SlideShare une entreprise Scribd logo

DNSSec

Julien Pivotto
Julien Pivotto

Talk given at RMLL Security Track 2016, about DNS and security, DNSSEC and DANE. Focusing on bind and Puppet.

Technologie
1  sur  71
Télécharger pour lire hors ligne
DNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and Security Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto RMLL Security Track July 5th, 2016
whoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhois Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto • Sysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.eu • From small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgs • Automation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & Monitoring • @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie on irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/github
inuits.eu
DNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNSDNS
What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS? • TTTTTTTTTTTTTTTTTL;DR Translates domain name to IP • IIIIIIIIIIIIIIIIIn facto, stores much more data than IP
How it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it works Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/frans16611/6139595092
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
DNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-critical • HHHHHHHHHHHHHHHHHolds IP addresses • HHHHHHHHHHHHHHHHHolds service definitions • HHHHHHHHHHHHHHHHHolds hostnames, TXT records
DNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practices • DDDDDDDDDDDDDDDDDo not mix Authoritative and Recursive servers • MMMMMMMMMMMMMMMMMix your DNS server `brand' • HHHHHHHHHHHHHHHHHide your DNS masters • DDDDDDDDDDDDDDDDDo not invent new TLD
Data stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNS • AAAAAAAAAAAAAAAAA records: IP addresses • CCCCCCCCCCCCCCCCCNAME: Cannonical names • SSSSSSSSSSSSSSSSSRV: Service record • MMMMMMMMMMMMMMMMMX: Mail servers • TTTTTTTTTTTTTTTTTXT: Text record
SRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV records _xmpp−client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.
TXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT Records • SSSSSSSSSSSSSSSSSPF record: Sender Policy Framework • DDDDDDDDDDDDDDDDDKIM • KKKKKKKKKKKKKKKKKeybase.io • LLLLLLLLLLLLLLLLLet's Encrypt DNS challenge
Not secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by design • 11111111111111111983 • DDDDDDDDDDDDDDDDDesigned for scale, not security • EEEEEEEEEEEEEEEEEarly 2000: birth of DNSSec
DNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSec • 22222222222222222000's DNSSec RFC • DDDDDDDDDDDDDDDDDNSSec hit DNS root in 2010 • MMMMMMMMMMMMMMMMMultiple iteration of RFC
The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. RFC 4033
What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec? • PPPPPPPPPPPPPPPPProof of origin and integrity • ZZZZZZZZZZZZZZZZZones and records signing • PPPPPPPPPPPPPPPPProof of non-existence
Two types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keys • ZZZZZZZZZZZZZZZZZSK: Zone Signing Key • KKKKKKKKKKKKKKKKKSK: Key Signing Key
Zone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing key • PPPPPPPPPPPPPPPPPrivate/Public key pair • SSSSSSSSSSSSSSSSSign the Records • eeeeeeeeeeeeeeeee.g sign the A records, the MX records … • RRRRRRRRRRRRRRRRRolled out frequently
Key Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing Key • PPPPPPPPPPPPPPPPPrivate/Public key pair • SSSSSSSSSSSSSSSSSign the ZSK • DDDDDDDDDDDDDDDDDesigned to be stronger than the ZSK • IIIIIIIIIIIIIIIIIts fingerprint is stored in parent zone
DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • RRRRRRRRRRRRRRRRRRSIG: Signature • DDDDDDDDDDDDDDDDDNSKEY: Public key • DDDDDDDDDDDDDDDDDS: Hash of a DNSKEY (parent zone)
DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • NNNNNNNNNNNNNNNNNSEC: Next secure • RRRRRRRRRRRRRRRRReturns the next secure entry • RRRRRRRRRRRRRRRRReturned when next secure is not found • NNNNNNNNNNNNNNNNNSEC/NSEC3 records are signed • NNNNNNNNNNNNNNNNNSEC3 prevents zone walking
In PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn Practice
BindBindBindBindBindBindBindBindBindBindBindBindBindBindBindBindBind • RRRRRRRRRRRRRRRRReference DNS Server • DDDDDDDDDDDDDDDDDeveloped by the Internet Systems Consortium • CCCCCCCCCCCCCCCCCurrent version: bind9 • bbbbbbbbbbbbbbbbbind10 project is abandoned
Bind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind features • SSSSSSSSSSSSSSSSSupports everything • RRRRRRRRRRRRRRRRRecurive, Authoritative • DDDDDDDDDDDDDDDDDynamic updates • DDDDDDDDDDDDDDDDDNSSec
Bind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSec • FFFFFFFFFFFFFFFFFull support + NSEC3 • MMMMMMMMMMMMMMMMManual signing • AAAAAAAAAAAAAAAAAutomated signing • DDDDDDDDDDDDDDDDDNSSec and dynamic zones
Generating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keys mkdir /etc/bind/keys cd /etc/bind/keys dnssec−keygen rmll.example dnssec−keygen −f KSK rmll.example
Generating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keys dnssec−keygen −a NSEC3RSASHA1 −b 2048 rmll .example dnssec−keygen −a NSEC3RSASHA1 −b 4096 −f KSK rmll.example
Generating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keys dnssec−dsfromkey −f /var/bind/rmll. example −K /etc/bind/keys/ rmll.example rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8 rmll.example. IN DS 18025 8 2 522 D8EA3287FFF41186169A30
Enable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bind options { dnssec−enable yes; dnssec−validation yes; }
Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Manually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signed zone "rmll.example" IN { type master; file "rmll.example.zone.signed"; };
Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Auto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto Signing zone "rmll.example" IN { type master; file "rmll.example.zone"; key−directory "/etc/bind/keys"; auto−dnssec maintain; inline−signing yes; };
Manually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zone dnssec−signzone −S −o rmll.example −K /etc /bind/keys/ /var/bind/master/rmll. example.zone • Creates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone file
DANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANE
DANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANE • DDDDDDDDDDDDDDDDDNS-based Authentication of Named Entities • NNNNNNNNNNNNNNNNNew record types to store public keys hashes • IIIIIIIIIIIIIIIIIndependant from DNSSec (!)
TLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA records • HHHHHHHHHHHHHHHHHash the fingerprint of a TLS key • """""""""""""""""Replacement" for the CA (https) • NNNNNNNNNNNNNNNNNot implemented natively in browsers • IIIIIIIIIIIIIIIIImplemented in IRC clients (irssi)
TLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA records _443._tcp IN TLSA 3 0 1 2 bfa3214fda53315b140e65fe66 _443._tcp.www IN TLSA 3 0 1 2 bfa3214fda53315b140e65 _6697._tcp.irc IN TLSA 3 0 1 2 bfa3214fda53315b140e6
Generating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hash openssl x509 −in cert.pem −outform DER | openssl sha256
SSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSH
TOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFU • TTTTTTTTTTTTTTTTTrust on first use • WWWWWWWWWWWWWWWWWorks on slowly moving env's • NNNNNNNNNNNNNNNNNowadays we populate new hosts all the time • NNNNNNNNNNNNNNNNNowadays we rebuild existing hosts
SSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP records • HHHHHHHHHHHHHHHHHash the fingerprint of a SSH server • IIIIIIIIIIIIIIIIImplemented in OpenSSH • UUUUUUUUUUUUUUUUUses DNS to recognize SSH key
IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c IN SSHFP 1 2 9 de5bc066a898733420bcfaae8f43e80e532 IN SSHFP 2 1 223 e89447a53a3178be02fee6fdd5b44228a IN SSHFP 2 2 2644 fcbd2a1b179091a195207e395d009b16
VerifyHostKeyDNS no VerifyHostKeyDNS yes VerifyHostKeyDNS ask
$ ssh −o VerifyHostKeyDNS=yes rmll.example The authenticity of host 'rmll.example (1.2.3.4)' can't be established. ECDSA key fingerprint is SHA256: f8zwQD3RU62PXgwCw5WRk2OIyVY. Matching host key fingerprint found in DNS Are you sure you want to continue?
