DNSSEC best practices Webinar

©!Men!&!Mice!!http://menandmice.com!

DNSSEC!Best!Practice

28!April!2015

1


What!is!DNSSECa!security!extension!to!authenticate!DNS!data!

DNS!data!is!cryptographically!signed!by!the!owner!of!the!DNS!zone!

the!recipient!of!the!data!can!validate!the!signature!to!ensure!that!

the!data!has!not!been!changed!since!signing!

that!the!data!comes!from!the!owner!of!the!private!key!for!the!domain!

A!recipient!of!DNS!data!can!be!a!DNS!resolver,!an!operating!system!stub-resolver!or!an!application

2

©!Men!&!Mice!!http://menandmice.com!3

plain DNS data

hash

finger-print

RRsig

encrypt!with!!private!key k

Zonefile

plain DNS data

RRsig

authoritative!server

resolving/validating!server

public key

plain DNS data

RRsig

decrypt!with!!public!key k

finger-print

hash

finger-printcompare

parent!zone

DS record

hash verify

DNSSEC!in!a!nutshell


DNSSEC!MYTH

4


DNSSEC!myth!busting!1

Myth:!DNSSEC!enables!DNS!reflection!attacks!

Fact:!DNSSEC!records!are!large!and!can!be!used!for!reflection!attacks!

Fact:!non-DNSSEC!records!can!also!be!large!and!used!for!reflection!attacks!(DKIM,!DMARC,!SPF,!SSHFP!…)!

DNS!reflection!attacks!are!an!generic!issue!in!the!DNS!protocol.!The!issue!is!largely!solved!by!response!rate!limiting!(RRL)!and!sane!default!configurations!(preventing!open!DNS!resolver)

5


DNSSEC!myth!busting!2Myth:!DNSSEC!cannot!be!trusted!

Fact:!the!US!government!has!some!influence!on!the!DNS!root!zone!(incl.!the!DNSSEC!keys)!

Fact:!changes!in!the!Internet!DNS!root-zone!are!highly!visible!and!cannot!be!done!in!secret!

Fact:!local!DNS!spoofing!of!ROOT-Zone!data!is!possible,!but!would!require!to!simulate!large!parts!of!the!public!Internet!

DNSSEC!users!can!configure!additional!trust-anchors!(on!ccTLD!or!2n-level-domain).!The!truly!paranoid!run!a!local!DNS-root!zone!signed!with!their!own!key(s):https://tools.ietf.org/html/draft-ietf-dnsop-root-loopback-01

6


DNSSEC!myth!busting!3

Myth:!DNSSEC!makes!DNS!slow!

Fact:!with!todays!CPUs!and!hardware,!DNSSEC!validation!is!cheap!

Fact:!DNSSEC!data!is!still!cached.!Once!validated,!the!data!will!be!stored!in!the!DNS!cache!for!the!TTL!lifetime!

watch!Video:!Geoff!Huston!–!what!if!everyone!did!DNSSEC?!(APNIC!38)

7

https://youtu.be/5T2-e5535fM


DNSSEC!parameter

8


Why!DNSSEC

•prevents!DNS!cache!poisoning!

•Man-in-the-middle!(MITM)!attacks!are!detected!

•detects!DNS!data!corruption/manipulation!on!authoritative!DNS!servers!

•to!bootstrap!trust!for!other!security!protocols!

SSH,!TLS,!PGP,!S/MIME,!DKIM,!email!transport!security!

new!security!protocols!require!DNSSEC!(e.g.!DANE)

9


DNSSEC!algorithms

MD5!!!!!!!!!!(deprecated,!not!implemented)!

SHA1!!!!!!!!!!(deprecated,!implemented)!

SHA256!!!!!!(recommended)!

SHA512!!!!!!(large!signatures!and!keys)!

DSA!!!!!!!!!!!!(slow!validation,!no!extra!security)!

ECC-GOST!(used!in!Russia)!

ECDSA!!!!!!!(small!signatures,!read!ECDSA!and!DNSSEC)

10

http://blog.apnic.net/2014/10/23/ecdsa-and-dnssec/


Key!sizes!(for!RSASHA256)

be!aware!of!DNS!packet!size!limits!(IPv6!fragmentation!issues)!

Recommendations:!

