Abstract image of a woman sitting on books and studying on a laptop

DNSSec: Internet achter de schermen

Devnology, profile picture
Devnology

The document discusses DNSSEC and efforts to secure the Domain Name System (DNS). It describes common DNS security threats like cache poisoning, where an attacker provides false data to a caching name server by guessing query IDs. The Kaminsky attack exploited a flaw that made it possible to guess IDs and poison caches without prior knowledge of the target domain's cache contents. DNSSEC aims to prevent such attacks by digitally signing DNS data to verify its integrity and authenticity.

Technology
1 of 64
Downloaded 25 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
DNS at NLnet Labs Matthijs Mekking
Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
NLnet • Internet Provider until 1997 – The first internet backbone in Holland • Funding research and software projects that aid the Internet community – 1999, NLnet Labs http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
NLnet Labs • Founded in 1999, DNSSEC • DNS, DNSSEC, IPv6, routing • Software development – NSD, Unbound, ldns, OpenDNSSEC –C • Work on open standards (IETF) – RFCs 3750, 3904, 4641, 5702, ... • Education – DNS courses, student projects http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
IETF • Internet Engineering Task Force • “The goal of the IETF is to make the Internet work better” • Technical documents (RFC) • http://www.ietf.org http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
What is DNS? • Domain Name System • We want to refer machines by name – devnology.nl instead of 62.212.74.133 • In the beginning there was HOSTS.TXT... • ... but then the Internet grew • Problems with traffic and load, name collisions http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
What is DNS? • DNS was created in 1983 by Paul Mockapetris – RFCs 822 and 823 • IETF Full Standard in 1987 – RFCs 1034 and 1035 • Enhanced, updated, modified – RFCs 1123, 1982, 2181, 2308, 2671 (EDNS0), 2672, 3425, 4343, 4592, 5001 (NSID), 5452, 5936 and more http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNS at IETF • Internet Engineering Task Force • “The goal of the IETF is to make the Internet work better” • Technical documents (RFC) • http://www.ietf.org http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNS Features • A lookup mechanism for translating objects into other objects • A globally, distributed, loosely coherent, scalable, reliable, dynamic database • Comprised of three components – Name space – Servers making the name space available – Clients who perform the name resolution http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name space http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name space • Database of DNS Resource Records NAME TYPE CLASS TTL RDLEN RDATA devnology.nl A IN 3600 1 RDATA_A devnology.nl NS IN 3600 1 RDATA_NS • Different RDATA format Domain name ns1.transip.net IPv4 62.212.74.133 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Resource records • SOA: Source of Authority • A: IPv4 Address • AAAA: IPv6 Address • MX: Mail Server • NS: Name Server (delegation) • PTR: Reverse Lookup • TXT: Arbitrary Text • ... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Example zonefile devnology.nl. IN SOA ( ns0.transip.net. hostmaster.transip.nl. 2010032002 14400 1800 604800 86400 ) devnology.nl. IN NS ns0.transip.net. devnology.nl. IN NS ns1.transip.net. devnology.nl. IN NS ns2.transip.net. devnology.nl. IN MX 10 ASPMX.L.GOOGLE.COM. devnology.nl. IN MX 30 ASPMX3.GOOGLEMAIL.COM. ... devnology.nl. IN TXT ( "v=spf1 ip4:62.212.74.133 a mx a:devnology.nl include:aspmx.googlemail.com ~all" ) devnology.nl. IN A 62.212.74.133 www.devnology.nl. IN CNAME devnology.nl. http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Reverse zone 74.212.62.in-addr.arpa. IN SOA ( ns1.leaseweb.nl. postmaster.leaseweb.nl. 2002111068 14400 7200 604800 86400 ) 74.212.62.in-addr.arpa. IN NS ns2.leaseweb.nl. 74.212.62.in-addr.arpa. IN NS ns3.leaseweb.org. 74.212.62.in-addr.arpa. IN NS ns1.leaseweb.nl. 1.74.212.62.in-addr.arpa. IN PTR hosted-by.leaseweb.com. 2.74.212.62.in-addr.arpa. IN PTR tiltbox.com. ... 133.74.212.62.in-addr.arpa. IN PTR devnology.nl. ... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution ;; QUESTION SECTION: ;www.devnology.nl. IN A ;; AUTHORITY SECTION: nl. 172800 IN NS ns1.nic.nl. nl. 172800 IN NS ns-nl.nic.fr. ;; ADDITIONAL SECTION: ns1.nic.nl. 172800 IN A 193.176.144.2 ns-nl.nic.fr. 172800 IN A 192.93.0.4 ns1.nic.nl. 172800 IN AAAA 2a00:d78:0:102:193:176:144:2 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution ;; QUESTION SECTION: ;www.devnology.nl. IN A ;; AUTHORITY SECTION: devnology.nl. 7200 IN NS ns0.transip.net. devnology.nl. 7200 IN NS ns1.transip.net. devnology.nl. 7200 IN NS ns2.transip.net. ;; ADDITIONAL SECTION: • Additional section is empty, need to query for ns{0,1,2}.transip.net http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution ;; QUESTION SECTION: ;www.devnology.nl. IN A ;; ANSWER SECTION: www.devnology.nl. 86400 IN CNAME devnology.nl. devnology.nl. 86400 IN A 62.212.74.133 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Reverse zone ; <<>> DiG 9.7.0-P1 <<>> -x 62.212.74.133 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:23068 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;133.74.212.62.in-addr.arpa. IN PTR ;; AUTHORITY SECTION: 74.212.62.in-addr.arpa. 77364 IN SOA ns1.leaseweb.nl. postmaster.leaseweb.nl. 2002111068 14400 7200 604800 86400 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNS on the wire +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ID | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |QR| Opcode |AA|TC|RD|RA| Z | RCODE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | QDCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ANCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | NSCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ARCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Authoritative NS • Makes the name space available – Zone files vs Database backends – Master vs. Slaves – Zone transfers • Incremental zone transfers – RFC 1995 • DNS NOTIFY – RFC 1996 • TSIG and SIG(0) – RFC 2845 and 2931 – Dynamic updates (DHCP) – RFC 2136 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
What's the threat? • DNS Threat Analysis (RFC 3833) – Packet interception • Confidentiality, Integrity, Availability – ID Guessing & Query prediction • devnology.nl IN A 6.6.6.6 – Name chaining • devnology.nl IN NS ns0.evilguy.com – Denial of service (flooding name servers) • Slave servers http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
