ION Hangzhou - How to Deploy DNSSEC
Transcript of ION Hangzhou - How to Deploy DNSSEC
DNSSEC Deployment Introduction
2016-07
Builder, operator and administrator of the key infrastructure of China's information society
OUTLINE
DNSSEC Deployment Introduction
1. Brief Introduction
2. Preparation
3. Process
4. Strategy
5. Influence
1.1. DNSSEC
• DNS Security Extensions
• A system to verify the authenticity of DNS "data"
• Detecting cache poisoning, MITM…
• Data origin authentication and data integrity
• Authenticating name and type non-existence
1.2. Progress
• 1378 TLDs in the root zone in total
• 1223 TLDs are signed
• 1213 TLDs have trust anchors published as DS records in the root zone
• 5 TLDs have trust anchors published in the ISC DLV Repository
1.3. Timeline
Stage         Meaning
Experimental  Internal experimentation
Announced     Public commitment to deploy
Partial       Zone is signed but not in operation
DS in Root    Zone is signed and its DS has been published
Operational   Accepting signed delegations and DS in root
1.3. Timeline
• 2010-12 ~ 2013-03: Experimental
• 2013-04: Announced
• 2013-12: Operational
Work done in each stage:
• Experimental: software development; risk analysis
• Announced: hardware & software deployment; training and drills
• Partial: signing & key rollover; observation & verification
• DS in Root: DS generation & submission; observation & verification
• Operational: development and upgrades; debugging
2.1. Test-bed
1. Simulate the real environment
2. DNS system
3. EPP
4. Sign zone
5. Key rotation
6. Emergency response
7. …
(Test-bed topology diagram: USER, REGISTRAR, RT, FW, LB, SW, HSM, DB SERVER, DNS SERVERs)
2.2. Upgrading & Survey
Survey:
1. Data packet size increase
2. Insufficient memory
3. Network bandwidth
4. EDNS0
5. TCP
6. …
Upgrading:
1. DNS server
2. Router
3. Firewall
4. Switch
5. Load balancer
6. …
2.3. Documents & Training
Documents:
1. Deployment scheme
   a) Make the technical details clear
   b) Assign every task to a person
   c) Drive the work according to a timetable
2. Emergency plan
3. DPS
4. …
Training:
1. Basic knowledge about DNSSEC
2. Operational skills
3. Emergency response
4. …
(Stages: Experimental, Announced)
3.1. Keys
• Key type, algorithm and length

Key Type  Function           Algorithm   Length  NSEC/NSEC3
ZSK       Sign RRSET         RSA-SHA256  1024    NSEC3
KSK       Sign DNSKEY RRSET  RSA-SHA256  2048    NSEC3

• Key rollover cycle and RRSIG period

Key Type  Period    Roll      Overlap  RRSIG Period
ZSK       100 day   90 day    10 day   30 day
KSK       13 month  12 month  30 day

• Different types of zones use different key pairs
3.2. DNSSEC Environment
(DNSSEC environment diagram: HSM, FW, RT, LB, SW, DB SERVER, SITEs, SERVERs)
3.3. Switching Scheme
1. Several sites using anycast
2. On-line switching
3. Immediate verification
   a) Part of the servers receive the DNSSEC zone data
   b) Verify the data
   c) Bring them on-line
   d) Take the non-DNSSEC servers off-line
   e) Repeat
3.4. Emergency Response Strategy
1. An emergency response strategy for every step;
2. Anycast ensures the availability of the service;
3. If the DNSSEC service in the main operation center is down, the secondary operation center can take over the service shortly;
4. If the DNSSEC service at a site is down, the DNS service (without DNSSEC) can take over the service within 10 minutes;
5. Comprehensive checking mechanism.
3.5. Submit DS in Root
1. Email
2. Online system
3. Check, check, check…
4. Validation
(Stages: Partial, DS in Root)
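The "check, check, check" step above is where a wrong DS submitted to the root breaks validation for the whole TLD, so it pays to recompute the DS from the live DNSKEY and compare it with what is about to be submitted. The following is an added example written for this transcript, not CNNIC's code: it implements the key tag algorithm of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 (digest type 2, SHA-256, RFC 4509). The DNSKEY it uses is a constructed 32-byte placeholder, not a real key, so that it runs offline.

```python
"""Recompute a DS record from a DNSKEY and check a DS that is about to be submitted.

Added example for the DNSSEC deployment slides (not CNNIC's code).
Key tag: RFC 4034 Appendix B.  DS digest: RFC 4034 5.1.4 / RFC 4509.
"""
import base64
import hashlib
import struct

# DS digest type codes -> hash functions (1 = SHA-1, 2 = SHA-256)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed placeholder public key (NOT a real key): bytes 0x01..0x20.
CONSTRUCTED_PUBKEY = bytes(range(1, 33))
CONSTRUCTED_PUBKEY_B64 = base64.b64encode(CONSTRUCTED_PUBKEY).decode("ascii")


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA, even bytes in the high octet."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Return the DS RDATA text 'keytag algorithm digesttype digest' for a DNSKEY."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGEST_ALGOS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(submitted: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """Does the DS text we are about to submit match the DNSKEY actually in the zone?"""
    parts = submitted.split()
    if len(parts) != 4 or not parts[2].isdigit():
        return False
    digest_type = int(parts[2])
    if digest_type not in DIGEST_ALGOS:
        return False
    expected = ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    # Hex digests are case-insensitive; key tag and numeric fields must match exactly.
    return " ".join(parts[:3] + [parts[3].upper()]) == expected


if __name__ == "__main__":
    # KSK flags 257 (ZONE + SEP), protocol 3, algorithm 8 (RSASHA256) as in slide 3.1.
    ds = ds_record("example.com", 257, 3, 8, CONSTRUCTED_PUBKEY_B64)
    print("DS to submit:", ds)
    print("matches DNSKEY:", ds_matches(ds, "example.com", 257, 3, 8, CONSTRUCTED_PUBKEY_B64))
```

Run it once against the DS produced by the signer and once against the text pasted into the registry's email or online form; any difference (a stale key tag from a previous KSK, a truncated digest, the wrong digest type) shows up before the root zone does.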
3.6. Commands
• Recursive (BIND named.conf)

options {
    dnssec-enable yes;
    dnssec-validation auto;   // validate using the built-in root trust anchor
    dnssec-lookaside auto;    // DLV lookaside; ISC shut the DLV registry down in 2017
};
trusted-keys {
    // static root KSK anchor; a static trusted-keys entry is not updated by
    // RFC 5011, so it stopped matching when the root KSK rolled in 2018.
    // Prefer the built-in anchor (dnssec-validation auto) or managed-keys.
    . 257 3 8 "AwEAAag……1ihz0=";
};

• Authority (BIND named.conf)

options {
    dnssec-enable yes;
};

dnssec-keygen ……
dnssec-signzone …… > ***.zone.signed

zone "example.com" {
    type master;
    file "zones/example.com/***.zone.signed";   // serve the signed zone, not the original
    key-directory "keys/";
};
4.1. Zone Signing
• Zone signing is recommended to be executed in the HSM; the basic procedure is as follows:
   a) The primary master obtains the RRs from the registration database and generates the original zone file;
   b) The hidden primary master sends the original zone file to the HSM;
   c) The HSM reads the right keys;
   d) The HSM signs the zone using the keys;
   e) The HSM sends the signed zone back to the hidden primary master;
   f) The signed zone is loaded onto the hidden primary master, which updates the secondary master servers.
4.2. Key Rollover
ZSK
• To prevent the keys from being cracked or leaked, the ZSK should be replaced and rotated on a regular basis;
• The ZSK roll-over policy is to adopt a pre-publish mechanism (RFC 4641);
• The validity period of each ZSK generated is 100 days and the roll-over cycle is 90 days.
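The three ZSK bullets above fix the policy (100-day validity, 90-day roll cycle, RFC 4641 pre-publish), which leaves a 10-day window in which two ZSKs are in the DNSKEY RRset. The following added example, written for this transcript and not CNNIC's code, turns that policy into concrete publish/activate/inactive/delete dates and checks the invariants a signer operator cares about: exactly one ZSK signing at any time, never more than two published, and the pre-publish and retirement windows long enough to cover cached DNSKEY and RRSIG TTLs. How the 10 days are split between pre-publishing the new key and retaining the old one is not stated on the slide; the 5/5 split and the 2013-12 start date are assumptions.

```python
"""Pre-publish ZSK rollover schedule using the policy from slides 3.1 and 4.2.

Added example (not CNNIC's code).  Produces the timing that a signer such as
BIND's dnssec-keygen takes via -P/-A/-I/-D and checks the rollover invariants.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

VALIDITY_DAYS = 100          # each ZSK stays in the zone 100 days (slide 3.1)
ROLL_DAYS = 90               # a new ZSK takes over signing every 90 days (slide 3.1)
OVERLAP_DAYS = VALIDITY_DAYS - ROLL_DAYS   # 10 days with two ZSKs published
PREPUBLISH_DAYS = 5          # ASSUMPTION: new DNSKEY published 5 days before it signs
RETIRE_DAYS = OVERLAP_DAYS - PREPUBLISH_DAYS   # old DNSKEY kept 5 days after it stops signing
EXAMPLE_START = date(2013, 12, 1)   # ASSUMPTION: first ZSK published when the TLD went operational


@dataclass(frozen=True)
class ZskLifetime:
    index: int
    publish: date    # DNSKEY appears in the zone (pre-publish)
    activate: date   # key starts producing RRSIGs
    inactive: date   # key stops signing; the successor is active from this day
    delete: date     # DNSKEY removed from the zone


def zsk_schedule(start: date, count: int) -> List[ZskLifetime]:
    """Plan `count` successive ZSKs: key n is published at start + 90n days and signs
    for 90 days beginning PREPUBLISH_DAYS after publication."""
    keys = []
    for n in range(count):
        publish = start + timedelta(days=ROLL_DAYS * n)
        activate = publish + timedelta(days=PREPUBLISH_DAYS)
        inactive = activate + timedelta(days=ROLL_DAYS)
        delete = publish + timedelta(days=VALIDITY_DAYS)
        keys.append(ZskLifetime(n, publish, activate, inactive, delete))
    return keys


def keys_published_on(keys: List[ZskLifetime], day: date) -> List[ZskLifetime]:
    """ZSKs present in the DNSKEY RRset on `day`."""
    return [k for k in keys if k.publish <= day < k.delete]


def keys_signing_on(keys: List[ZskLifetime], day: date) -> List[ZskLifetime]:
    """ZSKs producing RRSIGs on `day`."""
    return [k for k in keys if k.activate <= day < k.inactive]


def check_schedule(keys: List[ZskLifetime], max_ttl_days: int) -> List[str]:
    """Return the list of policy violations (empty list means the schedule is sound).

    max_ttl_days is the largest DNSKEY/RRSIG TTL, in days, that resolvers may cache."""
    problems = []
    day = keys[0].activate
    while day < keys[-1].inactive:
        signing = keys_signing_on(keys, day)
        if len(signing) != 1:
            problems.append(f"{day}: {len(signing)} signing ZSKs")
        if len(keys_published_on(keys, day)) > 2:
            problems.append(f"{day}: more than two ZSKs published")
        day += timedelta(days=1)
    if PREPUBLISH_DAYS < max_ttl_days:
        problems.append("pre-publish window shorter than the DNSKEY TTL")
    if RETIRE_DAYS < max_ttl_days:
        problems.append("retire window shorter than the RRSIG TTL")
    return problems


def keygen_timing(key: ZskLifetime) -> str:
    """dnssec-keygen timing options (YYYYMMDDHHMMSS) for this key; illustrative only."""
    fmt = "%Y%m%d000000"
    return (f"-P {key.publish:{fmt}} -A {key.activate:{fmt}} "
            f"-I {key.inactive:{fmt}} -D {key.delete:{fmt}}")


def example_schedule() -> List[ZskLifetime]:
    """Four successive ZSKs starting at the assumed operational date."""
    return zsk_schedule(EXAMPLE_START, 4)


if __name__ == "__main__":
    plan = example_schedule()
    for k in plan:
        print(f"ZSK{k.index}: {keygen_timing(k)}")
    print("problems with 1-day TTLs:", check_schedule(plan, 1))
    print("problems with 7-day TTLs:", check_schedule(plan, 7))
```

With TTLs of a day the 5/5 split passes every check; with a 7-day TTL the same 10-day overlap is too short on both sides, which is the kind of mismatch between the key table and the zone's TTLs that an emergency plan should catch before the first roll.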
4.2. Key Rollover
• Steps (KSK)
   1. Generate the new KSK; re-sign the zone with the ZSK, KSK_old and KSK_new
   2. Submit the new DS to the root & delete the old DS
   3. Revoke KSK_old
   4. Delete KSK_old
(KSK rollover timeline: 1 KSK_old + KSK_new active; 2 KSK_old revoked, KSK_new; 3 KSK_old deleted, KSK_new; then KSK_new + KSK_new_2 active. Labels: 300 days, 35 days, 30 days.)
4.3. Key management
1. Key pairs generation offline
2. Key pairs backup online/offline
3. Private key protection
4. Key pairs management document/system
4.4. Security consideration
1. Physical Controls
   • Electromagnetic shielding
   • Physical access management
   Procedural Controls
   • Different roles for different tasks
   • Teamwork
2. Technical Controls
   • Certifications
   • Network controls: FW, ACL, VLAN
   • Software controls: versions, bugs, documents
5.1. Size
• Zone Size
   − Opt-out
   − Increased a little (7%)
• Packet Size
   − RRSIG
   − 2.5 times larger on average
(Charts: zone size in Mb and packet size in Byte, No DNSSEC vs DNSSEC)
• 73% of queries are DNSSEC queries under usual conditions
• After the sub-domains and recursive nameservers implement DNSSEC, bandwidth costs will be much larger
5.2. Challenge
DDoS Attack
• QPS increased to 2.4 times the usual level
• Packet size increased to 700 Byte on average (1.65 times)
• Bandwidth reaches 4 (2.4*1.65) times the usual level
(Chart: packet size in Byte, Usual 423 vs Attack 700)
Sharing
• http://www.internetsociety.org/deploy360/dnssec/
• http://www.nlnetlabs.nl/publications/dnssec_howto/
• http://stats.research.icann.org/dns/tld_report/
• http://www.nlnetlabs.nl/projects/dnssec/
• http://www.dnssec-deployment.org/
• https://www.iana.org/dnssec/
• http://dnssec-debugger.verisignlabs.com/
• https://www.opendnssec.org/
Information Sharing
Thank you! Questions?
CAS Software Park, No. 4 South 4th Street, Zhongguancun, Haidian District, Beijing, Postcode 100190, www.cnnic.cn