Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNSSEC v2

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Andreas Pfohl Andreas Pfohl
July 27, 2015
Technology
0
58

DNSSEC v2

My second talk about DNSSEC at the Netz39 hackerspace.

Avatar for Andreas Pfohl

Andreas Pfohl

July 27, 2015
Tweet

More Decks by Andreas Pfohl

See All by Andreas Pfohl
The Event Language
Avatar for Andreas Pfohl apfohl
0
570
Kore
Avatar for Andreas Pfohl apfohl
0
230
DNSSEC
Avatar for Andreas Pfohl apfohl
0
180
Domain Name System
Avatar for Andreas Pfohl apfohl
1
230
FreeBSD
Avatar for Andreas Pfohl apfohl
0
260

Other Decks in Technology

See All in Technology
ReactのdangerouslySetInnerHTMLは“dangerously”だから危険 / Security.any #09 卒業したいセキュリティLT
Avatar for GMO Flatt Security flatt_security
0
350
社内レビューは機能しているのか
Avatar for Jun Matsuba matsuba
0
160
Lambda Web AdapterでLambdaをWEBフレームワーク利用する
Avatar for arakawsh sahou909
0
180
Claude Code のコード品質がばらつくので AI に品質保証させる仕組みを作った話 / A story about building a mechanism to have AI ensure quality, because the code quality from Claude Code was inconsistent
Avatar for nrs nrslib
13
8.7k
Tebiki Engineering Team Deck
Avatar for Tebiki, Inc. tebiki
0
27k
Windows ファイル共有(SMB)を再確認する
Avatar for Murachi Akira murachiakira
PRO
0
200
NewSQL_ ストレージ分離と分散合意を用いたスケーラブルアーキテクチャ
Avatar for hacomono Inc. hacomono
PRO
4
410
中央集権型を脱却した話 分散型をやめて、連邦型にたどり着くまで
Avatar for SansanTech sansantech
PRO
1
110
Google系サービスで文字起こしから勝手にカレンダーを埋めるエージェントを作った話
Avatar for RisaTube risatube
0
200
新規事業×QAの挑戦:不確実性を乗りこなす!フェーズごとに求められるQAの役割変革
Avatar for hacomono Inc. hacomono
PRO
0
130
わからなくて良いなら、わからなきゃだめなの?
Avatar for kota oue kotaoue
1
370
フロントエンド刷新 4年間の軌跡
Avatar for nus3 yotahada3
0
510

Featured

See All Featured
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
2.5k
The SEO identity crisis: Don't let AI make you average
Avatar for Varn varn
0
420
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
230
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
330
40k
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
90
<Decoding/> the Language of Devs - We Love SEO 2024
Avatar for Nikki Halliwell nikkihalliwell
1
160
The #1 spot is gone: here's how to win anyway
Avatar for Tamara Novitovic tamaranovitovic
2
990
Conquering PDFs: document understanding beyond plain text
Avatar for Ines Montani inesmontani
PRO
4
2.5k
The Illustrated Guide to Node.js - THAT Conference 2024
Avatar for David Neal reverentgeek
1
310
Designing for Performance
Avatar for Lara Hogan lara
611
70k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
290
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.2k

Transcript

  1. DNSSEC von Andreas Pfohl

  2. Überblick • Wiederholung DNS • Was ist DNSSEC? • Was

    kann ich mit DNSSEC machen? • Was sind die Probleme von DNSSEC? • Was muss ich tun, um DNSSEC zu nutzen?

  3. • Domain Name System • Namensauflösung • Zone Records DNS

  4. Namensauflösung - DNS www.netz39.de. 78.46.22.20

  5. Records - DNS netz39.de. A 78.46.22.20 netz39.de. MX 10 mail

    netz39.de. NS ns1.domain… mail A 78.46.22.20 www CNAME @

  6. DNSSEC • DNS Security Extensions • Authentizität • Integrität

  7. Man in the Middle - DNSSEC Client Nameserver Provider netz39.de.?

    netz39.de.? 78.46.22.20 17.142.160.59

  8. Key Man in the Middle - DNSSEC Client Nameserver Provider

    netz39.de.? netz39.de.? 78.46.22.20 + Signatur 17.142.160.59 + Signatur Key failed

  9. Schlüssel - DNSSEC • Public Key Cryptography • Zone-Signing-Key •

    Key-Signing-Key • Chain of Trust

  10. Chain of Trust - DNSSEC . ZSK DS com. KSK

    ZSK DS example.com. KSK ZSK Trust Anchor KSK KSK A

  11. Anwendungen • Sicherer Verbindungsaufbau • Mail Exchange • SSH Fingerprints

    • GnuPG Schlüssel • DANE

  12. Mail - Anwendungen • MX Record • Mailserver gehört zur

    Domain

  13. SSH - Anwendungen • SSHFP Record • Korrekte SSH-Keys •

    Überprüfung bei Verbindungsaufbau

  14. GnuPG - Anwendungen • OPENPGPKEY Record • Public-Keys im DNS

    • Domain-Verifizierung

  15. DANE - Anwendungen • DNS-based Auth. of Named Entities •

    TLSA Record • Fingerprints von Zertifikaten • Zertifikat gehört zu Server/Port

  16. Probleme • Denial of Service Angriffe • DNS Amplification Attacks

    • Zone Walking • Verifizierung

  17. Probleme • Root-Key von USA verwaltet • Hohe Fehlerrate bei

    Implementierung • Schwer zu verstehen • Alte Kryptographie

  18. Voraussetzungen • Registrar unterstützt DNSSEC • Registrar trägt DS-Records ein

    • Eigene Domain • Eigene Nameserver

  19. OwnDNS.io • Eigene Experimentier-Domain • [email protected] • Besseres Verständnis des

    DNS • Verbreitung von DNSSEC • Tutorials

  20. Workshop • September 2015 • Eigener Nameserver • Eigene Domain

    • DNSSEC

  21. Danke E-Mail: [email protected] Twitter: @andreaspfohl