dmitry-kohmanyuk
22 February 2013, Kharkiv
DNSSEC: there and here
Dmitry Kohmanyuk, Hostmaster Ltd.
1
DNSSEC: what is it?
✤ Extensions to the DNS protocol, the domain name system
✤ Uses cryptographic key pairs (public/private)
✤ Works on existing DNS servers with updated software
✤ Increases DNS security for the user
✤ Increases the size of server responses several times over
2
How DNS works: Hierarchy
3
How DNSSEC works: Tree and Root
• Each parent node certifies the signatures of its child nodes
• The root node is already signed
• The user receives the root signature through channels independent of DNS:
– Together with the operating system
– Together with the web browser
4
How DNSSEC works: The contradiction
• The key must be complex, so that it cannot be broken quickly
• The key must be short, so that the DNS system can carry it
• Short keys have to be changed often, but re-signing domains often is not possible
• The way out: two keys (KSK and ZSK), a long one and a short one
5
How DNSSEC works: two keys
• Every domain has a complex super-key (KSK – key signing key), which is changed once every two to three years
• To sign the domain's records, the administrator uses short keys (ZSK – zone signing key)
• ZSKs are weak, but they are changed often (in UA the ZSK is renewed once a month)
• Only the KSK fingerprint is passed to the parent domain
• The KSK signs the ZSK; this is how the chain of trust is built
6
DNSSEC deployment timeline
✤ Work began: 1999 (RFC 2535)
✤ Current standards: RFC 4033, 4034, 4035 (2005)
✤ Pioneers: .BR, .BG, .CZ, .PR, .SE, RIPE, .ORG
✤ Deployment in the root zone: 25 January - 15 July 2010
✤ Work began in Ukraine: 2 December 2011
7
DNSSEC in the world
http://www.dnssec-deployment.org/
✤ 96 of 316 top-level domains
8
ccTLD DNSSEC Adoption as of 2013-02-19
Legend: Uncertain, Experimental, Announced, Partial, DS in Root, Operational
AC: Operational, AG: DS in Root, AM: Operational, AT: Operational, AU: Announced, BE: Operational, BG: Operational, BR: Operational, BZ: DS in Root
CA: Operational, CC: Partial, CH: Operational, CL: Operational, CN: Experimental, CO: Operational, CR: DS in Root, CW: Uncertain, CZ: Operational
DE: Operational, DK: Operational, ES: Partial, FI: Operational, FO: Partial, FR: Operational, GA: Partial, GH: Announced, GI: DS in Root
GL: DS in Root, GN: Partial, GR: Operational, HN: DS in Root, HU: Announced, IE: Announced, IN: DS in Root, IO: Operational, IR: Experimental
IS: Experimental, IT: Announced, JP: Operational, KG: DS in Root, KR: Operational, LA: DS in Root, LB: DS in Root, LC: DS in Root, LI: Operational
LK: Operational, LR: Partial, LT: Partial, LU: Operational, LV: Operational, ME: Operational, MM: DS in Root, MN: Operational, MU: Experimental
MX: Experimental, MY: Operational, NA: Operational, NC: DS in Root, NL: Operational, NO: Announced, NU: DS in Root, NZ: Operational, PL: Operational
PM: Operational, PR: Operational, PT: Operational, PW: DS in Root, RE: Operational, RU: Operational, SC: Operational, SE: Operational, SG: Announced
SH: Operational, SI: DS in Root, SX: DS in Root, TF: Operational, TH: Operational, TM: Operational, TO: Experimental, TT: Operational, TV: Partial
TW: Operational, TZ: Operational, UA: Operational, UG: DS in Root, UK: Operational, UM: Experimental, US: Operational, UY: Announced, VC: Partial
WF: Operational, YT: Operational, ZW: Uncertain
DNSSEC statistics
9
DNSSEC in Ukraine
✤ Key generation ceremony for the UA domain: 2 December 2011
✤ Key activation and signing of UA: 27 March 2012
✤ Inclusion of the UA signature in the DNS root: 13 April 2012
✤ The regional domains of Rivne and Chernivtsi are signed
✤ The work has only just begun
10
DNSSEC in the wild
✤ Authenticating the addresses of any Internet hosts
✤ Authenticating server keys (SSHFP)
✤ Storing web server certificates (TLSA)
✤ IETF working group (DANE): further development
11
How to try DNSSEC
✤ on a DNS server: BIND, NSD, PowerDNS
✤ on a client: unbound, BIND, dnssec-trigger
✤ in a browser: DNSSEC Validator (Firefox)
✤ public DNSSEC server in Kharkiv: lh.cctld.ua
✤ addresses: 185.12.113.28 and 2a02:f080:1::71 - free to use!
12
Contacts and questions about DNSSEC
✤ www.hostmaster.ua/dnssec
13