OpenDNSSEC training Opening 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 1 Agenda Time: Day 1: 10:00 – 17:00, Day 2: 09:00 – 16:00 • Introduction to DNSSEC and the OpenDNSSEC application • Prerequisites for running OpenDNSSEC and description of the lab environment • Hardware Security Modules • SoftHSM installation and initialization • Configuration files for ODS, conf.xml , kasp.xml and zonelist.xml • Running OpenDNSSEC • Testing • Integration • Monitoring • Recovery planning • Operational practices 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 2 Introduction • Who am I? 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 3 Introduction • Who are you? • Any experience with DNSSEC? • What are your expectations? 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 4 Goals • Understanding of DNSSEC • OpenDNSSEC • Install • Configure • Sign zones • Integrate with your environment • Basic troubleshooting 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 5 Lab environment • Amazon Elastic Compute Cloud (EC2) • One teacher server running odslab.se • Two servers per group • Resolver – resolverX.odslab.se • Name server – nsX.odslab.se • One domain per group • groupX.odslab.se 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 6 The lab • Handouts with lab instructions • Most of the labs are introduced by a presentation • Group numbers and login credentials are handed out by the teacher 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 7 OpenDNSSEC training Uploading the DS RR 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 8 Head start • We need to create a chain-of-trust to our test domain, odslab.se. • .SE distributes its zone every second hour (but are allowed to take up to five days). • Need to this so that you can validate your subzones later in this lab. 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 9 Uploading the DS RR • Creates a chain-of-trust. • You do this when your zone is signed. • We have prepared odslab.se, it is already signed. • How you upload the DS RR depends on your registrar. • Various APIs and web interfaces, some does not even support DNSSEC. 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 10 Live demo • odslab.se is using the registrar SE Direkt. • https://domanhanteraren.iis.se/lang/?set=en 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 11 OpenDNSSEC training DNSSEC introduction 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 12 The DNS Hierarchy . NS d.root-servers.net. NS a.rootd.root-servers.net.-servers.net. A 128.8.10.90 a.root-servers.net. NS m.root. A 198.41.0.4-servers.net. m.root-servers.net. A 202.12.27.33 . (root) org. NS b0.org.afilias-nst.org. b0.org.afilias-nst.org. A 199.19.54.1 org. NS d0.org.afilias-nst.org. .net d0.org.afilias-nst.org. AAAA 2001:500:f::1 .com .org opendnssec.org. NS primary.se. opendnssec.org. NS ns.kirei.se. opendnssec.org. NS secondary.se. opendnssec.org www.opendnssec.org. A 91.206.174.13 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 13 . (root) Resolving DNS DHCP server 