DNS Security

A short discussion, plus an introduction to DNSSEC

A quick review of DNS

Diagram: user → resolver (e.g. 1.1.1.1, 8.8.8.8) → the nameserver(s) for each DNS zone

DNS messages

When the nameserver has the answer:

;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	216.58.200.238

When it sends you to ask someone else (a referral):

;; QUESTION SECTION:
;google.com.			IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.

;; ADDITIONAL SECTION:
l.gtld-servers.net.	172800	IN	A	192.41.162.30
b.gtld-servers.net.	172800	IN	A	192.33.14.30
c.gtld-servers.net.	172800	IN	A	192.26.92.30

Each line in the answer, authority and additional sections is a resource record (RR); the column after IN is the record type (A, NS, ...)

DNS message contents

// response from root zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com.	IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 20210427170000 20210414160000 14631 . jwahsbkHuNHBLp9YgL9d4EVhLmtgBaTHHyKZAla3//yfTJZSdjzasjlr jQztqmJE/eESu812+7DG7S1LFfs8TMoyENlaxUoBuqB5PVAec2B2aiW2 udE8MSPUJ55VaOEAPIg8WWj5U81b8L28xWrnpCKTuP+nyKrOihGHHc5j FIByd9537+uUzwsCjKgQCEjllYb5n/jLvbHypqywkDwvboL5jV/Amo8h kmGBcm3BwKVoa44l56mHdwU29g2mUwErbzE5ac6SHcsWchQy2JSzSu7F cFXUDXRBJd1PPTiiKZZHJR/XhOMIy19Y5zsUsTcqpgKrIvTQBvbf1+Mt ZLq8Gw==

;; ADDITIONAL SECTION:
a.gtld-servers.net.	172800	IN	A	192.5.6.30
b.gtld-servers.net.	172800	IN	A	192.33.14.30
c.gtld-servers.net.	172800	IN	A	192.26.92.30
d.gtld-servers.net.	172800	IN	A	192.31.80.30
e.gtld-servers.net.	172800	IN	A	192.12.94.30
f.gtld-servers.net.	172800	IN	A	192.35.51.30
g.gtld-servers.net.	172800	IN	A	192.42.93.30
h.gtld-servers.net.	172800	IN	A	192.54.112.30
i.gtld-servers.net.	172800	IN	A	192.43.172.30
j.gtld-servers.net.	172800	IN	A	192.48.79.30
k.gtld-servers.net.	172800	IN	A	192.52.178.30
l.gtld-servers.net.	172800	IN	A	192.41.162.30
m.gtld-servers.net.	172800	IN	A	192.55.83.30
// ==============================================================================================================


// response from .com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com.	IN	A

;; AUTHORITY SECTION:
cloudflare.com.		172800	IN	NS	ns3.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns5.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns4.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns6.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns7.cloudflare.com.
cloudflare.com.		86400	IN	DS	2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9
cloudflare.com.		86400	IN	RRSIG	DS 8 2 86400 20210421041721 20210414030721 58540 com. AbNlrffLewRXntWb0GEkNsUSRWisQV8lVagZuD+RUpcsTjFPd/fkQInM XKfp6nSMB632tfceGPE3C1mr4jxR4lyV93O+MexAe1bEmSS5s1ZhX3Sb JWXkh/cZlS6yCDGBmlJHbgfwmVQ0vIvitfOw4VlxcAV+FYsRdF3C/ClT Dr8KQ1QY0kKHdp8TeLbVSkSmdm2wYBhi3kIcoomdsFkZHQ==

;; ADDITIONAL SECTION:
ns3.cloudflare.com.	172800	IN	A	162.159.0.33
ns3.cloudflare.com.	172800	IN	A	162.159.7.226
ns5.cloudflare.com.	172800	IN	A	162.159.2.9
ns5.cloudflare.com.	172800	IN	A	162.159.9.55
ns4.cloudflare.com.	172800	IN	A	162.159.1.33
ns4.cloudflare.com.	172800	IN	A	162.159.8.55
ns6.cloudflare.com.	172800	IN	A	162.159.3.11
ns6.cloudflare.com.	172800	IN	A	162.159.5.6
ns7.cloudflare.com.	172800	IN	A	162.159.4.8
ns7.cloudflare.com.	172800	IN	A	162.159.6.6
// ==============================================================================================================


// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com.	IN	A

;; ANSWER SECTION:
community.cloudflare.com. 300	IN	A	104.16.133.229
community.cloudflare.com. 300	IN	A	104.16.132.229
community.cloudflare.com. 300	IN	RRSIG	A 13 3 300 20210416013846 20210413233846 34505 cloudflare.com. JMiz99Buhxb6QbD51D/ysTzsG2Rz5ifr3lRo48PkOqLjt1Az37whx8AO NmA4kZAED5hJh3dZfZbNcoTtIdMnwg==
// ==============================================================================================================

DNS was designed very early

Plaintext transport & no signatures

1987

RFC 1034

RFC 1035

Plaintext transport

Privacy

Implied security problems

Anyone on the path can see which domains you looked up

No signatures

Without signatures there is no way to be sure who you are actually talking to

A quick review of a typical digital signature

Decrypt with the public key: if it opens and the content checks out, it was produced with the corresponding private key

This guarantees 1. the message was not truncated or tampered with, 2. the message came from whoever holds the private key

Whoever holds the private key

might not be who we think it is

maybe the public key was wrong from the start

Someone has to vouch for the public key

someone else has to sign this public key

but that someone else may not be trustworthy either

so someone has to sign that person's public key too

and this never ends

We need to find someone we can trust

Any public key they sign, we trust

Any public key signed by a key they signed, we also trust

Any public key signed by a key signed by a key they signed, we also trust

...

This is a chain of trust

DNS spoofing/cache poisoning

Source port number?

Many resolvers used to send every query from the same fixed port

Now it is random for every request

Request (transaction) ID number?

Used to be a simple incrementing counter

Now it also has to be random

Diagram: resolver ↔ nameserver (where DNS spoofing / cache poisoning happens)

In theory, the hop between the user and the resolver is no safer either

China's Great Firewall

does use DNS spoofing

DNSSEC (DNS Security Extensions)

A pile of RFCs, published starting around 2000

An extension of DNS

It solves the trust problem between the resolver and the nameserver

(although most websites still do not use it today)

Besides returning the records, the nameserver

also returns signatures over those records

and its key is vouched for by the parent zone

The RRSIG record is that signature


RRSIG is itself a record (an RR)

DNSSEC adds several new RR types

Look at the last response first, the one from the cloudflare.com zone

// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com.	IN	A

;; ANSWER SECTION:
community.cloudflare.com. 300	IN	A	104.16.133.229
community.cloudflare.com. 300	IN	A	104.16.132.229
community.cloudflare.com. 300	IN	RRSIG	A 13 3 300 20210416013846 20210413233846 34505 cloudflare.com. JMiz99Buhxb6QbD51D/ysTzsG2Rz5ifr3lRo48PkOqLjt1Az37whx8AO NmA4kZAED5hJh3dZfZbNcoTtIdMnwg==
// ==============================================================================================================

To verify this RRSIG

the resolver needs another request to fetch the key

That DNSKEY response has two keys

and it also comes with its own RRSIG

// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;cloudflare.com.			IN	DNSKEY

;; ANSWER SECTION:
cloudflare.com.		3600	IN	DNSKEY	257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== (key id: 2371)
cloudflare.com.		3600	IN	DNSKEY	256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== (key id: 34505)
cloudflare.com.		3600	IN	RRSIG	DNSKEY 13 2 3600 20210514040914 20210315040914 2371 cloudflare.com. jj+c/7Y67inA4heXnNUKBNOGI+B8Foy3wtcsgK0wXgX0ZlRhsyvc6Eys oJowpHvrz2/PCXDZD/z0yZ6eXEFADg==
// ==============================================================================================================

The RRSIG in the A response is the signature over the two A records above

The RRSIG in the DNSKEY response is the signature over the two DNSKEY records above

The two keys:


257 is the key-signing key (KSK)

256 is the zone-signing key (ZSK)

A quick recap:

  • key-signing key: used to verify the RRSIG over the DNSKEY records
  • zone-signing key: used to verify all the other RRSIGs

So now there are two RRSIG records

the A records have an RRSIG

the DNSKEY records also have an RRSIG

and two DNSKEY records

  • key-signing key
  • zone-signing key

So

  • the A records are vouched for by the zone-signing key
  • the zone-signing key is vouched for by the key-signing key

How do we trust the key-signing key?

The DS record handed out by the parent zone

is the hash of the child zone's key-signing key

// response from .com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com.	IN	A

;; AUTHORITY SECTION:
cloudflare.com.		172800	IN	NS	ns3.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns5.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns4.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns6.cloudflare.com.
cloudflare.com.		172800	IN	NS	ns7.cloudflare.com.
cloudflare.com.		86400	IN	DS	2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9
cloudflare.com.		86400	IN	RRSIG	DS 8 2 86400 20210421041721 20210414030721 58540 com. AbNlrffLewRXntWb0GEkNsUSRWisQV8lVagZuD+RUpcsTjFPd/fkQInM XKfp6nSMB632tfceGPE3C1mr4jxR4lyV93O+MexAe1bEmSS5s1ZhX3Sb JWXkh/cZlS6yCDGBmlJHbgfwmVQ0vIvitfOw4VlxcAV+FYsRdF3C/ClT Dr8KQ1QY0kKHdp8TeLbVSkSmdm2wYBhi3kIcoomdsFkZHQ==

;; ADDITIONAL SECTION:
ns3.cloudflare.com.	172800	IN	A	162.159.0.33
ns3.cloudflare.com.	172800	IN	A	162.159.7.226
ns5.cloudflare.com.	172800	IN	A	162.159.2.9
ns5.cloudflare.com.	172800	IN	A	162.159.9.55
ns4.cloudflare.com.	172800	IN	A	162.159.1.33
ns4.cloudflare.com.	172800	IN	A	162.159.8.55
ns6.cloudflare.com.	172800	IN	A	162.159.3.11
ns6.cloudflare.com.	172800	IN	A	162.159.5.6
ns7.cloudflare.com.	172800	IN	A	162.159.4.8
ns7.cloudflare.com.	172800	IN	A	162.159.6.6


// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com.	IN	A

;; ANSWER SECTION:
community.cloudflare.com. 300	IN	A	104.16.133.229
community.cloudflare.com. 300	IN	A	104.16.132.229
community.cloudflare.com. 300	IN	RRSIG	A 13 3 300 20210416013846 20210413233846 34505 cloudflare.com. JMiz99Buhxb6QbD51D/ysTzsG2Rz5ifr3lRo48PkOqLjt1Az37whx8AO NmA4kZAED5hJh3dZfZbNcoTtIdMnwg==

Putting it all together

  • the A records are vouched for by the child zone's zone-signing key
  • the child zone's zone-signing key is vouched for by the child zone's key-signing key
  • the child zone's key-signing key is vouched for by the parent zone's DS record
  • the parent zone's DS record is vouched for by the parent zone's zone-signing key
  • the parent zone's zone-signing key is vouched for by the parent zone's key-signing key
  • the parent zone's key-signing key is vouched for by the DS record in the parent zone's parent zone
  • ...

Starting from the root nameserver

the resolver has to be preconfigured with the DS record of the root key-signing key (the trust anchor)

→ it can trust the root zone's key-signing key

it can trust the root zone's DNSKEY records (zone-signing key)

it can trust the root zone's DS records (and NS records)

→ it can trust the .com key-signing key

it can trust the .com DNSKEY records (zone-signing key)

it can trust the .com DS records (and NS records)

→ it can trust the cloudflare.com key-signing key

it can trust the cloudflare.com DNSKEY records (zone-signing key)

it can trust the cloudflare.com A records
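
The DS check described above, carried out in Python as an added example (this is not code from the original slides). It rebuilds the DNSKEY RDATA, computes the RFC 4034 key tag, and hashes owner name plus RDATA to compare with the DS record the parent published; the DNSKEY and DS values are the cloudflare.com ones shown in the dig output on this page, and the function names and tuple layouts are this example's own. A resolver runs the same comparison against its configured root trust anchor at the top of the chain.

```python
import base64
import hashlib
import struct

# cloudflare.com keys and the DS that the .com zone publishes for the KSK,
# copied from the dig output above (whitespace inside the base64/hex removed).
CLOUDFLARE_KSK = (257, 3, 13,
    "mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+"
    "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
CLOUDFLARE_ZSK = (256, 3, 13,
    "oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8"
    "KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==")
CLOUDFLARE_DS = (2371, 13, 2,
    "32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6"
    "3826F2B9")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name wire form || DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def dnskey_matches_ds(owner: str, dnskey, ds) -> bool:
    """True if the parent's DS vouches for this DNSKEY: the key must be a zone key and
    key tag, algorithm and digest must all agree (what a validating resolver checks)."""
    flags, proto, alg, pub = dnskey
    ds_tag, ds_alg, ds_type, ds_hex = ds
    rdata = dnskey_rdata(flags, proto, alg, pub)
    return (bool(flags & 0x0100)                      # Zone Key flag, RFC 4034 2.1.1
            and key_tag(rdata) == ds_tag
            and alg == ds_alg
            and ds_digest(owner, rdata, ds_type) == ds_hex.upper())

if __name__ == "__main__":
    print("KSK key tag:", key_tag(dnskey_rdata(*CLOUDFLARE_KSK)),
          "ZSK key tag:", key_tag(dnskey_rdata(*CLOUDFLARE_ZSK)))
    print("DS matches KSK:", dnskey_matches_ds("cloudflare.com.", CLOUDFLARE_KSK, CLOUDFLARE_DS))
    # The ZSK is not in the parent's DS; it is trusted only through the KSK-signed DNSKEY RRset.
    print("DS matches ZSK:", dnskey_matches_ds("cloudflare.com.", CLOUDFLARE_ZSK, CLOUDFLARE_DS))
```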

If there is no data, what is there to sign?

NSEC or NSEC3 records

// response from cloudflare.com zone
;; QUESTION SECTION:
;ttjsioj90jkljfsgr.cloudflare.com. IN	A

;; AUTHORITY SECTION:
cloudflare.com.				300	IN	SOA	ns3.cloudflare.com. dns.cloudflare.com. 2037003995 10000 2400 604800 300
ttjsioj90jkljfsgr.cloudflare.com. 	300 	IN 	NSEC	\000.ttjsioj90jkljfsgr.cloudflare.com. RRSIG NSEC
cloudflare.com.				300	IN	RRSIG	SOA 13 2 300 20210416052852 20210414032852 34505 cloudflare.com. Em2EYGHAQI69NYZYQtO2A/Th6C8FTLEKu6VfWrvXNNHufkazWfjZw7JO 9ALBZAK3Y7+sFNXoL4xhh7hVB40KaA==
ttjsioj90jkljfsgr.cloudflare.com. 	300 	IN 	RRSIG	NSEC 13 3 300 20210416052852 20210414032852 34505 cloudflare.com. xXA4glHt7T38O5JNT12oe9EHy3BhHuxLabzHqSSNpD4XMY9iU0fr4iLs k/kkfl4+idUGqXTu1T7ShLsY1mUS+A==

// response from .com zone (referral for google.com)
;; QUESTION SECTION:
;google.com.			IN	A

;; AUTHORITY SECTION:
google.com.		172800	IN	NS	ns2.google.com.
google.com.		172800	IN	NS	ns1.google.com.
google.com.		172800	IN	NS	ns3.google.com.
google.com.		172800	IN	NS	ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210422042410 20210415031410 58540 com. fePohSpUOL9K9eCljlIgjwl8TiSbS1ahDo0B1FI9aIIZA3u1AuzKQgzK yRxC56l4SXq5oLvuUe8Xti4/G8ARewoTTNtgNN0KWIj7PKCNdLDSQYtu nF3HoZZLtoKomKgq6YXbdwt9+6Qern+as2SAI2pWvPPjsGVx0400tCNY C1YgPGOuMomEm/Fg/aWwW6uv/a+k7SJPSKIvJ0CLHiCmuw==
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN NSEC3 1 1 0 - S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5  NS DS RRSIG
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN RRSIG NSEC3 8 2 86400 20210419042155 20210412031155 58540 com. q4Vpx7gnbxsb3HXnw9FCe203ZHl6pBDgAgVDQK3lA9eFh1XCGUbjcpwQ gjZbb7OfuSBa2Bee9J/YRMpUw11D5uXSllNfoSjdWCZvQPSKtGLVEH72 32VA1nikaRTIZEe4FDIKWjMrJJpKSYDZIUtMmg66KnQ+RN8TPTvlhUt4 NkGiIWeqwHP5eY4HhuCDaLezn4T640BB16usghh5AO+G5g==
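
Reading the NSEC3 records in the .com referral above, in Python, as an added example (not code from the original slides). It hashes a name the way NSEC3 1 1 0 - does (SHA-1, no extra iterations, empty salt), encodes the result in base32hex, and checks whether a hash is owned or covered by one of the records; with the values on this page, com. hashes to the first NSEC3 owner (the closest encloser) and google.com. falls inside the second span, whose opt-out flag is set, which is how a resolver concludes that the google.com delegation has no DS. The classify helper and its return strings are this example's own.

```python
import base64
import hashlib

# The two NSEC3 records from the .com referral above: (owner hash, next hash, flags).
# Their parameters "1 1 0 -" mean SHA-1, opt-out flag set, 0 extra iterations, empty salt.
COM_NSEC3 = [
    ("CK0POJMG874LJREF7EFN8430QVIT8BSM", "CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A", 1),
    ("S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ", "S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5", 1),
]
OPT_OUT = 0x01

# base32 -> base32hex (RFC 4648 section 7); base32hex keeps byte order under string comparison
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), repeated iterations+1 times, then base32hex."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).decode().translate(_B32HEX)

def nsec3_covers(owner_hash: str, next_hash: str, h: str) -> bool:
    """True if h lies strictly between owner and next in hash order (the last record wraps)."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash

def classify(name: str, nsec3_records) -> str:
    """What the referral's NSEC3 records prove about `name` (helper written for this example)."""
    h = nsec3_hash(name)
    for owner, nxt, flags in nsec3_records:
        if h == owner:
            return "exists"            # an NSEC3 owns this hash: the name is in the zone
        if nsec3_covers(owner, nxt, h):
            if flags & OPT_OUT:
                return "covered by opt-out span: unsigned delegation, no DS"
            return "does not exist"
    return "no proof"

if __name__ == "__main__":
    for n in ("com.", "google.com."):
        print(n, nsec3_hash(n), "->", classify(n, COM_NSEC3))
```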

Online DNSSEC analyzer

DNSSEC Deployment

The root zone supports it

The vast majority of top-level domains support it too

But the vast majority of websites have not enabled it

Many domain registrars do not support setting a DS record

Nobody is forcing them?

Google's and Facebook's websites do not use it (still true now)

The DNSSEC mechanism can be used to vouch for all kinds of domain-related records

including things that have nothing directly to do with looking up an IP

for example, TLS certificates

DANE (DNS-Based Authentication of Named Entities)

RFC 6698, RFC 7671

("in theory" this mechanism could take over the role of the CA)

Problems DNSSEC does not solve

Messages are still unencrypted & the "last mile"

Diagram: the "last mile" between the user and the resolver

Solutions for the last mile

Tunnel DNS messages over TLS/HTTPS

DNS over TLS (DoT) (2016/05 RFC 7858, 2018/03 RFC 8310)

DNS over HTTPS (DoH) (2018/10 RFC 8484)

Diagram: the "last mile"

Resolver support

A short summary

The original DNS protocol encrypts nothing and signs nothing

DNSSEC later added signatures from the nameserver

The mechanism is good

but it mainly protects the resolver from being fooled

it does not cover the hop between the user and the resolver

and hardly any websites have enabled it so far

There were some other earlier attempts to make DNS more secure; maybe they went nowhere?

To solve the last mile you probably still need DNS over TLS/HTTPS

References

DNS Security

By luyunghsien