EzDevInfo.com


Top dnssec frequently asked interview questions

What is DNSSEC in a nutshell?

Could anyone explain to me how DNSSEC works in a nutshell?

What I can already understand (but I do not know if it is completely correct) is:

DNS is an old protocol created in the early Internet, therefore it has flaws (e.g. no authentication). It allows attacks such as man-in-the-middle and cache poisoning.

The solution? The creation of DNSSEC, a protocol that uses public key cryptography and gives authentication and integrity to DNS queries. It works using a chain of trust that starts at the root DNS server; the "trust" here means that you trust the public key of the root server.

At the zone level, the process works using one or more pairs of keys. First, the zone server has the ZSK (zone signing key) and it signs the queried data using the private ZSK. Afterwards, it sends the public ZSK, the data (RRSET) and the signed data (RRSIG) to the DNS resolver. But now you have to trust the public ZSK. The solution? To have another key, the KSK (key signing key). The zone signs the new set that contains the public KSK and public ZSK. Then it sends that new set, the signed set and the public KSK. It guarantees the security in the zone.

But how about the whole recursive process that DNS needs? How do we make sure that it is also secure? It is done by making the child server hash its public KSK and send it to its parent, which stores it as a DS (delegate signature). It is done early and I don't know how. In this way, if you trust the father and the father has the child DS, and if you hash the child public KSK and the result is equal to the father DS, you can trust the child. This creates the whole chain of trust. The secure entry point of this chain is in the root. You assume that you can trust the public key of the root.

This is what I think I understand about DNSSEC. If someone could explain it better, fix what I wrote or give more information that you think is essential to understand DNSSEC, I would be very grateful.

Also if someone could explain to me the DNSSEC architecture and key management I would be glad as well.

Thank you very much!!!!!


Source: (StackOverflow)

python error in subprocess command

I am trying to execute a subprocess, something done in my script a couple of times. But on the last one, it outputs an error I cannot find the solution to. The exact same command, using the same files, works just fine at the command line.

Line of code in question:

import subprocess
from time import gmtime, strftime

# name is the zone entered by the user. The KSK file must follow a separate "-k"
# element, as in the working command line below; without it dnssec-signzone sees
# no key with the KSK flag.
sfmove = subprocess.call(["dnssec-signzone", "-e", strftime("%Y%m%d%H", gmtime()) + "0000", "-p", "-t", "-g", "-k", "K" + name + ".ksk.key", "-o", name, name + ".external", "K" + name + ".zsk.key"])

Output of the script:

# python3.4 makekeys.py
Enter the domain to configure keys for? test123.com
Generating key pair....................................................................+++ ................................................................................+++
K
Generating key pair...........................................................+++ .................................................................................+++
K
dnssec-signzone: fatal: No self-signed KSK DNSKEY found.  Supply an active
key with the KSK flag set, or use '-P'.

Signing works at the command line:

dnssec-signzone -e20180330000000 -p -t -g -k Ktest123.com.ksk.key -o test123.com test123.com.external Ktest123.com.zsk.key
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
test123.com.external.signed
Signatures generated:                        9
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.010
Signatures per second:                 875.401
Runtime in seconds:                      0.013

How do I execute the dnssec-signzone correctly via Python?

url to complete code CODE


Source: (StackOverflow)
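The argv construction from the question, written as an added example (my code, not the poster's script and not part of BIND). It reads the flags field of each .key file that dnssec-keygen wrote, so the file that really carries the KSK flag (257) is the one placed after a separate "-k" element, and every option value is its own list element. The two key-file texts are constructed samples with placeholder key material; the function names are mine.

```python
import re
import subprocess
from time import gmtime, strftime

# Constructed sample contents of the two public-key files that dnssec-keygen writes.
# The base64 key material is a placeholder; only the flags field (257 = KSK, 256 = ZSK)
# is used here.
SAMPLE_KSK_FILE = (
    "; This is a key-signing key, keyid 12345, for test123.com.\n"
    "test123.com. IN DNSKEY 257 3 8 AwEAAcPLACEHOLDERKSK==\n"
)
SAMPLE_ZSK_FILE = (
    "; This is a zone-signing key, keyid 54321, for test123.com.\n"
    "test123.com. IN DNSKEY 256 3 8 AwEAAcPLACEHOLDERZSK==\n"
)

# DNSKEY <flags> <protocol> <algorithm> <key>; the class ("IN") may be absent in some files.
DNSKEY_LINE = re.compile(r"\bDNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+")


def dnskey_flags(key_file_text: str) -> int:
    """Return the DNSKEY flags field from a BIND-style .key file."""
    match = DNSKEY_LINE.search(key_file_text)
    if match is None:
        raise ValueError("no DNSKEY record found in key file")
    return int(match.group(1))


def is_ksk(key_file_text: str) -> bool:
    """A KSK has both the Zone Key bit (0x0100) and the SEP bit (0x0001) set, i.e. flags 257."""
    return dnskey_flags(key_file_text) & 0x0101 == 0x0101


def build_signzone_argv(zone: str, zone_file: str, key_files: dict, expiry: str) -> list:
    """Build argv for dnssec-signzone with each option and its value as a separate element.
    key_files maps a key file path to its text; files whose flags mark them as KSKs are each
    passed after their own "-k" element, the rest are appended as ZSKs after the zone file."""
    ksks = [path for path, text in key_files.items() if is_ksk(text)]
    zsks = [path for path, text in key_files.items() if not is_ksk(text)]
    if not ksks:
        raise ValueError("no key file with the KSK flag (257) was supplied")
    argv = ["dnssec-signzone", "-e", expiry, "-p", "-t", "-g"]
    for path in ksks:
        argv += ["-k", path]
    argv += ["-o", zone, zone_file] + zsks
    return argv


def default_expiry() -> str:
    """YYYYMMDDHHMMSS at the top of the current UTC hour, the same layout the question builds."""
    return strftime("%Y%m%d%H", gmtime()) + "0000"


def sign_zone(argv: list) -> int:
    """Run dnssec-signzone and return its exit status (non-zero means signing failed)."""
    return subprocess.call(argv)


if __name__ == "__main__":
    name = "test123.com"
    files = {}
    for path in (f"K{name}.ksk.key", f"K{name}.zsk.key"):
        with open(path, encoding="ascii") as fh:  # the real files written by dnssec-keygen
            files[path] = fh.read()
    print(sign_zone(build_signzone_argv(name, f"{name}.external", files, default_expiry())))
```

Checking the flags before calling the tool turns the "No self-signed KSK DNSKEY found" failure into a clear error in the script itself, before anything is written next to the zone file.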


BIND-9.8.2 DNSSEC automation

I have read, in their entirety, IETF RFC6781, BIND-AMR-9.8, and DNSSEC Howto, a tutorial in disguise. I have also set up a DNSSEC domain with ISC using DLV which works. Now, I have a large number of questions for which I can find no evident answer.

This is the first:

In /var/named/masters I see files having the form:

-rw-r--r--. 1 root root     479 Mar 24 02:29 Kparschecks.ca.+008+60246.key
-rw-------. 1 root root    1200 Mar 24 02:29 Kparschecks.ca.+008+60246.private

note that this domain is not enabled with DLV.

These evidently change each day some time around 02:20 local, as shown below by the directory contents of the previous day:

-rw-r--r--. 1 root root     479 Mar 23 02:30 Kparschecks.ca.+008+15573.key
-rw-------. 1 root root    1200 Mar 23 02:30 Kparschecks.ca.+008+15573.private

I infer from what I have read that these settings in /etc/named.conf influence this behaviour:

  dnssec-enable yes;            // enable
  dnssec-validation yes;        // for recursive servers
  dnssec-lookaside auto;        // Enable DLV and use built-in key

But I cannot find any reference as to what process (named itself?) generates the keys in this fashion, how it is scheduled, and how to alter that setting. I speculate that the utility used is dnssec-keygen, but I cannot discover the scheduling process that runs every morning, whatever utility is being used.

Looking at the signature reveals this:

dnssec-settime -p all /var/named/masters/Kparschecks.ca.+008+60246.key
Created: Thu Mar 24 02:29:42 2016
Publish: Thu Mar 24 02:29:42 2016
Activate: Thu Mar 24 02:29:42 2016
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

Q. Is the named daemon process controlling the generation of these keys (auto-dnssec)? If not then what is? If so then how is the schedule set?


Source: (StackOverflow)

What is Canonical wire format of a DNS TSIG RR name?

As per RFC 2845, the TSIG RR key name should be in the canonical wire format. What does canonical wire format exactly mean? I have gone through RFC 2523 and it states that "For purposes of DNS security, the canonical form for an RR is the wire format of the RR with domain names (1) fully expanded (no name compression via pointers), (2) all domain name letters set to lower case, (3) owner name wild cards in master file form (no substitution made for *), and (4) the original TTL substituted for the current TTL."

For example, if the key name is abc.def.shared.key, will it be "\003abc\003def\006\003key\000" in the canonical wire format?


Source: (StackOverflow)
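The canonical wire format asked about here, and the "hash the child's public KSK and compare it with the parent's DS" step described in the first question on this page, worked through in Python as an added example (my code, not from either question and not from any DNS implementation). It follows RFC 4034: uncompressed, lowercased, length-prefixed labels for names; the DNSKEY key tag from Appendix B; and the DS digest as hash(owner name || DNSKEY RDATA). The owner names, the 4-byte "public key" and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct


def name_to_canonical_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2): no compression
    pointers, every label length-prefixed and lowercased, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-octet flags, 1-octet protocol (always 3), 1-octet algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the retired RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4.
    Digest type 1 is SHA-1 (legacy), 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_canonical_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS RDATA fields a child hands to its parent for its KSK."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches(owner: str, rdata: bytes, parent_ds: dict) -> bool:
    """The check a validator performs at a delegation: the DS published by the parent
    must match the child's DNSKEY in key tag, algorithm and digest."""
    if parent_ds["key_tag"] != key_tag(rdata) or parent_ds["algorithm"] != rdata[3]:
        return False
    expected = ds_digest(owner, rdata, parent_ds["digest_type"])
    return hmac.compare_digest(parent_ds["digest"], expected)


# Constructed sample: a "KSK" (flags 257 = Zone Key + SEP, algorithm 8 = RSASHA256)
# whose public key is four placeholder bytes, and the DS its parent would publish.
SAMPLE_KSK_RDATA = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
PARENT_DS = make_ds("example.com", SAMPLE_KSK_RDATA)


if __name__ == "__main__":
    print(name_to_canonical_wire("abc.def.shared.key"))
    print("key tag:", key_tag(SAMPLE_KSK_RDATA), "DS:", PARENT_DS["digest"].hex())
    print("child KSK trusted:", ds_matches("example.com", SAMPLE_KSK_RDATA, PARENT_DS))
    print("tampered KSK trusted:", ds_matches("example.com", dnskey_rdata(257, 8, b"\x01\x02\x03\x05"), PARENT_DS))
```

The same name_to_canonical_wire function gives the bytes a TSIG signer feeds into the MAC for the key name: note that every label, including "shared", keeps its own length octet and body, and that case is folded before hashing.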

When using https but not DNSSEC, under what situation, a client is vulnerable?

So DNSSEC is to ensure that the returned IP address is not poisoned, and https is to verify the remote server.

My question is: when protected by https, under what circumstances is a client vulnerable?

Say I go to https://www.facebook.com; even if I'm not protected by DNSSEC, what damage can an adversary cause? Let's assume no DigiNotar stuff.

Thanks


Source: (StackOverflow)

RFC 4035 dnssec zone apex term

I'm reading RFC 4035, which has to do with DNSSEC, and there's a term which is causing me trouble to get: Zone Apex. Perhaps I sound like a rookie, but any help on this is very welcome. Thanks!!


Source: (StackOverflow)

Would integration with DPDK be beneficial in terms of performance for a DNS/DHCP/DNSSEC server?

DPDK seems to provide an impressive performance boost for certain applications, but I don't think servers will benefit nearly as much as things like routers/switches.

I haven't seen any mention of this being done or worked on, so I am just wondering if it might be worth working on.


Source: (StackOverflow)

Check if domain is dnssec secured with vb.net

Is there a way to check that a domain name is DNSSEC-secured from vb.net 2013 or lower?


Source: (StackOverflow)

DNSSEC - Do we have to store keys after we signed zones with them?

I'm now working on WMbind and I'm making a new module called 'signedzone'. I added one more table to the wmbind database, which is a keys table. So, as the question above asks, do we have to store keys (in this case, I mean both KSK and ZSK) after we use them to sign the zone?

I have tried deleting those used keys before and it didn't do anything to the signed zones.

However, I just need to know if deleting used keys will affect zones that are signed with them.

Thank you in advance


Source: (StackOverflow)

dnssec-keygen -n owner significance

I'm trying to set up ddns (dynamic dns) using keys generated with dnssec-keygen. I used -n USER "username", thinking this would limit use of the key to "username". However, anyone who has the key can do ddns updates, which is not what I want.

I'd like to understand the significance of the USER owner type in dnssec-keygen.


Source: (StackOverflow)

How to create Delegation Signer (DS) record for a subdomain with PowerDNS?

I have a domain mydomain.com. The DNS servers for this domain are under my control and I'm running PowerDNS there. I've set up DNSSEC for my main domain mydomain.com and I've registered the keys at the registrar. Everything works fine for the main domain. However, when I create subdomains (zones) with the PowerAdmin GUI, I get the following error for my subdomains from the DNSSEC analysis tool at http://dnssec-debugger.verisignlabs.com/: No DS records found for subdomain.mydomain.com in the mydomain.com zone

Question: how do I add that DS record to the mydomain.com zone with PowerDNS?


Source: (StackOverflow)

getdns API: How do I know if a RESPSTATUS_NO_NAME response is secure?

I'm using the Python getdns API.

I'm using the extensions:

extensions = {"dnssec_return_validation_chain" : getdns.EXTENSION_TRUE}

This means that I'm told whether the responses are DNSSEC-secured via the dnssec_status option in the reply dictionary. (The results.replies_tree is an array of reply dictionaries.)

A query can have no replies if there is no name (e.g. results.status==getdns.RESPSTATUS_NO_NAME).

In this case, how do I know if the RESPSTATUS_NO_NAME response is authenticated with DNSSEC?


Source: (StackOverflow)

How to correctly generate an RRSIG record for a DNSSEC response?

I am working on building a custom DNSSEC server that will respond to queries based on their subdomain. For example, queries of

abc123.example.com would respond with 0.0.0.0

def456.example.com would respond with 1.1.1.1

I am using ARSoft Tools to generate the responses to the DNS queries. My question is: what do I need to do to generate the RRSIG record that needs to go along with the response? Here is how I am generating the records in code:

response.AnswerRecords.Add(new DsRecord(DomainName.Parse("example.com"), RecordClass.Any, 60, 0, DnsSecAlgorithm.RsaSha256, DnsSecDigestType.Sha256, new byte[] {1,2,3}));
response.AnswerRecords.Add(new DnsKeyRecord(DomainName.Parse("example.com"), RecordClass.Any, 60, DnsKeyFlags.Zone, 3, DnsSecAlgorithm.RsaSha256, new byte[] {1,2,3}));
response.AnswerRecords.Add(new RrSigRecord(DomainName.Parse("example.com"), RecordClass.Any, 60,
    RecordType.A, DnsSecAlgorithm.RsaSha256, 4, 0, DateTime.Now.AddMinutes(1), DateTime.Now, 0, DomainName.Parse("example.com"), new byte[] {1,2,3}));

How and what do I need to gather up to put into the byte array for each of the three records (currently set as byte[] {1,2,3})? The DS record is asking for a digest, the DnsKey is asking for the publicKey, and the RRSIG is asking for a signature.


Source: (StackOverflow)
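What actually goes under an RRSIG's signature, as an added example in Python (my code, not the questioner's ARSoft code). RFC 4034 section 3.1.8.1 defines the signed data as the RRSIG RDATA without its Signature field, followed by the covered RRset in canonical form and canonical order; the bytes below are that input for the "abc123.example.com -> 0.0.0.0" answer from the question. The key tag, timestamps and signer name are constructed values, and the function names are mine. The final step, RSASSA-PKCS1-v1_5 over SHA-256 for algorithm 8, needs an RSA library holding the zone's private key and is left as a callable the reader supplies.

```python
import hashlib
import ipaddress
import struct

TYPE_A = 1
CLASS_IN = 1
ALG_RSASHA256 = 8


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name: uncompressed, lowercase, length-prefixed labels, root last."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def label_count(owner: str) -> int:
    """RRSIG Labels field: labels in the owner name, not counting a leading '*' or the root."""
    return sum(1 for l in owner.rstrip(".").split(".") if l and l != "*")


def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, keytag, signer) -> bytes:
    """RRSIG RDATA with the Signature field left off (RFC 4034 section 3.1)."""
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                        original_ttl, expiration, inception, keytag)
    return fixed + name_to_wire(signer)


def canonical_rrset(owner, rtype, rclass, original_ttl, rdatas) -> bytes:
    """The RRset in canonical form and order: owner lowercased, TTL replaced by the
    original TTL, RRs sorted by RDATA as octet strings (RFC 4034 section 6)."""
    out = b""
    for rdata in sorted(rdatas):
        out += name_to_wire(owner) + struct.pack("!HHIH", rtype, rclass, original_ttl, len(rdata)) + rdata
    return out


def rrsig_signed_data(owner, rtype, rclass, original_ttl, rdatas,
                      algorithm, expiration, inception, keytag, signer) -> bytes:
    """Exactly the octets the zone's private key signs: RRSIG_RDATA(minus signature) || RRset."""
    prefix = rrsig_rdata_prefix(rtype, algorithm, label_count(owner), original_ttl,
                                expiration, inception, keytag, signer)
    return prefix + canonical_rrset(owner, rtype, rclass, original_ttl, rdatas)


def rrsig_rdata(owner, rtype, rclass, original_ttl, rdatas,
                algorithm, expiration, inception, keytag, signer, sign) -> bytes:
    """Complete RRSIG RDATA: the prefix plus the signature returned by sign(bytes)."""
    data = rrsig_signed_data(owner, rtype, rclass, original_ttl, rdatas,
                             algorithm, expiration, inception, keytag, signer)
    prefix = rrsig_rdata_prefix(rtype, algorithm, label_count(owner), original_ttl,
                                expiration, inception, keytag, signer)
    return prefix + sign(data)


def a_rdatas(addresses) -> list:
    """A-record RDATA is the 4-byte address; sorting these gives canonical order."""
    return [ipaddress.IPv4Address(a).packed for a in addresses]


if __name__ == "__main__":
    # Constructed values: inception 1000, expiration 2000 (seconds since epoch), key tag 2063.
    data = rrsig_signed_data("abc123.example.com", TYPE_A, CLASS_IN, 60, a_rdatas(["0.0.0.0"]),
                             ALG_RSASHA256, 2000, 1000, 2063, "example.com")
    print(data.hex())
    print("sha256 of signed data:", hashlib.sha256(data).hexdigest())
```

Two things the byte array in the question has to respect: the TTL in each canonical RR is the original TTL carried in the RRSIG (so the signature still verifies after caches decrement the TTL), and the records are sorted by RDATA, so an RRset with 1.1.1.1 and 0.0.0.0 signs identically whatever order the zone lists them in.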

How to import DNSSEC private key into BouncyCastle

I've followed the steps outlined here to generate a signed Zone file: https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

In the generation of that file, it gave me 2 private and public key files that end with .private and .key as their file types, and the private file is formatted like this:

Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Modulus: (random characters)
PublicExponent: (random characters)
PrivateExponent: (random characters)
Prime1: (random characters)
Prime2: (random characters)
Exponent1: (random characters)
Exponent2: (random characters)
Coefficient: (random characters)
Created: 20160415164633
Publish: 20160415164633
Activate: 20160415164633

I'd like to somehow get these files into the AsymmetricCipherKeyPair object within the BouncyCastle package, so that it can be used like this:

privateKey = PrivateKeyInfoFactory.CreatePrivateKeyInfo(importedPair.Private).GetDerEncoded();

Does anyone know if there is support in the BouncyCastle package to import this type of public/private key file?


Source: (StackOverflow)
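The .private file above is BIND's own text layout: each RSA component is a base64-encoded big-endian integer. An added example (my code, not from the question, the DigitalOcean tutorial or BouncyCastle) that parses that layout into integers and checks they form a consistent CRT key before anything is built from them. The sample file is constructed with a textbook toy RSA key (p = 61, q = 53) so the arithmetic can be checked by hand; it is useless for real signing. Function names are mine.

```python
import base64
import math

INTEGER_FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1", "Prime2",
                  "Exponent1", "Exponent2", "Coefficient")
RSA_ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}

# Constructed sample in Private-key-format v1.3 layout; the integers are the toy key
# n = 3233, e = 17, d = 2753, p = 61, q = 53, dP = 53, dQ = 49, qInv = 38.
SAMPLE_PRIVATE_FILE = """Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Modulus: DKE=
PublicExponent: EQ==
PrivateExponent: CsE=
Prime1: PQ==
Prime2: NQ==
Exponent1: NQ==
Exponent2: MQ==
Coefficient: Jg==
Created: 20160415164633
Publish: 20160415164633
Activate: 20160415164633
"""


def parse_bind_private_key(text: str) -> dict:
    """Parse a BIND .private file into integer RSA components plus the algorithm number."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[name.strip()] = value.strip()
    if fields.get("Private-key-format") not in ("v1.2", "v1.3"):
        raise ValueError("unsupported Private-key-format")
    algorithm = int(fields["Algorithm"].split()[0])
    if algorithm not in RSA_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} is not an RSA algorithm")
    key = {name: int.from_bytes(base64.b64decode(fields[name]), "big") for name in INTEGER_FIELDS}
    key["algorithm"] = algorithm
    key["created"] = fields.get("Created")
    return key


def rsa_key_is_consistent(key: dict) -> bool:
    """Reject a corrupted or mismatched file: n = p*q, e*d = 1 mod lcm(p-1, q-1),
    and the CRT exponents and coefficient agree with d, p and q."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    p, q = key["Prime1"], key["Prime2"]
    dp, dq, qinv = key["Exponent1"], key["Exponent2"], key["Coefficient"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (p * q == n and (e * d) % lam == 1 and dp == d % (p - 1)
            and dq == d % (q - 1) and (q * qinv) % p == 1)


def crt_parameters(key: dict) -> tuple:
    """The eight integers, in the order (modulus, publicExponent, privateExponent, p, q,
    dP, dQ, qInv) that BouncyCastle's RsaPrivateCrtKeyParameters constructor takes."""
    return (key["Modulus"], key["PublicExponent"], key["PrivateExponent"], key["Prime1"],
            key["Prime2"], key["Exponent1"], key["Exponent2"], key["Coefficient"])


def rsa_roundtrip(key: dict, message: int) -> bool:
    """Textbook RSA sign-then-verify on a small integer, only to show the private and public
    halves belong together; real DNSSEC signatures use PKCS#1 v1.5 padding over a hash."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    return pow(pow(message, d, n), e, n) == message % n


if __name__ == "__main__":
    parsed = parse_bind_private_key(SAMPLE_PRIVATE_FILE)
    print(RSA_ALGORITHMS[parsed["algorithm"]], crt_parameters(parsed))
    print("consistent:", rsa_key_is_consistent(parsed), "roundtrip:", rsa_roundtrip(parsed, 65))
```

The consistency check is worth keeping in any import path: a .private file edited by hand or truncated during a copy still parses, and the mismatch only surfaces later as signatures that validators reject.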

How To Enable Unbound DNSSEC DNS Resolver On Mac OS X 10.10.3 Yosemite

I'm using Mac OS X 10.10.3 Yosemite. Very recently upgraded from Snow Leopard (10.6.8) to Yosemite.

STEPs-A: On the MacBook I log in to an Admin-type privileged account, and installed the latest free "Xcode" from the Apple App Store. Using Xcode, added "Command Line Tools", etc.

STEPs-B:
Installed Homebrew from the https://brew.sh/ website. Copy-pasted the command line below into Terminal, from the Homebrew website:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
The above process/script checks the presence of various necessary software & settings, and it showed (as info & status inside the Terminal window) what other commands or tools needed to be obtained or executed; I followed those.

STEPs-C:
When "homebrew" & related installation steps were done, I installed "openssl" & "unbound" using the "brew" tool, via these command lines in Terminal:
brew help
brew update
brew install unbound openssl
sudo cp -fv /usr/local/opt/unbound/*.plist /Library/LaunchDaemons
sudo chown root /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
sudo launchctl load -w /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
brew upgrade --all

STEPs-D:
Restarted the MacBook once, and then tried the "dig" commands below, and they did not show the "ad" flag in the DNS query result, which indicates that DNSSEC-authenticated DNS resolving is still not working and is disabled!

dig @127.0.0.1 in TLSA _443._tcp.www.dnssec-validator.cz. +dnssec
dig @127.0.0.1 in TLSA _443._tcp.www.isc.org. +dnssec
dig @192.168.10.1 in TLSA _443._tcp.www.dnssec-validator.cz. +dnssec
dig @192.168.10.1 in TLSA _443._tcp.www.isc.org. +dnssec

The 192.168.10.1 is my (internet router) gateway for the primary network interface/adapter which is connected to the internet. My net adapter is currently using 192.168.10.50, a dynamic (not fixed) DHCP-based IP address.

Unfortunately, the developers at the https://unbound.net/ site do not provide a standalone "unbound" pkg or dmg installer file for Mac OS X. Nor do they (actively) develop the "DNSSEC-Trigger" app. In Snow Leopard I was using only the "unbound" portion from the "dnssec-trigger" bundle. I was able to disable their "dnssec-trigger" portion and keep the "unbound" portion running, after following tips shown in their mailing-list archive, and in that way I did not need to install any Xcode command-line tools or Homebrew.

What should/can I do now, so that all apps on the entire MacBook can use the "unbound" DNSSEC resolver, where the "unbound" resolver will be listening on 127.0.0.1:53 (ip.address:port) for DNSSEC & DNS queries?


Source: (StackOverflow)