\usepackage{tikz}
-\usetikzlibrary{svg.path,positioning,intersections}
+\usetikzlibrary{positioning,intersections,backgrounds,calc,shadings,shapes.arrows,shapes.symbols,shadows}
\usepgflibrary{shapes.geometric}
\usepgflibrary{shapes.misc}
\usepgflibrary{shapes.symbols}
\usetikzlibrary{shapes,decorations,shadows}
\usetikzlibrary{decorations.pathmorphing}
\usetikzlibrary{decorations.shapes}
+\usetikzlibrary{decorations.text}
\usetikzlibrary{fadings}
\usetikzlibrary{patterns}
\usetikzlibrary{calc}
\tikzstyle{netdb}=[anchor=center,color=black,rectangle,draw,minimum
- size=.6em,minimum height=.2em]
+size=.6em,minimum height=.2em]
\tikzstyle{client}=[fill=i4gray,rectangle,draw]
\tikzstyle{chain}=[rectangle,draw,minimum size=1em,minimum height=.5em]
\tikzstyle{arrow}=[->,thick,draw,shorten <=2pt,shorten >=2pt,]
\usefonttheme{structuresmallcapsserif}
\title{DNSSEC}
\author{Christoph Egger}
-\institute[Debian]{The Debian Project}
+%\institute[Debian]{The Debian Project}
\date{\today}
\usebackgroundtemplate{\includegraphics[width=\paperwidth]{images/swirl-lightest}}
\setbeamercolor{block title}{fg=debianblue}
\setbeamercolor{description item}{fg=debianblue}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% http://www.texample.net/media/tikz/examples/TEX/network-topology.tex %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\makeatletter
+\pgfkeys{/pgf/.cd,
+ parallelepiped offset x/.initial=2mm,
+ parallelepiped offset y/.initial=2mm
+}
+\pgfdeclareshape{parallelepiped}
+{
+ \inheritsavedanchors[from=rectangle] % this is nearly a rectangle
+ \inheritanchorborder[from=rectangle]
+ \inheritanchor[from=rectangle]{north}
+ \inheritanchor[from=rectangle]{north west}
+ \inheritanchor[from=rectangle]{north east}
+ \inheritanchor[from=rectangle]{center}
+ \inheritanchor[from=rectangle]{west}
+ \inheritanchor[from=rectangle]{east}
+ \inheritanchor[from=rectangle]{mid}
+ \inheritanchor[from=rectangle]{mid west}
+ \inheritanchor[from=rectangle]{mid east}
+ \inheritanchor[from=rectangle]{base}
+ \inheritanchor[from=rectangle]{base west}
+ \inheritanchor[from=rectangle]{base east}
+ \inheritanchor[from=rectangle]{south}
+ \inheritanchor[from=rectangle]{south west}
+ \inheritanchor[from=rectangle]{south east}
+ \backgroundpath{
+ % store lower right in xa/ya and upper right in xb/yb
+ \southwest \pgf@xa=\pgf@x \pgf@ya=\pgf@y
+ \northeast \pgf@xb=\pgf@x \pgf@yb=\pgf@y
+ \pgfmathsetlength\pgfutil@tempdima{\pgfkeysvalueof{/pgf/parallelepiped
+ offset x}}
+ \pgfmathsetlength\pgfutil@tempdimb{\pgfkeysvalueof{/pgf/parallelepiped
+ offset y}}
+ \def\ppd@offset{\pgfpoint{\pgfutil@tempdima}{\pgfutil@tempdimb}}
+ \pgfpathmoveto{\pgfqpoint{\pgf@xa}{\pgf@ya}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
+ \pgfpathclose
+ \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@ya}}{\ppd@offset}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xa}{\pgf@yb}}{\ppd@offset}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
+ \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
+ }
+}
+\makeatother
+
+\tikzset{l3 switch/.style={
+ parallelepiped,fill=switch, draw=white,
+ minimum width=0.75cm,
+ minimum height=0.75cm,
+ parallelepiped offset x=1.75mm,
+ parallelepiped offset y=1.25mm,
+ path picture={
+ \node[fill=white,
+ circle,
+ minimum size=6pt,
+ inner sep=0pt,
+ append after command={
+ \pgfextra{
+ \foreach \angle in {0,45,...,360}
+ \draw[-latex,fill=white] (\tikzlastnode.\angle)--++(\angle:2.25mm);
+ }
+ }
+ ]
+ at ([xshift=-0.75mm,yshift=-0.5mm]path picture bounding box.center){};
+ }
+ },
+ ports/.style={
+ line width=0.3pt,
+ top color=gray!20,
+ bottom color=gray!80
+ },
+ rack switch/.style={
+ parallelepiped,fill=white, draw,
+ minimum width=1.25cm,
+ minimum height=0.25cm,
+ parallelepiped offset x=2mm,
+ parallelepiped offset y=1.25mm,
+ xscale=-1,
+ path picture={
+ \draw[top color=gray!5,bottom color=gray!40]
+ (path picture bounding box.south west) rectangle
+ (path picture bounding box.north east);
+ \coordinate (A-west) at ([xshift=-0.2cm]path picture bounding box.west);
+ \coordinate (A-center) at ($(path picture bounding box.center)!0!(path
+ picture bounding box.south)$);
+ \foreach \x in {0.275,0.525,0.775}{
+ \draw[ports]([yshift=-0.05cm]$(A-west)!\x!(A-center)$)
+ rectangle +(0.1,0.05);
+ \draw[ports]([yshift=-0.125cm]$(A-west)!\x!(A-center)$)
+ rectangle +(0.1,0.05);
+ }
+ \coordinate (A-east) at (path picture bounding box.east);
+ \foreach \x in {0.085,0.21,0.335,0.455,0.635,0.755,0.875,1}{
+ \draw[ports]([yshift=-0.1125cm]$(A-east)!\x!(A-center)$)
+ rectangle +(0.05,0.1);
+ }
+ }
+ },
+ server/.style={
+ parallelepiped,
+ fill=white, draw,
+ minimum width=0.35cm,
+ minimum height=0.75cm,
+ parallelepiped offset x=3mm,
+ parallelepiped offset y=2mm,
+ xscale=-1,
+ path picture={
+ \draw[top color=gray!5,bottom color=gray!40]
+ (path picture bounding box.south west) rectangle
+ (path picture bounding box.north east);
+ \coordinate (A-center) at ($(path picture bounding box.center)!0!(path
+ picture bounding box.south)$);
+ \coordinate (A-west) at ([xshift=-0.575cm]path picture bounding box.west);
+ \draw[ports]([yshift=0.1cm]$(A-west)!0!(A-center)$)
+ rectangle +(0.2,0.065);
+ \draw[ports]([yshift=0.01cm]$(A-west)!0.085!(A-center)$)
+ rectangle +(0.15,0.05);
+ \fill[black]([yshift=-0.35cm]$(A-west)!-0.1!(A-center)$)
+ rectangle +(0.235,0.0175);
+ \fill[black]([yshift=-0.385cm]$(A-west)!-0.1!(A-center)$)
+ rectangle +(0.235,0.0175);
+ \fill[black]([yshift=-0.42cm]$(A-west)!-0.1!(A-center)$)
+ rectangle +(0.235,0.0175);
+ }
+ },
+}
+
+\usetikzlibrary{calc, shadings, shadows, shapes.arrows}
+
+% Styles for interfaces and edge labels
+\tikzset{%
+ interface/.style={draw, rectangle, rounded corners, font=\LARGE\sffamily},
+ ethernet/.style={interface, fill=yellow!50},% ethernet interface
+ serial/.style={interface, fill=green!70},% serial interface
+ speed/.style={sloped, anchor=south, font=\large\sffamily},% line speed at edge
+ route/.style={draw, shape=single arrow, single arrow head extend=4mm,
+ minimum height=1.7cm, minimum width=3mm, white, fill=switch!20,
+ drop shadow={opacity=.8, fill=switch}, font=\tiny}% inroute/outroute arrows
+}
+\newcommand*{\shift}{1.3cm}% For placing the arrows later
+
+% The router icon
+\newcommand*{\router}[1]{
+\begin{tikzpicture}
+ \coordinate (ll) at (-3,0.5);
+ \coordinate (lr) at (3,0.5);
+ \coordinate (ul) at (-3,2);
+ \coordinate (ur) at (3,2);
+ \shade [shading angle=90, left color=switch, right color=white] (ll)
+ arc (-180:-60:3cm and .75cm) -- +(0,1.5) arc (-60:-180:3cm and .75cm)
+ -- cycle;
+ \shade [shading angle=270, right color=switch, left color=white!50] (lr)
+ arc (0:-60:3cm and .75cm) -- +(0,1.5) arc (-60:0:3cm and .75cm) -- cycle;
+ \draw [thick] (ll) arc (-180:0:3cm and .75cm)
+ -- (ur) arc (0:-180:3cm and .75cm) -- cycle;
+ \draw [thick, shade, upper left=switch, lower left=switch,
+ upper right=switch, lower right=white] (ul)
+ arc (-180:180:3cm and .75cm);
+ \node at (0,0.5){\color{blue!60!black}\Huge #1};% The name of the router
+ % The four arrows, symbols for incoming and outgoing routes:
+ \begin{scope}[yshift=2cm, yscale=0.28, transform shape]
+ \node[route, rotate=45, xshift=\shift] {\strut};
+ \node[route, rotate=-45, xshift=-\shift] {\strut};
+ \node[route, rotate=-135, xshift=\shift] {\strut};
+ \node[route, rotate=135, xshift=-\shift] {\strut};
+ \end{scope}
+\end{tikzpicture}}
+
+\makeatletter
+\pgfdeclareradialshading[tikz@ball]{cloud}{\pgfpoint{-0.275cm}{0.4cm}}{%
+ color(0cm)=(tikz@ball!75!white);
+ color(0.1cm)=(tikz@ball!85!white);
+ color(0.2cm)=(tikz@ball!95!white);
+ color(0.7cm)=(tikz@ball!89!black);
+ color(1cm)=(tikz@ball!75!black)
+}
+\tikzoption{cloud color}{\pgfutil@colorlet{tikz@ball}{#1}%
+ \def\tikz@shading{cloud}\tikz@addmode{\tikz@mode@shadetrue}}
+\makeatother
+
+\tikzset{my cloud/.style={
+ cloud, draw, aspect=2,
+ cloud color={gray!5!white}
+ }
+}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
\begin{document}
\frame{
\end{block}
\end{frame}
-\section{Signaturen}
\begin{frame}
- \frametitle{RRSIG}
- \begin{block}{siccegge.de}\resizebox{\textwidth}{!}{\texttt{
- \begin{tabular}{llll}
-siccegge.de. & IN & A & 62.113.200.104\\
-siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
- &
- \multicolumn{3}{l}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1}\\
- & \multicolumn{3}{l}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=}\\
-\end{tabular}}}
- \end{block}
+ \frametitle{DNS Anfrage}
+ \begin{figure}
+ \centering
+ \begin{tikzpicture}
+ \begin{scope}[yshift=-5em, xshift=-5em]
+ \node[scale=1.5, server,debianblue](Client){};
+ \node[scale=1.5, server, left of=Client, xshift=-.75em](Gateway){};
+ \node[scale=1.5, server, left of=Gateway, xshift=-2em](ISP){};
+
+ \draw[thick,darkgray!10!gray] (Client.west)--(Gateway.east);
+ \draw[thick,darkgray!10!gray] (Gateway.west)--(ISP);
+ \end{scope}
+
+ \begin{scope}[xshift=15em, yshift=5em]
+ \node[thick, draw=darkgray, dotted, minimum width=12em, minimum
+ height=9em, xshift=-3.5em, yshift=-.5em] (siccegge) {};
+ \node[scale=1.2, server,debianblue](Master){};
+ \node[scale=1.2, server, right of=Master, yshift= 1.5em, xshift=1em](Slave 1){};
+ \node[scale=1.2, server, right of=Master, yshift=-1.5em, xshift=1em](Slave 2){};
+
+ \draw[thick,darkgray!10!gray] (Master.east)--(Slave 1);
+ \draw[thick,darkgray!10!gray] (Master.east)--(Slave 2);
+ \end{scope}
+
+ \begin{scope}[yshift=5em]
+ \node[thick, draw=darkgray, dotted, minimum width=12em, minimum
+ height=9em, xshift=-3.5em, yshift=-.5em] (de) {};
+ \node[scale=1.2, server,debianblue](Sub Master){};
+ \node[scale=1.2, server, right of=Sub Master, yshift= 1.5em,
+ xshift=1em](Sub Slave 1){};
+ \node[scale=1.2, server, right of=Sub Master, yshift=-1.5em,
+ xshift=1em](Sub Slave 2){};
+
+ \draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 1);
+ \draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 2);
+ \end{scope}
+
+ \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Sub Slave 2.south);
+ \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Slave 2.south);
+
+ \node[darkgray,above=.7em of Client.north,font=\LARGE] {Client};
+ \node[darkgray,below=0 of Gateway.south,font=\LARGE] {Heimrouter};
+ \node[darkgray,below=0 of ISP.south,font=\LARGE] {ISP};
+
+ \node[darkgray,below=0 of Master.south,font=\LARGE] {Master};
+ \node[darkgray,below=0 of Slave 2.south,font=\LARGE] {Slaves};
+ \node[darkgray,below=0 of Sub Master.south,font=\LARGE] {Master};
+ \node[darkgray,below=0 of Sub Slave 2.south,font=\LARGE] {Slaves};
+ \node[darkgray, above=0 of de, font=\LARGE]{.de};
+ \node[darkgray, above=0 of siccegge, font=\LARGE]{.siccegge.de};
+ \end{tikzpicture}
+ \end{figure}
\end{frame}
+\section{Signaturen}
+
\begin{frame}
- \frametitle{ZSK, KSK}
+ \frametitle{ZSK, KSK}
\begin{itemize}
\item \texttt[KSK] ``KeySigningKey'' -- wird in der übergeordneten
Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
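Review bot: The new `DNS Anfrage` figure draws Client, Heimrouter and ISP resolver as one chain but gives no hint where DNSSEC validation takes place, which the later slides (`Nachdem unser DNS jetzt kryptographisch abgesichert ist`, DANE) silently rely on. In the typical setup only the ISP resolver validates and the Heimrouter and Client merely trust the AD bit over unauthenticated UDP, so the two left-hand links in this picture are exactly where a spoofed answer is still accepted; a label on that leg would make the trust boundary explicit, e.g. `\node[darkgray, above=.5em of Gateway.north, font=\small] {unsigniert -- nur AD-Bit};` or a one-line remark on the slide that validation happens at the ISP unless the client validates itself. Minor style point: the three `server` nodes use the old `left of=` syntax while the labels further down use `above=.7em of`, the `positioning` form; pick one.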
\end{figure}
\end{frame}
+\begin{frame}
+ \frametitle{RRSIG}
+ \begin{block}{siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{llll}
+siccegge.de. & IN & A & 62.113.200.104\\
+siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
+ &
+ \multicolumn{3}{l}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1}\\
+ & \multicolumn{3}{l}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=}\\
+\end{tabular}}}
+ \end{block}
+\end{frame}
+
\begin{frame}
\frametitle{Schlüsseltausch}
\begin{block}{Idee}
Wechsle die Schlüssel regelmäßig. Damit lassen sich auch kleine,
- effizienter verwendbare Schlüssel verwenden. Auch in Sachen
- ``Revocation'' nützlich
+ effizienter verwendbare Schlüssel verwenden (DNS verwendet
+ UDP!). Auch in Sachen ``Revocation'' nützlich
\end{block}
\bigskip\pause
Schlüssel wechseln in DNS ist nicht so einfach: \pause Stichpunkt
2 Methoden:
\begin{itemize}
\item Neuen Schlüssel vor der Verwendung veröffentlichen
- \item Vorübergehend mit beiden Schlüsseln signieren
+ \item Vorübergehend die Daten mit beiden Schlüsseln signieren
\end{itemize}
\end{frame}
\section{NSEC und NSEC3}
-
\begin{frame}
+ \frametitle{Negative antworten}
+
+ \begin{block}{Problem}
+ Mit den \texttt{RRSIG}s lassen sich bestehende Einträge im DNS
+ bestätigen. Es ist aber immer noch möglich, Einträge
+ ``verschwinden'' zu lassen. Was also noch fehlt ist die
+ Möglichkeit, die nicht-Existenz von Einträgen zu signieren.
+ \end{block}
+\end{frame}
+
+%TODO Why
+\begin{frame}<1>[label=nsec]
\frametitle{NSEC}
\begin{itemize}
- \item Bilde einen Kreis, der alle vorhandenen Einträge umfasst
- \item Speichere signierte Feststellung, dass zwischen zwei Namen
+ \item<1-> Bilde einen Kreis, der alle vorhandenen Einträge umfasst
+ \item<2-> Speichere signierte Feststellung, dass zwischen zwei Namen
kein dritter liegt
- \item Bei negativer Antwort (\texttt{NXDOMAIN}) sende auch den
+ \item<2-> Bei negativer Antwort (\texttt{NXDOMAIN}) sende auch den
signierten \texttt{NSEC} Eintrag in dessen Interval die Antwort
liegen würde\pause\bigskip
- \item ``Zonewalking'' auflistung aller Einträge in einer Zone
+ \item<3> ``Zonewalking'' auflistung aller Einträge in einer Zone
\end{itemize}
\end{frame}
-\begin{frame}
+\begin{frame}<-2>[label=ring]
+ \begin{figure}
+ \centering
+ \begin{tikzpicture}[scale=0.9]
+ \onslide<2>{
+ \fill[debianred!10] (165:17mm) arc (165:215:17mm) -- (215:27mm)
+ arc (215:165:27mm) -- cycle;
+
+ \path[decoration = {text along path, text = {NSEC},
+ text align = {align = center}, raise = -0.5ex}, decorate]
+ (201:29mm) arc (201:155:29mm);
+ }
+
+ \onslide<5>{
+ \fill[debianred!10] (123:17mm) arc (123:172:17mm) -- (172:27mm)
+ arc (172:123:27mm) -- cycle;
+
+ \path[decoration = {text along path, text = {NSEC3},
+ text align = {align = center}, raise = -0.5ex}, decorate]
+ (180:14mm) arc (180:123:14mm);
+ }
+
+ \foreach \sector/\sectorlabel/\hash/\hashlabel in {%
+ 0/annex/5kau\dots/keyserver,
+ 1/backup/evj1\dots/www,
+ 2/git/imua\dots/git,
+ 3/keyserver/mk9e\dots/wot,
+ 4/static/nq8c\dots/backup,
+ 5/webdav/qp1c\dots/static,
+ 6/wot/thm6\dots/webdav,
+ 7/www/uv8c\dots/annex}%
+ {
+ \node[font=\bfseries](node\sector) at ({45 * (-\sector - .5)}: 22mm) {\alt<-3>{\sectorlabel}{\hash}};
+
+ \draw[->, >=latex] ({45 * (-\sector - .5)-10}:22mm)
+ arc ({45 * (-\sector - .5) - 10}:{45 * (-\sector-1)- 10}:22mm);
+
+ \onslide<4->{
+ \node[font=\bfseries, circle, fill=debianblue!50, text=darkgray](hash\sector) at ({45 * (-\sector -
+ .5) + 15}:32mm) {H};
+
+ \node[font=\bfseries](orig\sector) at ({45 * (-\sector -
+ .5) + 25}: 45mm) {\hashlabel};
+ \draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);)
+ \draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);)
+ }
+ }
+ \node[font=\bfseries, left=8em of node3](null) {null};
+ \onslide<-2>{
+ \draw[arrow] (null.east) -- ([yshift=1.5em]node3.west);
+ }
+ \onslide<4->{
+ \node[font=\bfseries, circle, fill=debianblue!50, above=3em
+ of null.north, xshift=2em, text=darkgray] (H) {H};
+ \draw[arrow, draw=darkgray] (null) -- (H);
+ \draw[arrow] (H) to node[above,font=\bfseries]{qfna\dots} ([yshift=1.5em]node4.north);
+ }
+ \end{tikzpicture}
+ \end{figure}
+\end{frame}
+
+\againframe<2->{nsec}
+
+\begin{frame}<1>[label=nsec3]
\frametitle{NSEC3}
\begin{itemize}
\item Statt Einträge in einem Ring anzuordnen, bilde zuerst eine
- kryptographische Streusumme
+ kryptographische Streusumme \pause
\item Verwende Salz und mehrere Runden der Streufunktion für
maximalen Effekt.
- \end{itemize}\bigskip\pause
+ \end{itemize}\bigskip
\begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
\begin{tabular}{llll}
-siccegge.de. & IN & NSEC3PARAM & 1 0 100 3BBD311E9F6B0E57
+siccegge.de. & IN & NSEC3PARAM & 1 0 5 6D1DAF17E2A6A252
\end{tabular}}}
\end{block}
\end{frame}
+\againframe<3->{ring}
+
+\againframe<2->{nsec3}
+
+\begin{frame}
+ \frametitle{Überprüfung negativer Antworten}
+ \begin{block}{Ziel}
+ Es ist trivial, in der \texttt{de}-Zone zu zeigen, dass dort
+ \texttt{www.siccegge.de} nicht existiert -- obwohl der name
+ durchaus vorhanden ist (allerdings nicht in der \texttt{de}-Zone
+ sondern in der \texttt{siccegge.de}-Zone). Wir müssen also auch
+ zeigen, dass wir in der ``richtigen'' Zone operieren.
+ \end{block}\pause
+ \begin{block}{``Closest Encloser''}
+ Daher 3 \texttt{NSEC3}-Einträge:
+ \begin{itemize}
+ \item Für die kürzeste, nicht mehr existente Oberdomäne zur
+ Anfrage, den \texttt{NSEC3}-Eintrag, der das Intervall überspannt.
+ \item den um eine Komponente gekürzten \texttt{NSEC3}-Eintrag, der
+ entweder auch das Flag für \texttt{SOA} oder \emph{keinen}
+ \texttt{NS}-Eintrag enthält.\pause
+ \item den \texttt{NSEC3}-Eintrag, der das Fehlen eines
+ Wildcard-Eintrags an dieser Stelle nachweist.
+ \end{itemize}
+ \end{block}
+\end{frame}
+
\begin{frame}
\frametitle{Negative Antwort}
- Es werden bis zu drei \texttt{NSEC3} Antworten benötigt\bigskip
+ \begin{block}{siccegge.de hat SOA}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{rl}
+ 4ma0fb5t2s6kjtgc6r3qi4o49bn7pc4i.siccegge.de. & 3573 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ 4TRVQLKF545FSK90ED6NCJ7DGMOJB6I8 & A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM \\
+ \end{tabular}}}
+ \end{block}
+ \texttt{null.siccegge.de} hat den Hash-Wert \texttt{qfna56rlmnlbp3e85m4d6ckonnmpfg1i}
+ \begin{block}{null.siccegge.de existiert nicht}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{rl}
+ qd2uevk27c2tdrh6535e0mkiratu1t5h.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ QLLMC1NCRMN4AU8QCFQ24VAH7JFM6LQ6 & \\
+ \end{tabular}}}
+ \end{block}
+ \texttt{*.siccegge.de} hat den Hash-Wert \texttt{68m2atv9712l3e67oua61u5hp0v0273a.}
+ \begin{block}{*.siccegge.de existiert nicht }\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{rl}
+ 63r09adu0p1vdmkif5eb4dr6m2a3l5cp.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ 6BJ555D3Q50SL34D50L1PGU887R73DC9 & RRSIG TLSA \\
+ \end{tabular}}}
+ \end{block}
+\end{frame}
+
+\section{Zusatznutzen}
+\begin{frame}{DANE}
+ Nachdem unser DNS jetzt kryptographisch abgesichert ist (auch nicht
+ schlechter als das CA System) kann man dort jetzt sicher weiteres
+ Schlüsselmaterial ausliefern:
\begin{itemize}
- \item Der \texttt{NSEC3}-Eintrag, der das entsprechende Interval
- umfasst
- \pause
- \item Der längste existente \texttt{NSEC3}-Eintrag um zu beweisen, dass diese
- Zone zuständig ist.
- \pause
- \item Ein \texttt{NSEC3}-Eintrag, der beweist, dass keine Wildcards existieren
+ \item TLSA für alles was SSL/TLS macht
+ \item SSHFP für SSH Fingerprints
+ \item PGP-Schlüssel-Enträge
+ \item \dots
\end{itemize}
\end{frame}
-\section{Zusatznutzen}
\begin{frame}
- \frametitle{DANE}
- \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+ \frametitle{TLSA}
+ \begin{block}{TLSA}\resizebox{\textwidth}{!}{\texttt{
\begin{tabular}{llll}
\_25.\_tcp.oteiza.siccegge.de. & IN & TLSA & 3 1 1
101B5B5CCDC5568CEC385552611FD0355BF15DB293E96F46E29DE4A0C4B2BC3F \\
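Review bot: The NSEC3 item `Verwende Salz und mehrere Runden der Streufunktion für maximalen Effekt.` recommends the opposite of current operational guidance, and it sits directly above an `NSEC3PARAM` example that this very commit lowers from 100 to 5 iterations. Extra iterations mostly cost the authoritative server and every validating resolver CPU time (validators cap the accepted iteration count and treat zones above it as insecure), while the gain against offline dictionary attacks on the hashed names is marginal; RFC 9276 recommends 0 additional iterations and an empty salt. I would change the item to `\item Salz und zusätzliche Runden bringen kaum Schutz, kosten aber Server und Validatoren Rechenzeit -- RFC 9276 empfiehlt 0 Runden und kein Salz.` so the text agrees with the `1 0 5 ...` example (or show `1 0 0 -` instead). Separately, the two lines `\draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);)` and `\draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);)` in the ring frame carry a stray `)` after the semicolon, which TikZ will either reject or typeset as a literal parenthesis; drop it.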
\bigskip\pause
\begin{itemize}
\item 3: Bezeichnet ein Service Zertifikat
- \pause
\item 1: Angegeben wird der öffentlich Schlüssel, nicht das
Zertifikat
- \pause
\item 1: Angegeben wird eine \texttt{SHA256}-Summe
\end{itemize}
\end{frame}
\end{itemize}
\end{frame}
+\section{Software}
+\begin{frame}{Überblick}
+ \begin{block}{Nameserver}
+ Müssen zusätzliche Einträge ausliefern (\texttt{RRSIG},
+ \texttt{NSEC3}). Für \texttt{NSEC3} müssen die richtigen Einträge
+ gefunden wernden
+ \end{block}\pause
+ \begin{block}{Signaturwerkzeuge}
+ \begin{itemize}
+ \item Müssen \texttt{RRSIG}s für die vorhandenen Einträge
+ erstellen und gelegentlich erneuern
+ \item Müssen die \texttt{NSEC3}- und \texttt{NSEC3PARAM}-Einträge
+ erstellen und signieren
+ \item Müssen möglichkeit zum Schlüsseltausch beiten
+ \end{itemize}
+ \end{block}\pause
+ \begin{block}{Registrar}
+ Irgendwie müssen die Schlüssel in die darüberliegende Zone
+ kommen. Wenige Registrare haben das schon im Interface vorgesehen,
+ etliche lassen sich aber per Mail an den Support überreden
+ \end{block}
+\end{frame}
+
+\begin{frame}{Nameserver}
+ \begin{block}{Software}
+ Alle nennenswerten Nameserver (nsd, bind, powerdns, knot, \dots) können heutzutage DNSSEC ausliefern.
+ \end{block}\pause
+ \begin{block}{Sekundärserver}
+ Kaum ein kostenfreier Sekundärserveranbieter unterstützt DNSSEC --
+ das liegt unter anderem an den deutlich größeren Antworten und dem
+ Rechenbedarf für \texttt{NSEC3}, die signifikant Resourcen
+ verbrauchen.
+
+ $\Rightarrow$ Selber hosten (mit Freunden) oder beim Registrar schauen.
+ \end{block}
+\end{frame}
+
+\begin{frame}{Signaturwerkzeuge}
+ Im Grunde gibt es zwei Typen von Signaturwerkzeugen
+ \begin{block}{Im primären Nameserver}
+ BIND, Knot, PowerDNS
+ \begin{description}
+ \item[Vorteile] Keine weiteren Werkzeuge, dynamische Updatesmöglich
+ \item[Nachteile] Schlüsselmaterial im Netzwerkserver, bestehende
+ Implementierungen unflexibel in Sachen Schlüsselrotation
+ \end{description}
+ \end{block}\pause
+ \begin{block}{Separates Signaturwerkzeug}
+ OpenDNSSEC, dnssec-tools, cron
+ \begin{description}
+ \item[Vorteile] Flexibel, Signaturlösung Nameserver-agnostisch
+ \item[Nachteile] Softwarequalität \dots, weiteres Element, das
+ kaputt gehen kann
+ \end{description}
+ \end{block}
+\end{frame}
+
\begin{frame}{Fragen?}
\vspace*{\fill}
\begin{center}