DNSSEC and Bind
Chinmay Pendharkar
May 21, 2014
Basics of DNS and DNSSEC. Setting up Bind locally.
Transcript
DNSSEC + Bind
Chinmay Pendharkar

Disclaimer
- Crypto Noob!
- Developer
==> Please correct me if I’m wrong!

What shall we talk about?
- DNS
- DNSSEC

What is DNS?
- Domain Name System
- Translate URLs to IP Addresses (and more)
www.google.com => 74.125.135.147

Why?
- Humans like letter addresses (URLs): www.google.com
- Computers prefer numbers: 74.125.135.147

How does it work?

No really...
- UDP - User Datagram Protocol (mostly)
- Me - Q: “What’s the IP for www.google.com”
- DNS - A: “74.125.135.147”

In Action

Actual Response

Who is this DNS you speak of?
Nameservers!

Iterative query + Caching

Everything is AWESOME!
NOT SO FAST!!!

DNS has issues.
- No guarantee that you’re talking to an authentic name server
- Me - Q: “What’s the IP for www.google.com”
- Evil ISP Server - A: 1.0.0.1

How?
Send a request generally in the direction of the assigned DNS name server.
Anyone in between can respond to that query!!

DNS has more issues
DNS Responses can be tampered with in flight.
- Me - Q: “What’s the IP for www.google.com”
- DNS Nameserver - A: “74.125.135.147”
- Evil ISP Server - A: “74.125.135.148”

DNSSEC to the Rescue
Domain Name System Security Extensions
“provide origin authentication, authenticated denial of existence, and data integrity”

But how??
- “digitally signing records for DNS lookup using public-key cryptography”
- “authenticated via a chain of trust”
- “you trust the root, then use the root to verify the rest of the chain”

Example
Requesting IP of bursar.university.edu

Setup for Domain owners.
- generate own public/private key pair.
- upload public key to registrar,
- registrar pushes the keys via secDNS to the zone operator (e.g.: Verisign for .com)
- zone operator signs and publishes them in DNS.

What if my registrar/root doesn’t DNSSEC?
- DNSSEC Lookaside Validation
- Internet Systems Consortium DLV Registry.
- an additional entry point (besides the root zone) to obtain DNSSEC validation information

How can I use this stuff?
We need:
1. A Name server that speaks DNSSEC
2. All clients speak DNSSEC

#2

What can we do?
Run our own Name server!

But but but...
HTTP Stack -> Local Name server (DNS)
Local Name Server -> DNS (DNSSEC)

Introducing... BIND
- Berkeley Internet Name Domain
- Default Name server software used by many

Get bound?
http://www.bind9.net/
Your favourite package manager should have it
apt-get install bind9
pacman -S bind9
port install bind9

Configure bind
- Linux: http://haller.ws/projects/bind/dnssec/
- OSX: https://gist.github.com/notthetup/5381693
- Win: http://alex.charrett.com/bind-on-windows

What are we doing?
- Generate and verify DNSSEC root key
- Generate and verify DLV key
- Add the keys into bind configuration
- Enable DNSSEC in bind configuration
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside "." trust-anchor dlv.isc.org.;

Setup Bind
Make sure it only listens to YOU!
listen-on { 127.0.0.1; };
Run Bind as a Daemon.
sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist

Use Bind
Use Bind as your default DNS Server instead.
Now you can haz DNSSEC
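
One way to check that the local resolver is actually validating, as an added example that is not part of the original deck: the query sets the EDNS0 DO bit, and a validating resolver sets the AD flag on answers it has verified. The sample responses are constructed headers, and 127.0.0.1:53 is assumed from the listen-on setting above.

```python
import secrets
import socket
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query for `name` with an EDNS0 OPT record that sets the DO (DNSSEC OK) bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # class IN
    # OPT pseudo-record: root name, type 41, class = UDP size, TTL field carries DO (0x8000).
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    """Pull out the header bits that matter for DNSSEC validation status."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"txid": txid, "response": bool(flags & 0x8000),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def verdict(msg: bytes, expected_txid: int = 0x1234) -> str:
    h = parse_header(msg)
    if not h["response"] or h["txid"] != expected_txid:
        return "ignored"      # not an answer to our query
    if h["rcode"] == 2:
        return "servfail"     # validating resolvers answer SERVFAIL when validation fails
    return "validated" if h["ad"] else "unvalidated"

def ask(name: str, server: str = "127.0.0.1") -> str:
    """Send the query to the local BIND (assumed to listen on 127.0.0.1:53)."""
    txid = secrets.randbelow(1 << 16)  # unpredictable ID per query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, txid=txid), (server, 53))
        return verdict(s.recvfrom(4096)[0], txid)

# Constructed 12-byte response headers (no live lookup): they differ only in AD / RCODE.
SIGNED_OK = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, msg in [("signed", SIGNED_OK), ("unsigned", UNSIGNED), ("bogus", BOGUS)]:
        print(label, "->", verdict(msg))
```

ISC retired the dlv.isc.org lookaside registry in 2017, so on current BIND releases validation starts from the root trust anchor alone.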

Has it worked out?
- No noticeable delay in queries.
- No noticeable increase in CPU usage.
- Rare domains don’t work (yimg/yahoo WTH??)

Go get your DNS SEC today!