m451.de. 86400  SOA  ns.inwx.de.          # Start Of Authority
                     hostmaster.m451.de.  # Mail-Adresse (hostmaster@m451.de)
                     2018090901           # Seriennummer
                     10800                # refresh
                     3600                 # retry
                     604800               # expire
                     3600                 # Minimum (TTL für negative Antworten)
m451.de. 86400  NS   ns.inwx.de.          # Nameserver
m451.de. 86400  NS   ns2.inwx.de.         # Nameserver
m451.de. 3600   IN A 185.11.138.5
m451.de. 3600   MX   100 mail.ideas-in-logic.de.
                    
                
NS für www.m451.de -> x.root-servers.net?: ".de -> NS a.nic.de"
NS für www.m451.de -> a.nic.de?: "m451.de -> NS ns.inwx.de"
A für www.m451.de -> ns.inwx.de?: "www.m451.de -> IN A 185.11.138.5"
                
                 
                
> delv +vtrace +mtrace A www.m451.de
;; fetch: www.m451.de/A
;; received packet from 192.168.1.4#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  10286
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1252
;; QUESTION SECTION:
;www.m451.de.			IN	A
;; ANSWER SECTION:
;www.m451.de.		2796	IN	A	185.11.138.5
;www.m451.de.		2796	IN	RRSIG	A 13 3 3600 (
;						20180922125042 20180908112042 13461 m451.de.
;						FwYUGXWl6ThYkFBWH4z3fSyMO3yv
;						O0HGRhb/tWYmCqxMsLQKVLAqfLX+
;						r1DTmueRHs+WCvmA0UCN15CfySmf
;						Wg== )
;; validating www.m451.de/A: starting
;; validating www.m451.de/A: attempting positive response validation
;; fetch: m451.de/DNSKEY
;; received packet from 192.168.1.4#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  26443
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1252
;; QUESTION SECTION:
;m451.de.			IN	DNSKEY
;; ANSWER SECTION:
;m451.de.		83644	IN	DNSKEY	257 3 13 (
;						rr05gqdmgNBHZ40bBIMR9VocgwBF
;						CZcgrCR7Gb87Y4YeIHDty8/IYVbr
;						xAytrCuc8VG85Rc9Kjq+hDSjpc6f
;						Qw==
;						) ; KSK; alg = ECDSAP256SHA256 ; key id = 16944
;m451.de.		83644	IN	DNSKEY	256 3 13 (
;						0dNuGSiNHq66qU8s2Rf+Iiv5+/t+
;						aJE3tupLEbHqRZTHT4vIyhStGIrF
;						XOZRiXpt2bZuQOnsFazmyb5hxMVn
;						1A==
;						) ; ZSK; alg = ECDSAP256SHA256 ; key id = 13461
;m451.de.		83644	IN	RRSIG	DNSKEY 13 2 86400 (
;						20180922135042 20180908122042 16944 m451.de.
;						smH5bxe/ifa7xkTAIZrxkUrSKXdF
;						262xL+YS/jtalQhxEQAeYIZ+sJyg
;						0bWLO6Tg56TMz/TSRMEiL+FLOV+y
;						fA== )
;; validating m451.de/DNSKEY: starting
;; validating m451.de/DNSKEY: attempting positive response validation
;; fetch: m451.de/DS
;; received packet from 192.168.1.4#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  50609
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1252
;; QUESTION SECTION:
;m451.de.			IN	DS
;; ANSWER SECTION:
;m451.de.		83644	IN	DS	16944 13 2 (
;						CFFEF6FB4C83737E5B5F2DE77FA8
;						40149E09BD2721DE0F72EDB0C946
;						9DC20CAE )
;m451.de.		83644	IN	RRSIG	DS 8 2 86400 (
;						20180918200125 20180911200125 33364 de.
