DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com
about:mozilla
Agenda • The Basics • Implementation • What I messed up • The Future
The What and the Why • DNS Security Extensions • Based on public key crypto • RFC 4033/34/35 • Validates • Ensures data is unchanged • DNS wasn’t created for today’s world
What’s new? • 4 new RRs - rfc 4034 • DNSKEY • DS • NSEC/NSEC3 • RRSIG
What’s new? • Keys - Public and Private • Key Signing Key - KSK • Zone Signing Key - ZSK • Key Tag • Algorithms • Rollovers • Operational Practices - rfc 4641
Chain of Trust
DNSKEY • Zone Name • TTL • 257 = KSK, 256 = ZSK • Key Algorithm: 7 = RSASHA1-NSEC3-SHA1
DS • Zone Name • TTL • Key Tag • 7 = Algo • Checksum: 1 = SHA1, 2 = SHA256
RRSIG • (Sub)Domain • A = Record Type • 7 = Algo • 3 = Labels • Expiry and Inception (YYYYMMDDHHMMSS) • Key Tag • Signer Name
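As an added example (not from the slides), the Python below builds DNSKEY RDATA from the fields shown above, computes the Key Tag (RFC 4034 Appendix B), derives the DS checksum for digest types 1 (SHA1) and 2 (SHA256), and checks whether a DS published in the parent matches a key actually present in the child zone, which is the "DS was live, no signed zones" failure described later in the deck. Key bytes and names are constructed for illustration.

```python
import base64
import hashlib

# DS digest type codes from the DS slide: 1 = SHA-1, 2 = SHA-256.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_name_wire(name):
    """Owner name in canonical (lowercase) DNS wire format, e.g. b'\\x07mozilla\\x03org\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 2-byte flags (257 = KSK, 256 = ZSK), protocol (3), algorithm, raw key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8   # odd offsets add the byte, even offsets add it << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex): the DS the parent zone publishes."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskeys(ds, dnskeys, owner):
    """True if some DNSKEY (flags, protocol, algorithm, key_b64) in the child zone hashes
    to the parent's DS. If this is False for every published DS, validating resolvers
    treat the whole zone as bogus: the 'security lameness' case."""
    tag, alg, dtype, digest = ds
    for flags, protocol, algorithm, pub in dnskeys:
        if ds_record(owner, flags, protocol, algorithm, pub, dtype) == (tag, alg, dtype, digest.lower()):
            return True
    return False


if __name__ == "__main__":
    # Constructed 4-byte 'key' (base64 of 00 01 02 03), not a real DNSKEY.
    ksk = (257, 3, 8, "AAECAw==")
    print(ds_record("mozilla.org.", *ksk))          # Key Tag 1549, alg 8, type 2, SHA-256 hex
    print(ds_matches_dnskeys(ds_record("mozilla.org.", *ksk), [ksk], "mozilla.org."))
```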
Before you leap... • Check if your TLD has been signed • Else you’re an Island of Trust • .org/.net/.com are all signed now • Check with your registrar about DNSSEC • You might have to poke a bit • http://bit.ly/dnssecorg • Make sure your software works • bind, unbound, opendnssec • own signer?
Setup
Commands • dnssec-keygen (-f KSK) • dnssec-settime • dnssec-signzone (-S)
Fetching ZSK 17852/NSEC3RSASHA1 from key repository.
Fetching KSK 51618/NSEC3RSASHA1 from key repository.
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 1 stand-by, 0 revoked
mozilla.org.signed
Signatures generated:                     5999
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:         5999
Signatures unsuccessfully verified:          0
Runtime in seconds:                      5.068
Signatures per second:                1183.636
Changes to bind
dnssec-enable yes;
dnssec-validation yes;
zone "mozilla.org" IN {
    type master;
    file "mozilla.org.signed";
};
Steps • Upgrade bind across the board • Kick off signer • DNS servers pick up changes and restart • Profit!!oneone!! • Send/Upload your DS records
Verify!
http://dnsviz.net/d/mozilla.org/dnssec/ Sandia National Labs
Things to be aware of • Keys are everything, protect them • Make sure you have a backup plan • Eventually, you run the risk of your entire domain being unreachable • Sign (zones), publish (zones) then push (DS) • Network equipment might need changes, e.g. raising the DNS inspection length limit on a Cisco PIX/ASA • Answer abuse email (hellz yeah!)
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 4096
boo-boo(s) • DS was live, no signed zones • aka “Security Lameness” • Log levels • Of course, everyone on twitter notices and #fails you.
Moving forward...
Adoption - Mozilla
Adoption - Worldwide http://secspider.cs.ucla.edu/ SecSpider - the DNSSEC monitoring project
Thanks! http://people.mozilla.org/~shyam/presentations/oscon-2011.pdf