelled “from 200.1.123.4” reaches the resolver before the real one and points the name to evil.uchile.cl (6.6.6.0). The resolver has no way to tell that the data is not authentic, so the client’s GET index.html goes to the wrong server.]
DNS data flow
[Figure: zone generation on the Master; zone transfer from the Master to the Secondaries; queries from the Resolvers to the authoritative servers; the Stub Resolver (application library) on the client; dynamic updates sent into the Master.]
Vulnerabilities
[Figure: the same data flow annotated with where it can be attacked: data corruption (zone generation), unauthorized update (dynamic update), supplanting of a server, and cache poisoning at the resolvers. The figure groups them into server security versus data security; DNSSEC addresses the data-security side.]
DNS Security Extensions (DNSSEC)
• Guarantees data authenticity and integrity
  – Introduces digital signatures
• Uses trust chains from the root to the requested domain
• Introduces considerable extra complexity into the processes
Digital signature
[Figure: Bob sends Alice the message “I love you!”. Alice: “mmm… how may I be sure that the message comes from Bob (and that nobody has changed it)?”. Bob creates a key pair: he creates the signature with his private key, and Alice verifies it with Bob’s public key.]
How does DNSSEC work?
[Figure: the same lookup for www.uchile.cl, now with DNSSEC. Besides the referrals, the resolver obtains the keys of root, cl and uchile.cl and the DS records that the root publishes for cl and that cl publishes for uchile.cl, and validates each answer along that chain before handing the address to the client, which then requests http://www.uchile.cl/index.html.]
Some facts about digital signatures
• All the security resides in the private key
• The strength of a key is defined by the time needed to break it
  – The bigger the key, the longer it can live (harder to break)
• Creating a key pair is computationally expensive
• Generating a digital signature is computationally expensive (growing exponentially with the key size)
  – The existing domains are pre-signed
  – What about the non-existing domains?
Non-existing domains
[Figure: the query ¿existsfake.nic.cl? is answered NXDOMAIN by ns.nic.cl. Normal DNS: the answer carries no proof. DNSSEC: the names of the zone are kept in alphabetic order, and the answer carries the signed NSEC record for the gap ] exists.nic.cl , existstoo.nic.cl [ in which the queried name would have to be.]
Consequence: with several requests for domains we can learn the full zone (walking the zone).
[Figure: the same query with NSEC3. The zone is ordered by the hash of each name instead, e.g. H(www.nic.cl), H(mail.nic.cl), and the NXDOMAIN for existsfake.nic.cl is proven with the gap ] H(www.nic.cl) , H(mail.nic.cl) [ that contains H(existsfake.nic.cl) (shown as m = 635EA8F7CD9A76EEF610B1); the hash cannot be reversed to recover a name.]
New extension: NSEC3, solves “walking the zone”.
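As an added example (not from the slides), both denial-of-existence mechanisms above in Python: a constructed NSEC chain for the nic.cl names on the slide, the RFC 4034 canonical-order check that finds the gap proving existsfake.nic.cl does not exist (and thereby reveals its two neighbours), and the RFC 5155 NSEC3 hash with the same covering check run over hashed names, where only two hashes are returned. The zone names and salt are assumptions for the demonstration.

```python
import base64
import hashlib

# Constructed NSEC chain for the nic.cl example on the slide (not real zone data):
# each record names an owner and the next existing name in canonical order.
NSEC_CHAIN = [("nic.cl.", "exists.nic.cl."), ("exists.nic.cl.", "existstoo.nic.cl."),
              ("existstoo.nic.cl.", "www.nic.cl."), ("www.nic.cl.", "nic.cl.")]
# Standard base32 alphabet -> base32hex, the encoding NSEC3 uses for hashed owner names.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    """Lowercase labels of a domain name as bytes, trailing dot and root removed."""
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]

def canonical_key(name):
    """RFC 4034 canonical order: labels compared right to left, case-insensitively."""
    return tuple(reversed(labels(name)))

def covers(owner, nxt, qname, key=canonical_key):
    """True if qname lies in the gap ]owner, next[ that this record proves empty."""
    o, n, q = key(owner), key(nxt), key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # last record wraps around to the zone apex

def nsec_gap(qname, chain=NSEC_CHAIN):
    """Return the NSEC record denying qname; both of its names are exposed to the querier."""
    for owner, nxt in chain:
        if covers(owner, nxt, qname):
            return owner, nxt
    return None                    # qname exists (or the chain is broken)

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155: SHA-1 over the wire-format name plus salt, then `iterations` salted rounds."""
    wire = b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)

def nsec3_gap(qname, names, salt=b"", iterations=0):
    """Build the hashed chain for `names` and return the record covering H(qname)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    h = nsec3_hash(qname, salt, iterations)
    for owner, nxt in zip(hashes, hashes[1:] + hashes[:1]):
        if covers(owner, nxt, h, key=str):
            return owner, nxt      # only two hashes are revealed, not the names
    return None
```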
DNSSEC IMPLEMENTATION
Piece by piece…
Implementation
• DNS resources (Resource Records)
  Name              TTL    Class  Type  Value
  www.niclabs.cl.   86400  IN     A     200.27.115.130
  niclabs.cl.       3579   IN     NS    ns.niclabs.cl.
  niclabs.cl.       86400  IN     MX    10 smtp.niclabs.cl.
  www.niclabs.cl.   86400  IN     AAAA  2001:1398:16:4:100::2
New resource records
• Digital signature records
  – RRSIG: signature of an RRset
  – DNSKEY: public key
  – DS: Delegation Signer
• Consistency records
  – NSEC/NSEC3
Implementation
• DNSSEC introduces 4 new records
  – 1) RRSIG (digital signature)
  www.niclabs.cl.   19 IN A      212.247.7.218
  www.niclabs.cl.   19 IN RRSIG  A 5 3 60 20091019132001 (
                                 20091009132001 51428 niclabs.cl.
                                 W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW
                                 L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6
                                 Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl
                                 4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )
  RRSIG fields, in order: signed RR type (A), algorithm (5), labels (3), original TTL (60), expiration time (20091019132001), inception time (20091009132001), key tag (51428), signer’s name (niclabs.cl.), digital signature.
Implementation
• DNSSEC introduces 4 new records
  – 2) DNSKEY (public key)
  niclabs.cl.   3600 IN DNSKEY 256 3 5 (
                                 BQEAAAABwHjOzI7/4vXsmQGSDPSHSCJqVhpQNtyFgETJ
                                 ymEatCPKqC43zahNmucNVMURGXhzz31jRQXdriMAryqK
                                 dDHgS36/4ZsFMLSOZSXlR+O9rnmtpVtsTICoXprgBy6h
                                 GIYiIx6m8C+e9c9EfQjQW7E/216Wzoo2qE7UuR0XReaP
                                 980=
                                 ) ; key id = 51428
  niclabs.cl.   3600 IN DNSKEY 257 3 5 (
                                 AwEAAdhJAx197qFpGGXuQn8XH0tQpQSfjvLKMcreRvJy
                                 O+f3F3weIHR36E8DObolHFp+m1YkxsgnHYjUFN4E9sKa
                                 38ZXU0oHTSsB3adExJkINA/tINDlKrzUDn4cIbyUCqHN
                                 Ge0et+lHmjmfZdj62GJlHgVmxizYkoBd7Rg0wxzEOo7C
                                 A3ZadaHuqmVJ2HvqRCoe+5NDsYpnDia7WggvLTe0vorV
                                 6kDcu6d5N9AUPwBsR7YUkbetfXMtUebux71kHCGUJdmz
                                 p84MeDi9wXYIssjRoTC5wUF2H3I2Mnj5GqdyBwQCdj5o
                                 tFbRAx3jiMD+ROxXJxOFdFq7fWi1yPqUf1jpJ+8=
                                 ) ; key id = 16696
  DNSKEY fields, in order: flags (256 = Zone Key, i.e. ZSK; 257 = Zone Key + Entry Point, i.e. KSK), protocol (3, fixed), algorithm (5), public key. The key id in the comment is the key tag.
Implementation
• DNSSEC introduces 4 new records
  – 3) DS (delegation)
  niclabs.cl.   1007 IN DS 16696 5 1 (
                                 EF5D421412A5EAF1230071AFFD4F585E3B2B1A60 )
  niclabs.cl.   1007 IN RRSIG DS 5 1 3600 20091022230530 (
                                 20091016022314 12075 cl.
                                 HAqB5XoFsakxjmzk6YvRvJFXHyXvBMfjjPbd0u4RXojV
                                 fGGrHtBgt5eIh/c6X8p+JDONf5nypt7cFatUCRm2M4N3
                                 ZbBKOJyYonFU4LIEQ5CjmHVFCJHBOxKLDAWe2P3jX4/a
                                 kQ3JUy5SKztkoGn4GFhQnjCgWyf+n1GqAwTgD6A= )
  DS fields, in order: key tag (16696), algorithm (5), hash type (1), hash value. The RRSIG over the DS is the signature from the parent zone (cl., key tag 12075).
Implementation
• DNSSEC introduces 4 new records
  – 4) NSEC (non-existing domain: none.niclabs.cl)
  lists.niclabs.cl.   3536 IN NSEC  ns.niclabs.cl. A MX RRSIG NSEC
  lists.niclabs.cl.   3536 IN RRSIG NSEC 5 3 3600 20091026132001 (
                                 20091016132001 51428 niclabs.cl.
                                 npxr6gaJtvrdYFndtKa8rJYcIdonp6q/Nrklaf6xoMN9
                                 xDbIqem0HzzM5qPStXWbG3TGSWJfIwqOeY6FMAaXER/e
                                 hlg+eFyRd5Zb/EAxSIx4NMUkKrWMkdsj49GZhHO9yEtB
                                 5yRU1T4Ii2GULiX233DwvWt/+ZLaJfEODU0kVTk= )
  NSEC fields: next existing domain (ns.niclabs.cl.) and the resource types associated with lists.niclabs.cl. (A MX RRSIG NSEC).
Key issues
• Interaction with the parent is administratively expensive
  – Should only be done when needed
  – Bigger keys with a long lifetime are better
• Signing zones should be fast
  – Memory restrictions
  – Space and time concerns
  – Smaller keys with short lifetimes are better
Key solution
• Operate with two keys
  – KSK: Key Signing Key
    • Bigger key
    • Creates bigger signatures (just signs the ZSK DNSKEY)
    • Long lifetime (years)
  – ZSK: Zone Signing Key
    • Smaller key
    • Creates smaller signatures
    • Short lifetime (months)
• Entry Point flag in the DNSKEY flags (256 = ZSK / 257 = KSK)
Walking the trust chain
.            DNSKEY (id = 11) ; KSK
             DNSKEY (id = 22) ; ZSK
             RRSIG DNSKEY (11)
cl.          DS 33
             RRSIG DS (...) (22)
cl.          DNSKEY (id = 33) ; KSK
             DNSKEY (id = 44) ; ZSK
             RRSIG DNSKEY (33)
nic.cl.      DS 55
             RRSIG DS (...) (44)
nic.cl.      DNSKEY (id = 55) ; KSK
             DNSKEY (id = 66) ; ZSK
             RRSIG DNSKEY (55)
www.nic.cl.  A 200.1.123.3
             RRSIG A (...) (66)
Root KSK signs the root ZSK; root ZSK signs the authoritative data (SOA, NS, DS, etc.)
cl. KSK signs the cl. ZSK; cl. ZSK signs the authoritative data (SOA, NS, DS, etc.)
Verify the trust chain
• Data in the zone can be trusted if signed by a ZSK
• The ZSK can be trusted if signed by a KSK
• The KSK can be trusted if pointed to by a trusted DS record
• The DS record can be trusted:
  – if signed by the parent ZSK
  – a DS or DNSKEY can be trusted if it is a Secure Entry Point (SEP)
[Figure: lifetime for signatures and keys]
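An added model (not from the slides) of the verification rules on the two slides above, in Python. The key tags are those of the walking-the-trust-chain slide; signature checks are abstracted to matching key tags, and the validator returns the resolver states secure, insecure or bogus depending on which link of the chain is missing or broken. The zone table, the data record and the helper names are assumptions for the demonstration.

```python
# Model of the "Walking the trust chain" slide: each "rrsig" field only records the
# key tag that signed the RRset, standing in for a real signature check (no crypto here).
ZONES = {
    ".":       {"ksk": 11, "zsk": 22, "rrsig_dnskey": 11, "ds": {"cl.": 33}, "rrsig_ds": 22},
    "cl.":     {"ksk": 33, "zsk": 44, "rrsig_dnskey": 33, "ds": {"nic.cl.": 55}, "rrsig_ds": 44},
    "nic.cl.": {"ksk": 55, "zsk": 66, "rrsig_dnskey": 55, "ds": {}, "rrsig_ds": None},
}
DATA = {("www.nic.cl.", "A"): {"value": "200.1.123.3", "rrsig": 66}}   # constructed
TRUST_ANCHOR = 11   # root KSK configured in the resolver: the secure entry point

def parent(zone):
    return "." if zone.count(".") == 1 else zone.split(".", 1)[1]

def enclosing_zone(name, zones):
    """Longest zone on file that contains name (nic.cl. for www.nic.cl.)."""
    return max((z for z in zones if z == "." or name == z or name.endswith("." + z)), key=len)

def zone_state(zone, zones=ZONES, anchor=TRUST_ANCHOR):
    """Slide rules: ZSK <- KSK <- DS <- parent ZSK <- parent KSK ... <- trust anchor."""
    z = zones[zone]
    if z["rrsig_dnskey"] != z["ksk"]:
        return "bogus"        # DNSKEY RRset must be signed by the zone's own KSK
    if z["ksk"] == anchor:
        return "secure"       # this KSK is the configured secure entry point
    if zone == ".":
        return "bogus"        # root KSK does not match the trust anchor
    pstate = zone_state(parent(zone), zones, anchor)
    if pstate != "secure":
        return pstate         # a broken or unsigned parent decides the child's state
    p = zones[parent(zone)]
    if zone not in p["ds"]:
        return "insecure"     # secure parent but no DS: unsigned delegation
    if p["ds"][zone] != z["ksk"] or p["rrsig_ds"] != p["zsk"]:
        return "bogus"        # DS names another key, or is not signed by the parent ZSK
    return "secure"

def validate(name, rtype, zones=ZONES, data=DATA, anchor=TRUST_ANCHOR):
    """Data is secure only if signed by the ZSK of a zone whose own chain is secure."""
    zone = enclosing_zone(name, zones)
    state = zone_state(zone, zones, anchor)
    if state != "secure":
        return state
    return "secure" if data[(name, rtype)]["rrsig"] == zones[zone]["zsk"] else "bogus"

def altered(zones, zone, **fields):
    """Copy of the zone table with some fields of one zone changed, to exercise failures."""
    new = {k: dict(v, ds=dict(v["ds"])) for k, v in zones.items()}
    new[zone].update(fields)
    return new
```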
DNSSEC IN NIC CHILE
Or… how to implement DNSSEC in a TLD?
DNSSEC in the world
• Operative TLDs:
  – .se .org .gov .br .bg .cz .pr .na .th
• Root zone:
  – fully deployed by July 2010
  – So, no more excuses for not implementing it!
• And Chile…?
NIC Chile
• Working on DNSSEC since
  – 2004/xx: First toy tests...
  – 2008/07: Niclabs starts formal research
  – 2008/11: Internal working group
  – 2009/06: Internal resolver with ITAR & DLV (BIND + Unbound)
  – 2009/07: Testbed .CL + DNSSEC
  – 2009/08: Public resolver resolversec.niclabs.cl
NIC Chile
• Short term solution
  – Signing differences
  – DS registration by hand
  – Currently in test
• Long term solution
  – DS exchange integrated with EPP
  – Distributed crypto
  – Open generic solution for the community
Long term solution in NIC Chile
[Figure: architecture of the long term solution]
Securing the key
• Threshold cryptography
AUTHORITATIVE SERVERS
yes, your servers…
DNSSEC: what do I need?
• You want to do it! (really)
• Define signature and key lifetimes
  – RRSIG: 1 month
  – ZSK: 3 months / KSK: 1 year
• Define key sizes
  – KSK >= 2048 and ZSK >= 1024
• Define your process and policy
  – Documentation (emergency recovery)
  – Training
Key creation
• KSK
  dnssec-keygen -a RSASHA1 -r /dev/urandom -b 2048 -f KSK -n ZONE cl.
• ZSK
  dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE cl.
Zone signing
• NSEC
  dnssec-signzone -o cl -N INCREMENT -k Kcl.+005+28753 -r /dev/random cl.zone Kcl.+005+31320
• NSEC3
  – Algorithm NSEC3RSASHA1
  – -3 "salt": salt for the hash computation
  – -A: Opt-Out
  dnssec-signzone -o cl -N INCREMENT -k Kcl.+005+28753 -r /dev/random -3 "123" -A cl.zone Kcl.+005+31320
Zone re-signing
• -i interval: how long “old” signatures are kept
• Default cycle interval = (end time - start time)/4
• An RRSIG is replaced with a new one if it expires within the last cycle interval
CONCLUSIONS
Decisions for DNSSEC
• NSEC or NSEC3?
• Key sizes?
  – KSK (Key Signing Key) and ZSK (Zone Signing Key)
• Lifetime for keys/signatures?
• Sign everything at once? Opt-out?
• Revoking keys
  – Normal rollover, key compromise, key lost
  – Overlap of keys (old ones sign new ones)?
  – Parent and child zones?
Other issues
• Resolver behaviour
  – Domain secure, insecure, bogus, indeterminate
• How much does DNSSEC cost?
  – CPU, memory, time, bandwidth, effort, development
DNSSEC…
• Solves the authenticity and integrity problems
• Introduces a lot of operational overhead
  – Key management must be improved
  – Needs practice
• Is it worth it?
  – Open discussion…