DNSSEC at Mozilla

This document summarizes a presentation given by Shyam Mani from Mozilla at NANOG 51 on implementing DNSSEC. The presentation covers the basics of DNSSEC (the new resource records, the keys, and how they relate), the setup steps (generating keys, signing zones, and configuring BIND), things to check first (that your TLD, registrar and software support DNSSEC, and that you have a backup plan), and mistakes made during the rollout at Mozilla, such as publishing the DS record before the zones were signed.


DNSSEC @ Mozilla

NANOG 51

Shyam Mani [email protected]

about:mozilla

Agenda

The Basics
Implementation
What we (I) messed up

The What and the Why

DNS Security Extensions

rfc 4033
Based on public key crypto
http://en.wikipedia.org/wiki/DNSSEC

Why: DNS cache poisoning, phishing
DNS wasn't created for today's world

What's new?

4 new RRs - rfc 4034

DNSKEY
DS
NSEC/NSEC3 (NSEC3, the hashed alternative to NSEC, is defined in rfc 5155)
RRSIG

What's new?

Keys - Public and Private

Key Signing Key - KSK
Zone Signing Key - ZSK
Algorithms
Rollovers
Operational Practices - rfc 4641

Relationships

Before you leap...

Check if your TLD has been signed
Check with your registrar about DNSSEC
Make sure your software works (bind, unbound, opendnssec)

Else you're an Island of Trust: without a DS in the parent zone, validating resolvers cannot build a chain of trust to your keys

You might have to poke a bit: http://bit.ly/dnssecorg

Setup - Before

Setup - After

Commands

Generate keys (the KSK first, then the ZSK; -3 picks an NSEC3-capable algorithm):

    dnssec-keygen -K /mozilla.org/ -3 -n ZONE -f KSK mozilla.org
    dnssec-keygen -K /mozilla.org/ -3 -n ZONE mozilla.org

Modify times (if needed; -A sets the activation date):

    dnssec-settime -A +6mo <keyid>

Sign your zones ("salt" stands in for a hex-encoded NSEC3 salt: -3 takes a hex string, or "-" for no salt; -H 1 sets the number of extra hash iterations; -a verifies the signatures after signing; the output file defaults to mozilla.org.signed):

    dnssec-signzone -S -K /mozilla.org/ -o mozilla.org -a -t -u -3 salt -H 1 mozilla.org

Changes to bind - named.conf (the first two statements go in the options block; dnssec-validation only matters if the same named also answers recursive queries):

    dnssec-enable yes;
    dnssec-validation yes;

    zone "mozilla.org" IN {
        type master;
        file "mozilla.org.signed";
    };

Steps

Upgrade bind across the board
Kick off signer
DNS servers pick up changes and restart
Profit!!oneone!!

Verify!

http://dnsviz.net/d/mozilla.org/dnssec/

Sandia National Labs

Things to be aware of

Keys are everything, protect them
Make sure you have a backup plan
Eventually, you run the risk of your entire domain being unreachable
Sign (zones), publish (zones), then push (DS)
Network equipment might need changes; e.g. the Cisco ASA default DNS inspection caps replies at 512 bytes, which drops the larger EDNS0 responses that DNSSEC needs, so raise it:

    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 4096
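The DNSKEY/DS relationship behind "sign, publish, then push (DS)", as an added example in Python (not code from the deck or from Mozilla): it derives the key tag (rfc 4034 Appendix B) and the DS digest (rfc 4034 section 5, SHA-256 per rfc 4509) from a DNSKEY, and gives a pre-flight check that the DS you are about to hand to the registrar matches a DNSKEY that is actually published and signed. The DNSKEY line in the demo is constructed (flags 257, algorithm 8, placeholder key bytes), not a real key; the function names are this example's own.

```python
"""Derive the key tag and DS record for a DNSKEY, and check a DS before pushing it.

Added example for the DNSKEY/DS relationship; not code from the NANOG 51 deck.
The DNSKEY used in the demo is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B.1: sum of the 16-bit words, folded into 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line as printed by dig; TTL and class are optional."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey_b64 = "".join(tokens[i + 4:])  # dig may wrap the key across whitespace
    return tokens[0], flags, protocol, algorithm, pubkey_b64


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest); the digest covers owner name + RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_line(owner, ds):
    """Presentation form of a DS record, ready to hand to the registrar."""
    return "%s IN DS %d %d %d %s" % (owner.rstrip(".") + ".", ds[0], ds[1], ds[2], ds[3])


def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """Pre-flight check: does this DS point at the given (published, signed) DNSKEY?"""
    if ds[2] not in DIGEST_ALGS:
        return False
    return ds == make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=ds[2])


if __name__ == "__main__":
    # Constructed KSK line (flags 257 = KSK, algorithm 8); the key bytes are a placeholder.
    ksk = parse_dnskey("mozilla.org. 3600 IN DNSKEY 257 3 8 AQIDBA==")
    ds = make_ds(*ksk)
    print(ds_line(ksk[0], ds))
    print("DS matches published KSK:", ds_matches(ds, *ksk))
```

In practice the DNSKEY fed to ds_matches is the one each authoritative server actually returns (dig +dnssec DNSKEY against every nameserver, after the signed zone has propagated), and the DS goes to the registrar only once every server agrees; pushing the DS first is exactly the "DS was live, no signed zones" failure the deck describes, because resolvers then expect signatures the zone does not carry.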

boo-boo(s)

DS was live, no signed zones (aka Security Lameness)
Log levels

boo-boo(s)

Of course, everyone on twitter notices and #fails you.

boo-boo(s)

Moving forward...

Thanks!
http://people.mozilla.org/~shyam/presentations/nanog-51-2011-nal.pdf
