Hands-on DNSSEC with DNSViz

Recommendations

Info

DNSSEC Chain of Trust • DNSKEY must be authenticated. • Trust extends through ancestry to a trust anchor at resolver. . DNSKEY Zone data DS • DS resource record – provides digest of DNSKEY in child zone. • Resolver must start with trusted key, at root. com DNSKEY Zone data DNSKEY DS Resolver trust anchor example.com Zone data Verisign Public 18
Key Roles – KSK/ZSK • DNSKEY RRset usually has multiple keys, often with split roles. • KSK (Key signing key) • Signs (only) the DNSKEY RRset. • Corresponds to DS records in parent, providing “secure entry point” into zone. • ZSK (Zone signing key) • Signs the rest of the zone. com example.com … DNSKEY Zone data DS DNSKEY (KSK) DNSKEY (ZSK) Zone data Verisign Public 19
Page 1 and 2: Hands-on DNSSEC wi
Page 3 and 4: Objectives • Understand the basic
Page 5 and 6: DNS Overview Verisign Public 5
Page 7 and 8: DNS Name Resolution • Resolvers q
Page 9 and 10: Query DNS Servers (1.1 - 1.5) $ dig
Page 11 and 12: Query a TLD Server Verisign Public
Page 13 and 14: Query Local Recursive Resolver Veri
Page 15 and 16: DNSSEC Overview Verisign Public 15
Page 17: DNS Security Extensions (DNSSEC)
Page 21 and 22: Insecure delegations • How can DN
Page 23 and 24: Query for DNSSEC Records (2.1 - 2.5
Page 25 and 26: Query for DNSSEC Records (DNSKEY) V
Page 27 and 28: Query for DNSSEC Records Verisign P
Page 29 and 30: DNSViz Verisign Public 29
Page 31 and 32: DNS Analysis Using DNSViz (dnsviz g
Page 33 and 34: DNS Analysis Using DNSViz (dnsviz p
Page 35 and 36: Analyze Using dnsviz grok (3.3 - 3.
Page 37 and 38: Analyze Using dnsviz grok (3.7) sho
Page 39 and 40: Analyze Using dnsviz print (3.12 -
Page 41 and 42: View dnsviz probe Output Verisign P
Page 43 and 44: View dnsviz grok Output Verisign Pu
Page 49 and 50: View dnsviz graph Output Verisign P
Page 51 and 52: View dnsviz print Output Verisign P
Page 53 and 54: Signing a DNS Zone Verisign Public
Page 55 and 56: Setup Virtual DNS Environment (4.3)
Page 57 and 58: View dnsviz graph Output Verisign P
Page 59 and 60: Add Records to example.com Zone Ver
Page 61 and 62: Create DNSSEC Keys for example.com
Page 63 and 64: Create DNSSEC keys for example.com
Page 65 and 66: View dnsviz graph Output: DNSKEYs w
Page 67 and 68: Sign Records in example.com Zone (7
Page 69 and 70:
View dig Output: no AD bit Verisign
Page 71 and 72:
Add DS Records for example.com (8.3
Page 73 and 74:
View dnsviz graph Output: Full Chai
Page 75 and 76:
Fun with DNSViz Verisign Public 75
Page 77 and 78:
View dnsviz graph Output: KSK-only
Page 79 and 80:
Add New KSK to example.com Zone (9.
Page 81 and 82:
View dig Output: AD bit Verisign Pu
Page 83 and 84:
View dnsviz graph Output: Multiple
Page 85 and 86:
Change KSK for example.com Zone (9.
Page 87 and 88:
View dig Output: SERVFAIL Verisign
Page 89 and 90:
View dnsviz graph Output: Invalid S
Page 91 and 92:
View dnsviz graph Output: Expired R
Page 93 and 94:
Remove RRSIG for AAAA Record from Z
Page 95 and 96:
Modify TCP Connectivity (9.26 - 9.2
Page 97 and 98:
Modify Path MTU (9.28 - 9.29) • D
Page 99 and 100:
Add Lame Delegation (9.30 - 9.32)
Page 101 and 102:
View dnsviz graph Output: Lame Dele
Page 103 and 104:
View dnsviz graph Output: Select RR
Page 105 and 106:
View dnsviz graph Output: Select RR
Page 107 and 108:
Analyze example.com on Recursive Se
Page 109 and 110:
DNSViz Programmatic Analysis Verisi
Page 111 and 112:
View dnsviz probe Output: Diagnosti
Page 113 and 114:
dnsviz grok Revisited (10.3 - 10.4)
Page 115 and 116:
View dnsviz grok Output: Errors, Wa
Page 117 and 118:
Monitoring with DNSViz • Sample s
Page 119 and 120:
Further Information on DNSViz • S
show all

Hands-on DNSSEC with DNSViz

Create successful ePaper yourself

Delete template?

Save as template?