TLS and SMTP - Strotmann.de

DNSSEC and DANE
TLS transport encryption with DNSSEC support
Jörg Zimmermann, Patrick Kötter, Carsten Strotmann
© Men & Mice http://menandmice.com Thursday 30 October 14

About me
• DNS
• DHCP
• DNSSEC
• IPv6
• Unix
• Windows
• Men & Mice, Iceland
• Sys4
• LinuxHotel

DA(e)NEs don't lie (German pun on "Dänen lügen nicht", "Danes don't lie")

TLS and SMTP
[Diagram: two mail servers negotiate STARTTLS ("STARTTLS?" / "STARTTLS!")]

TLS and SMTP: forgery ("Fälschung")
[Diagram: a forged server answers the STARTTLS request ("STARTTLS?" / "STARTTLS!"); nothing in plain STARTTLS tells the sender that it is talking to the wrong server]

TLS and SMTP: man in the middle
[Diagram: a man in the middle sits between the two mail servers and relays the STARTTLS negotiation in both directions ("STARTTLS?" / "STARTTLS!")]

TLS and SMTP: man in the middle
[Diagram: the man in the middle answers "STARTTLS?" with "NEIN!" (no); the sender falls back to an unencrypted connection]

TLS != PGP
[Diagram contrasting TLS and PGP]

TLSA/SMTP
• Securing TLS certificates via DNS(SEC)
• The hash of the certificate (or the whole certificate) is stored in DNS
• Assumption: the owner of the DNS domain is also the owner of the certificate

TLSA/SMTP
• The security level is comparable to domain-(e-mail-)validated certificates
• TLSA can secure self-signed certificates
• TLSA can secure X.509 certificates from certification authorities (Symantec, Comodo, StartSSL, CACert …)

TLS and SMTP
[Diagram: the sending SMTP MTA asks DNS for the TLSA record of the receiving MTA ("TLSA?"), then negotiates STARTTLS with it ("STARTTLS?" / "STARTTLS!"); the receiving MTA presents its TLS certificate]

TLS and SMTP
[Diagram: DNS returns the TLSA record ("TLSA!"); the sending MTA runs a DNSSEC check on the answer and only then compares the presented TLS certificate with it]

TLS and SMTP: man in the middle
[Diagram: a man in the middle answers "STARTTLS?" with "NEIN!" (no); the DNSSEC-checked TLSA record ("TLSA!") shows that the receiving MTA does offer TLS, so the sending MTA raises "ALARM! MITM Angriff" (alarm: MITM attack) instead of continuing in plaintext]

TLS and SMTP: forgery
[Diagram: a forged server ("Fälschung") answers "STARTTLS!"; its certificate does not match the DNSSEC-checked TLSA record ("TLSA!"), so the sending MTA raises "ALARM! Falscher Server!" (alarm: wrong server)]

Infrastructure: DNS
• DNSSEC validation (caching DNS resolver)
  • BIND 9, Unbound, dnsmasq, Windows 2012
• DNSSEC-signed zones (authoritative DNS server)
  • BIND 9, NSD, Knot, Y.A.D.I.F.A., PowerDNS, Bundy-DNS, Windows 2012*

* Windows 2012 (R2) currently does not support the TLSA record type

Infrastructure: Mail
• MTA with TLSA support
  • Postfix 2.11, Exim (in preparation)
• TLS certificates
  • EV certificate (Extended Validation)
  • DV certificate (Domain Validation)
  • Self-signed certificate

BIND 9.9.x DNSSEC
• Enable DNSSEC validation:

options {
    …
    dnssec-validation auto;   // validate answers using the built-in root trust anchor
    dnssec-lookaside auto;    // DLV lookaside validation; the ISC DLV registry has since been retired, so leave this out on current BIND
};

TLSA record
• Create the TLSA hash manually (SHA-256 over the DER-encoded certificate):

$ openssl x509 -in mail.example.de.crt -outform DER | openssl sha256
(stdin)= 8cb0fc6c527506a053f4f14c8464bebbd6dede2738d11468dd953d7d6a3021f1

• TLSA record:

_25._tcp.mail.example.de. 3600 IN TLSA 3 0 1 (
    8cb0fc6c527506a053f4f14c8464bebbd6dede
    2738d11468dd953d7d6a3021f1 )

TLSA record
• Create a TLSA record with ldns-dane:

$ ldns-dane create www.bund.de 443
_443._tcp.www.bund.de. 3600 IN TLSA 3 0 1 8f28b062eaa9f917042a63d35d99e017c68d89eaa314c49a3ef94b6e770b0a49

• Check a TLSA record with ldns-dane:

$ ldns-dane verify www.bund.de 443
77.87.229.48 dane-validated successfully

Test the TLSA record
shell> dig _25._tcp.mail.example.de. TLSA +dnssec +m

; <<>> DiG 9.9.5 <<>> _25._tcp.mail.example.de TLSA +dnssec +m
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13973
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mail.example.de. IN TLSA

;; ANSWER SECTION:
_25._tcp.mail.example.de. 3588 IN TLSA 3 1 1 (
                8cb0fc6c527506a053f4f14c8464bebbd6dede
                2738d11468dd953d7d6a3021f1 )
_25._tcp.mail.example.de. 3588 IN RRSIG TLSA 8 5 3600 (
                20140324063111 20140317121843 4390 example.de.
                RBgAAzQx3gks0KKJHuJ7qKd61jpY8E6dwDM6inPPa6Ee
                xV8OBnAzhF4RMKSabHF0LNwRzWqE5xNfPibMQFDoDRKJ
                /QiNgux/IXti3JqtH4BkT0w7Ooi+8DZsil9BTjg6WkaX
                1FuJ4rJ2r3hXS7eIOFWtOF7pPVPdIIaRB6xp+1A= )

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 17 19:29:45 CET 2014
;; MSG SIZE  rcvd: 142

Slide annotations: "DNSSEC check OK" points at the ad (authenticated data) flag in the header, "TLSA Record" at the TLSA answer, and "DNSSEC Signatur" (DNSSEC signature) at the RRSIG record that covers it.
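An added example (not from the slides) that does the two steps above in Python: it builds the TLSA RDATA from a DER certificate the way the openssl pipeline does (selector 0, full certificate; matching types 0, 1 and 2) and parses the parenthesised multi-line TLSA answer that dig +m prints, so a certificate presented by a server can be compared against the record. The certificate bytes are a constructed stand-in, and selector 1 (SubjectPublicKeyInfo) is deliberately not implemented, which is why the same hash cannot be both a "3 0 1" and a "3 1 1" record.

```python
import hashlib
import re

# Constructed stand-in for the DER form of mail.example.de.crt from the slides
# (a real certificate is not on the page; these bytes are only sample input).
SAMPLE_CERT_DER = bytes.fromhex("3082010a0282010100c0ffee")

# The TLSA answer exactly as dig +m prints it on the slide (multi-line form).
SLIDE_RECORD = """_25._tcp.mail.example.de. 3588 IN TLSA 3 1 1 (
                8cb0fc6c527506a053f4f14c8464bebbd6dede
                2738d11468dd953d7d6a3021f1 )"""

_TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+TLSA\s+"
    r"(?P<usage>\d+)\s+(?P<selector>\d+)\s+(?P<mtype>\d+)\s+"
    r"\(?\s*(?P<data>[0-9a-fA-F][0-9a-fA-F\s]*?)\s*\)?$"
)


def association_data(cert_der, selector, mtype):
    """Bytes that go into the TLSA RDATA for a DER certificate (RFC 6698).

    Selector 0 covers the whole certificate, which is what the
    'openssl x509 -outform DER | openssl sha256' pipeline on the slide hashes.
    Selector 1 (SubjectPublicKeyInfo only) needs a DER parser and is not
    implemented here; a selector-1 record hashes to a different value.
    """
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is not implemented")
    if mtype == 0:
        return cert_der                          # full data, no hash
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_rdata(cert_der, usage=3, selector=0, mtype=1):
    """Presentation-format RDATA, e.g. '3 0 1 8cb0fc6c...'."""
    return "%d %d %d %s" % (usage, selector, mtype,
                            association_data(cert_der, selector, mtype).hex())


def tlsa_record(owner, cert_der, ttl=3600, usage=3, selector=0, mtype=1):
    """Complete zone-file line for the given owner name."""
    return "%s %d IN TLSA %s" % (owner, ttl,
                                 tlsa_rdata(cert_der, usage, selector, mtype))


def parse_tlsa(text):
    """Parse one TLSA record in presentation format.

    Accepts both the single-line form and dig's +m output, where the hex data
    is wrapped across several lines inside parentheses.
    """
    flat = " ".join(text.split())
    m = _TLSA_RE.match(flat)
    if not m:
        raise ValueError("not a TLSA record: %r" % text)
    return {
        "owner": m.group("owner"),
        "ttl": int(m.group("ttl")),
        "usage": int(m.group("usage")),
        "selector": int(m.group("selector")),
        "mtype": int(m.group("mtype")),
        "data": bytes.fromhex("".join(m.group("data").split())),
    }


def tlsa_matches(record_text, cert_der):
    """True if the DER certificate matches the TLSA record (selector 0 only).

    This is the comparison a DANE-aware MTA makes between the certificate the
    peer presents in the TLS handshake and the DNSSEC-validated TLSA RDATA.
    """
    rec = parse_tlsa(record_text)
    expected = association_data(cert_der, rec["selector"], rec["mtype"])
    return expected == rec["data"]


if __name__ == "__main__":
    rec = tlsa_record("_25._tcp.mail.example.de.", SAMPLE_CERT_DER)
    print(rec)
    print("matches:", tlsa_matches(rec, SAMPLE_CERT_DER))
    slide = parse_tlsa(SLIDE_RECORD)
    print("slide record: usage=%d selector=%d mtype=%d, %d data bytes"
          % (slide["usage"], slide["selector"], slide["mtype"], len(slide["data"])))
```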

Postfix configuration
• TLSA checking in the Postfix configuration:

shell> postconf -e "smtpd_use_tls = yes"
shell> postconf -e "smtp_dns_support_level = dnssec"
shell> postconf -e "smtp_tls_security_level = dane"

smtpd_use_tls enables STARTTLS on the receiving side (smtpd); the two smtp_* settings make the sending side (smtp) look up TLSA records over DNSSEC and verify the peer certificate against them, which requires a DNSSEC-validating resolver reachable over a trusted path (the dig test above used one on 127.0.0.1).

Test STARTTLS
• Test a STARTTLS connection to the mail server:

shell> openssl s_client -connect mail1.example.de:25 -starttls smtp
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/ST=State/L=City/O=Company/OU=Mailserver/CN=mail1.example.de
   i:/C=DE/ST=State/L=City/O=Company/OU=Mailserver/CN=mail1.example.de
---
Server certificate
-----BEGIN CERTIFICATE-----
[..]
    Start Time: 1394991261
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
221 2.0.0 Bye
closed
shell>

Postfix log (unsecured TLS)
• Postfix log, TLS without DNSSEC TLSA check (DANE):

Mar 16 19:10:55 m3 postfix/qmgr[25923]: 2B1A680337: from=<[email protected]>, size=291, nrcpt=1 (queue active)
Mar 16 19:11:03 m3 postfix/smtp[25929]: Untrusted TLS connection established to mail1.example.de[2001:db8:100::25]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 16 19:11:05 m3 postfix/smtp[25929]: 2B1A680337: to=<[email protected]>, relay=mail1.example.de[2001:db8:100::25]:25, delay=16, delays=6.2/0.01/7.9/2.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3fn80C2DP5zTT)
Mar 16 19:11:05 m3 postfix/qmgr[25923]: 2B1A680337: removed

Postfix log (DNSSEC-secured TLS)
• Postfix log, TLS with DNSSEC TLSA check (DANE):

Mar 16 19:20:01 m3 postfix/qmgr[26122]: 8FBEE80337: from=<[email protected]>, size=285, nrcpt=1 (queue active)
Mar 16 19:20:01 m3 postfix/smtp[26131]: Verified TLS connection established to mail.example.de[2001:db8:100::25]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 16 19:20:03 m3 postfix/smtp[26131]: 8FBEE80337: to=<[email protected]>, relay=mail.example.de[2001:db8:100::25]:25, delay=149, delays=147/0.03/0.13/1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3fn8BY3ltPzTT)
Mar 16 19:20:03 m3 postfix/qmgr[26122]: 8FBEE80337: removed
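An added example (not from the slides) of the check an operator would run over such Postfix logs: it pairs each smtp(8) process's "TLS connection established" line with the delivery line from the same process and reports every delivery that did not reach the "Verified" level a successful DANE/TLSA match produces, i.e. the relays that are still exposed to forged certificates or STARTTLS stripping. The log lines are constructed after the two excerpts above; queue ids, addresses and the last two relays are made up.

```python
import re

# Constructed sample log, modelled on the two Postfix excerpts above (queue ids,
# addresses and the last two relays are made up; they are not from the slides).
SAMPLE_LOG = "\n".join([
    "Mar 16 19:10:55 m3 postfix/qmgr[25923]: 2B1A680337: from=<alice@example.org>, size=291, nrcpt=1 (queue active)",
    "Mar 16 19:11:03 m3 postfix/smtp[25929]: Untrusted TLS connection established to mail1.example.de[2001:db8:100::25]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Mar 16 19:11:05 m3 postfix/smtp[25929]: 2B1A680337: to=<bob@example.de>, relay=mail1.example.de[2001:db8:100::25]:25, delay=16, delays=6.2/0.01/7.9/2.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3fn80C2DP5zTT)",
    "Mar 16 19:20:01 m3 postfix/smtp[26131]: Verified TLS connection established to mail.example.de[2001:db8:100::25]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Mar 16 19:20:03 m3 postfix/smtp[26131]: 8FBEE80337: to=<bob@example.de>, relay=mail.example.de[2001:db8:100::25]:25, delay=149, delays=147/0.03/0.13/1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3fn8BY3ltPzTT)",
    "Mar 16 19:25:10 m3 postfix/smtp[26140]: Anonymous TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Mar 16 19:25:12 m3 postfix/smtp[26140]: 9AC1B80340: to=<carol@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=2, delays=0.1/0.01/1.2/0.7, dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Mar 16 19:30:00 m3 postfix/smtp[26150]: A1B2C80350: to=<dave@example.com>, relay=mx.example.com[198.51.100.25]:25, delay=1, delays=0.1/0.01/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)",
])

# Postfix smtp(8) logs the TLS trust level it reached with a peer right before
# the delivery line from the same process. host[address] is logged as one token.
_RELAY = r"[^\s\[]+\[[^\]]+\]"
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<relay>" + _RELAY + r"):\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>" + _RELAY + r"):\d+,.*status=(?P<status>\w+)"
)


def classify_deliveries(log_text):
    """Return one dict per delivery: queue id, recipient, relay, TLS level.

    The TLS line and the delivery line share the smtp(8) pid, so the level is
    remembered per pid until its delivery line is seen. A delivery with no
    preceding TLS line for the same pid and relay went out in plaintext.
    """
    pending = {}      # pid -> fields of the most recent TLS connection line
    deliveries = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pending[m.group("pid")] = m.groupdict()
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        tls = pending.pop(m.group("pid"), None)
        if tls and tls["relay"] == m.group("relay"):
            level, cipher = tls["level"], tls["cipher"]
        else:
            level, cipher = "plaintext", None
        deliveries.append({
            "qid": m.group("qid"),
            "rcpt": m.group("rcpt"),
            "relay": m.group("relay"),
            "status": m.group("status"),
            "tls": level,
            "cipher": cipher,
        })
    return deliveries


def dane_gaps(deliveries):
    """Deliveries that did not reach 'Verified'.

    With smtp_tls_security_level = dane, 'Verified' is what a matching,
    DNSSEC-validated TLSA record yields; everything below it means the
    destination publishes no usable TLSA record and got only opportunistic
    (or no) TLS, so it is still open to forged certificates and downgrades.
    """
    return [d for d in deliveries if d["tls"] != "Verified"]


if __name__ == "__main__":
    for d in classify_deliveries(SAMPLE_LOG):
        print("%s -> %-40s %-10s %s" % (d["qid"], d["relay"], d["tls"], d["cipher"]))
    print("not DANE-verified:", [d["qid"] for d in dane_gaps(classify_deliveries(SAMPLE_LOG))])
```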

posttls-finger (DNSSEC-secured TLS)
• posttls-finger TLSA check (Postfix 2.11 and later):

$ posttls-finger mail.bund.de
posttls-finger: using DANE RR: _25._tcp.mx2.bund.de IN TLSA 3 0 1 59:E3:CF:5F:A1:51:55:3F:45:76:C9:4C:25:00:D7:05:EF:DD:D8:55:B6:A5:9D:88:D2:8D:03:28:87:6A:04:CB
posttls-finger: Connected to mx2.bund.de[77.87.228.110]:25
posttls-finger: < 220 mx2.bund.de ESMTP
posttls-finger: > EHLO m3.myinfrastructure.org
posttls-finger: < 250-bn4-node11.sc.bund.de
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20961280
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mx2.bund.de[77.87.228.110]:25: depth=0 matched end entity certificate sha256 digest 59:E3:CF:5F:A1:51:55:3F:45:76:C9:4C:25:00:D7:05:EF:DD:D8:55:B6:A5:9D:88:D2:8D:03:28:87:6A:04:CB
posttls-finger: mx2.bund.de[77.87.228.110]:25: Matched subjectAltName: mx2.bund.de
posttls-finger: mx2.bund.de[77.87.228.110]:25 CommonName mx2.bund.de
posttls-finger: mx2.bund.de[77.87.228.110]:25: subject_CN=mx2.bund.de, issuer_CN=CA IVBB Deutsche Telekom AG 11, fingerprint=72:78:BE:C8:3E:61:A0:12:BE:BF:3B:79:F0:CE:9A:A2:8C:26:24:FF, pkey_fingerprint=3A:3E:5F:A4:50:F8:DD:FC:56:35:FF:08:2A:F9:ED:82:B9:AB:7B:82
posttls-finger: Verified TLS connection established to mx2.bund.de[77.87.228.110]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
posttls-finger: > EHLO m3.myinfrastructure.org
posttls-finger: < 250-bn4-node11.sc.bund.de
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20961280
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

The "depth=0 matched end entity certificate sha256 digest" line is the comparison of the presented certificate with the DANE RR (usage 3, selector 0, matching type 1), and "Verified TLS connection established" is the level Postfix requires with smtp_tls_security_level = dane before it delivers to a host that publishes usable TLSA records.

TLSA info website
http://tlsa.info

DANE TLSA advantages
• The encrypted connection between servers is authenticated
• STARTTLS "downgrade" attacks are prevented
• TLS/SSL certificates are protected against forgery
• CRL/OCSP is not needed in order to replace TLS/SSL certificates

More than just SMTP
• TLSA for HTTPS
• OPENPGPKEY: PGP keys in DNS
• IPSECKEY: IPsec keys in DNS
• SSHFP: SSH server fingerprints
• Prosody Jabber server
  http://bridge.grumpy-troll.org/2014/05/xmpp-dane-with-prosody/
• Gajim Jabber client
  https://github.com/irl/gajim
• S/MIME
• SRV: DNS service discovery

www.dnssec-validator.cz

Internet "in the box"
[Diagram of the lab network: authoritative DNS for ".", "org" and "dnslab.org" and a recursive DNS server at .252 and .251 in 192.168.53/24; student workstations 192.168.53.128-148 (DHCP); WLAN "dns-training" 10.0.0.0/24; virtual servers 192.168.53.101, 102, 103 ...]

DNS security problems

"Triggered" cache poisoning
[Diagram: the evil resolver sends a recursive query for www.alternic.net/A to the ISP's resolving DNS server (with cache); that server sends an iterative query for www.alternic.net/A to the "alternic.net" authoritative DNS server, whose response includes a bogus www.internic.net/A RR that the server caches; when the unsuspecting resolver later sends a recursive query for www.internic.net/A, it receives the bogus response]

Problems with the random numbers
• The query IDs in DNS requests are not always chosen randomly
[Diagram: the evil resolver sends a recursive query for www.mybank.net/A to the ISP's resolving DNS server (with cache), which sends an iterative query for www.mybank.net/A to the "mybank.net" authoritative DNS server; an unsuspecting resolver uses the same caching server]
• Attackers can exploit this
[Diagram: the evil resolver sends a recursive query for www.mybank.net/A and, at the same time, a flood of responses for www.mybank.net with pre-calculated IDs; the genuine response for the www.mybank.net/A RR from the authoritative server arrives too late, and the unsuspecting resolver receives the bogus response from the cache]

Summer 2008: Dan Kaminsky
[Diagram sequence, captions as on the slides: the unsuspecting resolver sends an HTTP request to an evil web server and receives a webpage with thousands of fake image links (<img src="aaaaa.mybank.com">, <img src="aaaab.mybank.com">, <img src="aaaac.mybank.com">, <img src="aaaad.mybank.com">, ....); each image tag triggers one DNS lookup at the resolving DNS server; the DNS lookups are sent to the "mybank.com" authoritative DNS servers; the attacker swamps the caching DNS server with fake responses; some good answers lose the race and a fake response is cached; a later request for the www.mybank.com./A RR gets a false answer from the poisoned cache, and the client's HTTP request goes to a "pharming" website]

Summer 2008: Dan Kaminsky
• Attackers place false delegation information in a DNS cache

;; ANSWER SECTION:
aaaa.mybank.com.        120     IN  A   1.2.3.4

;; AUTHORITY SECTION:
mybank.com.             86400   IN  NS  ns1.mybank.com.
mybank.com.             86400   IN  NS  ns2.mybank.com.

;; ADDITIONAL SECTION:
ns1.mybank.com.         604800  IN  A   192.0.2.20
ns2.mybank.com.         604800  IN  A   192.0.2.30

Slide annotations: "hohe TTL" (high TTL) marks the long TTLs (86400 and 604800 seconds) on the forged NS and glue records, and "falsche IP Adressen der DNS Server" (false IP addresses of the DNS servers) marks the attacker-supplied glue addresses 192.0.2.20 and 192.0.2.30.

DNS poisoning via IP fragments
• A new attack, presented at IETF 87 in Berlin, August 2013
• Requires large DNS response packets that are fragmented in transit (e.g. large TXT record sets: SPF etc.)
• This attack works especially against DNSSEC-signed zones (large responses) when the DNS resolver does not validate the data!
• DNSSEC resolvers validate and answer with "SERVFAIL", but the client machine also has a DNS server in its configuration that does not validate DNSSEC, and the forged answer gets through
• According to research by Geoff Huston (APNIC), these situations are common
IP fragment attack (1)
(Diagram: evil web-server, evil resolver, "mybank.com" authoritative DNS servers, resolving DNS server with cache, unsuspecting resolver)
HTTP request from the unsuspecting resolver to the evil web-server: a web page that triggers DNS requests with large DNS answers

IP fragment attack (2)
(Diagram: same parties)
DNS lookup for the domain name from the unsuspecting resolver to the resolving DNS server; the DNS lookups will be sent to the authoritative DNS servers

IP fragment attack (3)
(Diagram: same parties)
The authoritative DNS servers answer with fragment part 1

IP fragment attack (4)
(Diagram: same parties)
The attacker swamps the caching DNS server with fake fragment 2 packets; the genuine answer with fragment part 2 arrives as well; the fake response will be cached

IP fragment attack (5)
(Diagram: same parties)
Request for www.mybank.com./A RR from the unsuspecting resolver; false answer from the poisoned cache; HTTP request: the client is connecting to a "pharming" website
IP fragment attack
• Attackers try to get false delegation NS records into the cache

;; ANSWER SECTION:
mybank.com.             120     IN      SPF     "v=spf1, a: 192.0.2.10, 192.0.2.22 ..."

;; AUTHORITY SECTION:
mybank.com.             86400   IN      NS      ns1.mybank.com.
mybank.com.             86400   IN      NS      ns2.mybank.com.

;; ADDITIONAL SECTION:
ns1.mybank.com.         604800  IN      A       192.0.2.20
ns2.mybank.com.         604800  IN      A       192.0.2.30

Annotations on the slide: the large answer forces fragmentation, labelled Fragment 1 and Fragment 2; high TTL; false IP addresses
IP fragment attack
• some operating systems (Windows, FreeBSD) use a sequential fragment ID
• the next fragment ID can be guessed by the attacker
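The two responses above (the Kaminsky delegation and the fragmented SPF answer) and the fragment-ID point describe what an operator should be able to recognise in their own traffic: a response big enough to be split into IP fragments, glue with an unusually long TTL, and name-server addresses that differ from the real ones. The Python below is an added example, not code from the slides or from Men & Mice: it parses dig-style output (a constructed sample, with 7 x 200-byte TXT strings standing in for a long SPF set), estimates the uncompressed wire size, reports whether the answer would leave the server as one UDP datagram, as IP fragments, or truncated so the client retries over TCP, and flags the glue tells. The 1232-byte EDNS buffer and the "expected" glue addresses 192.0.2.1/192.0.2.2 are assumptions made for the demonstration.

```python
"""Size and sanity checks for a DNS response in dig's presentation format.

Added example, not code from the slides or from Men & Mice. SAMPLE_RESPONSE
is constructed: the 7 x 200-byte TXT strings stand in for a long SPF/TXT
set, and EXPECTED_GLUE holds made-up 'known good' name server addresses."""
import re
from typing import NamedTuple

IPV4_HEADER, UDP_HEADER, DNS_HEADER, OPT_RR = 20, 8, 12, 11


class RR(NamedTuple):
    section: str
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig(text):
    """Collect the records under each ';; <NAME> SECTION:' header."""
    section, rrs = None, []
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif line and not line.startswith(";") and section:
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            rrs.append(RR(section, name, int(ttl), rtype, rdata))
    return rrs


def name_wire_len(name):
    """Uncompressed wire form: one length byte per label plus the root byte."""
    return sum(len(label) + 1 for label in name.rstrip(".").split(".") if label) + 1


def rdata_wire_len(rtype, rdata):
    if rtype == "A":
        return 4
    if rtype == "AAAA":
        return 16
    if rtype in ("NS", "CNAME", "PTR"):
        return name_wire_len(rdata)
    if rtype in ("TXT", "SPF"):  # each quoted string: 1 length byte + text
        return sum(1 + len(s) for s in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
    raise ValueError(f"no size rule for {rtype}")


def estimate_wire_size(rrs, qname, edns=True):
    """Upper bound (no name compression) on the DNS message size in bytes."""
    size = DNS_HEADER + name_wire_len(qname) + 4  # question: name, type, class
    size += sum(name_wire_len(rr.name) + 10 + rdata_wire_len(rr.rtype, rr.rdata) for rr in rrs)
    return size + OPT_RR if edns else size


def udp_delivery(wire_size, edns_buffer=1232, mtu=1500):
    """How the response leaves the server: 'udp' in one datagram,
    'fragmented' into IP fragments (the attack surface on the slides), or
    'tcp' because it exceeds the advertised EDNS buffer, so the server sets
    TC and the client retries over TCP."""
    if wire_size > edns_buffer:
        return "tcp"
    if wire_size + IPV4_HEADER + UDP_HEADER > mtu:
        return "fragmented"
    return "udp"


def check_delegation(rrs, expected_glue, max_glue_ttl=86400):
    """Flag the two tells on the slides: glue with an unusually long TTL and
    glue addresses that differ from the name server addresses the operator
    knows to be correct."""
    findings = []
    for rr in rrs:
        if rr.section != "ADDITIONAL" or rr.rtype != "A":
            continue
        if rr.ttl > max_glue_ttl:
            findings.append(f"{rr.name}: glue TTL {rr.ttl} exceeds {max_glue_ttl}")
        known = expected_glue.get(rr.name)
        if known and known != rr.rdata:
            findings.append(f"{rr.name}: glue {rr.rdata} differs from expected {known}")
    return findings


_TXT = " ".join('"' + "a" * 200 + '"' for _ in range(7))  # constructed filler
SAMPLE_RESPONSE = f"""
;; QUESTION SECTION:
;mybank.com.            IN      TXT

;; ANSWER SECTION:
mybank.com.             120     IN      TXT     {_TXT}

;; AUTHORITY SECTION:
mybank.com.             86400   IN      NS      ns1.mybank.com.
mybank.com.             86400   IN      NS      ns2.mybank.com.

;; ADDITIONAL SECTION:
ns1.mybank.com.         604800  IN      A       192.0.2.20
ns2.mybank.com.         604800  IN      A       192.0.2.30
"""
EXPECTED_GLUE = {"ns1.mybank.com.": "192.0.2.1", "ns2.mybank.com.": "192.0.2.2"}  # constructed

if __name__ == "__main__":
    records = parse_dig(SAMPLE_RESPONSE)
    size = estimate_wire_size(records, "mybank.com.")
    print(size, udp_delivery(size, edns_buffer=4096), udp_delivery(size))
    print("\n".join(check_delegation(records, EXPECTED_GLUE)))
```

The same 1604-byte answer is "fragmented" when the resolver advertises a 4096-byte EDNS buffer and "tcp" when it advertises 1232 bytes: keeping the buffer below the path MTU is what removes the fragment from the exchange, which is why 1232 became the widely recommended default. The size is an upper bound because real messages compress repeated names.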
DNSSEC to the rescue ...
"Man in the middle" attacks
• an attacker can alter DNS data in transit
(Diagram: the client resolver sends a query for www.example.com. to the ISP resolving DNS server (cache), which sends a query for www.example.com. to the authoritative DNS server; the authoritative server answers www.example.com. A 192.0.2.10, but an attacker on the path replaces the answer with www.example.com. A 10.1.2.3)

"Betrayal" by the local DNS resolver
• the operator of the DNS resolver (public WLAN) has full control over DNS name resolution
(Diagram: the client resolver sends a query for www.example.com. to an insecure/compromised resolving DNS server (cache) run by the attacker; the authoritative DNS server answers www.example.com. A 192.0.2.10, the client receives www.example.com. A 10.1.2.3)

Attacker can change the local DNS resolver settings
• as happened e.g. with the "Ghostclick" network
(Diagram: the attacker changes the DNS resolver configuration on the client; the query for www.example.com. no longer goes to the ISP/company resolving DNS server but to the attackers' resolving DNS server, which the attacker controls and which answers www.example.com. A 10.1.2.3)

Attacks on the authoritative DNS server
• The attacker can alter the data on the authoritative DNS server
(Diagram: the client resolver sends a query for www.example.com. to the resolving DNS server (cache), which queries the authoritative DNS server; the attacker has changed the data there, so www.example.com. A 10.1.2.3 is served authoritatively and cached)
DNSSEC

History of DNSSEC
(Timeline 1983 - 2012)
1983: DNS invented
1988: DNS being used in the Internet
1990: Steve Bellovin discovers flaw in DNS
1995: work on DNSSEC started in the IETF
1999: RFC2535, DNSSEC v1 is ready
2001: work on DNSSECbis started
March 2005: RFC4033-4035 are published: DNSSEC v2
October 2005: .SE signed
2008: RFC 5155: NSEC3
2010: root zone is signed
2012: Windows 2012 DNSSEC; DANE RFC
DNS Security Extensions
• DNSSEC deployment (http://www.internetsociety.org/deploy360/dnssec/maps)
http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
• DNSSEC growth http://secspider.cs.ucla.edu/pix/growth.png
• DNSSEC delegations in NL:
https://xs.powerdns.com/dnssec-nl-graph/
Public-key cryptography
(Diagram: a key pair k1 and k2; plain text is encrypted with k1 into cipher text; the cipher text is decrypted with k2 back into the plain text)

Public and private key
• The private key is stored securely (not on a server with direct contact to the Internet!)
• The public key is published as a DNSKEY record in the DNS zone
DNSSEC in one picture
(Diagram: authoritative DNS server on the left, DNS resolver / cache on the right)
Authoritative DNS server: the plain DNS data from the zone file is hashed into a fingerprint; the fingerprint is encrypted with the private key k, which yields the RRSIG
The DNS data and the RRSIG are sent to the DNS resolver / cache, which also receives the public key
DNS resolver / cache: the RRSIG is decrypted with the public key k, which yields the fingerprint; the received plain DNS data is hashed into a second fingerprint; both fingerprints are compared
DNSSEC chain of trust
de. zone (signed with the .DE zone private key)
de.        IN SOA     (soa param)
de.        IN RRSIG   (SOA->DE-Key)
de.        IN DNSKEY  de-Key              (DNSKEY record of the .de zone)
de.        IN RRSIG   (DNSKEY->DE-Key)
sub.de.    IN NS      ns.example.de.
sub.de.    IN DS      (hash->sub.DE-Key)
sub.de.    IN RRSIG   (DS->DE-Key)

.de zone: signatures are generated with the private key ("DE" zone key)
.de zone: non-authoritative data is not signed (delegation of sub.de)

sub.de. zone (the sub.de private DNSSEC key signs the zone data)
sub.de.    IN SOA     (soa param)
sub.de.    IN RRSIG   (SOA->SUB.DE-Key)
sub.de.    IN DNSKEY  SUB.DE-Key
sub.de.    IN RRSIG   (DNSKEY->SUB.DE-Key)
sub.de.    IN NS      ns.example.de.
sub.de.    IN RRSIG   (NS->SUB.DE-Key)

The DS record in the DE zone validates the public key (DNSKEY) of sub.de.
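The "DNSSEC in one picture" slide and the chain of trust above describe one mechanism: hash the RRset, sign the fingerprint with the zone's private key (RRSIG), let the resolver recompute the fingerprint and check it against the signature with the public key (DNSKEY), and tie each zone's DNSKEY to its parent through a DS record. The Python below is an added example, not code from the slides, Men & Mice or BIND. It uses textbook RSA over primes generated at run time purely to make "sign with the private key, verify with the public key" concrete (real DNSSEC uses RFC 4034 canonical wire encoding and padded RSASHA256 signatures), and its DNSKEY/DS presentation and the sub.de data are constructed for the demonstration.

```python
"""Model of the DNSSEC signing, validation and DS chain from the slides.
Added example (not Men & Mice or BIND code). Textbook RSA with run-time
primes stands in for RSASHA256; the DNSKEY and DS text forms are
constructed, not the RFC 4034 presentation format."""
import hashlib
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with a trial-division prefilter (n is always >= 2 here)."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)): public and private key (textbook RSA)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rrset_fingerprint(rrs):
    """'hash' step: digest of the RRset in a canonical (sorted) order."""
    return int.from_bytes(hashlib.sha256("\n".join(sorted(rrs)).encode()).digest(), "big")

def sign_rrset(rrs, private_key):
    """RRSIG: the fingerprint 'encrypted' with the private key (slide wording)."""
    n, d = private_key
    return pow(rrset_fingerprint(rrs), d, n)

def verify_rrsig(rrs, rrsig, public_key):
    """Resolver: recover the fingerprint with the public key, rehash, compare."""
    n, e = public_key
    return pow(rrsig, e, n) == rrset_fingerprint(rrs)

def ds_digest(dnskey_rr):
    """DS = hash of the child's DNSKEY, published and signed in the parent."""
    return hashlib.sha256(dnskey_rr.encode()).hexdigest()

def build_zone(owner, keypair, data_rrsets, child_ds=None):
    """Sign every authoritative RRset with the zone's private key. A child's
    DS RRset is authoritative data of the parent and is signed too; the
    child's NS records (the delegation itself) are not in the parent."""
    pub, priv = keypair
    dnskey_rr = f"{owner} IN DNSKEY 257 3 8 {pub[1]}:{pub[0]}"  # constructed form
    rrsets = {"DNSKEY": [dnskey_rr], **data_rrsets}
    if child_ds is not None:
        rrsets["DS " + child_ds[0]] = [f"{child_ds[0]} IN DS {child_ds[1]}"]
    signed = {name: (rrs, sign_rrset(rrs, priv)) for name, rrs in rrsets.items()}
    return {"owner": owner, "dnskey_rr": dnskey_rr, "pub": pub, "rrsets": signed}

def validate_chain(anchor_ds, chain):
    """Walk from the trust anchor down: each zone's DNSKEY must hash to the
    DS received from above, and every RRSIG must verify under that DNSKEY."""
    expected_ds = anchor_ds
    for i, zone in enumerate(chain):
        if ds_digest(zone["dnskey_rr"]) != expected_ds:
            return f"bogus: DNSKEY of {zone['owner']} does not match DS"
        for name, (rrs, rrsig) in zone["rrsets"].items():
            if not verify_rrsig(rrs, rrsig, zone["pub"]):
                return f"bogus: RRSIG of {name} in {zone['owner']} fails"
        if i + 1 < len(chain):
            ds = zone["rrsets"].get("DS " + chain[i + 1]["owner"])
            if ds is None:
                return f"insecure: no DS for {chain[i + 1]['owner']}"
            expected_ds = ds[0][0].split()[-1]
    return "secure"

def demo(seed=1):
    """de. and sub.de. as on the slides; the trust anchor is de.'s own DS."""
    de_keys, sub_keys = generate_keypair(seed=seed), generate_keypair(seed=seed + 1)
    sub_zone = build_zone("sub.de.", sub_keys, {"SOA": ["sub.de. IN SOA (soa param)"],
                                                "NS": ["sub.de. IN NS ns.example.de."]})
    de_zone = build_zone("de.", de_keys, {"SOA": ["de. IN SOA (soa param)"]},
                         child_ds=("sub.de.", ds_digest(sub_zone["dnskey_rr"])))
    return ds_digest(de_zone["dnskey_rr"]), de_zone, sub_zone
```

Running `demo()` and `validate_chain(anchor, [de_zone, sub_zone])` returns "secure"; changing one NS record in sub.de after signing makes the RRSIG comparison fail, and swapping in a sub.de zone signed with a different key fails at the DS step, which is the "DS validates the public key" arrow on the slide.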
DNSSEC inline signing (aka BIND 9.9 style)

Inline signing
• BIND 9.9.0+ can sign DNS zones while loading them
• when loading the zone data from a file
• when loading the zone data via zone transfer from a DNS master server
Inline signing
(Diagram, master: the zone file (unsigned) is loaded with rndc reconfig into the DNS server (master) as the unsigned zone; rndc sign produces the DNSSEC-signed zone; rndc sync writes it out as the signed zone file (RAW format))

Inline signing
(Diagram, slave: the unsigned zone on the DNS server (master) reaches the DNS server (slave) via axfr/ixfr zone transfer as the unsigned zone; rndc sign produces the DNSSEC-signed zone; rndc sync writes it out as the signed zone file (RAW format))
Inline signing
// enable inline signing on a zone
zone "dnssec.dnslab.org" IN {
    type master;
    auto-dnssec maintain;    // automatic signing and refreshing of the signatures
    inline-signing yes;      // switch on inline signing
    file "dnssec.dnslab.org";
};
Generating the DNSSEC keys
# dnssec-keygen -K ./keys -a rsasha256 -b 2048 -n ZONE dnssec.example.de
# dnssec-keygen -K ./keys -a rsasha256 -b 2560 -f KSK -n ZONE dnssec.example.de

Annotations on the slide: the first command creates the zone signing key (ZSK), the second (with -f KSK) the key signing key (KSK); -K is the path to the directory for the DNSSEC keys; -a is the algorithm; -b is the key strength; the last argument is the name of the zone
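The two dnssec-keygen calls above fix a key policy: RSASHA256, a 2048-bit ZSK and a 2560-bit KSK. Whether the keys a zone actually publishes match that policy can be read off the DNSKEY records themselves, since the flags field distinguishes ZSK (256) from KSK (257) and the RSA public key carries its modulus in the RFC 3110 layout. The Python below is an added example, not code from the slides or from BIND; the three DNSKEY records it checks are constructed, with filler bytes of the right length instead of real RSA moduli. The same function accepts the DNSKEY line from a `.key` file written by dnssec-keygen or from dig output.

```python
"""Inspect DNSKEY records against the key policy used on the slides
(RSASHA256, 2048-bit ZSK, 2560-bit KSK).

Added example, not code from the slides or from BIND. The three records
below are constructed: the RSA moduli are filler bytes of the right length,
not real keys."""
import base64
import struct

ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
RSA_ALGORITHMS = {5, 7, 8, 10}
FLAG_ZONE_KEY = 0x0100  # RFC 4034: bit 7 set = zone key
FLAG_SEP = 0x0001       # RFC 4034: bit 15 set = secure entry point, i.e. a KSK


def rsa_modulus_bits(key_bytes):
    """RFC 3110 public key layout: exponent length (1 byte, or 0 followed by
    2 bytes), exponent, modulus."""
    if key_bytes[0]:
        exp_len, offset = key_bytes[0], 1
    else:
        exp_len, offset = struct.unpack("!H", key_bytes[1:3])[0], 3
    return int.from_bytes(key_bytes[offset + exp_len:], "big").bit_length()


def inspect_dnskey(rr_text):
    """Parse one DNSKEY line (dig output or a dnssec-keygen .key file, with
    or without TTL) and report owner, role, algorithm and RSA key size."""
    tokens = rr_text.split(";", 1)[0].split()
    idx = tokens.index("DNSKEY")
    flags, protocol, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    key_bytes = base64.b64decode("".join(tokens[idx + 4:]))
    if not flags & FLAG_ZONE_KEY:
        role = "not a zone key"
    elif flags & FLAG_SEP:
        role = "KSK"
    else:
        role = "ZSK"
    return {"owner": tokens[0], "role": role, "protocol": protocol,
            "algorithm": ALGORITHMS.get(alg, f"unknown({alg})"),
            "bits": rsa_modulus_bits(key_bytes) if alg in RSA_ALGORITHMS else None}


def check_key_policy(info, algorithm="RSASHA256", min_bits=None):
    """Return a list of policy violations (empty when the key conforms)."""
    min_bits = min_bits or {"ZSK": 2048, "KSK": 2560}
    findings = []
    if info["protocol"] != 3:
        findings.append(f"protocol {info['protocol']} is not 3")
    if info["algorithm"] != algorithm:
        findings.append(f"algorithm {info['algorithm']} is not {algorithm}")
    need = min_bits.get(info["role"])
    if need and (info["bits"] is None or info["bits"] < need):
        findings.append(f"{info['role']} has {info['bits']} bits, policy wants {need}")
    return findings


def _constructed_dnskey(owner, flags, modulus_bytes):
    """Build a DNSKEY line with exponent 65537 and a filler modulus whose top
    bit is set, so its bit length is exactly modulus_bytes * 8."""
    exponent = (65537).to_bytes(3, "big")
    modulus = b"\x80" + b"\x5a" * (modulus_bytes - 1)
    key = bytes([len(exponent)]) + exponent + modulus
    return f"{owner} IN DNSKEY {flags} 3 8 {base64.b64encode(key).decode()}"


SAMPLE_ZSK = _constructed_dnskey("dnssec.example.de.", 256, 256)   # 2048-bit zone signing key
SAMPLE_KSK = _constructed_dnskey("dnssec.example.de.", 257, 320)   # 2560-bit key signing key
SAMPLE_WEAK = _constructed_dnskey("dnssec.example.de.", 256, 128)  # 1024-bit ZSK, below policy

if __name__ == "__main__":
    for rr in (SAMPLE_ZSK, SAMPLE_KSK, SAMPLE_WEAK):
        info = inspect_dnskey(rr)
        print(info["role"], info["algorithm"], info["bits"], check_key_policy(info) or "ok")
```

Run against a live zone, `dig +short DNSKEY dnssec.example.de` would supply the lines; the protocol field must always be 3, and a DNSKEY with flags 0 or 257 but no matching DS in the parent is the case the chain-of-trust slides warn about, which this record-level check cannot see.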
Signing the zone
# rndc sign dnssec.example.de
# tail -n2 /var/log/named.log
14-Nov-2011 21:58:37.945 zone dnssec.example.de/IN (unsigned): loaded serial 2
14-Nov-2011 21:58:37.946 zone dnssec.example.de/IN (signed): loaded serial 3 (DNSSEC signed)

Annotations on the slide: the first log line shows the unsigned zone being loaded, the second the signed zone being loaded
Making the signed zone file readable
# rndc sync dnssec.example.de
# named-compilezone -f RAW \
    -o dnssec.example.de.txt \
    dnssec.example.de dnssec.example.de.signed

Annotations on the slide: rndc sync writes the latest changes to the zone into the zone file; named-compilezone converts the zone file from RAW format into text format
DNSSEC validation (simplified)
DNSSEC name resolution

[Animated diagram. Actors: a client, the local caching + validating DNS server, and the authoritative name servers of "." (root), "org." and "example.org."; www.example.org. and www.example.com. appear as leaf nodes. The speech bubbles, in the order the slides reveal them:]

Client: What is the address of www.example.org.?
Resolver: What is the address of www.example.org.?  ->  Here is a list of "org." name servers
Resolver: What is the address of www.example.org.?  ->  Here is a list of "example.org." name servers
Resolver: What is the address of www.example.org.?  ->  Here is the address of "www.example.org." plus RRSIG (signatures)
Resolver: What is the public key of example.org.?  ->  Here is the DNSKEY of "example.org." plus RRSIG (signatures)
Resolver: What is the DS of example.org.?  ->  Here is the "delegation signer (DS)" of "example.org." + RRSIG
Resolver: What is the public key (DNSKEY) of "org."?  ->  Here is the public key (DNSKEY) of "org." + RRSIG
Resolver: What is the DS of "org."?  ->  Here is the "delegation signer (DS)" of "org." + RRSIG
Resolver: What is the public key (DNSKEY) of "."?  ->  Here is the public key (DNSKEY) of "." + RRSIG
Resolver: compares the DNSKEY of "." with the trust anchor for "." (root zone) from its configuration file
Resolver to client: Here is the address of "www.example.org." - "Authenticated Data"

Records collected by the validating resolver (the arrow marks a signature over the record listed above it):

Record                   Function
www.example.org. A       IPv4 address
www.example.org. RRSIG   signature ↑
example.org. DNSKEY      public key
example.org. RRSIG       signature ↑
example.org. DS          hash of public key
org. RRSIG               signature ↑
org. DNSKEY              public key
org. RRSIG               signature ↑
org. DS                  hash of public key
. RRSIG                  signature ↑
. DNSKEY                 public key
. RRSIG                  signature ↑
Trust anchor for "."     hash of public key
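The chain of trust in the diagram above, and the DNSKEY/DS/RRSIG records the signing slides produce, as an added Go example (not from the slides, not BIND code): it generates fresh sample Ed25519 keys for ".", "org." and "example.org.", builds the records of the table, and has a resolver walk them from the configured trust anchor down to the A record of www.example.org. Wire formats follow RFC 4034/4509/8080; the TTL, validity period, DNSKEY flags and the address 192.0.2.10 are constructed sample values, and one key per zone stands in for the KSK/ZSK pair that dnssec-keygen creates on the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

const typeA, typeDS, typeDNSKEY, algEd25519 = 1, 43, 48, 15 // RR type codes; Ed25519 algorithm number (RFC 8080)

type Record struct{ Owner string; Type uint16; Rdata, Sig []byte } // one RR plus the RRSIG covering it (single-RR RRsets)

// wireName is the canonical wire form of an owner name (RFC 4034 §6.2); "." becomes {0}.
func wireName(name string) []byte {
	out := []byte{}
	for _, label := range strings.Fields(strings.ReplaceAll(strings.ToLower(name), ".", " ")) {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// keyTag is the key identifier carried in RRSIG and DS records (RFC 4034 Appendix B).
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2)) // even index: high byte, odd index: low byte
	}
	return uint16(ac + (ac>>16)&0xFFFF)
}

// dsRdata is the slide's "hash of public key": key tag, algorithm, digest type 2, SHA-256(owner name || DNSKEY RDATA) (RFC 4034 §5.1.4, RFC 4509).
func dsRdata(owner string, dnskey []byte) []byte {
	sum := sha256.Sum256(append(wireName(owner), dnskey...))
	return append(append(binary.BigEndian.AppendUint16(nil, keyTag(dnskey)), algEd25519, 2), sum[:]...)
}

// signedData is what an RRSIG signs (RFC 4034 §3.1.8.1): the RRSIG RDATA without its signature field, then the canonical RR.
func signedData(r, key Record) []byte {
	be, labels := binary.BigEndian, byte(len(strings.Fields(strings.ReplaceAll(r.Owner, ".", " "))))
	d := append(be.AppendUint16(nil, r.Type), algEd25519, labels)
	d = be.AppendUint32(be.AppendUint32(be.AppendUint32(d, 3600), 1700000000), 1600000000) // original TTL, expiration, inception: fixed sample values
	d = append(be.AppendUint16(d, keyTag(key.Rdata)), wireName(key.Owner)...)
	d = append(d, wireName(r.Owner)...) // canonical RR: owner | type | class IN | TTL | rdlength | rdata
	d = be.AppendUint32(be.AppendUint16(be.AppendUint16(d, r.Type), 1), 3600)
	return append(be.AppendUint16(d, uint16(len(r.Rdata))), r.Rdata...)
}

// sign returns r with an RRSIG made by priv, the private half of DNSKEY record key.
func sign(priv ed25519.PrivateKey, key, r Record) Record {
	r.Sig = ed25519.Sign(priv, signedData(r, key))
	return r
}

// verifyRRSIG checks r's signature with the public key carried in DNSKEY record key.
func verifyRRSIG(r, key Record) bool {
	return key.Type == typeDNSKEY && len(key.Rdata) == 4+ed25519.PublicKeySize &&
		ed25519.Verify(ed25519.PublicKey(key.Rdata[4:]), signedData(r, key), r.Sig)
}

// validateChain plays the slide's resolver: the configured trust anchor (a DS for ".") must match the root DNSKEY, which signs
// the DS for "org.", and so on down to the A record. It returns the AD ("Authenticated Data") decision and, on failure, where the chain broke.
func validateChain(trustAnchor []byte, chain []Record) (bool, string) {
	ds, key := trustAnchor, Record{}
	for _, r := range chain {
		switch {
		case r.Type == typeDNSKEY && string(ds) == string(dsRdata(r.Owner, r.Rdata)) && verifyRRSIG(r, r):
			key = r // the key the DS promised, and the DNSKEY RRset is self-signed
		case r.Type == typeDS && verifyRRSIG(r, key):
			ds = r.Rdata // the parent vouches for the hash of the child's key
		case r.Type != typeDS && r.Type != typeDNSKEY && verifyRRSIG(r, key): // ordinary data signed by the authenticated zone key
		default:
			return false, r.Owner
		}
	}
	return key.Type == typeDNSKEY, ""
}

// buildScenario constructs the slide's records with freshly generated sample keys (not a real zone): every zone self-signs
// its DNSKEY, each parent signs its child's DS, and example.org. signs the A record of www.example.org.
func buildScenario() (trustAnchor []byte, chain []Record) {
	var parentPriv ed25519.PrivateKey
	for _, name := range []string{".", "org.", "example.org."} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored: crypto/rand does not fail in practice
		key := Record{Owner: name, Type: typeDNSKEY, Rdata: append([]byte{1, 1, 3, algEd25519}, pub...)} // flags 257 (ZONE|SEP), protocol 3
		ds := Record{Owner: name, Type: typeDS, Rdata: dsRdata(name, key.Rdata)}
		if parentPriv != nil {
			ds = sign(parentPriv, chain[len(chain)-1], ds) // the parent's DNSKEY is the last record appended so far
		}
		chain = append(chain, ds, sign(priv, key, key))
		parentPriv = priv
	}
	a := sign(parentPriv, chain[len(chain)-1], Record{Owner: "www.example.org.", Type: typeA, Rdata: []byte{192, 0, 2, 10}}) // constructed address
	return chain[0].Rdata, append(chain[1:], a) // the root's DS has no signer: it is the trust anchor a resolver reads from its configuration file
}

func main() { fmt.Println(validateChain(buildScenario())) } // prints "true " for the untampered chain
```

Altering any record after the fact (the address, a DNSKEY, or the configured trust anchor) makes validateChain return false together with the owner name at which the chain broke, which is the point at which a real resolver would withhold the AD flag.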
DNS clients and DNS resolver combinations

[Animated diagram with no prose on the slides. Components: an authoritative server for insecure.com (first shown as "not compromised", later as "compromised"), a legacy DNS resolver, a DNSSEC validating resolver, a classic DNS stub resolver, a DNSSEC aware non-validating stub-resolver and a DNSSEC validating application. The arrows carry DNS header flags and EDNS bits: RD (recursion desired) on the queries from the stub resolvers and the application to the resolvers, RA (recursion available) on the resolvers' answers, AA (authoritative answer) on the answers from the authoritative server, DO (DNSSEC OK) on the queries of the DNSSEC validating resolver, the DNSSEC aware stub-resolver and the validating application, and CD (checking disabled) on the validating application's queries (RD, DO, CD).]

[Next case, begun on the last slide of this excerpt: secure.org (not compromised); labels shown so far: AA, DO, AA, RRSIG, DNSSEC]
validating
resolver
legacy DNS
resolver
RD
classic DNS
stub resolver
classic DNS
stub resolver
DO
DNSSEC
validating
resolver
RD
RA
AA
RRSIG
RA
AA
RRSIG
DO
DNSSEC
validating
resolver
RD
DO
DNSSEC aware
non-validating
stub-resolver
RD
DO
CD
RA
AD
RA
RRSIG
DNSSEC
validating
Application
© Men & Mice http://menandmice.com Thursday 30 October 14
DNS Clients und DNS Resolver Kombinationen
secure.org
(compromised)
AA
DO
AA
RRSIG
DNSSEC
validating
resolver
legacy DNS
resolver
RD
classic DNS
stub resolver
classic DNS
stub resolver
DO
SRVFAIL
AA
RRSIG
DO
DNSSEC
validating
resolver
RD
RA
AA
RRSIG
DNSSEC
validating
resolver
RD
DO
DNSSEC aware
non-validating
stub-resolver
RD
DO
CD
SRVFAIL
RA
RRSIG
DNSSEC
validating
Application
© Men & Mice http://menandmice.com Thursday 30 October 14
DNS Clients und DNS Resolver Kombinationen
secure.org
(compromised)
AA
DO
AA
RRSIG
DNSSEC
validating
resolver
legacy DNS
resolver
RD
classic DNS
stub resolver
classic DNS
stub resolver
DO
SRVFAIL
AA
RRSIG
DO
DNSSEC
validating
resolver
RD
RA
AA
RRSIG
DNSSEC
validating
resolver
RD
DO
DNSSEC aware
non-validating
stub-resolver
RD
DO
CD
SRVFAIL
RA
RRSIG
DNSSEC
validating
Application
© Men & Mice http://menandmice.com Thursday 30 October 14
Windows 7 / 8
secure.org
(compromised)
AA
DO
IPsec
tunnel
legacy DNS
resolver
RD
DO
DNSSEC aware
non-validating
stub-resolver
RA
AD-Flag missing
on secure zone
= insecure DNS resolver
© Men & Mice http://menandmice.com Thursday 30 October 14
DNSSEC Validation on the Internet
DNSSEC on the Internet
• the DNS root zone has been signed since summer 2010
• most ccTLDs and gTLDs are DNSSEC signed
• measurements* show that 10-14% of DNS queries can be validated with DNSSEC
* http://gronggrong.rand.apnic.net/cgi-bin/worldmap
DNSSEC Validation in the Web Browser
• DNSSEC and DANE extension for Firefox, Google Chrome, Opera and Internet Explorer (http://www.dnssec-validator.cz/)
http://dnssec-or-not.org
http://dnssectest.sidn.nl
DANE
• RFC 6394: Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
• RFC 6698: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
• securing SSL/TLS certificates with DNSSEC
DNSSEC secures various Internet protocols
• protocols that can be secured via DNSSEC:
• TLSA – HTTPS certificates
• SSHFP – ssh known_hosts key fingerprints in DNS (RFC 4255 - implemented in OpenSSH)
• IPSECKEY – IPsec public RSA keys in DNS
• CERT - GnuPG/PGP keys (RFC 4398)
• OPENPGPKEY - GnuPG/PGP keys (new draft)
• S/MIME – S/MIME keys in DNS
• SMTP/TLSA – STARTTLS certificates in DNS
• SRV - service discovery
DANE acronyms
• RFC 7218 "Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)" (April 2014)
The TLSA Record
shell> dig _443._tcp.bundy-dns.de tlsa +m +noall +answer
; <<>> DiG 9.9.4-P2 <<>> _443._tcp.bundy-dns.de tlsa +m +noall +answer
;; global options: +cmd
_443._tcp.example.com. 3581 IN TLSA 3 0 1 (
DD1B43FFD9672EE612529A1619CA24D27E22E51B1143
7BDBE56068CB57AE957B )
[Slide annotations on the record: owner name = port (_443), transport protocol (_tcp), host; rdata = certificate usage (3), selector (0), hash algorithm / matching type (1), certificate or hash]
TLSA Record - Certificate usage
Value   Acronym    Description
0       PKIX-TA    CA constraint
1       PKIX-EE    Service certificate constraint
2       DANE-TA    Trust anchor assertion
3       DANE-EE    Domain-issued certificate
4-254   --         Unassigned
255     PrivCert   Private Use
TLSA Record - Selectors
Value   Acronym    Description
0       Cert       Full certificate
1       SPKI       SubjectPublicKeyInfo
2-254   --         Unassigned
255     PrivSel    Private Use
TLSA Record - Matching Types
Value   Acronym    Description
0       Full       No hash used
1       SHA2-256   SHA2 256 bit hash
2       SHA2-512   SHA2 512 bit hash
3-254   --         Unassigned
255     PrivMatch  Private Use
TLSA Record with ldns-dane
• generate a TLSA record with ldns-dane:
# ldns-dane create www.example.com 443
_443._tcp.www.example.com. 3600 IN TLSA 3 0 1
aa0914c30428d804e92e1b68b38afea5b0e5721793f15fea60cf31fe44e275b7
TLSA manually with OpenSSL
• TLSA tutorial:
http://blog.huque.com/2012/10/dnssec-and-certificates.html
• generate the TLSA hash manually (SHA-256 over the DER-encoded certificate):
$ openssl x509 -in www.example.com.crt -outform DER | openssl sha256
(stdin)= 8cb0fc6c527506a053f4f14c8464bebbd6dede2738d11468dd953d7d6a3021f1
• TLSA record:
_443._tcp.www.example.com. IN TLSA ( 3 0 1
d2abde240d7cd3ee6b4b28c54df034b9
7983a1d16e8a410e4561cb106618e971 )
Generating TLSA with hash-slinger
• generate a TLSA record with hash-slinger:
$ tlsa --create --output rfc --usage 3 --certificate example.crt www.example.com
_443._tcp.www.example.com. IN TLSA 3 0 1 (
8cb0fc6c527506a053f4f14c8464bebbd6dede2738d11468dd953d7d6a3021f1 )
• or:
$ tlsa www.example.com
_443._tcp.www.example.com. IN TLSA 3 0 1 (
8cb0fc6c527506a053f4f14c8464bebbd6dede2738d11468dd953d7d6a3021f1 )
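The field semantics from the TLSA record slide and the three tables, and the hash computation that the ldns-dane, openssl and hash-slinger slides perform, as an added Python example (not from the deck and not the code of those tools): it computes the certificate association data for any selector / matching type, parses a presentation-format record and checks whether a certificate matches it. The minimal DER walker and the toy certificate are constructed for this example; the toy certificate has valid DER nesting but dummy field contents.

```python
import hashlib
# RFC 7218 acronyms for the three TLSA parameter fields, as listed in the slide tables
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE", 255: "PrivCert"}
SELECTOR = {0: "Cert", 1: "SPKI", 255: "PrivSel"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512", 255: "PrivMatch"}

def der_tlv(data, pos=0):                           # (tag, header_length, content_length) at pos
    tag, ln, hdr = data[pos], data[pos + 1], 2
    if ln & 0x80:                                   # long-form length
        hdr += ln & 0x7F
        ln = int.from_bytes(data[pos + 2:pos + hdr], "big")
    return tag, hdr, ln

def extract_spki(cert_der):                         # SubjectPublicKeyInfo element (selector 1)
    pos = der_tlv(cert_der)[1]                      # enter the Certificate SEQUENCE
    pos += der_tlv(cert_der, pos)[1]                # enter the tbsCertificate SEQUENCE
    tag, hdr, ln = der_tlv(cert_der, pos)
    if tag == 0xA0:                                 # skip the optional [0] EXPLICIT version
        pos += hdr + ln
    for _ in range(5):                              # skip serial, signature, issuer, validity, subject
        _, hdr, ln = der_tlv(cert_der, pos)
        pos += hdr + ln
    _, hdr, ln = der_tlv(cert_der, pos)
    return cert_der[pos:pos + hdr + ln]

def tlsa_data(cert_der, selector, matching):        # certificate association data, as hex
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:                               # Full: the raw DER, no hash
        return blob.hex()
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(blob).hexdigest()

def parse_tlsa(rdata):                              # e.g. '3 0 1 ( DD1B... 7BDB... )'
    parts = rdata.replace("(", " ").replace(")", " ").split()
    u, s, m = (int(p) for p in parts[:3])
    return {"usage": u, "selector": s, "matching": m, "data": "".join(parts[3:]).lower(),
            "acronyms": (USAGE.get(u, "Unassigned"), SELECTOR.get(s, "Unassigned"),
                         MATCHING.get(m, "Unassigned"))}

def tlsa_matches(rdata, cert_der):                  # does the certificate satisfy the record?
    rec = parse_tlsa(rdata)
    return tlsa_data(cert_der, rec["selector"], rec["matching"]) == rec["data"]

def der(tag, content):                              # short-form DER encoder for the sample below
    return bytes([tag, len(content)]) + content

# Constructed toy certificate: correct DER nesting, dummy field contents (not a real X.509 cert)
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
                  + der(0x03, b"\x00" + b"\x11" * 8))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                            + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
```

For a real certificate, read the DER bytes (openssl x509 -outform DER) into cert_der; selector 0 with matching type 1 then reproduces the openssl sha256 output from the slide.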
generate TLSA records
• TLSA generator:
https://www.huque.com/bin/gen_tlsa
• ldns-dane from the "ldns" project:
https://www.nlnetlabs.nl/projects/ldns/
• "hash-slinger" by Paul Wouters (Red Hat/Fedora):
http://people.redhat.com/pwouters/hash-slinger/
Thank you
E-Mail:
[email protected]
[email protected]