| DNSSEC |
| Why DNSSEC? |
| Outline |
| DNS: Known Concepts |
| Reminder: DNS Resolving |
| DNS: Data Flow |
| DNS Vulnerabilities |
| DNS Protocol Vulnerability |
| Motivation for DNSSEC |
| DNSSEC Current State |
| DNSSEC Mechanisms to Authenticate Servers |
| TSIG Protected Vulnerabilities |
| Transaction Signature: TSIG |
| TSIG example |
| Authenticating Servers Using SIG0 |
| Summary: Steps to TSIG Configuration |
| Importance of the Time Stamp |
| TSIG: Questions? |
| DNSSEC Mechanisms to Establish Authenticity and Integrity of Data |
| Vulnerabilities protected by KEY / SIG / NXT |
| DNSSEC Summary on 1 page |
| Authenticity and Integrity of Data |
| Public Key Crypto Reminder |
| Public Key Crypto Issues |
| New Resource Records for DNSSEC |
| DNSSEC New RRs |
| Other Keys in the DNS |
| Recap: RRs and RRsets |
| KEY RDATA |
| SIG RDATA |
| NXT RDATA |
| NXT Record |
| Meaning of NXT |
| FYI: NXT opt-in Variant |
| NXT opt-in Variant |
| New DNS RRs: Questions? |
| DNSSEC Signing of a Local Zone |
| DNSSEC Signing of a Local Zone |
| Locally Signed Zone |
| Locally Secured Zones |
| Signing Local Zone: Questions? |
| Delegating Signing Authority |
| Using the DNS to Distribute Keys |
| Chain of Trust |
| SIG RDATA Recap for next slides |
| Delegation Signer (DS) |
| DS RDATA |
| Delegating Signing Authority |
| Key / Zone Signing Keys |
| Chain of Trust Verification, Summary |
| Walking the Chain of Trust |
| RFC3090 Terminology |
| Insecure Children |
| Illustrated Terminology |
| Building the Chain of Trust |
| Parental signature adopting orphans carefully… |
| The DNS is not a Public Key Infrastructure (PKI) |
| The DNS is not a PKI (cont'd) |
| DS: Questions? |
| Key Exchange and Rollovers |
| Why Key Exchange |
| Private Key Compromise |
| Short Signature Life Time |
| Key Rollover (part 1) |
| Key Rollover (part 2) |
| Timing of the Scheduled Key Rollover |
| Scheduled Key Rollover Issues |
| Unscheduled Rollover Problems |
| Key Rollover: Questions? |
| Extra: NXT RR and Wildcard Issues |
| Not just one NXT RR in your response |
| Recap Wildcards |
| Proving Non-existence of a wildcard (1) |
| Proving Non-existence of a wildcard (2) |
| Proving Non-existence of a wildcard (3) |
| NXT / wildcards: Questions? |
| DNSSEC - Conclusions |
| What Did We Learn |
| Open Issues (the where-shall-I-put-it slide) |
| Additional Resources |
| End of Part I… Questions??? |
| PART II |
| DNSSEC Operations |
| Configuration & installation |
| Server/Named configuration |
| Logging Categories |
| Toolbag The complete set |
| Toolbag: dig For troubleshooting |
| Dig example dig bert.secret-wg.org |
| "Securing host-host communication" |
| TSIG configuration Outline |
| TSIG Toolbag: dnssec-keygen |
| TSIG Toolbag: dnssec-keygen output |
| TSIG configuration steps 1-3 |
| TSIG configuration step 4 |
| TSIG configuration step 5 |
| TSIG Troubleshooting: dig |
| Using TSIG to protect dynamic updates |
| "Securing zones" |
| Setting up a secure zone Outline |
| Resolving in a secured DNS environment |
| Setting up a verifying resolving name server |
| Configuring verifying resolving name servers |
| Testing a verifying forwarder using dig |
| Testing a verifying forwarder dig: an example |
| Troubleshooting client side |
| Troubleshooting Server side |
| Example debugging output |
| Setting up a secure zone Outline |
| Toolbag: dnssec-keygen |
| Toolbag: dnssec-signzone |
| Signing a Zone 1 Creating the KEY |
| Creating the key 2 |
| Setting up a secure zone Outline |
| Signing a Zone 2 Signing the Zone |
| Signing a Zone 2 Publishing Zone |
| Notes on secured zones |
| "Building a secure tree" |
| Task 3 Parent-Child interaction |
| DS RRs for delegation. |
| Delegation of authority |
| DS and key exchanges outline |
| Key exchange 1 Initial Key exchange |
| Key exchange 2 Initial Key exchange parent's considerations |
| Key exchange 3 Parental considerations 2 |
| Key exchange 4 The parental hand work |
| Regular Rollover |
| "Miscellaneous" |
| Key exchange and Key rollover |
| Back at the ranch |
| Net::DNS::SEC Shameless plug |
| Feedback |
| Questions |