* Posts by Matt34

4 publicly visible posts • joined 3 Nov 2016

Internet-wide security update put on hold over fears 60 million people would be kicked offline

Matt34
Facepalm

What a load of cow pats

Having just completed a training course which covered DNSSEC, the Root Key Signing Keys are using algorithm 8, which is RSA/SHA256 and is compatible with BIND 9.10.3, which is available for Linux Mint and Ubuntu MATE for Raspberry Pi. The new KSK works just fine. After five years of giving training on DNSSEC, 99% of students who were familiar with DNS had never heard of DNSSEC (despite it being 16 years old).

For those unfamiliar with DNSSEC, at present there is a double Key Rollover: both the KSK and Zone Signing Key (ZSK) are rolling over to a new key.

dig @8.8.8.8 . dnskey +multiline

; <<>> DiG 9.10.6 <<>> @8.8.8.8 . dnskey +multiline

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5983

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 512

;; QUESTION SECTION:

;. IN DNSKEY

;; ANSWER SECTION:

. 166290 IN DNSKEY 257 3 8 (

AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ

bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh

/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA

JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp

oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3

LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO

Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc

LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=

) ; KSK; alg = RSASHA256 ; key id = 19036

. 166290 IN DNSKEY 256 3 8 (

AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl

p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi

TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk

3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq

yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH

uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3

+pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA

jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=

) ; ZSK; alg = RSASHA256 ; key id = 15768

. 166290 IN DNSKEY 256 3 8 (

AwEAAcRIZfxskdElMKgjwvWQO2bQe7EGAvX6zgIaqmbs

aMqmMrIpd1+bP7nyULLuL8jWnKAqcaVfal2yJD50gg5z

Fl5yW/F9dKNXXEFI7VEcGrPyG6/OrA9RBU8pGWm0qxps

Nm5UIgTU5IX7pb/0rBj67c/R7qln8sjH1ylsr4f1Y3R6

p/druiEalKasEjGKA9L2w9jzUQusWxM7fQx/T8c/3x3b

sjveD1dleQ6MJaCx4bpPXYZpqXmSvGn+T2v5350cBVAF

qVKhGbjxEyXAweem8cTU4L1p+DV7Ua11a1tMf0Tlu8pk

pLwh7NQIggIEhJwEhPeXE3E4C6Q2/PFENcoFERc=

) ; ZSK; alg = RSASHA256 ; key id = 46809

. 166290 IN DNSKEY 257 3 8 (

AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO

iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN

7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5

LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8

efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7

pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY

A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws

9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=

) ; KSK; alg = RSASHA256 ; key id = 20326

;; Query time: 9 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Fri Sep 29 19:51:13 BST 2017

;; MSG SIZE rcvd: 1128

DNSSEC is used to digitally sign DNS records by adding an RRSIG record, which is a cryptographically signed hash of a set of records within a Zone. So the NS records inside a Zone would have a single RRSIG to allow authentication and validation of all the NS records, as if you query the NS records all will be returned.

In terms of handling the new KSK, if the DNS Server supports RFC5011 the KSK rollover is handled automatically; BIND has supported this for a couple of years. RFC7344 allows the automatic update of the Child Zone Delegated Signer Record using the CDS Record and CDNSKEY record, both supported in BIND 9.11.

Unfortunately many commercial DNS providers do not support RFC5011, nor do they support RFC7344.

The Root KSK should have been replaced in June 2015 under the contract ICANN operated under; here we are seven years later and it's going to be delayed again.

Personally the root key change should not be delayed... A competent DNS Architect/Administrator should have planned for this two years ago.
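As an added illustration (not part of the original post, and not BIND's code), the RFC 5011 add hold-down referred to in the post above can be modelled to see when a resolver actually starts trusting a new KSK. The 30-day timer comes from RFC 5011; the function names and day-numbered timelines are constructed, and every observation is assumed to be a DNSKEY RRset that already validated against an existing trust anchor.

```python
from enum import Enum

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 section 2.4.1 add hold-down (minimum)


class State(Enum):
    START = "Start"
    ADD_PEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"


def track_anchor(tag, observations):
    """Follow one new key tag through the RFC 5011 add path.

    observations: (day, present_tags) pairs, each standing for a DNSKEY RRset
    that already validated against an anchor the resolver trusts.
    Returns (final_state, day the key became a trust anchor or None).
    Revocation (REVOKE bit) is left out of this sketch.
    """
    state, first_seen, valid_since = State.START, None, None
    for day, present in sorted(observations, key=lambda o: o[0]):
        if state is State.START and tag in present:
            state, first_seen = State.ADD_PEND, day
        elif state is State.ADD_PEND:
            if tag not in present:
                state, first_seen = State.START, None  # hold-down restarts
            elif day - first_seen >= ADD_HOLD_DOWN_DAYS:
                state, valid_since = State.VALID, day
        elif state is State.VALID and tag not in present:
            state = State.MISSING  # still a trust anchor, just not seen
        elif state is State.MISSING and tag in present:
            state = State.VALID
    return state, valid_since


def trusts_by(tag, observations, roll_day):
    """True if the resolver holds `tag` as a trust anchor on roll_day."""
    seen = [o for o in observations if o[0] <= roll_day]
    return track_anchor(tag, seen)[0] in (State.VALID, State.MISSING)


# Constructed timelines (day numbers are illustrative, not real dates).
BOTH = {19036, 20326}                            # key ids from the dig output
STEADY = [(d, BOTH) for d in range(0, 100, 10)]  # resolver polling all along
LATE = [(d, BOTH) for d in range(70, 100, 10)]   # resolver deployed late
GAP = [(0, BOTH), (10, {19036}), (20, BOTH), (40, BOTH), (50, BOTH)]
```

A resolver that only began tracking the zone less than 30 days before the old key stops signing (the `LATE` timeline) is still in AddPend on the roll day and needs its trust anchor installed by hand.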

In the three years since IETF said pervasive monitoring is an attack, what's changed?

Matt34

With the reported growth in IPv6 adoption ( http://6lab.cisco.com/stats/ ), utilising IPv6 IPSec Transport Mode for all traffic, including DNS queries, would protect the data component without utilising TLS and all the attendant issues of SSL library problems.

DNSSEC would have to be used to publish host certificate information, which could then be used with RFC 4025 and RFC 4322 compliant devices to ensure that all the communication is IPSec encrypted, so that certificates can be obtained dynamically and thus the encrypted communication could take place automatically. The RFCs are over ten years old now.

RFC 4025 - A method of storing IPSec Phase 1 Keying Material in DNS published 2005 which uses the DNS IPSECKEY record

RFC 4322 - Opportunistic Encryption using the Internet Key Exchange for Phase 2 IPSec published 2005

Uncle Sam emits DNS email security guide – now speak your brains

Matt34

Re: Cliff Notes please

Implementing DNSSEC using BIND 9.9.X or 9.10.X would require scripts to sign and re-sign every time you change your zone files. BIND 9.11.X includes a degree of automation, policy enforcement and a soft HSM to store the Private portions of your Key Signing Keys and Zone Signing Keys. If you are a commercial organisation I would suggest you consider using Infoblox, which makes DNSSEC zone signing a single button press, and you can integrate with hardware HSMs so the signing process is off the box.

Using a Cloud based DNS service provider would allow you to sign your Zones, add TLSA records to validate your Self Signed CA Public Certificate and Server Certificates, add SSH Fingerprints (SSHFP records), Certificate records (CERT records), CDNSKEY and CDS records. Unfortunately, as a prime target for compromise, the provider will get hacked.