DNSSEC

Kyle Rankin

Director of Engineering Operations

Artemis Internet, Inc.


http://greenfly.org/talks/devops/dnssec.html

Agenda

How DNS Works

Tracing a Recursive Query

  1. ns1.someisp.com to root: www.greenfly.org?
  2. root to ns1.someisp.com: I don't know, ask a org nameserver. Here are their addresses...
  3. ns1.someisp.com to org: www.greenfly.org?
  4. org to ns1.someisp.com: No clue, but ns1.greenfly.org and ns2.greenfly.org know about it. Here are their addresses...
  5. ns1.someisp.com to ns2.greenfly.org: www.greenfly.org?
  6. ns2.greenfly.org to ns1.someisp.com: 64.142.56.172
  7. ns1.someisp.com to OS: 64.142.56.172
  8. OS to browser: 64.142.56.172

DNS Security Issues

DNSSEC Addresses

How DNSSEC Works

Trust graph for www.google.com

DNSSEC Terminology

New DNSSEC Record Types:

DNSSEC Look-aside Validation

Trust graph for www.greenfly.org

Implementing DNSSEC

Implementing DNSSEC Continued

Sample DNSSEC Query Result

$ dig +dnssec www.greenfly.org

; <<>> DiG 9.8.1-P1 <<>> +dnssec www.greenfly.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13093
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.greenfly.org.              IN      A

;; ANSWER SECTION:
www.greenfly.org.       900     IN      A       64.142.56.172
www.greenfly.org.       900     IN      RRSIG   A 5 3 900 20130523213855 20130423213855 58317 greenfly.org. cZS1G2Jj3FNB0UrU4W+LbpCJlvVa+3yos1ni5V0pct4x4lWvXGQNoh1G /uFFJ62YRYXskL/c17wiAEIqsJ0O/wzek5KFWAoiJ3zW051l9c/8KPGF 7LzmEumdAVM2MmrPVu+PKGfilPlfofjwJLbgVhyYqepbbD8xv3bmg0Np YnM=

;; AUTHORITY SECTION:
greenfly.org.           900     IN      NS      ns2.greenfly.org.
greenfly.org.           900     IN      NS      ns1.greenfly.org.
greenfly.org.           900     IN      RRSIG   NS 5 2 900 20130523213855 20130423213855 58317 greenfly.org. d/7E3iCxzS/qBSOl/x7m/yMMqbl5mUGH7tVw/j7U/qyC7D9YZJIXNp3J uU8vueo09cZf+yjwHusdWDWgdW8mkAVoGR5K/azoY4o2xRBvt8Z5pf3a BqmNIHzROZkf6BOrx6Nqv65npSGoNLQBoEc90FvDFe/N5I27LBTIxCv4 3UQ=

;; ADDITIONAL SECTION:
ns1.greenfly.org.       900     IN      A       64.142.56.172
ns2.greenfly.org.       900     IN      A       75.101.46.232
ns1.greenfly.org.       900     IN      RRSIG   A 5 3 900 20130523213855 20130423213855 58317 greenfly.org. VDeJSlfEYRwHkjRnCvmDXFHneG3Fhw15mCSALT8m8fOtQkMroI8t0qu3 K8Tdt4q8/t1JYucpwQbpjsR3f+rmJc0t4L7HSVA/1LHajOqA+Wn2XH8L Rp01qVkeBIZ7g+K7LY2XRU3DGSzbeFUKrViqtakbTQxZ9o3Oj6ZqL0Pv 0nQ=
ns2.greenfly.org.       900     IN      RRSIG   A 5 3 900 20130523213855 20130423213855 58317 greenfly.org. dUU/6bbc6sHoSl+e2uGwoEXLMGyr4Qaedk3E74ArnUOb4VViBd3CxvGF SPG2QK3AggDv8z3+9Wm6NA11oTFcuIGnbBarxDQIrbERHFfcSQaekvSR UcSSD7wft9YO7UTIiQrc8LkItXZAKd72Gy1ZP4mhhLxwwOIhlHshQ9d2 uTY=

;; Query time: 196 msec
;; SERVER: 64.142.56.172#53(64.142.56.172)
;; WHEN: Fri Apr 26 16:13:22 2013
;; MSG SIZE  rcvd: 817

Current DNSSEC Adoption

DANE

Questions?

Additional Resources