What's the threat? • Confidentiality? – DNS is public data – IPSec • Availability? – As with any network service – DNSSEC does not prevent Denial of Service (in fact it makes it worse) • Integrity – DNSSEC will ensure integrity http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Cache poisoning • Provide false data to a caching name server (query prediction, id guessing) • Based on a flaw in the DNS, first answer is the correct one, ignore duplicates http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Cache poisoning • How does a resolver know a response is expected? – Arrives on the same UDP port – Question section matches – Query ID matches – The Authority and Additional sections represent names that are within the same domain as the question: this is known as "bailiwick checking". http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Kaminsky attack • Based on ID guessing (16 bits) • Prerequisite is that the data is not in the cache • High TTL is sort of defense mechanism (but not against the Kaminsky attack) http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Real response ;; QUESTION SECTION: ;111.nlnetlabs.nl. IN NS ;; AUTHORITY SECTION: nlnetlabs.nl. 3600 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2010080100 28800 7200 604800 3600 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Real response ;; QUESTION SECTION: ;www.nlnetlabs.nl. IN A ;; ANSWER SECTION: www.nlnetlabs.nl. 9888 IN A 213.154.224.1 ;; AUTHORITY SECTION: nlnetlabs.nl. 10117 IN NS open.nlnetlabs.nl. nlnetlabs.nl. 10117 IN NS ns3.domain-registry.nl. ;; ADDITIONAL SECTION: open.nlnetlabs.nl. 528 IN A 213.154.224.1 open.nlnetlabs.nl. 9162 IN AAAA 2001:7b8:206:1::53 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Fake response ;; QUESTION SECTION: ;111.nlnetlabs.nl. IN A ;; ANSWER SECTION: 111.nlnetlabs.nl. 9888 IN A 6.6.6.1 ;; AUTHORITY SECTION: nlnetlabs.nl. 10117 IN NS ns1.evilguy.com. nlnetlabs.nl. 10117 IN NS ns2.transip.net. ;; ADDITIONAL SECTION: open.nlnetlabs.nl. 528 IN A 213.154.224.1 open.nlnetlabs.nl. 9162 IN AAAA 2001:7b8:206:1::53 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Kaminsky attack 1.foo.nl? foo.nl SOA 1.foo.nl! 1.foo.nl! 6.6.6.1 NXDOMAIN ­ Invalid ID ­ Duplicate http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Kaminsky attack foo.nl SOA 9.foo.nl A 6.6.6.1 9.foo.nl? foo.nl NS ns.evil 9.foo.nl! 9.foo.nl! 6.6.6.1 NXDOMAIN ­ Duplicate http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Kaminsky attack • Solution 1: add more randomness – UDP source port randomization – 2^16 * 2^11 = 2^27 = 134 million – Short term solution • Solution 2: DNSSEC http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC • DNS Security Extensions – RFC 4034, 4035 • Data origin authentication, data integrity • Public key cryptography – The DNSKEY Record • Adds signatures to responses – The RRSIG Record http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC RRs • DNSSEC Resource Records NAME TYPE CLASS TTL RDLEN RDATA devnology.nl DNSKEY IN 3600 1 RDATA_DNSKEY devnology.nl RRSIG IN 3600 1 RDATA_RRSIG ORIG TYPE ALGO. LABELS ORIG TTL SIG EXPIRE SIG START SOA RSASHA1 2 3600 01/09/2010 01/08/2010 KEY TAG SIGNER NAME SIGNATURE 12345 devnology.nl AwEE3dF0... FLAGS PROTOCOL ALGORITHM PUBLIC KEY 257 3 RSASHA1 AQPSKmy... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC RRs • DNSKEY: Public key • RRSIG: Signature • DS: Delegation Signer – Provides a secure path at the delegation (between parent zone and child zone) • NSEC: Denial of Existence – broodjeaap.nl is proven not to exist • NSEC3: Hashed Denial of Existence http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC RRs devnology.nl. IN RRSIG SOA 5 2 3600 ( 20100831131949 20100803131949 46792 devnology.nl. RYY.../yik= ) ... devnology.nl. IN DNSKEY 257 3 5 AwE...htWV devnology.nl. IN RRSIG DNSKEY 5 2 3600 ... devnology.nl. IN NSEC www.devnology.nl. A NS SOA MX TXT ( RRSIG NSEC DNSKEY ) devnology.nl. IN RRSIG NSEC 5 2 86400 ... www.devnology.nl. IN CNAME devnology.nl. www.devnology.nl. IN RRSIG CNAME 5 3 360 ... www.devnology.nl. IN NSEC devnology.nl. CNAME RRSIG NSEC www.devnology.nl. IN RRSIG NSEC 5 3 86400 ... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC query ;; ANSWER SECTION: devnology.nl. 3600 IN A 62.212.74.133 devnology.nl. 3600 IN RRSIG A 5 2 3600 20100831131949 20100803131949 46792 devnology.nl. TO+EysNigcB/rXBZ89mv31OKZnX3/2xp6ClOr96cUg10qNXU11RCoHQteeW705AF tqV0e8WK7QMVFSPu0TRTnXNwcEDIP/qvzBu7bMSjcM7XejDg1ff+WgfJ5Ra4C1Dv rYq4Rj03kKzQPSBiE9DiKO3zcQgUCEVEdJ03YrY+NbY= ;{id = 46792} ;; AUTHORITY SECTION: devnology.nl. 3600 IN NS ns0.transip.net. devnology.nl. 3600 IN NS ns1.transip.net. devnology.nl. 3600 IN RRSIG NS 5 2 3600 20100831131949 20100803131949 46792 devnology.nl. LTqB1Pmq0C3YaBYedq6sHM3tssVwtAx8M1O6I2y0NynCcY2oRyRK4Mti19eJ/0H9 8JOen0j6u9KQtzEUGXb0Ik+MLIBntNwxF1CTBEyvmJp9U+9E6RtOtvt1Np1cH3Ls f+UXaXajPxkeFJpuE/Q6YQsNwP2zqtGkQl/IO9XPWvU= ;{id = 46792} http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC Status • A response can now be – Secure – Insecure – Bogus – Indeterminate • Up to local policy how to handle these states http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
How to validate? • Resolver needs to know the public key – Trust Anchor • Key distribution is difficult • Solution: Sign the delegation – The DS Record – DNS Root Trust Anchor: “one key to rule them all” • Luckily, the root has been signed:) – As of 15 July 2010 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNS Root Trust Anchor . IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhV VLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0Ez rAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaU eVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkj f5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1a pAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCT MjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXf Z57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqr AmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ; {id = 19036 (ksk), size = 2048b} http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC RRs • In the root zone: – dk. IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC 5AED3C4E0D26B1B60ED3735F853DFD7 – dk. IN RRSIG DS 8 1 172800 20100810000000 20100802230000 41248 . o23Xc... • Points to the DNSKEY in the dk zone: – dk. IN DNSKEY 256 3 8 AwEAA... ; keytag=55594 – dk. IN DNSKEY 257 3 8 AwEAA... ; keytag=26887 – dk. IN RRSIG DNSKEY 8 1 86400 20100805191323 20100729141045 26887 dk. WLuD3... • Resolver can now build chain of trust http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution ;dnssec.dk. IN A @k.root-servers.net ;; AUTHORITY SECTION: dk. 172800 IN NS a.nic.dk. dk. 172800 IN NS b.nic.dk. ... dk. 172800 IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A 7088EC5AED3C4E0D26B1B60ED3735 F853DFD7 dk. 172800 IN RRSIG DS 8 1 172800 20100810000000 20100802230000 41248 . o23Xc... ; signed with root key ;; ADDITIONAL SECTION: a.nic.dk. 172800 IN A 212.88.78.122 b.nic.dk. 172800 IN A 193.163.102.222 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution ;dnssec.dk. IN A @a.nic.dk ;; AUTHORITY SECTION: dnssec.dk. IN NS ns1.gratisdns.dk. dnssec.dk. IN NS ns2.gratisdns.dk. 