Title: Welcome to the DNS for LIRs RIPE NCC Training Course
1Welcome to theDNS for LIRsRIPE NCC Training
Course
2Course Outline
- Securing Host-to-Host Communication
- DNSSEC
- New RRs
- Signing a zone
- Building chains of trust
- Key rollovers
- Operational Concerns
- RIPE NCCs DNSSEC Set-up
- Introduction
- RIPE and RIPE NCC
- DNSMON
- K-root
- Hostcount
- RIPE Whois Database
- Reverse Delegations
- DNS Vulnerabilities
3Who Are We?
- Trainers
- Know about RIPE NCC procedures
- Know about DNSSEC
- Not DNS server operators!
- We expect you to know about DNS.
- Please fill in your expectations in the
questionnaire.
4RIPE and RIPE NCC
5RIPE and RIPE NCC
- Réseaux IP Européens (1989)
- Collaborative operators community for
coordinating IP infrastructure development - Open to all
- Developing policies input to the RIPE NCC
- RIPE Network Coordination Centre (1992)
- Independent not-for-profit membership
organisation - One of five Regional Internet Registries (RIRs)
6RIR Service Regions
7How RIPE Works
- Open forum
- Voluntary participation
- Decisions by consensus
- Working groups
- Not a legal entity
- Does not develop Internet standards
- RIPE chair chair_at_ripe.net
- ripe-list_at_ripe.net
8Bottom-up Process
9Policy Development Process
- Proposal (from anyone)
- Discussion in RIPE Working Group (WG)
- Review by WG
- Consensus? Chair announces decision
- Concluding phase
- Last call for comments
10Your Participation is Needed!
- What can you do?
- Propose new policy
- we can help draft it
- Comment on other proposals
- Check the drafts and recent changes web page
- How to take part?
- Subscribe to mailing lists
- Come to the meetings
- or watch webcast and use Jabber / irc
11Internet Registry System Goals
12Hierarchical Distribution
13RIPE NCC Services
- Public Services
- RIPE Whois Database
- Routing Registry
- RIPE support
- Spreading information
- ENUM (e164.arpa)
- K-root name server
- Test Traffic Measurements
- DNSMON
- E-learning
- Member Services
- IP resources
- IPv4
- IPv6
- AS Numbers
- Reverse DNS delegation
- Training courses
- LIR
- Routing Registry Tools
- DNS for LIRs
14(No Transcript)
15K-root
- One of 13 DNS root servers
- Operated by the RIPE NCC
- Runs NSD
- IPv4 anycasted
- 11 local nodes
- 5 global nodes
- http//k.root-servers.org/
16K-root AS25152 Peering Policy
- We advertise only our own routes in AS25152
- We will update our aut-num object in the RIPE
Whois Db - We secure peerings with passwords
- We will not to enter into a formal peering
contract - We accept any routes offered including transit
- Only at our global mirror instances
- Aut-num object AS25152 has
- the authoritative list of locations at which
AS25152 peers - which of those locations is considered global or
local - k-peerings_at_ripe.net for more information
17DNSMON
- Quality of service of DNS servers
- Currently TLD and root servers
- Uses Test Traffic probes
- Detailed information publicly available
- http//dnsmon.ripe.net/
18Hostcount
- Data collected from TLDs in the RIPE region
- Every month
- First hostcount was in October 1990
- Involved 19 TLDs
- Now the hostcount includes around 100 TLDs
- Hostcount is provided as an informational service
- Currently undergoing overhaul
- http//www.ripe.net/info/stats/hostcount/
19Summary
- The RIPE NCC is not RIPE
- Subscribe to Policy Announce mailing list
- Services E-Learning, K-root, DNSMON, hostcount
Questions?
20RIPE Whois Database
21RIPE Whois Database
- Public Network Management Database
- All LIRs must have
- person object
- maintainer (mntner) object
- organisation object
- role object is convenient
22DB Object Syntax
Attribute name
Attribute value
Comment (after )
person John Smith address Singel
258 Amsterdam phone 31 20 535 1234
9-17 CET nic-hdl JS1-RIPE changed
john_at_example.net 20030306 source RIPE
Continuation (line starts with white character)
23Querying Whois DB
- Object types
- Resource info
- Contact info
- Protection
- Command-line client
- Web interface
- https//www.ripe.net/whois
- Glimpse full text search
- http//www.ripe.net/db/whois-free.html
24Updating Objects
- Updating creating, modifying, deleting
- Web, sync, e-mail
- Mind the primary key!
- Use new for creating objects
- Add changed line
- Ack, error and warning messages returned
25Protection of DB Objects
- mnt-by attribute refers to mntner object
- Checked at every update
- Password
- CRYPT-PW, MD5-PW,
- https//www.ripe.net/cgi-bin/cgicrypt.pl.cgi
- Private key/Public key
- PGPKEY-ltidgt key-cert object
- X.509-ltidgt key-cert object
- Multiple auth / mnt-by / mntner-s are OR-ed
26Multiple Protection Illustrated
aut-num AS3003 mnt-by ONE-MNT mnt-by TWO-MNT
mntner TWO-MNT
mntner ONE-MNT
auth MD5-PW bla34bla.
auth CRYPT-PW bla34
auth PGPKEY-AE6FBBF7
- In order to update the object AS3003, need to
have - Either the (crypt) password
- Or the MD5 password
- Or the PGP key
- If you forget pwd write to ripe-dbm_at_ripe.net
27Hierarchical Authorisation
inetnum 10.0.0.0 - 10.255.255.255 mnt-lower
MNT1 mnt-by MNT2
inetnum 10.10.0.0 - 10.10.255.255 mnt-by MNT3
inetnum 10.0.0.0 10.255.255.255 mnt-by
MNT1 mnt-by MNT4 mnt-domains MNT3
28TEST Database
- Playground Database source TEST
- whois h test-whois.ripe.net
- mailto test-dbm_at_ripe.net
- http//www.ripe.net/db/syncupdates/syncupdate-test
-minimal.html - http//www.ripe.net/webupdates-test
- Differences from RIPE Database
- Can create ASN objects automatically
- Does not contain same info as operational RIPE
Database
29Summary
- RIPE Database
- Maintainers
- Hierarchical authorisation
Questions?
30Reverse Delegations
31Why Reverse DNS?
- Mapping IP numbers to domain names
- Needed for applications (mail, IRC, ftp)
- troubleshooting (traceroute)
- LIRs responsibility
32inet(6)num and Domain Objects
inet6num 20010888/32 status
ALLOCATED-BY-RIR mnt-by RIPE-NCC-HM-MNT mnt-domai
ns LIR-MNT
domain 8.8.8.0.1.0.0.2.ip6.arpa mnt-by LIR-MNT
inetnum 81.3.10.0/24 status ASSIGNED PA mnt-by
LIR-MNT mnt-domains END-USER-MNT
domain 10.3.81.in-addr.arpa mnt-by END-USER-MNT
33Preparations
- Decide on the address range
- Whole allocation? Assignment?
- IPv4 One or more /24, /16
- IPv6 One or more /36, /32
- Decide who will be responsible
- LIR?
- End User? (create mntner)
- Allow hierarchical authorisation
- add appropriate mntner in the mnt-domains of
the inetnum object
34Sizes Other Than /24
- Multiple /24 delegations
- can be requested as one domain object
- use shorthand notation for consecutive zones
- broken and registered as multiple objects
- Smaller than /24 delegation
- End User can run own primary name server
- LIR requests delegation for whole /24
- LIR uses CNAME (RFC 2317)
35Setup and Request
- Configure DNS server for chosen zones
- ns.ripe.net mandatory for IPv4 /16
- To request delegation
- submit domain object to Whois Database
- Delegation checker starts checks
- Uses points system
36Delegation Checker Points System
- DNS issues awarded points
- 20 points or more Error
- Delegation not accepted
- Some issues awarded 20 points
- Unreachable servers, etc.
