Windows 2012 and DNSSEC

© Men & Mice http://menandmice.com
Windows 2012 and DNSSEC
1

Agenda
•DNS threats
•What is DNSSEC?
•DNSSEC in Windows
2012 Server
•DNSSEC validation with
Windows 2012
•Signing zones
2

DNS Threats
3

DNS Cache Spoofing
Episode I
the Kaspureff attacks
12. July 1997
4

The Kashpureff Attack
•In July, 1997, Eugene Kashpureff used a direct triggered
cache poisoning attack against the InterNIC's web site
ISP
resolving
DNS Server
“alternic.net”
authoritative DNS
Server
Recursive query for
www.alternic.net/A Cache
Interative query for
www.alternic.net/A
response including bogus
www.internic.net/A RR
Recursive query for
www.internic.net/A
bogus
response
evil resolver
unsuspecting
resolver
5

DNS 'bailiwick' checking
• The fix
• The credibility checking when replacing cache entries
• Check for “in bailiwick” in response data. Answer records must be from the same
domain as the requested name.
$ dig @ns1.example.com www.example.com
;; ANSWER SECTION:
www.example.com. 120 IN A 192.0.2.10
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 604800 IN A 192.0.2.120
ns2.example.com. 604800 IN A 192.0.2.130
www.mybank.com. 604800 IN A 1.2.3.4
Data not in
'bailiwick'
will not be
accepted
6

DNS Cache Spoofing
Episode II
the Amit Klein findings
March-June 2007
7

The Amit Klein findings (1)
• In 2007 Amit Klein found that the randomizers used in most DNS Servers
are not truly random: The next message ID's could be pre-calculated
ISP
resolving
DNS Server
“mybank.net”
authoritative DNS
Server
Recursive query for
www.mybank.net/A Cache
Interative query for
www.mybank.net/A
evil resolver
unsuspecting
resolver
8

The Amit Klein findings (2)
• In 2007 Amit Klein found that the randomizers used in most DNS Servers
are not truly random: The next message ID's could be pre-calculated
ISP
resolving
DNS Server
“mybank.net”
authoritative DNS
Server
Cache
evil resolver
unsuspecting
resolver
response for
www.mybank.net/A RR
flood of responses for www.mybank.net with pre-calculated IDs
Recursive query for
www.mybank.net/A
bogus
response
9

DNS Cache Spoofing
Episode III
the Dan Kaminsky findings
March-August 2008
10

The Dan Kaminsky findings (1)
resolving
DNS Server
“mybank.com”
authoritative DNS
Servers
Cache
evil resolver
unsuspecting
resolver
evil
web-server
HTTP
request
Webpage with thousands
of fake image links
<img src=”aaaaa.mybank.com”..
<img src=”aaaab.mybank.com”..
<img src=”aaaac.mybank.com”..
<img src=”aaaad.mybank.com”..
....
11

resolving
DNS Server
“mybank.com”
authoritative DNS
Servers
Cache
evil resolver
unsuspecting
resolver
evil
web-server
Each
Image Tag will
trigger one
DNS lookup
DNS lookups
will be send to
the
authoritative
DNS Servers
12

resolving
DNS Server
“mybank.com”
authoritative DNS
Servers
Cache
evil resolver
unsuspecting
resolver
evil
web-server
Some good
answers will
loose the race
Attacker will
swamp
caching DNS Server
with fake responses
Fake response
will be
cached
13

resolving
DNS Server
“mybank.com”
authoritative DNS
Servers
Cache
evil resolver
unsuspecting
resolver
evil
web-server
Client is
connecting to a
“pharming”
website
request for www.mybank.com./A RR
false answer from poisoned cache
HTTP
request
DNSSEC
HELPS!
14

the Dan Kaminsky “bug”
•Attackers try to overwrite or place a NS record in the cache
;; ANSWER SECTION:
aaaa.mybank.com. 120 IN A 1.2.3.4
mybank.com. 86400 IN NS ns1.mybank.com.
mybank.com. 86400 IN NS ns2.mybank.com.
ns1.mybank.com. 604800 IN A 192.0.2.20
ns2.mybank.com. 604800 IN A 192.0.2.30
high TTL for
maximum
damage
Here is the
fake data
15

