monitoring dnssec
play

Monitoring DNSSEC Martin Leucht <martin.leucht@os3.nl> Julien - PowerPoint PPT Presentation

Jan 19, 2023 •272 likes •468 views

Monitoring DNSSEC Martin Leucht <martin.leucht@os3.nl> Julien Nyczak <julien.nyczak@os3.nl> Supervisor: Rick van Rein System and Network Engineering 2015 Introduction DNSSEC becomes more and more popular Expired RRSIG RR

  1. Monitoring DNSSEC Martin Leucht <martin.leucht@os3.nl> Julien Nyczak <julien.nyczak@os3.nl> Supervisor: Rick van Rein System and Network Engineering 2015

  2. Introduction ¤ DNSSEC becomes more and more popular ¤ Expired RRSIG RR might result that zone not available ¤ Need for monitoring ¤ Monitoring systems exist but are too specific to be widely deployed ¤ Solution: Monitoring DNSSEC through SNMP

  3. SNMP ¤ standard application protocol to manage and monitor devices running on IP network ¤ can be implemented for applications as well ¤ agent-manager architecture ¤ structure of the management information and SNMP variables defined in a Management Information Base (MIB) ¤ SNMP variables are assigned to Object Identifiers (OID) in a hierarchical manner

  4. Research Questions ¤ What are vital life signs for monitoring DNSSEC? ¤ How to construct a MIB module for DNSSEC? ¤ How to conduct monitoring based on such a MIB? ¤ How do architectures for monitoring DNSSEC compare?

  5. Approach (1/2) ¤ To be independent on other software components (only AXFR and authoritative queries) ¤ Vital life signs for DNSSEC ¤ Availability of a zone from a resolver point of view (initial check) ¤ Verify DNSKEY RRSIG against published KSK ¤ DS record count = delegation count (in a parent zone) ¤ TTL checks ¤ List of name servers for a zone ¤ Expiration date of RRSIG for SOA, NS, DNSKEY ¤ Discrepancies in serial numbers between slave and master (slave serving expired data)

  6. Approach (2/2) ¤ Construct the MIB based on vital life signs ¤ Write the SNMP subagent (python-netsnmpagent) ¤ How data is retrieved from zones? ¤ From a central repository: XML ¤ DNSSEC data collected via AXFR requests, DNS queries to authorities and resolvers

  7. DNSSEC MIB implementation (1/4) ¤ OID entry point inside ARPA2 OID tree (enterprise OID 44469): ¤ ARPA2-Experimental-DNSSEC-MIBv1 ¤ .1.3.6.1.4.1.44469.666.53.46.161.1

  8. DNSSEC MIB implementation (2/4) ¤ Objects are defined using a subset of Abstract Syntax Notation One (ASN.1) called "Structure of Management Information Version 2 (SMIv2)" RFC 2578 ¤ Objects organized in columnar (conceptual tables) or scalar objects. ¤ Four tables indexed by domain name (OCTET-STRING) ¤ dnssecZoneGlobalTable, dnssecZoneAuthNSTable, dnssecZoneSigTable, dnssecZoneDiffTable ¤ Datatype INTEGER to represent boolean and numeric values, OCTET- STRING to represent strings (e.g domain names) ¤ Usage of Textual conventions to customize object-types

  9. DNSSEC MIB implementation (3/4) +--arpa2experimentaldnssecMIBv1(1) | +--dnssecObjects(1) | | | +--dnssecGeneral(1) | | | | +--dnssecZoneGlobal(2) | | | | | +--dnssecZoneGlobalTable(2) | | | | | +--dnssecZoneGlobalEntry(1) | | | Index: dnssecZoneGlobalIndex | | | +--dnssecZoneAuthNS(3) | | | | | +--dnssecZoneAuthNSTable(3) | | | | | +--dnssecZoneAuthNSEntry(1) | | | Index: dnssecZoneGlobalIndex | | | | +--dnssecZoneSig(4) | | | | | +--dnssecZoneSigTable(4) | | | | | +--dnssecZoneSigEntry(1) | | | Index: dnssecZoneGlobalIndex | | | | +--dnssecZoneDiff(5) | | | +--dnssecZoneDiffTable(5) | | | +--dnssecZoneDiffEntry(1) | | Index: dnssecZoneGlobalIndex | | +--dnssecMIBConformance(2) | +--dnssecMIBGroups(1) | | | +--dnssecMIBScalarGroup(1) | +--dnssecMIBTableGroup(2) | +--dnssecMIBCompliances(2)

  10. DNSSEC MIB implementation (3/4) +--arpa2experimentaldnssecMIBv1(1) | +--dnssecObjects(1) | | | +--dnssecGeneral(1) | | | | +--dnssecZoneGlobal(2) | | | | | +--dnssecZoneGlobalTable(2) | | | | | +--dnssecZoneGlobalEntry(1) | | | Index: dnssecZoneGlobalIndex | | | +--dnssecZoneAuthNS(3) | | | | | +--dnssecZoneAuthNSTable(3) | | | | | +--dnssecZoneAuthNSEntry(1) | | | Index: dnssecZoneGlobalIndex | | | | +--dnssecZoneSig(4) | | | | | +--dnssecZoneSigTable(4) | | | | | +--dnssecZoneSigEntry(1) | | | Index: dnssecZoneGlobalIndex | | | | +--dnssecZoneDiff(5) | | | +--dnssecZoneDiffTable(5) | | | +--dnssecZoneDiffEntry(1) | | Index: dnssecZoneGlobalIndex | | +--dnssecMIBConformance(2) | +--dnssecMIBGroups(1) | | | +--dnssecMIBScalarGroup(1) | +--dnssecMIBTableGroup(2) | +--dnssecMIBCompliances(2)

