[go: up one dir, main page]
|
|
Log in / Subscribe / Register

Adopting DNSSEC

December 14, 2016

This article was contributed by Tom Yates

The Domain Name System (DNS) is an amazing technological achievement, but it suffers from a historical excess of trust, which makes it possible for people who rely on it to be lied to. The DNS Security Extensions (formally DNSSEC-bis, more usually just DNSSEC) are a mechanism for including robust trust information within the DNS. Here we discuss briefly what DNSSEC does, how it does it, and how (and whether) you can use it to secure your domains.

The problem

DNS is the distributed system that maps domain names to IP addresses; it is one the largest distributed databases in the world. However, its design dates back to an earlier era when there was more trust around; specifically, information propagated by the DNS is often cached, while only being validated by checking the IP address of the supplier.

There are at least two problems with this. First, just because a DNS packet comes from the configured resolver is not necessarily a good reason to assume the content is trustworthy. And second, because much DNS information is propagated via UDP, which makes spoofing sender IP addresses trivial, a DNS packet claiming to be from the configured resolver's IP address may not actually come from that resolver.

The fascinating field of security research has unearthed many ingenious attacks against cryptographic protocols, such as power analysis, which are elegant and effective but unlikely to be seen in quantity in the wild anytime soon. DNS spoofing, though, is widespread; it's easy to do, and lots of people are doing it, for all sorts of reasons.

In March 2014, Turkey blocked access to Twitter after recordings damaging to the Turkish government were leaked there. The country did this by instructing Turkish ISPs to return wrong IP address information when twitter.com domains were resolved, so that DNS would instead return IP addresses that took users to a government web page announcing the block. Turks quickly discovered that setting their DNS servers to foreign recursing resolvers such as Google's would bypass the block, and some went a step further by spray-painting the IP addresses of Google's DNS servers on public buildings. Other governments engage in similar practices on a routine basis.

The solution

It's been slow in coming, but DNSSEC is now pretty much here. It enables cryptographic signatures to be distributed in the DNS alongside existing information, so that resolvers that care about such things can ask for it; they can also rely upon the answers they get. This is done by defining a few new DNS Resource Record (RR) types:

  • RRSIG: This one's the workhorse; it's a signature for an RR, made with the appropriate key pair. To verify the authenticity of some RR that has just been queried, whether it was an A record, an MX, a CNAME, or some other record, the accompanying RRSIG is the starting point.
  • DNSKEY: This asserts one of the keys (yes, plural, we'll come to that) for a particular zone or subzone. This is something given out to the world for your own zone(s), much like an SSH server announcing its own public key on connection.
  • DS: This is how trust is distributed. It's a fingerprint for the primary DNSKEY record, generated by the zone's parent (usually, the registrar) and distributed as part of the glue. Like any other RR, it also comes with an RRSIG record, also generated by the zone's parent. This is how people can trust your DNSKEY records when you return them in response to a query. Its existence also functions as a flag that DNSSEC extensions should be checked by a capable resolver for queries in the zone in question.
  • NSEC3: It is as important to sign your negative responses as your positive ones, otherwise any attacker could simply sit there returning faked NXDOMAIN responses for queries about all your hostnames. NSEC3 provably says that no such RR exists, in such a way as to cover a range of possible name queries without enabling a brute-force search of the namespace.
The chain of trust ends up with the public key that is used to sign the DNS root. This is the DNSSEC equivalent of your browser's CA bundle, and it should already be known to any resolver that intends to do DNSSEC.

Can I use it? Should I? How do I?

Not all top-level domains (TLDs) currently implement DNSSEC. Wikipedia's list of TLDs includes information on which do and do not support DNSSEC, but it's pretty widely supported, and if you're not doing registration in some obscure country-code TLD just to get a cute domain name, you probably can deploy DNSSEC.

The following shows how I enabled DNSSEC on teaparty.me.uk by following a procedure which was developed from NLNetLabs' excellent HOWTO, to whose authors I am grateful. You will need to be using a BIND implementation that is DNSSEC-capable, but I'm using BIND 9.8.2 on CentOS 6, which is pretty old, and it works fine.

First, you have to generate your zone keys. Second, you have to include your keys in your zone file and sign your zone. Finally, you have to generate your DS record, and propagate it through your registrar.

So, first off, generate the keys. They come in two types: a key-signing key (KSK), which is used only to sign other keys, and a zone-signing key (ZSK), which is used to sign all the other RRs. These do not have to be different keys, but best practice is to use a different KSK and ZSK. Key lengths and algorithm choices are a matter for you to decide. Also, the choice between /dev/random and /dev/urandom is yours to make; my server has a hardware random-number generator (RNG) attached, without which this process might have taken some time. Note also that I do this in the parent of the directory that holds the zone files themselves, as I find it convenient to keep the keys there. 

    [root@lory dns]# dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 2048 teaparty.me.uk
    Generating key pair...............................+++ ..........................+++ 
    Kteaparty.me.uk.+005+02104
    [root@lory dns]# dnssec-keygen -r/dev/random        -a RSASHA1 -b 2048 teaparty.me.uk
    Generating key pair.....+++ .................+++ 
    Kteaparty.me.uk.+005+60996
Here, the -b chooses the key length and the -a is used to choose the cryptographic algorithm to be used. The last line of the output in each case is the base name of the key files, one ending .key and the other ending in .private, which have just been created in the working directory. The filename includes the zone name, the algorithm type (005=RSA/SHA-1), and a five-digit random key identifier which helps detect key rollovers (about which more may be found here). Now, let's extract the meat, that being the new keys, from those .key files we just created: 
    [root@lory dns]# grep DNSKEY *teaparty.me.uk*.key
    Kteaparty.me.uk.+005+02104.key:teaparty.me.uk. IN DNSKEY 257 3 5 AwEAAdCM/LeSga8...
    Kteaparty.me.uk.+005+60996.key:teaparty.me.uk. IN DNSKEY 256 3 5 AwEAAcQxmpGFwWw...
The keys in the above output have been truncated to avoid filling your screen with gibberish. Note the leading 256 and 257 in the DNSKEY RRs: an even number indicates a ZSK and an odd number, a KSK. Your KSK is your zone's primary key, from which we will later derive your DS record.

