getdns API Implementation Update Update Willem Toorop NLnet Labs 14 May 2015 NLnet Labs

Similar documents
API implementation. Willem Toorop NLnet. Labs. 11 May NLnet. Labs

A new stub resolver. Willem Toorop.

DNS Privacy - Implementation and Deployment Status

The Importance of Being an Earnest stub

DNS Privacy Clients. Stubby, Mobile apps and beyond! dnsprivacy.org

Measuring DNSSEC validation deployment with RIPE ATLAS. Willem Toorop (presenting) Nicolas Canceill.

How to get a trustworthy DNS Privacy enabling recursive resolver

DNS Sessions. - where next? OARC 27 San Jose, Sep Sep 2017, San Jose. DNS OARC 27

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

Latest Measurements on DNS Privacy

Root KSK Roll Update Webinar

getdns Documentation Release Melinda Shore, Gowri Visweswaran

Internet Engineering Task Force. Updates: 6698 (if approved) Intended status: Standards Track Expires: January 06, 2016 Two Sigma July 05, 2015

Recommendations for DNS Privacy Service Operators

Developing a monitoring plugin for DNS-over-TLS at the IETF hackathon

Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015

QNAME minimisation. Ralph Dolmans (NLnet Labs) March 2016 Stichting NLnet Labs

Hands on tutorial. Willem Toorop, NLNet Labs Shumon Huque, Verisign Glen Wiley, Verisign

Developing DNS-over-HTTPS clients and servers

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

The Changing Landscape of the DNS

Updates: 7858 (if approved) Intended status: Standards Track Expires: March 15, 2018 McAfee September 11, 2017

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

DANE Demonstration! Duane Wessels, Verisign! ICANN 49 DNSSEC Workshop! March 26, 2014!

Where s my DNS? Sara Dickinson IDS 2. Where s my DNS?

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. McAfee March 2018

That KSK Roll. Geoff Huston APNIC Labs

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02. Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K.

Measuring the effects of DNSSEC deployment on query load

the edge (end user devices)

Impact of security vulnerabilities in timing protocols on Domain Name System (DNS)

Monitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein

DNS Privacy. EDU Tutorial dnsprivacy.org. Sara Dickinson Sinodun

RIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

Root KSK Roll Delay Update

Rolling the Root. Geoff Huston APNIC Labs March 2016

Protecting Privacy: The Evolution of DNS Security

DoH and DoT experience. Ólafur Guðmundsson Marek Vavrusa

DNSSEC KSK-2010 Trust Anchor Signal Analysis

Overview of Open Source Tools for DNSSEC

Packet Traces from a Simulated Signed Root

DNS(SEC) client analysis

Understanding and Characterizing Hidden Interception of the DNS Resolution Path

The DNS Camel. Or How many features can we add to this protocol before it breaks? Bert Hubert /

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

Overview of Open Source Tools for DNSSEC

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

DNSSEC Workshop. Dan York, Internet Society ICANN 54 October 2015

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

Root Zone DNSSEC KSK Rollover. DSSEC KSK Rollover

Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018

Yahoo Search ATS Plugins. Daniel Morilha and Scott Beardsley

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

Harness Your Internet Activity

IPv6 How-To for a Registry 17th CENTR Technical Workshop

KSK Roll Prepping: RFC Presented at RIPE 71 DNS WG November 19, 2015

Less is More Cipher-Suite Negotiation for DNSSEC

DNSSEC All You Need To Know To Get Started

ECE 435 Network Engineering Lecture 7

Algorithm for DNSSEC Trusted Key Rollover

A Security Evaluation of DNSSEC with NSEC Review

Root Zone DNSSEC KSK Rollover

Internet Engineering Task Force (IETF) April Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC

A New Internet? RIPE76 - Marseille May Jordi Palet

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Web Security. Mahalingam Ramkumar

TESTING WEB SERVICES WITH WEBDRIVER AND QUICKCHECK

Jenkins: A complete solution. From Continuous Integration to Continuous Delivery For HSBC

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

Internet Engineering Task Force (IETF) Request for Comments: 8509 Category: Standards Track. Google December 2018

Internet Engineering Task Force (IETF) Obsoletes: 2671, 2673 Category: Standards Track. April 2013

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

When HTTPS Meets CDN: A Case of Authentication in Delegated Services. J. Liang, J. Jiang, H. Duan, K. Li, T. Wan, J. Wu

Root KSK Roll Delay Update

Foundations of Python

Network Working Group Request for Comments: 5702 Category: Standards Track October 2009

Implementing DNSSEC with DynDNS and GoDaddy

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution

But before understanding the Selenium WebDriver concept, we need to know about the Selenium first.

CSE 565 Computer Security Fall 2018

6 March 2012

Intended status: Standards Track Expires: September 2, 2017 March 01, 2017

Review. Fundamentals of Website Development. Web Extensions Server side & Where is your JOB? The Department of Computer Science 11/30/2015

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

What If Everyone Did It? Geoff Huston APNIC Labs

A Cache Management Strategy for Shortening DNSSEC Name Resolution Time

DDoS on DNS: past, present and inevitable. Töma Gavrichenkov

22/06/ :37 DNS COMPLIANCE. Fred Baker Internet Systems Consortium

2017 DNSSEC KSK Rollover. Guillermo Cicileo LACNIC March 22, 2017

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DNSSEC Basics, Risks and Benefits

Risks and Security for the Domain Name System

Vendor: Cisco. Exam Code: Exam Name: Developing with Cisco Network Programmability (NPDEV) Version: Demo

What we did last OARC. Keith Mitchell DNS-OARC RIPE77 DNS WG Amsterdam, Oct 2018

Quest for missing keytags. Roy Arends DNS-OARC 1 April 2016

Transcription:

AP implementation Willem Toorop Update Willem@.nl Willem Toorop ( ) getdns AP mplementation Update 1 / 13

AP is: A DNS AP specification by and for application developers (for resolving) (for applications) First implementation by From Verisign: and From : Allison Mankin, Glen Wiley, Neel Goyal, Angelique Finan, Craig Despeaux, Shumon Huque, Duane Wessels, Gowri Visweswaran, Scott Hollenbeck, Prithvi Ranganath, Sanjay Mahurpawar, Rushi Shah Willem Toorop ( ) LABS Willem Toorop, Wouter Wijngaards, Benno Overeinder From Sinodun: Sara & John Dickinson From No Mountain Software: Melinda Shore getdns AP mplementation Update 2 / 13

Motivation - for a new DNS AP From AP Design considerations:... There are other DNS APs available, but there has been very little uptake...... talking to application developers... the APs were developed by and for DNS people, not application developers... Goal... AP design from talking to application developers...... create a natural follow-on to gettadrinfo()... https://getdnsapi.net/spec/ Originally edited by Paul Hoffman (publiced April 2013) Maintained by the getdnsapi.net team since October 2014 Willem Toorop ( ) getdns AP mplementation Update 3 / 13

Motivation - The Last Mile Could be your phone Could be the Wi-Fi. net NS net DS Application stub Authoritatives getdnsapi.net A getdnsapi.net A OS os getdnsapi.net A Validating Recursive Resolver malicious resolver net DNSKEY getdnsapi.net A net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi.net A getdnsapi getdnsapi.net DNSKEY getdnsapi.net A A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Willem Toorop ( ) getdns AP mplementation Update 4 / 13

Motivation - The Last Mile Authoritatives order.hbonow.com A stub. com NS com DS Application order.hbonow.com A OS Validating Recursive Resolver com DNSKEY order.hbonow.com A com DNSKEY hbonow.com NS hbonow.com DS com hbonow.com DNSKEY order.hbonow.com A hbonow.com hbonow.com DNSKEY NXDOMAN order.hbonow.com A A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Willem Toorop ( ) getdns AP mplementation Update 4 / 13

Motivation - The Last Mile Authoritatives order.hbonow.com A stub. com NS com DS Application order.hbonow.com A OS Validating Recursive Resolver com DNSKEY order.hbonow.com A com DNSKEY hbonow.com NS hbonow.com DS com hbonow.com DNSKEY order.hbonow.com A hbonow.com hbonow.com DNSKEY NXDOMAN order.hbonow.com A Willem Toorop ( ) getdns AP mplementation Update 4 / 13

Motivation - The Last Mile Validating Recursive Resolver stub OS. net NS net DS Application Authoritatives net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure (AD bit not given with getaddrinfo()) Willem Toorop ( ) getdns AP mplementation Update 4 / 13

Motivation - The Last Mile net NS net DS Application Validating Recursive Resolver stub OS Authoritatives. net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY Willem Toorop ( ) getdns AP mplementation Update 4 / 13

Motivation - The Last Mile Application OS os DNSSECAware Resolver getdnsapi.net DNSKEY Authoritatives. net NS net DS net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi getdnsapi.net DNSKEY A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure Network resolver doesn t need to validate. Willem Toorop ( ) getdns AP mplementation Update 4 / 13

Motivation - The Last Mile Authoritatives OS os. net NS net DS net DNSKEY Application Recursive Resolver getdnsapi.net DNSKEY net DNSKEY getdnsapi.net NS getdnsapi.net DS net getdnsapi.net DNSKEY getdnsapi A DNSSEC enabled resolver protects against cache poisoning s the local network resolver trustworthy? Who s to blame? Application does not know an answer is secure Network resolver doesn t need to validate. And when it is not even DNSSEC-aware? Willem Toorop ( ) getdns AP mplementation Update 4 / 13

mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Easy to inspect: getdns pretty print dict() new getdns print json dict() Maps well to popular modern scripting languages Have a look at https://getdnsapi.net/query.html Willem Toorop ( ) getdns AP mplementation Update 5 / 13

mplementation - Features Willem Toorop ( ) getdns AP mplementation Update 5 / 13

mplementation - Features Willem Toorop ( ) getdns AP mplementation Update 5 / 13

mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at https://getdnsapi.net/query.html Set custom memory management functions No none-custom mallocs when in stub mode anymore new native stub resolver replaced libunbound Minimizing memory allocations and deallocations new No intermediate ldns host format More optimizations in the future Willem Toorop ( ) getdns AP mplementation Update 5 / 13

mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Set custom memory management functions Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at https://getdnsapi.net/query.html No none-custom mallocs when in stub mode anymore new Minimizing memory allocations and deallocations new Asynchronous modus operandi is the default new Use getdns context run() Use an even base of choice: libevent, libev, libuv Or hook into the applications native event base updated The nodejs bindings ios POC example hooked into grand central dispatch Willem Toorop ( ) getdns AP mplementation Update 5 / 13

mplementation - Features Both stub and full recursive modes (recusive by default) Delivers validated DNSSEC even in stub mode (off by default :( ) Resolves names and gives fine-grained access to the response with a response dict type: Set custom memory management functions No none-custom mallocs when in stub mode anymore new Minimizing memory allocations and deallocations new Asynchronous modus operandi is the default Easy to inspect: getdns pretty print dict() Maps well to popular modern scripting languages Have a look at https://getdnsapi.net/query.html new Use getdns context run() Use an even base of choice: libevent, libev, libuv Or hook into the applications native event base updated Last two give firm grasp on lower-level behaviour of the library Willem Toorop ( ) getdns AP mplementation Update 5 / 13

mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library Willem Toorop ( ) getdns AP mplementation Update 6 / 13

mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies Willem Toorop ( ) getdns AP mplementation Update 6 / 13

mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen Willem Toorop ( ) getdns AP mplementation Update 6 / 13

mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen New transport options GETDNS TRANSPORT... TCP ONLY KEEP CONNECTONS OPEN Works on (some) existing name servers TLS ONLY KEEP CONNECTONS OPEN TLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN STARTTLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN Following draft-ietf-dprive-start-tls-for-dns-00 Willem Toorop ( ) getdns AP mplementation Update 6 / 13

mplementation - Native stub resolver Enabling hop-by-hop communication options add opt parameters extension To set arbitrary EDNS0 options mplement DNS cookies with the library DNS cookies by the library --enable-draft-edns-cookies TCP Fast Open (RFC 7413) --enable-tcp-fastopen New transport options GETDNS TRANSPORT... TCP ONLY KEEP CONNECTONS OPEN Works on (some) existing name servers TLS ONLY KEEP CONNECTONS OPEN TLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN STARTTLS FRST AND FALL BACK TO TCP KEEP CONNECTONS OPEN Following draft-ietf-dprive-start-tls-for-dns-00 Special Cookies/TCP/TLS only open resolver for experimentation available on 2a04:b900:0:100::38 and 185.49.141.38 Willem Toorop ( ) getdns AP mplementation Update 6 / 13

mplementation - Bindings nodejs by Neel Goyal https://github.com/getdnsapi/getdns-node python by Melinda Shore https://github.com/getdnsapi/getdns-python-bindings new Now does async processing too! java bindings by Prithvi Ranganath and Sanjay Mahurpawar new https://github.com/getdnsapi/getdns-java-bindings new php bindings by Scott Hollenbeck https://github.com/getdnsapi/getdns-php-bindings Willem Toorop ( ) getdns AP mplementation Update 7 / 13

Road map C library Release candidate for 0.2.0 just announced Version 0.3 will contain native stub DNSSEC validation (soon) No dependency on ldns any more Version 0.5 will do Just n Time wire format parsing Better timeout and transport fallback handling TSG, Dynamic Updates (@ETF93) (in 0.3) More language bindings, more platforms, more name systems Perl, Ruby MS-Windows, Android DNSSD Willem Toorop ( ) getdns AP mplementation Update 8 / 13

The Next Web - Hack Battle - 22 & 23 April 2015 A dam Willem Toorop ( ) getdns AP mplementation Update 9 / 13

The Next Web - Hack Battle - 22 & 23 April 2015 A dam Bambi - DNS Slack bot A bot doing lookups on request in a chat environment by Tom Mazer spytransfer A from the ground up secure alternative to WeTransfer using a DNSSEC zone for transfer of encryption keys by Bas van Ooyen, Willem Westra, Bart van Halder and Wessel Stoker Willem Toorop ( ) getdns AP mplementation Update 10 / 13

The Next Web - Hack Battle - 22 & 23 April 2015 A dam Looksig Give visual (emojicon) representation of KSK keytag for an email address (OPENPGPKEY) lookup by Jelle Herold Part of his security and privacy for the non-tech users project Willem Toorop ( ) getdns AP mplementation Update 11 / 13

The Next Web - Hack Battle - 22 & 23 April 2015 A dam getsec (winner) Browser plugin that returns DNSSEC status already on hover by Timothy Armstrong, Warren Pai and Nicola Chinellato Willem Toorop ( ) getdns AP mplementation Update 12 / 13

Security starts with a name website AP spec latest tarball https://getdnsapi.net https://getdnsapi.net/spec.html https://getdnsapi.net/dist/getdns-0.2.0rc1.tar.gz github node python java php https://github.com/getdnsapi/getdns https://github.com/getdnsapi/getdns-node https://github.com/getdnsapi/getdns-python-bindings https://github.com/getdnsapi/getdns-java-bindings https://github.com/getdnsapi/getdns-php-bindings repo repo repo repo repo AP list users list me http://www.vpnc.org/mailman/listinfo/getdns-api https://getdnsapi.net/mailman/listinfo/users Willem Toorop <willem@nlnetlabs.nl> Willem Toorop ( ) getdns AP mplementation Update 13 / 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback