DNSSEC Deployment Made Simple and Secure

1
DNSSEC Deployment Made Simple and Secure

• FISC, Colorado Springs

2
Problems With DNS

• Authoritative server
• Malware
• Unauthorized zone transfers
• Domain hijacking
• Caching server
• Cache poisoning
• Birthday attack
• Network
• Man-in-the-middle
• Packet interception
• Client
• Corrupted hosts file
• Corrupted DNS resolution path

www.robbers-r-us.com
Caching Server
Authoritative Server
Client
With DNS, we can only hope that a response is
correct
3
What Is DNSSEC?

• What does it do?
• Validates the source of the DNS response
• Ensures the response has not been altered in
  transit
• Authenticates replies of non-existence
• How does it work?
• Adds digital signatures to DNS responses
• Uses chains of trust to validate responses
• Identifies bogus responses

www.robbers-r-us.com
Caching Server
Authoritative Server
Digitally Signed Response
Digitally Signed Response
Client
Bogus Response
Bogus Response
With DNSSEC, we are certain that a response is
correct
4
DNSSEC Deployment Challenges

• Complexity
• Education, development, QA required
• Security
• General purpose OS cannot protect keys
• Crypto cards are complicated
• Offline keys labor intensive
• Auditability
• What zones are signed?
• What keys are about to expire?
• Scalability
• Signing performance with large or numerous zones
• Offline key management
• Meeting update interval SLAs

Early adopters invest 4-6 man-months to deploy,
½ full time person to maintain
5
DNSSEC Deployment Options
6
DNSSEC Requires Process Discipline

• Generate Public/Private Key Pairs
• Insert Keys into Zone Files
• Sign the zones
• Periodically Re-sign the zones (daily/weekly)
• Re-sign the zone each time data changes
• Roll the keys regularly (monthly)
• (out with the old, in with the new)
• Keep the private keys safe dont let a forger
  compromise the keys, especially with dynamic data
• scripts, tools, automation
• secure key management

7
Other Operational Issues

• ITIL processes best practices for operations
  include disaster recovery business continuity
• Backing up the keys / high availability
• Documented Processes in the likely event of
  personnel change
• New contractors, new employees
• Oh no. I lost the recipe..

8
Manual Deployment Example Swedbank
9
DNSSEC Resource Information
10
Do-It-Yourself Method

• BIND programs
• DNSSEC-Keygen DNSSEC-Signzone
• Visit www.nlnetlabs.nl
• LDNS library
• Examples include a zone-walker (follows NSEC
  records) and DNSSEC validation tools to check
  signatures, etc.
• Also contain programs to manually sign zones and
  generate keys (alternative to BIND tools)
• DRILL (an interesting version of DIG)
• Visit www.dnssec-tools.org
• Tools and programs from SPARTA labs created with
  DHS funding assistance to validate, error-check,
  sign zones, rollkeys
• Key signer and roller
• Donuts (LINT-like error checking tool)
• Validation tools to check signatures, etc.

11
DNSSEC Deployment Options
12
Do-It-Yourself HSM
13
DNSSEC Deployment Options
14
Secure64 DNS Signer
Funded by DHS Grant

• DNSSEC Made Simple and Secure
• Simple
• Automated key management, rollover, signing,
  re-signing
• Secure
• Malware-immune OS
• FIPS 140-2 compliant (pending)
• Auditable
• Key and zone status reports, alerts
• Scalable
• High performance signing algorithms
• Incremental zone signing

Secure64 DNS Signer makes it easy to deploy
DNSSEC correctly and securely
15
Secure64 Software Corporation

• Privately funded, Colorado-based corporation,
  founded in 2002.
• Focused on building Genuinely Secure
  systems.
• DNS Authority DNS Signer are products based
  on this genuinely secure operating system.
• The automated DNSSEC appliance was partially
  funded by the US Department of Homeland Security.

