Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DNSSEC and Bind
Search
Chinmay Pendharkar
May 21, 2014
Technology
1
140
DNSSEC and Bind
Basics of DNS and DNSSEC. Setting up Bind locally.
Chinmay Pendharkar
May 21, 2014
Tweet
Share
More Decks by Chinmay Pendharkar
See All by Chinmay Pendharkar
Audio Fundamentals - Pd
notthetup
0
77
Garageband And Podcasting
notthetup
0
51
Audio Fundamentals - HTML5 Audio
notthetup
0
100
Audio Fundamentals - Oscillators
notthetup
0
49
Audio Fundamentals - Basics
notthetup
0
100
Robots and Pi
notthetup
2
120
Auralization of road vehicles using spectral modeling synthesis
notthetup
0
180
What I’ve learnt about Environmental Sound Design
notthetup
0
220
Audio Editing with Audacity
notthetup
0
57
Other Decks in Technology
See All in Technology
CDKコード品質UP!ナイスな自作コンストラクタを作るための便利インターフェース
harukasakihara
2
230
モニタリング統一への道のり - 分散モニタリングツール統合のためのオブザーバビリティプロジェクト
niftycorp
PRO
1
520
cdk initで生成されるあのファイル達は何なのか/cdk-init-generated-files
tomoki10
1
670
Rethinking Incident Response: Context-Aware AI in Practice
rrreeeyyy
2
940
AIでテストプロセス自動化に挑戦する
sakatakazunori
1
530
IPA&AWSダブル全冠が明かす、人生を変えた勉強法のすべて
iwamot
PRO
2
230
AWS CDK 入門ガイド これだけは知っておきたいヒント集
anank
5
750
united airlines ™®️ USA Contact Numbers: Complete 2025 Support Guide
flyunitedhelp
1
470
How to Quickly Call American Airlines®️ U.S. Customer Care : Full Guide
flyaahelpguide
0
240
Amplify Gen2から知るAWS CDK Toolkit Libraryの使い方/How to use the AWS CDK Toolkit Library as known from Amplify Gen2
fossamagna
1
350
Figma Dev Mode MCP Serverを用いたUI開発
zoothezoo
0
230
安定した基盤システムのためのライブラリ選定
kakehashi
PRO
3
130
Featured
See All Featured
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Building Applications with DynamoDB
mza
95
6.5k
The Language of Interfaces
destraynor
158
25k
How to Ace a Technical Interview
jacobian
278
23k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.5k
Practical Orchestrator
shlominoach
189
11k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Code Reviewing Like a Champion
maltzj
524
40k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Transcript
DNSSEC + Bind Chinmay Pendharkar
Disclaimer - Crypto Noob! - Developer ==> Please correct me
if I’m wrong!
What shall we talk about? - DNS - DNSSEC
What is DNS? - Domain Name System - Translate URLs
to IP Addresses (and more) www.google.com => 74.125.135.147
Why? Humans like letter addresses (URLs) - www.google.com Computers prefers
numbers - 74.125.135.147
How does it work?
No really... - UDP - User Datagram Protocol (mostly) -
Me - Q: “What’s the IP for www.google.com” - DNS - A: “74.125.135.147”
In Action
Actual Response
Who is this DNS you speak of?
Nameservers!
Iterative query + Caching
Everything is AWESOME! NOT SO FAST!!!
DNS has issues. - No guarantee that you’re talking to
a authentic name server - Me - Q: “What’s the IP for www.google.com” - Evil ISP Server - A: 1.0.0.1
How? Send a request generally in the direction of the
assigned DNS name server. Anyone in between can respond to that query!!
DNS has more issues DNS Responses can be tampered with
in flight. - Me - Q: “What’s the IP for www.google.com” - DNS Nameserver - A: “74.125.135.147” - Evil ISP Server - A: “74.125.135.148”
DNSSEC to the Rescue Domain Name System Security Extensions “provide
origin authentication, authenticated denial of existence, and data integrity”
But how?? “digitally signing records for DNS lookup using public-key
cryptography” “authenticated via a chain of trust” “you trust the root, then use the root to verify the rest of the chain”
None
Example Requesting IP of bursar.university.edu
Setup for Domain owners. - generate own public/private key pair.
- upload public key to registrar, - registrar pushes the keys via secDNS to the zone operator (e.g.: Verisign for .com) - zone operator signs and publishes them in DNS.
What if my registrar/root doesn’t DNSSEC? - DNSSEC Lookaside Validation
- Internet Systems Consortium DLV Registry. - an additional entry point (besides the root zone) to obtain DNSSEC validation information
How can I use this stuff? We need. 1. A
Name server that speaks DNSSEC 2. All clients speak DNSSEC
#2
What can we do? Run our own Name server!
But but but... HTTP Stack -> Local Name server (DNS)
Local Name server Server -> DNS (DNSSEC)
Introducing... BIND - Berkeley Internet Name Domain - Default Name
server software used by many
Get bound? http://www.bind9.net/ Your favourite package manager should have it
apt-get bind9; pacman -S bind9 port install bind9
Configure bind - Linux : http://haller.ws/projects/bind/dnssec/ - OSX: https://gist.github. com/notthetup/5381693
- Win: http://alex.charrett.com/bind-on-windows
What are we doing? - Generate and verify DNSSEC root
key - Generate and verify DLV key - Add the keys into bind configuration - Enable DNSSEC in bind configuration dnssec-enable yes; dnssec-validation yes; dnssec-lookaside "." trust-anchor dlv.isc.org.;
Setup Bind Make sure it only listens to YOU! listen-on
{ 127.0.0.1; }; Run Bind as a Daemon. sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist
Use Bind Use Bind as your default DNS Server instead.
Now you can haz DNSSEC
Has it worked out? - No noticeable delay in queries.
- No noticeable increase in CPU usage. - Rare domains don’t work (yimg/yahoo WTH??)
Go get your DNS SEC today!