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 8AFHAQVUPD0DDIRUTFL1NE5QONPO1CJ5 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN RRSIG NSEC3 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 ISAH6L4MDDHLR8KHCHFHC6SG7N6TG708 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN RRSIG NSEC3 ;; ADDITIONAL SECTION: ns1.gratisdns.dk. 86400 IN A 109.238.48.13 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution ;dnssec.dk. IN A @ns1.gratisdns.dk ;; ANSWER SECTION: dnssec.dk. 43200 IN A 193.3.157.13 dnssec.dk. 43200 IN RRSIG A 5 2 43200 20100901114809 ;; AUTHORITY SECTION: dnssec.dk. 43200 IN NS ns4.gratisdns.dk. dnssec.dk. 43200 IN NS ns3.gratisdns.dk. dnssec.dk. 43200 IN NS ns5.gratisdns.dk. dnssec.dk. 43200 IN NS ns2.gratisdns.dk. dnssec.dk. 43200 IN NS ns1.gratisdns.dk. dnssec.dk. 43200 IN RRSIG NS 5 2 43200 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Name resolution ;; Number of trusted keys: 1 ;; Domain: . [T] . 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), ...} . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), ...} [T] dk. 172800 IN DS 26887 8 2 a1ab8546b80e438a7dfe0ec55 9a7088ec5aed3c4e0d26b1b60ed3735f853dfd7 ;; Domain: dk. [T] dk. 86400 IN DNSKEY 257 3 8 ;{id = 26887 (ksk), ...} dk. 86400 IN DNSKEY 256 3 8 ;{id = 55594 (zsk), ...} ;; Domain: dnssec.dk. [S] dnssec.dk. 43200 IN DNSKEY 257 3 5 ;{id = 58693...} dnssec.dk. 43200 IN DNSKEY 256 3 5 ;{id = 26751...} [S] dnssec.dk. 43200 IN A 193.3.157.13 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Denial of existence ;miss.nlnetlabs.nl. IN A @open.nlnetlabs.nl ;; AUTHORITY SECTION nlnetlabs.nl. 3473 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2010080100 28800 7200 604800 3600 nlnetlabs.nl. 3473 IN RRSIG SOA 5 2 10200 20100829005003 nlnetlabs.nl. 1543 IN NSEC _jabber._tcp.nlnetlabs.nl. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY nlnetlabs.nl. 1543 IN RRSIG NSEC 5 2 3600 20100829005003 mirre.nlnetlabs.nl. 3596 IN NSEC moby-dick.nlnetlabs.nl. A AAAA RRSIG NSEC mirre.nlnetlabs.nl. 3596 IN RRSIG NSEC 5 3 3600 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
NSEC Issues • More signatures needed • Zone walking • Solution: Hashed version of Denial of Existence – The NSEC3 Record – RFC 5155 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Hashed version • Simplified ;miss.nlnetlabs.nl. IN A @open.nlnetlabs.nl h(www.nlnetlabs.nl.) = 11 h(miss.nlnetlabs.nl.) = 12 h(_jabber._tcp.nlnetlabs.nl.) = 13 11.nlnetlabs.nl. 1543 IN NSEC3 13.nlnetlabs.nl. A AAAA http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Hashed version ;dnssec.dk. IN DS @a.nic.dk ;; AUTHORITY SECTION: ... 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 8AFHAQVUPD0DDIRUTFL1NE5QONPO1CJ5 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN RRSIG NSEC3 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 ISAH6L4MDDHLR8KHCHFHC6SG7N6TG708 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN RRSIG NSEC3 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Operational practices • RFC 4641 • Re-signing – Signatures have a lifetime to prevent replay attacks – Signature validity period should be long enough to last the weekend • Key rollover – Crypto analysis – Operational practices http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Key rollover • Be aware of DNS caches! – Old DNSKEY might still be in the cache – Old RRSIGs might still be in the cache – Switching without care might take your zone offline • Be aware of your delegation! – DS Record in the parent must match your DNSKEY – ZSK / KSK split (Flags: 256 / 257) http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
ZSK vs KSK +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 ?| Protocol | Algorithm | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / / / Public Key / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ • SEP (Security Entry Point) bit – 0: 'ZSK' – 1: 'KSK' (Only sign DNSKEY set) – DS record must match a SEP http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Key rollover • Double sign your zone – Until old key expires from the cache – Remove old key – Drawback: Increased zone size • Pre-publish your new key – Introduce new key, unused – Retire old key, use new key – Remove old key – Drawback: Increased rollover duration http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
DNSSEC weaknesses • Increased DNS response packet size • Increased workload for the resolvers • Hierarchical trust level • Time synchronization • Complex to implement and operate – OpenDNSSEC http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
The whole picture Bind9 NSD Bind9 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Recent events • The root is signed! – DS in the root: .bg, .br, .cat, .cz, .dk, .edu, .lk, .na, .org, .tm, .uk – Coming: .arpa, .fr, .nl, .se, ... • http://www.youtube.com/watch?v=b9j-sfP9GUU http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Recent events • Trust anchor distribution is a pain • Automatic updating of Trust Anchors (at the resolver) – RFC 5011 – Regular polling of SEP keys – Introduces the REVOKED bit – Not meant for those who have a secure delegation – Autotrust: RFC 5011 implementation http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Recent events • Algorithm Rollover – RFC 5702 introduces RSASHA2 – DNSSEC says that all RRsets need to be signed with each algorithm – DNSKEY may expire from the cache before its signatures do http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
Recent events • Algorithm Rollover and Automatic Updating of Trust Anchors – We need to double sign (because of use of multiple algorithms) – We need to revoke http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
? • http://www.nlnetlabs.nl • http://www.opendnssec.org • http://blog.nominet.org.uk/tech/2010/ 05/24/436 • http://www.root-dnssec.org/ http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs

More Related Content

PPT
Tutorial 1
VIKAS_1705212
 
PPTX
ION Durban - DNSSEC, and Why We Can't Avoid It
Deploy360 Programme (Internet Society)
 
PPT
Code inspecties
Devnology
 
PDF
What do we really know about the differences between static and dynamic types?
Devnology
 
PDF
DNS Measurement Activity on ITB 2010
Affan Basalamah
 
PDF
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
Deploy360 Programme (Internet Society)
 
PPTX
ROTLD DNSSEC Implementation
Deploy360 Programme (Internet Society)
 
PPTX
ROTLD DNSSEC Implementation
Kevin Meynell
 
Tutorial 1
VIKAS_1705212
 
ION Durban - DNSSEC, and Why We Can't Avoid It
Deploy360 Programme (Internet Society)
 
Code inspecties
Devnology
 
What do we really know about the differences between static and dynamic types?
Devnology
 
DNS Measurement Activity on ITB 2010
Affan Basalamah
 
ION Santiago: What's Happening at the IETF? Internet Standards and How to Get...
Deploy360 Programme (Internet Society)
 
ROTLD DNSSEC Implementation
Deploy360 Programme (Internet Society)
 
ROTLD DNSSEC Implementation
Kevin Meynell
 

Similar to DNSSec: Internet achter de schermen (20)

PDF
How to send DNS over anything encrypted
Men and Mice
 
PDF
VietOpenStack Boston recap 2017
Vietnam Open Infrastructure User Group
 
PPTX
ION Cape Town - IETF Update and How to Get Involved
Deploy360 Programme (Internet Society)
 
PDF
RIPE 71 and IETF 94 reports webinar
Men and Mice
 
PDF
ION Belfast - IETF Update - Chris Grundemann
Deploy360 Programme (Internet Society)
 
PPTX
After summit catch up
Thanassis Parathyras
 
PDF
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
PDF
OAS SSIG 2016 - IETF-LAC & LACNOG - Alvaro Retana - Cisco
Rogerio Mariano
 
PDF
.EDU DNSSEC Testbed
Shumon Huque
 
PDF
ION Toronto - Deploying DNSSEC: A .CA Case Study
Deploy360 Programme (Internet Society)
 
PPTX
How the Internet works...and why
APNIC
 
PDF
Tech 2 Tech IPv6 presentation
Jisc
 
PPTX
Introduction to Orchestration and DevOps with OpenStack
Abderrahmane TEKFI
 
PDF
DNSSEC and DANE Deployment: Trends, Tools and Challenges
Deploy360 Programme (Internet Society)
 
PDF
Learn OpenStack from trystack.cn
OpenCity Community
 
PDF
DNSDiag - Then and Now (9 years in life of a FOSS Project)
Babak Farrokhi
 
PDF
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
Splend
 
PDF
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
PDF
Developing on OpenStack Startup Edmonton
serverascode
 
How to send DNS over anything encrypted
Men and Mice
 
VietOpenStack Boston recap 2017
Vietnam Open Infrastructure User Group
 
ION Cape Town - IETF Update and How to Get Involved
Deploy360 Programme (Internet Society)
 
RIPE 71 and IETF 94 reports webinar
Men and Mice
 
ION Belfast - IETF Update - Chris Grundemann
Deploy360 Programme (Internet Society)
 
After summit catch up
Thanassis Parathyras
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
OAS SSIG 2016 - IETF-LAC & LACNOG - Alvaro Retana - Cisco
Rogerio Mariano
 
.EDU DNSSEC Testbed
Shumon Huque
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
Deploy360 Programme (Internet Society)
 
How the Internet works...and why
APNIC
 
Tech 2 Tech IPv6 presentation
Jisc
 
Introduction to Orchestration and DevOps with OpenStack
Abderrahmane TEKFI
 
DNSSEC and DANE Deployment: Trends, Tools and Challenges
Deploy360 Programme (Internet Society)
 
Learn OpenStack from trystack.cn
OpenCity Community
 
DNSDiag - Then and Now (9 years in life of a FOSS Project)
Babak Farrokhi
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
Splend
 
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
Developing on OpenStack Startup Edmonton
serverascode
 
Ad

More from Devnology (20)

PDF
Meetup at SIG: Meten is weten
Devnology
 
PDF
Software Operation Knowledge
Devnology
 
PPTX
Slides Felienne Hermans Symposium EWI
Devnology
 
PDF
Devnology auteursrecht en open source 20130205
Devnology
 
PDF
The top 10 security issues in web applications
Devnology
 
PDF
Hacking Smartcards & RFID
Devnology
 
PDF
Learn a language : LISP
Devnology
 
PDF
Learn a language : LISP
Devnology
 
PDF
Devnology Back to School: Empirical Evidence on Modeling in Software Development
Devnology
 
PDF
Devnology Back to School IV - Agility en Architectuur
Devnology
 
PDF
Devnology Back to School III : Software impact
Devnology
 
PDF
Devnology back toschool software reengineering
Devnology
 
PDF
Introduction to Software Evolution: The Software Volcano
Devnology
 
PPT
Devnology Workshop Genpro 2 feb 2011
Devnology
 
PPT
Devnology Coding Dojo 05-01-2011
Devnology
 
PDF
Spoofax: ontwikkeling van domeinspecifieke talen in Eclipse
Devnology
 
PDF
Experimenting with Augmented Reality
Devnology
 
PPTX
Unit testing and MVVM in Silverlight
Devnology
 
PDF
mobl: Een DSL voor mobiele applicatieontwikkeling
Devnology
 
PPTX
Devnology Fitnesse workshop
Devnology
 
Meetup at SIG: Meten is weten
Devnology
 
Software Operation Knowledge
Devnology
 
Slides Felienne Hermans Symposium EWI
Devnology
 
Devnology auteursrecht en open source 20130205
Devnology
 
The top 10 security issues in web applications
Devnology
 
Hacking Smartcards & RFID
Devnology
 
Learn a language : LISP
Devnology
 
Learn a language : LISP
Devnology
 
Devnology Back to School: Empirical Evidence on Modeling in Software Development
Devnology
 
Devnology Back to School IV - Agility en Architectuur
Devnology
 
Devnology Back to School III : Software impact
Devnology
 
Devnology back toschool software reengineering
Devnology
 
Introduction to Software Evolution: The Software Volcano
Devnology
 
Devnology Workshop Genpro 2 feb 2011
Devnology
 
Devnology Coding Dojo 05-01-2011
Devnology
 
Spoofax: ontwikkeling van domeinspecifieke talen in Eclipse
Devnology
 
Experimenting with Augmented Reality
Devnology
 
Unit testing and MVVM in Silverlight
Devnology
 
mobl: Een DSL voor mobiele applicatieontwikkeling
Devnology
 
Devnology Fitnesse workshop
Devnology
 
Ad

Recently uploaded (20)

PPTX
TEXTILE technology diploma scope and career opportunities
kriti38
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
PDF
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
PPTX
Build Your First AI Agent with UiPath.pptx
suhanisingh58689
 
PDF
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
PPTX
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
PDF
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
Rejig Digital
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
TEXTILE technology diploma scope and career opportunities
kriti38
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
Build Your First AI Agent with UiPath.pptx
suhanisingh58689
 
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
Rejig Digital
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Five Habits of High-Impact Board Members
OnBoard
 
