ION Hangzhou - How to Deploy DNSSEC


Transcript of ION Hangzhou - How to Deploy DNSSEC

Page 1: ION Hangzhou - How to Deploy DNSSEC

DNSSEC Deployment Introduction

2016-07

Page 2: ION Hangzhou - How to Deploy DNSSEC

Builder, operator and administrator of key infrastructure for China's information society

OUTLINE

DNSSEC Deployment Introduction

1. Brief Introduction

2. Preparation

3. Process

4. Strategy

5. Influence


Page 4: ION Hangzhou - How to Deploy DNSSEC


1.1. DNSSEC

• DNS Security Extensions
• A system to verify the authenticity of DNS "data"
• Detecting cache poisoning, MITM…
• Data origin authentication and data integrity
• Authenticating name and type non-existence

Page 5: ION Hangzhou - How to Deploy DNSSEC


1.2. Progress

• 1378 TLDs in the root zone in total
• 1223 TLDs are signed
• 1213 TLDs have trust anchors published as DS records in the root zone
• 5 TLDs have trust anchors published in the ISC DLV Repository

Page 6: ION Hangzhou - How to Deploy DNSSEC


1.3. Timeline

Stages of deployment:

Experimental: internal experimentation
Announced: public commitment to deploy
Partial: zone is signed but not in operation
DS in Root: zone is signed and its DS has been published
Operational: accepting signed delegations and DS in root

Page 7: ION Hangzhou - How to Deploy DNSSEC


1.3. Timeline

• 2010-12 ~ 2013-03: Experimental
• 2013-04: Announced
• 2013-12: Operational

Work in each stage:

Experimental: software development; risk analysis
Announced: hardware & software deployment; training and drills
Partial: signed & rollover; observation & verification
DS in Root: generation & submission; observation & verification
Operational: development and upgrades; debugging


Page 9: ION Hangzhou - How to Deploy DNSSEC


2.1. Test-bed

1. Simulate the real environment
2. DNS system
3. EPP
4. Sign zone
5. Key rotation
6. Emergency response
7. …

(Test-bed diagram: USER, REGISTRAR, RT, FW, LB, SW, HSM, DB SERVER, SERVERs)

Page 10: ION Hangzhou - How to Deploy DNSSEC


2.2. Upgrading & Survey

Impacts to check:

1. Data packet increase
2. Insufficient memory
3. Network bandwidth
4. EDNS0
5. TCP
6. …

Equipment to survey and upgrade:

1. DNS server
2. Router
3. Firewall
4. Switch
5. Load balancer
6. …

Page 11: ION Hangzhou - How to Deploy DNSSEC


2.3. Documents & Training

Documents:

1. Deployment scheme
   a) Make the technical details clear
   b) Assign every task to people
   c) Drive the work by schedule
2. Emergency plan
3. DPS
4. …

Training:

1. Basic knowledge about DNSSEC
2. Operational skills
3. Emergency response
4. …

Stages: Experimental, Announced


Page 13: ION Hangzhou - How to Deploy DNSSEC


3.1. Keys

• Key type, algorithm and length

  Key Type   Function            Algorithm    Length   NSEC/NSEC3
  ZSK        Sign RRSET          RSA-SHA256   1024     NSEC3
  KSK        Sign DNSKEY RRSET   RSA-SHA256   2048     NSEC3

• Key rollover cycle and RRSIG period

  Key Type   Period     Roll       Overlap   RRSIG Period
  ZSK        100 day    90 day     10 day    30 day
  KSK        13 month   12 month   30 day

• Different types of zones use different key pairs

Page 14: ION Hangzhou - How to Deploy DNSSEC


3.2. DNSSEC Environment

(DNSSEC environment diagram: HSM, FW, RT, LB, SW, DB SERVER, SITEs, SERVERs)

Page 15: ION Hangzhou - How to Deploy DNSSEC


3.3. Switching Scheme

1. Several sites using anycast
2. On-line switching
3. Immediate verification
   a) Part of the servers receive the DNSSEC zone data
   b) Verify the data
   c) Bring them online
   d) Take the non-DNSSEC servers offline
   e) Repeat

Page 16: ION Hangzhou - How to Deploy DNSSEC


3.4. Emergency Response Strategy

1. Emergency response strategy for every step;
2. Anycast ensures the availability of the service;
3. If the DNSSEC service in the main operation center is down, the secondary operation center can take over the service shortly;
4. If the DNSSEC service at a site is down, the DNS service (without DNSSEC) can take over the service within 10 minutes;
5. Comprehensive checking mechanism.

Page 17: ION Hangzhou - How to Deploy DNSSEC


3.5. Submit DS in Root

1. Email
2. Online system
3. Check, check, check…
4. Validation

Stages: Partial, DS in Root

Page 18: ION Hangzhou - How to Deploy DNSSEC


3.6. Commands

• Recursive (validating resolver, named.conf):

    options {
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;    // DLV lookaside, as shown in the deck
    };

    trusted-keys {
        // root KSK as trust anchor; key material is truncated in the deck
        . 257 3 8 "AwEAAag……1ihz0=";
    };

• Authority (authoritative server, named.conf):

    options {
        dnssec-enable yes;
    };

  Signing commands (shell; arguments elided in the deck):

    dnssec-keygen ……
    dnssec-signzone …… > ***.zone.signed

  Serve the signed zone file instead of the unsigned one:

    zone "example.com" {
        type master;
        file "zones/example.com/***.zone.signed";
        key-directory "keys/";
    };


Page 20: ION Hangzhou - How to Deploy DNSSEC


4.1. Zone Signing

• Zone signing is recommended to be executed in the HSM; the basic procedure is as follows:
  a) The primary master obtains the RRs from the registration database and generates the original zone file;
  b) The hidden primary master sends the original zone file to the HSM;
  c) The HSM reads the right keys;
  d) The HSM signs the zone using the keys;
  e) The HSM sends the signed zone back to the hidden primary master;
  f) The signed zone is loaded onto the hidden primary master, which updates the secondary master servers.

Page 21: ION Hangzhou - How to Deploy DNSSEC


4.2. Key Rollover

ZSK

• To prevent the keys from being cracked or leaked, the ZSK should be replaced and rotated on a regular basis;
• The ZSK roll-over policy adopts a pre-publish mechanism (RFC 4641);
• The validity period of each generated ZSK is 100 days and the roll-over cycle is 90 days.

KSK

• To prevent the keys from being cracked or leaked, the ZSK should be replaced and rotated on a regular basis;
• The ZSK roll-over policy adopts a pre-publish mechanism (RFC 4641);
• The validity period of each generated ZSK is 100 days and the roll-over cycle is 90 days.

Page 22: ION Hangzhou - How to Deploy DNSSEC


4.2. Key Rollover

• Steps (KSK)
  • New KSK generation; re-sign the zone with the ZSK, KSK_old and KSK_new
  • Submit the new DS to the root & delete the old DS
  • KSK_old revoke
  • KSK_old delete

(Diagram: phase 1, KSK_old and KSK_new both active; phase 2, KSK_old revoked, KSK_new active; phase 3, KSK_old deleted, KSK_new and KSK_new_2 active; durations shown: 300 days, 35 days, 30 days)
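An added example, not code from the deck or from CNNIC, in Python: it recomputes a DS record from a DNSKEY (key tag per RFC 4034 Appendix B and the SHA-256 digest type 2) as the "check, check, check" in 3.5 calls for before a DS is submitted to the root, and walks the KSK rollover above through the deck's four steps to confirm that the DS in the parent matches a live, non-revoked KSK at every step. The zone name, key bytes and step labels are constructed for illustration and the keys are dummies, not real RSA material.

```python
import base64
import hashlib

# Constructed sample (not real zone keys): flags 257 = KSK, protocol 3,
# algorithm 8 = RSASHA256 as in the deck; the key bytes are dummies.
ZONE = "example.com."
KSK_OLD = (257, 3, 8, base64.b64encode(b"\x00\x01\x00\x01").decode())
KSK_NEW = (257, 3, 8, base64.b64encode(b"\x00\x02\x00\x02").decode())
REVOKE = 0x0080  # DNSKEY REVOKE flag bit (RFC 5011)

def dnskey_rdata(flags, proto, alg, key_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return bytes([flags >> 8, flags & 0xFF, proto, alg]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum, carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical (lower-cased) wire-format owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_record(owner, rdata):
    """DS, digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)  # (key tag, algorithm, digest type, digest)

def chain_intact(owner, dnskeys, parent_ds):
    """True when a non-revoked KSK in the child's DNSKEY RRset matches a parent DS."""
    for rdata in dnskeys:
        flags = int.from_bytes(rdata[:2], "big")
        if not flags & REVOKE and ds_record(owner, rdata) in parent_ds:
            return True
    return False

def rollover_phases():
    """The deck's KSK rollover order: double-sign, swap DS in root, revoke old, delete old."""
    old, new = dnskey_rdata(*KSK_OLD), dnskey_rdata(*KSK_NEW)
    revoked = dnskey_rdata(KSK_OLD[0] | REVOKE, *KSK_OLD[1:])  # revoking changes tag and DS
    ds_old, ds_new = ds_record(ZONE, old), ds_record(ZONE, new)
    return [("both KSKs active, old DS in root", [old, new], [ds_old]),
            ("new DS submitted, old DS deleted", [old, new], [ds_new]),
            ("KSK_old revoked", [revoked, new], [ds_new]),
            ("KSK_old deleted", [new], [ds_new])]
```

Revoking sets flag bit 0x0080, which changes the RDATA and therefore both the key tag and the DS digest, so the old DS stops matching the moment the old KSK is revoked; that is why the new DS must be in the root before the revoke step.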

Page 23: ION Hangzhou - How to Deploy DNSSEC


4.3. Key management

1. Key pairs generation offline

2. Key pairs backup online/offline

3. Private key protection

4. Key pairs management document/system

Page 24: ION Hangzhou - How to Deploy DNSSEC


4.4. Security consideration

1. Physical Controls
   Electromagnetic shielding
   Physical access management

2. Procedural Controls
   Different roles for different tasks
   Teamwork

3. Technical Controls
   Certifications
   Network controls: FW, ACL, VLAN
   Software controls: versions, bugs, documents


Page 26: ION Hangzhou - How to Deploy DNSSEC


5.1. Size

• Zone Size
  − Opt-out
  − Increased a little (7%)

• Packet Size
  − RRSIG
  − 2.5 times larger on average

(Chart: zone size in Mb, No DNSSEC vs. DNSSEC)
(Chart: packet size in bytes, No DNSSEC vs. DNSSEC)

• 73% of queries are DNSSEC queries in normal operation
• After sub-domain and recursive nameservers implement DNSSEC, bandwidth costs will be much larger

Page 27: ION Hangzhou - How to Deploy DNSSEC


5.2. Challenge

DDoS Attack

• QPS increased to 2.4 times the usual rate
• Packet size increased to 700 bytes on average (1.65 times)
• Bandwidth reaches 4 (2.4*1.65) times the usual level

(Chart: average packet size in bytes, usual 423 vs. under attack 700)

Page 29: ION Hangzhou - How to Deploy DNSSEC


Information Sharing

Thank you! Questions?

Page 30: ION Hangzhou - How to Deploy DNSSEC


CAS Software Park, No. 4 South Fourth Street, Zhongguancun, Haidian District, Beijing, postal code 100190. www.cnnic.cn