Pentru a face protocolul rezilient asupra acestor doua tipuri majore de atacuri si pentru a putea lansa noi servicii sigura bazate pe DNS, un grup de oameni destepti s-au gandit sa adauge si securitate la protocol. Pentru ca e relativ mult de vorbit despre partea de securitate si ideile nu vin toate o data, exista vreo 3 RFC-uri mari care acopera specificatiile de DNSSEC: 4033<\/a>, 4034<\/a> si 4035<\/a>.<\/p>\n Pe scurt, o autoritate centrala va garanta\u00a0in jos “zonele” de DNS pana la ultimul domeniu astfel incat daca un server de DNS care stie de DNSSEC trebuie sa rezolve un nume de host sau de domeniu, va putea verifica foarte usor ca raspunsurile primite nu au fost modificate in tranzit de catre o terta parte.<\/p>\n DNSSEC foloseste\u00a0doua tipuri de chei:<\/p>\n Ca si tipuri de inregistrari, atunci cand avem DNSSEC, avem:<\/p>\n “Trust anchors” reprezinta mecanismul prin care un server de DNS are incredere in anumite semnaturi pentru domenii. Echivalentul ar fi “root hints” sau in PKI: lista autoritatilor de certificare in care are incredere (Trusted Root CAs).<\/p>\n Acum, partea practica :)<\/p>\n Si pentru ca mi-am dorit mereu un TLD, o sa-l numesc .imacandi. pentru postul asta si o sa avem asa:<\/p>\n Plus un resolver pe langa astea care are doar cheia publica a “.” si va face rezolvare recursiva pentru $hostname.sin.imacandi.net.<\/p>\n Servere si adrese IP:<\/p>\n (da stiu ca pe poza sunt mai multe servere, da m-a luat desenatul pe dinainte si dupa aia mi-am dat seama ca ma pot descurca si cu mai putine)<\/p>\n Ca si software voi folosi BIND 9.9.4 pe CentOS 7 (default).<\/p>\n Prima oara semnam “.”<\/p>\n Modificam \/etc\/named.conf astfel:<\/p>\n Apoi restartam named<\/strong> si in loguri o sa zica urmatoarele (printre altele):<\/p>\n Acum avem “.” semnat (self-signed ca e root, nu exista autoritate mai mare ca .)<\/p>\n Dupa “.” urmeaza crearea unui TLD (Top Level Domain), si anume imacandi. Pentru asta adaugam urmatoarele inregistrari in zona “.”:<\/p>\n Acum ca zona a fost modificata, trebuie re-semnata si dupa aceea reincarcata de BIND.<\/p>\n Acum trecem pe dns-s-2 si cream configurarile necesare pentru noua zona, chain of trust cu “.” si importul inregistrarilor de tip DS in “.”.<\/p>\n In primul rand, modificam \/etc\/named.conf astfel:<\/p>\n In zona “imacandi.” se trec urmatoarele:<\/p>\n Dupa ce avem configurata zona, trecem la crearea cheilor KSK si ZSK si dupa aia semnam zona.<\/p>\n Adaugam cheile in fisierul de zona:<\/p>\n Si semnam zona:<\/p>\n Dupa semnare, luam datele despre DS si le adaugam in zona parinte:<\/p>\n Si re-semnam zona parinte.<\/p>\n Pe dns-s-3 am creat zona sin.imacandi.<\/p>\n Dupa aceea am creat cheile de semnare:<\/p>\n Le-am adaugat in zona si dupa am semnat zona:<\/p>\n Iar pentru validare, in configuratia lui BIND am adaugat cheia pentru “.” pe dns-s-3 in named.conf:<\/p>\n Iar pe dns-s-2 am adaugat inregistrarile de tip DS si am resemnat zona imacandi.:<\/p>\n Acum situatia este in felul urmator:\u00a0dns-s-1 este autoritativ pentru “.” si contine inregistrari de tip DS pentru “imacandi.”, dns-s-2 este autoritativ pentru “imacandi.” si contine inregistrari de tip DS pentru “sin.imacandi.”, dns-s-3 este autoritativ pentru “sin.imacandi.” si contine inregistrari de tip A pentru teste.<\/p>\n Un query recursiv pe dns-s-2 pentru un host numit bumblebee.sin.imacandi. care este definit in zona de pe dns-s-3 arata asa:<\/p>\n Important este flag-ul AD din raspuns care inseamna Authenticated Data, asta inseamna ca serverul care raspunde poate verifica tot lantul si “chain of trust” este intact.<\/p>\n Mai sunt cateva aspecte pe care intentionez sa le exemplific intr-un post urmator candva:<\/p>\n Cam asta e din categoria ce mai face sin sambata cand ploua afara :)<\/p>\n","protected":false},"excerpt":{"rendered":" DNS-ul este unul din protocoalele care reprezinta coloana verterbrala a Internetului. Cand a fost inventat, securitatea nu a fost luata in calcul pentru ca s-a mers pe ideea ca toti utilizatorii o sa fie cinstiti, lucru care s-a dovedit un pic fals. DNS-ul a fost abuzat de tot felul de oameni pentru diverse scopuri, mai … Continue reading dnssec (1)<\/span> \n
\n
![\"dnssec_1\"](\"http:\/\/www.imacandi.net\/sin\/blog\/wp-content\/uploads\/2015\/03\/dnssec_1.jpg\")
<\/p>\n[root \".\"] =>\r\n\r\n[TLD \"imacandi.\"] =>\r\n\r\n[domeniu \"sin.imacandi.\"]<\/pre>\n
\n
root@dns-s-1 named]# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE .\r\nGenerating key pair....+++ ...................+++\u00a0\r\nK.+007+64334\r\n[root@dns-s-1 named]# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE .\r\nGenerating key pair...................................................++ ......................................................................................................................................................++\u00a0\r\nK.+007+28638\r\n\r\n[root@dns-s-1 named]# for key in `ls K*key`; do echo \"\\$INCLUDE $key\" >> named.ca ; done\r\n[root@dns-s-1 named]# cat named.ca\u00a0\r\n$TTL 3600\r\n@ \u00a0 \u00a0 \u00a0 IN\u00a0 \u00a0 \u00a0 SOA \u00a0 \u00a0 dns-s-1.root-servers.net.\u00a0 \u00a0 \u00a0 hostmaster.root-servers.net.\r\n(\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a02012071200 ; serial number YYMMDDNN\r\n \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 28800 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Refresh\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 7200\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Retry\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 864000\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Expire\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 3600 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Min TTL\r\n)\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 NS\u00a0 \u00a0 \u00a0 dns-s-1.root-servers.net.\r\n$ORIGIN .\r\ndns-s-1.root-servers.net. 3600 IN A 172.16.155.101\r\n$INCLUDE K.+007+28638.key\r\n$INCLUDE K.+007+64334.key\r\n\r\n[root@dns-s-1 named]# dnssec-signzone -A -3 $(head -c 1000 \/dev\/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o . -t named.ca\r\n\r\nVerifying the zone using the following algorithms: NSEC3RSASHA1.\r\nZone fully signed:\r\nAlgorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ZSKs: 1 active, 0 stand-by, 0 revoked\r\nnamed.ca.signed\r\nSignatures generated: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 10\r\nSignatures retained: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures dropped:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures successfully verified:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures unsuccessfully verified:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSigning time in seconds: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.022\r\nSignatures per second: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 447.407\r\nRuntime in seconds:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.026<\/pre>\n
zone \".\" {\r\n\u00a0 \u00a0type master;\r\n\u00a0 \u00a0file \"named.ca.signed\";\r\n};<\/pre>\nMar 28 14:13:34 dns-s-1 named[2338]: zone .\/IN: loaded serial 2012071201 (DNSSEC signed<\/strong>)<\/pre>\n
