Tuesday, June 14, 2016

DNSSEC Tutorial

Eddie Winstead from ISC -- tutorial on DNSSEC.

The root has been signed since July 2010 (the delay was a "Layer 9 issue", not a technical one), so a validating resolver only needs one trust anchor, the root KSK, in its configuration.

As of 2016 DNSSEC deployment is much easier than it used to be.



"Everyone has their own NS provisioning scripts." Good news: you don't have to change those scripts to deploy DNSSEC. "Bump in the wire" signing avoids having to futz with local provisioning scripts at all.

Tip: make sure NTP is correctly configured. DNSSEC is very time dependent: RRSIGs carry inception and expiration times, and key rollover is driven by timing metadata, so a server with a wrong clock produces signatures that validators reject.
A lot of people converted to dynamic zones to make DNSSEC easier.

Two keys per zone: a Zone Signing Key (ZSK) and a Key Signing Key (KSK). The ZSK is rolled routinely (every quarter or whatever) and only the zone itself changes. Rolling the KSK means publishing a new DS record in the parent zone, so the KSK is rolled rarely and probably never.

"The Root KSK will be rolled! Use managed-keys!"

"dig +multi" (short for +multiline) shows more info on keys: each DNSKEY is annotated with its key id (key tag), algorithm, and whether it is the KSK or the ZSK. ISC's note on extracting the key tag from a DNSKEY obtained via dig:
https://deepthought.isc.org/article/AA-00610/0/Can-I-extract-the-key-tag-from-a-DNSKEY-obtained-via-dig.html 

dnsviz.net "is your friend": it draws the whole chain of trust from the root down to your zone and shows where it breaks.

Useful tool for keeping DNSSEC validation working on a client (e.g. a roaming laptop) whose local network resolvers may not support DNSSEC:
https://www.nlnetlabs.nl/projects/dnssec-trigger/


Slides: https://www.nanog.org/sites/default/files/Winstead_DNSSEC%20Tutorial.pdf

DS Resource Records - Talking to our Parent...
- To create chains of trust "in-protocol," the Key Signing Key of a zone is hashed and that hash is placed into the parent
- This record is known as the Delegation Signer (DS) record
- The DS record in the parent creates a secure linkage that an external attacker would have to overcome to forge keying material in the child

Preparing for DNSSEC Deployment
There are a number of methods of deploying DNSSEC into existing zones:
- Manual zone signing (in 2016, DDT - Don't Do That!)
- Automatic zone signing of dynamic zones
- Automatic in-line signing "on-box"
- Automatic in-line signing "bump-in-the-wire"

Automatic Zone Signing of Dynamic Zones
- BIND 9.7 and newer provide automation of zone signing of dynamic zones
- Keying material contains timing "meta-data" that can allow automation of key rollover
- Making a zone dynamic is significantly easier in recent versions of BIND
- Dynamic zones are not always appropriate or allowed
  - Active Directory Dynamic DNS

Automatic In-Line Signing
- BIND 9.9 introduced in-line signing
- Signing of zones without knowledge of / changes to existing processes and procedures
- On-box in-line signing signs zones in memory on the same system on which they are mastered
- Bump-in-the-wire signing provides signing on an intermediate system
  - Use this where existing infrastructure can't be modified
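Added example (my own illustration, not from the slides): what the two in-line signing models and the "use managed-keys" advice look like in named.conf for BIND 9.9 or newer. Zone names, file paths and addresses are placeholders; the key-generation commands in the comments are the BIND tools the slides refer to, with timing values chosen here for illustration.

```conf
// On-box in-line signing: the server that masters the unsigned zone signs it
// in memory. Provisioning scripts keep writing the unsigned zone file and
// never have to know about RRSIG/NSEC records.
zone "example.com" {
    type master;
    file "/var/named/example.com.zone";   // unsigned file, written by your scripts
    key-directory "/var/named/keys";      // K*.key / K*.private from dnssec-keygen
    inline-signing yes;                   // BIND 9.9+: signed copy kept alongside
    auto-dnssec maintain;                 // obey key timing metadata, re-sign on its own
    allow-transfer { 192.0.2.10; 192.0.2.11; };  // secondaries receive the signed zone
};

// Bump-in-the-wire: an intermediate BIND pulls the unsigned zone from a master
// you cannot modify (an Active Directory DC, an appliance), signs it, and serves
// the signed zone to the public secondaries. The hidden master only needs to
// allow transfers to (and notify) this signer.
zone "example.net" {
    type slave;                           // "type secondary" in BIND 9.16 and later
    masters { 192.0.2.1; };               // the untouched hidden master
    file "/var/named/example.net.zone";
    key-directory "/var/named/keys";
    inline-signing yes;
    auto-dnssec maintain;
    allow-transfer { 198.51.100.10; };    // public secondaries pull the signed zone
};

// Validating resolver side, "Use managed-keys!": dnssec-validation auto uses
// BIND's built-in root trust anchor and tracks the root KSK roll via RFC 5011,
// so nothing in this file changes when the root KSK is rolled.
options {
    dnssec-validation auto;
};

// Keys for the zones above. The inactive (-I) and delete (-D) dates on the ZSK
// are what auto-dnssec maintain follows; generate the successor ZSK with
// "dnssec-keygen -S" before the inactive date. The DS handed to the parent
// comes from the KSK (flags 257), never from the ZSK (flags 256).
//   dnssec-keygen -a RSASHA256 -b 2048 -f KSK -K /var/named/keys example.com
//   dnssec-keygen -a RSASHA256 -b 1024 -I +90d -D +97d -K /var/named/keys example.com
//   rndc loadkeys example.com
//   rndc signing -list example.com
//   dnssec-dsfromkey -2 /var/named/keys/Kexample.com.+008+NNNNN.key
```

Until the DS from the last command is published in the parent, all of this is invisible to validators, which is what makes it safe to practice with.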

DNSSEC Signing - The Short List
1. Generate keys for the zone
2. Insert the public portions of the keys into the zone
3. Sign the zone with the appropriate keys
4. Publish the signed zone
5. DS in the parent zone
6. Validate!

The first four steps can be done to gain experience without going live: a zone with DNSKEYs and signatures but no DS in the parent is still treated as insecure, not bogus. Publishing the DS in the parent zone is what makes it all go live, so check the DS against the KSK before you hand it over.
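Worked example, added here and not from the tutorial, of what the DS slide above and steps 5 and 6 of the short list amount to: the DS record is a hash over the owner name plus the KSK's DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag is the RFC 4034 Appendix B checksum that dig +multiline prints as "key id". The script builds the DS a parent should publish from a DNSKEY line and checks a published DS against it. The example.com key is a constructed two-byte dummy so the key tag can be checked by hand; the root key and DS are the published root KSK-2017 trust anchor (key tag 20326).

```python
"""DNSSEC key tag and DS digest from a DNSKEY in presentation format.

Added example, not ISC's code.  Implements the RFC 4034 Appendix B key tag and
the DS digest of RFC 4034 s5.1.4 / RFC 4509: hash(canonical owner name || RDATA).
"""
import base64
import hashlib
import struct

# IANA DS digest-type numbers -> hashlib names (3, GOST, is not supported here).
DS_DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed dummy KSK: public key bytes 0x01 0x02, so RDATA is 01 01 03 08 01 02
# and the key tag works out to 1291 by hand.
EXAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQI="

# Published root KSK-2017 trust anchor and its DS (key tag 20326, RSASHA256, SHA-256).
ROOT_KSK_2017 = (
    ". 172800 IN DNSKEY 257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)
ROOT_DS_2017 = ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels,
    terminating zero octet.  The root name is just b'\\x00'."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-octet flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Uppercase hex DS digest over canonical owner name followed by DNSKEY RDATA."""
    h = hashlib.new(DS_DIGESTS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...'.  Tolerates
    dig +multiline output once its lines are joined: parentheses are dropped and
    the '; KSK; alg = ...; key id = ...' comment is cut off."""
    tokens = line.split(";")[0].replace("(", " ").replace(")", " ").split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    return tokens[0], flags, proto, alg, "".join(tokens[idx + 4:])


def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """The DS record the parent should publish for this DNSKEY (a KSK, flags 257)."""
    owner, flags, proto, alg, b64 = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, b64)
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """What a validator checks when it steps from parent to child: the DS key tag,
    algorithm and digest must all agree with the child's DNSKEY."""
    owner, flags, proto, alg, b64 = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, b64)
    t = ds_line.split()
    i = t.index("DS")
    tag, ds_alg, dtype = int(t[i + 1]), int(t[i + 2]), int(t[i + 3])
    published = "".join(t[i + 4:]).upper()
    return (tag, ds_alg, published) == (key_tag(rdata), alg, ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    print(ds_record(EXAMPLE_KSK))
    print(ds_record(ROOT_KSK_2017))
    print("root DS matches published anchor:", ds_matches(ROOT_KSK_2017, ROOT_DS_2017))
```

To check your own delegation, paste the KSK line from `dig DNSKEY yourzone +multiline` (base64 joined onto one line) and the DS from `dig DS yourzone` into ds_matches; a False here after a KSK roll is exactly the "went live and broke" case the short list is warning about, and it is what dnsviz would show as a broken link.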


