light traffic zones
• Heavily distributed network (34 data centers): we would have to continuously distribute huge amounts of RRSIG data to the edges, or sign everything everywhere.
• Dynamically generated records: CloudFlare generates dynamic records all the time, which can’t be predicted and signed offline (think attack rerouting, geolocation-based answers).
• Zone walking protection: NSEC3 does not provide any actual confidentiality. NSEC5 is not here yet.
written in Go
• Resilient against attacks and abuse
• No zonefiles: records are pulled from a global distributed database
• Full featured (dynamic answers, CNAME flattening, …)
• DNSSEC is just a “filter” applied to the answer
are > 3x faster than RSA1024 (measured on OpenSSL 1.0.2 on our servers)
• We (Vlad Krasnov) ported OpenSSL ASM to Go: 21x speedup for the sign: https://go-review.googlesource.com/#/c/8968/
• Bonus: small signatures, small keys, modern crypto!
• Supported by most validators, working on registrars
for online signing:
• Generate an NSEC on the name’s immediate predecessor, covering up to the successor (RFC 4471)
• Same with the wildcard
• Solves: zone walking, database lookups
• Still, 2 signatures to say one thing :(
difference between an NXDOMAIN and an empty non-terminal with a special RRType in the NSEC bitmap: https://datatracker.ietf.org/doc/draft-ogud-fake-nxdomain-type/
missing type on an existing name, we still need to query the database for the NSEC bitmap
• That’s not even always possible! (Dynamic answers)

filippo.io. 3600 IN NSEC \003.filippo.io. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
an NSEC? A denial of existence.
• “The types not in the bitmap don’t exist”
• So, let’s make a “minimally covering” one, by setting all possible bits in the bitmap!

filippo.io. 3600 IN NSEC \003.filippo.io. A NS SOA WKS HINFO MX TXT AAAA LOC SRV CERT SSHFP IPSECKEY RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF
there’s no TXT? Set all the other bits that might exist.
• The NSEC is a valid denial for TXT, and is useless for an attacker who wants to replay it for other queries.
• No useless database lookups! Actually, no need to see the database from the signer at all.
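As an added example (not code from the slides or from CloudFlare’s DNS server), here is the “minimally covering” NSEC built and checked in Go: the type bitmap wire encoding follows RFC 4034 section 4.1.2, the type codes are the IANA values, and the “\003” successor label and the candidate type list are taken from the records shown above.

```go
package main

// EncodeTypeBitmap encodes RR types as RFC 4034 section 4.1.2 window blocks, in
// ascending window order: window number, octet count, octets (bit 7 of octet 0 is type window*256).
func EncodeTypeBitmap(types []uint16) []byte {
	windows := map[byte][]byte{}
	for _, t := range types {
		w, lo := byte(t>>8), byte(t&0xff)
		for len(windows[w]) <= int(lo/8) {
			windows[w] = append(windows[w], 0)
		}
		windows[w][lo/8] |= 0x80 >> (lo % 8)
	}
	var out []byte
	for w := 0; w < 256; w++ {
		if bm, ok := windows[byte(w)]; ok {
			out = append(append(out, byte(w), byte(len(bm))), bm...)
		}
	}
	return out
}

// HasType is the validator-side check: does the bitmap assert type t? (A window block that claims more octets than are present asserts nothing.)
func HasType(bitmap []byte, t uint16) bool {
	for i := 0; i+2 <= len(bitmap); i += 2 + int(bitmap[i+1]) {
		if w, n := bitmap[i], int(bitmap[i+1]); w == byte(t>>8) && i+2+n <= len(bitmap) {
			return int(t&0xff)/8 < n && bitmap[i+2+int(t&0xff)/8]&(0x80>>(t%8)) != 0
		}
	}
	return false
}

// BlackLieNSEC returns the next owner name and type bitmap of a minimally
// covering NSEC: every candidate type except the denied one stays set, so the
// record denies exactly one (name, type) pair and replaying it denies nothing
// else. The "\003" successor label mirrors the record shown on the slides.
func BlackLieNSEC(owner string, denied uint16, candidates []uint16) (string, []byte) {
	var keep []uint16
	for _, t := range candidates {
		if t != denied {
			keep = append(keep, t)
		}
	}
	return "\\003." + owner, EncodeTypeBitmap(keep)
}

// IANA codes for the candidate list on the slides: A NS SOA WKS HINFO MX TXT AAAA
// LOC SRV CERT SSHFP IPSECKEY RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF.
var CandidateTypes = []uint16{1, 2, 6, 11, 13, 15, 16, 28, 29, 33, 37, 44, 45, 46, 47, 48, 52, 55, 61, 99}
```

Denying TXT (type 16) at filippo.io. yields a bitmap with every other candidate bit still set, so the same signed record cannot be replayed to deny A, MX or anything else.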
the ZSK at the edge (for now)
• Protect the KSK: keep it in a safe, central, auditable machine; distribute the signed DNSKEY sets to the edges
• Short regular RRSIG validity, longer for DNSKEY
• Prepared to roll the ZSK fast at any time
have millions of ZSKs and KSKs: all would be used/stored/rolled together
• Use a single KSK and a single ZSK with multiple names

filippo.io. 3600 IN DNSKEY 256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==
cloudflare-dnssec-auth.com. 3600 IN DNSKEY 256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==