  11. DNSSEC MIB implementation (4/4) dnssecZoneGlobalIndex OBJECT-TYPE DomainOctetString ::= TEXTUAL-CONVENTION SYNTAX DomainOctetString DISPLAY-HINT "255t" MAX-ACCESS not-accessible STATUS current STATUS current DESCRIPTION "An octet string containing characters in UTF-8 DESCRIPTION "Reference index for each observed zone" encoding." ::= { dnssecZoneGlobalEntry 1 } SYNTAX OCTET STRING (SIZE (1..255)) ARPA2-Experimental-DNSSEC-MIBv1::dnssecZoneGlobalServFail. " derby.practicum.os3.nl" = INTEGER: noerror(1) dnssecZoneGlobalServFail OBJECT-TYPE SYNTAX CustomInteger CustomInteger ::= TEXTUAL-CONVENTION MAX-ACCESS read-only STATUS current STATUS current DESCRIPTION "Convention for return values of Integer variables." DESCRIPTION "Indicates that ..." SYNTAX INTEGER { noerror(1), error(2), unknown(3) } ::= { dnssecZoneGlobalEntry 2 }

  12. DNSSEC MIB implementation (4/4) dnssecZoneGlobalIndex OBJECT-TYPE DomainOctetString ::= TEXTUAL-CONVENTION SYNTAX DomainOctetString DISPLAY-HINT "255t" MAX-ACCESS not-accessible STATUS current STATUS current DESCRIPTION "An octet string containing characters in UTF-8 DESCRIPTION "Reference index for each observed zone" encoding." ::= { dnssecZoneGlobalEntry 1 } SYNTAX OCTET STRING (SIZE (1..255)) ARPA2-Experimental-DNSSEC-MIBv1::dnssecZoneGlobalServFail. " derby.practicum.os3.nl" = INTEGER: noerror(1) dnssecZoneGlobalServFail OBJECT-TYPE SYNTAX CustomInteger CustomInteger ::= TEXTUAL-CONVENTION MAX-ACCESS read-only STATUS current STATUS current DESCRIPTION "Convention for return values of Integer variables." DESCRIPTION "Indicates that ..." SYNTAX INTEGER { noerror(1), error(2), unknown(3) } ::= { dnssecZoneGlobalEntry 2 } .1.3.6.1.4.1.44469.666.53.46.161.1.1.2.2.1.2 . 22 . 100.101.114.98.121.46.112.114.97.99.116.105.99.117.109.46.111.115.51.46.110.108 = INTEGER: 1

  13. SNMP subagent implementation (1/4) ¤ NET-SNMP toolkit à de-facto standard for SNMP implementations on most OS ¤ Includes applications (snmpget, snmpwalk, etc.) and libraries ¤ Includes C API to write own AgentX subagents RFC 2741 ¤ Subagents register to snmpd master agent via Unix socket

  14. SNMP subagent implementation (2/4) ¤ AgentX SNMP subagent based on Python NET-SNMP API module “netsnmpagent” written by Pieter Hollants licensed under GPLv3 Warning: Consider this when using our prototype ! ¤ UpdateSNMPObject() function is self written ¤ Subagent is capable of most SNMP data types ¤ Handles requests for our DNSSEC MIB ¤ Allows to register, update and clear table rows and scalar values ¤ Subagent works asynchronously, data update thread is decoupled from data providing thread ¤ Data for subagent is provided by two main wrapper scripts (dnspython)

  15. SNMP subagent implementation (3/4)

  16. SNMP subagent implementation (4/4)

  17. Conclusion / Future Work ¤ Proof of concept based on SNMP to cover critical data of DNSSEC signed zones ¤ Conduct monitoring based on proof of concept ¤ SNMP Notifications/Traps ¤ Expand MIB to cover more DNSSEC related data ¤ Validation of all RRSIG RR (expired/non validated) ¤ Check for broken NSEC3 chain ¤ …

  18. Demo

Recommend

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker &lt;wes.hardaker@parsons.com&gt; Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar, ICANN DNSSEC WS 1 DNSSEC penetration About 17% domains is signed That means ~ 145.000 domains! (of 856.000) Check numbers at

180 views • 17 slides
DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl June 23rd 2010 woensdag 2 juni 2010 About SURFnet National Research and Educational Network in The Netherlands

154 views • 11 slides
Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons Attribution 3.0 https://fedoraproject.org/ What is Fedora Fedora is a fast, stable, and powerful

671 views • 7 slides
DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT Tutorial T11-3 1 Agenda What is a Registry, how is it run? Steps Towards Internal DNSSEC Steps Towards External DNSSEC Tough

898 views • 76 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides

More recommend