DNSSEC for Everybody: A Beginner's Guide
Prague, Czech Republic, 25 June 2012
The Schedule
This is Ugwina. She lives in a cave on the edge of the Grand Canyon...
This is Og. He lives in a cave on the other side of the Grand Canyon...
It’s a long way down and a long way round. Ugwina and Og don’t get to talk much...
On one of their rare visits, they notice the smoke coming from Og’s fire
...and soon they are chatting regularly using smoke signals
Until one day, mischievous caveman Kaminsky moves in next door to Og and starts sending smoke signals too...
Now Ugwina is really confused. She doesn’t know which smoke to believe...
So Ugwina sets off down the canyon to try and sort out the mess...
Ugwina and Og consult the wise village elders. Caveman Diffie thinks that he might have a cunning idea...
And in a flash, he jumps up and runs into Og's cave...!
Right at the back, he finds a pile of strangely coloured sand that has only ever been found in Og's cave...
And with a skip, he rushes out and throws some of the sand onto the fire. The smoke turns a magnificent blue...
Now Ugwina and Og can chat happily again, safe in the knowledge that nobody can interfere with their conversation…
Introduction to DNSSEC
Roy Arends, Nominet UK
High level concept of DNS
[Tree diagram: root at the top; below it the TLDs uk, com and sn; below those co.uk, bigbank.com and nic.sn]
High level concept of DNS
• A resolver knows where the root-zone is
• Traverses the DNS hierarchy
• Each level refers the resolver to the next level
• Until the question has been answered
• The resolver caches all that information for future use.
…Ugwina, the resolver, chatting with Og, the server…
High level concept of DNS
[Tree diagram: root; below it uk, com and sn; bigbank.com (www) under com]
High level concept of DNS
• There is no security
• Names are easily spoofed
• Caches are easily poisoned
…Ugwina, the resolver, is confused. She doesn't know who the real Og is…
High level concept of DNS
[Tree diagram: root; below it uk, com and sn; two bigbank.com (www) entries under com, one genuine and one spoofed]
DNSSEC is the solution
• DNSSEC uses digital signatures to assure that information is correct and came from the right place.
• The keys and signatures to verify the information are stored in the DNS as well
• Since DNS is a lookup system, keys can simply be looked up, like any data.
…Ugwina, the resolver, can verify that the real Og sends the message…
High level concept of DNSSEC
• A resolver knows what the root-key is
• It builds a Chain of Trust:
  – Each level signs the key of the next level
  – Until the chain is complete
High level concept of DNSSEC
[Tree diagram: root, com and bigbank.com (www) each carry a signature marker, linking them into a chain; a second bigbank.com (www) entry carries a different marker and is not part of the chain; uk and sn are unmarked]
A Sample DNSSEC Implementation & Guide to Deployment Options
Russ Mundy, SPARTA
DNSSEC Implementation Samples
• DNSSEC implementation depends upon & is mostly driven by an activity's DNS functions
  – DNS is made up of many parts, e.g., name server operators, applications, users, name holders ("owners"), DNS provisioning
  – Activities with large, complex DNS functions are more likely to have more complex DNSSEC implementation activities
• Also more likely to have DNS knowledgeable staff
DNSSEC Implementation Samples, Continued
• DNS size and complexity examples:
  – Registry responsible for a large TLD operation, e.g., .com
  – Substantial enterprise with many components with many geographic locations, e.g., hp.com
  – Internet-based businesses with a number of business critical zones, e.g., www.verisign.com
  – Activities with non-critical DNS zones, e.g., net-snmp.org
  – Proverbial Internet end users (all of us here)
Zones
[Tree diagram: TLDs cc, com, net, tv, name, info and org; second-level zones verisign, cnn and hp; third-level zones www, corp, hpl, www, money, www; fourth-level zones holmes, winnie, www]
General Principle:
• If an activity does a lot with their DNS functions and operations then they probably will want to do a lot with the associated DNSSEC pieces;
• If an activity does little or nothing with their DNS functions and operations then they probably will want to do little or nothing with the associated DNSSEC pieces.
DNS Zone Content Flow (for example, www.icann.org or www.cnn.com)
[Figure "DNS Content Picture": zone content moves from the Provisioning Area (Registrants, Registrars, Registries; "Content Starts Here", "Content Input") to the Publication Area (Zone Name Servers, DNS Resolvers, User Applications; "Content Used Here", "Content Output")]
Questions for Everyone ...
• Do you know WHERE you get your DNS name(s) from?
• Do you know WHO operates the DNS name servers for your name(s)?
Simple Illustration of DNS Components
[Figure: the name holder ("I need to have a WWW record") adds the record to the Zone Data, which is published to the Authoritative Server; the End User's Client sends "1. Request www" to the Recursive Server, which sends "2. Request www" to the Authoritative Server, receives "3. www is 1.2.3.4" and returns "4. www is 1.2.3.4" to the Client]
Name Resolution
[Figure: Internet User, Recursive Name Server, Root Name Servers (root-servers.net, a to m), .com/.net Name Servers (gtld-servers.net, a to m), cnn.com Name Servers (ns1 to ns4) and the cnn.com Web Site (www.cnn.com). The recursive server asks "www.cnn.com IP?" of the root and is referred to the .com name servers; asks "www.cnn.com IP?" of .com and is referred to the cnn.com name servers; asks "www.cnn.com IP?" of cnn.com and gets the www.cnn.com IP, which it returns to the user; the user then sends the HTTP request and receives the HTTP response]
DNS Basic Functions
• DNS provides the translation from names to network addresses
• Get the right DNS content to Internet users
• IT'S DNS ZONE DATA THAT MATTERS!
How Does DNSSEC Fit?
• DNSSEC required to thwart attacks on DNS CONTENT
  – DNS attacks used to attack Internet users' applications
• Protect DNS ZONE DATA as much as (or more than) any DNSSEC information
• Including DNSSEC private keys!!
DNS Zone Content Flow (for example, www.icann.org or www.cnn.com)
[Figure: the same "DNS Content Picture" as on the earlier Zone Content Flow slide (Provisioning Area: Registrants, Registrars, Registries; Publication Area: Zone Name Servers, DNS Resolvers, User Applications), now annotated "DNSSEC specs HERE"]
Implementation Samples
• In general, try to do DNSSEC in the same way that you are doing DNS
Simple Addition of DNSSEC (there are both much more and less complex setups than this)
[Figure: as in the DNS components illustration, but the name holder needs "a signed WWW record": the new record is added to the Zone Data, the zone is signed to produce Signed Data, which is published to the Authoritative Server; the Client's "1. Request www" now goes to a Validating Recursive Server, which sends "2. Request www", receives "3. www is 1.2.3.4" and returns "4. www is 1.2.3.4" to the Client]
Implementation Samples
• If you're running much or all of your DNS functions and operations, DNSSEC implementation could be based on:
  – Extend DNS operation to incorporate DNSSEC;
  – Use open source DNSSEC tools (e.g., from www.dnssec-tools.org or opendnssec.org);
  – Use commercial DNSSEC products;
  – Use DNSSEC signing services;
  – Mix elements from all of the above
Implementation Samples
• If DNS functions and operations are being done with one (or several) software & hardware products, find out if the product providers have (or will) incorporate DNSSEC to support your DNS functions and operations.
  – If not, push them for adding DNSSEC to their products; or
  – Examine additional or different products or services that will provide DNSSEC, e.g., DNSSEC signing services.
Implementation Samples
• If you are the holder ("owner") of names but out-source DNS functions and operations, e.g., to your registrar, then determine if the out-source offers DNSSEC capability.
  – If not, push on them to develop and offer DNSSEC capability
  – Consider using a different out-source DNS service
  – Consider developing in-house DNS (and DNSSEC) capabilities
Thank You and Questions