Tutorial: DNSSEC

Presented by Phil Regnauld (NSRC) and Hervey Allen (NSRC)

Download the DNSSEC deployment slides (383.3 KB) and DNSSEC Cryptography Review slides (661.8 KB) for this tutorial.

While DNS is, perhaps, one of the most fundamental components of a healthy and safe Internet, it is also vulnerable to a number of different types of attacks.

As the revelation of the Kaminsky Exploit in 2008 showed, the traditional DNS trust model leaves this core piece of Internet infrastructure open to potentially devastating attacks.

DNSSEC is an extension to the traditional DNS system. DNSSEC uses public-key cryptography to update the DNS trust model so that clients can verify the authenticity of the DNS responses they receive.

In this half-day tutorial we will cover the following:

  • Problems with DNS:
    • DNS cache poisoning
    • Nameserver hijacking
  • The basics of DNSSEC, one solution available now.
    • New DNS Resource Records (DNSKEY, RRSIG, NSEC and DS).
    • Two new header flag bits (CD, AD)
  • How to sign DNS data:
    • KSK and ZSK keys.
  • Operational Aspects:
    • Signing the root
    • Trust anchors
    • DLV and ITAR
    • Key management
    • Key rollover
    • Zone crawling issues
    • Available toolsets
  • Registry-registrar aspects:
    • EPP or other extensions to support DS records
    • Support for authenticated key updates.
    • Turning on/off DNSSEC and the impact
  • What isn't solved:
    • Man-in-the-middle attacks where everything is spoofed.
    • Need to trust the resolver
    • DoS attacks
    • Data is not encrypted
  • Application side:
    • Up-the-stack notification. How do we handle failures?
    • Need more info from the stub resolver
    • More than one protocol available.
  • Status today
    • Root signing discussion (NTIA NOI)
    • Signed TLDs include .br, .cz, .gov, .museum, .org, .pr, .se, etc.
  • Summary

Attendees will see a hands-on demonstration of securing a zone using DNSSEC. This will include key generation, updating of the zone file, configuration of a forwarding resolver, publishing the zone and verification of the newly signed zone. Step-by-step instructions using a DNSSEC toolset (tbd) will be made available to all attendees.
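The outline above lists KSK and ZSK keys, trust anchors and the DS records a registry must accept from registrars, and the demonstration ends with verification of the signed zone. The following is an added example, not code from the tutorial or from NSRC, showing in Python how those pieces fit together at the zone apex: it computes a DNSKEY's key tag (RFC 4034 Appendix B), tells a KSK from a ZSK by the SEP flag bit, derives the DS record that the parent zone would publish (SHA-256 over the canonical owner name plus the DNSKEY RDATA, RFC 4034 section 5.1.4 and RFC 4509), and checks whether a DS matches a DNSKEY, which is the link in the chain of trust a validating resolver follows from the parent down. The owner name `example.com.` and the public key bytes are constructed for illustration; the key is far too short to be a real RSA key and cannot sign anything.

```python
"""Key tag, KSK/ZSK flags and DS digest for a DNSSEC DNSKEY (RFC 4034, RFC 4509)."""
import base64
import hashlib
import hmac
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1)
FLAG_ZONE_KEY = 0x0100   # set on every DNSKEY used to sign zone data
FLAG_SEP = 0x0001        # Secure Entry Point: set on a KSK, clear on a ZSK

# DS digest types (RFC 4034 appendix A.2, RFC 4509)
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
_DIGEST_FUNCS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}

# Constructed sample input: owner name and an RSA-style public key field
# (exponent length 3, exponent 65537, then a few "modulus" bytes).
# Assumption for illustration only; this is not a usable key.
EXAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY = bytes.fromhex("03010001ABCDEF123456789A")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(struct.pack("B", len(lab)) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def dnskey_presentation(rdata: bytes) -> str:
    """Zone-file form of the RDATA, e.g. '257 3 8 <base64>'."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return "%d %d %d %s" % (flags, protocol, algorithm, base64.b64encode(rdata[4:]).decode("ascii"))


def parse_dnskey_presentation(text: str) -> bytes:
    """Parse '257 3 8 <base64 ...>' (the base64 may be split over several fields)."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    return dnskey_rdata(flags, protocol, algorithm, base64.b64decode("".join(fields[3:])))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag: 16-bit sum over the RDATA (all algorithms except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata: bytes) -> bool:
    """A KSK carries the SEP bit; a ZSK does not. Both carry the zone key bit."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return bool(flags & FLAG_ZONE_KEY) and bool(flags & FLAG_SEP)


def ds_digest(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    return _DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).digest()


def ds_rdata(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> str:
    """DS RDATA as the parent publishes it: '<key tag> <algorithm> <digest type> <hex digest>'."""
    algorithm = rdata[3]
    digest = ds_digest(owner, rdata, digest_type).hex().upper()
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds_text: str, owner: str, rdata: bytes) -> bool:
    """Does this DS (from the parent) authenticate this DNSKEY (from the child)?"""
    tag, alg, dtype, digest_hex = ds_text.split()[:4]
    if int(tag) != key_tag(rdata) or int(alg) != rdata[3] or int(dtype) not in _DIGEST_FUNCS:
        return False
    expected = ds_digest(owner, rdata, int(dtype))
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


# Sample KSK (flags 257 = zone key + SEP) and ZSK (flags 256) built from the constructed key.
SAMPLE_KSK_RDATA = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, 3, 8, SAMPLE_PUBKEY)
SAMPLE_ZSK_RDATA = dnskey_rdata(FLAG_ZONE_KEY, 3, 8, SAMPLE_PUBKEY)

if __name__ == "__main__":
    print(EXAMPLE_OWNER, "IN DNSKEY", dnskey_presentation(SAMPLE_KSK_RDATA))
    print(EXAMPLE_OWNER, "IN DS", ds_rdata(EXAMPLE_OWNER, SAMPLE_KSK_RDATA))
    tampered = SAMPLE_KSK_RDATA[:-1] + bytes([SAMPLE_KSK_RDATA[-1] ^ 0x01])
    print("DS matches DNSKEY:", ds_matches_dnskey(ds_rdata(EXAMPLE_OWNER, SAMPLE_KSK_RDATA), EXAMPLE_OWNER, SAMPLE_KSK_RDATA))
    print("DS matches tampered DNSKEY:", ds_matches_dnskey(ds_rdata(EXAMPLE_OWNER, SAMPLE_KSK_RDATA), EXAMPLE_OWNER, tampered))
```

Only the KSK's DS is normally handed to the parent, which is why the KSK can stay in place while the ZSK rolls without any registrar interaction; a single flipped byte in the DNSKEY that a resolver fetches produces a different key tag or digest and the DS check fails, so the chain of trust breaks at that delegation.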

We will most likely use a VMware setup so that attendees can take part in the zone signing and key rollover demonstration themselves.

About the Instructors

Phil Regnauld

Phil Regnauld works for the Network Startup Resource Center (NSRC). On the side, Phil is a partner at bluepipe a/s, a small company doing development, network monitoring and DNS consultancy.

At NSRC, Phil helps with workshop planning, material development, teaching and Direct Engineering & Assistance. Phil is currently a member of AFNIC's Technical Advisory Committee. Since 1997, Phil has been participating in workshops around the world, including INET Workshops, AfNOG, APRICOT, PacNOG, ccTLD trainings, and other events in Asia and Africa.

Phil holds a bachelor's degree in Computer Science from Université Paris. Before founding bluepipe and joining NSRC, Phil was a system and network administrator for the Copenhagen Kingdom Hospital. Since then he has designed large DNS and mail platforms for organizations in the Danish private and public sectors (healthcare, pharmaceutical and ISPs). He participates in a number of open forums and advisory committees for TLD administrators.

Hervey Allen

Hervey Allen works for the Network Startup Resource Center (NSRC). The NSRC provides technical information, engineering assistance, training, equipment, and educational materials to network operators at research and education institutions and Internet Service Providers in countries with limited Internet infrastructure. Over the past few years, Hervey has done extensive organizing, coordinating and teaching in network workshops and tutorials covering topics such as network monitoring and management, Unix system administration, security best practices, DNSSEC, scalable network services, and campus network design. These workshops have been held in over 20 countries around the world and have been part of events such as APRICOT, SANOG, AfNOG, PacNOG, WALC and multiple ccTLD trainings.

Before joining the NSRC, Hervey graduated from the University of Oregon in Computer Science. He has built and run help desks at Pomona College and the University of Oregon, was a System Engineer with Turbolinux, Inc., and worked with several non-profit organizations building their technical infrastructure. Hervey is a member of several coordinating and planning committees for larger Network Operator Group events, including the Pacific Network Operators Group (PacNOG), the South Asian Network Operators Group (SANOG) and the African Network Operators Group (AfNOG).