DNSSEC - Towards Enhanced Internet Security
[Diagram: Printer, Webcam, Game Console, Browser, Mail agents, OS, Firewall, Virus scanner, Telephone, Mobile and Media Centre connect over wifi and a Router / Modem to the ISP’s, Google, the TLD’s and the root; "resolvers" is marked at several points along the way.]
[Diagram: name resolution between the local resolver and the (authoritative) name servers]

  1  Get me www.mybank.dom
  2  Where’s www.mybank.dom?
  3  Try the name server for .dom
  4  Where’s www.mybank.dom?
  5  Try the name server for mybank.dom
  6  Where’s www.mybank.dom?
  7  Here you can find www.mybank.dom
  8  Here you can find www.mybank.dom: 192.0.32.10
  9  online banking
[Diagram: the same lookup between the local resolver and the (authoritative) name servers, with two answers for www.mybank.dom]

  Get me www.mybank.dom
  Where’s www.mybank.dom?
  Try the auth for mybank.dom
  Where’s www.mybank.dom?
  Here you can find www.mybank.dom: 192.0.32.10
  Here you can find www.mybank.dom: 6.6.6.10
  Here you can find www.mybank.dom
  online banking
[Diagram: lookup of 1234.mybank.dom between the local resolver and the (authoritative) name servers]

  Get me 1234.mybank.dom
  Where’s 1234.mybank.dom?
  Try the auth for mybank.dom
  Where’s 1234.mybank.dom?
  No such domain exists (NXDOMAIN)
  Here you can find 1234.mybank.dom: 6.6.6.10

  And by the way:
    ns.mybank.dom = 6.6.6.1
    ns2.mybank.dom = 6.6.6.2

  And the authoritative nameserver for the entire .dom domain is
    ns.mine.dom = 6.6.6.6

  online banking
[Diagram: what each signed zone contains]

  root zone signing keys
      zone contains:  Signed records (including .dom)
                      Public key for .dom

  .dom zone signing keys
      zone contains:  Signed records for mybank.dom
                      Public key for mybank.dom

  .mybank.dom signing keys
      zone contains:  Signed record for www.mybank.dom
[Diagram: validation chain]

  Public root key
      validates
  Public key for .dom
      validates
  Public key for mybank.dom
      validates
  Signed record for www.mybank.dom
    dnssec-keygen -a alg -b bits -n type [options] name

    Kzonename+<alg>+<fing>.key
    Kzonename+<alg>+<fing>.private

     example.dom.           3600    IN      DNSKEY 256 3 5
     AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK
     7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT
     YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k
     YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB
     sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv
     NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv
     O7StbOht
        example.dom.           3600    IN      DNSKEY 257 3 5
        AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N
        Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW
        6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U
        BYtEIQ==
        example.dom.           3600    IN      DNSKEY 256 3 5
        AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV
        HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp
        /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3
        F+MGQw==
    dnssec-signzone [-o zonename] [-N INCREMENT] [-k KSKfile]
       zonefile [ZSKfile]

        example.dom.           9504    IN      RRSIG   A 5 2
        10200 20100412015003 20100315015003 18182 example.dom.
        H4Yy1ClPpBEj+Et3c7rkxZW3Q/w3O28sO3Mpt6c4HRpFdBwwMjzbYI0Q
        vWInuxSIWx3IJ455nX4k/N8NBRENzRK/+L74dM71OovOT50oLJ6ZOVvu
        /cjQtvQzHtJkoIvywsVpzDlgckvp8jVR6pDDM3TuXhehh6HHSR/E9NxT
        7oE=
        example.dom.           9346    IN      RRSIG   NS 5 2
        10200 20100412015003 20100315015003 18182 example.dom.
        XIUX8rm6LZQq1+agULABIllTWic18Fa92MrHtn+vRce+mHN6svWALutF
        SvsqqCbCCBMlwZgShXKNZjuSu8+NKMnurafAtWU4IVWrt3UqSsWxKYPZ
        N3qtKrSuTTo/8vwUmmvyShlehSQ2xTA6Sk6dnn8iwUObO+8eoX190A23
        0Z8=
        example.dom. 3600     DS 10177 5 1 (
            763F5C58926ECA5C4E1B6B2701CA75E9F509F321
            )

        example.dom. 3600      DNSKEY  257 3 5 (
            AwEAAbctL3nCKtl55NRZW6g4i3tajQi55OtP
            XZYIIPoo2h6ENB0eGA5xfeDDJZwDkZt6z5bp
            ur0P1zCMa17JPMMpylp1+4j8G3VyKuZkLBIV
            eQif7N7sbP14Qzuo/T90ErVG/YbUYTSZifu3
            xm4D/P2xSV+SFe3tNd0g9o94TSs5jWM5
            ) ; key id = 10177
[Slide: the unsigned infra.work zone shown next to its signed form]

    ; infra.work zone
    ;
    $TTL 100
    $ORIGIN infra.work.
    @               100  IN  SOA  ns.infra.work. (
                                  olaf.nlnetlabs.nl.
                                  2008091500
                                  100
                                  200
                                  604800
                                  100
                                  )
                    NS   ns.infra.work.
    ns.infra.work.  A    192.168.1.12
    www             A    192.168.1.10
    *               A    192.168.2.11
    *.c             A    192.168.2.12
    a.b.c           A    192.168.2.13

[Signed form: the column layout did not survive extraction. In the recoverable part, each RRset is followed by an RRSIG (algorithm 5, expiration 20081113113016, inception 20081014113016, key tag 57798, signer infra.work.), the apex carries a DNSKEY 256 3 5 with key id = 57798, and the NSEC records are:]

    infra.work.        100  NSEC  *.infra.work. NS SOA RRSIG NSEC DNSKEY
    *.c.infra.work.    100  NSEC  a.b.c.infra.work. A RRSIG NSEC
    a.b.c.infra.work.  100  NSEC  ns.infra.work. A RRSIG NSEC
    ns.infra.work.     100  NSEC  www.infra.work. A RRSIG NSEC
    www.infra.work.    100  NSEC  infra.work. A RRSIG NSEC
Feb 10 04:16:43 ns0 unbound: [5973:1] info: validation failure <USPTO.GOV. MX IN>: no
signatures from 151.207.246.51 for key USPTO.GOV. while building chain of trust
Feb 10 04:53:00 ns0 unbound: [5973:0] info: validation failure <gk-w-mail.srvs.usps.gov. A
IN>: no signatures over NSEC3s from 56.0.141.25 for DS gk-w-mail.srvs.usps.gov. while...
Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure <www.hud.gov. A IN>: no DS...


Feb 10 13:47:35 ns0 unbound: [5973:0] info: validation failure <www.atol.bg. A IN>: No DNSK...
Feb 10 13:37:17 ns0 unbound: [5973:0] info: validation failure <ns.unicycle.cz. A IN>: no k...


Feb 15 19:10:25 ns0 unbound: [5973:1] info: validation failure <FM.UL.PT. MX IN>: no NSEC3
records from 2001:690:21c0:b::150 for DS FM.UL.PT. while building chain of trust



