Whitepaper Ultra-Flash CSFB
Whitepaper Ultra-Flash CSFB
Whitepaper Ultra-Flash CSFB
Securing Domain
Name Resolution with
DNSSEC
by Timothy Rooney
BT Diamond IP
diamondip.com
Securing Domain Name Resolution with
DNSSEC
By Tim Rooney, Director, Product Management
Introduction
DNS security extensions, DNSSEC, defined in RFCs 4033-4035 [1-3], provide a means to
authenticate the origin of resolution data within DNS and to verify the integrity of that data. It
enables resolvers to validate that the resolution data received for a given zone was indeed
published by the corresponding zone administrator and was not tampered with en route. Thus,
DNSSEC provides a means to detect packet interception, message ID guessing, and cache
poisoning attacks. In fact, DNSSEC was acknowledged as the only comprehensive solution to the
highly publicized Kaminsky cache poisoning DNS protocol vulnerability in 2008 [4]. This white
paper provides a high level overview of how DNSSEC works and the basic administrative
requirements for configuring and managing DNSSEC configurations.
DNSSEC Overview
DNSSEC utilizes asymmetric cryptography, also known as public key cryptography, which
provides for digital signatures to secure DNS resolutions. Digital signatures provide a means for
the recipient of a given set of data to verify the integrity of that data and to authenticate the origin
of the data; i.e., to confirm that it was actually sent by the claimed data sender. In the context of
DNS, this assures the resolver that the zone publisher indeed published the resolved data and that
the data is accurate as published on the server.
DNSSEC does not change the DNS resolution process: the resolver queries DNS root servers,
down the domain tree to an authoritative DNS server, which ultimately resolves the DNS query.
But DNSSEC adds signature data in the form of additional resource records, and enables
validation of signatures using the domain tree as the signature trust model as we’ll explain.
Note that we use the term “resolver” in this discussion to refer to the resolver function residing on
the caching or recursive server as shown in Figure 1. The recursive DNS server is queried by end
clients or stub resolvers. This approach reduces the scope of DNSSEC validation configuration to
recursive DNS servers without necessarily impacting end user clients’ resolver configurations.
The first ingredient requires a DNS zone administrator to implement DNSSEC zone signing
procedures described in this white paper. Zone signing does not change DNS resolution data, it
simply supplements it with signature and related data. This enables non-DNSSEC validating
resolvers to successfully resolve data. But administering signed zones does not stop with the
The second ingredient requires resolver configuration with DNSSEC parameters including trusted
keys which are used to validate received DNSSEC-signed resolution data. When so configured,
the recursive DNS server will indicate its ability to process DNSSEC resolution data by setting
the “DNSSEC OK” bit in the DNS Extensions header. An authoritative DNS server will ignore
this bit if it has not been configured with signed zones.
Without both ingredients, a signed zone and a validating resolver, a DNS query and resolution
functions as it does without DNSSEC, i.e., in “insecure” mode. Only when both ingredients are
configured for a given query will DNSSEC processing ensue.
Digital Signatures
DNSSEC signed zones feature digital signatures published alongside resolution data. The
signature is used by a validating resolver to verify the integrity of the resolution data that it signs
and that the resolution data was indeed published by the owner or administrator of the zone file.
In order to verify (1) the data using (2) its signature, a third piece of information is required: the
public key that corresponds to the private key used by the zone administrator to originally sign
the data. Hence the term asymmetric key pair cryptography: the private key and public key form a
key pair but they are not identical. But the keys comprising a key pair are mathematically
“bonded.” The digital signature generation and verification process is depicted in Figure 2.
To sign a zone, the zone administrator generates a key pair: the private key to sign the zone data
and the corresponding public key which is published within the zone file. The zone is not signed
as a single glom of data; each resource record set (RRSet) is individually signed. An RRSet is the
set of resource records within the zone file with identical owner name, class, and resource record
type values. Hence the following three resource records comprise an RRSet:
From the resolver’s perspective, the resolved information (e.g., the answer to the query:
{www.diamondip.com, IN, A}) comprises the desired data while the RRSIG provides the
corresponding digital signature. The third component, the public key corresponding to the signing
private key, is published in the zone file in the form of the DNSKEY resource record. The
DNSKEY RRSet is also retrieved by the resolver or included by the resolving authoritative server
in the original query response.
Moving to the right of Figure 2, on the receiving end, the retrieved public key (DNSKEY) is
applied to the signature (RRSIG) to essentially reverse the signature process. The resulting data
hash is compared to a hash of the resolved RRSet data retreived in the query; if it matches, the
signature is confirmed and the resolution is deemed secure. Once confirmed, the resolver can be
assured that the data integrity is intact and that it was signed with a private key corresponding to
the retreived public key.
