ION Hangzhou - How to Deploy DNSSEC
Download as PPTX, PDF0 likes583 views
This document discusses DNSSEC deployment. It provides an introduction to DNSSEC and outlines the preparation, process, strategy, and potential influences of a DNSSEC deployment. Key aspects include setting up a test environment, upgrading systems, training staff, signing zones and managing keys, implementing the deployment in stages, and dealing with increased size of packets and potential for larger DDoS attacks. Regular key rollover is part of the long-term strategy. Resources for further information are also provided.
ION Hangzhou - How to Deploy DNSSEC
- 4. 1.1. DNSSEC • DNS Security Extensions • A system to verify the authenticity of DNS “Data” • Detecting cache poisoning, MITM… • Data origin authentication and data integrity • Authenticating name and type non-existence
- 5. 1.2. Progress • 1378 TLDs in the root zone in total • 1223 TLDs are signed • 1213 TLDs have trust anchors published as DS records in the root zone • 5 TLDs have trust anchors published in the ISC DLV Repository
- 6. 1.3. Timeline Experimental Announced Partial DS in Root Operational Internal experimentation Public commitment to deploy Zone is signed but not in operation Zone is signed and its DS has been published Accepting signed delegations and DS in root
- 7. 1.3. Timeline • 2010-12~ 2013-03 Experimental • 2013-04 Announced • 2013-08 Partial • 2013-09 DS in Root • 2013-12 Operational Experimental: Software development Risk analysis Announced: Hardware & software deployment Training and drills Partial: Signed & roller Observation & verification DS in Root: Generation & submission Observation & verification Operational: Development and upgrades Debugging
- 9. 2.1. Test-bed 1. Simulate the real environment 2. DNS system 3. EPP 4. Sign zone 5. Key rotation 6. Emergency response 7. … HSM FW FW USER REGISTRAR RT FW LB SW SW DB SERVER SERVERs
- 10. 2.2. Upgrading & Survey 1. Data packet increase 2. Insufficient memory 3. Network bandwidth 4. EDNS0 5. TCP 6. … 1. DNS server 2. Router 3. Firewall 4. Switch 5. Load-balance 6. …
- 11. 2.3. Documents & Training 1. Deployment scheme a) Make technical details clear b) Arrange every task to people c) Promote the work by time 2. Emergency plan 3. DPS 4. … 1. Basic knowledges about DNSSEC 2. Operational skills 3. Emergency response 4. … AnnouncedExperimental
- 13. 3.1. Keys • Key type, algorithm and lens Key Type Function Algorithm Lens NSEC/NSEC3 ZSK Sign RRSET RSA-SHA256 1024 NSEC3 KSK Sign DNSKEY RRSET 2048 • Key rollover cycle and RRSIG period Key Type Period Roll Overlap RRSIG Period ZSK 100 day 90 day 10 day 30 day KSK 13 month 12 month 30 day • Different types of zones use different key pairs
- 14. 3.2. DNSSEC Environment HSM FW FW RT FW LB SW SW DB SERVER SITEs SERVERs SERVERs
- 15. 3.3. Switching Scheme 1. Several sites using anycast 2. On-line switching 3. Immediate verification a) Part of servers received DNSSEC zone data b) Verify data c) Online d) No-dnssec off-line e) Repeat
- 16. 3.4. Emergency Response Strategy 1. Emergency response strategy for every step; 2. Anycast ensure the availability of service; 3. If DNSSEC service in the main operation center is down, secondary operation center can take over the service shortly; 4. If DNSSEC service in sites is down, DNS service (without DNSSEC) can take over the service in 10 minute; 5. Comprehensive checking mechanism.
