Co-location • Online Backup • Domain Names • Universal Groupware

Schedule
- Recap: how DNS works
- What DNSSEC does
- How DNSSEC works
- How we implement it
- Why it's a bitch to configure.
Recap: how DNS works (resolving www.dexia.be)

End user → ISP resolver: "Let's go to www.dexia.be" (Q: www.dexia.be)
ISP resolver: "Where the f*#} is that?" → asks the root nameservers (Q: www.dexia.be)
Root nameservers: "Dunno. Ask .BE" → referral to the TLD nameservers for .BE
ISP resolver → .BE nameservers: Q: www.dexia.be
.BE nameservers: "Get lost. Ask Nucleus." → A: check with Nucleus (referral to ns1.nucleus.be)
ISP resolver → ns1.nucleus.be: Q: www.dexia.be
ns1.nucleus.be: "Here ya go." → A: 212.63.232.38
ISP resolver → end user: A: 212.63.232.38
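The referral chain above, written out as a small iterative resolver. This is an added example and not code from the deck or from Nucleus: the server addresses, the .be nameserver name and the delegation records are constructed for the demo; only the final answer 212.63.232.38 comes from the slide. What it shows is the thing DNSSEC was built to fix: each referral and the final answer are accepted because they arrived in a reply, nothing more.

```python
"""Iterative resolution of www.dexia.be as the slide walks through it.

Added example, not part of the original deck.  The three servers are
constructed stand-ins for a root server, a .be TLD server and ns1.nucleus.be;
every address and record below is made up for the demo except the final
answer 212.63.232.38, which is the one the slide shows.  Notice that the
resolver believes each referral and the answer simply because they arrived
in a reply; nothing here lets it check who really produced them.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    answer: dict = field(default_factory=dict)   # qname -> IPv4 address
    referral: tuple = None                        # (zone, nameserver, glue address)


# Constructed authoritative data, keyed by the address the resolver talks to.
AUTH_DATA = {
    "198.41.0.4":   {"delegations": {"be.": ("a.nsset.be.", "194.0.6.1")}, "records": {}},
    "194.0.6.1":    {"delegations": {"dexia.be.": ("ns1.nucleus.be.", "212.63.232.1")}, "records": {}},
    "212.63.232.1": {"delegations": {}, "records": {"www.dexia.be.": "212.63.232.38"}},
}
ROOT_HINT = "198.41.0.4"  # constructed root hint for the demo


def ask(server, qname):
    """What an authoritative server replies: an answer, a referral further down, or nothing."""
    data = AUTH_DATA[server]
    if qname in data["records"]:
        return Response(answer={qname: data["records"][qname]})
    # Longest-matching delegation wins, so the be. server only refers names under its own zone.
    for zone in sorted(data["delegations"], key=len, reverse=True):
        if qname == zone or qname.endswith("." + zone):
            ns, glue = data["delegations"][zone]
            return Response(referral=(zone, ns, glue))
    return Response()


def resolve(name, max_referrals=8):
    """Follow referrals from the root until an answer arrives; returns (address, servers asked)."""
    qname = name.lower() if name.endswith(".") else name.lower() + "."
    server, trace = ROOT_HINT, []
    for _ in range(max_referrals):
        reply = ask(server, qname)
        trace.append(server)
        if qname in reply.answer:
            return reply.answer[qname], trace
        if reply.referral is None:
            raise LookupError(f"{server} has neither an answer nor a referral for {qname}")
        _zone, _ns, server = reply.referral   # the glue address is trusted as-is
    raise LookupError("too many referrals")


if __name__ == "__main__":
    addr, trace = resolve("www.dexia.be")
    print(" -> ".join(trace), "=>", addr)
```

The `max_referrals` cap is the one defensive measure a plain resolver has: it stops a malicious or misconfigured delegation loop, but it cannot tell a forged referral from a genuine one.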
DNSSEC: DNS Security Extensions
Secures the DATA returned by nameservers: a resolver can check that a record really comes from the zone owner and was not altered on the way (signatures only, no encryption of queries or answers).
Created in 1997.
This must be magic?!
- Every resource record set (A, CNAME, TXT, MX, …) is signed; the signature is stored in an RRSIG record
- The public key used to verify it is published in the zone's DNSKEY record
- The parent zone publishes a hash of the child zone's key in a DS record, which links the child into the chain of trust
- Non-existence of a name or type is proven by signed NSEC3 records: a name that does not exist has nothing to sign, so the zone signs a statement of which names do not exist
Keys? Keys!
Public keys have to be rotated, so each zone uses two keys that can be rolled independently:
- Zone Signing Key (ZSK): signs the record sets in the zone
- Key Signing Key (KSK): signs the DNSKEY record set (which contains the ZSK) and is the key the parent zone points to with its DS record
Show me the money!

nucleus.eu: normal, unsigned zone

    $TTL 1D
    @           IN SOA  ns1.nucleus.be. dnsmaster.nucleus.be. (
                            2010073002 ; serial
                            1H         ; refresh
                            30M        ; retry
                            4W         ; expire
                            1D )       ; minimum
                IN NS   ns1.nucleus.be.
                IN NS   ns2.nucleus.be.
                IN NS   ns3.nucleus.be.
                IN NS   ns4.nucleus.be.
           3600 IN MX   10 asav01.bru.nucleus.be.
           3600 IN MX   10 asav02.ant.nucleus.be.
    nucleus.eu. 3600 IN A     188.93.153.72
    mail        3600 IN CNAME mail.nucleus.be.
    *           3600 IN CNAME nucleus.eu.
    www         3600 IN CNAME lin1.nucleus.be.
    blah        3600 IN CNAME www.nucleus.be.
Let's analyze. RRSIGs.

            3600 RRSIG A 8 2 3600 20101026151414 (
                            20101012141414 22506 nucleus.eu.
                            Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8f
                            JjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5
                            hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyIC
                            g/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5
                            XpEukb3aTPt6sbW7bpbmZVFzhSQ= )

3600: TTL of the RRSIG record itself
RRSIG: record type
A: type of the record set this signature covers
8: algorithm (RSA/SHA-256)
2: number of labels in the owner name of the signed record (2 = nucleus.eu., the zone apex; fewer labels than the name that was queried means the answer came from a wildcard)
3600: original TTL of the signed record
20101026151414: signature expiration (YYYYMMDDHHMMSS, UTC)
20101012141414: signature inception
22506: key tag of the DNSKEY that produced the signature
nucleus.eu.: signer's name, the zone whose DNSKEY record set holds that key
base64 blob: the signature itself
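The field breakdown above, and the DS/DNSKEY linkage from the "magic" and "keys" slides, as working checks. This is an added example and not code from the deck or from Nucleus. The RRSIG is the one analysed on the slide; its owner name nucleus.eu. is assumed from the label count of 2 and the apex A record in the zone. The DNSKEYs are constructed: their two "public key" bytes are chosen so the ZSK's key tag comes out at 22506 (the tag in the RRSIG), so the code checks every link a validator inspects before the RSA verification itself, which needs a real key and an RSA library and is not performed here.

```python
"""Link checks along the DNSSEC chain of trust (added example, not code from the deck).

Covers what a validator checks before it spends an RSA operation: the key tag
(RFC 4034 Appendix B), the DS digest the parent publishes over the child's
DNSKEY (RFC 4034 5.1.4, digest type 2 = SHA-256), the RRSIG fields, the
signature validity window and the label-count rule that exposes wildcard
answers (RFC 4035 5.3.1 and 5.3.4).  The RRSIG is the one on the slide; the
owner name nucleus.eu. is assumed from its label count.  The DNSKEYs are
constructed with two placeholder key bytes, so no RSA verification happens.
"""
import base64
import hashlib
from datetime import datetime, timezone


def wire_name(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (not a hash, only an index)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA), hex as in zone files."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def ds_matches(ds, owner, rdata):
    """ds = (key_tag, algorithm, digest_type, digest) as published by the parent zone."""
    tag, alg, dtype, digest = ds
    return (dtype == 2 and tag == key_tag(rdata) and alg == rdata[3]
            and digest.upper() == ds_digest(owner, rdata))


def dnssec_time(text):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Parse '<type> <alg> <labels> <orig ttl> <expiration> <inception> <tag> <signer> <sig ...>'."""
    f = text.split()
    return {
        "type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
        "original_ttl": int(f[3]), "expiration": dnssec_time(f[4]),
        "inception": dnssec_time(f[5]), "key_tag": int(f[6]), "signer": f[7].lower(),
        "signature": base64.b64decode("".join(f[8:])),
    }


def label_count(owner):
    return len([l for l in owner.lower().rstrip(".").split(".") if l])


def rrsig_problems(rrsig, owner, dnskey, signer_zone, now):
    """List the link checks that fail; an empty list means the RSA check is worth running."""
    problems = []
    if not (rrsig["inception"] <= now <= rrsig["expiration"]):
        problems.append("outside validity window")
    if rrsig["signer"] != signer_zone.lower():
        problems.append("signer name is not the zone apex")
    if rrsig["labels"] > label_count(owner):
        problems.append("labels field exceeds owner name labels")
    if rrsig["key_tag"] != key_tag(dnskey):
        problems.append("no DNSKEY with matching key tag")
    if rrsig["algorithm"] != dnskey[3]:
        problems.append("algorithm mismatch with DNSKEY")
    return problems


def is_wildcard_expansion(rrsig, owner):
    """Fewer labels in the RRSIG than in the owner name: a wildcard synthesised this answer."""
    return rrsig["labels"] < label_count(owner)


SLIDE_RRSIG = ("A 8 2 3600 20101026151414 20101012141414 22506 nucleus.eu. "
               "Oj465TVbJ/c1yieAzwOwLEh3qyRjmjr8+s8fJjseIRX4DiKj5sbS8dF/1mYwVyFRfXhqzrS5"
               "hRS/j3RMx7WKXs2x4PoR6HzUqyWVBtMosyICg/6tm9l3JsBjHHUwSS2b7Pe8aHLns1wb8eY5"
               "XpEukb3aTPt6sbW7bpbmZVFzhSQ=")
# Constructed ZSK (flags 256) with placeholder key bytes 0x53 0xE2, chosen so the key tag is 22506.
ZSK_RDATA = dnskey_rdata(256, 3, 8, b"\x53\xe2")
# Constructed KSK (flags 257 = SEP bit set); this is the key the parent's DS would point to.
KSK_RDATA = dnskey_rdata(257, 3, 8, b"\x53\xe2")

if __name__ == "__main__":
    sig = parse_rrsig(SLIDE_RRSIG)
    now = dnssec_time("20101020000000")
    print("ZSK key tag:", key_tag(ZSK_RDATA), "problems:", rrsig_problems(sig, "nucleus.eu.", ZSK_RDATA, "nucleus.eu.", now))
    print("DS for KSK:", key_tag(KSK_RDATA), 8, 2, ds_digest("nucleus.eu.", KSK_RDATA))
```

The key tag is only a lookup hint: two keys in a zone can share one, so a validator tries every DNSKEY with that tag and algorithm. The validity window is the operational trap the deck's last agenda item alludes to: the slide's signature dies on 2010-10-26, so a zone that is not re-signed before then fails validation outright.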