Hands-on DNSSEC with DNSViz

Recommendations

Info

Authenticated Denial of Existence • How do you prove something doesn’t exist? • “Chain” of names of zone formed using NSEC records. • NSEC records form comprehensive chain of names (and their record types) in zone in canonical ordering. • Server uses NSEC records to prove non-existence. Query: coconut.example.com/A ? NXDOMAIN: banana.example.com/NSEC Query: example.com/DNSKEY ? RRSIG example.com. apple.example.com. banana.example.com. validate Answer: DNSKEY… RRSIG grape.example.com. Verisign Public recursive/validating resolver example.com authoritative server 20
Insecure delegations • How can DNSSEC be deployed incrementally? Resolver DNSKEY • If child zone is unsigned, resolver must be able to prove it is insecure. • NSEC resource records provide proof of absence of DS. . DNSKEY Zone data DNSKEY DS net Zone data NSEC/DS example.com Zone data 21 Verisign Public 21
Page 1 and 2: Hands-on DNSSEC wi
Page 3 and 4: Objectives • Understand the basic
Page 5 and 6: DNS Overview Verisign Public 5
Page 7 and 8: DNS Name Resolution • Resolvers q
Page 9 and 10: Query DNS Servers (1.1 - 1.5) $ dig
Page 11 and 12: Query a TLD Server Verisign Public
Page 13 and 14: Query Local Recursive Resolver Veri
Page 15 and 16: DNSSEC Overview Verisign Public 15
Page 17 and 18: DNS Security Extensions (DNSSEC)
Page 19: Key Roles - KSK/ZSK • DNSKEY RRse
Page 23 and 24: Query for DNSSEC Records (2.1 - 2.5
Page 25 and 26: Query for DNSSEC Records (DNSKEY) V
Page 27 and 28: Query for DNSSEC Records Verisign P
Page 29 and 30: DNSViz Verisign Public 29
Page 31 and 32: DNS Analysis Using DNSViz (dnsviz g
Page 33 and 34: DNS Analysis Using DNSViz (dnsviz p
Page 35 and 36: Analyze Using dnsviz grok (3.3 - 3.
Page 37 and 38: Analyze Using dnsviz grok (3.7) sho
Page 39 and 40: Analyze Using dnsviz print (3.12 -
Page 41 and 42: View dnsviz probe Output Verisign P
Page 43 and 44: View dnsviz grok Output Verisign Pu
Page 49 and 50: View dnsviz graph Output Verisign P
Page 51 and 52: View dnsviz print Output Verisign P
Page 53 and 54: Signing a DNS Zone Verisign Public
Page 55 and 56: Setup Virtual DNS Environment (4.3)
Page 57 and 58: View dnsviz graph Output Verisign P
Page 59 and 60: Add Records to example.com Zone Ver
Page 61 and 62: Create DNSSEC Keys for example.com
Page 63 and 64: Create DNSSEC keys for example.com
Page 65 and 66: View dnsviz graph Output: DNSKEYs w
Page 67 and 68: Sign Records in example.com Zone (7
Page 69 and 70: View dig Output: no AD bit Verisign
Page 71 and 72:
Add DS Records for example.com (8.3
Page 73 and 74:
View dnsviz graph Output: Full Chai
Page 75 and 76:
Fun with DNSViz Verisign Public 75
Page 77 and 78:
View dnsviz graph Output: KSK-only
Page 79 and 80:
Add New KSK to example.com Zone (9.
Page 81 and 82:
View dig Output: AD bit Verisign Pu
Page 83 and 84:
View dnsviz graph Output: Multiple
Page 85 and 86:
Change KSK for example.com Zone (9.
Page 87 and 88:
View dig Output: SERVFAIL Verisign
Page 89 and 90:
View dnsviz graph Output: Invalid S
Page 91 and 92:
View dnsviz graph Output: Expired R
Page 93 and 94:
Remove RRSIG for AAAA Record from Z
Page 95 and 96:
Modify TCP Connectivity (9.26 - 9.2
Page 97 and 98:
Modify Path MTU (9.28 - 9.29) • D
Page 99 and 100:
Add Lame Delegation (9.30 - 9.32)
Page 101 and 102:
View dnsviz graph Output: Lame Dele
Page 103 and 104:
View dnsviz graph Output: Select RR
Page 105 and 106:
View dnsviz graph Output: Select RR
Page 107 and 108:
Analyze example.com on Recursive Se
Page 109 and 110:
DNSViz Programmatic Analysis Verisi
Page 111 and 112:
View dnsviz probe Output: Diagnosti
Page 113 and 114:
dnsviz grok Revisited (10.3 - 10.4)
Page 115 and 116:
View dnsviz grok Output: Errors, Wa
Page 117 and 118:
Monitoring with DNSViz • Sample s
Page 119 and 120:
Further Information on DNSViz • S
show all

Hands-on DNSSEC with DNSViz

Create successful ePaper yourself

Delete template?

Save as template?