1 \documentclass[13pt
]{beamer
}
4 \usepackage[utf8
]{inputenc}
9 \usetikzlibrary{positioning,intersections,backgrounds,calc,shadings,shapes.arrows,shapes.symbols,shadows
}
10 \usepgflibrary{shapes.geometric
}
11 \usepgflibrary{shapes.misc
}
12 \usepgflibrary{shapes.symbols
}
13 \usepgflibrary{shapes
}
14 \usetikzlibrary{shapes,decorations,shadows
}
15 \usetikzlibrary{decorations.pathmorphing
}
16 \usetikzlibrary{decorations.shapes
}
17 \usetikzlibrary{decorations.text
}
18 \usetikzlibrary{fadings
}
19 \usetikzlibrary{patterns
}
21 \tikzstyle{netdb
}=
[anchor=center,
color=black,rectangle,draw,minimum
22 size=
.6em,minimum height=
.2em
]
23 \tikzstyle{client
}=
[fill=i4gray,rectangle,draw
]
24 \tikzstyle{chain
}=
[rectangle,draw,minimum size=
1em,minimum height=
.5em
]
25 \tikzstyle{arrow
}=
[->,thick,draw,shorten <=
2pt,shorten >=
2pt,
]
26 \tikzstyle{tunnel
}=
[fill=gray,shape=ellipse,minimum size=
4em,minimum height=
1.1em
]
29 \usetheme{CambridgeUS
}
30 \usefonttheme{structuresmallcapsserif
}
32 \author{Christoph Egger
}
33 %\institute[Debian]{The Debian Project}
36 \usebackgroundtemplate{\includegraphics[width=
\paperwidth]{images/swirl-lightest
}}
37 \logo{\includegraphics[viewport=
274 335 360 440,width=
1cm
]{images/openlogo-nd.pdf
}}
38 \definecolor{debianred
}{rgb
}{.780,
.000,
.211} % 199,0,54
39 \definecolor{debianblue
}{rgb
}{0,
.208,
.780} % 0,53,199
40 \definecolor{debianlightbackgroundblue
}{rgb
}{.941,
.941,
.957} % 240,240,244
41 \definecolor{debianbackgroundblue
}{rgb
}{.776,
.784,
.878} % 198,200,224
43 \usecolortheme[named=debianbackgroundblue
]{structure
}
44 \setbeamercolor{normal text
}{fg=debianred
}
45 \setbeamercolor{titlelike
}{fg=debianblue
}
46 \setbeamercolor{sidebar
}{fg=debianred,bg=debianbackgroundblue
}
48 \setbeamercolor{palette sidebar primary
}{fg=debianred
}
49 \setbeamercolor{palette sidebar secondary
}{fg=debianred
}
50 \setbeamercolor{palette sidebar tertiary
}{fg=debianred
}
51 \setbeamercolor{palette sidebar quaternary
}{fg=debianred
}
53 \setbeamercolor{block title
}{fg=debianblue
}
54 \setbeamercolor{description item
}{fg=debianblue
}
57 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
58 % http://www.texample.net/media/tikz/examples/TEX/network-topology.tex %
59 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
62 parallelepiped offset x/.initial=
2mm,
63 parallelepiped offset y/.initial=
2mm
65 \pgfdeclareshape{parallelepiped
}
67 \inheritsavedanchors[from=rectangle
] % this is nearly a rectangle
68 \inheritanchorborder[from=rectangle
]
69 \inheritanchor[from=rectangle
]{north
}
70 \inheritanchor[from=rectangle
]{north west
}
71 \inheritanchor[from=rectangle
]{north east
}
72 \inheritanchor[from=rectangle
]{center
}
73 \inheritanchor[from=rectangle
]{west
}
74 \inheritanchor[from=rectangle
]{east
}
75 \inheritanchor[from=rectangle
]{mid
}
76 \inheritanchor[from=rectangle
]{mid west
}
77 \inheritanchor[from=rectangle
]{mid east
}
78 \inheritanchor[from=rectangle
]{base
}
79 \inheritanchor[from=rectangle
]{base west
}
80 \inheritanchor[from=rectangle
]{base east
}
81 \inheritanchor[from=rectangle
