Developing a DNSSEC Policy
Mark Elkins - mje@posix.co.za
• The Compulsory
• Zone Distribution
• Which DNSSEC Protocol
• Keys – and Managing them
• Managing the Children
• Using DNSSEC
The Compulsory
• The Certain
  • Time
  • NTP
• The Uncertain
  • Entropy
  • haveged
Zone Distribution
• TSIG
  • Signing the path between Master and Slave
  • Using a shared secret means there is confidence on the receiving side that the data came from the sender and was not altered in transit
  • Pass-phrases need to be renewed - once a year
  • Out of Band Key Management
Which DNSSEC Protocol?
• NSEC - Original method
  • Everything is signed
  • Lightweight
  • No privacy: anyone can walk the zone
• NSEC3 - Designed for ccTLDs
  • Cannot walk the zone
  • Opt-Out – only the secure delegations are signed
  • Reduces the increase in signed zone size
• NSEC3 Options
  • Opt-out
  • Seeding
  • Hash cycles
Keys – and management
• Asymmetrical keys – one part secret, one part public
• KSK - Key Signing Keys
  • Used to sign ZSKs
  • Longish life cycle – default is one year
  • Potentially difficult to roll
  • Generate with RSASHA256 with 2048 bits
  • Hash present in parent (DS record)
• ZSK - Zone Signing Keys
  • Used to sign the data in a zone
  • Shortish life cycle - default is one month
  • Simple to roll
  • Generate with RSASHA256 with 1024 bits
Keys – and management
• Hardware Security Module - HSM
  • Multiple, redundant, tamper-proof devices
• "Soft" HSM (integrating it with BIND is difficult)
• On the file system
  • Stripped-down server
  • Limited access (no direct Internet access)
Managing the Children
• Need to populate the parent with DS records
  • Out of band
    • Paper
    • Secure web site
  • Via EPP extension
  • Via “in-band” methods
• What do you record? KSK/DS
• Emergency “roll-over”
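As an added example (not from the slides), the two computations behind the bullets above and in the key and NSEC3 slides, in Python: the DS record the parent publishes for a KSK (key tag plus SHA-256 digest, RFC 4034) and the NSEC3 hashed owner name that the "seed" (salt) and "hash cycles" (iterations) options feed into (RFC 5155). The zone name, salt, iteration count and DNSKEY bytes are constructed samples.

```python
import base64
import hashlib
import struct

# Constructed sample values (not from the slides).
OWNER = "example."           # zone apex whose KSK the parent will list
SALT_HEX = "aabbccdd"        # NSEC3 "seed"
ITERATIONS = 12              # NSEC3 "hash cycles"

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS name: lower-case, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol 3, algorithm (8 = RSASHA256), key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); lets a DS be matched to its DNSKEY."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 hex): what the parent publishes for a KSK."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

# RFC 4648 base32 -> base32hex alphabet, the NSEC3 owner-name encoding.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner name (RFC 5155 section 5): SHA-1 of name+salt, re-hashed `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    h = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32HEX).lower()

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 8, b"\x01\x02")  # placeholder key bytes, not a real RSA key
    print("DS:", ds_record(OWNER, ksk))
    print("NSEC3 owner:", nsec3_hash(OWNER, SALT_HEX, ITERATIONS))
```

The NSEC3 function reproduces the RFC 5155 Appendix A zone's apex hash for salt aabbccdd and 12 iterations, which is a convenient check that a signer's seed and cycle settings are being applied as intended.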
Using DNSSEC
• Making a resolver “DNSSEC” aware
  • RFC 5011
• Howto: http://dnssec.co.za & http://dnssec.na
• Scripts available at: http://posixafrica.com
• “DNSSEC Validator” and get the Green Key
Ready to run DNSSEC
• Need: NTP, haveged
• Use TSIG for zone distribution
• NSEC3? (Opt In/Out, Seed, Hash) or NSEC
• Signing: KSK 1 year, ZSK 1 month
• Done