DNSSEC update TF Mobility, Vienna

Size: px

Start display at page:

Download "DNSSEC update TF Mobility, Vienna"

Walter Lang
8 years ago
Views:

1 DNSSEC update TF Mobility, Vienna Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 18th 2010

2 Overview - Introduction - DNSSEC validation on resolvers - Update on what we ve learned so far - What you can do - DNSSEC signing - Status of the root zone & (g)tld s - Our plans for Status of OpenDNSSEC - What you can do - One more thing... (or maybe two ;-) 2

Status of the root zone & (g)tld s - Our plans for 2010 - Status

3 Current validation rates - Validation rates are around 1-2%: 3

4 Validation running amok - Strange validation failures: Feb 4 14:28:25 ns0 unbound: [18112:0] info: validation failure <time-a.nist.gov. A IN>: no signatures from for key nist.gov. while building chain of trust Feb 4 14:30:32 ns0 unbound: [18112:0] info: validation failure <time.nist.gov. A IN>: no signatures from for key nist.gov. while building chain of trust 4 - We re in constant contact with NLnetLabs to solve these issues

A IN>: no signatures from 132.163.4.9 for key nist.gov.

5 The ARIN incident - Around September 4th 09 we noticed that lot s of reverse lookups (PTR) suddenly failed to validate - At first we thought it was an Unbound issue - We worked with the guys from NLnetLabs for 5 days in a row - We analysed over 500MB of DNS queries (packets are usually just 512 bytes!) - It was not a bug in Unbound... 5

worked with the guys from NLnetLabs for 5 days in a row - We analysed over 500MB of

6 The ARIN incident - chia.arin.net was the culprit - It has both an IPv4 as well as an IPv6 address - IPv4 (A) could be queried for - IPv6 (AAAA) could not be queried for - But the glue for arin.net contained an AAAA record - Once that AAAA record was cached, IPv6 is also used to access this server - The server gave DNSSEC answers on IPv4 but not on IPv6 - Made about 1 in 12 reverse validations fail - At first, ARIN s hostmaster ignored our message... but pulling some strings helped - Issue was quietly solved on Sep. 15th 09 6

7 7 Common validation failures - Some US government agencies seem unable to get DNSSEC right: Feb 10 04:16:43 ns0 unbound: [5973:1] info: validation failure <USPTO.GOV. MX IN>: no signatures from for key USPTO.GOV. while building chain of trust Feb 10 04:53:00 ns0 unbound: [5973:0] info: validation failure <gk-w-mail.srvs.usps.gov. A IN>: no signatures over NSEC3s from for DS gk-w-mail.srvs.usps.gov. while... Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure < A IN>: no DS... - Others include.cz and.bg domains: Feb 10 13:47:35 ns0 unbound: [5973:0] info: validation failure < A IN>: No DNSK... Feb 10 13:37:17 ns0 unbound: [5973:0] info: validation failure <ns.unicycle.cz. A IN>: no k... - Anybody here from the University of Lissabon? Feb 15 19:10:25 ns0 unbound: [5973:1] info: validation failure <FM.UL.PT. MX IN>: no NSEC3 records from 2001:690:21c0:b::150 for DS FM.UL.PT. while building chain of trust - And of course there was the.se or rather the not.se. incident last year

25 for DS gk-w-mail.srvs.usps.gov. while... Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure <www.hud.gov. A IN>: no DS... - Others include.cz and.

8 Getting rid of interim solutions - Currently most people that validate use either ITAR or DLV to obtain trust anchors - Stock distributions have pre-packaged configurations for common resolvers that contain trust anchors - Unfortunately, these are not kept up-to-date! - Lesson learned: When the root gets signed, make sure you purge old trust anchors! 8

contain trust anchors - Unfortunately, these are not kept up-to-date! http://www.potaroo.

9 Firewalls and other M-i-t-M - DNSSEC uses the EDNS0 extension (RFC 2671) - For larger messages (signature RRs!) - For the DO-bit (DNSSEC OK) - Some network hardware blocks DNSSEC traffic - Firewalls stop UDP packets: - Over 512 bytes in size on port 53 - Blocking fragmented UDP packets - People block TCP on port 53 on their firewall 9 - SOHO routers interfere with DNS traffic - Many broken DNS implementations - Read the Nominet report: dnssec-cpe/dnssec-cpe-report.pdf

in size on port 53 - Blocking fragmented UDP packets - People block TCP on port 53 on their firewall 9 - SOHO routers

10 What you can do - Start validating on your resolvers - Use BIND, Unbound or even Windows Server 2008 R2 - Advantages: - Your users immediately profit from signed domains - Gain real-life DNSSEC experience - Find out and solve issues before the root is signed - Disadvantages: - Badly managed domains (US gov?) disappear - Nasty firewall issues become apparent - Root not yet signed so you have to rely on DLV or ITAR - B.T.W.: BIND 9.5 sets the DO-bit by default so most of you already ask for DNSSEC answers 10

signed - Disadvantages: - Badly managed domains (US gov?

11 Signing: the status - Root to be signed July 1st L-root and A-root now serve DNSSEC records - J-root is the last planned on May 5th - Follow the project on - Lot s of new TLD s have been signed:.ch,.li,.pt,.tm,.us,.na,.th - Lot s of TLD s have announced dates:.cl,.my,.nl,.uk,.edu,.com,.net - And there are testbeds:.de,.eu 11

root-dnssec.org - Lot s of new TLD s have been signed:.ch,.li,.pt,.tm,.us,.na,.

12 Our plans for DNSSEC as part of our managed DNS service: 12

13 Our plans for Project approved and started on Feb. 1st - Will use 2x Safenet Luna SA HSM to store key material - Will use OpenDNSSEC as signer engine - Project runs until the end of Q3 - Our goal: 13

14 Status of OpenDNSSEC - OpenDNSSEC 1.0 has been released - Packages for distributions are being prepared - Is a real first release, i.e. your mileage may vary (it works but there s room for improvement) - Used by.uk and.se to sign their zones - OpenDNSSEC 1.1 (±March 2010) - Performance improvements - EPP plugin - Changes to auditing process - OpenDNSSEC 1.2 (±May 2010) - Signer engine in C instead of Python - OpenDNSSEC Lot s of new features (IXFR, web interface, continuous signing,...) 14

uk and.se to sign their zones - OpenDNSSEC 1.

15 What you can do - Test OpenDNSSEC and give lots of feedback - Plan for the future: - Are you going to sign your domains? - Do you want/need to offer signing services to your customers? - Plan for problem situations (e.g. when the root is signed) - Share your experiences with the rest of us! -...attend DNSSEC BoF at TNC 2010? 15

- Do you want/need to offer signing services to your customers?

16 One more thing... - Should eduroam.org be signed? - There was some discussion about this at the TNC 2009 DNSSEC BoF - DNSSEC strictly speaking not needed for RADSEC - Who should be responsible? - If it s done, who will be involved? - DNSSEC monitoring/auditing - External tool to check zone integrity - Checks DNSSEC stuff - Based on existing tools?

not needed for RADSEC - Who should be responsible? - If it s done, who will be involved?

17 That s all folks... Questions?? Thank you for your attention! Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl Presentation released under Creative Commons ( 17

DNSSEC Applying cryptography to the Domain Name System

DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC