(as lots of other internet things)
• Protocol designed without security in mind, or even UDP packets larger than 512 bytes
• Lots of stuff relies on DNS, hostnames everywhere. How about IPv6?
• Many of them will break with forged/malicious/faked DNS answers
• Dan Kaminsky in 2008 showed the protocol is flawed
• glibc + DNS, universal library + universal protocol bug
• Is DNSSEC the solution?
records)
• i.e. authentication + integrity of a zone's records with public key cryptography
• DNSSEC is based on trust anchors forming a hierarchical trust chain.
• ∀ zone ∃ 2 key pairs: key-signing-key (KSK) and zone-signing-key (ZSK)
DNSSEC RRs:
• RRSIG – resource record signatures
• DNSKEY – public keys (KSK and ZSK) for the zone
• DS – fingerprint of the public key, placed in the parent zone
• NSEC or NSEC3 – authenticated "not found" response
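To make the DNSKEY/DS relationship concrete, here is an added example (not code from the original slides or from the WEBDNS project) that computes the RFC 4034 key tag of a DNSKEY and the SHA-256 DS digest (digest type 2) that the parent zone publishes, and then checks a parent's DS against a child's DNSKEY. The owner name `example.gr.` and the key bytes are constructed placeholders, not real zone data.

```python
# Added example: key tag and DS digest for a DNSKEY, plus a parent-vs-child DS check.
# Sample owner name and key material are constructed; this is not a real key.
import hashlib


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key material."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) = SHA-256(owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes) -> tuple:
    """The (key tag, algorithm, digest type, digest) tuple the parent zone would publish."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


def ds_matches_dnskey(ds, owner: str, flags: int, algorithm: int, public_key: bytes) -> bool:
    """True when a SHA-256 DS from the parent corresponds to this child DNSKEY."""
    return tuple(ds) == ds_record(owner, flags, algorithm, public_key)


if __name__ == "__main__":
    KSK_FLAGS = 257  # zone key bit + SEP bit, i.e. a KSK
    key = bytes(range(1, 33))  # constructed placeholder key material
    print(ds_record("example.gr.", KSK_FLAGS, 13, key))
```

The check is the one a validating resolver performs when it walks down from the parent: the DS it already trusts must match the digest of the child's KSK before any RRSIG in the child zone is believed. Running the same comparison in your own monitoring catches a DS that was published for a KSK that has since been rolled.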
(public-private):
– KSK, will sign the ZSKs
– ZSK, signs every RR, producing RRSIGs
• Get the DS, the fingerprint of the KSK, to the parent zone, e.g. the gr zone (which is DNSSEC enabled)
Easy? Not quite…
• Mind the timers, RRSIG expiration, TTLs
• Also take care of key rollovers
• Find DNSSEC validating clients
• Handle(?) zone/RRSIG validation failure
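The "mind the timers" point deserves a worked check. The following is an added example (not from the original slides or the WEBDNS/dnsworker code) that parses an RRSIG in zone-file presentation format and classifies its validity window. It flags a signature as expiring when less than one original TTL plus a safety margin remains, because a resolver may keep serving a cached RRSIG for up to TTL seconds after fetching it, so the real deadline is earlier than the expiration field suggests. The sample record, its names and its signature bytes are constructed.

```python
# Added example: RRSIG validity-window check that accounts for TTL-cached copies.
# The sample RRSIG below is constructed (fake signature bytes), not real zone data.
from datetime import datetime, timezone


def parse_rrsig_time(ts: str) -> datetime:
    """RRSIG inception/expiration in presentation format: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG record in zone-file presentation format."""
    fields = line.split()
    # owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig...
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": fields[0],
        "ttl": int(fields[1]),
        "type_covered": fields[4],
        "algorithm": int(fields[5]),
        "labels": int(fields[6]),
        "original_ttl": int(fields[7]),
        "expiration": parse_rrsig_time(fields[8]),
        "inception": parse_rrsig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
        "signature": "".join(fields[12:]),
    }


def rrsig_status(rrsig: dict, now: datetime, margin_seconds: int = 3600) -> str:
    """Classify a signature relative to `now`, allowing for copies cached up to TTL."""
    if now < rrsig["inception"]:
        return "not_yet_valid"
    if now >= rrsig["expiration"]:
        return "expired"
    remaining = (rrsig["expiration"] - now).total_seconds()
    if remaining < rrsig["original_ttl"] + margin_seconds:
        return "expiring"
    return "valid"


# Constructed sample RRSIG over the A RRset of www.example.gr, signed with key tag 1296.
SAMPLE_RRSIG = (
    "www.example.gr. 3600 IN RRSIG A 13 3 3600 20240601000000 20240501000000 "
    "1296 example.gr. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
)

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    print(sig["owner"], sig["type_covered"], rrsig_status(sig, datetime.now(timezone.utc)))
```

Run this over `dig +dnssec` output or a signed zone file from cron and alert on anything other than `valid`; an `expiring` result means the signer (ods-signerd here) has not re-signed in time and validating resolvers will soon start returning SERVFAIL for the zone.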
capistrano
• https://repo.grnet.gr/diffusion/WEBDNS/
• Operates on the PowerDNS SQL database
• Resource management:
  – Super-admins
  – Users belong to one or more groups (assigned manually by super-admins)
  – A domain belongs to a single group
• Users authenticate with Shibboleth
• Creates jobs for dnsworker, domain/zone related actions
• One-click DNSSEC enable for a domain
• Notifications within a group
• API, pending
• Can expose private interfaces
Signature Policy, security params and timers
• ods-enforcerd, enforces the policy for each zone
• ods-signerd, crypto operations on the zone
• Provides a set of CLI utils to handle DNSSEC enabled zones (e.g. ods-ksmutil)
• Provides key rollover mechanisms (KSK, ZSK)
• Needs a MySQL database (key metadata, zones, policies)
• Uses PKCS#11 to access keys stored in a hardware security module. SoftHSM is the software alternative.
systemd service
• Deployed with fabric
• Operates on the ods box
• Interacts with the app (trigger_event, pull/push jobs)
• Interacts with opendnssec (wait_for_ready_to_push_ds)
• Interacts with bind (opendnssec_add, wait_for_active)
• Interacts with papaki API (publish_ds)
• ds-monitor, ds-schedule