ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017

Similar documents
Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

Root KSK Roll Update Webinar

Rolling the Root. Geoff Huston APNIC Labs March 2016

Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions:

That KSK Roll. Geoff Huston APNIC Labs

IPv6 Deployment Experiences

How do we make the transition less painful? IPv6 & recursive resolvers:

The Most Important Slide

The Changing DNS Market: A Technical Perspective

DNSSEC Deployment Issues

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

Root KSK Roll Delay Update

.BIZ Agreement Appendix 10 Service Level Agreement (SLA) (22 August 2013)

Chapter01.fm Page 1 Monday, August 23, :52 PM. Part I of Change. The Mechanics. of Change

Flexible Testbed for Recursive Resolver Software

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

CSC 574 Computer and Network Security. DNS Security

Ananta: Cloud Scale Load Balancing. Nitish Paradkar, Zaina Hamid. EECS 589 Paper Review

Root KSK Roll Delay Update

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

MARRAKECH RSSAC Public Session. MARRAKECH RSSAC Public Session Wednesday, March 09, :00 to 15:30 WET ICANN55 Marrakech, Morocco

DNSSEC Deployment Threats What s Real? What s FUD?

Your Data Demands More NETAPP ENABLES YOU TO LEVERAGE YOUR DATA & COMPUTE FROM ANYWHERE

IPv6: Are we really ready to turn off IPv4?

RSSAC Activities Update. Lars Johan Liman and Tripti Sinha RSSAC Chair ICANN-54 October 2015

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

IPV6 Deployment Experiences or what s it really like hearing IPv6 IPv6 IPv6 every day

1. I NEED TO HAVE MULTIPLE VERSIONS OF VISUAL STUDIO INSTALLED IF I M MAINTAINING APPLICATIONS THAT RUN ON MORE THAN ONE VERSION OF THE.

MD-HQ Utilizes Atlantic.Net s Private Cloud Solutions to Realize Tremendous Growth

IANA ccnso Update Kim Davies ICANN 55, 8 March 2016

Virtualization. Q&A with an industry leader. Virtualization is rapidly becoming a fact of life for agency executives,

Tyre Kicking the DNS. Testing Transport Considerations of Rolling Roots. Geoff Huston APNIC

Securing BGP. Geoff Huston November 2007

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

DNSSEC for Humans and BIND 10. Paul Vixie Internet Systems Consortium June 9, 2011

(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.

Registry Vulnerabilities An Overview

DNS and ICANN. Laurent Ferrali. 27th August 2018

ICANN Start -Ep 05 Page 1 of 11. ICANN Start, Episode 5: What Does IPv6 Mean?

IAE Professional s (02)

Some Lessons Learned from Designing the Resource PKI

Enabling Performance & Stress Test throughout the Application Lifecycle

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY

DDoS: STRATEGIES FOR DEALING WITH A GROWING THREAT

Help Your Security Team Sleep at Night

Media-Ready Network Transcript

What to Look for in a Partner for Software-Defined Data Center (SDDC)

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

President s Report 2009

DNSSEC the.se way: Overview, deployment and lessons learned. Anne-Marie Eklund Löwinder Quality & Security Manager

Summary of the Impact of Root Zone Scaling

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

CIO 24/7 Podcast: Tapping into Accenture s rich content with a new search capability

The security challenge in a mobile world

DEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER

What Are CSS and DHTML?

RIPE NCC DNS Update. Wolfgang Nagele DNS Services Manager

More on DNS and DNSSEC

Background Brief. The need to foster the IXPs ecosystem in the Arab region

2016 All Rights Reserved

Managing the Root KSK Rollover, Step by Step for Operators

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Embarking on the next stage of hosted desktop delivery for international events management company

Fixing URL-based Redirect Errors for AWS Route 53 and S3

What If Everyone Did It? Geoff Huston APNIC Labs

Infrastructure Matters

Understanding Managed Services

DDoS: Evolving Threats, Solutions FEATURING: Carlos Morales of Arbor Networks Offers New Strategies INTERVIEW TRANSCRIPT