Next up is to put the two DNSKEY RRs into your zone file, then sign it with the keys you have just created. Signing is accomplished with the dnssec-signzone command: 

    [root@lory ~]# cd /var/named/chroot/var/dns/primary/
    [root@lory primary]# /usr/sbin/dnssec-signzone -o teaparty.me.uk \
        -f teaparty.me.uk.signed -K .. -k Kteaparty.me.uk.+005+02104.key \
	-e +3024000 -N unixtime teaparty.me.uk Kteaparty.me.uk.+005+60996.key
    dnssec-signzone: warning: teaparty.me.uk:8: no TTL specified; using SOA MINTTL instead
    Verifying the zone using the following algorithms: RSASHA1.
    Zone signing complete:
    Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
			ZSKs: 1 active, 0 stand-by, 0 revoked
    teaparty.me.uk.signed
First, I changed into the directory where the zone file is (in whose parent, you will recall, the keys are kept). Then I signed the zone; important flags include:
  • -o specifies the zone origin (domain name); this can be inferred from the filename, but I prefer to keep it explicit.
  • -f specifies the file that will contain the signed zone; I will need to alter my named.conf file so that the zone is taken from this signed file in future.
  • -K specifies where to find key files.
  • -k specifies the file containing the KSK.
  • -e specifies the date until which I wish the signatures to remain valid. +3024000s is now + 35 days, which is designed to let me automate this signing with cron on the first of every month without the signatures ever expiring, even if the leap second people at the IERS decide to put quite a lot of extra seconds onto the end of any given month.
  • -N specifies that the zone serial number (SN) in the new, signed zone file will be Unix time. I could use -N keep to preserve the SN from the input unsigned, zone file, but I prefer this.
Finally, the two arguments are the name of the zone file (which for me is simply the name of the zone), and the ZSK filename.

The last step is to generate your DS record from your KSK. This has already been done by signing the zone; you will notice in the zone file directory a file called, in my case, dsset-teaparty.me.uk.. This contains a couple of potential DS records that differ only in the digest type being used ("1" versus "2") and thus also in the digest of the key itself: 

    [root@lory primary]# cat dsset-teaparty.me.uk.
    teaparty.me.uk.         IN DS 2104 5 1 1E8AB98D...
    teaparty.me.uk.         IN DS 2104 5 2 440A7FA1... 6F8640BE
This can also be done manually with the dnssec-dsfromkey command, which can be fed either the zone file or the KSK file. Although RFC 4034 says that having a DS record with digest type 1 (SHA-1) is mandatory, RFC 4509 defines the digest type 2 (SHA256) digest, and specifies that digest type 1 should be ignored if type 2 is present, in keeping with the move away from SHA-1. Most people seem to publish only the SHA-256 (digest type 2) record, and this works well for me.

So I will give the digest type 2 record to my registrar through whatever mechanism it has decided is appropriate. For registrations in .uk I do it through Nominet's website, being a registrar myself; alternatively, one would go through one's registrar. For .com/.net/.org domains, which I register through an old friend, I email the DS record to him under cover of PGP, and he passes it up the chain of registrars until it gets to someone who can put it into the proper TLD zone file.

And is it working?

You can check for DNSSEC capability in your normal resolution chain by using dig +trace. Try: 
    $ dig +trace www.google.com
If you see a bunch of RRSIG and DS records being returned in the chain along with the more usual A and NS records, you're DNSSEC-capable. If your normal resolution chain isn't capable, try: 
    $ dig +trace www.google.com @8.8.8.8
That will show whether your client is capable and so configured. You'll need a DNSSEC-capable resolver to go any further.

If I take a DNSSEC-capable resolver, such as Fedora 24's, using a capable resolution chain such as Google's public servers, and I ask for explicit signature checks, I should get confirmation that all is well: 

    $ dig +sigchase test.teaparty.me.uk @8.8.8.8
    ...
    ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
If I alter the RRSIG on my A record by one byte, increment the zone's SN, reload the zone, and repeat the test, I should get indication of a problem, ending with: 
    ;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED

The usual sources of error are cut-and-paste failings, publishing a DS record without a signed zone (recall that the presence of the record is the indicator that a zone should be signed), or major clock skew in your DNS server. The latter can cause problems because TTLs in DNSSEC RRs are absolute timestamps, unlike the relative TTLs of pre-DNSSEC RRs; if clocks are badly wrong, RRs that are already out-of-date can be propagated, and these will fail to validate.

So in summary, DNSSEC isn't complex; honestly, it's not. It's fiddly, to be sure; many small parts have to be assembled in the right order. But once this is done, it just works, to the net benefit of all. If you are in charge of any DNS infrastructure, and you haven't come to grips with this already, now might be a good time for you to tackle DNSSEC.

Index entries for this article
SecurityDNSSEC
GuestArticlesYates, Tom

to post comments

Adopting DNSSEC

Posted Dec 14, 2016 21:14 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses)

The nigh-incomprehensible horror show which you brushed over, of course, is key rollover. About a quarter of the article you linked to is devoted to it, everyone seems to have to hack up their own scripts to do it, and if you get it wrong the first you know of it is that nobody using a DNSSEC-capable resolver can resolve your names properly, possibly for a while, possibly forever. (And, of course, because DNS is a system with distributed caching, nodes furthest from you that reference your zone fairly rarely are most likely to see the problem. *You* most likely won't see it, but random DNS-capable queriers will -- and won't be able to email you about it because your DNS is broken -- and even if they could, unless they're networking people they won't have any idea what's wrong or who to email anyway. Good thing you have that gmail account -- at least the DNS experts can get through. :) )

I do wonder what proportion of DNSSEC-related failures are due to malicious actors and what proportion are due to the key rollover disaster area. I suspect the vast majority are rollover problems. Oh and don't forget that glibc's resolver is not DNSSEC-capable (so you need to run a local forwarder that is), and has no way to tell clients about DNSSEC-related failures in any case (it generally fakes them as being nameserver problems, but even that is not consistent); even if it could, the applications have no idea what to do about such failures.

DNS spoofing and cache poisoning by hostile actors is a serious problem with DNS, indeed -- but whether DNSSEC makes it better when widely deployed, or just makes the DNS ridiculously unreliable, is something that is not yet clear.

Adopting DNSSEC

Posted Dec 15, 2016 10:50 UTC (Thu) by madhatter (subscriber, #4665) [Link]

I completely agree with you that key rollover is nasty, but it's also not mandatory. It's best-crypto-practice, to be sure, but how often do you re-key your SSH servers, and how much more traffic flows under cover of those keys? It's perfectly possible to adopt DNSSEC without also binding yourself to rolling your keys over, so the desire not to get to grips with that shouldn't be a bar to DNSSEC adoption.

Adopting DNSSEC

Posted Dec 30, 2016 11:39 UTC (Fri) by ahla (guest, #108052) [Link]

BIND does automatic keyrollover for ZSK. KSK are rolled over not that often and it's rather unproblematic because you double sign and check the results. Only when the new key works correctly you invalidate the old one.

Adopting DNSSEC

Posted Dec 14, 2016 21:28 UTC (Wed) by flussence (guest, #85566) [Link] (4 responses)

Good article, I had a hard time finding something this digestible when I first set it up, hopefully it'll save others a few hours of searching.

As mentioned, it needs re-signing periodically. The default is a nasty, arbitrary 30 days which has caught me off guard more than once, so I put this in my daily cron:

#!/bin/sh -eu
PATH="/usr/sbin:/usr/bin"
domain=$1

# Only take action if the secure zone file is missing or stale:
cd /var/bind/pri/
test -f "${domain}.zone"
test -n "$(find "${domain}.zone.signed" -mtime -25)" && exit 0

rndc freeze $domain
dnssec-signzone -3 $(openssl rand 8 -hex) \
  -A -N date -o $domain -t ${domain}.zone
rndc thaw $domain

Adopting DNSSEC

Posted Dec 15, 2016 0:18 UTC (Thu) by smurf (subscriber, #17840) [Link] (3 responses)

You can compare dates directly, which makes more sense than abusing "find".

$ date -r /some/file +%s
1481680702
$ date -d "25 days ago" +%s
1479600938

Thus:
test $(date -r "${domain}.zone.signed" +%s) -gt $(date -d "25 days ago" +%s) && exit 0

Adopting DNSSEC

Posted Dec 15, 2016 17:37 UTC (Thu) by flussence (guest, #85566) [Link] (1 responses)

Not abuse: it's deliberately testing that the file is new enough _and_ that it hasn't been removed; make's rebuild semantics but with a date offset. Yours would work but print two errors for the latter case.

Adopting DNSSEC

Posted Dec 16, 2016 17:33 UTC (Fri) by smurf (subscriber, #17840) [Link]

True. So add 'test ! -e "$file" ||' in front.

Adopting DNSSEC

Posted Dec 16, 2016 13:02 UTC (Fri) by itvirta (guest, #49997) [Link]

Using `find` also needs only one fork+exec instead of two, and `find -mtime` is likely to be more portable than GNU-style `date -r`.

Adopting DNSSEC

Posted Dec 14, 2016 21:30 UTC (Wed) by edmonds42 (guest, #42670) [Link] (1 responses)

Was hoping for an LWN-style thinkpiece on the lack of adoption of DNSSEC instead of yet another DNSSEC and BIND howto.

Adopting DNSSEC

Posted Dec 14, 2016 21:57 UTC (Wed) by edmonds42 (guest, #42670) [Link]

As far as the howto goes though:

- BIND 9.8.2 is pretty ancient, even if the version shipped in CentOS gets backported bug fixes from the upstream vendor. You leave a lot of features on the table by not using a release from the 9.9, 9.10, or 9.11 series.

- Please don't deploy SHA-1. You mention hashed authenticated denial-of-existence using NSEC3 records, but then you sign your zone with RSASHA1, which doesn't support NSEC3. You probably want to sign with a slightly more modern algorithm like RSASHA256 or ECDSAP256SHA256. At some point ED25519/ED448 will be added to DNSSEC. See https://tools.ietf.org/html/draft-wouters-sury-dnsop-algo... for current thinking on DNSSEC algorithm usage.

- Please don't use cron to re-sign zones. You use dnssec-signzone to sign your zone initially but leave out that it requires periodic re-signing. If you upgraded to BIND 9.9+ you could use a more modern style of BIND zone signing ("auto-dnssec maintain" + "inline-signing yes") that automatically re-signs zones while keeping the automatically maintained DNSSEC RRs separate from the manually maintained DNS zone. This style is good if you want to keep your zone files (but not the DNSSEC RRs) in git. See: https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-I....

- dig's +sigchase mode isn't particularly great. ISC recommends the new "delv" tool in BIND 9.10+, since it uses the same DNSSEC validation code that BIND uses. See: https://kb.isc.org/article/AA-01152/0/Eleven-twelve-dig-a....

Adopting DNSSEC

Posted Dec 14, 2016 21:53 UTC (Wed) by bwelling (subscriber, #13189) [Link]

The list of new record types mentions the NSEC3 record, but not the NSEC record, but signed zone uses NSEC, not NSEC3 (as seen in the error).

Adopting DNSSEC

Posted Dec 14, 2016 22:12 UTC (Wed) by kjp (guest, #39639) [Link] (20 responses)

The article sure isn't selling me on the *need* for this. Wouldn't the twitter example (downgrade attack) be solved by HSTS? After that, it's just a normal DOS / censorship attack.

Adopting DNSSEC

Posted Dec 14, 2016 22:31 UTC (Wed) by mtaht (guest, #11087) [Link]

I wanted to note that dnssec has to happen all the way to the edges.

dnsmasq gained support for it finally - 3 years worth of debugging - a year or two back.

Adopting DNSSEC

Posted Dec 15, 2016 4:03 UTC (Thu) by magila (guest, #49627) [Link] (18 responses)

A better example of the problem DNSSEC solves is the hacking of Diginotar and subsequent issuance of fraudulent certs for various popular domains. DNSSEC solves the well-known problem of all CAs being able to issue certs for any domain. More generally, the set of trusted parties with DNSSEC is a strict subset of the trusted parties with the CA system. With CA certs you trust:

1. Whoever supplied your list of CAs.
2. All certificate authorities.
3. The domain registrar and TLD owner.

The last one only applies if you trust domain validated certs, which of course everyone does. There are various band-aids you can layer on top of this like key pinning, but fundamentally this is who your trusted parties are. With DNSSEC+DANE on the other hand, you trust:

1. Whoever supplied your list of TLD keys.
2. The domain registrar and TLD owner.

Adopting DNSSEC

Posted Dec 15, 2016 7:52 UTC (Thu) by alonz (subscriber, #815) [Link] (17 responses)

Unfortunately DNSSEC + DANE has been shown to be impractical in practice: see this writeup for the reasons.

And with the advent of mechanisms like Certificate Transparency, which remove almost all need for trust at all, I suspect DNSSEC has become useless already. It is fixing yesteryear's problems using yesterday's solutions, and its assumptions (especially regarding trust) simply do not scale to today's Internet. And with the encroaching Internet-of-Things apocalypse, and billions of new devices dynamically connecting to the network and offering their services, the security afforded by DNSSEC will become even more irrelevant.

Adopting DNSSEC

Posted Dec 15, 2016 8:47 UTC (Thu) by robbe (guest, #16131) [Link] (4 responses)

Not all the world is http(s). Take smtp, for example. Woefully insecure without dnssec. ssh? Escape the TOFU with dnssec.

