DNS Advanced with DNSSEC

Duration: 4 days

The advanced course covers more complex DNS topics, such as DNS in combination with firewalls and “Split-DNS”. It gives a complete treatment of DNSSEC (signing and authentication of DNS data) as well as TSIG (DNS Transaction Signatures), EDNS(0) and dynamic updates. The obvious relation between DHCP and Dynamic DNS Updates is also part of the course.

The target audience for this course is networking people, network and DNS administrators, managers, people working with IT strategy, consultants, security people and others who need a deeper understanding of both traditional DNS and its more recent extensions.

This course requires knowledge corresponding to our DNS Introductory Course.

NOTE: This course is not delivered with the FoldOut methodology.

Quick recap of traditional DNS

Principles behind the DNS Protocol
•    autonomy, coherence, redundancy

Packet format:
•    The different parts of the DNS message and their usage

Name Server Implementations
•    BIND (both authoritative and recursive server)
•    NSD (authoritative-only server)
•    Unbound (recursive-only server)
•    Other Implementations
•    Differences, Pros and Cons

Lab Exercise: Compilation and installation of the DNS software

DNS Vulnerabilities overview

Role separation for name servers:
•    different implementation alternatives
•    pitfalls

TSIG: signing DNS transactions
•    Symmetric Encryption
•    Symmetric Algorithms: HMAC-MD5, HMAC-SHA1, HMAC-SHA256
•    Securing Zone Transfers (server-server)
•    Securing Queries (client-server)
•    Dynamic Updates (client-server)

•    BIND9: TSIG configuration in named.conf: the key, server and masters directives
•    NSD: TSIG configuration in nsd.conf: key attributes and the use of the NOKEY keyword

•    Securing the transport vs securing the data

Lab Exercise: Using TSIG between master and slave
•    Configuration
•    Need for synchronized clocks
•    Debugging

BIND9: rndc
•    remote management via rndc: pros and cons
•    Key management
•    Configuration of rndc.conf

Firewall Issues
•    Forwarding
•    Split-DNS
•    Internal Delegations
•    Queries “leaking” to the wrong side
•    management of internal connections
•    multiple versions of the name space and DNS coherency
•    varying functionality in different implementations
•    “forward” zones and stub zones
•    Split-DNS in conjunction with DNSSEC

Lab Exercise: Firewalls, Forwarding, Split-DNS

EDNS(0)
•    framework for DNS protocol extensions
•    usage of the OPT pseudo-RR
•    fields in the DNS packet that are expanded via EDNS(0) and their use

Introduction to DNSSEC
•    Background, threat scenario, the Kaminsky attack, etc.
•    Walkthrough of the concepts

DNSSEC: Validation of signed DNS data
•    “Trusted keys” and validation of data
•    What does “security apex” mean?
•    What should happen when data doesn’t validate?

Lab Exercise: Configuration of a validating resolver

DNSSEC: Publication of signed DNS data
•    Asymmetric encryption with public keys
•    Asymmetric algorithms: RSA, DSA
•    KSK and ZSK: different operational uses for keys

DNSSEC: Protocol extensions and new record types:
•    DNSKEY: public keys stored and distributed via DNS
•    RRSIG: digital signature of DNS records
•    DS: identification of the “KSK” in use

DNSSEC low-level tools:
•    dnssec-keygen to create keys
•    dnssec-signzone to sign zones

Lab Exercise: Publishing a DNSSEC signed zone
•    Create the configuration
•    Generate the keys and add them to the zone
•    DNSSEC Zone Signing

DNSSEC Key Rollover: Replacing old keys with new keys
•    Policy management
•    Delegation Signer and parent interaction
•    Parent/child interaction with examples
•    Tools to simplify DNSSEC management

Lab Exercise: The DS record and interacting with your parent
•    Closing the signature chain from the parent
•    Verification of the signature chain
•    Debugging

Resolver issues
•    Suitable API
•    Securing the “last mile”
•    The requirement for a “clear path”

Lab Exercise: Key Rollover of ZSK and KSK
•    Logging

DNSSEC Protocol extension: ADE (Authenticated Denial of Existence)
•    Why is ADE so important?
•    NSEC: Filling out the empty space to facilitate ADE
•    NSEC3: When zone contents must not be listed

Lab Exercise: NSEC3

DNSSEC: Applications, beyond securing DNS
•    Examples of DNSSEC application support: SSHFP, IPSECKEY
•    DANE: DNS-Based Authentication of Named Entities

DNSSEC high-level tools
•    OpenDNSSEC
•    BIND 9.9 inline-signing
•    others

Lab Exercise: OpenDNSSEC

Lab Exercise: inline-signing

International outlook:
•    Signing different Top-Level domains
•    Signing the root zone
•    Development and adjustment of different systems for DNSSEC

Dynamic Update
•    The four different roles: Client, Authoritative name server for forward zone, Authoritative name server for reverse zone and the DHCP server
•    Security Policies
•    Granularity in access rights: control over nodes or entire sub-trees, restrictions on available record types
•    update-policy {}
•    Alternatives for authentication: TSIG (symmetric key), SIG(0) (asymmetric key), GSS-TSIG
•    Comparison SIG(0) vs TSIG

Lab Exercise: Manual dynamic update
•    Name Server Configuration

Automatic dynamic update
•    How to trigger the dynamic update automatically
•    Client Configuration
•    Name Server Configuration
•    Design choices in environments with a mix of dynamic and static DNS data
•    Dynamic update of DNSSEC secured data: key management, signatures

Lab Exercise: Automatic dynamic update (with DHCP)
•    Name Server Configuration
•    Relation DHCP server and name server