Once the resolution data has been received and its signature validated via the zone’s public key,
the only remaining question is: “do you trust this private/public key pair?” An attacker who is
able to respond to a particular query from a resolver before the “real” server does can use his own
private/public key pair to produce DNSKEY and RRSIG records in the response to the resolver.
If the response matches the query {name, class, type} plus the UDP port and transaction ID
match, all made easier via the Kaminsky vulnerabillity, the resolver will consider the response
*
Technically these records are appended to the RRSIG record Rdata field less the signature to form the
data to be hashed.
Trusted Keys
To avert this situation of an imposter signator, the resolver must be configured with one or more
trusted keys or trust anchors. The trusted key is a copy of the trusted zone’s public key. Having
developed a trust relationship with the given zone administrator outside the bounds of the DNS
protocol, a copy of the administrator’s key can be configured in the recursive or caching server.
Following the resolution process described above, the recursive server can validate the data using
the signature and the zone’s public key. If the recursive server “knows” this key, the data is
considered secure and trusted.
Does this mean I need a copy of every zone’s public key? Fortunately, no. The term trust anchor
refers to a given point in the domain tree where a trust relationship has been established and a
copy of the corresponding domain’s public key is trusted. This trusted domain can vouch for its
signed child domains, who can in turn vouch for their child domains and so on. Hence, a
resolution deep in the domain tree can ultimately be trusted due to this chain of trust up the
domain tree to an “upstream” trust anchor. I don’t need every zone’s key, just the trust anchor’s,
which can be used to validate its signed decendent domains.
The Internet root zone and many of its children domains, the top-level domains (TLDs) have
already been signed so for the most part, the “Internet chain of trust” anchors at the root zone.
This vastly simplifies the configuration of your rescursive servers by simply requiring
configuration of the root zone’s public key, which can then be used to validate resolutions within
the chain of trust from the authoritative zone up to the root zone trust anchor. And ongoing
maintenance of trusted keys is minimal thanks to RFC 5011 [5] as we’ll describe in the
Administrative Tasks section.
Analagous to a parent zone referring resolvers down the domain tree using name server (NS)
resource records to link the domain tree, the Delegation Signer (DS) record within a parent zone
file authenticates its child zone’s public key, thereby linking the parent-child zones in a chain of
trust. The chain of trust may be extended to descendant zones using DS records on the “parent”
side of each link to enable the trust anchor to validate its decendants.
DNSSEC also supports authenticated denial of existence of queried zone data. Consider an
attacker responding with “NXDOMAIN” (query data not found) for a query which in fact has a
legitimate RRSet. Such a response could effectively render the destination unresolvable and thus
unreachable from the resolver’s perspective. The use of “Next Secure” resource records facilitate
denial of queried RRSet existence by enumeration of the “next” secure (signed) resolution data
(RRSet) within the zone file in canonical order.
The “Next Secure” resource records are published in the zone file as either NSEC resource
records which indicate the “next” cannonically ordered RRSet owner name verbatim or as
NSEC3 resource records, which link hashed RRSet owner names to deter zone footprinting via
simple RRSet enumeration by following NSEC records. These NSEC/NSEC3 records are
Initial DNSSEC operational experience [6] has led to the recommendation that two keys be used
per zone: a zone signing key (ZSK) and a key signing key (KSK). One of the benefits of this
approach is that it streamlines the complex key rollover process as discussed in the next section.
At this point, suffice it to say that the ZSK is used to sign the data within the zone and the KSK is
a longer term key that signs the ZSK (and itself). This allows for the efficiency of shorter ZSK
key lengths for faster validation using the ZSK, while providing more secure (longer) though
more processing-intensive KSK keys to validate ZSK signatures. The use of two keys also helps
with key rollover.
Both the ZSK and KSK are each comprised of a public and private key pair. The private keys are
used to sign zone information and must be secured, ideally on a secure server or host. The
corresponding public keys are published within the zone file as DNSKEY records. The flags field
within the Rdata portion of the DNSKEY record indicates whether the corresponding public key
is a ZSK or a KSK.
The public KSK of the highest (within the domain tree, i.e., the root) trusted zone is the trusted
key configured in each recursive server and authenticates that zone and any descendant zones
within the chain of trust. As a trust anchor within a resolver or recursive server configuration, this
key is also sometimes referred to as a Secure Entry Point (SEP) into the DNS.
