draft ietf dnsop nsec aggressiveuse
play

draft-ietf-dnsop-nsec-aggressiveuse and - PowerPoint PPT Presentation

Feb 09, 2024 •160 likes •271 views

draft-ietf-dnsop-nsec-aggressiveuse and draft-wkumari-dnsop-cheese-shop 1 IETF96 - Berlin, .de - 07/2016 V0.02 I know one thing: that I know nothing -- Plato, quoting Socrates* 2 *: Not really.... 50000ft example / reminder

  1. draft-ietf-dnsop-nsec-aggressiveuse and draft-wkumari-dnsop-cheese-shop 1 IETF96 - Berlin, .de - 07/2016 V0.02

  2. “I know one thing: that I know nothing” -- Plato, quoting Socrates* 2 *: Not really....

  3. 50’000ft example / reminder wkumari$ dig +dnssec belkin ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN , id: 41230 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 ;; QUESTION SECTION: ;belkin. IN A ;; AUTHORITY SECTION: . 1795 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016070901 1800 900 604800 86400 beer. 21512 IN NSEC bentley. NS DS RRSIG NSEC beer. 21512 IN RRSIG NSEC 8 1 86400 20160719170000 20160709160000 46551 . AoT2Oe3eVZ3pC1DousLXDYABGuTTvkyP4rbBXvquGp3T/Lg7Rer3Vx2g oC9p5u6T+lj/3u879htWNRO62wSdODkvOdtVFA5iJxN9DJ5EtuJdbuL/ xJuPhoin+0Fc6Vtf0X0l7e5TBtxYAyPZqUq6dxm6qE/NW6Ft1nAv3GYX jlg= ;; Query time: 222 msec 3

  4. The problem Couldn’t have made a better example if I’d planned it... ● May 12, a Friday afternoon, Colin Petrie / Kaveh Ranjbar from RIPE poked me: “Google is suddenly sending K-root way more junk queries, e.g ‘nq0nnjzba-fn.357.225.340.251’. It burns us, please make it stop…” 4

  5. Well, that’s not good…. ● What’s causing this? ○ Have we got some bug? ○ Did anyone change anything?! ○ Are we being used as a DoS reflector? ○ Why does the graph look more like organic growth than a DoS? Phew, it’s not just Google Public DNS, just we show up towards the top… ● ...still, what’s causing this? And why? And can we make it stop? 5

  6. Ugh, unpatched CPE... 6

  7. … turning on Aggressive NSEC / Cheeseshop 7

  8. Rewritten to be more readable Integrated comments / no Aggressive longer applicable NSEC Better examples Draft Seeing as this is moving along, no need for Cheese- shop 8

  9. Updates ● Document adopted by DNSOP WG Adoption comments ● ● Changed main purpose to performance Thanks to Jinmei. ○ ● Use NSEC3/Wildcard keywords Thanks to Matthijs ○ ● Improved wordings (from good comments) Simplified pseudo code for NSEC3 ● ● Added Warren as co-author Reworded much of the problem statement ● ● Reworked examples to better explain the problem / solution 9

  10. Notes ● This technique may occlude newly added information ○ If you ask for foo.example.com, and it doesn’t exist, it doesn’t exist for the NSEC TTL NSEC3 is trickier than NSEC ● ○ So implementations may choose to only support this for NSEC Provide knobs for enabling / disabling on a per-domain basis ● 10

  11. A few minor edits: Jinmei provided some comments, mainly suggesting removing references to subdomain attacks. Done? Typos and grammar nits, fixing references https://github. com/wkumari/draft-ietf-dnsop- nsec-aggressiveuse 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NSEC Overview 1 NSEC Overview 2 NSEC Overview 3 NSEC Participants Growth of Nanoscale

NSEC Overview 1 NSEC Overview 2 NSEC Overview 3 NSEC Participants Growth of Nanoscale

NSEC Overview 1 NSEC Overview 2 NSEC Overview 3 NSEC Participants Growth of Nanoscale Structures Spin and Charge Michael Aziz (Harvard) Federico Capasso (Harvard) Moungi Bawendi (MIT) Eugene Demler (Harvard) Cynthia Friend (Harvard)

201 views • 7 slides
Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 -

Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 -

Non-Congestion Robustness (NCR) for TCP draft-ietf-tcpm-draft-ietf-tcpm-tcp-dcr-03.txt IETF 62 - March 2005 Sumitha Bhandarkar, A. L. Narasimha Reddy, Mark Allman, Ethan Blanton &quot;Hit our satellite with feeling, Give the people what they

363 views • 8 slides
Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K. Note to the DNS Camel* This document does not propose any new extensions to the DNS protocol. It

663 views • 16 slides
IETF 74 DHC draft-dhankins-softwire-tunnel-option draft-ietf-dhc-option-guidelines

IETF 74 DHC draft-dhankins-softwire-tunnel-option draft-ietf-dhc-option-guidelines

IETF 74 DHC draft-dhankins-softwire-tunnel-option draft-ietf-dhc-option-guidelines draft-ietf-dhc-dhcpinform-clarify David W. Hankins Internet Systems Consortium, Inc. March, 2009 softwire-tunnel-option-03 No material changes.

