ICANN Mexico ccTLD Practical DNSSEC - Filip and Hitchcock

Description: ICANN Mexico 34 - Filip and Hitchcock on DNSSEC at ccTLD Tech Day Workshop
Page 1: ICANN Mexico ccTLD Practical DNSSEC - Filip and Hitchcock

Practical DNSSEC (in less than 90 minutes)

ccTLD Techday – Mexico City – March 2, 2009

Ondrej Filip (CZ NIC) 

Jeremy Hitchcock (Dynamic Network Services) 

Page 2

What We're Covering

•  Big picture on DNSSEC
•  Some highlights on how it works
•  Trust anchors
•  DNSSEC at .CZ
•  Future of DNSSEC

Page 3

Why DNSSEC

•  Secure DNS, true verification of answers
•  Kaminsky attack to trick recursive DNS servers
•  Lot of money in tricking users
•  Why is this hard?
  –  Security not originally in DNS
  –  Lot of actors to achieve results
•  Silver lining: we're pretty far along
  –  End-to-end DNSSEC already here (.se, .cz, etc.)
  –  First open gTLD to come this year: .org
•  .gov and .museum are signed

Page 4

DNSSEC Resolution Chain

(Diagram of the resolution chain; the figure is not reproduced in the transcript)

Page 5

DNSSEC Records

•  Keys to sign the zone (KSK/ZSK)
  –  Those are used to create a "signed" zone
•  Key data in the zone
  –  DNSKEY – public key
  –  RRSIG – signature over a record set
  –  NSEC – proof of non-existence (NSEC3)
•  Keys to go to the parent registry (DS)
  –  The RR that the recursive resolver verifies the child's key against

Page 6

DNSSEC Key Chain

(Diagram of the key chain; the figure is not reproduced in the transcript)

Page 7

Keys [Should] Start at the Root

•  We all trust named.hints (and rotate them)
•  Need to trust the keys, starting at the top
•  NTIA request for comments
  –  http://www.ntia.doc.gov/dns/dnssec.html
•  Still not signed, but TLDs are signed
•  That's a problem…

Page 8

ITAR/DLV

•  Vetted, accepted keys; think trusted root hints
•  ITAR – IANA-run trust anchor, a set of trusted DS records to include in local recursive DNS servers
  –  https://itar.iana.org/
•  DLV – ISC-run dynamic trust anchor to verify lookups
  –  https://www.isc.org/solutions/dlv
•  One verifies against the real NS, the other on ISC
•  Both work, different flavors

Page 9

(Ondrej slides)

Page 10

DNSSEC deployment in .CZ

CZ.NIC – Ondrej Filip – [email protected] – 2. 3. 2009 – ccNSO techday, Mexico City

Page 11

FRED

● In-house created registry system
● Released as open source project: http://fred.nic.cz
● Registrar interface – EPP protocol
● Primary objects: domains, contacts, nameserver sets
● Zone generation every 30 minutes
● Used for .CZ since 2007
● Used by Angola

Page 12

DNSSEC preparations & plans

● Main project for 2008
  – DNSSEC is an important technology for DNS
● Meetings with registrars
  – Explanation of DNSSEC principles
  – Exploring Sweden's experiences
  – Presentation of our solution
● Coding started in 2Q
● Kaminsky discovery
● Zone signing first
● Full deployment 30.9.2008

Page 13

Zone walking

● Zone data enumeration and disclosure
● Is it a problem?
● List of all .cz domains + technical information
● NSEC3 not supported yet
● Approved: no personal data disclosed, OK to implement

Page 14

DNSSEC solution at registry

● Accept public keys from domain registrants
● Publish them into the generated zone
● Our own key pair generation and maintenance
● Zone signing with our private key
● Public key publishing

Page 15

DNSSEC solution – step 1: Accepting public keys from registrants

● Significant registry modification
● EPP extended for a new primary object – KeySet
● Support sharing between domains
● Support multiple keys for easy key exchange
● Registration of a KeySet is free

(Diagram of the object model: Domain (Reg / Admin-c) links to an NS SET (NS, Tech-c) and to a Key SET (DNSSEC, Tech-c))

Page 16

DNSSEC solution – step 2: Publishing them in the zone

● Minor registry modification
● New-type DS records generated into the zone file
● DS record data computed from the public keys in the KeySet
● Creating the "chain of trust"
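The DS computation behind the bullets above (DS data derived from the KeySet public key, and the chain of trust it creates between parent and child, as in the key chain slide), as an added worked example in Python that is not part of the original slides or of the FRED registry code. The key material, zone names and trust anchor are constructed placeholders; the owner-name canonicalisation, key tag and digest arithmetic follow RFC 4034, and RRSIG verification is deliberately left out so that only the delegation check is shown.

```python
import hashlib
import struct

# DS digest types from RFC 4034 (1 = SHA-1) and RFC 4509 (2 = SHA-256).
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_name(owner: str) -> bytes:
    """Wire-format, lowercased owner name (RFC 4034 section 6.2)."""
    name = owner.strip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP, 256 = ZSK), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_input(owner: str, rdata: bytes) -> bytes:
    """What the DS digest is computed over: canonical owner name + DNSKEY RDATA."""
    return canonical_name(owner) + rdata


def make_ds(owner: str, flags: int, algorithm: int, pubkey: bytes,
            digest_type: int = 1) -> dict:
    """DS record fields the registry publishes for a child's DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = DS_DIGEST_ALGS[digest_type](ds_digest_input(owner, rdata)).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(owner: str, ds: dict, flags: int, algorithm: int,
                      pubkey: bytes) -> bool:
    """Validator side of a delegation: recompute the DS from the child's DNSKEY."""
    expected = make_ds(owner, flags, algorithm, pubkey, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"] == ds["digest"])


def validate_chain(anchor_ds: dict, zones: dict, names: list) -> bool:
    """Walk from a configured trust anchor (a DS for names[0], e.g. the TLD key
    obtained via ITAR/DLV while the root is unsigned) down to names[-1].
    Each step checks the DS published in the parent against the child's KSK.
    A missing DS means the delegation is not secured and the walk fails."""
    ds = anchor_ds
    for i, name in enumerate(names):
        zone = zones[name]
        if not ds_matches_dnskey(name, ds, *zone["ksk"]):
            return False
        if i + 1 < len(names):
            ds = zone["ds"].get(names[i + 1])
            if ds is None:
                return False
    return True


# Constructed keys (flags, algorithm 5 = RSA/SHA-1, fake key bytes); not real keys.
KSK_CZ = (257, 5, b"\x03\x01\x00\x01" + bytes(range(32)))
KSK_EXAMPLE = (257, 5, b"\x03\x01\x00\x01" + bytes(range(32, 64)))

# Constructed zone data: the TLD holds a DS for its signed child, the child holds its KSK.
ZONES = {
    "cz.": {"ksk": KSK_CZ, "ds": {"example.cz.": make_ds("example.cz.", *KSK_EXAMPLE)}},
    "example.cz.": {"ksk": KSK_EXAMPLE, "ds": {}},
}
# The trust anchor a resolver would load for the TLD (the role ITAR/DLV play in the deck).
ANCHOR = make_ds("cz.", *KSK_CZ)

if __name__ == "__main__":
    print("chain valid:", validate_chain(ANCHOR, ZONES, ["cz.", "example.cz."]))
```

The `ds_matches_dnskey` check is exactly what fails when a registrant rotates the KSK in the KeySet without the registry regenerating the DS, which is why the deck's transfer procedure adds the new keys before removing the old ones.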

Page 17

DNSSEC solution – step 3: Own private & public key generation

● Using BIND tool dnssec-keygen
● Zone signing key – weaker – 1024 bits
● Key signing key – stronger – 2048 bits
● Alternative tool – ldns
● Key storage, key management

Page 18

DNSSEC solution – step 4: Zone signing

● Using BIND tool dnssec-signzone
● Huge increase in zone size, from 40MB to 180MB
  – Transferring the zone to 19 secondary locations
  – Memory and bandwidth problems
● Solved by reusing signatures
  – Own scripts based on ldns tools
● Initial tests of an HSM machine failed
  – Software bugs
● Every 30 minutes
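The signature-reuse idea from the slide above (re-sign every 30 minutes, but only the RRsets whose data changed or whose signatures are close to expiry), as an added worked example in Python that is not part of the original slides or of CZ.NIC's ldns-based scripts. The zone contents, timestamps and validity windows are constructed, and an HMAC stands in for the real RRSIG so the example runs offline; the canonical-ordering rule it relies on (sorted RDATA, lowercased owner) is the one RFC 4034 section 6.3 uses for signing.

```python
import hashlib
import hmac

# Constructed placeholders: a real signer uses the zone's private ZSK and emits
# RRSIG records; here an HMAC over the canonical RRset stands in for the signature.
PLACEHOLDER_ZSK = b"not-a-real-key"
SIG_LIFETIME = 30 * 24 * 3600    # each signature is valid for 30 days
REFRESH_BEFORE = 7 * 24 * 3600   # re-sign once fewer than 7 days of validity remain


def rrset_fingerprint(owner: str, rtype: str, rdatas) -> str:
    """Canonical form of an RRset: lowercased owner and sorted RDATA, so that a
    reordered zone file does not look like a change and trigger re-signing."""
    canon = owner.lower() + "|" + rtype + "|" + "|".join(sorted(rdatas))
    return hashlib.sha256(canon.encode()).hexdigest()


def fake_sign(fingerprint: str, inception: int, expiration: int) -> str:
    msg = f"{fingerprint}|{inception}|{expiration}".encode()
    return hmac.new(PLACEHOLDER_ZSK, msg, hashlib.sha256).hexdigest()


def sign_zone(zone: dict, previous: dict, now: int):
    """zone: {(owner, rtype): [rdata, ...]}; previous: signature state from the
    last run. Returns (new state, number of RRsets actually re-signed).
    RRsets no longer in the zone simply drop out of the new state."""
    signed, resigned = {}, 0
    for key, rdatas in zone.items():
        fp = rrset_fingerprint(key[0], key[1], rdatas)
        old = previous.get(key)
        if (old is not None and old["fingerprint"] == fp
                and old["expiration"] - now > REFRESH_BEFORE):
            signed[key] = old   # unchanged data, still far from expiry: reuse
            continue
        inception, expiration = now, now + SIG_LIFETIME
        signed[key] = {"fingerprint": fp, "inception": inception,
                       "expiration": expiration,
                       "sig": fake_sign(fp, inception, expiration)}
        resigned += 1
    return signed, resigned


# Constructed "now" (seconds since epoch, early March 2009) and a tiny constructed zone.
T0 = 1_236_000_000
ZONE_V1 = {
    ("cz.", "SOA"): ["ns.placeholder.cz. hostmaster.placeholder.cz. 1 900 300 604800 900"],
    ("example.cz.", "NS"): ["ns1.example.cz.", "ns2.example.cz."],
    ("example.cz.", "DS"): ["12345 5 1 0000000000000000000000000000000000000000"],
}


def demo():
    """Four consecutive signing runs; returns how many RRsets each one re-signed."""
    first, n1 = sign_zone(ZONE_V1, {}, T0)                 # initial full signing
    second, n2 = sign_zone(ZONE_V1, first, T0 + 1800)      # next 30-minute run, no change
    changed = {**ZONE_V1, ("example.cz.", "NS"): ["ns1.example.cz.", "ns3.example.cz."]}
    third, n3 = sign_zone(changed, second, T0 + 3600)      # one delegation changed
    near_expiry = T0 + 3600 + SIG_LIFETIME - REFRESH_BEFORE + 1
    fourth, n4 = sign_zone(changed, third, near_expiry)    # everything inside refresh window
    return n1, n2, n3, n4


if __name__ == "__main__":
    print("re-signed per run:", demo())
```

The refresh window matters operationally: signatures must be renewed well before they expire, or every secondary that still serves the old zone starts returning bogus answers to validating resolvers; choosing `REFRESH_BEFORE` larger than the longest plausible transfer delay to the 19 secondaries is the defensive setting.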

Page 19

DNSSEC solution – step 5: Own public key publishing

● Root zone still unsigned
● Public key available on our web pages: http://www.dnssec.cz
● Mailing list for notification of changes
● DLV registry of ISC
● ITAR solution from IANA
● Waiting for root...

Page 20

Key management

● Keys managed manually
● Privilege separation
  – Separate server
  – Logged access – individual accounts
● Keys will move to HSM – KSK + ZSK
● Four Solaris servers
● Sun Crypto Accelerator 6000 PCI
● BIND 9.6.1 will merge the necessary fixes

Page 21

Domain name transfer

● Registrar change – slightly complicated

1) Transfer Domain, NSSET and KEYSET

2) Generate new keys

3) Add new keys to KEYSET

4) New zone publishing

5) Nameservers (NSSET) change

6) Delete old keys from KEYSET and delete old zone file

Page 22

Statistics

● Time from deployment: 4 months
● Domains signed: 500+
● Registrar support: 80%+ market share (60% at day 1)
● ISP support – slowly growing
● Weekly statistics of signed domains: (chart not reproduced in the transcript)

Page 23

New services with DNSSEC

CZ.NIC – Ondrej Filip – [email protected] – 2. 3. 2009 – ccNSO techday, Mexico City

Page 24

What's new with DNSSEC?

● No visible change for the end user
● No visible change in DNS design
● So what is new?
● We have a secure, public, federated database
● We can store new items in it
● Everybody can verify that an item was published by the domain administrator

Page 25

Innovative example – SSHFP

● SSH login to an unknown server – the host key question
● Everybody ignores it and simply acknowledges
● Idea – store the fingerprint of SSH host keys in DNS
● New record – SSHFP – secure shell fingerprint
● host.network.cz IN SSHFP 1 1 8c211d5b58e625cf61889ffe38b6d082b1c841a3
● Nice but quite limited usage
● Any other things to store in DNS?

Page 26

What about SSL-HTTPS certs?

● Currently – use some CA from the Firefox/Explorer list
● You have to pay and prove your identity to a third party
● Why not store the fingerprint of your self-signed SSL certificate in DNS?
● Can avoid the use of CAs
● Just in the beginning – an idea
● Any other idea?
  – E-mail related information? ....
  – SMTPs?
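The SSHFP record from the slide before last (generating the record from an OpenSSH public key and checking a presented host key against it) and the self-signed certificate idea from the slide above (the same hash-and-compare over the DER certificate bytes), as one added worked example in Python that is not part of the original slides. The algorithm and fingerprint-type code points are the real SSHFP values (RFC 4255, with the SHA-256 and ECDSA/Ed25519 additions from RFC 6594 and RFC 7479); the key blob and hostnames are constructed and are not real keys. The check assumes the SSHFP answer has already been DNSSEC-validated by the resolver; without that the record proves nothing, which is the point of the deck.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey_line(hostname: str, line: str, fptype: int = 2) -> str:
    """Build an SSHFP RR from an OpenSSH public-key line '<type> <base64> [comment]'.
    The fingerprint is the hash of the raw key blob, as RFC 4255 specifies."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    fp = SSHFP_FPTYPES[fptype](blob).hexdigest()
    return f"{hostname} IN SSHFP {alg} {fptype} {fp}"


def parse_sshfp(rr: str):
    """Split a presentation-format SSHFP RR into (owner, algorithm, fptype, hex)."""
    owner, _cls, _rtype, alg, fptype, fp = rr.split()
    return owner, int(alg), int(fptype), fp.lower()


def host_key_matches(rr: str, keytype: str, blob: bytes) -> bool:
    """Client-side check: hash the key the server presented and compare it with
    the (DNSSEC-validated) SSHFP data. A record for a different key algorithm or
    an unknown fingerprint type never matches."""
    _owner, alg, fptype, fp = parse_sshfp(rr)
    if SSHFP_ALGORITHMS.get(keytype) != alg or fptype not in SSHFP_FPTYPES:
        return False
    computed = SSHFP_FPTYPES[fptype](blob).hexdigest()
    return hmac.compare_digest(computed, fp)


def cert_fingerprint_matches(dns_hex: str, der_cert: bytes, fptype: int = 2) -> bool:
    """The certificate variant the deck proposes: publish a hash of the DER
    certificate in DNS and compare it at connect time instead of asking a CA."""
    computed = SSHFP_FPTYPES[fptype](der_cert).hexdigest()
    return hmac.compare_digest(computed, dns_hex.lower())


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used inside SSH key blobs (RFC 4251)."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample: a correctly framed ssh-ed25519 blob around 32 bytes of
# obviously fake key material. It is not a real host key.
FAKE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
FAKE_PUBKEY_LINE = ("ssh-ed25519 " + base64.b64encode(FAKE_ED25519_BLOB).decode()
                    + " host.example.cz")

if __name__ == "__main__":
    rr = sshfp_from_pubkey_line("host.example.cz.", FAKE_PUBKEY_LINE)
    print(rr)
    print("matches:", host_key_matches(rr, "ssh-ed25519", FAKE_ED25519_BLOB))
```

With SHA-1 as the fingerprint type (`fptype=1`) the output has the same shape as the slide's `host.network.cz` record; SHA-256 is the type to publish today, and a client should refuse a record whose type it does not recognise rather than fall back to asking the user.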

Page 27

DNSSEC in the Wild (auth)

•  Root signing (NTIA, IANA)
•  IANA DNSSEC testbed – https://ns.iana.org/dnssec/
•  IANA ITAR
•  ISC DLV

Page 28

DNSSEC in the Wild (recursive)

•  Comcast DNSSEC test bed – http://www.dnssec.comcast.net/
•  OARC DNSSEC test bed – https://www.dns-oarc.net/oarc/services/odvr
•  Dyn Inc. DNSSEC test bed – http://dynamicnetworkservices.com/dnssec
•  ISPs are deploying it – easy to do, lots of configs out there

Page 29

DNSSEC in the Application

•  Still a bit of work to do
•  Microsoft and DNSSEC – http://cai.icann.org/files/meetings/cairo2008/seshadri-dnssec-windows-05nov08.pdf
  –  In Windows 7
•  Drill and Mozilla plugin

Page 30

DNSSEC Coalition

•  Workgroup spearheaded by PIR (.org)
•  Group to streamline adoption of DNSSEC
•  gTLDs to rally around set standards (RFC 4310)
•  Discuss best practices (like domain transfers)
•  Teleconferences already happening
•  First meeting March 13

Page 31

DNSSEC Coalition Members

Group Chair: .ORG, The Public Interest Registry

Outreach Working Group
•  EDUCAUSE
•  Kirei AB
•  Internet Society
•  Internet Systems Consortium, Inc. (ISC)
•  .ORG, The Public Interest Registry
•  Secure64 Software Corporation
•  SIDN

Registry Implementations Working Group
•  Afilias Limited
•  Internet Systems Consortium, Inc. (ISC)
•  Secure64 Software Corporation
•  Shinkuro
•  SIDN
•  VeriSign, Inc.

Education Working Group
•  EDUCAUSE
•  Internet Society
•  Internet Systems Consortium, Inc. (ISC)
•  NLnet Labs
•  Secure64 Software Corporation
•  Shinkuro
•  SIDN

Tools & Applications Working Group
•  Afilias Limited
•  Internet Systems Consortium, Inc. (ISC)
•  NeuStar, Inc.
•  NLnet Labs
•  Secure64 Software Corporation
•  .SE (the Internet Infrastructure Foundation)
•  SIDN
•  VeriSign, Inc.

Registrars Working Group to come

Page 32

Tools and Support

•  Added into BIND, NSD – lots of operational testing
•  Signing tools by Sparta – http://www.dnssec-tools.org/
•  DNSSEC in 6 minutes (ISC) – https://www.isc.org/files/DNSSEC_in_6_minutes.pdf
•  General information – http://www.dnssec-deployment.org/

Page 33

Future of DNSSEC

•  Unknown when the root is going to be signed
  –  ITAR and DLV make it matter less
•  gTLDs are going to sign shortly
  –  .com/net in 2011, .org in 2009
•  Greater application support
•  ISP/end users getting ready

Page 34

Closing Remarks

Any questions?

Ondrej Filip – [email protected]

Jeremy Hitchcock – jeremy@dyn-inc.com

