Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNSSEC v2

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Andreas Pfohl Andreas Pfohl
July 27, 2015
Technology
0
55

DNSSEC v2

My second talk about DNSSEC at the Netz39 hackerspace.

Avatar for Andreas Pfohl

Andreas Pfohl

July 27, 2015
Tweet

More Decks by Andreas Pfohl

See All by Andreas Pfohl
The Event Language
Avatar for Andreas Pfohl apfohl
0
570
Kore
Avatar for Andreas Pfohl apfohl
0
230
DNSSEC
Avatar for Andreas Pfohl apfohl
0
170
Domain Name System
Avatar for Andreas Pfohl apfohl
1
230
FreeBSD
Avatar for Andreas Pfohl apfohl
0
260

Other Decks in Technology

See All in Technology
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
Avatar for みのるん minorun365
4
180
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
6.8k
MCPでつなぐElasticsearchとLLM - 深夜の障害対応を楽にしたい / Bridging Elasticsearch and LLMs with MCP
Avatar for Sashimimochi sashimimochi
0
150
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
Avatar for kekke-n kekke_n
1
380
20260208_第66回 コンピュータビジョン勉強会
Avatar for KeiichiIto1978 keiichiito1978
0
110
Webhook best practices for rock solid and resilient deployments
Avatar for Guillaume Laforge glaforge
1
280
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
Avatar for 小笠原理久 riku_423
2
530
20260204_Midosuji_Tech
Avatar for Takuya Yonezawa takuyay0ne
1
140
予期せぬコストの急増を障害のように扱う――「コスト版ポストモーテム」の導入とその後の改善
Avatar for Masahiro Yoshizawa muziyoshiz
1
1.8k
All About Sansan – for New Global Engineers
Avatar for Sansan, Inc. sansan33
PRO
1
1.3k
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
Avatar for GENDA genda
3
1.2k
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
1
430

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
666
130k
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
290
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
74
5k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.2M
Between Models and Reality
Avatar for mayunak mayunak
1
180
Accessibility Awareness
Avatar for Sarah Abderemane sabderemane
0
51
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
110
What’s in a name? Adding method to the madness
Avatar for The Alliance productmarketing
PRO
24
3.9k
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
110
Building the Perfect Custom Keyboard
Avatar for Naoto Takai takai
2
680
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
2
250

Transcript

  1. DNSSEC von Andreas Pfohl

  2. Überblick • Wiederholung DNS • Was ist DNSSEC? • Was

    kann ich mit DNSSEC machen? • Was sind die Probleme von DNSSEC? • Was muss ich tun, um DNSSEC zu nutzen?

  3. • Domain Name System • Namensauflösung • Zone Records DNS

  4. Namensauflösung - DNS www.netz39.de. 78.46.22.20

  5. Records - DNS netz39.de. A 78.46.22.20 netz39.de. MX 10 mail

    netz39.de. NS ns1.domain… mail A 78.46.22.20 www CNAME @

  6. DNSSEC • DNS Security Extensions • Authentizität • Integrität

  7. Man in the Middle - DNSSEC Client Nameserver Provider netz39.de.?

    netz39.de.? 78.46.22.20 17.142.160.59

  8. Key Man in the Middle - DNSSEC Client Nameserver Provider

    netz39.de.? netz39.de.? 78.46.22.20 + Signatur 17.142.160.59 + Signatur Key failed

  9. Schlüssel - DNSSEC • Public Key Cryptography • Zone-Signing-Key •

    Key-Signing-Key • Chain of Trust

  10. Chain of Trust - DNSSEC . ZSK DS com. KSK

    ZSK DS example.com. KSK ZSK Trust Anchor KSK KSK A

  11. Anwendungen • Sicherer Verbindungsaufbau • Mail Exchange • SSH Fingerprints

    • GnuPG Schlüssel • DANE

  12. Mail - Anwendungen • MX Record • Mailserver gehört zur

    Domain

  13. SSH - Anwendungen • SSHFP Record • Korrekte SSH-Keys •

    Überprüfung bei Verbindungsaufbau

  14. GnuPG - Anwendungen • OPENPGPKEY Record • Public-Keys im DNS

    • Domain-Verifizierung

  15. DANE - Anwendungen • DNS-based Auth. of Named Entities •

    TLSA Record • Fingerprints von Zertifikaten • Zertifikat gehört zu Server/Port

  16. Probleme • Denial of Service Angriffe • DNS Amplification Attacks

    • Zone Walking • Verifizierung

  17. Probleme • Root-Key von USA verwaltet • Hohe Fehlerrate bei

    Implementierung • Schwer zu verstehen • Alte Kryptographie

  18. Voraussetzungen • Registrar unterstützt DNSSEC • Registrar trägt DS-Records ein

    • Eigene Domain • Eigene Nameserver

  19. OwnDNS.io • Eigene Experimentier-Domain • [email protected] • Besseres Verständnis des

    DNS • Verbreitung von DNSSEC • Tutorials

  20. Workshop • September 2015 • Eigener Nameserver • Eigene Domain

    • DNSSEC

  21. Danke E-Mail: [email protected] Twitter: @andreaspfohl