Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DNSSEC and Bind
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Chinmay Pendharkar
May 21, 2014
Technology
1
160
DNSSEC and Bind
Basics of DNS and DNSSEC. Setting up Bind locally.
Chinmay Pendharkar
May 21, 2014
Tweet
Share
More Decks by Chinmay Pendharkar
See All by Chinmay Pendharkar
Audio Fundamentals - Pd
notthetup
0
98
Garageband And Podcasting
notthetup
0
64
Audio Fundamentals - HTML5 Audio
notthetup
0
120
Audio Fundamentals - Oscillators
notthetup
0
62
Audio Fundamentals - Basics
notthetup
0
120
Robots and Pi
notthetup
2
120
Auralization of road vehicles using spectral modeling synthesis
notthetup
0
210
What I’ve learnt about Environmental Sound Design
notthetup
0
240
Audio Editing with Audacity
notthetup
0
70
Other Decks in Technology
See All in Technology
JuliaTokaiとしてはこれが最後かもしれない(仮) for NGK2026S
antimon2
0
130
Databricks Free Edition講座 データサイエンス編
taka_aki
0
230
一番人に近いコードレビューア CodeRabbit
kinopeee
0
110
日本語テキストと音楽の対照学習の技術とその応用
lycorptech_jp
PRO
1
350
開発メンバーが語るFindy Conferenceの裏側とこれから
sontixyou
2
320
人はいかにして 確率的な挙動を 受け入れていくのか
vaaaaanquish
4
3k
AI開発の落とし穴 〜馬には乗ってみよAIには添うてみよ〜
sansantech
PRO
10
5k
ゼロから始めたFindy初のモバイルアプリ開発
grandbig
2
400
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
6.8k
ドメイン駆動セキュリティへの道しるべ
pandayumi
0
180
サイボウズ 開発本部採用ピッチ / Cybozu Engineer Recruit
cybozuinsideout
PRO
10
72k
Mosaic AI Gatewayでコーディングエージェントを配るための運用Tips / JEDAI 2026 新春 Meetup! AIコーディング特集
genda
0
120
Featured
See All Featured
How to make the Groovebox
asonas
2
1.9k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
122
21k
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.1k
HDC tutorial
michielstock
1
330
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.1k
Building AI with AI
inesmontani
PRO
1
660
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.2k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
0
1.1k
Testing 201, or: Great Expectations
jmmastey
46
8k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.7k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
130
Imperfection Machines: The Place of Print at Facebook
scottboms
269
14k
Transcript
DNSSEC + Bind Chinmay Pendharkar
Disclaimer - Crypto Noob! - Developer ==> Please correct me
if I’m wrong!
What shall we talk about? - DNS - DNSSEC
What is DNS? - Domain Name System - Translate URLs
to IP Addresses (and more) www.google.com => 74.125.135.147
Why? Humans like letter addresses (URLs) - www.google.com Computers prefers
numbers - 74.125.135.147
How does it work?
No really... - UDP - User Datagram Protocol (mostly) -
Me - Q: “What’s the IP for www.google.com” - DNS - A: “74.125.135.147”
In Action
Actual Response
Who is this DNS you speak of?
Nameservers!
Iterative query + Caching
Everything is AWESOME! NOT SO FAST!!!
DNS has issues. - No guarantee that you’re talking to
a authentic name server - Me - Q: “What’s the IP for www.google.com” - Evil ISP Server - A: 1.0.0.1
How? Send a request generally in the direction of the
assigned DNS name server. Anyone in between can respond to that query!!
DNS has more issues DNS Responses can be tampered with
in flight. - Me - Q: “What’s the IP for www.google.com” - DNS Nameserver - A: “74.125.135.147” - Evil ISP Server - A: “74.125.135.148”
DNSSEC to the Rescue Domain Name System Security Extensions “provide
origin authentication, authenticated denial of existence, and data integrity”
But how?? “digitally signing records for DNS lookup using public-key
cryptography” “authenticated via a chain of trust” “you trust the root, then use the root to verify the rest of the chain”
None
Example Requesting IP of bursar.university.edu
Setup for Domain owners. - generate own public/private key pair.
- upload public key to registrar, - registrar pushes the keys via secDNS to the zone operator (e.g.: Verisign for .com) - zone operator signs and publishes them in DNS.
What if my registrar/root doesn’t DNSSEC? - DNSSEC Lookaside Validation
- Internet Systems Consortium DLV Registry. - an additional entry point (besides the root zone) to obtain DNSSEC validation information
How can I use this stuff? We need. 1. A
Name server that speaks DNSSEC 2. All clients speak DNSSEC
#2
What can we do? Run our own Name server!
But but but... HTTP Stack -> Local Name server (DNS)
Local Name server Server -> DNS (DNSSEC)
Introducing... BIND - Berkeley Internet Name Domain - Default Name
server software used by many
Get bound? http://www.bind9.net/ Your favourite package manager should have it
apt-get bind9; pacman -S bind9 port install bind9
Configure bind - Linux : http://haller.ws/projects/bind/dnssec/ - OSX: https://gist.github. com/notthetup/5381693
- Win: http://alex.charrett.com/bind-on-windows
What are we doing? - Generate and verify DNSSEC root
key - Generate and verify DLV key - Add the keys into bind configuration - Enable DNSSEC in bind configuration dnssec-enable yes; dnssec-validation yes; dnssec-lookaside "." trust-anchor dlv.isc.org.;
Setup Bind Make sure it only listens to YOU! listen-on
{ 127.0.0.1; }; Run Bind as a Daemon. sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist
Use Bind Use Bind as your default DNS Server instead.
Now you can haz DNSSEC
Has it worked out? - No noticeable delay in queries.
- No noticeable increase in CPU usage. - Rare domains don’t work (yimg/yahoo WTH??)
Go get your DNS SEC today!
notthetup
antimon2
taka_aki
kinopeee
lycorptech_jp
.jpeg){kind=avatar}
sontixyou
vaaaaanquish
sansantech
grandbig
weblyzard
pandayumi
cybozuinsideout
genda
asonas
panda_program
ivargrimstad
michielstock
aleyda
inesmontani
kevinliebholz
jmmastey
marktimemedia
dugsong
scottboms