imacandi. IN NS ns1.dns.imacandi.\r\nns1.dns.imacandi. IN A 172.16.155.102<\/pre>\n
dnssec-signzone -A -3 $(head -c 1000 \/dev\/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o . -t named.ca\r\n[root@dns-s-1 named]# rndc reload\r\nserver reload successful<\/pre>\n
trusted-keys {\r\n\".\" 257 3 7 \"AwEAAa8SV9IPDSXr+THXuogKOGxCvERdRf39cJ9spETd22AgVRYTI1Tr C57FXGtcC+tGa0AYs9chGsZ8eNwGD76YdnydD8CT+tLfokbVHih0ewQz RiobvXE4UY7HycrnC+ZY9yToM4ktKSsX1YWFsNGcIBn60c5J39LbAJ\/i bB2+TCvdJNE4jrHkP4pf\/onXJvG\/RMFllShMtmOqgn1y79yJGTwoO2ab Rbm4kV3qDKiLtfrmyLqJTGbKf+R98NTpe1ufPnQCDwV13xlNRlsok8Gz cFDjTNf6ZepQ2wF8CzpDYHK7\/tANCEFgR0vOzYkb8VkkaEzMUCYOveqp wy8e+isoDtoBA1e48awEYo3o+YN1DVEbCoR4Xbdy4cf+qkXv0nS8QNar 0RHSjghmsQddDVMoFaYLWv8lqSCd1uQufSnMd1okv3nEyKIwWBB3xG5r x7GJpqMtqA4BRWcv28tGgPkbFaWMkjVPqUIBgyk87fAB+a1H51uy0J1K Q+99U+8\/41m6mnNoa2kjxJL53dYcf0DO4eUgsRY2LcO6etk\/XbHm9\/+M GOfes0pmPJ8V3Yb2V1J5WV62sYaPrvw+jh3h2V5RvNW+QHZ6U5M73eWZ w8vYyygYl3sWHy03vX4mQnq2XsMJ0CDvR+XLWG98RpItYG65LwhiayRP +dDhJpSyOY3aeXLD\";\r\n};\r\nzone \"imacandi.\" IN {\r\n type master;\r\n file \"imacandi.\";\r\n };<\/pre>\n$TTL 3600\r\n@ \u00a0 \u00a0 \u00a0 IN\u00a0 \u00a0 \u00a0 SOA \u00a0 \u00a0 ns1.dns.imacandi. \u00a0 \u00a0 hostmaster.dns.imacandi. (\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 2012071203 ; serial number YYMMDDNN\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 28800 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Refresh\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 7200\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Retry\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 864000\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Expire\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 3600 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ; Min TTL\r\n)\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 NS\u00a0 \u00a0 \u00a0 ns1.dns.imacandi.\r\nns1.dns.imacandi. 3600 IN A 172.16.155.102\r\n$ORIGIN imacandi.\r\nsin IN NS dns1.sin.imacandi.\r\ndns1.sin IN A 172.16.155.103<\/pre>\n
[root@dns-s-2 named]# dnssec-keygen -a RSASHA256 -b 2048 -n ZONE imacandi.\r\nGenerating key pair.............+++ ....+++\u00a0\r\nKimacandi.+008+03645\r\n[root@dns-s-2 named]# dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE imacandi.\r\nGenerating key pair.......................................................................+++ ..................+++\u00a0\r\nKimacandi.+008+35377<\/pre>\n
$INCLUDE Kimacandi.+008+03645\r\n$INCLUDE Kimacandi.+008+35377<\/pre>\n
[root@dns-s-2 named]# dnssec-signzone -N INCREMENT -o imacandi. -t imacandi.\r\nVerifying the zone using the following algorithms: RSASHA256.\r\nZone fully signed:\r\nAlgorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ZSKs: 1 active, 0 stand-by, 0 revoked\r\nimacandi..signed\r\nSignatures generated:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 8\r\nSignatures retained: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures dropped:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures successfully verified:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures unsuccessfully verified:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSigning time in seconds: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.009\r\nSignatures per second: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 833.159\r\nRuntime in seconds:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.012<\/pre>\n
imacandi. IN DS 35377 8 1 16085596E91E80E95E70FA8EABE646A25499967E\r\nimacandi. IN DS 35377 8 2 818FB42E72B000DCD9621F9F78D85845C25BAC44566CD4B687543C1B A874B6C5<\/pre>\n
zone \"sin.imacandi\" IN {\r\n type master;\r\n file \"sin.imacandi.signed\";\r\n };<\/pre>\n[root@dns-s-3 named]# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE sin.imacandi\r\nGenerating key pair............................................+++ ..................................+++\u00a0\r\nKsin.imacandi.+007+43763\r\n[root@dns-s-3 named]# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE sin.imacandi\r\nGenerating key pair.......++ ................++\u00a0Ksin.imacandi.+007+02085<\/pre>\n
[root@dns-s-3 named]# dnssec-signzone -A -3 $(head -c 1000 \/dev\/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o sin.imacandi -t sin.imacandi\r\nVerifying the zone using the following algorithms: NSEC3RSASHA1.\r\nZone fully signed:\r\nAlgorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ZSKs: 1 active, 0 stand-by, 0 revoked\r\nsin.imacandi.signed\r\nSignatures generated: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 12\r\nSignatures retained: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures dropped:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures successfully verified:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSignatures unsuccessfully verified:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0\r\nSigning time in seconds: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.022\r\nSignatures per second: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 543.084\r\nRuntime in seconds:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 0.026<\/pre>\n
trusted-keys {\r\n\".\" 257 3 7 \"AwEAAa8SV9IPDSXr+THXuogKOGxCvERdRf39cJ9spETd22AgVRYTI1Tr C57FXGtcC+tGa0AYs9chGsZ8eNwGD76YdnydD8CT+tLfokbVHih0ewQz RiobvXE4UY7HycrnC+ZY9yToM4ktKSsX1YWFsNGcIBn60c5J39LbAJ\/i bB2+TCvdJNE4jrHkP4pf\/onXJvG\/RMFllShMtmOqgn1y79yJGTwoO2ab Rbm4kV3qDKiLtfrmyLqJTGbKf+R98NTpe1ufPnQCDwV13xlNRlsok8Gz cFDjTNf6ZepQ2wF8CzpDYHK7\/tANCEFgR0vOzYkb8VkkaEzMUCYOveqp wy8e+isoDtoBA1e48awEYo3o+YN1DVEbCoR4Xbdy4cf+qkXv0nS8QNar 0RHSjghmsQddDVMoFaYLWv8lqSCd1uQufSnMd1okv3nEyKIwWBB3xG5r x7GJpqMtqA4BRWcv28tGgPkbFaWMkjVPqUIBgyk87fAB+a1H51uy0J1K Q+99U+8\/41m6mnNoa2kjxJL53dYcf0DO4eUgsRY2LcO6etk\/XbHm9\/+M GOfes0pmPJ8V3Yb2V1J5WV62sYaPrvw+jh3h2V5RvNW+QHZ6U5M73eWZ w8vYyygYl3sWHy03vX4mQnq2XsMJ0CDvR+XLWG98RpItYG65LwhiayRP +dDhJpSyOY3aeXLD\";\r\n};<\/pre>\nsin.imacandi. IN DS 2085 7 1 E1B11E776525C73D7E7484817F57F4F9BDDFAB53\r\nsin.imacandi. IN DS 2085 7 2 FC19462CA30C80691DAF2FFB6847130F7384BB9DAA82199FFDA60415 90976C45<\/pre>\n
[root@dns-s-3 named]# dig +dnssec -t A bumblebee.sin.imacandi. @172.16.155.102 +multiline\r\n; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7_0.1 <<>> +dnssec -t A bumblebee.sin.imacandi. @172.16.155.102 +multiline\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14987\r\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1\r\n;; OPT PSEUDOSECTION:\r\n; EDNS: version: 0, flags: do; udp: 4096\r\n;; QUESTION SECTION:\r\n;bumblebee.sin.imacandi. IN A\r\n;; ANSWER SECTION:\r\nbumblebee.sin.imacandi. 3521 IN A 172.16.155.104\r\nbumblebee.sin.imacandi. 3521 IN RRSIG A 7 3 3600 (\r\n20150427161417 20150328161417 43763 sin.imacandi.\r\nE9AQRx+ns1ZrmoPw+TduURzS8cGBAftivGEBBh1W75\/u\r\nyZ24tGQQ6bmmYQK84YO39qj2JDLANH06212Co0\/emBjJ\r\nUg\/\/YU+06nwT\/fRu8vp\/VL1u\/8F3rSAGT5KSai1cFnjM\r\nTt\/c+urWzAmw9CzxwBO4QE9NCth8jT35tblfUSuTN0xy\r\nlOeTnTPqXvyTYNRm0HxygqIgEDC4K3PdDbZbYAT02djj\r\n\/S8upDBZydJb3KuuHRvIZ6n4k0SKAyKChdCABFEGgM\/M\r\nqPozD0gU52nYuUlR0fbfY844eqQfnRMNJvfIcY3xYb3h\r\nyidsFSwqgxs0vynCriefAVu\/IxpAptlHpw== )<\/pre>\n
\n