CAA: DNS Certification Authority Authorization
I really like the kind of security features that are easy to use. The CAA “DNS Certification Authority Authorization” is one of those. As a domain administrator you must only generate the appropriate...
PGP Key Distribution via DNSSEC: OPENPGPKEY
What is the biggest problem of PGP? The key distribution. This is well-known and not new at all. What is new is the OPENPGPKEY DNS resource record that delivers PGP public keys for mail addresses. If...
DNS Test Names & Resource Records
I am testing a lot with my own DNS servers as well as with third-party DNS implementations such as DNS proxies on firewalls, DNSSEC validation on resolvers, etc. While there are a number of free DNS...
All-in-One DNS Tool: Domain Analyzer
Just a quick glance at the domain_analyzer script from Sebastián García and Verónica Valeros. “Domain analyzer is a security analysis tool which automatically discovers and reports information about...
Benchmarking DNS: namebench & dnseval
If you’re running your own DNS resolver you’re probably interested in some benchmark tests against it, such as: how fast does my own server (read: Raspberry Pi) answer to common DNS queries compared to...
SSHFP behind CNAME
I am intensely using the SSH Public Key Fingerprint (SSHFP, RFC 4255) in all of my environments. Since my zones are secured via DNSSEC I got rid of any “authenticity of host ‘xyz’ can’t be established”...
SSHFP: FQDN vs. Domain Search/DNS-Suffix
This is actually a bad user experience problem: To generally omit the manual verification of SSH key fingerprints I am using SSHFP. With fully qualified domain names (FQDN) as the hostname for SSH...
Generating SSHFP Records Remotely
Until now I generated all SSHFP resource records on the SSH destination server itself via …. This is quite easy when you already have an SSH connection to a standard...
Signing a Delegated Subdomain
If you are already familiar with DNSSEC this is quite easy: How to sign a delegated subdomain zone. For the sake of completeness I am showing how to generate and use the appropriate DS record in order...
DNSSEC KSK Key Rollover
Probably the most crucial part in a DNSSEC environment is the maintenance of the key-signing key, the KSK. You should roll over this key on a regular basis, though not as often as the zone signing...
DNSSEC KSK Emergency Rollover
In my last blogpost I showed how to perform a DNSSEC KSK rollover. I did it quite slowly and carefully. This time I am looking into an emergency rollover of the KSK. That is: What to do if your KSK is...
Signed DNS Zone with too long-living TTLs
Having implemented DNSSEC for a couple of years now while playing with many different DNS options such as TTL values, I came across an error message from DNSViz pointing to possible problems when the TTL of...
TROOPERS18: Dynamic IPv6 Prefix Problems and VPNs
Just a few days ago I gave a talk at Troopers 18 in Heidelberg, Germany, about the problems of dynamic (non-persistent) IPv6 prefixes, as well as IPv6 VPNs in general. Following are my slides and the...
My Network Companion: The ProfiShark
For a couple of months now I have always been carrying a ProfiShark 1G with me. It’s a small network aggregation TAP that fits into my bag (unlike almost all other TAPs or switches with SPAN functionalities)....
Internet’s Noise
If you are following the daily IT news you have probably seen many articles claiming they have scanned the whole Internet for this or that. Indeed there are tools such as the ZMap Project “that enable...
Yamaha R-N500 Network Receiver Port Scan
During my analysis of Apple AirPlay connections to my Yamaha Network Receiver I was also interested in which TCP/UDP ports are opened on this audio device at all. Hence I did a basic port scan with...
Yamaha R-N500 Network Receiver Packet Capture
Last but not least I was interested in which “home-calling” connections my Yamaha R-N500 Network Receiver initiates. In my previous post I already analyzed the open ports within the network, while I...