16
Genuinely Secure vs. Hardened
Required to protect DNSSEC Keys
For more information, see our whitepaper
Eliminating Malware and Rootkits Six Essential
Characteristics of a Genuinely Secure OS,
available at www.secure64.com
17
Simple to Configure
1-line automation
Optional parameters to override defaults Can be
applied system-wide or zone by zone
Configuration file
DNSSEC can be deployed in days, not months
18
Compatible With Current Infrastructure
Secure64 DNS Slave
Unsigned Zone Data
Signed Zone Data
BIND Slave
Provisioning System (IPAM, Registry, Hidden
Master, Etc.)
NSD Slave
Microsoft DNS Slave
Just plug it into your existing provisioning
system
19
Simple to Deploy
Signing Server and Visible Master
Hidden Signing Server
Signed Query Responses
Slave
Slave
AXFR/IXFR
Secure64 DNS Signer
Unsigned Zones
Secure64 DNS Signer
Signed Query Responses
AXFR/IXFR
Signed Query Responses
AXFR/ IXFR
Keys
Signed Zones
Slave
Keys
Signed Zones
Unsigned Zones
Just plug it into your existing provisioning
system
20
Simplified Key Rollover

• Currently
• Manual transmission of DS record to parent
• Automated DS detection and rollover
• Next
• Automated transmission of DS record to parent

.gov
DS RR
DS
Are you there, yet?
example.gov
Public KSK
DS RR
DS
Are you there, yet?
sub.example.gov
Public KSK
Offline, secureprocess
21
Secure From Compromise
Protects the keys
Protects the data
Protect both signing keys and DNS data from
compromise
22
Fast Signing Performance
Configuration HP Integrity rx2660 server, 1 dual
core Itanium 1.4 Ghz processor 4 GB RAM 1 zones,
177,005 records, 344,010 signatures
Optimized code for 1024 bits outperforms many
hardware cryptography accelerators
23
Incremental Signing

• Challenge
• How fast can zone changes be signed?
• Can you still meet your target update interval?
• Solution
• Accept changes via DDNS or IXFR
• Only sign changes
• Update slaves via IXFR

Secure64 DNS Signer
DDNS, IXFR
IXFR
Signing Policy
20 updates/second, regardless of zones, zone
size
Even the largest, most dynamic environments can
be updated quickly
24
Easy to Audit

• Event notification
• Normal zones signed or resigned, key rollover
  initiated
• Warnings keys nearing expiration
• Errors keys expired
• On demand reporting
• Key sizes, algorithms, inception time, expiration
  time, rollover time

Email Server
Syslog Server
Network Mgmt. System
Secure64 DNS Signer
Reports
You always know the status of your keys
25
Secure Key Backup and Restore
Secure64 DNS Signer
Master key backup
Standby signer
Secure64 DNS Signer
Active signer
Meta-data Repository

• Meta-data Repository
• Contains KSKs, ZSKs, system state
• Stored on any networked device
• Automatically updated after every re-signing
  event
• Encrypted with master key

• Master key
• Backed up to another trusted platform
• Restores meta-data repository to any other
  trusted platform

Allows quick failover to backup signer
26
DNSSEC Deployment Options
27
Benefits Summary

• For management
• Quicker implementation
• Reduced cost
• For staff
• Simple. Less to learn
• Timely. Deploy in days, not months
• Correct. Eliminates errors that can take you
  offline
• Secure. Protects the signing keys
• For users
• Internet is safer to access

versus
Secure64 DNS Signer makes it easy to deploy
DNSSEC correctly and securely
28
Secure64 The DNSSEC Leader

• Agencies we have trained with NIST
• US Department of Commerce
• National Telecommunication Information
  Administration
• Economic and Statistics Administration
• Bureau of Statistics
• Bureau of Economic Analysis
• International Trade Administration
• US Patent and Trademark Office
• National Oceanic and Atmospheric Administration
• US Department of Health and Human Services
• National Institute of Health
• Federal Aviation Administration
• US Department of Housing and Urban Development
• US Department of Energy
• US Department of Agriculture
• US Antarctic Program
• US Department of the Interior
• National Park Service

29
Thank You! For More Information

• Secure64 web site www.secure64.com
• Search YouTube for Secure64 to view some useful
  DNSSEC tutorials
• Sign up to access to an online signing engine to
  try it out with your own data