RFC!6781:!1024!bits!

BIND!9!default:!KSK!-!2048!bits,!ZSK!-!1024!bits!

mildly!paranoid:!KSK!-!2560!bits,!ZSK!-!1536!bits!

truly!paranoid:!KSK!-!4096!bits,!ZSK!-!2048!bits

11


impact!of!Key!sizes!(for!RSASHA256)

a!larger!key!increases!the!computing!resources!to!sign!a!zone!and!to!validate!the!signatures!

doubling!the!key!size!in!bits!increases!...!

...!the!time!needed!to!create!signatures!(signing)!by!a!factor!of!8!

...!the!time!needed!to!validate!signatures! by!a!factor!of!4!

but!every!extra!bit!in!a!key!doubles!the!amount!of!work!for!an!attacker!to!brute-force!crack!the!key!

12


Key!sizes!(BIND!9)

only!sign!the!DNSKEY!resource!record!set!(RRSet)!with!the!Key-Signing-Key!to!reduce!the!size!of!the!DNSKEY!answer:!options { […] dnssec-dnskey-kskonly yes; };

13


IPv6!and!Fragmentation!(1)

The!DNS!protocol!as!designed!in!1983!(RFC!1035ff)!had!a!limitation!of!512-Byte!DNS!payload!over!UDP!transport.!

The!512-Byte!limitation!has!since!been!lifted!with!the!EDNS0!extension,!RFC!2671!(Aug!1999)!and!RFC!6891!(April!2013).!

UDP!DNS!answers!>!1280!byte!can!cause!fragmentation!

IPv6!fragmentation!is!broken!in!the!Internet

14

https://www.ietf.org/id/draft-gont-v6ops-ipv6-ehs-in-real-world-02.txt


IPv6!and!Fragmentation!(2)

Based!on!the!research!by!Roland!van!Rijswijk!(SURFnet)!the!recommendation!is:!!

•!at!least!50%!of!all!authoritative!DNS!servers!for!a!zone!should!limit!the!advertised!EDNS0!payload!to!1232!bytes!!

•!at!least!50%!of!all!in-zone!authoritative!DNS!server!for!a!zone!should!limit!the!advertised!EDNS0!payload!to!1232!!

•!authoritative!DNS!servers!for!the!zone!MUST!respond!to!queries!over!TCP!transport!protocol!!

15

https://dnssec.surfnet.nl/wp-content/uploads/2012/09/Recommendations-for-dealing-with-fragmentation-in-DNS-v3.pdf


DNSSEC!Key!Rollover

16


Key-Rollover!(1)

DNSSEC!keys!are!vulnerable!

can!be!broken!(unlikely!for!keys!>!1536!bits)!

can!be!stolen!(more!likely)!

changing!the!DNSSEC!key!material!in!a!signed!zone!is!called!"key-rollover"!

a!DNSSEC!key-rollover!requires!planning,!timing!and!careful!work!

17


Key-Rollover!(2)

the!DNSSEC!best-practice!documents!recommend!to!exercise!a!key-rollover!often!

to!gain!operational!experience!

today,!key-rollover!can!be!automated!(BIND!9,!Windows!2012,!OpenDNSSEC,!Knot!…)!

make!sure!that!the!DNS!administrators!gain!operational!experience!with!key!rollovers,!not!only!your!DNS!software!

18


Key-Rollover!(3)Rollover!times!varies!depending!on!security!requirements!and!key!sizes!

in!the!DNS!community,!there!are!different!schools!of!thought!on!rolling!a!KSK!

•It!should!be!done!frequently!and!regularly!(possibly!every!few!months)!so!that!a!key!rollover!remains!an!operational!routine!

•It!should!be!done!frequently!but!irregularly.!Frequently!meaning!!!!!!!every!few!months,!again!based!on!the!argument!that!a!rollover!is!a!practiced!and!common!operational!routine!

