Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNSSEC v2

Avatar for Andreas Pfohl Andreas Pfohl
July 27, 2015
Technology
0
55

DNSSEC v2

My second talk about DNSSEC at the Netz39 hackerspace.

Avatar for Andreas Pfohl

Andreas Pfohl

July 27, 2015
Tweet

More Decks by Andreas Pfohl

See All by Andreas Pfohl
The Event Language
Avatar for Andreas Pfohl apfohl
0
570
Kore
Avatar for Andreas Pfohl apfohl
0
230
DNSSEC
Avatar for Andreas Pfohl apfohl
0
170
Domain Name System
Avatar for Andreas Pfohl apfohl
1
230
FreeBSD
Avatar for Andreas Pfohl apfohl
0
260

Other Decks in Technology

See All in Technology
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
1
410
IaaS/SaaS管理における SREの実践 - SRE Kaigi 2026
Avatar for Shun bbqallstars
4
1.7k
セキュリティについて学ぶ会 / 2026 01 25 Takamatsu WordPress Meetup
Avatar for Rocket Martue rocketmartue
1
290
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
3.8k
顧客との商談議事録をみんなで読んで顧客解像度を上げよう
Avatar for shibayu36 shibayu36
0
170
2026年、サーバーレスの現在地 -「制約と戦う技術」から「当たり前の実行基盤」へ- /serverless2026
Avatar for Serverless Operations slsops
2
210
2人で作ったAIダッシュボードが、開発組織の次の一手を照らした話― Cursor × SpecKit × 可視化の実践 ― Qiita AI Summit
Avatar for NOBORU ITOU noalisaai
1
370
Azure Durable Functions で作った NL2SQL Agent の精度向上に取り組んだ話/jat08
Avatar for TonyTonyKun thara0402
0
140
学生・新卒・ジュニアから目指すSRE
Avatar for Hiroya Onoe hiroyaonoe
2
550
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
Avatar for adachi.ryo rvirus0817
1
1.2k
What happened to RubyGems and what can we learn?
Avatar for Mike McQuaid mikemcquaid
0
250
データの整合性を保ちたいだけなんだ
Avatar for ShoheiMitani shoheimitani
8
2.9k

Featured

See All Featured
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
187
22k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
46
2.7k
WCS-LA-2024
Avatar for Leonardo Collado-Torres lcolladotor
0
450
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
200
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
Avatar for UX Y'all uxyall
0
160
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
290
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
230
New Earth Scene 8
Avatar for Sydney Stone popppiees
1
1.5k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
408
66k
Accessibility Awareness
Avatar for Sarah Abderemane sabderemane
0
49
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
34k

Transcript

  1. DNSSEC von Andreas Pfohl

  2. Überblick • Wiederholung DNS • Was ist DNSSEC? • Was

    kann ich mit DNSSEC machen? • Was sind die Probleme von DNSSEC? • Was muss ich tun, um DNSSEC zu nutzen?

  3. • Domain Name System • Namensauflösung • Zone Records DNS

  4. Namensauflösung - DNS www.netz39.de. 78.46.22.20

  5. Records - DNS netz39.de. A 78.46.22.20 netz39.de. MX 10 mail

    netz39.de. NS ns1.domain… mail A 78.46.22.20 www CNAME @

  6. DNSSEC • DNS Security Extensions • Authentizität • Integrität

  7. Man in the Middle - DNSSEC Client Nameserver Provider netz39.de.?

    netz39.de.? 78.46.22.20 17.142.160.59

  8. Key Man in the Middle - DNSSEC Client Nameserver Provider

    netz39.de.? netz39.de.? 78.46.22.20 + Signatur 17.142.160.59 + Signatur Key failed

  9. Schlüssel - DNSSEC • Public Key Cryptography • Zone-Signing-Key •

    Key-Signing-Key • Chain of Trust

  10. Chain of Trust - DNSSEC . ZSK DS com. KSK

    ZSK DS example.com. KSK ZSK Trust Anchor KSK KSK A

  11. Anwendungen • Sicherer Verbindungsaufbau • Mail Exchange • SSH Fingerprints

    • GnuPG Schlüssel • DANE

  12. Mail - Anwendungen • MX Record • Mailserver gehört zur

    Domain

  13. SSH - Anwendungen • SSHFP Record • Korrekte SSH-Keys •

    Überprüfung bei Verbindungsaufbau

  14. GnuPG - Anwendungen • OPENPGPKEY Record • Public-Keys im DNS

    • Domain-Verifizierung

  15. DANE - Anwendungen • DNS-based Auth. of Named Entities •

    TLSA Record • Fingerprints von Zertifikaten • Zertifikat gehört zu Server/Port

  16. Probleme • Denial of Service Angriffe • DNS Amplification Attacks

    • Zone Walking • Verifizierung

  17. Probleme • Root-Key von USA verwaltet • Hohe Fehlerrate bei

    Implementierung • Schwer zu verstehen • Alte Kryptographie

  18. Voraussetzungen • Registrar unterstützt DNSSEC • Registrar trägt DS-Records ein

    • Eigene Domain • Eigene Nameserver

  19. OwnDNS.io • Eigene Experimentier-Domain • [email protected] • Besseres Verständnis des

    DNS • Verbreitung von DNSSEC • Tutorials

  20. Workshop • September 2015 • Eigener Nameserver • Eigene Domain

    • DNSSEC

  21. Danke E-Mail: [email protected] Twitter: @andreaspfohl