Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver
|
|
|
- Denis Weaver
- 5 years ago
- Views:
Transcription
1 Ordinary DNS: A? com. NS a.gtld-servers.net a.gtld-servers.net A k.root-servers.net
2 Ordinary DNS: A? com. NS a.gtld-servers.net a.gtld-servers.net A k.root-servers.net A? google.com. NS ns1.google.com ns1.google.com A a.gtld-servers.net
3 Ordinary DNS: A? com. NS a.gtld-servers.net a.gtld-servers.net A k.root-servers.net A? google.com. NS ns1.google.com ns1.google.com A a.gtld-servers.net A? A ns1.google.com
4 DNSSEC (with simplifications): com. NS a.gtld-servers.net a.gtld-servers.net. A com. DS description-of-com's-key com. RRSIG DS signature-of-that- DS-record-using-root's-key k.root-servers.net
5 DNSSEC (with simplifications): com. NS a.gtld-servers.net a.gtld-servers.net. A com. DS description-of-com's-key com. RRSIG DS signature-of-that- DS-record-using-root's-key k.root-servers.net Delegation Signer identifies.com's public key (name and hash)
6 DNSSEC (with simplifications): com. NS a.gtld-servers.net a.gtld-servers.net. A com. DS description-of-com's-key com. RRSIG DS signature-of-that- DS-record-using-root's-key k.root-servers.net Retrieving.com's public key is complicated (actually involves multiple keys)
7 DNSSEC (with simplifications): com. NS a.gtld-servers.net a.gtld-servers.net. A com. DS description-of-com's-key com. RRSIG DS signature-of-that- DS-record-using-root's-key k.root-servers.net Specifies signature over another RR here, the above DS record
8 DNSSEC (with simplifications): com. NS a.gtld-servers.net a.gtld-servers.net. A com. DS description-of-com's-key com. RRSIG DS signature-of-that- DS-record-using-root's-key k.root-servers.net Note: no signature over NS or A!
9 DNSSEC (with simplifications): google.com. NS ns1.google.com ns1.google.com. A google.com. DS description-ofgoogle.com's-key google.com. RRSIG DS signatureof-that-ds-record-using-com's-key a.gtld-servers.net
10 DNSSEC (with simplifications): A RRSIG A signature-of-the-a-records-usinggoogle.com's-key ns1.google.com
11 DNSSEC - Mallory attacks! A ns1.evil.com
12 DNSSEC - Mallory attacks! A ns1.evil.com observes that the reply didn't include a signature, rejects it as insecure
13 DNSSEC - Mallory attacks! A RRSIG A signature-of-the-a-record-usingevil.com's-key ns1.evil.com
14 DNSSEC - Mallory attacks! A RRSIG A signature-of-the-a-record-usingevil.com's-key ns1.evil.com (1) If resolver didn't receive a signature from.com for evil.com's key, then it can't validate this signature & ignores reply since it's not properly signed
15 DNSSEC - Mallory attacks! A RRSIG A signature-of-the-a-record-usingevil.com's-key ns1.evil.com (2) If resolver did receive a signature from.com for evil.com's key, then it knows the key is for evil.com and not google.com and ignores it
16 DNSSEC - Mallory attacks! A RRSIG A signature-of-the-a-record-usinggoogle.com's-key ns1.evil.com
17 DNSSEC - Mallory attacks! A RRSIG A signature-of-the-a-record-usinggoogle.com's-key ns1.evil.com If signature actually comes from google.com's key, resolver will believe it but no such signature should exist unless either: (1) google.com intended to sign the RR, or (2) google.com's private key was compromised
18 69-byte query
19 3419-byte reply
DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS
More on DNS and DNSSEC
More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner Domain names Domain names are human friendly names to identify servers
Homework 3 1 DNS. A root. A com. A google.com
Homework 3 1 DNS Suppose you have a Host C, a local name server L, and authoritative name servers A root, A com, and A google.com, where the naming convention A x means that the name server knows about
BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium
BIND-USERS and Other Debugging Experiences Mark Andrews Internet Systems Consortium Mark_Andrews@isc.org http://isc.org BIND-USERS and Other Debugging Experiences We will look at some typical debugging
DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A
DNS Review Quiz Match the term to the description: C B A Level: Domain name DNS zone Delegation Descriptions: A. Transfer of authority for/to a subdomain B. A set of names under the same authority (ie.com
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
An Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net
The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net Olaf M. Kolkman Question What would be the immediate and initial effect on memory, CPU and bandwidth resources if we were to deploy DNSSEC
A Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
Computer Security CS 426
Computer Security CS 426 Lecture 34 DNS Security 1 Domain Name System Translate host names to IP addresses E.g., www.google.com 74.125.91.103 Hostnames are human-friendly IP addresses keep changing And
Domain Name System (DNS)
Domain Name System (DNS) Computer Networks Lecture 9 http://goo.gl/pze5o8 Domain Name System Naming service used in the Internet Accomplishes mapping of logical ("domain") names to IP addresses (and other
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
DNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
This time. Digging into. Networking. Protocols. Naming DNS & DHCP
This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But they re pretty useless for humans! Can t be expected to pick their own IP address Can t be
CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017
CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 Background Motivation Overview Network Infrastructure Security DNS and DNS Vulnerabilities The DNS Security Extensions
I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?
