DNS outage

Posted: 2021-04-20
DNS and DNSSEC
Shumon Huque
University of Pennsylvania
Professional IT Community Conference
New Brunswick, New Jersey, May 12th 2012
[DNS and DNSSEC, LOPSA PICC 12]

DNS and DNSSEC 2012, Shumon Huque.
This tutorial was presented at the PICC 2012 Conference held in New Brunswick, NJ, on May 12th 2012.
Feedback, critique, suggestions on these slides gladly received at shuque-@-upenn.edu. Version: 2012-05-12-01.
Reminder: Please fill out the evaluation forms for this course!

Course blurb from the PICC conference brochure:
This tutorial will provide system administrators an understanding of the DNS protocol, including advanced topics such as DNSSEC (DNS Security). It will provide practical information about configuring DNS services using examples from the popular ISC BIND DNS software platform. Topics include: the DNS protocol and how it works, DNS master zone file format, a look at a variety of server configurations and recommendations, DNSSEC (DNS Security Extensions) and how to deploy it, many examples of DNS query and debugging using the "dig" tool, DNS and IPv6, and more.

Who am I
- An I.T. Director at the University of Pennsylvania
- Have also been: Programmer (C, Perl, Python, Lisp), UNIX Systems Administrator, Network Engineer
- Education: B.S. and M.S. (Computer Science) from Penn
- Also teach a Lab course on Network Protocols at Penn's School of Engineering & Applied Science

Course Topics
1. DNS Tutorial
2. Configuring DNS in BIND
3. Live queries using 'dig'
[... break ...]
4. DNSSEC Tutorial
5. Configuring DNSSEC in BIND
6. Application uses of DNSSEC
7. DNSSEC deployment status

DNS Tutorial

DNS
- Domain Name System
- Original specifications in RFCs 1034 and 1035
- Distributed global database
- Indexed by "domain names" (together with a type and class)
- A domain name is a sequence of labels, e.g. www.amazon.com
- Domain names are case insensitive, but case preserving
- Transport protocol: UDP and TCP port 53

DNS (see diagram on next slide)
- DNS can be represented as a tree of labels
- Sibling nodes must have unique labels
- The domain name at a particular label is formed by the sequence of labels traversed by walking up the tree from that label to the root
- Zone: an autonomously managed subtree
- Delegations: boundaries between zones

[Diagram: the DNS tree. Below the root are org (with ietf), edu (with upenn), net, arpa (with in-addr, then 130, 91, 128 beneath it) and com (with amazon). Zones marked: the root zone; upenn.edu (with www and smtp); amazon.com (with www and smtp); 91.130.in-addr.arpa.]

Root and TLDs
- Root of the DNS (the "empty label")
- The next level of names are called Top Level Domains (TLDs)
- Until recently 3 primary classes of TLDs:
  - gTLD: Generic Top Level Domains (.com, .net, .edu, .org etc)
  - ccTLD: Country Code TLD (2 letter codes for each country, e.g. .us, .fr, .jp, .de, ...)
  - Infrastructure: e.g. .arpa etc (uses: reverse DNS, e164, etc)
- IDN ccTLD (Internationalized domain name ccTLD)
- The new gTLDs - the wild west (newgtlds.icann.org)
DNS main components
- Server side: Authoritative servers; Resolvers (recursive resolvers)
- Client side: Stub resolvers (usually on DNS client machines)

Authoritative Server
- A server that directly serves data for a particular zone
- Said to be "authoritative" for that zone
- These servers are the ones specified in NS records

Resolver
- Aka "Recursive Resolver", "Cache" etc
- Used by end systems (stub resolvers) to query ("resolve") arbitrary domain names
- Receives "recursive" queries from these end systems
- Resolvers query authoritative servers, following DNS delegations until they obtain the answer they need (this process is called "iterative" resolution)
- Resolvers "cache" (remember) query results for the specified "TTL" (some negative results are cached too)

Stub Resolver
- The DNS client software component that resides on most end systems
- Commonly implemented by the operating system as a set of library routines
- Has a configured set of addresses of the recursive resolvers that should be used to look up ("resolve") domain names, usually by manual configuration, or dynamically learned via DHCP

Stub resolver configuration

    $ cat /etc/resolv.conf
    search finance.example.com example.com
    ;;
    nameserver 10.12.3.1
    nameserver 10.254.23.71
    nameserver 10.15.18.9
    ;;
    options timeout:1 attempts:2 rotate

[Diagram: resolution of www.upenn.edu in eight steps. The end station (using its DNS stub resolver) sends a recursive query to the recursive resolver; the resolver queries a root server and receives a referral to .edu, queries an .edu server and receives a referral to upenn.edu, queries a upenn.edu server and receives the answer www.upenn.edu = 1.2.3.4, and returns that answer to the stub. The recursive resolver is prepopulated with the root DNS server addresses.]

Parts of a DNS query
- Each DNS query needs a query name, type, and class
- qname: a domain name, e.g. www.upenn.edu
- qtype: A, AAAA, MX, CNAME, PTR, SRV, TXT, NS, SOA, ...
- qclass: IN, CH, HS (only "IN" is commonly used)
- Various flags: QR, RD, EDNS Opt, DO etc

Life of a typical DNS query
- Type "www.amazon.com" into the browser
- The browser calls a name lookup function (e.g. getaddrinfo())
- DNS may not be the only name lookup service in use. The lookup function might consult a name service switch table to figure out what order of services to consult (e.g. /etc/nsswitch.conf: flat file, LDAP, NIS, DNS etc)
- If/when DNS is used, it calls the DNS specific routines in the stub resolver: res_ninit(), res_nquery(), res_nsearch()

Life of a typical DNS query
- The stub resolver formulates and makes the DNS query: qname www.amazon.com, qtype=A, qclass=IN
- Note: IPv6 enabled resolvers might try AAAA, then A
- It sends the query to the DNS servers (resolvers) specified in the stub resolver configuration (e.g. /etc/resolv.conf), in the order specified, until it gets a successful response, a failure, or times out
- If a "search" domain list is configured, on lookup failure the stub retries the query with the domain suffixes from this list appended to the original query name

Life of a typical DNS query
- DNS resolvers will get the answer:
  - from their authoritative zones, if they have any relevant ones
  - from their cache, if the answer is already there
  - by iterative queries of the DNS tree, as necessary, e.g. root servers, amazon.com servers, ...
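The search-list and nameserver-order behaviour described in the three "Life of a typical DNS query" slides, as an added Python example that is not part of the original tutorial. It parses the resolv.conf shown above (reproduced here as a constructed string), lists the fully qualified names a glibc-style stub would try for a given name (the ndots rule: a name with fewer dots than ndots goes through the search list first, otherwise the literal name is tried first), and shows the nameserver order the rotate option produces. The parsing is a simplification of glibc's behaviour assumed for this example, not taken from its source.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the same content as the /etc/resolv.conf shown on the slide.
SAMPLE_RESOLV_CONF = """\
search finance.example.com example.com
;;
nameserver 10.12.3.1
nameserver 10.254.23.71
nameserver 10.15.18.9
;;
options timeout:1 attempts:2 rotate
"""


@dataclass
class ResolvConf:
    search: List[str] = field(default_factory=list)
    nameservers: List[str] = field(default_factory=list)
    timeout: int = 5          # glibc defaults used when the option is absent
    attempts: int = 2
    ndots: int = 1
    rotate: bool = False


def parse_resolv_conf(text: str) -> ResolvConf:
    cfg = ResolvConf()
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, 1)[0].strip()   # ';' and '#' start comments
        if not line:
            continue
        key, *args = line.split()
        if key == "search":
            cfg.search = args                  # a later search line replaces an earlier one
        elif key == "domain":
            cfg.search = args[:1]
        elif key == "nameserver" and args:
            cfg.nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                if name == "timeout":
                    cfg.timeout = int(val)
                elif name == "attempts":
                    cfg.attempts = int(val)
                elif name == "ndots":
                    cfg.ndots = int(val)
                elif name == "rotate":
                    cfg.rotate = True
    return cfg


def candidate_names(cfg: ResolvConf, name: str) -> List[str]:
    """Fully qualified names, in order, that a res_nsearch()-style lookup tries."""
    if name.endswith("."):
        return [name]                                   # absolute name: never searched
    as_is = name + "."
    searched = [f"{name}.{suffix}." for suffix in cfg.search]
    if name.count(".") >= cfg.ndots:
        return [as_is] + searched       # "enough" dots: literal name first, then the search list
    return searched + [as_is]           # otherwise the search list first, literal name last


def server_order(cfg: ResolvConf, query_number: int) -> List[str]:
    """Nameserver order for the Nth query: 'rotate' round-robins through the list."""
    if not cfg.rotate or not cfg.nameservers:
        return list(cfg.nameservers)
    k = query_number % len(cfg.nameservers)
    return cfg.nameservers[k:] + cfg.nameservers[:k]
```

The second candidate list is the operational point: a name with enough dots that fails to resolve is still retried under every search suffix, so a mistyped or decommissioned external hostname sends queries for it to the servers of your own domains, and an attacker who controls a wildcard in a search suffix can answer them. Use absolute names (trailing dot) in configuration files and keep the search list short.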
Resource Records (RR)

    www.example.com.   86400   IN   A   10.253.12.7
    (name, or owner name; ttl; class; type; rdata)

- The fundamental unit of data in the DNS database
- A grouping of a {domain name, type, class}, a TTL (time-to-live), and the associated "resource data"
- Has a defined text "presentation format"

Resource Record Sets

    www.ucla.edu.   300   IN   A   169.232.33.224
    www.ucla.edu.   300   IN   A   169.232.55.224
    www.ucla.edu.   300   IN   A   169.232.56.224

- A set of RRs with the same name, class, and type
- The rdata (resource data) associated with each RR in the set must be distinct
- The TTL of all RRs in the set must also match
- RRsets are treated atomically when returning responses

Resource Record types (for the full list, see www.iana.org/assignments/dns-parameters)

    Type    Description
    SOA     marks the Start Of a zone of Authority
    NS      Name Server record
    A       IPv4 Address record
    AAAA    IPv6 Address record
    CNAME   Canonical name (i.e. an alias)
    MX      Mail Exchanger record
    SRV     Service Location record
    PTR     Pointer (most commonly for reverse DNS)
    TXT     Text record (free form text with no semantics)
    NAPTR   Naming Authority Pointer Record

Other special RR types (for the full list, see www.iana.org/assignments/dns-parameters)

    Type    Description
    TSIG    Transaction Signature (RFC 2845)
    TKEY    Transaction Key (RFC 2930) - establishes secret keys
    AXFR    Zone Transfer
    IXFR    Incremental Zone Transfer (RFC 1995)
    OPT     Opt pseudo RR (RFC 2671 - EDNS0)

SOA record

    google.com.   86400   IN   SOA   ns1.google.com. dns-admin.google.com. (
                        2012042000   ; serial number
                        7200         ; refresh (2 hours)
                        1800         ; retry (30 minutes)
                        1209600      ; expire (2 weeks)
                        300          ; minimum (5 minutes)
                        )

- Defines the start of a new zone, and important parameters for the zone
- Always appears at the apex of the zone
- The serial number should be incremented on zone content updates
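Serial number handling, as an added example that is not from the slides: RFC 1982 serial arithmetic, which is how a secondary decides whether the primary's SOA is newer than its own copy, and a YYYYMMDDnn serial bump of the kind the google.com SOA above uses (2012042000). The date-based convention is an assumption of this example; the comparison and addition rules are the RFC's.

```python
import datetime

SERIAL_MAX = 2 ** 32          # the SOA serial is a 32-bit unsigned integer
HALF = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a > b': a is ahead of b by less than 2^31, computed modulo 2^32."""
    for s in (a, b):
        if not 0 <= s < SERIAL_MAX:
            raise ValueError("SOA serials are 32-bit unsigned integers")
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(s: int, n: int) -> int:
    """RFC 1982 addition: increments must be below 2^31; the result wraps at 2^32."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31 - 1]")
    return (s + n) % SERIAL_MAX


def next_serial(current: int, today_iso: str) -> int:
    """Next YYYYMMDDnn-style serial for an update made on `today_iso` (YYYY-MM-DD).

    Uses today's base (nn = 00) when that is newer than the current serial,
    otherwise bumps the current one by 1, so several edits on one day, or a
    clock that went backwards, still yield a serial secondaries treat as newer.
    """
    day = datetime.date.fromisoformat(today_iso)
    base = int(day.strftime("%Y%m%d")) * 100
    return base if serial_gt(base, current) else serial_add(current, 1)


def secondary_should_transfer(primary_serial: int, local_serial: int) -> bool:
    """What a secondary decides after comparing the primary's SOA with its own."""
    return serial_gt(primary_serial, local_serial)
```

Two consequences worth remembering: a serial that accidentally jumps far ahead (a unix timestamp pasted into a date-style zone) can only be walked back by crossing the 2^31 boundary in two steps, and a serial that is decremented is simply ignored by secondaries, which then keep serving the old zone until it expires.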
NS record

    upenn.edu.   86400   IN   NS   noc3.dccs.upenn.edu.
    upenn.edu.   86400   IN   NS   noc2.dccs.upenn.edu.
    upenn.edu.   86400   IN   NS   dns2.udel.edu.
    upenn.edu.   86400   IN   NS   dns1.udel.edu.
    upenn.edu.   86400   IN   NS   sns-pb.isc.org.

- Name Server record: the owner is the zone name
- Delegates a DNS subtree from the parent (i.e. creates a new zone)
- Lists the authoritative servers for the zone
- Appears in both the parent and the child zone
- rdata contains the hostname of the DNS server

A record

    www.example.com.   86400   IN   A   192.0.43.10

- IPv4 Address Record
- rdata contains an IPv4 address

AAAA record

    www.example.com.   86400   IN   AAAA   2001:500:88:200::10

- IPv6 Address Record
- rdata contains an IPv6 address
- Note: there was another record called A6, which didn't catch on, and which has now been declared historic (RFC 6563)

CNAME record

    www.example.com.   86400   IN   CNAME   worf.example.com.

- An "alias", i.e. maps one name to another (regardless of type)
- Put another way, "this is another name for this name"
- rdata contains the mapped domain name (the "canonical name")
- CNAME records have special rules

CNAME special rules [from RFC 1034, Section 3.6.2]

>>> CNAME and no other data rule:
A CNAME RR identifies its owner name as an alias, and specifies the corresponding canonical name in the RDATA section of the RR. If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types.
[Note: there is now an exception to this because of DNSSEC metadata records, which are allowed to appear with CNAMEs]

>>> CNAME special action processing:
CNAME RRs cause special action in DNS software. When a name server fails to find a desired RR in the resource set associated with the domain name, it checks to see if the resource set consists of a CNAME record with a matching class. If so, the name server includes the CNAME record in the response and restarts the query at the domain name specified in the data field of the CNAME record. The one exception to this rule is that queries which match the CNAME type are not restarted.

CNAME special rules
Illustration of special action processing of CNAMEs:

    $ dig www.sas.upenn.edu A
    ;; QUESTION SECTION:
    ;www.sas.upenn.edu.           IN   A

    ;; ANSWER SECTION:
    www.sas.upenn.edu.      300   IN   CNAME   virgo.sas.upenn.edu.
    virgo.sas.upenn.edu.    900   IN   A       128.91.55.21

PTR record
- Pointer record
- The most common use is to map IP addresses back to domain names (reverse DNS mappings)
- IPv4 uses the in-addr.arpa subtree, and IPv6 uses the ip6.arpa subtree

IPv4 PTR records
- Uses the "in-addr.arpa" subtree
- The LHS of the PTR record (the "owner name") is constructed by the following method:
  - Reverse all octets in the IPv4 address
  - Make each octet a DNS label
  - Append "in-addr.arpa." to the domain name

IPv4 PTR example

    host1.example.com.   IN   A   192.0.2.17

    192.0.2.17                  (original IPv4 address)
    17.2.0.192                  (reverse octets)
    17.2.0.192.in-addr.arpa.    (append in-addr.arpa.)

    Resulting PTR record:
    17.2.0.192.in-addr.arpa.   IN   PTR   host1.example.com.
IPv6 addresses
- 128 bits (four times as large)
- 8 fields of 16 bits each (4 hex digits), separated by colons (:)
  [Hex digits are: 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f]
- 2^128 possible addresses (an incomprehensibly large number)

    2001:0db8:3902:00c2:0000:0000:0000:fe04

    (2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456)

IPv6 addresses
- Zero suppression & compression for a more compact format
- Suppress (omit) leading zeros in each field
- Replace consecutive fields of all zeros with a double colon (::) - only one sequence of zero fields can be compressed this way

    2001:0db8:3902:00c2:0000:0000:0000:fe04
    2001:db8:3902:c2::fe04

IPv6 PTR records
- Uses the "ip6.arpa" subtree
- The LHS of the PTR record (the "owner name") is constructed by the following method:
  - Expand all the zeros in the IPv6 address
  - Reverse all the hex digits
  - Make each hex digit a DNS label
  - Append "ip6.arpa." to the domain name
- (note: the older "ip6.int" was formally deprecated in 2005, RFC 4159)

IPv6 PTR example

    host1.example.com.   IN   AAAA   2001:db8:3902:7b2::fe04

    2001:db8:3902:7b2::fe04                     (original IPv6 address)
    2001:0db8:3902:07b2:0000:0000:0000:fe04     (expand zeros)
    20010db8390207b2000000000000fe04            (delete colons)
    40ef0000000000002b7020938bd01002            (reverse digits)
    4.0.e.f.0.0.0.0.0.0.0.0.0.0.0.0.2.b.7.0.2.0.9.3.8.b.d.0.1.0.0.2             (make DNS labels)
    4.0.e.f.0.0.0.0.0.0.0.0.0.0.0.0.2.b.7.0.2.0.9.3.8.b.d.0.1.0.0.2.ip6.arpa.    (append ip6.arpa.)

    Resulting PTR record:
    4.0.e.f.0.0.0.0.0.0.0.0.0.0.0.0.2.b.7.0.2.0.9.3.8.b.d.0.1.0.0.2.ip6.arpa.   IN   PTR   host1.example.com.
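The two owner-name constructions above, implemented once for both address families (added example, not from the slides; the Python standard library's ipaddress module does the parsing and zero expansion). It also derives the reverse zone name for a prefix, which is what you delegate or sign, and rejects prefix lengths that do not fall on an octet or nibble boundary, since those need RFC 2317-style classless delegation instead.

```python
import ipaddress


def ptr_owner_name(addr: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")      # 32 hex digits with all zeros expanded
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(prefix: str) -> str:
    """Name of the reverse zone covering a CIDR prefix, e.g. 192.0.2.0/24 or 2001:db8::/32.

    Only prefix lengths on an octet (IPv4) or nibble (IPv6) boundary map to one
    zone; anything else raises, because a /28 or /50 cannot be delegated this way.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    unit = 8 if net.version == 4 else 4
    if net.prefixlen % unit:
        raise ValueError(f"{prefix}: prefix length is not on a {unit}-bit boundary")
    labels = ptr_owner_name(str(net.network_address)).split(".")
    total = 4 if net.version == 4 else 32        # address labels before in-addr/ip6
    keep = net.prefixlen // unit                 # how many of them the prefix fixes
    return ".".join(labels[total - keep:])


def ptr_record(addr: str, hostname: str, ttl: int = 86400) -> str:
    """Presentation-format PTR RR mapping the address back to a fully qualified host name."""
    if not hostname.endswith("."):
        raise ValueError("hostname must be fully qualified (trailing dot)")
    return f"{ptr_owner_name(addr)} {ttl} IN PTR {hostname}"
```

The trailing-dot check in ptr_record() is deliberate: a relative target in a reverse zone would have the zone's own origin appended when the file is loaded, producing PTRs like host1.example.com.2.0.192.in-addr.arpa., which is one of the commonest reverse-DNS mistakes.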
MX record

    example.com.   86400   IN   MX   10   mail1.example.com.
    example.com.   86400   IN   MX   20   mail2.example.com.
    (preference; mail server name)

- Mail Exchanger: defines the host receiving mail
- rdata consists of a preference field and the hostname of the mail receiver
- Lower preference = higher priority

SRV record
- Service Location record (RFC 2782)
- Allows designation of the server(s) providing a service for a particular application and transport at a domain name
- The owner name has a special form: _service._transport.
- rdata contains priority, weight, port and server hostname
- Some applications using SRV records include: LDAP, Kerberos, XMPP, SIP, Windows AD, ...

SRV record

    _ldap._tcp.example.com   600   IN   SRV   1   0   389   ldap1.example.com
    _ldap._tcp.example.com   600   IN   SRV   2   1   389   ldap2.example.com
    _ldap._tcp.example.com   600   IN   SRV   2   2   389   ldap3.example.com
    _ldap._tcp.example.com   600   IN   SRV   2   1   289   ldap4.example.com
    (service name; transport; priority; weight; port; server name)

- Priority defines the order in which to query servers (lower number = higher priority)
- Weight defines the proportion in which to send queries to servers at the same priority level (load distribution)
TXT record

    blah.example.com.   300   IN   TXT   "Hello World" "Goodbye"

- Free form descriptive text strings, with no defined semantics
- Although some applications have defined standardized meanings (e.g. DKIM)
- rdata: one or more character strings

NAPTR record

    *.freenum   IN   NAPTR   ( 100 10 "u" "E2U+sip" sip:\\1@sip.magpi.org!" . )

- Naming Authority Pointer Record (RFC 3403 - DDDS)
- Very complex record, and induces additional complex processing on the resolver (lookup and rewrite)
- Uses: URL resolver discovery service, E164, SIP, ...

Wildcards

    mail.example.com.   300   IN   A   10.1.1.1
    www.example.com.    300   IN   A   10.1.1.2
    *.example.com.      300   IN   A   10.1.1.7

Here, a query for blah.example.com returns:

    blah.example.com.   300   IN   A   10.1.1.7

- RRs with owner names starting with the label "*" (asterisk)
- When the wildcard is matched, the DNS server returns a response with:
  - the query name returned as the owner name
  - the rest of the RR content taken from the wildcard record

ANY query type
- A pseudo record type used in DNS queries only
- Used to match any record type for the queried domain name
- The server will return all records of all types for that domain name that it possesses (note: caches may return incomplete data; to obtain all data for the name, you need to issue the ANY query to the authoritative servers)
- For debugging and troubleshooting purposes only; do not use in production code

Master Zone file format
- RFC 1035, Section 5 for details
- Entries in the master zone file are DNS resource records in their textual "presentation format"
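The CNAME special-action rule quoted from RFC 1034 and the wildcard synthesis rule above, implemented over a small in-memory zone (added example, not BIND's code; the zone contents are constructed for this example). It follows CNAME chains, synthesizes wildcard answers under the query name, applies the RFC 4592 closest-encloser rule, and handles the failure modes a real server has to: CNAME loops, CNAMEs that point out of the zone, and names under an existing node that has no wildcard child (NXDOMAIN, not a wildcard match).

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, int, str, str]      # (owner, ttl, type, rdata), presentation format

ZONE_ORIGIN = "example.com."
ZONE: List[RR] = [                  # constructed sample zone, not from the slides
    ("example.com.",      300, "NS",    "ns1.example.com."),
    ("ns1.example.com.",  300, "A",     "10.1.1.1"),
    ("mail.example.com.", 300, "A",     "10.1.1.1"),
    ("www.example.com.",  300, "CNAME", "worf.example.com."),
    ("worf.example.com.", 300, "A",     "10.1.1.2"),
    ("worf.example.com.", 300, "AAAA",  "2001:db8::2"),
    ("ext.example.com.",  300, "CNAME", "www.example.net."),
    ("loop.example.com.", 300, "CNAME", "loop.example.com."),
    ("*.example.com.",    300, "A",     "10.1.1.7"),
]


def _index(zone: List[RR]) -> Dict[str, List[RR]]:
    by_name: Dict[str, List[RR]] = defaultdict(list)
    for rr in zone:
        by_name[rr[0].lower()].append(rr)          # owner names compare case-insensitively
    return dict(by_name)


def _in_zone(name: str) -> bool:
    return name == ZONE_ORIGIN or name.endswith("." + ZONE_ORIGIN)


def _wildcard_for(by_name: Dict[str, List[RR]], qname: str) -> Optional[List[RR]]:
    """RFC 4592: the '*' directly below the closest existing ancestor of qname, if any."""
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if ancestor in by_name:
            return by_name.get("*." + ancestor)   # None when that ancestor has no wildcard child
        if not _in_zone(ancestor):
            return None
    return None


def lookup(qname: str, qtype: str, zone: List[RR] = ZONE) -> Tuple[str, List[RR]]:
    """Authoritative answer as (rcode, answer RRs), following RFC 1034 sections 3.6.2 and 4.3.2."""
    by_name = _index(zone)
    name = qname.lower() if qname.endswith(".") else qname.lower() + "."
    answer: List[RR] = []
    seen = set()
    while True:
        if not _in_zone(name):
            # a CNAME that leaves the zone: return what we have, the resolver continues
            return ("NOERROR", answer) if answer else ("REFUSED", [])
        if name in seen:
            return ("SERVFAIL", answer)            # CNAME loop
        seen.add(name)
        rrs = by_name.get(name)
        if rrs is None:
            wild = _wildcard_for(by_name, name)
            if not wild:
                return ("NXDOMAIN", answer)
            # synthesize: the query name becomes the owner, content comes from the wildcard
            rrs = [(name, ttl, rtype, rdata) for (_, ttl, rtype, rdata) in wild]
        cnames = [rr for rr in rrs if rr[2] == "CNAME"]
        if cnames and qtype != "CNAME":
            answer.append(cnames[0])
            name = cnames[0][3].lower()            # restart the query at the canonical name
            continue
        answer.extend(rr for rr in rrs if qtype in ("ANY", rr[2]))
        return ("NOERROR", answer)                 # possibly NODATA: NOERROR with an empty answer
```

The x.worf.example.com case is the one that surprises people: worf.example.com exists, so it is the closest encloser, and because there is no *.worf.example.com the answer is NXDOMAIN even though *.example.com exists. The loop guard matters for security too; a zone you do not control can hand your resolver a CNAME chain, and the chain length and loop checks are what keep that from becoming a denial of service.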
Zone file example

Zone: example.com

    @       3600    IN  SOA  master.example.com. hostmaster.example.com. (
                              1001514808  ; serial
                              10800       ; refresh (3 hours)
                              3600        ; retry (1 hour)
                              604800      ; expire (1 week)
                              3600        ; minimum (1 hour)
                              )
            86400   IN  NS   ns1.example.com.
            86400   IN  NS   ns2.example.com.
            86400   IN  MX   10 mail1.example.com.
            86400   IN  MX   20 mail2.example.com.
    ns1     86400   IN  A    10.1.1.1
    ns2     86400   IN  A    10.1.1.2
    www     900     IN  A    10.1.2.2
    mail1   3600    IN  A    10.3.3.3
    mail2   3600    IN  A    10.3.3.4

Master Zone file format
- @ denotes the current origin, defaulting to the zone name. The origin is appended to any domain name not ending in a period.
- ( ) Parentheses are used to group data that crosses a line boundary
- ; starts a comment
- $ORIGIN resets the origin for subsequent relative names
- RRs beginning with whitespace implicitly inherit the last owner name
- TTL and Class fields are optional (they default to the last explicitly stated values)
- Extensions usable in BIND master files:
  - $TTL defines the TTL parameter for subsequent records
  - $GENERATE programmatically generates records, e.g.

        $GENERATE 10-90 client-$ A 10.4.4.$
        $GENERATE 0-62 blah-${0,3,x} A 192.168.154.${+64,0,d}
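An expander for the $GENERATE directive above (added example, not BIND's implementation; it covers the $ and ${offset,width,base} forms with decimal, octal and hex bases, not BIND's nibble formats). Running it on the two directives from the slide shows exactly which records they stand for, which is worth checking before signing a zone, since every generated record gets its own RRSIG and NSEC.

```python
import re
from typing import List

# '$' alone, or '${offset,width,base}'; width and base are optional, base is d/o/x/X
_ITER = re.compile(r"\$(?:\{\s*([+-]?\d+)\s*(?:,\s*(\d+)\s*(?:,\s*([doxX])\s*)?)?\})?")


def _substitute(template: str, value: int) -> str:
    def repl(m):
        offset = int(m.group(1) or 0)
        width = int(m.group(2) or 0)
        base = m.group(3) or "d"
        n = value + offset
        digits = format(abs(n), base).rjust(width, "0")   # BIND zero-pads up to the width
        return "-" + digits if n < 0 else digits
    return _ITER.sub(repl, template)


def expand_generate(directive: str, origin: str) -> List[str]:
    """Expand '$GENERATE range lhs [ttl] [class] type rhs' into presentation-format RRs.

    range is start-stop[/step]; a relative owner name gets the origin appended,
    as the master file rules above require for names without a trailing period.
    """
    parts = directive.split()
    if len(parts) < 5 or parts[0] != "$GENERATE":
        raise ValueError("expected: $GENERATE range lhs [ttl] [class] type rhs")
    span, step = parts[1], 1
    if "/" in span:
        span, step_text = span.split("/", 1)
        step = int(step_text)
    start, stop = (int(x) for x in span.split("-", 1))
    lhs, *middle, rhs = parts[2:]
    rtype, extras = middle[-1], middle[:-1]        # extras = optional TTL and/or class
    records = []
    for i in range(start, stop + 1, step):
        owner = _substitute(lhs, i)
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append(" ".join([owner, *extras, rtype, _substitute(rhs, i)]))
    return records
```

The second slide directive expands to blah-000 through blah-03e (hex, zero-padded to three digits) mapped to 192.168.154.64 through .126; the +64 offset applies only to the right-hand side.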
Size restrictions
- Label: 63 octets max
- Domain name: 255 octets max
- TTL: positive signed 32-bit integer
- Entire DNS message: 512 bytes (UDP) - plain DNS
- Messages larger than 512 bytes require:
  - Use of TCP (often a truncated UDP response followed by a TCP retry)
  - EDNS0 - a DNS extension mechanism allowing negotiation of larger UDP message buffers

Textual vs wire format
- The human readable "textual representation" or "presentation format" of a domain name is different from the domain name as it actually appears in DNS protocol messages ("on the wire", or "wire format")
- Text format: labels written in ASCII, delimited by periods
- Wire format: label bytes one after the other, always ending with the empty label; each label is composed of a label length followed by the label bytes

[Diagram: the name www.upenn.edu. shown as text and as its wire-format labels: www, upenn, edu, and the empty root label.]
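The wire format of a domain name, the size limits from the previous slide, and the query flags mentioned under "Parts of a DNS query", as an added Python example (not from the tutorial, and not a full DNS implementation: it handles query messages only and neither emits nor parses compression pointers). build_query() produces a complete query with RD set and an EDNS0 OPT pseudo-RR advertising a 4096-byte UDP buffer with the DO bit; decode_query() parses one back.

```python
import struct
from typing import Dict, Tuple

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
          "AAAA": 28, "SRV": 33, "OPT": 41, "DS": 43, "RRSIG": 46, "NSEC": 47,
          "DNSKEY": 48, "TLSA": 52, "ANY": 255}
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Presentation name -> wire format, enforcing the 63/255 octet limits."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label {label!r} must be 1..63 octets")
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"                          # the empty root label terminates the name
    if len(wire) > 255:
        raise ValueError("domain name exceeds 255 octets in wire format")
    return wire


def name_is_valid(name: str) -> bool:
    try:
        encode_name(name)
        return True
    except ValueError:
        return False


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def build_query(qname: str, qtype: str, txid: int, udp_size: int = 4096, do: bool = True) -> bytes:
    flags = 0x0100                            # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", QTYPES[qtype], CLASS_IN)
    # OPT pseudo-RR (RFC 2671): owner ".", type 41, the CLASS field carries the UDP
    # payload size, the TTL field carries ext-rcode/version/flags; bit 15 of the flags is DO.
    ttl_field = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPES["OPT"], udp_size, ttl_field, 0)
    return header + question + opt


def decode_query(msg: bytes) -> Dict[str, object]:
    """Parse a query message (answer/authority sections assumed empty)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"id": txid, "rd": bool(flags & 0x0100), "qname": qname, "qtype": qtype,
            "qclass": qclass, "edns": False, "udp_size": 512, "do": False}
    for _ in range(ar):                        # look for an OPT RR in the additional section
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if name == "." and rtype == QTYPES["OPT"]:
            info.update(edns=True, udp_size=rclass, do=bool(ttl & 0x8000))
    return info
```

A query for www.example.com A is 44 bytes: 12 of header, 21 of question (17 for the name, 4 for type and class) and 11 for the OPT RR. The advertised 4096-byte buffer and the DO bit are what make signed answers larger than 512 bytes possible over UDP, and also what middleboxes that "botch EDNS0" (see the caveats later in the deck) strip or drop.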
Live queries using 'dig'

    dig
    dig @server
    dig -x
    dig +trace

DNSSEC Tutorial

DNSSEC at a glance
- "DNS Security Extensions"
- A system to verify the authenticity of DNS "data" using public key signatures
- Specs: RFC 4033, 4034, 4035, 5155 (and more)
- Helps detect DNS spoofing, misdirection, cache poisoning... Recall the "Kaminsky attack"
- Additional benefits: the ability to store and use cryptographic keying material in the DNS, e.g. SSHFP, IPSECKEY, CERT, DKIM, TLSA, etc.

DNSSEC at a glance
- Each zone has a public and private key pair
- The zone owner uses the private key to sign the zone data, producing digital signatures for each resource record set
- The public key is used by others (DNS resolvers) to validate the signatures (proof of authenticity)
- The public key is published in the zone itself so that resolvers can find it
- Zone public keys are organized in a chain of trust following the normal DNS delegation path

DNSSEC Records

    DNSKEY       Contains the zone public key
    RRSIG        Contains a DNSSEC signature
    NSEC         Points to the next name in the zone (used for authenticated denial of existence)
    DS           Delegation Signer (certifies the public key for a subordinate zone)
    NSEC3        Enhanced version of NSEC (provides zone enumeration protection and opt-out)
    NSEC3PARAM   NSEC3 parameters

Signed zone additions
- One or more DNSKEY at the zone apex
- One NSEC for every DNS name
- One or more RRSIG for every RRset
- One or more DS records for every secure delegation
- Exceptions: non-authoritative data like delegation NS records and glue have no signatures (RRSIG)

[Diagram: the resolution of www.upenn.edu shown twice, first without DNSSEC and then with it. With DNSSEC the stub sets the DO bit; the referrals to .edu and to upenn.edu carry DS and RRSIG records; the final answer 1.2.3.4 carries an RRSIG; the recursive resolver holds the root's public key and validates the chain root key -> edu key -> upenn key. The recursive resolver is prepopulated with the root DNS server addresses and the root's public key.]

Multiple DNSKEYs
- Typically, a 2-level hierarchy of DNSKEYs is employed
- KSK: Key Signing Key. Signs other keys (can be larger, i.e. stronger, and kept offline; used as the trust anchor and certified by the parent zone in the DS)
- ZSK: Zone Signing Key. Signs all data in the zone (can be lower strength and impose less computational overhead; can be changed without co-ordination with the parent zone)

Protection of signing keys
- Keep offline
  - Problems with dynamic signing
- Keep only the KSK offline
  - But they need to be brought online for key rollovers (even for ZSK-only rollovers)
- If keeping keys online, lock down the housing server rigorously, as you would a critical authentication server like a KDC
  - Physically secured machine room & racks
  - Tamper resistant HSM (Hardware Security Module)
    $ dig jabber.upenn.edu AAAA
    ;; ->>HEADER

Configuring DNSSEC in BIND

General advice
- Use the latest possible version of BIND (current is v9.9)
- Many more features that make DNSSEC configuration much, much easier, and almost automated...

Validating Resolver
In named.conf (this will use BIND's built-in keys for the root and the ISC DLV registry, and will automatically roll over keys as they are detected):

    options {
        [...]
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
        [...]
    };

[Note: ISC retired the DLV registry in 2017, so dnssec-lookaside no longer applies; on current BIND releases dnssec-validation auto alone is what you want.]

Validating Resolver
Manually configured keys (if needed):

    # manually configured static key
    trusted-keys {
        . 257 3 8 "AwE...jlsdjfld=";
    };

    # managed keys (with automated rollover)
    managed-keys {
        "." initial-key 257 3 8 "Awlsdjflkdjfl";
    };

Signing zones
- Generating keys:

        dnssec-keygen
        dnssec-keygen -f KSK
        dnssec-keygen -3      # NSEC3 zone

  Creates K<name>+mmm+nnnn.key and K<name>+mmm+nnnn.private files
- Signing the zone:

        dnssec-signzone -o zone -S

  (-S: smart signing)

Authoritative Server

    options {
        [...]
        dnssec-enable yes;
        [...]
    };

Dynamic Update + DNSSEC
The easiest way, in my opinion.
* Configure dynamic zones (i.e. zones updated only with the Dynamic Update protocol, e.g. with the nsupdate program)
* Make the DNSSEC keys available to named
* When dynamic updates are made, named will automatically sign the records and generate or re-generate the related DNSSEC metadata
* The latest BIND versions include special options to make this really easy.

Live example of signing a zone with DNSSEC (time permitting!)

Signing a zone

    # Create zone for "example.com" and configure named
    [...]
    # Generate KSK and ZSK (in this example RSASHA256 2048/1024 bit)
    dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK example.com
    dnssec-keygen -a RSASHA256 -b 1024 -n ZONE example.com
    # Sign zone (will generate "zonefile.signed")
    dnssec-signzone -o example.com -S zonefile
    # Reconfigure named.conf to serve "zonefile.signed"
    [...]

Steps for reference. We'll do this live (hopefully).
[Note: 1024-bit RSA ZSKs were common practice in 2012; today use at least 2048-bit RSA, or ECDSAP256SHA256 (algorithm 13), which gives smaller keys and signatures.]

Signing a zone (dynamic)

    # Generate KSK and ZSK as before, but don't use dnssec-signzone
    [...]
    # Set up named.conf with the "auto-dnssec" option for the zone
    zone "example.com" {
        type master;
        update-policy local;      # allow-update for expl key
        auto-dnssec allow;        # also see "maintain"
        file "zones/example.com/zonefile";
        key-directory "zones/example.com";
    };
    # Tell named to sign the zone
    rndc sign example.com
    # From now on, use dynamic update (e.g. via nsupdate) to update
    # zone contents.

Signing a zone (dynamic)

    # Example of using dynamic update to add an ldap.example.com
    # A RR to the zone. This will cause named to automatically
    # compute and add RRSIGs and NSEC/NSEC3s as needed.
    $ nsupdate -l
    ttl 86400
    zone example.com.
    update add ldap.example.com. A 10.4.4.4
    send
    ^D
    $

Other methods
The newest versions of BIND have some other ways that might make it easier to deploy DNSSEC in environments where it's not easy to modify the master server...
* Inline Signing (BIND 9.9)
This feature greatly simplifies the deployment of DNSSEC by allowing completely automatic, fully transparent signing of zones. Using the new 'inline-signing' option in a master server allows named to switch on DNSSEC in a zone without modifying the original zone file in any way. Using it in a slave server allows a zone to be signed even if it's served from a master database that doesn't support DNSSEC. Some example configurations may be found at https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html

Key Rollover

Key Rollover
- Conventional wisdom is that DNSSEC keys should be changed ("rolled over") at regular intervals
- However, not everyone agrees, including some noted security experts
- If you choose strong enough keys, there is no cryptographic reason to routinely roll them
- There are good operational reasons to change keys after specific events, e.g. turnover of a staff member who had access to the private keys, or a system compromise of the server
- Some argue routine key rollover instills practice & confidence that you'll be able to do it properly when you really need to. However, do we do this for other applications (Kerberos, PKI/CAs, SSL)?

Key Rollover
- RFC 4641: DNSSEC Operational Practices. Covers general practices, procedures, recommendations
- Update: http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-11
- Most commonly used:
  - KSK rollover: double signature policy
  - ZSK rollover: pre-publish policy

KSK: Double signature
- Generate the new KSK; publish the public part in the zone
- Sign the DNSKEY RRset with both keys
- Publish an additional DS record in the parent for the new key
- Wait until the DS is propagated, plus the TTL of the old DS record
- Remove the old KSK and re-sign the DNSKEY RRset with only the new key

ZSK: Pre-publish
- Generate the new ZSK and publish its DNSKEY in the zone, but do not yet sign zone data with it
- Wait zone propagation time + TTL of the DNSKEY RRset
- Use the new ZSK for signing zone records instead of the old ZSK, but leave the old ZSK published in the zone
- Wait zone propagation time + the largest TTL of all records in the zone
- Remove the old key & re-sign the DNSKEY RRset

Other DNSSEC caveats

General DNSSEC Caveats
- Zone size increases significantly when signed
- Memory and CPU usage increase
- DNSSEC answers are larger
  - Server side & query side impacts
  - Interference by firewalls, proxies, and other middleboxes, e.g. botching EDNS0, large packets, DNSSEC metadata etc
  - Fallback to TCP increases
- Many modern resolvers already ask for DNSSEC by default (i.e. set the DNSSEC-OK bit in their queries)

Securing the last hop
- How do we protect the stub resolver?
- Employ a channel security mechanism between the stub and the upstream recursive resolver: TSIG, SIG(0), IPSEC, etc
- Have the stub validate DNSSEC responses: set the CD bit and authenticate the signatures directly
- Give up, and run a full service DNS resolver on clients
[Diagram: the DNSSEC resolution of www.upenn.edu as before, with the stub-to-recursive-resolver channel highlighted as the unprotected last hop.]

Channel Security
- For stub channel security, simple symmetric key TSIG won't work
  - Can't distribute the same TSIG key to many clients, because that allows any of them to forge answers to all the others
  - Need per-client keys and thus a key management infrastructure
- GSS-TSIG has a chicken-and-egg problem, because DNS is often used to locate the Kerberos servers
- SIG(0) may be better: distribute a single public key to clients
- Microsoft supposedly has an implementation of IPsec (GSS authenticated) to protect the client to recursive resolver path
- DNSCurve

Application use of DNSSEC

Application use of DNSSEC
- One of the more exciting prospects for DNSSEC
- DNSSEC allows applications to securely obtain (authenticate) cryptographic keying material stored in the DNS
- A variety of existing and proposed record types have been designed to store crypto material:
  - SSHFP, IPSECKEY, CERT
  - DKIM _domainkey TXT record (p=... public key data)
  - TLSA (upcoming, see the IETF DANE working group)

Application use of DNSSEC
- Securely obtaining other assertions from the DNS
  - DKIM/ADSP
  - Route Origination Authorizations (controversial - see RPKI, the standardized mechanism to do this, which will allow BGP path validation also)

SSHFP record

    grodd.magpi.net.   86400   IN   SSHFP   ( 1 1 F60AE0994C0B02545D444F7996088E9EA7359CBA )
    (algorithm number; fingerprint type (1 = SHA-1); fingerprint)

- SSH Host Key Fingerprint (RFC 4255)
- Allows you to validate SSH host keys using DNS (securely, when using DNSSEC)

IPSECKEY record

    38.2.0.192.in-addr.arpa.   7200   IN   IPSECKEY   ( 10 1 2 192.0.2.38
                               AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )

- RFC 4025: a method for storing IPSEC keying material in DNS
- rdata format: precedence, gateway-type, algorithm, gateway address, public key (base64 encoded)

Public CA model problems
- Applications need to trust a large number of global certificate authorities, and this trust appears to be unfounded
- No namespace constraints! Any of them can issue certificates for any entity on the Internet, whether you have a business relationship with them or not
- Least common denominator security: our collective security is equivalent to the weakest one
- Furthermore, many of them issue subordinate CA certificates to their customers, again with no naming constraints
- Most are incapable of issuing certs with any but the most basic capabilities (e.g. alternate name forms or other extensions)

DANE/TLSA record
- The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)
- draft-ietf-dane-protocol-20 (almost published as an RFC; it has since been published as RFC 6698). The RR type code is already assigned
- Use DNSSEC for better & more secure ways to authenticate SSL/TLS certificates: by specifying authorized public CAs, allowable end entity certs, authorizing new non-public CAs, or even directly authenticating certs without involving CAs!

TLSA record example

    _443._tcp.www.example.com.   IN   TLSA   ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971 )
    (port, transport protocol & server domain name; TLSA rr type; usage; selector; matching type; certificate association data)

TLSA rdata parameters
- Usage field:
  0  CA constraint
  1  Service certificate constraint
  2  Trust anchor assertion
  3  Domain-issued certificate
- Selector field:
  0  Match the full certificate
  1  Match only the SubjectPublicKeyInfo
- Matching type field:
  0  Exact match on the selected content
  1  SHA-256 hash of the selected content
  2  SHA-512 hash of the selected content
- Certificate Association Data: raw cert data in hex

TLSA record example

    _443._tcp.www.example.com.   IN   TLSA   ( 1 1 2 92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c1b177615d466f6c4b71c216a50292bd58c9ebdd2f74e38fe51ffd48c43326cbc )

Usage type 1: Service certificate constraint; match an end-entity certificate

TLSA record example

    _443._tcp.www.example.com.   IN   TLSA   ( 3 0 0 30820307308201efa003020102020... )

Usage type 3: Full certificate association (no CA required)
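Building a TLSA record from a certificate and checking a presented certificate against it, as an added example that is not from the slides or the DANE specification (selector 1, SubjectPublicKeyInfo, is omitted because it needs a DER parser; the certificate bytes below are constructed placeholders). This is the usage 1 / usage 3 side of the check: whether the end-entity certificate the server presented matches what the DNSSEC-signed record says it should be.

```python
import hashlib
from typing import NamedTuple


class TLSA(NamedTuple):
    usage: int        # 0 CA constraint, 1 service cert constraint, 2 trust anchor, 3 domain-issued cert
    selector: int     # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int        # 0 exact, 1 SHA-256, 2 SHA-512
    data: str         # certificate association data, lower-case hex


def tlsa_owner(port: int, proto: str, host: str) -> str:
    """_port._proto.host., the owner name DANE clients look up for a TLS service."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, selector: int, mtype: int) -> str:
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs a DER parser; not shown here")
    if mtype == 0:
        return cert_der.hex()
    if mtype == 1:
        return hashlib.sha256(cert_der).hexdigest()
    if mtype == 2:
        return hashlib.sha512(cert_der).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der: bytes, usage: int, selector: int = 0, mtype: int = 1) -> TLSA:
    """The record a zone owner publishes for the certificate it serves."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def tlsa_presentation(owner: str, rec: TLSA) -> str:
    return f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.mtype} {rec.data}"


def parse_tlsa(rdata: str) -> TLSA:
    """Parse 'usage selector mtype hex...' (hex may be split across whitespace, as in zone files)."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), "".join(data.split()).lower())


def matches(rec: TLSA, presented_cert_der: bytes) -> bool:
    """Usage 1/3 check: does the end-entity certificate the server presented match the record?"""
    if rec.usage not in (1, 3):
        raise ValueError("usages 0 and 2 are checked against the CA chain, not the leaf")
    return association_data(presented_cert_der, rec.selector, rec.mtype) == rec.data


# Constructed placeholder "certificate" (NOT real DER), long enough to look like one.
SAMPLE_CERT_DER = b"\x30\x82\x03\x07" + bytes(range(256)) * 3

if __name__ == "__main__":
    rec = make_tlsa(SAMPLE_CERT_DER, usage=3)
    print(tlsa_presentation(tlsa_owner(443, "tcp", "www.example.com"), rec))
    print(matches(rec, SAMPLE_CERT_DER))
```

A usage-3 record like the one produced here pins the exact certificate, so the record must be updated (ideally published ahead of the new certificate, the same pre-publish idea as a ZSK rollover) whenever the certificate is renewed; a usage-1 record behaves the same way but the client still also runs normal PKIX validation. The whole check is only as good as the DNSSEC validation that delivered the record: an unvalidated TLSA answer is just an attacker-controllable pin.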
DNSSEC Deployment Status

Deployment status: DNSSEC
- Root signed (July 2010)
- Many TLDs signed (94 of 313 as of Apr 2012, and others planning):
  - gTLD: edu gov com net org biz info arpa
  - ccTLD: ac ag at bg bg br bz ch cl co cr cz de dk eu fr gi gl gr hn in io jp kr la lc li lk lu me mm mn my na nc nl nu nz pl pm pr re sc se sh si su sx tf th tm tw ug uk us wf yt (58 at last count, plus some IDN ccTLDs)
  - See http://stats.research.icann.org/dns/tld_report/
- Reverse trees: in-addr.arpa, ip6.arpa
- Note: not all TLD registrars support DNSSEC yet (i.e. the ability to install a DS record in the TLD)

SecSpider
- DNSSEC zone monitoring project: http://secspider.cs.ucla.edu/
- Over 37,000 signed zones as of mid April 2012
- Crawling and user submissions
- Distributed polling
- Also a DLV registry

DNSSEC Tools

Some useful tools
- Checking correct operation/deployment:
  - DNSviz: http://dnsviz.net/
  - http://dnssec-debugger.verisignlabs.com/
  - http://dnscheck.iis.se/
- 3rd party tools that some folks use to deploy/manage DNSSEC with BIND (mostly everything can be done in BIND itself these days): OpenDNSSEC, zkt

Thank you!
Shumon Huque
shuque-@-upenn.edu
@shuque

Please fill out the Trainer Evaluation: http://www.picconf.org/training-survey
Rate PICC'12: http://www.picconf.org/rate-picc-12