More DNS issues
16

Men in the middle attack
•an attacker en-route can change DNS data unnoticed
ISP
resolving
DNS Server
authoritative DNS
Server
Cache
attacker
client
resolver
query for
www.example.com.
query for
www.example.com.
www.example.com.
A 192.0.2.10
www.example.com.
A 192.0.2.10
www.example.com.
A 10.1.2.3
DNSSEC
HELPS!
17

Betrayal of a trusted name
server
•someone in control of an resolving DNS Server has full
control over the data returned
insecure/compromised
resolving
DNS Server
authoritative DNS
Server
Cache
attacker
client
resolver
query for
www.example.com.
query for
www.example.com.
www.example.com.
A 192.0.2.10
www.example.com.
A 10.1.2.3
DNSSEC
HELPS!
18

attacker changes the local
resolver settings
•the local resolver settings are changed without the client
user noticing, returning bad data
ISP/company
resolving
DNS Server
authoritative DNS
Server
client
resolver
query for
www.example.com.
www.example.com.
A 10.1.2.3
attacker has control
over this resolving DNS
Server
attackers
resolving DNS Server
attacker
attacker changes
DNS resolver
configuration on the
client
DNSSEC
HELPS!
19

attack on an authoritative DNS
Server
•an attacker changes the authoritative data on the DNS
Server
resolving
DNS Server
authoritative DNS
Server
Cache
attacker
client
resolver
query for
www.example.com.
query for
www.example.com. www.example.com.
A 10.1.2.3
www.example.com.
A 10.1.2.3
Cache
DNSSEC
HELPS!
20

DNSSEC
21

A Little Bit of History
•The original DNS protocol wasn't designed with security in mind
•It has very few built-in security mechanisms
•As the Internet became wilder and woollier, the IETF realized
this would be a problem
•DNS spoofing was too easy, for example
•DNSSEC and later TSIG were developed to help address this
problem
22

History of DNSSEC
DNS
invented
DNS being
used in the
Internet
Steve Bellovin
discovers flaw
in DNS
work on
DNSSEC
started in
the IETF
RFC2535
DNSSEC v1
is ready
work on
DNSSECbis
started
March 2005:
RFC4033-4035
are published:
DNSSEC v2
October
2005: .SE
signed
RFC 5155:
NSEC3
DNSSEC
1983 1988 1999 20081990 1995 2001 2005 2010
root zone is
signed
Windows 2012
DNSSEC
DANE RFC
2012
23

DNS Security Extensions
•DNSSEC deployment (http://www.xelerance.com/dnssec/)
http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
24

DNS Security Extensions
•DNSSEC growth http://secspider.cs.ucla.edu
25

DNS Server for DNSSEC
• BIND 9.6 and up: Authoritative server and validating resolver
• NSD from NlNetLabs: Fast authoritative server
• Unbound from NlNetLabs :Fast and secure validating resolver
• Windows 2012 DNS Server: Authoritative server and validating
resolver
• PowerDNS: Authoritative DNS Server with SQL Database backend
• BIND 10: the next generation of the BIND nameserver
26

Public Key Cryptography
Illustrated
plain
text
cipher
text
encrypt
k1
plain
text
cipher
text
decrypt
k2
27

PK and The Key Pair:
Public and Private
• In practice
• One key of the pair is kept private
• The other key is made public, by uploading it to a key server,
publishing it via a directory, or having a certification authority sign it
into a certificate
28

DNSSEC on one slide
plain
DNS data
hash
finger-
print
RRsig
encrypt with
private key k
Zonefile
plain DNS data
RRsig
authoritative
server
resolving/validating
server
public key
plain DNS data
RRsig
decrypt with
public key k
finger-
print
hash
finger-
printcompare
29

DNSSEC validation with
Windows 2012
30

DNSSEC in DNS Messages
00 01
0
2
03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Identification (ID)
Q
R
Opcode
A
A
T
C
R
D
R
A
Z
A
D
C
D
RCode
Total Number of Question Resource Records Total Number of Answer Resource Records
Total Number of Authority Resource Records Total Number of Additional Resource Records
Question Resource Records
Answer Resource Records
Authority Resource Records
Additional Resource Records
AD = Authenticated
Data
CD = Checking
disabled
EDNS:
EDNS: version: 0,
flags: do;
udp: 4096
31

•DO Flag in EDNS pseudo record: DNSSEC OK
•this client can handle DNSSEC records
•in addition, each client signaling “DNSSEC OK” also
signals that it can handle UDP DNS responses larger
512 byte
32

•AD Flag:
•a validating resolver signaling to the client
•that it has successfully validated the DNSSEC data
•invalid DNSSEC data will not be send to a
downstream resolver (client), instead the resolver will
send a SERVFAIL error condition
33

•CD Flag:
•an Application can signal to the resolving DNS Server
that it will validate the DNSSEC information
•the resolving DNS Server does not need to validate
itself, but is free to do so
34

dig ripe.net +dnssec
; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripe.net. IN A
;; ANSWER SECTION:
ripe.net. 172800 IN A 193.0.6.139
ripe.net. 172800 IN RRSIG A 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=
ripe.net. 172800 IN NS sns-pb.isc.org.
ripe.net. 172800 IN NS sunic.sunet.se.
ripe.net. 172800 IN NS ns-pri.ripe.net.
ripe.net. 172800 IN NS ns3.nic.fr.
ripe.net. 172800 IN RRSIG NS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=
ns-pri.ripe.net. 172800 IN A 193.0.0.195
ns-pri.ripe.net. 172800 IN AAAA 2001:610:240:0:53::3
ns-pri.ripe.net. 172800 IN RRSIG A 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=
ns-pri.ripe.net. 172800 IN RRSIG AAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=
;; Query time: 454 msec
;; SERVER: 192.0.2.10#53(192.0.2.10)
;; WHEN: Sat Oct 9 22:39:45 2010
;; MSG SIZE rcvd: 870
EDNS0
information
including the DO
flag
AD flag:
secure
answer
35

DNSSEC Name resolution
(simplified)
36

DNSSEC Name Resolution
http://www.example.org.
“”
org.
example.org.
local caching
+ validating
DNS Server
What is the address
of
www.example.org.
37

http://www.example.com.
“”
org.
example.org.
What is the address
of
www.example.org.
local caching
+ validating
DNS Server
38

“”
org.
example.org.
Here is a list of “org.”
Name Servers
local caching
+ validating
DNS Server
39

“”
org.
example.org.
What is the address
of
www.example.org.
local caching
+ validating
DNS Server
40

“”
org.
example.org.
Here is a list of
“example.org.” Name
Servers
local caching
+ validating
DNS Server
41

“”
org.
example.org.
What is the address
of
www.example.org.
local caching
+ validating
DNS Server
42

“”
org.
example.org.
Here is the
address of
“www.example.org.”
plus RRSIG
(signatures)
Record Function
www.example.org.A IPv4 Address
www.example.org. RRSIG signature ↑
local caching
+ validating
DNS Server
43

“”
org.
example.org.
What is the public
key of
example.org.
local caching
+ validating
DNS Server
Record Function
44

“”
org.
example.org.
Here is the DNSKEY
of “example.org.” plus
RRSIG (signatures)
Record Function
example.org. DNSKEY public key
example.org. RRSIG signature ↑
local caching
+ validating
DNS Server
45

“”
org.
example.org.
What is the DS of
example.org.
local caching
+ validating
DNS Server
Record Function
46

“”
org.
example.org.
Here is the
“delegation signer
(DS)” of
“example.org.” +
RRSIG
Record Function
example.org. DS hash of public key
org. RRSIG signature ↑
local caching
+ validating
DNS Server
47

“”
org.
example.org.
local caching
+ validating
DNS Server
Record Function
What is the public
key (DNSKEY) of
“org.”
48

“”
org.
example.org.
Here is the public
key (DNSKEY) of
“org.” + RRSIG
Record Function
org DNSKEY public key
org RRSIG signature ↑
local caching
+ validating
DNS Server
49

“”
org.
example.org.
What is the DS of
“org.”
local caching
+ validating
DNS Server
Record Function
50

“”
org.
example.org.
Here is the
“delegation signer
(DS)” of “org.” +
RRSIG
Record Function
org DS hash of public key
. RRSIG signature ↑
local caching
+ validating
DNS Server
51

“”
org.
example.org.
local caching
+ validating
DNS Server
Record Function
What is the public
key (DNSKEY) of
“.”
52

“”
org.
example.org.
Here is the
public key
(DNSKEY) of “.”
+ RRSIG
Record Function
. DNSKEY public key
local caching
+ validating
DNS Server
53

“”
org.
example.org.
Trush Anchor for
“.” (root zone) from
configuration file
Record Function
. DNSKEY public key
Trust Anchor for “.” hash of public key
local caching
+ validating
DNS Server
54

“”
org.
example.org.
Here is the
address of
“www.example.org.”
“Authenticated
Data”
local caching
+ validating
DNS Server
55

Validation
•the steps on the previous slides are simplified
•they only show validation on the last DNS query
•but DNSSEC validation will be done for every query down
to the requested domain
•it only shows validation of one key per zone
•in reality, we have ZSK and KSK, so twice the amount of
checking
56

DNS clients and DNSSEC
resolvers
legacy DNS
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
DNSSEC aware
non-validating
stub-resolver
DNSSEC
validating
resolver
DNSSEC
validating
Application
insecure.com
(not compromised)
RD
AA
RA RD
AA
RA
DO
RD
DO
AA
RA
DO
RD
DO
CD
AA
RA
DO
57

resolvers
legacy DNS
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
DNSSEC aware
non-validating
stub-resolver
DNSSEC
validating
resolver
DNSSEC
validating
Application
insecure.com
(compromised)
RD
AA
RA RD
AA
RA
DO
RD
DO
AA
RA
DO
RD
DO
CD
AA
RA
DO
58

resolvers
legacy DNS
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
DNSSEC aware
non-validating
stub-resolver
DNSSEC
validating
resolver
DNSSEC
validating
Application
secure.org
(not compromised)
RD
AA
RA RD
AA
RRSIG
RA
DO
RD
DO
AA
RRSIG
RA
AD
DO
RD
DO
CD
AA
RRSIG
DO
RA
RRSIG
59

resolvers
legacy DNS
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
classic DNS
stub resolver
DNSSEC
validating
resolver
DNSSEC aware
non-validating
stub-resolver
DNSSEC
validating
resolver
DNSSEC
validating
Application
secure.org
(compromised)
RD
AA
RA RD
AA
RRSIG
SRVFAIL
DO
RD
DO
AA
RRSIG
SRVFAIL
DO
RD
DO
CD
AA
RRSIG
DO
RA
RRSIG
60

Windows 7 / 8
legacy DNS
resolver
DNSSEC aware
non-validating
stub-resolver
secure.org
(compromised)
RD
DO
AA
RA
DO
AD-Flag missing
on secure zone
= insecure DNS resolver
IPsec
tunnel
61

DNSSEC validation in Windows
2012
62

DNSSEC validation in
Microsoft DNS Server 2012
•The DNS Server in Windows 2012 now supports all bits
and pieces necessary to validate DNSSEC signatures and
keys in the Internet (including SHA256 and NSEC3).
•Windows 2008 only supports SHA1 and NSEC, and was
not able to validate the Internet root zone
63

DNSSEC validation
•DNSSEC validation can be
enabled in the DNS Servers
global properties
(Advanced - enable DNSSEC
validation for remote
responses)
64

import or add a public DNSKEY
for the root zone
•add the public DNSSEC key (the key signing key, or KSK,
flag field value 257) for the root zone as a trust anchor
(trust point) into the system. There are two way to enter
the trust anchor:
•by importing from a file
•manually adding the key material
65

Importing the trust anchor
from a file
•The Windows 2012 DNS Server is picky about the format
of the trust anchor file to be used.
•It must be in the same format as the keyset files created by
the DNS server when signing a DNS zone.
•The format is the same as produced with the BIND 'dig'
tool in the versions 9.6 and 9.7 (using the '+multi'
switch), but the Windows 2012 DNS Server will not take
the format produced by 'dig' from BIND 9.9+.
66

from a file
• Here is the content of the trust anchor file to be imported:
. 172800 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
67

from a file
•Right click on
the 'Trust
Points' folder in
the Windows
2012 DNS
management
console and
select 'Import -
DNSKEY' ...
68

from a file
•... and select the key-file:
69

Manual adding the key material
•Right click on
the 'Trust
Points' folder in
the Windows
2012 DNS
Server console,
select 'Add -
DNSKEY'
70

•enter "." (dot) as the name for the root zone, and paste the
public KSK key (base64 encoded) into the public key field.
The DNS server is again very picky about the format of
the key material, it must be all in one line without any
spaces or line-breaks
AwEAAagAIKlVZrpC6Ia7gEzahOR
+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/
RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/
Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ
8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu
+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
71

72

The root zone public key in the
trust points folder
73

testing the DNSSEC validation
•The PowerShell in Windows 2012 includes a command
(resolve-dnsname) to resolve DNS names, including
DNSSEC records.
•However, this command unfortunately does not display
the state of the AD (Authenticated Data) Flag in the DNS
response header.
•This AD flag will tell us if DNSSEC validation is working
or not.
74

75

•the BIND for Windows distribution from ISC includes
'dig' (among other tools) for Windows.
•With 'dig' we can see the AD flag on DNSSEC signed
DNS domains, and therefore validate that DNSSEC
validation is indeed working for the Windows 2012
DNS Server
76

77

DNSSEC validation in Firefox
•Install the Firefox
DNSSEC Add-On
(http://www.dnssec-validator.cz/)
•and then go to
http://www.root-dnssec.org
or http://www.ripe.net
and you should see a nice green key icon in the URL bar
telling you that this DNS information was DNSSEC validated.
78

DNSSEC validation in Internet
Explorer
•CZ.NIC Labs offers a
DNSSEC validation plugin
for Internet Explorer 7-9
• https://labs.nic.cz/page/1031/rozsireni-dnssec-validator-pro-internet-explorer/
79

http://dnssec-or-not.org
80

http://dnssectest.sidn.nl
81

enabling DNSSEC using
'dnscmd'
• it is also possible to enable DNSSEC validation from the commandline
using the command
dnscmd /RetrieveRootTrustAnchors
• This command will first fetch the delegation signer (DS-record) using
https from IANA (https://data.iana.org/root-anchors/root-anchors.xml).
• The server will then fetch the public key signing key from the root
zone during an active refresh cycle
(RFC 5011) and validate the KSK using the delegation signer record.
82

enabling DNSSEC using
'dnscmd'
83

DNSSEC zone signing with
Windows 2012
84

Windows 2012 DNSSEC
85

Windows 2012 DNSSEC
86

Windows 2012 DNSSEC
87

Windows 2012 DNSSEC
88

ZSK and KSK
• One issue in cryptography in general is that keys can be stolen or
cracked
• the longer the key is used, the higher the probability that the key can
be replicated by a brute force attack or is stolen and used (without
notice)
• the selection of the key algorithm and key length influence the
probability of breaking a key
• the availability of cleartext and the crypto-data in DNS makes is
easy for attackers to validate a cracked key
89

ZSK and KSK
• Therefore, it is common practice for operational flexibility to have multiple key
pairs:
• A ZSK (Zone Signing Key), to sign the contents of the zone
• Except possibly not the DNSKEY RRSet
• A KSK (Key Signing Key), to sign just the DNSKEY records
• A spare KSK, in case the active KSK is compromised
• Repeat all of the above for each key algorithm used
• The parent zone has a DS record for the active KSK
90

KSK
•The KSK signs the DNSKEY records in the zone
•The KSK has always an odd flag number (257 for an valid KSK)
•when the KSK is “rolled” (renewed), the DS record in the parent
zone needs to be updated
•The KSK should be created with a large key size to be 'robust'
against brute force attacks
•the KSK has a long lifetime
91

