
DNSSEC


Presentation Transcript


  1. DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT Student Assistant SysAdmin

  2. Wait… I thought you were from SUNYIT?

  3. DNSSEC Timeline

  4. Selective Timeline of DNSSEC
     • 1987 – DNS ratified to replace hosts.txt
     • 1990 – DNS security flaws found
     • 1997 – First try at DNSSEC - RFC 2065
     • 1999 – Second try at DNSSEC - RFC 2535; BIND 9 is the first DNSSEC-capable implementation
     • 2005 – Finalized RFCs published
     • July 2008 – Kaminsky exploit announced
     • July 2010 – Root signed
     • August 2010 – .edu TLD is signed
     • March 2011 – .com TLD is signed; ARIN signed for reverse DNS

  5. DNS Basics A refresher to get us all on the same page…

  6. DNS Records
     • DNS is comprised of various resource record (RR) types
     • Primary types:
       • A – maps hostnames to IP addresses
       • MX – maps a host or domain to a list of mail servers
       • CNAME – specifies an alias for a host
       • PTR – maps an IP address to a host name
       • NS – specifies authoritative name servers for a zone
       • SOA – specifies authoritative information about a zone:
         • Primary name server
         • Domain administrator email
         • Serial number
         • Timers related to refreshing the zone
     • DNSSEC will introduce several new record types

  7. DNS Security Issues
     • Original DNS specifications did not account for security
     • DNS Spoofing
       • No data integrity checks
       • Anyone can answer a request intended for another name server
       • Attacks against query ID numbers
     • Cache Poisoning
       • A result of DNS spoofing
       • Trick a DNS server into caching false information
       • Nodes querying this name server will obtain false cached data
       • Consequences:
         • Clients misdirected to alternate locations
         • Compromise of host-based authentication systems

  8. DNSSEC Concepts

  9. 4 Security Objectives of DNSSEC
     • Key Distribution
     • Origin Authentication
     • Data Integrity
     • Authenticated Denial of Existence

  10. New Record Types
     • DNSKEY
       • Public side of the private/public key pair
       • Key Signing Key
       • Zone Signing Key
     • RRSIG
       • Signed validation of a resource record set
     • DS
       • Delegation Signer
       • Builds the chain of trust
     • NSEC/NSEC3
       • Certified non-existence record

  11. Traditional DNS Lookup (un-cached) [diagram: a client looking for fang.cs.sunyct.edu asks the recursive DNS server, which makes iterative calls to root, then edu, then sunyct, then cs, and finally fang before returning the answer; the steps are numbered 1 through 8]

  12. DNS Lookup Under Attack [diagram: the same lookup for fang.cs.sunyct.edu, with the recursive DNS server making iterative calls to root, edu, sunyct, cs and fang (steps 1 through 8); the cs server is marked as the one targeted by cache poisoning]

  13. Keys
     • Public/Private key pair
       • Private key used to sign records
         • Should be kept in a secure location (not on live DNS servers)
       • Public key used to check signatures
       • Must be 512 to 4096 bits for DNSSEC
       • Several algorithms available
     • Zone Signing Key used to sign zones
     • Key Signing Key used to sign the ZSK record
       • Generally larger & more secure
       • Cryptographic digest of the KSK is sent upstream
     • DS Record
       • Verifies authority of the KSK

  14. Key Flow [diagram: edu holds the DS record for sunyct.edu; the sunyct.edu zone has its own KSK and ZSK and in turn holds DS records for island.sunyct.edu and cs.sunyct.edu, each of which has its own KSK and ZSK; hosts such as ampere, nagios, logit, maryann, gilligan, professor, fang, yoshi and spuds appear under their respective zones]

  15. Chain of Trust / Tower of Authority [diagram: the same lookup for fang.cs.sunyct.edu, with the chain of trust from root down through edu, sunyct and cs to fang; caption: "Crushes you when your data is bad"; the cs server remains the one targeted by cache poisoning]

  16. Key Rollover
     • Changing the ZSK:
       • Recommended monthly to quarterly
     • Changing the KSK:
       • Recommended annually
     • Why roll over?
       • Reduced window of key exposure
       • ZSKs sign many records
       • Keys become more vulnerable with use

  17. NSEC/NSEC3 Comparison
     • Presented as evidence of non-existence

  18. ldns-walk of berkeley.edu

  19. What’s all this RRSIG stuff? [annotated record; fields called out:]
     • Signature expiration
     • Key tag of signing key
     • Algorithm
     • Starting TTL
     • Date of signing
     • The signature itself
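To make the fields on this slide concrete, here is an added example (not from the slides or from BIND) that splits a presentation-format RRSIG into those fields and reports whether a validator would still accept it at a given time. The sample record, its dates and its signature bytes are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG in zone-file presentation format (not a real record):
# owner TTL class RRSIG type-covered alg labels orig-TTL expiration inception key-tag signer signature
SAMPLE_RRSIG = (
    "fang.cs.sunyct.edu. 3600 IN RRSIG A 8 4 3600 "
    "20110601000000 20110502000000 12345 cs.sunyct.edu. "
    "dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)


def _ts(s: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Split an RRSIG line into its RDATA fields (order per RFC 4034 section 3.2).

    The TTL and class columns are optional in zone files, so we locate the
    RRSIG token instead of assuming fixed positions.
    """
    toks = line.split()
    if "RRSIG" not in toks or len(toks) - toks.index("RRSIG") - 1 < 9:
        raise ValueError("not an RRSIG record")
    rdata = toks[toks.index("RRSIG") + 1:]
    return {
        "owner": toks[0],
        "type_covered": rdata[0],
        "algorithm": int(rdata[1]),
        "labels": int(rdata[2]),
        "original_ttl": int(rdata[3]),     # "Starting TTL" on the slide
        "expiration": _ts(rdata[4]),        # signature expiration
        "inception": _ts(rdata[5]),         # date of signing
        "key_tag": int(rdata[6]),           # key tag of the signing key
        "signer": rdata[7],
        "signature": "".join(rdata[8:]),    # base64; may be wrapped across tokens
    }


def signature_status(rrsig: dict, now: datetime) -> str:
    """'valid' inside the inception/expiration window, otherwise why it fails."""
    if now < rrsig["inception"]:
        return "not yet valid"
    if now >= rrsig["expiration"]:
        return "expired"  # the classic operational failure: zone not re-signed in time
    return "valid"


def status_at(line: str, when: str) -> str:
    """Convenience wrapper: 'when' uses the same YYYYMMDDHHmmSS UTC format."""
    return signature_status(parse_rrsig(line), _ts(when))
```

A recurring check of `status_at` against the zone's own RRSIGs, with an alert some days before expiration, catches the case where the re-signing job stopped running.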

  20. Gotchas
     • DoS danger
     • Load increase
       • A signed zone can be 4x LARGER than unsigned
       • Bigger record size = more network traffic
     • Key security
       • Dynamic DNS = fail (have to keep private keys loaded to re-sign; no support for that)
     • Network gear must support EDNS0 for UDP packets
     • Performance!

  21. Implementation

  22. Our Test Environment
     • 3 VMs running OEL (sunyct.edu)
     • 3 hosts running FreeBSD (cs.sunyct.edu)
     • BIND 9.8.0-P2

  23. BIND Versions/Restrictions
     • We recommend using the most up-to-date version of your preferred DNS software
       • Updates often pertain to security issues
     • Preliminary DNSSEC support introduced in BIND 8.2
     • Recommended version of BIND 9.7 for all capabilities
     • Windows Server 2003 has preliminary support
       • Slave support only
       • Must be activated in the Registry
     • Windows Server 2008 R2 has full support

  24. Key Generation [annotated key-generation command; callouts:]
     • Algorithm name
     • Type (specifies key type)
     • Key size
     • Zone name
     • Smaller key size
     • ZSK is default
     • Key tag added

  25. Signing the Zone [annotated zone-signing command; callouts:]
     • NSEC3
     • Hex salt
     • Zone
     • Zone file
     • Generated zone file

  26. named.conf Edits – Authoritative Servers
     • Add “dnssec-enable yes” to the options section
     • For your first time signing, make sure you increment your serial number!
     • After signing your zones, point to the new signed zones
       • Same names as your old zone files, but with “.signed” appended

  27. named.conf Edits – Recursive Servers To start validating results, add: “dnssec-validation yes”. You also need to get the KSK for root into your config. As of this presentation, it would look like this for BIND >= 9.7:

  28. Determine Your DS Info [annotated DS-generation command and output; callouts:]
     • Specify SHA1 hash
     • Key file
     • Key tag
     • Domain
     • Digest algorithm and digest type fields
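The DS record the slide derives is just a key tag plus a hash over the owner name and the KSK's DNSKEY RDATA. The following added example (not from the slides, and not BIND's tooling) computes the key tag and the DS digest for SHA-1 (digest type 1, as the slide uses) and SHA-256 (digest type 2) so the fields called out above can be checked by hand before the digest goes upstream. The 4-byte "public key" and the owner name are constructed, not real key material.

```python
import base64
import hashlib
import struct


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # DS "digest type" field -> hash function


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as uppercase hex."""
    return DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS record: owner IN DS <key tag> <algorithm> <digest type> <digest>."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey_b64)
    return (f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


if __name__ == "__main__":
    # Constructed input: flags 257 marks a KSK (zone key + SEP bit), algorithm 8 = RSA/SHA-256,
    # and "AQIDBA==" is base64 of the bytes 01 02 03 04 so the key tag (2063) is easy to verify by hand.
    print(ds_record("Example.COM.", 257, 8, "AQIDBA==", 1))
    print(ds_record("Example.COM.", 257, 8, "AQIDBA==", 2))
```

Comparing this output against what the parent actually publishes (via dig, or the verification tools later in the deck) is the quickest way to confirm the delegation points at the KSK you intended.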

  29. Send Your Digest to EDUCAUSE

  30. Key rotation - ZSK
     • Generate and publish the new ZSK one TTL before the planned rotation, but don’t sign the zone with it!
     • After TTL expiration, sign with the new ZSK
     • Leave the old DNSKEY record in the zone for 1 TTL cycle
       • Allows cached signed records to be verified (signatures created with the old key need time to expire)
     Here’s one option:
     • Have 3 ZSKs in your zone: the previous, current and next. Your zones will always contain the necessary keys.

  31. Key rotation - KSK
     • Generate and publish the new KSK at least one TTL before the planned rotation and sign the ZSK records with both the old and the new keys.
     • Make sure you send your new DS record upstream!
     • After TTL expiration, remove the old DS record from your upstream provider and remove the old KSK from your zone files

  32. Verification

  33. Verification – dnsviz.net [screenshots: one result showing “All Clear”, one showing a “Trust Issue”]

  34. DNSSEC Debugger – Verisign Labs [screenshots: one where everything looks good, one that shows a problem with the keys]

  35. dig – Points of Interest [annotated dig command and output; callouts:]
     • DNSSEC-enabled search
     • Record type
     • Host to query for
     • DNS server name
     • ad flag = authenticated data (this means it’s been confirmed valid)

  36. dig – Points of Interest
     • aa flag = authoritative answer (if you’re querying the authoritative server, you won’t see the ad flag, just the aa flag)

  37. Questions? Get a copy of the slides @ http://www.cs.sunyit.edu/stc

  38. References
     • 7 Things You Should Know About DNSSEC
     • Microsoft DNSSEC Deployment Guide
     • DNSSEC Debugger – Verisign Labs
     • DNSViz – DNS Visualization Tool
     • Firefox DNSSEC Validator Plugin
     • DNSSEC for Beginners
     • DNSSEC Zone Key Tool
     • DNSSEC in 6 Minutes
     • DNSSEC Reference Card
     • ISC Steps for setting up a validating server
