Introduction to DNSSEC
DNS: a recap
+-----------------+              +-----------+          +-----------+
| ROOT SERVER     |      2       |           |    1     |  CLIENT   |
|                 |<------------>|           |<---------|           |
+-----------------+              |  RESOLVER |          +-----+-----+
+-----------------+              |           |                |
| ORG SERVER      |      3       |           |                | 5
|                 |<------------>|           |                v
+-----------------+              |           |     +---------------------+
+-----------------+              |           |     |     WEB SERVER      |
| CLERMONTECH.ORG |      4       |           |     | WWW.CLERMONTECH.ORG |
|                 |<------------>|           |     +---------------------+
+-----------------+              +-----------+
- 1: the client asks its resolver for www.clermontech.org
- 2, 3, 4: the resolver walks down from the root servers to the .org servers to the clermontech.org servers and gets the answer
- 5: the client connects to the web server at the address it was given
DNSSEC: why?
+-----------------+              +-----------+          +-----------+
| ROOT SERVER     |      2       |           |    1     |  CLIENT   |
|                 |<------------>|           |<---------|           |
+-----------------+              |  RESOLVER |          +-----+-----+
+-----------------+              |           |                |
| ORG SERVER      |      3       |           |                | 5
|                 |<------------>|           |                v
+-----------------+              |           |     +---------------------+
+-----------------+              |           |     |       BAD GUY       |
| CLERMONTECH.ORG |      4       |           |     | (forged answer for  |
|                 |<-----X------>|           |<----| WWW.CLERMONTECH.ORG)|
+-----------------+              +-----------+     +---------------------+
                                                   +---------------------+
                                                   |     WEB SERVER      |
                                                   | WWW.CLERMONTECH.ORG |
                                                   |  (never contacted)  |
                                                   +---------------------+
- Plain DNS gives the resolver no way to tell a forged answer from a genuine one
- If an attacker gets a forged answer in at step 4, the client connects to the attacker's server at step 5 instead of www.clermontech.org
DNSSEC: how?
- Digital signatures over the data
  - Guarantees the authenticity of answers
  - Not confidentiality
- Validation
  - Chain of trust (trust anchors)
DNSSEC: what?
- Every record in a zone
$ORIGIN example.com.
$TTL 600
@           IN SOA  ns0.example.net. root.example.com. (2013101600 43200 3600 1814400 3600)
            3600 IN NS   ns0.example.net.
            3600 IN NS   ns0.example.org.
            3600 IN MX   10 mail
www         IN AAAA 2001:DB8::80
mail        IN A    198.51.100.25
clermontech IN TXT  "Can I haz b33r plz ?"
- Signed with what?
  - Zone Signing Key (ZSK)
  - Key Signing Key (KSK)
Validation
Validating resolver
- Holds a trust anchor (root trust anchor or DLV)
- Fetches RR + RRSIG + DNSKEY + DS and verifies the signature
- Validation failure = SERVFAIL
In practice: configuring Unbound
- Enable the root trust anchor in unbound.conf:
  auto-trust-anchor-file: "/var/unbound/etc/root.key"
- Fetch the root trust anchor:
  $ sudo unbound-anchor -v
  /var/unbound/etc/root.key does not exist
  success: the anchor is ok
- Restart Unbound
- Test
In practice: tests
$ dig www.isc.org AAAA +dnssec +multiline
[...]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2895
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[...]
www.isc.org. 60 IN AAAA 2001:4f8:0:2::69
www.isc.org. 60 IN RRSIG AAAA 5 3 60 20131120233243 20131021233243
50012 isc.org. eBDe+ahm/zGw[...]
$ dig dnssec-failed.org +dnssec
[...]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14080
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
[...]
$ dig platypus.isc.org +dnssec
[...]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35031
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
[...]
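A small check for the three cases above, added here as an example for this edition (it is not part of the original talk, nor code from dig or Unbound): it parses the header lines that dig prints and reports whether an answer was validated. The sample outputs are constructed from the headers shown on this slide, so nothing is queried over the network.

```python
import re

# Constructed samples: the header lines of the three dig runs shown on this slide.
SAMPLES = {
    "www.isc.org": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2895\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    "dnssec-failed.org": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14080\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    "platypus.isc.org": (
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35031\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1\n"
    ),
}

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


def parse_header(dig_output: str) -> tuple:
    """Return (status, set of flags) from the header block of a dig run."""
    header = HEADER_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if header is None or flags is None:
        raise ValueError("no dig header found")
    return header.group(2), set(flags.group(1).split())


def classify(dig_output: str) -> str:
    """Interpret one dig +dnssec run from the client's point of view."""
    status, flags = parse_header(dig_output)
    if status == "SERVFAIL":
        # A validating resolver answers SERVFAIL when validation fails; dig alone
        # cannot tell that apart from an ordinary resolution failure.
        return "servfail"
    if "ad" in flags:
        # ad = Authenticated Data. NOERROR: validated answer. NXDOMAIN: validated
        # denial of existence (the NSEC/NSEC3 proof is what fills the AUTHORITY section).
        return "secure"
    return "unvalidated"  # unsigned zone, or a resolver that does not validate


def resolver_validates(good_output: str, bad_output: str) -> bool:
    """Pair of probes: a correctly signed name must come back with 'ad' and a
    deliberately broken one (dnssec-failed.org) must fail; a resolver that does
    not validate answers both without 'ad' and never fails the broken one."""
    return classify(good_output) == "secure" and classify(bad_output) == "servfail"


if __name__ == "__main__":
    for name, output in SAMPLES.items():
        print(f"{name:20} {classify(output)}")
    print("resolver validates:",
          resolver_validates(SAMPLES["www.isc.org"], SAMPLES["dnssec-failed.org"]))
```

The ad bit only means something when it comes from a resolver you trust over a path nobody can tamper with (typically localhost, as with the Unbound setup above); seen from an arbitrary network it is just another unauthenticated bit in the answer.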
Signing
DNSSEC: signing (with NSD, 1/4)
$ ldns-keygen -k -a RSASHA1_NSEC3 -b 4096 example.com
Kexample.com.+007+56193
- 3 files: .key, .private, .ds
$ cat Kexample.com.+007+56193.key
example.com. IN DNSKEY 257 3 7 (
        AwEAAbGHBXjlQ/VRp4bRgxJdDtTTY3yfteXxljv/vw+q
        18+91jUzrGLdylfC7+cHy0Y1OHK+HYjUnm53zAkMQZYJ
        B/4zbsinKkCgcewy22F7H1jcyPjxPYA/cX6W3+etKlq6
        [...]
        90wwB5gbGPWjZqSKqMQG6qEriwBBeJzNfFnTEwI+Lomj
        RW1YLTqONIupWsnUfRcH1sKWriCUuYcekjlR109z0TEN
        aCZ5kkAX0c9IDYuhPmriQFV5k2md
        )
DNSSEC: signing (2/4)
$ ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.com
Kexample.com.+007+61568
- 3 files: .key, .private, .ds
$ cat Kexample.com.+007+61568.key
example.com. IN DNSKEY 256 3 7 (
        AwEAAcE7aCUT8M3KxilRk92IVYpNJ122JuU+x1vBvrY6
        WGvUMCQSh9m4jdMmO6EovK8v2T+sz5bZjXXJLh3ik124
        B8WdmylAmWnq9DmF2bqlEF5xb//gbCE4jDzt9bragJ/k
        WTsCzeeR7oajIh26rNYn3+ZKoL5UY1EJmBaofhFThA9X
        )
DNSSEC: signing (3/4)
$ ldns-signzone -n example.com Kexample.com.+007+61568 Kexample.com.+007+56193
- 1 file: .signed
- 1 KSK and 1+ ZSK
- RRSIGs have a limited validity period
www.example.com. 600 IN RRSIG AAAA 7 3 600 20131112161027 (
        20131015161027 61568 example.com.
        oMq5952IF5WRaZ7a1Lx9Ifhhyc49f6K4HfHLHieb7yL1
        [...]
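Every RRSIG carries an expiration time, so a zone whose signatures are not refreshed in time becomes bogus for every validating resolver (in the record above the window runs from 2013-10-15 to 2013-11-12 UTC). The following script is an added example written for this edition, not code from the talk or from ldns: it parses an RRSIG the way dig +multiline prints it and reports how much validity the signature has left. The record is constructed from the one above, with a placeholder signature blob in place of the truncated one.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the RRSIG shown above: same owner, times and key tag, but the
# signature blob is a placeholder (the real one is truncated on the slide).
RRSIG_TEXT = """www.example.com. 600 IN RRSIG AAAA 7 3 600 20131112161027 (
        20131015161027 61568 example.com.
        oMq5952IF5WRaZ7a1Lx9Ifhhyc49f6K4HfHLHieb7yL1
        UExBQ0VIT0xERVIrUExBQ0VIT0xERVI= )"""


def parse_time(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text: str) -> dict:
    """Fold a dig +multiline RRSIG back into one record and split its RDATA fields."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 13 or tokens[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": tokens[0],
        "ttl": int(tokens[1]),
        "type_covered": tokens[4],
        "algorithm": int(tokens[5]),
        "labels": int(tokens[6]),
        "original_ttl": int(tokens[7]),
        "expiration": parse_time(tokens[8]),
        "inception": parse_time(tokens[9]),
        "key_tag": int(tokens[10]),
        "signer": tokens[11],
        "signature": "".join(tokens[12:]),  # base64, possibly wrapped over several lines
    }


def time_remaining(rrsig: dict, now: datetime) -> timedelta:
    """How long the signature stays usable from 'now' (negative once expired)."""
    return rrsig["expiration"] - now


def check_rrsig(rrsig: dict, now: datetime,
                warn_before: timedelta = timedelta(days=7)) -> str:
    """Validity window check: a signature is usable only when inception <= now <= expiration."""
    if now < rrsig["inception"]:
        return "not-yet-valid"  # signer clock ahead, or a freshly signed zone seen too early
    if now > rrsig["expiration"]:
        return "expired"        # validating resolvers now answer SERVFAIL for this RRset
    if time_remaining(rrsig, now) <= warn_before:
        return "expiring"       # re-sign (or check the job that should) before it lapses
    return "valid"


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_TEXT)
    for day in (1, 10, 13):
        now = datetime(2013, 11, day, 12, 0, tzinfo=timezone.utc)
        print(now.date(), check_rrsig(sig, now), time_remaining(sig, now))
```

Run against the live zone (dig +dnssec +multiline of each signed RRset piped into parse_rrsig), the "expiring" state is the one worth alerting on: at that point the zone still validates and nothing else looks wrong.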
DNSSEC: signing (4/4)
- Publish the KSK's fingerprint (the DS record) in the parent zone
$ cat Kexample.com.+007+56193.ds
example.com. IN DS 56193 7 1 c2359ece29082e93c889a7bb454cf068d9b3b64b
- The procedure is specific to each registrar/registry
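A DS record is nothing more than a hash of the KSK's DNSKEY record, so the link between parent and child can be recomputed and checked offline. The following is an added example written for this edition, not code from the talk or from ldns: it implements the key tag of RFC 4034 appendix B and the DS digest of RFC 4034 and RFC 4509 (digest type 1 = SHA-1 as on this slide, 2 = SHA-256). Since the real keys on the slides are truncated, the DNSKEY fed in below is a constructed toy key with three bytes of public key; the functions accept any real DNSKEY.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 and RFC 4509).
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed toy KSK: flags 257 (KSK), protocol 3, algorithm 7 (RSASHA1-NSEC3-SHA1),
# and a 3-byte "public key" (base64 of 0x01 0x02 0x03). Not a usable RSA key.
TOY_OWNER = "example.com."
TOY_KEY = (257, 3, 7, "AQID")


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag of RFC 4034 appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest carried in the DS RR: digest(owner wire name || DNSKEY RDATA)."""
    h = DS_DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """The DS record to hand to the registrar, in presentation format."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_matches_dnskey(ds_line: str, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """Check a DS as published by the parent against the child's DNSKEY: this is
    the chain-of-trust link a validating resolver verifies at each delegation."""
    fields = ds_line.split()
    # DS RDATA is the last four fields: key tag, algorithm, digest type, digest.
    tag, alg, dtype, digest = int(fields[-4]), int(fields[-3]), int(fields[-2]), fields[-1].lower()
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return tag == key_tag(rdata) and alg == algorithm and ds_digest(owner, rdata, dtype) == digest


if __name__ == "__main__":
    ds = make_ds(TOY_OWNER, *TOY_KEY, digest_type=1)
    print(ds)
    print("matches:", ds_matches_dnskey(ds, TOY_OWNER, *TOY_KEY))
```

Feed it the DNSKEY from the .key file and the DS the parent actually serves (as the +trace on the next slide shows) and the comparison is exact; the hex case differs between ldns output and what the .com servers return, which is why the digest is lower-cased before comparing.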
DNSSEC: verification
$ dig example.com DS +trace
[...]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58524
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
[...]
example.com. 1809 IN DS 56193 7 1 C2359ECE29082E93C889A7BB454CF068D9B3B64B
[...]
;; Received 938 bytes from 192.48.79.30#53(j.gtld-servers.net) in 263 ms
$ dig clermontech.example.com TXT +dnssec +multiline
[...]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19065
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[...]
clermontech.example.com. 589 IN TXT "Can I haz b33r plz ?"
clermontech.example.com. 589 IN RRSIG TXT 7 3 600 20131115163332 (
        20131018163332 61568 example.com.
        dWBHbovckiVKic2HMl5WqqInyPE3dKoFzBNxdeTATINe
        [...]
        nKpBkMX1yv3cVam+dp8t/LRQHn5m3oBa2r+rgzg= )
DNSSEC: pitfalls and limits
- Vigilance
  - Chain of trust
  - Protecting and rolling over keys and signatures
- Traps
  - DNS64
  - Broken middleboxes and recursors (or admins)
- Performance
  - Validation latency (measurements still to be done)
DNSSEC: what next?
- SSHFP
  - Automatic verification of SSH host key fingerprints
  $ ssh-keygen -r srv.example.com.
  srv.example.com IN SSHFP 3 1 a925ad229e7005206056711cc1d5cfc98031c2fb
  srv.example.com IN SSHFP 3 2 c40675c571f4040f7cb91ad0ed6b1284f9a0477010f95e93829c4495c08f7706
- DANE
  - Verification of TLS certificate fingerprints
  - Replacing certificate authorities
Conclusion
Links:
- http://www.internetsociety.org/deploy360/dnssec
- http://www.opendnssec.org/
- https://github.com/bortzmeyer/key-checker
- http://dnsviz.net/