dnssec signing at scale on the edge
play

DNSSEC Signing at Scale on the Edge lafur Gu mundsson What we do: - PowerPoint PPT Presentation

Jan 06, 2024 •264 likes •362 views

DNSSEC Signing at Scale on the Edge lafur Gu mundsson What we do: DNS Third party DNS operator for 2M+ One of largest responders of DNS query traffic Largest dropper of DNS traffic in the world Operate large number of

  1. DNSSEC Signing at Scale on the Edge ólafur Gu ð mundsson

  2. What we do: DNS • Third party DNS operator for 2M+ • One of largest responders of DNS query traffic • Largest dropper of DNS traffic in the world • Operate large number of DNS servers at over 60 locations • Custom DNS server developed in-house 2

  3. DNSSEC launch • Paid customers can enable it from user interface as of today • Soon Default on for all paid customers • Use ECDSA P256 algorithm • speed and size • Sign DNSKEY in central location • publish CDS/CDNSKEY as well • All other RR’s signed at the edge 3

  4. Signing speed (and size): ECDSA P256 RSA: 
 1181 BYTES ECDSA: 
 305 BYTES and faster 4

  5. Minimal non-existent answers: “Black Lies” • Our solution: true lies. sign a NOERROR. • Generate a NSEC for the query name, cover minimal span, only set the NSEC and RRSIG bits ==> NXDOMAIN 5

  6. Quick negative’s: the “NSEC shotgun” • DNS Server optimized for answering exact query • Query for TXT and there’s no TXT? • Set all the other bits that might exist. • The NSEC is a valid denial for TXT, and is useless for an attacker that wants to replay it for other queries. filippo.io. 3600 IN NSEC \003.filippo.io. A NS SOA WKS HINFO MX TXT AAAA LOC SRV CERT SSHFP IPSECKEY RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF 6

  7. How expensive is online signing ? • Minimal impact • We have highly optimized code • Cutting down on number of NSEC records helps • Reuse signed SOA • Key Distribution • You must trust your servers and have secure software distribution and boot 7

  8. Our Challenge • Required new systems • Central signer • DNSSEC health check ==> if DS is configured correctly • Changes affected many systems we have deployed • DNS servers, DB, UI, secure boot, • Supporting TLSA • Coming soon • Uploading and maintaining DS records for customers 8

  9. DNSSEC’s MAIN ROADBLOCK • Registration System is out of touch with reality!! • Need an easy way to update Parent • CDS/CDNSKEY publication is sufficient statement of intent! • Working with registrars and registers to enable DNSSEC at scale • will offer DNSSEC to free customers were we can update DS at parent • CDS/CDNSKEY needs delete mode 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN | 1 Motivation for the Talk ICANN is about to change an important configuration parameter in DNSSEC For a network DNS operator, this may

377 views • 21 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Helping Your Students Join One of the Fastest Growing Careers: Sign Language Interpreting By

Helping Your Students Join One of the Fastest Growing Careers: Sign Language Interpreting By

Helping Your Students Join One of the Fastest Growing Careers: Sign Language Interpreting By James Frost, President and General Counsel, and Anne Frost, Vice-President Signing Edge About Signing Edge Signing Edge is a deaf-owned and

256 views • 13 slides
DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th 2011 DNSSEC validation - Validation rate not rising very much - Interesting to see what will happen after .com signing 2 SURFnet. We make

482 views • 16 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for http(s)

538 views • 25 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
EDGE: Extreme Scale Fused Seismic Simulations with the Discontinuous Galerkin Method Alexander

EDGE: Extreme Scale Fused Seismic Simulations with the Discontinuous Galerkin Method Alexander

EDGE: Extreme Scale Fused Seismic Simulations with the Discontinuous Galerkin Method Alexander Breuer, Alexander Heinecke (Intel), Yifeng Cui What is EDGE? Extreme-scale Discontinuous Galerkin Environment (EDGE): Seismic wave

