SlideShare une entreprise Scribd logo

NZNOG 2013 - Experiments in DNSSEC

APNIC
APNIC

Experiments in DNSSEC by George Michaelson at NZNOG2013

Présentations et discours publics
1  sur  46
Télécharger pour lire hors ligne
Experiments in DNSSEC George Michaelson ggm@apnic.net
Experiments in DNSSEC
Experiments in DNSSEC • We’ve got a system which can perform thousands of measurements per day, on random Internet users – It measures DNS (UDP and TCP), and it measures HTTP (TCP)
Experiments in DNSSEC • We’ve got a system which can perform thousands of measurements per day, on random Internet users – It measures DNS (UDP and TCP), and it measures HTTP (TCP) • We’ve used it to do IPv6 measurements • We’ve used it to do routing visibility on IPv4 blocks • What else can we do with this experimental rig?
Experiments in DNSSEC • We’ve got a system which can perform thousands of measurements per day, on random Internet users – It measures DNS (UDP and TCP), and it measures HTTP (TCP) • We’ve used it to do IPv6 measurements • We’ve used it to do routing visibility on IPv4 blocks • What else can we do with this experimental rig? • Can we use it to tell us something about DNSSEC?
Clean State dns/web fetch
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Clean State dns/web fetch • Before web, DNS has to find the A/AAAA bindings • Which means the DNS service has to traverse the namespace (from the root) to find the NSERVER of the domain – And then ask the NSERVER for the A/AAAA information • The traversal is cached, so not all web fetches demand a hunt from the root – Cached state can be set by other peoples queries • And it works!
Cached State dns/web fetch
Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
DNS is indirect, cached
DNS is indirect, cached • First client, establishes state in the DNS resolver chain relating to the domain • Subsequent clients may or may not be exposed to information along the DNS namepath – Cached NS – Cached A/AAAA – Cached RRSIG/DS/NSEC • Since resolvers can pass through forwarders, this state can indirectly cache along a DNS resolver chain from the authority point
DNS is indirect, cached • Can we detect when a DNS resolver is ‘in the path’? • Can we detect when a DNS resolver has cached state? • Can we detect when a DNS resolver has DNSSEC enabled? • Can we detect when a client has validation enabled?
DNSSEC adds data, queries • Public, private digital signatures over DNS data • Public keys used to verify, fetched from parent in DNSKEY requests which fetch DS records • Resources are signed with RRSIG signatures via the private key, RRSIG passed in ‘additional’ data fields of request • NSEC records provide chain over records in the zone so you can tell if you have had something hidden from you, or if it really doesn’t exist
DNSSEC is indirect, but only partly cached
DNSSEC is indirect, but only partly cached • DNSSEC has a characteristic signature in the DNS query sequence 1. You signal you can ‘DO’ DNSSEC in the query flags 2. You receive RRSIG in the additional section of a reply 3. If you want to validate, you have to explicitly ask for DNSKEY for the DS records. • If you see a sequence of {A,DNSKEY/DS} in a short space of time from the same IP, you have high confidence the IP is doing DNSSEC fetches. • Once fetched, can be re-used for some time
DNS complications • People configure more than one resolver – You can see more than one source IP asking questions for one client • Sometimes, the client software does ‘scattergun’ fetches to all the listed NS – You can see more than one authoritative NS being queried by a system you’ve never seen before (ie, no cached state) • DNS re-queries if you don’t answer in time – ‘udp is unreliable’ history?
DNSSEC complications • People don’t always configure ALL their resolvers to do DNSSEC – You can see the same query, signalling DO and not signalling DO – You can see the same query, asking associated DNSKEY/DS • Forwarder chains can create cached state – If the forwarder is itself DNSSEC enabled, it learns at least the RRSIG – If the forwarder is not DNSSEC enabled directly, it can forward on both DNSSEC and non-DNSSEC enabled clients
Serverside complications • DNSSEC configuration is fiddly • New commands to be run to bootstrap keys – Keys associate tightly with domains – Keys have lifetimes – Keys are themselves complex multipart data • New data to be lodged in parent domain – DS record has to be placed in parent zone, signed over by parent – DS records are complex multipart data – Registries don’t necessarily honour the ‘file’ format you have in-hand • New data to be included in your zonefile – You have to re-sign over your zone on each edit.
Serverside complications • Seriously: • we spent a horrendous amount of time fixing up stupid mistakes in the key application to the zone – ZSK and KSK aren’t easily distinguished by filename in BIND 9 – Lots of keys in one flat /etc/named/keys directory didn’t help • Every zone edit demands a re-sign – Forget to sign, now have zonefile and zonefile.signed out of sync • This process is highly ameanable to fat finger trouble.
Anatomy of a DNSSEC Experiment
Anatomy of a DNSSEC Experiment • Configure five domains 1. DNSSEC enabled, validly signed: checks if clients resolver is enabled to do DNSSEC 2. DNSSEC enabled, invalidly signed: checks if the clients resolver is enabled for validation 3. DNSSEC enabled, IPv6 only NS: checks if the clients resolver can do DNS over IPv6 4. DNSSEC enabled IPv6 only NS, extra large response required (> 1500 bytes): checks if the clients resolver can handle pMTU 5. No DNSSEC (takes results) • Get clients to fetch from first 4, return results on 5
Anatomy of a DNSSEC Experiment • Configure five domains 1. DNSSEC enabled, validly signed: checks if clients resolver is enabled to do DNSSEC 2. DNSSEC enabled, invalidly signed: checks if the clients resolver is enabled for validation 3. DNSSEC enabled, IPv6 only NS: checks if the clients resolver can do DNS over IPv6 4. DNSSEC enabled IPv6 only NS, extra large response required (> 1500 bytes): checks if the clients resolver can handle pMTU 5. No DNSSEC (takes results) • Get clients to fetch from first 4, return results on 5
Invalid DNSSEC? • Use the tools to validly sign a zone • Lodge the DS records with the parent zone • Use the keys to sign the zone • Then, corrupt the RRSIG over labels in the zone • Result: valid DNSSEC chain TO the zone, but the RRSIG return for the label is incorrectly signed. • Can also lodge corrupted DS with parent and have an entire sub-domain invalidly signed • RRSIG works with wildcards. Corrupted RRSIG ‘fails’ properly with wildcards (NSEC is still valid)
Results • 1 weeks advert placement, $140/day bought ~ 250,000 placements per 24h billing period • Total of 1,838,084 experiments run worldwide • 67,766 resolvers seen • 2,984 appear to be DNSSEC enabled 4.4% • 1,329,084 clients seen • 188,112 appear to be DNSSEC enabled 14.15%
Hows the world doing on DNSSEC?
NZ Results • 7500 experiments ran against NZ end-users in the last week – 79 ASNs had resolvers active – 111 ASNs had clients tested • In aggregate, 15% of clients appear to have DNSSEC enabled resolvers – Since the average number of nservers per host is 1.9, this means nearly everyone has a non-DNSSEC enabled alternate and so has far lower validation coverage. – But.. This is from a small sample, with a couple of standout ASN • Almost 300 distinct resolvers were seen in the DNS and around 2.7% were DNSSEC enabled
NZ Results ASN NetName Sample size %clients 4771 NZTELECOM 3274 0.95% 4768 CLIX-NZ 1241 1.37% 7657 VODAFONE-NZ-NGN-AS 1041 93.37% 9790 CALLPLUS-NZ-AP 587 2.73% 17746 ORCONINTERNET-NZ-AP 334 2.69% 17412 WOOSHWIRELESSNZ 116 2.59% 17705 INSPIRENET-AS-AP 22 95.45% 23655 SNAP-NZ-AS 85 3.53% 4648 NZIX-2 84 2.38% 17435 WXC-AS-NZ 72 2.77%
NZ Results ASN NetName Sample size %clients 4771 NZTELECOM 3274 0.95% 4768 CLIX-NZ 1241 1.37% 7657 VODAFONE-NZ-NGN-AS 1041 93.37% 9790 CALLPLUS-NZ-AP 587 2.73% 17746 ORCONINTERNET-NZ-AP 334 2.69% 17412 WOOSHWIRELESSNZ 116 2.59% 17705 INSPIRENET-AS-AP 22 95.45% 23655 SNAP-NZ-AS 85 3.53% 4648 NZIX-2 84 2.38% 17435 WXC-AS-NZ 72 2.77%
Future work • Improve the ‘is DNSSEC active’ tests – Unique intermediate domains, with DNSSEC DS per experiment – Less cached data, more instances of the {A,DNSKEY} fetch signature • Mapping the relationships of clients, resolvers – We already have initial data on the use of google 8.8.8.8 • Oddities – Evidence resolver does DNSSEC, but fetches malsigned URL – Evidence of >10 nservers covering a client • Probably use of services with anycast/replicated infrastructure
DNSSEC observations
DNSSEC observations • DNSSEC is complicated to configure on the server side
DNSSEC observations • DNSSEC is complicated to configure on the server side • Its also complicated to configure on the client side – DNSSEC enabled resolver, but not validating – Validating resolver, but client has more than one resolver – Clients bypass OS installed resolver logic, invent their own – (we measure on average 1.8 resolvers per client) • Trust comes from the root – If you don’t have the root out of band, you depend on in-band trust – Bad… • Hop-Over DNS (8.8.8.8) is very good QoS, popular – But isn’t DNSSEC enabled in itself (it will forward) • Chained DNS behind forwarders may not be adding value

Recommandé

Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSAPNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 

Recommandé

Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSAPNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Bangladesh Network Operators Group
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1DNS Entrepreneurship Center
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)Venkatesh Jambulingam
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3DNS Entrepreneurship Center
 
Dnssec
DnssecDnssec
Dnssecguest3131f85
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..Neustar, Inc.
 
DNSSEC - A small overview
DNSSEC - A small overviewDNSSEC - A small overview
DNSSEC - A small overviewMattias Geniar
 

Contenu connexe

Tendances

Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...APNIC
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 

Tendances (20)

Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 
Dnssec
DnssecDnssec
Dnssec
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
DNS Security
DNS SecurityDNS Security
DNS Security
 

En vedette

What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..Neustar, Inc.
 
DNSSEC - A small overview
DNSSEC - A small overviewDNSSEC - A small overview
DNSSEC - A small overviewMattias Geniar
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSASrikrupa Srivatsan
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Servervipulvaid
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNSAkshay Tiwari
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSECICANN
 
DNSSEC - Towards Enhanced Internet Security
DNSSEC - Towards Enhanced Internet SecurityDNSSEC - Towards Enhanced Internet Security
DNSSEC - Towards Enhanced Internet Securityesthermakaay
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name SystemPeter R. Egli
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
DNSSEC best practices Webinar
DNSSEC best practices WebinarDNSSEC best practices Webinar
DNSSEC best practices WebinarMen and Mice
 

En vedette (19)

What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..What We are Learning About DNS Security: DNSSEC and Much More..
What We are Learning About DNS Security: DNSSEC and Much More..
 
DNSSEC - A small overview
DNSSEC - A small overviewDNSSEC - A small overview
DNSSEC - A small overview
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 
DnsSec
DnsSecDnsSec
DnsSec
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSA
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Server
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNS
 
DNSSEC FIRST
DNSSEC FIRSTDNSSEC FIRST
DNSSEC FIRST
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSEC
 
DNSSEC - Towards Enhanced Internet Security
DNSSEC - Towards Enhanced Internet SecurityDNSSEC - Towards Enhanced Internet Security
DNSSEC - Towards Enhanced Internet Security
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
DNSSEC best practices Webinar
DNSSEC best practices WebinarDNSSEC best practices Webinar
DNSSEC best practices Webinar
 
An Introduction To Sociology
An Introduction To SociologyAn Introduction To Sociology
An Introduction To Sociology
 
Introduction to DNS
Introduction to DNSIntroduction to DNS
Introduction to DNS
 
Dns ppt
Dns pptDns ppt
Dns ppt
 

Similaire à NZNOG 2013 - Experiments in DNSSEC

Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK RollAPNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSKAPNIC
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHAPNIC
 
DNS privacy
DNS privacyDNS privacy
DNS privacyAPNIC
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonAPNIC
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS MeasurementsAFRINIC
 
RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollAPNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 

Similaire à NZNOG 2013 - Experiments in DNSSEC (20)

Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSK
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOH
 
DNS privacy
DNS privacyDNS privacy
DNS privacy
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK Roll
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 

Plus de APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkAPNIC
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkAPNIC
 

Plus de APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and Starlink
 

Dernier

THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...漢銘 謝
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SESaleh Ibne Omar
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxAsifArshad8
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...Henrik Hanke
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...university
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerkumenegertelayegrama
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxRoquia Salam
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this periodSaraIsabelJimenez
 

Dernier (19)

THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SE
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeeger
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptx
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this period
 

NZNOG 2013 - Experiments in DNSSEC

  • 1. Experiments in DNSSEC George Michaelson ggm@apnic.net
  • 3. Experiments in DNSSEC • We’ve got a system which can perform thousands of measurements per day, on random Internet users – It measures DNS (UDP and TCP), and it measures HTTP (TCP)
  • 4. Experiments in DNSSEC • We’ve got a system which can perform thousands of measurements per day, on random Internet users – It measures DNS (UDP and TCP), and it measures HTTP (TCP) • We’ve used it to do IPv6 measurements • We’ve used it to do routing visibility on IPv4 blocks • What else can we do with this experimental rig?
  • 5. Experiments in DNSSEC • We’ve got a system which can perform thousands of measurements per day, on random Internet users – It measures DNS (UDP and TCP), and it measures HTTP (TCP) • We’ve used it to do IPv6 measurements • We’ve used it to do routing visibility on IPv4 blocks • What else can we do with this experimental rig? • Can we use it to tell us something about DNSSEC?
  • 7. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 8. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 9. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 10. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 11. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 12. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 13. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 14. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 15. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 16. Clean State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 17. Clean State dns/web fetch • Before web, DNS has to find the A/AAAA bindings • Which means the DNS service has to traverse the namespace (from the root) to find the NSERVER of the domain – And then ask the NSERVER for the A/AAAA information • The traversal is cached, so not all web fetches demand a hunt from the root – Cached state can be set by other peoples queries • And it works!
  • 19. Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 20. Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 21. Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 22. Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 23. Cached State dns/web fetch resolver (optional) Forwarding resolver Authoritative DNS NS Client webserver
  • 25. DNS is indirect, cached • First client, establishes state in the DNS resolver chain relating to the domain • Subsequent clients may or may not be exposed to information along the DNS namepath – Cached NS – Cached A/AAAA – Cached RRSIG/DS/NSEC • Since resolvers can pass through forwarders, this state can indirectly cache along a DNS resolver chain from the authority point
  • 26. DNS is indirect, cached • Can we detect when a DNS resolver is ‘in the path’? • Can we detect when a DNS resolver has cached state? • Can we detect when a DNS resolver has DNSSEC enabled? • Can we detect when a client has validation enabled?
  • 27. DNSSEC adds data, queries • Public, private digital signatures over DNS data • Public keys used to verify, fetched from parent in DNSKEY requests which fetch DS records • Resources are signed with RRSIG signatures via the private key, RRSIG passed in ‘additional’ data fields of request • NSEC records provide chain over records in the zone so you can tell if you have had something hidden from you, or if it really doesn’t exist
  • 28. DNSSEC is indirect, but only partly cached
  • 29. DNSSEC is indirect, but only partly cached • DNSSEC has a characteristic signature in the DNS query sequence 1. You signal you can ‘DO’ DNSSEC in the query flags 2. You receive RRSIG in the additional section of a reply 3. If you want to validate, you have to explicitly ask for DNSKEY for the DS records. • If you see a sequence of {A,DNSKEY/DS} in a short space of time from the same IP, you have high confidence the IP is doing DNSSEC fetches. • Once fetched, can be re-used for some time
  • 30. DNS complications • People configure more than one resolver – You can see more than one source IP asking questions for one client • Sometimes, the client software does ‘scattergun’ fetches to all the listed NS – You can see more than one authoritative NS being queried by a system you’ve never seen before (ie, no cached state) • DNS re-queries if you don’t answer in time – ‘udp is unreliable’ history?
  • 31. DNSSEC complications • People don’t always configure ALL their resolvers to do DNSSEC – You can see the same query, signalling DO and not signalling DO – You can see the same query, asking associated DNSKEY/DS • Forwarder chains can create cached state – If the forwarder is itself DNSSEC enabled, it learns at least the RRSIG – If the forwarder is not DNSSEC enabled directly, it can forward on both DNSSEC and non-DNSSEC enabled clients
