li living on the edge re focus dn dns efforts orts on on
play

Li Living on the Edge: (Re)focus DN DNS Efforts orts on on th - PowerPoint PPT Presentation

Feb 18, 2023 •229 likes •481 views

Li Living on the Edge: (Re)focus DN DNS Efforts orts on on th the e En End-Po Points Benno Overeinder NLnet Labs RIPE 75, Dubai, UAE http://www.nlnetlabs.nl/ Complexity at Core-Middle-Edge moderate Authoritative . complex simple

  1. Li Living on the Edge: (Re)focus DN DNS Efforts orts on on th the e En End-Po Points Benno Overeinder NLnet Labs RIPE 75, Dubai, UAE http://www.nlnetlabs.nl/

  2. Complexity at Core-Middle-Edge moderate Authoritative . complex simple recursive application resolver stub Authoritative net OS Authoritative ripe e2e-ness e2e-ness e2e-ness complex moderate simple http://www.nlnetlabs.nl/

  3. From the ground-up security … and now for something completely different http://www.nlnetlabs.nl/

  4. Customer–Web Portal Interaction auth name servers full recursive customer resolver browser web portal http http/https host server IP address http://www.nlnetlabs.nl/

  5. DNS Spoofing • DNS Spoofing by cache poisoning • attacker flood a DNS resolver with phony information with bogus DNS results • by the law of large numbers, these attacks get a match and plant a bogus result into the cache • Man-in-the-middle attacks • redirect to wrong Internet sites • email to non-authorized email server http://www.nlnetlabs.nl/

  6. The “Too Many CAs” Problem • TLS clients have abundance of TAs • modern web browsers have 1300+ TAs • any of them can issue certificate for example.com example example .com .com TLS client accepts both! http://www.nlnetlabs.nl/ credits wes.hardaker@parsons.com

  7. Customer–Web Portal Interaction auth name servers full recursive customer resolver browser web portal http http/https host too many server CAs IP address CA pinning/HSTS? http://www.nlnetlabs.nl/

  8. DNSSEC-Based Secure Customer–Web Portal Interaction auth name servers DNSSEC full recursive customer resolver browser web portal http http/https host too many server DANE CAs IP address http://www.nlnetlabs.nl/

  9. Resolver Hijack?! auth name servers DNSSEC full recursive resolver browser web portal http host too many server DANE CAs IP address http/https http://www.nlnetlabs.nl/

  10. Countering Resolver Hijack • DNSSEC on the stub • DNS-over-TLS dns-oarc.net A t DNSKEY DS A e n DNSSEC Aware Validation . c r a Recursive o DNSKEY DS Recursive - s n d resolver ← resolver t 64.191.0.198 e Browser n Browser DNSKEY → (application) (application) · https https stub stub OS OS http://www.nlnetlabs.nl/

  11. Countering Resolver Hijack (cont’d) • DNS-over-TLS • DNS-over-TLS security/privacy Authenticate _853._tcp.getdnsapi.net TLSA DNS-over-TLS dns-oarc.net A A with DANE? Validation Recursive Au getdnsapi.net DNSSEC Aware ← DNSKEY DS resolver DNSKEY DS Recursive 64.191.0.198 Browser resolver net Auth → DNSKEY (application) Authorita dns-oarc. · getdnsapi.net https stub Browser → Validation A t e (application) n c . r a - o s n d Recursive stub resolver OS 8 9 1 0 . . 1 9 . 1 4 ← 6 https OS Bootstrap the TLSA lookup with regular DNS? TLS hijack of DNS-over-TLS Bootstrap the TLSA lookup with regular DNS? Chicken and egg problem. http://www.nlnetlabs.nl/

  12. DNSSEC Data Blob-over-TLS • TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension • TLS DNSSEC authentication to prevent “Too many CA’s” problem • https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension A _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS Au . DNSKEY RRSIGs Auth Authorita dns-oarc.n getdnsapi.net Browser dns-oarc.net A → Validation (application) Recursive _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS . DNSKEY RRSIGs stub resolver ← 64.191.0.198 https OS http://www.nlnetlabs.nl/

  13. DNS Privacy and Standards • DNS privacy requirements Capability Standard DNS-over-TLS RFC7858 Reuse/pipelining/OOOP RFC7766 TCP fast open RFC7413 ENDS0 keep alive RFC7828 ENDS0 padding RFC7830 PKIX support for authentication (various) DNSSEC support (various) (for address lookup and authentication) http://www.nlnetlabs.nl/

