Tag: DNSSEC

My participation at #Afrinic29 in Yasmine Hammamet, Tunisia

My participation at Afrinic-29 in Hammamet, Tunisia was productive and unique in itself. The event took place between 26 and 30 November 2018 at the Diar Lemdina hotel. These are days that will always be remembered. Situated in the north of Tunisia, Yasmine Hammamet was the place selected, and it was close to the beach. I still can't believe I was on the Mediterranean beach discussing Internet-related topics such as DNS, DNSSEC and policy development in the Africa region.


Before departing, I seized the opportunity to make a video and posted it on my Tunnelix.com Facebook page as well as on my Tunnelix Twitter account.

For various reasons, I had to travel to Hungary, then to Germany and then to Tunisia, so I got the opportunity to spend a night in Munich in transit. The hotel in Munich was pretty nice and cosy. The next day, I flew to Tunisia. Once landed at Carthage in Tunisia, the atmosphere was pretty polluted, but as soon as I reached Yasmine Hammamet, things were different. It was a pretty beautiful and calm place.

My main objectives were to:

  • Focus on the DNSSEC hackathon carried out under the umbrella of cyberstorm.mu, titled Operation KSK-ROLLOVER.
  • Share knowledge in the Africa region.
  • Allocation of IPv4 and IPv6 in the Africa region.
  • Present DNS and DNSSEC.
  • DNS Flag Day.
  • Security incidents on DNS.
  • Policy development discussions in Africa.

During the event, I got the opportunity to speak with Afrinic29 fellow Souad Abidi, who shared a pretty good account of the event.

I also met some people from the Republic of Chad and we shared some Linux and network techniques. Besides, I met several people from ATI Tunisia telecom and we discussed the event a lot, especially policy development. I'm glad to have received media coverage from the cyberstorm.mu team, who supported me a lot, as well as from ICT.IO, which published an article about the event.


Overall, the event was very productive. I seized the opportunity to congratulate the Afrinic staff during the open mic session. Indeed, they did a good job, which demands extreme planning. During my speech on DNSSEC as a DevOps engineer at Orange Business Services, several points were raised, such as the hackathon carried out by the cyberstorm.mu team and even prospective future hackathons concerning other DNS applications. I also attended a few sessions on IPv6, CERT Africa and others, and got the opportunity to meet people who are very busy with policy development in Africa, as well as the father of the African Internet, Nii Quaynor.

During my free time, especially at night, I went to the NA3NA3A karaoke for Tunisian songs. It was pretty nice and unique. I took some videos and made some audio recordings for the car whilst I'm driving.

You can also view my YouTube playlist for Afrinic29 here and here.

Several pictures I took can be viewed on my Flickr account:

Afrinic29

Operation KSK-ROLL by cyberstorm.mu – KSK Rollover Explained

The last cyberstorm.mu event was on open-source licensing with Dr. Till Jaeger at Flying Dodo, Bagatelle Mall, Mauritius. We discussed several issues concerning cybersecurity laws, trademarks, open-source licensing issues, etc. Dr. Till Jaeger appreciated the meetup and encouraged us to evangelise more on open source. The event was organised by Loganaden Velvindron, a member of cyberstorm.mu.

Dr. Till Jaeger brought a surprise gift to Logan 🙂

I should say that we were already planning our next event, hence a hackathon, Operation KSK-ROLL, by the cyberstorm.mu team, which was pretty easy, important and successful. Dr. Till Jaeger congratulated us for creating the cyberstorm.mu team. Several pull requests were sent to many repositories to encourage developers to adopt the new key.


What is Operation KSK-ROLL?

At cyberstorm.mu all non-IETF hackathons are usually given a name. For the KSK rollover hackathon we chose 'Operation KSK-Roll'. Operation KSK-ROLL was started to make sure that software shipping a copy of the root trust anchor is up to date with the new root KSK, so that it still validates after the roll.

What is the KSK rollover?

The root zone KSK rollover happened on 11 October 2018 at 16:00 UTC. Rolling the KSK means generating a new cryptographic key pair (a public and a private key) for the root zone's Key Signing Key and switching the root zone's signatures from the old key (KSK-2010, key tag 19036) to the new one (KSK-2017, key tag 20326).

What are those keys?

The public key is distributed to everyone who operates a validating DNS resolver, such as ISPs, network administrators and system integrators, who configure it as their trust anchor; it is also published in the root zone's DNSKEY RRset. The private key is kept secret: it is held by IANA and is only used during the key signing ceremonies that sign the root zone's DNSKEY RRset.

If it's secret, why do we need to generate another secret key?

For the same reason any long-lived key is rotated: generating a fresh key limits the damage if the old one were ever compromised or leaked, and actually performing a rollover proves that the procedure works before it is needed in an emergency. The 2018 roll was the first change of the root KSK since the root zone was signed in 2010. The security layer that this key anchors on top of DNS is DNSSEC.

What are DNS resolvers?

Every website is reached by an IP address; tunnelix.com is a domain name that stands in front of one. When your browser needs that address, it asks a DNS resolver, usually the recursive resolver run by your ISP, your company or a public service. The resolver finds the answer by querying the root servers, then the .com servers, then the name servers authoritative for tunnelix.com, and caches what it learns. With the IP address in hand, the browser connects and renders the website.

What is DNSSEC?

As mentioned previously, DNSSEC (DNS Security Extensions) is a set of IETF standards (RFC 4033 to 4035) that add cryptographic signatures to DNS data. Each zone signs its records with its own keys, and each parent zone publishes a hash of its child's key (the DS record), so a chain of trust runs from the root zone down to the zone you are looking up. A validating resolver checks this chain and rejects data that does not verify. Note what it does and does not give you: origin authentication and integrity of the records, not confidentiality, and the protection normally ends at the validating resolver rather than at your browser unless the last hop is protected as well.

How will you know if a website is DNSSEC signed?

There is a tool from Verisign Labs, the DNSSEC Analyzer. You enter a domain name, say tunnelix.com, and it walks the chain from the root (.), through com, down to tunnelix.com, showing the public keys at each step and whether every link verifies.

credits to: verisignlabs.com

Is there another way to verify it?

Yes, you can use nslookup or dig. With dig, query with +dnssec and look at two things: whether RRSIG records come back alongside the answer, which shows the zone is signed, and whether the ad (authentic data) flag is set in the header, which shows that the resolver you asked actually validated the chain. A caveat: the ad flag depends on the resolver, not the domain, so on a non-validating resolver a perfectly signed domain shows no ad, and without +dnssec no RRSIGs are returned at all. In the case of dig, here is a screenshot.

[Screenshot: dig output]

What is the logic behind the DIG command?

Back in 2015 I explained the anatomy of the dig command in a blog post called "Anatomy of a simple dig result", which you can read for more details.


What is the role of the KSK?

The KSK private key signs the zone's DNSKEY RRset, the set of records that publishes the zone's public keys, including the ZSK's. The KSK public key is itself published in that RRset as a DNSKEY record with the SEP (Secure Entry Point) flag set, giving it the flags value 257, and the parent zone publishes a DS record containing a hash of it. That DS is what a validator follows from parent to child. So the KSK is a key that signs another key, the ZSK; that is why it is called the "Key Signing Key". The root zone has no parent, so its KSK public key is configured directly in resolvers as the trust anchor, which is why a root KSK rollover needs every validating resolver to pick up the new key.

So, what is the ZSK?

The ZSK (Zone Signing Key) is another private-public key pair. Its private half signs every RRset in the zone, producing one RRSIG (Resource Record Signature) record per RRset, and its public half is published in the DNSKEY RRset with the flags value 256 (no SEP bit) so that resolvers can verify those RRSIGs. Because only the KSK is referenced from the parent's DS record, the ZSK can be rolled frequently without involving the parent zone.

What are RRsets?

An RRset (Resource Record set) is the group of all records that share the same owner name, class and type; for example, all the A records of tunnelix.com form one RRset. DNSSEC signs RRsets rather than individual records, so one RRSIG covers the whole set, and a validator must see the complete set to verify it.
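The KSK/ZSK/DS relationship above, and the reason the rollover forces resolvers to update, can be made concrete with the two computations a validator actually performs: the RFC 4034 key tag that identifies a DNSKEY, and the DS digest that ties a child's KSK to its parent (or, for the root, to the resolver's configured trust anchor). The code below is an added example, not code from the post or from cyberstorm.mu. All function and class names are mine, the key bytes are constructed dummies (the real KSK-2010 and KSK-2017 have key tags 19036 and 20326), and the digests are real SHA-1/SHA-256 over those dummies.

```python
"""
Added example (not from the post or cyberstorm.mu): the RFC 4034 key tag and
DS digest computations that let a validator tie a zone's KSK to the DS record
in the parent, or, for the root, to the trust anchor configured in the
resolver.  Key bytes below are constructed dummies: the arithmetic is real,
the keys are not.
"""
import hashlib
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (flags 256)


@dataclass(frozen=True)
class DNSKEY:
    owner: str        # owner name, "." for the root zone
    flags: int
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 8 = RSASHA256, 13 = ECDSAP256SHA256, ...
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5):
        sum the RDATA as 16-bit big-endian words and fold the carry back in."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(key: DNSKEY, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 section 5.1.4): hash(owner name in wire form || DNSKEY RDATA).
    Only digest types 1 (SHA-1) and 2 (SHA-256) are handled here."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(key.owner) + key.rdata()).hexdigest().upper()


def trust_anchor(key: DNSKEY, digest_type: int = 2) -> tuple:
    """DS-form anchor: what a parent publishes, or what a resolver configures for the root."""
    return (key.key_tag(), key.algorithm, digest_type, ds_digest(key, digest_type))


def ds_record(key: DNSKEY, digest_type: int = 2) -> str:
    tag, alg, dtype, digest = trust_anchor(key, digest_type)
    return f"{key.owner} IN DS {tag} {alg} {dtype} {digest}"


def find_anchored_ksk(dnskey_rrset, anchors):
    """Return the KSK in a DNSKEY RRset that matches one of the configured anchors, or None.
    This is the check a validator does at the top of the chain: with only the
    pre-rollover anchor configured, the post-rollover root DNSKEY RRset matches
    nothing, validation fails, and every lookup comes back SERVFAIL."""
    for key in dnskey_rrset:
        if key.is_ksk() and any(trust_anchor(key, a[2]) == a for a in anchors):
            return key
    return None


# Constructed stand-ins for the root keys (not the real KSK-2010 / KSK-2017 material).
OLD_KSK = DNSKEY(".", 257, 3, 8, bytes([0x01, 0x02, 0x03, 0x04]))
NEW_KSK = DNSKEY(".", 257, 3, 8, bytes([0x0A, 0x0B, 0x0C, 0x0D]))
ROOT_ZSK = DNSKEY(".", 256, 3, 8, bytes([0x10, 0x20, 0x30, 0x40]))
ROOT_DNSKEY_AFTER_ROLL = [NEW_KSK, ROOT_ZSK]   # the old KSK has been removed from the zone

if __name__ == "__main__":
    for k in (OLD_KSK, NEW_KSK, ROOT_ZSK):
        print("KSK" if k.is_ksk() else "ZSK", k.key_tag(), ds_record(k))
    stale = [trust_anchor(OLD_KSK)]
    print("stale resolver finds:", find_anchored_ksk(ROOT_DNSKEY_AFTER_ROLL, stale))
    print("updated resolver finds:", find_anchored_ksk(ROOT_DNSKEY_AFTER_ROLL, stale + [trust_anchor(NEW_KSK)]))
```

The same key tag and digest routine is what you would use to check that a DS record your registrar published really matches the KSK in your zone, the most common DNSSEC misconfiguration in practice: feed it the DNSKEY from the zone and compare against the DS served by the parent.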

My contributions for KSK ROLL

Please follow me on my GitHub account. One of the repositories is Nagval, a plugin to check the validity of one or more DNSSEC domains.

For more information about DNSSEC, ZSK, KSK, etc., I would advise checking out Cloudflare's documentation, which is a good source of information.

Cyberstorm.mu continues to go beyond and further with innovations and more ideas to protect and secure the Internet. We believe that, though we are a small team, we will be able to recruit more people who are strongly interested in developing their skills and striving for excellence.

I also wish to seize this opportunity to thank Manuv Panchoo for designing the logo of tunnelix.com.


All rights reserved: tunnelix.com

Anatomy of a simple dig result

The ‘dig’ (Domain Information Groper) command is one of the tools most frequently used to troubleshoot DNS and BIND configurations. Its main purpose is to perform DNS lookups and query DNS servers. Though the subject is vast, I decided to blog some DNS stuff under the ‘Bind and DNS tools’ category, which I just created. I will keep updating this article as I find interesting dig commands.



Let’s analyse the result of a simple dig google.com. You will get a result similar to the one below. When given only a name and no record type, dig queries for the A record.

1. I ran dig google.com in my Linux terminal

# dig google.com

2. The first line of output is dig's own version banner, not part of the DNS message. Before printing it, the process does the usual start-up work that strace shows: the dynamic loader reads /etc/ld.so.cache and the shared libraries it points to, the C library issues a uname() system call (a system call made at start-up, not the uname command being run), and dig reads /etc/resolv.conf to learn which name server to send the query to.


; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> google.com

3. The line ;; global options: +cmd lists the options in force that are not tied to a single query; +cmd (print the banner and command line) is on by default. The next line is the DNS message header. The opcode is QUERY for a normal lookup (the other opcodes, such as NOTIFY and UPDATE, are not used by a plain dig). The status is the response code (RCODE) that tells you whether the query succeeded: NOERROR here, while NXDOMAIN, SERVFAIL and REFUSED are the common failures. The id is the 16-bit message identifier that dig chose for the query and the server echoed back; it is how the answer is matched to the question (;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35133).

The flags qr (query response), rd (recursion desired) and ra (recursion available) are header bits defined in RFC 1035; dig prints the names of the bits that are set. QR is 0 in a query and 1 in a response, so it always appears in what dig shows you. RD is set by dig in the query and copied into the response, and RA is set by the server when it is willing to do recursion for you. Two bits that are absent here also tell a story: aa (authoritative answer) is missing because 4.2.2.1 is a recursive resolver answering from its cache, and ad (authentic data) is missing because the resolver did not DNSSEC-validate this answer.

QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 are the record counts for the four sections that follow: one question, two answer records, and nothing in the authority and additional sections.


;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35133
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

4. The “question section” repeats what you asked for: the name google.com, class IN, type A. An A record maps a name to an IPv4 address (AAAA is the IPv6 equivalent). There are many other DNS record types, which I will elaborate on in future articles.

;; QUESTION SECTION:
;google.com.            IN    A

5. Each answer line reads owner name, TTL, class, type, data. The number 173 is the TTL (Time To Live) in seconds: how long a resolver may keep the record in its cache before it must ask again. It is a 32-bit field (RFC 2181 restricts usable values to 0 through 2^31-1), and a TTL of zero is used for data so volatile that it should never be cached. Note that 173 is the time remaining in 4.2.2.1's cache, not the value the authoritative server publishes: ask again and it counts down. IN refers to Internet, i.e. the class the record belongs to.

To sum up, we read it as follows: google.com has two A records, 74.125.226.168 and 74.125.226.162, each cacheable for another 173 seconds; together they form one RRset.


;; ANSWER SECTION:
google.com.        173    IN    A    74.125.226.168
google.com.        173    IN    A    74.125.226.162

6. This last block is statistics about the exchange rather than DNS data: how long the query took, the server that answered (IP address 4.2.2.1 on port 53, the DNS port), the local timestamp, and the size of the message received, 204 bytes.

;; Query time: 22 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Sun Nov 08 01:19:23 EST 2015
;; MSG SIZE  rcvd: 204

More detail can be obtained by running dig under strace. RFC 1035 is also of great help, and the Internet Systems Consortium (ISC), which maintains BIND and dig, has further documentation on its website.
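Reading these sections back programmatically is what you end up doing as soon as dig output feeds a monitoring check, so here is the parser I would write for it. This is an added example, not code from the post: it splits dig's text output into the header, flags, counts and record sections described above, groups the answer into RRsets (the unit one RRSIG covers, as in the KSK-ROLL post), and reports the DNSSEC state from the ad flag, the DO bit and any RRSIG records, which is the check the "Is there another way to verify it?" answer describes. SAMPLE_PLAIN is the google.com output shown in the post; SAMPLE_SIGNED is constructed (documentation-range addresses, a dummy signature and key tag) to show a validated +dnssec answer. All names are my own.

```python
"""Added example, not code from the post: parse dig's text output into the header,
flags and sections described in the post, group the answer into RRsets, and read the
DNSSEC state from the ad flag, the DO bit and any RRSIG records."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)$")
FLAGS_RE = re.compile(r"^;; flags:([^;]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)$")
EDNS_RE = re.compile(r"^;+ EDNS: .*flags:([^;]*)")     # "; EDNS: version: 0, flags: do; udp: 4096"
SERVER_RE = re.compile(r"^;; SERVER: (\S+)#(\d+)")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+(\S+)\s*(.*)$")  # owner ttl class type rdata


@dataclass
class DigResult:
    opcode: str = ""
    status: str = ""           # RCODE: NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...
    msg_id: int = 0
    flags: set = field(default_factory=set)
    counts: dict = field(default_factory=dict)
    dnssec_ok: bool = False    # DO bit: the query asked for RRSIGs (+dnssec)
    server: str = ""
    port: int = 0
    sections: dict = field(default_factory=lambda: defaultdict(list))  # name -> [(owner, ttl, cls, type, rdata)]


def parse_dig(text: str) -> DigResult:
    """';' lines are dig's comments (banner, header, stats, question); bare lines in a section are RRs."""
    r = DigResult()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            r.opcode, r.status, r.msg_id = m.group(1), m.group(2), int(m.group(3))
        elif m := FLAGS_RE.match(line):
            r.flags = set(m.group(1).split())
            r.counts = dict(zip(("QUERY", "ANSWER", "AUTHORITY", "ADDITIONAL"), map(int, m.groups()[1:])))
        elif m := EDNS_RE.match(line):
            r.dnssec_ok = "do" in m.group(1).split()
        elif m := SERVER_RE.match(line):
            r.server, r.port = m.group(1), int(m.group(2))
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]   # QUESTION, ANSWER, AUTHORITY, ADDITIONAL, OPT
        elif line.startswith(";"):
            continue
        elif section and (m := RR_RE.match(line)):
            owner, ttl, cls, rtype, rdata = m.groups()
            r.sections[section].append((owner, int(ttl), cls, rtype, rdata))
    return r


def rrsets(result: DigResult, section: str = "ANSWER") -> dict:
    """Group records by (owner, type): an RRset is the unit one RRSIG covers."""
    sets = defaultdict(list)
    for owner, _ttl, _cls, rtype, rdata in result.sections.get(section, []):
        sets[(owner, rtype)].append(rdata)
    return dict(sets)


def dnssec_status(result: DigResult) -> str:
    """validated: resolver set ad, it checked the chain for us.  signed: RRSIGs but no ad,
    non-validating resolver.  unsigned: DO set, no RRSIGs.  unknown: DO not set, rerun +dnssec."""
    if "ad" in result.flags:
        return "validated"
    if any(rr[3] == "RRSIG" for rr in result.sections.get("ANSWER", [])):
        return "signed"
    return "unsigned" if result.dnssec_ok else "unknown"


SAMPLE_PLAIN = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> google.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35133
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.            IN    A

;; ANSWER SECTION:
google.com.        173    IN    A    74.125.226.168
google.com.        173    IN    A    74.125.226.162
;; SERVER: 4.2.2.1#53(4.2.2.1)
"""

SAMPLE_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tunnelix.com.          IN    A

;; ANSWER SECTION:
tunnelix.com.      300    IN    A      192.0.2.10
tunnelix.com.      300    IN    RRSIG  A 13 2 300 20181201000000 20181101000000 12345 tunnelix.com. c29tZXNpZw==
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

if __name__ == "__main__":
    print(dnssec_status(parse_dig(SAMPLE_PLAIN)), dnssec_status(parse_dig(SAMPLE_SIGNED)))
```

The "unknown" outcome is the one worth remembering: a plain dig without +dnssec never carries RRSIGs, so their absence says nothing about the zone, and an ad flag only ever reflects the resolver you asked, so point the check at a validating resolver (or use +trace with +dnssec) before concluding anything about a domain.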

Tips:

    • dig -t MX google.com lists the MX records for the domain in the ‘Answer Section’ (dig google.com MX is the same query).
    • A dig result is composed of only 5 parts, i.e. Header, Question (the question for the name server), Answer (resource records answering the question), Authority (resource records pointing towards an authority) and Additional (resource records holding additional information).
    • To filter a default dig result you can use dig google.com +nocomments +noquestion +noauthority +noadditional +nostats, which leaves only the answer records; adding +noanswer as well leaves nothing.
    • The more direct way to get a specific section is dig google.com +noall +answer, which switches everything off and then re-enables only the answer section.
    • Another interesting tip from Keith Wright: dig +trace google.com makes dig resolve the name iteratively itself, starting at the root servers and following the delegations through com to Google's authoritative servers, instead of handing the work to the recursive resolver in /etc/resolv.conf. It is the quickest way to see where a delegation is broken.