IPv4 Unallocated Address Space Exhaustion

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

Monitoring DNSSEC, not everything is perfect, yet

THALES DATA THREAT REPORT

The DNS of Things. A. 2001:19b8:10 1:2::f5f5:1d Q. WHERE IS Peter Silva Sr. Technical Marketing

CS519: Computer Networks. Lecture 2, part 2: Feb 4, 2004 IP (Internet Protocol)

EPISODE 23: HOW TO GET STARTED WITH MAILCHIMP

CASE STUDY IT. Albumprinter Adopting Redgate DLM

The Transition to Networked Storage

A strategy for IPv6 adoption

1.7 Limit of a Function

Enterprise IPv6 Deployment Security and other topics

Monitoring DNSSEC, not everything is perfect, yet

Root Zone DNSSEC KSK Rollover

NAT64/DNS64 experiments, warnings and one useful tool

CREATE YOUR CONTENT STRATEGY & LAUNCH PLAN Amanda Genther Inc. & Irresistible Offerings

Spam. Time: five years from now Place: England

3 Continuous Integration 3. Automated system finding bugs is better than people

White Paper. How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet. Contents

DNSSEC All You Need To Know To Get Started

Independent Solution Review AppEnsure for Citrix Monitoring

The poor state of SIP endpoint security

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

How To Manage Disk Effectively with MPG's Performance Navigator

Securing intelligent networks: a guide for CISO and CIOs

Chris Skorlinski Microsoft SQL Escalation Services Charlotte, NC

Transcription:

ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017 Welcome, everyone. I appreciate the invitation to say a few words here. This is an important meeting and I think we will all learn quite a bit. I ll talk mainly about technical aspects of DNS, but I chose the title to highlight an important and welcome development at ICANN. I ve been watching where ICANN focuses its resources over the years. We ve always had a strong technical foundation at ICANN, but, of necessity, political and contractual issues dominated the agenda. These issues haven t gone away, but I am now seeing much greater strength and much greater attention on the technical side. The chief technology officer is now part of the top-level management team, alongside the chief information officer, and the team under the CTO is noteworthy. Almost all have noteworthy accomplishments and reputations prior to joining ICANN. We have a team 1

of stars, which is good for ICANN and good for the community. I hope this trend continues and that ICANN becomes known as a place for the best and the brightest in our field to consider joining. The DNS layer is peculiar within the Internet ecosystem. There is a vibrant business in the selling of names, but almost no market for the operation of the lookup of queries. This means an awful lot of the development and research is done by the academic and non-profit community. From an economic perspective, this is unbalanced and I worry about the long-term health of this ecosystem. I ll return to this point at the end of my talk, and it s something for discussion over the next few years. Meanwhile, on the technical level, there is a LOT of activity, and this is what brings us here today. By Internet standards, DNS is an old system, yet it is continuing to expand and evolve. The Internet of Things, the connection to DANE and other forces are likely to expand the number of DNS records in the 2

entire system by an order of magnitude or more. The core design remains strong and can handle the load, but there will be pressure on various aspects. Much of what you will hear today is about measurement. Measurement is essential and the increase in measurement activity and the development of better measurement and reporting tools is essential. Measurements tell us how well the system is working and often bring to light aspects we had not expected. Measurements are one part of a classic trio of modeling, metrics and measurements, and one of my messages this morning is that in addition to measurements, we need more extensive models and we need to work with models to find and predict how the system will behave under various forms of stress, with attention to three topics in particular: DNSSEC, performance, and software reliability. DNSSEC 3

DNSSEC has progressed steadily. A significant event, the rollover of the key-signing key, or KSK, of the root is taking place in stages, with the big event scheduled for 11 October this year. Your tee-shirts have the public part of the new key, though I hope all of your systems are able to receive and install the new key without you having to copy it from your tee-shirt. With respect to deployment, the progress is mixed, though compared to the deployment of IPv6 the progress is lightning quick. Here s the status of DNSSEC deployment in the cctlds. 4

Dark green means the TLD is signed and it accepts DS records from its registrants. Light green means it s signed but is not yet accepting DS records from its registrants. This is usually a transitional stage. As you can see, with the exception of Africa, we re doing quite well, and even in Africa there is noticeable progress. The gtlds are mostly signed as well. This was expected since we made it a requirement for all of the new gtlds. Signing of enterprises and actual checking of signatures are not as far along and need some help. We are also seeing some issues that have to be addressed: DANE integration Size of responses due to IPv6, key rollover over and long RSA keys Speed of validation browser vendors care about this Local trust anchors, e.g. homenet, which is just one of many local trust anchors 5

PERFORMANCE DNS, like all of the layers of the Internet, is full of complex interactions. One of the key elements in the DNS architecture is the caching resolver. Without these, the DNS system would not scale properly and the authoritative servers would break under the everincreasing load. The rule for caching resolvers is simple: the TTL says how long to keep prior responses, and it s ok to discard sooner if there s no space. What actually happens is more varied. Some have minimum times, so they effectively raise the TTL. Some extend the TTL as long as lookups for that name continue to come in. Some generate ghost queries to the authoritative server for the negative queries they ve seen recently. (I have to credit Geoff Huston for this tidbit, and I hope I ve conveyed it accurately.) 6

These and other variations are motivated by the individual developer s or local operators ideas of the best policy. What s hard to tell, however, is the overall impact of these separate decisions. The kind of measurement activity being reported today and being carried out across the world will shed some light. Let me suggest that in addition to the measurements, it would also be helpful to look at the various policies in the abstract to see what behavior is predicatable and where the stress points are likely to be. I ll give one small anecdote from the earliest days of the Arpanet. The Arpanet IMPs that s what we called the routers then accepted a message of up to 8,000 bits from a host, broke it up into 1,000 bit packets, sent the packets to the other end, where they were reassembled into a full message for the receiving host. 7

In the receiving IMP, there was small buffer allocated to keep track of the several packets in a message a handle, and there was a small pool of these handles. This wasn t necessary for a single packet message, i.e. a message that was smaller than 1,000 bits, so this storage was only allocated for messages over 1,000 bits. In those early days, the actual traffic on the Arpanet tended to be either very short messages for interactive traffic, or very long messages for file transfers. One other form of traffic was generated internally by the IMPs, and that was snapshots of the statistics of each IMP s interactions with each other IMP. These were created as internal messages and sent to the network monitoring center, and they looked the same as all other traffic. At first these measurement messages fit into a single packet, but after the network grew past a certain point, the messages consumed two packets. 8

Do you see where this is going? Short messages didn t consume handles. Long messages consumed one handle for every eight packets. But the measurement messages consumed one handle for every two packets. And it turned out the pool of handles wasn t big enough. And the entire network crashed! A little analysis ahead of time might have helped. Well, the interactions across the network are far more complex these days, and the analysis challenge is much harder. There are lots of parameters and not enough science about how to set them and how they interaction with each other. Bring the policies into the light and study their interactions from an analytical perspective, not just by measurement. SOFTWARE RELIABILITY We all know how vital the DNS layer is. If it breaks, the results are bad. One of my strongest fears is a latent bug in widely deployed DNS software and the 9

threat that it might be exploited in a way that causes widespread outage or some other form of disruption. Each of the developers does its level best to write quality code and to test it before deployment. But the main pressures on developers remember I mentioned funding? -- are on adding new features or improving performance. I d like to see a strategic effort to transform the development process to provide much higher assurance, including better tools for analyzing the attack surface of this software. This is not an easy subject, but I think it s important, and, better yet, I think it s possible to make significant progress. There have been big advances in tools to analyze software and to provide assurance that software does what it s supposed to do and doesn t do what it s not supposed to do. Summing up, my messages this morning are this: 10

1. ICANN is growing stronger technically and will make increasing contributions to the community. 2. Security is vital and will ever more so. DNSSEC is one of the main forms of protection. It s partially deployed and used; more is needed and there are some emerging challenges. 3. Performance issues are important and require a lot of attention. Use modeling as well as measurement to find the bottlenecks and other issues. 4. The reliability of the DNS software is vital. We cannot afford a large-scale disruption. We need to improve our analysis techniques and we need to insist on the highest quality standards. Thank you for your listening. You have a fully packed program for a very substantive day. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback