A Longitudinal, End-to-End View of the DNSSEC Ecosystem
|
|
- Sophie Williamson
- 6 years ago
- Views:
Transcription
1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem Taejoong (tijay) Chung, Roland van Rijswijk-Deij, Bala Chandrasekaran David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1
2 Domain Name System (DNS) Browser example.com A records DNS Resolver example.com A records example.com's Authoritative DNS Server
3 DNS Spoofing Browser example.com A records DNS Resolver example.com A records example.com's Authoritative DNS Server 3
4 DNS Spoofing Browser example.com A records DNS Resolver example.com example.com's Authoritative Authoritative DNS DNS Server Server A records
5 DNSSEC 101 DNS Resolver A records w/ DO bit example.com's Authoritative DNS Server A records RRSIG Sign! A records DNSKEY 5
6 DNSSEC 101 DNS Resolver A records w/ DO bit example.com's Authoritative DNS Server A records A records RRSIG DNSKEY A records A records DNSKEY w/ DO bit 6
7 DNSSEC 101 Hierarchical Structure Chain-of-Trust. (root zone) DNSKEY.com DNSKEY DNS Resolver A records DNSKEY example.com's Authoritative DNS Server A records w/ DO bit 7
8 DNSSEC 101 Hierarchical Structure Chain-of-Trust DNSKEY. (root zone) DNSKEY DNSKEY.com DNSKEY DNS Resolver A records DNSKEY example.com's Authoritative DNS Server A records w/ DO bit 8
9 DNSSEC 101 Hierarchical Structure Chain-of-Trust DNSKEY DNSKEY DNSKEY 9
10 DNSSEC 101 Hierarchical Structure Chain-of-Trust DNSKEY DS Record.com RRSIG DNSKEY example.com's Authoritative DNS Server DNSKEY DS Record =Hash( ) DNSKEY 10
11 DNSSEC 101 Two DNSKEYs.com DS Record = Hash of example.com's Authoritative DNS Server DNSKEYs A records RRSIG of DNSKEY RRSIG of A key signing key (KSK) zone signing key (ZSK) 11
12 Summary of DNSSEC 101 Three essential elements for DNSSEC RRSIG DNSKEY DS Record has to be uploaded to the parent zone Resolvers need to verify all signatures along the chains of trust DNSSEC can only function correctly when all principals (server and resolver) work correctly 12
13 Open Question How s the DNSSEC PKI ecosystem managed?
14 Contribution Longitudinal Comprehensive All Angles 14
15 Outline How DNSSEC deployed How DNSSEC managed How resolvers use DNSSEC Authoritative Server Resolver 15
16 Correct Deployment for Authoritative Servers DNSKEY (1) Have DNSKEYs RRSIGs (2) Generate Signatures Valid RRSIGs (3) Valid Signatures (Not expired, correctly signed) DS record Uploads (4) Generate and upload DS record to the parent zone Valid DS record (5) Valid DS record (matched with DNSKEYs) 16
17 Dataset Daily Scans* TLDs.com,.org.,.net # of domains 147M domains Interval every day Period 2015/03/01 ~ 2016/12/31 Over 750 billion DNS Records * 17
18 DNSSEC Deployment DNSKEY ~1.0% RRSIGs Valid RRSIGs DS record Uploads Percent of domains with DNSKEY record Deployment 0.4.com 0.2.net.org 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Date DNSSEC deployment is rare, but growing Valid DS record Are they correctly deployed? 18
19 Missing RRSIG records DNSKEY ~1.0% 2.5 RRSIGs ~0.3% Valid RRSIGs DS record Uploads Valid DS record Percent of domains missing RRSIGs com.net.org missing DomainMonster SOA RRSIG missing DNSKEY RRSIG KSK 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Missing RRSIGs RRSIGs are rarely missing (0.3%) ZSK 19
20 Incorrect RRSIG records DNSKEY ~1.0% RRSIGs Valid RRSIGs DS record Uploads Valid DS record ~0.3% ~0.5% Percent of domains with specific failure reasons Invalid RRSIGs Expired Expired.com.net.org Invalid Signature Invalid Signatures 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 RRSIGs are managed well (~0.5%) 20
21 Missing DS records DNSKEY ~1.0% RRSIGs ~0.3% Valid RRSIGs ~0.5% Percent of domains missing DS record com 5.net.org 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 DS record Uploads ~30% Valid DS record DS Records Nearly 30% of domains DO NOT upload DS records! 21
22 Incorrect DS records DNSKEY ~1.0% RRSIGs ~0.3% Valid RRSIGs DS record Uploads Valid DS record ~0.5% ~30% ~0.2% Percent of domains having incorrect DS record Incorrect DS record.com 0.05.net.org 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Once DS record is generated, it is managed very well (~0.2%) 22
23 Choosing Authoritative Nameserver example.com example.com $ $$ Selfhosted example.com's Authoritative DNS Server example.com's Authoritative DNS Server 23
24 Why are DS records missing? Nameservers # of domains w/ DS w/ DNSKEY DS Publishing Ratio ovh.net 315, , % loopia.se 1 131, % hyp.net 93,946 94, % transip.net 91,009 91, % domainmonster.com 4 60, % anycast.me 51,403 52, % transip.nl 46,971 47, % binero.se 17,099 44, % ns.cloudflare.com 17,483 28, % is.nl 11 15, % pcextreme.nl 14,801 14, % webhostingserver.nl 10,655 14, % registrar-servers.com 11,463 13, % ns0.nl 12,674 12, % citynetwork.se 13 11, % 24
25 Why are DS records missing? Nameservers # of domains w/ DS w/ DNSKEY DS Publishing Ratio ovh.net 315, , % loopia.se 1 131, % hyp.net 93,946 94, % transip.net 91,009 91, % domainmonster.com 4 60, % anycast.me 51,403 52, % transip.nl 46,971 47, % binero.se 17,099 44, % ns.cloudflare.com 17,483 28, % is.nl 11 15, % pcextreme.nl 14,801 14, % webhostingserver.nl 10,655 14, % registrar-servers.com 11,463 13, % ns0.nl 12,674 12, % citynetwork.se 13 11, % 25
26 Why are DS records missing? Nameservers # of domains w/ DS w/ DNSKEY DS Publishing Ratio ovh.net 315, , % loopia.se 1 131, % hyp.net 93,946 94, % transip.net 91,009 91, % domainmonster.com 4 60, % anycast.me 51,403 52, % transip.nl 46,971 47, % binero.se 17,099 44, % ns.cloudflare.com base. 17,483 28, % is.nl 11 15, % pcextreme.nl 14,801 14, % webhostingserver.nl 10,655 14, % registrar-servers.com 11,463 13, % ns0.nl 12,674 12, % citynetwork.se 13 11, % Most people do not understand DNS, so imagine the white faces when I mention DNSSEC... I don t think DNSSEC has a high priority anymore currently in our organization or our customer 26
27 Summary of DNSSEC Deployment DNSSEC deployment is still rare, but increasing The major reason of broken DNSSEC is due to the missing DS record Missing RRSIG record: ~ 0.3% Incorrect RRSIG record: ~ 0.3 % Incorrect DS record: ~ 0.2% Missing DS Record: ~ 30% Most of the DNSSEC-support softwares (BIND, Windows Server 2012, PowerDNS, OpenDNSSEC) manage the keys automatically. Regardless, the process to upload DS record is totally dependent on the administrator! 27
28 Outline 30% of domain miss DS records! How DNSSEC deployed How DNSSEC managed How resolver use DNSSEC Authoritative Server Resolver 28
29 Good Steps to Deploy DNSSEC Strong Key (1) Have a cryptographically strong key No Reuse (2) Don t reuse across multiple domains Regular Rollover (3) Replace on a regular basis 29
30 Good Steps to Deploy DNSSEC Strong Key (1) Have a cryptographically strong key No Reuse (2) Don t reuse across multiple domains Regular Rollover (3) Replace on a regular basis 30
31 Key Strength Strong Key No Reuse Regular Rollover 8.3% (ZSK) 66.7% (KSK) Percent of domains with weak keys com.net.org ZSK ZSKs KSK 20 KSKs 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Weak Keys 91.7% of ZSK and 33.3% of KSK are weak! 31
32 Key Reuse Strong Key No Reuse Regular Rollover 91.7% (ZSK) 33.3% (KSK) ~0.1% 45.0% (ZSK) 70.0% (KSK) CDF DNSKEY Sharing ZSK.com.net.org KSK x10 6 KSK.com.net.org ZSK x10 6 Number of Domains Grouped Together Some keys are reused extensively (among 106,640 domains) 32
33 Outline 30% of domain miss DS records! 33% weak 45~70% not switched How DNSSEC deployed How DNSSEC managed How resolver use DNSSEC Authoritative Server Resolver 33
34 Correct Deployment for Resolvers DO Bit (1) DNSSEC OK bit in the header Validation (2) Validate DNSSEC Records 34
35 Measuring DNS resolver Measurement Node DNS Resolver Ads Client Comcast Network No Control over the node Not Reproducible Authoritative DNS Server 35
36 Luminati AT&T Local DNS Resolver Verizon Measurement Node Residential Proxy Node Comcast Authoritative DNS Server Rogers Control over the node Reproducible Scales Deutsche Telekom 36
37 Luminati Local DNS Resolver Measurement Node Comcast Residential Node Control over the node Reproducible Scales Authoritative DNS Server 37
38 Methodology A records w/ DO bit Local DNS Resolver A records RRSIG Authoritative DNS Server (Our testbed) + 8 other scenarios of incorrect DNSSEC records 38
39 Resolvers w/ DO Bit DO Bit - 4,427 resolvers - 83% of them are DO-bit enabled Validation 39
40 Resolvers w/ DO Bit DO Bit - 4,427 resolvers - 83% of them are DO-bit enabled - 3,635 (82%) fail to validate DNSSEC records Validation Time Warner Cable Internet Rogers Cable Communications (12.2%) correctly validate DNSSEC records Comcast Google 40
41 Open Resolver Tests Provide DO Bit Requested DS DNSKEY Validated? Verisign YES YES YES YES Google YES YES YES YES DNSWatch YES YES YES YES DNS Advantage YES YES YES YES Norton ConnectSafe YES YES YES YES Level3 YES NO NO NO Comodo Secure DNS YES NO NO NO SafeDNS YES NO NO NO Dyn YES NO NO NO GreenTeamDNS* YES/NO YES YES NO OpenDNS NO NO NO NO OpenNIC NO NO NO NO FreeDNS NO NO NO NO Alternate DNS NO NO NO NO Yandex DNS NO NO NO NO 41
42 Conclusion Presented a longitudinal, end-to-end study of DNSSEC ecosystem DNSSEC deployment from server-side is rare but growing But, 33% of them are mis-configured DNSKEYs are not managed well Weak Some are shared Rarely updated DNSSEC deployment from client-side is also rare Only 12% of resolvers validate responses Datasets and source code will be available. 42
43 Recommendations Use CDS (Child DS) / CDNSKEY (Child DNSKEY) Automates DNSSEC delegation trust maintenance Modern resolvers (e.g., BIND >= 9.5 ) set DO bit by default, but make sure that it actually validates. Financial incentives for registrars to deploy DNSSEC would work.se and.nl cctld Please read our upcoming paper Understanding the Role of Registrars in DNSSEC Deployment [IMC 17] 43
44 Conclusion Presented a longitudinal, end-to-end study of DNSSEC ecosystem DNSSEC deployment from server-side is rare but growing But, 33% of them are mis-configured DNSKEYs are not managed well Weak Some are shared Rarely updated DNSSEC deployment from client-side is also rare Only 12% of resolvers validate responses Datasets and source code will be available. 44
45 Questions? 45
46 Why DNSSEC Deployment is so Low? Understanding the Role of Registrars in DNSSEC Deployment [IMC 17] 46
47 Ethical Consideration Subject Considration Luminati Paid for access Not violate ToS Not expose PII Exit Nodes Connects only our testbed Download Empty Page 47
48 Scenario and Intuition subdomains description requires DS requires DNSKEY missing-rrsig-a no signature for A record 0 0 invalid-rrsig-a invalid signature for A record 0 1 future-rrsig-a signature is not yet valid 0 0 past-rrsig-a signature is expired 0 0 missing-zsk ZSK used to sign A record is not in DNSKEY 0 1 missing-ksk KSK used to sign DNSKEY record is not in DNSKEY 0 1 missing-rrsig-ksk no signature for DNSKEY record 0 1 invalid-rrsig-ksk invalid signature for DNSKEY record 0 1 mismatch-ds DS record at parent zone is not accord with KSK
49 Structure of Domain Name Registry: organizations that manage top-level domains (TLDs). They maintain the TLD zone file (the list of all registered names), and work with registrars to sell domain names to the public. Verisign Registrar: organizations that are accredited by ICANN 3 and certified by registries to sell domains to the public. They have direct access to the registry. GoDaddy Reseller: organizations that sell domain names, but are either not accredited (by ICANN) or certified (by a given TLD s registry). Typically, resellers partner with registrars in order to sell domain names, and relay all information through the registrar. 49
50 DS record uploads 50
51 Key Sharing Nameservers KSK ZSK Keys Domains Keys Domains Others 151, ,144 ovh.net. 316, ,887 loopia.se. 133, ,258 hyp.net. 94,888 94,885 transip.net. 93,819 93,818 domainmonster.com. 60,984 60,984 anycast.me. 55,936 55,936 transip.nl. 45,676 45,675 binero.se. 44,963 44,963 ns.cloudflare.com. 28,469 28,469 is.nl. 12,837 12,836 pcextreme.nl. 15,210 15,210 webhostingserver.nl. 15,023 15,023 registrar-servers.com. 13,183 13,181 ns0.nl. 11,945 11,945 citynetwork.se. 11,702 11,702 51
52 Key Sharing Nameservers KSK ZSK Keys Domains Keys Domains Others 157, , , ,144 ovh.net. 318, , , ,887 loopia.se , ,258 hyp.net. 119,150 94, ,161 94,885 transip.net. 93,774 93, ,129 93,818 domainmonster.com. 60,991 60, ,939 60,984 anycast.me. 56,075 55,936 58,296 55,936 transip.nl. 45,648 45,676 91,161 45,675 binero.se , ,963 ns.cloudflare.com , ,469 is.nl. 12,834 12,837 25,512 12,836 pcextreme.nl. 15,192 15,210 28,654 15,210 webhostingserver.nl. 15,019 15,023 22,741 15,023 registrar-servers.com. 13,043 13,183 12,998 13,181 ns0.nl. 11,978 11,945 23,790 11,945 citynetwork.se , ,702 52
53 Rollover Abrupt Changes TTL = 3600 RRSIG RRSIG RRSIG ZSK ZSK ZSK t0 t t IP Address? A Record RRSIG ZSK Can t verify the signature! 53
54 Rollover Process (ZSK) <Pre-publish> RRSIG RRSIG RRSIG RRSIG ZSK ZSK ZSK ZSK ZSK ZSK t0 t1 t2 t3 Introducing a new key Retiring a signature Retiring the previous key 54
55 Rollover Process (ZSK) <Double-signature> RRSIG RRSIG ZSK ZSK RRSIG RRSIG ZSK ZSK t0 t1 t2 Introducing a new key and signature Retiring the previous key and signature 55
56 Rollover Process (KSK) <Double-signature> Parent Zone DS record DS record DS Record DS Record RRSIG RRSIG KSK KSK RRSIG RRSIG RRSIG RRSIG Child Zone KSK ZSK ZSK ZSK t0 t1 t2 t3 56
57 Rollover Process (KSK) <Double-DS> DS record DS record DS record DS Record Parent Zone DS Record DS Record RRSIG RRSIG RRSIG RRSIG Child Zone KSK KSK ZSK ZSK t0 t1 t2 t3 57
58 ZSK Rollovers Scheme.com.org No ZSK Rollovers 279,935 27,166 Abrupt 5, Double Signatures 58,807 9,615 Pre-publish 259,327 33,518 58
59 ZSK Rollovers Scheme.com.org No ZSK Rollovers 279,935 27,166 Abrupt 5, Double Signatures 58,807 9,615 Pre-publish 259,327 33,518 DNSKEY (ZSK) Nearly 45% of domains DO NOT switch their DNSKEYs 59
60 KSK Rollovers Scheme.com.net.org No KSK Rollovers 621,213 93,558 65,704 Abrupt 17,724 3,183 1,710 Double Signatures 219,547 46,092 32,206 60
61 KSK Rollovers Scheme.com.net.org No KSK Rollovers 621,213 93,558 65,704 Abrupt 17,724 3,183 1,710 Double Signatures 219,547 46,092 32,206 DNSKEY (KSK) Nearly 70% of domains DO NOT switch their DNSKEYs 61