  • 32. Serverside complications • DNSSEC configuration is fiddly • New commands to be run to bootstrap keys – Keys associate tightly with domains – Keys have lifetimes – Keys are themselves complex multipart data • New data to be lodged in parent domain – DS record has to be placed in parent zone, signed over by parent – DS records are complex multipart data – Registries don’t necessarily honour the ‘file’ format you have in-hand • New data to be included in your zonefile – You have to re-sign over your zone on each edit.
  • 33. Serverside complications • Seriously: • we spent a horrendous amount of time fixing up stupid mistakes in the key application to the zone – ZSK and KSK aren’t easily distinguished by filename in BIND 9 – Lots of keys in one flat /etc/named/keys directory didn’t help • Every zone edit demands a re-sign – Forget to sign, now have zonefile and zonefile.signed out of sync • This process is highly ameanable to fat finger trouble.
  • 34. Anatomy of a DNSSEC Experiment
  • 35. Anatomy of a DNSSEC Experiment • Configure five domains 1. DNSSEC enabled, validly signed: checks if clients resolver is enabled to do DNSSEC 2. DNSSEC enabled, invalidly signed: checks if the clients resolver is enabled for validation 3. DNSSEC enabled, IPv6 only NS: checks if the clients resolver can do DNS over IPv6 4. DNSSEC enabled IPv6 only NS, extra large response required (> 1500 bytes): checks if the clients resolver can handle pMTU 5. No DNSSEC (takes results) • Get clients to fetch from first 4, return results on 5
  • 36. Anatomy of a DNSSEC Experiment • Configure five domains 1. DNSSEC enabled, validly signed: checks if clients resolver is enabled to do DNSSEC 2. DNSSEC enabled, invalidly signed: checks if the clients resolver is enabled for validation 3. DNSSEC enabled, IPv6 only NS: checks if the clients resolver can do DNS over IPv6 4. DNSSEC enabled IPv6 only NS, extra large response required (> 1500 bytes): checks if the clients resolver can handle pMTU 5. No DNSSEC (takes results) • Get clients to fetch from first 4, return results on 5
  • 37. Invalid DNSSEC? • Use the tools to validly sign a zone • Lodge the DS records with the parent zone • Use the keys to sign the zone • Then, corrupt the RRSIG over labels in the zone • Result: valid DNSSEC chain TO the zone, but the RRSIG return for the label is incorrectly signed. • Can also lodge corrupted DS with parent and have an entire sub-domain invalidly signed • RRSIG works with wildcards. Corrupted RRSIG ‘fails’ properly with wildcards (NSEC is still valid)
  • 38. Results • 1 weeks advert placement, $140/day bought ~ 250,000 placements per 24h billing period • Total of 1,838,084 experiments run worldwide • 67,766 resolvers seen • 2,984 appear to be DNSSEC enabled 4.4% • 1,329,084 clients seen • 188,112 appear to be DNSSEC enabled 14.15%
  • 39. Hows the world doing on DNSSEC?
  • 40. NZ Results • 7500 experiments ran against NZ end-users in the last week – 79 ASNs had resolvers active – 111 ASNs had clients tested • In aggregate, 15% of clients appear to have DNSSEC enabled resolvers – Since the average number of nservers per host is 1.9, this means nearly everyone has a non-DNSSEC enabled alternate and so has far lower validation coverage. – But.. This is from a small sample, with a couple of standout ASN • Almost 300 distinct resolvers were seen in the DNS and around 2.7% were DNSSEC enabled
  • 41. NZ Results ASN NetName Sample size %clients 4771 NZTELECOM 3274 0.95% 4768 CLIX-NZ 1241 1.37% 7657 VODAFONE-NZ-NGN-AS 1041 93.37% 9790 CALLPLUS-NZ-AP 587 2.73% 17746 ORCONINTERNET-NZ-AP 334 2.69% 17412 WOOSHWIRELESSNZ 116 2.59% 17705 INSPIRENET-AS-AP 22 95.45% 23655 SNAP-NZ-AS 85 3.53% 4648 NZIX-2 84 2.38% 17435 WXC-AS-NZ 72 2.77%
  • 42. NZ Results ASN NetName Sample size %clients 4771 NZTELECOM 3274 0.95% 4768 CLIX-NZ 1241 1.37% 7657 VODAFONE-NZ-NGN-AS 1041 93.37% 9790 CALLPLUS-NZ-AP 587 2.73% 17746 ORCONINTERNET-NZ-AP 334 2.69% 17412 WOOSHWIRELESSNZ 116 2.59% 17705 INSPIRENET-AS-AP 22 95.45% 23655 SNAP-NZ-AS 85 3.53% 4648 NZIX-2 84 2.38% 17435 WXC-AS-NZ 72 2.77%
  • 43. Future work • Improve the ‘is DNSSEC active’ tests – Unique intermediate domains, with DNSSEC DS per experiment – Less cached data, more instances of the {A,DNSKEY} fetch signature • Mapping the relationships of clients, resolvers – We already have initial data on the use of google 8.8.8.8 • Oddities – Evidence resolver does DNSSEC, but fetches malsigned URL – Evidence of >10 nservers covering a client • Probably use of services with anycast/replicated infrastructure
  • 45. DNSSEC observations • DNSSEC is complicated to configure on the server side
  • 46. DNSSEC observations • DNSSEC is complicated to configure on the server side • Its also complicated to configure on the client side – DNSSEC enabled resolver, but not validating – Validating resolver, but client has more than one resolver – Clients bypass OS installed resolver logic, invent their own – (we measure on average 1.8 resolvers per client) • Trust comes from the root – If you don’t have the root out of band, you depend on in-band trust – Bad… • Hop-Over DNS (8.8.8.8) is very good QoS, popular – But isn’t DNSSEC enabled in itself (it will forward) • Chained DNS behind forwarders may not be adding value