Hands on tutorial - Willem Toorop (NLNet Labs), Shumon Huque (Verisign) - PowerPoint presentation

  1. Hands on tutorial – Willem Toorop, NLNet Labs; Shumon Huque, Verisign; Glen Wiley, Verisign

  2. About
     - getdns API = a DNS API specification – resolving names
     - getdns API = created by and for application developers
     - getdns = the first implementation of this specification
     - getdns highlighted feature: parry pervasive monitoring and man-in-the-middle attacks by bootstrapping encrypted channels
     - getdns mission slogan: Security Begins with a Name

  3-5. About DNSSEC
     - A globally distributed database with authenticated data
     - Wasn't it about protecting users against domain hijacking?
       - DNS = the phone book of the Internet
       - Data unauthenticated
       - DNSSEC to the rescue
     - Yes, but it does so by giving (origin) authenticated answers, where origin means that the authoritative party for a zone authenticates the domain names within that zone

  6. Refresher – Public Key Crypto
     - Asymmetric encryption
     - Symmetric encryption
     [Figure: asymmetric: readable message → Encrypt with the Public key → encrypted message → Decrypt with the Private key → readable message; symmetric: the same flow with one Shared key used for both Encrypt and Decrypt]

  7. Refresher – DNS in two slides
     - Zones with distributed authority
     [Figure: zone tree: . delegates .com, .org and .net; .com delegates oreilly.com; .net delegates getdnsapi.net]

  8. Refresher – DNS in two slides
     - Zones with distributed authority
     - Three types of name servers/clients
     - Iterative querying
     [Figure: the Application asks the stub (in the OS) for getdnsapi.net A; the stub forwards the query to the Recursive Resolver, which iterates over the Authoritatives: the root answers with a net NS referral, net with a getdnsapi.net NS referral, and getdnsapi with the getdnsapi.net A answer, which travels back through the stub to the Application]

  9. DNSSEC – Public Key Crypto – Signing
     - Create signature
     - Verify signature
     [Figure: create signature: readable message → Hash → hash of msg → Encrypt with the Private key → signature. Verify signature: readable message → Hash → hash of msg; signature → Decrypt with the Public key → hash of msg; Equal?]

  10. DNSSEC – Public Key Crypto – delegating authority
     - Building the chain of trust
     [Figure: a Private key signs the message (readable message → Hash → hash of msg → Encrypt → signature); a second Private key signs the first Public key in the same way (Public key → Hash → hash → Encrypt → signature), i.e. the second key pair authorizes the first]

  11. DNSSEC – Chain of Trust
     - Zones with distributed authority
     - Chain of trust follows delegations
     - DNSKEY: public key of zone
     - DS: hash of DNSKEY, signed by parent
     [Figure: the zone tree from slide 7 (., .com, .org, .net, oreilly.com, getdnsapi.net) with a DNSKEY at each zone; the root holds DS records for .com, .org and .net, and .net holds a DS for getdnsapi.net; check marks show each DS matching the child's DNSKEY]

  12. DNSSEC – Public Key Crypto – Verifying delegations
     - Verify signature
     - Verify authorization
     [Figure: verify signature: readable message → Hash → hash of msg; signature → Decrypt with the Public key → compare. Verify authorization: the Public key → Hash → hash; its signature → Decrypt with the parent's Public key → compare]

  13. DNSSEC – Validating
     - A Validating Recursive Resolver uses the root's public key to verify (validate) delegations
     [Figure: the slide 8 diagram with the Recursive Resolver now Validating: besides getdnsapi.net A, net NS and getdnsapi.net NS, it fetches net DS and net DNSKEY from the root and net, and getdnsapi.net DS and getdnsapi.net DNSKEY from net and getdnsapi, and marks the validated answer with a check mark before returning it through the stub to the Application]
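The chain-of-trust check from slides 9 through 13, as an added example that is not part of the original tutorial and not getdns code: it computes DS digests (SHA-256 over the canonical owner name plus the DNSKEY RDATA, RFC 4034 section 5.1.4) and key tags (RFC 4034 Appendix B) for constructed DNSKEY records, then walks the delegations . → net → getdnsapi.net checking that each parent's DS matches the child's DNSKEY, starting from a trust anchor for the root key. The zone names are the ones on the slides; the key bytes and the ZONES dict are constructed sample data, and RRSIG signature verification (the "Decrypt with the Public key, compare" step of slide 12) is not modelled, because the Python standard library has no DNSSEC signature algorithms. Only the DS ↔ DNSKEY hash link of the chain is exercised here.

```python
import hashlib
import struct


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    return hashlib.sha256(owner_wire(owner) + rdata).digest()


# Constructed sample zones (not real keys): the public key field is just opaque bytes here.
# Flags 257 = zone key + secure entry point, algorithm 13 = ECDSA P-256/SHA-256.
ZONES = {
    ".":              {"dnskey": dnskey_rdata(257, 13, b"constructed-root-key"),      "ds": {}},
    "net.":           {"dnskey": dnskey_rdata(257, 13, b"constructed-net-key"),       "ds": {}},
    "getdnsapi.net.": {"dnskey": dnskey_rdata(257, 13, b"constructed-getdnsapi-key"), "ds": {}},
}
# Each parent publishes a DS for its child: the ". → net DS → net DNSKEY" links of slide 11.
ZONES["."]["ds"]["net."] = ds_digest("net.", ZONES["net."]["dnskey"])
ZONES["net."]["ds"]["getdnsapi.net."] = ds_digest("getdnsapi.net.", ZONES["getdnsapi.net."]["dnskey"])
# Trust anchor: the digest of the root DNSKEY, configured out of band (the root's public key of slide 13).
TRUST_ANCHOR = ds_digest(".", ZONES["."]["dnskey"])


def delegation_path(name):
    """'getdnsapi.net.' -> ['.', 'net.', 'getdnsapi.net.']"""
    labels = [l for l in name.rstrip(".").split(".") if l]
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        path.append(".".join(labels[i:]) + ".")
    return path


def validate_chain(zones, trust_anchor, target):
    """Return True when every DS from the trust anchor down to target matches the child's DNSKEY."""
    # Step 1: the root DNSKEY must hash to the configured trust anchor.
    if ds_digest(".", zones["."]["dnskey"]) != trust_anchor:
        return False
    # Step 2: at every delegation the parent's DS must equal the hash of the child's DNSKEY.
    path = delegation_path(target)
    for parent, child in zip(path, path[1:]):
        expected = zones[parent]["ds"].get(child)
        if expected is None or expected != ds_digest(child, zones[child]["dnskey"]):
            return False  # no DS published, or DS does not match: chain is broken
    return True


if __name__ == "__main__":
    for zone, data in ZONES.items():
        print("%-16s key tag %5d  DS %s" % (zone, key_tag(data["dnskey"]), ds_digest(zone, data["dnskey"]).hex()))
    print("chain to getdnsapi.net. valid:", validate_chain(ZONES, TRUST_ANCHOR, "getdnsapi.net."))
```

Swapping the net key for another one (as a tampering resolver would have to) breaks the check at the root's DS for net, which is the point of slide 11: the parent's signed DS, not the child's own claim, is what vouches for the child's DNSKEY.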

  14. DNSSEC for Applications – for TLS
     - Transport Layer Security (TLS) uses both asymmetric and symmetric encryption
     - A symmetric key is sent encrypted with the remote public key
     - How is the remote public key authenticated?

  15. TLS Not Leveraging DNSSEC
     - How is the remote public key authenticated?

  16. How is Remote Public Key Authenticated?
     - Through Certificate Authorities (CAs), maintained in OS, browser...
     - Every CA is authorized to authenticate for any name (as strong as the weakest link)
     - There are 1000+ CAs

  17-18. Enter DANE-TLS
     - DNS-based Authentication of Named Entities (DANE), RFC 6698
     [Figure: @Kloot]

  19. DANE out of reach for Applications
     - getaddrinfo() returns addresses; how to ask for TLSA, or SSHFP?
     - getaddrinfo() doesn't tell if you got Authenticated Data (AD)
     [Figure: the validating-resolver diagram from slide 13, but the Application only has getaddrinfo() and wants _443._tcp.getdnsapi.net TLSA; the TLSA record is fetched and validated (check mark) by the Validating Recursive Resolver, yet getaddrinfo() cannot hand it to the Application]

  20. Do you trust the resolver?
     [Figure: the slide 13 diagram with a malicious resolver inserted between the Application's OS ("could be your phone") and the Validating Recursive Resolver ("could be the Wi-Fi"); the getdnsapi.net A answer the Application receives through getaddrinfo() comes from the malicious resolver, so the check mark at the validating resolver says nothing about it]

  21. Bypass resolver completely...
     [Figure: the Application/OS does the full iteration itself: it asks the root (net NS, net DS, net DNSKEY), net (getdnsapi.net NS, getdnsapi.net DS, getdnsapi.net DNSKEY) and getdnsapi (_443._tcp.getdnsapi.net TLSA) directly, validates the chain (check marks) and never uses the Recursive Resolver]

  22. Or Do DNSSEC Iteration as a Stub!
     [Figure: the Application/OS sends _443._tcp.getdnsapi.net TLSA and the supporting net DS, net DNSKEY, getdnsapi.net DS and getdnsapi.net DNSKEY queries to the Recursive Resolver in stub mode, then validates the chain itself (check marks at the Application, not only at the resolver)]

  23-26. Motivation – for a new DNS API
     - From API Design considerations:
       … There are other DNS APIs available, but there has been very little uptake …
       … talking to application developers …
       … the APIs were developed by and for DNS people, not application developers …
     - Goal:
       … API design from talking to application developers …
       … create a natural follow-on to getaddrinfo() …
     - The specification
       - http://www.vpnc.org/getdns-api/
       - Edited by Paul Hoffman
       - First publication April 2013
       - Updated in February 2014 (after extensive discussion during implementation)
       - Creative Commons Attribution 3.0 Unported License
     - The implementation
       - Implemented by Verisign Labs & NLnet Labs together
       - http://getdnsapi.net/
       - 0.1.0 release in February 2014, 0.1.1 in March, 0.1.2 & 0.1.3 in June, 0.1.4 in September, 0.1.5 last Friday
       - Node.js and Python bindings
       - BSD 3-Clause License

  27. Why this library (and not one of the others)
     - Offers the full resolving package
       - Full recursion and DNSSEC … through libunbound
       - Access to all the resolved data … through ldns

  28. Why this library (and not one of the others)
     - Delivers a generic data structure … Response Dict
       - Lists, dicts, data, integers … ubiquitous in modern scripting languages
       - Very suitable for inspection
       - Trial and error style programming … resolve, have a look, decide how to proceed
       - Suitable for scripting language bindings … and those are very developer friendly. Hackathon with Node.js and Python. Ahead are Go, Ruby, Perl ...

  29. Simple Functions – Full Recursion

       from getdns import *
       ctx = Context()
       ext = { "dnssec_return_only_secure": GETDNS_EXTENSION_TRUE }
       res = ctx.general('_443._tcp.getdnsapi.net', GETDNS_RRTYPE_TLSA, ext)
       if res['status'] == GETDNS_RESPSTATUS_GOOD:
           pass  # Process TLSA RRs

     [Figure: the slide 21 diagram: the Application (through getdns) does the full iteration and validation itself, querying the Authoritatives directly for _443._tcp.getdnsapi.net TLSA, net NS/DS/DNSKEY and getdnsapi.net NS/DS/DNSKEY, never using the Recursive Resolver]

  30. Simple Functions – Stub mode

       from getdns import *
       ctx = Context()
       ctx.resolution_type = GETDNS_RESOLUTION_STUB
       ext = { "dnssec_return_only_secure": GETDNS_EXTENSION_TRUE }
       res = ctx.general('_443._tcp.getdnsapi.net', GETDNS_RRTYPE_TLSA, ext)
       if res['status'] == GETDNS_RESPSTATUS_GOOD:
           pass  # Process TLSA RRs

     [Figure: the slide 22 diagram: the Application (through getdns in stub mode) sends _443._tcp.getdnsapi.net TLSA plus the net DS/DNSKEY and getdnsapi.net DS/DNSKEY queries to the Recursive Resolver and validates the chain itself]
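What "# Process TLSA RRs" can do once the status is GOOD, as an added example that is neither the slides' code nor part of getdns: it walks a response dict laid out like the replies_tree getdns returns, and for every TLSA record with certificate usage 1 (PKIX-EE) or 3 (DANE-EE) recomputes the certificate association data from the server's certificate per RFC 6698 and compares. RESPONSE, CERT_DER and SPKI_DER are constructed sample data; the rdata field names follow the getdns API specification, and GETDNS_RESPSTATUS_GOOD, GETDNS_RESPSTATUS_NO_SECURE_ANSWERS and GETDNS_RRTYPE_TLSA are redefined locally with the spec's values so the block runs without getdns installed. Usage 0 and 2 records (which need PKIX chain building to a trust anchor) are skipped, and a usage 1 match would additionally require ordinary PKIX validation, which this example does not perform.

```python
import hashlib

# Constants as defined by the getdns API specification (values copied from the spec).
GETDNS_RESPSTATUS_GOOD = 900
GETDNS_RESPSTATUS_NO_SECURE_ANSWERS = 903   # what dnssec_return_only_secure yields when nothing validates
GETDNS_RRTYPE_TLSA = 52

# Constructed stand-ins for a DER-encoded server certificate and its SubjectPublicKeyInfo.
# Real code takes the certificate from the TLS handshake (ssl.SSLSocket.getpeercert(binary_form=True))
# and extracts the SPKI with an X.509 library.
CERT_DER = b"constructed-certificate-der-bytes"
SPKI_DER = b"constructed-subject-public-key-info-bytes"


def tlsa_association_data(selector, matching_type, cert_der, spki_der):
    """Bytes a TLSA record with this selector and matching type must carry for this certificate (RFC 6698)."""
    selected = cert_der if selector == 0 else spki_der   # selector 0 = full certificate, 1 = SubjectPublicKeyInfo
    if matching_type == 0:
        return selected                                   # exact match of the selected data
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown TLSA matching type %d" % matching_type)


# Constructed response dict, laid out like the replies_tree getdns returns for the slides' TLSA query.
RESPONSE = {
    "status": GETDNS_RESPSTATUS_GOOD,
    "replies_tree": [{
        "answer": [{
            "name": "_443._tcp.getdnsapi.net.",
            "type": GETDNS_RRTYPE_TLSA,
            "rdata": {
                "certificate_usage": 3,    # DANE-EE: the record pins the end-entity certificate itself
                "selector": 1,             # SubjectPublicKeyInfo
                "matching_type": 1,        # SHA-256
                "certificate_association_data": hashlib.sha256(SPKI_DER).digest(),
            },
        }],
    }],
}


def dane_matches(response, cert_der, spki_der):
    """True if the response is GOOD and at least one end-entity TLSA record matches the presented certificate."""
    if response["status"] != GETDNS_RESPSTATUS_GOOD:
        return False   # includes NO_SECURE_ANSWERS: nothing DNSSEC-validated came back, so no DANE decision
    for reply in response["replies_tree"]:
        for rr in reply["answer"]:
            if rr["type"] != GETDNS_RRTYPE_TLSA:
                continue
            rd = rr["rdata"]
            if rd["certificate_usage"] not in (1, 3):
                continue   # usages 0 and 2 constrain the chain, not the end-entity certificate; not handled here
            expected = tlsa_association_data(rd["selector"], rd["matching_type"], cert_der, spki_der)
            if expected == rd["certificate_association_data"]:
                return True
    return False


if __name__ == "__main__":
    print("certificate matches TLSA:", dane_matches(RESPONSE, CERT_DER, SPKI_DER))
```

The decision is taken only on a GOOD status because the context asked for dnssec_return_only_secure: anything that did not validate never reaches the application, which is exactly the Authenticated Data signal getaddrinfo() cannot deliver (slide 19).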
