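\documentclass[13pt]{beamer} % NOTE(review): 13pt is not one of the font-size options beamer documents (8-12, 14, 17, 20pt) -- confirm it actually takes effect
\usepackage{ngerman}         % German hyphenation/date; babel's ngerman option is the current equivalent
\usepackage{multicol}        % not used by any frame in this file
\usepackage[utf8]{inputenc}  % source is UTF-8 (umlauts in the slide text)
\usepackage{listings}        % not used by any frame in this file

\usepackage{tikz}

% Every TikZ library the diagrams need, loaded once.  `shapes' already
% pulls in the shapes.* sub-libraries; they are listed anyway so the
% dependency is visible.  (The original loaded several of these twice,
% partly through \usepgflibrary.)
\usetikzlibrary{positioning,intersections,backgrounds,calc,shadings,shadows,
  shapes,shapes.geometric,shapes.misc,shapes.symbols,shapes.arrows,
  decorations,decorations.pathmorphing,decorations.shapes,decorations.text,
  fadings,patterns}

% Node styles for the slides.  \tikzset{<name>/.style={...}} is the
% supported spelling of the deprecated \tikzstyle{<name>}=[...].
\tikzset{
  netdb/.style={anchor=center,color=black,rectangle,draw,minimum size=.6em,minimum height=.2em},
  % NOTE(review): colour `i4gray' is not defined anywhere in this file;
  % `client' is unused by the frames below, so it only fails if applied.
  client/.style={fill=i4gray,rectangle,draw},
  chain/.style={rectangle,draw,minimum size=1em,minimum height=.5em},
  % used by the key-hierarchy and NSEC ring figures
  arrow/.style={->,thick,draw,shorten <=2pt,shorten >=2pt},
  tunnel/.style={fill=gray,shape=ellipse,minimum size=4em,minimum height=1.1em},
}

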
% Theme, fonts and title-page metadata.  The colour overrides further
% down are placed after \usetheme so they take precedence over the
% theme's own settings.
\usetheme{CambridgeUS}
\usefonttheme{structuresmallcapsserif}
\title{DNSSEC}
\author{Christoph Egger}
%\institute[Debian]{The Debian Project}
\date{\today}

% Background swirl on every slide; the logo is cropped via a viewport
% (no `clip', so material outside the viewport is not masked).
\usebackgroundtemplate{\includegraphics[width=\paperwidth]{images/swirl-lightest}}
\logo{\includegraphics[viewport=274 335 360 440,width=1cm]{images/openlogo-nd.pdf}}
% Debian palette; the trailing comments give the 8-bit RGB values.
\definecolor{debianred}{rgb}{.780,.000,.211} % 199,0,54
\definecolor{debianblue}{rgb}{0,.208,.780} % 0,53,199
\definecolor{debianlightbackgroundblue}{rgb}{.941,.941,.957} % 240,240,244
\definecolor{debianbackgroundblue}{rgb}{.776,.784,.878} % 198,200,224

% Structure elements in light blue, body text in red, titles in blue.
\usecolortheme[named=debianbackgroundblue]{structure}
\setbeamercolor{normal text}{fg=debianred}
\setbeamercolor{titlelike}{fg=debianblue}
\setbeamercolor{sidebar}{fg=debianred,bg=debianbackgroundblue}

% All four sidebar palettes share the red foreground.
\setbeamercolor{palette sidebar primary}{fg=debianred}
\setbeamercolor{palette sidebar secondary}{fg=debianred}
\setbeamercolor{palette sidebar tertiary}{fg=debianred}
\setbeamercolor{palette sidebar quaternary}{fg=debianred}

\setbeamercolor{block title}{fg=debianblue}
\setbeamercolor{description item}{fg=debianblue}


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% http://www.texample.net/media/tikz/examples/TEX/network-topology.tex %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% `parallelepiped' node shape: a rectangle plus a pseudo-3D depth face
% whose extent is given by the two /pgf keys below.  All anchors are
% inherited from `rectangle', so the depth face lies outside the anchors.
\makeatletter
\pgfkeys{/pgf/.cd,
parallelepiped offset x/.initial=2mm,
parallelepiped offset y/.initial=2mm
}
\pgfdeclareshape{parallelepiped}
{
\inheritsavedanchors[from=rectangle] % this is nearly a rectangle
\inheritanchorborder[from=rectangle]
\inheritanchor[from=rectangle]{north}
\inheritanchor[from=rectangle]{north west}
\inheritanchor[from=rectangle]{north east}
\inheritanchor[from=rectangle]{center}
\inheritanchor[from=rectangle]{west}
\inheritanchor[from=rectangle]{east}
\inheritanchor[from=rectangle]{mid}
\inheritanchor[from=rectangle]{mid west}
\inheritanchor[from=rectangle]{mid east}
\inheritanchor[from=rectangle]{base}
\inheritanchor[from=rectangle]{base west}
\inheritanchor[from=rectangle]{base east}
\inheritanchor[from=rectangle]{south}
\inheritanchor[from=rectangle]{south west}
\inheritanchor[from=rectangle]{south east}
\backgroundpath{
% south-west corner in xa/ya and north-east corner in xb/yb
% (the upstream comment said "lower right", but \southwest is what is read)
\southwest \pgf@xa=\pgf@x \pgf@ya=\pgf@y
\northeast \pgf@xb=\pgf@x \pgf@yb=\pgf@y
% depth offsets from the keys; the key names are split over a line
% break here, which TeX reads as the space the key name contains
\pgfmathsetlength\pgfutil@tempdima{\pgfkeysvalueof{/pgf/parallelepiped
offset x}}
\pgfmathsetlength\pgfutil@tempdimb{\pgfkeysvalueof{/pgf/parallelepiped
offset y}}
\def\ppd@offset{\pgfpoint{\pgfutil@tempdima}{\pgfutil@tempdimb}}
% front face: the plain rectangle
\pgfpathmoveto{\pgfqpoint{\pgf@xa}{\pgf@ya}}
\pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
\pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
\pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
\pgfpathclose
% side and top face in one open subpath, shifted by the offset
\pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
\pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@ya}}{\ppd@offset}}
\pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
\pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xa}{\pgf@yb}}{\ppd@offset}}
\pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
% the edge shared by side and top face
\pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
\pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
}
}
\makeatother

% Network-equipment node styles built on `parallelepiped'.  Only
% `server' is used by the frames in this file; `l3 switch' refers to
% a colour `switch' that is not defined anywhere here and would fail
% if the style were applied.
\tikzset{l3 switch/.style={
parallelepiped,fill=switch, draw=white,
minimum width=0.75cm,
minimum height=0.75cm,
parallelepiped offset x=1.75mm,
parallelepiped offset y=1.25mm,
% eight small arrows radiating from a white disc
path picture={
\node[fill=white,
circle,
minimum size=6pt,
inner sep=0pt,
append after command={
\pgfextra{
\foreach \angle in {0,45,...,360}
\draw[-latex,fill=white] (\tikzlastnode.\angle)--++(\angle:2.25mm);
}
}
]
at ([xshift=-0.75mm,yshift=-0.5mm]path picture bounding box.center){};
}
},
% small shaded rectangles standing for ports/LEDs
ports/.style={
line width=0.3pt,
top color=gray!20,
bottom color=gray!80
},
% flat unit with two rows of ports on the left and a row on the right;
% xscale=-1 mirrors the shape so the depth face points left
rack switch/.style={
parallelepiped,fill=white, draw,
minimum width=1.25cm,
minimum height=0.25cm,
parallelepiped offset x=2mm,
parallelepiped offset y=1.25mm,
xscale=-1,
path picture={
\draw[top color=gray!5,bottom color=gray!40]
(path picture bounding box.south west) rectangle
(path picture bounding box.north east);
\coordinate (A-west) at ([xshift=-0.2cm]path picture bounding box.west);
\coordinate (A-center) at ($(path picture bounding box.center)!0!(path
picture bounding box.south)$);
\foreach \x in {0.275,0.525,0.775}{
\draw[ports]([yshift=-0.05cm]$(A-west)!\x!(A-center)$)
rectangle +(0.1,0.05);
\draw[ports]([yshift=-0.125cm]$(A-west)!\x!(A-center)$)
rectangle +(0.1,0.05);
}
\coordinate (A-east) at (path picture bounding box.east);
\foreach \x in {0.085,0.21,0.335,0.455,0.635,0.755,0.875,1}{
\draw[ports]([yshift=-0.1125cm]$(A-east)!\x!(A-center)$)
rectangle +(0.05,0.1);
}
}
},
% tower-style server: two ports near the top, three black slots below
server/.style={
parallelepiped,
fill=white, draw,
minimum width=0.35cm,
minimum height=0.75cm,
parallelepiped offset x=3mm,
parallelepiped offset y=2mm,
xscale=-1,
path picture={
\draw[top color=gray!5,bottom color=gray!40]
(path picture bounding box.south west) rectangle
(path picture bounding box.north east);
\coordinate (A-center) at ($(path picture bounding box.center)!0!(path
picture bounding box.south)$);
\coordinate (A-west) at ([xshift=-0.575cm]path picture bounding box.west);
\draw[ports]([yshift=0.1cm]$(A-west)!0!(A-center)$)
rectangle +(0.2,0.065);
\draw[ports]([yshift=0.01cm]$(A-west)!0.085!(A-center)$)
rectangle +(0.15,0.05);
\fill[black]([yshift=-0.35cm]$(A-west)!-0.1!(A-center)$)
rectangle +(0.235,0.0175);
\fill[black]([yshift=-0.385cm]$(A-west)!-0.1!(A-center)$)
rectangle +(0.235,0.0175);
\fill[black]([yshift=-0.42cm]$(A-west)!-0.1!(A-center)$)
rectangle +(0.235,0.0175);
}
},
}

% Redundant: all four libraries are already loaded near the top of the
% preamble (loading a library twice is harmless).
\usetikzlibrary{calc, shadings, shadows, shapes.arrows}

% Styles for interfaces and edge labels (from the texample topology;
% none of them is used by the frames in this file).  `route' refers to
% colour `switch', which is not defined anywhere in this file.
\tikzset{%
interface/.style={draw, rectangle, rounded corners, font=\LARGE\sffamily},
ethernet/.style={interface, fill=yellow!50},% ethernet interface
serial/.style={interface, fill=green!70},% serial interface
speed/.style={sloped, anchor=south, font=\large\sffamily},% line speed at edge
route/.style={draw, shape=single arrow, single arrow head extend=4mm,
minimum height=1.7cm, minimum width=3mm, white, fill=switch!20,
drop shadow={opacity=.8, fill=switch}, font=\tiny}% inroute/outroute arrows
}
\newcommand*{\shift}{1.3cm}% For placing the arrows later (used only by \router)

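% The router icon: a shaded cylinder carrying the router name (#1) and
% four `route' arrows on top.  Not used by the frames in this file; it
% refers to colour `switch', which is not defined anywhere here, so it
% would fail if it were used.  The `%' after the opening brace keeps the
% line break out of the replacement text, which would otherwise typeset
% a spurious space in front of the picture.
\newcommand*{\router}[1]{%
\begin{tikzpicture}
\coordinate (ll) at (-3,0.5);
\coordinate (lr) at (3,0.5);
\coordinate (ul) at (-3,2);
\coordinate (ur) at (3,2);
% left and right halves of the cylinder body, shaded towards the edges
\shade [shading angle=90, left color=switch, right color=white] (ll)
arc (-180:-60:3cm and .75cm) -- +(0,1.5) arc (-60:-180:3cm and .75cm)
-- cycle;
\shade [shading angle=270, right color=switch, left color=white!50] (lr)
arc (0:-60:3cm and .75cm) -- +(0,1.5) arc (-60:0:3cm and .75cm) -- cycle;
% outline of the body and the shaded top ellipse
\draw [thick] (ll) arc (-180:0:3cm and .75cm)
-- (ur) arc (0:-180:3cm and .75cm) -- cycle;
\draw [thick, shade, upper left=switch, lower left=switch,
upper right=switch, lower right=white] (ul)
arc (-180:180:3cm and .75cm);
\node at (0,0.5){\color{blue!60!black}\Huge #1};% The name of the router
% The four arrows, symbols for incoming and outgoing routes:
\begin{scope}[yshift=2cm, yscale=0.28, transform shape]
\node[route, rotate=45, xshift=\shift] {\strut};
\node[route, rotate=-45, xshift=-\shift] {\strut};
\node[route, rotate=-135, xshift=\shift] {\strut};
\node[route, rotate=135, xshift=-\shift] {\strut};
\end{scope}
\end{tikzpicture}}
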
% Radial `cloud' shading parameterised by the colour tikz@ball; the
% `cloud color' option sets that colour and switches the node to this
% shading.  `my cloud' is not used by the frames in this file.
\makeatletter
\pgfdeclareradialshading[tikz@ball]{cloud}{\pgfpoint{-0.275cm}{0.4cm}}{%
color(0cm)=(tikz@ball!75!white);
color(0.1cm)=(tikz@ball!85!white);
color(0.2cm)=(tikz@ball!95!white);
color(0.7cm)=(tikz@ball!89!black);
color(1cm)=(tikz@ball!75!black)
}
\tikzoption{cloud color}{\pgfutil@colorlet{tikz@ball}{#1}%
\def\tikz@shading{cloud}\tikz@addmode{\tikz@mode@shadetrue}}
\makeatother

% cloud shape (shapes.symbols) with the shading above
\tikzset{my cloud/.style={
cloud, draw, aspect=2,
cloud color={gray!5!white}
}
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

251 \begin{document}
252
253 \frame{
254 \titlepage
255 }
256
257 \section{Einführung}
258
259 \begin{frame}
260 \begin{block}{Wikipedia}
261 The Domain Name System Security Extensions (DNSSEC) is a suite of
262 Internet Engineering Task Force (IETF) specifications for securing
263 certain kinds of information provided by the Domain Name System
264 (DNS) as used on Internet Protocol (IP) networks. It is a set of
265 extensions to DNS which provide to DNS clients (resolvers) origin
266 authentication of DNS data, authenticated denial of existence, and
267 data integrity, but not availability or confidentiality.
268 \end{block}
269 \end{frame}
270
\begin{frame}
\frametitle{DNS Anfrage}
% Topology sketch: the client side (client, home router, ISP) bottom
% left, the servers of the .de zone top left and those of .siccegge.de
% top right; dotted lines connect the ISP node to one slave of each zone.
% Server nodes use the `server' style from the preamble.
\begin{figure}
\centering
\begin{tikzpicture}
% client side.  `left of=' is the old relative-placement syntax; the
% `positioning' library's `left=of' anchors differently and would move
% the nodes, so it is left as is.
\begin{scope}[yshift=-5em, xshift=-5em]
\node[scale=1.5, server,debianblue](Client){};
\node[scale=1.5, server, left of=Client, xshift=-.75em](Gateway){};
\node[scale=1.5, server, left of=Gateway, xshift=-2em](ISP){};

\draw[thick,darkgray!10!gray] (Client.west)--(Gateway.east);
\draw[thick,darkgray!10!gray] (Gateway.west)--(ISP);
\end{scope}

% .siccegge.de zone: dotted box around a master and two slaves
\begin{scope}[xshift=15em, yshift=5em]
\node[thick, draw=darkgray, dotted, minimum width=12em, minimum
height=9em, xshift=-3.5em, yshift=-.5em] (siccegge) {};
\node[scale=1.2, server,debianblue](Master){};
\node[scale=1.2, server, right of=Master, yshift= 1.5em, xshift=1em](Slave 1){};
\node[scale=1.2, server, right of=Master, yshift=-1.5em, xshift=1em](Slave 2){};

\draw[thick,darkgray!10!gray] (Master.east)--(Slave 1);
\draw[thick,darkgray!10!gray] (Master.east)--(Slave 2);
\end{scope}

% .de zone: same layout, node names prefixed with `Sub'
\begin{scope}[yshift=5em]
\node[thick, draw=darkgray, dotted, minimum width=12em, minimum
height=9em, xshift=-3.5em, yshift=-.5em] (de) {};
\node[scale=1.2, server,debianblue](Sub Master){};
\node[scale=1.2, server, right of=Sub Master, yshift= 1.5em,
xshift=1em](Sub Slave 1){};
\node[scale=1.2, server, right of=Sub Master, yshift=-1.5em,
xshift=1em](Sub Slave 2){};

\draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 1);
\draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 2);
\end{scope}

% ISP to a slave of each zone
\draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Sub Slave 2.south);
\draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Slave 2.south);

% captions
\node[darkgray,above=.7em of Client.north,font=\LARGE] {Client};
\node[darkgray,below=0 of Gateway.south,font=\LARGE] {Heimrouter};
\node[darkgray,below=0 of ISP.south,font=\LARGE] {ISP};

\node[darkgray,below=0 of Master.south,font=\LARGE] {Master};
\node[darkgray,below=0 of Slave 2.south,font=\LARGE] {Slaves};
\node[darkgray,below=0 of Sub Master.south,font=\LARGE] {Master};
\node[darkgray,below=0 of Sub Slave 2.south,font=\LARGE] {Slaves};
\node[darkgray, above=0 of de, font=\LARGE]{.de};
\node[darkgray, above=0 of siccegge, font=\LARGE]{.siccegge.de};
\end{tikzpicture}
\end{figure}
\end{frame}

326 \section{Signaturen}
327
328 % \begin{frame}
329 % \frametitle{ZSK, KSK}
330 % \begin{itemize}
331 % \item \texttt[KSK] ``KeySigningKey'' -- wird in der übergeordneten
332 % Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
333 % \pause
334 % \item \texttt[ZSK] ``ZoneSigningKey'' -- wird durch den \texttt{KSK}
335 % authorisiert und signiert weitere Einträge
336 % \pause\bigskip
337 % \item Normalerweise gibt es \emph{einen} KSK und \emph{zwei} ZSKs in
338 % einer Zone
339 % \end{itemize}
340 % \end{frame}
341
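\begin{frame}
\begin{description}
\item[KSK] ``KeySigningKey'' -- wird in der übergeordneten
Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
\item[ZSK] ``ZoneSigningKey'' -- wird durch den \texttt{KSK}
autorisiert und signiert weitere Einträge
\end{description}
% Chain of trust across three zones (root, de., siccegge.de.):
% red arrows   KSK -> ZSK      (KSK signs the zone's keys)
% blue arrows  ZSK -> DS / records (ZSK signs the zone data)
% black arrows DS in parent -> KSK of child (delegation)
\begin{figure}
\centering
\begin{tikzpicture}[scale=1.2]
% \tikzset{<key>/.style=...} is the supported spelling of the deprecated
% \tikzstyle{<key>}=[...]
\tikzset{every node/.style={font=\small}}
% zone boxes with captions below them
\node[minimum width=8em,minimum height=12em,draw=gray](dezone) at (0,0) {};
\node[below=2em of dezone.south] {de. Zone};
\node[minimum width=8em,minimum height=12em,draw=gray](rootzone) at (-9em,0) {};
\node[below=2em of rootzone.south] {. Zone};
\node[minimum width=8em,minimum height=12em,draw=gray](sicceggezone) at (9em,0) {};
\node[below=2em of sicceggezone.south] {siccegge.de. Zone};

% root zone: KSK, ZSK and the DS for de.
\node[ellipse,draw=debianred](rootksk) at (-9em,3em) {KSK};
\node[ellipse,draw=debianblue](rootzsk) at (-9em,0em) {ZSK};
\node[ellipse,draw=black](rootds) at (-9em,-3em) {DS};

% de. zone: KSK, ZSK and the DS for siccegge.de.
\node[ellipse,draw=debianred](deksk) at (0em,3em) {KSK};
\node[ellipse,draw=debianblue](dezsk) at (0em,0em) {ZSK};
\node[ellipse,draw=black](deds) at (0em,-3em) {DS};

% siccegge.de. zone: keys plus the signed leaf records
\node[ellipse,draw=debianred](sicceggeksk) at (9em,3em) {KSK};
\node[ellipse,draw=debianblue](sicceggezsk) at (9em,0em) {ZSK};
\node[ellipse,draw=black](arecord) at (6.5em,-2em) {\tiny{A}};
\node[ellipse,draw=black](aaaarecord) at (8em,-3em) {\tiny{AAAA}};
\node[ellipse,draw=black](sshfprecord) at (10.5em,-4em) {\tiny{SSHFP}};

% delegation: DS in the parent points at the child's KSK, routed around
% the zone boxes
\draw[arrow,draw=black] (rootds.south) |- ++(0,-2em) -| ([xshift=1em]rootzone.east)
|- ([xshift=4.5em,yshift=1em]rootzone.north) -| (deksk.north);
\draw[arrow,draw=black] (deds.south) |- ++(0,-2em) -| ([xshift=1em]dezone.east)
|- ([xshift=4.5em,yshift=1em]dezone.north) -| (sicceggeksk.north);

% KSK signs ZSK
\draw[arrow,draw=debianred] (rootksk.south) -- (rootzsk.north);
\draw[arrow,draw=debianred] (deksk.south) -- (dezsk.north);
\draw[arrow,draw=debianred] (sicceggeksk.south) -- (sicceggezsk.north);

% ZSK signs the zone's data
\draw[arrow,draw=debianblue] (rootzsk) -- (rootds);
\draw[arrow,draw=debianblue] (dezsk) -- (deds);
\draw[arrow,draw=debianblue] (sicceggezsk) -- (arecord);
\draw[arrow,draw=debianblue] (sicceggezsk) -- (aaaarecord);
\draw[arrow,draw=debianblue] (sicceggezsk) -- (sshfprecord);
\end{tikzpicture}
\end{figure}
\end{frame}
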
392 \begin{frame}
393 \frametitle{RRSIG}
394 \begin{block}{siccegge.de}\resizebox{\textwidth}{!}{\texttt{
395 \begin{tabular}{llll}
396 siccegge.de. & IN & A & 62.113.200.104\\
397 siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
398 &
399 \multicolumn{3}{l}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1}\\
400 & \multicolumn{3}{l}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=}\\
401 \end{tabular}}}
402 \end{block}
403 \end{frame}
404
405 \begin{frame}
406 \frametitle{Schlüsseltausch}
407 \begin{block}{Idee}
408 Wechsle die Schlüssel regelmäßig. Damit lassen sich auch kleine,
409 effizientere Schlüssel verwenden (DNS verwendet UDP!). Auch in
Sachen ``Revocation'' nützlich.
411 \end{block}
412 \bigskip\pause
413 Schlüssel wechseln in DNS ist nicht so einfach: \pause Stichpunkt
414 \texttt{TTL}
415 \bigskip\pause
416
417 2 Methoden:
418 \begin{itemize}
419 \item Neuen Schlüssel vor der Verwendung veröffentlichen
420 \item Vorübergehend die Daten mit beiden Schlüsseln signieren
421 \end{itemize}
422 \end{frame}
423
424 \section{NSEC und NSEC3}
425 \begin{frame}
\frametitle{Negative Antworten}
427
428 \begin{block}{Problem}
429 Mit den \texttt{RRSIG}s lassen sich bestehende Einträge im DNS
430 bestätigen. Es ist aber immer noch möglich, Einträge
``verschwinden'' zu lassen. Was also noch fehlt, ist die
432 Möglichkeit, die nicht-Existenz von Einträgen zu signieren.
433 \end{block}
434 \end{frame}
435
436 %TODO Why
437 \begin{frame}<1>[label=nsec]
438 \frametitle{NSEC (Next SECure)}
439 \begin{itemize}
440 \item<1-> Bilde einen Kreis, der alle vorhandenen Einträge umfasst
441 \item<2-> Speichere signierte Feststellung, dass zwischen zwei Namen
442 kein dritter liegt
443 \item<2-> Bei negativer Antwort (\texttt{NXDOMAIN}) sende auch den
signierten \texttt{NSEC}-Eintrag, in dessen Intervall die Antwort
445 liegen würde\pause\bigskip
\item<3> ``Zonewalking'': Auflistung aller Einträge in einer Zone
447 \end{itemize}
448 \end{frame}
449
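% NSEC/NSEC3 ring.  Slides 1-3 are shown here; \againframe<4->{ring}
% later in the file shows the remaining overlays.
%   slide 1-4: six owner names on a ring, each with an arrow to its
%              successor (the NSEC chain); from slide 5 the labels
%              switch to the hashed names (NSEC3 chain)
%   slide 2-3: the non-existent name `null' and the interval it falls in
%   slide 5-:  each clear name -> H -> hash, including null -> qfna...
%   slide 3/6: shaded sector and NSEC/NSEC3 label on the covering interval
% Two stray `)' after `;' were removed from the arrow lines inside the
% \foreach body; in a tikzpicture such characters are typeset as text
% and shift the picture.
\begin{frame}<-3>[label=ring]
\begin{figure}
\centering
\begin{tikzpicture}[scale=0.9]
\onslide<3>{
\fill[debianred!10] (165:17mm) arc (165:215:17mm) -- (215:27mm)
arc (215:165:27mm) -- cycle;

\path[decoration = {text along path, text = {NSEC},
text align = {align = center}, raise = -0.5ex}, decorate]
(201:29mm) arc (201:155:29mm);
}

\onslide<6>{
\fill[debianred!10] (110:17mm) arc (110:165:17mm) -- (165:27mm)
arc (165:110:27mm) -- cycle;

\path[decoration = {text along path, text = {NSEC3},
text align = {align = center}, raise = -0.5ex}, decorate]
(180:14mm) arc (180:123:14mm);
}

% sector / clear name shown up to slide 4 / hash shown from slide 5 /
% clear name whose hash lands in this sector.  Sectors run clockwise
% (angle 60*(-sector-.5)), so the ring is in ascending order both for
% the clear names and for the hashes.
\foreach \sector/\sectorlabel/\hash/\hashlabel in {%
0/backup/evj1\dots/www,
1/git/imua\dots/git,
2/keyserver/mk9e\dots/wot,
3/wot/nq8c\dots/backup,
4/www/uv8c\dots/annex,
5/annex/5kau\dots/keyserver}%
{
\node[font=\bfseries](node\sector) at ({60 * (-\sector - .5)}: 22mm) {\alt<-4>{\sectorlabel}{\hash}};

% arrow from this sector to the next
\draw[->, >=latex] ({60 * (-\sector - .5)-10}:22mm)
arc ({60 * (-\sector - .5) - 10}:{60 * (-\sector-1)- 10}:22mm);

% hashing step: clear name (outer ring) -> H -> hashed name (inner ring)
\onslide<5->{
\node[font=\bfseries, circle, fill=debianblue!50, text=darkgray](hash\sector) at ({60 * (-\sector -
.5) + 15}:38mm) {H};

\node[font=\bfseries](orig\sector) at ({60 * (-\sector -
.5) + 30}: 50mm) {\hashlabel};
\draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);
\draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);
}
}
% the queried, non-existent name
\onslide<2->{
\node[font=\bfseries, left=8em of node3](null) {null};
}
% NSEC: null sorts between keyserver (sector 2) and wot (sector 3)
\onslide<2-3>{
\draw[arrow] (null.east) -- ([yshift=3em]node2.west);
}
% NSEC3: H(null) = qfna... sorts between nq8c... (3) and uv8c... (4)
\onslide<5->{
\node[font=\bfseries, circle, fill=debianblue!50, above=3em
of null.north, xshift=2em, text=darkgray] (H) {H};
\draw[arrow, draw=darkgray] (null) -- (H);
\draw[arrow] (H) to node[above,font=\bfseries]{qfna\dots} ([yshift=1.5em]node3.north);
}
\end{tikzpicture}
\end{figure}
\end{frame}
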
511 \againframe<2->{nsec}
512
513 \begin{frame}<1>[label=nsec3]
514 \frametitle{NSEC3}
515
516 \begin{itemize}
517 \item Statt Einträge in einem Ring anzuordnen, bilde zuerst eine
518 kryptographische Streusumme \pause
519 \item Verwende Salz und mehrere Runden der Streufunktion für
520 maximalen Effekt.
521 \end{itemize}\bigskip
522 \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
523 \begin{tabular}{llll}
524 siccegge.de. & IN & NSEC3PARAM & 1 0 5 6D1DAF17E2A6A252
525 \end{tabular}}}
526 \end{block}
527 \end{frame}
528
529 \againframe<4->{ring}
530
531 \againframe<2->{nsec3}
532
533 \begin{frame}
534 \frametitle{Überprüfung negativer Antworten}
535 \begin{block}{Ziel}
536 Es ist trivial, in der \texttt{de}-Zone zu zeigen, dass dort
\texttt{www.siccegge.de} nicht existiert -- obwohl der Name
538 durchaus vorhanden ist (allerdings nicht in der \texttt{de}-Zone
539 sondern in der \texttt{siccegge.de}-Zone). Wir müssen also auch
540 zeigen, dass wir in der ``richtigen'' Zone operieren.
541 \end{block}\pause
542 \begin{block}{``Closest Encloser''}
543 Daher 3 \texttt{NSEC3}-Einträge:
544 \begin{itemize}
545 \item Für die kürzeste, nicht mehr existente Oberdomäne zur
546 Anfrage, den \texttt{NSEC3}-Eintrag, der das Intervall überspannt.
547 \item Den um eine Komponente gekürzten \texttt{NSEC3}-Eintrag, der
548 entweder \emph{keinen} \texttt{NS}-Eintrag oder auch das Flag
549 für \texttt{SOA} enthält.\pause
550 \item Den \texttt{NSEC3}-Eintrag, der das Fehlen eines
551 Wildcard-Eintrags an dieser Stelle nachweist.
552 \end{itemize}
553 \end{block}
554 \end{frame}
555
556 \begin{frame}
557 \frametitle{Negative Antwort}
558 \begin{block}{siccegge.de hat SOA}\resizebox{\textwidth}{!}{\texttt{
559 \begin{tabular}{rl}
560 4ma0fb5t2s6kjtgc6r3qi4o49bn7pc4i.siccegge.de. & 3573 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
561 4TRVQLKF545FSK90ED6NCJ7DGMOJB6I8 & A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM \\
562 \end{tabular}}}
563 \end{block}
564 \texttt{null.siccegge.de} hat den Hash-Wert \texttt{qfna56rlmnlbp3e85m4d6ckonnmpfg1i}
565 \begin{block}{null.siccegge.de existiert nicht}\resizebox{\textwidth}{!}{\texttt{
566 \begin{tabular}{rl}
567 qd2uevk27c2tdrh6535e0mkiratu1t5h.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
568 QLLMC1NCRMN4AU8QCFQ24VAH7JFM6LQ6 & \\
569 \end{tabular}}}
570 \end{block}
571 \texttt{*.siccegge.de} hat den Hash-Wert \texttt{68m2atv9712l3e67oua61u5hp0v0273a.}
572 \begin{block}{*.siccegge.de existiert nicht }\resizebox{\textwidth}{!}{\texttt{
573 \begin{tabular}{rl}
574 63r09adu0p1vdmkif5eb4dr6m2a3l5cp.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
575 6BJ555D3Q50SL34D50L1PGU887R73DC9 & RRSIG TLSA \\
576 \end{tabular}}}
577 \end{block}
578 \end{frame}
579
580 \section{Zusatznutzen}
581 \begin{frame}{DANE}
Nachdem unser DNS jetzt kryptographisch abgesichert ist (auch nicht
schlechter als das CA-System), kann man dort sicher weiteres
Schlüsselmaterial ausliefern:
585 \begin{itemize}
\item TLSA für alles, was SSL/TLS macht
587 \item SSHFP für SSH Fingerprints
\item PGP-Schlüssel-Einträge
589 \item \dots
590 \end{itemize}
591 \end{frame}
592
593 \begin{frame}
594 \frametitle{TLSA}
595 \begin{block}{TLSA}\resizebox{\textwidth}{!}{\texttt{
596 \begin{tabular}{llll}
597 \_25.\_tcp.oteiza.siccegge.de. & IN & TLSA & 3 1 1
598 101B5B5CCDC5568CEC385552611FD0355BF15DB293E96F46E29DE4A0C4B2BC3F \\
599 \_443.\_tcp.siccegge.de. & IN & TLSA & 3 1 1
600 62BEBD9F2E77CF26A4006A50F69FC3891BF7BEDDAEF8AC96E57C1D9BA2AB1F73 \\
601 \_5222.\_tcp.xmpp.egger.im & IN & TLSA & 3 1 1 9c93fab0d88c911592dedfa7f9385aeee228b0c6d526813ad1182c983677736b
602 \end{tabular}}}
603 \end{block}
604 \bigskip\pause
Achtung! Beim Schlüsseltausch gibt's wieder Spaß.
606 \bigskip\pause
607 \begin{itemize}
608 \item 3: Bezeichnet ein Service Zertifikat
\item 1: Angegeben wird der öffentliche Schlüssel, nicht das
610 Zertifikat
611 \item 1: Angegeben wird eine \texttt{SHA256}-Summe
612 \end{itemize}
613 \end{frame}
614
615 \begin{frame}
616 \frametitle{SSHFP}
617 \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
618 \begin{tabular}{lll}
619 git.siccegge.de & IN & SSHFP 1 1 0E812EE0A3704230F3C415076E1BAA149A5DC75B\\
620 git.siccegge.de & IN & SSHFP 1 2 1CBACAF365040DC1DF841FD07D9186BC343D4AF7DCF689CC8CF4A2F75D7F4B57\\
621 git.siccegge.de & IN & SSHFP 3 1 A2D0495E912DA039EEA51A1593F7F74FB919AAD4\\
622 git.siccegge.de & IN & SSHFP 3 2 9BF73E3654AA65B847054247F85EFB5C88AB7460840B9C922E647B00696661CF\\
623 git.siccegge.de & IN & SSHFP 4 1 2A3EF64AC589193ACFAD783B62E3C193A67F3F46\\
624 git.siccegge.de & IN & SSHFP 4 2 880686195D6C1AAA6791F3A3EF4E7B565DCF9F560F2F1BBB93C56EFD5996F335\\
625 \end{tabular}}}
626 \end{block}
627 \bigskip\pause
628 \begin{itemize}
629 \item Erste Zahl: Hostkeytyp
630 \item Zweite Zahl: Prüfsummentyp
631 \end{itemize}
632 \end{frame}
633
634 \section{Software}
635 \begin{frame}{Überblick}
636 \begin{block}{Nameserver}
637 Müssen zusätzliche Einträge ausliefern (\texttt{RRSIG},
638 \texttt{NSEC3}). Für \texttt{NSEC3} müssen die richtigen Einträge
gefunden werden
640 \end{block}\pause
641 \begin{block}{Signaturwerkzeuge}
642 \begin{itemize}
643 \item Müssen \texttt{RRSIG}s für die vorhandenen Einträge
644 erstellen und gelegentlich erneuern
645 \item Müssen die \texttt{NSEC3}- und \texttt{NSEC3PARAM}-Einträge
646 erstellen und signieren
\item Sollten eine Möglichkeit zum Schlüsseltausch bieten
648 \end{itemize}
649 \end{block}\pause
650 \begin{block}{Registrar}
651 Irgendwie müssen die Schlüssel in die darüberliegende Zone
652 kommen. Wenige Registrare haben das schon im Interface vorgesehen,
653 etliche lassen sich aber per Mail an den Support überreden
654 \end{block}
655 \end{frame}
656
657 \begin{frame}{Nameserver}
658 \begin{block}{Software}
659 Alle nennenswerten Nameserver (nsd, bind, powerdns, knot, \dots) können heutzutage DNSSEC ausliefern.
660 \end{block}\pause
661 \begin{block}{Sekundärserver}
662 Kaum ein kostenfreier Sekundärserveranbieter unterstützt DNSSEC --
663 das liegt unter anderem an den deutlich größeren Antworten und dem
Rechenbedarf für \texttt{NSEC3}, die signifikant Ressourcen
665 verbrauchen.
666
667 $\Rightarrow$ Selber hosten (mit Freunden), beim Registrar schauen
668 oder bezahlen.
669 \end{block}
670 \end{frame}
671
672 \begin{frame}{Signaturwerkzeuge}
Im Grunde gibt es zwei Typen von Signaturwerkzeugen:
674 \begin{block}{Im primären Nameserver}
675 BIND, Knot, PowerDNS
676 \begin{description}
\item[Vorteile] Keine weiteren Werkzeuge, dynamische Updates möglich
678 \item[Nachteile] Schlüsselmaterial im Netzwerkserver, bestehende
679 Implementierungen unflexibel in Sachen Schlüsselrotation
680 \end{description}
681 \end{block}\pause
682 \begin{block}{Separates Signaturwerkzeug}
683 OpenDNSSEC, dnssec-tools, cron
684 \begin{description}
685 \item[Vorteile] Flexibel, Signaturlösung Nameserver-agnostisch
686 \item[Nachteile] Softwarequalität \dots, weiteres Element, das
687 kaputt gehen kann
688 \end{description}
689 \end{block}
690 \end{frame}
691
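% Closing slide: download links and a picture.  The URLs are set with
% \url (beamer loads hyperref, which provides it) so they are clickable
% and break cleanly instead of being typeset as plain text.
\begin{frame}{Fragen?}
Download: \url{https://static.siccegge.de/talks/dnssec-augsburg-2015-03-28.pdf}\\
\url{https://git.siccegge.de/?p=talk/dnssec.git}

% centre the picture vertically in the remaining space
\vspace*{\fill}
\begin{center}
\includegraphics[width=7cm]{images/42.pdf}
\end{center}
\vspace*{\fill}
\end{frame}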
702
703 \end{document}