Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<str<strong>on</strong>g>Hands</str<strong>on</strong>g>-<strong>on</strong> <strong>DNSSEC</strong> <strong>with</strong> <strong>DNSViz</strong><br />
Casey Deccio, Verisign Labs<br />
NANOG 66, San Diego<br />
Feb 8, 2016
Preparati<strong>on</strong><br />
• Demo and exercises available at:<br />
• http://dnsviz.net/demo/<br />
• Includes links to the following:<br />
• VirtualBox software<br />
• VirtualBox demo image<br />
• Tutorial exercises<br />
Verisign Public<br />
2
Objectives<br />
• Understand the basics of DNS and <strong>DNSSEC</strong><br />
• Become familiar <strong>with</strong> DNS server and analysis tools<br />
• DiG<br />
• BIND<br />
• <strong>DNSViz</strong><br />
• Learn how tools might be used to routinely analyze/<br />
m<strong>on</strong>itor your DNS health<br />
Verisign Public<br />
3
Caveats<br />
• The exercises range from novice-level to advanced.<br />
• Many of the exercises are more to facilitate understanding<br />
than efficiency.<br />
• The exercises are be meant for learning DNS/<strong>DNSSEC</strong><br />
and related tools, but do not cover all details for proper<br />
DNS/<strong>DNSSEC</strong> maintenance.<br />
Verisign Public<br />
4
DNS Overview<br />
Verisign Public<br />
5
DNS Namespace<br />
• Namespace is organized<br />
hierarchically<br />
• DNS root is top of<br />
namespace<br />
• Z<strong>on</strong>es are aut<strong>on</strong>omously<br />
managed pieces of DNS<br />
namespace<br />
• Subdomain namespace is<br />
delegated to child z<strong>on</strong>es<br />
com<br />
example.com<br />
.<br />
net<br />
example.net<br />
Verisign Public<br />
6
DNS Name Resoluti<strong>on</strong><br />
• Resolvers query authoritative servers<br />
• Queries begin at root z<strong>on</strong>e, resolvers follow<br />
downward referrals<br />
• Resolver stops when it receives authoritative<br />
answer<br />
stub resolver<br />
Query: example.com/A ?<br />
Answer: 192.0.2.16<br />
recursive<br />
resolver<br />
r<br />
e<br />
f<br />
e<br />
r<br />
r<br />
a<br />
l<br />
s<br />
…<br />
.<br />
…<br />
com<br />
…<br />
example.com<br />
authoritative servers<br />
Verisign Public<br />
7
Virtual Envir<strong>on</strong>ment Initializati<strong>on</strong><br />
• Unzip dnsviz-demo-v2.zip<br />
• Open dnsviz-demo-v2/dnsviz-demo-v2.vbox<br />
• “Start” VM<br />
• Enlarge screen<br />
• Double-click “Tutorial Exercises” file<br />
• (Exercises 0.1 – 0.2)<br />
• Open “Terminal Emulator”<br />
• Change to “demo” directory<br />
$ cd demo<br />
Verisign Public<br />
8
Query DNS Servers (1.1 – 1.5)<br />
$ dig @a.root-servers.net example.com<br />
query a specific server<br />
(rather than querying your<br />
c<strong>on</strong>figured resolver)<br />
$ dig @a.gtld-servers.net example.com<br />
no record type specified,<br />
so default type<br />
“A” (address) is used<br />
$ dig @a.iana-servers.net example.com<br />
$ dig example.com<br />
no server is explicitly<br />
designated, so query<br />
goes to local resolver<br />
$ dig @a.iana-servers.net foobar.example.com<br />
Verisign Public<br />
9
Query a root Server<br />
Verisign Public<br />
10
Query a TLD Server<br />
Verisign Public<br />
11
Query an SLD Server<br />
Verisign Public<br />
12
Query Local Recursive Resolver<br />
Verisign Public<br />
13
Query for a N<strong>on</strong>-existent Name<br />
Verisign Public<br />
14
<strong>DNSSEC</strong> Overview<br />
Verisign Public<br />
15
Public Key Cryptography<br />
• Keys<br />
• Public Key – advertised to every<strong>on</strong>e<br />
• Private Key – kept hidden<br />
• Signatures<br />
• Made by private key<br />
• Validated <strong>with</strong> public key<br />