  • 11. TLD’s Printer root resolvers Webcam Game Console Router / resolvers wifi Modem ISP’s Browser Mail agents resolvers OS Firewall Google Virus scanner Telephone Mobile resolvers Media Centre
  • 12. o o o o o o o
  • 15. (authoritative) name servers local resolver 2 Where’s www.mybank.dom? 1 Get me www.mybank.dom 3 Try the name server for .dom Here you can find www.mybank.dom: 192.0.32.10 8 4 Where’s www.mybank.dom? Try the name server for mybank.dom 5 9 online banking 6 Where’s www.mybank.dom? 7 Here you can find www.mybank.dom
  • 17. (authoritative) name servers local resolver Where’s www.mybank.dom? Get me www.mybank.dom Try the auth for mybank.dom Here you can find www.mybank.dom Where’s www.mybank.dom? online banking Here you can find www.mybank.dom: 192.0.32.10 Here you can find www.mybank.dom: 6.6.6.10
  • 18. (authoritative) name servers local resolver Where’s 1234.mybank.dom? Get me 1234.mybank.dom Try the auth for mybank.dom Where’s 1234.mybank.dom? online banking No such domain exists NXDOMAIN Here you can find 1234.mybank.dom: 6.6.6.10 And by the way: ns.mybank.dom = 6.6.6.1 ns2.mybank.dom = 6.6.6.2 And the authoritative nameserver for the entire .dom domain is ns.mine.dom = 6.6.6.6
  • 19. o o o o o o
  • 20. o o o o
  • 21. o o o o
  • 23. o o o o o o o
  • 25. o o o o o o o o o
  • 26. o o o o o o o o
  • 27. zone o o zone o o o
  • 28. root zone signing keys zone Signed records (including .dom) contains Public key for .dom .dom zone signing keys zone Signed records for mybank.dom contains Public key for mybank.dom .mybank.dom signing keys zone contains Signed record for www.mybank.dom
  • 29. zone Public root key validates Public key for .dom validates zone Public key for mybank.dom validates zone Signed record for www.mybank.dom
  • 30. o dnssec-keygen -a alg -b bits -n type [options] name o o o o o Kzonename+<alg>+<fing>.key Kzonename+<alg>+<fing>.private example.dom. 3600 IN DNSKEY 256 3 5 AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK 7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv O7StbOht
  • 33. example.dom. 3600 IN DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==
        example.dom. 3600 IN DNSKEY 256 3 5 AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3 F+MGQw==
  • 34. dnssec-signzone [-o zonename] [-N INCREMENT] [-k KSKfile] zonefile [ZSKfile]
        example.dom. 9504 IN RRSIG A 5 2 10200 20100412015003 20100315015003 18182 example.dom. H4Yy1ClPpBEj+Et3c7rkxZW3Q/w3O28sO3Mpt6c4HRpFdBwwMjzbYI0Q vWInuxSIWx3IJ455nX4k/N8NBRENzRK/+L74dM71OovOT50oLJ6ZOVvu /cjQtvQzHtJkoIvywsVpzDlgckvp8jVR6pDDM3TuXhehh6HHSR/E9NxT 7oE=
        example.dom. 9346 IN RRSIG NS 5 2 10200 20100412015003 20100315015003 18182 example.dom. XIUX8rm6LZQq1+agULABIllTWic18Fa92MrHtn+vRce+mHN6svWALutF SvsqqCbCCBMlwZgShXKNZjuSu8+NKMnurafAtWU4IVWrt3UqSsWxKYPZ N3qtKrSuTTo/8vwUmmvyShlehSQ2xTA6Sk6dnn8iwUObO+8eoX190A23 0Z8=
  • 35. example.dom. 3600 DS 10177 5 1 ( 763F5C58926ECA5C4E1B6B2701CA75E9F509F321 )
        example.dom. 3600 DNSKEY 257 3 5 ( AwEAAbctL3nCKtl55NRZW6g4i3tajQi55OtP XZYIIPoo2h6ENB0eGA5xfeDDJZwDkZt6z5bp ur0P1zCMa17JPMMpylp1+4j8G3VyKuZkLBIV eQif7N7sbP14Qzuo/T90ErVG/YbUYTSZifu3 xm4D/P2xSV+SFe3tNd0g9o94TSs5jWM5 ) ; key id = 10177
  • 36. Unsigned infra.work zone file, shown next to its signed version (with RRSIG, NSEC and DNSKEY records; key id = 57798):
        ; infra.work zone
        ;
        $TTL 100
        $ORIGIN infra.work.
        @ 100 IN SOA ns.infra.work. (
              olaf.nlnetlabs.nl.
              2008091500
              100
              200
              604800
              100
              )
          NS ns.infra.work.
        ns.infra.work. A 192.168.1.12
        www A 192.168.1.10
        * A 192.168.2.11
        *.c A 192.168.2.12
        a.b.c A 192.168.2.13
  • 46. Feb 10 04:16:43 ns0 unbound: [5973:1] info: validation failure <USPTO.GOV. MX IN>: no signatures from 151.207.246.51 for key USPTO.GOV. while building chain of trust
        Feb 10 04:53:00 ns0 unbound: [5973:0] info: validation failure <gk-w-mail.srvs.usps.gov. A IN>: no signatures over NSEC3s from 56.0.141.25 for DS gk-w-mail.srvs.usps.gov. while...
        Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure <www.hud.gov. A IN>: no DS...
        Feb 10 13:47:35 ns0 unbound: [5973:0] info: validation failure <www.atol.bg. A IN>: No DNSK...
        Feb 10 13:37:17 ns0 unbound: [5973:0] info: validation failure <ns.unicycle.cz. A IN>: no k...
        Feb 15 19:10:25 ns0 unbound: [5973:1] info: validation failure <FM.UL.PT. MX IN>: no NSEC3 records from 2001:690:21c0:b::150 for DS FM.UL.PT. while building chain of trust