- Some issues awarded 0 points
- May be misconfigurations, may be conscious
choices - Full list of issues
- http//www.ripe.net/rs/reverse/delcheck/delcheck_d
escr.html
37Delegation Checker Issues (score 2)
- Could not lookup MX records
- PROBLEM_MAILCHECK_MX_LOOKUP
- Could not lookup A records for MTA
- PROBLEM_MAILCHECK_A_LOOKUP
- A reverse domain found in the RNAME field
- PROBLEM_REVERSE_DOMAIN_IN_RNAME
38Delegation Checker Issues (scores 45)
- TTL on NS set is too short
- PROBLEM_NS_TTL_TOO_SHORT
- DS records points to a DNSKEY without SEP flag
- PROBLEM_DS_POINTING_TO_NON_SEP_DNSKEY
- TTLs for the NS RRs in the NS RR set not equal
- PROBLEM_RRSET_TTLS_NOT_EQUAL
39Delegation Checker Issues (scores 710)
- SOA expire parameter is too small
- PROBLEM_EXPIRE_LESS_THAN_REFRESH_RETRY_SUM
- Duplicated name in the SOA e-mail field
- PROBLEM_RNAME_DUPLICATE_ZONE
- SOA serial numbers differ between servers
- PROBLEM_SERIAL_NUMBERS_DIFFER
40Other Checks
- Whois database syntax
- Authentication
- mnt-domains in corresponding inetnum
- and
- mnt-by in domain
- Errors / warnings ask ripe-dbm_at_ripe.net
- Success RIPE NCC updates parent zone
41Summary
- Set-up servers
- Domain object is delegation request
- Zone delegation checker
Questions?
42DNS Vulnerabilities
43DNS Data Flow
Master
Caching forwarder
Dynamic updates
Resolver
44DNS Vulnerabilities
Corrupting data
Impersonating master
Cache impersonation
Master
Caching forwarder
Dynamic updates
Resolver
Cache pollution by data spoofing
Unauthorised updates
Altered zone data
Server protection
Data protection
45DNS Exploit Example
- Mail gets delivered to the MTA listed in the MX
RR - Man in the middle attack
Blackhat
MX RR
Resolver
MX RR
MX RR
Sending MTA
Receiving MTA
46Other Possible DNS Targets
- SPF, DomainKey and family
- Technologies that use the DNS to mitigate spam
and phishing value for the black hats - StockTickers, RSS feeds
- Usually no source authentication but supplying
false stock information through a stockticker and
a news feed can have value - ENUM
- Mapping telephone numbers to services in the DNS
- As soon as there is some incentive
47Mitigate by Deploying SSL?
- Claim SSL is not the magic bullet
- (Neither is DNSSEC)
- Problem Users are offered a choice
- Far too often
- Users are annoyed
- Implementation and use make SSL vulnerable
- Not the technology
48Confused?
49Where Does DNSSEC Come In?
- DNSSEC secures the name to address mapping
- Before the certificates are needed
- DNSSEC provides an independent trust path
- The person administering https is most probably
a different from person from the one that does
DNSSEC - The chains of trust are most probably different
- See acmqueue.org article Is Hierarchical
Public-Key Certification the Next Target for
Hackers?
50DNSSEC Provides
- Data Origin Authentication
- Data Integrity
- Authenticating Name and Type Non-Existence
- DNSSEC
- Is not designed to provide confidentiality
- Provides no protection against denial of service
attacks
51DNSSEC Components
- TSIG/SIG(0) provides mechanisms to authenticate
communication between machines - DNSKEY/RRSIG/NSEC provides mechanisms to
establish authenticity and integrity of data - DS provides a mechanism to delegate trust to
public keys of third parties - A secure DNS will be used as an infrastructure
with public keys - However it is NOT a PKI
52Summary
- DNS introduction
- DNS vulnerabilities
- SSL not the complete answer
Questions?
53Securing Host-Host Communication
54TSIG Protected Vulnerabilities
Impersonating master
Zone administrator
Zone file
Master
Caching forwarder
Dynamic updates
Slaves
Resolver
Unauthorised updates
55Transaction Signature TSIG
- TSIG (RFC 2845)
- Authorising dynamic updates and zone transfers
- Authentication of caching forwarders
- Independent from other features of DNSSEC
- One-way hash function
- DNS question or answer and timestamp
- Traffic signed with shared secret key
- Used in configuration, NOT in zone file
56TSIG Example
Query AXFR
Master
Slave
KEYsgs!f23f
KEYsgs!f23f
Response Zone
57TSIG for Zone Transfers
- Generate secret
- Communicate secret
- Configure servers
- Test
58Importance of the Time Stamp
- TSIG/SIG(0) signs a complete DNS request /
response with time stamp - To prevent replay attacks
- Currently hardcoded at five minutes
- Operational problems when comparing times
- Make sure your local time zone is properly
defined - date -u will give UTC time, easy to compare
between the two systems - Use NTP synchronisation!
59Authenticating Servers Using SIG(0)
- Alternatively, it is possible to use SIG(0)
- Not yet widely used
- Works well in dynamic update environment
- Public key algorithm
- Authentication against a public key published in
the DNS - SIG(0) specified in RFC 2931
60Summary
- TSIG/Sig(0)
- Generate secret
- Configure servers
Questions?
61DNSSEC Mechanisms
- New Resource Records
- Setting Up a Secure Zone
- Delegating Signing Authority
- Key Rollovers
62DNSSEC Protected Vulnerabilities
Cache impersonation
Zone administrator
Zone file
Master
Caching forwarder
Dynamic updates
Slaves
Resolver
Cache pollution by data spoofing
Altered zone data
63DNSSEC hypersummary
- Data authenticity and integrity by signing the
Resource Records Sets with private key - Public DNSKEYs used to verify the RRSIGs
- Children sign their zones with their private key
- Authenticity of that key established by
signature/checksum by the parent (DS) - Ideal case one public DNSKEY distributed
64The DNS is Not a PKI
- All key procedures are based on local policy
- A PKI is as strong as its weakest link
- Certificate Authorities control this through SLAs
- The DNS does not have Certificate Revocation
Lists - If the domain is under one administrative control
you might be able to enforce policy
65Public Key Crypto
- Key pair a private (secret) key and a
corresponding public key - Simplified
- If you know the public key, you can verify a
signature created with the private key - If you know the public key, you can encrypt data
that can only be decrypted with the private key - DNSSEC only uses signatures
- PGP uses both methods
66Security Status of Data (RFC4035)
- Secure
- Resolver is able to build a chain of signed
DNSKEY and DS RRs from a trusted security anchor
to the RRset - Insecure
- Resolver knows that it has no chain of signed
DNSKEY and DS RRs from any trusted starting point
to the RRset - Bogus
- Resolver believes that it ought to be able to
establish a chain of trust but for which it is
unable to do so - May indicate an attack but may also indicate a
configuration error or some form of data
corruption - Indeterminate
- Resolver is not able to determine whether the
RRset should be signed
67New Resource Records
68RRs and RRSets
- Resource Record
- name TTL class type rdata
- www.ripe.net. 7200 IN A 192.168.10.3
- RRset RRs with same name, class and type
- www.ripe.net. 7200 IN A 192.168.10.3
- A 10.0.0.3
- A 172.25.215.2
- RRSets are signed, not the individual RRs
69New Resource Records
- Three Public key crypto related RRs
- RRSIG Signature over RRset made using private
key - DNSKEY Public key, needed for verifying a RRSIG
- DS Delegation Signer Pointer for building
chains of authentication - One RR for internal consistency
