dnssec update
play

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk - PowerPoint PPT Presentation

Mar 24, 2023 •309 likes •482 views

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th 2011 DNSSEC validation - Validation rate not rising very much - Interesting to see what will happen after .com signing 2 SURFnet. We make

  1. DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th 2011

  2. DNSSEC validation - Validation rate not rising very much - Interesting to see what will happen after .com signing 2 SURFnet. We make innovation work

  3. BIND issue with new DS - IMPORTANT: - If you are running BIND as a validating resolver, you should upgrade ASAP - Bug in BIND causes resolver not to pick up on new DS in root zone correctly -> result: SERVFAILs for a (g)TLD - Hint: March 31st .com DS in root zone - See http://bit.ly/BIND-notice 3 SURFnet. We make innovation work

  4. More BIND trouble - We are lucky to be here today... - Last weekend .fr disappeared of the DNSSEC signed Internet - Initial analysis by AFNIC shows that this is an NSEC3 bug in dynamic updates - So pay attention if you (plan to) use BIND in auto-signing/dynamic update mode - See also: http://bit.ly/bind-nsec3 4 SURFnet. We make innovation work

  5. Research into client behaviour - Until now focus was on signing and validating - Limited interest in client behaviour (only studies into CPE hardware) - Joint study by SIDN (.nl) and TNO with live data from SURFnet - See how stub clients respond to e.g. SERVFAIL 5 SURFnet. We make innovation work

  6. The research - Stub clients can be found in many pieces of software and in many devices: - Operating System - Browser - E-mail client - VoIP handset - Mobile phone - etc. - Two methods of testing: - Lab environment where all parameters are ‘under control’ of the researchers - Live data from SURFnet resolvers (work-in-progress) 6 SURFnet. We make innovation work

  7. Results for Windows Response type IE Win XP Total Valid/NXDOMAIN x1 x1 x1 SERVFAIL/REFUSED x1 x1 x1 No response x1 x5 x5 Truncated x1 1 + TCP 1 + TCP - Similar results for other browsers Response type Firefox Win 7 Total Valid/NXDOMAIN x1 x1 x1 SERVFAIL/REFUSED x1 x1 x1 No response x1 x4 x4 Truncated x1 1 + TCP 1 + TCP - Similar results for other browsers 7 SURFnet. We make innovation work

  8. Results for UNIX-/BSD-like Response type Firefox Linux Total Valid x1 x1 x1 NXDOMAIN/Partial x2 x2 x4 SERVFAIL/No Resp/REF x2 x4 x8 Truncated x1 1 + TCP 1 + TCP Response type Safari Mac OS X Total Valid x1 x1 x1 NXDOMAIN/Partial x1 x2 x2 SERVFAIL/No Resp/REF x1 x4 x4 Truncated x1 1 + TCP 1 + TCP - In both cases: - Single auth. NS; in case of prim+sec -> x2 - Only IPv4; in case of IPv6 -> x2 8 SURFnet. We make innovation work

  9. Causes and effects - On UNIX-/BSD-like systems: cause seems to be bad and outdated DNS implementation in glibc -> severely needs a rewrite - Firefox behaves differently on different OSes - Effect: query load can explode when certain events occur (e.g. signing error on popular domain) -> N.B.: both resolver & authoritative feel pain! 9 SURFnet. We make innovation work

  10. Further work - This issue requires more attention than it is getting - With .com signing around the corner we need to be prepared - Currently in progress: more work on ‘live’ data from our resolvers by TNO -> contributions are welcome (contact me) 10 SURFnet. We make innovation work

  11. The Chicken & Egg - There is a lot of discussion about the ‘chicken and egg’ problem of DNSSEC: If I sign my zone, will anyone validate? - Signer deployment seems to be on a roll - Validator deployment is unclear and not being measured 11 SURFnet. We make innovation work

  12. Measuring validators - The theory: Measuring DNSKEY requests to authoritative name servers should reveal validating resolvers - The practice: - Working on a tool based on libpcap to monitor these queries - Running code available but is still very rough -> some interesting results already 12 SURFnet. We make innovation work

  13. Measuring validators - Who wants to help? - Looking for people willing to help in tool development, specifically: - Database expertise - Hacking together a nice web UI (PHP stuff?) - Maybe a nice geo-IP, Google Maps thingy? - Looking for people willing to participate in the measuring phase - If you have signed domains and are willing to run a simple tool on your authoritative servers: please come forward :-) 13 SURFnet. We make innovation work

  14. Short news - Students at the University of Amsterdam have created a Firefox plugin to validate X.509 certificate hashes stored in DNS -> http://os3sec.org - There is a lot of discussion about trust in DNSSEC; many TLDs are starting to publish DNSSEC Practice Statements (DPSs) inspired by CPSs -> IETF working on DPS framework RFC http://bit.ly/draft-dps 14 SURFnet. We make innovation work

  15. Shameless advertising - We have published a white paper (or rather book) on applications of crypto aimed at connected institutions -> http://bit.ly/sn-crypto 15 SURFnet. We make innovation work

  16. That’s all folks... Questions? ? Thank you for your attention! Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl Presentation released under Creative Commons (http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en) 16 SURFnet. We make innovation work

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54

DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54

DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54 Dublin DNSSEC Workshop Latour - October 21, 2015 Last update ICANN53 DNSSEC Workshop June 24, 2015

442 views • 11 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010 .bg .biz .br .cat .cz .dk .edu .lk .museum .na .org .tm .uk .us already in root. more coming (.se .ch .gov .li .my .nu .pr .th) 8 out of

836 views • 30 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45,

Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45,

Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45, 17 October 2012 Background .GOV used by U.S. federal, state and local governments Verisign operates .GOV registry on

223 views • 7 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
Institute of Computational Modeling SB RAS ORGANIZATION OF ACCESS TO OBSERVATIONAL DATA USING WEB

Institute of Computational Modeling SB RAS ORGANIZATION OF ACCESS TO OBSERVATIONAL DATA USING WEB

Institute of Computational Modeling SB RAS ORGANIZATION OF ACCESS TO OBSERVATIONAL DATA USING WEB SERVICES FOR MONITORING SYSTEMS THE STATE OF THE ENVIRONMENT Kadochnikov Aleksey A. Russia, Krasnoyarsk - 2013 The main tasks of software and

182 views • 17 slides
Computational Physics What is Computational Physics? Basic Computer Hardware Operating Systems

Computational Physics What is Computational Physics? Basic Computer Hardware Operating Systems

Computational Physics What is Computational Physics? Basic Computer Hardware Operating Systems Programming Languages Problem solving environment What is Computational Physics? Computational Physics is a synthesis of theoretical analysis,

1.02k views • 66 slides
DNSSEC for Legacy Applications - POC Presenter: Sara Dickinson (Sinodun) Allison Mankin, Gowri

DNSSEC for Legacy Applications - POC Presenter: Sara Dickinson (Sinodun) Allison Mankin, Gowri

DNSSEC for Legacy Applications - POC Presenter: Sara Dickinson (Sinodun) Allison Mankin, Gowri Visweswaran (Verisign Labs) Theogene H. Bucuti (University of North Texas) Willem Toorop (NLnet Labs) ICANN54 DNSSEC Workshop - October 21, 2015

335 views • 15 slides
Understanding H-1B & TN Employment Status: The Basics Office of International Affairs Dan P.

Understanding H-1B & TN Employment Status: The Basics Office of International Affairs Dan P.

Understanding H-1B & TN Employment Status: The Basics Office of International Affairs Dan P. Ashton , Associate Director Melissa Fox , International Scholar and Employee Adviser Reshecoa Flanders , Employee Services Assistant Agenda

600 views • 31 slides
Devopsn the Operating System John Willis Director of Ecosystem Development Docker, Inc.

Devopsn the Operating System John Willis Director of Ecosystem Development Docker, Inc.

Devopsn the Operating System John Willis Director of Ecosystem Development Docker, Inc. @botchagalupe a.k.a. John Willis 35 Years in IT Operations Exxon, Canonical, Chef, Enstratius, Socketplane Devopsdays Core

872 views • 45 slides
mem o ry noun \memr, mem\ 1 a: the power or process of reproducing or

mem o ry noun \memr, mem\ 1 a: the power or process of reproducing or

Memory 3.0 (Three Dot O) Memory 3.0 (Three Dot O) Sangyeun Cho Memory Solutions Lab, Memory Division Samsung Electronics Co. Memory 3.0 1 mem o ry noun \memr, mem\ 1 a: the power or process of reproducing or recalling what

775 views • 44 slides
Monitoring Tool for Analysing the Use of the Internet Services in the Spanish Academic

Monitoring Tool for Analysing the Use of the Internet Services in the Spanish Academic

Monitoring Tool for Analysing the Use of the Internet Services in the Spanish Academic Network Jordi Domingo-Pascual Universitat Politcnica de Catalunya jordi.domingo@ac.upc.es Partners: UC3M, UPC and UPM Project Objectives

682 views • 28 slides
Helsinki, 8 December 2003 Title: The current truth about heaps Speaker: Jyrki Katajainen

Helsinki, 8 December 2003 Title: The current truth about heaps Speaker: Jyrki Katajainen

Helsinki, 8 December 2003 Title: The current truth about heaps Speaker: Jyrki Katajainen Co-workers: Claus Jensen and Fabio Vitale This talk is about the heaps we all love. I will explain how the heap functions are im- plemented in the CPH

820 views • 30 slides

More recommend