Hands-on DNSSEC with DNSViz

Recommendations

Info

Zone Enumeration and NSEC3 • NSEC records allow enumeration of entire zone contents. • NSEC3 standard introduces hashed denial of existence. • Joint effort between Verisign, Nominet (.uk), and DENIC (.de). • Chain is of hashes of names, not names themselves. (a hash is the output of a one-way cryptographic function.) example.com. BFO8EKQ9L4V2N4AGI9RCMOTV32J8LJ4C.example.com. apple.example.com. V6AVHMGSO0IVEI55QMHIAM276OJJER6L.example.com. banana.example.com. VLN8BKFFT1FEVQOLFGOBKJKQA1JVNR86.example.com. grape.example.com. VLVVLES7LF0ARNU38OHRUP804KPEAGOE.examplec.com. example.com Verisign Public 22
Query for DNSSEC Records (2.1 – 2.5) $ dig +dnssec +multi @a.iana-servers.net example.com include DNSSEC records in response (e.g., RRSIG) present response in multiline format with comments (for readability) query for records of type “DNSKEY” (DNSSEC public key) instead of the default, “A” (address) $ dig +dnssec +multi @a.iana-servers.net example.com DNSKEY $ dig +dnssec +multi @a.gtld-servers.net example.com DS query a “parent” server because we’re seeking a DS record $ dig +dnssec +multi example.com $ dig +dnssec +multi @a.iana-servers.net foobar.example.com Verisign Public 23
Page 1 and 2: Hands-on DNSSEC wi
Page 3 and 4: Objectives • Understand the basic
Page 5 and 6: DNS Overview Verisign Public 5
Page 7 and 8: DNS Name Resolution • Resolvers q
Page 9 and 10: Query DNS Servers (1.1 - 1.5) $ dig
Page 11 and 12: Query a TLD Server Verisign Public
Page 13 and 14: Query Local Recursive Resolver Veri
Page 15 and 16: DNSSEC Overview Verisign Public 15
Page 17 and 18: DNS Security Extensions (DNSSEC)
Page 19 and 20: Key Roles - KSK/ZSK • DNSKEY RRse
Page 21: Insecure delegations • How can DN
Page 25 and 26: Query for DNSSEC Records (DNSKEY) V
Page 27 and 28: Query for DNSSEC Records Verisign P
Page 29 and 30: DNSViz Verisign Public 29
Page 31 and 32: DNS Analysis Using DNSViz (dnsviz g
Page 33 and 34: DNS Analysis Using DNSViz (dnsviz p
Page 35 and 36: Analyze Using dnsviz grok (3.3 - 3.
Page 37 and 38: Analyze Using dnsviz grok (3.7) sho
Page 39 and 40: Analyze Using dnsviz print (3.12 -
Page 41 and 42: View dnsviz probe Output Verisign P
Page 43 and 44: View dnsviz grok Output Verisign Pu
Page 49 and 50: View dnsviz graph Output Verisign P
Page 51 and 52: View dnsviz print Output Verisign P
Page 53 and 54: Signing a DNS Zone Verisign Public
Page 55 and 56: Setup Virtual DNS Environment (4.3)
Page 57 and 58: View dnsviz graph Output Verisign P
Page 59 and 60: Add Records to example.com Zone Ver
Page 61 and 62: Create DNSSEC Keys for example.com
Page 63 and 64: Create DNSSEC keys for example.com
Page 65 and 66: View dnsviz graph Output: DNSKEYs w
Page 67 and 68: Sign Records in example.com Zone (7
Page 69 and 70: View dig Output: no AD bit Verisign
Page 71 and 72: Add DS Records for example.com (8.3
Page 73 and 74:
View dnsviz graph Output: Full Chai
Page 75 and 76:
Fun with DNSViz Verisign Public 75
Page 77 and 78:
View dnsviz graph Output: KSK-only
Page 79 and 80:
Add New KSK to example.com Zone (9.
Page 81 and 82:
View dig Output: AD bit Verisign Pu
Page 83 and 84:
View dnsviz graph Output: Multiple
Page 85 and 86:
Change KSK for example.com Zone (9.
Page 87 and 88:
View dig Output: SERVFAIL Verisign
Page 89 and 90:
View dnsviz graph Output: Invalid S
Page 91 and 92:
View dnsviz graph Output: Expired R
Page 93 and 94:
Remove RRSIG for AAAA Record from Z
Page 95 and 96:
Modify TCP Connectivity (9.26 - 9.2
Page 97 and 98:
Modify Path MTU (9.28 - 9.29) • D
Page 99 and 100:
Add Lame Delegation (9.30 - 9.32)
Page 101 and 102:
View dnsviz graph Output: Lame Dele
Page 103 and 104:
View dnsviz graph Output: Select RR
Page 105 and 106:
View dnsviz graph Output: Select RR
Page 107 and 108:
Analyze example.com on Recursive Se
Page 109 and 110:
DNSViz Programmatic Analysis Verisi
Page 111 and 112:
View dnsviz probe Output: Diagnosti
Page 113 and 114:
dnsviz grok Revisited (10.3 - 10.4)
Page 115 and 116:
View dnsviz grok Output: Errors, Wa
Page 117 and 118:
Monitoring with DNSViz • Sample s
Page 119 and 120:
Further Information on DNSViz • S
show all

Hands-on DNSSEC with DNSViz

Create successful ePaper yourself

Delete template?

Save as template?