2. www.opendnssec.org? 3. Ask a0.org.afilias-nst.info .org Caching resolver 1. www.opendnssec.org? 4. www.opendnssec.org? 5. Ask ns.kirei.se 8. www.opendnssec.org has address 91.206.174.13 Client computer 6. www.opendnssec.org? opendnssec.org 7. www.opendnssec.org has address 91.206.174.13 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 14 Vulnerabilities • You cannot trust the DNS answer • Various categories of threats • Denial of Service • Data integrity • Protocol issues – Cache poisoning, Query prediction • System corruption • Repository corruption • Privacy • Cache snooping • NSEC walk 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 15 What is DNSSEC? • Domain Name System Security Extension • An extension that is placed on top of DNS • It gives: • Data Origin Authentication • Data Integrity • Denial of Existence • By using digital signatures • Fixes some of the protocol issues 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 16 Add crypto to the mixture • Asymmetric crypto: • Asymmetric key pairs have a public and private key • Protect the private keys • Publish the public keys • KSK: • The Key Signing Key - what you trust • Signs the Zone Signing Keys, ZSK • ZSK: • The Zone Signing Key • Creates signatures of records in the zone - RRSIG 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 17 DNSKEY and RRSIG opendnssec.org. IN DNSKEY 256 3 5 BQEAAAAB2WMDxqWR7cCadFXQmmR3jhfHekKf5uhUVxBFyzHGyHc1vVi0 u4w3Z+/96anmn+oTzuxGmYOPm3j+3AfatV3USD8b4DdkM35aNZ2iMyXd lMFb+OgPUODl71nnxp2KGFu8oWtILLJMOAo5giitUpMFWmGAKJH/BbWh WydF1fKwLuk= opendnssec.org. IN DNSKEY 257 3 5 BEAAAAOhdFlVHeivG77Zos6htgLyIkBOn18ujX4Q7Xs6U7SDQdi6FBE5 OQ8754ppfuF3Lg1ywNLHQ5bjibquSG7TuCT6DWL3kw+hESYmWTeEev9K RnxqTA+FVIfhJaPjMh7y+AsX39b8KVQ32IYdttOiz30sMhHHPBvL4dLC 4eCQXwUbinHRWSnKpKDXwuaUUtQkPqkEc4rEy/cZ3ld408vMlcc73OcK t+ttJeyQR1dJ0LoYHvH0WBzIWg3jUPmz/hSWrZ+V2n0TISQz0qdVGzhJ vahGvRstNk4pWG1MjwVgCvnc18+QiEV4leVU7B4XjM9dRpIMzJvLaq+B d8CxiWvjpSu/ opendnssec.org. IN RRSIG DNSKEY 5 2 3600 20110705003007 20110625003007 40957 opendnssec.org. PXW2Zj3HM2annBMGGHormcyIUZF4s+KZIKynoNfSyqHmiTghUDxVUStF tzp88ZlHLV+0CYQU4zY20RI9kGg7Iwc+jF8BGjoJfIrNtt6ado9sBrqD znK/fal6fsFl7HuhRke68P5mwQETKOTV3S0Tcfz6krmqofbTAq5qwkqf CBX4Wm6csZHWVF+pUlNhPumJpbnI6mHNcRvVSx07D3TGRT4ZF/1s38md GaFkSKc2zxgGCOSyWfUml93AQ5Zox+l1hfGr3NZd7MAynklwZSrY/JzK mUN24n2wmjrNNFaQuXbjO2T+Mqm2PB3yweYxyh2kKryf5Oc3tkglr1jP zsuoWg== opendnssec.org. IN RRSIG DNSKEY 5 2 3600 20110705003007 20110625003007 49829 opendnssec.org. BlZZUWXTpQ8Ur0MBJxgHASarKfWREOTABaW+d/zIaFtUjhicQUjm2IUx 4O84gxslKvk/uhwfm0qYII+Mlz3IX93e6Ml8EC+O/0zFPEXjwQRmHplC +qjyOAONHOfyqG0El+da33tr+E+VBtigTN5GyqSDfZ/zuPRkiYr8Uxzg CJ0= 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 18 Signatures? • A signature is an encrypted hash of data. • The key used for encryption is the private key, and the signature can be verified by decrypting the hash with the public key. • A hash is a checksum of a set of data. Typical checksum algorithms are MD5, SHA-1 and SHA-256. MD5 is considered vulnerable. 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 19 DNSKEY algorithms • Different DNSSEC algorithms: • RSAMD5 • DSA • RSASHA1 • DSA-NSEC3-SHA1 • RSASHA1-NSEC3-SHA1 • RSASHA256 • RSASHA512 • ECC-GOST 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 20 NSEC • Proof of non-existence • You want to protect anybody from performing a DoS attack against a name in DNS. That is done with NSEC. mail.opendnssec.org. IN NSEC svn.opendnssec.org. CNAME RRSIG NSEC 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 21 NSEC3 • NSEC makes zone walking possible • Uses the hash of the domain name • Requires more resources from resolver and the name server. 7oreb1sb9elhfqfp53bqqde6bcdm5eo3.groupx.odslab.se. IN NSEC3 1 0 5 3A5BF749D1330DE3OTANAROMKJB00QC2G6K2IT2GU2SB4DOA CNAME RRSIG 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 22 Zone file without DNSSEC $TTL 60 @ IN SOA nsX.odslab.se. test.odslab.se. ( 2011062100 ; serial 360 ; refresh (6 minutes) 360 ; retry (6 minutes) 1800 ; expire (30 minutes) 60 ; minimum (1 minute) ) IN NS nsX.odslab.se. www IN CNAME nsX.odslab.se. 2 March 2012 Creative Commons Attribution-ShareAlike 3.0 Unported License 23 Zone file with DNSSEC groupX.odslab.se. 60 IN SOA nsx.odslab.se. test.odslab.se. ( bwx199Mu8Xj9p9Q8CbzCvbvHPtRqPgf6Mto9jjlUaSK4 2011062145 ; serial NlNQWg/qfsLvkvxRpdE4g9Xac3b71TPuylQSovvARR0v 360 ; refresh (6 minutes) 4rJ4zmBdomdQHjtwOuQ4GeVfpgKqFCqa8HFK8D20Kmjk 360 ; retry (6 minutes) 56a7rbe6UWt5hHMjQfys3NfvulFAdCTW0Rbikss7YQMw 1800 ; expire (30 minutes) j6msmsRS8Zj+IlBbmku6RwxVxNF/ca09fuz4NhyOOSRP 60 ; minimum (1 minute) 2mBTBIwk+XcybA6vK5ofnrBTCSSoJOt4+g== ) ) groupX.odslab.se. 60 IN NSEC3PARAM 1 0 5 3A5BF749D1330DE3 groupX.odslab.se. 60 IN RRSIG SOA 8 3 60 20110628103724 ( groupX.odslab.se. 60 IN RRSIG NSEC3PARAM 8 3 60 20110628103502 ( 20110628083552 44494 groupx.odslab.se. 20110628083552 44494 groupx.odslab.se. NJ5lIdcdw3TJlSjTd5W/Gk1CtgZu2VfXAVIF49em/jdm Gvy1AOrm6dENvVUke1Ck3KmjB5W1mbvIsFdvm2p2MfZa pA1JnejkwPAfb0TjdcXBUH6cQ2XIHobjgEJEpWRM9G/W msgUJNJ0sT6R3jIyRIvc+6T3jADDHGpvr6ILLnWySFRb W7DYJZmdo6o09YrMexTLCZLcq6eyjTpS8TmwmconuNEN 9efAn/SDt060N3YsU6emv5iAh/TRbo7g8UNtokm1TAds FiCkBztqgHlyw0Teg9sw/1E0UVwGKKgd0SOv8Nw= ) 5rZ187cOo3yqQ05qBSTVo8wCcF1HS6+htEt+vQs= ) groupX.odslab.se. 60 IN NS nsx.odslab.se. www.groupX.odslab.se. 60 IN CNAME nsx.odslab.se. groupX.odslab.se. 60 IN RRSIG NS 8 3 60 20110628103609 ( www.groupX.odslab.se. 60 IN RRSIG CNAME 8 4 60 20110628103414 ( 20110628083552 44494 groupx.odslab.se. 20110628083552 44494 groupx.odslab.se. K3Yxcz25nv0m8SZDHkh0YXPBrZ0+78hVsT7FD4A9GZ9m BAs7KPVdwoPeC9isn/N00dV2OB62sSjbQS65r6h8EOGF 3sHpkpfzjZ/Bee+lgwZZGIJKmMfyRtQQon7oCa2Z9xe9 ToRqd6wRpd8OhNSNrJNn7ycH61m2j71WhE00fsMLA1T6 L/D9KQzPzZbZCMrOxG/usSZ+LhwYuN3b0Kl2BIhklji5 vxGKVcK6IeH+7Vpu4bgnH93jq8f3TftaiR22bYNl+Y9Q fBN6aEsyhw+hiV9ibobzqKe5bMnxaa9IfMscV1c= ) Y7PHNFcmZ0PmoqVmilmtJdpn+YNjUJ5a+Riwojo= ) groupX.odslab.se. 120 IN DNSKEY 256 3 8 ( 7oreb1sb9elhfqfp53bqqde6bcdm5eo3.groupx.odslab.se. 60 IN NSEC3 1 0 5 3A5BF749D1330DE3 AwEAAasv0uyeTp5kIaw/fwPyQncY06YMn370lczC5SCx