DNSSEC best practices Webinar

©!Men!&!Mice!!http://menandmice.com!

DNSSEC!Best!Practice

28!April!2015

What!is!DNSSECa!security!extension!to!authenticate!DNS!data!

DNS!data!is!cryptographically!signed!by!the!owner!of!the!DNS!zone!

the!recipient!of!the!data!can!validate!the!signature!to!ensure!that!

the!data!has!not!been!changed!since!signing!

that!the!data!comes!from!the!owner!of!the!private!key!for!the!domain!

A!recipient!of!DNS!data!can!be!a!DNS!resolver,!an!operating!system!stub-resolver!or!an!application

©!Men!&!Mice!!http://menandmice.com!3

plain DNS data

finger-print

encrypt!with!!private!key k

Zonefile

plain DNS data

authoritative!server

resolving/validating!server

public key

plain DNS data

decrypt!with!!public!key k

finger-print

finger-printcompare

parent!zone

DS record

hash verify

DNSSEC!in!a!nutshell

DNSSEC!MYTH

DNSSEC!myth!busting!1

Myth:!DNSSEC!enables!DNS!reflection!attacks!

Fact:!DNSSEC!records!are!large!and!can!be!used!for!reflection!attacks!

Fact:!non-DNSSEC!records!can!also!be!large!and!used!for!reflection!attacks!(DKIM,!DMARC,!SPF,!SSHFP!…)!

DNS!reflection!attacks!are!an!generic!issue!in!the!DNS!protocol.!The!issue!is!largely!solved!by!response!rate!limiting!(RRL)!and!sane!default!configurations!(preventing!open!DNS!resolver)

DNSSEC!myth!busting!2Myth:!DNSSEC!cannot!be!trusted!

Fact:!the!US!government!has!some!influence!on!the!DNS!root!zone!(incl.!the!DNSSEC!keys)!

Fact:!changes!in!the!Internet!DNS!root-zone!are!highly!visible!and!cannot!be!done!in!secret!

Fact:!local!DNS!spoofing!of!ROOT-Zone!data!is!possible,!but!would!require!to!simulate!large!parts!of!the!public!Internet!

DNSSEC!users!can!configure!additional!trust-anchors!(on!ccTLD!or!2n-level-domain).!The!truly!paranoid!run!a!local!DNS-root!zone!signed!with!their!own!key(s):https://tools.ietf.org/html/draft-ietf-dnsop-root-loopback-01

DNSSEC!myth!busting!3

Myth:!DNSSEC!makes!DNS!slow!

Fact:!with!todays!CPUs!and!hardware,!DNSSEC!validation!is!cheap!

Fact:!DNSSEC!data!is!still!cached.!Once!validated,!the!data!will!be!stored!in!the!DNS!cache!for!the!TTL!lifetime!

watch!Video:!Geoff!Huston!–!what!if!everyone!did!DNSSEC?!(APNIC!38)

DNSSEC!parameter

Why!DNSSEC

•prevents!DNS!cache!poisoning!

•Man-in-the-middle!(MITM)!attacks!are!detected!

•detects!DNS!data!corruption/manipulation!on!authoritative!DNS!servers!

•to!bootstrap!trust!for!other!security!protocols!

SSH,!TLS,!PGP,!S/MIME,!DKIM,!email!transport!security!

new!security!protocols!require!DNSSEC!(e.g.!DANE)

DNSSEC!algorithms

MD5!!!!!!!!!!(deprecated,!not!implemented)!

SHA1!!!!!!!!!!(deprecated,!implemented)!

SHA256!!!!!!(recommended)!

SHA512!!!!!!(large!signatures!and!keys)!

DSA!!!!!!!!!!!!(slow!validation,!no!extra!security)!

ECC-GOST!(used!in!Russia)!

ECDSA!!!!!!!(small!signatures,!read!ECDSA!and!DNSSEC)

Key!sizes!(for!RSASHA256)

be!aware!of!DNS!packet!size!limits!(IPv6!fragmentation!issues)!

Recommendations:!

RFC!6781:!1024!bits!

BIND!9!default:!KSK!-!2048!bits,!ZSK!-!1024!bits!

mildly!paranoid:!KSK!-!2560!bits,!ZSK!-!1536!bits!

truly!paranoid:!KSK!-!4096!bits,!ZSK!-!2048!bits

impact!of!Key!sizes!(for!RSASHA256)

a!larger!key!increases!the!computing!resources!to!sign!a!zone!and!to!validate!the!signatures!

doubling!the!key!size!in!bits!increases!...!

...!the!time!needed!to!create!signatures!(signing)!by!a!factor!of!8!

...!the!time!needed!to!validate!signatures! by!a!factor!of!4!

but!every!extra!bit!in!a!key!doubles!the!amount!of!work!for!an!attacker!to!brute-force!crack!the!key!

Key!sizes!(BIND!9)

only!sign!the!DNSKEY!resource!record!set!(RRSet)!with!the!Key-Signing-Key!to!reduce!the!size!of!the!DNSKEY!answer:!options { […] dnssec-dnskey-kskonly yes; };

IPv6!and!Fragmentation!(1)

The!DNS!protocol!as!designed!in!1983!(RFC!1035ff)!had!a!limitation!of!512-Byte!DNS!payload!over!UDP!transport.!

The!512-Byte!limitation!has!since!been!lifted!with!the!EDNS0!extension,!RFC!2671!(Aug!1999)!and!RFC!6891!(April!2013).!

UDP!DNS!answers!>!1280!byte!can!cause!fragmentation!

IPv6!fragmentation!is!broken!in!the!Internet

IPv6!and!Fragmentation!(2)

Based!on!the!research!by!Roland!van!Rijswijk!(SURFnet)!the!recommendation!is:!!

•!at!least!50%!of!all!authoritative!DNS!servers!for!a!zone!should!limit!the!advertised!EDNS0!payload!to!1232!bytes!!

•!at!least!50%!of!all!in-zone!authoritative!DNS!server!for!a!zone!should!limit!the!advertised!EDNS0!payload!to!1232!!

•!authoritative!DNS!servers!for!the!zone!MUST!respond!to!queries!over!TCP!transport!protocol!!

DNSSEC!Key!Rollover

Key-Rollover!(1)

DNSSEC!keys!are!vulnerable!

can!be!broken!(unlikely!for!keys!>!1536!bits)!

can!be!stolen!(more!likely)!

changing!the!DNSSEC!key!material!in!a!signed!zone!is!called!"key-rollover"!

a!DNSSEC!key-rollover!requires!planning,!timing!and!careful!work!

Key-Rollover!(2)

the!DNSSEC!best-practice!documents!recommend!to!exercise!a!key-rollover!often!

to!gain!operational!experience!

today,!key-rollover!can!be!automated!(BIND!9,!Windows!2012,!OpenDNSSEC,!Knot!…)!

make!sure!that!the!DNS!administrators!gain!operational!experience!with!key!rollovers,!not!only!your!DNS!software!

Key-Rollover!(3)Rollover!times!varies!depending!on!security!requirements!and!key!sizes!

in!the!DNS!community,!there!are!different!schools!of!thought!on!rolling!a!KSK!

•It!should!be!done!frequently!and!regularly!(possibly!every!few!months)!so!that!a!key!rollover!remains!an!operational!routine!

•It!should!be!done!frequently!but!irregularly.!Frequently!meaning!!!!!!!every!few!months,!again!based!on!the!argument!that!a!rollover!is!a!practiced!and!common!operational!routine!

•It!should!only!be!done!when!it!is!known!or!strongly!suspected!that!the!key!can!be,!or!has!been,!compromised

ZSKold

ZSKnew

create new ZSK

ZSKold

ZSKnew ZSKuse new ZSK for signing

zone transfer + TTL of DNSKEY-RRset

zone transfer + max TTL of zone

remove old ZSK

key active

key published

ZSK!Key!Rollover!(pre-publish)

KSKoldcreate new KSK

KSKnew KSK

zone transfer + TTL of DNSKEY RR

remove old KSK

key active

key published

send new DS set to parent

KSKold

KSKnew

TTL of DS recordsset in parent

new DS record in parent

KSK!Key!Rollover!(double-sign)

NSEC!vs.!NSEC3

DNSSEC!requires!"authenticated!denial!of!existence"!

a!way!to!prove!that!DNS!data!does!not!exist!

two!!options:!NSEC!and!NSEC3!

in!discussion:!NSEC5!