62 Superfluous Signatures.com DS Record = Hash of A records DNSKEYs RRSIG of A RRSIG of DNSKEY example.com DNSKEYs RRSIG of DNSKEY zone signing key (ZSK) Unnecessary, but not evil! key signing key (KSK) 61% of domains sign their DNSKEY twice! so what? 62
63 DNSKEY Fragmentation CDF ,472 bytes (IPv4 limits) 1,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) 1,232 bytes (IPv6 limits) RRSIGs ksk DNSKEY Message Size 0.01% experience fragmentation 63
64 DNSKEY Fragmentation CDF ,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) DNSKEY Message Size 1,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) RRSIGs ksk RRSIGs zsk,ksk 0.8% experience fragmentation 60.7% of them could have avoided fragmentation 64
65 DNSKEY Fragmentation CDF ,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) DNSKEY Message Size 1,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) RRSIGs ksk RRSIGs zsk,ksk RRSIGs zsk,ksk(2,048) 4.6% experience fragmentation (increased 5x times) DNSKEY Fragmentation Superfluous signatures increases the chance of fragmentation. 65
66 Hola Unblocker Get netflix.com HTTP 66
67 Hola Luminati example.com Hola user HTTP Luminati user Get example.com 67
68 Measurement Client Exit Node Exit Node s DNS Resolver DNS & Web server testbed.com DNSSEC response HTTP DNS Get testbed.com 68
69 We measured 403,355 nodes and their 59,513 resolvers! 69
70 Measurement Client Super Proxy Exit Node Exit Node s DNS Server DNS Response Get testbed.com HTTP DNS 70
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationRolling with Confidence: Managing the Complexity of DNSSEC Operations
Rolling with Confidence: Managing the Complexity of DNSSEC Operations Moritz Müller 1,2, Taejoong Chung 3, Roland van Rijswijk-Deij 2, Alan Mislove 3 1 SIDN, 2 University of Twente, 3 Northeastern University
More informationAssessing and Improving the Quality of DNSSEC
Assessing and Improving the Quality of DNSSEC Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia
More informationMigrating an OpenDNSSEC signer (February 2016)
Migrating an OpenDNSSEC signer (February 2016) Contributors David Njuki Amreesh Phokeer Logan Velvindron Alain Aina Email david.njuki@afrinic.net amreesh@afrinic.net logan@afrinic.net aalain@trstech.net
More informationKeeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson
Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson olafur@cloudflare.com How long does it take to? Post a new selfie on Facebook and all your friends to be notified few seconds
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationRoot Zone DNSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 51 51 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root Zone DNSSEC Key
More informationDS TTL shortening experience in.jp
DS TTL shortening experience in.jp APRICOT2014 DNS Session 27 Feb 2014 Yoshiro YONEYA Copyright 2014 Japan Registry Services Co., Ltd. 1 What is DS? Establish a DNSSEC chain
More informationDENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:
More informationDNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
More informationRoot Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS
More informationDNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet
DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More information12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS
12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC chain of trust DNSSEC
More informationDNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
More informationWhat's so hard about DNSSEC? Paul Ebersman May 2016 RIPE72 Copenhagen
What's so hard about DNSSEC? Paul Ebersman Paul_Ebersman@cable.comcast.com 23-27 May 2016 RIPE72 Copenhagen 1 Why use DNSSEC What does it solve? Helps against cache poisoning Identifies DNS lying Enables
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationA Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationStep by step DNSSEC deployment in.se. Anne-Marie Eklund Löwinder Quality & Security
Step by step DNSSEC deployment in.se Anne-Marie Eklund Löwinder Quality & Security Manager,.SE amel@iis.se @amelsec www.iis.se Timeline 2005 signing of the.se zone. 2006 allowing DS records from friendly
More information2017 DNSSEC KSK Rollover. Guillermo Cicileo LACNIC March 22, 2017
2017 DNSSEC KSK Rollover Guillermo Cicileo LACNIC March 22, 2017 Purpose of this Talk 1 2 3 To publicize the new Root Zone DNSSEC KSK Provide status, upcoming events, and contact information Provide helpful
More informationDNSSEC in Switzerland 2 nd DENIC Testbed Meeting
DNSSEC in Switzerland 2 nd DENIC Testbed Meeting Frankfurt, 26. January 2010 Samuel Benz samuel.benz@switch.ch About SWITCH The SWITCH foundation operates the national research network since 1987 SWITCH
