getdns API Implementation Update Update Willem Toorop NLnet Labs 14 May 2015 NLnet Labs

Transcription

1 AP implementation Willem Toorop Update Willem Toorop ( ) getdns AP mplementation Update 1 / 13

2 AP is: A DNS AP specification by and for application developers (for resolving) (for applications) First implementation by From Verisign: and From : Allison Mankin, Glen Wiley, Neel Goyal, Angelique Finan, Craig Despeaux, Shumon Huque, Duane Wessels, Gowri Visweswaran, Scott Hollenbeck, Prithvi Ranganath, Sanjay Mahurpawar, Rushi Shah Willem Toorop ( ) LABS Willem Toorop, Wouter Wijngaards, Benno Overeinder From Sinodun: Sara & John Dickinson From No Mountain Software: Melinda Shore getdns AP mplementation Update 2 / 13

3 Motivation - for a new DNS AP From AP Design considerations:... There are other DNS APs available, but there has been very little uptake talking to application developers... the APs were developed by and for DNS people, not application developers... Goal... AP design from talking to application developers create a natural follow-on to gettadrinfo()... Originally edited by Paul Hoffman (publiced April 2013) Maintained by the getdnsapi.net team since October 2014 Willem Toorop ( ) getdns AP mplementation Update 3 / 13

4 Motivation - The Last Mile Could be your phone Could be the Wi-Fi. net NS net DS Application stub Authoritatives getdnsapi.net A getdnsapi.net A OS os getdnsapi.net A Validating Recursive Resolver malicious resolver net DNSKEY getdnsapi.net A net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi.net A getdnsapi getdnsapi.net DNSKEY getdnsapi.net A A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Willem Toorop ( ) getdns AP mplementation Update 4 / 13

5 Motivation - The Last Mile Authoritatives order.hbonow.com A stub. com NS com DS Application order.hbonow.com A OS Validating Recursive Resolver com DNSKEY order.hbonow.com A com DNSKEY hbonow.com NS hbonow.com DS com hbonow.com DNSKEY order.hbonow.com A hbonow.com hbonow.com DNSKEY NXDOMAN order.hbonow.com A A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Willem Toorop ( ) getdns AP mplementation Update 4 / 13

6 Motivation - The Last Mile Authoritatives order.hbonow.com A stub. com NS com DS Application order.hbonow.com A OS Validating Recursive Resolver com DNSKEY order.hbonow.com A com DNSKEY hbonow.com NS hbonow.com DS com hbonow.com DNSKEY order.hbonow.com A hbonow.com hbonow.com DNSKEY NXDOMAN order.hbonow.com A Willem Toorop ( ) getdns AP mplementation Update 4 / 13

7 Motivation - The Last Mile Validating Recursive Resolver stub OS. net NS net DS Application Authoritatives net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure (AD bit not given with getaddrinfo()) Willem Toorop ( ) getdns AP mplementation Update 4 / 13

8 Motivation - The Last Mile net NS net DS Application Validating Recursive Resolver stub OS Authoritatives. net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY Willem Toorop ( ) getdns AP mplementation Update 4 / 13

9 Motivation - The Last Mile Application OS os DNSSECAware Resolver getdnsapi.net DNSKEY Authoritatives. net NS net DS net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure Network resolver doesn t need to validate. Willem Toorop ( ) getdns AP mplementation Update 4 / 13

10 Motivation - The Last Mile Authoritatives OS os. net NS net DS net DNSKEY Application Recursive Resolver getdnsapi.net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure Network resolver doesn t need to validate. And when it is not even DNSSEC-aware? Willem Toorop ( ) getdns AP mplementation Update 4 / 13

11 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Easy to inspect: getdns pretty print dict() new getdns print json dict() Maps well to popular modern scripting languages Have a look at Willem Toorop ( ) getdns AP mplementation Update 5 / 13

12 mplementation - Features Willem Toorop ( ) getdns AP mplementation Update 5 / 13

13 mplementation - Features Willem Toorop ( ) getdns AP mplementation Update 5 / 13

14 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at Set custom memory management functions No none-custom mallocs when in stub mode anymore new native stub resolver replaced libunbound Minimizing memory allocations and deallocations new No intermediate ldns host format More optimizations in the future Willem Toorop ( ) getdns AP mplementation Update 5 / 13

15 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Set custom memory management functions Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at No none-custom mallocs when in stub mode anymore new Minimizing memory allocations and deallocations new Asynchronous modus operandi is the default new Use getdns context run() Use an even base of choice: libevent, libev, libuv Or hook into the applications native event base updated The nodejs bindings ios POC example hooked into grand central dispatch Willem Toorop ( ) getdns AP mplementation Update 5 / 13

16 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Set custom memory management functions No none-custom mallocs when in stub mode anymore new Minimizing memory allocations and deallocations new Asynchronous modus operandi is the default Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at new Use getdns context run() Use an even base of choice: libevent, libev, libuv Or hook into the applications native event base updated Last two give firm grasp on lower-level behaviour of the library Willem Toorop ( ) getdns AP mplementation Update 5 / 13

17 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library Willem Toorop ( ) getdns AP mplementation Update 6 / 13

18 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies Willem Toorop ( ) getdns AP mplementation Update 6 / 13

19 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen Willem Toorop ( ) getdns AP mplementation Update 6 / 13

20 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen New transport options GETDNS TRANSPORT... TCP ONLY KEEP CONNECTONS OPEN Works on (some) existing name servers TLS ONLY KEEP CONNECTONS OPEN TLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN STARTTLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN Following draft-ietf-dprive-start-tls-for-dns-00 Willem Toorop ( ) getdns AP mplementation Update 6 / 13

21 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen New transport options GETDNS TRANSPORT... TCP ONLY KEEP CONNECTONS OPEN Works on (some) existing name servers TLS ONLY KEEP CONNECTONS OPEN TLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN STARTTLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN Following draft-ietf-dprive-start-tls-for-dns-00 Special Cookies/TCP/TLS only open resolver for experimentation available on 2a04:b900:0:100::38 and Willem Toorop ( ) getdns AP mplementation Update 6 / 13

22 mplementation - Bindings nodejs by Neel Goyal python by Melinda Shore new Now does async processing too! java bindings by Prithvi Ranganath and Sanjay Mahurpawar new new php bindings by Scott Hollenbeck Willem Toorop ( ) getdns AP mplementation Update 7 / 13

23 Road map C library Release candidate for just announced Version 0.3 will contain native stub DNSSEC validation (soon) No dependency on ldns any more Version 0.5 will do Just n Time wire format parsing Better timeout and transport fallback handling TSG, Dynamic Updates (@ETF93) (in 0.3) More language bindings, more platforms, more name systems Perl, Ruby MS-Windows, Android DNSSD Willem Toorop ( ) getdns AP mplementation Update 8 / 13

24 The Next Web - Hack Battle - 22 & 23 April 2015 A dam Willem Toorop ( ) getdns AP mplementation Update 9 / 13

25 The Next Web - Hack Battle - 22 & 23 April 2015 A dam Bambi - DNS Slack bot A bot doing lookups on request in a chat environment by Tom Mazer spytransfer A from the ground up secure alternative to WeTransfer using a DNSSEC zone for transfer of encryption keys by Bas van Ooyen, Willem Westra, Bart van Halder and Wessel Stoker Willem Toorop ( ) getdns AP mplementation Update 10 / 13

26 The Next Web - Hack Battle - 22 & 23 April 2015 A dam Looksig Give visual (emojicon) representation of KSK keytag for an address (OPENPGPKEY) lookup by Jelle Herold Part of his security and privacy for the non-tech users project Willem Toorop ( ) getdns AP mplementation Update 11 / 13

27 The Next Web - Hack Battle - 22 & 23 April 2015 A dam getsec (winner) Browser plugin that returns DNSSEC status already on hover by Timothy Armstrong, Warren Pai and Nicola Chinellato Willem Toorop ( ) getdns AP mplementation Update 12 / 13

28 Security starts with a name website AP spec latest tarball github node python java php repo repo repo repo repo AP list users list me Willem Toorop <willem@nlnetlabs.nl> Willem Toorop ( ) getdns AP mplementation Update 13 / 13