ZSK
• The ZSK signs the all records in the Zone (possibly including the
DNSKEYs)
• The ZSK has always an even flag number (256 for an valid ZSK)
• The ZSK can be rolled without the need to change the DS record in
the parent
• So the operator of the zone is more flexible with key rollovers for
the zone
• The ZSK has a short lifetime and is “rolled” often
92

Generating/Selecting the KSK
93

Generating the KSK
94

The DNSKEY Record
• There are different algorithms defined for DNSSEC:
• RSAMD5 (deprecated and insecure, not available in Windows 2012)
• RSASHA1 (mandatory to implement, but SHA1 is seen as a weak protocol)
• RSASHA256 (used to sign the ROOT-Zone)
• RSASHA512
• ECCGOST (used in Russia, not implemented in
Windows 2012)
• DSA (slow for validation, not used in practice, not available in Windows 2012)
• ECDSA (SHA-256 and SHA384, RFC 6605 - April 2012, not widely deployed in validators)
95

Key length
•current cryptanalysis finds RSA keys less than 700 bits as
breakable (although with huge amounts of resources)
•Recent (2012) calculations indicate that 1024bit RSASHA1 keys
could be broken in 5 years time
•it is generally recommended to move away from SHA1 in the
next years
•SHA256 or SHA512 with 2048bit key length are safe for the next
decades based on current cryptanalysis
96

Impact of key length
•a larger key increases the computing resources to sign a
zone and to validate the signatures
•doubling the key size in bits increases ...
•... the time needed to create signatures (signing) by a
factor of 8
•... the time needed to validate signatures by a factor of 4
97

Selection of key length
•the default in Windows 2012 for the Key signing key
(KSK) is 2048bit RSA/SHA256
98

Selection of key length
•the “DNSKEY RRSET signature validity period” defines the
lifetime of the signatures (RRSIG) on the DNSSEC public
keys (KSK and ZSK)
•Windows 2012 DNS server signed the DNSKEY record set
with both keys (ZSK and KSK)
•the default value is 168 hours (= 7 days = 1 week)
99

KSK rollover
•Windows 2012 can perform automatic rollovers
•the default rollover interval for the KSK is 755 days
(approx. 2 year)
100

KSK Key Rollover (double-sign)
KSKoldcreate
new KSK
KSKnew KSK
zone transfer +
max TTL of zone
remove old
KSK
key active
key published
send new DS
set to
parent
KSKold
KSKnew
TTL of DS records
set in parent
new DS
record in
parent
101

KSK defined
102

Selecting/Generating a ZSK
103

104

105

ZSK Key parameters
•for the ZSK, it is recommended to use the same cryptographic
algorithm as for the KSK
•the key length of a ZSK is usually lower, as the ZSK is rolled
on shorter intervals
•RSA/SHA-256 with 1024bit key are the defaults in Windows
2012
106

signature lifetimes
•“DNSKEY signature validity period” defines the lifetime of
the signatures created by the ZSK over the public
DNSSEC keys in the zone (DNSKEY records)
•default is 168 hours (= 7 days = 1 week)
107

signature lifetimes
•“DS signature validity period” defines the lifetime of the
signatures created by the ZSK over a delegation signer
record (DS-Record) that establishes the trust to a child
zone of this zone
•default is 168 hours (= 7 days = 1 week)
108

signature lifetimes
•“Zone record validity period” defines the lifetime of the
signatures created by the ZSK over all other resource
records in the zone (SOA, NS, A, AAAA, MX, TXT, SRV ...)
•default is 240 hours (= 10 days)
109

ZSK rollover
•the default rollover interval for the ZSK is 90 days
(approx. 3 month)
110

ZSK Key Rollover (pre-publish)
ZSKold
ZSKnew
create
new ZSK
ZSKold
ZSKnew ZSK
use new
ZSK for
signing
zone transfer +
TTL of DNSKEY-RRset
zone transfer +
max TTL of zone
remove old
ZSK
key active
key published
111

ZSK is generated
112

NSEC or NSEC3?
113

The NSEC Record
• RRSIG records are fine for authenticating records
• But what about negative responses, like NXDOMAIN or NO DATA?
• These don't contain records to sign
• We can't just provide the SOA record and its signature
• That would allow replay attacks
• We must add a new RR type to prove negatives, which we can
then sign
114

The NSEC record
•Example:
foo.example. IN SOA [...]
foo.example. IN NS ns1.foo.example.
foo.example. IN MX 10 mail.foo.example.
foo.example. IN A 192.168.0.1
foo.example. IN NSEC mail.foo.example. SOA NS MX A NSEC
mail.foo.example. IN A 192.168.0.2
Pointer to
next owner
name in zone
115

The NSEC record
•Example:
foo.example. IN SOA [...]
foo.example. IN MX 10 mail.foo.example.
foo.example. IN A 192.168.0.1
foo.example. IN NSEC mail.foo.example. SOA NS MX A NSEC
mail.foo.example. IN A 192.168.0.2
List of RR
types for this
owner name
(foo.example)
116

The NSEC3 Record
•NSEC records allow a nosy stranger to obtain a complete
copy of your zone
•They enumerate that which exists, in order to prove that
which does not exist
•example: ldns-walk paypal.com
•Therefore, they can be used to build a list of queries to
obtain the whole zone
117

The NSEC3 Record
•NSEC3 uses hashed domain names to obscure the list of
names in the zone
•The owner name and next node name are now hashed
118

NSEC or NSEC3?
119

Trust Anchors
120

The Chain of Trust
•We already have a chain linking parent zones to child
zones – the chain of authority
•We create a parallel chain of trust linking signed parent
zones to signed child zones
•Enter the DS RR type
121

The DS (Delegation Signer)
Record
•The DS RR is used in the DNSKEY authentication process
•Answer to the question, is the zone's public key
(DNSKEY) valid?
•The DS RR is stored in the parent zone of the DNSKEY's
zone
•and is a hash-value on the zone's DNSKEY
122

The Chain of Trust Illustrated
(Part 1)
com. IN SOA (soa param)
com. IN RRSIG (SOA->COM-Key)
com. Zone
.com zone private Key
(stored secure)
com. IN DNSKEY COM-Key
com. IN RRSIG (DNSKEY->COM-Key)
.com zone public key
in zonefile
sub.com. IN NS ns.example.com.
sub.com. IN DS (hash->sub.com-Key)
sub.com. IN RRSIG (DS->COM-Key)
123

(Part 2)
com. Zone
.com zone private Key
(stored secure)
.com zone
Signatures created with private Zone-Key
(“COM”-Zone-Key)
Signatures
.com zone
there is no signature
on non-authorative
data (delegation of
sub.com)
124

(Part 3)
com. Zone
sub.com zone private Key
used to sign the zone-data
sub.com. IN SOA (soa param)
sub.com. IN RRSIG (SOA->SUB.COM-Key)
sub.com. IN DNSKEY SUB.COM-Key
sub.com. IN RRSIG (DNSKEY->SUB.COM-Key)
sub.com. IN RRSIG (NS->SUB.COM-Key)
sub.com. Zone
DS Record in
parent zone
validates DNSKEY
in child zone
125

DS-Records in Windows 2012
•Windows 2012 stores the DS-Record set and the DNSKEY
record sets in text files under C:WindowsSystem32dns
126

127

128

Signing and polling
129

Signing the zone
130

Zone is signed
131

signed zone in DNS manager
132

signed zone in the
Men & Mice Suite
133

signed zone in the
Men & Mice Suite
134

signed zone in the
Men & Mice Suite
135

Windows 2012 DNS and
DNSSEC Training
• 3 day “hands-on” training including
• a throughout introduction into DNSSEC
• DNSSEC key rollovers
• monitoring DNSSEC signed zones
• DNSSEC troubleshooting and tools
• many “hands-on” labs
• Dates and Prices
• go to http://menandmice.com/training/
136

Thank you!
E-Mail:
carsten@menandmice.com
137

Windows 2012 and DNSSEC

More Related Content

What's hot (20)

Viewers also liked (15)

Similar to Windows 2012 and DNSSEC (20)

More from Men and Mice (20)

Recently uploaded (20)

Windows 2012 and DNSSEC