DNS has issues.
- No guarantee that you're talking to an authentic name server.
  Me -> Q: "What's the IP for www.google.com?"
  Evil ISP Server -> A: 1.0.0.1
DNS has more issues.
- DNS responses can be tampered with in flight.
  Me -> Q: "What's the IP for www.google.com?"
  DNS Nameserver -> A: "74.125.135.147"
  Evil ISP Server -> A: "74.125.135.148"
But how??
- "digitally signing records for DNS lookup using public-key cryptography"
- "authenticated via a chain of trust"
- "you trust the root, then use the root to verify the rest of the chain"
Setup for domain owners.
- Generate your own public/private key pair.
- Upload the public key to your registrar.
- The registrar pushes the keys via secDNS to the zone operator (e.g. Verisign for .com).
- The zone operator signs and publishes them in DNS.
What if my registrar/root doesn't do DNSSEC?
- DNSSEC Lookaside Validation (DLV)
- Internet Systems Consortium DLV Registry
- An additional entry point (besides the root zone) to obtain DNSSEC validation information.
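The chain of trust on the previous slides works because each parent zone publishes a DS record that is a hash of the child's key-signing DNSKEY, and a resolver's trust anchor (the root key, or a DLV entry, which has the same DS-shaped format) is simply the top of that chain. The following is an added example, not code from the deck: it implements the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest, builds a constructed `.` -> `com.` -> `example.com.` chain from placeholder key bytes, and shows that swapping the leaf key breaks the walk. RRSIG signature verification is deliberately left out; only the DS-to-DNSKEY hash link is checked.

```python
"""DNSSEC chain-of-trust linkage: a parent's DS record (or a configured trust
anchor, which has the same shape) must match the child's DNSKEY.
Added example for this deck, not code from the slides; all key bytes are
constructed placeholders, not real keys. RRSIG verification is out of scope:
only the DS <-> DNSKEY hash link and the key tag are implemented here."""
import hashlib
import hmac
import struct

SHA256_DIGEST_TYPE = 2  # DS digest type for SHA-256 (RFC 4509)
KSK_FLAGS = 257         # Zone Key + Secure Entry Point bits set


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS RDATA as a tuple: (key tag, algorithm, digest type, digest).
    Digest = SHA-256(owner name in wire form || DNSKEY RDATA) per RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest)


def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True if the DS published by the parent authenticates this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype != SHA256_DIGEST_TYPE:
        return False  # only SHA-256 DS records are handled in this example
    expected = ds_record(owner, rdata)
    return (tag, alg) == expected[:2] and hmac.compare_digest(digest, expected[3])


def validate_chain(trust_anchor: tuple, chain: list) -> bool:
    """Walk from the trust anchor downward. `chain` is a list of
    (owner, dnskey_rdata, ds_for_child) from the top zone to the leaf; the
    last entry's ds_for_child is None. Each zone's KSK must match the DS its
    parent published: that is what "use the root to verify the rest of the
    chain" means in practice."""
    expected_ds = trust_anchor
    for owner, rdata, child_ds in chain:
        if expected_ds is None or not ds_matches(expected_ds, owner, rdata):
            return False
        expected_ds = child_ds
    return True


def build_demo_chain() -> tuple:
    """Constructed three-level chain: . -> com. -> example.com. (placeholder keys)."""
    root_key = dnskey_rdata(KSK_FLAGS, 8, b"ROOT-KSK-PLACEHOLDER-BYTES")
    com_key = dnskey_rdata(KSK_FLAGS, 8, b"COM-KSK-PLACEHOLDER-BYTES")
    example_key = dnskey_rdata(KSK_FLAGS, 8, b"EXAMPLE-KSK-PLACEHOLDER-BYTES")
    trust_anchor = ds_record(".", root_key)  # what the resolver is configured with
    chain = [
        (".", root_key, ds_record("com.", com_key)),                # root publishes DS for com.
        ("com.", com_key, ds_record("example.com.", example_key)),  # com. publishes DS for example.com.
        ("example.com.", example_key, None),
    ]
    return trust_anchor, chain


def demo() -> tuple:
    """Returns (genuine chain validates, chain with a substituted leaf key validates)."""
    anchor, chain = build_demo_chain()
    owner, _, _ = chain[-1]
    substituted_key = dnskey_rdata(KSK_FLAGS, 8, b"SUBSTITUTED-KEY-PLACEHOLDER-BYTES")
    tampered_chain = chain[:-1] + [(owner, substituted_key, None)]
    return validate_chain(anchor, chain), validate_chain(anchor, tampered_chain)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of `demo()` is the second value: a resolver that holds only the root trust anchor still rejects a substituted leaf key, because the DS the parent published no longer hashes to it. A DLV trust anchor plugs into `validate_chain` the same way, as the `trust_anchor` argument for a subtree whose parent does not publish DS records.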
What are we doing?
- Generate and verify the DNSSEC root key.
- Generate and verify the DLV key.
- Add the keys into the BIND configuration.
- Enable DNSSEC in the BIND configuration:
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
Setup BIND
- Make sure it only listens to YOU!
    listen-on { 127.0.0.1; };
- Run BIND as a daemon:
    sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist
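The two configuration slides above boil down to a checklist: listen only on loopback, and turn validation on. Below is an added example (not from the deck) that audits the `options {}` block of a `named.conf` fragment for exactly those settings, with a constructed weak configuration beside a constructed hardened one. It is a text-level check rather than a full BIND config parser, so it expects simple, conventionally formatted statements. Two caveats on the deck's own lines: ISC shut down the DLV registry in 2017, so `dnssec-lookaside` no longer does anything useful, and recent BIND releases deprecate `dnssec-enable`; on a current BIND, `dnssec-validation auto;` uses the built-in root trust anchor and replaces both the DLV entry and the manual root-key steps.

```python
"""Audit the options{} block of a named.conf for the two things the deck
asks for: listen only on loopback, and DNSSEC validation enabled.
Added example, not from the slides; the config texts below are constructed.
It is a text-level check, not a parser, so keep it to simple named.conf."""
import re

# Constructed: a weak configuration that listens everywhere and does not validate.
WEAK_CONF = """
options {
    listen-on { any; };
    dnssec-enable no;
    dnssec-validation no;
};
"""

# Constructed: the configuration the deck ends up with.
HARDENED_CONF = """
options {
    listen-on { 127.0.0.1; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def setting(conf: str, name: str):
    """Value of a single-token statement such as `dnssec-validation yes;`, or None."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([^;{]+?)\s*;", conf)
    return m.group(1) if m else None


def listen_addrs(conf: str, directive: str):
    """Address list of `listen-on { ...; };` (or listen-on-v6), or None if absent."""
    pattern = r"(?<![\w-])" + re.escape(directive) + r"\s*(?:port\s+\d+\s*)?\{([^}]*)\}"
    m = re.search(pattern, conf)
    if not m:
        return None
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def audit(conf: str) -> list:
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    for directive in ("listen-on", "listen-on-v6"):
        addrs = listen_addrs(conf, directive)
        if addrs is None:
            # BIND binds all IPv4 interfaces when listen-on is absent; an absent
            # listen-on-v6 is not flagged here because older BIND defaulted it to none.
            if directive == "listen-on":
                findings.append("listen-on missing: BIND listens on all IPv4 interfaces by default")
            continue
        exposed = [a for a in addrs if a not in LOOPBACK]
        if exposed:
            findings.append(f"{directive} is not loopback-only: {exposed}")
    # dnssec-enable defaults to yes in BIND 9.5+, so only an explicit "no" is flagged.
    if setting(conf, "dnssec-enable") == "no":
        findings.append("dnssec-enable is explicitly no")
    # "auto" uses BIND's built-in root trust anchor; anything else is a finding.
    if setting(conf, "dnssec-validation") not in ("yes", "auto"):
        findings.append("dnssec-validation is not yes/auto: responses are not validated")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Run it against the fragment you are about to load; an empty list for the hardened text and three findings for the weak one is the expected result. Checking the file before `launchctl load` is cheaper than discovering after the fact that the resolver was bound to every interface.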