348 views • 17 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
PPC-1 Presentation Please find attached a presentation that will be delivered to an institutional

PPC-1 Presentation Please find attached a presentation that will be delivered to an institutional

ASX RELEASE 24 March 2009 PPC-1 Presentation Please find attached a presentation that will be delivered to an institutional investors conference at ABN AMRO Morgans Limited by PIPE Networks Limited (ASX:PWK) CEO and Managing Director, Mr Bevan

523 views • 24 slides
Organizing for T-Trak Bruce DeMaeyer NMRA-MCR-Division 10 Eastgate, Ohio November 11, 2018

Organizing for T-Trak Bruce DeMaeyer NMRA-MCR-Division 10 Eastgate, Ohio November 11, 2018

Organizing for T-Trak Bruce DeMaeyer NMRA-MCR-Division 10 Eastgate, Ohio November 11, 2018 What is T-Trak A simple way to start into Model Railroading Uses module 2 tall Straight modules in multiples of a foot Corner

397 views • 28 slides
PRESENTATION Q4-FY20 / FY20 Co Company Overvie iew HFCL Limited (formerly known as Himachal

PRESENTATION Q4-FY20 / FY20 Co Company Overvie iew HFCL Limited (formerly known as Himachal

EARNINGS PRESENTATION Q4-FY20 / FY20 Co Company Overvie iew HFCL Limited (formerly known as Himachal Futuristic Communications Limited) is a Leading Technology Enterprise connecting the world with fully integrated communication network

614 views • 25 slides
UK Power Networks Methods of detection current & future Alan Croucher ENA 16 th May 2018

UK Power Networks Methods of detection current & future Alan Croucher ENA 16 th May 2018

UK Power Networks Methods of detection current & future Alan Croucher ENA 16 th May 2018 So how do we find cable leaks? Currently we have 3 primary leak location methods: Cable Freeze Capenhurst hydraulic method

214 views • 17 slides
Making Cyber Security Part of Your Business Cybercrime The rapid digitization of

Making Cyber Security Part of Your Business Cybercrime The rapid digitization of

Making Cyber Security Part of Your Business Cybercrime The rapid digitization of consumers lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the

578 views • 27 slides
Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger

Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger

1st IEEE Workshop on High-Performance Interconnectjon Networks towards the Exascale and Big-Data Era Chicago, 8 September 2015 Modeling a Large Data-Acquisition Network in a Simulation Framework Tommaso Colombo 1,2 Holger Frning 2 Pedro Javier

538 views • 24 slides
GAS ODORIZING GAS ODORIZING SYSTEM SYSTEM ASOG (AUTOMATED GAS ODORIZING ASOG AUTOMATED GAS

GAS ODORIZING GAS ODORIZING SYSTEM SYSTEM ASOG (AUTOMATED GAS ODORIZING ASOG AUTOMATED GAS

GAS ODORIZING GAS ODORIZING SYSTEM SYSTEM ASOG (AUTOMATED GAS ODORIZING ASOG AUTOMATED GAS ODORIZING SYSTEM SYSTEM) DOSER DOSER ASOG ASOG is disigned for is disigned for: - Pulsed dosing of odorant Pulsed dosing of odorant supply to

475 views • 9 slides
& SE & SERVIC VICES ES CO CONFE NFERENCE RENCE JUNE JUNE 20 2019 19 SAF SAFE

& SE & SERVIC VICES ES CO CONFE NFERENCE RENCE JUNE JUNE 20 2019 19 SAF SAFE

BAI AIRD RD GLOBAL AL CO CONSUM SUMER, ER, TECH TECHNOLOGY Y & SE & SERVIC VICES ES CO CONFE NFERENCE RENCE JUNE JUNE 20 2019 19 SAF SAFE E HAR HARBOR BOR ST STATE TEMENT MENT This presentation does not

945 views • 32 slides

More recommend