- 17. 3.5. Submit DS in Root 1. Email 2. Online system 3. Check, check, check… 4. Validation Partial DS in Root
- 18. 3.6. Commands • Recursive • Authority options { dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto; }; trusted-keys { . 257 3 8 “AwEAAag……1ihz0=”; }; options { dnssec-enable yes; }; dnssec-keygen …… dnssec-signzone …… >***.zone.signed zone “example.com” { type master; file “zones/example.com/***.zone.signed”; key-directory “keys/”; };
- 20. • Zone signing is recommended to be executed in the HSM, the basic procedures are as follows: a) The primary master obtains RR from the registration database and generates the original zone file; b) The hidden primary master sends the original zone file to HSM; c) HSM read the right keys; d) HSM sign zone using keys; e) HSM sends the signed zone back to the hidden primary master; f) The signed zone are loaded onto hidden primary master, which will update to secondary master servers. 4.1. Zone Signing
- 21. 4.2. Key Rollover ZSK • To prevent the keys from being cracked or leaked out, ZSK should be replaced and rotated on a regular basis; • The ZSK roll-over policy is to adopt a pre- publish mechanism (RFC4641); • The validity period of each ZSK generated is 100 days and the roll-over cycle is 90 days. KSK • To prevent the keys from being cracked or leaked out, ZSK should be replaced and rotated on a regular basis; • The ZSK roll-over policy is to adopt a pre- publish mechanism (RFC4641); • The validity period of each ZSK generated is 100 days and the roll-over cycle is 90 days.
- 22. 4.2. Key Rollover • Steps (KSK) • New KSK generation, resigning the zone with ZSK, KSK_old and KSK_new • Submit new DS to root & delete old DS • KSK_old Revoke • KSK_old delete KSK_1 KSK_old KSK_new Active KSK_old Revoke KSK_new KSK_old Delete KSK_new 300 days KSK_new KSK_new_2 Active 35 days 30 days 1 2 3
- 23. 4.3. Key management 1. Key pairs generation offline 2. Key pairs backup online/offline 3. Private key protection 4. Key pairs management document/system
- 24. 4.4. Security consideration 1. Physical Controls Electromagnetic shielding Physical access management Different roles for different tasks Teamwork Procedural Controls 2. Technical Controls Certifications Network controls: FW, ACL, VLAN Software controls: Versions, Bugs, documents
- 26. 5.1. Size • Zone Size − Opt-out − Increased a little (7%) • Packet Size − RRSIG − 2.5 times larger in average Zone Size No DNSSEC 700 DNSSEC 750 1 201 401 601 No DNSSEC DNSSEC Mb Packet size No DNSSEC 170 DNSSEC 423 1 201 401 601 No DNSSEC DNSSEC Byte• 73% DNSSEC query in usual • After sub-domain and recursive nameservers implemented DNSSEC, bandwidth costs will be much larger
- 27. 5.2. Challenge DDoS Attack • QpS increased to 2.4 times larger • Packet size increased to 700 Byte average (1.65 times) • Bandwidth reach 4 (2.4*1.65) times larger than usual Packet size Usual 423 Attack 700 423 700 1 101 201 301 401 501 601 701 Usual Attack Byte
- 28. Sharing • http://www.internetsociety.org/deploy360/dnssec/ • http://www.nlnetlabs.nl/publications/dnssec_howto/ • http://stats.research.icann.org/dns/tld_report/ • http://www.nlnetlabs.nl/projects/dnssec/ • http://www.dnssec-deployment.org/ • https://www.iana.org/dnssec/ • http://dnssec-debugger.verisignlabs.com/ • https://www.opendnssec.org/ • zhaoqi@cnnic.cn
Editor's Notes
- #2: Project Planning and Design Group Responsible for the DNSSEC deployment of “.CN” and “.中国” Hope we have a great time
- #3: Seminar Now, let me introduce the OUTLINE of this seminar First,
- #4: Seminar Now, let me introduce the OUTLINE of this seminar First,
- #9: Seminar Now, let me introduce the OUTLINE of this seminar First,
- #13: Seminar Now, let me introduce the OUTLINE of this seminar First,
- #14: All pairs of keys (ZSK and KSK) in use are generated in the HSM in a secure way. The cryptographic module meets the standard of Chinese authorities and relevant international standards. Five key administrators account are generated during the HSM initialization process, and only more than half of them have passed identity authentication can the HSM be accessed. Generation of keys is performed by well-trained key administrators. At least three key administrators (Appointing at least two system administrators and at least one System operator is allowed in an emergency situation) will be involved in the entire process of key generation and designated auditing personnel will be present to supervise and record the process.
- #15: All pairs of keys (ZSK and KSK) in use are generated in the HSM in a secure way. The cryptographic module meets the standard of Chinese authorities and relevant international standards. Five key administrators account are generated during the HSM initialization process, and only more than half of them have passed identity authentication can the HSM be accessed. Generation of keys is performed by well-trained key administrators. At least three key administrators (Appointing at least two system administrators and at least one System operator is allowed in an emergency situation) will be involved in the entire process of key generation and designated auditing personnel will be present to supervise and record the process.
- #19: All pairs of keys (ZSK and KSK) in use are generated in the HSM in a secure way. The cryptographic module meets the standard of Chinese authorities and relevant international standards. Five key administrators account are generated during the HSM initialization process, and only more than half of them have passed identity authentication can the HSM be accessed. Generation of keys is performed by well-trained key administrators. At least three key administrators (Appointing at least two system administrators and at least one System operator is allowed in an emergency situation) will be involved in the entire process of key generation and designated auditing personnel will be present to supervise and record the process.
- #20: Seminar Now, let me introduce the OUTLINE of this seminar First,
- #21: The hidden primary master obtains resource records from the “.CN” registration database and generates the original zone file; The hidden primary master securely sends the original zone file to HSM; HSM reads the configuration files for zone signing and generates the keys needed, including KSK and ZSK; HSM executes zone signing using ZSK and KSK; When zone signing is completed, HSM sends the files that have been signed back to the hidden primary master; The zone files that have been signed are loaded onto the hidden primary master, which will then update data to the secondary master servers.
- #24: All pairs of keys (ZSK and KSK) in use are generated in the HSM in a secure way. The cryptographic module meets the standard of Chinese authorities and relevant international standards. Five key administrators account are generated during the HSM initialization process, and only more than half of them have passed identity authentication can the HSM be accessed. Generation of keys is performed by well-trained key administrators. At least three key administrators (Appointing at least two system administrators and at least one System operator is allowed in an emergency situation) will be involved in the entire process of key generation and designated auditing personnel will be present to supervise and record the process.
- #25: All pairs of keys (ZSK and KSK) in use are generated in the HSM in a secure way. The cryptographic module meets the standard of Chinese authorities and relevant international standards. Five key administrators account are generated during the HSM initialization process, and only more than half of them have passed identity authentication can the HSM be accessed. Generation of keys is performed by well-trained key administrators. At least three key administrators (Appointing at least two system administrators and at least one System operator is allowed in an emergency situation) will be involved in the entire process of key generation and designated auditing personnel will be present to supervise and record the process.
- #26: Seminar Now, let me introduce the OUTLINE of this seminar First,
- #27: this slide shows the real change which occurred in .cn. DNSSEC bring us bigger zone size and packet size. luckly we use opt-out to reduce the zone size increase in the begging of deployment of .cn, it shows in picture1 that it only increase 50 Megabits; But because the rrsig of the record, the response packet size increased to 2.5 times than noDNSSEC! In order to make further inferences[ˈinfərənsiz] , we analysis the real traffic in CN, that there are already 68% dnssec query in usual! It’s the reason that the packet size increased to much larger than before! It can be deduced that After sub-domain and recursive nameservers having been implemented DNSSEC, bandwidth costs will be much larger But why there is so much dnssec query now? it requires us to do further research…
- #28: The last slide shows a small size ddos attack Recently The qps increased to 2.4 times larger than usual, and Packet size increased to 700 Byte average (which is 1.65 times larger than usual), so the Bandwidth reach 4 (2.4*1.65) times. It shows that After sub-domain and recursive nameservers having been implemented DNSSEC, the ddos attack Will cause a greater threat to cn. So there is 3 challenges that we must faced, How to push Second-tld open DNSSEC? How to push Recursive open DNSSEC? And How to face the pressure after 1) and 2)? We have much more work to do…