Even if we stay with https, where CAs should give us something equivalent to dnssec. Ever wondered what „domain-validated“ means?

Not to say that dnssec is not full of problems… way overengineered (second system, anyone?); bad tool support; unhelpful documentation; targeted at large dns providers, not the „little guy“; no thought given to privacy at all.

Yes, dnssec won’t magically make your lightbulb or your car secure. Neither will it feed the hungry, nor end any war. That doesn’t make it irrelevant, though.

Adopting DNSSEC

Posted Dec 15, 2016 9:54 UTC (Thu) by alonz (subscriber, #815) [Link] (3 responses)

There is no (technical) reason that I can see for SMTP servers not to support certificate transparency. Maybe I should attempt an integration myself…

The SSH case I actually see as a counter-example: sure, on first connection you may have slightly more trust due to DNSSEC – but on every connection after that, SSH's own security mechanisms are generally sufficient (and quick), while DNSSEC would impose extra communication costs on every single connection.

As for security—the security for “domain-validated” certificates is precisely the same level as what DNSSEC offers. Except with LetsEncrypt and similar services, you can now get this same level of security with (way far) less hassle than with DNSSEC.

Adopting DNSSEC

Posted Dec 15, 2016 15:13 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (2 responses)

I don't understand how you can consider the security of DV to be "precisely the same level" as DNSSEC

Today, on paper, DV means whatever a CA thinks it means. So far as we know none of them have completely ridiculous criteria, but keep in mind that we've discovered nonsense such as "Oh, they had proof of control for www.example.com so we presumed that meant they controlled example.com as well" is widespread, and until it was revealed nobody knew that's how it was working.

In a future Ballot 169 world (Ballot 169 is the 169th ballot of the CA/B forum, an informal gathering of Certificate Authorities and trust store owners which writes the Baseline Requirements, which all the major trust stores require CAs to obey, it is currently in limbo due to hilarious patent-related legal wrangling) the rules will be written down so that you can see what is and isn't a "validation" under DV

So far, assuming Ballot 169 survives in full, an applicant is entitled to a DV certificate for some DNS name from a CA if any of:

* A guy we're pretty sure is an actual Real Lawyer™ swore they (the applicant) own the domain name
* A guy we're pretty sure works for the domain registrar says they own the domain name
* We (the CA) are the domain registrar and we think they own the domain name.
* We Faxed the person listed in WHOIS for that domain and they sent back a Fax saying it's fine
* We sent an email to an email address listed in WHOIS for that domain and they pushed a button on a web form to say it's fine
* We did a DNS lookup for a magic TXT entry created by the applicant with that domain name, it matches what we expected
* We did an HTTP (port 80) GET of a text file with a magic file path created by the applicant, it matches what we expected
* We did a TLS connection on port 22 (good luck with that), 25, 443 or 115 (no, I don't know either, I tried moaning) and used SNI to ask for the certificate for a crazy invalid name, the certificate presented matched what we expected.

Now, maybe I'm just too paranoid, but most of those don't feel anywhere close to the security from DNSSEC. Only the DNS one comes close, and only when, in fact, it was secured using DNSSEC. And keep in mind Ballot 169 is considered a _major tightening_ of the security of DV. Some Certificate Authorites feel it went too far!

Adopting DNSSEC

Posted Dec 20, 2016 20:43 UTC (Tue) by Lennie (guest, #49641) [Link] (1 responses)

Well, at least they are tightening up DV.

Are they going to improve EV as well ? I think EV has CT as a requirement now, right ?

EV

Posted Dec 21, 2016 1:34 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

There is not, so far as I know, any activity to "improve" EV from the CA/B forum. Was there some particular problem you feel needs addressing?

In terms of the trust stores, rather than CA/B...

Google's Chrome treats EV certificates as non-EV unless SCTs are supplied (which means the certificate was logged) in accordance with their announced CT policy. At some point (currently scheduled for October 2017) Chrome will care about SCTs in all new certificates.

Nobody else of any significance has a browser which implements CT, although Mozilla expects to ship one in 2017.

Adopting DNSSEC

Posted Dec 15, 2016 10:47 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (8 responses)

Certificate Transparency emphatically does _not_ remove the need for trust. What it does is permit a sorely needed trust-but-verify model in which we are, if we perform the verification steps dutifully as a culture, able to justify our trust in the CAs and in the CT system itself on a continuing basis.

A trustworthy CA will log all issued certificates (in practice, all Web PKI certificates, but IMNSHO all the other PKIs we might care about here aren't worth much) and interested parties can verify that the logs are consistent and every certificate seen was logged.

Much of the system only exists as design, not as implementation, or not as working implementation that's out in the wild with millions of certificates and billions of end users. What we have today are the following components:

* CT logs, implementing the current RFC 6962, to be replaced by 6962-bis once it exists
* CT monitors (but not auditors, outside of a lab) surfacing things from the logs to people who care
* Many popular CAs logging to at least one log
* SCT verification enabled tentatively in Chrome for EV certificates only

In the near-ish future (2017) we expect to have

* All Web PKI participating CAs logging to several logs
* SCT verification required in Chrome, maybe Firefox, with Safari and possibly even Edge announced
* At least one production CT monitor ensuring that, from where it is at least, the CT system integrity checks out

That still leaves to be done

* Gossip technology, ensuring all clients are seeing a consistent CT log world, anybody who can at least sometimes see the Internet is seeing the _same_ Internet with the same trustworthy CAs in it.

_Because_ the CAs are mostly trustworthy what we see today is already useful. But as the recent StartCom/ Wosign incident demonstrated a CA can still just assert that they're trustworthy and intentionally deceive us without penalty, at least until they get caught. Keep in mind that this incident implicated not only two CAs (well, actually one CA, but part of their deceit was in continuing the fiction that StartCom was an independent company) but a Famous Brand Professional Services company, EY Hong Kong, and a major payment services company (Tyro, in Australia). There is plenty of distrust to go around.

Now, what value _does_ DNSSEC give us? Well funny thing, the only way the Web PKI got this big was via DV, Domain Validation. And DV is a really sketchy validation technique, subject to all manner of MITM and other problems _unless_ you have some way to at least know the DNS records are accurate. What do we have that lets us know the DNS records are accurate? DNSSEC. Sure enough one of the largest (probably straight up the largest but it's hard to tell) users of DV on today's Internet does check DNSSEC during their DV process.

Adopting DNSSEC

Posted Dec 16, 2016 15:30 UTC (Fri) by bandrami (guest, #94229) [Link] (7 responses)

And I still think this is the wrong threat model in general. The number of servers I access where I trust the alleged server more than I would trust someone pretending to be that server is vanishingly small: work on validating that vanishingly small corpus (yes, everybody's vanishingly small corpus is different, so it's going to be a moderate corpus) and stop making security tools get in the way of preventing passive attacks on the rest.

Take LWN. I'm reading it over TLS right now, meaning I know nobody has read or modified the traffic in transit between the web server and me. Thanks to PKI, I also have an assurance from RapidSSL that this server is in fact lwn.net, for some definition of "is in fact" that RapidSSL considered appropriate. But even if RapidSSL verified LWN that doesn't particularly help me: I have no actual reason to trust lwn.net more than I would trust someone else pretending to be lwn.net.

Over the course of almost two decades now, I've probably encountered thousands of TLS/SSL errors, 100% of which have been "Type I" errors. I have never, ever, had TLS catch someone in the course of trying to MiTM me. I have had it, over and over again, make it time consuming and expensive to provide the defense against passive attacks that I actually care about more.

Adopting DNSSEC

Posted Dec 16, 2016 17:37 UTC (Fri) by nybble41 (subscriber, #55106) [Link] (6 responses)

> I have no actual reason to trust lwn.net more than I would trust someone else pretending to be lwn.net.

You really think you have no more reason to trust a long-standing member of the Linux community that you've interacted with on many previous occasions without incident vs. an anonymous attacker pretending to be lwn.net? The mere fact that they're pretending to be someone else suggests that the interloper does not have your best interests in mind. If you didn't trust lwn.net more than the attacker there would be no reason to go to the trouble of assuming their name.

Keep in mind that TLS protects more than just the visible content of the page; it also guards against third-party JavaScript attacks and other hidden exploits. It is not at all uncommon for "trusted" intermediaries such as ISPs to inject tracking data into requests (such as the unique advertising IDs injected into unencrypted HTTP headers by popular mobile network providers), or even insert scripts or other content into the pages returned to the browser. Even when these changes are not actively malicious, they can interfere with correct operation or introduce new vulnerabilities. The only protection we have against such changes is properly authenticated TLS.

Adopting DNSSEC

Posted Dec 16, 2016 18:32 UTC (Fri) by bandrami (guest, #94229) [Link] (4 responses)

> You really think you have no more reason to trust a long-standing member of the Linux community that you've interacted with on many previous occasions without incident vs. an anonymous attacker pretending to be lwn.net?

Correct.

> The mere fact that they're pretending to be someone else suggests that the interloper does not have your best interests in mind.

Nor do I think LWN has my best interests in mind. (Nothing against them, I just also have no reason to trust them.)

> If you didn't trust lwn.net more than the attacker there would be no reason to go to the trouble of assuming their name.

Exactly, which is why a third party's verification of the domain isn't terribly useful to me. (I can't remember how I paid my subscription; if I was entering my info on a page hosted on LWN then obviously I cared for that session, but in general I don't.) This may also relate to how, as I've mentioned, of the several thousand TLS errors I've seen in my career, none of them have ever been an attempt at a MiTM.

> it also guards against third-party JavaScript attacks and other hidden exploits

Both of which LWN might supply, too, and my browser settings make that assumption (e.g. I don't in general enable javascript to begin with)

Adopting DNSSEC

Posted Dec 16, 2016 19:29 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (2 responses)

> none of them have ever been an attempt at a MiTM.

You've never even attempted to use Wifi provided at hotels, malls, airports, coffee shops, or the like? They MITM everything all the time.

Adopting DNSSEC

Posted Dec 16, 2016 19:37 UTC (Fri) by bandrami (guest, #94229) [Link] (1 responses)

> You've never even attempted to use Wifi provided at hotels, malls, airports, coffee shops, or the like?

$DEITY no. That's like eating an unwrapped sandwich you happen to find somewhere. 4G plans are cheap. (Yes, then you're at the mercy of your cell carrier for the same dangers, but that's one actor rather than multiple ones so an easier risk to mitigate.)

Adopting DNSSEC

Posted Dec 16, 2016 19:55 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

Well, I wouldn't call it cheap, but I do still have an unlimited 4G plan from Verizon, so I know that strategy :) . But some of those places have shitty cell service and wireless is worth the attempt (though I do refuse to continue if they attempt to intercept SSL connections).

Adopting DNSSEC

Posted Dec 16, 2016 20:17 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

> Nor do I think LWN has my best interests in mind.

Trust is not a binary state. There is plenty of reason to believe that an anonymous attacker is far more likely to cause you harm than LWN. On the other hand, a blind "trust no one" policy causes direct harm to yourself in the form of missed opportunities. For example, a significant fraction of the modern Internet is unavailable to you so long as you leave JavaScript disabled. You may not deem that a great loss, but it's still a cost you pay for refusing to extend a reasonable degree of trust to those who have earned it.

> This may also relate to how, as I've mentioned, of the several thousand TLS errors I've seen in my career, none of them have ever been an attempt at a MiTM.

That is because TLS is doing its job and making MitM difficult to accomplish, and thus a less attractive target. If those connections were not protected by TLS you would see a lot more MitM activity.

> 4G plans are cheap. (Yes, then you're at the mercy of your cell carrier for the same dangers, but that's one actor rather than multiple ones so an easier risk to mitigate.)

A 4G plan from AT&T, perhaps? Or Verizon? Both are well known for inserting tracking information into HTTP headers. Big-name wired ISPs have also been caught inserting their own ads and scripts into web pages. It isn't just free WiFi access points you have to worry about, and one actor is quite enough to cause damage. TLS is the only mechanism available which effectively mitigates the risk of tampering with HTTP traffic.

Adopting DNSSEC

Posted Dec 22, 2016 16:09 UTC (Thu) by Wol (subscriber, #4433) [Link]

> It is not at all uncommon for "trusted" intermediaries such as ISPs to inject tracking data into requests (such as the unique advertising IDs injected into unencrypted HTTP headers by popular mobile network providers), or even insert scripts or other content into the pages returned to the browser.

I'm minded of a small scandal $deity-knows-how-many years ago. Somebody bought a COTS router and put it in their network. The system started crashing at random. Turns out the router was randomly inserting advertising into what it *thought* were web pages. Iirc it was a SCADA system! and was using port 80 and html to communicate, and being a closed system it hadn't allowed for tampering with its wire protocol ...

Or what about when some TLD or registrar started intercepting invalid domain requests and returning an IP pointing at a web advertising site ...

Cheers,
Wol

Adopting DNSSEC

Posted Dec 28, 2016 13:23 UTC (Wed) by sampablokuper (guest, #53150) [Link] (2 responses)

> Unfortunately DNSSEC + DANE has been shown to be impractical in practice: see this writeup for the reasons.

I am curious to know what LWN readers make of that writeup by Adam Langley, and of the objections to DNSSEC by Thomas Ptacek that it links to.

Ptacek, in particular, seems to be leading the charge against DNSSEC: see his further comments about it at Hacker News here and here.

I enjoyed Tom Yates's article above, but had hoped it would address some of Ptacek and Langley's arguments and the relevant counter-arguments. Perhaps a future LWN piece will delve into the relative merits of DANE, DNSSEC and their alternatives.

Adopting DNSSEC

Posted Dec 29, 2016 2:32 UTC (Thu) by flussence (guest, #85566) [Link] (1 responses)

One thing jumps out from all those HN posts — that despite having the time to complain for pages upon pages, tptacek doesn't make a single mention of any alternative solution. He just wants to see a thing people have built at great effort, to fill a real need, fail out of spite.

My DNS is using DNSSEC for the same reason my web browser depends on CAs, X.509 and ASN.1; it's a trash fire, nobody who uses it likes that it's necessary, but that's just how things on the internet (and computers in general) *are*. And while I'd prefer both DNS and TLS become obsolete in my lifetime, whining that some fix isn't good enough won't make a perfect one magically appear.

Adopting DNSSEC

Posted Dec 29, 2016 4:54 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

DNSSEC is actually pretty nice as a protocol. Well, except that it has to work over DNS. Amazingly, it doesn't depend on X.509, or ASN.1, or even TLS.

It's a pretty straightforward and obvious design overall. The problem is that its implementations are not the easiest ones to use so the maintenance burden is not trivial.

DNS infections preventable with DNSSEC and you get to sign your existing SSL cert

Posted Dec 15, 2016 1:51 UTC (Thu) by johnjones (guest, #5462) [Link] (3 responses)

Given that infections such as :

https://www.proofpoint.com/us/threat-insight/post/home-ro...

plus the need to make sure that SSL certificates are not compromised by deploying DANE
(DANE allows a domain owner to specify which CA is allowed to issue certificates for a particular resource, which solves the problem of any CA being able to issue certificates for any domain.)

https://en.wikipedia.org/wiki/DNS-based_Authentication_of...

I'm not sure why any major site does not deploy this...

http://blog.easydns.org/2015/08/06/for-dnssec/

DNS infections preventable with DNSSEC and you get to sign your existing SSL cert

Posted Dec 15, 2016 10:25 UTC (Thu) by anselm (subscriber, #2796) [Link] (2 responses)

The problem with DANE for the web is that browser support for DANE is really patchy. In general, the browser makers prefer solutions like HPKP because they need to handle HTTP, anyway, and like most reasonable people they would much rather not have to deal with DNS (especially DNSSEC) more than they have to.

Unless there is more buy-in from browser vendors, there's really not a lot of incentive for web sites to deploy DANE, but until DANE is widely deployed there is little pressure on browser vendors to include support for it. It's a classic Catch-22 situation.

(DANE has more of a chance to grow legs in the e-mail arena, because mail servers already deal with DNS and don't have anything to do with HTTP. Right now, much of the TLS-enabled mail traffic is handled on an “opportunistic” basis with no validation of a remote mail server's certificate, but DANE would give us a way to batten down the hatches within DNS, with no need for a separate PKI infrastructure.)

DNS infections preventable with DNSSEC and you get to sign your existing SSL cert

Posted Dec 15, 2016 19:53 UTC (Thu) by drag (guest, #31333) [Link] (1 responses)

There really is only 3 major browser makers that really matter... Mozilla, Google, and Microsoft. If they do buy-in on DANE (or something similar) then it's pretty much a done deal.

I also really believe in the need for a central name server service on the OS-level. Doing things like tying into LDAP, kerberos, or AD is massively improved in reliability, performance, and adminstration by the use of SSSD, for example. Local resolver for DNS and having applications depend on that local resolver just makes sense for me.

So since it's effectively bad practice, nowadays, to have each and every application have it's own special configuration method and configuration for dealing with name services then the same thing may be true for certificates.

Maybe along with local DNS there should be local certification service for programs to use to validate certs for various things via DANE or other similar mechanisms.

DNS infections preventable with DNSSEC and you get to sign your existing SSL cert

Posted Dec 16, 2016 0:10 UTC (Fri) by anselm (subscriber, #2796) [Link]

Mozilla, Google, and Microsoft. If they do buy-in on DANE (or something similar) then it's pretty much a done deal.

In theory, yes. In practice, at least Google and Mozilla aren't at all keen on the idea.

NSEC3 allows zone-walking

Posted Dec 15, 2016 9:46 UTC (Thu) by vitek (guest, #36586) [Link] (5 responses)

I cannot agree that NSEC3 does not allow "a brute-force search of the namespace".

You quickly collect the hashes of existing names. Then you can guess the real names privately on your computer without connecting to dns server ever again. Old DNS (without DNSSEC) does not have this problem.

https://dnscurve.org/espionage2.html

NSEC3 allows zone-walking

Posted Dec 17, 2016 5:18 UTC (Sat) by flussence (guest, #85566) [Link] (4 responses)

If I want to look for secret subdomains in a website I'd start with the TLS certificate's SAN field. Let's Encrypt encourages the practice of putting all of one's eggs in this basket, and they don't allow the safe alternative of wildcards.

NSEC3 allows zone-walking

Posted Dec 17, 2016 11:31 UTC (Sat) by anselm (subscriber, #2796) [Link]

Wildcard certificates are widely considered problematic, mostly because it isn't clear what exactly they're supposed to mean, and various ambiguities can introduce subtle security issues (see, e.g., RFC 6125). There's also the problem that if a wildcard certificate is deployed on many different servers, they all need access to the corresponding private key, which increases the risk of that key becoming compromised.

It's probably not a great idea in general to have certificates with lots of SANs, either; at least the private-key issue exists there, too. At least Let's Encrypt lets you have as many certificates as you like, so you're not encouraged to get a single certificate for all your domains from a commercial CA that charges you for every CSR they sign on your behalf.

Certificate Transparency & Redaction

Posted Dec 17, 2016 16:18 UTC (Sat) by tialaramex (subscriber, #21167) [Link] (2 responses)

If you make certificates for the Web PKI you are already strongly encouraged -- and will soon be more or less obliged‡ -- to submit them to the Certificate Transparency logging infrastructure. In the particular case of a web server (and perhaps some day soon SMTP server) Google's systems will automatically submit anything they find in their travels anyway if it wasn't previously logged.

