APNIC 29 APRICOT 2010 Banner

DNSSEC tutorial

Presented by Phil Regnauld (NSRC) [bio] and Hervey Allen (NSRC) [bio]

[slide pack 1]
[slide pack 2]
[slide pack 3]
[slide pack 4]

While DNS is, perhaps, one of the most fundamental components of a healthy and safe Internet it is also vulnerable to a number of different types of attacks.

As the revelation of the Kaminsky Exploit in 2008 showed the traditional DNS trust model leaves this core piece of Internet infrastructure open to potentially devastating attacks.

DNSSEC is an update to the traditional DNS system. DNSSEC uses public-key cryptography to update the DNS trust model to ensure verifiable DNS responses to requests from clients.

In this 1/2 day tutorial we will cover the following:

  • Problems with DNS:
    • DNS cache poisoning
    • Nameserver hijacking
  • The basics of DNSSEC, one solution available now.
    • New DNS Resource Records (DNSKEY, RRSIG, NSEC and NS).
    • Two new packet headers (CD, AD)
  • How to sign DNS data:
    • KSK and ZSK keys.
  • Operational Aspects:
    • Signing the root
    • Trust anchors
    • DLV and ITAR
    • Key management
    • Key rollover
    • Zone crawling issues
    • Available toolsets
  • Registry-registrar aspects:
    • EPP or other extensions to support DS records
    • Support for authenticated key updates.
    • Turning on/off DNSSEC and the impact
  • What isn't solved:
    • Man-in-the-middle attacks where everything is spoofed.
    • Need to trust the resolver
    • DoS attacks
    • Data is not encrypted
  • Application side:
    • Up-the-stack notification. How do we handle failures?
    • Need more info from the stub resolver
    • More than one protocol available.
  • Status today
    • Root signing discussion (NTIA NOI)
    • Signed TLDs include .br, .cz, .gov, .museum, .org, .pr, .se, etc.
  • Summary

Attendees will see a hands-on demonstration of securing a zone using DNSSEC. This will include key generation, updating of the zone file, configuration of a forwarding resolver, publishing the zone and verification of the newly signed zone. Step-by-step instructions using a DNSSEC toolset (tbd) will be made available to all attendees.

We are likely going to use a vmware setup to allow attendees to participate in the zone signing and key rollover demonstration.