Intro to DNSSEC

Video in TIB AV-Portal: Intro to DNSSEC

Formal Metadata

Intro to DNSSEC
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Content Metadata

This presentation will introduce the DNS Security Extensions which extend standard DNS to add resource records and algorithms to provide source authentication. We will cover the need, signing, validating, and troubleshooting DNSSEC signed zones. The presentation will also introduce EDNS0, new resource records, and DNSSEC related tools. Some examples will be shown using ISC BIND.
I I guess his started can you guys hear me OK and several tumor refined cool by the way for it started this list Odyssey this is a zone that I created manually because that predates the author is not mine but those are the 1st guy guys that started buying and student projects that of but the a 3 or 4 of them for student projects than a few other a developers that came right after them that's a different story when so at the end we talking
about the DNS that and DNS security protocols I'm not going to be talking about he said 6 0 and to me talking about at the sun zones in related to that I have a few questions for his started I'm curious at any of you have deployed DNS sect on the hands of pragmatic questions I get it done in authoritative server and you well I guess another question has anybody enabled the validator to start verification in that they are at students and we'll see later on that it's a pretty easy to get started with and also it's very difficult to with him so just just for fun and this is the NSF forest sees only so this is not the DNS sees but just the intersect with that's a pretty thick over 300 pages and some of its and there is maybe another hundred pages that to this because this is a couple years old well I worked for RISC how work on the Byington project release engineer technical writers and maintain our building test farm and before that I was a support engineer C for 1 year at this pre dated most of the intersect use but we did have some customers that were testing the in a 2nd there last inside a love troubleshooting work at earlier today I went to a presentation about logging about using the same log messages in different places in code you know it's a nightmare to track down where all we have is exact same problem in by 9 and you know you have the form where which might be turned into a Cerf fell or immersive fell we like over 50 places with the exact same log message and from the user point of view there's nothing about it and so the administrator but then again there was nothing they could do about it either so as a little bit of work differ by 9 is just adding unique logging I won't get into that a little bit though and also on that yes the developer and I'm on the on the board not
as a few things out we will cover also I'm not gonna cover a dynamic updates and with signing and this will you guys have some basic the inner cell if I experience so how many of you have admin and blind server how about other DNS servers so it would basically got almost everybody here such that but in my example the abusing by 9 but there are other inescapable of resolvers and also authoritative servers that now I've
this talk about some of the threats to DNS and we'll talk about later on how the these apply to signing whether they help or not so we have packet interception the man in the middle attacks but people your wire who might be all the modified questions or responses that eavesdropping to spoof responses will talk at the moment ID guessing inquiry prediction unnamed chaining where a returned part of an answer like the they'd give you pardon answer L point you to their own authority of name server and then once you start wearing the authoritative name server they saw a guy Khot for other things the IRS these might accidentally or purposely provide different answers and we know this is an ongoing debate where IS these purse loosely could provide their own answers and yet even ISP in my area Verizon they do that so OK I don't use their names are reversed madam that's their choice and a denial of service attacks signing does it help that in signing actually can could add to the problem and will talk with briefly later of another type of attack is not modifying data but is actually removing dead and then easy example here is if you remove Annex records most smells reversal drawback this just use the the regular address record in so what if that system is already controlled by the attacker is less example a few things about DNS components and the query information has a source address in the port of the query and that's from the other recursive server or it might not even be a recursive server idea stub that client as a destination address of you know 453 this also asking then they identifier to keep everything has a unique is a core idea but it's only 16 bits now then there's a query name the class in our case we disease Internet class in the type where there's an address record you're asking for an MX record SSH FPU things like that and they don't command and bringing shows you all these things except the source What's interesting is the response it comes back it needs a 
provide the same original information and as part of the pattern or the way to synchronize all the responses it receives so as original query ID class name in the type and they also should come back from the same by address imports now originally used so now we give you a few examples how you can in the break it yourself and I I I have use some tools and some strips to poison caches in this give you some ideas so you need to know the query and the source for and the other information is generally easy to control or no in you can control it by of flooding your own series a queries to it so now you know which questions can ask seeking control a lot of it I had as a race but again in many ways it is a technique and of course it's obvious if you have a pack a packet sniffer somewhere along the line and it's really easy for you and brute force or random chance was a brute force if you flood responses no tens of thousands or hundreds of thousands responses nods aria never match in your overall the poison is to be the real response back and to the resolver and then once it's in the resolver let's say your Big-ISP and you have a million customers and then from then on until that time to live expires they're feeding your answer solar customers a few years ago I may so you remember there's a lot of by news but is mormon but just binders is DNS news but Kaminsky at techniques for predicting in forging a DNS response and he showed ways where he did spoofer cash in like 30 seconds and so just the very basics of it you get the cash to ask a question you get the resolver ask a question and it might be as simple as doing SMTP connection over and over and over again because most SMTP servers of my respond you can give it you know some information SMTP having you started their DNS queries now based on the birthday paradox you realized it didn't matter if you went through a whole series a query it it matter if you went through a whole series of source sports just keep on flying the 
same ones over and over again as a small pool news able to do in 30 seconds and this set of providing just an answer he gave him a question that we're apps for further information so he provides something that delegated to his or her own authoritative server and then you just give it a huge time to live and now a lot of name servers will have a cap of the maximum time to live what say Kapor's a week and then they die you cash for a week but I guess I don't cover another slides the whether some Goals with this whole they could point you to there a spoof of your bay or spoof writings anything you log in yeah am I look the same in my redirected the real 1 but they might really capture some information and I potentially use that is still from your FIL all types of things and the DNS
changer warm this was in the news starting a think in November the FBI at working with some other governments they Khot cited 6 out of 8 people there were involved with this they had over a hundred name servers and that they had traffic appointed to in this case over 4 million systems were pointed to just the name servers is via someone's on Windows boxes and also they targeted at a cheaper white wireless routers that actually millions of people have the United States and now redirected and rogue websites and they know that they earned at least 14 million dollars just by pointing into the sites with advertising is 49 dollars but in some cases they also build still money other ways now that's also called Operation ghost collect what's interesting about it now or IIsi runs the name servers now in slowly of other groups are trying to convince all of the I S P's to clean up you know it is just it's all the customers and so I think at least 500 thousand compromise systems or so so using it or turn off was in many but now we got a court order to keep it running until I think July server interesting and maybe some of you might know somebody that has a Windows boxes pointing to the wrong a name servers the answer when they come from in close all right so the the reason while the although I don't know not us but the alternative is as we don't provide any means service and I so a million computers would actually think that the Internet is down 5th you know it is Israeli true that's formulae and that Windows systems now that we don't know the inner security would help in many cases but some browsers and clients have validation built into them the so they chose to use DNS capable client then they could see if they're going to their own website and if it's the not of fire and the very quick short description as DNS set offers as stated the an acid it proves that the dad is not modified and came from the official source and we'll get into detail
know I just before we didn't do setting up DNS sect but talk about some other use cases in some are pretty interesting by dating or DNS-based Authentication of Named Entities and some clients in there hasn't patches for chromium already they can use the and asked a federal initial keying information and so this is something to re- place a certificate authorities is more light weight than the regular HTTP st exchange and so it's alternative way using DNS and it's pretty interesting but also 1 other thing is I'm using it for I SMT piece of smart start TLS in it's also stops it from being compromised there's known attacks another thing is for BGP rout origin verification it announces which routs that it prefers announces these verses the VAD an acid that's been signed would be an asset and so that's the whole rover and do any of you uses secure shell fingerprints in a DNS record and so when you log in via SSH to new boxer does no you are it'll show your fingerprint this is a way to automate or verify the year hitting the box you really wanted to log into but it is not as logging in you might you you know remotely running commands are all types of things on a system and so you could do it I fear that but also that the new pg and maybe PGP does also but it can retrieve certificates and public information of the DNS and so you could have that you'd unisex sign and then some people and use it to make sure that they're hitting their were correct of packages repos in so I have heard of 1 and a distribution of Linux I think it's called 0 c Dad uses that in so those are some interesting cases the over there the state I have not heard of progress on many I would have heard about this this article you guys can invent some more ideas some more users I still get into this a little bit more so the in sack actually adds new resource record types it also as the message header bits and these are used to verify the data matches with his own administrator actually put into the zone in 
the 1st place in nature hasn't altered entrances it does not provide a secure tunnel as in the DNS world you can use to sing others also a DNS script DNS curve there's some other ideas not for tunneling and DNS traffic but it also does not hide the data so as not encrypting the data whatsoever this design backwards compatibility in mind but saved not 100 per cent but very close in so if if you are do not want be validator then you can just continue to use the NS a saying even if they if you're upstream provides DNS set records and basically when you ask them they will send Mt will be fine it also if the destination content but I mentioned about appointing you to a spoof website a lot of people may not even check if the SSL certificate is in place to be they may not care of the TPS a http a general users of but if you wanted to make sure that have continent there's other technologies but the 1st thing about DNS sectors there requires DNS 0 down these extensions to DNS and this allows you have new flags new return codes new label types it also provides ways to announce it nobody bites you could receive and send it in this is important because historically been asked to usually small packets usually less than 512 and many of now firewalls rather operators kept that in mind and likely DNS has been around for over 10 years and all servers supported and all in all the root servers supported in most infrastructure supports it but I have seen over the last years some big customers rollout set life and then a day later left to turn it off because something between their production environment in someplace else on the Internet and some routers or something your squashing the diene asec traffic and because they're validators enabled it it was incomplete and in so that actually breaking their DNS and will tell examples that later so in your case nature firewalls don't have block these packets no larger 512 bytes and yes there are some broken servers or network devices that 
do this. I don't notice it here on campus, but many times when I go to different hotels and motels I see it; it's not just DNSSEC, it's DNS in general that may do all types of weird things, and DNSSEC might not work. We'll see this a little bit later. One of the new header bits is DNSSEC OK (the DO bit), and basically this means the validator is saying "I understand DNSSEC-related traffic coming back to me." It doesn't mean it's going to do anything with it; it's just saying it's OK to receive it.

Just to back up a little bit, in case some of you have seen documentation for, or encountered, the SIG record, the KEY record, or the NXT record: those are old and outdated, obsolete, and not used. The new standards are from 2005 and on, and those are the ones I'll be showing in a few minutes. Also interesting: some of the threats were documented starting maybe in 1989 and then in the early nineties, so these threats were documented and announced in different places over the years, and it wasn't until Kaminsky showed some different ways to do it that it came out as really big news. One of the ways to limit it is to make sure that the source port range is large, and that's one way to alleviate the problem, but the problem still exists: if you are on a network with very high speed bandwidth you can still spoof this; the thing is not fixed, and so you need a solution to work around it, such as DNSSEC. Because everyone is using DNS, it's hard to change a protocol that the entire world uses, so we're just extending it. Very briefly, it uses public key crypto: there's a private part which you keep on your own systems, and you might keep it in an HSM, and you use that to sign, to create signatures; then there's a public key that is shared with other people, and they use that just for the verification part; you will see that coming up. The new resource record types are essentially RRSIG, DNSKEY, DS, NSEC and NSEC3. In this lecture I will not cover NSEC3 at all, NSEC only briefly, and RRSIG and DNSKEY I'll get into in some detail. Right, so the
first part is the validator: when it sends its query it sets the DO bit, saying "OK, I understand DNSSEC, go ahead and send me what you have." If they have something on the server side, if it's enabled with DNSSEC and the zones already have this information, it will return a signature that's already been set up ahead of time; I've never seen an implementation that does it on the fly, it's generally done ahead of time, but it provides a signature that goes along with the answer. The signature is a hash of the entire record set, not of each individual record but of the entire set; the hash is encrypted using the zone's own key, and that's your digital signature. I'll mention it a lot: if you have four NS records with the same label, same class and type, that builds the set, and there's one RRSIG for that, and again it's automatically sent back with the answer.

So let's look at some examples here. The first thing here, which I'll talk about later, is the authenticated data (AD) bit, but the first thing you should notice is that there are two answers and that we were using EDNS0; you can see this from the flags that were passed with the question. Now we're getting to the part where there are two answers: there's an address record and a corresponding signature. In the authority section you might have other information coming back to you, and those records might also have corresponding signatures. Notice that in this case, with the signed information, the response is still less than 512 bytes. We'll see that, and
we'll quickly go over the different parts of the RRSIG. The RRSIG identifies the record type covered, the algorithm used, and the number of labels (whether it's www.1.2.3 or whatever, it has a number of labels); the original time to live (because these are regular DNS records, they have their own time to live, and so it's nice to see what the initial time to live was, just in case it's been modified); the expiration time of the signature; and the inception time, when it should begin. The key tag, also called the key ID, is used by administrators for informational purposes, just so you can compare things visually; without a tool to validate or verify for you, you should not rely on it, it's just for your eyes to match things up, and we'll see examples. Then the signer's name, the name of the zone that signed this record, and then the digital signature, which I just explained. We see that information there, and we see the inception time and the expiration time. The one thing to note is that the expiration comes before the inception time when you read it, and a lot of people look at it and go "oh, something's wrong here" because they are reading it out of order. In this example it says labels 3 because there are three labels, www.isc.org. One thing to know about wildcards: wildcards are also covered by this; you can sign wildcards. Right, so the DNSKEY.

This is generated with the keygen tool; it is for the zone and not for the individual labels, so it's not like you would create a different key for every single record or record set. Again, the signatures are generated with the secret key, the private key, and then the DNSKEY is the public key that's used to validate the signatures. There's also a hash of the DNSKEY that's called the DS; we'll look at that in a little bit.

There are some flags, 257 and 256, the key signing key and the zone signing key. From the validator's point of view this does not matter; this is only for the convenience of the tools for maintaining zones, for the convenience of the administrators setting it up, and we'll see that. So
we'll look at some examples here. We want to look at the key tag, 44016, and it's right here in the signature. Then we'll go a little bit further, doing another dig, this time asking for the DNSKEY record; it came back with a couple of DNSKEYs, and we can see this one matches up, and so in this case it is the public key used to validate the previous signature. On top of the key ID, one thing to know is that everything is signed, not just your original question but the other information too: the keys themselves are signed, every single part of the zone is signed, and so the public key is signed too; you can see that here. In this example the RRSIG identifies which one it was signed with, the DNSKEY. The original TTL is 3600, but because it's been in the cache for a certain amount of time it's already ticking down.

So the DS record is used to start building a chain of trust between the parent zone and your own zone, and the parent might be some third party. Usually it contains a hash of what's called the key signing key. The DS record is created by the signzone tool, and the DS itself is also signed, which means it has its own signature in the parent zone; you provide it to the parent zone. An important point is that it is returned with delegation records: when you ask a parent for information it says "OK, I don't have this zone, go look someplace else" by giving you NS records, and at the same time it also provides the DS records and all the signatures for this information. Now the NS records themselves are not signed, the delegation is not signed, but the DS records are, and
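The key tag matching and the DS hash described in the last two slides, written out as an added example (not code from the talk, and not ISC's or BIND's code). The key tag is the 16-bit checksum of RFC 4034 Appendix B, and the DS is the SHA-256 digest (type 2) of RFC 4034 section 5.1.4 over the owner name in wire form followed by the DNSKEY RDATA. The two DNSKEYs are constructed: their key bytes are placeholders, not real RSA keys, so nothing here verifies an actual signature.

```python
"""DNSSEC key tag, DS digest and DNSKEY/RRSIG/DS matching.

Added example for this talk, not ISC's or BIND's code. Implements the key
tag checksum of RFC 4034 Appendix B and the DS digest (type 2, SHA-256) of
RFC 4034 section 5.1.4 / RFC 4509. The DNSKEYs below are constructed: the
"public keys" are placeholder bytes, not real RSA keys.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation: str) -> bytes:
    """Parse 'flags protocol algorithm base64...' as dig prints it (key may be split into chunks)."""
    flags, proto, alg, *chunks = presentation.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(chunks)))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum of the RDATA. It is an index, not a
    proof: two keys can share a tag, so a validator still has to try the signature."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(rdata: bytes) -> str:
    """Flags 257 = KSK (zone key + SEP bit), 256 = ZSK. Only tooling cares; validators do not."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x0001 else "ZSK"


def ds_record(owner: str, rdata: bytes) -> str:
    """Build the DS the parent publishes: digest over owner name (wire form) + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def keys_with_tag(tag: int, dnskeys) -> list:
    """Candidate DNSKEYs for an RRSIG or DS that names this key tag."""
    return [rd for rd in dnskeys if key_tag(rd) == tag]


def ds_matches_dnskey(ds_line: str, owner: str, dnskeys) -> bool:
    """Chain link from parent to child: recompute the DS from each child DNSKEY and compare."""
    fields = ds_line.split()
    expected = (fields[-4], fields[-3], fields[-2], fields[-1].upper())
    return any(tuple(ds_record(owner, rd).split()[-4:]) == expected for rd in dnskeys)


# Constructed sample zone keys (placeholder key material).
KSK = parse_dnskey("257 3 8 AQIDBA==")
ZSK = parse_dnskey("256 3 8 BQYHCA==")

if __name__ == "__main__":
    for rd in (KSK, ZSK):
        print(key_role(rd), "key tag", key_tag(rd))
    print(ds_record("example.org.", KSK))
    # An RRSIG carrying key tag 4118 is checked against the ZSK, one carrying 2063 against the KSK.
    print([key_role(rd) for rd in keys_with_tag(4118, [KSK, ZSK])])
```

With these placeholder keys the KSK gets key tag 2063 and the ZSK 4118; the DS line printed for the KSK is exactly what `dnssec-dsfromkey` would hand to the parent for a real key. Note that `keys_with_tag` can return more than one key, which is why the talk says not to rely on the tag alone.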
let's look at a tcpdump; hopefully this is fine for you guys, and I have some other examples later with tcpdump. So we see an address request to a parent, a normal request, you've seen this happen any time; but in this case the DO bit was set, so in the returned answer, here are the delegations, and instead of just the NS records it said "by the way, there's a DS record also associated with it."

Here's another example; this is just a dump of the cache in BIND 9, and this is from a simple query for an NS record, and it shows the additional DS records. Those are sent automatically; you can also query for them and ask for them. We'll skip through that.

Now the NSEC record: this is to indicate that a resource record does not exist, or to indicate that a certain individual record type does not exist. The first thing that's important with a DNSSEC signed zone is that the entire zone is sorted in canonical order, so here it is also ordered. Then it creates these new records, NSEC records, creating an entire chain representing every single record in the zone, and how it works is that one label refers to the next label, all in order. So by asking for something, you can see whether it falls in between this label and the next one; with the NSEC you will know that there's a gap, something missing in the zone. Also the NSEC record identifies the types, so you can see that, for example, the MX record is gone, someone has done something. Since there is a chain, some people were concerned: "OK, well, I don't want anybody to know what's in my zone." Using the chain of NSEC records you can walk it, and so you can know everything in the zone; it's very simple. So the alternative technology for that is NSEC3, which creates a hash instead of using the regular label name, hashes for each one, and so you can walk it also, but you don't know the original names anymore. I think everybody would just use NSEC; most people don't care if their zone information is walked, it's already public, but some people do care, the same people who, for example, turn off zone transfers or only allow them from certain systems. Whatever your own desires are. So the
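The canonical ordering and the two NSEC proofs just described (a name in the gap between two owners, and a type missing from an existing name's bitmap), as an added example that is not code from the talk or from BIND. Canonical order follows RFC 4034 section 6.1: labels are compared from the right, case-insensitively. The zone is constructed; `walk_zone` shows the enumeration the speaker mentions, which is the reason NSEC3 hashes owner names.

```python
"""NSEC chain: canonical ordering, proofs of non-existence, and zone walking.

Added example for this talk, not BIND's code. Canonical ordering follows
RFC 4034 section 6.1 (labels compared from the right, case-insensitively);
the zone contents below are constructed.
"""


def canonical_key(name: str) -> tuple:
    """Sort key for canonical DNS order: labels reversed (apex first), lower-cased, bytewise."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def build_nsec_chain(zone: dict) -> list:
    """zone maps owner name -> list of type names present at that name.
    Returns (owner, next_owner, type_bitmap) triples in canonical order; the last
    NSEC points back to the apex, closing the chain."""
    names = sorted(zone, key=canonical_key)
    chain = []
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        types = sorted(set(t.upper() for t in zone[owner]) | {"RRSIG", "NSEC"})
        chain.append((owner, nxt, types))
    return chain


def covers(nsec: tuple, qname: str) -> bool:
    """True when qname sorts strictly between the NSEC owner and its next name.
    The last NSEC (next == apex) covers everything after its owner."""
    owner, nxt, _ = nsec
    q, lo, hi = canonical_key(qname), canonical_key(owner), canonical_key(nxt)
    if lo < hi:
        return lo < q < hi
    return q > lo or q < hi


def prove_nxdomain(chain: list, qname: str):
    """Return the NSEC proving qname is absent, or None if it exists (or is not covered)."""
    if any(canonical_key(o) == canonical_key(qname) for o, _, _ in chain):
        return None
    for nsec in chain:
        if covers(nsec, qname):
            return nsec
    return None


def prove_no_type(chain: list, qname: str, qtype: str):
    """qname exists but lacks qtype: return its NSEC (the type bitmap is the proof), else None."""
    for nsec in chain:
        if canonical_key(nsec[0]) == canonical_key(qname):
            return None if qtype.upper() in nsec[2] else nsec
    return None


def walk_zone(chain: list) -> list:
    """Follow next-name pointers from the apex. This enumeration is exactly why
    NSEC3 hashes owner names: plain NSEC reveals every name in the zone."""
    by_owner = {canonical_key(o): (o, n) for o, n, _ in chain}
    start = min(by_owner)
    names, cur = [], start
    while True:
        owner, nxt = by_owner[cur]
        names.append(owner)
        cur = canonical_key(nxt)
        if cur == start:
            return names


# Constructed sample zone.
ZONE = {
    "example.org.": ["SOA", "NS", "MX", "DNSKEY"],
    "www.example.org.": ["A"],
    "mail.example.org.": ["A"],
    "ftp.example.org.": ["A", "AAAA"],
}
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    for owner, nxt, types in CHAIN:
        print(f"{owner} NSEC {nxt} {' '.join(types)}")
    print("gopher.example.org. covered by", prove_nxdomain(CHAIN, "gopher.example.org.")[0])
    print("www.example.org. MX absent:", prove_no_type(CHAIN, "www.example.org.", "MX") is not None)
    print("walk:", walk_zone(CHAIN))
```

A query for `gopher.example.org.` is answered by the `ftp.example.org.` NSEC, because `gopher` sorts between `ftp` and `mail`; a query past the last name wraps around and is answered by the `www.example.org.` NSEC whose next name is the apex. A validator would additionally check the RRSIG over each NSEC it relies on, which this example does not model.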
new additional message header bits: the authenticated data (AD) bit. The validating resolver checks to make sure the chain is successful, and we'll see detailed examples of this shortly; if it can verify all of this, it sets the AD bit and returns it back to you. If you're asking an authoritative server it will not send you an AD bit; if you're asking a recursive server, a validating one, it will. Here's another one: let's say you are troubleshooting, you're testing, or simply it doesn't work because there is a problem; you could turn off the checking. So in your original query you use dig +cd, and basically it means "turn off the checking, just send me the information." The good advice is: if you rely on the AD bit, you're trusting whoever you ask and whatever is in between you and them; there's no way at this time to secure the AD bit itself, unless you use tunneling or some other mechanism, so you do the validation on your own, or you can use a TSIG between your stub and your resolver, for example, or if it's on your local system, between your stub and your server there.

So, a very quick summary of the keys: the keys are used to prove the integrity of the DNS data. The private key is used to encrypt; the private key is not shared via DNS, but the signature created with it is shared via DNS as the RRSIG. The public key used to verify it is the DNSKEY; there's a hash of that key which is stored in the DS record, which is stored in your parent. These two are associated, a DNSKEY and a DS, so they can verify that they have the DNSKEY and verify the same one in the signatures also. So this is the chain; this begins the chain of trust, the authentication chain. Now your validating resolver needs a starting point; depending on how far along this chain, there's an alternative called islands of trust which I'm not covering, but you need a starting point, and I'll show an example a little bit later. The starting points are trust anchors, a DNSKEY or a DS record; you retrieve it securely from a trusted source. Let's say you use Unbound: you trust the source code, so you'll trust them to provide you a starting point, this trust anchor, with the code; and if you don't trust them enough to use the key that they provide, then why use their code in the first place? I'll say the same thing about BIND. A broken chain: in some cases, if there's a broken chain, where there is a DS record in the parent but the child does not have DNSSEC set up, or it's wrong, then it just makes everything underneath invisible, a SERVFAIL. So if the chain is broken high up, let's say it's broken at a level like .com or a name under .com, all the labels underneath disappear. Remember the chain of trust may be built from data on a caching name server: all resource records have a time to live, they're going to live in your caches for a while, and so it doesn't need to recreate the chain of trust each time it has this information, and

it may not be getting it from the authoritative server every single time; it's already cached. Again, the weakest link defines the strength. So our trust anchor is the DNS root itself; it's been signed since July 15th 2010. There are more than 80 secure delegations provisioned in the root, for example .org, but there are many, Brazil and on and on. Now let's say you have signed: for the registry or registrar, how you should share the information to provision it in the root is by giving them a DS record, but a lot of that is still in flux; there's not a consistent way to share this information. If you need it, hurry up by encouraging your parent to provide a mechanism for you to get this information to them, because if it is manual every single time, let's say six hours or something like that, and you're in an emergency situation, a manual way to recover is not fast enough. So let's look at this trust chain example here.
Let me talk about this a little bit more. I use Joker.com, and I contacted them a few times, and yes, they have DNSSEC enabled, but they did not have any mechanism for me to share it with .org and things like that. The way I got into .org was via e-mails to the .org administrators, and so now I feel like there's no way I can maintain it that way. Luckily Joker recently enabled some new mechanisms, so I'm going to figure out Joker's APIs and see if I can work with those. Some of my coworkers use GoDaddy and they're able to get their DS records to their parents via GoDaddy, and there are others too; if any of you know of any, go ahead and share.

So let's look at this entire chain starting from the root. You can see it's really with the period, ".", that the DNSKEYs are signed; this is the beginning. In BIND 9 or another validator you have the trust anchor stored on your system, but then it also does a real query to make sure it gets it from the real source, or rather just to make sure that there's something there.

Then the next part of the chain is .org; it has a DS record, and notice the 21366, so remember that key ID. Then if you ask them for their DNSKEY, they have a number of keys, and one of these keys matches it. The reason there are a lot of keys is that some of them might not be used anymore, or some of them might be planned for the future, which is good advice: if one of your keys gets attacked, and it is the one that you use, it would be nice to already have a DNSKEY available so you can begin signing with it. This is important again because, OK, 900 seconds is not very long, but with your time to live these things are cached, so you plan ahead of time. Then the child, and
so going further down the chain, it goes on and on, and in this case we have a DS with 12892, and then we have a DNSKEY also with the same key ID 12892, and so you go to the child and ask it for that. Now this next slide is a bad example, because the parent and the child are served from the exact same server, so when you ask it, it's not giving you the in-between delegation; it's just going to give you the answer. So my point is we have a signature, and the key that was used to sign it was 3947, but it is not associated with the parent that I asked previously, so in this case you would figure this out by seeing that the full name has four labels and this one has three labels; it's the isc.org name that was the signer of it, so you can ask it for its DNSKEY. The validator does all these steps for you. Twenty minutes left.

So the results you get from the validation: if it has a trust anchor, if it has a chain of trust, and everything checks out with signatures and DNSKEYs and DS records in the parents, and all the signatures are verified, then that's called verifiably secure, and it can be marked with the authenticated data bit. It might be considered verifiably insecure: you have a verified reason that there's no chain of trust, you have proof that they're not providing the DS. I don't talk about that here, but if you have some way to prove it, one way is NSEC3, where you can opt things out of DNSSEC, or you have some proof that proves it doesn't exist, using NSEC for example. Then there's the case where you simply don't have a chain of trust. Now, in the case where the chain of trust is broken, it's supposed to be there, then you get what's called bogus. But bogus has so many different reasons: it could be an expired signature, unsupported algorithms, some missing data, something missing in the NSECs that should have been there; it may be a mistake, corruption, it might be spoofing, it might be an attack. There are so many different reasons, but sadly the only response the end user gets is SERVFAIL. So from the administrator's point of view it's hard to troubleshoot, and from the end user's point of view I'd say it's impossible unless they have some tools that do it for them. Then I mentioned invisible subdomains, for example. At this time there is no easy way for the resolver to report specific failure reasons; I believe there are some drafts to extend this so that they have a way to report the specific reasons. Right, so you want to set up DNSSEC,
and luckily Unbound and BIND 9 are both EDNS0 capable. Make sure your network, and even your upstreams or whatever, don't squash the EDNS0 traffic; remember I mentioned it's been 10 years and most devices handle it. Also you don't want them to squash other related traffic; I've seen many devices where you do a query for DNSKEY and the device will lock up, it just won't even respond, it doesn't know what to do, and this is common. Also there is an increase in traffic size: there will be a lot more requests and a lot larger responses; a lot more requests if it's not cached already, to build that trust chain. If you have high-volume DNS traffic, prepare for increased bandwidth needs. At this time most people are not hitting any type of problems with their resolvers, using up their disk space or traffic or memory, but if you're a larger validator, let's say Comcast or something like that, yes, they're hitting their limits and they have to roll out new validators all the time, so they should be prepared. I think a good rule of thumb is to plan for 10 times more traffic and 10 times larger zone files; when I say traffic, it depends on how you set up TTLs and things like that, but that's a one-time hit and it's not going to be continuous. Another thing is that DNSSEC is sensitive to time issues. If your clock is within an hour it should be fine, and you set up the tools to manage re-signing the signatures; if you sign 10 days in advance then you have a lot of leeway. But if your system clocks are easily off, you find that there is a bootstrapping problem: if you want to use NTP when you first start up your system, how are you going to get that information if you don't have DNSSEC? So that's a bootstrapping issue.

So, using BIND 9 as the example: dnssec-enable is already on by default, and dnssec-validation is also already on by default in all of the current stable versions. There is also a way to trigger it on and off using the rndc tool: validation on, validation off. So these are enabled by default, but just because they're enabled by default doesn't mean you're doing any validation. The very first step is you need to have a trust anchor, and if you have not configured a trust anchor manually, then it stops there. BIND 9 does include a trust anchor, and if you wanted you could copy and paste it into your named.conf file, or you just use the syntax here, dnssec-validation auto, and it will use what's called RFC 5011 updates; it will manage this as managed keys and try to keep it up to date. I don't know anything about the root rollovers, or if one has even happened yet, but we'll look at that later. Also you could use an alternative called DLV, DNSSEC look-aside validation; this is what we use for testing. We might use it in real production, not public-Internet real production but in your offices or with your customers. What it does is provide a way to look someplace else: you've looked at your parent, they don't have the information, so let's look someplace else, and they serve a record called the DLV record, which is just like the DS record; it provides a hash. There are several services that provide DLV, a DNS hosting one, and ISC does provide one, and I don't know how many people we have in there, there might be over a thousand or a couple thousand, so it's a good way for you guys to start testing if you want to see it with DLV before you can convince your parents to get your DS records in place. Testing validation: the first thing to note is that once your trust anchors are in place, any query, regardless of whether it's using DNSSEC, your validator might already have it enabled and does the validation. But if you want to do it from the command line you can use dig +dnssec,

and then this answer came back; it has an extra flag, and in this case the AD, authenticated data. I mentioned also earlier that you can disable the checking by using CD: if you get SERVFAIL back, try it with +cd, and with CD you get the information. Cruising along, a lot of information to cover here. Enabling it on the server side: it's already enabled by default, it's ready to go; if someone sends a query with the DO bit set, saying "send me the DNSSEC traffic", your BIND server is already ready to go; if your BIND server has signatures it's going to send them. An important note: make sure your secondaries also have it enabled and supported. I have seen this be a real problem: if you have a DS in the parent saying "yes, it's signed", but then all your secondaries don't provide the information, then it's also going to return SERVFAILs and make it invisible. So make sure your secondaries support it; test all of them. So here's the
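The two-step check the talk recommends (look at the AD flag on a normal answer; on SERVFAIL, repeat the query with +cd to see whether the data exists at all), as an added example that is not from the talk or from ISC. It parses the header lines of dig output; the transcripts below are constructed and trimmed to the lines that matter. As the speaker notes, AD is only meaningful when the path to the resolver is trusted (local, or protected by TSIG), since the bit itself is not signed.

```python
"""Classify a DNSSEC lookup from dig headers: AD on success, +cd retry on SERVFAIL.

Added example, not code from the talk or from ISC. The dig transcripts are
constructed and trimmed to the header lines that matter.
"""
import re

STATUS_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:\s*([a-z ]*);", re.MULTILINE)


def parse_dig_header(output: str) -> dict:
    """Pull the rcode, the header flags and the EDNS flags out of a dig transcript."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    edns = EDNS_RE.search(output)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
    }


def classify(normal: str, with_cd: str = None) -> str:
    """What the resolver told us. AD is only trustworthy from a resolver you trust
    over a path you trust; it is a header bit, not a signed value."""
    hdr = parse_dig_header(normal)
    if hdr["status"] == "NOERROR":
        if "ad" in hdr["flags"]:
            return "secure: resolver validated the answer (AD set)"
        if "do" not in hdr["edns_flags"]:
            return "unknown: query did not set DO, so no DNSSEC data was requested"
        return "insecure or unvalidated: no AD (unsigned zone, no trust anchor, or non-validating resolver)"
    if hdr["status"] == "SERVFAIL":
        if with_cd is None:
            return "servfail: repeat the query with +cd"
        cd = parse_dig_header(with_cd)
        if cd["status"] == "NOERROR":
            return "bogus: data is served but failed validation"
        return "servfail with +cd too: resolver or authoritative problem, not validation"
    return f"other rcode: {hdr['status']}"


# Constructed dig transcripts (headers only).
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""
FAILED = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""
CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1236
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""
NO_DO = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1237
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    print(classify(SECURE))
    print(classify(FAILED))
    print(classify(FAILED, CD_OK))
    print(classify(NO_DO))
```

The interesting case is the third one: SERVFAIL on the normal query but NOERROR with +cd means the authoritative side is serving the records and the validator rejected them, which is the "bogus" outcome the talk describes and where you start looking at expired signatures or DS mismatches.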
fun part, the real problems in the world. I've been troubleshooting this for years; I see different situations and troubleshoot as much as I can, but there are also mailing lists where people point out whenever they see problems; it's interesting, and there are a variety of different reasons. So I'll go through these very quickly. One zone's signing tool had a bug, so the new signatures were not published, the expiration dates passed, and they lost the DNS for whoever was validating. They had a known failure, so they turned off the monitoring; then the real thing came along and they didn't notice it. ip6.arpa then had a mismatch between the DS and the DNSKEY. .gov had signatures expiring. .kg and .th had start times in the future; to use the tools correctly they should use UTC time, and something was off, so they started serving, and validators that were set up then would lose everything. The thing is, right now there are not a lot of zones using DNSSEC, so it doesn't hurt a lot of people, but potentially it can be really bad. .us had expired signatures: their key management system was automated but removed the old key from use, and they never re-signed the records previously signed with it, and so what happened is caches had a mismatch of signatures and keys.

.uk had a similar thing: a failure in their hardware security module, so it failed over to an alternative way of doing the signing with a different signing key, so there was a mismatch. Then .uk had another mismatch in their failover. Another one: the parent announced that mozilla.org was signed, but mozilla.org was not signed yet, so they published it in the wrong order, and so DNSSEC implementers could not get to mozilla.org, as an example. In these examples I didn't put the time; on these things, if you're using somebody else's validator and the time to live was two days, you are out for that time; you know what to do, you do the switchover, but a regular user would have no idea where to even begin; they'd call the ISP, and they wouldn't know. It's pretty tough.

Now some more examples: .gov. This is a really important one. When .gov first started, they shared the keys with many people who manually configured them; there were some government rules where everybody had to deploy .gov, but it wasn't in the root yet, and so everybody in .gov had configured it in their validators manually. Then they started rolling keys and, yes, started breaking things; this is manual versus automated. .us had some crypto errors generating signatures. Someone provided a DS based on a key that wasn't even available via DNSKEY. A whole lot of .gov sites have had problems over the past couple of years. NASA signed with an old key. ISC had some

problems too. They overlooked some reported errors, and so a mailing list server's zone expired; that's a list used by people playing with DNSSEC, so they noticed it. Also some implementations of validators, checking all the DNSKEYs and checking the DS records, were so exhaustive and aggressive that in certain scenarios, what we call "rollover and die", it is an amplification attack: over 40 thousand requests for a single query. And also in some cases, like when .net introduced a new DS record, it caused validation problems until the cache expired, so some of these are rollover related; a learning experience, but we're not the only

ones. So just to summarize, these are common problems: automated maintenance program failures not detected; a DS that does not match the DNSKEY; signatures expired; signatures that haven't even reached their start time yet; slave servers not knowing DNSSEC; failover systems using different keys that weren't published yet; a ZSK used for signing but the key not available to the public. The last point here is important: time to lives versus expirations. You might have signatures that expire, but if the time to live is a lot longer, it's cached for a long time, so your validator has to wait that time; and the expiration time also. So, very quickly, the command line tools: dnssec-keygen, dnssec-signzone, dnssec-settime, dnssec-revoke, dnssec-dsfromkey, dnssec-keyfromlabel, nsec3hash. I won't be covering all of these. dnssec-settime itself is something used by administrators, not part of the protocol, but it helps manage keys. The two tools you use for playing around are dnssec-keygen and dnssec-signzone,
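The RRSIG fields from the earlier slide and the failure classes just summarized (expired signatures, inception times in the future, a key tag with no matching DNSKEY, TTLs that outlive the signature), combined into one added example; this is not code from the talk or from BIND. It parses RRSIG RDATA in the presentation format dig prints and applies the one-hour clock tolerance the speaker mentions. The sample record is constructed; its signature field is a placeholder and no cryptographic verification is done, since the point here is the metadata checks a troubleshooter runs first.

```python
"""RRSIG metadata checks a troubleshooter runs when a zone goes SERVFAIL.

Added example for this talk, not BIND's code. Parses RRSIG RDATA as dig
prints it (type covered, algorithm, labels, original TTL, expiration,
inception, key tag, signer, signature) and flags the failure classes the
talk lists. Sample data is constructed; the signature is a placeholder and
is not cryptographically verified.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RRSIG:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: str


def parse_sigtime(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC; signing with local time shifts them."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rdata: str) -> RRSIG:
    """Note the field order: expiration comes before inception, as on the wire."""
    f = rdata.split()
    return RRSIG(f[0], int(f[1]), int(f[2]), int(f[3]), parse_sigtime(f[4]),
                 parse_sigtime(f[5]), int(f[6]), f[7], "".join(f[8:]))


def label_count(name: str) -> int:
    """Labels in a name, excluding the root."""
    return len([l for l in name.rstrip(".").split(".") if l])


def wildcard_expansion(owner: str, sig: RRSIG) -> bool:
    """A labels field smaller than the owner's label count means the answer was synthesized from a wildcard."""
    return sig.labels < label_count(owner)


def check_rrsig(owner: str, ttl: int, sig: RRSIG, now: datetime,
                known_key_tags, skew: timedelta = timedelta(hours=1)) -> list:
    """Return problem descriptions; an empty list means the metadata is consistent.
    skew is the clock tolerance: the talk suggests being within an hour is fine."""
    problems = []
    if now + skew < sig.inception:
        problems.append("inception in the future")
    if now - skew > sig.expiration:
        problems.append("signature expired")
    if sig.key_tag not in known_key_tags:
        problems.append(f"no DNSKEY with key tag {sig.key_tag}")
    if ttl > sig.original_ttl:
        problems.append("ttl exceeds original ttl")
    remaining = (sig.expiration - now).total_seconds()
    if remaining > 0 and ttl > remaining:
        problems.append("ttl outlives signature")
    if sig.labels > label_count(owner):
        problems.append("labels field exceeds owner name")
    o, s = owner.lower().rstrip("."), sig.signer.lower().rstrip(".")
    if s and o != s and not o.endswith("." + s):
        problems.append("signer is not a parent of the owner")
    return problems


def check_rrsig_at(owner: str, ttl: int, rdata: str, now_str: str, known_key_tags) -> list:
    """Convenience wrapper taking 'now' in the same YYYYMMDDHHMMSS UTC form as the record."""
    return check_rrsig(owner, ttl, parse_rrsig(rdata), parse_sigtime(now_str), set(known_key_tags))


# Constructed sample: an A record at www.isc.org. signed by isc.org.'s key 44016,
# valid 2012-02-01 to 2012-03-01. The signature field is a placeholder.
SAMPLE_RRSIG = "A 8 3 3600 20120301000000 20120201000000 44016 isc.org. cGxhY2Vob2xkZXI="

if __name__ == "__main__":
    for when, ttl in (("20120215000000", 3600), ("20120131000000", 3600),
                      ("20120302000000", 3600), ("20120229233000", 3600)):
        print(when, ttl, check_rrsig_at("www.isc.org.", ttl, SAMPLE_RRSIG, when, {44016}) or "ok")
```

The last run in `__main__` is the TTL-versus-expiration case from the summary: half an hour before the signature expires, a 3600-second TTL means caches will still be handing out the record after its signature is dead, so a re-signing schedule has to stay ahead of the TTL, not just the expiration.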
and from the server side, without the tools, some of the features: you can add these via dynamic DNS; also, adding records via dynamic DNS, it can sign those on the fly; also, depending on the keys you provided, it can sign the entire zone via dynamic DNS. We provide DLV, the alternative trust anchor I mentioned; RFC 5011 support; also we have support for different crypto hardware, hardware security modules. Now we have automatic re-signing on expiration of dynamic signatures, so it doesn't wait until they expire but can do it ahead of time; publishing and removal of new and old keys; and randomized, scaled signature regeneration over time. This is important: say you have a hundred that expire at the exact same time; BIND 9 will look at it and start re-signing those, scaled or randomized over time, so it all gets done before it's needed, because it can't afford to re-sign everything at the same moment, that's a lot of work.

We have inline signing support: it can automatically sign and re-sign zones that you maintain with other tools; the other tools you already use don't know anything about DNSSEC, so you can use inline signing to do this for you. And also, let's say you bring in a zone as a secondary, you can use inline signing to sign it for you, and so it's a nice way to deploy DNSSEC without learning it first. So, as I mentioned, keygen generates the keys, a private and a public; it generates local files, so you should get into a policy of maybe having different directories for every single zone; a lot of people already do that; that is the way to clearly manage it.

And just very quickly: you run the keygen tool, you can forget about the options here, but you tell it the zone, the name of the zone, and it creates the keys. So we have the original zone file, very small, and we had a couple of keys here, and you can see, looking at the public one, this is the key that you would put in the file to start publishing, and you could put it in the file also; that's one slide ahead. So then you also will create a key that will be used for that DS record, and this is not used for all of your individual signatures but only for what's called the apex of the zone, and again, this is only for management; validators don't care about this. But let's say you want to change the key for all of your own records: you wouldn't want that to be the same key that was used in your parent's published DS, because then you have to work with them and change it at the same time. Now, if
I'll go for one more minute. So, are all your random devices adequate? On some devices it takes so long; I just use urandom, but there's something to consider here, randomness devices. The algorithm choice: these are from the surveys, so you can see the algorithm choices and the key lengths used by the zones that exist right now that are signed. An easy way to do it is to use the $INCLUDE macro to load it, or just manually put that DNSKEY into your zone; so that's the first step.

The second step is to run the dnssec-signzone tool; it can increment the SOA serial for you. You give it the name of the zone and it creates new files: a dsset file, which is what you give your parents, and your zone file with the extension .signed. The original file was about 2 thousand bytes and this new file 24 thousand. And in your configuration, well, if you just have the file pointing to your previous one, in my case I'm setting it to the signed version, so I give it that new file name. So you see, just a few steps, very easy to do. At this time you could do an rndc reload for the zone name, or restart the name server if you wanted, and if it's working you can start troubleshooting. And the DS records: this is what they look like; again, you share these with your parents; there's no standard mechanism yet for sharing with your parents.

Well, no time, so let me just quickly look. So, very quickly here: I got SERVFAIL and I don't know what to
do so I could queered again using the
CD flag I get the information so even though the validator of failed CD allow you still get the information like signature in this case exceed the date it would already expired is just an example and I I did this just for fun for testing I have another thing
and from an industry point of view there is very, very verbose logging. After a flash, one look at 104 lines of logging. But the thing is, does that help anybody except the administrator? And so Comcast, for example, has reports every single week now of validation problems, so it's an interesting point to point out to them.
Is it complex to implement? Yes, but you could implement something basic, configured in 20 minutes. It has a very steep learning curve, but if you use the defaults, again, it should be easy to do an initial deployment. The resource requirements are not significant unless you are extremely close to your peak right now. But there are several RFC documents about it you might want to look at: RFC 4641, or the draft that is replacing it, the operational practices. I'm out of time. I had a bunch of tcpdumps that show one more example of that, if anybody wants to look at that. Or does anybody have any questions at this time? Yes, I could put them online. Any other questions? OK, so
or something. In the long run you might want to, but in the short term you might get around it by just creating the keys only and then using that bump-in-the-wire service. In the, you know, we have a BIND version there that is an alternative to this example, the very short and quick one: run dnssec-keygen twice, one for your own keys in your own zone, then one for the key for the chain of trust, for the DS. Then in named.conf, because there are two more entries here, inline-signing yes and auto-dnssec maintain; once that's enabled, boom, it'll sign. And you know you may have journal files before, doing dynamic updates; it's the same concept as a journal file, a separate zone file that it keeps in sync with your original. That answers your question.

In others, yeah, I was less on the DS record. Yeah, but, well, there's no chain created yet until the parent has the DS record, so you can set up inside all you want; the chain only exists when the DS record is there, and so it doesn't break. It's just if the DS record got removed, it would break. And so you could just go without it, yes. And no, one way to test again is using the, or I did show an example here, but manually pasting your DNSKEY into your named.conf file on your validator, so you can have a beginning of trust. Any other questions? I will try to deploy DNSSEC the next year, within the next year. Cool, cool. And feel free to ask as many questions as you want, or if you use the mailing list for doing that, there's a lot of helpful people that could help you out troubleshooting. Thank you so much for listening to my presentation.
