Mens jan piet_dnssec-in-practice
-
Upload
kuchinskaya -
Category
Technology
-
view
298 -
download
1
Transcript of Mens jan piet_dnssec-in-practice
DNSSEC in Practice
Mail.Ru Technology Forum 2012 Moscow, RU
April 2012
Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
DNSSEC in Practice
Mail.Ru Technology Forum 2012 Moscow, RU
April 2012
Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
DNS is easy
Ask a question, get a reply or a referral.
Resolution
The problem
DNS is insecure: one packet for query, one packet for response; easily spoofed
DNS Spoofing & cache poisoning DNS server accepts and uses data from a host which shouldn’t have been
allowed to provide reply
The solution
DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation
Public key cryptography and digital signatures provide data origin authentication
provide data integrity
Doesn’t encrypt data -- that would be stupid
But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you
auth
servers
validating
resolverclient
The solution
DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation
Public key cryptography and digital signatures provide data origin authentication
provide data integrity
Doesn’t encrypt data -- that would be stupid
But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you
auth
servers
validating
resolverclient
auth
serversresolverclient
valid.
resolv
New DNS records
DNSKEY DS RRSIG NSEC/NSEC3
Authenticated Data
dig +dnssec and watch for AD flag indicating successful validation
$ dig +dnssec @127.0.0.1 localhost.jpmens.org a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]
Problem: At work
At $WORK resolution doesn’t work; validating resolver
No problem: At home
At home it works; ISP doesn’t (yet) do DNSSEC
Proof
Does it exist or doesn’t it? Validating query
$ dig +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL ;; flags: qr rd ra; QUERY: 1, ANSWER: 0
Checking Disabled
$ dig +cd +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: NOERROR ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 5620 IN A 68.87.64.48
Proof (2)
$ dig +cd +dnssec +multiline www.dnssec-failed.org ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 3202 IN A 68.87.64.48 www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 ( 20090101000000 48621 dnssec-failed.org. gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )
Signing and validation
Signing Create keys and add to zone
Sign zone
Enable DNSSEC and load signed zones
Submit DS-RR to parent zone
Alternatively: use DLV
Validation Configure trust anchor
Enable DNSSEC
Unbound as a DNS cache
Unbound is a secure, caching-only, portable DNS server Maintained by NLNetlabs under BSD license Designed with DNSSEC and IPv6 from the ground up Trusts nothing Good security Many "distros" have packages I recommend newest version
http://unbound.net/
Lightweight, fast, and easy to configure No split-personalities (And I was first to write about Unbound :-)
Configuration
One file (but we’ll add more later on) $ cat /etc/unbound/unbound.conf server: access-control: 127.0.0.1/8 allow verbosity: 1
Launch unbound (and watch your syslog) # unbound
Query it $ dig +short @127.0.0.1 techforum.jpmens.org txt "Moscow"
That’s it!
Enable DNSSEC validation
Needs root DNSSEC trust anchor Utility retrieves root zone’s DNSSEC key securely $ unbound-anchor -a /etc/unbound/root.key
Configure trust anchor in unbound.conf auto-trust-anchor-file: "/etc/unbound/root.key"
Ensure unbound-anchor in start-up scripts Reload $ unbound-control reload
Did that work? $ dig +dnssec @127.0.0.1 techforum.jpmens.org txt
Your own DNSSEC testbed
Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records
example.org IN DS 47534 8 1 74526d3f57... example.org IN DS 47534 8 2 82512fb4ad... example.com IN DS 47534 8 3 296fc89ee0...
Configure keys into Unbound trust-anchor-file: "/etc/unbound/my.keys"
Alternatively use trust-anchor configuration statements Configure the zone stub-zone: name: "example.org" stub-addr: 10.81.0.1 stub-addr: 10.2.14.3
Serve local data
Unbound can serve "local" data to its clients For example, a static "zone": local-zone: "techforum." static local-data: "pc.techforum. IN A 192.168.1.12" local-data: ’kate.techforum. TXT "Hi Kate!"’ local-data-ptr: "192.168.1.12 beamer.techforum"
Will it work? $ dig +short @127.0.0.1 kate.techforum txt "Hi Kate!"
local data can be added on-the-fly with unbound-control
More local data
Override a single name (all others resolved normally) local-data: "foo.jpmens.org A 127.0.0.1"
Redirect a whole domain to an IP local-zone: "example.aa" redirect local-data: "example.aa A 127.0.0.9"
DNSSEC-Trigger
Monitors changes to local network configuration (DHCP) Reconfigures local Unbound Forward to caches if possible
Fallback to authoritative servers
Fallback to NLnetLabs server via port 443
dnssec-
trigger
Unbound
NLnetLabs
Unbound
publicDNS
caching
DNS
A
B
C
DNSSEC-Trigger (2)
Works on Linux, Mac OS/X and Windows Installer http://www.nlnetlabs.nl/projects/dnssec-trigger/
Status bar
PowerDNS
Supports pre-signed zones or live-signing operations Otherwise zone data and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns
Off we go: $ pdnssec secure-zone example.org
That’s it. Honest!
PowerDNS (cont’d)
Can import existing (BIND) keys (v1.2) Keys are in back-end database (gmysql, gpgsql, gsqlite)
and need to be protected
It’s a bit like a private key for your HTTPS server
Alternatively run in pre-signed mode
Encrypted file system
Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday
Expiration: Thursday two weeks later
No issue if PDNS is authoritative, but watch out if hidden master
No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR
PowerDNS: pdnssec
New utility: pdnssec $ pdnssec secure-zone $z # creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0
Testing & verification
Configure island of trust in Unbound (or BIND) to test your authoritative server
Check: DNSSEC or not? http://dnssectest.sidn.nl/
DNSViz http://dnsviz.net/
DNScheck http://dnscheck.iis.se/
ZoneCheck http://zonecheck.fr
DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/
SURFnet DNSSEC monitor http://www.dnssecmonitor.org/
Applications for DNSSEC
Interesting new uses for DNS now that it’s secure DNS-based Authentication of Named Entities (dane)
https://datatracker.ietf.org/wg/dane/charter/ SSL certificate validation and DNSSEC (also: Phreeload)
http://mens.de/:/bo SSHFP
http://mens.de/:/bt
Thank you
Questions?
Further reading
Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns
Whoami
$ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr
;; ANSWER SECTION:
1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" .
1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" .
1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:[email protected]!" .
1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:[email protected]!" .
1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .