• No results found

DNSSEC update TF Mobility, Vienna

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "DNSSEC update TF Mobility, Vienna"

Copied!
17
0
0

Loading.... (view fulltext now)

Download now ( 17 Page )

Full text

(1)

DNSSEC update

TF Mobility, Vienna Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl

(2)

SURFnet. We make innovation work

Overview

- Introduction

- DNSSEC validation on resolvers

- Update on what we’ve learned so far - What you can do

- DNSSEC signing

- Status of the root zone & (g)TLD’s - Our plans for 2010

- Status of OpenDNSSEC - What you can do

- One more thing... (or maybe two ;-)

(3)

Current validation rates

(4)

- Strange validation failures:

- We’re in constant contact with NLnetLabs to solve these issues

Validation running amok

4

Feb 4 14:28:25 ns0 unbound: [18112:0] info: validation failure <time-a.nist.gov. A IN>: no signatures from 132.163.4.9 for key nist.gov. while building chain of trust

Feb 4 14:30:32 ns0 unbound: [18112:0] info: validation failure <time.nist.gov. A IN>: no signatures from 129.6.13.2 for key nist.gov. while building chain of trust

(5)

The ARIN incident

- Around September 4th ’09 we noticed that lot’s of reverse lookups (PTR) suddenly

failed to validate

- At first we thought it was an Unbound issue - We worked with the guys from NLnetLabs for

5 days in a row

- We analysed over 500MB of DNS queries (packets are usually just 512 bytes!)

(6)

SURFnet. We make innovation work

The ARIN incident

- chia.arin.net was the culprit

- It has both an IPv4 as well as an IPv6 address - IPv4 (A) could be queried for

- IPv6 (AAAA) could not be queried for

- But the glue for arin.net contained an AAAA record

- Once that AAAA record was cached, IPv6 is also used to access this server

- The server gave DNSSEC answers on IPv4 but not on IPv6

- Made about 1 in 12 reverse validations fail

- At first, ARIN’s hostmaster ignored our

message... but pulling some strings helped - Issue was quietly solved on Sep. 15th ’09

(7)

Common validation failures

Feb 10 04:16:43 ns0 unbound: [5973:1] info: validation failure <USPTO.GOV. MX IN>: no signatures from 151.207.246.51 for key USPTO.GOV. while building chain of trust

Feb 10 04:53:00 ns0 unbound: [5973:0] info: validation failure <gk-w-mail.srvs.usps.gov. A IN>: no signatures over NSEC3s from 56.0.141.25 for DS gk-w-mail.srvs.usps.gov. while... Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure <www.hud.gov. A IN>: no DS...

Feb 10 13:47:35 ns0 unbound: [5973:0] info: validation failure <www.atol.bg. A IN>: No DNSK... Feb 10 13:37:17 ns0 unbound: [5973:0] info: validation failure <ns.unicycle.cz. A IN>: no k...

- Some US government agencies seem unable to get DNSSEC right:

- Others include .cz and .bg domains:

- Anybody here from the University of Lissabon? - And of course there was the “.se” or rather the

not “.se.” incident last year

Feb 15 19:10:25 ns0 unbound: [5973:1] info: validation failure <FM.UL.PT. MX IN>: no NSEC3 records from 2001:690:21c0:b::150 for DS FM.UL.PT. while building chain of trust

(8)

SURFnet. We make innovation work

Getting rid of interim solutions

- Currently most people that validate use either ITAR or DLV to obtain trust anchors - Stock distributions have pre-packaged

configurations for common resolvers that contain trust anchors

- Unfortunately, these are not kept up-to-date!

http://www.potaroo.net/ispcol/2010-02/rollover.pdf

- Lesson learned:

When the root gets signed, make sure you purge old trust anchors!

(9)

Firewalls and other M-i-t-M

- DNSSEC uses the EDNS0 extension (RFC 2671)

- For larger messages (signature RRs!) - For the DO-bit (DNSSEC OK)

- Some network hardware blocks DNSSEC traffic - Firewalls stop UDP packets:

- Over 512 bytes in size on port 53 - Blocking fragmented UDP packets

- People block TCP on port 53 on their firewall - SOHO routers interfere with DNS traffic

- Many broken DNS implementations

- Read the Nominet report: http://download.nominet.org.uk/ dnssec-cpe/DNSSEC-CPE-Report.pdf

(10)

SURFnet. We make innovation work

What you can do

- Start validating on your resolvers

- Use BIND, Unbound or even Windows Server 2008 R2

- Advantages:

