tools for deployment of dnssec
play

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC - PowerPoint PPT Presentation

Dec 14, 2022 •344 likes •979 views

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

  1. COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010

  2. COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator Authoritative Server Administrator Zone Authoritative Add publish Data Server 3. www is 1.2.3.4 End 2. Request www User 1. Request www Client Recursive 4. www is 1.2.3.4 Server Recursive Server russ.mundy@cobham.com Administrator 2

  3. Simple Addition COBHAM I need to have a of DNSSEC signed WWW record (there are both much more and less complex setups than this) ‏ Zone Administrator Authoritative Server Administrator Zone Signed Authoritative Add sign publish Data Data Server 3. www is 1.2.3.4 End 2. Request www User new 1. Request www Client Validating Recursive 4. www is 1.2.3.4 Server Recursive Server russ.mundy@cobham.com Administrator 3

  4. COBHAM DNSSEC-Tools Suite • Suite of tools developed by SPARTA – Open Source project sponsored by DHS S&T – http://www.dnssec-tools.org/ – Free! (BSD License) ‏ • Status – Designed to make DNSSEC “easy” – Many tools: Pick what you need – Grouping of Tools provided on project web site: http://www.dnssec-tools.org/ russ.mundy@cobham.com

  5. COBHAM russ.mundy@cobham.com 5

  6. COBHAM DNS Today with SEC I need to add a (there are both much more and less complex setups than this) ‏ WWW record Zone Administrator Authoritative Server Administrator Zone Signed Authoritative Add sign publish Data Data Server 3. www is 1.2.3.4 End 2. Request www User new 1. Request www Client Validating Recursive 4. www is 1.2.3.4 Server Recursive Server russ.mundy@cobham.com Administrator

  7. COBHAM Some New Aspects With DNSSEC • Key maintenance • Zone Signing Operation • Provisioning: Memory, CPU, bandwidth • Parent-child communication of DNSSEC- related information • Trust Anchor Maintenance • New error codes in applications • Additional Troubleshooting russ.mundy@cobham.com 7

  8. COBHAM DNSSEC-Tools Components russ.mundy@cobham.com

  9. COBHAM Zone Administration Tools • DNSSEC Maintenance: – Zonesigner – Rollerd • Zone Data Quality Assurance: – Donuts – Mapper russ.mundy@cobham.com

  10. COBHAM Zone Admin Tools I need to add a WWW mapper record donuts rollerd Zone Administrator Authoritative Server Administrator Zone Signed Authoritative Add sign publish Data Data Server 3. www is 1.2.3.4 End 2. Request www User zonesigner 1. Request www Client Validating Recursive 4. www is 1.2.3.4 Server Recursive Server russ.mundy@cobham.com Administrator

  11. COBHAM zonesigner • Signs zones in one step • Defaults do the “right thing” • Wraps around the bind tools • Keeps track of state, keys, etc • Getting started: First time: zonesigner --genkeys example.com There after: zonesigner example.com russ.mundy@cobham.com

  12. COBHAM rollerd • Automatic key-rollover and signing daemon – Follows a defined policy for how often to roll keys – Handles both ZSK and KSK keys • Regular scheduled calls to zonesigner • Runs as a Daemon • Includes a separate utility to talk to the daemon – Check status – Start something “now” russ.mundy@cobham.com

  13. COBHAM donuts • DNS Zonefile error/lint checker – Validates all DNSSEC records – donutsd for running on a regular basis • Extendible: – Easily create your own site-specific rules (see tutorial) ‏ – Site specific configuration – Add/Remove specific types of features/checks • Expects the data to be readable – Zone data must be parsible – Doesn't report syntax errors russ.mundy@cobham.com

  14. COBHAM donuts: Browsable GUI example russ.mundy@cobham.com

  15. COBHAM mapper • Graphical map generator of zone data • Color codes zone data and relationships • Understands DNSSEC record types – Currently doesn't validate data – Just checks for existence and dates russ.mundy@cobham.com

  16. COBHAM mapper: example test.dnssec-tools.org russ.mundy@cobham.com

  17. COBHAM Authoritative Server Tools A subset of the Zone owner tools: • Zone Data Quality Assurance: – donuts – mapper • Other tools, discused later may be useful too: – logwatch – dnspktflow russ.mundy@cobham.com

  18. COBHAM Auth Server Tools I need to add a WWW mapper record donuts Zone Administrator Authoritative Server Administrator Zone Signed Authoritative Add sign publish Data Data Server 3. www is 1.2.3.4 End 2. Request www User 1. Request www Client Validating Recursive 4. www is 1.2.3.4 Server Recursive Server russ.mundy@cobham.com Administrator

  19. COBHAM Validating Recursive Server Tools • Trust Anchor Management – Trustman • Debugging – dnspktflow • Name Server Error Reporting – logwatch russ.mundy@cobham.com

  20. COBHAM I need to Validating Recursive Server Tools ‏ add a WWW record Zone Administrator Authoritative Server Administrator Zone Signed Authoritative Add sign publish Data Data Server 3. www is 1.2.3.4 End 2. Request www User trustman 1. Request www Client Validating Recursive 4. www is 1.2.3.4 Server dnspktflow Recursive Server russ.mundy@cobham.com logwatch Administrator

  21. COBHAM trustman • Manages validating resolver trust anchors – Detects new keys being deployed – Updates/Notifies when new zone keys are detected • RFC5011 compliant • Runs as a Daemon – has a run-once mode russ.mundy@cobham.com

  22. COBHAM dnspktflow • Analyzes DNS packets within tcpdump files • Requires wireshark – More importantly: tshark • Draws a diagram with: – Numbered requests/responses – Request/response contents – Circles, arrows and implements of destruction russ.mundy@cobham.com

  23. COBHAM dnspktFlow: example russ.mundy@cobham.com

  24. COBHAM www.dnssec-tools.org

  25. COBHAM www.cnn.com

  26. COBHAM logwatch • Summarizes DNSSEC related output from bind • Now included in logwatch 7.1 and beyond russ.mundy@cobham.com

  27. COBHAM End-User Tools • Libraries – Libval: a validating library for developers – Libval_shim: • system wide shim library • Forces all apps to be DNSSEC capable • Perl modules • Command-line troubleshooting utilities • DNSSEC-enabled applications russ.mundy@cobham.com

  28. COBHAM End-User Tools I need to add a WWW record Zone Administrator Authoritative Server Administrator Zone Signed Authoritative Add sign publish Data Data Server 3. www is 1.2.3.4 End 2. Request www User 1. Request www Client Validating Recursive 4. www is 1.2.3.4 Server Recursive Server openssh .. russ.mundy@cobham.com Administrator . firefox

  29. COBHAM DNSSEC-Tools: Libraries • DNSSEC validating resolver library - libval – Verifies DNS(SEC) data at the library layer – Portable-ish (getting more so) ‏ – Based on libbind – Thread-safe – Reentrant – Ca n p ull data directly or from a local caching resolver – BSD Licensed russ.mundy@cobham.com

  30. Libval_shim • LD_PRELOAD-based approach for adding DNSSEC capability to existing applications • The shim library implements most of the commonly-used resolver functions – Applications that use these functions can automatically become DNSSEC-capable if they run within an LD_PRELOAD environment with libval_shim. – Many applications are known to work out of the box with libval_shim

  31. COBHAM DNSSEC-Aware Applications • DNSSEC-Tools contains patches to: – firefox – thunderbird – postfix, sendmail, LibSPF – wget, lftp, ncftp, proftpd – OpenSSH – OpenSWAN (opportunistic encryption) ‏ – Jabberd • DNSSEC support provide through libval russ.mundy@cobham.com

