towards set and forget dnssec
play

Towards Set and Forget DNSSEC The beginning of the end of key - PowerPoint PPT Presentation

Sep 18, 2022 •266 likes •463 views

Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Mans HSM Part 2) ccNSO Tech Day, 15 July 2013, Durban, ZA, Richard Lamb, slamb@xtcn.com Typical Signer (I am not a graphic artist!) time signer zone

  1. Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Man’s HSM Part 2) ccNSO Tech Day, 15 July 2013, Durban, ZA, Richard Lamb, slamb@xtcn.com

  2. Typical Signer (I am not a graphic artist!) time signer zone [Pre-gen data s/w signed DNSKEY RRsets] digital hash(inception/ ZSK signature expiration time, [KSK] valid for RRset data…) (HSM) ~week validity=~week (RRSIG)

  3. Compromise: not if but when time signer zone [Pre-gen data s/w signed DNSKEY RRsets] hash(10 years ZSK digital from now, signature [KSK] RRset data…) (HSM) good for 10 years!

  4. Safe Signer signer zone data s/w inception/ digital time source, expiration time, signature maximum RRset data… valid for < validity ~week ~week, ZSK, KSK

  5. Can always recover w/o dealing with parent (no KSK roll) signer zone data s/w 10 years from digital now, RRset time source, signature maximum data… valid for < validity ~week ~week, ZSK, KSK

  6. Further simplification signer zone s/w ZSK data s/w “Push button to roll zsk” inception/ digital time source, expiration time, signature maximum RRset data… valid for < validity ~week ~week, KSK, RNG

  7. Problem: HSM’s do not work this way • Nothing stopping me from building it – we have the technology precision RTC wire mesh /w LP SRAM battery tamper IC /w for keys temp and 3.3V reg voltage det TPM 32bit-ARM (ATSC3204 ) (128K/64K ) photo vibration detector sensor card magnetometer usb reader

  10. Features • Tamper IC (STM1404) “supports” FIPS 140-2 level 4 • TPM ~20 1024 RSA/sec • RNG • 2-factor M-of-N using built-in card reader or Google Authenticator Token for setting parameters (e.g., max validity), key generation, backup/migration • Remote M-of-N capability • modified BIND 9.9.2 RRSIG interface or pkcs11 driver • 2048bit RSA keyed firmware loader • Tamper protected precision temperature compensated RTC (PCF2127) • Low cost

  11. Authentication example # screen /dev/ttyUSB0 115200 > version Cryptobat firmware version 0.60.51D8207C (c) KLW rst:software rtt:2296/4294967295 rstc: sr:00010300 mr:00000001 > date Y:13 M:07 D:06 h:14 m:14 s:02 ok 1373120042 > colist > coadd lamb ***write***read Added CO: lamb Secret: HZ5KNVA3KA3UYD2U https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/lamb?secret=HZ5KNVA 3KA3UYD2U > colist |lamb| not present > cologin lamb 192498 checkpin: del=0 CO lamb Ok > colist |lamb| present > setmaxval 3600 Configuration disabled

  12. Cont.. > coadd jakob ***write***read Added CO: jakob Secret: 7MZDTPOU4JWESYFO .... > colist |lamb| present |jakob| not present > cologin jakob 061612 Failed > cologin jakob 107712 CO jakob Ok > colist |lamb| present |jakob| present > setmaxval 3600 Maximum validity period set to +3600 seconds > coreset > colist |lamb| not present |jakob| not present > date Y:13 M:07 D:06 h:14 m:20 s:07 ok 1373120407

  13. Signing using modified dnssec-signzone # bind-9.9.2-P2/bin/dnssec/dnssec-signzone -s now -e +300 -v 5 -x -o testzone -k Ktestzone.+008+35407 testzone Ktestzone.+008+58968 dnssec-signzone: debug 3: pkcs11_parse: Start dnssec-signzone: debug 3: pkcs11: pkcs11_login: start dnssec-signzone: debug 3: pkcs11: pkcs11_initlib Start C_GetFunctionList+1636: C_Initialize+1519: serial_init+1872:Openned /dev/ttyUSB0 |> v2on| |TWI_ConfigureMaster()| |Using CKDIV = 1 and CLDIV/CHDIV = 158 CWGR=00019E9E| C_GetSlotList+1414: C_OpenSession+1430: dnssec-signzone: debug 3: pkcs11: C_Login 1 C_Login+1394: dnssec-signzone: debug 3: pkcs11: pkcs11_parse Ktestzone.+008+35407 C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000002 C_FindObjectsFinal+844: C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000003 C_FindObjectsFinal+844: C_GetAttributeValue+1014: C_GetAttributeValue+1014: dnssec-signzone: testzone/NSEC: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: testzone/DNSKEY: dnssec-signzone: signing with dnskey testzone/RSASHA256/35407 dnssec-signzone: debug 3: pkcs11: rick_thsm doing pkcs11_RSA_sign TIMED C_SignInit+673: writecryptolcmd: |tpmloadkey| 559

