PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600...
Transcript of PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600...
![Page 1: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/1.jpg)
© 2006-2008 NLnet Labs
The detailsPresented by
Olaf Kolkman (NLnet Labs)
![Page 2: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/2.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DNSSEC Mechanisms
• New Resource Records• Setting Up a Secure Zone• Delegating Signing Authority
![Page 3: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/3.jpg)
© 2006-2008 NLnet Labs
SecondaryDNS
primaryDNS
Registrars& Registrants
Registry
SecondaryDNS
Data flow through the DNSWhere are the vulnerablepoints?
Server vulnarability
Man in the Middle
spoofing&
Man in the Middle
![Page 4: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/4.jpg)
© 2006-2008 NLnet Labs
SecondaryDNS
primaryDNS
Registrars& Registrants
Registry
SecondaryDNS
Data flow through the DNS
![Page 5: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/5.jpg)
© 2006-2008 NLnet Labs
primaryDNS
SecondaryDNS
Registrars& Registrants
Registry
SecondaryDNS
Data flow through the DNS
![Page 6: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/6.jpg)
© 2006-2008 NLnet Labs
primaryDNS
SecondaryDNS
Registrars& Registrants
Registry
SecondaryDNS
Data flow through the DNSEnd to end security
OO
![Page 7: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/7.jpg)
© 2006-2008 NLnet Labs
The DNSSECRRs
![Page 8: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/8.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRs and RRSets
• Resource Record:– name TTL class type rdata
www.nlnetlabs.nl. 7200 IN A 192.168.10.3
• RRset: RRs with same name, class and type:www.nlnetlabs.nl. 7200 IN A 192.168.10.3 A 10.0.0.3 A 172.25.215.2
• RRSets are signed, not the individual RRs
![Page 9: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/9.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
New Resource Records
• Three Public key crypto related RRs– RRSIG Signature over RRset made using private key – DNSKEY Public key, needed for verifying a RRSIG– DS Delegation Signer; ‘Pointer’ for building chains of authentication
• One RR for internal consistency – NSEC Indicates which name is the next one in the– zone and which typecodes are available for the current name
• authenticated non-existence of data
![Page 10: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/10.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DNSKEY RDATA– 16 bits: FLAGS– 8 bits: protocol– 8 bits: algorithm– N*32 bits: public key
Example:nlnetlabs.nl. 3600 IN DNSKEY 256 3 5 (
AQOvhvXXU61Pr8sCwELcqqq1g4JJ CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)
![Page 11: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/11.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DNSKEY RDATA– 16 bits: FLAGS– 8 bits: protocol– 8 bits: algorithm– N*32 bits: public key
Example:nlnetlabs.nl. 3600 IN DNSKEY 256 3 5 (
AQOvhvXXU61Pr8sCwELcqqq1g4JJ CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)
![Page 12: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/12.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DNSKEY RDATA– 16 bits: FLAGS– 8 bits: protocol– 8 bits: algorithm– N*32 bits: public key
Example:nlnetlabs.nl. 3600 IN DNSKEY 256 3 5 (
AQOvhvXXU61Pr8sCwELcqqq1g4JJ CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)
![Page 13: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/13.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DNSKEY RDATA– 16 bits: FLAGS– 8 bits: protocol– 8 bits: algorithm– N*32 bits: public key
Example:nlnetlabs.nl. 3600 IN DNSKEY 256 3 5 (
AQOvhvXXU61Pr8sCwELcqqq1g4JJ CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)
![Page 14: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/14.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DNSKEY RDATA– 16 bits: FLAGS– 8 bits: protocol– 8 bits: algorithm– N*32 bits: public key
Example:nlnetlabs.nl. 3600 IN DNSKEY 256 3 5 (
AQOvhvXXU61Pr8sCwELcqqq1g4JJ CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)
![Page 15: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/15.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 16: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/16.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 17: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/17.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 18: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/18.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 19: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/19.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 20: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/20.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 21: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/21.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 22: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/22.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 23: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/23.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 24: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/24.jpg)
nlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 ( 20050611144523 20050511144523 3112 nlnetlabs.nl.
VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
RRSIG RDATA• 16 bits - type covered• 8 bits - algorithm• 8 bits - nr. labels covered• 32 bits - original TTL
• 32 bit - signature expiration• 32 bit - signature inception• 16 bit - key tag• signer’s name
signature field
![Page 25: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/25.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Delegation Signer (DS)
• Delegation Signer (DS) RR indicates that:– delegated zone is digitally signed– indicated key is used for the delegated zone
• Parent is authorative for the DS of the child’s zone– Not for the NS record delegating the child’s zone!– DS should not be in the child’s zone
![Page 26: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/26.jpg)
• 16 bits: key tag• 8 bits: algorithm• 8 bits: digest type• 20 bytes: SHA-1 Digest
$ORIGIN nlnetlabs.nl.lab.nlnetlabs.nl. 3600 IN NS ns.lab.nlnetlabs.nllab.nlnetlabs.nl. 3600 IN DS 3112 5 1 ( 239af98b923c023371b52 1g23b92da12f42162b1a9 )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DS RDATA
![Page 27: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/27.jpg)
• 16 bits: key tag• 8 bits: algorithm• 8 bits: digest type• 20 bytes: SHA-1 Digest
$ORIGIN nlnetlabs.nl.lab.nlnetlabs.nl. 3600 IN NS ns.lab.nlnetlabs.nllab.nlnetlabs.nl. 3600 IN DS 3112 5 1 ( 239af98b923c023371b52 1g23b92da12f42162b1a9 )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DS RDATA
![Page 28: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/28.jpg)
• 16 bits: key tag• 8 bits: algorithm• 8 bits: digest type• 20 bytes: SHA-1 Digest
$ORIGIN nlnetlabs.nl.lab.nlnetlabs.nl. 3600 IN NS ns.lab.nlnetlabs.nllab.nlnetlabs.nl. 3600 IN DS 3112 5 1 ( 239af98b923c023371b52 1g23b92da12f42162b1a9 )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DS RDATA
![Page 29: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/29.jpg)
• 16 bits: key tag• 8 bits: algorithm• 8 bits: digest type• 20 bytes: SHA-1 Digest
$ORIGIN nlnetlabs.nl.lab.nlnetlabs.nl. 3600 IN NS ns.lab.nlnetlabs.nllab.nlnetlabs.nl. 3600 IN DS 3112 5 1 ( 239af98b923c023371b52 1g23b92da12f42162b1a9 )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DS RDATA
![Page 30: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/30.jpg)
• 16 bits: key tag• 8 bits: algorithm• 8 bits: digest type• 20 bytes: SHA-1 Digest
$ORIGIN nlnetlabs.nl.lab.nlnetlabs.nl. 3600 IN NS ns.lab.nlnetlabs.nllab.nlnetlabs.nl. 3600 IN DS 3112 5 1 ( 239af98b923c023371b52 1g23b92da12f42162b1a9 )
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
DS RDATA
![Page 31: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/31.jpg)
• Points to the next domain name in the zone– also lists what are all the existing RRs for “name”– NSEC record for last name “wraps around” to first
name in zone
• N*32 bit type bit map• Used for authenticated denial-of-existence of data
– authenticated non-existence of TYPEs and labels
• Example:www.nlnetlabs.nl. 3600 IN NSEC nlnetlabs.nl. A RRSIG NSEC
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
NSEC RDATA
![Page 32: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/32.jpg)
• Points to the next domain name in the zone– also lists what are all the existing RRs for “name”– NSEC record for last name “wraps around” to first
name in zone
• N*32 bit type bit map• Used for authenticated denial-of-existence of data
– authenticated non-existence of TYPEs and labels
• Example:www.nlnetlabs.nl. 3600 IN NSEC nlnetlabs.nl. A RRSIG NSEC
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
NSEC RDATA
![Page 33: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/33.jpg)
• Points to the next domain name in the zone– also lists what are all the existing RRs for “name”– NSEC record for last name “wraps around” to first
name in zone
• N*32 bit type bit map• Used for authenticated denial-of-existence of data
– authenticated non-existence of TYPEs and labels
• Example:www.nlnetlabs.nl. 3600 IN NSEC nlnetlabs.nl. A RRSIG NSEC
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
NSEC RDATA
![Page 34: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/34.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
NSEC Records
• NSEC RR provides proof of non-existence• If the servers response is Name Error (NXDOMAIN):
– One or more NSEC RRs indicate that the name or a wildcard expansion does not exist
• If the servers response is NOERROR:– And empty answer section– The NSEC proves that the QTYPE did not exist
