getdns API Implementation Update Update Willem Toorop NLnet Labs 14 May 2015 NLnet Labs
|
|
- Cordelia Dorsey
- 5 years ago
- Views:
Transcription
1 AP implementation Willem Toorop Update Willem Toorop ( ) getdns AP mplementation Update 1 / 13
2 AP is: A DNS AP specification by and for application developers (for resolving) (for applications) First implementation by From Verisign: and From : Allison Mankin, Glen Wiley, Neel Goyal, Angelique Finan, Craig Despeaux, Shumon Huque, Duane Wessels, Gowri Visweswaran, Scott Hollenbeck, Prithvi Ranganath, Sanjay Mahurpawar, Rushi Shah Willem Toorop ( ) LABS Willem Toorop, Wouter Wijngaards, Benno Overeinder From Sinodun: Sara & John Dickinson From No Mountain Software: Melinda Shore getdns AP mplementation Update 2 / 13
3 Motivation - for a new DNS AP From AP Design considerations:... There are other DNS APs available, but there has been very little uptake talking to application developers... the APs were developed by and for DNS people, not application developers... Goal... AP design from talking to application developers create a natural follow-on to gettadrinfo()... Originally edited by Paul Hoffman (publiced April 2013) Maintained by the getdnsapi.net team since October 2014 Willem Toorop ( ) getdns AP mplementation Update 3 / 13
4 Motivation - The Last Mile Could be your phone Could be the Wi-Fi. net NS net DS Application stub Authoritatives getdnsapi.net A getdnsapi.net A OS os getdnsapi.net A Validating Recursive Resolver malicious resolver net DNSKEY getdnsapi.net A net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi.net A getdnsapi getdnsapi.net DNSKEY getdnsapi.net A A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Willem Toorop ( ) getdns AP mplementation Update 4 / 13
5 Motivation - The Last Mile Authoritatives order.hbonow.com A stub. com NS com DS Application order.hbonow.com A OS Validating Recursive Resolver com DNSKEY order.hbonow.com A com DNSKEY hbonow.com NS hbonow.com DS com hbonow.com DNSKEY order.hbonow.com A hbonow.com hbonow.com DNSKEY NXDOMAN order.hbonow.com A A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Willem Toorop ( ) getdns AP mplementation Update 4 / 13
6 Motivation - The Last Mile Authoritatives order.hbonow.com A stub. com NS com DS Application order.hbonow.com A OS Validating Recursive Resolver com DNSKEY order.hbonow.com A com DNSKEY hbonow.com NS hbonow.com DS com hbonow.com DNSKEY order.hbonow.com A hbonow.com hbonow.com DNSKEY NXDOMAN order.hbonow.com A Willem Toorop ( ) getdns AP mplementation Update 4 / 13
7 Motivation - The Last Mile Validating Recursive Resolver stub OS. net NS net DS Application Authoritatives net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure (AD bit not given with getaddrinfo()) Willem Toorop ( ) getdns AP mplementation Update 4 / 13
8 Motivation - The Last Mile net NS net DS Application Validating Recursive Resolver stub OS Authoritatives. net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY Willem Toorop ( ) getdns AP mplementation Update 4 / 13
9 Motivation - The Last Mile Application OS os DNSSECAware Resolver getdnsapi.net DNSKEY Authoritatives. net NS net DS net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure Network resolver doesn t need to validate. Willem Toorop ( ) getdns AP mplementation Update 4 / 13
10 Motivation - The Last Mile Authoritatives OS os. net NS net DS net DNSKEY Application Recursive Resolver getdnsapi.net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure Network resolver doesn t need to validate. And when it is not even DNSSEC-aware? Willem Toorop ( ) getdns AP mplementation Update 4 / 13
11 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Easy to inspect: getdns pretty print dict() new getdns print json dict() Maps well to popular modern scripting languages Have a look at Willem Toorop ( ) getdns AP mplementation Update 5 / 13
12 mplementation - Features Willem Toorop ( ) getdns AP mplementation Update 5 / 13
13 mplementation - Features Willem Toorop ( ) getdns AP mplementation Update 5 / 13
14 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at Set custom memory management functions No none-custom mallocs when in stub mode anymore new native stub resolver replaced libunbound Minimizing memory allocations and deallocations new No intermediate ldns host format More optimizations in the future Willem Toorop ( ) getdns AP mplementation Update 5 / 13