  14. Cont… |> tpmloadkey| |***write| |***read| |***write| |***read| |tpm_loadkey: handle = 3285047210 hex: 0xC3CDD7AA| |ok: key loaded handle=C3CDD7AA| C_SignInit+728:|ok: key loaded handle=C3CDD7AA| C_SignInit+736:tpmhandle:C3CDD7AA hsmhandle:00000003 dnssec-signzone: debug 3: pkcs11: pkcs11_RSA_sign TimedSign C_Sign 1 C_Sign+748: |> tpmtimedsign| | checking expiration time 1373120022 < 1373123348 and algorithm 8| | computing hash of 468 bytes:| |***write| |***read| |tpm_sign: handle = C3CDD7AA| |***write| |***read| |ok: signature| | 69 35 47 56 E5 0E A6 B2 26 29 50 59 40 1C FD 4E |… |DONE| C_Sign+782:signature:

  15. Cont… dnssec-signzone: testzone/SOA: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: testzone/NS: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: www.testzone/NSEC: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: www.testzone/A: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 Verifying the zone using the following algorithms: RSASHA256. Zone fully signed: Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked ZSKs: 1 active, 0 present, 0 revoked testzone.signed dnssec-signzone: debug 3: pkcs11: pkcs11_logout: C_Logout 1 C_Logout+1402: C_CloseSession+1470: |> tpmflush C3CDD7AA| |***write| |***read| |> tpmreset| |***write| |***read| C_CloseSession: done dnssec-signzone: debug 3: pkcs11: pkcs11_logout: done C_Finalize+1504

  16. Cont…validity period too long # bind-9.9.2-P2/bin/dnssec/dnssec-signzone -s now -e +3700 -v 5 -x -o testzone -k Ktestzone.+008+35407 testzone Ktestzone.+008+58968 dnssec-signzone: debug 3: pkcs11: pkcs11_login: start dnssec-signzone: debug 3: pkcs11: pkcs11_initlib Start C_GetFunctionList+1636: C_Initialize+1519: serial_init+1872:Openned /dev/ttyUSB0 |> v2on| |TWI_ConfigureMaster()| |Using CKDIV = 1 and CLDIV/CHDIV = 158 CWGR=00019E9E| C_GetSlotList+1414: C_OpenSession+1430: dnssec-signzone: debug 3: pkcs11: C_Login 1 C_Login+1394: dnssec-signzone: debug 3: pkcs11: pkcs11_parse Ktestzone.+008+35407 C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000002 C_FindObjectsFinal+844: C_FindObjectsInit+816: C_FindObjects+943: MATCHED 00000003 C_FindObjectsFinal+844: C_GetAttributeValue+1014: C_GetAttributeValue+1014: dnssec-signzone: testzone/NSEC: dnssec-signzone: signing with dnskey testzone/RSASHA256/58968 dnssec-signzone: testzone/DNSKEY: dnssec-signzone: signing with dnskey testzone/RSASHA256/35407 dnssec-signzone: debug 3: pkcs11: rick_thsm doing pkcs11_RSA_sign TIMED C_SignInit+673: writecryptolcmd: |tpmloadkey| 559 |> tpmloadkey| |***write| |***read| |***write| |***read| |tpm_loadkey: handle = 1815518807 hex: 0x6C369E57| |ok: key loaded handle=6C369E57|

  17. Cont… C_SignInit+728:|ok: key loaded handle=6C369E57| C_SignInit+736:tpmhandle:6C369E57 hsmhandle:00000003 dnssec-signzone: debug 3: pkcs11: pkcs11_RSA_sign TimedSign C_Sign 1 C_Sign+748: |> tpmtimedsign| | checking expiration time 1373123496 < 1373123422 and algorithm 8| |fail: RRSIG expiration time exceeds HSM policy| C_Sign+782:signature: dnssec-signzone: fatal: dnskey 'testzone/RSASHA256/35407' failed to sign data: ran out of space C_Finalize+1504: C_CloseSession+1470: |> tpmflush 6C369E57| |***write| |***read| |> tpmreset| |***write| |***read| C_CloseSession: done

  18. I’ll have some ZnS with that please (gamma ray scintillation detector)

  19. Thanks to Jakob Schlyter, Frederico Neves, Roy Arends, David Miller, and so many others

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
They may forget what you said, but they will never forget how you made them feel .

They may forget what you said, but they will never forget how you made them feel .

They may forget what you said, but they will never forget how you made them feel . @ModestRobert @BunnyfootSays 1 Emotional Design 2 Technology moves from utilitarian to higher needs including emotion 3 Technology moves from

918 views • 55 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker &lt;wes.hardaker@parsons.com&gt; Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
Lest we forget The tumult and the shouting dies; The Captains and the Kings depart: Still stands

Lest we forget The tumult and the shouting dies; The Captains and the Kings depart: Still stands

Lest we forget The tumult and the shouting dies; The Captains and the Kings depart: Still stands Thine ancient sacrifice, An humble and a contrite heart. Lord God of Hosts, be with us yet, Lest we forget lest we forget! Far-called our

507 views • 11 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar, ICANN DNSSEC WS 1 DNSSEC penetration About 17% domains is signed That means ~ 145.000 domains! (of 856.000) Check numbers at

180 views • 17 slides
DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl June 23rd 2010 woensdag 2 juni 2010 About SURFnet National Research and Educational Network in The Netherlands

154 views • 11 slides
Dont forget the past Dont forget the concerns of citizens 1- Information TRUST NIMBY

Dont forget the past Dont forget the concerns of citizens 1- Information TRUST NIMBY

May 5, 2006 Dont forget the past Dont forget the concerns of citizens 1- Information TRUST NIMBY as an excuse to minimize reality Give fair, correct first hand information directly to the Locals: technologies, security,

334 views • 4 slides

More recommend