;						GDDxfC969C9VMleiJYQ6xi4TBJXo
;						C/m9kZ3qGqXXGoLbq/F6eG0dyjb2
;						oXuzssfTRK/jxfvWpvvU9I1RA9ry
;						lbgz4ZsTp+GpHCRcu4Qm5whYRNjG
;						zauoJ/pNYIDi0ziEgwTAV01Pve6S
;						8SLktYaEsk/XKtXrgeASfo2vF28C
;						RZg= )
;; validating m451.de/DS: starting
;; validating m451.de/DS: attempting positive response validation
;; fetch: de/DNSKEY
;; received packet from 192.168.1.4#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   3899
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1252
;; QUESTION SECTION:
;de.				IN	DNSKEY
;; ANSWER SECTION:
;de.			4314	IN	DNSKEY	257 3 8 (
;						AwEAAaZEsxM26e8MgLuWsLAeRd7B
;						zNdJjvhfGbqQ1xxtYd4TPPqYr7Qc
;						K9Em18VyYEnjqXOqVWBuOhCWnrij
;						P5GiumIliap+LerHjTk3QCgim1qv
;						w3k7UFOgwMe8yOl7hghG8Nbgw6Un
;						VfmUD71TaGSwj1C5EO2guiXZkFPU
;						p2UzmUmoe5EWwtzCni7L0RDl5MaR
;						VhjUBEkPrAVI603GDTuwtRKZLTiy
;						fc3Qmq/u83/6Knxot5pHp3reRcsp
;						0vk2G+RQubgDKsmaXCql4mPzR911
;						Di68vwbBfSyLZ0EOwVkrO7VJgr/R
;						JJ37JlydfQfGmQ3Dkvw1h8ifZhRC
;						8oOkv8ynUXM=
;						) ; KSK; alg = RSASHA256 ; key id = 39227
;de.			4314	IN	DNSKEY	256 3 8 (
;						AwEAAbg/JmxwVhcxVUCgUIIywYIB
;						rDpEgSeFIL9xwU7XmJgcgsF6/t0c
;						LLnUydK/e/dam2pDyllUqaCZFRf9
;						qagYmgMIoZbvAylIcUqjjv7PjXLs
;						aWC/Ir3ioXFEAUzXfNlsSOeyf3eS
;						wz+DEOafc8+iwuPl5l3V2onV34Q8
;						x3i2CSlj
;						) ; ZSK; alg = RSASHA256 ; key id = 33364
;de.			4314	IN	RRSIG	DNSKEY 8 1 7200 (
;						20180927120000 20180906120000 39227 de.
;						J5ATKKj37fEkKUsJVcsZGgZGa4ec
;						nrTx5MYcq1OgBTuPXY4l83YTq7vy
;						onUlLw+QU0hR4HnbPf4wz875VpgT
;						NZaS8MpzgSfnZFoVrGQiHOLkIHzU
;						7Penf1NhEDip/R6UkvHiS/x747iD
;						WjOc9MwV0XDDzngNftd5iyxfmAnB
;						Pbjah5aX56C0+Wov1WXDXjnbOtop
;						pbACwy3j40/hTcaHnNgRoE7K/c2n
;						hwiHn9skSMxwlB1EsUcHa/Jvflba
;						u5Jcqp0IlYEqwQt/BrtWFiTLOc2K
;						G7/mmSc2Kv5//4odTL6jBIjT0Oi0
;						/cYD1oOiRTJpHgd08OqcOEuVvls+
;						sXFNZA== )
;; validating de/DNSKEY: starting
;; validating de/DNSKEY: attempting positive response validation
;; fetch: de/DS
;; received packet from 192.168.1.4#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  47427
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1252
;; QUESTION SECTION:
;de.				IN	DS
;; ANSWER SECTION:
;de.			83507	IN	DS	39227 8 2 (
;						AAB73083B9EF70E4A5E94769A418
;						AC12E887FC3C0875EF206C3451DC
;						40B6C4FA )
;de.			83507	IN	RRSIG	DS 8 1 86400 (
;						20180924190000 20180911180000 41656 .