• More than one NSEC may be required in response– Wildcards
• NSEC records are generated by tools– Tools also order the zone
![Page 35: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/35.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
NSEC Walk
• NSEC records allow for zone enumeration• Providing privacy was not a requirement at the
time• Zone enumeration is a deployment barrier
• Solution is developed: NSEC3– RFC 5155– Complicated piece of protocol work– Hard to troubleshoot– Only to be used over Delegation Centric Zones
![Page 36: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/36.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Current Developments
• SHA1 to be deprecated– New hash for DS records– Overlap, no flag day
• Introduction of SHA256
![Page 37: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/37.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Other Keys in the DNS
• DNSKEY RR can only be used for DNSSEC– Keys for other applications need to use other RR types
• CERT– For X.509 certificates
• Application keys under discussion/development– IPSECKEY
– SSHFPSummary for now
![Page 38: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/38.jpg)
page
© 2006-2008 NLnet Labs
Summary and questions
• You have seen the new RRs and learned what is their content
![Page 39: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/39.jpg)
© 2006-2008 NLnet Labs
Delegating Signing Authority
Chains of Trust
![Page 40: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/40.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Locally Secured Zones
• Key distribution does not scale!
net.
money.net. kids.net.
dopcorp
dev market dilbert
unixmacmarnick
nt
os.net.
com.
.
Out of band key-exchanges
![Page 41: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/41.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Locally Secured Zones
• Key distribution does not scale!
net.
money.net. kids.net.
dopcorp
dev market dilbert
unixmacmarnick
nt
os.net.
com.
.
Out of band key-exchanges
Secure entry points
![Page 42: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/42.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Using the DNS to Distribute Keys
• Secured islands make key distribution problematic
• Distributing keys through DNS:– Use one trusted key to establish authenticity of other
keys– Building chains of trust from the root down– Parents need to sign the keys of their children
• Only the root key needed in ideal world– Parents always delegate security to child
![Page 43: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/43.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Key Problem
• Interaction with parent administratively expensive– Should only be done when needed– Bigger keys are better
• Signing zones should be fast– Memory restrictions– Space and time concerns– Smaller keys with short lifetimes are better
![Page 44: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/44.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Key Functions
• Large keys are more secure– Can be used longer – Large signatures => large zonefiles – Signing and verifying computationally expensive
• Small keys are fast– Small signatures – Signing and verifying less expensive – Short lifetime
![Page 45: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/45.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Key solution: More Than One Key
• RRsets are signed, not RRs• DS points to specific key
– Signature from that key over DNSKEY RRset transfers trust to all keys in DNSKEY RRset
• Key that DS points to only signs DNSKEY RRset– Key Signing Key (KSK)
• Other keys in DNSKEY RRset sign entire zone– Zone Signing Key (ZSK)
![Page 46: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/46.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Initial Key Exchange
• Child needs to:– Send key signing keyset to parent
• Parent needs to:– Check childs zone
• for DNSKEY & RRSIGs
– Verify if key can be trusted– Generate DS RR
![Page 47: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/47.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
![Page 48: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/48.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
net. DS 7834 3 1ab15… RRSIG DS (…) . 2983 3
![Page 49: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/49.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
$ORIGIN net.
