DNSSEC (DNS Security Extensions) is a set of DNS security and authentication mechanisms specified by the IETF (see RFC 2535). It extends DNS with origin authentication and data integrity, but does not guarantee availability, confidentiality (encryption), or proof that a domain name does not exist.

                                 DNSSEC in .ie




HEAnet Annual Conference, Kilkenny November 2010
                                 Introduction



       • Billy Glynn (IEDR Techie)

       • M.Sc MIS in TCD
          • Distinction
          • Thesis based on DNSSEC in Ireland

       • IEDR operate the ccTLD for Ireland (dot IE)

       • DNS vulnerabilities

       • DNSSEC in dot IE
Glynn, B :: IEDR :: 11/11/2010
                                 DNS Vulnerabilities

       • Packet Interception

       • Query ID guessing or prediction

       • Betrayal by a trusted server

       • Cache Poisoning

       • Kaminsky’s Cache Poisoning
          • Still poses a risk! - Evgeniy Polyakov **

       * http://www.dnssec.net/dns-threats
       * http://www.ietf.org/rfc/rfc3833.txt
       ** http://bit.ly/a7dR62
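The slide lists the classic resolver-side threats (blind spoofing by query ID guessing, cache poisoning, and the Kaminsky variant). The following is an added example, not code from the talk or from IEDR, showing the three acceptance checks a caching resolver applies before it trusts an answer: the transaction ID and the randomised source port must both match the outstanding query, the question section must match, and additional-section records are only cached when they are in-bailiwick for the zone that was asked. Messages are plain dataclasses constructed inline (names, ports and addresses are made-up sample values); nothing touches the network.

```python
"""Resolver-side acceptance checks against spoofed / poisoned DNS answers.

Added example (not from the presentation). A forged answer only reaches the
cache if the resolver accepts it, so the resolver must:
  (1) match the 16-bit transaction ID AND the randomised UDP source port,
  (2) match the question it actually asked, and
  (3) keep only additional-section records that lie inside the zone
      the queried server is authoritative for (the bailiwick rule)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute, e.g. "ns1.example.ie."
    rtype: str   # "A", "NS", ...
    rdata: str


@dataclass
class Query:
    txid: int      # 16-bit transaction ID chosen at random
    src_port: int  # randomised UDP source port the query left on
    qname: str
    qtype: str
    zone: str      # zone the queried server is authoritative for, e.g. "ie."


@dataclass
class Response:
    txid: int
    dst_port: int  # port the answer was sent back to
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def normalise(name: str) -> str:
    """Case-fold and make the name absolute so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (label-wise suffix match)."""
    n, z = normalise(name), normalise(zone)
    if z == ".":
        return True
    return n == z or n.endswith("." + z)


def accept_response(q: Query, r: Response) -> Optional[List[RR]]:
    """Return the records a cautious resolver may cache, or None if the
    response must be discarded outright."""
    # (1) A blind spoofer has to guess both the ID and the source port;
    #     either mismatch and the packet is dropped without further parsing.
    if r.txid != q.txid or r.dst_port != q.src_port:
        return None
    # (2) The answer must be for the question we asked (name and type).
    if normalise(r.qname) != normalise(q.qname) or r.qtype.upper() != q.qtype.upper():
        return None
    # (3) Answer and additional records are cached only when in-bailiwick:
    #     a server for ie. has no authority over names under another TLD.
    cacheable = [rr for rr in r.answer if in_bailiwick(rr.name, q.zone)]
    cacheable += [rr for rr in r.additional if in_bailiwick(rr.name, q.zone)]
    return cacheable


if __name__ == "__main__":
    # Constructed sample exchange: one genuine-looking answer that also
    # carries an out-of-bailiwick glue record, which must not be cached.
    q = Query(txid=0x0F79, src_port=51342, qname="www.example.ie.", qtype="A", zone="ie.")
    r = Response(txid=0x0F79, dst_port=51342, qname="www.example.ie.", qtype="A",
                 answer=[RR("www.example.ie.", "A", "192.0.2.10")],
                 additional=[RR("ns1.example.ie.", "A", "192.0.2.53"),
                             RR("ns.example.com.", "A", "198.51.100.1")])
    for rr in accept_response(q, r):
        print("cache:", rr)
```

These checks only raise the cost of a blind attack (the "Still poses a risk" note on the slide refers to Polyakov showing that port randomisation slows a Kaminsky-style attack rather than stopping it), and they do nothing against the "betrayal by a trusted server" case, where the answer is authentic on the wire but wrong. Both gaps are what the signatures in the rest of the talk close.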








                                 Vulnerable Name Server Versions




                                 DNSSEC

       • Authenticated DNS Messages

       • PKI
          • KSK, ZSK (pub+priv)

       • New RRs
          • DS, DNSKEY, RRSIG, NSEC, NSEC3

       • When?
          • Root Zone “.” has been signed since July 15th 2010
          • dot IE ?

                                 dot IE DNSSEC Testbed




                                 DNSSEC



       • Task Force
          • http://www.dnssec.ie
          • Operational Guidelines
          • Policy
          • Mailing List - dnssec-tf@iedr.ie
              • Subscribe at: dnssec-tf-subscribe@iedr.ie




                                                     Example DNSSEC Query Response


; <<>> DiG <<>> +norec +dnssec @sec1.iedr.ie ie. DNSKEY
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3961
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ie.               IN DNSKEY

;; ANSWER SECTION:
ie.          3600 IN DNSKEY 256 3 10 AwEAAd70huFUJUr9XTkl1bXu/Ykrk2jXvyj9lfi2dkrYUucDL9e0LsHH
uU/Eibr/06jjnOt88Tp8r3Pr8o6sNtoNpNuOhEemXeMnkXFDOoeqnvbS a09ASjh77KYGrVZCCKcErlNn1nGiBvoexmYUIFvhBeN8gNMwV4b9U3q/ soWKCFED
ie.          3600 IN DNSKEY 257 3 10 AwEAAdaEXv6yFAwUvbiFEaVSG0aNjWzhEGi0AocYUieuYtNialOOIww2
p+fCJjl+MSbDY9YEyxVSAIukIPMgIDnWPRNGqBIEzu1ZFSA7HffNUN9u NSPIFICXIIBkHXa4O8jZXMnSSuQVipccy8vFu4+Oa4+VVOtX9x6wTX9V
v2D1e5m4AAxvUL4i1ZPhPRI+SM3JjWbtlMcLv1vPKc/ah4oq2sYKg75j sj59NPifCQvUmu7Ebel4tHVbinjtF7Qh9CWzt6uDGs9Z97FyPTV8og43
dCHzoliwZy6+FMVSqQZK86XOra7dBoPdv9bnwP14xSQQN5td0a39l1z2 hVogW3jov/c=
ie.          3600 IN DNSKEY 256 3 10 AwEAAZt2lv8XNEQZzop2mvthQXh6HvTd107GxDZx3IhcKPwT7JY+PJmh
GYocSUQzf4ipmi9RqdPexX7XLJSvn/JJp5WkWozLKTeeskn9FJSq4Fle gH2HjF+g/F+h0rHnuwi7rT0+EuhK8MzhmhPacHB+GD9RzvPSo1OWUg/O osm4CXKv
ie.          3600 IN DNSKEY 256 3 10 AwEAAaLqy0t2GcQE9UAY9TtWCDWSfg5M5VEXh3SUQnlNLJx3oogIfwKQ
5rbwAA3qR99rgdgDDa9Hc9Y00tpWMepzQ0lcZpuc9CSJctHyCiqrLJTH +/0Jiddm8A3jEoxmcOO3sbyoIyItncjGA4dravHJs/L6evWwWq/m4YBP kH+cnZxv
ie.          3600 IN RRSIG DNSKEY 10 1 3600 20101210103959 20101109115513 63903 ie. VCPWxrQu/SD9gERo/jMMrT4ZEmJ+kQTVHJQhxtZmgyxAXP3YYCOjm5Mx
5O+69rVpDWYzArp1HPSmjLCe3PW99hyAiZQ94Vp53AHC4/DhhwC6s4qz 06VGvTuy3IgdmrcVUFsOqJQXY+5z9Uz2a8bAXd8l77RtxbC/v7bkHjxG
HSupA/ACulzvAWUElZB4DYqFP1KK9U+THHLoEjOClYuPuDT5cEqEB5v/ Z0/OMstyaL4rVyJUHLcCZUTeyitXa2vBmfOKioAMTdmj1IJe6HBvQwNA
0/xTu6K0EFYz4A2jwKy39GxiuQ3AHgTVqbwovVRThGHrZNhAfVuMzrQP TIrkkw==

;; Query time: 4 msec
;; SERVER: 193.1.32.45#53(193.1.32.45)
;; WHEN: Wed Nov 10 10:42:52 2010
;; MSG SIZE rcvd: 1041
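The DNSKEY RRset above is what the parent zone (the root, for ie.) condenses into a DS record: a key tag plus a hash of the owner name and the DNSKEY RDATA. As an added example, not code from the talk or from IEDR, the block below implements the RFC 4034 key-tag calculation and the DS digest (SHA-256, digest type 2, is assumed as the default; type 1 is SHA-1), parses a DNSKEY presentation line such as the ones in the dig output (the base64 is allowed to be line-wrapped, as it is on the slide), and emits the matching DS record. It also illustrates the KSK/ZSK split from the DNSSEC slide: the flags field 257 marks the key-signing key, 256 a zone-signing key.

```python
"""Key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5,
RFC 4509 for SHA-256) from a DNSKEY presentation-format line.

Added example; assumes standard library only."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed
    labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1: ones-complement-style sum of the RDATA as
    16-bit big-endian words, folded to 16 bits (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey_line(line: str):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...'; the base64
    may be split by whitespace, as dig prints it."""
    fields = line.split()
    owner = fields[0]
    flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
    key = base64.b64decode("".join(fields[7:]))
    return owner, flags, proto, alg, key


def key_role(flags: int) -> str:
    """Bit 7 (value 256) = Zone Key; bit 15 (value 1) = SEP, set on a KSK."""
    if flags & 0x0100 == 0:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def ds_record(line: str, digest_type: int = 2) -> str:
    """DS record (TTL omitted) for the DNSKEY given in presentation format."""
    owner, flags, proto, alg, key = parse_dnskey_line(line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


if __name__ == "__main__":
    # The ie. KSK (flags 257, algorithm 10) transcribed from the dig output
    # on the slide; the base64 was line-wrapped there and is joined here.
    IE_KSK = ("ie. 3600 IN DNSKEY 257 3 10 "
              "AwEAAdaEXv6yFAwUvbiFEaVSG0aNjWzhEGi0AocYUieuYtNialOOIww2 "
              "p+fCJjl+MSbDY9YEyxVSAIukIPMgIDnWPRNGqBIEzu1ZFSA7HffNUN9u "
              "NSPIFICXIIBkHXa4O8jZXMnSSuQVipccy8vFu4+Oa4+VVOtX9x6wTX9V "
              "v2D1e5m4AAxvUL4i1ZPhPRI+SM3JjWbtlMcLv1vPKc/ah4oq2sYKg75j "
              "sj59NPifCQvUmu7Ebel4tHVbinjtF7Qh9CWzt6uDGs9Z97FyPTV8og43 "
              "dCHzoliwZy6+FMVSqQZK86XOra7dBoPdv9bnwP14xSQQN5td0a39l1z2 "
              "hVogW3jov/c=")
    owner, flags, proto, alg, key = parse_dnskey_line(IE_KSK)
    print(key_role(flags), "key tag:", key_tag(dnskey_rdata(flags, proto, alg, key)))
    print(ds_record(IE_KSK))
```

Running the block prints the key tag of the slide's KSK, which can be compared with the key tag field in the RRSIG over the DNSKEY RRset above (63903 in that capture), and the DS record that the root would need to publish for ie. to be validatable from the root trust anchor.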




       Stephen M. Bellovin*

“Security mechanisms are not magic
pixie dust that can be sprinkled over
        completed protocols”

 *Author: “Using the Domain Name System for System Break-Ins” (Seminal DNS Threat Paper)
        Questions?




dnssec-tf-subscribe@iedr.ie

    billy.glynn@iedr.ie

http://twitter.com/billyglynn
                                                      Backup Slide: Which TLDs are signed *
   ccTLDs: be. bg. br. bz. ch. cz. dk. eu. fi. fr. gi. hn. lc. li. lk. mn. na. nu. pm. pr. pt. re. se. tf. th. tm. uk. us. yt.

   gTLDs: biz. cat. edu. gov. org. info. museum.

   IDN TLDs: xn--zckzah. (テスト), xn--0zwm56d. (测试), xn--deba0ad. (טעסט), xn--g6w251d. (測試), xn--jxalpdlp. (δοκιμή), xn--kgbechtv. (إختبار), xn--9t4b11yi5a. (테스트), xn--80akhbyknj4f. (испытание), xn--11b5bs3a9aj6g. (परीक्षा), xn--hgbk6aj7f53bba. (آزمایشی), xn--hlcj6aya9esc7a. (பரிட்சை)
   Command used to produce the list (transfer the root zone, ask for a DS record for every TLD, keep the TLDs that have one, sort by name length):

   dig @k.root-servers.net . axfr | awk '/^[a-zA-Z0-9-]+\.[[:space:]]/ { print $1, "DS"; }' | sort | uniq | dig -f - | awk '/^[a-zA-Z0-9].*DS/ { print $1; }' | uniq | awk '{ print length($0),$0 | "sort -n"}' | awk '{print $2 }'

   * Data as of: 10/11/2010
                            Backup Slide: Example of DNSSEC Validation