Log monitors (the most famous is run by Rob at Comodo on https://crt.sh/ and the second most famous is Google's which is part of their site about transparency and security) allow the public to peer into the logs, without that load impacting the logs themselves, some monitors offer a pay-for alerting service e.g. "We'll tell you about every certificate issued for example.com, example.org or my.example for $10 per year" and I presume that by now brand protecting outfits operate their own monitors.

So you can already see the vast majority of all DNS names for which Web PKI certificates have been issued.

Now, the idea from CAs that there should be "secret" names in public documents is not a new one. Earlier this year we discussed redaction technology for CT logging. It would be possible in principle to partly redact SAN DNS names, so for example ?.example.com might be any certificate issued for www.example.com or secret.example.com or xyzzy.example.com but not www.example.org. Such redaction would have a cost in terms of the value of CT logging (maybe it's fine if some random engineer got a certificate issued for test-preprod-server-04.example.com but you can't tell it wasn't for www.example.com based on the redacted logs) so it needs to be justified. So far, Google has determined that the cost is not justified and, although this technology exists, refused to accept redacted logging as sufficient.

More or less every time we've asked CAs to justify, their response basically is "This is a legitimate need". Which is exactly the sort of phrase we associate with Mossack Fonseca and shell companies. Further details were conspicuously absent. In fact the last time we went round this loop the push back was even stronger, it was "essential" we were told that subscribers be able to redact parts of their X.500 Distinguished Name from the certificate, not just SANs. As usual no reason was forthcoming beyond "legitimate".

Funny thing about Mossack Fonseca, when journalists could see what was really going on it didn't look terribly legitimate after all. Politicians resigned, scandals erupted, tax investigations began... How about that.

One justification we have been shown is the idea of a temporary secret. Maybe Disney doesn't want us knowing their next Star Wars movie is named "Return of the Empire" and so return-of-the-empire.example shouldn't be revealed in CT logs. But this is basically just a protest of technological incompetence. Not only would star-wars-eight.example be a perfectly fine DNS name for this movie anyway, but if they must have the other name they need not issue a certificate until literally moments before it is needed. Choosing to provision the server with a certificate a month early, and then demand everybody else pay a price to keep its name secret is foolishness.

‡ Early obligation imposed on Symantec broke loads of things for their customers recently. A cynical observer might think this constitutes tit-for-tat over Symantec's poor handling of a security incident last year. Whatever the reason, we can expect Google's engineers learned important lessons for when they do this in anger across the entire web late in 2017.

Certificate Transparency & Redaction

Posted Dec 20, 2016 19:50 UTC (Tue) by niner (guest, #26151) [Link] (1 responses)

How about this for a reason? We're hosting websites for about 1500 customers and have recently been victim of a successful DDoS attack. What we don't know is if we were the target or if it was one of our customers. If it was one of the customers, the way to become more resilient is to distribute them over multiple IP addresses in different ranges. But if we ourselves are the target, the attacker would just go after all our customers. Even such a broad scale attack is still quite affordable. Unless the attacker has no means to find out who those customers are. But with public listings of certificates, that's easy to find out.

Certificate Transparency & Redaction

Posted Dec 21, 2016 1:15 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

To make this into a reason you'd need to spell out the whole thing. How is it "easy to find out" the 1500 customers you host from the CT logs ? How would your proposed name redaction policy prevent this ? If the proposed policy is different from those floated before, how would it be implemented and audited ?

If the reason it's "easy to find" your customers is because you're branding everything in some way, for example you host a specialist product and your brand name for the product is baked into the FQDNs for each company, I'm afraid the fairly obvious feedback you're going to get is "If it hurts when you do that, stop doing it".

The simplest fix to DNS attacks

Posted Dec 15, 2016 10:32 UTC (Thu) by epa (subscriber, #39769) [Link] (6 responses)

If you are concerned about DNS spoofing, then rather than wait for the world to deploy a complex cryptographic protocol, the simple fix is just not to use DNS. Twitter could get a static IP address, publish it, and job done. There are more than enough IPv4 addresses for all the major websites to get one - certainly it is cheaper to buy a static IPv4 address than to configure DNSSEC.

The simplest fix to DNS attacks

Posted Dec 15, 2016 11:03 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

Load balancing? Routing redundancy? Geographically local exit points?

Nah, nobody ever needs more than 1 server in a basement to run a service.

The simplest fix to DNS attacks

Posted Dec 15, 2016 11:14 UTC (Thu) by epa (subscriber, #39769) [Link] (4 responses)

I am not saying that all access to google.com should be over a fixed IP address. I am saying that for those concerned about DNS being spoofed or blocked, publishing a known IP address seems like a much simpler solution than deploying DNSSEC.

The simplest fix to DNS attacks

Posted Dec 15, 2016 11:16 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

It most definitely is not simpler. And is much more stupid.

For example, a single IP is _easier_ to spoof. Just announce it with a more specific route.

Oh, and HTTPS won't help you - IPs are not supported consistently for CNs in X509.

The simplest fix to DNS attacks

Posted Dec 15, 2016 12:55 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (2 responses)

The abuse of X.500s Common Name for things that aren't Common Names unless you squint really hard is one thing, but unless you can show me where I'm wrong I believe a certificate with a CN of 10.20.30.40 and a SAN ipAddress of 10.20.30.40 will indeed work for a server on address 10.20.30.40 (obviously this particular address was chosen as an example, and isn't routeable) with the vast majority of HTTPS-capable software.

What can't work is asking for https://example.com/ and expecting a certificate for 10.20.30.40 to work just because example.com happens to resolve to 10.20.30.40 on some particular client.

The simplest fix to DNS attacks

Posted Dec 15, 2016 15:32 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

CAs are not issuing certs for raw IPs anymore ( https://www.cabforum.org/documents.html - only FQDNs are allowed). And even before that, their support was spotty.

The problem with IPs is that they don't have a clear ownership. Especially for cases like Amazon EC2 instances.

The simplest fix to DNS attacks

Posted Dec 15, 2016 16:16 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

I've seen a few people say this (that CAs aren't issuing for IP addresses), it's not true.

Last year a restriction was imposed forbidding RFC1918 (and its IPv6 moral equivalent) addresses, as well as DNS names that aren't FQDNs from the public Internet. One of my long list of outstanding tasks is to go back and verify the extent to which CAs complied with their further requirement this year to revoke existing certificates that would now be forbidden by that rule.