Geologic Time for studying geology for geologist
ssuser738f5a
 

DNSSec: Internet achter de schermen

  • 1. DNS at NLnet Labs Matthijs Mekking
  • 2. Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 3. NLnet • Internet Provider until 1997 – The first internet backbone in Holland • Funding research and software projects that aid the Internet community – 1999, NLnet Labs http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 4. NLnet Labs • Founded in 1999, DNSSEC • DNS, DNSSEC, IPv6, routing • Software development – NSD, Unbound, ldns, OpenDNSSEC –C • Work on open standards (IETF) – RFCs 3750, 3904, 4641, 5702, ... • Education – DNS courses, student projects http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 5. IETF • Internet Engineering Task Force • “The goal of the IETF is to make the Internet work better” • Technical documents (RFC) • http://www.ietf.org http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 6. http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 7. Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 8. What is DNS? • Domain Name System • We want to refer machines by name – devnology.nl instead of 62.212.74.133 • In the beginning there was HOSTS.TXT... • ... but then the Internet grew • Problems with traffic and load, name collisions http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 9. What is DNS? • DNS was created in 1983 by Paul Mockapetris – RFCs 822 and 823 • IETF Full Standard in 1987 – RFCs 1034 and 1035 • Enhanced, updated, modified – RFCs 1123, 1982, 2181, 2308, 2671 (EDNS0), 2672, 3425, 4343, 4592, 5001 (NSID), 5452, 5936 and more http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 10. DNS at IETF • Internet Engineering Task Force • “The goal of the IETF is to make the Internet work better” • Technical documents (RFC) • http://www.ietf.org http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 11. DNS Features • A lookup mechanism for translating objects into other objects • A globally, distributed, loosely coherent, scalable, reliable, dynamic database • Comprised of three components – Name space – Servers making the name space available – Clients who perform the name resolution http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 12. Name space http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 13. Name space • Database of DNS Resource Records NAME TYPE CLASS TTL RDLEN RDATA devnology.nl A IN 3600 1 RDATA_A devnology.nl NS IN 3600 1 RDATA_NS • Different RDATA format Domain name ns1.transip.net IPv4 62.212.74.133 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 14. Resource records • SOA: Source of Authority • A: IPv4 Address • AAAA: IPv6 Address • MX: Mail Server • NS: Name Server (delegation) • PTR: Reverse Lookup • TXT: Arbitrary Text • ... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 15. Example zonefile devnology.nl. IN SOA ( ns0.transip.net. hostmaster.transip.nl. 2010032002 14400 1800 604800 86400 ) devnology.nl. IN NS ns0.transip.net. devnology.nl. IN NS ns1.transip.net. devnology.nl. IN NS ns2.transip.net. devnology.nl. IN MX 10 ASPMX.L.GOOGLE.COM. devnology.nl. IN MX 30 ASPMX3.GOOGLEMAIL.COM. ... devnology.nl. IN TXT ( "v=spf1 ip4:62.212.74.133 a mx a:devnology.nl include:aspmx.googlemail.com ~all" ) devnology.nl. IN A 62.212.74.133 www.devnology.nl. IN CNAME devnology.nl. http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 16. Reverse zone 74.212.62.in-addr.arpa. IN SOA ( ns1.leaseweb.nl. postmaster.leaseweb.nl. 2002111068 14400 7200 604800 86400 ) 74.212.62.in-addr.arpa. IN NS ns2.leaseweb.nl. 74.212.62.in-addr.arpa. IN NS ns3.leaseweb.org. 74.212.62.in-addr.arpa. IN NS ns1.leaseweb.nl. 1.74.212.62.in-addr.arpa. IN PTR hosted-by.leaseweb.com. 2.74.212.62.in-addr.arpa. IN PTR tiltbox.com. ... 133.74.212.62.in-addr.arpa. IN PTR devnology.nl. ... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 17. Name resolution http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 18. Name resolution ;; QUESTION SECTION: ;www.devnology.nl. IN A ;; AUTHORITY SECTION: nl. 172800 IN NS ns1.nic.nl. nl. 172800 IN NS ns-nl.nic.fr. ;; ADDITIONAL SECTION: ns1.nic.nl. 172800 IN A 193.176.144.2 ns-nl.nic.fr. 172800 IN A 192.93.0.4 ns1.nic.nl. 172800 IN AAAA 2a00:d78:0:102:193:176:144:2 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 19. Name resolution ;; QUESTION SECTION: ;www.devnology.nl. IN A ;; AUTHORITY SECTION: devnology.nl. 7200 IN NS ns0.transip.net. devnology.nl. 7200 IN NS ns1.transip.net. devnology.nl. 7200 IN NS ns2.transip.net. ;; ADDITIONAL SECTION: • Additional section is empty, need to query for ns{0,1,2}.transip.net http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 20. Name resolution ;; QUESTION SECTION: ;www.devnology.nl. IN A ;; ANSWER SECTION: www.devnology.nl. 86400 IN CNAME devnology.nl. devnology.nl. 86400 IN A 62.212.74.133 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 21. Reverse zone ; <<>> DiG 9.7.0-P1 <<>> -x 62.212.74.133 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:23068 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;133.74.212.62.in-addr.arpa. IN PTR ;; AUTHORITY SECTION: 74.212.62.in-addr.arpa. 77364 IN SOA ns1.leaseweb.nl. postmaster.leaseweb.nl. 2002111068 14400 7200 604800 86400 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 22. DNS on the wire +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ID | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |QR| Opcode |AA|TC|RD|RA| Z | RCODE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | QDCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ANCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | NSCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ARCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 23. Authoritative NS • Makes the name space available – Zone files vs Database backends – Master vs. Slaves – Zone transfers • Incremental zone transfers – RFC 1995 • DNS NOTIFY – RFC 1996 • TSIG and SIG(0) – RFC 2845 and 2931 – Dynamic updates (DHCP) – RFC 2136 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 24. Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 25. What's the threat? • DNS Threat Analysis (RFC 3833) – Packet interception • Confidentiality, Integrity, Availability – ID Guessing & Query prediction • devnology.nl IN A 6.6.6.6 – Name chaining • devnology.nl IN NS ns0.evilguy.com – Denial of service (flooding name servers) • Slave servers http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 26. What's the threat? • Confidentiality? – DNS is public data – IPSec • Availability? – As with any network service – DNSSEC does not prevent Denial of Service (in fact it makes it worse) • Integrity – DNSSEC will ensure integrity http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 27. Cache poisoning • Provide false data to a caching name server (query prediction, id guessing) • Based on a flaw in the DNS, first answer is the correct one, ignore duplicates http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 28. Cache poisoning • How does a resolver know a response is expected? – Arrives on the same UDP port – Question section matches – Query ID matches – The Authority and Additional sections represent names that are within the same domain as the question: this is known as "bailiwick checking". http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 29. Kaminsky attack • Based on ID guessing (16 bits) • Prerequisite is that the data is not in the cache • High TTL is sort of defense mechanism (but not against the Kaminsky attack) http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 30. Real response ;; QUESTION SECTION: ;111.nlnetlabs.nl. IN NS ;; AUTHORITY SECTION: nlnetlabs.nl. 3600 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2010080100 28800 7200 604800 3600 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 31. Real response ;; QUESTION SECTION: ;www.nlnetlabs.nl. IN A ;; ANSWER SECTION: www.nlnetlabs.nl. 9888 IN A 213.154.224.1 ;; AUTHORITY SECTION: nlnetlabs.nl. 10117 IN NS open.nlnetlabs.nl. nlnetlabs.nl. 10117 IN NS ns3.domain-registry.nl. ;; ADDITIONAL SECTION: open.nlnetlabs.nl. 528 IN A 213.154.224.1 open.nlnetlabs.nl. 9162 IN AAAA 2001:7b8:206:1::53 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 32. Fake response ;; QUESTION SECTION: ;111.nlnetlabs.nl. IN A ;; ANSWER SECTION: 111.nlnetlabs.nl. 9888 IN A 6.6.6.1 ;; AUTHORITY SECTION: nlnetlabs.nl. 10117 IN NS ns1.evilguy.com. nlnetlabs.nl. 10117 IN NS ns2.transip.net. ;; ADDITIONAL SECTION: open.nlnetlabs.nl. 528 IN A 213.154.224.1 open.nlnetlabs.nl. 9162 IN AAAA 2001:7b8:206:1::53 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 33. Kaminsky attack 1.foo.nl? foo.nl SOA 1.foo.nl! 1.foo.nl! 6.6.6.1 NXDOMAIN ­ Invalid ID ­ Duplicate http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 34. Kaminsky attack foo.nl SOA 9.foo.nl A 6.6.6.1 9.foo.nl? foo.nl NS ns.evil 9.foo.nl! 9.foo.nl! 6.6.6.1 NXDOMAIN ­ Duplicate http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 35. Kaminsky attack • Solution 1: add more randomness – UDP source port randomization – 2^16 * 2^11 = 2^27 = 134 million – Short term solution • Solution 2: DNSSEC http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 36. DNSSEC • DNS Security Extensions – RFC 4034, 4035 • Data origin authentication, data integrity • Public key cryptography – The DNSKEY Record • Adds signatures to responses – The RRSIG Record http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 37. DNSSEC RRs • DNSSEC Resource Records NAME TYPE CLASS TTL RDLEN RDATA devnology.nl DNSKEY IN 3600 1 RDATA_DNSKEY devnology.nl RRSIG IN 3600 1 RDATA_RRSIG ORIG TYPE ALGO. LABELS ORIG TTL SIG EXPIRE SIG START SOA RSASHA1 2 3600 01/09/2010 01/08/2010 KEY TAG SIGNER NAME SIGNATURE 12345 devnology.nl AwEE3dF0... FLAGS PROTOCOL ALGORITHM PUBLIC KEY 257 3 RSASHA1 AQPSKmy... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 38. DNSSEC RRs • DNSKEY: Public key • RRSIG: Signature • DS: Delegation Signer – Provides a secure path at the delegation (between parent zone and child zone) • NSEC: Denial of Existence – broodjeaap.nl is proven not to exist • NSEC3: Hashed Denial of Existence http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 39. DNSSEC RRs devnology.nl. IN RRSIG SOA 5 2 3600 ( 20100831131949 20100803131949 46792 devnology.nl. RYY.../yik= ) ... devnology.nl. IN DNSKEY 257 3 5 AwE...htWV devnology.nl. IN RRSIG DNSKEY 5 2 3600 ... devnology.nl. IN NSEC www.devnology.nl. A NS SOA MX TXT ( RRSIG NSEC DNSKEY ) devnology.nl. IN RRSIG NSEC 5 2 86400 ... www.devnology.nl. IN CNAME devnology.nl. www.devnology.nl. IN RRSIG CNAME 5 3 360 ... www.devnology.nl. IN NSEC devnology.nl. CNAME RRSIG NSEC www.devnology.nl. IN RRSIG NSEC 5 3 86400 ... http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 40. DNSSEC query ;; ANSWER SECTION: devnology.nl. 3600 IN A 62.212.74.133 devnology.nl. 3600 IN RRSIG A 5 2 3600 20100831131949 20100803131949 46792 devnology.nl. TO+EysNigcB/rXBZ89mv31OKZnX3/2xp6ClOr96cUg10qNXU11RCoHQteeW705AF tqV0e8WK7QMVFSPu0TRTnXNwcEDIP/qvzBu7bMSjcM7XejDg1ff+WgfJ5Ra4C1Dv rYq4Rj03kKzQPSBiE9DiKO3zcQgUCEVEdJ03YrY+NbY= ;{id = 46792} ;; AUTHORITY SECTION: devnology.nl. 3600 IN NS ns0.transip.net. devnology.nl. 3600 IN NS ns1.transip.net. devnology.nl. 3600 IN RRSIG NS 5 2 3600 20100831131949 20100803131949 46792 devnology.nl. LTqB1Pmq0C3YaBYedq6sHM3tssVwtAx8M1O6I2y0NynCcY2oRyRK4Mti19eJ/0H9 8JOen0j6u9KQtzEUGXb0Ik+MLIBntNwxF1CTBEyvmJp9U+9E6RtOtvt1Np1cH3Ls f+UXaXajPxkeFJpuE/Q6YQsNwP2zqtGkQl/IO9XPWvU= ;{id = 46792} http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 41. DNSSEC Status • A response can now be – Secure – Insecure – Bogus – Indeterminate • Up to local policy how to handle these states http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 42. How to validate? • Resolver needs to know the public key – Trust Anchor • Key distribution is difficult • Solution: Sign the delegation – The DS Record – DNS Root Trust Anchor: “one key to rule them all” • Luckily, the root has been signed:) – As of 15 July 2010 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 43. DNS Root Trust Anchor . IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhV VLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0Ez rAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaU eVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkj f5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1a pAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCT MjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXf Z57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqr AmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ; {id = 19036 (ksk), size = 2048b} http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 44. DNSSEC RRs • In the root zone: – dk. IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A7088EC 5AED3C4E0D26B1B60ED3735F853DFD7 – dk. IN RRSIG DS 8 1 172800 20100810000000 20100802230000 41248 . o23Xc... • Points to the DNSKEY in the dk zone: – dk. IN DNSKEY 256 3 8 AwEAA... ; keytag=55594 – dk. IN DNSKEY 257 3 8 AwEAA... ; keytag=26887 – dk. IN RRSIG DNSKEY 8 1 86400 20100805191323 20100729141045 26887 dk. WLuD3... • Resolver can now build chain of trust http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 45. Name resolution ;dnssec.dk. IN A @k.root-servers.net ;; AUTHORITY SECTION: dk. 172800 IN NS a.nic.dk. dk. 172800 IN NS b.nic.dk. ... dk. 172800 IN DS 26887 8 2 A1AB8546B80E438A7DFE0EC559A 7088EC5AED3C4E0D26B1B60ED3735 F853DFD7 dk. 172800 IN RRSIG DS 8 1 172800 20100810000000 20100802230000 41248 . o23Xc... ; signed with root key ;; ADDITIONAL SECTION: a.nic.dk. 172800 IN A 212.88.78.122 b.nic.dk. 172800 IN A 193.163.102.222 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 46. Name resolution ;dnssec.dk. IN A @a.nic.dk ;; AUTHORITY SECTION: dnssec.dk. IN NS ns1.gratisdns.dk. dnssec.dk. IN NS ns2.gratisdns.dk. 