Channel: Security – Weberblog.net
Browsing all 76 articles

DNSSEC Signing w/ BIND

To solve the chicken-or-egg problem for DNSSEC from the other side, let’s use an authoritative DNS server (BIND) for signing DNS zones. This tutorial describes how to generate the keys and configure...

How to use DANE/TLSA

DNS-based Authentication of Named Entities (DANE) is a great feature that uses the advantages of a DNSSEC-signed zone to tell the client which TLS certificate it has to expect when connecting...

SSHFP: Authenticate SSH Fingerprints via DNSSEC

This is really cool. After DNSSEC is used to sign a complete zone, SSH connections can be authenticated by checking the SSH fingerprint against the SSHFP resource record on the DNS server. With this...

DNSSEC ZSK Key Rollover

One important maintenance requirement for DNSSEC is the key rollover of the zone signing key (ZSK). With this procedure a new public/private key pair is used for signing the resource records, of course...

DNSSEC with NSEC3

By default DNSSEC uses the next secure (NSEC) resource record “to provide authenticated denial of existence for DNS data”, RFC 4034. This feature creates a complete chain of all resource records of a...

How to walk DNSSEC Zones: dnsrecon

After the implementation of DNS and DNSSEC (see the last posts) it is good to do some reconnaissance attacks against your own DNS servers, especially to see the NSEC or NSEC3 differences, i.e., whether...

Idea: On-the-Fly TLSA Record Spoofing

It is quite common that organizations use some kind of TLS decryption to have a look at the client traffic in order to protect against malware or evasion. (Some synonyms are SSL/TLS interception,...

Idea: SSHFP Validator

The usage of the SSHFP resource record helps admins to authenticate the SSH server before they are exposing their credentials or before a man-in-the-middle attack occurs. This is only one great...

Palo Alto External Dynamic IP Lists

This is a cool and easy to use (security) feature from Palo Alto Networks firewalls: The External Dynamic Lists which can be used with some (free) 3rd party IP lists to block malicious incoming IP...

F5 SSL Profile: “Single DH use” not working?

In the paper of the Logjam attack, a sentence about the F5 load balancers confused me a bit: “The F5 BIG-IP load balancers and hardware TLS frontends will reuse unless the “Single DH” option is...

IPv6 Site-to-Site VPN Recommendations

With global IPv6 routing, every single host has its own global unicast IPv6 address (GUA). No NAT anymore. No dirty tricks between hosts and routers. Great. Security is provided solely by firewalls and...

IKEv1 & IKEv2 Capture

It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session...

CAA: DNS Certification Authority Authorization

I really like the kind of security features that are easy to use. The CAA “DNS Certification Authority Authorization” is one of those. As a domain administrator you only have to generate the appropriate...

PGP Key Distribution via DNSSEC: OPENPGPKEY

What is the biggest problem of PGP? The key distribution. This is well-known and not new at all. What is new is the OPENPGPKEY DNS resource record that delivers PGP public keys for mail addresses. If...

SSHFP behind CNAME

I am intensely using the SSH Public Key Fingerprint (SSHFP, RFC 4255) in all of my environments. Since my zones are secured via DNSSEC I got rid of any “authenticity of host ‘xyz’ can’t be established”...

SSHFP: FQDN vs. Domain Search/DNS-Suffix

This is actually a bad user experience problem: To generally omit the manual verification of SSH key fingerprints I am using SSHFP. With fully qualified domain names (FQDN) as the hostname for SSH...

Generating SSHFP Records Remotely

Until now I generated all SSHFP resource records on the SSH destination server itself via [crayon-5a7ca1e9d67ae167082743-i/]. This is quite easy when you already have an SSH connection to a standard...

Lastline SSH Key-Based Authentication for “monitoring” User

If you are using a Lastline device (Manager, Engine, Sensor or Pinbox) you can reach the machine via SSH after you activated it via [crayon-5a85e730d6fe4368490379-i/] . However, per default this uses...

DNSSEC KSK Key Rollover

Probably the most crucial part in a DNSSEC environment is the maintenance of the key-signing key, the KSK. You should roll over this key on a regular basis, though not as often as the zone signing...

DNSSEC KSK Emergency Rollover

In my last blogpost I showed how to perform a DNSSEC KSK rollover. I did it quite slowly and carefully. This time I am looking into an emergency rollover of the KSK. That is: What to do if your KSK is...