RRSIG: I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist? NSEC: I certify that there are no DNS records (of type X) whose record
DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and
Towards Secure Name Resolution on the Internet
Towards Secure Name Resolution on the Internet C. Grothoff M. Wachs M. Ermert J. Appelbaum 26.2.2017 The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee Security Goals for Name Systems
Hands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016
Hands-on DNSSEC with DNSViz Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016 Preparation Demo and exercises available at: http://dnsviz.net/demo/ Includes links to the following: VirtualBox
DNS Security DNSSEC. *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi
DNS Security DNSSEC *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html 1 IT352 Network Security Najwa AlGhamdi Introduction DNSSEC is a security extensions to the DNS protocol in response to the
Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University
Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities
12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS
12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC chain of trust DNSSEC
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:
DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam
DNS security Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Tuesday, September 18, 2012 Karst Koymans & Niels Sijm (UvA) DNS security Tuesday, September 18, 2012 1 / 38 1 Chain
Toward Unspoofable Network Identifiers. CS 585 Fall 2009
Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software
DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
SecSpider: Distributed DNSSEC Monitoring and Key Learning
SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From
Algorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
DNS SECurity Extensions technical overview
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts
Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016
Networks and Communication Department NET 412 NETWORK SECURITY PROTOCOLS Lecture 7: DNS Security 2 Outline Part I: DNS Overview of DNS DNS Components DNS Transactions Attack on DNS Part II: DNS Security
DNS Mark Kosters Carlos Martínez ARIN - LACNIC
DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity
Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003
DNS Extensions Internet-Draft Expires: June 16, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003 Protocol Modifications for the DNS
Practices on DNS Management and Domain Name Emerging Topics. Jirasak Jullawat July 14, 2016
Practices on DNS Management and Domain Name Emerging Topics Jirasak Jullawat July 14, 2016 TABLE OF CONTENTS 1. Definition of Domain Name 2. Domain Name Structure 3. Why Domain Name? 4..th Management 5.
Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification
Table of Contents DNS security Karst Koymans Informatics Institute University of Amsterdam (version 1.19, 2011/09/27 14:18:11) Friday, September 23, 2011 The long (and winding) road to the DNSSEC specification
Request for Comments: 4509 Category: Standards Track May Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
Network Working Group W. Hardaker Request for Comments: 4509 Sparta Category: Standards Track May 2006 Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) Status of This Memo This document
Assessing and Improving the Quality of DNSSEC
Assessing and Improving the Quality of DNSSEC Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia
A paper on DNSSEC - NSEC3 with Opt-Out
A paper on DNSSEC - NSEC3 with Opt-Out DNSSEC A Way Forward for TLD Registries Method for faster adoption of DNSSEC Providing greater security with minimal impact on customers, registries and Zone Management
DNS. David Malone. 19th October 2004
DNS David Malone 19th October 2004 1 Names vs. Addresses Computers like addresses eg. 134.226.81.11. People prefer names salmon.maths.tcd.ie. Need a way to translate. walton.maths.tcd.ie close to salmon.maths.tcd.ie.
Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS
DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
Implementing DNSSEC with DynDNS and GoDaddy
Implementing DNSSEC with DynDNS and GoDaddy Lawrence E. Hughes Sixscape Communications 27 December 2017 DNSSEC is an IETF standard for adding security to the DNS system, by digitally signing every resource
Computer Networks. Domain Name System. Jianping Pan Spring /25/17 CSC361 1
Computer Networks Domain Name System Jianping Pan Spring 2017 1/25/17 CSC361 1 Review: Web/HTTP Web URI/URL, HTML tags embedded/linked objects HTTP request and response persistence, statefulness web caching,
Lecture 7: Application Layer Domain Name System
Lecture 7: Application Layer Domain Name System COMP 332, Spring 2018 Victoria Manfredi Acknowledgements: materials adapted from Computer Networking: A Top Down Approach 7 th edition: 1996-2016, J.F Kurose
DNS Fundamentals. Steve Conte ICANN60 October 2017
DNS Fundamentals Steve Conte ICANN60 October 2017 Names and Numbers IP addresses easy for machines but hard for people IPv4: 192.0.2.7 IPv6: 2001:db8::7 People need to use names In the early days of the
THE BRUTAL WORLD OF DNSSEC
THE BRUTAL WORLD OF DNSSEC Patrik Fältström Head of Technology Netnod 1 Security Issues with DNS Zone Administrator Bad Data False Master Caching Resolver Zonefile Master Slave slave slave False Cache
Network Working Group. Category: Informational November 2007
Network Working Group S. Weiler Request for Comments: 5074 SPARTA, Inc. Category: Informational November 2007 Status of This Memo DNSSEC Lookaside Validation (DLV) This memo provides information for the
Expires: October 2000 April 2000
INTERNET-DRAFT UPDATES RFC 2535 Donald E. Eastlake 3rd Motorola Expires: October 2000 April 2000 DNS Request and Transaction Signatures ( SIG(0)s ) --- ------- --- ----------- ---------- - ------- -
DNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011
DNSSEC at ORNL Paige Stafford Joint Techs Conference, Fairbanks July 2011 Outline Background Brief review of DNSSEC ORNL before DNSSEC was implemented Implementation experience Signer appliance Validation
Advanced Networking. Domain Name System
Advanced Networking Domain Name System Purpose of DNS servers Human being has many identifications: 1) Our name can be used for identification Problem: Two differenet people may have same name. 2) Mobile
Advanced Networking. Domain Name System. Purpose of DNS servers. Purpose of DNS servers. Purpose of DNS servers
Purpose of DNS servers Advanced Networking Domain Name System Human being has many identifications: 1) Our name can be used for identification Problem: Two differenet people may have same name. 2) Mobile
CS Networks and Distributed Systems. Lecture 11: DNS + NAT. Revised 3/10/14
CS 3700 Networks and Distributed Systems Lecture 11: DNS + NAT Revised 3/10/14 2 Outline DNS NAT Other middleboxes Layer 8 (The Carbon-based nodes) 3 If you want to! Call someone, you need to ask for their
Network Working Group
Network Working Group R. Arends Request for Comments: 4035 Telematica Instituut Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein 3755, 3757, 3845 ISC Updates: 1034, 1035, 2136, 2181, 2308, 3225,
Transaction oriented DNS flow analysis (WIP)
Transaction oriented DNS flow analysis (WIP) Shigeya Suzuki / Bill Manning WIDE Project USC/ISI & Keio University + Auto-ID Labs Japan CAIDA Workshop 2006 @ISI, March 17th 2006 Topics Current on-going
Development of DNS security, attacks and countermeasures
Development of DNS security, attacks and countermeasures Karl Andersson Linköpings Tekniska Högskola karan496-at-student.liu.se David Montag Linköpings Tekniska Högskola davmo024-at-student.liu.se Abstract
Seamless transition of domain name system (DNS) authoritative servers
Vol. 9(12), pp. 566-570, 30 June, 2014 DOI: 10.5897/SRE2013.5741 Article Number: 2B9B29C45695 ISSN 1992-2248 2014 Copyright 2014 Author(s) retain the copyright of this article http://www.academicjournals.org/sre
GDS Resource Record: Generalization of the Delegation Signer Model
GDS Resource Record: Generalization of the Delegation Signer Model Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, France {gilles.guette, bernard.cousin, david.fort}@irisa.fr
Internet Engineering Task Force (IETF) Request for Comments: 6725 Category: Standards Track August 2012 ISSN:
Internet Engineering Task Force (IETF) S. Rose Request for Comments: 6725 NIST Category: Standards Track August 2012 ISSN: 2070-1721 Abstract DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004
DNS Extensions Internet-Draft Expires: November 15, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004 Protocol Modifications for the DNS
CNAME-based Redirection Design Notes
CNAME-based Redirection Design Notes When we configure a redirect type of local-zone or access-control action, we might want to specify a CNAME as the action data, whose canonical name is managed by an
Domain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot October 2008 Bengt Sahlin 2008/10/02 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
Internet Engineering Task Force (IETF) April Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
Internet Engineering Task Force (IETF) Request for Comments: 6605 Category: Standards Track ISSN: 2070-1721 P. Hoffman VPN Consortium W.C.A. Wijngaards NLnet Labs April 2012 Abstract Elliptic Curve Digital
3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,
3. The DNSSEC Primer Authentication (keys, signatures) Data Integrity (hashes) Chain of Trust (root zone, when signed) Authenticated Denial of Existence (NSEC, NSEC3) DNS Authoritative ROOT SERVERS TLD
Security Impact of DNS Delegation Structure and Configuration Problems
Universität Stuttgart INSTITUT FÜR NACHRICHTENVERMITTLUNG UND DATENVERARBEITUNG Prof. Dr.-Ing. Dr. h. c. mult. P. J. Kühn INSTITUT FÜR KOMMUNIKATIONSNETZE UND RECHNERSYSTEME Prof. Dr.-Ing. Dr. h. c. mult.