  14. DNSSEC Roadblocks Consequences of living on the edge http://www.nlnetlabs.nl/

  15. DNSSEC Roadblocks Authoritative . Authoritative net dns-oarc.net DNSKEY DS A recursi sive Authoritative DNSKEY DS resolver re dns-oarc.net net Browser DNSKEY (application) WebSrv · https stub OS • Resolving DNSSEC (to cross the first mile) needs DNSSEC aware recursive resolver http://www.nlnetlabs.nl/

  16. DNSSEC Roadblock Avoidance • DNSSEC roadblock avoidance + full recursion capability • https://tools.ietf.org/html/rfc8027 http://www.nlnetlabs.nl/

  17. DNSSEC Roadblock Avoidance • DNSSEC roadblock avoidance + full recursion capability • https://tools.ietf.org/html/rfc8027 http://www.nlnetlabs.nl/

  18. DNSSEC with DNS64 & NAT64 Authoritative . IPv6 Only Authoritative com twitter.com AAAA Browser ← (application) DNS64 Authoritative → 64:ff9b::68e0:2ac1 twitter.com stub NAT64 IPv4 only OS https https 104.244.42.193 • Jen Linkova’s “Let’s talk about IPv6 DNS64 & DNSSEC” • https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/ • With IPv6 prefix discovery, stub can do DNSSEC validation of A RR itself http://www.nlnetlabs.nl/

  19. DNSSEC with DNS64 & NAT64 Authoritative . IPv6 Only Authoritative com Browser (application) Authoritative DNS64 twitter.com stub NAT64 Privacy OS resolver • IPv6 address synthesis prefix discovery + DNS64 capability • https://tools.ietf.org/html/rfc7050 • https://tools.ietf.org/html/rfc6147 http://www.nlnetlabs.nl/

  20. KSK Root Rollover More roadblocks ahead http://www.nlnetlabs.nl/

  21. RFC5011 for DNSSEC Validating Stubs • DNSSEC validating stub must do RFC5011 In-band RFC5011 tracking with DNSSEC auth chain TLS extension http://www.nlnetlabs.nl/

  22. KSK Root Rollover for Stub Library • A stub library for DANE • runs with user’s privileges • no system config • bootstrap DNSSEC capabilities • https://tools.ietf.org/html/rfc7958 • unbound-anchor functionality http://www.nlnetlabs.nl/

  23. DNSSEC Roadblocks and Standards • DNSSEC stubs capability requirements Capability Standard DNSSEC validation (various) DNSSEC roadblock avoidance RFC8027 IPv6 prefix discovery RFC7050 IPv6 address synthesis RFC6147 Automated trust anchor updates RFC5011 Automated initial trust anchor retrieval RFC7958 http://www.nlnetlabs.nl/

  24. Living on the Edge “Final Thoughts” http://www.nlnetlabs.nl/

  25. Wrapping Up • Stub resolver/library experience complex e2e-ness • at the edge of the network many kinds of roadblocks/brokenness • DNS-based security from the ground up • bootstraps with the stub • Closing the gap in the last mile with ongoing work • overview of RFCs and drafts • most of discussed work is implemented in getdns and its stub resolver Stubby • DNSSEC Authentication Chain Extension • https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension http://www.nlnetlabs.nl/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Resurrection of Fukushima, NPO 1 1. Efforts to secure living environment 2. Efforts to produce

Resurrection of Fukushima, NPO 1 1. Efforts to secure living environment 2. Efforts to produce

Resurrection of Fukushima, NPO 1 1. Efforts to secure living environment 2. Efforts to produce safe food 3. Examine the conditions of animals and plants 4. Examine radiation and radioactivity levels around the village 5. Secure electricity and

775 views • 32 slides
Susan Marina Wolfe Living on the Edge Conference St Martin in the Fields Oct 2015

Susan Marina Wolfe Living on the Edge Conference St Martin in the Fields Oct 2015

Susan Marina Wolfe Living on the Edge Conference St Martin in the Fields Oct 2015 Photo on screen of infant me, screaming. You may recognise this screaming infant on the screen. Health problems and the efforts to shut me up, began

356 views • 6 slides
Focus on Roadway Configuration Outside edge of pavement to outside edge of payment

Focus on Roadway Configuration Outside edge of pavement to outside edge of payment

Focus on Roadway Configuration Outside edge of pavement to outside edge of payment including median This will become the base from which the rest of the project will be designed and built in Phases 2 and 3. Three Items of

678 views • 52 slides
Supporting efforts that promote a just, equitable and sustainable society. WHY FOCUS ON FLINT?

Supporting efforts that promote a just, equitable and sustainable society. WHY FOCUS ON FLINT?

Supporting efforts that promote a just, equitable and sustainable society. WHY FOCUS ON FLINT? To give the bigger picture of Flints story To share what residents are saying To better understand challenges and efforts underway To

421 views • 20 slides
Enrollment Efforts 1 May 8, 2013 Agenda Living in a Digital World Specific Social

Enrollment Efforts 1 May 8, 2013 Agenda Living in a Digital World Specific Social

Using Social Media to Amplify Outreach and Enrollment Efforts 1 May 8, 2013 Agenda Living in a Digital World Specific Social Channels Facebook Twitter YouTube Tips on Engagement 2 Living In a Digital World The Evolution

586 views • 40 slides
MEDICATION USE IN ADULTS WITH ID/DD LIVING IN COMMUNITY HOMES AND STATE EFFORTS TO REDUCE OVERUSE

MEDICATION USE IN ADULTS WITH ID/DD LIVING IN COMMUNITY HOMES AND STATE EFFORTS TO REDUCE OVERUSE

MEDICATION USE IN ADULTS WITH ID/DD LIVING IN COMMUNITY HOMES AND STATE EFFORTS TO REDUCE OVERUSE VALERIE BRADLEY AND DOROTHY HIERSTEINER, HSRI GAIL GROSSMAN, MASSACHUSETTS DEPARTMENT OF DEVELOPMENTAL SERVICES EMILY LAUER, SHRIVER CENTER

715 views • 50 slides
Micr croelimination Up Update Efforts to Eliminate HCV among People Living with HIV in San

Micr croelimination Up Update Efforts to Eliminate HCV among People Living with HIV in San

Micr croelimination Up Update Efforts to Eliminate HCV among People Living with HIV in San Francisco Progress as of June 2020 Katie Burk Chris Toomey Jordan Akerly What do we mean when we say micro- elimination? A micro-elimination

176 views • 16 slides
Example: bank and its A TM mac hines. 4. Supp orts secure, atomic access to

Example: bank and its A TM mac hines. 4. Supp orts secure, atomic access to

What is a Database Managemen t System? 1. Manages v ery large amoun ts of data. 2. Supp orts ecien t access to v ery large amoun ts of data. 3. Supp orts concurren t access to v.l.a.d. Example: bank

393 views • 14 slides
LIVING ON THE EDGE: Americas low-earning families Sophia Parker If you work

LIVING ON THE EDGE: Americas low-earning families Sophia Parker If you work

LIVING ON THE EDGE: Americas low-earning families Sophia Parker If you work 40 hours a week and youve got a child in the house, you will no longer be

325 views • 6 slides
Living on the Edge Phase Transitions in Convex Programs with Random Data Joel A. Tropp

Living on the Edge Phase Transitions in Convex Programs with Random Data Joel A. Tropp

Living on the Edge Phase Transitions in Convex Programs with Random Data Joel A. Tropp Michael B. McCoy Computing + Mathematical Sciences California Institute of Technology Joint with Dennis Amelunxen and Martin Lotz (Manchester)

494 views • 36 slides
A 5G Convergent Virtualized Radio Access Network Living at the Edge Alain Mourad 1 , Antonio De La

A 5G Convergent Virtualized Radio Access Network Living at the Edge Alain Mourad 1 , Antonio De La

A 5G Convergent Virtualized Radio Access Network Living at the Edge Alain Mourad 1 , Antonio De La Oliva 2 , Shahzoob Bilal 3 1 InterDigital Europe Ltd, 2 University Carlos III of Madrid, 3 ITRI 5G-CORAL in a Nutshell 2 A joint EU-Taiwan bid to

432 views • 24 slides
Setting the Stage on Diabetes Prevention & Interventions in Iowa: A Focus on Efforts in the

Setting the Stage on Diabetes Prevention & Interventions in Iowa: A Focus on Efforts in the

Setting the Stage on Diabetes Prevention & Interventions in Iowa: A Focus on Efforts in the Workplace Dr. Paul Mulhausen, MD, MHS, FACP, Chief Medical Officer and Ami Bolles, Strategic Account Manager Iowa Statistics 2 Diabetes

609 views • 30 slides
Research Continuity Goals Focus your planning efforts Thinking inward rather than just

