Beruflich Dokumente
Kultur Dokumente
Agenda
Why should I care about DNSSEC? High-level overview of DNSSEC Using RHEL 6 / BIND 9.7 to validate secured zones Using RHEL 6 / BIND 9.7 to publish secure zones Troubleshooting DNS in a DNSSEC world Learning more....
Expected Background
This session is targeted at an audience already familiar with standard DNS operation To get the most out of this session, participants should already be familiar with
The basic operation and terminology of DNS The configuration of nameservers using BIND 9 System administration with Red Hat Enterprise Linux
How we map human-friendly names to IP addresses, mail exchangers, and other critical information
Bad guys forge DNS to map names to their IP addresses, mail exchangers, and forged information Cache poisoning attacks and pharming
Authentic responses can be validated Forged responses will fail to validate, can be ignored
Public key encryption is used to sign zones We have four (well, five) new resource records
Signs all resource records with the same name and type
For example, all A records for www.redhat.com The resulting signature is stored in a RRSIG record The public part of the ZSK is in a DNSKEY record Signs all Zone Signing Keys in the zone Public KSK is also stored in a DNSKEY record in the zone Hash of the KSK is stored in a DS record in the parent zone
DNSKEY records for ZSK and KSK RRSIG records for resource record signatures NSEC or NSEC3 records to validate NXDOMAIN responses
DS record for the KSK for the signed child zone Its own normal records and DNSSEC records
Have local copy of KSK for root zone (trust anchor) In root zone
Verify KSK is still present as a DNSKEY in . and is still valid Get other DNSKEYs (ZSKs) for . and validate with root KSK Get DS for .org and validate with a DNSKEY (ZSK) from . Get DNSKEY (KSK) matching the DS for .org Get DNSKEYs (ZSKs) for .org and validate with .org KSK Get RRSIG for www.org A records and validate with the right DNSKEY (ZSK)
In .org zone
Planned to happen July 15, 2010! RHEL 6 will ship the correct key when it is published
Many TLDs are now signed .org registrars expected to accept DS records very soon
If your TLD isn't signed or accepting DS records yet, there is a temporary workaround (DLV) which we'll talk about in a bit....
Deploying DNSSEC
Recursive nameserver that validates DNSSEC zones Authoritative nameserver that serves DNSSEC zones
Insecure: from a normal unsigned zone Secure: from a signed zone, validates correctly Bogus: signature fails to validate, or zone is unsigned but parent says it should be signed
Insecure and Secure results are returned normally Bogus results are suppressed: SERVFAIL
Will auto-update to current key on startup if this is valid RHEL 6 expected to set this when the root key is available (after July 15)
Edit /etc/named.conf
listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; allow-query { any; };
Create a normal DNS zone file Generate the zone-signing key and key-signing key Add DNSKEY records for both keys to the zone file Sign the zone (creates RRSIG and NSEC/NSEC3) Point /etc/named.conf at the signed zone file Reload the zone Provide DS record for zone's KSK to your parent zone
(We'll talk about what to do if your parent zone is not yet signed in a moment....)
/etc/named.conf is the main configuration file /var/named contains zone content and supporting files Easiest to set up DNSSEC if each signed zone has its own directory, and zone file has same name as zone
/var/named/example.com/example.com would be the zone file for the zone example.com Directory and zone file needs to be readable by group named, have SELinux type named_zone_t
Both dnssec-keygen commands should add the -3 option if you want to use NSEC3 records
Kexample.com+005+00000.{key,private}
dnssec-signzone example.com
Add -3 option if you want NSEC3 records Active keys in the zone are automatically used Creates example.com.signed file
BIND 9.7 has a number of new features to support automatic signing on dynamic update, key rotation management, and so on...see the documentation in /usr/share/doc/bind-9.7*/arm/
or
rndc reload
If the parent zone is DNSSEC signed and ready, provide your zone's DS record to your registrar You can generate it from your zone file if necessary
When the registrar for your parent zone is NOT ready to accept DS records, you can temporarily register your DNSSEC public keys with ISC's DLV registry
Opt-in service to allow validation by recursive resolvers before there is a signed DNSSEC chain from the root to your zone
RHEL 6 BIND validating resolver configuration uses this service by default See https://dlv.isc.org/ for more information
Troubleshooting
Validation is done by its nameserver; if validation fails the server simply sends no records
dig can be used to determine if you're not getting records because the zone is bogus
Add +cd to the dig command line; if you weren't getting records before but that works, the records are being suppressed because the zone is failing validation
The response for the name invalid.example.com is being reported as bogus here. By adding the +cd flag we get to see the bogus information which failed validation.
You can clear your nameserver's cache if you think it has been cache poisoned
Mismatch between your zone's DS in parent zone and your zone's DNSKEY for KSK Your key may have expired
If your DNSKEYs expire, your zone vanishes Replacing the ZSK DNSKEY is easy
Start using it at least (TTL + replication delay) before removing the old one!
You have to update the parent zone DS record too Otherwise rules for ZSKs also apply
You are running NTP, right? If your time synchronization is bad, DNS messages may not properly validate due to replay protection
Network Filters
Filtering firewalls, routers, and load balancers may break DNSSEC traffic
Must allow EDNS0 UDP packets over 512 B in size Must allow TCP DNS traffic Must not rewrite the DNS packets
BIND 9.7 has many more features to simplify DNSSEC zone management
When creating keys, you can set parameters to indicate when they should start being used to sign and when they expire and should be removed You can set zones to automatically sign dynamically added records, and to automatically rotate keys The key for the root zone and other trust anchors can be updated automatically (RFC 5011)
References
Supporting Material
One of two record types are used to validate that a name does not exist:
NSEC records are smaller, but allows all names in the zone to be discovered efficiently through DNS lookups NSEC3 makes zone enumeration harder, but requires larger records (performance impact) and are newer
You can also set a trust anchor for your own zone if you are using DNSSEC but your parent is not signed
Good practice even if you have a DS record at your parent so that you aren't dependent on it The trusted-keys directive in this example will need to be manually updated when the ZSK changes