Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DNSSEC v2

Avatar for Andreas Pfohl Andreas Pfohl
July 27, 2015
Technology
0
55

DNSSEC v2

My second talk about DNSSEC at the Netz39 hackerspace.

Avatar for Andreas Pfohl

Andreas Pfohl

July 27, 2015
Tweet

More Decks by Andreas Pfohl

See All by Andreas Pfohl
The Event Language
Avatar for Andreas Pfohl apfohl
0
570
Kore
Avatar for Andreas Pfohl apfohl
0
230
DNSSEC
Avatar for Andreas Pfohl apfohl
0
170
Domain Name System
Avatar for Andreas Pfohl apfohl
1
230
FreeBSD
Avatar for Andreas Pfohl apfohl
0
260

Other Decks in Technology

See All in Technology
Bedrock PolicyでAmazon Bedrock Guardrails利用を強制してみた
Avatar for Yudai Jinno yuu551
0
180
Deno・Bunの標準機能やElysiaJSを使ったWebSocketサーバー実装 / ラーメン屋を貸し切ってLT会! IoTLT 2026新年会
Avatar for you(@youtoy) you
PRO
0
300
10Xにおける品質保証活動の全体像と改善 #no_more_wait_for_test
Avatar for nihonbuson nihonbuson
PRO
2
230
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
Avatar for Masataka Tsukamoto tsukaman
0
120
AIエージェントを開発しよう!-AgentCore活用の勘所-
Avatar for YukiOgawa yukiogawa
0
100
2人で作ったAIダッシュボードが、開発組織の次の一手を照らした話― Cursor × SpecKit × 可視化の実践 ― Qiita AI Summit
Avatar for NOBORU ITOU noalisaai
1
380
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
3.8k
インフラエンジニア必見!Kubernetesを用いたクラウドネイティブ設計ポイント大全
Avatar for 高棹大樹 daitak
0
340
今日から始める Amazon Bedrock AgentCore
Avatar for Har1101 har1101
4
400
ClickHouseはどのように大規模データを活用したAIエージェントを全社展開しているのか
Avatar for Miki Matsumoto mikimatsumoto
0
210
usermode linux without MMU - fosdem2026 kernel devroom
Avatar for Hajime Tazaki thehajime
0
230
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
Avatar for Sansan, Inc. sansan33
PRO
0
3k

Featured

See All Featured
Designing for Performance
Avatar for Lara Hogan lara
610
70k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
47
7.9k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
Lightning talk: Run Django tests with GitHub Actions
Avatar for Sarah Abderemane sabderemane
0
110
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
0
320
Design in an AI World
Avatar for tapps tapps
0
140
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
57
14k
How to build an LLM SEO readiness audit: a practical framework
Avatar for Nick Samuel nmsamuel
1
640
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
0
350
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
54k
Done Done
Avatar for chrislema chrislema
186
16k

Transcript

  1. DNSSEC von Andreas Pfohl

  2. Überblick • Wiederholung DNS • Was ist DNSSEC? • Was

    kann ich mit DNSSEC machen? • Was sind die Probleme von DNSSEC? • Was muss ich tun, um DNSSEC zu nutzen?

  3. • Domain Name System • Namensauflösung • Zone Records DNS

  4. Namensauflösung - DNS www.netz39.de. 78.46.22.20

  5. Records - DNS netz39.de. A 78.46.22.20 netz39.de. MX 10 mail

    netz39.de. NS ns1.domain… mail A 78.46.22.20 www CNAME @

  6. DNSSEC • DNS Security Extensions • Authentizität • Integrität

  7. Man in the Middle - DNSSEC Client Nameserver Provider netz39.de.?

    netz39.de.? 78.46.22.20 17.142.160.59

  8. Key Man in the Middle - DNSSEC Client Nameserver Provider

    netz39.de.? netz39.de.? 78.46.22.20 + Signatur 17.142.160.59 + Signatur Key failed

  9. Schlüssel - DNSSEC • Public Key Cryptography • Zone-Signing-Key •

    Key-Signing-Key • Chain of Trust

  10. Chain of Trust - DNSSEC . ZSK DS com. KSK

    ZSK DS example.com. KSK ZSK Trust Anchor KSK KSK A

  11. Anwendungen • Sicherer Verbindungsaufbau • Mail Exchange • SSH Fingerprints

    • GnuPG Schlüssel • DANE

  12. Mail - Anwendungen • MX Record • Mailserver gehört zur

    Domain

  13. SSH - Anwendungen • SSHFP Record • Korrekte SSH-Keys •

    Überprüfung bei Verbindungsaufbau

  14. GnuPG - Anwendungen • OPENPGPKEY Record • Public-Keys im DNS

    • Domain-Verifizierung

  15. DANE - Anwendungen • DNS-based Auth. of Named Entities •

    TLSA Record • Fingerprints von Zertifikaten • Zertifikat gehört zu Server/Port

  16. Probleme • Denial of Service Angriffe • DNS Amplification Attacks

    • Zone Walking • Verifizierung

  17. Probleme • Root-Key von USA verwaltet • Hohe Fehlerrate bei

    Implementierung • Schwer zu verstehen • Alte Kryptographie

  18. Voraussetzungen • Registrar unterstützt DNSSEC • Registrar trägt DS-Records ein

    • Eigene Domain • Eigene Nameserver

  19. OwnDNS.io • Eigene Experimentier-Domain • [email protected] • Besseres Verständnis des

    DNS • Verbreitung von DNSSEC • Tutorials

  20. Workshop • September 2015 • Eigener Nameserver • Eigene Domain

    • DNSSEC

  21. Danke E-Mail: [email protected] Twitter: @andreaspfohl