
DNSSEC with web DNS at GRNET NOC


This presentation introduces GRNET NOC's new webdns software and setup, which handles DNSSEC.

Alexandros Afentoulis

May 13, 2016


Transcript

1. Shiny new webdns + DNSSEC

Contents:
• Why care?
• DNSSEC primer
• Setup overview
• Roles
• Web interface
• OpenDNSSEC
• dnsworker
2. Why care?

• DNS was created back in the days of innocence(?), like lots of other internet things
• Protocol designed without security in mind, and without UDP packets larger than 512 bytes
• Lots of stuff relies on DNS, hostnames everywhere. How about IPv6?
• Many of them will break with forged/malicious/faked DNS answers
• Dan Kaminsky in 2008 showed the protocol is flawed (cache poisoning)
• glibc + DNS: universal library + universal protocol = universal bug (the February 2016 getaddrinfo() stack-based buffer overflow, CVE-2015-7547)
• Is DNSSEC the solution?
3. DNSSEC primer

• DNSSEC == digital signatures for RRs (resource records), i.e. authentication + integrity of a zone's records with public key cryptography (no confidentiality: the data still travels in the clear)
• DNSSEC is based on trust anchors (in practice the root KSK) forming a hierarchical chain of trust: each parent vouches for its children's keys
• ∀ zone ∃ 2 key pairs (by convention; a single combined key is also permitted): key-signing key (KSK) and zone-signing key (ZSK)
DNSSEC RRs:
• RRSIG – resource record signatures, one per RRset per signing algorithm
• DNSKEY – public keys (KSK and ZSK) for the zone
• DS – digest (hash) of the KSK DNSKEY record, placed in the parent zone; this is the link in the chain
• NSEC or NSEC3 – signed "not found" (authenticated denial of existence) responses, so an NXDOMAIN cannot be forged either
4. How to DNSSEC a zone

• Create 2 key pairs (public-private):
  – KSK, will sign the DNSKEY RRset (i.e. the ZSKs)
  – ZSK, signs every RRset, producing RRSIGs
• Get the DS (digest of the KSK) into the parent zone, e.g. .gr (which is DNSSEC enabled), via the registrar
Easy? Not quite…
• Mind the timers: RRSIG inception/expiration, TTLs, re-signing interval; an expired RRSIG makes the zone bogus for every validating resolver
• Also take care of key rollovers (ZSK rolls are local, KSK rolls need a new DS at the parent)
• Find out which clients/resolvers actually validate
• Handle(?) zone/RRSIG validation failures: a validating resolver answers SERVFAIL, so a DNSSEC mistake looks like an outage to users
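Two of the "not quite easy" steps above in code, as an added example (not code from the GRNET webdns or dnsworker project): deriving the DS record for the parent from a KSK DNSKEY (key tag per RFC 4034 Appendix B, digest over the canonical owner name plus the DNSKEY RDATA), and a timer check that flags an RRSIG before it expires out from under copies still sitting in resolver caches. Python standard library only. The DNSKEY is a constructed toy key (four bytes of key material, base64 `AQIDBA==`) so the key tag can be checked by hand; `max_ttl` and `refresh_margin` are assumed operator inputs, not values from the page.

```python
"""DS generation and RRSIG timer check (added example, not GRNET code)."""
import base64
import hashlib
from datetime import datetime, timezone

# DS digest types (IANA registry): digest type -> hash constructor
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# DNSKEY flag bits: 0x0100 = Zone Key, 0x0001 = SEP (marks a KSK)
KSK_FLAGS = 0x0101


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels,
    terminated by the root label. "Example.GR" and "example.gr." are the same."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with carry folded in.
    For the toy RDATA 01 01 03 0d 01 02 03 04 this is 2068."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """DS record (RFC 4034 s5.1.4): digest over owner name + DNSKEY RDATA.
    Hashing the owner name too binds the key to the zone, so a DS for
    example.gr does not validate the same DNSKEY published under another name."""
    if (flags & KSK_FLAGS) != KSK_FLAGS:
        # Only the KSK's DS goes to the parent; a ZSK (flags 256) here is a mistake
        raise ValueError("DS must be derived from a KSK (flags 257), got %d" % flags)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s. IN DS %d %d %d %s" % (
        owner.lower().rstrip("."), key_tag(rdata), algorithm, digest_type, digest)


RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG inception/expiration presentation format, UTC


def rrsig_status(expiration: str, inception: str, now: datetime,
                 max_ttl: int, refresh_margin: int) -> str:
    """Classify an RRSIG's timers. Besides 'expired' there is a danger zone: a
    resolver may keep the RRset and its RRSIG cached for up to max_ttl seconds,
    and the signer needs refresh_margin seconds to get a fresh signature out,
    so a healthy RRSIG must stay valid for at least max_ttl + refresh_margin."""
    exp = datetime.strptime(expiration, RRSIG_TIME).replace(tzinfo=timezone.utc)
    inc = datetime.strptime(inception, RRSIG_TIME).replace(tzinfo=timezone.utc)
    if now < inc:
        return "not-yet-valid"   # signer clock ahead of the resolver's; backdate inception
    if now >= exp:
        return "expired"         # validating resolvers now answer SERVFAIL for this zone
    remaining = (exp - now).total_seconds()
    if remaining < max_ttl + refresh_margin:
        return "expiring"        # re-sign now, or cached copies outlive the signature
    return "ok"


if __name__ == "__main__":
    # Constructed toy KSK for example.gr: flags 257 (ZONE|SEP), protocol 3,
    # algorithm 13 (ECDSAP256SHA256). Real key material is far longer.
    print(make_ds("example.gr", 257, 3, 13, "AQIDBA=="))
    # Constructed RRSIG timers, checked as of 2016-05-13 12:00 UTC with a 1h max
    # TTL and a 2h re-signing margin
    now = datetime(2016, 5, 13, 12, 0, 0, tzinfo=timezone.utc)
    print(rrsig_status("20160514100000", "20160506100000", now, 3600, 7200))
    print(rrsig_status("20160513140000", "20160506100000", now, 3600, 7200))
```

Compare the DS line this prints against what the parent actually publishes (e.g. `dig DS example.gr` against a .gr server) and against DNSViz: a key tag or digest mismatch there is exactly the broken-chain failure slide 4 warns about.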
5. Roles

• The "app" role
  – Web interface (ShibSP, Apache, Unicorn, Rails)
  – PowerDNS
  – App database
• The "ods" role
  – OpenDNSSEC daemons + SoftHSM
  – Ods database
  – Bind
  – dnsworker
6. Web app

• Ruby on Rails + bootstrap, deployed with capistrano
• https://repo.grnet.gr/diffusion/WEBDNS/
• Operates on the PowerDNS SQL database
• Resource management:
  – Super-admins
  – Users belong to one or more groups (assigned manually by super-admins)
  – A domain belongs to a single group
• Users authenticate with Shibboleth
• Creates jobs for dnsworker (domain/zone related actions)
• Enabling DNSSEC for a domain is one click away
• Notifications within a group
• API, pending
• Can expose private interfaces
7. OpenDNSSEC

• Free software for DNSSEC
• KASP, Key and Signature Policy: security parameters (algorithms, key sizes, lifetimes) and timers
• ods-enforcerd, enforces the policy for each zone (key generation, publication, rollover)
• ods-signerd, crypto operations on the zone (signing, NSEC/NSEC3 chain)
• Provides a set of CLI utils to handle DNSSEC-enabled zones (e.g. ods-ksmutil)
• Provides key rollover mechanisms (KSK, ZSK)
• Needs a database (MySQL here) for key metadata, zones, policies
• Uses PKCS #11 to access keys stored in a hardware security module; SoftHSM is the software alternative (the keys then live in a file store on the host, protected only by the token PIN and the box's own access controls)
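The policy the enforcer applies per zone is defined in kasp.xml. The excerpt below is an added illustration of how the timers from slide 4 show up as policy, with assumed values; it is not GRNET's policy file. Element names follow the OpenDNSSEC 1.4 kasp.xml schema and durations are ISO 8601; the SoftHSM repository name is assumed.

```xml
<KASP>
  <Policy name="webdns-default">
    <Description>Illustrative policy: values are assumptions, not GRNET's</Description>
    <Signatures>
      <Resign>PT2H</Resign>                      <!-- how often the signer revisits the zone -->
      <Refresh>P3D</Refresh>                     <!-- re-sign an RRSIG this long before it expires -->
      <Validity>
        <Default>P14D</Default>                  <!-- RRSIG lifetime; must exceed Refresh + max TTL -->
        <Denial>P14D</Denial>                    <!-- same, for NSEC/NSEC3 signatures -->
      </Validity>
      <Jitter>PT12H</Jitter>                     <!-- spread expirations so RRSIGs don't all expire together -->
      <InceptionOffset>PT3600S</InceptionOffset> <!-- backdate inception to tolerate resolver clock skew -->
    </Signatures>
    <Denial>
      <NSEC3>
        <Resalt>P100D</Resalt>
        <Hash><Algorithm>1</Algorithm><Iterations>5</Iterations><Salt length="8"/></Hash>
      </NSEC3>
    </Denial>
    <Keys>
      <TTL>PT3600S</TTL>                         <!-- DNSKEY RRset TTL; feeds the rollover timing -->
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>   <!-- RSASHA256 -->
        <Lifetime>P1Y</Lifetime>                 <!-- a KSK roll needs a new DS at the parent -->
        <Repository>SoftHSM</Repository>
        <ManualRollover/>                        <!-- do not roll until the new DS is seen in .gr -->
      </KSK>
      <ZSK>
        <Algorithm length="2048">8</Algorithm>   <!-- 1.4 defaulted to 1024-bit RSA; prefer 2048 -->
        <Lifetime>P30D</Lifetime>                <!-- ZSK rolls are local: no parent involved -->
        <Repository>SoftHSM</Repository>
      </ZSK>
    </Keys>
    <Zone>
      <PropagationDelay>PT9999S</PropagationDelay> <!-- time for all our authoritatives to pick up a change -->
      <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum><Serial>unixtime</Serial></SOA>
    </Zone>
    <Parent>
      <PropagationDelay>PT9999S</PropagationDelay> <!-- time for .gr to publish our new DS -->
      <DS><TTL>PT3600S</TTL></DS>
      <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum></SOA>
    </Parent>
  </Policy>
</KASP>
```

The enforcer derives every rollover step from these values, so the Parent and Zone propagation delays and TTLs have to be honest: understate them and the enforcer retires a key while resolvers can still hold RRSIGs made with it, which is the validation failure slide 4 calls out.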
8. dnsworker (the glue)

• Set of ruby and python scripts/libs, systemd service
• Deployed with fabric
• Operates on the ods box
• Interacts with the app (trigger_event, pull/push jobs)
• Interacts with opendnssec (wait_for_ready_to_push_ds: poll until the enforcer has a KSK ready for DS publication)
• Interacts with bind (opendnssec_add, wait_for_active)
• Interacts with papaki API (publish_ds)
• ds-monitor, ds-schedule
9. Please gimme moar

• https://blog.cloudflare.com/what-happened-next-the-deprecation-of-any/
• http://blog.apnic.net/2016/04/04/dns-zombies/
• Dan Kaminsky, DNS cache poisoning: https://youtu.be/7Pp72gUYx00
• https://www.dnsv6lab.net/2016/02/03/DNS-at-FOSDEM/
• https://dankaminsky.com/2016/02/20/skeleton
• http://scoreboard.verisignlabs.com/
• http://stats.labs.apnic.net/dnssec
• http://dnssec-debugger.verisignlabs.com/edet.gr
• http://dnsviz.net/d/edet.gr/dnssec/