DNSSEC
Brought to you by ISC-BIND, SUNYCT, and:
Nick Merante – SUNYIT Comp Sci SysAdmin
Nick Gasparovich – SUNYIT Campus SysAdmin
Paul Brennan – SUNYIT Student Assistant SysAdmin
Wait… I thought you were from SUNYIT?
DNSSEC TIMELINE
Selective Timeline of DNSSEC
• 1987 – DNS ratified to replace hosts.txt
• 1990 – DNS security flaws found
• 1997 – First try at DNSSEC - RFC2065
• 1999 – Second try at DNSSEC - RFC2535
  • BIND9 is the first DNSSEC-capable implementation
• 2005 – Finalized RFCs published
• July 2008 – Kaminsky exploit announced
• July 2010 – Root signed
• August 2010 – .edu TLD is signed
• March 2011 – .com TLD is signed
  • ARIN signed for reverse DNS
DNS BASICS
A refresher to get us all on the same page…
DNS Records
• DNS is comprised of various resource record (RR) types
• Primary types:
  • A – maps hostnames to IP addresses
  • MX – maps a host or domain to a list of mail servers
  • CNAME – specifies an alias for a host
  • PTR – maps an IP address to a host name
  • NS – specifies the authoritative name servers for a zone
  • SOA – specifies authoritative information about a zone
    • Primary name server
    • Domain administrator email
    • Serial number
    • Timers related to refreshing the zone

• DNSSEC will introduce several new record types
DNS Security Issues
• Original DNS specifications did not account for security
• DNS Spoofing
  • No data integrity checks
  • Anyone can answer a request intended for another name server
  • Attacks against query ID numbers
• Cache Poisoning
  • A result of DNS spoofing
  • Trick a DNS server into caching false information
  • Nodes querying this name server will obtain false cached data
• Consequences:
  • Clients misdirected to alternate locations
  • Compromise host-based authentication systems
DNSSEC CONCEPTS
4 Security Objectives of DNSSEC
1. Key Distribution
2. Origin Authentication
3. Data Integrity
4. Authenticated Denial of Existence
New Record Types
• DNSKEY
  • Public side of Private/Public Keyset
  • Key Signing Key
  • Zone Signing Key
• RRSIG
  • Signed Validation of Resource Record Set
• DS
  • Delegation Signer
  • Builds Chain of Trust
• NSEC/NSEC3
  • Certified Non-existence record
Traditional DNS Lookup (un-cached)
[Figure: a client looking for fang.cs.sunyct.edu asks its recursive DNS server (step 1); the recursive server makes iterative calls to root, edu, sunyct, cs and finally fang before returning the answer (step 8).]
DNS Lookup Under Attack
[Figure: the same lookup of fang.cs.sunyct.edu; the recursive DNS server, which caches the iterative answers from root, edu, sunyct, cs and fang, is the component targeted by cache poisoning.]
Keys
• Public/Private Keyset
  • Private Key used to sign records
    • Should be kept in a secure location (not on live DNS servers)
  • Public Key used to check signatures
  • Must be 512 to 4096 bits for DNSSEC
  • Several Algorithms available
• Zone Signing Key used to sign zones
• Key Signing Key used to sign ZSK record
  • Generally larger & more secure
• Cryptographic Digest of KSK is sent upstream
  • DS Record
  • Verifies Authority of KSK
Key Flow
[Figure: the edu zone holds a DS record for the sunyct.edu KSK; the sunyct.edu KSK signs the sunyct.edu ZSK, which signs hosts such as ampere, nagios and logit. sunyct.edu in turn holds DS records for the cs.sunyct.edu and island.sunyct.edu KSKs, whose ZSKs sign fang, yoshi and spuds, and maryann, gilligan and professor, respectively.]
Chain of Trust / Tower of Authority
[Figure: the lookup of fang.cs.sunyct.edu again, with the chain root -> edu -> sunyct -> cs -> fang drawn as a tower of authority; each level vouches for the one below it, so the tower "crushes you when your data is bad", and the recursive DNS server's cache, the target of cache poisoning, is what the chain protects.]
Key Rollover
• Changing ZSK:
  • Recommended monthly to quarterly
• Changing KSK:
  • Recommended annually
• Why rollover?
  • Reduced window of key exposure
  • ZSKs sign many records
  • Keys become more vulnerable with use
NSEC/NSEC3 Comparison
• Presented as evidence of non-existence
[Figure: ldns-walk of berkeley.edu]
What’s all this RRSIG stuff?
[Figure: an RRSIG record with its fields labelled: the key tag of the signing key, the algorithm, the signature expiration, the starting (original) TTL, the date of signing, and the signature itself.]
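To make those labelled fields concrete, here is an added Python parser (not part of the slides) that splits an RRSIG in dig's presentation format into the fields above and checks whether a given time falls inside the signature's inception/expiration window. The sample record, its key tag and its signature value are constructed for the example.

```python
import base64
from datetime import datetime, timezone

# Constructed sample RRSIG in dig's presentation format. The names, key tag
# and signature are made up; the signature is not a real RSA signature.
SAMPLE_RRSIG = (
    "www.cs.sunyct.edu. 3600 IN RRSIG A 8 4 3600 20110501000000 "
    "20110401000000 12345 cs.sunyct.edu. dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)

def _sig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG record into the fields the slide labels."""
    f = line.split()
    i = f.index("RRSIG")                   # skip owner, TTL and class
    return {
        "owner": f[0],
        "type_covered": f[i + 1],          # RRset type this signature covers
        "algorithm": int(f[i + 2]),        # 8 = RSA/SHA-256
        "labels": int(f[i + 3]),           # label count of the signed name
        "original_ttl": int(f[i + 4]),     # the "starting TTL"
        "expiration": _sig_time(f[i + 5]), # signature expiration
        "inception": _sig_time(f[i + 6]),  # the date of signing
        "key_tag": int(f[i + 7]),          # key tag of the signing DNSKEY
        "signer": f[i + 8],                # zone whose DNSKEY made the signature
        "signature": base64.b64decode("".join(f[i + 9:])),  # base64 may span tokens
    }

def signature_window_ok(rrsig, now):
    """A validator accepts the RRSIG only between inception and expiration.
    `now` may be a datetime or a 14-digit YYYYMMDDHHmmSS string."""
    if isinstance(now, str):
        now = _sig_time(now)
    return rrsig["inception"] <= now <= rrsig["expiration"]

def is_wildcard_expansion(rrsig):
    """A labels count lower than the owner's label count means the answer
    was synthesised from a wildcard record."""
    owner_labels = len(rrsig["owner"].rstrip(".").split("."))
    return rrsig["labels"] < owner_labels

if __name__ == "__main__":
    r = parse_rrsig(SAMPLE_RRSIG)
    print(r["key_tag"], r["expiration"].isoformat(), signature_window_ok(r, "20110415120000"))
```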
Gotchas
• DoS danger
• Load increase (performance!)
• Signed zone can be 4x LARGER than unsigned
• Bigger record size = more network traffic
• Key security
• Dynamic DNS = fail
  (Have to keep private keys loaded to resign, no support for that)
• Network gear must support EDNS0 for UDP packets
IMPLEMENTATION
Our Test Environment
• 3 VMs running OEL (sunyct.edu)
• 3 hosts running FreeBSD (cs.sunyct.edu)
• BIND 9.8.0-P2
BIND Versions/Restrictions
• We recommend using the most up-to-date version of your preferred DNS software
  • Updates often pertain to security issues
• Preliminary DNSSEC support introduced in BIND 8.2
• BIND 9.7 is the recommended version for all capabilities
• Windows Server 2003 has preliminary support
  • Slave support only
  • Must be activated in Registry
• Windows Server 2008 R2 has full support
Key Generation
[Figure: an annotated dnssec-keygen command line: the algorithm, the key size (smaller for the ZSK), the name type (zone) and the zone name; the key type defaults to ZSK, and the generated key file name has the key tag added.]
Signing the Zone
[Figure: an annotated dnssec-signzone command line: NSEC3 with a hex salt, the zone name and the zone file; the output is the generated signed zone file.]
named.conf Edits – Authoritative Servers
• Add “dnssec-enable yes” to the options section
• For your first time signing, make sure you increment your serial number!
• After signing your zones, point to the new signed zones
  • Same names as your old zone files, but with “.signed” appended
named.conf Edits – Recursive Servers

To start validating results add: “dnssec-validation yes”
You also need to get the KSK for root into your config.
As of this presentation, it would look like this for
BIND >= 9.7:

    managed-keys {
      "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
    };
Determine Your DS Info
[Figure: an annotated dnssec-dsfromkey command line specifying a SHA1 hash and the key file; the output DS record shows the domain, the key tag, the algorithm and digest type fields, and the digest.]
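As an added example (not from the slides and not BIND's own code), this Python reproduces what dnssec-dsfromkey computes from a DNSKEY: the key tag (RFC 4034 Appendix B) and the DS digest over the owner name plus the DNSKEY RDATA, using the root KSK quoted in the managed-keys block above. Function names are my own; digest type 1 is the SHA1 form shown on the slide, type 2 is SHA-256.

```python
import base64
import hashlib
import struct

# The root KSK from the managed-keys block shown earlier in this deck
# (flags 257 = KSK, protocol 3, algorithm 8 = RSA/SHA-256).
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

def name_to_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels.
    The root name "." becomes a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol byte, algorithm byte, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSAMD5):
    sum the RDATA as big-endian 16-bit words and fold the carry back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS record a parent publishes for this KSK: the digest covers
    the owner name in wire form followed by the DNSKEY RDATA.
    digest_type 1 = SHA-1 (as on the slide), 2 = SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

if __name__ == "__main__":
    print(ds_record(".", 257, 3, 8, ROOT_KSK_B64, digest_type=1))
    print(ds_record(".", 257, 3, 8, ROOT_KSK_B64, digest_type=2))
```

Comparing the printed DS against the one your parent (for .edu, EDUCAUSE) shows for your zone is a quick check that the upstream digest matches the KSK you are actually signing with.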
Send Your Digest to EDUCAUSE
Key rotation - ZSK
1. Generate and publish new ZSK one TTL before planned rotation, but don’t sign the zone with it!
2. After TTL expiration, sign with new ZSK
  1. Leave old DNSKEY record in zone for 1 TTL cycle
  2. Allows cached signed records to be verified (signatures created with old key need time to expire)
Here’s one option:
  • Have 3 ZSKs in your zone: the previous, current and next. Your zones will always contain the necessary keys.
Key rotation - KSK
1. Generate and publish new KSK at least one TTL before
   planned rotation and sign ZSK records with both the old
   and the new keys.
2. Make sure you send your new DS record upstream!
3. After TTL expiration, remove the old DS record from
   your upstream provider and remove the old KSK from
   your zone files
VERIFICATION
Verification – dnsviz.net
[Figure: two DNSViz screenshots, one showing all clear and one showing a trust issue.]
DNSSEC Debugger – Verisign Labs
[Figure: two DNSSEC Debugger screenshots; the first shows everything looks good, the second shows a problem with the keys.]
dig – Points of Interest
[Figure: an annotated dig command: the DNS server name, the DNSSEC-enabled search (+dnssec), the host to query for, and the record type.]
• ad flag = authenticated data (this means it’s been confirmed valid)
• aa flag = authoritative answer (if you’re querying the authoritative server, you won’t see the ad flag, just the aa flag)
QUESTIONS?
Get a copy of the slides @ http://www.cs.sunyit.edu/stc
References
• 7 Things You Should Know About DNSSEC
• Microsoft DNSSEC Deployment Guide
• DNSSEC Debugger – Verisign Labs
• DNSViz – DNS Visualization Tool
• Firefox DNSSEC Validator Plugin
• DNSSEC for Beginners
• DNSSEC Zone Key Tool
• DNSSEC in 6 Minutes
• DNSSEC Reference Card
• ISC Steps for setting up a validating server