But that doesn't forbid issuing for Internet IP addresses, you are correct that you won't be able to adequately prove control over the IP address for your Amazon EC2 instance, but you would be able to prove control for addresses issued to an Autonomous System you control and in some cases even where you have an Autonomous System you may be able to adequately prove control via the AS owner. If you are (in your scenario) publishing an address you claim people can rely on as really yours, it certainly shouldn't be for some EC2 instance that might abort at any moment.

Cloudflare

Posted Dec 15, 2016 16:29 UTC (Thu) by niall.noigiallach (guest, #47469) [Link]

No mention of Cloudflare, who enabled DNSSEC in their infrastructure not too long ago and are using EC-DSA. Makes job lot easier for end user who only than has to submit DS to relevant domain registry. Also takes hassle out of stuff such as automating zone resigning etc. https://blog.cloudflare.com/introducing-universal-dnssec/

Adopting DNSSEC

Posted Dec 15, 2016 18:43 UTC (Thu) by kjp (guest, #39639) [Link] (2 responses)

Re: The twitter example (again), how does DNSSEC actually prevent a downgrade attack to normal DNS? Why couldn't the government / ISPs just filter out all the DNSSEC records?

I've searched for DNSSEC downgrade attack, and searched the 3 RFCS I found for "downgrade", and haven't found very much.

Adopting DNSSEC

Posted Dec 15, 2016 21:34 UTC (Thu) by mbunkus (subscriber, #87248) [Link] (1 responses)

Basically your local resolver has a copy of the key used to sign the root zone (this is often called the trust anchor). Therefore your resolver knows that the root zone is signed, and that all answers from the root zone must contain valid DNSSEC records. If a bad actor filters those out, your resolver will detect this due to the aforementioned knowledge.

Next DNSSEC uses DS (delegation signer) records in the parent zone to specify the keys used in the child zone. This means that inside the root zone there's the DS record for the .com top level domain. Its presence in the root zone indicates that .com itself is signed and that it must contain the appropriate DNSSEC records. If a bad actor filters those out, your resolver will be able to detect this, too.

We can repeat this pattern all the way down: the twitter.com domain itself will again contain DS records for their signed sub-domains.

Adopting DNSSEC

Posted Dec 15, 2016 23:17 UTC (Thu) by kjp (guest, #39639) [Link]

Thanks. Wow, the root key rollover looks like a nightmare.

https://www.icann.org/news/blog/dnssec-rolling-the-root-z...

"The KSK rollover will take place in eight phases, which are expected to take about two years. The first phase is scheduled to begin in Q4 of 2016."

Holy. Shit. I look forward to when a billion devices won't boot because they don't have the right key, or their local clock is wrong.

Adopting DNSSEC

Posted Dec 15, 2016 23:05 UTC (Thu) by giraffedata (guest, #1954) [Link]

I found that in order to see any of this with dig, I had to add the +dnssec command line option.

Adopting DNSSEC

Posted Dec 15, 2016 23:12 UTC (Thu) by giraffedata (guest, #1954) [Link] (4 responses)

What's an example of a domain that has DNSSEC set up?

I thought maybe www.google.com, but from what I can tell with dig, neither that nor google.com have any of these records. I do see that com has DNSKEY, RRSIG, and DS records.

Adopting DNSSEC

Posted Dec 15, 2016 23:26 UTC (Thu) by sfeam (subscriber, #2841) [Link] (2 responses)

I get the DS RRSIG records back from "dig +trace" for both google.com and www.google.com. And from lwn.net for that matter.

Adopting DNSSEC

Posted Dec 16, 2016 0:30 UTC (Fri) by giraffedata (guest, #1954) [Link] (1 responses)

I believe you're talking about trace statements showing records from .com that dig receives incidentally to your query, because that's what I get.

To see google.com DS records, I do this: 


  $ dig +dnssec @8.8.8.8 -q google.com. -t DS
and get no answers.

Adopting DNSSEC

Posted Dec 16, 2016 1:37 UTC (Fri) by sfeam (subscriber, #2841) [Link]

OK. How about this one: 
;; ANSWER SECTION:
whitehouse.gov.         1792    IN      DS      38601 7 1 DA224BC306E05A54B7B96FE85A9593FBC13A8210
whitehouse.gov.         1792    IN      RRSIG   DS 8 2 3600 20161222221015 20161215221015 60980 gov. dauaNaO6gZpf6NZYPmgQJLDYI2H8cNgMSPFfJl4gBnpivpLB+sBPtm7o 5m/zKmde6Cwpn9F+jP35OjCKH/XRxEcl6QYlxHkzwzXT9i3hIIfXvXUD TJcKIsPLoRuw2GKJf+GPwK4j7ZDJMNRsVY4rqaWY/LO5AEVoGwg7iYUs ooM=

Adopting DNSSEC

Posted Dec 16, 2016 15:53 UTC (Fri) by niall.noigiallach (guest, #47469) [Link]

Here's some:

iedr.ie
dnssec.ie
ns.ie

dnsviz.net is handy way to visualise chain of trust.

http://dnsviz.net/d/ns.ie/dnssec/

SHA1? Seriously?

Posted Dec 16, 2016 14:57 UTC (Fri) by alarsen (subscriber, #4585) [Link]

dnssec-keygen is perfectly capable of generating better keys...

# dnssec-keygen -r/dev/random -f KSK -3 -a RSASHA256 -b 4096 teaparty.me.uk
will generate a 4096-bit NSEC3-capable RSASHA256 key (algorithm number 8, see https://tools.ietf.org/html/rfc5702#section-2.1)

Adopting DNSSEC

Posted Dec 22, 2016 8:41 UTC (Thu) by chojrak11 (guest, #52056) [Link] (1 responses)

DNSSEC is a cancer. Why can't you see that at last? It will never be fully implemented.
DNSCurve is much better approach and is easy as 1, 2, 3.

Adopting DNSSEC

Posted Dec 24, 2016 23:32 UTC (Sat) by flussence (guest, #85566) [Link]

Last time I heard someone call a software project "cancer" unironically, they ended up making a mistake called Vista...

Adopting DNSSEC

Posted Dec 22, 2016 17:08 UTC (Thu) by spwhitton (subscriber, #71678) [Link]

There's an amusing litany of famous DNSSEC failures on FastMail's blog (none of these are FastMail's failures: they are the reasons they haven't tried yet).

Adopting DNSSEC

Posted Dec 29, 2016 2:19 UTC (Thu) by hawk (guest, #3195) [Link]

On the topic of doing DNSSEC signing with BIND specifically, I would suggest reading this: https://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
It takes a more maintainable approach, utilizing the improved DNSSEC functionality in modern BIND versions.


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds