DNSSEC Overview

Captions
Hey everybody, John Wagnon here with DevCentral, and we are coming to you with another Lightboard Lesson video. Today we're going to talk about DNSSEC. So you may be asking, hey, what is DNSSEC? Or maybe you've heard of DNSSEC but you don't quite know what it is. So I'll put DNSSEC up here.

All right, so before we talk about DNSSEC, let's just overview DNS real quick. DNS is absolutely critical, foundational to the internet today, and one of the issues with DNS is it was designed back in the 80s. I mean, it's been around for a long time, or as technology goes it's a long time, but it wasn't designed with security in mind. So let's say, I'll just do a little example here, let's say you have a client who goes to, I don't know, example.com. So you type example.com in your little address bar there in your browser, but that needs to be turned into an IP address, and as we all know that's what DNS is all about: it turns a readable human name into an IP address that a computer can figure out and understand. And so it goes through this recursive lookup process. Well, it potentially goes through a recursive lookup process, but let's just say for the sake of this example that it needs to do that. So it's going to go out to the root, if it doesn't know this, it's going to go out to the root, and then it's going to go out to the dot-com, and then it's going to go out to the example.com, and finally get back the IP address that it is looking for the entire time. And then once it has that IP address it can go and access the web server, and you're good to go.

All right, so that's a very, very quick DNS review. But let's say, for example, there's some bad guy out there, and I'll draw him in blue. So we'll say the bad guy injects himself right here and he takes over control of this, let's say. And so when the IP that comes back, let's say it was supposed to be, you know, 1.2.3.4, well, let's say he sends back, you know, 1.2.3.4. So that's the wrong IP address, and so now this client is going to go out there and say, okay, well, let me access, you know, 1.2.3.4, and lo and behold, it's the bad guy's website. The bad guy does all kinds of bad things, and, you know, this guy's day is really ruined at that point. So anyway, that's the problem with DNS, and that introduces the need for DNSSEC.

So what DNSSEC does is it validates these different lookups or these different requests, and it says, hey, I want to make sure that when you say you are someone, that you are actually that person. And so now when you have a DNS request or DNS response, then that response can be what we call DNSSEC validated or DNSSEC signed, and then that way the client knows that he's talking to the correct person. And so the way that the DNSSEC validation, or the DNSSEC signing, happens is by this idea of a chain of trust. So I'll put chain of trust right here. And so just like you have the root domain and then the top-level domain and then your domain, so it kind of goes down here, what happens with this chain of trust is you have the root and then you have the top-level domain and you have yours, let's say example.com down here, .com, which this top-level domain is .com in this example. And so you've got this organization out there called ICANN, I-C-A-N-N, and they've kind of taken over this, and they said, hey, this is a big deal and we need to make sure that all this happens correctly. And so they have formalized all this, and they said, hey, let's sign, you know, these different domains so that people can then sign up underneath those, and then everyone can trust everybody. So what they did is they got together, and it's all these experts all over the world, they got together and they said, hey, let's sign the root domain, and that thing was signed back in 2010, so I'll put 2010 there. So literally five years ago the root level domain was signed, and it's available now for DNSSEC validation.

And so now that this thing is signed, now your top-level domain can say, hey, based on that signature I can now get a certificate and a signature that I can trust. And so because I trust this guy, or this guy is trustable now, and that's kind of the anchor that holds all this together, then the top-level domain can say, okay, because I trust you, then I can pull down certificates that are signed by you. And then it just keeps, it's kind of this waterfall effect, you know, this guy can get a signature on his DNS requests or responses based on the fact that he trusts this guy, based on the fact that this guy trusts this guy, and we all trust the root because we all trust that organization that got together that signed all that. All right, so the point is we can now have signed responses via DNSSEC against each of these, you know, responses. So now when the client goes down and says, hey, I need to know about, or I need this certain IP address, we can do that, we can have confidence that it's coming from the right person.

Okay, so how does all that fit in with the BIG-IP? Well, the BIG-IP, I'll just draw a little diagram right here. Let's say you have all these DNS servers, DNS, that's a bad D, anyway, DNS servers on the back end. You have all your DNS infrastructure. What you could do is, if a client were to come in and request that, you could put a BIG-IP in line here, and you could basically let this act as your authoritative DNS, so that when a client comes in with a DNS request it comes in to the BIG-IP, and then the BIG-IP can respond on behalf of all your other DNS servers. And so it takes the load off of these guys, and you can configure DNSSEC on your BIG-IP. And, by the way, if you've ever configured DNSSEC in BIND, so let's say these guys have BIND running back here, it is, as I've heard in the past, not for the faint of heart to configure DNSSEC in BIND. So if you were to have to configure that on each individual one of all these DNS backend servers, that's a lot of headache that you're going to have to go through. So move all that stuff to the BIG-IP, let the BIG-IP handle it. The BIG-IP, very simply, there's literally a couple of things: you set up your key signing key, and then there's a zone signing key that you would set up here on the BIG-IP. You configure DNSSEC on your BIG-IP, it handles all the responses. So now when a client comes in to any one of your back-end servers looking for that IP address that we just talked about, the BIG-IP is now going to send back a DNSSEC validated response to the client. The client's going to say, hey, it's DNSSEC validated, I can look at that chain of trust, I can know that it's coming from the person that I wanted it to come from, you know, and he's happy, you're happy because you're serving up the correct IP address to all your clients.

And so anyway, that's kind of the overview of DNSSEC, how it works, why it's important, because DNS on its own is not inherently a secure operation, but because it is so fundamentally important to the operation of the internet today, you've got to use it, you've got to make sure it works. And so because these things are all signed, you can get out there, you can provide DNS validated responses on behalf of your web applications to any client that comes in that wants to communicate and find out the right IP address. So anyway, DNSSEC is available on the BIG-IP, it's very simple to configure. Get out there, check it out, configure it up, offer those validated responses to all your clients. They'll be happy, you'll be happy, we'll all be secure. So thanks for tuning in today, and we'll see you guys out there in the community.
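The chain of trust drawn in the video (root, then .com, then example.com, each vouched for by the one above it, with a key signing key and a zone signing key per zone), as a small Go model: this is an added example, not code from the video, F5 BIG-IP or BIND, and it uses Ed25519 signatures with simplified, hypothetical record encodings and constructed zone names rather than real DNS wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is a simplified signed zone: the KSK signs the DNSKEY set, the ZSK signs every other record.
type Zone struct {
	Name             string
	KSK, ZSK         ed25519.PublicKey
	kskPriv, zskPriv ed25519.PrivateKey
	KeySig           []byte            // RRSIG over the DNSKEY set, made with the KSK
	Records, Sigs    map[string][]byte // owner -> rdata (an A record or a child's DS) and its ZSK RRSIG
}
func keySet(z *Zone) []byte { return []byte(z.Name + string(z.KSK) + string(z.ZSK)) } // bytes signed as the DNSKEY set
// DS is what the parent publishes for a child: a SHA-256 digest over the child's name and KSK.
func DS(name string, ksk ed25519.PublicKey) []byte {
	d := sha256.Sum256([]byte(name + string(ksk)))
	return d[:]
}
func NewZone(name string) *Zone {
	z := &Zone{Name: name, Records: map[string][]byte{}, Sigs: map[string][]byte{}}
	z.KSK, z.kskPriv, _ = ed25519.GenerateKey(rand.Reader)
	z.ZSK, z.zskPriv, _ = ed25519.GenerateKey(rand.Reader)
	z.KeySig = ed25519.Sign(z.kskPriv, keySet(z))
	return z
}
// Publish signs a record with the ZSK; a parent publishes DS(child) this way to extend the chain downwards.
func (z *Zone) Publish(owner string, rdata []byte) {
	z.Records[owner], z.Sigs[owner] = rdata, ed25519.Sign(z.zskPriv, append([]byte(owner), rdata...))
}
// Validate starts from the trust anchor (want = the root's DS) and, zone by zone, checks the KSK against it, the DNSKEY set against the KSK, and the next DS or the final A record against the ZSK.
func Validate(want []byte, chain []*Zone, owner string) (rdata []byte, ok bool) {
	for i, z := range chain {
		if string(want) != string(DS(z.Name, z.KSK)) || !ed25519.Verify(z.KSK, keySet(z), z.KeySig) {
			return nil, false // KSK not vouched for by the parent, or DNSKEY set tampered with
		}
		next := owner // fetch the A record at the last zone, otherwise the next zone's DS
		if i+1 < len(chain) {
			next = chain[i+1].Name
		}
		if want = z.Records[next]; !ed25519.Verify(z.ZSK, append([]byte(next), want...), z.Sigs[next]) {
			return nil, false // the DS or A record is not what this zone's ZSK actually signed
		}
	}
	return want, true
}
```

Build the three zones with NewZone, have each parent Publish the DS of its child and example.com Publish its A record, then call Validate with DS(".", root.KSK) as the trust anchor; swapping the A record afterwards, as the bad guy in the video does, makes Validate return false because the RRSIG no longer matches.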
Info
Channel: F5 DevCentral
Views: 70,712
Keywords: f5, devcentral, Domain Name System Security Extensions
Id: MrtsKTC3KDM
Length: 8min 47sec (527 seconds)
Published: Wed Nov 11 2015