DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com - PowerPoint PPT Presentation

  1. DNSSEC @ Mozilla OSCON, 2011 Shyam Mani shyam@mozilla.com

  2. about:mozilla

  3. Agenda • The Basics • Implementation • What we I messed up • The Future

  4. What and the Why • DNS Security Extensions • Based on public key crypto • RFC 4033/34/35 • Validates origin (the answer really came from the holder of the zone's key) • Ensures data is unchanged in transit • Signs, does not encrypt: no confidentiality • DNS wasn't created for today's world

  5. What’s new? • 4 new RRs - rfc 4034 (NSEC3 is in rfc 5155) • DNSKEY • DS • NSEC/NSEC3 • RRSIG

  6. What’s new? • Keys - Public and Private • Key Signing Key - KSK • Zone Signing Key - ZSK • Key Tag • Algorithms • Rollovers • Operational Practices - rfc 4641

  7-8. Chain of Trust (diagram slides, no text)

  9-19. DNSKEY (one record, annotated field by field across slides 9-19)
  <Zone Name> <TTL> IN DNSKEY <Flags> <Protocol> <Algorithm> <Public Key>
  • Zone Name - the apex of the zone this key signs
  • TTL
  • Flags: 257 = KSK (Zone Key + Secure Entry Point), 256 = ZSK (Zone Key only)
  • Protocol: always 3
  • Key Algorithm: 7 = RSASHA1-NSEC3-SHA1
  • Public Key: base64

  20-32. DS (one record, annotated field by field across slides 20-32)
  <Zone Name> <TTL> IN DS <Key Tag> <Algorithm> <Digest Type> <Digest>
  • Zone Name - the child zone; the record itself is published by the parent
  • TTL
  • Key Tag - of the child's KSK this DS points at
  • 7 = Algo (must match the DNSKEY's algorithm)
  • Digest Type (called "Checksum" on the slides): 1 = SHA1, 2 = SHA256
  • Digest (the "Checksum" itself): hash over the child's owner name + the DNSKEY RDATA

  33-48. RRSIG (one record, annotated field by field across slides 33-48)
  <(Sub)Domain> <TTL> IN RRSIG <Type Covered> <Algorithm> <Labels> <Original TTL> <Expiry> <Inception> <Key Tag> <Signer Name> <Signature>
  • (Sub)Domain - owner name of the RRset being signed
  • A = Record Type (the type covered)
  • 7 = Algo
  • 3 = Labels (labels in the owner name, not counting the root or a leading wildcard)
  • Expiry and Inception - YYYYMMDDHHMMSS in UTC; the signature is only usable between them
  • Key Tag - of the DNSKEY (usually the ZSK) that produced this signature
  • Signer Name - the zone apex whose DNSKEY verifies it
  • Signature: base64
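Added example, not from the slides: the RRSIG fields above as a parser plus the checks a validator runs before touching any crypto, which is also where the "domain unreachable" failure mode lives once signatures expire. The record is constructed (an RRSIG over www.mozilla.org A with dummy signature bytes); the key tag 17852 is assumed to be the ZSK shown in the signer output later in the deck.

```python
# Added example (not from the Mozilla slides): parse an RRSIG in presentation
# format and run the checks a validator applies before touching any crypto:
# is "now" inside the inception/expiry window, does the Labels field reveal a
# wildcard expansion, and is the signer the zone that owns the name?
# The record below is constructed; its signature field is dummy base64.
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_RRSIG = (
    "www.mozilla.org. 300 IN RRSIG A 7 3 300 "
    "20110819000000 20110720000000 17852 mozilla.org. c2lnbmF0dXJlYnl0ZXM="
)


@dataclass
class RRSig:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: str   # YYYYMMDDHHMMSS, UTC (RFC 4034 s3.2)
    inception: str
    key_tag: int
    signer: str
    signature_b64: str


def _to_dt(stamp: str) -> datetime:
    # Only the 14-digit form is handled; RFC 4034 also allows a bare
    # seconds-since-epoch integer, which dig does not print by default.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> RRSig:
    f = line.split()
    if f[2:4] != ["IN", "RRSIG"]:
        raise ValueError("not an RRSIG record: " + line)
    return RRSig(
        owner=f[0], type_covered=f[4], algorithm=int(f[5]), labels=int(f[6]),
        original_ttl=int(f[7]), expiration=f[8], inception=f[9],
        key_tag=int(f[10]), signer=f[11], signature_b64="".join(f[12:]),
    )


def label_count(name: str) -> int:
    # "www.mozilla.org." -> 3.  The root label and a leading "*" are not
    # counted, matching how RFC 4034 s3.1.3 defines the Labels field.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return len(labels) - (1 if labels and labels[0] == "*" else 0)


def validity(sig: RRSig, now: str) -> str:
    """Window check (RFC 4035 s5.3.1); `now` is YYYYMMDDHHMMSS in UTC."""
    t = _to_dt(now)
    if t < _to_dt(sig.inception):
        return "not yet valid"
    if t > _to_dt(sig.expiration):
        return "expired"          # validating resolvers now SERVFAIL this name
    return "in window"


def seconds_to_expiry(sig: RRSig, now: str) -> int:
    """Positive while valid; the number a monitoring check should alert on."""
    return int((_to_dt(sig.expiration) - _to_dt(now)).total_seconds())


def wildcard_status(sig: RRSig, rrset_owner: str) -> str:
    """Compare Labels with the answer's owner name (RFC 4035 s5.3.1)."""
    n = label_count(rrset_owner)
    if sig.labels > n:
        return "bogus"            # Labels larger than the owner name: reject
    if sig.labels < n:
        return "wildcard"         # answer was synthesized from a wildcard RRset
    return "exact"


def signer_is_zone_of(sig: RRSig, rrset_owner: str) -> bool:
    """Signer's Name must be the owner itself or an ancestor of it."""
    owner = rrset_owner.lower().rstrip(".") + "."
    signer = sig.signer.lower().rstrip(".") + "."
    if signer == ".":
        return True
    return owner == signer or owner.endswith("." + signer)
```

Feeding the same functions the RRSIGs from a `dig +dnssec` dump of your own zone, with `now` taken from the clock, is the cheapest re-signing monitor there is: alert when `seconds_to_expiry` drops below your signer's re-sign interval.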

  49. Before you leap... • Check if your TLD has been signed • Else you’re an island of security: validators can only trust you if they carry your key as an out-of-band trust anchor • .org/.net/.com are all signed now • Check with your registrar about DNSSEC (it has to accept and publish your DS records) • You might have to poke a bit • http://bit.ly/dnssecorg • Make sure your software works • bind, unbound, opendnssec • own signer?

  50-51. Setup (diagram slides, no text)

  52. Commands
  • dnssec-keygen (-f KSK)
  • dnssec-settime
  • dnssec-signzone (-S)
  Output of dnssec-signzone -S for mozilla.org:
    Fetching ZSK 17852/NSEC3RSASHA1 from key repository.
    Fetching KSK 51618/NSEC3RSASHA1 from key repository.
    Verifying the zone using the following algorithms: NSEC3RSASHA1.
    Zone signing complete:
    Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                             ZSKs: 1 active, 1 stand-by, 0 revoked
    mozilla.org.signed
    Signatures generated:                     5999
    Signatures retained:                         0
    Signatures dropped:                          0
    Signatures successfully verified:         5999
    Signatures unsuccessfully verified:          0
    Runtime in seconds:                      5.068
    Signatures per second:                1183.636

  53. Changes to bind (named.conf)
    options {
        dnssec-enable yes;
        dnssec-validation yes;
    };
    zone "mozilla.org" IN {
        type master;
        file "mozilla.org.signed";
    };
  dnssec-validation only takes effect on a server that recurses for clients; the authoritative side just needs to serve the .signed file instead of the unsigned one.

  54. Steps • Upgrade bind across the board • Kick off signer • DNS servers pick up changes and restart • Profit!!oneone!! • Send/Upload your DS records

  55-56. Verify! • http://dnsviz.net/d/mozilla.org/dnssec/ (DNSViz, Sandia National Labs)

  57. Things to be aware of
  • Keys are everything, protect them
  • Make sure you have a backup plan
  • Eventually, you run the risk of your entire domain being unreachable: once signatures expire, or the DS at the parent no longer matches a DNSKEY you serve, every validating resolver answers SERVFAIL for the whole zone
  • Sign (zones), publish (zones) then push (DS)
  • Network equipment might need changes - e.g. Cisco ASA DNS inspection, whose default message-length limit is too small for DNSSEC responses:
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 4096
  • Answer abuse email (hellz yeah!)

  58. boo-boo(s) • DS was live, no signed zones • aka “Security Lameness” • Log levels
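Added example, not from the slides or Mozilla's tooling: the DS walk-through (slides 20-32) turned into code, i.e. how the Key Tag and Digest are derived from a DNSKEY, and then the consistency check that would have caught the slide-58 state (DS live at the parent, nothing signed at the child) before anyone on Twitter did. All records are constructed; the 4-byte public key is a dummy, and the parent/child sets are passed in as lists rather than fetched from DNS.

```python
# Added example (not from the Mozilla slides): derive a DS from a DNSKEY the
# way RFC 4034 defines it (key tag in Appendix B, digest in s5.1.4, SHA-256
# per RFC 4509), then compare a parent's DS set with a child's DNSKEY set to
# catch the "security lame" state of slide 58 before a validator does.
# Every record here is constructed; the 4-byte public key is a dummy.
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types


def name_to_wire(name: str) -> bytes:
    # Canonical form (RFC 4034 s6.2): lowercase, length-prefixed labels, root.
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))


def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in.
    # (Algorithm 1, RSAMD5, used a different rule and is obsolete.)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, flags: int, protocol: int, algorithm: int,
             pubkey_b64: str, digest_type: int = 2) -> str:
    """DS RDATA in presentation form: '<key tag> <algorithm> <digest type> <hex>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dnskey(line: str):
    # "<owner> <ttl> IN DNSKEY <flags> <protocol> <algorithm> <base64 ...>"
    f = line.split()
    if f[2:4] != ["IN", "DNSKEY"]:
        raise ValueError("not a DNSKEY record: " + line)
    return f[0], int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])


def delegation_status(parent_ds: list, child_dnskeys: list) -> str:
    """What a validator concludes from the parent's DS set and the child's
    DNSKEY set (RFC 4035 s5.2).  Both are lists of presentation-format lines."""
    if not parent_ds:
        return "island of security" if child_dnskeys else "insecure"
    candidates = set()
    for line in child_dnskeys:
        owner, flags, proto, alg, key = parse_dnskey(line)
        if proto != 3 or not flags & 0x100:   # must be a Zone Key (RFC 4034 s2.1.1)
            continue
        for dt in DIGESTS:
            candidates.add(ds_rdata(owner, flags, proto, alg, key, dt))
    for line in parent_ds:
        f = line.split()
        if f[2:4] != ["IN", "DS"]:
            continue
        # dig may split the digest into several words; rejoin it without spaces.
        rdata = " ".join(f[4:7]) + " " + "".join(f[7:]).upper()
        if rdata in candidates:
            return "secure"
    # DS published but no served DNSKEY matches it (or no DNSKEY at all):
    # slide 58's situation; validators return SERVFAIL for the whole zone.
    return "security lame"
```

`ds_rdata(...)` with `digest_type=2` is what goes to the registrar; run `delegation_status` against `dig DS` at the parent and `dig DNSKEY` at your own servers after every KSK rollover, and make "security lame" or "island of security" a paging alert.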

  59. boo-boo(s) • Of course, everyone on Twitter notices and #fails you.

  60. boo-boo(s)

  61. Moving forward...

  62. Adoption - Mozilla

  63. Adoption - Worldwide http://secspider.cs.ucla.edu/ SecSpider - the DNSSEC monitoring project

  64. Thanks! http://people.mozilla.org/~shyam/presentations/oscon-2011.pdf
