Management of DNS and DNSsec in IPv6

Álvaro Vives
Consulintel
IPv6 R&D Team




Madrid 2003 Global IPv6 Summit – May 12th               -1
• DNSv6
• DNSsecv6
• Euro6IX Work
• Open Issues
• Conclusions




• 1995: AAAA, nibble and IP6.INT (RFC1886)
• 2000: A6, bit-string and IP6.ARPA (RFC2874)
• 2002: A6 and bit-string -> Experimental (RFC3363)
• Servers and resolvers with IPv6 MUST support EDNS0 (RFC3226)




• Difference between transport and content

[Figure: resolution of www.euro6ix.org. Columns: IPv6 user, local server, euro6ix.org. server, org. server, root server. The user asks the local server for www.euro6ix.org; the local server asks the root server, then the org. server, then the euro6ix.org. server for www.euro6ix.org; the AAAA answer flows back from the euro6ix.org. server to the local server and from the local server to the user.]




• What does all this mean?
• AAAA records are as easy to manage as A records
• Reverse lookups are a little more difficult to manage
• Be aware of the lack of IPv6 transport up to the root servers -> IPv4 connectivity is still needed
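As an added example (not part of the original slides), the following Python builds the nibble-format names under ip6.arpa that the slides refer to (the older ip6.int suffix can be passed instead), derives the origin of the reverse zone delegated for a prefix, and checks that a host's PTR name actually lands inside that zone, which is the part of reverse-lookup management that is easy to get wrong. The addresses and the www.euro6ix.org. hostname are constructed sample values.

```python
import ipaddress

def reverse_name(addr, suffix="ip6.arpa."):
    """Nibble-format reverse name for one IPv6 address: every hex digit of the
    fully expanded address, reversed, one label each, under ip6.arpa (or under
    the older ip6.int when that suffix is passed)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")   # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + suffix

def reverse_zone_origin(prefix, suffix="ip6.arpa."):
    """Origin of the reverse zone delegated for a prefix. Nibble delegation only
    works on 4-bit boundaries, so any other prefix length is rejected."""
    net = ipaddress.IPv6Network(prefix, strict=True)       # host bits must be zero
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + "." + suffix

def in_zone(name, origin):
    """True if the reverse name is at or below the zone origin."""
    return name == origin or name.endswith("." + origin)

def zone_records(hostname, addr):
    """Forward AAAA line and matching reverse PTR line as they appear in zone files."""
    ip = ipaddress.IPv6Address(addr)
    return (f"{hostname} IN AAAA {ip.compressed}",
            f"{reverse_name(addr)} IN PTR {hostname}")

if __name__ == "__main__":
    host, addr = "www.euro6ix.org.", "2001:db8:1::1"       # constructed sample values
    for line in zone_records(host, addr):
        print(line)
    origin = reverse_zone_origin("2001:db8:1::/48")
    print(origin, in_zone(reverse_name(addr), origin))
```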




• Provides integrity and authentication to security-aware DNS entities, for both queries and zone transfers
• Defined independently of the IP version used
• DNS resolvers and servers with DNSsec MUST support EDNS0 (RFC3226)
• Storage of authenticated public keys in the DNS (supports general public key distribution services as well as DNS security)
• Uses cryptographic digital signatures, which are included in secured zones as RRs
• TSIG (transaction signatures) to secure DNS messages: shared secret keys, simple and lightweight (RFC 2845)
• Each node in the DNS tree is associated with a public key.
• Each key is authenticated by the parent zone, up to the root (globally secure)
• Or up to a security root (locally secure)
• Handling of DNSsec keys
• The querier receives the signatures of the RRs and the public key; the signatures are made with the private key corresponding to the domain's public key
• A DNSsec-aware resolver follows the "chain of trust" of public keys until it reaches one it already trusts.


[Figure: DNSsec resolution of www.euro6ix.org. Same columns as before: IPv6 user, local server, euro6ix.org. server, org. server, root server. The query for www.euro6ix.org travels from the user to the local server and on to the root, org. and euro6ix.org. servers. The answers carry signatures: AAAA + SIG(euro6ix.org) and KEY(euro6ix.org) + SIG(org) from the euro6ix.org. server, KEY(org) + SIG(root) for the org. key; the local server checks each KEY against the parent's signature and returns the AAAA record to the user.]
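The chain of trust from the two slides above, worked as an added example (not code from the talk or from the Euro6IX project): a tiny textbook RSA stands in for the per-zone keys, each record carries a SIG by the zone that signs it exactly as in the figure, and the resolver-side validate() accepts a record only when a key it already trusts verifies that SIG, starting either at the root (globally secure) or at a local security root such as the zone itself (locally secure). The primes, the sample address and the record layout are constructed for the example and are not real DNSsec key material.

```python
import hashlib, math

# Toy textbook RSA with tiny fixed primes (NOT secure, not real DNSsec key material):
# a stand-in for per-zone keys so the chain-of-trust walk below runs offline.
ZONE_PRIMES = {                       # constructed sample zones from the figure
    "root": (1000000007, 998244353),
    "org.": (1000000009, 999999937),
    "euro6ix.org.": (999999929, 999999893),
}

def rsa_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(x for x in (65537, 257, 17, 5, 3) if math.gcd(x, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))    # (public, private); needs Python 3.8+

def digest(owner, rrtype, rdata, n):        # what a SIG covers: the RR it signs
    h = hashlib.sha256(f"{owner}|{rrtype}|{rdata}".encode()).digest()
    return int.from_bytes(h, "big") % n
def sign(priv, owner, rrtype, rdata):       # private key of the signing zone
    return pow(digest(owner, rrtype, rdata, priv[0]), priv[1], priv[0])
def verify(pub, owner, rrtype, rdata, sig): # public key published as that zone's KEY
    return pow(sig, pub[1], pub[0]) == digest(owner, rrtype, rdata, pub[0])

def signed_chain(keys, aaaa="2001:db8::1"):
    """Records as in the figure, as (owner, type, rdata, signing zone, SIG)."""
    def rec(owner, rrtype, rdata, signer):
        return (owner, rrtype, rdata, signer, sign(keys[signer][1], owner, rrtype, rdata))
    key = lambda zone: "%d:%d" % keys[zone][0]            # KEY rdata carries (n, e)
    return [rec("www.euro6ix.org.", "AAAA", aaaa, "euro6ix.org."),
            rec("euro6ix.org.", "KEY", key("euro6ix.org."), "org."),
            rec("org.", "KEY", key("org."), "root")]

def validate(anchor_zone, anchor_pub, records, target):
    """Resolver side: from one trusted key (the root, or a local security root) accept a
    record only if a trusted key verifies its SIG; a validated KEY becomes trusted in turn."""
    trusted, pending = {anchor_zone: anchor_pub}, list(records)
    while pending:
        usable = [r for r in pending if r[3] in trusted]
        if not usable:
            return False                  # chain broken: nothing left is signed by a trusted key
        for owner, rrtype, rdata, signer, sig in usable:
            pending.remove((owner, rrtype, rdata, signer, sig))
            if not verify(trusted[signer], owner, rrtype, rdata, sig):
                return False              # bad signature anywhere in the chain
            if rrtype == "KEY":
                trusted[owner] = tuple(int(v) for v in rdata.split(":"))
            if (owner, rrtype) == target:
                return True
    return False
```

Anchoring at "euro6ix.org." instead of "root" validates the AAAA with the zone's own key alone, which is the locally secured setup of the sigz.euro6ix.org pilot described later.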




• DNSsec pilot
• Locally secured domain: sigz.euro6ix.org
• TSIG for zone transfers (symmetric keys)
• DNSsec for secure queries




• DNSsec pilot

[Figure: pilot topology. A forward server for euro6ix.org.; below it the security root sigz.euro6ix.org, with the sub-zones umu., upm. and consulintel. under it.]




• DNSsec emulator tool
• OBJECTIVE: creation of complex DNS scenarios made of complete name server hierarchies inside one computer, in order to test different scenarios and configuration alternatives before deploying the service to real servers.




• Certificate management with DNSsec
• Study the use of a secure DNS service to publish digital certificates in cooperation with a PKI
• The CERT RR can be used to store certificates in the DNS. The certificate types currently defined are X.509, SPKI and PGP. Personal public keys are intended to be stored in the DNS using the CERT record, not the KEY record.

• DNSv6
  – Autoconfiguration: DHCPv6, RA, others?
  – Reverse lookups: IP6.INT -> IP6.ARPA
  – Root servers with IPv6

• DNSsec
  – Key management
  – Root servers with DNSsec



• DNSv6
  – Use AAAA, IP6.ARPA and the nibble format
  – IPv4 transport is still needed for recursive queries from the root
  – Easy to add DNSv6 support to an existing DNSv4 infrastructure
• DNSsecv6
  – TSIG for zone transfers (fully operational)
  – DNSsec: software support, deployment and definition are still improving
  – Administration of DNSsec is more difficult than that of plain DNS


More information at:
alvaro.vives@consulintel.es
http://www.consulintel.euro6ix.org
http://www.euro6ix.org