- NSEC Indicates which name is the next one in the
- zone and which typecodes are available for
the current name - authenticated non-existence of data
70DNSKEY RDATA
- 16 bits FLAGS
- 8 bits protocol
- 8 bits algorithm
- N32 bits public key
- Example
- ripe.net. 3600 IN DNSKEY 256 3 5 (
- AQOvhvXXU61Pr8sCwELcqqq1g4JJ
- CALG4C9EtraBKVd vGIF/unwigfLOA
- O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)
71RRSIG RDATA
- 16 bits - type covered
- 8 bits - algorithm
- 8 bits - nr. labels covered
- 32 bits - original TTL
ripe.net. 3600 IN RRSIG A 5 2
3600 ( 20050611144523 20050511144523 3112
ripe.net. VJ8ijXvbrTLeoAiEk/q
MrdudRnYZM1VlqhN
vhYuAcYKe2X/jqYfMfjfSUrmhPo0/GOZjW
66DJubZPmNSYXw )
signature field
- 32 bit - signature expiration
- 32 bit - signature inception
- 16 bit - key tag
- signers name
72Delegation Signer (DS)
- Delegation Signer (DS) RR indicates that
- delegated zone is digitally signed
- indicated key is used for the delegated zone
- Parent is authorative for the DS of the childs
zone - Not for the NS record delegating the childs
zone! - DS should not be in the childs zone
73DS RDATA
- 16 bits key tag
- 8 bits algorithm
- 8 bits digest type
- 20 bytes SHA-1 Digest
ORIGIN ripe.net. disi.ripe.net. 3600 IN NS
ns.disi.ripe.net disi.ripe.net. 3600 IN DS
3112 5 1 (
239af98b923c023371b52
1g23b92da12f42162b1a9
)
74NSEC RDATA
- Points to the next domain name in the zone
- also lists what are all the existing RRs for
name - NSEC record for last name wraps around to first
name in zone - N32 bit type bit map
- Used for authenticated denial-of-existence of
data - authenticated non-existence of TYPEs and labels
- Example
- www.ripe.net. 3600 IN NSEC ripe.net. A RRSIG
NSEC
75NSEC Records
- NSEC RR provides proof of non-existence
- If the servers response is NXDOMAIN
- One or more NSEC RRs indicate that the name or a
wildcard expansion does not exist - If the servers response is NOERROR
- And empty answer section
- The NSEC proves that the QTYPE did not exist
- More than one NSEC may be required in response
- Wildcards
- NSEC records are generated by tools
- Tools also order the zone
76NSEC Walk
- NSEC records allow for zone enumeration
- Providing privacy was not a requirement
- Zone enumeration is a deployment barrier
- Work has started to study solutions
- Requirements are gathered
- If and when a solution is developed, it will
co-exist with DNSSEC-BIS !
77Current Developments
- NSEC3 being tested
- All RR names hashed
- Hashed names are ordered
- opt-in for unsecured delegations possibilities
- SHA1 to be deprecated
- New hash for DS records
- Overlap, no flag day
78Other Keys in the DNS
- DNSKEY RR can only be used for DNSSEC
- Keys for other applications need to use other RR
types - CERT
- For X.509 certificates
- Application keys under discussion/development
- IPSECKEY
- SSHFP
79Summary
- DNSSEC not a PKI
- Zone status
- New RRs DNSKEY, RRSIG, NSEC, DS
Questions?
80Setting Up a secure Zone
81Securing a Zone Step 1
- Generate keypair
- Include public key (DNSKEY) in zone file
- dnssec-keygen tool comes with BIND
82Securing a Zone Step 2
- Sign your zone
- Signing will
- Sort the zone
- Insert
- NSEC records
- RRSIG records (signature over each RRset)
- DS records (optional)
- Generate key-set and ds-set files
83Securing a Zone Step 3
- Publish signed zone
- Signed zone is regular zonefile format
- With extra resource records
- Make sure all your servers are DNSSEC capable!
84Securing a Zone Step 4
- Configure forwarding resolver
- Test
- DNSSEC verification only done in resolver!
85Securing a Zone Step 5
- Distribute your public key (DNSKEY)
- To parent zone (key-set or ds-set can be used)
- To everyone that wants/needs you as SEP
- Make sure to inform everyone of key rollovers!
86Summary
- Generating keys
- Signing and publishing the zone
- Resolver configuration
- Testing the secure zone
Questions?
87Delegating Signing Authority
88Locally Secured Zones
- Key distribution does not scale!
.
com.
net.
os.net.
money.net.
kids.net.
Secure entry points
corp
dop
unix
mac
nt
marnick
dev
market
dilbert
Out of band key-exchanges
89Using the DNS to Distribute Keys
- Secured islands make key distribution problematic
- Distributing keys through DNS
- Use one trusted key to establish authenticity of
other keys - Building chains of trust from the root down
- Parents need to sign the keys of their children
- Only the root key needed in ideal world
- Parents always delegate security to child
90Key Problem
- Interaction with parent administratively
expensive - Should only be done when needed
- Bigger keys are better
- Signing zones should be fast
- Memory restrictions
- Space and time concerns
- Smaller keys with short lifetimes are better
91Key Functions
- Large keys are more secure
- Can be used longer ?
- Large signatures gt large zonefiles ?
- Signing and verifying computationally expensive ?
- Small keys are fast
- Small signatures ?
- Signing and verifying less expensive ?
- Short lifetime ?
92Key solution More Than One Key
- RRsets are signed, not RRs
- DS points to specific key
- Signature from that key over DNSKEY RRset
transfers trust to all keys in DNSKEY RRset - Key that DS points to only signs DNSKEY RRset
- Key Signing Key (KSK)
- Other keys in DNSKEY RRset sign entire zone
- Zone Signing Key (ZSK)
93Initial Key Exchange
- Child needs to
- Send key signing keyset to parent
- Parent needs to
- Check childs zone
- for DNSKEY RRSIGs
- Verify if key can be trusted
- Generate DS RR
94Walking the Chain of Trust
2
95Chain of Trust Verification, Summary
- Data in zone can be trusted if signed by a
Zone-Signing-Key - Zone-Signing-Keys can be trusted if signed by a
Key-Signing-Key - Key-Signing-Key can be trusted if pointed to by
trusted DS record - DS record can be trusted
- if signed by the parents Zone-Signing-Key
- or
- DS or DNSKEY records can be trusted if exchanged
out-of-band and locally stored (Secure entry
point)
96Summary
- Scaling problem secure islands
- Zone signing key, key signing key
- Chain of trust
Questions?
97Key Rollovers
98Private Key Compromise
- You have to keep your private key secret
- Private key can be stolen
- Put the key on stand alone machines or on bastion
hosts behind firewalls and strong access control - Private key reconstruction (crypto analysis)
- Random number not random
- Leakage of key material (DSA)
- Brute force attacks
99Key Rollovers
- Try to minimise impact
- Short validity of signatures
- Regular key rollover
- Remember DNSKEYs do not have timestamps
- the RRSIG over the DNSKEY has the timestamp
- Key rollover involves second party or parties
- State to be maintained during rollover
- Operationally expensive
100Timing of the Scheduled Key Rollover
- Dont remove the old key while there servers are
still handing out the old DS RR - New DS needs to be distributed to the slaves
- Max time set by the SOA expiration time
- Old DS needs to have expired from caches
- Set by the TTL of the original DS RR
- You (or your tool) can check if the master and
slave have picked up the change
101Unscheduled Rollover Problems
- Needs out of band communication
- With parent and pre-configured resolvers
- The parent needs to establish your identity again
- How to protect child delegations?
- Unsecured?
- There will be a period that the stolen key can be
used to generate seemingly secure data - There is no revoke key mechanism
- Emergency procedure must be on the shelf
102Key Rollover - Summary
- Generate new KSK
- Sign with old and new KSKs
- Wait for your servers TTL of old DNSKEY RRset
- Inform resolvers of the new key
- that have you as a trusted entry point
- Query for the parental DS and remember the TTL
- Upload the new KSK or DS to the parent
- Check if all parental servers have new DS
- Wait another TTL before removing the old key
103Summary
- Key size and signature lifetimes
- Key rollovers
- Emergency procedure
Questions?
104Operational Concerns
105RIPE NCC Tests
- Traces from production servers
- k.root-servers.net
- ns-pri.ripe.net
- Test servers configured like production machines
- ns-pri.ripe.net
- Loaded with all 133 zones.
- k.root-servers.net
- Only loaded with the root zone.
106Zone Signing
- 1 Key Signing Key 2048 bit RSASHA1
- 2 Zone Signing Keys of equal length
- Length varied between 512 and 2048
- Only one ZSK used for signing
- Pre-publish KSK to aid rollovers
- 3 DNSKEY RRs in each zone
- 1 RRSIG per RR set
- 2 RRSIGs over the DNSKEY RR set
107Memory Usage
- On ns-pri.ripe.net factor four increase
- From ca. 30MB to 150MB
- No problem for a 1GB of memory machine
- On k.root-servers.net
- Increase by circa 150KB
- Total footprint 4.4 MB
- Memory usage can be calculated in advance
- For authoritative servers
- No surprises necessary
108Serving the Zones Query Properties
- Clients set the DO flag to request DNSSEC data
- EDNS size determines maximum packet size
- DNSSEC requires EDNS
- EDNS/DO properties determine which fraction of
the replies contain DNSSEC information
109EDNS Properties
110Serving the Zones
- Measured for different key sizes.
- Named for ns-pri.ripe.net
- NSD and named for ns-pri.ripe.net and
k.root-servers.net - We also wanted to study worst caseWhat if all
queries have the DO bit set? - Modified the servers to think that queries had
EDNS 2048 octets size and DO bit set
111CPU
- trace server ZSK size WCPU
- ns-pri BIND 9.3.1 0000 ca 14
- ns-pri BIND 9.3.1 2048 ca 18
- k.root BIND 9.3.1 0000 ca 38
- k.root BIND 9.3.1 2048 ca 42
- k.root BIND 9.3.1 mod 2048 ca 50
- k.root NSD 2.3.0 0000 ca 4
- k.root NSD 2.3.0 2048 ca 4
- k.root NSD 2.3.0 mod 2048 ca 5
112Bandwidth Factors
- Fraction of queries with DO bit
- Seen in difference between ns-pri and k.root
result - Seen in difference between modified and
unmodified servers - Including DNSKEY RR in additional section.
- Seen in difference between k.root traces from
modified nsd and modified named - Difference in answer patterns
- Name errors vs positive answers
- Difficult to asses from our data
113(No Transcript)
114(No Transcript)
115Upper Bound
116Upper Bound
117Notes On Bandwidth Usage
- DNSKEY RRset with RRSIG in additional section
- Fairly big chunk of data
- None of the clients today validate the data
- Clients that need the data will query for it
- Servers MAY include the DNSKEY RRset
- NSD does not include the DNSKEY RRset
- Named (BIND) does include the DNSKEY RRset
118Bandwidth Increase
- Significant for ns-pri.ripe.net
- Well within provisioned specs
- Insignificant for for k.root-servers.net
- Upper bound well within provisioning specs
- Even when including DNSKEY RR set in additional
section - Key size influences bandwidth but bandwidth
should not influence your key size!
119Not Measured
- Our experiment was done in a closed environment
- What about the behavior of clients that do expect
DNSSEC information, but do no not receive it? - Firewalls dropping packets with DNSSEC
- BIND behavior is well understood
- What about implementations that set the DO bit,
but cannot handle DNSSEC data that is returned?
120Conclusion of These Measurements
- CPU, memory and bandwidth usage increase are not
prohibitive for deployment of DNSSEC on
k.root-servers.net and ns-pri.ripe.net - Bandwidth increase is caused by many factors
- Fraction of DO bits in the queries is an
important factor - CPU impact is small
- Memory impact can be calculated
121Signing the Root
- Three Organisations check root zone who signs?
- IANA/ICANN
- Department of Commerce
- Verisign
- How many keys?
- N of M system for trust?
122Resolver Issues
- DNSSEC is not in POSIX yet
- e.g. gethostbyname()or getnameinfo()
- RRSIG verification only done by caching
forwarders - To test DNSSEC set-ups, you have to work with
dig, or use the BIND lwresolver library - Alternatively write some tools
- (for PERL NetDNS and NetDNSSEC)
123End User Side
- Local verifying/recursive server trusted?
- TSIG for queries?
- IPSec?
- Enhance stub resolver functionality?
- How much information needed?
- AD bit enough?
- Verifier built in to programs?
124Wish List
- Public and private key management tools
- Provisioning tools
- Secure Islands public keys distribution
- API and protocol to communicate validation
results - Killer app that relies on DNSSEC
- Documentation/training/tools in order to reduce
costs
125Summary
- Increased memory and bandwidth demands
- Political issues
Questions?
126RIPE NCCs DNSSEC Deployment
127Old Server Set-up
- ns.ripe.net
- - Primary for various zones such as ripe.net
- - Primary for /8 v4 and /16 v6 reverses
- - Secondary for /16 v4 and /32 v6 reverses
- - Secondary for around 70 ccTLD zones
- - Secondary for lots of other misc zones
- Machine had heavy load
- Provisioning was not optimal
128New Servers - Status
- Most zones have moved to their new homes
- Currently zones are distributed as follows
- ns-pri 150 zones
- ns-sec 282 zones
- ns-tld 179 zones
- ns.ripe.net 3057 zones
129RIPE NCC DNS Server Setup
130DNSSEC Architecture Modifications
Zone signer
Primary DNS
ZoneGeneration
Whois
Secondary DNS
Customerinterfaces
DelChecker
131DNSSEC Deployment Tasks
- Key maintenance policies and tools
- Private key use and protection
- Public key distribution
- Zone signing and integration into the
provisioning chain - DNS server infrastructure
- Secure delegation registry changes
- Interfacing with customers
132Public Key Dissemination at RIPE NCC
- Until we have a signed parent zone
- Keys for all zones
- Published on a secured website
- https//www.ripe.net/projects/disi/keys/ripe-ncc-d
nssec-keys.txt - Are signed with the RIPE NCC public keys
- https//www.ripe.net/projects/disi/keys/ripe-ncc-d
nssec-keys.txt.asc - https//www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
- Will be rolled twice a year (initially)
- Announcements are always signed
133Maintaining Keys and Signing Zones
- The KeyDB maintains the private keys
- It knows rollover scenarios
- UI that can create, delete, roll keys
- without access to the key material
- Physically secured
- The signer ties the Key DB to a zone
- Inserts the appropriate DNSKEYs
- Signs the the zone with appropriate keys
134Private Key Maintenance Software
- Perl front-end to the BIND tools
- Key pairs are kept on disc in BIND format
- Files contain human readable information
- Possible to bail out and sign manually
- Works in the RIPE NCC environment
- No warranties
- Available https//www.ripe.net/projects/disi/dnss
ec_maint_tool/
135Securing the Delegations
- The DS exchange is the same process as the NS
exchange - Same authentication/authorisation model
- Integrate the key exchange into existing
interfaces - Customers are used to those
- Include checks on configuration errors
- DNSSEC is picky
- Provide tools
- To prevent errors and guide customers
136Changes to the Delegation Procedure
- ds-rdata attribute was added
- Zone generation tool uses ds-rdata contents
- For unsigned zones ds-rdata is blocked
- Added a number of DelChecker checks
- Web-interface to create domain object
- Does all the delegation checker checks
- https//www.ripe.net/cgi-bin/delcheck/delcheck2.cg
i
137Summary
- Server changes
- Delegation changes
- Web interface for domain objects
Questions?
138The End!
Finis
?????
K???
Sfârsit
Ki????
Konec
Ende
Kraj
The End
Son!
Fine
Lõpp
Kpaj
Vége
Fund
Fin
Einde
?????
Baigti
The End
Slutt
???????
Fim
Koniec
Loppu