  32. COBHAM Developer Resources • Test zone test.dnssec-tools.org – Contains many DNSSEC “errors” to test against • Developers guide to using the validator and resolver libraries - work in progress • PERL modules • Net::DNS::SEC::Tools • Net::DNS::SEC::Validator • Net::DNS::Zonefile::Fast • Net::addrinfo russ.mundy@cobham.com

  33. COBHAM Validation Library API • draft-hayatnagarkar-dnsext-validator-api-07.txt – Defines an API for interfacing with a validation library – Allows clients to state their policy – Allows clients to get DNS and validation results • High-level: val_gethostbyname • Low-level: val_resolve_and_check • Policy: val_istrusted – Implemented in DNSSEC-Tool's libval • Not yet an IETF Working Group document russ.mundy@cobham.com

  34. COBHAM firefox russ.mundy@cobham.com 34

  35. COBHAM thunderbird russ.mundy@cobham.com

  36. COBHAM DNSSEC Aware Phone N900 Users: it's “lookup” in extras-testing

  37. COBHAM postfix/sendmail/libspf • Protects various attributes of mail processing – MX record lookups – SPF record lookups russ.mundy@cobham.com

  38. COBHAM wget/lftp/ncftp • Protects address lookup russ.mundy@cobham.com

  39. COBHAM OpenSSH • Protects address lookup • Provides key discovery – Removes need for leap-of-faith – Protects against key reuse for key changes russ.mundy@cobham.com

  40. COBHAM Documentation • Step-by-step guide for DNSSEC operation using DNSSEC-Tools • Step-by-step guide for DNSSEC operation using BIND tools • Tutorials • Wiki • Manual pages • User Documentation russ.mundy@cobham.com

Recommend

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia Corporation, a

913 views • 37 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012

DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012

DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012 www.internetsociety.org/deploy360/ Our Panel Today Moderator: Dan York, Internet Society Panelists: Jim Galvin, Afilias Rick Lamb, ICANN Cricket Liu,

772 views • 41 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

Welcome! DNS/DNSSEC Deployment tutorial Champika Wijayatunga <champika@apnic.net> 2 August 2006, Karachi, Pakistan In conjunction with SANOG 8 Background The original DNS protocol wasnt designed with security in mind It has

705 views • 15 slides
Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill SNE RP2 Presentations July 2, 2014 1/19 Introduction Methodology Results

398 views • 19 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill RIPE68 May 14, 2014 1/20 Introduction Methodology Results Introduction 1

673 views • 20 slides
ECP SW deployment SDK / Spack in production environments Scalable tools Workshop 7/11/18

ECP SW deployment SDK / Spack in production environments Scalable tools Workshop 7/11/18

ECP SW deployment SDK / Spack in production environments Scalable tools Workshop 7/11/18 Breakout session The ECP SDK Deployment packaging for software areas in ECP and other Based on release cadence that includes Continuous

213 views • 4 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

610 views • 34 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
CONTINUOUS DEPLOYMENT WITH SINGULARITY Large Scale Mission-Critical Service and Job Deployment

CONTINUOUS DEPLOYMENT WITH SINGULARITY Large Scale Mission-Critical Service and Job Deployment

CONTINUOUS DEPLOYMENT WITH SINGULARITY Large Scale Mission-Critical Service and Job Deployment Gregory Chomatas @gchomatas PAAS TEAM Implement & maintain: the deploy & build tools the PAAS platform (mesos clusters) load balancer

623 views • 35 slides
Deployment Tools and Techniques Cengiz Gnay CS485/540 Software Engineering Fall 2014, some

Deployment Tools and Techniques Cengiz Gnay CS485/540 Software Engineering Fall 2014, some

Deployment Tools and Techniques Cengiz Gnay CS485/540 Software Engineering Fall 2014, some slides courtesy of J. Smith, R. Pressman, I. Sommerville, and the Internets Gnay (Emory MathCS) Deployment Fall 2014 1 / 6 (c) military.com The

408 views • 27 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides

More recommend