4-7. The DNS hierarchy
Thursday, March 19, 2009

Slides 4 to 7 build up one diagram of the tree: the root zone (.) at the top, the TLDs .com, .net, .org, .se and .no below it, then the second-level zones iana.org and iis.se, and finally the hosts www.iana.org and www.iis.se. The records written on the diagram, cleaned up:

Root zone (.), the subset of root servers shown:
    .                       NS      A.ROOT-SERVERS.NET.
    .                       NS      B.ROOT-SERVERS.NET.
    .                       NS      C.ROOT-SERVERS.NET.
    .                       NS      D.ROOT-SERVERS.NET.
    .                       NS      E.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.     IN A    198.41.0.4
    A.ROOT-SERVERS.NET.     IN AAAA 2001:503:ba3e::2:30
    B.ROOT-SERVERS.NET.     IN A    192.228.79.201
    C.ROOT-SERVERS.NET.     IN A    192.33.4.12
    D.ROOT-SERVERS.NET.     IN A    128.8.10.90
    E.ROOT-SERVERS.NET.     IN A    192.203.230.10

TLD delegations in the root (.com, .net, .org, .se and .no are drawn; records are given for .org and .se):
    org.                        NS      a0.org.afilias-nst.info.
    org.                        NS      b0.org.afilias-nst.org.
    a0.org.afilias-nst.info.    IN A    199.19.56.1
    b0.org.afilias-nst.org.     IN A    199.19.54.1
    se.                         NS      a.ns.se.
    se.                         NS      b.ns.se.
    a.ns.se.                    IN A    192.36.144.107
    b.ns.se.                    IN A    192.36.133.107

Second-level delegations in .org and .se:
    iana.org.               NS      a.iana-servers.net.
    iana.org.               NS      ns.icann.org.
    a.iana-servers.net.     IN A    192.0.34.43
    ns.icann.org.           IN A    192.0.34.126
    iis.se.                 NS      ns.nic.se.
    iis.se.                 NS      ns2.nic.se.
    ns.nic.se.              IN A    212.247.7.228
    ns2.nic.se.             IN A    194.17.45.54

Host records in the leaf zones:
    www.iana.org.           IN A    208.77.188.193
    www.iana.org.           IN AAAA 2620:0:2d0:1::193
    www.iis.se.             IN A    212.247.7.220

The A and AAAA records for a name server that lives inside the zone it serves (a.ns.se. inside se., for example) are glue: the parent must carry them, or a resolver could never reach the child's servers.
15. .SE
About 150 name servers
4 operators
3 anycast clusters
16-25. Looking up a name in DNS
The actors on the diagram: the client computer, a DHCP server (which hands the client the address of its caching resolver along with its own address), the caching resolver, and the authoritative name servers for the root (.), the TLDs .com, .org and .se, and the zones iis.se and iana.org. Slides 17 to 25 add one step at a time; the complete sequence for looking up www.iis.se is:

1. Client computer → caching resolver: www.iis.se?
2. Caching resolver → root (.): www.iis.se?
3. Root → caching resolver: ask a.ns.se! (a referral to the .se name servers, with their glue)
4. Caching resolver → .se (a.ns.se): www.iis.se?
5. .se → caching resolver: ask ns.nic.se! (a referral to the iis.se name servers)
6. Caching resolver → iis.se (ns.nic.se): www.iis.se?
7. iis.se → caching resolver: www.iis.se has address 212.247.7.210 (the authoritative answer)
8. Caching resolver → client computer: www.iis.se has address 212.247.7.210

The client only ever talks to the resolver and trusts whatever it returns. The resolver caches every record it receives, including the referrals, for the TTL the authoritative server put on it, so a second lookup of www.iis.se is answered from cache, and a lookup of another name under iis.se starts directly at ns.nic.se.
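The eight steps above, as an added example that is not part of the original slides: a small iterative resolver that follows referrals from a root hint down to the authoritative server and caches what it learns for the record's TTL. The zone data is constructed from the records on slides 4-7 and 16-25 (one server each for the root, se. and iis.se.); nothing is sent on the network, and the server names and TTLs are assumptions for the example.

```python
"""Iterative DNS resolution with referrals and a TTL cache, simulated offline."""

ROOT_HINT = ("a.root-servers.net.", "198.41.0.4")   # what a resolver ships with

# Constructed zone data: apex -> {owner name -> [(type, rdata, ttl), ...]}.
ZONES = {
    ".": {
        "se.": [("NS", "a.ns.se.", 172800)],
        "a.ns.se.": [("A", "192.36.144.107", 172800)],      # glue
    },
    "se.": {
        "iis.se.": [("NS", "ns.nic.se.", 86400)],
        "ns.nic.se.": [("A", "212.247.7.228", 86400)],      # glue
    },
    "iis.se.": {
        "www.iis.se.": [("A", "212.247.7.210", 3600)],
    },
}
# Which authoritative server serves which zone (assumed for the example).
SERVERS = {
    "a.root-servers.net.": ".",
    "a.ns.se.": "se.",
    "ns.nic.se.": "iis.se.",
}


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_query(server: str, qname: str, qtype: str):
    """Answer as the authoritative server would: ('answer', [(rdata, ttl)]),
    ('referral', child_zone, ns_name, glue_address, ttl) or ('nxdomain',)."""
    data = ZONES[SERVERS[server]]
    rrs = [(v, ttl) for t, v, ttl in data.get(qname, []) if t == qtype]
    if rrs:
        return ("answer", rrs)
    # Not our data: refer to the longest delegation (NS RRset) covering qname.
    delegations = [owner for owner, recs in data.items()
                   if owner != SERVERS[server] and in_zone(qname, owner)
                   and any(t == "NS" for t, _, _ in recs)]
    if not delegations:
        return ("nxdomain",)
    child = max(delegations, key=len)
    ns, ttl = next((v, ttl) for t, v, ttl in data[child] if t == "NS")
    glue = next(v for t, v, _ in data[ns] if t == "A")
    return ("referral", child, ns, glue, ttl)


class CachingResolver:
    def __init__(self):
        self.now = 0          # simulated clock in seconds
        self.cache = {}       # (name, type) -> (rdata, expires_at)
        self.trace = []       # (server, address, qname) for every query sent

    def _put(self, name, rtype, rdata, ttl):
        self.cache[(name, rtype)] = (rdata, self.now + ttl)

    def _get(self, name, rtype):
        hit = self.cache.get((name, rtype))
        return hit[0] if hit and hit[1] > self.now else None

    def _start_server(self, qname):
        """Closest enclosing zone whose NS name and glue are still cached, else root."""
        labels = qname.split(".")                  # "www.iis.se." -> www, iis, se, ""
        for i in range(1, len(labels) - 1):
            zone = ".".join(labels[i:])            # iis.se. first, then se.
            ns = self._get(zone, "NS")
            addr = self._get(ns, "A") if ns else None
            if ns and addr:
                return ns, addr
        return ROOT_HINT

    def resolve(self, qname: str, qtype: str = "A"):
        qname = qname.lower().rstrip(".") + "."
        cached = self._get(qname, qtype)
        if cached is not None:
            return cached                          # step 8 straight from cache
        server, addr = self._start_server(qname)
        while True:
            self.trace.append((server, addr, qname))
            result = authoritative_query(server, qname, qtype)
            if result[0] == "answer":
                rdata, ttl = result[1][0]
                self._put(qname, qtype, rdata, ttl)
                return rdata
            if result[0] == "nxdomain":
                return None    # no negative caching here; NSEC (later slides) proves this
            _, child, ns, glue, ttl = result       # "ask <ns>!": cache the referral too
            self._put(child, "NS", ns, ttl)
            self._put(ns, "A", glue, ttl)
            server, addr = ns, glue


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.iis.se"))
    for server, addr, name in r.trace:
        print(f"  asked {server} ({addr}) for {name}")
```

The trace of the first lookup is exactly steps 2 to 7 of the slide (root, a.ns.se, ns.nic.se). A second lookup sends nothing; once the A record's TTL has run out the resolver goes back only to ns.nic.se, because the referral records for iis.se have a longer TTL and are still cached.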
26. Adding crypto to the mix
Asymmetric ciphers:
An asymmetric key pair has a public part and a private part
Protect the private key
Publish the public key
KSK:
The key signing key: what is trusted (the key the parent's DS record points at)
Signs the zone signing key, ZSK
ZSK:
The zone signing key
Creates the signatures over the records in the zone: RRSIG
27. DNSKEY and RRSIG
The two public keys published in iis.se (the base64 is shown as it was wrapped on the slide):

KSK:
iis.se. IN DNSKEY 257 3 5 wEAAcq5uqe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs
    LNVHF61lcxe504jhPmjeQ656X6tdHpRz1DdPOukcIITjIRoJHqSXXyL6gUluZoDUK6vpxkGJx5m5n4boRTKCT
    UAR9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iK
    E9FhqPeIpzU9dnXGtJZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R
    +mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk=

ZSK:
iis.se. IN DNSKEY 256 3 5 AwEAAdancK9+0Il/tuXCBylBiUpNq4RGzDE2uQ6+nb6Un0myCJFzaN3
    bzSMjAU5xlt6vnAfFZkRNKANu06j2zYjRbQucYfLEq69GIKOBnSHA46H7uUDqM32KEL+KflIlQvFpXW2/
    r835mP9+dtlsa860Kf1n2ye/77I9QtCgBeZ5okF

The three numbers before the key are the flags (257 = KSK, i.e. the SEP bit set; 256 = ZSK), the protocol (always 3) and the algorithm (5 = RSA/SHA-1).
29-30. Signatures?
A signature is, in the RSA picture used here, a hash of the data transformed with the private key. Anyone holding the public key can undo that transformation and compare the result with their own hash of the data; if the two match, the data is what the key holder signed. (Strictly, signing is its own operation and not encryption; the "encrypted hash" description fits RSA but not DSA or the elliptic-curve algorithms.)
A hash is a checksum of a set of data. Typical hash algorithms are MD5, SHA-1 and SHA-256. MD5 is considered broken, and SHA-1 has since been shown to be vulnerable to collisions as well, so new signing keys should use a SHA-256-based algorithm.
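Sign-with-the-private-key, verify-with-the-public-key, carried out on a DNS RRset. This is an added example, not code from the slides: it uses textbook RSA with a tiny fixed key pair built from two Mersenne primes (an assumption for the example so the arithmetic is visible), no padding and a modulus far too small, so it is only for illustration. The canonical-form function mimics what RRSIG computation does to an RRset before hashing (lower-cased owner name, original TTL, sorted records).

```python
"""Sign and verify an RRset: private-key operation on the hash, public-key
operation to check it. Toy key pair, not secure."""
import hashlib

P = 2**31 - 1                        # toy primes; real keys use random 1024-2048-bit primes
Q = 2**61 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (modular inverse, Python 3.8+)


def canonical_rrset(owner: str, rtype: str, ttl: int, rdatas) -> bytes:
    """Canonical form as RRSIG computation requires: owner lower-cased,
    original TTL, records sorted. Any change to it changes the hash."""
    lines = sorted(f"{owner.lower()} {ttl} IN {rtype} {r}" for r in rdatas)
    return "\n".join(lines).encode()


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data as an integer. It is reduced modulo n only because
    the toy modulus is shorter than the digest; real RSA instead pads the
    digest up to the modulus size (PKCS#1 v1.5 for DNSSEC algorithms 5, 7, 8, 10)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key=(D, N)) -> int:
    """Private-key operation on the hash: this is the 'encrypted hash' of the slide."""
    d, n = private_key
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, public_key=(E, N)) -> bool:
    """Public-key operation on the signature, compared with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)


if __name__ == "__main__":
    rrset = canonical_rrset("www.iis.se.", "A", 3600, ["212.247.7.210"])
    rrsig = sign(rrset)                       # done by the zone owner, who holds D
    print("genuine:", verify(rrset, rrsig))   # done by the resolver, who holds only E and N
    forged = canonical_rrset("www.iis.se.", "A", 3600, ["10.0.0.1"])
    print("tampered:", verify(forged, rrsig))
```

The verifier never needs the private exponent D, which is why the private key can stay off the name servers entirely (slide 26: protect the private key, publish the public one). Changing a single octet of the RRset, or of the signature, makes the comparison fail.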
31. DNSSEC signatures
$ dig ns iis.se +dnssec
; <<>> DiG 9.4.2-P2 <<>> ns iis.se +dnssec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34814
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iis.se. IN NS
;; ANSWER SECTION:
iis.se. 2272 IN NS ns.nic.se.
iis.se. 2272 IN NS ns2.nic.se.
iis.se. 2272 IN NS ns3.nic.se.
iis.se. 2272 IN RRSIG NS 5 2 3600 20081204120501 20081124120501 51402 iis.se. ukl8uMjAcAC0MiFD9jtWGR5/2AOQ4zrQ3U+x7GmHDBcUBwnRbL/v+BFWyaJdOwwUEpVf30abdRSlNfQRJB19/bt3Rs2AlqLhoQHBFGFuohNVp16DdQyvtJgxnufD+RR/E9iwEgXwIxIFnJ1xnT1GfAqmgiHZhiuzU6DqOMmbtBI=
;; ADDITIONAL SECTION:
ns.nic.se. 876 IN A 212.247.7.228
ns2.nic.se. 876 IN A 194.17.45.54
ns3.nic.se. 85433 IN A 212.247.3.83
ns.nic.se. 876 IN RRSIG A 5 3 3600 20081202051001 20081122051001 54675 nic.se. bb6J+7yhGzZORCtCMtFU9BDX8uVbn4ySh6+Ssh02xojzt+OnKdaUj4ZCc9yyqqEfz2hZmY1T91lMhHp+38MSlbAs8Lmtn8sL+K+AOKNfA3dVSOOxoDOI0xxUfFXXExNw/KBBUPVDqGOQnhMsvAMN721NaS8XNqhKPCtRWm24fkg=
ns2.nic.se. 876 IN RRSIG A 5 3 3600 20081202051001 20081122051001 54675 nic.se. FD5c3mS+ul4HmTHHOfO9jkVVgH/9h+Ai5LZ9snxZbIjkX2z5ysqhT3qpucHUd5vz1TRJkyr2hSpKQjEiHw3fP4bphUCnP72B8g3jwxIU3RaBwPGLxLYt7Zb//5q/jY72ppgtijNSRwvkS/ghhjiKK6/nG/itymVtIPRHVtF5RMI=
;; Query time: 1 msec
;; SERVER: 212.247.7.170#53(212.247.7.170)
;; WHEN: Thu Nov 27 14:52:09 2008
;; MSG SIZE rcvd: 638

Reading the output: the do flag in the OPT pseudosection is what asked the resolver for DNSSEC records, and the ad flag in the header is the resolver at 212.247.7.170 saying it validated the answer. The fields of an RRSIG are, in order: the type covered (NS), the algorithm (5 = RSA/SHA-1), the number of labels in the owner name (2 for iis.se), the original TTL (3600), the expiration and inception times (YYYYMMDDHHMMSS in UTC), the key tag of the signing key (51402, the iis.se ZSK), the signer name, and the signature itself. Note the signatures in the additional section are made by nic.se, not iis.se: each RRset is signed by the zone it belongs to.
32. Zone file without DNSSEC
@       IN SOA  ns.nic.se. hostmaster.iis.se. (
                2009012701      ; serial
                10800           ; refresh (3 hours)
                3600            ; retry (1 hour)
                604800          ; expire (1 week)
                86400 )         ; minimum (1 day)
        NS      ns.nic.se.
        NS      ns2.nic.se.
        NS      ns3.nic.se.
        MX      10 cleaner.prod.iis.se.
$ORIGIN iis.se.
www     IN A    212.247.7.210
33-34. Fingerprints
A fingerprint is a checksum of a key. Fingerprints are often published instead of keys because they are much shorter than a key, and considerably easier to read.

The iis.se KSK (as wrapped on the slide):
AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUluZoD+K6vpxkGJx5m5n4boRTKCTUAR9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk=

and its fingerprint:
10DD1EFDC7841ABFDF630C8BB37153724D70830A

In DNSSEC the fingerprint is the SHA-1 (or SHA-256) hash over the owner name and the DNSKEY record data; this value is exactly what the parent publishes in the DS record with digest type 1.
35-37. DS records
DS, Delegation Signer.
A DS record (a hash of a DNSKEY) is published in the parent zone to delegate trust to the child zone.
This is what is published for iis.se at .se:

iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543
iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A

Two DS records: two digest algorithms are used for .SE, SHA-1 (digest type 1) and SHA-256 (digest type 2). Both hash the same key; the key tag 18937 and algorithm 5 (RSA/SHA-1) identify the iis.se KSK.
The DS records are signed by the parent (.se). The NS records of the delegation are not: in the parent they are not authoritative data, so at a delegation point only the DS (and the parent's NSEC) carry signatures. A resolver therefore cannot trust the referral itself; it trusts the chain KSK of the parent → RRSIG over DS → DS → KSK of the child.
38-39. The DS delegation
In .se:
iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543
iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A

In iis.se, the KSK the DS records point at (as wrapped on the slide):
iis.se. IN DNSKEY 257 3 5 AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs+LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+XXyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMwQ4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioqqxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151DywuSxbGjAlxk=

If you have several KSKs you will also have several DS records in the parent zone, one per KSK and digest type. The DS is the only link between parent and child, so it must be updated at the parent whenever the KSK is rolled: a DS that matches no published DNSKEY makes the whole child zone bogus for validating resolvers.
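How the parent's DS is derived from the child's DNSKEY (RFC 4034, Appendix B for the key tag and section 5.1.4 for the digest), as an added example that is not code from the slides. The two-byte "public key" used in the demonstration is constructed so the key tag can be checked by hand; the published DS values are the ones printed on the slides for iis.se. Feeding the function the real KSK text from the slide must reproduce key tag 18937 and both digests, which is the check a zone operator runs before asking the parent to publish a DS.

```python
"""Key tag and DS digest computation for a DNSKEY record."""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root = 0x00."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags (256 = ZSK, 257 = KSK), protocol (always 3), algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum over the RDATA. It only helps a
    validator pick a key out of the DNSKEY RRset; two keys can share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), upper-case hex.
    Digest type 1 = SHA-1, 2 = SHA-256 (the two that .SE publishes)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str, digest_type: int) -> str:
    """The DS line to hand to the parent, computed from the child's DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, base64.b64decode(pubkey_b64))
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


# What .se publishes for iis.se according to the slides (key tag 18937, algorithm 5).
PUBLISHED = {1: "10DD1EFDC7841ABFDF630C8BB37153724D70830A",
             2: "B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543"}


def check_against_parent(owner: str, flags: int, algorithm: int, pubkey_b64: str, published: dict) -> dict:
    """For each digest type: does our DNSKEY hash to what the parent published?
    A False here is the 'DS points at nothing' misconfiguration."""
    rdata = dnskey_rdata(flags, algorithm, base64.b64decode(pubkey_b64))
    return {t: ds_digest(owner, rdata, t) == d.upper() for t, d in published.items()}


if __name__ == "__main__":
    # Constructed 2-byte key, base64 "AQI=", so the key tag is checkable by hand:
    # RDATA 01 01 03 05 01 02 -> 0x0100 + 0x01 + 0x0300 + 0x05 + 0x0100 + 0x02 = 1288.
    print(ds_record("iis.se.", 257, 5, "AQI=", 1))
    print(ds_record("iis.se.", 257, 5, "AQI=", 2))
    # With the real iis.se KSK text from the slide as pubkey_b64,
    # check_against_parent(...) should give {1: True, 2: True} and key_tag(...) 18937.
    print(check_against_parent("iis.se.", 257, 5, "AQI=", PUBLISHED))
```

Because the digest covers the owner name as well as the key, the same key published under another name gets a different DS; and because the key tag is only a checksum, a validator must always confirm the digest, never just the tag.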
40-41. NSEC
Proof of non-existence.
One also wants to protect against someone forging a negative answer for a name in DNS, making a name that exists look as if it does not (a denial of service against that name). This is done with NSEC.

iis.se. IN NSEC iis07.se. NS DS RRSIG NSEC
iis.se. IN RRSIG NSEC 5 2 7200 20090131230405 20090126101756 28770 se. GK6JQNDTsHlI3z8v1QR2jHr2VNpzhyB2UYFCEASJJBINnRpaUpmnsE4iF9AoyS4g50Lly1zJb659bY76hkmaJDO6Xwl0+llefX8ZN9iv0snfd2GUJyGyJzlu9txgZTsfC7HQcX1gZPjnq9BgE1YDHifJNZAqijBG83rtj9Wc=

An NSEC record points at the next owner name in the zone (in canonical order) and lists the record types that exist at its own name. The record above lives in the se. zone (the signer is se., key tag 28770): it says that iis.se exists with NS, DS, RRSIG and NSEC records, and that no name sorts between iis.se and iis07.se. A resolver asking for, say, iis0.se gets this signed record back and can verify the negative answer just as it verifies a positive one. The price is that anyone can follow the chain of next-names and enumerate every name in the zone; NSEC3 (RFC 5155) hashes the names to make that harder.
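The covering check a validator performs on an NSEC record, as an added example that is not code from the slides: canonical ordering of names (RFC 4034 section 6.1), the wrap-around of the last record to the apex, and the rule that an NSEC at a delegation point proves nothing about names below that delegation. The chain is constructed around the one real record on the slide (iis.se. NSEC iis07.se.); the other entries are invented neighbours, not the real .se zone.

```python
"""Authenticated denial of existence with NSEC."""


def canonical_key(name: str):
    """RFC 4034 section 6.1 ordering: compare label by label from the right,
    case-insensitively, octet by octet, a label that is a prefix of another
    sorting first. Python compares tuples of bytes exactly that way."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode("ascii") for label in reversed(labels) if label)


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next_name. The last NSEC
    of a zone points back to the apex, so the interval may wrap around."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def is_ancestor(ancestor: str, name: str) -> bool:
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(a) < len(n) and n[:len(a)] == a


def proves_nonexistence(chain, apex: str, qname: str):
    """Return the covering (owner, next, types) NSEC, or None if the chain
    proves nothing. chain: list of (owner, next_name, "TYPE TYPE ...")."""
    if not (canonical_key(qname) == canonical_key(apex) or is_ancestor(apex, qname)):
        return None                       # outside this zone: this chain cannot speak for it
    for owner, next_name, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            return None                   # the name exists (perhaps without this type)
        if nsec_covers(owner, next_name, qname):
            bits = types.split()
            # RFC 6840 section 4.1: an NSEC at a delegation (NS without SOA) says
            # nothing about names below the delegation; the child zone does.
            if "NS" in bits and "SOA" not in bits and is_ancestor(owner, qname):
                return None
            return (owner, next_name, types)
    return None


# Constructed chain; only the iis.se record is the real one from the slide.
CHAIN = [
    ("se.",       "a.se.",     "NS SOA RRSIG NSEC DNSKEY"),   # apex
    ("iis.se.",   "iis07.se.", "NS DS RRSIG NSEC"),           # from the slide
    ("iis07.se.", "iit.se.",   "NS DS RRSIG NSEC"),
    ("zzz.se.",   "se.",       "NS DS RRSIG NSEC"),           # last record, wraps to apex
]

if __name__ == "__main__":
    for q in ("iis0.se.", "iis.se.", "www.iis.se.", "zzzz.se.", "b.se."):
        print(q, "->", proves_nonexistence(CHAIN, "se.", q))
```

iis0.se sorts between iis.se and iis07.se (a shorter label that is a prefix comes first), so the slide's record proves it does not exist. www.iis.se also falls in that interval, but the NSEC owner is a delegation, so the parent's record is not accepted as proof; the answer has to come from iis.se's own NSEC chain. b.se falls in a gap of this toy chain, and without a covering record there is simply no proof, which is what a validator must conclude too.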
46. Keys in the resolver
A resolver must hold at least one key (a trust anchor) to verify DNSSEC records. For .SE we use two overlapping KSKs, each valid for two years:

Year 1      Year 2      Year 3      Year 4
KSK n       [valid for two years]
KSK n+1                 [valid for two years, overlapping KSK n]

The overlap gives resolver operators time to add the new key while the old one still validates. A resolver left with only an expired key rejects everything under .se (SERVFAIL), so the anchor must be maintained; RFC 5011 describes how a resolver can pick up a new KSK automatically from the signed DNSKEY RRset during such an overlap.
48. Example in BIND
In your named.conf:

trusted-keys {
    "se." 257 3 5 "AQOfYGgsIqyVeES+J9JWQ/xZdK92sZVN2tTXlJeDm5DgIQM0qfvC3Cd6T3unHQf7pTQv8hf3qP/50yFEVttiGPVL4ctm3KFhaybJGz/1/AGkCdqmGPymAcVVvdBICCx165gusSsK5fF70j+Zm6r4NBsFMyUiIPLiMkKHPQE2pWDMLw==";
};
options {
    dnssec-enable yes;
    dnssec-validation yes;
};

This is the 2009 configuration: the root zone was not signed until July 2010, so a resolver needed an anchor for se. itself. In current BIND 9 the usual configuration is dnssec-validation auto; (validation from the built-in root key, kept current per RFC 5011), trusted-keys has been replaced by trust-anchors, and dnssec-enable no longer exists. A key configured statically like the one above must be replaced by hand when it rolls (slide 46), or validation for everything under it fails.
49-59. Looking up DNS with DNSSEC
The same lookup of www.iis.se, now through a validating resolver. The client computer is unaware of DNSSEC; the caching resolver is configured with a trust anchor for .SE (slide 48), because in March 2009 the root zone was not yet signed, so the chain of trust starts at se. rather than at the root. Slides 50 to 59 add one step at a time; the complete sequence is:

1. Client computer → caching resolver: www.iis.se?
2. Caching resolver → root (.): www.iis.se? +do (the DO bit in the EDNS OPT record asks for DNSSEC records in the answer)
3. Root → caching resolver: ask a.ns.se! (a plain referral; the unsigned root has no signatures to offer)
4. Caching resolver → .se (a.ns.se): www.iis.se? +do. The resolver also fetches the DNSKEY RRset of se. and checks that the KSK in it matches its configured trust anchor.
5. .se → caching resolver: ask ns.nic.se!, together with the DS record for iis.se and the RRSIG over it. The resolver validates that RRSIG with the se. DNSKEY; the DS now tells it which iis.se KSK to trust.
6. Caching resolver → iis.se (ns.nic.se): www.iis.se? +do. The resolver fetches the DNSKEY RRset of iis.se, checks that the KSK hashes to the DS from step 5, and validates the RRSIG over the DNSKEY RRset made with that KSK.
7. iis.se → caching resolver: www.iis.se has address 212.247.7.210, plus the RRSIG over the A RRset made with the iis.se ZSK. The resolver validates it with the iis.se DNSKEY.
8. Caching resolver → client computer: www.iis.se has address 212.247.7.210, with the AD (authenticated data) flag set.

The client sees an ordinary answer; the AD flag is the only visible difference, and it is only worth anything if the path between client and resolver is trusted, since DNSSEC does not protect that last hop. If any signature in the chain fails to validate, the resolver answers SERVFAIL instead of passing on the data.
60. Common configuration errors
Not all name servers run DNSSEC: a secondary serving an unsigned copy of the zone answers without RRSIGs, so validation fails for the resolvers that happen to hit that server and works for the others.
Only a ZSK in the zone file: the DS in the parent points at a KSK that is not published, so the chain of trust ends at the delegation and the whole zone is bogus.
No signatures: a DS exists in the parent but the zone data carries no RRSIGs, so every answer fails validation.
All three look like a working zone to a non-validating resolver, which is why they go unnoticed until a validating resolver returns SERVFAIL.
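The three errors on slide 60, turned into checks over dig-style output, and the RRSIG fields explained on slide 31, parsed so the validity window can be tested. This is an added example, not code from the slides; the sample outputs are constructed from the records on the slides (the signed NS answer from slide 31 with its base64 shortened, an unsigned copy of the same zone as a secondary without DNSSEC would return it, and two DNSKEY answers, one of which lacks the KSK). The DNSKEY RRSIG lines are invented for the example.

```python
"""Checks for unsigned servers, missing KSK and missing or expired signatures."""
import re
from datetime import datetime, timezone

RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
    r"(?P<tag>\d+)\s+(?P<signer>\S+)")
DNSKEY_RE = re.compile(r"\s+IN\s+DNSKEY\s+(\d+)\s+3\s+\d+\s")


def parse_ts(ts: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output: str) -> list:
    sigs = []
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append({"owner": m["owner"], "covered": m["covered"], "algorithm": int(m["alg"]),
                         "labels": int(m["labels"]), "original_ttl": int(m["orig_ttl"]),
                         "expiration": parse_ts(m["exp"]), "inception": parse_ts(m["inc"]),
                         "key_tag": int(m["tag"]), "signer": m["signer"]})
    return sigs


def signature_valid_at(sig: dict, when: str) -> bool:
    """when: a timestamp in RRSIG format. Expired signatures are the commonest
    way a signed zone goes bogus, so re-sign well before expiration."""
    return sig["inception"] <= parse_ts(when) <= sig["expiration"]


def dnskey_flags(dig_output: str) -> list:
    return [int(m.group(1)) for m in DNSKEY_RE.finditer(dig_output)]


def check_zone(zone: str, dnskey_output: str, ns_outputs: dict, when: str) -> list:
    """ns_outputs: {server: output of 'dig @server <zone> NS +dnssec'} for every
    NS of the zone. Returns a list of problems, empty when all is well."""
    problems = []
    flags = dnskey_flags(dnskey_output)
    if not flags:
        problems.append(f"{zone}: no DNSKEY at all")
    elif 257 not in flags:
        problems.append(f"{zone}: only a ZSK (256) in the zone, no KSK (257) for the parent's DS to match")
    if not any(s["covered"] == "DNSKEY" for s in parse_rrsigs(dnskey_output)):
        problems.append(f"{zone}: DNSKEY RRset is not signed")
    for server, out in ns_outputs.items():
        sigs = [s for s in parse_rrsigs(out) if s["covered"] == "NS"]
        if not sigs:
            problems.append(f"{server}: answers without RRSIG, it is not serving the signed zone")
        for s in sigs:
            if not signature_valid_at(s, when):
                problems.append(f"{server}: RRSIG over NS (key tag {s['key_tag']}) outside its validity window")
    return problems


# Constructed samples (base64 shortened; only the record headers are parsed).
SIGNED_NS = """\
iis.se.  2272 IN NS ns.nic.se.
iis.se.  2272 IN NS ns2.nic.se.
iis.se.  2272 IN NS ns3.nic.se.
iis.se.  2272 IN RRSIG NS 5 2 3600 20081204120501 20081124120501 51402 iis.se. ukl8uMjAcAC0MiFD9jtW...
"""
UNSIGNED_NS = """\
iis.se.  2272 IN NS ns.nic.se.
iis.se.  2272 IN NS ns2.nic.se.
iis.se.  2272 IN NS ns3.nic.se.
"""
DNSKEY_OK = """\
iis.se.  3600 IN DNSKEY 257 3 5 AwEAAcq5u...
iis.se.  3600 IN DNSKEY 256 3 5 AwEAAdanc...
iis.se.  3600 IN RRSIG DNSKEY 5 2 3600 20081204120501 20081124120501 18937 iis.se. invented...
"""
DNSKEY_ZSK_ONLY = """\
iis.se.  3600 IN DNSKEY 256 3 5 AwEAAdanc...
iis.se.  3600 IN RRSIG DNSKEY 5 2 3600 20081204120501 20081124120501 51402 iis.se. invented...
"""

if __name__ == "__main__":
    servers = {"ns.nic.se.": SIGNED_NS, "ns3.nic.se.": UNSIGNED_NS}
    for p in check_zone("iis.se.", DNSKEY_ZSK_ONLY, servers, "20081127145209"):
        print("PROBLEM:", p)
    print(check_zone("iis.se.", DNSKEY_OK, {"ns.nic.se.": SIGNED_NS}, "20090319120000"))
```

Run against real output, the NS check has to be made against every server in the NS RRset separately (dig @server), since a resolver cannot choose which one it reaches; that is what makes the first error on the slide intermittent. The last call shows the slide's own RRSIG from November 2008 as expired on the day of the talk.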
Editor's Notes
(slides 4-7) The root is at the top of the DNS hierarchy. The root contains NS records and glue records (A records giving the IP addresses of the name servers) for all TLDs. Each node in the hierarchy is called a zone. A zone contains the NS records for the zone itself and for any child zone, and all other zone data for the services of that domain name (for example www.example.com).
(slides 16-25 and 49-59) The caching resolver performs all DNS lookups on behalf of the user and caches every result. A result is refreshed after its cache entry expires; this is controlled by the TTL (Time To Live), which the authoritative server sets for each DNS record.
The servers responsible for a zone are called authoritative name servers.
The act of saying "ask this name server" is called a referral. An authoritative server does this when it only knows the NS records of the zone asked about. An authoritative server may refuse a query for a name it is not authoritative for, since it does not recurse.
(slide 26) Symmetric crypto is crypto where both parties use the same key to encrypt and decrypt a message.
Asymmetric crypto has the property that anybody can encrypt a message using the receiver's public key, and only the receiver can decrypt it, using their private key.
The reason for having different keys for signing the zone and for signing the ZSK is to separate the delegation of trust (the KSK, which the parent's DS points at) from the signing of all zone data (the ZSK), so the ZSK can be rolled often without involving the parent.
(slide 27) The DNSKEY record contains the algorithm used for the key and the flags that say what type of key it is (256 = ZSK, 257 = KSK). Private DNSSEC keys are never stored in DNS.
The DNSKEY RRset at the apex is signed with the KSK; the other RRsets in the zone, including the other apex data such as SOA and NS, are signed with the ZSK.
(slide 30) MD5 (algorithm 1, RSA/MD5) was allowed by the original DNSSEC specifications but not recommended; later RFCs forbid it.
(slide 31) This is a validated DNS answer with the DNSSEC signatures included. The AD flag is how the resolver tells the client that it has validated the signatures. If the DNSSEC-aware resolver had failed to validate them, the answer would have carried no content and the result would have been SERVFAIL.
(slide 32) This is a standard zone file with no keys or signatures and a very limited set of data.
(signed zone file slides) This is not a complete zone, only an example. What is added is an RRSIG over every RRset, one DNSKEY (the ZSK is left out to keep it simple) and an NSEC record.
A signed zone file grows to roughly 3.5 times its original size.