DNSSEC at Mozilla

| No Comments | No TrackBacks
Shyam Mani spoke about implementing DNSSEC. He was involved in implementing DNSSEC at Mozilla. DNSSEC is a bunch of changes to make sure the DNS information hasn't been changed in transit, and that you can verify that a DNS name does not exist.

In DNSSEC you have your public key in a DNS record, I think that's in a DS code type. A DNSKEY record sits in the parents zone. This helps setup a trust chain. You have a KSK (Key SIgning Key), and a ZSK (Zone SIgning Key). You could do this with one key, but for operational reasons it's better to have two. So the KSK becomes the more sensitive key that can have longer life times and higher encryption. You can change over your ZSK key more often. Shyam said RFC4641 is a good read for implementing rollover of keys.

He showed http://dnssec-debugger.verisignlabs.com/mozilla.org, a tool for debugging DNSSEC issues.

He suggests that you check your TLD is signed before you get started. Some registrars may not have implemented DNSSEC, so check with them. Also see if your dns software supports DNSSEC. Apart from doing the key management and signing of zones, the changes to bind configuration are minimal.

He showed http://dnsviz.net/ to visualize the train of trust. He says you should plan in advance of what happens if the keys to compromised. Are you going to allow your dns zones to effectively to go offline. You should sign and publish your zones before you push your DS upto the parent zone.

He had some issues. Pushed DS before signing the zones. Bind defaults to debug logging of DNSSEC stuff, which is a lot.

A question from the flaw asked what the user see's if a DNSSEC shows there has been some DNS tampering has occured. They haven't yet got that in mozilla yet, though there is apparently a firefox plugin. Someone on the floor mentioned freebird, a dnssec proxy that does all the key management for you.

No TrackBacks

TrackBack URL: http://geoff-blog.cromp.id.au/cgi-bin/movabletype/mt-tb.cgi/113

Leave a comment

About this Entry

This page contains a single entry by Geoff Crompton published on January 25, 2011 3:28 PM.

Backing up network gear was the previous entry in this blog.

lightning sysadmin miniconfs is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.



Powered by Movable Type 4.23-en