]{south
}
82 \inheritanchor[from=rectangle
]{south west
}
83 \inheritanchor[from=rectangle
]{south east
}
85 % store lower right in xa/ya and upper right in xb/yb
86 \southwest \pgf@xa=
\pgf@x
\pgf@ya=
\pgf@y
87 \northeast \pgf@xb=
\pgf@x
\pgf@yb=
\pgf@y
88 \pgfmathsetlength\pgfutil@tempdima
{\pgfkeysvalueof{/pgf/parallelepiped
90 \pgfmathsetlength\pgfutil@tempdimb
{\pgfkeysvalueof{/pgf/parallelepiped
92 \def\ppd@offset
{\pgfpoint{\pgfutil@tempdima
}{\pgfutil@tempdimb
}}
93 \pgfpathmoveto{\pgfqpoint{\pgf@xa
}{\pgf@ya
}}
94 \pgfpathlineto{\pgfqpoint{\pgf@xb
}{\pgf@ya
}}
95 \pgfpathlineto{\pgfqpoint{\pgf@xb
}{\pgf@yb
}}
96 \pgfpathlineto{\pgfqpoint{\pgf@xa
}{\pgf@yb
}}
98 \pgfpathmoveto{\pgfqpoint{\pgf@xb
}{\pgf@ya
}}
99 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb
}{\pgf@ya
}}{\ppd@offset
}}
100 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb
}{\pgf@yb
}}{\ppd@offset
}}
101 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xa
}{\pgf@yb
}}{\ppd@offset
}}
102 \pgfpathlineto{\pgfqpoint{\pgf@xa
}{\pgf@yb
}}
103 \pgfpathmoveto{\pgfqpoint{\pgf@xb
}{\pgf@yb
}}
104 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb
}{\pgf@yb
}}{\ppd@offset
}}
109 \tikzset{l3 switch/.style=
{
110 parallelepiped,fill=switch, draw=white,
111 minimum width=
0.75cm,
112 minimum height=
0.75cm,
113 parallelepiped offset x=
1.75mm,
114 parallelepiped offset y=
1.25mm,
120 append after command=
{
122 \foreach \angle in
{0,
45,...,
360}
123 \draw[-latex,fill=white
] (
\tikzlastnode.
\angle)--++(
\angle:
2.25mm);
127 at (
[xshift=-
0.75mm,yshift=-
0.5mm
]path picture bounding box.center)
{};
136 parallelepiped,fill=white, draw,
137 minimum width=
1.25cm,
138 minimum height=
0.25cm,
139 parallelepiped offset x=
2mm,
140 parallelepiped offset y=
1.25mm,
143 \draw[top
color=gray!
5,bottom
color=gray!
40]
144 (path picture bounding box.south west) rectangle
145 (path picture bounding box.north east);
146 \coordinate (A-west) at (
[xshift=-
0.2cm
]path picture bounding box.west);
147 \coordinate (A-center) at ($(path picture bounding box.center)!
0!(path
148 picture bounding box.south)$);
149 \foreach \x in
{0.275,
0.525,
0.775}{
150 \draw[ports
](
[yshift=-
0.05cm
]$(A-west)!
\x!(A-center)$)
151 rectangle +(
0.1,
0.05);
152 \draw[ports
](
[yshift=-
0.125cm
]$(A-west)!
\x!(A-center)$)
153 rectangle +(
0.1,
0.05);
155 \coordinate (A-east) at (path picture bounding box.east);
156 \foreach \x in
{0.085,
0.21,
0.335,
0.455,
0.635,
0.755,
0.875,
1}{
157 \draw[ports
](
[yshift=-
0.1125cm
]$(A-east)!
\x!(A-center)$)
158 rectangle +(
0.05,
0.1);
165 minimum width=
0.35cm,
166 minimum height=
0.75cm,
167 parallelepiped offset x=
3mm,
168 parallelepiped offset y=
2mm,
171 \draw[top
color=gray!
5,bottom
color=gray!
40]
172 (path picture bounding box.south west) rectangle
173 (path picture bounding box.north east);
174 \coordinate (A-center) at ($(path picture bounding box.center)!
0!(path
175 picture bounding box.south)$);
176 \coordinate (A-west) at (
[xshift=-
0.575cm
]path picture bounding box.west);
177 \draw[ports
](
[yshift=
0.1cm
]$(A-west)!
0!(A-center)$)
178 rectangle +(
0.2,
0.065);
179 \draw[ports
](
[yshift=
0.01cm
]$(A-west)!
0.085!(A-center)$)
180 rectangle +(
0.15,
0.05);
181 \fill[black
](
[yshift=-
0.35cm
]$(A-west)!-
0.1!(A-center)$)
182 rectangle +(
0.235,
0.0175);
183 \fill[black
](
[yshift=-
0.385cm
]$(A-west)!-
0.1!(A-center)$)
184 rectangle +(
0.235,
0.0175);
185 \fill[black
](
[yshift=-
0.42cm
]$(A-west)!-
0.1!(A-center)$)
186 rectangle +(
0.235,
0.0175);
191 \usetikzlibrary{calc, shadings, shadows, shapes.arrows
}
193 % Styles for interfaces and edge labels
195 interface/.style=
{draw, rectangle, rounded corners, font=
\LARGE\sffamily},
196 ethernet/.style=
{interface, fill=yellow!
50},
% ethernet interface
197 serial/.style=
{interface, fill=green!
70},
% serial interface
198 speed/.style=
{sloped, anchor=south, font=
\large\sffamily},
% line speed at edge
199 route/.style=
{draw, shape=single arrow, single arrow head extend=
4mm,
200 minimum height=
1.7cm, minimum width=
3mm, white, fill=switch!
20,
201 drop shadow=
{opacity=
.8, fill=switch
}, font=
\tiny}% inroute/outroute arrows
203 \newcommand*
{\shift}{1.3cm
}% For placing the arrows later
206 \newcommand*
{\router}[1]{
208 \coordinate (ll) at (-
3,
0.5);
209 \coordinate (lr) at (
3,
0.5);
210 \coordinate (ul) at (-
3,
2);
211 \coordinate (ur) at (
3,
2);
212 \shade [shading angle=
90, left
color=switch, right
color=white
] (ll)
213 arc (-
180:-
60:
3cm and
.75cm) -- +(
0,
1.5) arc (-
60:-
180:
3cm and
.75cm)
215 \shade [shading angle=
270, right
color=switch, left
color=white!
50] (lr)
216 arc (
0:-
60:
3cm and
.75cm) -- +(
0,
1.5) arc (-
60:
0:
3cm and
.75cm) -- cycle;
217 \draw [thick
] (ll) arc (-
180:
0:
3cm and
.75cm)
218 -- (ur) arc (
0:-
180:
3cm and
.75cm) -- cycle;
219 \draw [thick, shade, upper left=switch, lower left=switch,
220 upper right=switch, lower right=white
] (ul)
221 arc (-
180:
180:
3cm and
.75cm);
222 \node at (
0,
0.5)
{\color{blue!
60!black
}\Huge #1};
% The name of the router
223 % The four arrows, symbols for incoming and outgoing routes:
224 \begin{scope
}[yshift=
2cm, yscale=
0.28, transform shape
]
225 \node[route, rotate=
45, xshift=
\shift] {\strut};
226 \node[route, rotate=-
45, xshift=-
\shift] {\strut};
227 \node[route, rotate=-
135, xshift=
\shift] {\strut};
228 \node[route, rotate=
135, xshift=-
\shift] {\strut};
233 \pgfdeclareradialshading[tikz@ball
]{cloud
}{\pgfpoint{-
0.275cm
}{0.4cm
}}{%
234 color(
0cm)=(tikz@ball!
75!white);
235 color(
0.1cm)=(tikz@ball!
85!white);
236 color(
0.2cm)=(tikz@ball!
95!white);
237 color(
0.7cm)=(tikz@ball!
89!black);
238 color(
1cm)=(tikz@ball!
75!black)
240 \tikzoption{cloud
color}{\pgfutil@colorlet
{tikz@ball
}{#1}%
241 \def\tikz@shading
{cloud
}\tikz@addmode
{\tikz@mode@shadetrue
}}
244 \tikzset{my cloud/.style=
{
245 cloud, draw, aspect=
2,
246 cloud
color=
{gray!
5!white
}
249 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
260 \begin{block
}{Wikipedia
}
261 The Domain Name System Security Extensions (DNSSEC) is a suite of
262 Internet Engineering Task Force (IETF) specifications for securing
263 certain kinds of information provided by the Domain Name System
264 (DNS) as used on Internet Protocol (IP) networks. It is a set of
265 extensions to DNS which provide to DNS clients (resolvers) origin
266 authentication of DNS data, authenticated denial of existence, and
267 data integrity, but not availability or confidentiality.
272 \frametitle{DNS Anfrage
}
276 \begin{scope
}[yshift=-
5em, xshift=-
5em
]
277 \node[scale=
1.5, server,debianblue
](Client)
{};
278 \node[scale=
1.5, server, left of=Client, xshift=-
.75em
](Gateway)
{};
279 \node[scale=
1.5, server, left of=Gateway, xshift=-
2em
](ISP)
{};
281 \draw[thick,darkgray!
10!gray
] (Client.west)--(Gateway.east);
282 \draw[thick,darkgray!
10!gray
] (Gateway.west)--(ISP);
285 \begin{scope
}[xshift=
15em, yshift=
5em
]
286 \node[thick, draw=darkgray, dotted, minimum width=
12em, minimum
287 height=
9em, xshift=-
3.5em, yshift=-
.5em
] (siccegge)
{};
288 \node[scale=
1.2, server,debianblue
](Master)
{};
289 \node[scale=
1.2, server, right of=Master, yshift=
1.5em, xshift=
1em
](Slave
1)
{};
290 \node[scale=
1.2, server, right of=Master, yshift=-
1.5em, xshift=
1em
](Slave
2)
{};
292 \draw[thick,darkgray!
10!gray
] (Master.east)--(Slave
1);
293 \draw[thick,darkgray!
10!gray
] (Master.east)--(Slave
2);
296 \begin{scope
}[yshift=
5em
]
297 \node[thick, draw=darkgray, dotted, minimum width=
12em, minimum
298 height=
9em, xshift=-
3.5em, yshift=-
.5em
] (de)
{};
299 \node[scale=
1.2, server,debianblue
](Sub Master)
{};
300 \node[scale=
1.2, server, right of=Sub Master, yshift=
1.5em,
301 xshift=
1em
](Sub Slave
1)
{};
302 \node[scale=
1.2, server, right of=Sub Master, yshift=-
1.5em,
303 xshift=
1em
](Sub Slave
2)
{};
305 \draw[thick,darkgray!
10!gray
] (Sub Master.east)--(Sub Slave
1);
306 \draw[thick,darkgray!
10!gray
] (Sub Master.east)--(Sub Slave
2);
309 \draw[thick,darkgray!
10!gray,dotted
] (ISP.north)--(Sub Slave
2.south);
310 \draw[thick,darkgray!
10!gray,dotted
] (ISP.north)--(Slave
2.south);
312 \node[darkgray,above=
.7em of Client.north,font=
\LARGE] {Client
};
313 \node[darkgray,below=
0 of Gateway.south,font=
\LARGE] {Heimrouter
};
314 \node[darkgray,below=
0 of ISP.south,font=
\LARGE] {ISP
};
316 \node[darkgray,below=
0 of Master.south,font=
\LARGE] {Master
};
317 \node[darkgray,below=
0 of Slave
2.south,font=
\LARGE] {Slaves
};
318 \node[darkgray,below=
0 of Sub Master.south,font=
\LARGE] {Master
};
319 \node[darkgray,below=
0 of Sub Slave
2.south,font=
\LARGE] {Slaves
};
320 \node[darkgray, above=
0 of de, font=
\LARGE]{.de
};
321 \node[darkgray, above=
0 of siccegge, font=
\LARGE]{.siccegge.de
};
329 % \frametitle{ZSK, KSK}
331 % \item \texttt[KSK] ``KeySigningKey'' -- wird in der übergeordneten
332 % Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
334 % \item \texttt[ZSK] ``ZoneSigningKey'' -- wird durch den \texttt{KSK}
335 % authorisiert und signiert weitere Einträge
337 % \item Normalerweise gibt es \emph{einen} KSK und \emph{zwei} ZSKs in
344 \item[KSK
] ``KeySigningKey'' -- wird in der übergeordneten
345 Zone referenziert und signiert alle Schlüssel
\emph{in
} der Zone
346 \item[ZSK
] ``ZoneSigningKey'' -- wird durch den
\texttt{KSK
}
347 authorisiert und signiert weitere Einträge
351 \begin{tikzpicture
}[scale=
1.2]
352 \tikzstyle{every node
}=
[font=
\small]
353 \node[minimum width=
8em,minimum height=
12em,draw=gray
](dezone) at (
0,
0)
{};
354 \node[below=
2em of dezone.south
] {de. Zone
};
355 \node[minimum width=
8em,minimum height=
12em,draw=gray
](rootzone) at (-
9em,
0)
{};
356 \node[below=
2em of rootzone.south
] {. Zone
};
357 \node[minimum width=
8em,minimum height=
12em,draw=gray
](sicceggezone) at (
9em,
0)
{};
358 \node[below=
2em of sicceggezone.south
] {siccegge.de. Zone
};
360 \node[ellipse,draw=debianred
](rootksk) at (-
9em,
3em)
{KSK
};
361 \node[ellipse,draw=debianblue
](rootzsk) at (-
9em,
0em)
{ZSK
};
362 \node[ellipse,draw=black
](rootds) at (-
9em,-
3em)
{DS
};
364 \node[ellipse,draw=debianred
](deksk) at (
0em,
3em)
{KSK
};
365 \node[ellipse,draw=debianblue
](dezsk) at (
0em,
0em)
{ZSK
};
366 \node[ellipse,draw=black
](deds) at (
0em,-
3em)
{DS
};
368 \node[ellipse,draw=debianred
](sicceggeksk) at (
9em,
3em)
{KSK
};
369 \node[ellipse,draw=debianblue
](sicceggezsk) at (
9em,
0em)
{ZSK
};
370 \node[ellipse,draw=black
](arecord) at (
6.5em,-
2em)
{\tiny{A
}};
371 \node[ellipse,draw=black
](aaaarecord) at (
8em,-
3em)
{\tiny{AAAA
}};
372 \node[ellipse,draw=black
](sshfprecord) at (
10.5em,-
4em)
{\tiny{SSHFP
}};
374 \draw[arrow,draw=black
] (rootds.south) |- ++(
0,-
2em) -| (
[xshift=
1em
]rootzone.east)
375 |- (
[xshift=
4.5em,yshift=
1em
]rootzone.north) -| (deksk.north);
376 \draw[arrow,draw=black
] (deds.south) |- ++(
0,-
2em) -| (
[xshift=
1em
]dezone.east)
377 |- (
[xshift=
4.5em,yshift=
1em
]dezone.north) -| (sicceggeksk.north);
379 \draw[arrow,draw=debianred
] (rootksk.south) -- (rootzsk.north);
380 \draw[arrow,draw=debianred
] (deksk.south) -- (dezsk.north);
381 \draw[arrow,draw=debianred
] (sicceggeksk.south) -- (sicceggezsk.north);
383 \draw[arrow,draw=debianblue
] (rootzsk) -- (rootds);
384 \draw[arrow,draw=debianblue
] (dezsk) -- (deds);
385 \draw[arrow,draw=debianblue
] (sicceggezsk) -- (arecord);
386 \draw[arrow,draw=debianblue
] (sicceggezsk) -- (aaaarecord);
387 \draw[arrow,draw=debianblue
] (sicceggezsk) -- (sshfprecord);
394 \begin{block
}{siccegge.de
}\resizebox{\textwidth}{!
}{\texttt{
395 \begin{tabular
}{llll
}
396 siccegge.de. & IN & A &
62.113.200.104\\
397 siccegge.de. & IN & RRSIG & A
8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
399 \multicolumn{3}{l
}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1
}\\
400 &
\multicolumn{3}{l
}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/
6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=
}\\
406 \frametitle{Schlüsseltausch
}
408 Wechsle die Schlüssel regelmäßig. Damit lassen sich auch kleine,
409 effizientere Schlüssel verwenden (DNS verwendet UDP!). Auch in
410 Sachen ``Revocation'' nützlich
413 Schlüssel wechseln in DNS ist nicht so einfach:
\pause Stichpunkt
419 \item Neuen Schlüssel vor der Verwendung veröffentlichen
420 \item Vorübergehend die Daten mit beiden Schlüsseln signieren
424 \section{NSEC und NSEC3
}
426 \frametitle{Negative antworten
}
428 \begin{block
}{Problem
}
429 Mit den
\texttt{RRSIG
}s lassen sich bestehende Einträge im DNS
430 bestätigen. Es ist aber immer noch möglich, Einträge
431 ``verschwinden'' zu lassen. Was also noch fehlt ist die
432 Möglichkeit, die nicht-Existenz von Einträgen zu signieren.
437 \begin{frame
}<
1>
[label=nsec
]
438 \frametitle{NSEC (Next SECure)
}
440 \item<
1-> Bilde einen Kreis, der alle vorhandenen Einträge umfasst
441 \item<
2-> Speichere signierte Feststellung, dass zwischen zwei Namen
443 \item<
2-> Bei negativer Antwort (
\texttt{NXDOMAIN
}) sende auch den
444 signierten
\texttt{NSEC
} Eintrag in dessen Interval die Antwort
445 liegen würde
\pause\bigskip
446 \item<
3> ``Zonewalking'' auflistung aller Einträge in einer Zone
450 \begin{frame
}<-
3>
[label=ring
]
453 \begin{tikzpicture
}[scale=
0.9]
455 \fill[debianred!
10] (
165:
17mm) arc (
165:
215:
17mm) -- (
215:
27mm)
456 arc (
215:
165:
27mm) -- cycle;
458 \path[decoration =
{text along path, text =
{NSEC
},
459 text align =
{align = center
}, raise = -
0.5ex
}, decorate
]
460 (
201:
29mm) arc (
201:
155:
29mm);
464 \fill[debianred!
10] (
110:
17mm) arc (
110:
165:
17mm) -- (
165:
27mm)
465 arc (
165:
110:
27mm) -- cycle;
467 \path[decoration =
{text along path, text =
{NSEC3
},
468 text align =
{align = center
}, raise = -
0.5ex
}, decorate
]
469 (
180:
14mm) arc (
180:
123:
14mm);
472 \foreach \sector/
\sectorlabel/
\hash/
\hashlabel in
{%
473 0/backup/evj1
\dots/www,
475 2/keyserver/mk9e
\dots/wot,
476 3/wot/thm6
\dots/webdav,
477 4/www/uv8c
\dots/annex,
478 5/annex/
5kau
\dots/keyserver
}%
480 \node[font=
\bfseries](node
\sector) at (
{60 * (-
\sector -
.5)
}:
22mm)
{\alt<-
4>
{\sectorlabel}{\hash}};
482 \draw[->, >=latex
] (
{60 * (-
\sector -
.5)-
10}:
22mm)
483 arc (
{60 * (-
\sector -
.5) -
10}:
{60 * (-
\sector-
1)-
10}:
22mm);
486 \node[font=
\bfseries, circle, fill=debianblue!
50, text=darkgray
](hash
\sector) at (
{60 * (-
\sector -
489 \node[font=
\bfseries](orig
\sector) at (
{60 * (-
\sector -
490 .5) +
30}:
50mm)
{\hashlabel};
491 \draw[arrow, draw=darkgray
] (hash
\sector) -- (node
\sector);)
492 \draw[arrow, draw=darkgray
] (orig
\sector) -- (hash
\sector);)
496 \node[font=
\bfseries, left=
8em of node3
](null)
{null
};
499 \draw[arrow
] (null.east) -- (
[yshift=
3em
]node2.west);
502 \node[font=
\bfseries, circle, fill=debianblue!
50, above=
3em
503 of null.north, xshift=
2em, text=darkgray
] (H)
{H
};
504 \draw[arrow, draw=darkgray
] (null) -- (H);
505 \draw[arrow
] (H) to node
[above,font=
\bfseries]{qfna
\dots} (
[yshift=
1.5em
]node3.north);
511 \againframe<
2->
{nsec
}
513 \begin{frame
}<
1>
[label=nsec3
]
517 \item Statt Einträge in einem Ring anzuordnen, bilde zuerst eine
518 kryptographische Streusumme
\pause
519 \item Verwende Salz und mehrere Runden der Streufunktion für
521 \end{itemize
}\bigskip
522 \begin{block
}{git.siccegge.de
}\resizebox{\textwidth}{!
}{\texttt{
523 \begin{tabular
}{llll
}
524 siccegge.de. & IN & NSEC3PARAM &
1 0 5 6D1DAF17E2A6A252
529 \againframe<
4->
{ring
}
531 \againframe<
2->
{nsec3
}
534 \frametitle{Überprüfung negativer Antworten
}
536 Es ist trivial, in der
\texttt{de
}-Zone zu zeigen, dass dort
537 \texttt{www.siccegge.de
} nicht existiert -- obwohl der name
538 durchaus vorhanden ist (allerdings nicht in der
\texttt{de
}-Zone
539 sondern in der
\texttt{siccegge.de
}-Zone). Wir müssen also auch
540 zeigen, dass wir in der ``richtigen'' Zone operieren.
542 \begin{block
}{``Closest Encloser''
}
543 Daher
3 \texttt{NSEC3
}-Einträge:
545 \item Für die kürzeste, nicht mehr existente Oberdomäne zur
546 Anfrage, den
\texttt{NSEC3
}-Eintrag, der das Intervall überspannt.
547 \item Den um eine Komponente gekürzten
\texttt{NSEC3
}-Eintrag, der
548 entweder
\emph{keinen
} \texttt{NS
}-Eintrag oder auch das Flag
549 für
\texttt{SOA
} enthält.
\pause
550 \item Den
\texttt{NSEC3
}-Eintrag, der das Fehlen eines
551 Wildcard-Eintrags an dieser Stelle nachweist.
557 \frametitle{Negative Antwort
}
558 \begin{block
}{siccegge.de hat SOA
}\resizebox{\textwidth}{!
}{\texttt{
560 4ma0fb5t2s6kjtgc6r3qi4o49bn7pc4i.siccegge.de. &
3573 IN NSEC3
1 0 5 6D1DAF17E2A6A252 \\
561 4TRVQLKF545FSK90ED6NCJ7DGMOJB6I8 & A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM \\
564 \texttt{null.siccegge.de
} hat den Hash-Wert
\texttt{qfna56rlmnlbp3e85m4d6ckonnmpfg1i
}
565 \begin{block
}{null.siccegge.de existiert nicht
}\resizebox{\textwidth}{!
}{\texttt{
567 qd2uevk27c2tdrh6535e0mkiratu1t5h.siccegge.de. &
3600 IN NSEC3
1 0 5 6D1DAF17E2A6A252 \\
568 QLLMC1NCRMN4AU8QCFQ24VAH7JFM6LQ6 & \\
571 \texttt{*.siccegge.de
} hat den Hash-Wert
\texttt{68m2atv9712l3e67oua61u5hp0v0273a.
}
572 \begin{block
}{*.siccegge.de existiert nicht
}\resizebox{\textwidth}{!
}{\texttt{
574 63r09adu0p1vdmkif5eb4dr6m2a3l5cp.siccegge.de. &
3600 IN NSEC3
1 0 5 6D1DAF17E2A6A252 \\
575 6BJ555D3Q50SL34D50L1PGU887R73DC9 & RRSIG TLSA \\
580 \section{Zusatznutzen
}
582 Nachdem unser DNS jetzt kryptographisch abgesichert ist (auch nicht
583 schlechter als das CA System) kann man dort jetzt sicher weiteres
584 Schlüsselmaterial ausliefern:
586 \item TLSA für alles was SSL/TLS macht
587 \item SSHFP für SSH Fingerprints
588 \item PGP-Schlüssel-Enträge
595 \begin{block
}{TLSA
}\resizebox{\textwidth}{!
}{\texttt{
596 \begin{tabular
}{llll
}
597 \_25.
\_tcp.oteiza.siccegge.de. & IN & TLSA &
3 1 1
598 101B5B5CCDC5568CEC385552611FD0355BF15DB293E96F46E29DE4A0C4B2BC3F \\
599 \_443.
\_tcp.siccegge.de. & IN & TLSA &
3 1 1
600 62BEBD9F2E77CF26A4006A50F69FC3891BF7BEDDAEF8AC96E57C1D9BA2AB1F73 \\
601 \_5222.
\_tcp.xmpp.egger.im & IN & TLSA &
3 1 1 9c93fab0d88c911592dedfa7f9385aeee228b0c6d526813ad1182c983677736b
605 Achtung! Beim Schlüsseltausch gibt's wieder Spass.
608 \item 3: Bezeichnet ein Service Zertifikat
609 \item 1: Angegeben wird der öffentlich Schlüssel, nicht das
611 \item 1: Angegeben wird eine
\texttt{SHA256
}-Summe
617 \begin{block
}{git.siccegge.de
}\resizebox{\textwidth}{!
}{\texttt{
619 git.siccegge.de & IN & SSHFP
1 1 0E812EE0A3704230F3C415076E1BAA149A5DC75B\\
620 git.siccegge.de & IN & SSHFP
1 2 1CBACAF365040DC1DF841FD07D9186BC343D4AF7DCF689CC8CF4A2F75D7F4B57\\
621 git.siccegge.de & IN & SSHFP
3 1 A2D0495E912DA039EEA51A1593F7F74FB919AAD4\\
622 git.siccegge.de & IN & SSHFP
3 2 9BF73E3654AA65B847054247F85EFB5C88AB7460840B9C922E647B00696661CF\\
623 git.siccegge.de & IN & SSHFP
4 1 2A3EF64AC589193ACFAD783B62E3C193A67F3F46\\
624 git.siccegge.de & IN & SSHFP
4 2 880686195D6C1AAA6791F3A3EF4E7B565DCF9F560F2F1BBB93C56EFD5996F335\\
629 \item Erste Zahl: Hostkeytyp
630 \item Zweite Zahl: Prüfsummentyp
635 \begin{frame
}{Überblick
}
636 \begin{block
}{Nameserver
}
637 Müssen zusätzliche Einträge ausliefern (
\texttt{RRSIG
},
638 \texttt{NSEC3
}). Für
\texttt{NSEC3
} müssen die richtigen Einträge
641 \begin{block
}{Signaturwerkzeuge
}
643 \item Müssen
\texttt{RRSIG
}s für die vorhandenen Einträge
644 erstellen und gelegentlich erneuern
645 \item Müssen die
\texttt{NSEC3
}- und
\texttt{NSEC3PARAM
}-Einträge
646 erstellen und signieren
647 \item Sollten Möglichkeit zum Schlüsseltausch beiten
650 \begin{block
}{Registrar
}
651 Irgendwie müssen die Schlüssel in die darüberliegende Zone
652 kommen. Wenige Registrare haben das schon im Interface vorgesehen,
653 etliche lassen sich aber per Mail an den Support überreden
657 \begin{frame
}{Nameserver
}
658 \begin{block
}{Software
}
659 Alle nennenswerten Nameserver (nsd, bind, powerdns, knot,
\dots) können heutzutage DNSSEC ausliefern.
661 \begin{block
}{Sekundärserver
}
662 Kaum ein kostenfreier Sekundärserveranbieter unterstützt DNSSEC --
663 das liegt unter anderem an den deutlich größeren Antworten und dem
664 Rechenbedarf für
\texttt{NSEC3
}, die signifikant Resourcen
667 $
\Rightarrow$ Selber hosten (mit Freunden), beim Registrar schauen
672 \begin{frame
}{Signaturwerkzeuge
}
673 Im Grunde gibt es zwei Typen von Signaturwerkzeugen
674 \begin{block
}{Im primären Nameserver
}
677 \item[Vorteile
] Keine weiteren Werkzeuge, dynamische Updatesmöglich
678 \item[Nachteile
] Schlüsselmaterial im Netzwerkserver, bestehende
679 Implementierungen unflexibel in Sachen Schlüsselrotation
682 \begin{block
}{Separates Signaturwerkzeug
}
683 OpenDNSSEC, dnssec-tools, cron
685 \item[Vorteile
] Flexibel, Signaturlösung Nameserver-agnostisch
686 \item[Nachteile
] Softwarequalität
\dots, weiteres Element, das
692 \begin{frame
}{Fragen?
}
693 Download: https://static.siccegge.de/talks/dnssec-augsburg-
2015-
03-
28.pdf\\
694 https://git.siccegge.de/?p=talk/dnssec.git
698 \includegraphics[width=
7cm
]{images/
42.pdf
}