Wednesday 8 March 2017

DNSSEC: A quick introduction

DNS is a pretty old protocol - although used extensively even today. However it's major let down (from a security perspective) is that it transmits data in plain text and the receiver does not have means to validate the content - this makes it extremely easy to manipulate requests with techniques like DNS Poisoning.

DNSSEC was introduced to overcome this problem - and provides a way of validating the responses from a nameserver with help from PKI.

DNSSEC introduces a few new record types (plus a few more not mentioned here):

RRSIG: This provides a signature of the RRSet record

DNSKEY: This provides the public key portion of the ZSK

DS: This provides a summary of a child zone's DNSKEY

With DNNSEC all specific types of records for example: A, MX, SOA etc. are bundled into RRSet's (Resource Record Set) which have a corrosponding RRSIG record - which is simply a digital signature of the RRSet - this is created by the private portion of a zone-signing key pair (ZSK). In order to verify records there the public key from the ZSK is used within a DNSKEY record - the response from the DNS server is checked against the RRSIG with the help of the DNSKEY.

We also have to provide a way of validating that the zones DNSKEY is valid / not forged - this is where the DS (Delegation of Signing) key comes into play - it holds a summary of the DNSKEY in the parent zone - that is then protected by the parent zones DNSKEY.

So each parent domain you are requesting is also validated - for example if you are attempting to request the A record for 'labs.verisigninc.com' the following RR will be validated:

labs.verisigninc.com.
verisigninc.com.
com.

As seen above - even the TLD nameservers are validated - this is part of the 'chain of trust' (we need to ensure that none of the parent zones have been compromised either.) - however the '.' / root namespace does not (obviously) have any parent - so instead it is treated as trusted - this is because of a procedure called the 'root signing ceremony' - more can be read about this here: https://www.cloudflare.com/dns/dnssec/root-signing-ceremony/

We can check the DS and RRSIG records using dig:

dig +dnssec @i.root-servers.net. labs.verisigninc.com.

...
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20170321050000 20170308040000 61045 . CfqhL197dQg2mf0u+ak7qP/ZjEwzyn0TIjDQ3CJJpLdGmfrbuHuNynNf vnCMr8ca17ZKzBTijE0faAH41V1e64C20/kxuYfYjDlsk7ZFQXQhpE6X 5yHmbApyB1UbtSNYTSPzE9bhbcWxAlRcMSZ+R+ABINX4xRUvBUFAX8MH 20YRHBJMZlRDLznUTDGBSyrjWNzVINYF48G6a/qaN1bTzrldVFYeLCTV rAsYQ4glaUhwi+amtjnubYNNAfIyIqWu2MOhfaOCGfz6s0weD1OPKomx i0X4CV1+Nu+qDB8Ud02H0Z8OJWFqHDkU75hNwn47/09I/qQ9GvHCZWfL TZOetA==
...

The root nameserver does not know the A record for 'labs.verisigninc.com' but however it can provide us with the nameservers for the .com tld.

dig +dnssec @e.gtld-servers.net. labs.verisigninc.com

...
;; AUTHORITY SECTION:
verisigninc.com. 172800 IN NS a1.verisigndns.com.
verisigninc.com. 172800 IN NS a2.verisigndns.com.
verisigninc.com. 172800 IN NS a3.verisigndns.com.
verisigninc.com. 86400 IN DS 64326 8 2 02E7FEF4C3BBB0A0FA52F0F8E5774C44B243739D1AB7B3B426A417C3 88F45ACF
verisigninc.com. 86400 IN RRSIG DS 8 2 86400 20170315043628 20170308042628 31697 com. xVFjovZdqjyYSf7N0yglKwSrfBKCDmQVQiMw6U94q7+3UlbyzzB95QJI TmhHJ8gvrnGfSSoj7rsRmW1xiGMWBrRCL6VQB5Go9UuEvOHnz6FFMv04 q8FNtjokD/k+nEJ70h5LHc295dxL+xQ3aKF/wWu9ZxpjwLi0MA3d20OM eoU=

;; ADDITIONAL SECTION:
a1.verisigndns.com. 172800 IN AAAA 2001:500:7967::2:33
a1.verisigndns.com. 172800 IN A 209.112.113.33
a2.verisigndns.com. 172800 IN A 209.112.114.33
a2.verisigndns.com. 172800 IN AAAA 2620:74:19::33
a3.verisigndns.com. 172800 IN AAAA 2001:502:cbe4::33
a3.verisigndns.com. 172800 IN A 69.36.145.33
...

Again - no luck - although this time we have the details of some nameservers and their corresponding addresses!

We'll now query the verisign nameserver:

dig +dnssec @a1.verisigndns.com. labs.verisigninc.com

;; ANSWER SECTION:
labs.verisigninc.com. 86400 IN A 72.13.63.55
labs.verisigninc.com. 86400 IN RRSIG A 8 3 86400 20170321010646 20170307010646 1547 verisigninc.com. aqPIS0bEw4pLOcqYqWjNM8VMNfE6UQq6n/FCW40u/1x/CMwYtkfA47ZG ZtFxXQzD0YgEZLXWHETWrl22dIZ2MetXDa4N036XxJf5ZNRe9S3Bcgp/ 2QJAze0mfCFA/XWAEfxgZAN7y6mSuOahFHEOD4gNL5Y+v5SB4OwP70qs S4A=

;; AUTHORITY SECTION:
verisigninc.com. 86400 IN NS a3.verisigndns.com.
verisigninc.com. 86400 IN NS a2.verisigndns.com.
verisigninc.com. 86400 IN NS a1.verisigndns.com.
verisigninc.com. 86400 IN RRSIG NS 8 2 86400 20170321010646 20170307010646 1547 verisigninc.com. BJJIQ5HCrjtilACZdBTqheNIJr6jOJS/RpFYGrRW/qtsNCPLMg1J8sE2 0xyKflNTB6pkUE3QJxv0yQ8Qn7Q83GMmlRFmdlmvkE7dSGUxhOC20mjt yOY9kW5ozYhhquGJzTbcxLgvG1Ss2jGokoJxf+eoaw0NUSR5M44Q8gda 2KY=

Now a1.verisigndns.com. is an authoritative name server and knows the address of labs.verisigninc.com. along with its RRSIG record.

Sources: 
http://backreference.org/2010/11/17/dnssec-verification-with-dig/
https://newsletter.dnsimple.com/dnssec-record-types/
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

0 comments:

Post a Comment