DNSSEC in Practice

Mail.Ru Technology Forum 2012 Moscow, RU

April 2012

Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr

DNSSEC in Practice

Mail.Ru Technology Forum 2012 Moscow, RU

April 2012

Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr

DNS is easy

Ask a question, get a reply or a referral.

Resolution

The problem

DNS is insecure: one packet for query, one packet for response; easily spoofed

DNS Spoofing & cache poisoning DNS server accepts and uses data from a host which shouldn’t have been

allowed to provide reply

The solution

DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation

Public key cryptography and digital signatures provide data origin authentication

provide data integrity

Doesn’t encrypt data -- that would be stupid

But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you

auth

servers

validating

resolverclient

The solution

DNSSEC Eliminates known cache-poisoning attacks & cache-manipulation

Public key cryptography and digital signatures provide data origin authentication

provide data integrity

Doesn’t encrypt data -- that would be stupid

But: not end-to-end. (From validating cache to auth. server only.) Install validating cache "close" to you

auth

servers

validating

resolverclient

auth

serversresolverclient

valid.

resolv

New DNS records

DNSKEY DS RRSIG NSEC/NSEC3

Authenticated Data

dig +dnssec and watch for AD flag indicating successful validation

$ dig +dnssec @127.0.0.1 localhost.jpmens.org a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, [...]

Problem: At work

At $WORK resolution doesn’t work; validating resolver

No problem: At home

At home it works; ISP doesn’t (yet) do DNSSEC

Proof

Does it exist or doesn’t it? Validating query

$ dig +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL ;; flags: qr rd ra; QUERY: 1, ANSWER: 0

Checking Disabled

$ dig +cd +dnssec www.dnssec-failed.org ;; ->>HEADER<<- opcode: QUERY, status: NOERROR ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 5620 IN A 68.87.64.48

Proof (2)

$ dig +cd +dnssec +multiline www.dnssec-failed.org ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2 ;; ANSWER SECTION: www.dnssec-failed.org. 3202 IN A 68.87.64.48 www.dnssec-failed.org. 4751 IN RRSIG A 5 3 7200 20090201000000 ( 20090101000000 48621 dnssec-failed.org. gM8IbzE3N4xx4DQog+W2UvY+BwnLIJojFmuQUdUb7FAm wtD3k673q+005FDCW8xf88b+9QtvslrpNyi5ZLUq4v9k Xdya9Je0O2ByYjfrgjYqk4Qu37lfPe+iGvl9aSSMyGeu UHv9NWWY10nXjCp2rTdCSpXc7xt3CSMW7pFNFg0= )

Signing and validation

Signing Create keys and add to zone

Sign zone

Enable DNSSEC and load signed zones

Submit DS-RR to parent zone

Alternatively: use DLV

Validation Configure trust anchor

Enable DNSSEC

Unbound as a DNS cache

Unbound is a secure, caching-only, portable DNS server Maintained by NLNetlabs under BSD license Designed with DNSSEC and IPv6 from the ground up Trusts nothing Good security Many "distros" have packages I recommend newest version

http://unbound.net/

Lightweight, fast, and easy to configure No split-personalities (And I was first to write about Unbound :-)

Configuration

One file (but we’ll add more later on) $ cat /etc/unbound/unbound.conf server: access-control: 127.0.0.1/8 allow verbosity: 1

Launch unbound (and watch your syslog) # unbound

Query it $ dig +short @127.0.0.1 techforum.jpmens.org txt "Moscow"

That’s it!

Enable DNSSEC validation

Needs root DNSSEC trust anchor Utility retrieves root zone’s DNSSEC key securely $ unbound-anchor -a /etc/unbound/root.key

Configure trust anchor in unbound.conf auto-trust-anchor-file: "/etc/unbound/root.key"

Ensure unbound-anchor in start-up scripts Reload $ unbound-control reload

Did that work? $ dig +dnssec @127.0.0.1 techforum.jpmens.org txt

Your own DNSSEC testbed

Set up your own trust anchors in a file "my.keys", which contains DS or DNSKEY records

example.org IN DS 47534 8 1 74526d3f57... example.org IN DS 47534 8 2 82512fb4ad... example.com IN DS 47534 8 3 296fc89ee0...

Configure keys into Unbound trust-anchor-file: "/etc/unbound/my.keys"

Alternatively use trust-anchor configuration statements Configure the zone stub-zone: name: "example.org" stub-addr: 10.81.0.1 stub-addr: 10.2.14.3

Serve local data

Unbound can serve "local" data to its clients For example, a static "zone": local-zone: "techforum." static local-data: "pc.techforum. IN A 192.168.1.12" local-data: ’kate.techforum. TXT "Hi Kate!"’ local-data-ptr: "192.168.1.12 beamer.techforum"

Will it work? $ dig +short @127.0.0.1 kate.techforum txt "Hi Kate!"

local data can be added on-the-fly with unbound-control

More local data

Override a single name (all others resolved normally) local-data: "foo.jpmens.org A 127.0.0.1"

Redirect a whole domain to an IP local-zone: "example.aa" redirect local-data: "example.aa A 127.0.0.9"

DNSSEC-Trigger

Monitors changes to local network configuration (DHCP) Reconfigures local Unbound Forward to caches if possible

Fallback to authoritative servers

Fallback to NLnetLabs server via port 443

dnssec-

trigger

Unbound

NLnetLabs

Unbound

publicDNS

caching

DNS

A

B

C

DNSSEC-Trigger (2)

Works on Linux, Mac OS/X and Windows Installer http://www.nlnetlabs.nl/projects/dnssec-trigger/

Status bar

PowerDNS

Supports pre-signed zones or live-signing operations Otherwise zone data and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns

Off we go: $ pdnssec secure-zone example.org

That’s it. Honest!

PowerDNS (cont’d)

Can import existing (BIND) keys (v1.2) Keys are in back-end database (gmysql, gpgsql, gsqlite)

and need to be protected

It’s a bit like a private key for your HTTPS server

Alternatively run in pre-signed mode

Encrypted file system

Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday

Expiration: Thursday two weeks later

No issue if PDNS is authoritative, but watch out if hidden master

No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR

PowerDNS: pdnssec

New utility: pdnssec $ pdnssec secure-zone $z # creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0

Testing & verification

Configure island of trust in Unbound (or BIND) to test your authoritative server

Check: DNSSEC or not? http://dnssectest.sidn.nl/

DNSViz http://dnsviz.net/

DNScheck http://dnscheck.iis.se/

ZoneCheck http://zonecheck.fr

DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/

SURFnet DNSSEC monitor http://www.dnssecmonitor.org/

Applications for DNSSEC

Interesting new uses for DNS now that it’s secure DNS-based Authentication of Named Entities (dane)

https://datatracker.ietf.org/wg/dane/charter/ SSL certificate validation and DNSSEC (also: Phreeload)

http://mens.de/:/bo SSHFP

http://mens.de/:/bt

Thank you

Questions?

Further reading

Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns

Whoami

$ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr

;; ANSWER SECTION:

1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" .

1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" .

1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:jp@mens.de!" .

1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:5552064@sipgate.de!" .

1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .