From accb3999de7e7d78eeb42695232b6eeaf94ad080 Mon Sep 17 00:00:00 2001
From: Christoph Egger
Date: Fri, 27 Feb 2015 21:57:56 +0100
Subject: [PATCH] Updated slides
---
 slides.tex | 510 ++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 470 insertions(+), 40 deletions(-)
diff --git a/slides.tex b/slides.tex
index 1d4881e..88750d8 100644
--- a/slides.tex
+++ b/slides.tex
@@ -6,7 +6,7 @@
 \usepackage{tikz}
-\usetikzlibrary{svg.path,positioning,intersections}
+\usetikzlibrary{positioning,intersections,backgrounds,calc,shadings,shapes.arrows,shapes.symbols,shadows}
 \usepgflibrary{shapes.geometric}
 \usepgflibrary{shapes.misc}
 \usepgflibrary{shapes.symbols}
@@ -14,11 +14,12 @@
 \usetikzlibrary{shapes,decorations,shadows}
 \usetikzlibrary{decorations.pathmorphing}
 \usetikzlibrary{decorations.shapes}
+\usetikzlibrary{decorations.text}
 \usetikzlibrary{fadings}
 \usetikzlibrary{patterns}
 \usetikzlibrary{calc}
 \tikzstyle{netdb}=[anchor=center,color=black,rectangle,draw,minimum
- size=.6em,minimum height=.2em]
+size=.6em,minimum height=.2em]
 \tikzstyle{client}=[fill=i4gray,rectangle,draw]
 \tikzstyle{chain}=[rectangle,draw,minimum size=1em,minimum height=.5em]
 \tikzstyle{arrow}=[->,thick,draw,shorten <=2pt,shorten >=2pt,]
@@ -29,7 +30,7 @@
 \usefonttheme{structuresmallcapsserif}
 \title{DNSSEC}
 \author{Christoph Egger}
-\institute[Debian]{The Debian Project}
+%\institute[Debian]{The Debian Project}
 \date{\today}
 \usebackgroundtemplate{\includegraphics[width=\paperwidth]{images/swirl-lightest}}
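Review bot: The `\tikzstyle{netdb}=[...]` line that the second hunk merely re-indents still uses the deprecated `\tikzstyle` syntax, as do the `client`, `chain` and `arrow` styles in its trailing context, while the styles this commit adds further down are written with `\tikzset`; the consistent form would be `\tikzset{netdb/.style={anchor=center,color=black,rectangle,draw,minimum size=.6em,minimum height=.2em}}`. The first hunk's new library list also names `calc` and `shadows`, which `\usetikzlibrary{shapes,decorations,shadows}` and `\usetikzlibrary{calc}` in this hunk's context load a second time; that is harmless but one of the two can go.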
@@ -52,6 +53,201 @@ \setbeamercolor{block title}{fg=debianblue} \setbeamercolor{description item}{fg=debianblue} + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% http://www.texample.net/media/tikz/examples/TEX/network-topology.tex % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\makeatletter +\pgfkeys{/pgf/.cd, + parallelepiped offset x/.initial=2mm, + parallelepiped offset y/.initial=2mm +} +\pgfdeclareshape{parallelepiped} +{ + \inheritsavedanchors[from=rectangle] % this is nearly a rectangle + \inheritanchorborder[from=rectangle] + \inheritanchor[from=rectangle]{north} + \inheritanchor[from=rectangle]{north west} + \inheritanchor[from=rectangle]{north east} + \inheritanchor[from=rectangle]{center} + \inheritanchor[from=rectangle]{west} + \inheritanchor[from=rectangle]{east} + \inheritanchor[from=rectangle]{mid} + \inheritanchor[from=rectangle]{mid west} + \inheritanchor[from=rectangle]{mid east} + \inheritanchor[from=rectangle]{base} + \inheritanchor[from=rectangle]{base west} + \inheritanchor[from=rectangle]{base east} + \inheritanchor[from=rectangle]{south} + \inheritanchor[from=rectangle]{south west} + \inheritanchor[from=rectangle]{south east} + \backgroundpath{ + % store lower right in xa/ya and upper right in xb/yb + \southwest \pgf@xa=\pgf@x \pgf@ya=\pgf@y + \northeast \pgf@xb=\pgf@x \pgf@yb=\pgf@y + \pgfmathsetlength\pgfutil@tempdima{\pgfkeysvalueof{/pgf/parallelepiped + offset x}} + \pgfmathsetlength\pgfutil@tempdimb{\pgfkeysvalueof{/pgf/parallelepiped + offset y}} + \def\ppd@offset{\pgfpoint{\pgfutil@tempdima}{\pgfutil@tempdimb}} + \pgfpathmoveto{\pgfqpoint{\pgf@xa}{\pgf@ya}} + \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@ya}} + \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@yb}} + \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}} + \pgfpathclose + \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@ya}} + \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@ya}}{\ppd@offset}} + 
\pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}} + \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xa}{\pgf@yb}}{\ppd@offset}} + \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}} + \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@yb}} + \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}} + } +} +\makeatother + +\tikzset{l3 switch/.style={ + parallelepiped,fill=switch, draw=white, + minimum width=0.75cm, + minimum height=0.75cm, + parallelepiped offset x=1.75mm, + parallelepiped offset y=1.25mm, + path picture={ + \node[fill=white, + circle, + minimum size=6pt, + inner sep=0pt, + append after command={ + \pgfextra{ + \foreach \angle in {0,45,...,360} + \draw[-latex,fill=white] (\tikzlastnode.\angle)--++(\angle:2.25mm); + } + } + ] + at ([xshift=-0.75mm,yshift=-0.5mm]path picture bounding box.center){}; + } + }, + ports/.style={ + line width=0.3pt, + top color=gray!20, + bottom color=gray!80 + }, + rack switch/.style={ + parallelepiped,fill=white, draw, + minimum width=1.25cm, + minimum height=0.25cm, + parallelepiped offset x=2mm, + parallelepiped offset y=1.25mm, + xscale=-1, + path picture={ + \draw[top color=gray!5,bottom color=gray!40] + (path picture bounding box.south west) rectangle + (path picture bounding box.north east); + \coordinate (A-west) at ([xshift=-0.2cm]path picture bounding box.west); + \coordinate (A-center) at ($(path picture bounding box.center)!0!(path + picture bounding box.south)$); + \foreach \x in {0.275,0.525,0.775}{ + \draw[ports]([yshift=-0.05cm]$(A-west)!\x!(A-center)$) + rectangle +(0.1,0.05); + \draw[ports]([yshift=-0.125cm]$(A-west)!\x!(A-center)$) + rectangle +(0.1,0.05); + } + \coordinate (A-east) at (path picture bounding box.east); + \foreach \x in {0.085,0.21,0.335,0.455,0.635,0.755,0.875,1}{ + \draw[ports]([yshift=-0.1125cm]$(A-east)!\x!(A-center)$) + rectangle +(0.05,0.1); + } + } + }, + server/.style={ + parallelepiped, + fill=white, draw, + minimum width=0.35cm, + minimum height=0.75cm, + 
parallelepiped offset x=3mm, + parallelepiped offset y=2mm, + xscale=-1, + path picture={ + \draw[top color=gray!5,bottom color=gray!40] + (path picture bounding box.south west) rectangle + (path picture bounding box.north east); + \coordinate (A-center) at ($(path picture bounding box.center)!0!(path + picture bounding box.south)$); + \coordinate (A-west) at ([xshift=-0.575cm]path picture bounding box.west); + \draw[ports]([yshift=0.1cm]$(A-west)!0!(A-center)$) + rectangle +(0.2,0.065); + \draw[ports]([yshift=0.01cm]$(A-west)!0.085!(A-center)$) + rectangle +(0.15,0.05); + \fill[black]([yshift=-0.35cm]$(A-west)!-0.1!(A-center)$) + rectangle +(0.235,0.0175); + \fill[black]([yshift=-0.385cm]$(A-west)!-0.1!(A-center)$) + rectangle +(0.235,0.0175); + \fill[black]([yshift=-0.42cm]$(A-west)!-0.1!(A-center)$) + rectangle +(0.235,0.0175); + } + }, +} + +\usetikzlibrary{calc, shadings, shadows, shapes.arrows} + +% Styles for interfaces and edge labels +\tikzset{% + interface/.style={draw, rectangle, rounded corners, font=\LARGE\sffamily}, + ethernet/.style={interface, fill=yellow!50},% ethernet interface + serial/.style={interface, fill=green!70},% serial interface + speed/.style={sloped, anchor=south, font=\large\sffamily},% line speed at edge + route/.style={draw, shape=single arrow, single arrow head extend=4mm, + minimum height=1.7cm, minimum width=3mm, white, fill=switch!20, + drop shadow={opacity=.8, fill=switch}, font=\tiny}% inroute/outroute arrows +} +\newcommand*{\shift}{1.3cm}% For placing the arrows later + +% The router icon +\newcommand*{\router}[1]{ +\begin{tikzpicture} + \coordinate (ll) at (-3,0.5); + \coordinate (lr) at (3,0.5); + \coordinate (ul) at (-3,2); + \coordinate (ur) at (3,2); + \shade [shading angle=90, left color=switch, right color=white] (ll) + arc (-180:-60:3cm and .75cm) -- +(0,1.5) arc (-60:-180:3cm and .75cm) + -- cycle; + \shade [shading angle=270, right color=switch, left color=white!50] (lr) + arc (0:-60:3cm and .75cm) -- +(0,1.5) arc 
(-60:0:3cm and .75cm) -- cycle; + \draw [thick] (ll) arc (-180:0:3cm and .75cm) + -- (ur) arc (0:-180:3cm and .75cm) -- cycle; + \draw [thick, shade, upper left=switch, lower left=switch, + upper right=switch, lower right=white] (ul) + arc (-180:180:3cm and .75cm); + \node at (0,0.5){\color{blue!60!black}\Huge #1};% The name of the router + % The four arrows, symbols for incoming and outgoing routes: + \begin{scope}[yshift=2cm, yscale=0.28, transform shape] + \node[route, rotate=45, xshift=\shift] {\strut}; + \node[route, rotate=-45, xshift=-\shift] {\strut}; + \node[route, rotate=-135, xshift=\shift] {\strut}; + \node[route, rotate=135, xshift=-\shift] {\strut}; + \end{scope} +\end{tikzpicture}} + +\makeatletter +\pgfdeclareradialshading[tikz@ball]{cloud}{\pgfpoint{-0.275cm}{0.4cm}}{% + color(0cm)=(tikz@ball!75!white); + color(0.1cm)=(tikz@ball!85!white); + color(0.2cm)=(tikz@ball!95!white); + color(0.7cm)=(tikz@ball!89!black); + color(1cm)=(tikz@ball!75!black) +} +\tikzoption{cloud color}{\pgfutil@colorlet{tikz@ball}{#1}% + \def\tikz@shading{cloud}\tikz@addmode{\tikz@mode@shadetrue}} +\makeatother + +\tikzset{my cloud/.style={ + cloud, draw, aspect=2, + cloud color={gray!5!white} + } +} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \begin{document} \frame{ 
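Review bot: The `cloud color` option defined with `\tikzoption` reaches into pgf-internal names (`tikz@ball`, `\tikz@shading`, `\tikz@addmode`, `\pgfutil@colorlet`) that are not part of the documented interface, so a pgf upgrade can break it without a clear error; a comment beside it such as `% relies on pgf internals (tikz@ball/\tikz@shading), copied from the texample network-topology sample -- re-check after pgf upgrades` would tell the next editor where to look. The `\usetikzlibrary{calc, shadings, shadows, shapes.arrows}` in the middle of the block repeats libraries the first hunk already loads and could be dropped. `\newcommand*{\shift}{1.3cm}` puts a very generic name into the document namespace; if it only serves `\router`, a name like `\routerarrowshift` would make a later clash with another package less likely.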
@@ -72,22 +268,65 @@ \end{block} \end{frame} -\section{Signaturen} \begin{frame} - \frametitle{RRSIG} - \begin{block}{siccegge.de}\resizebox{\textwidth}{!}{\texttt{ - \begin{tabular}{llll} -siccegge.de. & IN & A & 62.113.200.104\\ -siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\ - & - \multicolumn{3}{l}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1}\\ - & \multicolumn{3}{l}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=}\\ -\end{tabular}}} - \end{block} + \frametitle{DNS Anfrage} + \begin{figure} + \centering + \begin{tikzpicture} + \begin{scope}[yshift=-5em, xshift=-5em] + \node[scale=1.5, server,debianblue](Client){}; + \node[scale=1.5, server, left of=Client, xshift=-.75em](Gateway){}; + \node[scale=1.5, server, left of=Gateway, xshift=-2em](ISP){}; + + \draw[thick,darkgray!10!gray] (Client.west)--(Gateway.east); + \draw[thick,darkgray!10!gray] (Gateway.west)--(ISP); + \end{scope} + + \begin{scope}[xshift=15em, yshift=5em] + \node[thick, draw=darkgray, dotted, minimum width=12em, minimum + height=9em, xshift=-3.5em, yshift=-.5em] (siccegge) {}; + \node[scale=1.2, server,debianblue](Master){}; + \node[scale=1.2, server, right of=Master, yshift= 1.5em, xshift=1em](Slave 1){}; + \node[scale=1.2, server, right of=Master, yshift=-1.5em, xshift=1em](Slave 2){}; + + \draw[thick,darkgray!10!gray] (Master.east)--(Slave 1); + \draw[thick,darkgray!10!gray] (Master.east)--(Slave 2); + \end{scope} + + \begin{scope}[yshift=5em] + \node[thick, draw=darkgray, dotted, minimum width=12em, minimum + height=9em, xshift=-3.5em, yshift=-.5em] (de) {}; + \node[scale=1.2, server,debianblue](Sub Master){}; + \node[scale=1.2, server, right of=Sub Master, yshift= 1.5em, + xshift=1em](Sub Slave 1){}; + \node[scale=1.2, server, right of=Sub Master, yshift=-1.5em, + xshift=1em](Sub Slave 2){}; + + \draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 1); + 
\draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 2); + \end{scope} + + \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Sub Slave 2.south); + \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Slave 2.south); + + \node[darkgray,above=.7em of Client.north,font=\LARGE] {Client}; + \node[darkgray,below=0 of Gateway.south,font=\LARGE] {Heimrouter}; + \node[darkgray,below=0 of ISP.south,font=\LARGE] {ISP}; + + \node[darkgray,below=0 of Master.south,font=\LARGE] {Master}; + \node[darkgray,below=0 of Slave 2.south,font=\LARGE] {Slaves}; + \node[darkgray,below=0 of Sub Master.south,font=\LARGE] {Master}; + \node[darkgray,below=0 of Sub Slave 2.south,font=\LARGE] {Slaves}; + \node[darkgray, above=0 of de, font=\LARGE]{.de}; + \node[darkgray, above=0 of siccegge, font=\LARGE]{.siccegge.de}; + \end{tikzpicture} + \end{figure} \end{frame} +\section{Signaturen} + \begin{frame} - \frametitle{ZSK, KSK} + \frametitle{ZSK, KSK} \begin{itemize} \item \texttt[KSK] ``KeySigningKey'' -- wird in der übergeordneten Zone referenziert und signiert alle Schlüssel \emph{in} der Zone 
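Review bot: The `DNS Anfrage` picture mixes the deprecated `left of=`/`right of=` placement (`\node[scale=1.5, server, left of=Client, xshift=-.75em](Gateway){};` and the `Slave`/`Sub Slave` nodes) with the `positioning` library's `below=0 of ...` form used for the labels; `left=of Client` is the current syntax, though it measures the distance from the node border rather than the centre, so the `xshift` values would need re-tuning after the switch. Passing the bare colour `debianblue` as a node option works but reads like a style name; `draw=debianblue` or `color=debianblue` would state the intent. The two dotted `minimum width=12em, minimum height=9em` boxes differ only in their names and could share one `zonebox` style.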
@@ -144,12 +383,25 @@ siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 sicc
 \end{figure}
 \end{frame}
+\begin{frame}
+ \frametitle{RRSIG}
+ \begin{block}{siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{llll}
+siccegge.de. & IN & A & 62.113.200.104\\
+siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
+ &
+ \multicolumn{3}{l}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1}\\
+ & \multicolumn{3}{l}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=}\\
+\end{tabular}}}
+ \end{block}
+\end{frame}
+
 \begin{frame}
 \frametitle{Schlüsseltausch}
 \begin{block}{Idee}
 Wechsle die Schlüssel regelmäßig. Damit lassen sich auch kleine,
- effizienter verwendbare Schlüssel verwenden. Auch in Sachen
- ``Revocation'' nützlich
+ effizienter verwendbare Schlüssel verwenden (DNS verwendet
+ UDP!). Auch in Sachen ``Revocation'' nützlich
 \end{block}
 \bigskip\pause
 Schlüssel wechseln in DNS ist nicht so einfach: \pause Stichpunkt
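Review bot: The new parenthetical `(DNS verwendet UDP!)` names the transport but not why it argues for short keys, so the audience has to guess the connection; the `Idee` block would be clearer as `effizienter verwendbare Schlüssel verwenden (Antworten inkl. RRSIGs und DNSKEYs müssen in ein UDP-Paket passen, sonst Fragmentierung oder TCP-Fallback)`. The relocated RRSIG frame is moved content and needs no change here.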
@@ -159,59 +411,182 @@ siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 sicc 2 Methoden: \begin{itemize} \item Neuen Schlüssel vor der Verwendung veröffentlichen - \item Vorübergehend mit beiden Schlüsseln signieren + \item Vorübergehend die Daten mit beiden Schlüsseln signieren \end{itemize} \end{frame} \section{NSEC und NSEC3} - \begin{frame} + \frametitle{Negative antworten} + + \begin{block}{Problem} + Mit den \texttt{RRSIG}s lassen sich bestehende Einträge im DNS + bestätigen. Es ist aber immer noch möglich, Einträge + ``verschwinden'' zu lassen. Was also noch fehlt ist die + Möglichkeit, die nicht-Existenz von Einträgen zu signieren. + \end{block} +\end{frame} + +%TODO Why +\begin{frame}<1>[label=nsec] \frametitle{NSEC} \begin{itemize} - \item Bilde einen Kreis, der alle vorhandenen Einträge umfasst - \item Speichere signierte Feststellung, dass zwischen zwei Namen + \item<1-> Bilde einen Kreis, der alle vorhandenen Einträge umfasst + \item<2-> Speichere signierte Feststellung, dass zwischen zwei Namen kein dritter liegt - \item Bei negativer Antwort (\texttt{NXDOMAIN}) sende auch den + \item<2-> Bei negativer Antwort (\texttt{NXDOMAIN}) sende auch den signierten \texttt{NSEC} Eintrag in dessen Interval die Antwort liegen würde\pause\bigskip - \item ``Zonewalking'' auflistung aller Einträge in einer Zone + \item<3> ``Zonewalking'' auflistung aller Einträge in einer Zone \end{itemize} \end{frame} -\begin{frame} +\begin{frame}<-2>[label=ring] + \begin{figure} + \centering + \begin{tikzpicture}[scale=0.9] + \onslide<2>{ + \fill[debianred!10] (165:17mm) arc (165:215:17mm) -- (215:27mm) + arc (215:165:27mm) -- cycle; + + \path[decoration = {text along path, text = {NSEC}, + text align = {align = center}, raise = -0.5ex}, decorate] + (201:29mm) arc (201:155:29mm); + } + + \onslide<5>{ + \fill[debianred!10] (123:17mm) arc (123:172:17mm) -- (172:27mm) + arc (172:123:27mm) -- cycle; + + \path[decoration = {text along path, text = {NSEC3}, + 
text align = {align = center}, raise = -0.5ex}, decorate] + (180:14mm) arc (180:123:14mm); + } + + \foreach \sector/\sectorlabel/\hash/\hashlabel in {% + 0/annex/5kau\dots/keyserver, + 1/backup/evj1\dots/www, + 2/git/imua\dots/git, + 3/keyserver/mk9e\dots/wot, + 4/static/nq8c\dots/backup, + 5/webdav/qp1c\dots/static, + 6/wot/thm6\dots/webdav, + 7/www/uv8c\dots/annex}% + { + \node[font=\bfseries](node\sector) at ({45 * (-\sector - .5)}: 22mm) {\alt<-3>{\sectorlabel}{\hash}}; + + \draw[->, >=latex] ({45 * (-\sector - .5)-10}:22mm) + arc ({45 * (-\sector - .5) - 10}:{45 * (-\sector-1)- 10}:22mm); + + \onslide<4->{ + \node[font=\bfseries, circle, fill=debianblue!50, text=darkgray](hash\sector) at ({45 * (-\sector - + .5) + 15}:32mm) {H}; + + \node[font=\bfseries](orig\sector) at ({45 * (-\sector - + .5) + 25}: 45mm) {\hashlabel}; + \draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);) + \draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);) + } + } + \node[font=\bfseries, left=8em of node3](null) {null}; + \onslide<-2>{ + \draw[arrow] (null.east) -- ([yshift=1.5em]node3.west); + } + \onslide<4->{ + \node[font=\bfseries, circle, fill=debianblue!50, above=3em + of null.north, xshift=2em, text=darkgray] (H) {H}; + \draw[arrow, draw=darkgray] (null) -- (H); + \draw[arrow] (H) to node[above,font=\bfseries]{qfna\dots} ([yshift=1.5em]node4.north); + } + \end{tikzpicture} + \end{figure} +\end{frame} + +\againframe<2->{nsec} + +\begin{frame}<1>[label=nsec3] \frametitle{NSEC3} \begin{itemize} \item Statt Einträge in einem Ring anzuordnen, bilde zuerst eine - kryptographische Streusumme + kryptographische Streusumme \pause \item Verwende Salz und mehrere Runden der Streufunktion für maximalen Effekt. - \end{itemize}\bigskip\pause + \end{itemize}\bigskip \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{ \begin{tabular}{llll} -siccegge.de. & IN & NSEC3PARAM & 1 0 100 3BBD311E9F6B0E57 +siccegge.de. 
& IN & NSEC3PARAM & 1 0 5 6D1DAF17E2A6A252 \end{tabular}}} \end{block} \end{frame} +\againframe<3->{ring} + +\againframe<2->{nsec3} + +\begin{frame} + \frametitle{Überprüfung negativer Antworten} + \begin{block}{Ziel} + Es ist trivial, in der \texttt{de}-Zone zu zeigen, dass dort + \texttt{www.siccegge.de} nicht existiert -- obwohl der name + durchaus vorhanden ist (allerdings nicht in der \texttt{de}-Zone + sondern in der \texttt{siccegge.de}-Zone). Wir müssen also auch + zeigen, dass wir in der ``richtigen'' Zone operieren. + \end{block}\pause + \begin{block}{``Closest Encloser''} + Daher 3 \texttt{NSEC3}-Einträge: + \begin{itemize} + \item Für die kürzeste, nicht mehr existente Oberdomäne zur + Anfrage, den \texttt{NSEC3}-Eintrag, der das Intervall überspannt. + \item den um eine Komponente gekürzten \texttt{NSEC3}-Eintrag, der + entweder auch das Flag für \texttt{SOA} oder \emph{keinen} + \texttt{NS}-Eintrag enthält.\pause + \item den \texttt{NSEC3}-Eintrag, der das Fehlen eines + Wildcard-Eintrags an dieser Stelle nachweist. + \end{itemize} + \end{block} +\end{frame} + \begin{frame} \frametitle{Negative Antwort} - Es werden bis zu drei \texttt{NSEC3} Antworten benötigt\bigskip + \begin{block}{siccegge.de hat SOA}\resizebox{\textwidth}{!}{\texttt{ + \begin{tabular}{rl} + 4ma0fb5t2s6kjtgc6r3qi4o49bn7pc4i.siccegge.de. & 3573 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\ + 4TRVQLKF545FSK90ED6NCJ7DGMOJB6I8 & A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM \\ + \end{tabular}}} + \end{block} + \texttt{null.siccegge.de} hat den Hash-Wert \texttt{qfna56rlmnlbp3e85m4d6ckonnmpfg1i} + \begin{block}{null.siccegge.de existiert nicht}\resizebox{\textwidth}{!}{\texttt{ + \begin{tabular}{rl} + qd2uevk27c2tdrh6535e0mkiratu1t5h.siccegge.de. 
& 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\ + QLLMC1NCRMN4AU8QCFQ24VAH7JFM6LQ6 & \\ + \end{tabular}}} + \end{block} + \texttt{*.siccegge.de} hat den Hash-Wert \texttt{68m2atv9712l3e67oua61u5hp0v0273a.} + \begin{block}{*.siccegge.de existiert nicht }\resizebox{\textwidth}{!}{\texttt{ + \begin{tabular}{rl} + 63r09adu0p1vdmkif5eb4dr6m2a3l5cp.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\ + 6BJ555D3Q50SL34D50L1PGU887R73DC9 & RRSIG TLSA \\ + \end{tabular}}} + \end{block} +\end{frame} + +\section{Zusatznutzen} +\begin{frame}{DANE} + Nachdem unser DNS jetzt kryptographisch abgesichert ist (auch nicht + schlechter als das CA System) kann man dort jetzt sicher weiteres + Schlüsselmaterial ausliefern: \begin{itemize} - \item Der \texttt{NSEC3}-Eintrag, der das entsprechende Interval - umfasst - \pause - \item Der längste existente \texttt{NSEC3}-Eintrag um zu beweisen, dass diese - Zone zuständig ist. - \pause - \item Ein \texttt{NSEC3}-Eintrag, der beweist, dass keine Wildcards existieren + \item TLSA für alles was SSL/TLS macht + \item SSHFP für SSH Fingerprints + \item PGP-Schlüssel-Enträge + \item \dots \end{itemize} \end{frame} -\section{Zusatznutzen} \begin{frame} - \frametitle{DANE} - \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{ + \frametitle{TLSA} + \begin{block}{TLSA}\resizebox{\textwidth}{!}{\texttt{ \begin{tabular}{llll} \_25.\_tcp.oteiza.siccegge.de. & IN & TLSA & 3 1 1 101B5B5CCDC5568CEC385552611FD0355BF15DB293E96F46E29DE4A0C4B2BC3F \\ @@ -225,10 +600,8 @@ siccegge.de. & IN & NSEC3PARAM & 1 0 100 3BBD311E9F6B0E57 \bigskip\pause \begin{itemize} \item 3: Bezeichnet ein Service Zertifikat - \pause \item 1: Angegeben wird der öffentlich Schlüssel, nicht das Zertifikat - \pause \item 1: Angegeben wird eine \texttt{SHA256}-Summe \end{itemize} \end{frame} 
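Review bot: Both `\draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);)` and the following `\draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);)` inside the `ring` frame's `\foreach` body carry a stray `)` after the semicolon; it sits outside any path in the tikzpicture and should be removed, e.g. `\draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);`. The `NSEC3` slide's advice to use salt and several hash rounds `für maximalen Effekt` deserves a caveat: the `NSEC3PARAM` record in the same hunk publishes the iteration count (5) and the salt, so extra rounds raise the cost for every validator and authoritative server without preventing offline guessing of hashed names, and current guidance (RFC 9276) recommends zero additional iterations and an empty salt. The `%TODO Why` marker left above the `nsec` frame should either be resolved or become a sentence on the slide before this is presented.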
@@ -252,6 +625,63 @@ git.siccegge.de & IN & SSHFP 4 2 880686195D6C1AAA6791F3A3EF4E7B565DCF9F560F2F1BB
 \end{itemize}
 \end{frame}
+\section{Software}
+\begin{frame}{Überblick}
+ \begin{block}{Nameserver}
+ Müssen zusätzliche Einträge ausliefern (\texttt{RRSIG},
+ \texttt{NSEC3}). Für \texttt{NSEC3} müssen die richtigen Einträge
+ gefunden wernden
+ \end{block}\pause
+ \begin{block}{Signaturwerkzeuge}
+ \begin{itemize}
+ \item Müssen \texttt{RRSIG}s für die vorhandenen Einträge
+ erstellen und gelegentlich erneuern
+ \item Müssen die \texttt{NSEC3}- und \texttt{NSEC3PARAM}-Einträge
+ erstellen und signieren
+ \item Müssen möglichkeit zum Schlüsseltausch beiten
+ \end{itemize}
+ \end{block}\pause
+ \begin{block}{Registrar}
+ Irgendwie müssen die Schlüssel in die darüberliegende Zone
+ kommen. Wenige Registrare haben das schon im Interface vorgesehen,
+ etliche lassen sich aber per Mail an den Support überreden
+ \end{block}
+\end{frame}
+
+\begin{frame}{Nameserver}
+ \begin{block}{Software}
+ Alle nennenswerten Nameserver (nsd, bind, powerdns, knot, \dots) können heutzutage DNSSEC ausliefern.
+ \end{block}\pause
+ \begin{block}{Sekundärserver}
+ Kaum ein kostenfreier Sekundärserveranbieter unterstützt DNSSEC --
+ das liegt unter anderem an den deutlich größeren Antworten und dem
+ Rechenbedarf für \texttt{NSEC3}, die signifikant Resourcen
+ verbrauchen.
+
+ $\Rightarrow$ Selber hosten (mit Freunden) oder beim Registrar schauen.
+ \end{block}
+\end{frame}
+
+\begin{frame}{Signaturwerkzeuge}
+ Im Grunde gibt es zwei Typen von Signaturwerkzeugen
+ \begin{block}{Im primären Nameserver}
+ BIND, Knot, PowerDNS
+ \begin{description}
+ \item[Vorteile] Keine weiteren Werkzeuge, dynamische Updatesmöglich
+ \item[Nachteile] Schlüsselmaterial im Netzwerkserver, bestehende
+ Implementierungen unflexibel in Sachen Schlüsselrotation
+ \end{description}
+ \end{block}\pause
+ \begin{block}{Separates Signaturwerkzeug}
+ OpenDNSSEC, dnssec-tools, cron
+ \begin{description}
+ \item[Vorteile] Flexibel, Signaturlösung Nameserver-agnostisch
+ \item[Nachteile] Softwarequalität \dots, weiteres Element, das
+ kaputt gehen kann
+ \end{description}
+ \end{block}
+\end{frame}
+
 \begin{frame}{Fragen?}
 \vspace*{\fill}
 \begin{center}
-- 
2.39.5
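Review bot: The new `Software` frames carry several typos that will be visible on the slides: `gefunden wernden` → `gefunden werden`, `Müssen möglichkeit zum Schlüsseltausch beiten` → `Müssen Möglichkeit zum Schlüsseltausch bieten`, `dynamische Updatesmöglich` → `dynamische Updates möglich`, and `Resourcen` → `Ressourcen`. The `Nachteile` item `Schlüsselmaterial im Netzwerkserver` would say more if the usual mitigation were named alongside it, e.g. `(nur ZSK online, KSK offline bzw. im HSM)`, since key placement is what actually separates the two tool types. The `$\Rightarrow$` that opens a prose sentence is math mode used for a typographic arrow; `\textrightarrow` or an `alertblock` would keep that line in text mode.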