Painless DNSSEC-signing

Transcript

1. Painless DNSSEC Signing LOAD12 Antwerp, BE March 2012 Jan-Piet Mens

   mens.de

2. DNS used to be easy Set up a name server.

   Any name server. Add a zone or two @ 3600 IN SOA u.example.net. noc.example.net. ( 1 86400 10800 3600000 3600 ) 86400 IN NS c.example.net. 86400 IN NS a.example.net. 3600 IN MX 10 mail.example.org. www 3600 IN A 10.0.1.2 mail 3600 IN A 10.0.1.3 Done If it worked, it worked for ever and a day

3. DNS has become a wee more complex DNSSEC is DNS

   with signatures "www.example.net is at 10.0.1.2 (TM)" Set up a server which supports DNSSEC Create a zone (or two) Create private and public keys Sign the zone Submit DS to parent Monitor Rinse and repeat

4. New DNS records DNSKEY Public key Key algorithm and data

   DS Signature of the DNSKEY Contains key tag and hash Located in parent zone RRSIG Signature of an RRset Valid for a particular time only (inception, expiry) NSEC/NSEC3 Prove non-existence (NXDOMAIN)

5. NSEC vs NSEC3 NSEC3 NSEC www mail imap smtp imap

   mail smtp www www mail imap smtp 117f d4f1 626a 2d7c 117f 2d7c 626a d4f1 sort hash sort

6. Authenticated denial of existence NSEC Proves non-existence using signed record

   that indicates nothing between "ldap" and "mail". NSEC data generated for the whole zone Zone becomes "walkable". (Privacy policy?) NSEC3 opt-in Proves non-existence using signed record that indicates nothing is between H("ldap") and H("mail") in hash order. NSEC3 opt-in data is generated for the whole zone NSEC3 opt-out Same as opt-in, but NSEC3 opt-out is not generted for whole zone but only for authoritative data and for delegation to signed zones. e.g. .FR has around 4M records but only handful of signatures

7. Open-Source Signers BIND smart-signing auto-sign DNSSHIM OpenDNSSEC PowerDNS (>= 3.0)

   Other utilities

8. BIND Create keys $ mkdir /var/named/e; cd /var/named/e/ $ dnssec-keygen

   example.org $ dnssec-keygen -f KSK example.org

9. BIND: Configure server for auto-sign Automatic zone signing (BIND >=

   9.7) zone "example.org" in { type master; file "e/example.org"; auto-dnssec maintain; key-directory "/var/named/e"; update-policy local; }; BIND daemon (named) automatically signs zone "maintain" means sign as new records are updated (RFC 2136) If keys are available in key-directory, adding DNSKEY records, performs key rollover

10. BIND: Inline signing BIND >= 9.9 zone "example.org" in {

    type master; file "example.org/zone.db"; auto-dnssec maintain; inline-signing yes; key-directory "/var/named/e"; }; master zone.db zone.db .signed slave slave

11. PowerDNS Supports pre-signed zones or live-signing operations Otherwise zone data

    and keys/signatures separate Some changes in database schema Small change in configuration launch=gpgsql gpgsql-dnssec gpgsql-host=127.0.0.1 gpgsql-user=powerdns gpgsql-password=secret gpgsql-dbname=powerdns Off we go: $ pdnssec secure-zone example.org That’s it. Honest!

12. PowerDNS (cont’d) Can import existing (BIND) keys (v1.2) Keys are

    in back-end database (gmysql, gpgsql, gsqlite) and need to be protected It’s a bit like a private key for your HTTPS server Alternatively run in pre-signed mode Encrypted file system Supports NSEC and NSEC3 Signatures (RRSIG records) are calculated on the fly Inception: previous Thursday Expiration: Thursday two weeks later No issue if PDNS is authoritative, but watch out if hidden master No DNSSEC relevance: PDNS 3.x also has TSIG for AXFR

13. PowerDNS: modes of operation Authoritative In-line signer DB Slave signed

    PDNS Master unsigned clients clients NOTIFY AXFR Lua Lua script on AXFR Consistent SOA, NS RRset Timestamp http://mens.de/:/c8