347 views • 15 slides
RFC 2833 bis draft-ietf-avt-rfc2833bis-08.txt draft-ietf-avt-rfc2833bisdata-01.txt

RFC 2833 bis draft-ietf-avt-rfc2833bis-08.txt draft-ietf-avt-rfc2833bisdata-01.txt

RFC 2833 bis draft-ietf-avt-rfc2833bis-08.txt draft-ietf-avt-rfc2833bisdata-01.txt draft-ietf-avt-rfc2833biscas-00.txt Tom Taylor taylor@nortel.com 7 Mar 2005 RFC 2833 bis changes Overview of Changes From RFC 2833 Split into three

421 views • 8 slides
Greater Mekong Sub-region North-South Economic Corridor (GMS 2 - NSEC) Part 1: GMS NSEC Snap

Greater Mekong Sub-region North-South Economic Corridor (GMS 2 - NSEC) Part 1: GMS NSEC Snap

Greater Mekong Sub-region North-South Economic Corridor (GMS 2 - NSEC) Part 1: GMS NSEC Snap shot (1/3) Member Countries: 1. PRC 2. Lao PDR 3. Myanmar 4. Thailand 5. Vietnam Part 1: GMS NSEC Snap shot (2/3) NSEC consists of three major

285 views • 26 slides
Draft-ietf-avt-rtcp-xr-mib-00.txt Authors: Alan Clark, Amy Pendleton IETF 61, Washington DC,

Draft-ietf-avt-rtcp-xr-mib-00.txt Authors: Alan Clark, Amy Pendleton IETF 61, Washington DC,

Draft-ietf-avt-rtcp-xr-mib-00.txt Authors: Alan Clark, Amy Pendleton IETF 61, Washington DC, November 2004 Current draft status WG draft (renamed as -00.txt) Added section on relationship to RAQMON RAQMON authors provided suggested

83 views • 7 slides
draft-dickinson-dnsop- nameserver-control-01 Stephen Morris stephen@isc.org 1 NSCP Function

draft-dickinson-dnsop- nameserver-control-01 Stephen Morris stephen@isc.org 1 NSCP Function

draft-dickinson-dnsop- nameserver-control-01 Stephen Morris stephen@isc.org 1 NSCP Function Breakdown Commands - start, stop, halt etc. Zone manipulation add/remove zone, ACL creation, etc. Parameters - control nameserver

326 views • 9 slides
TLS 1.3 draft-ietf-tls-tls13-12 Eric Rescorla Mozilla ekr@rtfm.com IETF 95 TLS 1 Overview

TLS 1.3 draft-ietf-tls-tls13-12 Eric Rescorla Mozilla ekr@rtfm.com IETF 95 TLS 1 Overview

TLS 1.3 draft-ietf-tls-tls13-12 Eric Rescorla Mozilla ekr@rtfm.com IETF 95 TLS 1 Overview Changes since draft-10 Outstanding consensus calls 1-RTT PSK and session tickets Context values Key schedule and key separation

763 views • 49 slides
NADA Implementation in Mozilla Browser and Draft Update draft-ietf-rmcat-nada-11 Xiaoqing Zhu,

NADA Implementation in Mozilla Browser and Draft Update draft-ietf-rmcat-nada-11 Xiaoqing Zhu,

NADA Implementation in Mozilla Browser and Draft Update draft-ietf-rmcat-nada-11 Xiaoqing Zhu, Rong Pan, Michael A. Ramalho, Sergio Mena, Paul E. Jones, Jiantao Fu, and Stefano D'Aronco July 2019 | IETF 105 | Montreal, Canada 1 Draft Update

472 views • 28 slides
The use of the SIPS URI Scheme in SIP draft-ietf-sip-sips-05 Franois Audet - audet@nortel.com

The use of the SIPS URI Scheme in SIP draft-ietf-sip-sips-05 Franois Audet - audet@nortel.com

The use of the SIPS URI Scheme in SIP draft-ietf-sip-sips-05 Franois Audet - audet@nortel.com draft-sip-sips-05 Status Since draft-ietf-sip-sips-02, 3 iterations of the working group document Almost went WGLC on draft-ietf-sip-

77 views • 6 slides
Proposal for extensions to RTCP XR: draft-ietf-avt-rtcp-xr-bis-00.txt Authors: Alan Clark, Amy

Proposal for extensions to RTCP XR: draft-ietf-avt-rtcp-xr-bis-00.txt Authors: Alan Clark, Amy

Proposal for extensions to RTCP XR: draft-ietf-avt-rtcp-xr-bis-00.txt Authors: Alan Clark, Amy Pendleton, Rajesh Kumar IETF 63, Paris, August 2005 IETF 62 Follow up and Status Idea presented at IETF-62: new parameters Following the

470 views • 7 slides
EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as

EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as

EMU IETF 74 Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an &quot;IETF

940 views • 7 slides
IETF 68 draft-ietf-sip-outbound-08 Cullen Jennings The key point We need to finish this

IETF 68 draft-ietf-sip-outbound-08 Cullen Jennings The key point We need to finish this

IETF 68 draft-ietf-sip-outbound-08 Cullen Jennings The key point We need to finish this document Change from -07 to -08 Some people on this list felt that we should use CRLF as the keep alive for TCP Wrote text so that the WG

243 views • 8 slides
IETF-88 Draft status: draft-ietf-nvo3-gap-analysis Eric Gray (Ericsson) Nabil Bitar (Verizon)

IETF-88 Draft status: draft-ietf-nvo3-gap-analysis Eric Gray (Ericsson) Nabil Bitar (Verizon)

IETF-88 Draft status: draft-ietf-nvo3-gap-analysis Eric Gray (Ericsson) Nabil Bitar (Verizon) Xiaoming Chen (Huawei) Marc Lasserre (Alcatel-Lucent) Tina Tsou (Huawei) Current Status Update We presented the status of the combined

276 views • 14 slides
Generalized MPLS Signaling draft-ietf-mpls-generalized-signaling-05.txt

Generalized MPLS Signaling draft-ietf-mpls-generalized-signaling-05.txt

Generalized MPLS Signaling draft-ietf-mpls-generalized-signaling-05.txt draft-ietf-mpls-generalized-cr-ldp-04.txt draft-ietf-mpls-generalized-rsvp-te-04.txt Authors Authors Peter Ashwood-Smith (Nortel Networks Corp.) Ayan Banerjee

386 views • 7 slides
E/R Diagrams Converting E/R Diagrams to Relations DB design is a serious and

E/R Diagrams Converting E/R Diagrams to Relations DB design is a serious and

E/R Diagrams Converting E/R Diagrams to Relations DB design is a serious and possibly complex business. A client may know they want a database, but they don t know what they want in it or how it should look. E/R

977 views • 75 slides
Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Intro Hardware Security Platform Security Hacking Q&amp;A Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at Hamburg &amp; Dublin City University 2010-12-16 1 / 54 Intro Hardware Security

974 views • 79 slides
A Support Engineer Walkthrough on pt-stalk Marcos Albe Marcelo Altmann Principal Support

A Support Engineer Walkthrough on pt-stalk Marcos Albe Marcelo Altmann Principal Support

A Support Engineer Walkthrough on pt-stalk Marcos Albe Marcelo Altmann Principal Support Engineer - Percona Senior Support Engineer - Percona Thank You Sponsors! 2 April 23-25, 2018 SAVE THE DATE! Santa Clara Convention Center CALL FOR

870 views • 30 slides
CALL OF DUTY: DEV OPS STEPHEN BURTON, TECH EV ANGELIST , APPDYNAMICS my company Im Steve

CALL OF DUTY: DEV OPS STEPHEN BURTON, TECH EV ANGELIST , APPDYNAMICS my company Im Steve

CALL OF DUTY: DEV OPS STEPHEN BURTON, TECH EV ANGELIST , APPDYNAMICS my company Im Steve Burton my passion tech ev angelist @burtonsa ys THE GAME toda y GAME SELECT DEVELOPER DEVELOPER A OPERATIONS DEVOPS NOOPS Dev MISSION

811 views • 53 slides
Welcome to the Machine Learning Toolbox! Machine Learning Toolbox Supervised learning caret

Welcome to the Machine Learning Toolbox! Machine Learning Toolbox Supervised learning caret

MACHINE LEARNING TOOLBOX Welcome to the Machine Learning Toolbox! Machine Learning Toolbox Supervised learning caret R package Automates supervised learning (a.k.a. predictive modeling ) Target variable Machine Learning Toolbox

634 views • 16 slides
CS6220: DATA MINING TECHNIQUES Chapter 2: Getting to Know Your Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 2: Getting to Know Your Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 2: Getting to Know Your Data Instructor: Yizhou Sun yzsun@ccs.neu.edu January 8, 2013 Chapter 2: Getting to Know Your Data Data Objects and Attribute Types Basic Statistical Descriptions of Data

880 views • 52 slides
GUI PROGRAMMING USING TKINTER Cuauhtmoc Carbajal ITESM CEM April 17, 2013 2 Agenda

GUI PROGRAMMING USING TKINTER Cuauhtmoc Carbajal ITESM CEM April 17, 2013 2 Agenda

1 GUI PROGRAMMING USING TKINTER Cuauhtmoc Carbajal ITESM CEM April 17, 2013 2 Agenda Introduction Tkinter and Python Programming Tkinter Examples 3 INTRODUCTION 4 Introduction In this lecture, we will give you a brief

1.2k views • 62 slides
THE BLAME GAME THE BLAME GAME WHAT I WANT TO COVER Our world and a brief history of security

THE BLAME GAME THE BLAME GAME WHAT I WANT TO COVER Our world and a brief history of security

WELCOME TO THE BLAME GAME THE BLAME GAME WHAT I WANT TO COVER Our world and a brief history of security standards in our industry &quot;Shit Auditors Said&quot; Current state of affairs &quot;Shit Auditors Still Say&quot; Our

717 views • 23 slides

More recommend