Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNSSEC v2

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Andreas Pfohl Andreas Pfohl
July 27, 2015
Technology
0
55

DNSSEC v2

My second talk about DNSSEC at the Netz39 hackerspace.

Avatar for Andreas Pfohl

Andreas Pfohl

July 27, 2015
Tweet

More Decks by Andreas Pfohl

See All by Andreas Pfohl
The Event Language
Avatar for Andreas Pfohl apfohl
0
570
Kore
Avatar for Andreas Pfohl apfohl
0
230
DNSSEC
Avatar for Andreas Pfohl apfohl
0
170
Domain Name System
Avatar for Andreas Pfohl apfohl
1
230
FreeBSD
Avatar for Andreas Pfohl apfohl
0
260

Other Decks in Technology

See All in Technology
Tebiki Engineering Team Deck
Avatar for Tebiki, Inc. tebiki
0
24k
Oracle Cloud Observability and Management Platform - OCI 運用監視サービス概要 -
Avatar for oracle4engineer oracle4engineer
PRO
2
14k
ZOZOにおけるAI活用の現在 ~開発組織全体での取り組みと試行錯誤~
Avatar for ZOZO Developers zozotech
PRO
5
4.9k
Amazon Bedrock Knowledge Basesチャンキング解説!
Avatar for 野口碧生 aoinoguchi
0
130
IaaS/SaaS管理における SREの実践 - SRE Kaigi 2026
Avatar for Shun bbqallstars
4
1.8k
Frontier Agents (Kiro autonomous agent / AWS Security Agent / AWS DevOps Agent) の紹介
Avatar for msysh msysh
3
160
コスト削減から「セキュリティと利便性」を担うプラットフォームへ
Avatar for SansanTech sansantech
PRO
3
1.4k
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
Avatar for Konishi tatsuhiro tatsukoni
0
210
Azure Durable Functions で作った NL2SQL Agent の精度向上に取り組んだ話/jat08
Avatar for TonyTonyKun thara0402
0
160
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
4
17k
Bill One急成長の舞台裏 開発組織が直面した失敗と教訓
Avatar for SansanTech sansantech
PRO
2
320
データ民主化のための LLM 活用状況と課題紹介(IVRy の場合)
Avatar for 和田 悠佑 wxyzzz
2
690

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
270
Building AI with AI
Avatar for Ines Montani inesmontani
PRO
1
690
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
Avatar for Ines Montani inesmontani
PRO
0
200
Money Talks: Using Revenue to Get Sh*t Done
Avatar for Nikki Halliwell nikkihalliwell
0
150
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
Digital Ethics as a Driver of Design Innovation
Avatar for Per Axbom axbom
PRO
1
170
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.1k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
410
WCS-LA-2024
Avatar for Leonardo Collado-Torres lcolladotor
0
450
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
96
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
21k

Transcript

  1. DNSSEC von Andreas Pfohl

  2. Überblick • Wiederholung DNS • Was ist DNSSEC? • Was

    kann ich mit DNSSEC machen? • Was sind die Probleme von DNSSEC? • Was muss ich tun, um DNSSEC zu nutzen?

  3. • Domain Name System • Namensauflösung • Zone Records DNS

  4. Namensauflösung - DNS www.netz39.de. 78.46.22.20

  5. Records - DNS netz39.de. A 78.46.22.20 netz39.de. MX 10 mail

    netz39.de. NS ns1.domain… mail A 78.46.22.20 www CNAME @

  6. DNSSEC • DNS Security Extensions • Authentizität • Integrität

  7. Man in the Middle - DNSSEC Client Nameserver Provider netz39.de.?

    netz39.de.? 78.46.22.20 17.142.160.59

  8. Key Man in the Middle - DNSSEC Client Nameserver Provider

    netz39.de.? netz39.de.? 78.46.22.20 + Signatur 17.142.160.59 + Signatur Key failed

  9. Schlüssel - DNSSEC • Public Key Cryptography • Zone-Signing-Key •

    Key-Signing-Key • Chain of Trust

  10. Chain of Trust - DNSSEC . ZSK DS com. KSK

    ZSK DS example.com. KSK ZSK Trust Anchor KSK KSK A

  11. Anwendungen • Sicherer Verbindungsaufbau • Mail Exchange • SSH Fingerprints

    • GnuPG Schlüssel • DANE

  12. Mail - Anwendungen • MX Record • Mailserver gehört zur

    Domain

  13. SSH - Anwendungen • SSHFP Record • Korrekte SSH-Keys •

    Überprüfung bei Verbindungsaufbau

  14. GnuPG - Anwendungen • OPENPGPKEY Record • Public-Keys im DNS

    • Domain-Verifizierung

  15. DANE - Anwendungen • DNS-based Auth. of Named Entities •

    TLSA Record • Fingerprints von Zertifikaten • Zertifikat gehört zu Server/Port

  16. Probleme • Denial of Service Angriffe • DNS Amplification Attacks

    • Zone Walking • Verifizierung

  17. Probleme • Root-Key von USA verwaltet • Hohe Fehlerrate bei

    Implementierung • Schwer zu verstehen • Alte Kryptographie

  18. Voraussetzungen • Registrar unterstützt DNSSEC • Registrar trägt DS-Records ein

    • Eigene Domain • Eigene Nameserver

  19. OwnDNS.io • Eigene Experimentier-Domain • [email protected] • Besseres Verständnis des

    DNS • Verbreitung von DNSSEC • Tutorials

  20. Workshop • September 2015 • Eigener Nameserver • Eigene Domain

    • DNSSEC

  21. Danke E-Mail: [email protected] Twitter: @andreaspfohl