• Validati<strong>on</strong><br />
• C<strong>on</strong>sumer uses public key, message, and signature to validate<br />
message<br />
Data<br />
Data<br />
Private Key<br />
Sig<br />
Sig<br />
Public Key<br />
Valid or Bogus?<br />
Verisign Public<br />
16
DNS Security Extensi<strong>on</strong>s (<strong>DNSSEC</strong>)<br />
• DNS data signed <strong>with</strong> private keys<br />
• Signatures (RRSIGs) and public keys (DNSKEYs) published in<br />
z<strong>on</strong>e data<br />
• Resolver resp<strong>on</strong>se<br />
• If authentic: Authenticated data (AD) bit is set<br />
• If bogus: SERVFAIL message is returned<br />
Query: example.com/A ?<br />
Query: example.com/A ?<br />
Answer: 192.0.2.16<br />
RRSIG<br />
Query: example.com/DNSKEY ?<br />
validate<br />
Answer: DNSKEY…<br />
RRSIG<br />
example.com<br />
Answer: 192.0.2.16<br />
AD<br />
stub resolver<br />
recursive/validating<br />
resolver<br />
authoritative server<br />
Verisign Public<br />
17
<strong>DNSSEC</strong> Chain of Trust<br />
• DNSKEY must be<br />
authenticated.<br />
• Trust extends through<br />
ancestry to a trust anchor<br />
at resolver.<br />
.<br />
DNSKEY<br />
Z<strong>on</strong>e data<br />
DS<br />
• DS resource record –<br />
provides digest of<br />
DNSKEY in child z<strong>on</strong>e.<br />
• Resolver must start <strong>with</strong><br />
trusted key, at root.<br />
com<br />
DNSKEY<br />
Z<strong>on</strong>e data<br />
DNSKEY<br />
DS<br />
Resolver<br />
trust anchor<br />
example.com<br />
Z<strong>on</strong>e data<br />
Verisign Public<br />
18
Key Roles – KSK/ZSK<br />
• DNSKEY RRset usually<br />
has multiple keys, often<br />
<strong>with</strong> split roles.<br />
• KSK (Key signing key)<br />
• Signs (<strong>on</strong>ly) the DNSKEY<br />
RRset.<br />
• Corresp<strong>on</strong>ds to DS records<br />
in parent, providing “secure<br />
entry point” into z<strong>on</strong>e.<br />
• ZSK (Z<strong>on</strong>e signing key)<br />
• Signs the rest of the z<strong>on</strong>e.<br />
com<br />
example.com<br />
…<br />
DNSKEY<br />
Z<strong>on</strong>e data<br />
DS<br />
DNSKEY (KSK)<br />
DNSKEY (ZSK)<br />
Z<strong>on</strong>e data<br />
Verisign Public<br />
19
Authenticated Denial of Existence<br />
• How do you prove something doesn’t exist?<br />
• “Chain” of names of z<strong>on</strong>e formed using NSEC records.<br />
• NSEC records form comprehensive chain of names (and<br />
their record types) in z<strong>on</strong>e in can<strong>on</strong>ical ordering.<br />
• Server uses NSEC records to prove n<strong>on</strong>-existence.<br />
Query: coc<strong>on</strong>ut.example.com/A ?<br />
NXDOMAIN: banana.example.com/NSEC<br />
Query: example.com/DNSKEY ?<br />
RRSIG<br />
example.com.<br />
apple.example.com.<br />
banana.example.com.<br />
validate<br />
Answer: DNSKEY…<br />
RRSIG<br />
grape.example.com.<br />
Verisign Public<br />
recursive/validating<br />
resolver<br />
example.com<br />
authoritative server<br />
20
Insecure delegati<strong>on</strong>s<br />
• How can <strong>DNSSEC</strong> be<br />
deployed incrementally?<br />
Resolver<br />
DNSKEY<br />
• If child z<strong>on</strong>e is unsigned,<br />
resolver must be able to<br />
prove it is insecure.<br />
• NSEC resource records<br />
provide proof of absence<br />
of DS.<br />
.<br />
DNSKEY<br />
Z<strong>on</strong>e data<br />
DNSKEY<br />
DS<br />
net<br />
Z<strong>on</strong>e data<br />
NSEC/DS<br />
example.com<br />
Z<strong>on</strong>e data<br />
21<br />
Verisign Public<br />
21
Z<strong>on</strong>e Enumerati<strong>on</strong> and NSEC3<br />
• NSEC records allow enumerati<strong>on</strong> of entire z<strong>on</strong>e c<strong>on</strong>tents.<br />
• NSEC3 standard introduces hashed denial of existence.<br />
• Joint effort between Verisign, Nominet (.uk), and DENIC (.de).<br />
• Chain is of hashes of names, not names themselves.<br />
(a hash is the output of a <strong>on</strong>e-way cryptographic functi<strong>on</strong>.)<br />
example.com.<br />
BFO8EKQ9L4V2N4AGI9RCMOTV32J8LJ4C.example.com.<br />
apple.example.com.<br />
V6AVHMGSO0IVEI55QMHIAM276OJJER6L.example.com.<br />
banana.example.com.<br />
VLN8BKFFT1FEVQOLFGOBKJKQA1JVNR86.example.com.<br />
grape.example.com.<br />
VLVVLES7LF0ARNU38OHRUP804KPEAGOE.examplec.com.<br />
example.com<br />
Verisign Public<br />
22
Query for <strong>DNSSEC</strong> Records (2.1 – 2.5)<br />
$ dig +dnssec +multi @a.iana-servers.net example.com<br />
include <strong>DNSSEC</strong> records<br />
in resp<strong>on</strong>se (e.g., RRSIG)<br />
present resp<strong>on</strong>se in multiline<br />
format <strong>with</strong> comments<br />
(for readability)<br />
query for records of type<br />
“DNSKEY” (<strong>DNSSEC</strong> public key)<br />
instead of the default, “A” (address)<br />
$ dig +dnssec +multi @a.iana-servers.net example.com DNSKEY<br />
$ dig +dnssec +multi @a.gtld-servers.net example.com DS<br />
query a “parent” server because<br />
we’re seeking a DS record<br />
$ dig +dnssec +multi example.com<br />
$ dig +dnssec +multi @a.iana-servers.net foobar.example.com<br />
Verisign Public<br />
23
Query for <strong>DNSSEC</strong> Records (RRSIGs)<br />
Verisign Public<br />
24
Query for <strong>DNSSEC</strong> Records (DNSKEY)<br />
Verisign Public<br />
25
Query for <strong>DNSSEC</strong> Records (DS)<br />
Verisign Public<br />
26
Query for <strong>DNSSEC</strong> Records<br />
Verisign Public<br />
27
Query For <strong>DNSSEC</strong> Records (NSEC)<br />
Verisign Public<br />
28
<strong>DNSViz</strong><br />
Verisign Public<br />
29
DNS Analysis Using <strong>DNSViz</strong><br />
(dnsviz probe command line)<br />
• Queries issued<br />
.<br />
• Referral queries – to learn delegati<strong>on</strong> NS records from parent<br />
• NS queries – to learn authoritative NS records<br />
• DNSKEY/DS queries – for building a <strong>DNSSEC</strong> chain<br />
• A/AAAA/TXT/MX/SOA queries<br />
• Diagnostic queries (special handling of errors, etc.)<br />
• All servers queried<br />
com<br />
• IPv4/IPv6<br />
• UDP/TCP<br />
example.com<br />
r<br />
e<br />
f<br />
e<br />
r<br />
r<br />
a<br />
l<br />
s<br />
output.js<strong>on</strong><br />
Online analysis<br />
$ dnsviz probe example.com<br />
Serialized <strong>on</strong>line<br />
analysis (JSON)<br />
Verisign Public<br />
30
DNS Analysis Using <strong>DNSViz</strong><br />
(dnsviz grok command line)<br />
• Resp<strong>on</strong>ses analyzed (offline)<br />
• Resp<strong>on</strong>siveness<br />
• Query timeouts<br />
• Network errors<br />
• EDNS/fragmentati<strong>on</strong><br />
capabilities<br />
• C<strong>on</strong>sistency<br />
• Across servers<br />
• Between DNSKEY/RRSIG<br />
• Between DNSKEY/DS<br />
• Correctness<br />
• RRSIG<br />
• Expirati<strong>on</strong>/incepti<strong>on</strong> dates<br />
• Cryptographic signature<br />
• DS<br />
• Cryptographic hash<br />
• Negative resp<strong>on</strong>ses<br />
• NSEC proof correctness<br />
• SOA record correctness<br />
output.js<strong>on</strong><br />
output-p.js<strong>on</strong><br />
Serialized <strong>on</strong>line<br />
analysis (JSON)<br />
$ dnsviz grok<br />
Serialized offline<br />
analysis (JSON)<br />
Verisign Public<br />
31
DNS Analysis Using <strong>DNSViz</strong><br />
(dnsviz graph command line)<br />
• Resp<strong>on</strong>ses analyzed (offline)<br />
• Resp<strong>on</strong>siveness<br />
• Query timeouts<br />
• Network errors<br />
• EDNS/fragmentati<strong>on</strong><br />
capabilities<br />
• C<strong>on</strong>sistency<br />
• Across servers<br />
• Between DNSKEY/RRSIG<br />
• Between DNSKEY/DS<br />
• Correctness<br />
• RRSIG<br />
• Expirati<strong>on</strong>/incepti<strong>on</strong> dates<br />
• Cryptographic signature<br />
• DS<br />
• Cryptographic hash<br />
• Negative resp<strong>on</strong>ses<br />
• NSEC proof correctness<br />
• SOA record correctness<br />
output.js<strong>on</strong><br />
Serialized <strong>on</strong>line<br />
analysis (JSON)<br />
$ dnsviz graph Analysis graph<br />
(jpg, png, html)<br />
Verisign Public<br />
32
DNS Analysis Using <strong>DNSViz</strong><br />
(dnsviz print command line)<br />
• Resp<strong>on</strong>ses analyzed (offline)<br />
• Resp<strong>on</strong>siveness<br />
• Query timeouts<br />
• Network errors<br />
• EDNS/fragmentati<strong>on</strong><br />
capabilities<br />
• C<strong>on</strong>sistency<br />
• Across servers<br />
• Between DNSKEY/RRSIG<br />
• Between DNSKEY/DS<br />
• Correctness<br />
• RRSIG<br />
• Expirati<strong>on</strong>/incepti<strong>on</strong> dates<br />
• Cryptographic signature<br />
• DS<br />
• Cryptographic hash<br />
• Negative resp<strong>on</strong>ses<br />
• NSEC proof correctness<br />
• SOA record correctness<br />
output.js<strong>on</strong><br />
Serialized <strong>on</strong>line<br />
analysis (JSON)<br />
$ dnsviz print Color terminal/<br />
text output<br />
Verisign Public<br />
33
Analyze Using dnsviz probe (3.1 – 3.2)<br />
Issue diagnostic queries to<br />
authoritative servers, rather<br />
than recursive servers<br />
$ dnsviz probe -A -a . -p example.com > example.com.js<strong>on</strong><br />
follow referrals<br />
from root (“.”) to<br />
analyze name<br />
make the output<br />
“pretty” (for<br />
readability)<br />
store analysis in file<br />
called<br />
“example.com.js<strong>on</strong>”<br />
$ medit example.com.js<strong>on</strong> &<br />
Verisign Public<br />
34
Analyze Using dnsviz grok (3.3 – 3.4)<br />
make the output<br />
“pretty” (for readability)<br />
read analysis from<br />
“example.com.js<strong>on</strong>”<br />
$ dnsviz grok -p < example.com.js<strong>on</strong> > example.com-p.js<strong>on</strong><br />
store analysis in file called<br />
“example.com-p.js<strong>on</strong>”<br />
$ medit example.com-p.js<strong>on</strong><br />
Verisign Public<br />
35
Analyze Using dnsviz grok (3.5 – 3.6)<br />
show <strong>on</strong>ly<br />
informati<strong>on</strong> that is<br />
of priority “info” or<br />
higher<br />
$ dnsviz grok -l info -p < example.com.js<strong>on</strong> \<br />
> example.com-p1.js<strong>on</strong><br />
$ medit example.com-p1.js<strong>on</strong><br />
Verisign Public<br />
36
Analyze Using dnsviz grok (3.7)<br />
show <strong>on</strong>ly<br />
informati<strong>on</strong> that is<br />
of priority “error” or<br />
higher<br />
display output (if<br />
any) to screen,<br />
instead of<br />
redirecting to file<br />
$ dnsviz grok -l error -p < example.com.js<strong>on</strong><br />
Verisign Public<br />
37
Analyze Using dnsviz graph (3.8 – 3.11)<br />
output interactive<br />
HTML format<br />
D<strong>on</strong>’t use any<br />
trust anchor<br />
$ dnsviz graph -Thtml -t /dev/null < example.com.js<strong>on</strong> \<br />
> example.com.html<br />
$ firefox example.com.html &<br />
$ dnsviz graph -Thtml -t tk.txt < example.com.js<strong>on</strong> \<br />
> example.com.html<br />
anchor trust<br />
<strong>with</strong> root KSK<br />
$ firefox example.com.html &<br />
Verisign Public<br />
38
Analyze Using dnsviz print (3.12 – 3.13)<br />
D<strong>on</strong>’t use any<br />
trust anchor<br />
$ dnsviz print -t /dev/null < example.com.js<strong>on</strong><br />
$ dnsviz print -t tk.txt < example.com.js<strong>on</strong><br />
anchor trust<br />
<strong>with</strong> root KSK<br />
Verisign Public<br />
39
View dnsviz probe Output<br />
Verisign Public<br />
40
View dnsviz probe Output<br />
Verisign Public<br />
41
View dnsviz probe Output<br />
Verisign Public<br />
42
View dnsviz grok Output<br />
Verisign Public<br />
43
View dnsviz grok Output<br />
Verisign Public<br />
44
View dnsviz grok Output<br />
Verisign Public<br />
45
View dnsviz grok Output<br />
Verisign Public<br />
46
View dnsviz grok Output<br />
Verisign Public<br />
47
View dnsviz graph Output<br />
Verisign Public<br />
48
View dnsviz graph Output<br />
Verisign Public<br />
49
View dnsviz graph Output<br />
Verisign Public<br />
50
View dnsviz print Output<br />
Verisign Public<br />
51
View dnsviz print Output<br />
Verisign Public<br />
52
Signing a DNS Z<strong>on</strong>e<br />
Verisign Public<br />
53
Setup Virtual DNS Envir<strong>on</strong>ment (4.1 – 4.2)<br />
$ ./start_all<br />
(Wait for all three<br />
c<strong>on</strong>soles to come up)<br />
Host<br />
VirtualBox Guest<br />
UML Guest<br />
UML Guest<br />
UML Guest<br />
Change directory for<br />
all three c<strong>on</strong>soles:<br />
root, tld1, sld1<br />
$ cd /etc/bind<br />
Verisign Public<br />
54
Setup Virtual DNS Envir<strong>on</strong>ment (4.3)<br />
$ ./dns_change_root local<br />
(point DNS root hints and trusted<br />
keys to internal root server)<br />
virtual switch<br />
virtual switch<br />
VirtualBox Guest<br />
UML Guest<br />
“root1”<br />
Host<br />
UML Guest<br />
“tld1”<br />
UML Guest<br />
“sld1”<br />
Verisign Public<br />
55
Analyze example.com in Local Envir<strong>on</strong>ment (4.4 –<br />
4.6)<br />
Specify<br />
addresses for<br />
alternate (local)<br />
root servers<br />
Pipe results directly to<br />
dnsviz graph,<br />
rather than redirecting<br />
to file<br />
$ dnsviz probe -A -a .<br />
-x .:root1=192.168.213.10,root1=fd02:f00d:8::10 example.com | \<br />
dnsviz graph -Thtml -O -t tk-local.txt<br />
Output analysis to<br />
file named<br />
“example.com.html”<br />
Use local trust anchor,<br />
rather than the <strong>on</strong>e for the<br />
public root<br />
$ ./dnsviz_analyze example.com (script included for simplificati<strong>on</strong>)<br />
$ firefox example.com.html &<br />
Verisign Public<br />
56
View dnsviz graph Output<br />
Verisign Public<br />
57
Add Records to example.com Z<strong>on</strong>e (5.1 – 5.4)<br />
• Add A records for names “a”, “c”, and “e” (<strong>on</strong> sld1)<br />
(hint: see existing record for “www”)<br />
# nano db.example.com<br />
or<br />
# vi db.example.com<br />
• Check z<strong>on</strong>e<br />
# named-checkz<strong>on</strong>e example.com db.example.com<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
• Check that record shows up (query from VirtualBox guest)<br />
$ dig @sld1 a.example.com<br />
Verisign Public<br />
58
Add Records to example.com Z<strong>on</strong>e<br />
Verisign Public<br />
59
Add Records to example.com Z<strong>on</strong>e<br />
Verisign Public<br />
60
Create <strong>DNSSEC</strong> Keys for example.com Z<strong>on</strong>e (6.1<br />
– 6.3)<br />
(<strong>on</strong> sld1)<br />
Set the “SEP”<br />
bit for this<br />
DNSKEY<br />
Use algorithm<br />
RSASHA256<br />
for signing<br />
Create a<br />
2048-bit key<br />
# KSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 \<br />
-r /dev/urandom example.com`<br />
No “SEP” bit<br />
here<br />
Create a<br />
1024-bit key<br />
# ZSK=`dnssec-keygen -n ZONE -a RSASHA256 -b 1024 \<br />
-r /dev/urandom example.com`<br />
# ls $KSK* $ZSK*<br />
Verisign Public<br />
61
Add DNSKEY Records to example.com Z<strong>on</strong>e (6.4<br />
– 6.9)<br />
• Look at DNSKEY records (<strong>on</strong> sld1):<br />
# cat $KSK.key $ZSK.key<br />
• Add DNSKEY records to z<strong>on</strong>e<br />
# cat $KSK.key $ZSK.key >> db.example.com<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
• Re-analyze<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
$ dig +noall +comment +ad example.com<br />
Verisign Public<br />
62
Create <strong>DNSSEC</strong> keys for example.com<br />
Verisign Public<br />
63
Create <strong>DNSSEC</strong> keys for example.com<br />
Verisign Public<br />
64
View dnsviz graph Output: DNSKEYs <strong>with</strong> no RRSIGs<br />
Verisign Public<br />
65
View dig Output: no AD bit<br />
Verisign Public<br />
66
Sign Records in example.com Z<strong>on</strong>e (7.1 – 7.4)<br />
• Sign z<strong>on</strong>e (sld1)<br />
Use pseudo-random<br />
entropy source (not for<br />
producti<strong>on</strong> use)<br />
# dnssec-signz<strong>on</strong>e -r /dev/urandom \<br />
-k $KSK -o example.com db.example.com $ZSK<br />
Sign <strong>on</strong>ly DNSKEY<br />
records <strong>with</strong> this key<br />
• Point named.c<strong>on</strong>f to signed z<strong>on</strong>e file<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
Sign entire z<strong>on</strong>e<br />
<strong>with</strong> this key<br />
# sed -i -e ‘s:/db.example.com:&.signed:’ named.c<strong>on</strong>f.local<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
$ dig +noall +comment +ad example.com<br />
Verisign Public<br />
67
View dnsviz graph Output: Signed example.com Z<strong>on</strong>e<br />
Verisign Public<br />
68
View dig Output: no AD bit<br />
Verisign Public<br />
69
Generate DS Records for example.com (8.1 – 8.2)<br />
• Create/copy DS records (<strong>on</strong> sld1)<br />
# dnssec-dsfromkey $KSK<br />
Verisign Public<br />
70
Add DS Records for example.com (8.3a – 8.3c)<br />
• Add DS records to “example” z<strong>on</strong>e (<strong>on</strong> tld1)<br />
# nano dsset-example.com.<br />
Verisign Public<br />
71
Sign Records in “example.com” Z<strong>on</strong>e (8.4 – 8.5)<br />
• Sign z<strong>on</strong>e (<strong>on</strong> tld1)<br />
# ./resign_tld<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
$ dig +noall +comment +ad example.com<br />
Verisign Public<br />
72
View dnsviz graph Output: Full Chain of Trust<br />
Verisign Public<br />
73<br />
73
View dig Output: AD bit<br />
Verisign Public<br />
74
Fun <strong>with</strong> <strong>DNSViz</strong><br />
Verisign Public<br />
75
Use KSK to Only Sign DNSKEY RRset (9.1 – 9.3)<br />
D<strong>on</strong>’t sign z<strong>on</strong>e<br />
data <strong>with</strong> KSK<br />
# dnssec-signz<strong>on</strong>e -x -r /dev/urandom \<br />
-k $KSK -o example.com db.example.com $ZSK<br />
# service bind9 reload<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
$ dig +noall +comment +ad example.com<br />
Verisign Public<br />
76
View dnsviz graph Output: KSK-<strong>on</strong>ly<br />
Verisign Public<br />
77
View dig Output: AD bit<br />
Verisign Public<br />
78
Add New KSK to example.com Z<strong>on</strong>e (9.4 – 9.8)<br />
• Generate new KSK:<br />
# NEWKSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 \<br />
-r /dev/urandom example.com`<br />
# cat $NEWKSK.key >> db.example.com<br />
• Re-sign z<strong>on</strong>e:<br />
# dnssec-signz<strong>on</strong>e -x -r /dev/urandom \<br />
-k $KSK -o example.com db.example.com $ZSK<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
$ dig +noall +comment +ad example.com<br />
Verisign Public<br />
79
View dnsviz graph Output: Standby KSK<br />
Verisign Public<br />
80
View dig Output: AD bit<br />
Verisign Public<br />
81
Add New KSK to example.com Z<strong>on</strong>e (9.9 – 9.11)<br />
• Re-sign z<strong>on</strong>e <strong>with</strong> two KSKs:<br />
# dnssec-signz<strong>on</strong>e -x -r /dev/urandom \<br />
-k $KSK -k $NEWKSK -o example.com db.example.com $ZSK<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
$ dig +noall +comment +ad example.com<br />
Verisign Public<br />
82
View dnsviz graph Output: Multiple KSKs<br />
Verisign Public<br />
83
View dig Output: AD bit<br />
Verisign Public<br />
84
Change KSK for example.com Z<strong>on</strong>e (9.12 – 9.14)<br />
• Sign <strong>with</strong> <strong>on</strong>ly the sec<strong>on</strong>d KSK:<br />
# dnssec-signz<strong>on</strong>e -x -r /dev/urandom \<br />
-k $NEWKSK -o example.com db.example.com $ZSK<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
$ dig +noall +comment +ad example.com<br />
Verisign Public<br />
85
View dnsviz graph Output: DS Mismatch<br />
Verisign Public<br />
86
View dig Output: SERVFAIL<br />
Verisign Public<br />
87
Tamper <strong>with</strong> Record C<strong>on</strong>tent (9.15 – 9.17)<br />
• Change SOA record:<br />
# sed -i -e ‘s/root.localhost/root1.localhost/’ \<br />
db.example.com.signed<br />
# service bind9 reload<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
Verisign Public<br />
88
View dnsviz graph Output: Invalid Signatures<br />
Verisign Public<br />
89
Change RRSIG Expirati<strong>on</strong> (9.18 – 9.21)<br />
• Set the RRSIG expirati<strong>on</strong> explicitly to 1 sec<strong>on</strong>d from “now”<br />
# dnssec-signz<strong>on</strong>e -x -e now+1 -r /dev/urandom \<br />
-k $NEWKSK -o example.com db.example.com $ZSK<br />
• Manipulate (again) SOA record<br />
# sed -i -e ‘s/root.localhost/root1.localhost/’ \<br />
db.example.com.signed<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
Verisign Public<br />
90
View dnsviz graph Output: Expired RRSIGs<br />
Verisign Public<br />
91
Remove RRSIGs (9.22 – 9.25)<br />
• Remove RRSIG covering AAAA record (<strong>on</strong> sld1)<br />
# nano db.example.com.signed<br />
or<br />
# vi db.example.com.signed<br />
• Check z<strong>on</strong>e<br />
# named-checkz<strong>on</strong>e example.com db.example.com.signed<br />
• Reload z<strong>on</strong>e<br />
# service bind9 reload<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
Verisign Public<br />
92
Remove RRSIG for AAAA Record from Z<strong>on</strong>e<br />
Verisign Public<br />
93
View dnsviz graph Output: Missing RRSIGs<br />
Verisign Public<br />
94
Modify TCP C<strong>on</strong>nectivity (9.26 – 9.27)<br />
• Reject TCP c<strong>on</strong>necti<strong>on</strong> requests<br />
# ip6tables -A INPUT -m state --state NEW -p tcp \<br />
--dport 53 -j REJECT<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
Verisign Public<br />
95
View dnsviz graph Output: No TCP<br />
Verisign Public<br />
96
Modify Path MTU (9.28 – 9.29)<br />
• Drop UDP resp<strong>on</strong>ses <strong>with</strong> payloads larger than 512 bytes<br />
# iptables -A OUTPUT -p udp --sport 53 \<br />
-m length --length 540:65535 -j DROP<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
Verisign Public<br />
97
View dnsviz graph Output: Low PMTU<br />
Verisign Public<br />
98
Add Lame Delegati<strong>on</strong> (9.30 – 9.32)<br />
• Add sec<strong>on</strong>d delegati<strong>on</strong> NS record for example.com in<br />
com z<strong>on</strong>e (<strong>on</strong> tld1)<br />
# nano db.com<br />
or<br />
# vi db.com<br />
• Sign com z<strong>on</strong>e (<strong>on</strong> tld1)<br />
# ./resign_tld<br />
$ ./dnsviz_analyze example.com<br />
$ firefox example.com.html &<br />
Verisign Public<br />
99
Add Sec<strong>on</strong>d NS Record for example.com<br />
Verisign Public<br />
100
View dnsviz graph Output: Lame Delegati<strong>on</strong><br />
Verisign Public<br />
101
Graph Only Select RRsets (9.33)<br />
Only graph A and<br />
AAAA RRsets<br />
$ dnsviz graph -R A,AAAA -Thtml -O -t tk-local.txt < \<br />
example.com-working.js<strong>on</strong><br />
$ firefox example.com.html &<br />
Verisign Public<br />
102
View dnsviz graph Output: Select RRsets<br />
Verisign Public<br />
103
Analyze <strong>with</strong> dnsviz print (9.34)<br />
$ dnsviz print -R A,AAAA -t tk-local.txt < \<br />
example.com-working.js<strong>on</strong><br />
Verisign Public<br />
104
View dnsviz graph Output: Select RRsets<br />
Verisign Public<br />
105
<strong>DNSViz</strong> Recursive Server Analysis<br />
Verisign Public<br />
106
Analyze example.com <strong>on</strong> Recursive Server (10.1)<br />
No “-A” opti<strong>on</strong><br />
means query<br />
recursive servers<br />
$ dnsviz probe example.com | dnsviz graph -Thtml -O -t tk-local.txt<br />
$ firefox example.com.html &<br />
Verisign Public<br />
107
View dnsviz graph Output: Recursive<br />
Verisign Public<br />
108
<strong>DNSViz</strong> Programmatic Analysis<br />
Verisign Public<br />
109
dnsviz probe Revisited (11.1)<br />
$ medit example.com-working.js<strong>on</strong> &<br />
or<br />
$ vi example.com-working.js<strong>on</strong><br />
Verisign Public<br />
110
View dnsviz probe Output: Diagnostic Query History<br />
Verisign Public<br />
111
View dnsviz probe Output: Diagnostic Query History<br />
Verisign Public<br />
112
dnsviz grok Revisited (10.3 – 10.4)<br />
$ dnsviz grok -l warning -p < example.com-broken.js<strong>on</strong> \<br />
> example.com-working-p.js<strong>on</strong><br />
$ medit example.com-working-p.js<strong>on</strong> &<br />
or<br />
$ vi example.com-working-p.js<strong>on</strong><br />
Verisign Public<br />
113
View dnsviz grok Output: Errors, Warnings, Statuses<br />
Verisign Public<br />
114
View dnsviz grok Output: Errors, Warnings, Statuses<br />
Verisign Public<br />
115
View dnsviz grok Output: Errors, Warnings, Statuses<br />
Verisign Public<br />
116
M<strong>on</strong>itoring <strong>with</strong> <strong>DNSViz</strong><br />
• Sample script uses combinati<strong>on</strong> of dnsviz get and dnsviz<br />
graph, e.g., for use <strong>with</strong> cr<strong>on</strong><br />
#!/bin/sh<br />
name=$1<br />
date=`date +%Y%m%d%H%M%S`<br />
probe_out=/tmp/$name-probe-$date.js<strong>on</strong><br />
grok_out=/tmp/$name-grok-$date.js<strong>on</strong><br />
graph_out=/tmp/$name-graph-$date.png<br />
dnsviz probe -A -d 0 -p $name > $probe_out<br />
dnsviz grok -l warning -p $name < $probe_out > $grok_out<br />
if (( $( stat -c %s $grok_out ) > 0 )); then<br />
dnsviz graph -Tpng -o $graph_out $name $name < $probe_out<br />
gzip $probe_out<br />
cat $grok_out | \<br />
mutt -s “Problems <strong>with</strong> $name” -a $graph_out $grok_out.gz -- \<br />
joe@example.com<br />
fi<br />
rm $probe_out* $grok_out $graph_out<br />
Verisign Public<br />
117
Summary<br />
• Understanding and analyzing DNS and <strong>DNSSEC</strong> can be<br />
complex.<br />
• DiG, BIND, <strong>DNSViz</strong>, and other tools can aid in<br />
understanding, troubleshooting, and m<strong>on</strong>itoring.<br />
• Maintain and m<strong>on</strong>itor your DNS z<strong>on</strong>es!<br />
Verisign Public
Further Informati<strong>on</strong> <strong>on</strong> <strong>DNSViz</strong><br />
• Source: https://github.com/dnsviz/dnsviz (License: GPLv2)<br />
• Online versi<strong>on</strong>: http://dnsviz.net/<br />
• Mailing list: https://groups.google.com/d/forum/dnsviz-users<br />
Verisign Public<br />
119
© 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of<br />
VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.