Populating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fields • WWWWWWWWWWWWWWWWWhat if we have a single source of truth? • SSSSSSSSSSSSSSSSSomething that can scale, and be quick enough?
Config ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig Management • QQQQQQQQQQQQQQQQQuickly moving env often use Cfgmgmt Tools • TTTTTTTTTTTTTTTTThey know the env, store data • WWWWWWWWWWWWWWWWWe use Puppet+The foreman
PuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppet • AAAAAAAAAAAAAAAAA Config Management Tool • DDDDDDDDDDDDDDDDDeclarative • EEEEEEEEEEEEEEEEEnforces a desired state
Puppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet Facts • VVVVVVVVVVVVVVVVValues collected on the host • OOOOOOOOOOOOOOOOOS version, Uptime, kernel • SSSSSSSSSSSSSSSSSSH fingerprints • SSSSSSSSSSSSSSSSSent back to master
facts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfp • hhhhhhhhhhhhhhhhhttps://github.com/jpmens/facts2sshfp • PPPPPPPPPPPPPPPPPython script • RRRRRRRRRRRRRRRRRead facts yaml files • CCCCCCCCCCCCCCCCConverts Puppet facts to SSHFP records • UUUUUUUUUUUUUUUUUses Puppet as single source of truth • fffffffffffffffffacts2sshfp.py -T nsupdate.template -D a.aa. • OOOOOOOOOOOOOOOOOutput to templates, nsupdate commands…
The Foreman
The Foreman Provisioning
The Foreman Provisioning Configuration
The Foreman Provisioning Configuration Monitoring
The Foreman Provisioning Configuration Monitoring Reporting
Foreman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman Proxies • FFFFFFFFFFFFFFFFForeman works with a GUI + Proxies • DDDDDDDDDDDDDDDDDHCP proxy, Puppet Proxy, DNS proxy… • DDDDDDDDDDDDDDDDDNS Proxy is pluggable: bind9, powerdns…
Foreman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is great • OOOOOOOOOOOOOOOOOpen Source • BBBBBBBBBBBBBBBBBacked by Red Hat • TTTTTTTTTTTTTTTTThe main brick behind Red Hat Satellite 6 • PPPPPPPPPPPPPPPPProvides a REST API
Building a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) host • CCCCCCCCCCCCCCCCCreate/update DNS entries • CCCCCCCCCCCCCCCCCreate/update DHCP entries • CCCCCCCCCCCCCCCCCreate the VM in libvirt • BBBBBBBBBBBBBBBBBoot the VM • SSSSSSSSSSSSSSSSServe a kickstart • RRRRRRRRRRRRRRRRRun Puppet
The Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxy • PPPPPPPPPPPPPPPPPuppet Collects and save Facts on the machines • IIIIIIIIIIIIIIIIIt can send it back to the Foreman • FFFFFFFFFFFFFFFFForeman can graph them, query them…
facts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfp • hhhhhhhhhhhhhhhhhttps://github.com/jpmens/facts2sshfp • fffffffffffffffffacts2sshfp.py -T nsupdate.template --foreman-url=https://foreman.example -D a.aa.
ConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusion Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/haslamdigital/17191280202/sizes/h/
DNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocks • NNNNNNNNNNNNNNNNNeeded everywhere • DDDDDDDDDDDDDDDDDistributed • CCCCCCCCCCCCCCCCContains lots of data • MMMMMMMMMMMMMMMMMakes our life easier
DNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implement • AAAAAAAAAAAAAAAAAutomation is key • IIIIIIIIIIIIIIIIImplemented in most of the tools • AAAAAAAAAAAAAAAAAnd most of the DNS servers
DANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more security • SSSSSSSSSSSSSSSSSSH fingerprint • IIIIIIIIIIIIIIIIIRC, SMTP certificates hashes • EEEEEEEEEEEEEEEEExisting client-side implementations
DNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANE • DDDDDDDDDDDDDDDDDNSSec and Dane are more useful together • MMMMMMMMMMMMMMMMMake sure your resolver supports DNSsec! • TTTTTTTTTTTTTTTTThe power to check certificates without CA
ContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContact Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto julien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eu @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie inuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuits https://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.eu info@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.eu +32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636

Recommandé

DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
APNIC
 
DNSSEC Validation Tutorial
DNSSEC Validation TutorialDNSSEC Validation Tutorial
DNSSEC Validation Tutorial
APNIC
 
ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...
ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...
ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...
Компания УЦСБ
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
S. Hasnain Raza
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
Himanshu Prabhakar
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 

Recommandé

DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
APNIC
 
DNSSEC Validation Tutorial
DNSSEC Validation TutorialDNSSEC Validation Tutorial
DNSSEC Validation Tutorial
APNIC
 
ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...
ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...
ИБ АСУ ТП NON-STOP. Серия 4. Практика проведения аудитов информационной безоп...
Компания УЦСБ
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
S. Hasnain Raza
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
Himanshu Prabhakar
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
Evolving Cybersecurity Threats
Evolving Cybersecurity Threats Evolving Cybersecurity Threats
Evolving Cybersecurity Threats
Nevada County Tech Connection
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
xKinAnx
 
4_Session 1- Universal ZTNA.pptx
4_Session 1- Universal ZTNA.pptx4_Session 1- Universal ZTNA.pptx
4_Session 1- Universal ZTNA.pptx
aungyekhant1
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
Glen Plantz
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
Rommel Garcia
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
Bangladesh Network Operators Group
 
Overview of Data Loss Prevention (DLP) Technology
Overview of Data Loss Prevention (DLP) TechnologyOverview of Data Loss Prevention (DLP) Technology
Overview of Data Loss Prevention (DLP) Technology
Liwei Ren任力偉
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
Zero Trust Network Access
Zero Trust Network Access Zero Trust Network Access
Zero Trust Network Access
Er. Ajay Sirsat
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
LDAP
LDAPLDAP
LDAP
Khemnath Chauhan
 
Zero trust for everybody: 3 ways to get there fast
Zero trust for everybody: 3 ways to get there fastZero trust for everybody: 3 ways to get there fast
Zero trust for everybody: 3 ways to get there fast
Cloudflare
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
ThousandEyes
 
Active directory domain service
Active directory domain serviceActive directory domain service
Active directory domain service
Festus Oriaku
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
Kimberly Simon MBA
 
Active Directory Trusts
Active Directory TrustsActive Directory Trusts
Active Directory Trusts
n|u - The Open Security Community
 
Next Generation Network Automation
Next Generation Network AutomationNext Generation Network Automation
Next Generation Network Automation
Laurent Ciavaglia
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
Deployment and Continous Integration of a Zope/Plone application
Deployment and Continous Integration of a Zope/Plone applicationDeployment and Continous Integration of a Zope/Plone application
Deployment and Continous Integration of a Zope/Plone application
Julien Pivotto
 
Managing a R&D Lab with Foreman
Managing a R&D Lab with ForemanManaging a R&D Lab with Foreman
Managing a R&D Lab with Foreman
Julien Pivotto
 

Contenu connexe

Tendances

Evolving Cybersecurity Threats
Evolving Cybersecurity Threats Evolving Cybersecurity Threats
Evolving Cybersecurity Threats
Nevada County Tech Connection
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
xKinAnx
 
4_Session 1- Universal ZTNA.pptx
4_Session 1- Universal ZTNA.pptx4_Session 1- Universal ZTNA.pptx
4_Session 1- Universal ZTNA.pptx
aungyekhant1
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Zero trust for everybody: 3 ways to get there fast
Zero trust for everybody: 3 ways to get there fastZero trust for everybody: 3 ways to get there fast
Zero trust for everybody: 3 ways to get there fast
Cloudflare
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 

Tendances (20)

Evolving Cybersecurity Threats
Evolving Cybersecurity Threats Evolving Cybersecurity Threats
Evolving Cybersecurity Threats
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
 
4_Session 1- Universal ZTNA.pptx
4_Session 1- Universal ZTNA.pptx4_Session 1- Universal ZTNA.pptx
4_Session 1- Universal ZTNA.pptx
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
Overview of Data Loss Prevention (DLP) Technology
Overview of Data Loss Prevention (DLP) TechnologyOverview of Data Loss Prevention (DLP) Technology
Overview of Data Loss Prevention (DLP) Technology
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Zero Trust Network Access
Zero Trust Network Access Zero Trust Network Access
Zero Trust Network Access
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
LDAP
LDAPLDAP
LDAP
 
Zero trust for everybody: 3 ways to get there fast
Zero trust for everybody: 3 ways to get there fastZero trust for everybody: 3 ways to get there fast
Zero trust for everybody: 3 ways to get there fast
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
 
Active directory domain service
Active directory domain serviceActive directory domain service
Active directory domain service
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
Active Directory Trusts
Active Directory TrustsActive Directory Trusts
Active Directory Trusts
 
Next Generation Network Automation
Next Generation Network AutomationNext Generation Network Automation
Next Generation Network Automation
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
 

En vedette

En vedette (15)

Deployment and Continous Integration of a Zope/Plone application
Deployment and Continous Integration of a Zope/Plone applicationDeployment and Continous Integration of a Zope/Plone application
Deployment and Continous Integration of a Zope/Plone application
 
Managing a R&D Lab with Foreman
Managing a R&D Lab with ForemanManaging a R&D Lab with Foreman
Managing a R&D Lab with Foreman
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoS
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
 
Linux14 Dynamic DNS
Linux14 Dynamic DNSLinux14 Dynamic DNS
Linux14 Dynamic DNS
 
Linux15 dynamic dns-2
Linux15 dynamic dns-2Linux15 dynamic dns-2
Linux15 dynamic dns-2
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
DDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection MitigationDDoS Attacks : Preparation Detection Mitigation
DDoS Attacks : Preparation Detection Mitigation
 
Puppet DSL: back to the basics
Puppet DSL: back to the basicsPuppet DSL: back to the basics
Puppet DSL: back to the basics
 
CI on large open source software : Plone & Plone 5 is here!
CI on large open source software : Plone & Plone 5 is here!CI on large open source software : Plone & Plone 5 is here!
CI on large open source software : Plone & Plone 5 is here!
 

Similaire à DNSSec

"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
it-people
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
Digital Transformation EXPO Event Series
 
Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, Cisco
Henry Stern
 
How to Backdoor Diffie-Hellman
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
David Wong
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 

Similaire à DNSSec (20)

Enhance OpenSSH for fun and security
Enhance OpenSSH for fun and securityEnhance OpenSSH for fun and security
Enhance OpenSSH for fun and security
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
The internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana StinguThe internet for SEOs by Roxana Stingu
The internet for SEOs by Roxana Stingu
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
 
Distributed systems in practice, in theory
Distributed systems in practice, in theoryDistributed systems in practice, in theory
Distributed systems in practice, in theory
 
systemd and configuration management
systemd and configuration managementsystemd and configuration management
systemd and configuration management
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, Cisco
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
 
通信の秘密とブロッキング
通信の秘密とブロッキング通信の秘密とブロッキング
通信の秘密とブロッキング
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
How to Backdoor Diffie-Hellman
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
Qunog12-DNS暗号化
Qunog12-DNS暗号化Qunog12-DNS暗号化
Qunog12-DNS暗号化
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 

Plus de Julien Pivotto

Plus de Julien Pivotto (20)

The O11y Toolkit
The O11y ToolkitThe O11y Toolkit
The O11y Toolkit
 
What's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its EcosystemWhat's New in Prometheus and Its Ecosystem
What's New in Prometheus and Its Ecosystem
 
Prometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is comingPrometheus: What is is, what is new, what is coming
Prometheus: What is is, what is new, what is coming
 
What's new in Prometheus?
What's new in Prometheus?What's new in Prometheus?
What's new in Prometheus?
 
Introduction to Grafana Loki
Introduction to Grafana LokiIntroduction to Grafana Loki
Introduction to Grafana Loki
 
Why you should revisit mgmt
Why you should revisit mgmtWhy you should revisit mgmt
Why you should revisit mgmt
 
Observing the HashiCorp Ecosystem From Prometheus
Observing the HashiCorp Ecosystem From PrometheusObserving the HashiCorp Ecosystem From Prometheus
Observing the HashiCorp Ecosystem From Prometheus
 
Monitoring in a fast-changing world with Prometheus
Monitoring in a fast-changing world with PrometheusMonitoring in a fast-changing world with Prometheus
Monitoring in a fast-changing world with Prometheus
 
5 tips for Prometheus Service Discovery
5 tips for Prometheus Service Discovery5 tips for Prometheus Service Discovery
5 tips for Prometheus Service Discovery
 
Prometheus and TLS - an Introduction
Prometheus and TLS - an IntroductionPrometheus and TLS - an Introduction
Prometheus and TLS - an Introduction
 
Powerful graphs in Grafana
Powerful graphs in GrafanaPowerful graphs in Grafana
Powerful graphs in Grafana
 
YAML Magic
YAML MagicYAML Magic
YAML Magic
 
HAProxy as Egress Controller
HAProxy as Egress ControllerHAProxy as Egress Controller
HAProxy as Egress Controller
 
Improved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and AlertmanagerImproved alerting with Prometheus and Alertmanager
Improved alerting with Prometheus and Alertmanager
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Monitoring as an entry point for collaboration
Monitoring as an entry point for collaborationMonitoring as an entry point for collaboration
Monitoring as an entry point for collaboration
 
Incident Resolution as Code
Incident Resolution as CodeIncident Resolution as Code
Incident Resolution as Code
 
Monitor your CentOS stack with Prometheus
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
 
Monitor your CentOS stack with Prometheus
Monitor your CentOS stack with PrometheusMonitor your CentOS stack with Prometheus
Monitor your CentOS stack with Prometheus
 
An introduction to Ansible
An introduction to AnsibleAn introduction to Ansible
An introduction to Ansible
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

DNSSec

  • 1. DNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and SecurityDNS and Security Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto RMLL Security Track July 5th, 2016
  • 2. whoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhoiswhois Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto • Sysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.eu • From small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgsFrom small to large scale orgs • Automation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & MonitoringAutomation & Monitoring • @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie on irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/github
  • 5. What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS?What is DNS? • TTTTTTTTTTTTTTTTTL;DR Translates domain name to IP • IIIIIIIIIIIIIIIIIn facto, stores much more data than IP
  • 6. How it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it worksHow it works Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/frans16611/6139595092
  • 7. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 8. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 9. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 10. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 11. Licensed under a Creative Commons Attribution-ShareAlike 2.0 License Inspired by @jpmens - Icons by http://jcartier.net/spip.php?aticle39
  • 12. DNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-criticalDNS is mission-critical • HHHHHHHHHHHHHHHHHolds IP addresses • HHHHHHHHHHHHHHHHHolds service definitions • HHHHHHHHHHHHHHHHHolds hostnames, TXT records
  • 13. DNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practicesDNS practices • DDDDDDDDDDDDDDDDDo not mix Authoritative and Recursive servers • MMMMMMMMMMMMMMMMMix your DNS server `brand' • HHHHHHHHHHHHHHHHHide your DNS masters • DDDDDDDDDDDDDDDDDo not invent new TLD
  • 14. Data stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNSData stored in DNS • AAAAAAAAAAAAAAAAA records: IP addresses • CCCCCCCCCCCCCCCCCNAME: Cannonical names • SSSSSSSSSSSSSSSSSRV: Service record • MMMMMMMMMMMMMMMMMX: Mail servers • TTTTTTTTTTTTTTTTTXT: Text record
  • 15. SRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV recordsSRV records _xmpp−client._tcp.inuits.eu. IN SRV 0 5 5222 xmpp.inuits.eu.
  • 16. TXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT RecordsTXT Records • SSSSSSSSSSSSSSSSSPF record: Sender Policy Framework • DDDDDDDDDDDDDDDDDKIM • KKKKKKKKKKKKKKKKKeybase.io • LLLLLLLLLLLLLLLLLet's Encrypt DNS challenge
  • 17. Not secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by designNot secure by design • 11111111111111111983 • DDDDDDDDDDDDDDDDDesigned for scale, not security • EEEEEEEEEEEEEEEEEarly 2000: birth of DNSSec
  • 18. DNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSecDNSSec • 22222222222222222000's DNSSec RFC • DDDDDDDDDDDDDDDDDNSSec hit DNS root in 2010 • MMMMMMMMMMMMMMMMMultiple iteration of RFC
  • 19. The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. RFC 4033
  • 20. What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec?What is DNS Sec? • PPPPPPPPPPPPPPPPProof of origin and integrity • ZZZZZZZZZZZZZZZZZones and records signing • PPPPPPPPPPPPPPPPProof of non-existence
  • 21. Two types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keysTwo types of keys • ZZZZZZZZZZZZZZZZZSK: Zone Signing Key • KKKKKKKKKKKKKKKKKSK: Key Signing Key
  • 22. Zone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing keyZone Signing key • PPPPPPPPPPPPPPPPPrivate/Public key pair • SSSSSSSSSSSSSSSSSign the Records • eeeeeeeeeeeeeeeee.g sign the A records, the MX records … • RRRRRRRRRRRRRRRRRolled out frequently
  • 23. Key Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing KeyKey Signing Key • PPPPPPPPPPPPPPPPPrivate/Public key pair • SSSSSSSSSSSSSSSSSign the ZSK • DDDDDDDDDDDDDDDDDesigned to be stronger than the ZSK • IIIIIIIIIIIIIIIIIts fingerprint is stored in parent zone
  • 24. DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • RRRRRRRRRRRRRRRRRRSIG: Signature • DDDDDDDDDDDDDDDDDNSKEY: Public key • DDDDDDDDDDDDDDDDDS: Hash of a DNSKEY (parent zone)
  • 25. DNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records typesDNS Records types • NNNNNNNNNNNNNNNNNSEC: Next secure • RRRRRRRRRRRRRRRRReturns the next secure entry • RRRRRRRRRRRRRRRRReturned when next secure is not found • NNNNNNNNNNNNNNNNNSEC/NSEC3 records are signed • NNNNNNNNNNNNNNNNNSEC3 prevents zone walking
  • 26. In PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn PracticeIn Practice
  • 27. BindBindBindBindBindBindBindBindBindBindBindBindBindBindBindBindBind • RRRRRRRRRRRRRRRRReference DNS Server • DDDDDDDDDDDDDDDDDeveloped by the Internet Systems Consortium • CCCCCCCCCCCCCCCCCurrent version: bind9 • bbbbbbbbbbbbbbbbbind10 project is abandoned
  • 28. Bind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind featuresBind features • SSSSSSSSSSSSSSSSSupports everything • RRRRRRRRRRRRRRRRRecurive, Authoritative • DDDDDDDDDDDDDDDDDynamic updates • DDDDDDDDDDDDDDDDDNSSec
  • 29. Bind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSecBind and DNSSec • FFFFFFFFFFFFFFFFFull support + NSEC3 • MMMMMMMMMMMMMMMMManual signing • AAAAAAAAAAAAAAAAAutomated signing • DDDDDDDDDDDDDDDDDNSSec and dynamic zones
  • 30. Generating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keys mkdir /etc/bind/keys cd /etc/bind/keys dnssec−keygen rmll.example dnssec−keygen −f KSK rmll.example
  • 31. Generating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keysGenerating keys dnssec−keygen −a NSEC3RSASHA1 −b 2048 rmll .example dnssec−keygen −a NSEC3RSASHA1 −b 4096 −f KSK rmll.example
  • 32. Generating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keysGenerating DS keys dnssec−dsfromkey −f /var/bind/rmll. example −K /etc/bind/keys/ rmll.example rmll.example. IN DS 18025 8 1 E223065EE5EE66F08CA1C89D8 rmll.example. IN DS 18025 8 2 522 D8EA3287FFF41186169A30
  • 33. Enable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bindEnable DNSSec in bind options { dnssec−enable yes; dnssec−validation yes; }
  • 34. Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Manually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signedManually signed zone "rmll.example" IN { type master; file "rmll.example.zone.signed"; };
  • 35. Enable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zoneEnable DNSSec for a zone Auto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto SigningAuto Signing zone "rmll.example" IN { type master; file "rmll.example.zone"; key−directory "/etc/bind/keys"; auto−dnssec maintain; inline−signing yes; };
  • 36. Manually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zoneManually Sign a zone dnssec−signzone −S −o rmll.example −K /etc /bind/keys/ /var/bind/master/rmll. example.zone • Creates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone fileCreates a .signed zone file
  • 38. DANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANEDANE • DDDDDDDDDDDDDDDDDNS-based Authentication of Named Entities • NNNNNNNNNNNNNNNNNew record types to store public keys hashes • IIIIIIIIIIIIIIIIIndependant from DNSSec (!)
  • 39. TLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA records • HHHHHHHHHHHHHHHHHash the fingerprint of a TLS key • """""""""""""""""Replacement" for the CA (https) • NNNNNNNNNNNNNNNNNot implemented natively in browsers • IIIIIIIIIIIIIIIIImplemented in IRC clients (irssi)
  • 40. TLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA recordsTLSA records _443._tcp IN TLSA 3 0 1 2 bfa3214fda53315b140e65fe66 _443._tcp.www IN TLSA 3 0 1 2 bfa3214fda53315b140e65 _6697._tcp.irc IN TLSA 3 0 1 2 bfa3214fda53315b140e6
  • 41. Generating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hashGenerating a hash openssl x509 −in cert.pem −outform DER | openssl sha256
  • 43. TOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFU • TTTTTTTTTTTTTTTTTrust on first use • WWWWWWWWWWWWWWWWWorks on slowly moving env's • NNNNNNNNNNNNNNNNNowadays we populate new hosts all the time • NNNNNNNNNNNNNNNNNowadays we rebuild existing hosts
  • 44. SSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP recordsSSHFP records • HHHHHHHHHHHHHHHHHash the fingerprint of a SSH server • IIIIIIIIIIIIIIIIImplemented in OpenSSH • UUUUUUUUUUUUUUUUUses DNS to recognize SSH key
  • 45. IN SSHFP 1 1 e0fd9112d2fc6974597fe8968665ad6b420c IN SSHFP 1 2 9 de5bc066a898733420bcfaae8f43e80e532 IN SSHFP 2 1 223 e89447a53a3178be02fee6fdd5b44228a IN SSHFP 2 2 2644 fcbd2a1b179091a195207e395d009b16
  • 47. $ ssh −o VerifyHostKeyDNS=yes rmll.example The authenticity of host 'rmll.example (1.2.3.4)' can't be established. ECDSA key fingerprint is SHA256: f8zwQD3RU62PXgwCw5WRk2OIyVY. Matching host key fingerprint found in DNS Are you sure you want to continue?
  • 48. Populating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fieldsPopulating SSHFP fields • WWWWWWWWWWWWWWWWWhat if we have a single source of truth? • SSSSSSSSSSSSSSSSSomething that can scale, and be quick enough?
  • 49. Config ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig ManagementConfig Management • QQQQQQQQQQQQQQQQQuickly moving env often use Cfgmgmt Tools • TTTTTTTTTTTTTTTTThey know the env, store data • WWWWWWWWWWWWWWWWWe use Puppet+The foreman
  • 50. PuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppetPuppet • AAAAAAAAAAAAAAAAA Config Management Tool • DDDDDDDDDDDDDDDDDeclarative • EEEEEEEEEEEEEEEEEnforces a desired state
  • 51. Puppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet FactsPuppet Facts • VVVVVVVVVVVVVVVVValues collected on the host • OOOOOOOOOOOOOOOOOS version, Uptime, kernel • SSSSSSSSSSSSSSSSSSH fingerprints • SSSSSSSSSSSSSSSSSent back to master
  • 52. facts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfpfacts2sshfp • hhhhhhhhhhhhhhhhhttps://github.com/jpmens/facts2sshfp • PPPPPPPPPPPPPPPPPython script • RRRRRRRRRRRRRRRRRead facts yaml files • CCCCCCCCCCCCCCCCConverts Puppet facts to SSHFP records • UUUUUUUUUUUUUUUUUses Puppet as single source of truth • fffffffffffffffffacts2sshfp.py -T nsupdate.template -D a.aa. • OOOOOOOOOOOOOOOOOutput to templates, nsupdate commands…
  • 58.
  • 59.
  • 60.
  • 61. Foreman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman ProxiesForeman Proxies • FFFFFFFFFFFFFFFFForeman works with a GUI + Proxies • DDDDDDDDDDDDDDDDDHCP proxy, Puppet Proxy, DNS proxy… • DDDDDDDDDDDDDDDDDNS Proxy is pluggable: bind9, powerdns…
  • 62. Foreman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is greatForeman is great • OOOOOOOOOOOOOOOOOpen Source • BBBBBBBBBBBBBBBBBacked by Red Hat • TTTTTTTTTTTTTTTTThe main brick behind Red Hat Satellite 6 • PPPPPPPPPPPPPPPPProvides a REST API
  • 63. Building a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) hostBuilding a (libvirt) host • CCCCCCCCCCCCCCCCCreate/update DNS entries • CCCCCCCCCCCCCCCCCreate/update DHCP entries • CCCCCCCCCCCCCCCCCreate the VM in libvirt • BBBBBBBBBBBBBBBBBoot the VM • SSSSSSSSSSSSSSSSServe a kickstart • RRRRRRRRRRRRRRRRRun Puppet
  • 64. The Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxyThe Foreman - Puppet proxy • PPPPPPPPPPPPPPPPPuppet Collects and save Facts on the machines • IIIIIIIIIIIIIIIIIt can send it back to the Foreman • FFFFFFFFFFFFFFFFForeman can graph them, query them…
  • 67. DNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocksDNS rocks • NNNNNNNNNNNNNNNNNeeded everywhere • DDDDDDDDDDDDDDDDDistributed • CCCCCCCCCCCCCCCCContains lots of data • MMMMMMMMMMMMMMMMMakes our life easier
  • 68. DNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implementDNSSec is easy to implement • AAAAAAAAAAAAAAAAAutomation is key • IIIIIIIIIIIIIIIIImplemented in most of the tools • AAAAAAAAAAAAAAAAAnd most of the DNS servers
  • 69. DANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more securityDANE adds more security • SSSSSSSSSSSSSSSSSSH fingerprint • IIIIIIIIIIIIIIIIIRC, SMTP certificates hashes • EEEEEEEEEEEEEEEEExisting client-side implementations
  • 70. DNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANEDNSSec+DANE • DDDDDDDDDDDDDDDDDNSSec and Dane are more useful together • MMMMMMMMMMMMMMMMMake sure your resolver supports DNSsec! • TTTTTTTTTTTTTTTTThe power to check certificates without CA
  • 71. ContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContact Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto julien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eu @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie inuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuits https://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.eu info@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.eu +32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636