net. DNSKEY (…) q3dEw… (7834) ; KSK DNSKEY (…) 5TQ3s… (5612) ; ZSK
4
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
net. DS 7834 3 1ab15… RRSIG DS (…) . 2983 3
![Page 50: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/50.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
$ORIGIN net.
net. DNSKEY (…) q3dEw… (7834) ; KSK DNSKEY (…) 5TQ3s… (5612) ; ZSK
4
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
net. DS 7834 3 1ab15… RRSIG DS (…) . 2983 3
5RRSIG DNSKEY (…) 7834 net. cMas...
![Page 51: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/51.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
$ORIGIN net.
net. DNSKEY (…) q3dEw… (7834) ; KSK DNSKEY (…) 5TQ3s… (5612) ; ZSK
4
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
net. DS 7834 3 1ab15… RRSIG DS (…) . 2983 3
foo.net. DS 4252 3 1ab15… RRSIG DS (…) net. 5612
6
5RRSIG DNSKEY (…) 7834 net. cMas...
![Page 52: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/52.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
$ORIGIN net.
net. DNSKEY (…) q3dEw… (7834) ; KSK DNSKEY (…) 5TQ3s… (5612) ; ZSK
4
$ORIGIN foo.net.
foo.net. DNSKEY (…) rwx002… (4252) ; KSK DNSKEY (…) sovP42… (1111) ; ZSK
7
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
net. DS 7834 3 1ab15… RRSIG DS (…) . 2983 3
foo.net. DS 4252 3 1ab15… RRSIG DS (…) net. 5612
6
5RRSIG DNSKEY (…) 7834 net. cMas...
![Page 53: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/53.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
$ORIGIN net.
net. DNSKEY (…) q3dEw… (7834) ; KSK DNSKEY (…) 5TQ3s… (5612) ; ZSK
4
$ORIGIN foo.net.
foo.net. DNSKEY (…) rwx002… (4252) ; KSK DNSKEY (…) sovP42… (1111) ; ZSK
7
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
net. DS 7834 3 1ab15… RRSIG DS (…) . 2983 3
foo.net. DS 4252 3 1ab15… RRSIG DS (…) net. 5612
6
5RRSIG DNSKEY (…) 7834 net. cMas...
8 RRSIG DNSKEY (…) 4252 foo.net. 5t...
![Page 54: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/54.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
$ORIGIN .. DNSKEY (…) 5TQ3s… (8907) ; KSK DNSKEY (…) lasE5… (2983) ; ZSK
1
$ORIGIN net.
net. DNSKEY (…) q3dEw… (7834) ; KSK DNSKEY (…) 5TQ3s… (5612) ; ZSK
4
$ORIGIN foo.net.
foo.net. DNSKEY (…) rwx002… (4252) ; KSK DNSKEY (…) sovP42… (1111) ; ZSK
7
Walking the Chain of Trust Locally configured
Trusted key: . 8907
2RRSIG DNSKEY (…) 8907 . 69Hw9..
net. DS 7834 3 1ab15… RRSIG DS (…) . 2983 3
foo.net. DS 4252 3 1ab15… RRSIG DS (…) net. 5612
6
5RRSIG DNSKEY (…) 7834 net. cMas...
8 RRSIG DNSKEY (…) 4252 foo.net. 5t...
www.foo.net. A 193.0.0.202 RRSIG A (…) 1111 foo.net. a3...
9
![Page 55: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/55.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
• Data in zone can be trusted if signed by a Zone-Signing-Key
• Zone-Signing-Keys can be trusted if signed by a Key-Signing-Key
• Key-Signing-Key can be trusted if pointed to by trusted DS record
• DS record can be trusted – if signed by the parents Zone-Signing-Key or– DS or DNSKEY records can be trusted if exchanged out-
of-band and locally stored (Secure entry point)
Chain of Trust Verification, Summary
![Page 56: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/56.jpg)
page
© 2006-2008 NLnet Labs
Summary
• Scaling problem: secure islands
• Zone signing key, key signing key
• Chain of trust
![Page 57: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/57.jpg)
page
© 2006-2008 NLnet Labs
Questions?
Summary
• Scaling problem: secure islands
• Zone signing key, key signing key
• Chain of trust
![Page 58: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/58.jpg)
© 2006-2008 NLnet Labs
Securing Host-Host Communication
![Page 59: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/59.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
TSIG Protection
Registry DB
RegistrarsRegistrants
DNS ProtocolProvisioning dynamic updates
AXFR and IXFR
Queries to cachingforwarers
![Page 60: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/60.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Transaction Signature: TSIG
• TSIG (RFC 2845)– Authorising dynamic updates and zone transfers– Authentication of caching forwarders– Independent from other features of DNSSEC
• One-way hash function– DNS question or answer and timestamp
• Traffic signed with “shared secret” key• Used in configuration, NOT in zone file
![Page 61: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/61.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
TSIG Example
Slave
![Page 62: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/62.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
TSIG Example
Slave
![Page 63: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/63.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
TSIG Example
Slave
![Page 64: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/64.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
TSIG Example
Slave
Query: AXFR
![Page 65: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/65.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
Query: AXFR
![Page 66: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/66.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
Query: AXFR
![Page 67: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/67.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
Query: AXFR
![Page 68: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/68.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
AXFR
Query: AXFR
![Page 69: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/69.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
AXFR
Query: AXFR
![Page 70: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/70.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
AXFR
Slave
Query: AXFR
![Page 71: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/71.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
AXFR
Slave
verification
Query: AXFR
![Page 72: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/72.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Master
AXFR
TSIG Example
Slave
AXFR
Slave
verification
Query: AXFR
Response: Zone
![Page 73: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/73.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
SOA …SOA
Master
AXFR
TSIG Example
Slave
AXFR
Slave
verification
Query: AXFR
Response: Zone
![Page 74: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/74.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
SOA …SOA
Master
AXFR
TSIG Example
Slave
AXFR
Slave
verification
Query: AXFR
Response: Zone
![Page 75: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/75.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
SOA …SOA
Master
AXFR
TSIG Example
Slave
AXFR
Slave
verification
Query: AXFR
Response: Zone
![Page 76: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/76.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
SOA …SOA
Master
AXFR
TSIG Example
Slave
AXFR
SOA …SOA
Slave
verification
Query: AXFR
Response: Zone
![Page 77: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/77.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
SOA …SOA
Master
AXFR
TSIG Example
Slave
AXFR
SOA …SOA
Slave
verification
verification
Query: AXFR
Response: Zone
![Page 78: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/78.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
TSIG for Zone Transfers
1. Generate secret2. Communicate secret3. Configure servers4. Test
![Page 79: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/79.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page Importance of the Time Stamp
• TSIG/SIG(0) signs a complete DNS request / response with time stamp– To prevent replay attacks– Currently hardcoded at five minutes
• Operational problems when comparing times– Make sure your local time zone is properly
defined– date -u will give UTC time, easy to compare
between the two systems– Use NTP synchronisation!
![Page 80: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/80.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Authenticating Servers Using SIG(0)
• Alternatively, it is possible to use SIG(0)– Not yet widely used
– Works well in dynamic update environment
• Public key algorithm– Authentication against a public key published in the
DNS
• SIG(0) specified in RFC 2931
![Page 81: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/81.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Cool Application
• Use TSIG-ed dynamic updates to configure configure your laptops name
• My laptop is know by the name of grover.secret-wg.org– http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
– Mac OS users: there is a bonjour based tool.• www.dns-sd.org
![Page 82: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/82.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Questions?
![Page 83: PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW](https://reader033.fdocuments.in/reader033/viewer/2022060217/5f0670fd7e708231d41802eb/html5/thumbnails/83.jpg)
© 2006-2008 NLnet Labs
The Netherlands Sept-Oct 2008
page
Questions?