NSEC!creates!a!linked!list!of!all!existing!names!and!record-types!for!domain-names!in!a!DNS!zone!

this!maps!the!"gaps",!the!names!and!records!that!do!not!exist!

in!negative!answers,!the!part!of!the!list!is!returned!that!proves!that!non-existence!of!the!data!requested!

NSEC!exampleexample.com. IN SOA ns1 hostmaster 100 3h 1h 41d 1hexample.com. IN NS ns1example.com. IN NS ns2example.com. IN MX 10 mail1example.com. IN MX 20 mail2ns1.example.com. IN A 192.0.2.10ns2.example.com. IN A 192.0.2.20mx1.example.com. IN A 192.0.2.25mx2.example.com. IN A 192.0.2.50www.example.com. IN A 192.0.2.80acc.example.com. IN A 192.0.2.77

NSEC!exampleexample.com. IN SOA ns1 hostmaster 100 3h 1h 41d 1hexample.com. IN NS ns1example.com. IN NS ns2example.com. IN MX 10 mail1example.com. IN MX 20 mail2example.com. IN NSEC acc.example.com. SOA NS MX NSECacc.example.com. IN A 192.0.2.77acc.example.com. IN NSEC mx1.example.com. A NSEC mx1.example.com. IN A 192.0.2.25mx1.example.com. IN NSEC mx2.example.com. A NSECmx2.example.com. IN A 192.0.2.50mx2.example.com. IN NSEC ns1.example.com. A NSECns1.example.com. IN A 192.0.2.10ns1.example.com. IN NSEC ns2.example.com. A NSECns2.example.com. IN A 192.0.2.20ns2.example.com. IN NSEC www.example.com. A NSECwww.example.com. IN A 192.0.2.80www.example.com. IN NSEC example.com. A NSEC

Facts!about!NSEC

NSEC!enables!"zone-walking"!

the!full!zone!content!can!be!listed!from!the!outside!

DNS!data!is!"public",!there!should!be!no!real!"secrets"!in!DNS!

but!sometimes,!having!the!full!zone!"in!the!open"!is!not!desirable!!

enter!NSEC3!…

NSEC3!inhibits!easy!zone!walking!by!using!a!linked-list!of!hashed!domain!names!

same!principle!than!NSEC,!but!with!SHA1!hashed!names!instead!of!plain!text!domain!names!

NSEC3!makes!zone-walking!harder!(but!not!impossible)

example!NSEC3-chain0QRAALUF61VMOMIK3RIQAN2NCR710TQG.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 240H3VFO0ALTPQC8ROU351HC6ECBJ2VD NS

240H3VFO0ALTPQC8ROU351HC6ECBJ2VD.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 5B9SF40PUQB0PG1BKB149GI90K2Q2B9E AAAA RRSIG

5B9SF40PUQB0PG1BKB149GI90K2Q2B9E.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 737JCML7GM5S19URLJ2SM567GAPNC2RK NS

737JCML7GM5S19URLJ2SM567GAPNC2RK.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 7EORHUNRJ8ANN410GCQ0J5TL5FC4T16H RRSIG TYPE65200

7EORHUNRJ8ANN410GCQ0J5TL5FC4T16H.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 9RFJ1DUL878M5HSFHIKSEFFUREGNGT2G NS

9RFJ1DUL878M5HSFHIKSEFFUREGNGT2G.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F DG9O30TFDTK57CJT31SHCVIF3USVNM0R NS

DG9O30TFDTK57CJT31SHCVIF3USVNM0R.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F H8Q9FUJ2BP35V6U66THCJ9QQITC08K78 A RRSIG

H8Q9FUJ2BP35V6U66THCJ9QQITC08K78.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F IETT5ENPFJI144A1E4M2MMOS27N6HP4N A NS SOA MX RRSIG DNSKEY NSEC3PARAM TYPE65534

IETT5ENPFJI144A1E4M2MMOS27N6HP4N.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F IJHIKA346TN2M40KGJ6BQAKP2T9DICGS TXT RRSIG

IJHIKA346TN2M40KGJ6BQAKP2T9DICGS.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 0QRAALUF61VMOMIK3RIQAN2NCR710TQG TXT RRSIG

NSEC3!Parameter

•Example!NSEC3PARAM!record:dnssec.example. 0 IN NSEC3PARAM 1 0 20 ABBACAFE !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

zone!origin Hash!algorithm!used Flags Iterations

NSEC3!Parameter

Flags:!Opt-Out!to!"skip"!delegations!for!non-DNSSEC!signed!zones!(insecure!zones)!

Salt:!prevents!rainbow!table!creation!

recommended!salt!sizes!are!32-64bit!(8-16!hex-chars)!

change!salt!every!ZSK!rollover!

Iterations:!adapt!difficulty!of!brute-force!breaking!to!advanced!in!CPU!technology!(bitcoin!mining!hardware)!

recommendation:!50-500!iterations!(see!RFC!5155!for!guidance)

NSEC!vs.!NSEC3•use!NSEC3!for!zones!where!the!changes!inside!the!zone!need!to!be!protected!for!some!time!

•NSEC3!negative!answers!require!the!authoritative!DNS!server!to!calculate!the!NSEC3!hashes!➜!more!CPU!load!

•use!NSEC3!for!zones!with!many!(possibly!insecure)!delegations!

•use!NSEC!for!everything!else!

•if!you!are!worried!about!DNS!zone!walking,!use!"minimal!coverage!NSEC/NSEC3"!(implemented!in!PowerDNS!as!"narrow"!mode)

DNSSEC!software

DNSSEC!authoritative!server

•BIND!9!

•good!coverage!of!the!protocol!

•decent!speed!

•dynamic!DNSSEC!signing!

•inline!DNSSEC!signing!

•almost!full!DNSSEC!key!rollover!automation!with!timing!events!stored!in!keys!

•response!rate!limiting

•PowerDNS!

•Database!backend!

•"remote"!(web-RPC)!backend!

•NSEC3!"narrow"!mode!

•response!rate!limiting!

•Lua!scripting

•Knot-DNS!

•DNSSEC!signing!automation!

•response!rate!limiting!

•scales!well!on!modern!multi-core!hardware

•NSD!4!

•simple!to!setup!

•fast!

•secure!

•response!rate!limiting

•Microsoft!DNS!(Windows!2012!and!later)!

•GUI!with!DNSSEC!wizard!

•full!DNSSEC!rollover!automation

DNSSEC!resolver

•NLnetLabs!Unbound!

•fast,!secure,!many!features!

•BIND!9!

•RPZ-Zones,!many!features!

•Windows!2012!

•GUI

DNSSEC!monitoring

once!a!DNSSEC!signed!zone!becomes!"bogus",!the!zone!disappears!for!all!validating!DNS!resolver!

currently,!around!15%!of!all!DNS!resolvers!do!DNSSEC!validation!

=!a!large!part!of!the!Internet!population!(millions!of!users)!

DNSSEC!monitoring

monitoring!a!DNSSEC!signed!zone!is!important!

•DS-Record!matching!the!KSK!

•Signature!on!the!DNSKEY-Set!!

•Signature!validity!

•Key-Rollover!

DNSSEC!monitoringNagios/Icinga!plugin!to!check!validity!of!one!or!more!DNSSEC!domains!

https://github.com/jpmens/nagval DNSSEC!key!rollover!monitor!and!checker!

https://github.com/bortzmeyer/key-checker OpenDNSSEC!monitor!

https://github.com/opendnssec/dnssec-monitor .SE!DNSSEC!monitor!

!!!!!!!!!https://github.com/dotse/dnssec-monitor

Online!DNSSEC!checkerDNSViz!-!http://dnsviz.net

Online!DNSSEC!checkerZonemaster!-!http://zonemaster.net

DNSSEC!books,!videos,!tutorials

DNSSEC!book

Michael!W.!Lucas!

DNSSEC!Mastery:securing!the!domain!name!system!with!BIND*!

https://www.michaelwlucas.com/nonfiction/dnssec-mastery

*Disclaimer:!the!presenter!was!a!technical!reviewer!on!this!book

DNSSEC!videos•ISOC!ION!Conferencehttp://www.internetsociety.org/deploy360/blog/category/dnssec/videos-dnssec/!

•Matt!Larson!DNSSEC!Intro!(englisch)https://www.youtube.com/watch?v=yzET8Px_JEE!

•DNSSEC!in!50!Minutes!(Michael!Lucas)https://www.youtube.com/watch?v=lY6HgZmAfqchttps://www.youtube.com/watch?v=Hm93GhenqXo!

•Peter!Losher!(ISC):!Closing!the!DNS!Security!Loop!with!DNSSEC https://www.youtube.com/watch?v=LRi9swVQ_5A!

•VUC!434!-!DNSSEC!with!Dan!York!(ISOC)https://www.youtube.com/watch?v=hLeTkip-Tf8!

•ICANN!51!-!DNSSEC!for!everybody http://la51.icann.org/en/schedule/mon-dnssec-everybody

DNSSEC!tutorials

•ISC!DNSSEC!Guidehttps://www.isc.org/downloads/bind/dnssec/http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html

•DNSSEC!tutorialhttp://www.huque.com/talks/2013-11-dnssec-tutorial-huque.pdf!

•DNSSEC!in!6!minutes https://kb.isc.org/article/AA-00820/0/DNSSEC-in-6-minutes.html

don't!miss!our!next!trainings/webinar

•Upcoming!DNS,!DNSSEC!and!IPv6!Training:!

•2015-06-29!>!2015-07-03!IPv6.!Amsterdam/Europe!

•2015-08-24!>!2015-08-28!IPv6.!New!York.!

•2015-09-07!>!2015-09-11!IPv6.!Europe.!Amsterdam!and/or!London,!

•2015-09-21!>!2015-09-25!DNS!Intro/Advanced.!US!West!Coast.!

•2015-09-28!>!2015-10-02!DNS!Intro/Advanced.!US!East!Coast.!

•2015-10-12!>!2015-10-16!DNS!Intro/Advanced.!Amsterdam/Europe.!

•Next!webinar:!RIPE!70!review!2!June!2015!!

•Signup!@!https://www.menandmice.com/resources/educational-resources/webinars/

?2015!Schedule,!Slides,!Links,!Recording!and!errata!

can!be!found!@https://www.menandmice.com/resources/educational-resources/webinars/

DNSSEC best practices Webinar

Documents

Transcript of DNSSEC best practices Webinar

DNSSEC operational practices for authoritative name … · Why We have: RFC4641DNSSEC Operational Practices RFC6781DNSSEC Operational Practices, version 2 RIPE64Looking at TLD DNSSEC

WHITEPAPER A Best Practices Architecture for DNSSEC · PDF file · 2017-10-24WHITEPAPER A Best Practices Architecture for DNSSEC ... the DNS Security Extensions, ... DNSSEC is a set

DNSSEC for the Root Zone · DNSSEC Policy & Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣ Issuing,

Webinar: Deployment Best Practices

Webinar Best Practices - IT Glue

Webinar Planning & Execution Best Practices

DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com.

Verisign DNSSEC Practice Statement for TLD/GTLD …INTRODUCTION This document is the Verisign DNSSEC Practice Statement (DPS) for the TLD/GTLD zone. It states the practices and provisions

Box Office Best Practices [Webinar]

WACTC PROMISING PRACTICES WEBINAR

Customer Webinar - Email Best Practices

Telemedicine Best Practices Webinar

Online Intake Best Practices Webinar

DNSSEC Operational Practices: The Good, The Bad and The Ugly · B. Evaluation of DNSSEC deployment security Although there is no universal agreement on criteria for secure DNSSEC

A Best Practices Architecture for DNSSEC - · PDF file · 2012-12-20A Best Practices Architecture for DNSSEC CRICKET LIU, VICE PRESIDENT OF ARCHITECTURE WHITE PAPER ```

Effective Practices Webinar Series

5 Marketplace Best Practices Webinar

EMR Best Practices Radiant Webinar

Webinar Next Practices

DNSSEC for the Root Zone · DPS DNSSEC Policy & Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