More informationBy Paul Wouters
By Paul Wouters Overview presentation Theory of DNSSEC Using bind with DNSSEC Securing Ò.nlÓ with SECREG Securing Ò.orgÓ with VerisignLabs Deploying DNSSEC on large scale Audience participation
More informationDNS SECurity Extensions technical overview
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts
More informationMore on DNS and DNSSEC
More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner Domain names Domain names are human friendly names to identify servers
More informationA Case for Comprehensive DNSSEC Monitoring and Analysis Tools
A Case for Comprehensive DNSSEC Monitoring and Analysis Tools Casey Deccio Sandia National Laboratories ctdecci@sandia.gov Jeff Sedayao and Krishna Kant Intel Corporation {jeff.sedayao,krishna.kant}@intel.com
More informationToward Unspoofable Network Identifiers. CS 585 Fall 2009
Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software
More informationDNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011
DNSSEC at ORNL Paige Stafford Joint Techs Conference, Fairbanks July 2011 Outline Background Brief review of DNSSEC ORNL before DNSSEC was implemented Implementation experience Signer appliance Validation
More informationDNS Security. Wolfgang Nagele DNS Group Manager
DNS Security Wolfgang Nagele DNS Group Manager DNS: the Domain Name System Specified by Paul Mockapetris in 1983 Distributed Hierarchical Database Main purpose: Translate names to IP addresses Since then:
More informationAPNIC DNSSEC APNIC DNSSEC. Policy and Practice Statement. DNSSEC Policy and Practice Statement Page 1 of 12
APNIC DNSSEC Policy and Practice Statement DNSSEC Policy and Practice Statement Page 1 of 12 Table of Contents Overview 4 Document name and identification 4 Community and applicability 4 Specification
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationDNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam
DNS security Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Tuesday, September 18, 2012 Karst Koymans & Niels Sijm (UvA) DNS security Tuesday, September 18, 2012 1 / 38 1 Chain
More informationDNS Security. Wolfgang Nagele DNS Services Manager
DNS Security Wolfgang Nagele DNS Services Manager DNS: the Domain Name System Specified by Paul Mockapetris in 1983 Distributed Hierarchical Database Main purpose: Translate names to IP addresses Since
More informationRolling the Root KSK. Geoff Huston. APNIC Labs. September 2017
Rolling the Root KSK Geoff Huston APNIC Labs September 2017 Will this break the Internet? Why? If we stuff up this trust anchor key roll then resolvers that perform DNSSEC validation will fail to provide
More informationEbook: DNS FUNDAMENTALS. From a Technical Dow Street, Manchester, NH USA
8 Ebook: DNS FUNDAMENTALS From a Technical Perspective 603 668 4998USA 150 Dow Street, Manchester, NH 03101 150 Dow Street, Manchester, NH 03101 USA DNS Fundamentals From a Technical Perspective Introduction:
More informationDNSSEC Deployment in the.gov TLD
DNSSEC Deployment in the.gov TLD Scott Rose, NIST scott.rose@nist.gov LISA 2012, San Diego CA Dec. 14, 2012 What This Talk Will Cover DNSSEC deployment drivers in the US Federal government How did deployment
More informationUnderstanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017
Understanding and Deploying DNSSEC Champika Wijayatunga SANOG29 - Pakistan Jan 2017 Agenda 1 2 3 Background Why DNSSEC? How it Works? 4 5 Signatures and Key Rollovers DNSSEC Demo 2 3 Background DNS in
More informationTable of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
More informationA paper on DNSSEC - NSEC3 with Opt-Out
A paper on DNSSEC - NSEC3 with Opt-Out DNSSEC A Way Forward for TLD Registries Method for faster adoption of DNSSEC Providing greater security with minimal impact on customers, registries and Zone Management
More informationRolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016
Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016 edward.lewis@icann.org 1 Motivation for this talk ICANN is about to change an important configuration parameter in DNSSEC
More informationAn Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
More informationHands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016
Hands-on DNSSEC with DNSViz Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016 Preparation Demo and exercises available at: http://dnsviz.net/demo/ Includes links to the following: VirtualBox
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationSome Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution
SYSADMIN DNSSEC Sergey Ilin, Fotolia Trusted name resolution with DNSSEC CHAIN OF TRUST Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.
More informationCIRA DNSSEC PRACTICE STATEMENT
CIRA DNSSEC PRACTICE STATEMENT 1. Introduction This DNSSEC Practice Statement ( DPS ) is a statement of security practices and provisions made by the Canadian Internet Registration Authority (CIRA). These
More informationThe State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang
The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang 1 Monitoring Shows What s Working and What needs Work DNS operations must already deal with widespread
More informationDNSSEC for the Root Zone. ICANN 37 Nairobi March 2010
DNSSEC for the Root Zone ICANN 37 Nairobi March 2010 Kim Davies, ICANN This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. DoC NTIA Design Design Requirements
More informationSecSpider: Distributed DNSSEC Monitoring and Key Learning
SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From
More informationMAGPI: Advanced Services IPv6, Multicast, DNSSEC
MAGPI: Advanced Services IPv6, Multicast, DNSSEC Shumon Huque MAGPI GigaPoP & Univ. of Pennsylvania MAGPI Technical Meeting April 19th 2006, Philadelphia, PA 1 Outline A description of advanced services
More informationTHE BRUTAL WORLD OF DNSSEC
THE BRUTAL WORLD OF DNSSEC Patrik Fältström Head of Technology Netnod 1 Security Issues with DNS Zone Administrator Bad Data False Master Caching Resolver Zonefile Master Slave slave slave False Cache
More informationDNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010
DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers Recap DNS originally not designed with
More informationAfilias DNSSEC Practice Statement (DPS) Version
Afilias DNSSEC Practice Statement (DPS) Version 1.07 2018-02-26 Page 1 of 8 1. INTRODUCTION 1.1. Overview This document was created using the template provided under the current practicing documentation.
More information2017 DNSSEC KSK Rollover. DSSEC KSK Rollover
2017 DNSSEC KSK Rollover 2017 Edward Lewis DSSEC KSK Rollover APNIC 44 Edward.Lewis@icann.org FIRST TC September 11, 2017 13 September 2017 DNSSEC Signing vs. Validation DNS Security Extensions Digital
More informationRoot KSK Roll Delay Update
Root KSK Roll Delay Update Data is good! David Conrad, CTO (channeling Roy Arends, ICANN Principal Research Scientist) 12 November 2017 1 Background When you validate DNSSEC signed DNS records, you need
More informationICANN DNSSEC Workshop Comcast s Operational Experiences 14 March 2012
ICANN DNSSEC Workshop Comcast s Operational Experiences 14 March 2012 NATIONAL ENGINEERING & TECHNICAL OPERATIONS DNSSEC Deployment Status We began working on this in 2008 (see Bmeline) We completed our
More informationScott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University
Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities
More informationThe Performance of ECC Algorithms in DNSSEC: A Model-based Approach
Master Thesis The Performance of ECC Algorithms in DNSSEC: A Model-based Approach Faculty: Group: Electrical Engineering, Mathematics and Computer Science Design and Analysis of Communication Systems Author
More informationDNSSEC for the Root Zone. IETF 76 8 November 2009
DNSSEC for the Root Zone IEPG @ IETF 76 8 November 2009 Richard Lamb, ICANN Joe Abley, ICANN Matt Larson, VeriSign 1 This design is the result of a cooperation between ICANN & VeriSign with support from
More informationMeasurement and Analysis of Private Key Sharing in the HTTPS Ecosystem
Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson How do we know with whom
More informationGDS Resource Record: Generalization of the Delegation Signer Model
GDS Resource Record: Generalization of the Delegation Signer Model Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, France {gilles.guette, bernard.cousin, david.fort}@irisa.fr
More informationDNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr
DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and
More informationBIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium
BIND-USERS and Other Debugging Experiences Mark Andrews Internet Systems Consortium Mark_Andrews@isc.org http://isc.org BIND-USERS and Other Debugging Experiences We will look at some typical debugging
More informationRIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.
K-root and DNSSEC Wolfgang Nagele RIPE NCC RIPE NCC One of the five Regional Internet Registries Provides IP address and AS number resources to Europe and Middle-East regions DNS related work - Parent
More informationDNSSEC Policy and Practice Statement. Anne-Marie Eklund Löwinder Quality and Security Manager
DNSSEC Policy and Practice Statement Anne-Marie Eklund Löwinder Quality and Security Manager amel@iis.se What is a DNSSEC Policy and Practice Statement (DPS)? A document that contains the DNSSEC Policy
More informationDocumentation. Name Server Predelegation Check
Name Server Predelegation Check Doc. version: 1.4.1 Doc. status: Final Doc. date: 01.12.2015 Doc. name: Name Server Predelegation Check- -DNS Services-V1.4.1-2015-12-01 Copyright 2015 DENIC eg Imprint
More informationRSA and ECDSA. Geoff Huston APNIC. #apricot2017
RSA and ECDSA Geoff Huston APNIC It s all about Cryptography Why use Cryptography? Public key cryptography can be used in a number of ways: protecting a session from third party eavesdroppers Encryption
More information6 March 2012
6 March 2012 richard.lamb@icann.org www.majorbank.se=? 1.2.3.4 Get page Login page Username / Password Account Data DNS Resolver ISP www.majorbank.se = 1.2.3.4 DNS Server webserver www @ 1.2.3.4 Majorbank
More informationDNSSEC Validators Requirements
DNSSEC Validators Requirements draft-mglt-dnsop-dnssec-validator-requirements-05 Migault, Lewis, York IETF99 ToC Time Requirements Trust Anchor Requirements Bootstrapping / configuration TA Datastore Interaction
More informationIs the Web Ready for OCSP Must-Staple?
Is the Web Ready for OCSP Must-Staple? Taejoong (Tijay) Chung*, Jay Lok, Bala Chandrasekaran David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, John Rula, Nick Sullivan, Christo Wilson *This work
More informationDNSSEC KSK-2010 Trust Anchor Signal Analysis
DNSSEC KSK-2010 Trust Anchor Signal Analysis MAPRG @ IETF102 1 Overview Background: DNSSEC KSK rollover and plan Problems with the KSK rollover Case study analysis: difficulty in identifying old Trust
More informationA Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover
A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover Duane Wessels DNS-OARC 26 San Jose, CA September 29, 2017 Background 2 2017 Root Zone KSK Rollover October 11, 2017! Root zone DNSKEY
More informationSOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION
SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION Step-by-Step DNS Security Operator Guidance Document (Version 1.0) [Using the BIND-9.3.0 (or later) distribution] 1 December
More informationTable of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification
Table of Contents DNS security Karst Koymans Informatics Institute University of Amsterdam (version 1.19, 2011/09/27 14:18:11) Friday, September 23, 2011 The long (and winding) road to the DNSSEC specification
More informationDNSSEC for ISPs workshop João Damas
DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Outline of workshop Brief intro to DNSSEC Overview of zone signing DNSSEC validation trust anchors validation impact of enabling validation debugging
More informationMeasuring Adoption of Security Additions to the HTTPS Ecosystem
Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018 Applied
More information3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,
3. The DNSSEC Primer Authentication (keys, signatures) Data Integrity (hashes) Chain of Trust (root zone, when signed) Authenticated Denial of Existence (NSEC, NSEC3) DNS Authoritative ROOT SERVERS TLD
More informationDNS Mark Kosters Carlos Martínez ARIN - LACNIC
DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity
More informationUnderstanding and Characterizing Hidden Interception of the DNS Resolution Path
Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, YingLiu, ZhouLi, ShuangHaoand MinYang ISP DNS Resolver DNS
More informationThat KSK Roll. Geoff Huston APNIC Labs
That KSK Roll Geoff Huston APNIC Labs The DNS may look simple But with the DNS, looks are very deceiving So lets talk DNSSEC DNSSEC introduces digital signatures into the DNS It allows a DNS resolver to
More informationDNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC. Wes Hardaker
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker Overview Business Model Changes Relationship Requirements Relationship with
More informationDNSSEC at Scale. Dani Grant CloudFlare
DNSSEC at Scale Dani Grant DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing)
More informationOperational Challenges when Implementing DNSSEC
Operational Challenges when Implementing DNSSEC Torbjörn Eklöv, Interlan Gefle AB Stephan Lagerholm, Secure64 Software Corp. Background As a reader of this article, you are probably familiar with the DNS
More informationPacket Traces from a Simulated Signed Root
Packet Traces from a Simulated Signed Root Duane Wessels DNS-OARC DNS-OARC Workshop Beijing, China November 2009 Background We know from active measurements that some DNS resolvers cannot receive large
More informationMonitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein
Monitoring DNSSEC Martin Leucht Julien Nyczak Supervisor: Rick van Rein System and Network Engineering 2015 Introduction DNSSEC becomes more and more popular
More informationRIPE NCC DNS Update. K-root and DNSSEC. Anand Buddhdev October 2018 RIPE 77
RIPE NCC DNS Update K-root and DNSSEC Anand Buddhdev October 2018 RIPE 77 K-root Status 63 instances (2 new since RIPE 76, in Vilnius and Lugansk) Response rate across all of K-root Capacity and usage
More informationThe impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net
The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net Olaf M. Kolkman Question What would be the immediate and initial effect on memory, CPU and bandwidth resources if we were to deploy DNSSEC
More informationA Cache Management Strategy for Shortening DNSSEC Name Resolution Time
A Cache Management Strategy for Shortening DNSSEC Name Resolution Time Shuta FUKUDA 1 and Takayuki FUJINO 2 Abstract To protect the DNS data from cache poisoning attack, the DNSSEC has been deployed on
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 Agenda 1 2 3 Introduction to DNS DNS Features
More informationNetwork Security Part 3 Domain Name System
Network Security Part 3 Domain Name System Domain Name System The$domain$name$system$(DNS)$is$an$applica6on7layer$ protocol$$for$mapping$domain$names$to$ip$addresses$ DNS www.example.com 208.77.188.166
More informationRIPE NCC DNS Update. Wolfgang Nagele DNS Services Manager
RIPE NCC DNS Update Wolfgang Nagele DNS Services Manager DNS Department Services Reverse DNS for RIPE NCC zones Secondary for other RIRs K-root F-reverse (in-addr.arpa & ip6.arpa) Secondary DNS for cctlds
More informationIn the Domain Name System s language, rcode 0 stands for: no error condition.
12/2017 SIMPLE, FAST, RESILIENT In the Domain Name System s language, rcode 0 stands for: no error condition. If a DNS server answers a query with this result code, the service is running properly. This
More informationDNSSEC the.se way: Overview, deployment and lessons learned. Anne-Marie Eklund Löwinder Quality & Security Manager
DNSSEC the.se way: Overview, deployment and lessons learned Anne-Marie Eklund Löwinder Quality & Security Manager My agenda Getting Started Finding out about.se Finding out what DNS does for you Why DNSSEC?
More informationRoot Management Update
Root Management Update San Francisco, USA March 2011 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers IANA NOI Notice of Inquiry IANA Contract expires later in 2011
More informationNetwork Working Group
Network Working Group R. Arends Request for Comments: 4035 Telematica Instituut Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein 3755, 3757, 3845 ISC Updates: 1034, 1035, 2136, 2181, 2308, 3225,
More informationThis time. Digging into. Networking. Protocols. Naming DNS & DHCP
This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But they re pretty useless for humans! Can t be expected to pick their own IP address Can t be
More informationDNS Security. APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga
DNS Security APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga 2 Brief Overview of DNS What is the Domain Name System? A distributed database primarily used to obtain
More informationSeamless transition of domain name system (DNS) authoritative servers
Vol. 9(12), pp. 566-570, 30 June, 2014 DOI: 10.5897/SRE2013.5741 Article Number: 2B9B29C45695 ISSN 1992-2248 2014 Copyright 2014 Author(s) retain the copyright of this article http://www.academicjournals.org/sre
More informationAdvanced Caching DNS Server
This chapter explains how to set the Caching DNS parameters for the advanced features of the server. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which
More informationDNS and cctld Management. Save Vocea and Champika Wijayatunga Apia Samoa July 2015
DNS and cctld Management Save Vocea and Champika Wijayatunga Apia Samoa 14-15 July 2015 Agenda 1 2 3 Intro to ICANN DNS Concepts Root Server Operation 4 5 6 Managing Zones cctld Management Security, Stability
More informationRSSAC Activities Update. Lars Johan Liman and Tripti Sinha RSSAC Chair ICANN-54 October 2015
RSSAC Activities Update Lars Johan Liman and Tripti Sinha RSSAC Chair ICANN-54 October 2015 Agenda 1 2 3 Overview RSSAC002 Implementation Status Update RSSAC003: RSSAC Report on Root Zone TTLs 4 5 6 RSSAC
More informationDNSSEC for the Root Zone. IETF 76 Hiroshima November 2009
DNSSEC for the Root Zone IETF 76 Hiroshima November 2009 Jakob Schlyter Richard Lamb, ICANN Matt Larson, VeriSign 1 This design is the result of a cooperation between ICANN & VeriSign with support from
More information