Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

Similar documents
That KSK Roll. Geoff Huston APNIC Labs

DNSSEC All You Need To Know To Get Started

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

SecSpider: Distributed DNSSEC Monitoring and Key Learning

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Some Lessons Learned from Designing the Resource PKI

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

The ISP Column A column on things Internet. Three DNS articles: 3. Helping Resolvers to help the DNS. RFC8192 Aggressive NSEC Caching

Toward Unspoofable Network Identifiers. CS 585 Fall 2009

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

Assessing and Improving the Quality of DNSSEC

A PKI For IDR Public Key Infrastructure and Number Resource Certification

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

DNSSECbis Lookaside Validation. Peter Losher Internet Systems Consortium (November 2006)

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

A Security Evaluation of DNSSEC with NSEC Review

The ISP Column A column on various things Internet. DNSSEC and DNS over TLS. August 2018 Geoff Huston

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

Algorithm for DNSSEC Trusted Key Rollover

More on DNS and DNSSEC

DNS SECurity Extensions technical overview

Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution

Network Working Group

Securing BGP. Geoff Huston November 2007

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

Implementing DNSSEC with DynDNS and GoDaddy

GDS Resource Record: Generalization of the Delegation Signer Model

DNSSEC deployment. Phil Regnauld Hervey Allen

Some Thoughts on Integrity in Routing

Network Working Group. Category: Informational November 2007

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Session J9: DNSSEC and DNS Security

DNSSEC From a protocol bug to a security advantage

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

DNSSEC Policy and Practice Statement. Anne-Marie Eklund Löwinder Quality and Security Manager

Domain Name System (DNS)

DNSSEC Basics, Risks and Benefits

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Rolling the Root. Geoff Huston APNIC Labs March 2016

Domain Name System Security

DNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011

Deploying New DNSSEC Algorithms

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

Domain Name System Security

Seamless transition of domain name system (DNS) authoritative servers

Domain Name System Security

Tyre Kicking the DNS. Testing Transport Considerations of Rolling Roots. Geoff Huston APNIC

Root KSK Roll Delay Update

DNSSEC at Scale. Dani Grant CloudFlare

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

A paper on DNSSEC - NSEC3 with Opt-Out

CSC 574 Computer and Network Security. DNS Security

APNIC DNSSEC APNIC DNSSEC. Policy and Practice Statement. DNSSEC Policy and Practice Statement Page 1 of 12

Securing Domain Name Resolution with DNSSEC

By Paul Wouters

Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016

Root KSK Roll Update Webinar

Step by step DNSSEC deployment in.se. Anne-Marie Eklund Löwinder Quality & Security

Hands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017

Afilias DNSSEC Practice Statement (DPS) Version

Monitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein

DNSSEC Signing Experiences. Michael Sinatra, UC Berkeley Internet2 Member Meeting 3 November 2010

Less is More Cipher-Suite Negotiation for DNSSEC

DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010

2017 DNSSEC KSK Rollover. DSSEC KSK Rollover

Migrating an OpenDNSSEC signer (February 2016)

Test cases for domain checks a step towards a best prac5ce. Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC

The ISP Column A monthly column on things Internet

DNSSEC Basics, Risks and Benefits

Root & TLD DNSSEC. Early Deployment Observations. Edward Lewis NANOG 56 October 23, Neustar, Inc.

Facilitating Secure Internet Infrastructure

Root Zone DNSSEC KSK Rollover

CIRA DNSSEC PRACTICE STATEMENT

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

Transcription:

Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007

The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO provided the answer? Is it a REAL answer? Can I TRUST the answer?

DNSSEC The Motivation How can a DNS resolver tell if a DNS response can be trusted as authentic? Is this the correct DNS response? Has it been altered? Has it been truncated? Is it hopelessly out of date?

DNSSEC The Theory Sign and publish everything! Every DNS zone has associated key pairs Each zone publishes: The public key (DNSKEY RR) Private-key signatures of all RR Sets (RRSIG RR) Private-key signed gaps in the zone file (NSEC RR) Hashes of the public key of child zones (DS RR)

So you take a small zone. TTL 86400 $ORIGIN dnssec.potaroo.net. @ IN SOA dns0.potaroo.net. gih.potaroo.net. (2006090803 3h 15 1w 3h ) ; name servers IN NS dns0.potaroo.net. IN NS dns1.potaroo.net. ; ; subdomains ; sub IN NS dns0.dnssec.potaroo.net. IN NS dns1.dnssec.potaroo.net. ; www IN A 203.50.0.6 bgp IN A 203.50.0.159 bgp2 IN A 203.50.0.33 dns0 IN A 203.50.0.18 dns1 IN A 203.50.0.6 ; ; wildcard ; * IN A 203.50.0.18

And turn it into a big zone dnssec.potaroo.net. 86400 IN SOA dns0.potaroo.net. gih.potaroo.net. ( 2006090803 ; serial 10800 ; refresh (3 hours) 15 ; retry (15 seconds) 604800 ; expire (1 week) 10800 ; minimum (3 hours) ) 86400 RRSIG SOA 5 3 86400 20061008080832 ( sylogfkxp1klekyp4pic6qgw1nr16powlzx+ VbpdA/erzxRdARd1l77F56N7TB+v3aS82aLh BLIN+f0MzHEo/JNWVl0xjn95pRDd3gyZSoE+ awg21mokmbtbxf2pymfa1ennkkk+psxuxvss dap+kcvqt6pfo67+m2chsqbh+ua= ) 86400 NS dns0.potaroo.net. 86400 NS dns1.potaroo.net. 86400 RRSIG NS 5 3 86400 20061008080832 ( p2kklk4gzlm8nkr4lpxyz4firwwxtiyxc5x/ Ns2NYC3CNYDNIRFHzEI14RZO08R9z4aoQlfO jxidijz2bgxzmykvjuaa7awgirvtr+6wdjrd if9tm7udyn2powrp9o2lq0dkhwyk8i4dyjdd 9kwt7/x44ZECzEj7w30GfW4uvy8= ) 10800 NSEC *.dnssec.potaroo.net. NS SOA RRSIG NSEC DNSKEY 10800 RRSIG NSEC 5 3 10800 20061008080832 ( h75ds6c1lglprbqtz9+kv4osuida+bdt6geq q6nrrnenga6rr00fk4td9aqs1+jpm3kridl5 LKqQM7yMarC7aE3v/23iW9YqFv3Z6PpjW7Ze oehalncv3kg4tvmilsogep/ewtgntnxkjdkd hw+o91s7xvngmo7m9jkuou8ss2e= ) 86400 DNSKEY 256 3 5 ( AQO8xvbN4hZ8bn926wpM8c9Uqqhqcf45v73k 4J/YSu+6o/QsPCKwJoDYxMH3s5Z0NJlgLUQs cizzkdyvhpw3txt59bhrn739osnq80rbogvt H/Vi//L3BGjZrZr+PWtH2Vb3wIhrujMej2m4 E2Mth/XjSDAhYZVWCNhJG0nPH6G6Ww== ) ; key id = 3755

Wait - there s more! 86400 DNSKEY 257 3 5 ( AQPSOR9BUnuQQ8ien6WibaSsKddzZstW4TEu JrSzezQL79DFqHeOvVuhJr+9JMQmJuQGUjVc XDG1gBRQboiFJ6e+G6sibIKlkzXCLSX7O9Yq Ytyv1AMyEbYWLTwRvKojZSZr2LyKqeKGFqWd oa8a1m6xruchblwxmwo5i5fsediyyw== ) ; key id = 29022 86400 RRSIG DNSKEY 5 3 86400 20061008080832 ( EMXe20wX8CNOeAg1iexEMSlGUuApeIB/zW1z phhz+i/9yfe2bmmwaj6+jtfmmw8tvjlqdefh 8TOihsMaPhu0nMQnqTrKTNS4Y4DkHqt05N6a 3yS1h/ufRfBDn2rA5EquVNGZM6TRI0iweDSn 1HsWy5+FiQcCFubsVJjCyqG/RXo= ) 86400 RRSIG DNSKEY 5 3 86400 20061008080832 ( 20060908080832 29022 dnssec.potaroo.net. plmpatyiqinpi0rcibicry9eofjhvm6mkxzs nl5qb4x/g+dc02kxmhfcsvvnsu9atawriohy PG85LaC7FdfWdOud5I+AVvVPRB+8aX1scS/8 /kq5abjuxt3b6ezcehu2fsurkn3uskv5af4n 1nBBVmFWd7vXR53Q6KCucWjBvmg= ) *.dnssec.potaroo.net. 86400 IN A 203.50.0.18 86400 RRSIG A 5 3 86400 20061008080832 ( UTLlJPY60iaVo8skJKbljkF+Dz0ZFJiPGSLM EmmzHVlYNeIjpQNK/o5jcIdDv7S4MZ+MJg31 MLPXuStBWe8ElfwU4w+eQX38dXP1fPs2Mjz2 RyG/dw2krgvVRfQDa27UJVurxDxoQTykEwW7 yyzada6ovflekjytf8o/cxrgvy0= ) 10800 NSEC bgp.dnssec.potaroo.net. A RRSIG NSEC 10800 RRSIG NSEC 5 3 10800 20061008080832 ( ThBINgb7kHEq5t+wunmN/uTxlE5Z3nxI29e9 effidmbmmo459/oxeuc8w8kh9u0x2tq1og8l 3GQwLNO75JrbsgMOSGzhNVD5b7Yj7PZNPWa7 M4O8z7ok3Dru5XOYf4NV5fORUsvHhBnOBr+/ 6wTSdnpI/mQvGk5EmCKPwkvhzqE= ) bgp.dnssec.potaroo.net. 86400 IN A 203.50.0.159 86400 RRSIG A 5 4 86400 20061008080832 ( BjQFfiLaiOxP4rKIzT9OvteuVR3kR2NBYZgM WMQxbSK6X4b84hE6HTRparY71bXXBvcKXIt7 MpWX97m1A9KScR7b37h084ZE1I6b86eaN3f9 Ad+9X1NXPw/RdrQZXby5xkyNSB0oIpM8R0Jz kkggi+oo5tn7o3tybwmrlcznlaa= ) 10800 NSEC bgp2.dnssec.potaroo.net. A RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20061008080832 ( SjjK2OpKnv514pUd0cfTMkgpqggljvcf+1NP fizufxmjoewjbdskkxe9farhwrdnvqpnwdyy adgv+tbrlzhthr1po7affpyxcnsabffnphwc 0s/xb1mAhAmPtf3f7Ri/CxrF5HFQF/lHHbHW UUHzU2dkM8wOHzkGP/OPv5oNDOo= ) bgp2.dnssec.potaroo.net. 86400 IN A 203.50.0.33 86400 RRSIG A 5 4 86400 20061008080832 ( fuykcujf/miedcfseppac/5wvyg6mmeqmlsg xftwdykt0otcsdsy5r/20medtwbywqwi1wb5 7zTuBmSJprklTieq69j8Ptr4y3JGEsNeGA14 1fDMpqdT29kgvWJHKiZyEJ7Hj2zV9WuOrpu6 6hzW7pKz/xm9+Xv2ssx+u5nfrXU= ) 10800 NSEC dns0.dnssec.potaroo.net. A RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20061008080832 ( S+X4oHey+hizmSF8d73877qYGK782uJzLgOA dhnod9rc0solsrikfsd+l/q+47ckbhsamx5b 9jMTRwor1fKZH8XKKyiNsuQjJqHi84sh2ZeK fgmgpezpdzr+pk2biqsrpjo9th29b0fsse/o fgdjimgkrhujnmla/7ra1oilpf0= ) dns0.dnssec.potaroo.net. 86400 IN A 203.50.0.18 86400 RRSIG A 5 4 86400 20061008080832 ( LpbfDJtud6wqXVLnurpxkCuYtiFakQ0HFkIF qjfs/r9xgwnizes4f2+dr/rgnwxtdw522qdt JFIBXbBR9RG9pSEqOCk/ivNSF8dPc7URbI4e E0RWkgf9fE87x6cd2CHEaOrcgHDXbCZX594R oweutr9wohupovs0at1fot2c9gs= ) 10800 NSEC dns1.dnssec.potaroo.net. A RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20061008080832 ( fgmgpezpdzr+pk2biqsrpjo9th29b0fsse/o fgdjimgkrhujnmla/7ra1oilpf0= ) dns0.dnssec.potaroo.net. 86400 IN A 203.50.0.18 86400 RRSIG A 5 4 86400 20061008080832 ( LpbfDJtud6wqXVLnurpxkCuYtiFakQ0HFkIF qjfs/r9xgwnizes4f2+dr/rgnwxtdw522qdt JFIBXbBR9RG9pSEqOCk/ivNSF8dPc7URbI4e E0RWkgf9fE87x6cd2CHEaOrcgHDXbCZX594R oweutr9wohupovs0at1fot2c9gs= ) 10800 NSEC dns1.dnssec.potaroo.net. A RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20061008080832 ( fxw5mrckkjr6bcrbad4u/28solkzbvvtjyas 1dBcYyx0aW3lIUpvyIsjERU+oEG+g2DUQui+ 2LA6PVntaCbKWfezwGkBtZBGKbwUcfNCdEa7 dnkqv3aki5qgw1ealkbahkt1fgbqlwo/wi4g JFmOpYfcmaLtZdhgyWX60KBGIoY= ) dns1.dnssec.potaroo.net. 86400 IN A 203.50.0.6 86400 RRSIG A 5 4 86400 20061008080832 ( C1NTVm64mJDTDpM+aX07OLWhi92G9l5hkiW5 QbBmmITLq1x7QhMpasSPh41PRpa+teyeByFl /46QGRpVb8IP4KmpbURd1YkPwAJbBBwb2Q+s dxa6vfz3r/gsa62vsb2acpfpvaapke3hs66m DF3DwVONpGuSgAWpn3A3H+1KbQs= ) 10800 NSEC sub.dnssec.potaroo.net. A RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20061008080832 ( RfjymANoHG3TQ909fU/lenv3GsIZtEqR6fs7 fa/kj4o4/ozu7+/vgz3cguwbolembab9f+yr KuFi83KvAt/W4E0nGxeDwgtnkTzUQJpkv7lA AStqMIrqsZc8FyGJuZPJgU8Fzvn7+Ju7qsPU Ntwi658ZRKoUl/K7uok6O7HmGSE= ) sub.dnssec.potaroo.net. 86400 IN NS dns0.dnssec.potaroo.net. 86400 IN NS dns1.dnssec.potaroo.net. 10800 NSEC www.dnssec.potaroo.net. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20061008080832 ( XNgHeGnZnmdg8AwHcnsvW6DzZEtnB0n5HVpk 1m2/oFoVgFr7MBuJT1t0beN8p/2zMuLF3Wad HLmwLX0GqYBE/f+6afIA33aWTrLkuB11cmUj iek/4xmkaugran04v6jovvdnyesxy6g6afd3 J9yhhNvDukG3/8Iq1bUyVlRSKz8= ) www.dnssec.potaroo.net. 86400 IN A 203.50.0.6 86400 RRSIG A 5 4 86400 20061008080832 ( gwxzdrdivrwxmcsewpq2oi0qihqxmzht+qj+ nk+tjmw3gvevh+ip6ulgkwewywey8ek1blme Uwqlh6z8B35pBBn0hljwO3xO0Ly3ELHvtHUB Q/2/bDbFaFDaXNA5IQn8I4RGLuaExDKq0dIF tl/hq9y4rnhg7wtcnw9q3prfnua= ) 10800 NSEC dnssec.potaroo.net. A RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20061008080832 ( LRLFqls+FF2DqvuPOrnloRe6OclswCG/RL38 X1NLOshkpYjK4GcCsgsoyYCxH2vvmt2va+OU RqVgL06brBizmmG7raS4kK9yd0bP+91CikWF HuN8GOLjZ0Sel8CtyOeahtjy7cdqVovPkcje P1yjDR8cI58wVsdvSCWlaoeCx9k= )

DNSSEC Signing a Zone Generate a keypair Generate a Key-Signing keypair Load the keys into the zone Use a zone signing utility to sign every RR in the zone, and to sign every name gap in the zone Update the parent zone with the child s public key hash Publish the zone with a DNSSEC-aware name server

DNSSEC DNS Response The Additional Information section in a DNSSEC response contains: a DNSKEY RR, and an RRSIG RR for a data response, or an NSEC(3) RR response for a no such data response

DNSSEC Response Validation Validation of a DNS response: Did the matching private key sign the RRSIG RR? Does the hash match the RR data? Does the public key validate? Does the parent have a DS RR? Has the Parent signed the matching RRSIG RR? Does the parent s key validate? Loop until you get to a recognised trust anchor This interlocking of parent signing over child is a critical aspect of the robustness of DNSSEC. It s also DNSSEC s major weakness in today s partial DNSSEC deployment world

Some initial questions: How do you know if this is current data, or a replay of older stale data that was signed with the current key? How do you know that a zone is DNSSEC signed? (As distinct from man-in the-middle attack that is stripping out DNSSEC information from DNS responses) How do you roll keys over? How do you revoke keys? What s NSEC3? What s a trust anchor?

Trust is a very tricky thing In the ideal world ALL the DNS would be DNSSEC signed As long as you have the current root DNSSEC public key as your trust anchor then every DNS response can be validated by simply walking backwards up the name hierarchy to the root But this is really not the case: Only a few zones are signed And you don t know which ones! So which trust keys do you load and from whom? And when should you update these keys? Right now DNSSEC is pretty much unuseable as a generally useful tool

Status of DNSSEC The DNSSEC spec is over 10 years old Interest in deployment of DNSSEC has been very limited The trust model makes use of DNSSEC to validate responses in a partial deployment world very frustrating So few clients use DNSSEC to validate DNS responses So few zone publishers see any benefit in signing their zone And nothing happens. Will DNSSEC ever get deployed across a meaningful and generally useful proportion of the DNS world?

One Opinion

DNSSEC Positives DNSSEC makes the DNS harder to attack Trust injection into the DNS can be leveraged for more than just trusting DNS responses Use the DNS to pass other keys, SSL certs, other data objects, all secured by DNSSEC DNSSEC can avoid the overheads of yet more special-purpose PKIs The DNS is a critical point of vulnerability in the network s overall model of integrity of operation -- DNSSEC can really help here

DNSSEC Negatives DNS Zones get VERY LARGE x 10 in size DNS responses can get VERY LARGE amplification attacks become more effective DNSSEC Zone management is complicated NSEC implicitly exposes the zone contents NSEC3 is extremely obscure and challenging to verify Who can use the signed answer, and how? Today s partial deployment trust model is useless DNSSEC represents a significant investment on the part of the server with unclear benefits for a potential client

My Opinion The DNS would be really very useful and far more straightforward to use for validation if everyone deployed DNSSEC The DNS would be far more cumbersome, far more complex to manage, and far more error-prone to operate, if everyone deployed DNSSEC And for as long as only some of us deploy DNSSEC its not of much value at the moment!

Next Steps for DNSSEC? Complete, top down, all zones, DNSSEC deployment looks like it may never happen If all that happens is that only some of us deploy DNSSEC, then the entire DNSSEC effort is largely a waste of time, because of the trust point discovery problem in the current DNSSEC model Can we devise a more robust partial deployment model that can deliver benefits to both the DNSSEC signed zone publisher and the DNSSEC-aware resolver client base? Is the DLV model of interest here? Are there other approaches?

Another Opinion

Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback