Category: DNSSEC

Nov 19

New Kamailio DNSSEC Module Enables Higher Security For SIP / VoIP

Kamailio LogoIf you are using voice-over-IP (VoIP), and specifically the Session Initiation Protocol (SIP), how do you know if you are really connecting to the correct SIP server when you make a connection?  When you call someone, your SIP server needs to make a connection to the SIP server for the recipient – how is it sure it is reaching the correct server?

As I’ve talked about and written about in the past, one way to help with this is to use DNSSEC to validate that the information received by the SIP server from DNS is in fact accurate.  While DNSSEC support in VoIP systems has been somewhat limited to date, the great Kamailio team has added a module that provides DNSSEC support.  It will be included in the forthcoming Kamailio 4.1 release (whose development was recently frozen, so it should be available soon), but in the meantime it can be added to Kamailio installations using this tutorial:

http://www.kamailio.org/wiki/tutorials/dns/dnssec

The actual module itself can be found at:

http://kamailio.org/docs/modules/devel/modules/dnssec.html

This kind of support for DNSSEC within VoIP is great to see and will lead to more secure communications over IP in the future.  Plus, getting this kind of DNSSEC support out there now will lay the groundwork for potentially using DANE in the future to secure the certificates used in VoIP communications.

Congrats to the Kamailio team and we look forward to learning more about people using this module in the future!

P.S. See our DNSSEC and DNSSEC Basics pages to learn more about how you can get started with DNSSEC.

Nov 18

DNSSEC Deployment Workshop On Wednesday At ICANN 48 – Live stream available

icann48Interested in learning the current status of DNSSEC deployment?  Want to hear case studies from people who have deployed DNSSEC?  Would you like to know about some of the latest DNSSEC tools and services?  And what the role is of the DANE protocol?  All that and more will be discussed this Wednesday, November 20, 2013, at the “DNSSEC Workshop” at the ICANN 48 meeting in Buenos Aires, Argentina.  The agenda, slides, and links for remote participation can be found at:

http://buenosaires48.icann.org/en/schedule/wed-dnssec

Both and audio and video live stream will be available.  The workshop begins at 9:45 am local time in Argentina, which is 12:45 UTC and 7:45 am US Eastern.

UPDATE: The workshop begins at 8:30am local time, which is 11:30am UTC and 6:30am US Eastern.

This technical workshop at ICANN meetings continues to be one of the best gatherings of the DNSSEC community and the sessions here again look to be extremely useful and educational.  They include:

  • DNSSEC Deployment Statistics
  • DNSSEC Activities in Latin America
  • DNSSEC For The Enterprise
  • Guidance For Registrars in Supporting DNSSEC
  • DNSSEC Root Key Rollover
  • Automated Update of DNSSEC Information
  • Operational Realities of Running DNSSEC
  • DNSSEC Innovation: DANE Tools and Ideas

The last of these sessions on DANE will be one where I will be speaking.

The sessions will be recorded if you are unable to watch live… but if you do get a chance to watch live you’ll also be able to ask questions through the web interface.  As I mentioned, the slides for the session are all available at that URL above if you’d like to get a head start on seeing what will be discussed.

Do check it out… and get started today with using DNSSEC to make the Internet more secure!

 

Nov 18

Watch/Listen Live TODAY to “DNSSEC For Everybody – A Beginner’s Guide” at ICANN 48

icann48Want to quickly learn about DNSSEC and how it can make the Internet more secure?  Want to see an easy illustration of how DNSSEC works? Want to understand why DNSSEC is so important to strengthen the Internet against attackers? If so, tune in TODAY at 5:00 pm / 17:00  Buenos Aires time ( 20:00 UTC, 3:00 pm US Eastern) for the “DNSSEC For Everybody – A Beginner’s Guide” session where a group of people involved with DNSSEC will answer all these questions and more.  Information is at:

http://buenosaires48.icann.org/en/schedule/mon-dnssec-everybody

There are audio streams available in 7 languages and a “Virtual Meeting Room Stream Live” that will get you video and the slides.  The slides and session notes are also available at the bottom of that web page.

The overview of the session is:

DNSSEC continues to be deployed around the world at an ever accelerating pace. From the Root, to both Generic Top Level Domains (gTLDs) and Country Code Top Level Domains (ccTLDs), the push is on to deploy DNSSEC to every corner of the internet. Businesses and ISPs are building their deployment plans too and interesting opportunities are opening up for all as the rollout continues. Worried that you’re getting left behind? Don’t really understand DNSSEC? Then why not come along to the second ‘DNSSEC for Beginners’ session where we hope to demystify DNSSEC and show how you can easily and quickly deploy DNSSEC into your business. Come and find out how it all works, what tools you can use to help and meet the community that can help you plan and implement DNSSEC.

These are great sessions and usually I am participating but this week my travel schedule won’t get me to ICANN 48 until tomorrow. (Warren Kumari thankfully was able to cover my usual role.)  You don’t need any knowledge of DNSSEC to participate and it talks about DNSSEC in a fun and interesting way.  (And yes, there’s actually a skit involved! )

Look for the blue smoke… :-)

P.S. If you can’t watch live, the session will be recorded and available later at that same URL for viewing.

 

Nov 14

Should The Root DNSSEC Key Be Rolled? ICANN’s SSAC Issues Some Guidance

ICANN SSAC 63Should the root key of DNSSEC be rolled over?  And if so, when and under what conditions?  We’ve mentioned this discussion before and even sent in our own comments to ICANN.  After reviewing all those comments and consulting with many people, the ICANN Security and Stability Advisory Committee (SSAC) has now issued their guidance in a document, “SAC063 – SSAC Advisory on DNSSEC Key Rollover in the Root Zone“.  The document is well worth a read and explains SSAC’s thinking on a variety of issues.  For a quick summary, SSAC issued five recommendations that I would paraphrase as:

1:  ICANN and partners should immediately undertake a worldwide communications effort to publicize the root zone KSK rollover motivation and process as widely as possible.

2: ICANN staff should coordinate a testing program to analyze the behavior of validating resolvers to identify problems that could be caused the the root KSK rollover.

3: ICANN staff and the community should identify clear and objective metrics for acceptable levels of “breakage” resulting from a key rollover.

4: ICANN staff should coordinate the development of rollback procedures to be executed in case things go wrong.

5: ICANN staff should coordinate the collection of information during this KSK rollover so that lessons can be learned for future rollovers.

This SSAC report is issued in time for next week’s ICANN 48 meeting in Buenos Aires where this topic will again be in the conversation within DNSSEC circles.  ICANN has contractual requirements to roll the key within five years of the signing of the root in July 2010 and so efforts are underway to make sure this can be done in a sensible manner.

Nov 11

Deployment Guide: DNSSEC for Internet Service Providers (ISPs)

An Internet Service Provider needs to offer high value while containing costs. One way to increase your services’ value is to ensure your customers get to the intended websites, protecting them from going to phishing sites or sites that distribute malware.

One way to offer such protection at relatively little cost is through DNS Security Extensions, an Internet standard commonly known as “DNSSEC“. By deploying “DNSSEC-validating” DNS resolvers within your network, you will provide a higher level of security and trust to your customers and help prevent certain types of attacks and redirection. You also will enable customers to use innovative services that are now becoming available to add more trust and integrity protection to Web certificates (SSL/TLS).

DNSSEC ensures that the information your users retrieve from the DNS is the same information that the domain’s operator entered into the DNS. It verifies that this information was not modified so that your users are directed to their intended destinations.

DNSSEC has two components: the signing of DNS records for a domain and the validation of those cryptographic signatures by caching recursive nameservers. For an ISP, the deployment of DNSSEC-validating DNS resolvers is the most critical element of DNSSEC adoption and this document explains what is necessary to roll out DNSSEC validation support to your customers.

Initial deployment of DNSSEC validation is usually quite inexpensive, requiring a relatively small investment in new hardware and software and only a modest time investment; typical deployment may be completed with as little as a week of total effort by experienced system administrators, depending on how many recursive nameservers and end users are involved.

Hardware and Software

Caching recursive nameservers are the most important part of a DNSSEC validation deployment since they cache and validate answers to DNS queries submitted by end users. Modern, off-the-shelf server hardware is sufficiently powerful to operate a DNSSEC-validating caching recursive nameserver. In addition, it is perfectly feasible to operate such a nameserver on a virtual machine.

Your choice of nameserver and its vintage are important to your success with DNSSEC. DNS infrastructures based on the BIND DNS server should run at least version 9.7, whose features simplify DNSSEC management. All versions of Unbound natively support DNSSEC validation, although version 1.4 and later have features that simplify DNSSEC management.

Microsoft Windows Server 2012 now includes full DNSSEC support, allowing administrators to retrieve the necessary root trust anchors via command-line instructions. A whitepaper by Netherlands DNSSEC authority Surfnet explains this process; you can download the PDF of their guide to DNSSEC installation here.