- Your users immediately profit from signed domains - Gain real-life DNSSEC experience

- Find out and solve issues before the root is signed

- Disadvantages:

- Badly managed domains (US gov?) “disappear” - Nasty firewall issues become apparent

- Root not yet signed so you have to rely on DLV or ITAR

- B.T.W.: BIND ≥ 9.5 sets the DO-bit by default so

most of you already ask for DNSSEC answers

(11)

Signing: the status

- Root to be signed July 1st 2010

- L-root and A-root now serve DNSSEC records - J-root is the last planned on May 5th

- Follow the project on www.root-dnssec.org

- Lot’s of new TLD’s have been signed: .ch, .li, .pt, .tm, .us, .na, .th

- Lot’s of TLD’s have announced dates: .cl, .my, .nl, .uk, .edu, .com, .net

- And there are testbeds: .de, .eu

(12)

SURFnet. We make innovation work

Our plans for 2010

- DNSSEC as part of our managed DNS service:

(13)

Our plans for 2010

- Project approved and started on Feb. 1st - Will use 2x Safenet Luna SA HSM to store

key material

- Will use OpenDNSSEC as signer engine - Project runs until the end of Q3

(14)

SURFnet. We make innovation work

Status of OpenDNSSEC

- OpenDNSSEC 1.0 has been released

- Packages for distributions are being prepared

- Is a real “first release”, i.e. your mileage may vary (it works but there’s room for improvement)

- Used by .uk and .se to sign their zones

- OpenDNSSEC 1.1 (±March 2010)

- Performance improvements - EPP plugin

- Changes to auditing process

- OpenDNSSEC 1.2 (±May 2010)

- Signer engine in C instead of Python

- OpenDNSSEC 2.0

- Lot’s of new features (IXFR, web interface, continuous signing, ...)

(15)

What you can do

- Test OpenDNSSEC and give lots of feedback - Plan for the future:

- Are you going to sign your domains?

- Do you want/need to offer signing services to your customers?

- Plan for problem situations (e.g. when the root is signed)

- Share your experiences with the rest of us! - ...attend DNSSEC BoF at TNC 2010?

(16)

SURFnet. We make innovation work

One more thing...

- Should eduroam.org be signed?

- There was some discussion about this at the TNC 2009 DNSSEC BoF

- DNSSEC strictly speaking not needed for RADSEC - Who should be responsible?

- If it’s done, who will be involved?

- DNSSEC monitoring/auditing

- External tool to check zone integrity - Checks DNSSEC stuff

- Based on existing tools? - http://dnscheck.iis.se

(17)

That’s all folks... Questions?

?

Thank you for your attention!

Roland van Rijswijk

roland.vanrijswijk [at] surfnet.nl

Presentation released under Creative Commons

References

Download now ( PDF - 17 Page - 2.20 MB )

Related documents

1.3. Please make sure that you:

6.6.2 If two periods of accident or sickness (each resulting from the same or a related condition) are separated by less than 6 consecutive months of full-time employment, we

WHEN THE GOING GETS TOUGH, RODA GETS TOUGHER.

The standard version of the Panther DE13 and DS13 can be extended at any time with Fischer military round connectors. A wide range of interfaces is available as

Post-Western World Orders and East Asian Future

Between 2013 and 2015, the establishment of new initiatives, such as the AIIB or the Silk Road Fund, has grown in parallel with China’s consistent engagement with other

27th session 20 December Resolution A.1045(27) Adopted on 30 November 2011 (Agenda item 9) PILOT TRANSFER ARRANGEMENTS

Means should be provided to ensure safe, convenient and unobstructed passage for any person embarking on, or disembarking from, the ship between the head of the pilot ladder, or

ISY994 Series Network Security Configuration Guide Requires firmware version Requires Java 1.7+

If you wish to create a self signed certificate, make sure to enter and/or update (in case you are working on an existing certificate) all the necessary information in the fields

from the Retiree Activities Office

You will receive an email about 10 days before your password expires to make sure you know to update your password and avoid any delays when you need to access your account. Make

Introduction, descriptive statistics, R and data visualization

The reason for most often measuring “mean deviation” NOT by the Mean Absolute Deviation statistics but rather by the sample standard deviation s anyhow, is the so-called

485558-Step-By-step Installing ESXi as a Virtual Machine

If any virtual machines of any significance are to be run on the virtual ESXi server, consider using 4 GB or more for the virtual machine's RAM configuration.. Be sure to ensure