Networking Applications
Networking Dr. Ayman A. Abdel-Hamid College of Computing and Information Technology Arab Academy for Science & Technology and Maritime Transport 1 Outline Introduction Name Space concepts Domain Name Space
DNSSEC in Switzerland 2 nd DENIC Testbed Meeting
DNSSEC in Switzerland 2 nd DENIC Testbed Meeting Frankfurt, 26. January 2010 Samuel Benz samuel.benz@switch.ch About SWITCH The SWITCH foundation operates the national research network since 1987 SWITCH
Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status
Internet Engineering Task Force (IETF) S. Rose Request for Comments: 6944 NIST Updates: 2536, 2539, 3110, 4034, 4398, April 2013 5155, 5702, 5933 Category: Standards Track ISSN: 2070-1721 Applicability
Computer Networks Spring 2017 Homework 3 Due by 4/7/2017, 10:30am
- Computer Networks Spring Homework Due by //, :am (please submit through e-mail to zhuoc@cs.cmu.edu and srini@cs.cmu.edu) Name: A PP and DHT. Srini, in fear that the RIAA will shut down his centralized
Advanced Caching DNS Server
This chapter explains how to set the Caching DNS parameters for the advanced features of the server. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which
Domain Name System (DNS)
CPSC 360 - Network Programming Domain Name System (DNS) Michele Weigle Department of Computer Science Clemson University mweigle@cs.clemson.edu April 15, 2005 http://www.cs.clemson.edu/~mweigle/courses/cpsc360
Network Security Part 3 Domain Name System
Network Security Part 3 Domain Name System Domain Name System The$domain$name$system$(DNS)$is$an$applica6on7layer$ protocol$$for$mapping$domain$names$to$ip$addresses$ DNS www.example.com 208.77.188.166
DNSSEC for ISPs workshop.! João Damas
DNSSEC for ISPs workshop!!! João Damas (joao@isc.org) 1 Outline of workshop Brief intro to DNSSEC (30 ) Overview of zone signing (30 ) DNSSEC validation (60 ) trust anchors validation impact of enabling
ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
CS4700/5700: Network fundamentals
Cristina Nita-Rotaru CS4700/5700: Network fundamentals ARP. NAT,. 1: ARP Address Resolution Protocol (ARP) } Primarily used to translate IP addresses to Ethernet MAC addresses } The device drive for Ethernet
22/06/ :37 DNS COMPLIANCE. Fred Baker Internet Systems Consortium
DNS COMPLIANCE Fred Baker Internet Systems Consortium Background - 2014 ISC was in the process of adding DNS COOKIE (RFC 7873) to BIND and we wanted to see how many servers would mishandle DNS COOKIE options
(Towards) a Threshold Cryptographic Backend for DNSSEC
(Towards) a Threshold Cryptographic Backend for DNSSEC OARC 2011 Antonio Cansado acansado@niclabs.cl Pablo Sepúlveda psepulv@niclabs.cl Tomás Barros tbarros@niclabs.cl Victor Ramiro vramiro@niclabs.cl
Test cases for domain checks a step towards a best prac5ce. Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC
Test cases for domain checks a step towards a best prac5ce Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC Zonemaster Upcoming tool for test of delegacon of a domain The development of Zonemaster has several
RSA and ECDSA. Geoff Huston APNIC. #apricot2017
RSA and ECDSA Geoff Huston APNIC It s all about Cryptography Why use Cryptography? Public key cryptography can be used in a number of ways: protecting a session from third party eavesdroppers Encryption
Root Zone DNSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 51 51 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root Zone DNSSEC Key
Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO
Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN CTO Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard to tell if compromised From the user point of
DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr
DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and
Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution
SYSADMIN DNSSEC Sergey Ilin, Fotolia Trusted name resolution with DNSSEC CHAIN OF TRUST Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.
Madison, Wisconsin 9 September14
1 Madison, Wisconsin 9 September14 2 Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN Engineering 3 Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard
Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO
Security Overlays on Core Internet Protocols DNSSEC and RPKI Mark Kosters ARIN CTO Why are DNSSEC and RPKI Important Two critical resources DNS Routing Hard to tell if compromised From the user point of
Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer
CPSC 360 Network Programming Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer Systems Michele Weigle Department of Computer Science Clemson University mweigle@cs.clemson.edu
Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017
Understanding and Deploying DNSSEC Champika Wijayatunga SANOG29 - Pakistan Jan 2017 Agenda 1 2 3 Background Why DNSSEC? How it Works? 4 5 Signatures and Key Rollovers DNSSEC Demo 2 3 Background DNS in
Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016
Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016 edward.lewis@icann.org 1 Motivation for this talk ICANN is about to change an important configuration parameter in DNSSEC
DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)
DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs) olaf@nlnetlabs.nl Stichting NLnet Labs page 2 Registrars/ Registrants DNS Architecture As friend secondary As ISP Cache server Registry DB primary As
Protecting Privacy: The Evolution of DNS Security
Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015 Agenda DNS Overview
Testing IPv6 address records in the DNS root
Testing IPv6 address records in the DNS root February 2007 Geoff Huston Chief Scientist APNIC Priming a DNS name server 1. Take the provided root hints file 2. Generate a DNS query for resource records
Domain Name System Security
Domain Name System Security Eustace Asanghanwa Andrew Bates Shane Jahnke Brian Wilke Abstract In this paper, we examine the Domain Name System (DNS) and its secure successor, DNSSEC. Many exploits have
DANE Best Current Practice
DANE Best Current Practice draft-dukhovni-dane-ops-01 Viktor Dukhovni & Wes Hardaker IETF 87, Berlin July 2013 General DANE Guidelines (Type Independent) Large DNS payload issues Issues with large UDP
Questions? Post on piazza, or Radhika (radhika at eecs.berkeley) or Sameer (sa at berkeley)!
EE122 Fall 2013 HW3 Instructions Recor your answers in a file calle hw3.pf. Make sure to write your name an SID at the top of your assignment. For each problem, clearly inicate your final answer, bol an
You Should Delete Dns Delegations In The Parent Zone
You Should Delete Dns Delegations In The Parent Zone Currently I'm at the step where I should decommission one Server 2008 DC. It's going to remove the zone records for that DC from that DC and any references
ROOT SERVERS MANAGEMENT AND SECURITY
ROOT SERVERS MANAGEMENT AND SECURITY WSIS African regional meeting 01/29/05 ALAIN PATRICK AINA aalain@trstech.net What is DNS(1)? Addresses are used to locate objects Names are easier to remember than
Worst Current Practice. Lutz Donnerhacke IKS GmbH
Worst Current Practice Lutz Donnerhacke IKS GmbH Worst Current Practice Not a talk about simple bugs Too many WTFs to talk about Sometimes instructive anyway SEOS: IPv6 packets crash Ether Channels: Card
RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---
RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal --- Kazunori Fujiwara fujiwara@jprs.co.jp Japan Registry Services Co., Ltd (JPRS) DNS-OARC Workshop 2016/10/16 Last
Packet Traces from a Simulated Signed Root
Packet Traces from a Simulated Signed Root Duane Wessels DNS-OARC DNS-OARC Workshop Beijing, China November 2009 Background We know from active measurements that some DNS resolvers cannot receive large
The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance
The GNU Name System: A Public Key Infrastructure for Social Movements in the Age of Universal Surveillance Christian Grothoff The GNUnet Project 28.04.2017 Never doubt your ability to change the world.