Effects on Network

In your planning, you should be aware that DNSSEC traffic has several effects on network traffic:

  • DNSSEC adds digital signatures to DNS response packets, which often exceed 1,500 bytes. While large DNS responses are also possible without DNSSEC, you must consider the additional bandwidth demands that DNSSEC places on the network, and ensure that only legitimate hosts are allowed to query your recursive nameservers.
  • Traditionally, the DNS relies on the UDP protocol to transmit queries and responses, but if a DNS response exceeds the maximum allowed packet size, TCP may be used and even required for DNSSEC validation. Check with your firewall vendor and system administrators to ensure your network allows DNS over TCP.
  • Your network equipment must be able to handle large UDP packets (>512 bytes, ≤4,000 bytes).

Pre-Deployment Checklist

This checklist can help you to plan your deployment:

  • Software supports DNSSEC: BIND version 9.7+, Unbound version 1.4+, Microsoft Windows Server 2012, Knot DNS 1.4.0, PowerDNS 3.0+
  • Server systems are sufficiently modern
  • Network infrastructure can handle DNSSEC requirements
  • DNS over TCP is allowed
  • Large UDP DNS packets are allowed through firewall
  • UDP fragments are not blocked by firewall

Beginning Your Deployment

After your install your recursive caching nameservers (or have existing nameservers where you want to start validating), they must be configured with a “trust anchor” in order to validate DNSSEC signatures. You can obtain the trust anchor for the root of the DNS from sources such as https://www.iana.org/dnssec. You can check the trust anchor’s validity by obtaining it from multiple independent sources (i.e. multiple root servers) and comparing the files.

When you enable DNSSEC validation on your recursive caching nameserver you may see validation failures in the log files. While these errors could be signs of a cache-poisoning attack, they may also result from operational errors (particularly in these early days of DNSSEC deployment). This could be something as simple as a zone owner’s failure to re-sign their zone information.

Validation failures for a zone will mean that your users will not be able to connect to that domain. When errors of this type appear it is far better to inform users about the source of the problem and how they were protected from using potentially insecure information, rather than disabling validation in order to provide continued access to the “broken” domain. Standards concerning how to perform this notification continue to evolve, though some organizations have used a dedicated website or social-media channel to post notifications of current validation failures. Regardless of what system you create, it is important that your customers and customer-support team can easily find the information.

Certain ISPs may also install a temporary “negative trust anchor” for broken sites while notifying the zone’s operators of problems or errors that will probably severely degrade their users’ Internet experience. An Internet Draft document is available that explains this process.

While feedback from people currently operating validating caching recursive nameservers show that enabling DNSSEC validation does not necessarily increase user help-desk calls, it is still sensible to train help-desk staff concerning DNSSEC and potentially provide them with tools (i.e. a non-validating resolver) to help with debugging.

Conclusions

DNSSEC rollout is progressing steadily on the Internet, and deployment of validating caching recursive nameservers is an important part of this trend. By deploying DNSSEC within your network you will increase your customers’ Internet security. Doing so provides significant benefits at a minimal cost, and we urge you to begin this process today.

Nov 06

Deploy360@IETF88: Day 3 – Perpass, IPv6 Operations and Operational Security

IETF LogoOn Day 3 of IETF88 our focus is again on IPv6 as well as the overall topic of hardening the security of the Internet.  The first sessions we’re primarily tracking is the IPv6 Operations (V6OPS) which has a whole range of documents under consideration relating to IPv6 addressing. The second session is Operational Security (OPSEC) where there are two drafts related to IPv6 security.

On a broader topic, we’ll be watching the IETF 88 Technical Plenary focused on “Hardening The Internet” and then the “Perpass” working group coming up after that.

My earlier posts about DNSSEC sessions and IPv6 sessions at IETF 88 explain in more detail what we’ll be watching.

Information about the four sessions today, including the links for the audio streams, the slides and the Jabber chat rooms, is:

For these sessions and all the others, the “tools-style agenda” for IETF 88 provides many helpful links for remote participants.

If you’d like to meet with the Deploy360 team here at IETF88, please see our post about where we’ll be at IETF88.

Nov 05

Deploy360@IETF88: Day 2 – SIDR, DNSOP, 6tisch, 6lo and the IPv6 Briefing Panel

IETF LogoDay 2 at IETF88 includes the primary sessions this week about DNSSEC (in DNSOP) as well as secure routing (SIDR).  There are also two working groups focusing on IPv6 in various network configurations (6lo and 6tisch).  Do note that the meeting of the GROW working group was canceled for today.

The other big event happening in just a few hours is the “Internet Society @ IETF Briefing Panel: IPv6 – What Does Success Look Like?” where we will be live-streaming out what looks like will be an outstanding discussion about the state of IPv6 deployment today and where it will be going.  The session starts at 11:45am Pacific time (19:45 UTC).

For more information about these sessions today, we’d encourage you to read our “Rough Guide to IETF88″ documents about:

Information about the four sessions today, including the links for the audio streams, the slides and the Jabber chat rooms, is:

For these sessions and all the others, the “tools-style agenda” for IETF 88 provides many helpful links for remote participants.

If you’d like to meet with the Deploy360 team here at IETF88, please see our post about where we’ll be at IETF88.

Nov 01

4 Sessions About DNSSEC, DNS And DANE At IETF 88 Next Week

IETF LogoNext week IETF 88 in Vancouver will be a bit quieter on the DNSSEC and DANE front.  As I wrote in a post today on our “Internet Technology Matters (ITM)” blog, “Rough Guide to IETF 88: DNSSEC, DANE and DNS“, the only major working group related to DNSSEC that will be meeting will be the DNSOP WG on Tuesday, November 5th.  However, in that meeting there will be the very big topic of how we automate the transfer of updated DS / DNSKEY records from a child zone up to a parent zone within DNS.  There are  a couple of different proposals that will be discussed, including:

It should be an excellent discussion.  As I wrote in the ITM post, there are several other interesting drafts as well being discussed in DNSOP – all focused around improving the operations of DNSSEC.  It should be a great session at IETF!

The DANE Working Group is not meeting but as I mentioned in the other article I expect that DNSSEC / DANE will come up in some of the many conversations that will be going on next week related to how we harden the Internet against large-scale surveillance and pervasive monitoring.  The Technical Plenary on Wednesday, November 6, should be an excellent event well worth listening to.   The “Perpass” BOF session will dive into more details. I don’t know if DNSSEC / DANE will be discussed there… but it certainly could be.

The DNS-SD Working Group discussion could also be quite interesting because as you extend DNS service discovery beyond a simple local network into a multi-network environment, you need to have some way to securely communicate that information.  We’ll see what is begin talked about in that regard.

Anyway, here are four of the sessions where DNSSEC / DANE / DNS will be discussed – you can expect to find me in all of them:

NOTE: If you are not going to be in Vancouver next week, there are multiple ways that you can participate remotely in these working groups, including audio streams and Jabber chat rooms.

Oct 31

Video Interview: Why Use Knot DNS For DNS And DNSSEC?

Knot DNSWhat is the “Knot DNS” server all about and why would you want to use it versus one of the other DNS servers supporting DNSSEC?  At the recent ENOG 6 event in Kiev, Ukraine, I had a chance to speak with Jaromir Talir from CZ.NIC Labs and the resulting video interview can be found below. If you are interested in checking out the software, you can visit:

http://www.knot-dns.cz/

The software is available pre-packaged for several versions of Linux as well as in source-code form.

Here is my interview with Jaromir (and I apologize to Jaromir for repeatedly calling his organization by its domain “nic.cz” instead of by the organization’s name of “cz.nic”):

Prior to this interview, Jaromir had spoken on stage at ENOG 6 in more detail about Knot DNS. His ENOG 6 slides about Knot DNS are online and a video recording of his presentation is available:

It’s great to see a new entrant into the field of DNS name servers.  While the existing servers are very rock solid, it’s always great to see new people coming in with new ideas and new tools.  As Jaromir says in the interview, having diversity among your servers can be a good practice.  I’d encourage you to go check out Knot DNS and let Jaromir and the CZ.NIC team know what you think of it!

Oct 31

Knot DNS

Knot DNSKnot DNS is an authoritative DNS name server that can be used to serve out zone records and includes support for DNSSEC and DANE.  One of the key design goals is to provide simple DNSSEC support for dynamic DNS.  Knot DNS is developed by the team at CZ.NIC and can be found at:

https://www.knot-dns.cz/

It is available pre-packaged for several versions of Linux and also as source code as a release or directly from a git repository.

Knot DNS is highly scalable and used by CZ.NIC for the operation of the .CZ TLD. It was developed with the target audience of network operators and DNS operators in mind but can be used by anyone needing to serve out DNS records.

For an overview of Knot DNS, you can view this short video interview with Jaromir Talir of CZ.NIC:

Prior to this interview, Jaromir had spoken on stage at ENOG 6 in Kiev, Ukrain, in more detail about Knot DNS. His ENOG 6 slides about Knot DNS are online and a video recording of his presentation is available: