Hands-On DNSSEC with DNSViz - NANOG Archive (Feb 06, 2017)
TRANSCRIPT
Hands-On DNSSEC with DNSViz
Casey Deccio
Brigham Young University
NANOG 69, Feb. 8, 2017
Washington, DC
Preparation
• Demo and exercises available at: http://dnsviz.net/demo/
• Includes links to the following:
  • VirtualBox software
  • VirtualBox demo image
  • Tutorial exercises
Objectives
• Understand the basics of DNS and DNSSEC
• Become familiar with DNS server and analysis tools:
  • DiG
  • BIND
  • DNSViz
• Learn how tools might be used to routinely analyze/monitor your DNS health
Caveats
• The exercises range from novice-level to advanced.
• Many of the exercises are more to facilitate understanding than efficiency.
• The exercises are meant for learning DNS/DNSSEC and related tools, but do not cover all details for proper DNS/DNSSEC maintenance.
DNS Overview
DNS Namespace
• Namespace is organized hierarchically
• DNS root is top of namespace
• Zones are autonomously managed pieces of DNS namespace
• Subdomain namespace is delegated to child zones
[Diagram: the root (.) delegates com and net; com delegates example.com; net delegates example.net]
DNS Name Resolution
• Resolvers query authoritative servers
• Queries begin at root zone; resolvers follow downward referrals
• Resolver stops when it receives authoritative answer
[Diagram: the stub resolver sends "Query: example.com/A?" to the recursive resolver; the recursive resolver follows referrals from the root (.) to the com servers to the example.com authoritative servers and returns "Answer: 192.0.2.16"]
Virtual Environment Initialization
• Unzip dnsviz-demo-v4.zip
• Open dnsviz-demo-v4/dnsviz-demo-v4.vbox
• "Start" VM
• Enlarge screen
• Double-click "Tutorial Exercises" file
• (Exercises 0.1 – 0.2)
• Open "Terminal Emulator"
• Change to "demo" directory:
$ cd demo
Query DNS Servers (1.1 – 1.5)
$ dig @a.root-servers.net example.com
  (@server: query a specific server rather than your configured resolver; no record type specified, so the default type "A" (address) is used)
$ dig @a.gtld-servers.net example.com
$ dig @a.iana-servers.net example.com
$ dig example.com
  (no server is explicitly designated, so the query goes to the local resolver)
$ dig @a.iana-servers.net foobar.example.com
Query a Root Server
Query a TLD Server
Query an SLD Server
Query Local Recursive Resolver
Query for a Non-existent Name
DNSSEC Overview
Public Key Cryptography
• Keys
  • Public key – advertised to everyone
  • Private key – kept hidden
• Signatures
  • Made with private key
  • Validated with public key
• Validation
  • Consumer uses public key, message, and signature to validate message
[Diagram: Data + Private Key -> Sig; Data + Public Key + Sig -> Valid or Bogus?]
DNS Security Extensions (DNSSEC)
• DNS data signed with private keys
• Signatures (RRSIGs) and public keys (DNSKEYs) published in zone data
• Resolver response
  • If authentic: Authenticated Data (AD) bit is set
  • If bogus: SERVFAIL message is returned
[Diagram: the stub resolver sends "Query: example.com/A?" to the recursive/validating resolver; the resolver asks the example.com authoritative server for example.com/A ("Answer: 192.0.2.16 + RRSIG") and example.com/DNSKEY ("Answer: DNSKEY… + RRSIG"), validates, and returns "Answer: 192.0.2.16" with the AD bit to the stub]
DNSSEC Chain of Trust
• DNSKEY must be authenticated.
• Trust extends through ancestry to a trust anchor at resolver.
• DS resource record – provides digest of DNSKEY in child zone.
• Resolver must start with trusted key, at root.
[Diagram: example.com zone data is signed by the example.com DNSKEY; a DS in the com zone covers that DNSKEY; a DS in the root (.) zone covers the com DNSKEY; the resolver trust anchor is the root DNSKEY]
Key Roles – KSK/ZSK
• DNSKEY RRset usually has multiple keys, often with split roles.
• KSK (Key signing key)
  • Signs (only) the DNSKEY RRset.
  • Corresponds to DS records in parent, providing "secure entry point" into zone.
• ZSK (Zone signing key)
  • Signs the rest of the zone.
[Diagram: in example.com, DNSKEY (KSK) signs the DNSKEY RRset and corresponds to the DS in the com zone; DNSKEY (ZSK) signs the zone data]
Authenticated Denial of Existence
• How do you prove something doesn't exist?
• "Chain" of names of zone formed using NSEC records.
• NSEC records form comprehensive chain of names (and their record types) in zone in canonical ordering.
• Server uses NSEC records to prove non-existence.
[Diagram: the example.com zone holds the names example.com., apple.example.com., banana.example.com., grape.example.com.; the recursive/validating resolver asks the authoritative server "Query: coconut.example.com/A?" and receives "NXDOMAIN: banana.example.com/NSEC + RRSIG"; it then asks "Query: example.com/DNSKEY?", receives "Answer: DNSKEY… + RRSIG", and validates]
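The check a validating resolver performs on the NSEC record in that NXDOMAIN response, as an added example (not code from the slides or from DNSViz). It implements DNSSEC canonical name ordering (RFC 4034 section 6.1) and the two halves of an NSEC NXDOMAIN proof from RFC 4035 section 5.4: an NSEC that covers the query name, and an NSEC that covers the wildcard at the closest encloser. The NSEC chain is constructed from the names in the slide's diagram; RRSIG verification over the NSEC records is assumed to have happened already and is out of scope here.

```python
"""NSEC-based proof of non-existence, as a validating resolver checks it.

Added example (not from the slides). The NSEC chain below is constructed
from the slide's diagram. RRSIG verification is assumed done beforehand:
a validator must never trust an NSEC record whose signature it has not
verified.
"""


def canonical_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 6.1): compare label
    by label starting at the root, case-insensitively, as raw octets; a
    name sorts before every name it is a proper ancestor of."""
    stripped = name.rstrip(".")
    labels = stripped.lower().split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def nsec_covers(qname, owner, next_name):
    """True if qname lies strictly between owner and next_name, so this NSEC
    proves qname does not exist. The last NSEC of a zone points back to the
    apex, so the chain wraps around."""
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(next_name)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around NSEC at the end of the chain


def closest_encloser(qname, covering_owner):
    """Longest existing ancestor of qname: the longest common ancestor of
    qname and the owner of the NSEC that covers it (every ancestor of an
    NSEC owner exists, and any longer ancestor of qname would itself be
    covered, hence non-existent)."""
    q, o = canonical_key(qname), canonical_key(covering_owner)
    common = 0
    while common < min(len(q), len(o)) and q[common] == o[common]:
        common += 1
    if common == 0:
        return "."
    return ".".join(label.decode("ascii") for label in reversed(q[:common])) + "."


def prove_nxdomain(qname, nsec_records):
    """Return True only if nsec_records (list of (owner, next) pairs taken
    from the response) prove both that qname does not exist and that no
    wildcard at the closest encloser could have synthesized an answer."""
    covering = [(o, n) for o, n in nsec_records if nsec_covers(qname, o, n)]
    if not covering:
        return False  # qname exists, or the server sent an unrelated NSEC
    wildcard = "*." + closest_encloser(qname, covering[0][0])
    # If the wildcard exists it is an NSEC owner, so nothing covers it and
    # the proof fails: the server should have expanded the wildcard instead.
    return any(nsec_covers(wildcard, o, n) for o, n in nsec_records)


# Constructed from the slide's diagram: the complete NSEC chain of example.com.
EXAMPLE_COM_NSEC_CHAIN = [
    ("example.com.", "apple.example.com."),
    ("apple.example.com.", "banana.example.com."),
    ("banana.example.com.", "grape.example.com."),
    ("grape.example.com.", "example.com."),  # wraps back to the apex
]

if __name__ == "__main__":
    for q in ("coconut.example.com.", "zebra.example.com.", "apple.example.com."):
        verdict = "NXDOMAIN proven" if prove_nxdomain(q, EXAMPLE_COM_NSEC_CHAIN) else "not proven"
        print(f"{q:24} {verdict}")
```

The wildcard half is the part that is easy to forget: a response carrying only the banana/grape NSEC from the slide is not a complete proof, because nothing in it rules out a `*.example.com` record, and the function rejects it for that reason.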
Query for DNSSEC Records (2.1 – 2.5)
$ dig +dnssec +multi @a.iana-servers.net example.com
  (+dnssec: set the EDNS DO bit so DNSSEC records, e.g., RRSIG, are included in the response; +multi: present response in multi-line format with comments, for readability)
$ dig +dnssec +multi @a.iana-servers.net example.com DNSKEY
  (query for records of type "DNSKEY" (DNSSEC public key) instead of the default, "A" (address))
$ dig +dnssec +multi @a.gtld-servers.net example.com DS
  (query a "parent" server because we're seeking a DS record)
$ dig +dnssec +multi example.com
$ dig +dnssec +multi @a.iana-servers.net foobar.example.com
Query for DNSSEC Records (RRSIGs)
Query for DNSSEC Records (DNSKEY)
Query for DNSSEC Records (DS)
Query for DNSSEC Records
Query for DNSSEC Records (NSEC)
DNSViz
DNS Analysis Using DNSViz (dnsviz probe command line)
• Queries issued – IPv4/IPv6, UDP/TCP
  • Referral queries – to learn delegation NS records from parent
  • NS queries – to learn authoritative NS records
  • DNSKEY/DS queries – for building a DNSSEC chain
  • A/AAAA/TXT/MX/SOA queries
  • Diagnostic queries (special handling of errors, etc.)
[Diagram: "$ dnsviz probe example.com" performs the online analysis, following referrals from the root (.) to com to example.com, and writes the serialized online analysis (JSON) to output.json]
DNS Analysis Using DNSViz (dnsviz grok/graph/print command line)
• Responses analyzed (offline)
  • Responsiveness
    • Query timeouts
    • Network errors
    • EDNS/fragmentation capabilities
  • Consistency
    • Across servers
    • Between DNSKEY/RRSIG
    • Between DNSKEY/DS
  • Correctness
    • RRSIG
      • Expiration/inception dates
      • Cryptographic signature
    • DS – cryptographic hash
    • Negative responses
      • NSEC proof correctness
      • SOA record correctness
[Diagram: output.json (serialized online analysis, JSON) feeds "$ dnsviz grok" (writes output-p.json, the serialized offline analysis in JSON), "$ dnsviz graph" (analysis graph as jpg, png, or html), and "$ dnsviz print" (color terminal/text output)]
Analyze Using dnsviz probe (3.1 – 3.2)
$ dnsviz probe -A -a . -p example.com > example.com.json
  (-A: issue diagnostic queries to authoritative servers, rather than recursive servers; -a .: follow referrals from root (".") to analyze name; -p: make the output "pretty", for readability; > example.com.json: store analysis in file called "example.com.json")
$ medit example.com.json &
Analyze Using dnsviz grok (3.3 – 3.4)
$ dnsviz grok < example.com.json > example.com-p.json
  (< example.com.json: read analysis from "example.com.json"; > example.com-p.json: store analysis in file called "example.com-p.json")
$ medit example.com-p.json
Analyze Using dnsviz grok (3.5 – 3.6)
$ dnsviz grok -l info < example.com.json > example.com-p1.json
  (-l info: show only information that is of priority "info" or higher)
$ medit example.com-p1.json
Analyze Using dnsviz grok (3.7)
$ dnsviz grok -l error < example.com.json
  (-l error: show only information that is of priority "error" or higher; output, if any, is displayed on screen instead of being redirected to a file)
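The objectives slide mentions using these tools to routinely monitor DNS health; the grok output above is the natural input for that. The following is an added example (not part of DNSViz or the tutorial) that turns `dnsviz grok` JSON into a pass/fail check suitable for a cron job. It assumes the documented shape of grok output: a JSON object keyed by name, each with a top-level "status" (SECURE, INSECURE, BOGUS) and, at `-l warning` or lower, nested "errors"/"warnings" lists whose entries carry a "code" and "description". Because the nesting differs by response type, the walker recurses through the whole document rather than assuming fixed paths. The embedded JSON is a constructed sample in that shape, and the finding codes in it are illustrative placeholders, not real DNSViz codes.

```python
"""Pass/fail monitoring check over `dnsviz grok` JSON output.

Added example, not part of DNSViz. Assumed output shape: {name: {"status":
..., ...nested objects with "errors"/"warnings" lists of {"code", ...}}}.
The sample document is constructed; its codes are placeholders.
"""
import json
import sys

# Constructed sample shaped like `dnsviz grok -l warning` output.
SAMPLE_GROK_OUTPUT = json.dumps({
    "example.com": {
        "status": "SECURE",
        "queries": {
            "example.com/IN/A": {
                "answer": [{
                    "status": "SECURE",
                    "warnings": [{"code": "CONSTRUCTED_WARNING_1",
                                  "description": "illustrative warning"}],
                }],
            },
        },
    },
    "example.net": {
        "status": "BOGUS",
        "queries": {
            "example.net/IN/DNSKEY": {
                "answer": [{
                    "status": "BOGUS",
                    "errors": [{"code": "CONSTRUCTED_ERROR_1",
                                "description": "illustrative error"}],
                }],
            },
        },
    },
})


def collect_findings(node, path=()):
    """Yield (severity, code, path) for every entry of any "errors" or
    "warnings" list found anywhere under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("errors", "warnings") and isinstance(value, list):
                for entry in value:
                    code = entry.get("code", "?") if isinstance(entry, dict) else str(entry)
                    yield key[:-1], code, path  # "errors" -> "error"
            else:
                yield from collect_findings(value, path + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from collect_findings(item, path + (str(index),))


def summarize(grok_json):
    """Per-name status plus the flattened list of findings."""
    doc = json.loads(grok_json)
    return {
        name: {"status": info.get("status", "UNKNOWN"),
               "findings": list(collect_findings(info))}
        for name, info in doc.items()
    }


def should_alert(summary, allow_insecure=False):
    """Alert when a name is not SECURE (INSECURE optionally tolerated for
    zones that are knowingly unsigned) or when any error-level finding exists."""
    acceptable = {"SECURE"} | ({"INSECURE"} if allow_insecure else set())
    for info in summary.values():
        if info["status"] not in acceptable:
            return True
        if any(severity == "error" for severity, _, _ in info["findings"]):
            return True
    return False


if __name__ == "__main__":
    # Usage: dnsviz probe -A -a . example.com | dnsviz grok -l warning | python3 check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GROK_OUTPUT
    summary = summarize(text)
    for name, info in sorted(summary.items()):
        codes = ", ".join(f"{sev}:{code}" for sev, code, _ in info["findings"]) or "-"
        print(f"{name:30} {info['status']:10} {codes}")
    sys.exit(1 if should_alert(summary) else 0)
```

Warnings are reported but do not by themselves trip the alert; in practice a signature nearing expiration shows up as a warning first, so a team that wants early notice should treat specific warning codes as alerting too.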
Analyze Using dnsviz graph (3.8 – 3.11)
$ dnsviz graph -Thtml -t /dev/null < example.com.json > example.com.html
  (-Thtml: output interactive HTML format; -t /dev/null: don't use any trust anchor)
$ firefox example.com.html &
$ dnsviz graph -Thtml < example.com.json > example.com.html
$ firefox example.com.html &
Analyze Using dnsviz print (3.12 – 3.13)
$ dnsviz print -t /dev/null < example.com.json
  (-t /dev/null: don't use any trust anchor)
$ dnsviz print < example.com.json
  (default: anchor trust with root KSK)
View dnsviz probe Output (screenshots)
View dnsviz grok Output (screenshots)
View dnsviz graph Output (screenshots)
View dnsviz print Output (screenshots)
Signing a DNS Zone
Set up Virtual DNS Environment (4.1 – 4.2)
[Diagram: a VirtualBox guest hosting three UML guests, with the host outside]
$ ./start_all
  (wait for all three consoles to come up)
Change directory for all three consoles (root, tld1, sld1):
$ cd /etc/bind
Set up Virtual DNS Environment (4.3)
$ ./dns_change_root local
  (point DNS root hints and trusted keys to internal root server)
[Diagram: the VirtualBox guest holds UML guests "root1", "tld1", and "sld1", joined by a virtual switch; a second virtual switch connects the VirtualBox guest to the host]
Analyze example.com in Local Environment (4.4 – 4.6)
$ dnsviz probe -A -a . -p example.com | dnsviz graph -Thtml -O
  (pipe results directly to dnsviz graph, rather than redirecting to a file; -O: output analysis to file named "example.com.html")
$ ./dnsviz_analyze example.com
  (script included for simplification)
$ firefox example.com.html &
View dnsviz graph Output
Add Records to example.com Zone (5.1 – 5.4)
• Add A records for names "a", "c", and "e" (on sld1) (hint: see existing record for "www"):
# nano zones/db.example.com
or
# vi zones/db.example.com
• Check zone:
# named-checkzone example.com zones/db.example.com
• Reload zone:
# service bind9 reload
• Check that record shows up (query from VirtualBox guest):
$ dig @sld1 a.example.com
Add Records to example.com Zone (screenshots)
Create DNSSEC Keys for example.com Zone (6.1 – 6.3)
(on sld1)
# KSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 -r /dev/urandom example.com`
  (-f KSK: set the "SEP" bit for this DNSKEY; -a RSASHA256: use algorithm RSASHA256 for signing; -b 2048: create a 2048-bit key)
# ZSK=`dnssec-keygen -n ZONE -a RSASHA256 -b 1024 -r /dev/urandom example.com`
  (no "SEP" bit here; -b 1024: create a 1024-bit key. The 1024-bit ZSK keeps the exercise fast; for a production zone use at least 2048-bit RSA, or an ECDSA/EdDSA algorithm)
# ls $KSK* $ZSK*
Add DNSKEY Records to example.com Zone (6.4 – 6.9)
• Look at DNSKEY records (on sld1):
# cat $KSK.key $ZSK.key
• Add DNSKEY records to zone:
# cat $KSK.key $ZSK.key >> zones/db.example.com
• Reload zone:
# service bind9 reload
• Re-analyze:
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
  (+noall +comment: print only the header comments, where the flags (including AD) appear; +ad: set the AD bit in the query so a validating resolver reports AD in the response)
Create DNSSEC Keys for example.com Zone (screenshots)
View dnsviz graph Output: DNSKEYs with no RRSIGs
View dig Output: no AD bit
Sign Records in example.com Zone (7.1 – 7.4)
• Sign zone (on sld1):
# dnssec-signzone -r /dev/urandom -k $KSK -o example.com zones/db.example.com $ZSK
  (-r /dev/urandom: use pseudo-random entropy source, not for production use; -k $KSK: sign only DNSKEY records with this key; $ZSK: sign entire zone with this key)
• Point named.conf to signed zone file:
# sed -i -e 's:/db.example.com:&.signed:' named.conf.local
• Reload zone:
# service bind9 reload
• Re-analyze:
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: Signed example.com Zone
View dig Output: no AD bit
Generate DS Records for example.com (8.1 – 8.2)
(on sld1)
# dnssec-dsfromkey $KSK
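What `dnssec-dsfromkey` computes here, and what the parent-side DS check on the chain-of-trust slide relies on, as an added example (not from the slides, and not BIND's code): the key tag from RFC 4034 Appendix B and the DS digest from RFC 4509, which is the hash of the owner name in canonical wire form followed by the DNSKEY RDATA. The DNSKEY is constructed with a dummy 4-byte public key purely to exercise the arithmetic; it is not a usable key, and the DS derived from it would never validate a real signature.

```python
"""Derive a DS record from a DNSKEY and check DS/DNSKEY consistency.

Added example reproducing the arithmetic behind `dnssec-dsfromkey`
(RFC 4034 Appendix B key tag, RFC 4509 SHA-256 DS). The sample DNSKEY
uses a constructed dummy public key.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 257 = ZONE + SEP (typical KSK), 256 = ZONE only (typical ZSK)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 8 = RSASHA256
    public_key: bytes

    @classmethod
    def from_presentation(cls, owner, text):
        """Parse the RDATA as printed by dig or stored in a K*.key file:
        'flags protocol algorithm base64...' (base64 may be split by spaces)."""
        flags, proto, alg, *b64 = text.split()
        return cls(owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def rdata(self):
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self):
        """RFC 4034 Appendix B: a 16-bit checksum over the RDATA used to pick a
        key out of the RRset. It is not collision-resistant, so it is only a
        hint; the digest is what actually binds DS to DNSKEY."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def name_to_wire(name):
    """Canonical (lower-case) wire form: length-prefixed labels plus a root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: str        # lower-case hex

    def presentation(self):
        return f"{self.owner} IN DS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest.upper()}"


def make_ds(key, digest_type=2):
    """DS = (key tag, algorithm, digest type, digest(owner_wire || DNSKEY RDATA))."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(key.owner) + key.rdata()).hexdigest()
    return DS(key.owner, key.key_tag(), key.algorithm, digest_type, digest)


def ds_matches(ds, key):
    """The parent-side check a validator makes at a delegation: the DS must
    reproduce exactly from the child's DNSKEY. Owner, key tag and algorithm
    must agree, and the digest must recompute to the published value."""
    same_owner = ds.owner.lower().rstrip(".") == key.owner.lower().rstrip(".")
    if not (same_owner and ds.key_tag == key.key_tag() and ds.algorithm == key.algorithm):
        return False
    return make_ds(key, ds.digest_type).digest == ds.digest.lower()


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 8, dummy key 00 01 02 03.
SAMPLE_KSK = DNSKEY.from_presentation("example.com.", "257 3 8 AAECAw==")

if __name__ == "__main__":
    ds = make_ds(SAMPLE_KSK)
    print(ds.presentation())
    print("matches:", ds_matches(ds, SAMPLE_KSK))
```

Because the key tag is only a checksum, two different keys can share one; the second tampered key in the test keeps the tag of the sample key but still fails, which is why a validator compares the digest and never just the tag.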
Add DS Records for example.com (8.3a – 8.3c)
(on tld1)
# nano zones/dsset-example.com.
Sign Records in "example.com" Zone (8.4)
• Check DS consistency before they are deployed (preview):
$ ./dnsviz probe -A -a . -N example.com:a.local-sld-servers.net -D example.com:zones/dsset-example.com. -p example.com | dnsviz graph -Thtml -O
• Re-analyze:
$ firefox example.com.html &
Sign Records in "example.com" Zone (8.5 – 8.6)
• Sign zone (on tld1):
# ./resign_tld
• Re-analyze:
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
![Page 70: Hands-On DNSSEC with DNSViz - NANOG Archive...Feb 06, 2017 · $ dig +dnssec+multi @a.iana-servers.netexample.com present response in multi-line format with comments (for readability)](https://reader035.vdocuments.site/reader035/viewer/2022071001/5fbd2b0a9dd6c147fc0a8cc8/html5/thumbnails/70.jpg)
Previewdnsviz graphOutput:FullChainofTrust
72
View dnsviz graph Output: Full Chain of Trust
View dig Output: AD bit
Fun with DNSViz
Use KSK to Only Sign DNSKEY RRset (9.1 – 9.3)

# dnssec-signzone -x -r /dev/urandom \
    -k $KSK -o example.com zones/db.example.com $ZSK
  (-x: don’t sign zone data with KSK)
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: KSK-only
View dig Output: AD bit
Add New KSK to example.com Zone (9.4 – 9.8)
• Generate new KSK:
# NEWKSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 \
    -r /dev/urandom example.com`
# cat $NEWKSK.key >> zones/db.example.com
• Re-sign zone:
# dnssec-signzone -x -r /dev/urandom \
    -k $KSK -o example.com zones/db.example.com $ZSK
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: Standby KSK
View dig Output: AD bit
Add New KSK to example.com Zone (9.9 – 9.11)
• Re-sign zone with two KSKs:
# dnssec-signzone -x -r /dev/urandom \
    -k $KSK -k $NEWKSK -o example.com zones/db.example.com $ZSK
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: Multiple KSKs
View dig Output: AD bit
Change KSK for example.com Zone (9.12 – 9.13)
• Sign with only the second KSK:
# dnssec-signzone -x -r /dev/urandom \
    -k $NEWKSK -o example.com zones/db.example.com $ZSK
$ dnsviz probe -A -a . -x example.com:zones/db.example.com.signed -p \
    example.com | dnsviz graph -Thtml -O
$ firefox example.com.html &
Change KSK for example.com Zone (9.14 – 9.15)
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
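The DS preview in exercise 8.4 and the DS-mismatch result of 9.12 – 9.15 rest on the same computation: a DS record is a hash of the canonical owner name followed by the DNSKEY RDATA, and a validator picks the candidate key by key tag and algorithm, then requires that key to have signed the DNSKEY RRset. The Python below is an added example, not code from the tutorial or from DNSViz; it implements the key tag and DS digest from RFC 4034, checks a dsset file against a DNSKEY RRset the way the 8.4 preview does, and replays the rollover states as a validator sees them. Every record in it is constructed: the public keys are 4-byte dummies so the key tags (2063, 6175, 4118) can be checked by hand, and the step labels are the editor's, not DNSViz's.

```python
"""DS/DNSKEY consistency and the KSK-rollover states of exercises 9.1-9.15.

Added example; not the tutorial's or DNSViz's code. Implements the DS digest
(RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B). All records are
constructed; the public keys are 4-byte dummies so tags can be checked by hand.
"""
import base64
import hashlib

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B: a 16-bit checksum of the RDATA (not a hash; tags can collide)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line):
    """'owner TTL IN DNSKEY flags proto alg key...' -> (owner, flags, proto, alg, key_b64)."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:])


def parse_ds(line):
    """'owner [TTL] IN DS tag alg dtype digest...' -> (owner, tag, alg, dtype, digest)."""
    f = line.split()
    i = f.index("DS")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def make_ds(owner, dnskey_line, digest_type):
    """The DS line dnssec-signzone writes to dsset-<zone>. for a given DNSKEY."""
    _, flags, proto, alg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type,
                                     ds_digest(owner, rdata, digest_type))


def check_dsset(dsset_text, dnskey_text):
    """Exercise 8.4's preview: per DS, 'match', 'digest mismatch' or 'no DNSKEY ...'."""
    keys = [parse_dnskey(l) for l in dnskey_text.splitlines() if "DNSKEY" in l.split()]
    results = []
    for line in dsset_text.splitlines():
        if "DS" not in line.split():
            continue
        _, tag, alg, dtype, digest = parse_ds(line)
        status = "no DNSKEY with key tag %d / algorithm %d" % (tag, alg)
        for owner, flags, proto, kalg, key in keys:
            rdata = dnskey_rdata(flags, proto, kalg, key)
            if kalg == alg and key_tag(rdata) == tag:  # tag + algorithm select the candidate
                status = "match" if ds_digest(owner, rdata, dtype) == digest else "digest mismatch"
                break
        results.append((tag, dtype, status))
    return results


def chain_status(ds_lines, dnskey_text, signer_tags):
    """Secure only if a parent DS matches a child DNSKEY that also signed the DNSKEY RRset."""
    usable = [tag for tag, _, status in check_dsset(ds_lines, dnskey_text) if status == "match"]
    if not usable:
        return "bogus: no DS matches any DNSKEY (DS mismatch)"
    if not any(tag in signer_tags for tag in usable):
        return "bogus: DS-matched key %s did not sign the DNSKEY RRset" % usable
    return "secure"


# Constructed sample RRset (dummy 4-byte public keys); key tags computed by hand.
OLD_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="  # key tag 2063
NEW_KSK = "example.com. 3600 IN DNSKEY 257 3 8 CQoLDA=="  # key tag 6175
ZSK = "example.com. 3600 IN DNSKEY 256 3 8 BQYHCA=="      # key tag 4118


def rollover_walkthrough():
    """Exercises 9.1-9.15 as (published keys, keys signing the DNSKEY RRset, parent DS)."""
    old_ds = make_ds("example.com.", OLD_KSK, 2)  # what the parent (com) currently publishes
    new_ds = make_ds("example.com.", NEW_KSK, 2)
    steps = [
        ("9.1 old KSK only", [OLD_KSK, ZSK], {2063}, old_ds),
        ("9.4 new KSK published, standby", [OLD_KSK, NEW_KSK, ZSK], {2063}, old_ds),
        ("9.9 both KSKs sign", [OLD_KSK, NEW_KSK, ZSK], {2063, 6175}, old_ds),
        ("9.12 new KSK only, DS still old", [OLD_KSK, NEW_KSK, ZSK], {6175}, old_ds),
        ("DS updated at parent", [NEW_KSK, ZSK], {6175}, new_ds),
    ]
    return {name: chain_status(ds, "\n".join(keys), signers) for name, keys, signers, ds in steps}
```

Run `rollover_walkthrough()` and the 9.12 state comes back bogus for the reason the dig SERVFAIL slide shows: the DS at the parent still names the old KSK, and that key no longer signs the DNSKEY RRset, so the DS must be replaced (or the old KSK kept signing) before the old key is retired. To check a real zone, feed `check_dsset` the contents of zones/dsset-example.com. and the DNSKEY lines from `dig +dnssec +multi example.com DNSKEY`; RFC 4034 Appendix B and RFC 4509 section 2.3 give a DNSKEY/DS pair to validate the functions against.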
View dnsviz graph Output: DS Mismatch
View dig Output: SERVFAIL
Tamper with Record Content (9.16 – 9.18)
• Change SOA record:
# sed -i -e 's/root.localhost/root1.localhost/' \
    zones/db.example.com.signed
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
View dnsviz graph Output: Invalid Signatures
Change RRSIG Expiration (9.19 – 9.22)
• Set the RRSIG expiration explicitly to 1 second from “now”
# dnssec-signzone -x -e now+1 -r /dev/urandom \
    -k $NEWKSK -o example.com zones/db.example.com $ZSK
• Manipulate (again) SOA record
# sed -i -e 's/root.localhost/root1.localhost/' \
    zones/db.example.com.signed
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
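What `-e now+1` produces is a zone whose signatures are already expired by the time a resolver sees them, which is the same failure a forgotten re-sign causes in production. The Python below is an added example, not code from the tutorial or from DNSViz; it parses RRSIG records in presentation format and classifies each signature's validity window against a given clock, with a skew allowance and an "expiring soon" warning so a monitor can catch the problem before it becomes SERVFAIL. The RRSIG lines, the key tags and the signature fields in it are constructed (the signatures are dummies and are not verified).

```python
"""RRSIG validity-window check, the monitor-side view of exercises 9.19-9.22.

Added example; not the tutorial's or DNSViz's code. Sample records are
constructed; times are the zone-file YYYYMMDDHHMMSS form, treated as UTC.
"""
from datetime import datetime, timedelta, timezone

# Constructed RRSIG RRs: owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
# (the signature field is a dummy; nothing here verifies it). "Now" for the sample is 2017-02-08 14:00 UTC.
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20170315000000 20170213000000 4118 example.com. ZHVtbXk=
example.com. 3600 IN RRSIG A 8 2 3600 20170209120000 20170208120000 4118 example.com. ZHVtbXk=
example.com. 3600 IN RRSIG AAAA 8 2 3600 20170208120101 20170208120100 4118 example.com. ZHVtbXk=
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20170315000000 20170201000000 2063 example.com. ZHVtbXk=
"""


def parse_time(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Field order after the RRSIG type: covered, alg, labels, origttl, expiration, inception, tag, signer."""
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0], "type": f[i + 1], "alg": int(f[i + 2]),
            "expiration": parse_time(f[i + 5]), "inception": parse_time(f[i + 6]),
            "keytag": int(f[i + 7]), "signer": f[i + 8]}


def classify(sig, now, warn_days=3, skew_seconds=3600):
    """'expired' | 'not yet valid' | 'expiring soon' | 'ok'.

    Validators compare these times with 32-bit serial arithmetic (RFC 4034
    section 3.1.5); datetime is fine for dates near the present. skew_seconds
    is the tolerance a lenient validator might allow; the exercise's now+1
    signatures are expired even for a tolerant validator a few minutes later.
    """
    skew = timedelta(seconds=skew_seconds)
    if now > sig["expiration"] + skew:
        return "expired"
    if now < sig["inception"] - skew:
        return "not yet valid"  # e.g. a signer host with a clock set in the future
    if sig["expiration"] - now <= timedelta(days=warn_days):
        return "expiring soon"
    return "ok"


def check_rrsigs(text, now, **kw):
    """[(type covered, key tag, status)] for every RRSIG line in text."""
    sigs = [parse_rrsig(l) for l in text.splitlines() if "RRSIG" in l.split()]
    return [(s["type"], s["keytag"], classify(s, now, **kw)) for s in sigs]


def severity(results):
    """Exit-code style: 2 = signatures invalid now, 1 = expiring soon, 0 = nothing to report."""
    statuses = {st for _, _, st in results}
    if statuses & {"expired", "not yet valid"}:
        return 2
    return 1 if "expiring soon" in statuses else 0


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for covered, tag, status in check_rrsigs(SAMPLE_RRSIGS, now):
        print("%-7s keytag %5d  %s" % (covered, tag, status))
```

Against the sample clock the SOA signature is "not yet valid" (its inception is five days ahead), the A signature is "expiring soon", the AAAA signature is the expired now+1 case, and the DNSKEY signature is fine. To run this over a live zone, feed it the RRSIG lines from `dig +dnssec +multi example.com <type>` and the current time; `warn_days` should be larger than the re-signing interval so the warning fires while there is still time to act.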
View dnsviz graph Output: Expired RRSIGs
Remove RRSIGs (9.23 – 9.26)
• Remove RRSIG covering AAAA record (on sld1)
# nano zones/db.example.com.signed
or
# vi zones/db.example.com.signed
• Check zone
# named-checkzone example.com zones/db.example.com.signed
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
Remove RRSIG for AAAA Record from Zone
View dnsviz graph Output: Missing RRSIGs
Modify TCP Connectivity (9.27 – 9.28)
• Reject TCP connection requests
# ip6tables -A INPUT -m state --state NEW -p tcp \
    --dport 53 -j REJECT
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
View dnsviz graph Output: No TCP
Modify Path MTU (9.29 – 9.30)
• Drop UDP responses with payloads larger than 512 bytes
# iptables -A OUTPUT -p udp --sport 53 \
    -m length --length 540:65535 -j DROP
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
View dnsviz graph Output: Low PMTU
Add Lame Delegation (9.31 – 9.33)
• Add second delegation NS record for example.com in com zone (on tld1)
# nano zones/db.com
or
# vi zones/db.com
• Sign com zone (on tld1)
# ./resign_tld
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
Add Second NS Record for example.com
View dnsviz graph Output: Lame Delegation
Graph Only Select RRsets (9.34)

$ dnsviz graph -R A,AAAA -Thtml -O < example.com-working.json
  (-R A,AAAA: only graph A and AAAA RRsets)
$ firefox example.com.html &
View dnsviz graph Output: Select RRsets
Analyze with dnsviz print (9.35)

$ dnsviz print -R A,AAAA < example.com-working.json
View dnsviz graph Output: Select RRsets
DNSViz Recursive Server Analysis
Analyze example.com on Recursive Server (10.1)

$ dnsviz probe example.com | dnsviz graph -Thtml -O
  (no “-A” option means query recursive servers)
$ firefox example.com.html &
View dnsviz graph Output: Recursive
DNSViz Programmatic Analysis
dnsviz probe Revisited (11.1)

$ medit example.com-working.json &
or
$ vi example.com-working.json
View dnsviz probe Output: Diagnostic Query History
dnsviz grok Revisited (10.3 – 10.4)

$ dnsviz grok -l warning -p < example.com-broken.json \
    > example.com-working-p.json
$ medit example.com-working-p.json &
or
$ vi example.com-working-p.json
View dnsviz grok Output: Errors, Warnings, Statuses
Monitoring with DNSViz
• Sample script uses combination of dnsviz get and dnsviz graph, e.g., for use with cron

#!/bin/sh
name=$1
date=`date +%Y%m%d%H%M%S`
probe_out=/tmp/$name-probe-$date.json
grok_out=/tmp/$name-grok-$date.json
graph_out=/tmp/$name-graph-$date.png

# probe the authoritative servers (-A) and save the raw query history
dnsviz probe -A -d 0 -p $name > $probe_out
# grok at the warning level: non-empty output means there is something to report
dnsviz grok -l warning -p $name < $probe_out > $grok_out
# POSIX test instead of bash's (( )), since the script runs under /bin/sh
if [ "$(stat -c %s "$grok_out")" -gt 0 ]; then
    dnsviz graph -Tpng -o $graph_out $name < $probe_out
    gzip $probe_out
    cat $grok_out | \
        mutt -s "Problems with $name" -a $graph_out $grok_out.gz -- \
        admin@example.com   # placeholder recipient; the address on the slide was not captured
fi
rm $probe_out* $grok_out $graph_out
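The script above mails the raw grok JSON whenever it is non-empty, which is a sensible first cut but means every warning produces a message. The Python below is an added example, not the tutorial's script or DNSViz code; it walks grok-style JSON, counts errors and warnings wherever they occur in the tree, and returns a severity so a cron job can page on errors and only log warnings. SAMPLE_GROK is constructed and simplified: it keeps only the shape the walker depends on (nested dicts and lists in which "errors" and "warnings" lists hold items with a "description"), and its codes and descriptions are illustrative rather than copied from a real dnsviz grok run.

```python
"""Summarize dnsviz grok output for a cron-style monitor.

Added example; not the tutorial's script or DNSViz code. SAMPLE_GROK is a
constructed, simplified stand-in for grok output: the walker only assumes that
"errors"/"warnings" lists of {"description": ...} items may appear at any depth.
"""
import json

SAMPLE_GROK = json.dumps({
    "example.com": {
        "status": "BOGUS",
        "queries": {
            "example.com/IN/A": {"answer": [{"rrsig": [{
                "status": "INVALID",
                "errors": [{"code": "SIGNATURE_INVALID",
                            "description": "constructed: the RRSIG over the A RRset does not validate"}]}]}]},
            "example.com/IN/AAAA": {"answer": [{
                "errors": [{"code": "MISSING_RRSIG",
                            "description": "constructed: no RRSIG covers the AAAA RRset"}]}]},
            "example.com/IN/SOA": {"answer": [{"rrsig": [{
                "status": "VALID",
                "warnings": [{"code": "RRSIG_EXPIRING",
                              "description": "constructed: the RRSIG expires within the warning window"}]}]}]},
        },
    }
})


def walk(node, path=()):
    """Yield (path, level, description) for every errors/warnings item at any depth."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in ("errors", "warnings") and isinstance(val, list):
                for item in val:
                    desc = item.get("description", json.dumps(item)) if isinstance(item, dict) else str(item)
                    yield "/".join(path), key[:-1], desc  # "errors" -> "error", "warnings" -> "warning"
            else:
                yield from walk(val, path + (str(key),))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, path + (str(i),))


def summarize(grok_json):
    """{'severity': 0|1|2, 'counts': {'error': n, 'warning': m}, 'findings': [...]}."""
    findings = list(walk(json.loads(grok_json)))
    counts = {"error": 0, "warning": 0}
    for _, level, _ in findings:
        counts[level] += 1
    severity = 2 if counts["error"] else (1 if counts["warning"] else 0)
    return {"severity": severity, "counts": counts, "findings": findings}


def report(name, grok_json):
    """The text a cron job would mail, or None when there is nothing to report."""
    s = summarize(grok_json)
    if s["severity"] == 0:
        return None
    lines = ["%s: %d error(s), %d warning(s)" % (name, s["counts"]["error"], s["counts"]["warning"])]
    for path, level, desc in s["findings"]:
        lines.append("  [%s] %s: %s" % (level.upper(), path, desc))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("example.com", SAMPLE_GROK) or "nothing to report")
```

Dropped into the cron script, `python3 summarize.py < $grok_out` (a hypothetical file name) would replace the size test: exit status 2 triggers the mutt call with the graph attached, status 1 goes to a log, and 0 is silent. Because the walker is path-agnostic, it keeps working if grok nests findings differently from the sample; the price is that the paths it prints are positional rather than DNSViz's own labels.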
Summary
• Understanding and analyzing DNS and DNSSEC can be complex.
• DiG, BIND, DNSViz, and other tools can aid in understanding, troubleshooting, and monitoring.
• Maintain and monitor your DNS zones!
Further Information on DNSViz
• Source: https://github.com/dnsviz/dnsviz (License: GPLv2)
• Online version: http://dnsviz.net/
• Mailing list: https://groups.google.com/d/forum/dnsviz-users