Key Rollover
Zone administrators must change keys periodically to reduce the chance of key compromise,
much like changing your password provides a “moving target” for attackers. Changing a ZSK
affects intra-zone validation only which has relatively limited impact. But rolling a KSK has
wider ranging impacts. Each time a KSK trust anchor key is changed, each trusting recursive
server configuration must be updated with the zone’s new trusted key.*
Due to the manner in which zone data is distributed and maintained in the global DNS system via
zone transfers from master to slave servers and caching of zone data in recursive servers and
resolvers, flash cutting of keys is not practical. Publishing a new key while simultaneously
removing the formerly active key will result in recursive servers attempting to validate zone data
based on old keys (slaves not yet zone transferred) or failing to validate signatures created using
the new key by applying the old (cached) key. Hence the process of key rollover provides for this
relatively slow key data distribution process.
Two common forms of rollover are the pre-seed method and the dual-signature method. The pre-
seed method, illustrated in Figure 3, is typically applied to ZSK rollover. The pre-seed method
*
More likely for a non-trust anchor KSK, the parent zone must be updated with a new DS record
referencing the new KSK and signed with its own key.
Then at time t1, the new ZSK is used to sign zone data as indicated by the “pen” graphic. The old
ZSK should be retained in the zone file as resolvers having both ZSKs cached, will be able to
trust previoulsy validated signatures signed using the old key. Then at time t2, the old ZSK can be
removed, completing the rollover. Guidelines for time intervals are that t1 – t0 should be a time
interval exceeding the TTL of the DNSKEY RRSet for the zone, while t2 – t1 should be a time
interval exceeding the maximum TTL of all RRSets for the zone.
The dual-signature method, depicted in Figure 4, is applicable to KSK rollover and entails
introducing a new KSK while retaining the current KSK, then signing the zone using both KSKs.
You might think this process would excessively increase the size of the zone file as “double
signing” renders two RRSIG records for each RRSet, one per signing key. However, the KSK
generally signs only the DNSKEY RRSet to validate [itself and] the ZSK, so this RRSet would be
the only one with a signature for each KSK.
This dual KSK signing of the ZSK enables validation of the ZSK and zone data signed by the
ZSK using either KSK as a zone trust anchor.The twist is that the KSK is used by the parent zone
administrator to publish the DS record linking the chain of trust from the parent zone to your
zone. Therefore, when you introduce a new KSK, you must communicate the corresponding
public KSK to the parent zone administrator. The parent zone administrator then creates their DS
record with a hash of your KSK to peform the linkage. Of course, you have no control over when
your parent zone administrator will introduce the new DS record corresonding to your new KSK
so you should query the parent zone for its presence. The general rule of thumb is to await a time
interval greater than twice the TTL of the parent zone DS record before removing the old KSK
from the zone. Then the zone should be re-signed with only the new KSK (e.g., at time t1 in
Figure 4).
While the public key of the cryptographic key pair is published in the zone file, the private key
must be kept secure. Should a third party obtain the private key, the party may effectively
impersonate the zone, using the valid private key to sign bogus zone resource records to provide
validatable falsified resource records. Therefore, private keys must be protected from
compromise. At the same time the private key must be accessible during the process of zone
signing.
Many implementations feature deployment of Hardware Security Modules (HSMs) which may be
in the form of an HSM card installed in the DNS server or of a network-attached HSM
appliance.The HSM is responsible for the secure storage of the private keys used for zone
signing. The PKCS#11 (Public Key Cryptography Standard #11) crypto API is used between the
DNS server and the HSM to perform zone signing functions, without exposing the key outside the
confines of the HSM.
Should a private key be compromised, immediate action must be taken to “repossess” the zone.
For a compromised ZSK, the impact is constrained to the zone itself. A new ZSK should be
created, the private key used to sign the zone, and the public key published in the zone. Ideally,
the compromised key may also be published though not used to sign, and it must be in a revoked
state, as indicated by the revoke flag of the corresponding DNSKEY resource record. The
revoked ZSK if published along with the new ZSK must be signed with the zone’s KSK.
Compromise of a KSK private key is more menacing. In addition to revoking the compromised
KSK and publishing and signing with a new one, the parent zone administrator must update its
DS record pointing to the zone as soon as possible. This step reverts the chain of trust to the new
KSK, orphaning the compromised KSK. Due to the immediacy of action required due to its wide-
ranging impact, the documentation of an emergency KSK rollover policy should be documented
and agreed with the parent zone administrator.
This section highlights the key tasks required of DNS administrators for managing DNSSEC for
servers by server role.
The authoritative server administrator must perform the following tasks when signing zones.
*
For details about each of these BIND options per BIND version, please refer to
http://www.ipamworldwide.com/bind-options.html
Configuration of internal caching servers that resolve queries from Internet DNS servers require
consideration of the following tasks.
∗
Such as allow-query, allow-query-cache, allow-transfer, allow-notify, etc.
The trust anchor (trusted key) update process can be performed manually be editing the recursive
server’s trusted keys, or with BIND 9.7.0 and above, automatically using DNS. This automation
enables the trust anchor (root) zone administrator to add a new key to be used in the future. The
new key will be considered valid as long as it is signed with the currently trusted key(s) for the
zone. Keys may also be revoked using this automated method, which can also save time and
maual effort reconfiguring trusted keys. Revoked keys must likewise be signed with the current
trust anchor key(s).
RFC 5011 [5] defines a key lifecycle, which validating resolvers can follow simply by querying
the root zone periodically. In this manner, the recursive server can automatically update its trust
anchor without manual intervention. BIND 9.7.0 and above implements this automation using the
managed-keys statement in the named.conf configuration file.
*
For details about each of these BIND options per BIND version, please refer to
http://www.ipamworldwide.com/bind-options.html
Most administrators have a mix of signed and unsigned zones. Having the ability to manage all of
these zones and corresponding resource records using one tool can provide time savings, training
reduction and efficiencies with data consistency. A centralized IP address management solution
such as IPControl™ from BT Diamond IP can help you manage all domain information centrally,
as well as associated IPv4 and IPv6 address plans and DHCP.
In either case, DNS configuration information can be deployed to a variety of DNS servers.
IPControl provides full configuration of ISC BIND DNS configuration via the innovative DNS
option dictionary, which provides named.conf, zone and view option definitions for various
versions of BIND. This in itself is a major time saver if you have multiple server versions
deployed. This also enables you to leverage IPControl to configure a variety of servers, from
authoritative, caching, hidden, even internal root servers. The web graphical interface reduces
configuration errors and promotes consistency. Administrator controls also provide the means to
delineate administrator or role access to certain DNS management functions, domains, DNS
servers, and approvals for DNS resource records updates. Audit reports also enable tracing of the
history of a given resource record for example, in terms of tracking record creation,
modification(s), deletion, approval(s) and rejection(s).
Zones that are to be signed can be deployed to the Sapphire Sx20 appliance to initiate the
automated zone signing and maintenance functions. The Sapphire Sx20 has a dedicated login
account to minimize exposure to critical DNSSEC signing and key policies. This simplifies many
of the administrative tasks required for authoritative servers, including ZSK and KSK key
creation, zone signing and key rollover. Once configured, it will function according to these
policies to automate these tedious yet critical operations of key generation, signature refresh, and
Conclusion
DNSSEC provides valuable origin authentication, authenticated denial of existence of zone data
and end-to-end data integrity validation to mitigate DNS cache poisoning attacks. As we have
discussed in this white paper at a high level, DNSSEC requires extensive configuration and
ongoing management. Use of the IPControl centralized IP address management solution saves
time and increases efficiencies. The IPControl Sapphire Sx20 appliance automates authoritative
DNSSEC setup and management tasks and provides a secure user interface with which to
configure this automation. And with full BIND options support, configuration of automatically
rolling trust anchors streamlines management tasks for DNSSEC-validating recursive servers.
Together, IPControl and the Sapphire Sx20 enables you to “set and forget” your authoritative and
recursive DNSSEC management policies.
Please visit us at http://www.btdiamondip.com for more information and to schedule a
demonstration of BT Diamond IP DNSSEC solutions.
[2] —. Resource Records for DNS Security Extensions.: IETF, March, 2005. RFC 4034.
[3] —. Protocol Modifications for the DNS Security Extensions.: IETF, March, 2005. RFC 4035.
[4] An Illustrated Guide to the Kaminsky DNS Vulnerability, Steve Friedl unixwiz.net [Online]
http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
[5] StJohns, M. Automated Updates of DNS Security (DNSSEC) Trust Anchors: IETF, September,
2007. RFC 5011.
[6] Kolkman, O., Gieben, R., DNSSEC Operational Practices: IETF, September, 2006, RFC
4641.
[7] Rooney, Timothy. IP Address Management Principles and Practice : IEEE Press/John
Wiley & Sons, 2011.
About BT Diamond IP
BT Diamond IP is a leading provider of software and appliance products that help customers
effectively manage complex IP networks. Our next-generation IP management solutions help
businesses more efficiently manage IP address space across mid-to-very large sized enterprise
and service provider networks. These products include IPControl™ for comprehensive IP address
management, Sapphire appliances for DNS/DHCP services deployment and managed IPAM
services which enable monitoring and troubleshooting of your Sapphire DHCP/DNS
infrastructure and performance of IPAM moves/adds/changes. Our cable firmware management
product, ImageControl™, helps broadband cable operators automate and simplify the process of
upgrading and maintaining firmware on DOCSIS® devices in the field. Our customers include
regional, national and global service providers and enterprises in all major industries. For
additional information, please visit http://www.btdiamondip.com or contact BT Diamond IP at
1-800-390-6295 in the U.S. or 1-610-423-4770 worldwide.