•It!should!only!be!done!when!it!is!known!or!strongly!suspected!that!the!key!can!be,!or!has!been,!compromised

19


ZSKold

ZSKnew

create new ZSK

ZSKold

ZSKnew ZSKuse new ZSK for signing

zone transfer + TTL of DNSKEY-RRset

zone transfer + max TTL of zone

remove old ZSK

key active

key published

ZSK!Key!Rollover!(pre-publish)


KSKoldcreate new KSK

KSKnew KSK

zone transfer + TTL of DNSKEY RR

remove old KSK

key active

key published

send new DS set to parent

KSKold

KSKnew

TTL of DS recordsset in parent

new DS record in parent

KSK!Key!Rollover!(double-sign)


NSEC!vs.!NSEC3

22


NSEC!vs.!NSEC3

DNSSEC!requires!"authenticated!denial!of!existence"!

a!way!to!prove!that!DNS!data!does!not!exist!

two!!options:!NSEC!and!NSEC3!

in!discussion:!NSEC5!

23

https://youtu.be/t4tro7BP6CA


NSEC

NSEC!creates!a!linked!list!of!all!existing!names!and!record-types!for!domain-names!in!a!DNS!zone!

this!maps!the!"gaps",!the!names!and!records!that!do!not!exist!

in!negative!answers,!the!part!of!the!list!is!returned!that!proves!that!non-existence!of!the!data!requested!

24


NSEC!exampleexample.com. IN SOA ns1 hostmaster 100 3h 1h 41d 1hexample.com. IN NS ns1example.com. IN NS ns2example.com. IN MX 10 mail1example.com. IN MX 20 mail2ns1.example.com. IN A 192.0.2.10ns2.example.com. IN A 192.0.2.20mx1.example.com. IN A 192.0.2.25mx2.example.com. IN A 192.0.2.50www.example.com. IN A 192.0.2.80acc.example.com. IN A 192.0.2.77

25


NSEC!exampleexample.com. IN SOA ns1 hostmaster 100 3h 1h 41d 1hexample.com. IN NS ns1example.com. IN NS ns2example.com. IN MX 10 mail1example.com. IN MX 20 mail2example.com. IN NSEC acc.example.com. SOA NS MX NSECacc.example.com. IN A 192.0.2.77acc.example.com. IN NSEC mx1.example.com. A NSEC mx1.example.com. IN A 192.0.2.25mx1.example.com. IN NSEC mx2.example.com. A NSECmx2.example.com. IN A 192.0.2.50mx2.example.com. IN NSEC ns1.example.com. A NSECns1.example.com. IN A 192.0.2.10ns1.example.com. IN NSEC ns2.example.com. A NSECns2.example.com. IN A 192.0.2.20ns2.example.com. IN NSEC www.example.com. A NSECwww.example.com. IN A 192.0.2.80www.example.com. IN NSEC example.com. A NSEC

26


Facts!about!NSEC

NSEC!enables!"zone-walking"!

the!full!zone!content!can!be!listed!from!the!outside!

DNS!data!is!"public",!there!should!be!no!real!"secrets"!in!DNS!

but!sometimes,!having!the!full!zone!"in!the!open"!is!not!desirable!!

enter!NSEC3!…

27


NSEC3

NSEC3!inhibits!easy!zone!walking!by!using!a!linked-list!of!hashed!domain!names!

same!principle!than!NSEC,!but!with!SHA1!hashed!names!instead!of!plain!text!domain!names!

NSEC3!makes!zone-walking!harder!(but!not!impossible)

28


example!NSEC3-chain0QRAALUF61VMOMIK3RIQAN2NCR710TQG.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 240H3VFO0ALTPQC8ROU351HC6ECBJ2VD NS

240H3VFO0ALTPQC8ROU351HC6ECBJ2VD.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 5B9SF40PUQB0PG1BKB149GI90K2Q2B9E AAAA RRSIG

5B9SF40PUQB0PG1BKB149GI90K2Q2B9E.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 737JCML7GM5S19URLJ2SM567GAPNC2RK NS

737JCML7GM5S19URLJ2SM567GAPNC2RK.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 7EORHUNRJ8ANN410GCQ0J5TL5FC4T16H RRSIG TYPE65200

7EORHUNRJ8ANN410GCQ0J5TL5FC4T16H.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 9RFJ1DUL878M5HSFHIKSEFFUREGNGT2G NS

9RFJ1DUL878M5HSFHIKSEFFUREGNGT2G.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F DG9O30TFDTK57CJT31SHCVIF3USVNM0R NS

DG9O30TFDTK57CJT31SHCVIF3USVNM0R.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F H8Q9FUJ2BP35V6U66THCJ9QQITC08K78 A RRSIG

H8Q9FUJ2BP35V6U66THCJ9QQITC08K78.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F IETT5ENPFJI144A1E4M2MMOS27N6HP4N A NS SOA MX RRSIG DNSKEY NSEC3PARAM TYPE65534

IETT5ENPFJI144A1E4M2MMOS27N6HP4N.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F IJHIKA346TN2M40KGJ6BQAKP2T9DICGS TXT RRSIG

IJHIKA346TN2M40KGJ6BQAKP2T9DICGS.example.com. 900 IN NSEC3 1 0 250 50F16BB95384A61F 0QRAALUF61VMOMIK3RIQAN2NCR710TQG TXT RRSIG

29


NSEC3!Parameter

30

•Example!NSEC3PARAM!record:dnssec.example. 0 IN NSEC3PARAM 1 0 20 ABBACAFE !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

zone!origin Hash!algorithm!used Flags Iterations

Salt


NSEC3!Parameter

Flags:!Opt-Out!to!"skip"!delegations!for!non-DNSSEC!signed!zones!(insecure!zones)!

Salt:!prevents!rainbow!table!creation!

recommended!salt!sizes!are!32-64bit!(8-16!hex-chars)!

change!salt!every!ZSK!rollover!

Iterations:!adapt!difficulty!of!brute-force!breaking!to!advanced!in!CPU!technology!(bitcoin!mining!hardware)!

recommendation:!50-500!iterations!(see!RFC!5155!for!guidance)

31


NSEC!vs.!NSEC3•use!NSEC3!for!zones!where!the!changes!inside!the!zone!need!to!be!protected!for!some!time!

•NSEC3!negative!answers!require!the!authoritative!DNS!server!to!calculate!the!NSEC3!hashes!➜!more!CPU!load!

•use!NSEC3!for!zones!with!many!(possibly!insecure)!delegations!

•use!NSEC!for!everything!else!

•if!you!are!worried!about!DNS!zone!walking,!use!"minimal!coverage!NSEC/NSEC3"!(implemented!in!PowerDNS!as!"narrow"!mode)

32


DNSSEC!software

33


DNSSEC!authoritative!server

•BIND!9!

•good!coverage!of!the!protocol!

•decent!speed!

•dynamic!DNSSEC!signing!

•inline!DNSSEC!signing!

•almost!full!DNSSEC!key!rollover!automation!with!timing!events!stored!in!keys!

•response!rate!limiting

34



•PowerDNS!

•Database!backend!

•"remote"!(web-RPC)!backend!

•NSEC3!"narrow"!mode!

•response!rate!limiting!

•Lua!scripting

35



•Knot-DNS!

•DNSSEC!signing!automation!

•response!rate!limiting!

•scales!well!on!modern!multi-core!hardware

36



•NSD!4!

•simple!to!setup!

•fast!

•secure!

•response!rate!limiting

37



•Microsoft!DNS!(Windows!2012!and!later)!

•GUI!with!DNSSEC!wizard!

•full!DNSSEC!rollover!automation

38


DNSSEC!resolver

•NLnetLabs!Unbound!

•fast,!secure,!many!features!

•BIND!9!

•RPZ-Zones,!many!features!

•Windows!2012!

•GUI

39


DNSSEC!monitoring

40


DNSSEC!monitoring

once!a!DNSSEC!signed!zone!becomes!"bogus",!the!zone!disappears!for!all!validating!DNS!resolver!

currently,!around!15%!of!all!DNS!resolvers!do!DNSSEC!validation!

=!a!large!part!of!the!Internet!population!(millions!of!users)!

41


DNSSEC!monitoring

monitoring!a!DNSSEC!signed!zone!is!important!

•DS-Record!matching!the!KSK!

•Signature!on!the!DNSKEY-Set!!

•Signature!validity!

•Key-Rollover!

42


DNSSEC!monitoringNagios/Icinga!plugin!to!check!validity!of!one!or!more!DNSSEC!domains!

https://github.com/jpmens/nagval DNSSEC!key!rollover!monitor!and!checker!

https://github.com/bortzmeyer/key-checker OpenDNSSEC!monitor!

https://github.com/opendnssec/dnssec-monitor .SE!DNSSEC!monitor!