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 8AFHAQVUPD0DDIRUTFL1NE5QONPO1CJ5 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN RRSIG NSEC3 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 ISAH6L4MDDHLR8KHCHFHC6SG7N6TG708 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN RRSIG NSEC3 ;; ADDITIONAL SECTION: ns1.gratisdns.dk. 86400 IN A 109.238.48.13 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 47. Name resolution ;dnssec.dk. IN A @ns1.gratisdns.dk ;; ANSWER SECTION: dnssec.dk. 43200 IN A 193.3.157.13 dnssec.dk. 43200 IN RRSIG A 5 2 43200 20100901114809 ;; AUTHORITY SECTION: dnssec.dk. 43200 IN NS ns4.gratisdns.dk. dnssec.dk. 43200 IN NS ns3.gratisdns.dk. dnssec.dk. 43200 IN NS ns5.gratisdns.dk. dnssec.dk. 43200 IN NS ns2.gratisdns.dk. dnssec.dk. 43200 IN NS ns1.gratisdns.dk. dnssec.dk. 43200 IN RRSIG NS 5 2 43200 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 48. Name resolution ;; Number of trusted keys: 1 ;; Domain: . [T] . 86400 IN DNSKEY 256 3 8 ;{id = 41248 (zsk), ...} . 86400 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), ...} [T] dk. 172800 IN DS 26887 8 2 a1ab8546b80e438a7dfe0ec55 9a7088ec5aed3c4e0d26b1b60ed3735f853dfd7 ;; Domain: dk. [T] dk. 86400 IN DNSKEY 257 3 8 ;{id = 26887 (ksk), ...} dk. 86400 IN DNSKEY 256 3 8 ;{id = 55594 (zsk), ...} ;; Domain: dnssec.dk. [S] dnssec.dk. 43200 IN DNSKEY 257 3 5 ;{id = 58693...} dnssec.dk. 43200 IN DNSKEY 256 3 5 ;{id = 26751...} [S] dnssec.dk. 43200 IN A 193.3.157.13 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 49. Denial of existence ;miss.nlnetlabs.nl. IN A @open.nlnetlabs.nl ;; AUTHORITY SECTION nlnetlabs.nl. 3473 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2010080100 28800 7200 604800 3600 nlnetlabs.nl. 3473 IN RRSIG SOA 5 2 10200 20100829005003 nlnetlabs.nl. 1543 IN NSEC _jabber._tcp.nlnetlabs.nl. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY nlnetlabs.nl. 1543 IN RRSIG NSEC 5 2 3600 20100829005003 mirre.nlnetlabs.nl. 3596 IN NSEC moby-dick.nlnetlabs.nl. A AAAA RRSIG NSEC mirre.nlnetlabs.nl. 3596 IN RRSIG NSEC 5 3 3600 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 50. NSEC Issues • More signatures needed • Zone walking • Solution: Hashed version of Denial of Existence – The NSEC3 Record – RFC 5155 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 51. Hashed version • Simplified ;miss.nlnetlabs.nl. IN A @open.nlnetlabs.nl h(www.nlnetlabs.nl.) = 11 h(miss.nlnetlabs.nl.) = 12 h(_jabber._tcp.nlnetlabs.nl.) = 13 11.nlnetlabs.nl. 1543 IN NSEC3 13.nlnetlabs.nl. A AAAA http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 52. Hashed version ;dnssec.dk. IN DS @a.nic.dk ;; AUTHORITY SECTION: ... 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 8AFHAQVUPD0DDIRUTFL1NE5QONPO1CJ5 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM 8afgsvl5sgurhqbipm0fdbvr5jq1frp2.dk. 3600 IN RRSIG NSEC3 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN NSEC3 1 1 17 FAC981985022A210 ISAH6L4MDDHLR8KHCHFHC6SG7N6TG708 isab28efbcpglup6uanh61dnolc8g0tq.dk. 3600 IN RRSIG NSEC3 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 53. Operational practices • RFC 4641 • Re-signing – Signatures have a lifetime to prevent replay attacks – Signature validity period should be long enough to last the weekend • Key rollover – Crypto analysis – Operational practices http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 54. Key rollover • Be aware of DNS caches! – Old DNSKEY might still be in the cache – Old RRSIGs might still be in the cache – Switching without care might take your zone offline • Be aware of your delegation! – DS Record in the parent must match your DNSKEY – ZSK / KSK split (Flags: 256 / 257) http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 55. ZSK vs KSK +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 ?| Protocol | Algorithm | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / / / Public Key / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ • SEP (Security Entry Point) bit – 0: 'ZSK' – 1: 'KSK' (Only sign DNSKEY set) – DS record must match a SEP http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 56. Key rollover • Double sign your zone – Until old key expires from the cache – Remove old key – Drawback: Increased zone size • Pre-publish your new key – Introduce new key, unused – Retire old key, use new key – Remove old key – Drawback: Increased rollover duration http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 57. DNSSEC weaknesses • Increased DNS response packet size • Increased workload for the resolvers • Hierarchical trust level • Time synchronization • Complex to implement and operate – OpenDNSSEC http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 58. The whole picture Bind9 NSD Bind9 http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 59. Topics • NLnet Labs • DNS • DNSSEC • Recent events http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 60. Recent events • The root is signed! – DS in the root: .bg, .br, .cat, .cz, .dk, .edu, .lk, .na, .org, .tm, .uk – Coming: .arpa, .fr, .nl, .se, ... • http://www.youtube.com/watch?v=b9j-sfP9GUU http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 61. Recent events • Trust anchor distribution is a pain • Automatic updating of Trust Anchors (at the resolver) – RFC 5011 – Regular polling of SEP keys – Introduces the REVOKED bit – Not meant for those who have a secure delegation – Autotrust: RFC 5011 implementation http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 62. Recent events • Algorithm Rollover – RFC 5702 introduces RSASHA2 – DNSSEC says that all RRsets need to be signed with each algorithm – DNSKEY may expire from the cache before its signatures do http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 63. Recent events • Algorithm Rollover and Automatic Updating of Trust Anchors – We need to double sign (because of use of multiple algorithms) – We need to revoke http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs
  • 64. ? • http://www.nlnetlabs.nl • http://www.opendnssec.org • http://blog.nominet.org.uk/tech/2010/ 05/24/436 • http://www.root-dnssec.org/ http://www.nlnetlabs.nl/ Devnology, NL, 4 August 2010 © 2010 Stichting NLnet Labs