14. PowerDNS: pdnssec New utility: pdnssec $ pdnssec secure-zone $z #

    creates 3 keys $ pdnssec show-zone $z # output formatted Zone has NSEC semantics Zone is not presigned keys: ID = 7 (KSK), tag = 41120, algo = 8, bits = 2048 KSK DNSKEY = example.org IN DNSKEY 257 3 8 Aw..5uc8= DS = example.org IN DS 41120 8 1 3296abd...b93 DS = example.org IN DS 41120 8 2 4bb00a5...fa1b78b DS = example.org IN DS 41120 8 3 3c01686...50be3e4 ID = 8 (ZSK),tag = 50853,algo = 8,bits = 1024 Active: 1 ID = 9 (ZSK),tag = 8751,algo = 8,bits = 1024 Active: 0

15. Verify your zones! DNSViz http://dnsviz.net/

16. Testing & verification Configure island of trust in Unbound (or

    BIND) to test your authoritative server DNScheck http://dnscheck.iis.se/ ZoneCheck http://zonecheck.fr DNSSEC Debugger http://dnssec-debugger.verisignlabs.com/ YAZVS (Yet Another Zone Validation Script) http://yazvs.verisignlabs.com/ DeNIC NAST http://www.denic.de/en/background/nast.html SURFnet DNSSEC monitor http://www.dnssecmonitor.org/

17. How to choose a signing system Define required level of

    automation Number and size of zones Required security Keys on file system Hardware Security Module Define Policies Key lengths & algorithms Signature lifetimes Key rollovers

18. Lessons learned Always use recent software releases, even if it

    means building your own Monitor. More than you ever did When choosing your signing platform, throw things at it You need lots of random data (hw dongles) Get a good calendar & reminder program Choosing an HSM is a PITA DNSSEC means more data, more CPU, and more traffic. Oh, and more problems Keep your system clocks in sync You can’t just turn DNSSEC "off" Did I say use recent software releases?

19. #FAILs Date TLD Signer Reason 20080528 NL OpenDNSSEC Partial zone

    published 20091013 SE ODS+BIND Corrupt zone published (not DNSSEC) [2] 20101007 BE Homebrew Expired signatures [4] 20100604 ARPA ? Expired signatures [5] 20100913 UK OpenDNSSEC Signing failure upon failover (HSM) [3] 20100512 DE Java Partial zone published (not DNSSEC) [1] 20110212 FR ODS+BIND Invalid sigs on NSEC3 disprove DS (BIND bug) 20110215 e164 Secure64 No RRSIG on KSK [6] 20110222 KG ? RRSIG inception times hours in future [7] 20120118 NASA.GOV ? KSK rollover w/o DS submission [8] @npua: Extrapolation: If you don't hit an operational snag, DNSSEC will get you 1: http://www.denic.de/denic-im-dialog/mailinglisten/public-l.html?url=msg04454.xml 2: http://royal.pingdom.com/2009/10/13/sweden%E2%80%99s-internet-broken-by-dns-mistake/ 3: http://www.nominet.org.uk/registrars/systems/serviceannouncements/?contentId=7872 4: https://lists.dns-oarc.net/pipermail/dns-operations/2010-October/006166.html 5: http://dnssec-deployment.org/pipermail/dnssec-deployment/2010-June/003881.html 6: http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-March/004842.html 7: http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-February/004816.html 8: http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf @nerdybits

20. Further reading DNSSEC Operational Practices, version 2 http://tools.ietf.org/html/ \ draft-ietf-dnsop-rfc4641bis-06

    ENISA Good Practices Guide http://www.enisa.europa.eu/act/res/ \ technologies/tech/gpgdnssec NIST Secure Domain Name System (DNS) Deployment Guide http://csrc.nist.gov/publications/PubsSPs.html

21. Further reading Alternative DNS Servers, UIT, 2009, Jan-Piet Mens http://mens.de/:/altdns

22. Thank you Questions?

23. Whoami $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr ;; ANSWER SECTION: 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575

    IN NAPTR 3 10 "u" "E2U+http" "!^.*$!http:mens.de!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 3 20 "u" "E2U+http" "!^.*$!http:jpmens.net!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 4 10 "u" "E2U+mailto" "!^.*$!mailto:[email protected]!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 1 10 "u" "E2U+sip" "!^.*$!sip:[email protected]!" . 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa. 3575 IN NAPTR 2 10 "u" "E2U+tel" "!^.*$!tel:+491718033011!" .