!!!!!!!!!https://github.com/dotse/dnssec-monitor

43

https://github.com/jpmens/nagval

https://github.com/bortzmeyer/key-checker

https://github.com/opendnssec/dnssec-monitor

https://github.com/dotse/dnssec-monitor


Online!DNSSEC!checkerDNSViz!-!http://dnsviz.net

44

http://dnsviz.net


Online!DNSSEC!checkerZonemaster!-!http://zonemaster.net

45

http://zonemaster.net


DNSSEC!books,!videos,!tutorials

46


DNSSEC!book

Michael!W.!Lucas!

DNSSEC!Mastery:securing!the!domain!name!system!with!BIND*!

https://www.michaelwlucas.com/nonfiction/dnssec-mastery

47

*Disclaimer:!the!presenter!was!a!technical!reviewer!on!this!book

https://www.michaelwlucas.com/nonfiction/dnssec-mastery


DNSSEC!videos•ISOC!ION!Conferencehttp://www.internetsociety.org/deploy360/blog/category/dnssec/videos-dnssec/!

•Matt!Larson!DNSSEC!Intro!(englisch)https://www.youtube.com/watch?v=yzET8Px_JEE!

•DNSSEC!in!50!Minutes!(Michael!Lucas)https://www.youtube.com/watch?v=lY6HgZmAfqchttps://www.youtube.com/watch?v=Hm93GhenqXo!

•Peter!Losher!(ISC):!Closing!the!DNS!Security!Loop!with!DNSSEC https://www.youtube.com/watch?v=LRi9swVQ_5A!

•VUC!434!-!DNSSEC!with!Dan!York!(ISOC)https://www.youtube.com/watch?v=hLeTkip-Tf8!

•ICANN!51!-!DNSSEC!for!everybody http://la51.icann.org/en/schedule/mon-dnssec-everybody

48

http://www.internetsociety.org/deploy360/blog/category/dnssec/videos-dnssec/

https://www.youtube.com/watch?v=yzET8Px_JEE

https://www.youtube.com/watch?v=lY6HgZmAfqc

https://www.youtube.com/watch?v=Hm93GhenqXo

https://www.youtube.com/watch?v=LRi9swVQ_5A

https://www.youtube.com/watch?v=hLeTkip-Tf8

http://la51.icann.org/en/schedule/mon-dnssec-everybody


DNSSEC!tutorials

•ISC!DNSSEC!Guidehttps://www.isc.org/downloads/bind/dnssec/http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html

•DNSSEC!tutorialhttp://www.huque.com/talks/2013-11-dnssec-tutorial-huque.pdf!

•DNSSEC!in!6!minutes https://kb.isc.org/article/AA-00820/0/DNSSEC-in-6-minutes.html

49

https://www.isc.org/downloads/bind/dnssec/

http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html

http://www.huque.com/talks/2013-11-dnssec-tutorial-huque.pdf

https://kb.isc.org/article/AA-00820/0/DNSSEC-in-6-minutes.html


don't!miss!our!next!trainings/webinar

•Upcoming!DNS,!DNSSEC!and!IPv6!Training:!

•2015-06-29!>!2015-07-03!IPv6.!Amsterdam/Europe!

•2015-08-24!>!2015-08-28!IPv6.!New!York.!

•2015-09-07!>!2015-09-11!IPv6.!Europe.!Amsterdam!and/or!London,!

•2015-09-21!>!2015-09-25!DNS!Intro/Advanced.!US!West!Coast.!

•2015-09-28!>!2015-10-02!DNS!Intro/Advanced.!US!East!Coast.!

•2015-10-12!>!2015-10-16!DNS!Intro/Advanced.!Amsterdam/Europe.!

•Next!webinar:!RIPE!70!review!2!June!2015!!

•Signup!@!https://www.menandmice.com/resources/educational-resources/webinars/

50

https://www.menandmice.com/resources/educational-resources/webinars/


Q/A

51

?2015!Schedule,!Slides,!Links,!Recording!and!errata!

can!be!found!@https://www.menandmice.com/resources/educational-resources/webinars/

https://www.menandmice.com/resources/educational-resources/webinars/

DNSSEC best practices Webinar

Documents

Transcript of DNSSEC best practices Webinar