15 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Set custom memory management functions Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at No none-custom mallocs when in stub mode anymore new Minimizing memory allocations and deallocations new Asynchronous modus operandi is the default new Use getdns context run() Use an even base of choice: libevent, libev, libuv Or hook into the applications native event base updated The nodejs bindings ios POC example hooked into grand central dispatch Willem Toorop ( ) getdns AP mplementation Update 5 / 13
16 mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Set custom memory management functions No none-custom mallocs when in stub mode anymore new Minimizing memory allocations and deallocations new Asynchronous modus operandi is the default Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at new Use getdns context run() Use an even base of choice: libevent, libev, libuv Or hook into the applications native event base updated Last two give firm grasp on lower-level behaviour of the library Willem Toorop ( ) getdns AP mplementation Update 5 / 13
17 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library Willem Toorop ( ) getdns AP mplementation Update 6 / 13
18 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies Willem Toorop ( ) getdns AP mplementation Update 6 / 13
19 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen Willem Toorop ( ) getdns AP mplementation Update 6 / 13
20 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen New transport options GETDNS TRANSPORT... TCP ONLY KEEP CONNECTONS OPEN Works on (some) existing name servers TLS ONLY KEEP CONNECTONS OPEN TLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN STARTTLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN Following draft-ietf-dprive-start-tls-for-dns-00 Willem Toorop ( ) getdns AP mplementation Update 6 / 13
21 mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen New transport options GETDNS TRANSPORT... TCP ONLY KEEP CONNECTONS OPEN Works on (some) existing name servers TLS ONLY KEEP CONNECTONS OPEN TLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN STARTTLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN Following draft-ietf-dprive-start-tls-for-dns-00 Special Cookies/TCP/TLS only open resolver for experimentation available on 2a04:b900:0:100::38 and Willem Toorop ( ) getdns AP mplementation Update 6 / 13
22 mplementation - Bindings nodejs by Neel Goyal python by Melinda Shore new Now does async processing too! java bindings by Prithvi Ranganath and Sanjay Mahurpawar new new php bindings by Scott Hollenbeck Willem Toorop ( ) getdns AP mplementation Update 7 / 13
23 Road map C library Release candidate for just announced Version 0.3 will contain native stub DNSSEC validation (soon) No dependency on ldns any more Version 0.5 will do Just n Time wire format parsing Better timeout and transport fallback handling TSG, Dynamic Updates (@ETF93) (in 0.3) More language bindings, more platforms, more name systems Perl, Ruby MS-Windows, Android DNSSD Willem Toorop ( ) getdns AP mplementation Update 8 / 13
24 The Next Web - Hack Battle - 22 & 23 April 2015 A dam Willem Toorop ( ) getdns AP mplementation Update 9 / 13
25 The Next Web - Hack Battle - 22 & 23 April 2015 A dam Bambi - DNS Slack bot A bot doing lookups on request in a chat environment by Tom Mazer spytransfer A from the ground up secure alternative to WeTransfer using a DNSSEC zone for transfer of encryption keys by Bas van Ooyen, Willem Westra, Bart van Halder and Wessel Stoker Willem Toorop ( ) getdns AP mplementation Update 10 / 13
26 The Next Web - Hack Battle - 22 & 23 April 2015 A dam Looksig Give visual (emojicon) representation of KSK keytag for an address (OPENPGPKEY) lookup by Jelle Herold Part of his security and privacy for the non-tech users project Willem Toorop ( ) getdns AP mplementation Update 11 / 13
27 The Next Web - Hack Battle - 22 & 23 April 2015 A dam getsec (winner) Browser plugin that returns DNSSEC status already on hover by Timothy Armstrong, Warren Pai and Nicola Chinellato Willem Toorop ( ) getdns AP mplementation Update 12 / 13
28 Security starts with a name website AP spec latest tarball github node python java php repo repo repo repo repo AP list users list me Willem Toorop <willem@nlnetlabs.nl> Willem Toorop ( ) getdns AP mplementation Update 13 / 13
API implementation. Willem Toorop NLnet. Labs. 11 May NLnet. Labs
AP implementation Willem Toorop Willem@.nl Willem Toorop ( ) getdns AP mplementation 1 / 22 AP is: A DNS AP specification by and for application developers (for resolving) (for applications) LABS From
More informationA new stub resolver. Willem Toorop.
A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification by and for application developers First implementation by LABS From Verisign: (for resolving) (for application) and
More informationDNS Privacy - Implementation and Deployment Status
DNS Privacy - Implementation and Deployment Status Sara Dickinson Sinodun Allison Mankin Salesforce IEPG@IETF96 Berlin, July 2016 DNS Privacy - Background RFC 7558 - Pervasive Monitoring is an Attack DPRIVE
More informationThe Importance of Being an Earnest stub
The Importance of Being an Earnest Challenges and solution for the versatile Willem Toorop 13 May 2017 OARC 26 (Madrid) From the ground-up security et n A rc a -o s 98 n 1 d 910 1 4 6 Recursive dns-oarc
More informationDNS Privacy Clients. Stubby, Mobile apps and beyond! dnsprivacy.org
DNS Privacy Clients Stubby, Mobile apps and beyond! dnsprivacy.org Sara Dickinson Allison Mankin Willem Toorop sara@sinodun.com amankin@salesforce.com willem@nlnetlabs.com OARC 27 San Jose, Sep 2017 Overview
More informationMeasuring DNSSEC validation deployment with RIPE ATLAS. Willem Toorop (presenting) Nicolas Canceill.
Measuring DNSSEC validation deployment with RPE ATLAS Willem Toorop (presenting) Willem@.nl Nicolas Canceill nicolas.canceill@os3.nl Willem Toorop ( ) 1 / 11 Research scope Research question What is the
More informationHow to get a trustworthy DNS Privacy enabling recursive resolver
How to get a trustworthy DNS an analysis of authentication mechanisms for DNS s Willem Toorop NLnet Labs (presenter) Melinda Shore Fastly Benno Overeinder NLnet Labs DNS over TLS What are the actors, and
More informationDNS Sessions. - where next? OARC 27 San Jose, Sep Sep 2017, San Jose. DNS OARC 27
DNS Sessions - where next? Sara Dickinson sara@sinodun.com OARC 27 San Jose, Sep 2017 1 Overview A tour of the evolution of doing DNS over session based protocols Recent use cases for DNS Sessions Trade-offs
More informationA Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover
A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover Duane Wessels DNS-OARC 26 San Jose, CA September 29, 2017 Background 2 2017 Root Zone KSK Rollover October 11, 2017! Root zone DNSKEY
More informationLatest Measurements on DNS Privacy
Latest Measurements on DNS Privacy Sinodun Sara Dickinson sara@sinodun.com (Presenter) John Dickinson jad@sinodun.com Jim Hague jim@sinodun.com 1 Agenda Two topics Summary of initial benchmarking work
More informationRoot KSK Roll Update Webinar
Root KSK Roll Update Webinar Matt Larson, VP of Research 11 October 2017 1 Who has KSK-2017 configured as a trust anchor? Until recently, there was no way to know which trust anchors validators have configured
More informationgetdns Documentation Release Melinda Shore, Gowri Visweswaran
getdns Documentation Release 0.2.1 Melinda Shore, Gowri Visweswaran April 08, 2015 Contents 1 Dependencies 3 2 Building 5 3 Using getdns 7 3.1 Contexts.................................................
More informationInternet Engineering Task Force. Updates: 6698 (if approved) Intended status: Standards Track Expires: January 06, 2016 Two Sigma July 05, 2015
Internet Engineering Task Force Internet-Draft Updates: 6698 (if approved) Intended status: Standards Track Expires: January 06, 2016 S. Huque Verisign Labs D. James Verisign, Inc. V. Dukhovni Two Sigma
More informationRecommendations for DNS Privacy Service Operators
Recommendations for DNS Privacy Service Operators Presenter: Sara Dickinson sara@sinodun.com Co-authors: Roland van Rijswijk-Deij, Allison Mankin, Benno Overeinder 1 Brief history of DNS Privacy Date 2
More informationDeveloping a monitoring plugin for DNS-over-TLS at the IETF hackathon
Developing a monitoring plugin for DNS-over-TLS at the IETF hackathon Stéphane Bortzmeyer First publication of this article on 7 March 017 The weekend of 5-6 march 017, I
More informationInternet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015
Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: 2070-1721 W. Kumari Google P. Hoffman ICANN November 2015 Decreasing Access Time to Root Servers by Running
More informationQNAME minimisation. Ralph Dolmans (NLnet Labs) https://www.nlnetlabs.nl/ March 2016 Stichting NLnet Labs
QNAME minimisation Ralph Dolmans ralph@nlnetlabs.nl (NLnet Labs) March 2016 Stichting NLnet Labs page 2 Introduction About NLnet Labs A not for profit, public benefit foundation develop Open Source software
More informationHands on tutorial. Willem Toorop, NLNet Labs Shumon Huque, Verisign Glen Wiley, Verisign
Hands on tutorial Willem Toorop, NLNet Labs Shumon Huque, Verisign Glen Wiley, Verisign About getdns API = a DNS API specification resolving names getdns API = created by and for applications developers
More informationDeveloping DNS-over-HTTPS clients and servers
Developing DNS-over-HTTPS clients and servers Stéphane Bortzmeyer First publication of this article on 23 March 2018 The weekend of 17-18 March 2018, I participated to the
More informationDNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
More informationThe Changing Landscape of the DNS
The Changing Landscape of the DNS or: the Battle for the Namespace Roland van Rijswijk-Deij Benno Overeinder RoN++ meeting Introduction That the DNS has privacy issues is a public secret Protocol from
More informationUpdates: 7858 (if approved) Intended status: Standards Track Expires: March 15, 2018 McAfee September 11, 2017
dprive Internet-Draft Updates: 7858 (if approved) Intended status: Standards Track Expires: March 15, 2018 S. Dickinson Sinodun D. Gillmor ACLU T. Reddy McAfee September 11, 2017 Usage and (D)TLS Profiles
More informationRolling the Root KSK. Geoff Huston. APNIC Labs. September 2017
Rolling the Root KSK Geoff Huston APNIC Labs September 2017 Will this break the Internet? Why? If we stuff up this trust anchor key roll then resolvers that perform DNSSEC validation will fail to provide
More informationDANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!
DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014! Outline! What is DANE?! The TLSA Record! TLSA Browser Plugin! Generating the TLSA Record! Other uses for DANE! 2!
More informationWhere s my DNS? Sara Dickinson IDS 2. Where s my DNS?
Sara Dickinson sara@sinodun.com Stub to recursive The DNS protocol is evolving DoT: DNS-over-TLS DoH: DNS-over-HTTPS (WIP) DoT RFC7858 standard May 2016 Implemented to-date in standard open source DNS
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. McAfee March 2018
Internet Engineering Task Force (IETF) Request for Comments: 8310 Updates: 7858 Category: Standards Track ISSN: 2070-1721 S. Dickinson Sinodun D. Gillmor ACLU T. Reddy McAfee March 2018 Usage Profiles
More informationThat KSK Roll. Geoff Huston APNIC Labs
That KSK Roll Geoff Huston APNIC Labs The DNS may look simple But with the DNS, looks are very deceiving So lets talk DNSSEC DNSSEC introduces digital signatures into the DNS It allows a DNS resolver to
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationMulti Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02. Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K.
Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K. Note to the DNS Camel* This document does not propose any new extensions
More informationMeasuring the effects of DNSSEC deployment on query load
Measuring the effects of DNSSEC deployment on query load Jelte Jansen NLnet Labs NLnet Labs document 26-2 May 1, 26 Abstract Ripe NCC recently started signing the zones on their DNS servers. This document
More informationthe edge (end user devices)
Living on the Edge Greatly needed stub resolver capabilities for applications and systems with the library Willem Toorop 4 February 2018 FOSDEM18 (Bruxelles) photo: Pixabay the edge (end user devices)
More informationImpact of security vulnerabilities in timing protocols on Domain Name System (DNS)
November 12 2017 IEPG Open Meeting-IETF100 Impact of security vulnerabilities in timing protocols on Domain Name System (DNS) Aanchal Malhotra 1, Willem Toorop 2, Benno Overeinder 2, Sharon Goldberg 1
More informationMonitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein
Monitoring DNSSEC Martin Leucht Julien Nyczak Supervisor: Rick van Rein System and Network Engineering 2015 Introduction DNSSEC becomes more and more popular
More informationDNS Privacy. EDU Tutorial dnsprivacy.org. Sara Dickinson Sinodun
DNS Privacy EDU Tutorial dnsprivacy.org Sara Dickinson Sinodun sara@sinodun.com IETF 99 Prague, July 2017 Overview The problem: Why Internet privacy and DNS Privacy are important (DNS leakage) Recent Progress:
More informationRIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.
K-root and DNSSEC Wolfgang Nagele RIPE NCC RIPE NCC One of the five Regional Internet Registries Provides IP address and AS number resources to Europe and Middle-East regions DNS related work - Parent
More informationDNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
More informationMAGPI: Advanced Services IPv6, Multicast, DNSSEC
MAGPI: Advanced Services IPv6, Multicast, DNSSEC Shumon Huque MAGPI GigaPoP & Univ. of Pennsylvania MAGPI Technical Meeting April 19th 2006, Philadelphia, PA 1 Outline A description of advanced services
More informationRoot KSK Roll Delay Update
Root KSK Roll Delay Update Data is good! David Conrad, CTO (channeling Roy Arends, ICANN Principal Research Scientist) 12 November 2017 1 Background When you validate DNSSEC signed DNS records, you need
More informationRolling the Root. Geoff Huston APNIC Labs March 2016
Rolling the Root Geoff Huston APNIC Labs March 2016 Use of DNSSEC Validation in Today s Internet Why is this relevant? Because the root zone managers are preparing to roll the DNS Root Zone Key Signing
More informationProtecting Privacy: The Evolution of DNS Security
Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015 Agenda DNS Overview
More informationDoH and DoT experience. Ólafur Guðmundsson Marek Vavrusa
DoH and DoT experience Ólafur Guðmundsson Marek Vavrusa Announced April 1 st 2018 Our mission: to help build a better Internet. We use 1.1.1.1 and 1.0.0.1 (easy to remember) for our resolver. DNS resolver,
More informationDNSSEC KSK-2010 Trust Anchor Signal Analysis
DNSSEC KSK-2010 Trust Anchor Signal Analysis MAPRG @ IETF102 1 Overview Background: DNSSEC KSK rollover and plan Problems with the KSK rollover Case study analysis: difficulty in identifying old Trust
More informationOverview of Open Source Tools for DNSSEC
Overview of Open Source Tools for DNSSEC Russ Mundy Analytic Solutions (aka: SPARTA, Inc. ) June 23, 2010 I need to have a WWW record Simple DNS Illustration Add Zone Administrator Zone Data publish Authoritative
More informationPacket Traces from a Simulated Signed Root
Packet Traces from a Simulated Signed Root Duane Wessels DNS-OARC DNS-OARC Workshop Beijing, China November 2009 Background We know from active measurements that some DNS resolvers cannot receive large
More informationDNS(SEC) client analysis
DNS(SEC) client analysis powered by assisted by Bart Gijsen (TNO) DNS-OARC, San Francisco, March 2011 Overview DNS traffic analysis CLIENT [8], [9] Applic. browser Operating system DNS stub [7] Resolver
More informationUnderstanding and Characterizing Hidden Interception of the DNS Resolution Path
Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, YingLiu, ZhouLi, ShuangHaoand MinYang ISP DNS Resolver DNS
More informationThe DNS Camel. Or How many features can we add to this protocol before it breaks? Bert Hubert /
The DNS Camel Or How many features can we add to this protocol before it breaks? Bert Hubert / bert.hubert@powerdns.com 185 RFCs 2781 pages / 166891 lines 888233 words This is 2 times The C++
More informationThe impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net
The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net Olaf M. Kolkman Question What would be the immediate and initial effect on memory, CPU and bandwidth resources if we were to deploy DNSSEC
More informationOverview of Open Source Tools for DNSSEC
Overview of Open Source Tools for DNSSEC Russ Mundy SPARTA, Inc. March 10, 2010 1 I need to have a WWW record Simple DNS Illustration Add Zone Administrator Zone Data publish Authoritative Server Administrator
More informationKeeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson
Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson olafur@cloudflare.com How long does it take to? Post a new selfie on Facebook and all your friends to be notified few seconds
More informationDNSSEC Workshop. Dan York, Internet Society ICANN 54 October 2015
DNSSEC Workshop Dan York, Internet Society ICANN 54 October 2015 Remote Participation Slides and audio streams at: https://meetings.icann.org/en/dublin54/ schedule/wed-dnssec Live video stream via YouTube
More informationDENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:
More informationRoot Zone DNSSEC KSK Rollover. DSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 2017 Edward Lewis DSSEC KSK Rollover ENOG 15 Edward.Lewis@icann.org FIRST TC September 11, 2017 5 June 2018 The Basics This talk is related to the Domain Name System, in particular,
More informationIs your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018
lieter_ PowerDNS pieterlexis PowerDNS Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018 1 What s all this about? A DNS recap What is EDNS? Issues with EDNS on the internet
More informationYahoo Search ATS Plugins. Daniel Morilha and Scott Beardsley
Yahoo Search ATS Plugins Daniel Morilha and Scott Beardsley About Us We have a HUGE team! Serves traffic which generates ~40% of Yahoo s $$$ We run both Search Ingress and Egress Maintain around a dozen
More informationDNSSEC in Switzerland 2 nd DENIC Testbed Meeting
DNSSEC in Switzerland 2 nd DENIC Testbed Meeting Frankfurt, 26. January 2010 Samuel Benz samuel.benz@switch.ch About SWITCH The SWITCH foundation operates the national research network since 1987 SWITCH
More informationHarness Your Internet Activity
Harness Your Internet Activity Enabling Efficiency and Service Differentiation Ralf Weber October 13, 2014 Authoritative DNS Proven High-performance Tested with up to 1 Billion resource records per server
More informationIPv6 How-To for a Registry 17th CENTR Technical Workshop
IPv6 How-To for a Registry 17th CENTR Technical Workshop Amsterdam, October 2007 Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet (jordi.palet@consulintel.es) Introduction Main steps to be undertaken
More informationKSK Roll Prepping: RFC Presented at RIPE 71 DNS WG November 19, 2015
KSK Roll Prepping: RFC 5011 Presented at RIPE 71 DNS WG November 19, 2015 Intro ICANN is preparing to roll the Root Zone KSK ICANN performs the management of the root zone KSK as part of fulfilling the
More informationLess is More Cipher-Suite Negotiation for DNSSEC
Less is More Cipher-Suite Negotiation for DNSSEC Amir Herzberg Bar-Ilan University Haya Shulman Technische Universität Darmstadt Bruno Crispo Trento University Domain Name System (DNS) Lookup services
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationECE 435 Network Engineering Lecture 7
ECE 435 Network Engineering Lecture 7 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 25 September 2018 HW#3 was Posted Announcements 1 HW#2 Review C code will be discussed next
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationA Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationRoot Zone DNSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 51 51 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root Zone DNSSEC Key
More informationInternet Engineering Task Force (IETF) April Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
Internet Engineering Task Force (IETF) Request for Comments: 6605 Category: Standards Track ISSN: 2070-1721 P. Hoffman VPN Consortium W.C.A. Wijngaards NLnet Labs April 2012 Abstract Elliptic Curve Digital
More informationA New Internet? RIPE76 - Marseille May Jordi Palet
A New Internet? RIPE76 - Marseille May 2018 Jordi Palet (jordi.palet@theipv6company.com) -1 (a quick) Introduction to HTTP/2, QUIC and DOH and more RIPE76 - Marseille May 2018 Jordi Palet (jordi.palet@theipv6company.com)
More informationAn Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
More informationWeb Security. Mahalingam Ramkumar
Web Security Mahalingam Ramkumar Web Security Abusing cookies Phishing, Spreading misinformation You are not seeing what you think you are! HREFs, Ill-constructed strings in HREFs Dynamic HTML, Scripting
More informationTESTING WEB SERVICES WITH WEBDRIVER AND QUICKCHECK
TESTING WEB SERVICES WITH WEBDRIVER AND QUICKCHECK Alex Gerdes (joint work with Thomas Arts, John Hughes, Hans Svensson and Ulf Norell) QuviQ AB ABOUT ME From the Netherlands, now living in Sweden Worked
More informationJenkins: A complete solution. From Continuous Integration to Continuous Delivery For HSBC
Jenkins: A complete solution From Integration to Delivery For HSBC Rajesh Kumar DevOps Architect @RajeshKumarIN www.rajeshkumar.xyz Agenda Why Jenkins? Introduction and some facts about Jenkins Supported
More informationDNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet
DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring
More informationInternet Engineering Task Force (IETF) Request for Comments: 8509 Category: Standards Track. Google December 2018
Internet Engineering Task Force (IETF) Request for Comments: 8509 Category: Standards Track ISSN: 2070-1721 G. Huston J. Damas APNIC W. Kumari Google December 2018 A Root Key Trust Anchor Sentinel for
More informationInternet Engineering Task Force (IETF) Obsoletes: 2671, 2673 Category: Standards Track. April 2013
Internet Engineering Task Force (IETF) Request for Comments: 6891 STD: 75 Obsoletes: 2671, 2673 Category: Standards Track ISSN: 2070-1721 J. Damas Bond Internet Systems M. Graff P. Vixie Internet Systems
More informationDNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr
DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and
More informationWhen HTTPS Meets CDN: A Case of Authentication in Delegated Services. J. Liang, J. Jiang, H. Duan, K. Li, T. Wan, J. Wu
When HTTPS Meets CDN: A Case of Authentication in Delegated Services J. Liang, J. Jiang, H. Duan, K. Li, T. Wan, J. Wu Problem statement: TLS, an End-to-End Protocol 2 Problem Statement: End-to-End Protocol
More informationRoot KSK Roll Delay Update
Root KSK Roll Delay Update PacNOG 21 Patrick Jones, Sr. Director, Global Stakeholder Engagement 4 December 2017 1 Background When you validate DNSSEC signed DNS records, you need a Trust Anchor. A Trust
More informationFoundations of Python
Foundations of Python Network Programming The comprehensive guide to building network applications with Python Second Edition Brandon Rhodes John Goerzen Apress Contents Contents at a Glance About the
More informationNetwork Working Group Request for Comments: 5702 Category: Standards Track October 2009
Network Working Group J. Jansen Request for Comments: 5702 NLnet Labs Category: Standards Track October 2009 Abstract Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC This
More informationImplementing DNSSEC with DynDNS and GoDaddy
Implementing DNSSEC with DynDNS and GoDaddy Lawrence E. Hughes Sixscape Communications 27 December 2017 DNSSEC is an IETF standard for adding security to the DNS system, by digitally signing every resource
More informationF5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution
F5 Technical Brief F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management
More informationBut before understanding the Selenium WebDriver concept, we need to know about the Selenium first.
As per the today s scenario, companies not only desire to test software adequately, but they also want to get the work done as quickly and thoroughly as possible. To accomplish this goal, organizations
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More information6 March 2012
6 March 2012 richard.lamb@icann.org www.majorbank.se=? 1.2.3.4 Get page Login page Username / Password Account Data DNS Resolver ISP www.majorbank.se = 1.2.3.4 DNS Server webserver www @ 1.2.3.4 Majorbank
More informationIntended status: Standards Track Expires: September 2, 2017 March 01, 2017
Network Working Group Internet-Draft Intended status: Standards Track Expires: September 2, 2017 A. Ghedini Cloudflare, Inc. V. Vasiliev Google March 01, 2017 Transport Layer Security (TLS) Certificate
More informationReview. Fundamentals of Website Development. Web Extensions Server side & Where is your JOB? The Department of Computer Science 11/30/2015
Fundamentals of Website Development CSC 2320, Fall 2015 The Department of Computer Science Review Web Extensions Server side & Where is your JOB? 1 In this chapter Dynamic pages programming Database Others
More informationDNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited
DNS Firewall with Response Policy Zone Suman Kumar Saha bdcert suman@bdcert.org Amber IT Limited suman@amberit.com.bd DNS Response Policy Zone(RPZ) as Firewall RPZ allows a recursive server to control
More informationOverview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly
Last Lecture Overview Scheduled tasks and log management This Lecture DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly Next Lecture Address assignment (DHCP) TELE 301 Lecture 11: DNS 1 TELE
More information3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,
3. The DNSSEC Primer Authentication (keys, signatures) Data Integrity (hashes) Chain of Trust (root zone, when signed) Authenticated Denial of Existence (NSEC, NSEC3) DNS Authoritative ROOT SERVERS TLD
More informationWhat If Everyone Did It? Geoff Huston APNIC Labs
What If Everyone Did It? Geoff Huston APNIC Labs DNS Security Se#ng the AD bit in a recursive resolver response seems like a rather unimpressive way of conveying a posi;ve security outcome, and in the
More informationA Cache Management Strategy for Shortening DNSSEC Name Resolution Time
A Cache Management Strategy for Shortening DNSSEC Name Resolution Time Shuta FUKUDA 1 and Takayuki FUJINO 2 Abstract To protect the DNS data from cache poisoning attack, the DNSSEC has been deployed on
More informationDDoS on DNS: past, present and inevitable. Töma Gavrichenkov
DDoS on DNS: past, present and inevitable Töma Gavrichenkov DNS DDoS types Volumetric: amplification, other floods Water torture and the likes DNS DDoS problem statement DNS is built on
More information22/06/ :37 DNS COMPLIANCE. Fred Baker Internet Systems Consortium
DNS COMPLIANCE Fred Baker Internet Systems Consortium Background - 2014 ISC was in the process of adding DNS COOKIE (RFC 7873) to BIND and we wanted to see how many servers would mishandle DNS COOKIE options
More information2017 DNSSEC KSK Rollover. Guillermo Cicileo LACNIC March 22, 2017
2017 DNSSEC KSK Rollover Guillermo Cicileo LACNIC March 22, 2017 Purpose of this Talk 1 2 3 To publicize the new Root Zone DNSSEC KSK Provide status, upcoming events, and contact information Provide helpful
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationDNSSEC Basics, Risks and Benefits
DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning
More informationRisks and Security for the Domain Name System
Risks and Security for the Domain Name System BOF for Joint Techs 20 July 2005 mankin@psg.com Introduction Attacks via and against the DNS infrastructure are increasing Attacks are becoming costly and
More informationVendor: Cisco. Exam Code: Exam Name: Developing with Cisco Network Programmability (NPDEV) Version: Demo
Vendor: Cisco Exam Code: 600-502 Exam Name: Developing with Cisco Network Programmability (NPDEV) Version: Demo Question Set 1 QUESTION 1 A stock brokerage firm requires that all trades are executed quickly
More informationWhat we did last OARC. Keith Mitchell DNS-OARC RIPE77 DNS WG Amsterdam, Oct 2018
What we did last OARC Keith Mitchell DNS-OARC RIPE77 DNS WG Amsterdam, Oct 2018 OARC's Mission Statement The Domain Name System Operations Analysis and Research Center (DNS-OARC) is a non-profit, membership
More informationQuest for missing keytags. Roy Arends DNS-OARC 1 April 2016
Quest for missing keytags Roy Arends DNS-OARC 1 April 2016 Pubquiz question: What is a DNSKEY Key Tag A. a 16 bit value in the DNSKEY RDATA B. a physical tag that you d hang on your key ring C. a 16 bit
More information