1 \documentclass[13pt
]{beamer
}
4 \usepackage[utf8
]{inputenc}
9 \usetikzlibrary{positioning,intersections,backgrounds,calc,shadings,shapes.arrows,shapes.symbols,shadows
}
10 \usepgflibrary{shapes.geometric
}
11 \usepgflibrary{shapes.misc
}
12 \usepgflibrary{shapes.symbols
}
13 \usepgflibrary{shapes
}
14 \usetikzlibrary{shapes,decorations,shadows
}
15 \usetikzlibrary{decorations.pathmorphing
}
16 \usetikzlibrary{decorations.shapes
}
17 \usetikzlibrary{decorations.text
}
18 \usetikzlibrary{fadings
}
19 \usetikzlibrary{patterns
}
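% Node and edge styles shared by the network/key diagrams below.
% \tikzstyle is deprecated; \tikzset{<name>/.style={...}} is the supported form
% and lets several styles be declared in one place.
\tikzset{
  % small database box
  netdb/.style={anchor=center, color=black, rectangle, draw,
    minimum size=.6em, minimum height=.2em},
  % client box; NOTE(review): the colour i4gray is not defined on this page --
  % confirm it is defined elsewhere in the preamble
  client/.style={fill=i4gray, rectangle, draw},
  chain/.style={rectangle, draw, minimum size=1em, minimum height=.5em},
  % directed edge, kept clear of the node borders at both ends
  arrow/.style={->, thick, draw, shorten <=2pt, shorten >=2pt},
  tunnel/.style={fill=gray, shape=ellipse, minimum size=4em, minimum height=1.1em},
}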
29 \usetheme{CambridgeUS
}
30 \usefonttheme{structuresmallcapsserif
}
32 \author{Christoph Egger
}
33 %\institute[Debian]{The Debian Project}
36 \usebackgroundtemplate{\includegraphics[width=
\paperwidth]{images/swirl-lightest
}}
37 \logo{\includegraphics[viewport=
274 335 360 440,width=
1cm
]{images/openlogo-nd.pdf
}}
38 \definecolor{debianred
}{rgb
}{.780,
.000,
.211} % 199,0,54
39 \definecolor{debianblue
}{rgb
}{0,
.208,
.780} % 0,53,199
40 \definecolor{debianlightbackgroundblue
}{rgb
}{.941,
.941,
.957} % 240,240,244
41 \definecolor{debianbackgroundblue
}{rgb
}{.776,
.784,
.878} % 198,200,224
43 \usecolortheme[named=debianbackgroundblue
]{structure
}
44 \setbeamercolor{normal text
}{fg=debianred
}
45 \setbeamercolor{titlelike
}{fg=debianblue
}
46 \setbeamercolor{sidebar
}{fg=debianred,bg=debianbackgroundblue
}
48 \setbeamercolor{palette sidebar primary
}{fg=debianred
}
49 \setbeamercolor{palette sidebar secondary
}{fg=debianred
}
50 \setbeamercolor{palette sidebar tertiary
}{fg=debianred
}
51 \setbeamercolor{palette sidebar quaternary
}{fg=debianred
}
53 \setbeamercolor{block title
}{fg=debianblue
}
54 \setbeamercolor{description item
}{fg=debianblue
}
57 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
58 % http://www.texample.net/media/tikz/examples/TEX/network-topology.tex %
59 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
62 parallelepiped offset x/.initial=
2mm,
63 parallelepiped offset y/.initial=
2mm
65 \pgfdeclareshape{parallelepiped
}
67 \inheritsavedanchors[from=rectangle
] % this is nearly a rectangle
68 \inheritanchorborder[from=rectangle
]
69 \inheritanchor[from=rectangle
]{north
}
70 \inheritanchor[from=rectangle
]{north west
}
71 \inheritanchor[from=rectangle
]{north east
}
72 \inheritanchor[from=rectangle
]{center
}
73 \inheritanchor[from=rectangle
]{west
}
74 \inheritanchor[from=rectangle
]{east
}
75 \inheritanchor[from=rectangle
]{mid
}
76 \inheritanchor[from=rectangle
]{mid west
}
77 \inheritanchor[from=rectangle
]{mid east
}
78 \inheritanchor[from=rectangle
]{base
}
79 \inheritanchor[from=rectangle
]{base west
}
80 \inheritanchor[from=rectangle
]{base east
}
81 \inheritanchor[from=rectangle
]{south
}
82 \inheritanchor[from=rectangle
]{south west
}
83 \inheritanchor[from=rectangle
]{south east
}
85 % store lower right in xa/ya and upper right in xb/yb
86 \southwest \pgf@xa=
\pgf@x
\pgf@ya=
\pgf@y
87 \northeast \pgf@xb=
\pgf@x
\pgf@yb=
\pgf@y
88 \pgfmathsetlength\pgfutil@tempdima
{\pgfkeysvalueof{/pgf/parallelepiped
90 \pgfmathsetlength\pgfutil@tempdimb
{\pgfkeysvalueof{/pgf/parallelepiped
92 \def\ppd@offset
{\pgfpoint{\pgfutil@tempdima
}{\pgfutil@tempdimb
}}
93 \pgfpathmoveto{\pgfqpoint{\pgf@xa
}{\pgf@ya
}}
94 \pgfpathlineto{\pgfqpoint{\pgf@xb
}{\pgf@ya
}}
95 \pgfpathlineto{\pgfqpoint{\pgf@xb
}{\pgf@yb
}}
96 \pgfpathlineto{\pgfqpoint{\pgf@xa
}{\pgf@yb
}}
98 \pgfpathmoveto{\pgfqpoint{\pgf@xb
}{\pgf@ya
}}
99 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb
}{\pgf@ya
}}{\ppd@offset
}}
100 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb
}{\pgf@yb
}}{\ppd@offset
}}
101 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xa
}{\pgf@yb
}}{\ppd@offset
}}
102 \pgfpathlineto{\pgfqpoint{\pgf@xa
}{\pgf@yb
}}
103 \pgfpathmoveto{\pgfqpoint{\pgf@xb
}{\pgf@yb
}}
104 \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb
}{\pgf@yb
}}{\ppd@offset
}}
109 \tikzset{l3 switch/.style=
{
110 parallelepiped,fill=switch, draw=white,
111 minimum width=
0.75cm,
112 minimum height=
0.75cm,
113 parallelepiped offset x=
1.75mm,
114 parallelepiped offset y=
1.25mm,
120 append after command=
{
122 \foreach \angle in
{0,
45,...,
360}
123 \draw[-latex,fill=white
] (
\tikzlastnode.
\angle)--++(
\angle:
2.25mm);
127 at (
[xshift=-
0.75mm,yshift=-
0.5mm
]path picture bounding box.center)
{};
136 parallelepiped,fill=white, draw,
137 minimum width=
1.25cm,
138 minimum height=
0.25cm,
139 parallelepiped offset x=
2mm,
140 parallelepiped offset y=
1.25mm,
143 \draw[top
color=gray!
5,bottom
color=gray!
40]
144 (path picture bounding box.south west) rectangle
145 (path picture bounding box.north east);
146 \coordinate (A-west) at (
[xshift=-
0.2cm
]path picture bounding box.west);
147 \coordinate (A-center) at ($(path picture bounding box.center)!
0!(path
148 picture bounding box.south)$);
149 \foreach \x in
{0.275,
0.525,
0.775}{
150 \draw[ports
](
[yshift=-
0.05cm
]$(A-west)!
\x!(A-center)$)
151 rectangle +(
0.1,
0.05);
152 \draw[ports
](
[yshift=-
0.125cm
]$(A-west)!
\x!(A-center)$)
153 rectangle +(
0.1,
0.05);
155 \coordinate (A-east) at (path picture bounding box.east);
156 \foreach \x in
{0.085,
0.21,
0.335,
0.455,
0.635,
0.755,
0.875,
1}{
157 \draw[ports
](
[yshift=-
0.1125cm
]$(A-east)!
\x!(A-center)$)
158 rectangle +(
0.05,
0.1);
165 minimum width=
0.35cm,
166 minimum height=
0.75cm,
167 parallelepiped offset x=
3mm,
168 parallelepiped offset y=
2mm,
171 \draw[top
color=gray!
5,bottom
color=gray!
40]
172 (path picture bounding box.south west) rectangle
173 (path picture bounding box.north east);
174 \coordinate (A-center) at ($(path picture bounding box.center)!
0!(path
175 picture bounding box.south)$);
176 \coordinate (A-west) at (
[xshift=-
0.575cm
]path picture bounding box.west);
177 \draw[ports
](
[yshift=
0.1cm
]$(A-west)!
0!(A-center)$)
178 rectangle +(
0.2,
0.065);
179 \draw[ports
](
[yshift=
0.01cm
]$(A-west)!
0.085!(A-center)$)
180 rectangle +(
0.15,
0.05);
181 \fill[black
](
[yshift=-
0.35cm
]$(A-west)!-
0.1!(A-center)$)
182 rectangle +(
0.235,
0.0175);
183 \fill[black
](
[yshift=-
0.385cm
]$(A-west)!-
0.1!(A-center)$)
184 rectangle +(
0.235,
0.0175);
185 \fill[black
](
[yshift=-
0.42cm
]$(A-west)!-
0.1!(A-center)$)
186 rectangle +(
0.235,
0.0175);
191 \usetikzlibrary{calc, shadings, shadows, shapes.arrows
}
193 % Styles for interfaces and edge labels
195 interface/.style=
{draw, rectangle, rounded corners, font=
\LARGE\sffamily},
196 ethernet/.style=
{interface, fill=yellow!
50},
% ethernet interface
197 serial/.style=
{interface, fill=green!
70},
% serial interface
198 speed/.style=
{sloped, anchor=south, font=
\large\sffamily},
% line speed at edge
199 route/.style=
{draw, shape=single arrow, single arrow head extend=
4mm,
200 minimum height=
1.7cm, minimum width=
3mm, white, fill=switch!
20,
201 drop shadow=
{opacity=
.8, fill=switch
}, font=
\tiny}% inroute/outroute arrows
203 \newcommand*
{\shift}{1.3cm
}% For placing the arrows later
206 \newcommand*
{\router}[1]{
208 \coordinate (ll) at (-
3,
0.5);
209 \coordinate (lr) at (
3,
0.5);
210 \coordinate (ul) at (-
3,
2);
211 \coordinate (ur) at (
3,
2);
212 \shade [shading angle=
90, left
color=switch, right
color=white
] (ll)
213 arc (-
180:-
60:
3cm and
.75cm) -- +(
0,
1.5) arc (-
60:-
180:
3cm and
.75cm)
215 \shade [shading angle=
270, right
color=switch, left
color=white!
50] (lr)
216 arc (
0:-
60:
3cm and
.75cm) -- +(
0,
1.5) arc (-
60:
0:
3cm and
.75cm) -- cycle;
217 \draw [thick
] (ll) arc (-
180:
0:
3cm and
.75cm)
218 -- (ur) arc (
0:-
180:
3cm and
.75cm) -- cycle;
219 \draw [thick, shade, upper left=switch, lower left=switch,
220 upper right=switch, lower right=white
] (ul)
221 arc (-
180:
180:
3cm and
.75cm);
222 \node at (
0,
0.5)
{\color{blue!
60!black
}\Huge #1};
% The name of the router
223 % The four arrows, symbols for incoming and outgoing routes:
224 \begin{scope
}[yshift=
2cm, yscale=
0.28, transform shape
]
225 \node[route, rotate=
45, xshift=
\shift] {\strut};
226 \node[route, rotate=-
45, xshift=-
\shift] {\strut};
227 \node[route, rotate=-
135, xshift=
\shift] {\strut};
228 \node[route, rotate=
135, xshift=-
\shift] {\strut};
233 \pgfdeclareradialshading[tikz@ball
]{cloud
}{\pgfpoint{-
0.275cm
}{0.4cm
}}{%
234 color(
0cm)=(tikz@ball!
75!white);
235 color(
0.1cm)=(tikz@ball!
85!white);
236 color(
0.2cm)=(tikz@ball!
95!white);
237 color(
0.7cm)=(tikz@ball!
89!black);
238 color(
1cm)=(tikz@ball!
75!black)
240 \tikzoption{cloud
color}{\pgfutil@colorlet
{tikz@ball
}{#1}%
241 \def\tikz@shading
{cloud
}\tikz@addmode
{\tikz@mode@shadetrue
}}
244 \tikzset{my cloud/.style=
{
245 cloud, draw, aspect=
2,
246 cloud
color=
{gray!
5!white
}
249 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
260 \begin{block
}{Wikipedia
}
261 The Domain Name System Security Extensions (DNSSEC) is a suite of
262 Internet Engineering Task Force (IETF) specifications for securing
263 certain kinds of information provided by the Domain Name System
264 (DNS) as used on Internet Protocol (IP) networks. It is a set of
265 extensions to DNS which provide to DNS clients (resolvers) origin
266 authentication of DNS data, authenticated denial of existence, and
267 data integrity, but not availability or confidentiality.
272 \frametitle{DNS Anfrage
}
276 \begin{scope
}[yshift=-
5em, xshift=-
5em
]
277 \node[scale=
1.5, server,debianblue
](Client)
{};
278 \node[scale=
1.5, server, left of=Client, xshift=-
.75em
](Gateway)
{};
279 \node[scale=
1.5, server, left of=Gateway, xshift=-
2em
](ISP)
{};
281 \draw[thick,darkgray!
10!gray
] (Client.west)--(Gateway.east);
282 \draw[thick,darkgray!
10!gray
] (Gateway.west)--(ISP);
285 \begin{scope
}[xshift=
15em, yshift=
5em
]
286 \node[thick, draw=darkgray, dotted, minimum width=
12em, minimum
287 height=
9em, xshift=-
3.5em, yshift=-
.5em
] (siccegge)
{};
288 \node[scale=
1.2, server,debianblue
](Master)
{};
289 \node[scale=
1.2, server, right of=Master, yshift=
1.5em, xshift=
1em
](Slave
1)
{};
290 \node[scale=
1.2, server, right of=Master, yshift=-
1.5em, xshift=
1em
](Slave
2)
{};
292 \draw[thick,darkgray!
10!gray
] (Master.east)--(Slave
1);
293 \draw[thick,darkgray!
10!gray
] (Master.east)--(Slave
2);
296 \begin{scope
}[yshift=
5em
]
297 \node[thick, draw=darkgray, dotted, minimum width=
12em, minimum
298 height=
9em, xshift=-
3.5em, yshift=-
.5em
] (de)
{};
299 \node[scale=
1.2, server,debianblue
](Sub Master)
{};
300 \node[scale=
1.2, server, right of=Sub Master, yshift=
1.5em,
301 xshift=
1em
](Sub Slave
1)
{};
302 \node[scale=
1.2, server, right of=Sub Master, yshift=-
1.5em,
303 xshift=
1em
](Sub Slave
2)
{};
305 \draw[thick,darkgray!
10!gray
] (Sub Master.east)--(Sub Slave
1);
306 \draw[thick,darkgray!
10!gray
] (Sub Master.east)--(Sub Slave
2);
309 \draw[thick,darkgray!
10!gray,dotted
] (ISP.north)--(Sub Slave
2.south);
310 \draw[thick,darkgray!
10!gray,dotted
] (ISP.north)--(Slave
2.south);
312 \node[darkgray,above=
.7em of Client.north,font=
\LARGE] {Client
};
313 \node[darkgray,below=
0 of Gateway.south,font=
\LARGE] {Heimrouter
};
314 \node[darkgray,below=
0 of ISP.south,font=
\LARGE] {ISP
};
316 \node[darkgray,below=
0 of Master.south,font=
\LARGE] {Master
};
317 \node[darkgray,below=
0 of Slave
2.south,font=
\LARGE] {Slaves
};
318 \node[darkgray,below=
0 of Sub Master.south,font=
\LARGE] {Master
};
319 \node[darkgray,below=
0 of Sub Slave
2.south,font=
\LARGE] {Slaves
};
320 \node[darkgray, above=
0 of de, font=
\LARGE]{.de
};
321 \node[darkgray, above=
0 of siccegge, font=
\LARGE]{.siccegge.de
};
329 \frametitle{ZSK, KSK
}
331 \item \texttt{KSK} ``KeySigningKey'' -- wird in der übergeordneten
332 Zone referenziert und signiert alle Schlüssel
\emph{in
} der Zone
334 \item \texttt{ZSK} ``ZoneSigningKey'' -- wird durch den
\texttt{KSK
}
335 autorisiert und signiert weitere Einträge
337 \item Normalerweise gibt es
\emph{einen
} KSK und
\emph{zwei
} ZSKs in
345 \begin{tikzpicture
}[scale=
1.2]
346 \tikzstyle{every node
}=
[font=
\small]
347 \node[minimum width=
8em,minimum height=
12em,draw=gray
](dezone) at (
0,
0)
{};
348 \node[below=
2em of dezone.south
] {de. Zone
};
349 \node[minimum width=
8em,minimum height=
12em,draw=gray
](rootzone) at (-
9em,
0)
{};
350 \node[below=
2em of rootzone.south
] {. Zone
};
351 \node[minimum width=
8em,minimum height=
12em,draw=gray
](sicceggezone) at (
9em,
0)
{};
352 \node[below=
2em of sicceggezone.south
] {siccegge.de. Zone
};
354 \node[ellipse,draw=debianred
](rootksk) at (-
9em,
3em)
{KSK
};
355 \node[ellipse,draw=debianblue
](rootzsk) at (-
9em,
0em)
{ZSK
};
356 \node[ellipse,draw=black
](rootds) at (-
9em,-
3em)
{DS
};
358 \node[ellipse,draw=debianred
](deksk) at (
0em,
3em)
{KSK
};
359 \node[ellipse,draw=debianblue
](dezsk) at (
0em,
0em)
{ZSK
};
360 \node[ellipse,draw=black
](deds) at (
0em,-
3em)
{DS
};
362 \node[ellipse,draw=debianred
](sicceggeksk) at (
9em,
3em)
{KSK
};
363 \node[ellipse,draw=debianblue
](sicceggezsk) at (
9em,
0em)
{ZSK
};
364 \node[ellipse,draw=black
](arecord) at (
6.5em,-
2em)
{\tiny{A
}};
365 \node[ellipse,draw=black
](aaaarecord) at (
8em,-
3em)
{\tiny{AAAA
}};
366 \node[ellipse,draw=black
](sshfprecord) at (
10.5em,-
4em)
{\tiny{SSHFP
}};
368 \draw[arrow,draw=black
] (rootds.south) |- ++(
0,-
2em) -| (
[xshift=
1em
]rootzone.east)
369 |- (
[xshift=
4.5em,yshift=
1em
]rootzone.north) -| (deksk.north);
370 \draw[arrow,draw=black
] (deds.south) |- ++(
0,-
2em) -| (
[xshift=
1em
]dezone.east)
371 |- (
[xshift=
4.5em,yshift=
1em
]dezone.north) -| (sicceggeksk.north);
373 \draw[arrow,draw=debianred
] (rootksk.south) -- (rootzsk.north);
374 \draw[arrow,draw=debianred
] (deksk.south) -- (dezsk.north);
375 \draw[arrow,draw=debianred
] (sicceggeksk.south) -- (sicceggezsk.north);
377 \draw[arrow,draw=debianblue
] (rootzsk) -- (rootds);
378 \draw[arrow,draw=debianblue
] (dezsk) -- (deds);
379 \draw[arrow,draw=debianblue
] (sicceggezsk) -- (arecord);
380 \draw[arrow,draw=debianblue
] (sicceggezsk) -- (aaaarecord);
381 \draw[arrow,draw=debianblue
] (sicceggezsk) -- (sshfprecord);
388 \begin{block
}{siccegge.de
}\resizebox{\textwidth}{!
}{\texttt{
389 \begin{tabular
}{llll
}
390 siccegge.de. & IN & A &
62.113.200.104\\
391 siccegge.de. & IN & RRSIG & A
8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
393 \multicolumn{3}{l
}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1
}\\
394 &
\multicolumn{3}{l
}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/
6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=
}\\
400 \frametitle{Schlüsseltausch
}
402 Wechsle die Schlüssel regelmäßig. Damit lassen sich auch kleine,
403 effizienter verwendbare Schlüssel verwenden (DNS verwendet
404 UDP!). Auch in Sachen ``Revocation'' nützlich.
407 Schlüssel wechseln in DNS ist nicht so einfach:
\pause Stichpunkt
413 \item Neuen Schlüssel vor der Verwendung veröffentlichen
414 \item Vorübergehend die Daten mit beiden Schlüsseln signieren
418 \section{NSEC und NSEC3
}
420 \frametitle{Negative antworten
}
422 \begin{block
}{Problem
}
423 Mit den
\texttt{RRSIG
}s lassen sich bestehende Einträge im DNS
424 bestätigen. Es ist aber immer noch möglich, Einträge
425 ``verschwinden'' zu lassen. Was also noch fehlt, ist die
426 Möglichkeit, die Nicht-Existenz von Einträgen zu signieren.
431 \begin{frame
}<
1>
[label=nsec
]
434 \item<
1-> Bilde einen Kreis, der alle vorhandenen Einträge umfasst
435 \item<
2-> Speichere signierte Feststellung, dass zwischen zwei Namen
437 \item<
2-> Bei negativer Antwort (
\texttt{NXDOMAIN
}) sende auch den
438 signierten
\texttt{NSEC
}-Eintrag, in dessen Intervall die Antwort
439 liegen würde
\pause\bigskip
440 \item<
3> ``Zonewalking'': Auflistung aller Einträge in einer Zone
444 \begin{frame
}<-
2>
[label=ring
]
447 \begin{tikzpicture
}[scale=
0.9]
449 \fill[debianred!
10] (
165:
17mm) arc (
165:
215:
17mm) -- (
215:
27mm)
450 arc (
215:
165:
27mm) -- cycle;
452 \path[decoration =
{text along path, text =
{NSEC
},
453 text align =
{align = center
}, raise = -
0.5ex
}, decorate
]
454 (
201:
29mm) arc (
201:
155:
29mm);
458 \fill[debianred!
10] (
123:
17mm) arc (
123:
172:
17mm) -- (
172:
27mm)
459 arc (
172:
123:
27mm) -- cycle;
461 \path[decoration =
{text along path, text =
{NSEC3
},
462 text align =
{align = center
}, raise = -
0.5ex
}, decorate
]
463 (
180:
14mm) arc (
180:
123:
14mm);
466 \foreach \sector/
\sectorlabel/
\hash/
\hashlabel in
{%
467 0/annex/
5kau
\dots/keyserver,
468 1/backup/evj1
\dots/www,
470 3/keyserver/mk9e
\dots/wot,
471 4/static/nq8c
\dots/backup,
472 5/webdav/qp1c
\dots/static,
473 6/wot/thm6
\dots/webdav,
474 7/www/uv8c
\dots/annex
}%
476 \node[font=
\bfseries](node
\sector) at (
{45 * (-
\sector -
.5)
}:
22mm)
{\alt<-
3>
{\sectorlabel}{\hash}};
478 \draw[->, >=latex
] (
{45 * (-
\sector -
.5)-
10}:
22mm)
479 arc (
{45 * (-
\sector -
.5) -
10}:
{45 * (-
\sector-
1)-
10}:
22mm);
482 \node[font=
\bfseries, circle, fill=debianblue!
50, text=darkgray
](hash
\sector) at (
{45 * (-
\sector -
485 \node[font=
\bfseries](orig
\sector) at (
{45 * (-
\sector -
486 .5) +
25}:
45mm)
{\hashlabel};
487 \draw[arrow, draw=darkgray
] (hash
\sector) -- (node
\sector);)
488 \draw[arrow, draw=darkgray
] (orig
\sector) -- (hash
\sector);)
491 \node[font=
\bfseries, left=
8em of node3
](null)
{null
};
493 \draw[arrow
] (null.east) -- (
[yshift=
1.5em
]node3.west);
496 \node[font=
\bfseries, circle, fill=debianblue!
50, above=
3em
497 of null.north, xshift=
2em, text=darkgray
] (H)
{H
};
498 \draw[arrow, draw=darkgray
] (null) -- (H);
499 \draw[arrow
] (H) to node
[above,font=
\bfseries]{qfna
\dots} (
[yshift=
1.5em
]node4.north);
505 \againframe<
2->
{nsec
}
507 \begin{frame
}<
1>
[label=nsec3
]
511 \item Statt Einträge in einem Ring anzuordnen, bilde zuerst eine
512 kryptographische Streusumme
\pause
513 \item Verwende Salz und mehrere Runden der Streufunktion für
515 \end{itemize
}\bigskip
516 \begin{block
}{git.siccegge.de
}\resizebox{\textwidth}{!
}{\texttt{
517 \begin{tabular
}{llll
}
518 siccegge.de. & IN & NSEC3PARAM &
1 0 5 6D1DAF17E2A6A252
523 \againframe<
3->
{ring
}
525 \againframe<
2->
{nsec3
}
528 \frametitle{Überprüfung negativer Antworten
}
530 Es ist trivial, in der
\texttt{de
}-Zone zu zeigen, dass dort
531 \texttt{www.siccegge.de
} nicht existiert -- obwohl der Name
532 durchaus vorhanden ist (allerdings nicht in der
\texttt{de
}-Zone,
533 sondern in der
\texttt{siccegge.de
}-Zone). Wir müssen also auch
534 zeigen, dass wir in der ``richtigen'' Zone operieren.
536 \begin{block
}{``Closest Encloser''
}
537 Daher
3 \texttt{NSEC3
}-Einträge:
539 \item Für die kürzeste, nicht mehr existente Oberdomäne zur
540 Anfrage, den
\texttt{NSEC3
}-Eintrag, der das Intervall überspannt.
541 \item den um eine Komponente gekürzten
\texttt{NSEC3
}-Eintrag, der
542 entweder auch das Flag für
\texttt{SOA
} oder
\emph{keinen
}
543 \texttt{NS
}-Eintrag enthält.
\pause
544 \item den
\texttt{NSEC3
}-Eintrag, der das Fehlen eines
545 Wildcard-Eintrags an dieser Stelle nachweist.
551 \frametitle{Negative Antwort
}
552 \begin{block
}{siccegge.de hat SOA
}\resizebox{\textwidth}{!
}{\texttt{
554 4ma0fb5t2s6kjtgc6r3qi4o49bn7pc4i.siccegge.de. &
3573 IN NSEC3
1 0 5 6D1DAF17E2A6A252 \\
555 4TRVQLKF545FSK90ED6NCJ7DGMOJB6I8 & A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM \\
558 \texttt{null.siccegge.de
} hat den Hash-Wert
\texttt{qfna56rlmnlbp3e85m4d6ckonnmpfg1i
}
559 \begin{block
}{null.siccegge.de existiert nicht
}\resizebox{\textwidth}{!
}{\texttt{
561 qd2uevk27c2tdrh6535e0mkiratu1t5h.siccegge.de. &
3600 IN NSEC3
1 0 5 6D1DAF17E2A6A252 \\
562 QLLMC1NCRMN4AU8QCFQ24VAH7JFM6LQ6 & \\
565 \texttt{*.siccegge.de
} hat den Hash-Wert
\texttt{68m2atv9712l3e67oua61u5hp0v0273a
}.
566 \begin{block
}{*.siccegge.de existiert nicht
}\resizebox{\textwidth}{!
}{\texttt{
568 63r09adu0p1vdmkif5eb4dr6m2a3l5cp.siccegge.de. &
3600 IN NSEC3
1 0 5 6D1DAF17E2A6A252 \\
569 6BJ555D3Q50SL34D50L1PGU887R73DC9 & RRSIG TLSA \\
574 \section{Zusatznutzen
}
576 Nachdem unser DNS jetzt kryptographisch abgesichert ist (auch nicht
577 schlechter als das CA-System), kann man dort jetzt sicher weiteres
578 Schlüsselmaterial ausliefern:
580 \item TLSA für alles was SSL/TLS macht
581 \item SSHFP für SSH Fingerprints
582 \item PGP-Schlüssel-Einträge
589 \begin{block
}{TLSA
}\resizebox{\textwidth}{!
}{\texttt{
590 \begin{tabular
}{llll
}
591 \_25.
\_tcp.oteiza.siccegge.de. & IN & TLSA &
3 1 1
592 101B5B5CCDC5568CEC385552611FD0355BF15DB293E96F46E29DE4A0C4B2BC3F \\
593 \_443.
\_tcp.siccegge.de. & IN & TLSA &
3 1 1
594 62BEBD9F2E77CF26A4006A50F69FC3891BF7BEDDAEF8AC96E57C1D9BA2AB1F73 \\
595 \_5222.
\_tcp.xmpp.egger.im & IN & TLSA &
3 1 1 9c93fab0d88c911592dedfa7f9385aeee228b0c6d526813ad1182c983677736b
599 Achtung! Beim Schlüsseltausch gibt's wieder Spaß.
602 \item 3: Bezeichnet ein Service-Zertifikat
603 \item 1: Angegeben wird der öffentliche Schlüssel, nicht das
605 \item 1: Angegeben wird eine
\texttt{SHA256
}-Summe
611 \begin{block
}{git.siccegge.de
}\resizebox{\textwidth}{!
}{\texttt{
613 git.siccegge.de & IN & SSHFP
1 1 0E812EE0A3704230F3C415076E1BAA149A5DC75B\\
614 git.siccegge.de & IN & SSHFP
1 2 1CBACAF365040DC1DF841FD07D9186BC343D4AF7DCF689CC8CF4A2F75D7F4B57\\
615 git.siccegge.de & IN & SSHFP
3 1 A2D0495E912DA039EEA51A1593F7F74FB919AAD4\\
616 git.siccegge.de & IN & SSHFP
3 2 9BF73E3654AA65B847054247F85EFB5C88AB7460840B9C922E647B00696661CF\\
617 git.siccegge.de & IN & SSHFP
4 1 2A3EF64AC589193ACFAD783B62E3C193A67F3F46\\
618 git.siccegge.de & IN & SSHFP
4 2 880686195D6C1AAA6791F3A3EF4E7B565DCF9F560F2F1BBB93C56EFD5996F335\\
623 \item Erste Zahl: Hostkeytyp
624 \item Zweite Zahl: Prüfsummentyp
629 \begin{frame
}{Überblick
}
630 \begin{block
}{Nameserver
}
631 Müssen zusätzliche Einträge ausliefern (
\texttt{RRSIG
},
632 \texttt{NSEC3
}). Für
\texttt{NSEC3
} müssen die richtigen Einträge
635 \begin{block
}{Signaturwerkzeuge
}
637 \item Müssen
\texttt{RRSIG
}s für die vorhandenen Einträge
638 erstellen und gelegentlich erneuern
639 \item Müssen die
\texttt{NSEC3
}- und
\texttt{NSEC3PARAM
}-Einträge
640 erstellen und signieren
641 \item Müssen Möglichkeit zum Schlüsseltausch bieten
644 \begin{block
}{Registrar
}
645 Irgendwie müssen die Schlüssel in die darüberliegende Zone
646 kommen. Wenige Registrare haben das schon im Interface vorgesehen,
647 etliche lassen sich aber per Mail an den Support überreden
651 \begin{frame
}{Nameserver
}
652 \begin{block
}{Software
}
653 Alle nennenswerten Nameserver (nsd, bind, powerdns, knot,
\dots) können heutzutage DNSSEC ausliefern.
655 \begin{block
}{Sekundärserver
}
656 Kaum ein kostenfreier Sekundärserveranbieter unterstützt DNSSEC --
657 das liegt unter anderem an den deutlich größeren Antworten und dem
658 Rechenbedarf für
\texttt{NSEC3
}, die signifikant Ressourcen
661 $
\Rightarrow$ Selber hosten (mit Freunden) oder beim Registrar schauen.
665 \begin{frame
}{Signaturwerkzeuge
}
666 Im Grunde gibt es zwei Typen von Signaturwerkzeugen:
667 \begin{block
}{Im primären Nameserver
}
670 \item[Vorteile
] Keine weiteren Werkzeuge, dynamische Updates möglich
671 \item[Nachteile
] Schlüsselmaterial im Netzwerkserver, bestehende
672 Implementierungen unflexibel in Sachen Schlüsselrotation
675 \begin{block
}{Separates Signaturwerkzeug
}
676 OpenDNSSEC, dnssec-tools, cron
678 \item[Vorteile
] Flexibel, Signaturlösung Nameserver-agnostisch
679 \item[Nachteile
] Softwarequalität
\dots, weiteres Element, das
685 \begin{frame
}{Fragen?
}
688 \includegraphics[width=
7cm
]{images/
42.pdf
}