DNS Security Extensions (DNSSEC) are a set of security and authentication mechanisms for the DNS specified by the IETF (see RFC 2535). They extend the DNS with origin authentication and data integrity, but do not guarantee availability, encryption, or proof that a domain name does not exist.
DNSSEC in .ie
HEAnet Annual Conference, Kilkenny November 2010
Introduction
• Billy Glynn (IEDR Techie)
• M.Sc MIS in TCD
• Distinction
• Thesis based on DNSSEC in Ireland
• IEDR operate the ccTLD for Ireland (dot IE)
• DNS vulnerabilities
• DNSSEC in dot IE
Glynn, B :: IEDR :: 11/11/2010
• Packet Interception
• Query ID guessing or prediction
• Betrayal by a trusted server
• Cache Poisoning
• Kaminsky’s Cache Poisoning
• Still poses a risk! - Evgeniy Polyakov **
* http://www.dnssec.net/dns-threats
* http://www.ietf.org/rfc/rfc3833.txt
** http://bit.ly/a7dR62
DNS Vulnerabilities
DNS Vulnerabilities
Vulnerable Name Server Versions
DNSSEC
• Authenticated DNS Messages
• PKI
• KSK, ZSK (pub+priv)
• New RRs
• DS, DNSKEY, RRSIG, NSEC, NSEC3
• When?
• Root Zone “.” is signed since July 15th 2010
• dot IE ?
dot IE DNSSEC Testbed
DNSSEC
• Task Force
• http://www.dnssec.ie
• Operational Guidelines
• Policy
• Mailing List - dnssec-tf@iedr.ie
• Subscribe at: dnssec-tf-subscribe@iedr.ie
Example DNSSEC Query Response
; <<>> DiG <<>> +norec +dnssec @sec1.iedr.ie ie. DNSKEY
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3961
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ie. IN DNSKEY
;; ANSWER SECTION:
ie. 3600 IN DNSKEY 256 3 10 AwEAAd70huFUJUr9XTkl1bXu/Ykrk2jXvyj9lfi2dkrYUucDL9e0LsHH
uU/Eibr/06jjnOt88Tp8r3Pr8o6sNtoNpNuOhEemXeMnkXFDOoeqnvbS a09ASjh77KYGrVZCCKcErlNn1nGiBvoexmYUIFvhBeN8gNMwV4b9U3q/ soWKCFED
ie. 3600 IN DNSKEY 257 3 10 AwEAAdaEXv6yFAwUvbiFEaVSG0aNjWzhEGi0AocYUieuYtNialOOIww2
p+fCJjl+MSbDY9YEyxVSAIukIPMgIDnWPRNGqBIEzu1ZFSA7HffNUN9u NSPIFICXIIBkHXa4O8jZXMnSSuQVipccy8vFu4+Oa4+VVOtX9x6wTX9V
v2D1e5m4AAxvUL4i1ZPhPRI+SM3JjWbtlMcLv1vPKc/ah4oq2sYKg75j sj59NPifCQvUmu7Ebel4tHVbinjtF7Qh9CWzt6uDGs9Z97FyPTV8og43
dCHzoliwZy6+FMVSqQZK86XOra7dBoPdv9bnwP14xSQQN5td0a39l1z2 hVogW3jov/c=
ie. 3600 IN DNSKEY 256 3 10 AwEAAZt2lv8XNEQZzop2mvthQXh6HvTd107GxDZx3IhcKPwT7JY+PJmh
GYocSUQzf4ipmi9RqdPexX7XLJSvn/JJp5WkWozLKTeeskn9FJSq4Fle gH2HjF+g/F+h0rHnuwi7rT0+EuhK8MzhmhPacHB+GD9RzvPSo1OWUg/O osm4CXKv
ie. 3600 IN DNSKEY 256 3 10 AwEAAaLqy0t2GcQE9UAY9TtWCDWSfg5M5VEXh3SUQnlNLJx3oogIfwKQ
5rbwAA3qR99rgdgDDa9Hc9Y00tpWMepzQ0lcZpuc9CSJctHyCiqrLJTH +/0Jiddm8A3jEoxmcOO3sbyoIyItncjGA4dravHJs/L6evWwWq/m4YBP kH+cnZxv
ie. 3600 IN RRSIG DNSKEY 10 1 3600 20101210103959 20101109115513 63903 ie. VCPWxrQu/SD9gERo/jMMrT4ZEmJ+kQTVHJQhxtZmgyxAXP3YYCOjm5Mx
5O+69rVpDWYzArp1HPSmjLCe3PW99hyAiZQ94Vp53AHC4/DhhwC6s4qz 06VGvTuy3IgdmrcVUFsOqJQXY+5z9Uz2a8bAXd8l77RtxbC/v7bkHjxG
HSupA/ACulzvAWUElZB4DYqFP1KK9U+THHLoEjOClYuPuDT5cEqEB5v/ Z0/OMstyaL4rVyJUHLcCZUTeyitXa2vBmfOKioAMTdmj1IJe6HBvQwNA
0/xTu6K0EFYz4A2jwKy39GxiuQ3AHgTVqbwovVRThGHrZNhAfVuMzrQP TIrkkw==
;; Query time: 4 msec
;; SERVER: 193.1.32.45#53(193.1.32.45)
;; WHEN: Wed Nov 10 10:42:52 2010
;; MSG SIZE rcvd: 1041
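Reading an answer like the one above by hand is tedious: which of the four DNSKEYs is the KSK, and which key does the RRSIG's key tag (63903 here) refer to? The following added example (not code from the slides, and using a small constructed zone "example." with made-up keys rather than the real ie. keys) re-joins dig's wrapped records, computes RFC 4034 key tags from the DNSKEY RDATA, and lists the candidate keys for each RRSIG the way a validator would.

```python
import base64
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (flags 256)

# Constructed dig answer section (not the real ie. keys): a ZSK, a KSK wrapped over two lines as
# dig prints long keys, and an RRSIG over the DNSKEY RRset made with the KSK (key tag 45786).
SAMPLE_ANSWER = """
example. 3600 IN DNSKEY 256 3 10 AQIDBA==
example. 3600 IN DNSKEY 257 3 10 AwEA
AavN
example. 3600 IN RRSIG DNSKEY 10 1 3600 20101210103959 20101109115513 45786 example. c2lnbmF0dXJl
"""
def parse_answer_section(text):
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        if line.split()[2:3] == ["IN"]:    # "owner TTL IN type ..." starts a new record
            records.append(line)
        else:                              # anything else continues the previous (wrapped) RR
            records[-1] += " " + line
    return records

def parse_dnskey(rr):
    """Fields of a DNSKEY RR: owner TTL IN DNSKEY flags protocol algorithm base64-key."""
    f = rr.split()
    return {"owner": f[0], "flags": int(f[4]), "protocol": int(f[5]),
            "algorithm": int(f[6]), "key": base64.b64decode("".join(f[7:]))}

def key_tag(rec):
    """RFC 4034 Appendix B key tag over the wire-format RDATA (flags, protocol, algorithm, key)."""
    rdata = rec["flags"].to_bytes(2, "big") + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8    # even offsets weigh the high octet, odd offsets the low
    ac += (ac >> 16) & 0xFFFF           # fold the carry back into the low 16 bits
    return ac & 0xFFFF

def candidate_keys(dnskeys, rrsig):
    """Keys a validator tries for an RRSIG (RFC 4035 5.3.1); key tags are not unique, so possibly several."""
    f = rrsig.split()                   # owner TTL IN RRSIG covered alg labels ttl exp inc tag signer sig
    alg, tag, signer = int(f[5]), int(f[10]), f[11]
    return [k for k in dnskeys if k["owner"] == signer and k["algorithm"] == alg and key_tag(k) == tag]

def summarise(answer_text):
    """Per DNSKEY: (owner, KSK/ZSK, algorithm, key tag); per RRSIG key tag: the tags of matching keys."""
    rrs = parse_answer_section(answer_text)
    dnskeys = [parse_dnskey(r) for r in rrs if r.split()[3] == "DNSKEY"]
    keys = [(k["owner"], "KSK" if k["flags"] & SEP_FLAG else "ZSK", k["algorithm"], key_tag(k)) for k in dnskeys]
    sigs = {int(r.split()[10]): [key_tag(k) for k in candidate_keys(dnskeys, r)] for r in rrs if r.split()[3] == "RRSIG"}
    return keys, sigs
```

Feeding the real answer section from the slide into summarise() shows which of the ie. keys carries tag 63903; a tag match is only a hint, and the validator still has to verify the signature with that key.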
Stephen M. Bellovin*
“Security mechanisms are not magic
pixie dust that can be sprinkled over
completed protocols”
*Author: “Using the Domain Name System for System Break-Ins” (Seminal DNS Threat Paper)
Questions ?
dnssec-tf-subscribe@iedr.ie
billy.glynn@iedr.ie
http://twitter.com/billyglynn
Backup Slide: Which TLDs are signed *
ccTLDs: be. bg. br. bz. ch. cz. dk. eu. fi. fr. gi. hn. lc. li. lk. mn. na. nu. pm. pr. pt. re. se. tf. th. tm. uk. us. yt.
gTLDs: biz. cat. edu. gov. org. info. museum.
IDN TLDs: xn--zckzah. (テスト), xn--0zwm56d. (测试), xn--deba0ad. (טעסט), xn--g6w251d. (測試), xn--jxalpdlp. (δοκιμή), xn--kgbechtv. (إختبار), xn--9t4b11yi5a. (테스트), xn--80akhbyknj4f. (испытание), xn--11b5bs3a9aj6g. (परीक्षा), xn--hgbk6aj7f53bba. (آزمایشی), xn--hlcj6aya9esc7a. (பரிட்சை)
dig @k.root-servers.net . axfr | awk '/^[a-zA-Z0-9-]+\.[[:space:]]/ { print $1, "DS"; }' | sort | uniq | dig -f - | awk '/^[a-zA-Z0-9].*DS/ { print $1; }' | uniq | awk '{ print length($0),$0 | "sort -n"}' | awk '{print $2 }'
* Data as of: 10/11/2010
Backup Slide: Example of DNSSEC Validation