;						QOoEXnZGx6/uVqle8BODQWPhwb+b
;						MT3SNTGRSWNc54JDkwsRilPfF29E
;						zqyL7KDzoKdQ+nF063SHDf+PrOkh
;						wgprZ2XGj+yp2FSiWiu2LfjkiOJ2
;						DLFzO4niUSvQTX/Px3RG/ctYLMuf
;						7PK3KtkN1h8FeN1/j7QrJZiFnqYp
;						/fdgh8CREY5vkzNPdBOcBqdmvO9e
;						se2NXWUlIf1KD+iqE3a5Gh7+OYI0
;						VCXiywB1sFSpIU8CKsDBcxCeRF7k
;						XkRHbLqMWPaQQeod+NARo4xQsi+D
;						3SoShqi3zbkRLSnFbCxH1caLVBqI
;						MOxybsb4quyi3zVDmkmhrnYxWLbn
;						9wLe+w== )
;; validating de/DS: starting
;; validating de/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; received packet from 192.168.1.4#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   5555
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1252
;; QUESTION SECTION:
;.				IN	DNSKEY
;; ANSWER SECTION:
;.			169897	IN	DNSKEY	257 3 8 (
;						AwEAAaz/tAm8yTn4Mfeh5eyI96WS
;						VexTBAvkMgJzkKTOiW1vkIbzxeF3
;						+/4RgWOq7HrxRixHlFlExOLAJr5e
;						mLvN7SWXgnLh4+B5xQlNVz8Og8kv
;						ArMtNROxVQuCaSnIDdD5LKyWbRd2
;						n9WGe2R8PzgCmr3EgVLrjyBxWezF
;						0jLHwVN8efS3rCj/EWgvIWgb9tar
;						pVUDK/b58Da+sqqls3eNbuv7pr+e
;						oZG+SrDK6nWeL3c6H5Apxz7LjVc1
;						uTIdsIXxuOLYA4/ilBmSVIzuDWfd
;						RUfhHdY6+cn8HFRm+2hM8AnXGXws
;						9555KrUB5qihylGa8subX2Nn6UwN
;						R1AkUTV74bU=
;						) ; KSK; alg = RSASHA256 ; key id = 20326
;.			169897	IN	DNSKEY	257 3 8 (
;						AwEAAagAIKlVZrpC6Ia7gEzahOR+
;						9W29euxhJhVVLOyQbSEW0O8gcCjF
;						FVQUTf6v58fLjwBd0YI0EzrAcQqB
;						GCzh/RStIoO8g0NfnfL2MTJRkxoX
;						bfDaUeVPQuYEhg37NZWAJQ9VnMVD
;						xP/VHL496M/QZxkjf5/Efucp2gaD
;						X6RS6CXpoY68LsvPVjR0ZSwzz1ap
;						AzvN9dlzEheX7ICJBBtuA6G3LQpz
;						W5hOA2hzCTMjJPJ8LbqF6dsV6DoB
;						Qzgul0sGIcGOYl7OyQdXfZ57relS
;						Qageu+ipAdTTJ25AsRTAoub8ONGc
;						LmqrAmRLKBP1dfwhYB4N7knNnulq
;						QxA+Uk1ihz0=
;						) ; KSK; alg = RSASHA256 ; key id = 19036
;.			169897	IN	DNSKEY	256 3 8 (
;						AwEAAfaifSqh+9ItxYRCwuiY0FY2
;						NkaEwd/zmyVvakixDgTOkgG/PUzl
;						EauAiKzlxGwezjqbKFPSwrY3qHmb
;						bsSTY6G8hZtna8k26eCwy59Chh57
;						3cu8qtBkmUIXMYG3fSdlUReP+uhB
;						WBfKI2aGwhRmQYR0zSmg7PGOde34
;						c/rOItK1ebJhjTAJ6TmnON7qMfk/
;						lKvH4qOvYtzstLhr7Pn9ZOVLx/WU
;						KQpU/nEyFyTduRbz1nZqkp6yMuHw
;						WVsABK8lUYXSaUrDAsuMSldhafmR
;						/A15BxNhv9M7mzJj7UH2RVME9JbY
;						inBEzWwW9GpnY+ZmBWgZiRVTaDue
;						mCTJ5ZJWLRs=
;						) ; ZSK; alg = RSASHA256 ; key id = 41656
;.			169897	IN	RRSIG	DNSKEY 8 0 172800 (
;						20180930000000 20180909000000 19036 .
;						GvFso1C76Dk79nt07sVCwGm/Hw3Q
;						ytVpQ0VnxEc2uI3iJnD7Bls2cmyA
;						egT1USX4qY/j+1+j88xhwDVnM21w
;						8fyAppbbea0Ri4gfM4562KNIrUBD
;						JCybijL+4GbTwwq8Z2RKqDjTkEHx
;						vQ7KCV+9ldtzcpzF7FE4ct3rzaEQ
;						T6APVR70dxH+lc/JL1PVdM9zeclh
;						tmRBrfRJHdU9XfqY3PycubLxWtZL
;						NOUqB2gBxwvfK6zg1VCZ8JQCDIfE
;						VyWae1WEooBvHAq4obNJs6rF9JC3
;						qnc5WxIqBZnWD41NkZMbOqvBxJvk
;						Liwvp98qOCkvbKTbneFA0q3ZGtwN
;						OBhajA== )
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=19036): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating de/DS: in fetch_callback_validator
;; validating de/DS: keyset with trust secure
;; validating de/DS: resuming validate
;; validating de/DS: verify rdataset (keyid=41656): success
;; validating de/DS: marking as secure, noqname proof not needed
;; validating de/DNSKEY: in dsfetched
;; validating de/DNSKEY: dsset with trust secure
;; validating de/DNSKEY: verify rdataset (keyid=39227): success
;; validating de/DNSKEY: marking as secure (DS)
;; validating m451.de/DS: in fetch_callback_validator
;; validating m451.de/DS: keyset with trust secure
;; validating m451.de/DS: resuming validate
;; validating m451.de/DS: verify rdataset (keyid=33364): success
;; validating m451.de/DS: marking as secure, noqname proof not needed
;; validating m451.de/DNSKEY: in dsfetched
;; validating m451.de/DNSKEY: dsset with trust secure
;; validating m451.de/DNSKEY: verify rdataset (keyid=16944): success
;; validating m451.de/DNSKEY: marking as secure (DS)
;; validating www.m451.de/A: in fetch_callback_validator
;; validating www.m451.de/A: keyset with trust secure
;; validating www.m451.de/A: resuming validate
;; validating www.m451.de/A: verify rdataset (keyid=13461): success
;; validating www.m451.de/A: marking as secure, noqname proof not needed
; fully validated
www.m451.de.		2796	IN	A	185.11.138.5
www.m451.de.		2796	IN	RRSIG	A 13 3 3600
                20180922125042 20180908112042 13461 m451.de. Fw...g==
            
            
www.m451.de. 3297 IN A     185.11.138.5
www.m451.de. 3297 IN RRSIG A   # Signatur zum A-Record
                13             # Signaturverfahren -> ECDSAP256SHA256
                3              # Name besteht aus 3 Komponenten
                3600           # ursprüngliche TTL des RRsets (Original TTL)
                20180922125042 # signature expiration: not valid after
                20180908112042 # signature inception: not valid before
                13461          # Schlüssel ID
                m451.de.       # Name des Signierers
                FwYUGXWl6ThYk...SmfWg== # base64 signatur
            
_25._tcp.mail.ideas-in-logic.de. 3600 IN TLSA 3 1 1 AD1...28
_25._tcp.mail.ideas-in-logic.de. 3600 IN TLSA 2 1 1 60B...18
# Knot DNS configuration excerpt: a DNSSEC signing policy and the zone
# template that applies it.
policy:
  - id: "default"
    # Signing algorithm; this is algorithm 13 in DNSKEY/RRSIG records.
    algorithm: "ecdsap256sha256"
    # Use NSEC3 instead of NSEC for authenticated denial of existence.
    nsec3: "on"
    # NOTE(review): RFC 9276 recommends 0 additional NSEC3 iterations, and
    # validating resolvers may treat answers with a high iteration count as
    # insecure. Confirm that 100 is still accepted by the resolvers that
    # matter for this zone.
    nsec3-iterations: "100"
template:
  - id: "default"
    # Directory holding the zone files.
    storage: "/var/lib/knot/zones"
    # Remote to send NOTIFY to; "slave" is an id defined outside this excerpt.
    notify: "slave"
    # ACL rule ids, also defined outside this excerpt. Presumably "acl_slave"
    # permits zone transfer to the secondary and "deny_all" rejects everything
    # else; verify against the acl section.
    acl: [ "acl_slave", "deny_all" ]
    # Sign zones automatically, using the policy with the id named below.
    dnssec-signing: "on"
    dnssec-policy: "default"
    # Date-based SOA serial (YYYYMMDDnn).
    serial-policy: "dateserial"
                