Research Continuity Goals Focus your planning efforts Thinking inward rather than just

Research Continuity Goals Focus your planning efforts Thinking inward rather than just externally about continuity Clarity to your roles and responsibilities in a continuity incident Build a culture of continuity Building

401 views • 17 slides
Teaching Continuity Goals Focus your planning efforts Thinking inward rather than just

Teaching Continuity Goals Focus your planning efforts Thinking inward rather than just

Teaching Continuity Goals Focus your planning efforts Thinking inward rather than just externally about continuity Clarity to your roles and responsibilities in a continuity incident Build a culture of continuity Building

410 views • 21 slides
DPPL's 2018-2021 Strategic Plan Why Do We Have A Strategic Plan? To focus our efforts and

DPPL's 2018-2021 Strategic Plan Why Do We Have A Strategic Plan? To focus our efforts and

DPPL's 2018-2021 Strategic Plan Why Do We Have A Strategic Plan? To focus our efforts and spending. So Staff and Board are aligned. To measure, evaluate and report. Who Participated? Wh D W H What was the process? What Was the

598 views • 29 slides
Living on the Edge: Safe Search with Unsafe Heuristics Erez Karpas Carmel Domshlak Faculty of

Living on the Edge: Safe Search with Unsafe Heuristics Erez Karpas Carmel Domshlak Faculty of

Safeness of Heuristics Path Dependent Heuristics Unjustified Actions The Connection More than a Pruning Mechanism Experimental Evaluation Living on the Edge: Safe Search with Unsafe Heuristics Erez Karpas Carmel Domshlak Faculty of

706 views • 37 slides
CS 356: Computer Network Architectures Lecture 9: The Internet Protocol (IP) Ch 3.2 Xiaowei

CS 356: Computer Network Architectures Lecture 9: The Internet Protocol (IP) Ch 3.2 Xiaowei

CS 356: Computer Network Architectures Lecture 9: The Internet Protocol (IP) Ch 3.2 Xiaowei Yang xwy@cs.duke.edu Overview History of IP IP header format IP addressing IP forwarding Forwarding algorithm Fragmentation

882 views • 57 slides
Introduction to exterior routing S-38.2121 / Fall-2006 / RKa, NB CIDR-1 Autonomous Systems

Introduction to exterior routing S-38.2121 / Fall-2006 / RKa, NB CIDR-1 Autonomous Systems

Introduction to exterior routing S-38.2121 / Fall-2006 / RKa, NB CIDR-1 Autonomous Systems An Autonomous System (AS) is a part of the Internet owned by a single organization. In an AS, usually one interior routing protocol is used

471 views • 10 slides
Linux Performance 2018 Brendan Gregg Senior Performance Architect Apr 2018

Linux Performance 2018 Brendan Gregg Senior Performance Architect Apr 2018

Linux Performance 2018 Brendan Gregg Senior Performance Architect Apr 2018 h1p://neuling.org/linux-next-size.html Post frequency: 4 per year h1ps://kernelnewbies.org/Linux_4.15 h1ps://lwn.net/Kernel/ 4 per week LKML 400 per day

468 views • 19 slides
IPv4 Run-Out And the consequences Alex Semenyaka | UADOM, Kyiv | 6 December 2019 Timeline

IPv4 Run-Out And the consequences Alex Semenyaka | UADOM, Kyiv | 6 December 2019 Timeline

IPv4 Run-Out And the consequences Alex Semenyaka | UADOM, Kyiv | 6 December 2019 Timeline 2011 IANA ran-out of /8s 15 Sept 2012 RIPE NCC: exhaustion - final /22 per member 17 April 2018 RIPE NCC: final 185/8 block depleted 25

1.37k views • 15 slides
From IPv4 to eternity The High Energy Physics transition to IPv6 David Kelsey EGI

From IPv4 to eternity The High Energy Physics transition to IPv6 David Kelsey EGI

From IPv4 to eternity The High Energy Physics transition to IPv6 David Kelsey EGI Community Forum, Munich 30 March 2012 On behalf of my co-authors Bob Cowles (SLAC), Phil DeMar (FNAL), Marek Elias (FZU), Thomas Finnern (DESY), David

507 views • 29 slides
Linux Performance 2018 Brendan Gregg Senior Performance Architect

Linux Performance 2018 Brendan Gregg Senior Performance Architect

Linux Performance 2018 Brendan Gregg Senior Performance Architect http://neuling.org/linux-next-size.html Post frequency: 4 per year https://kernelnewbies.org/Linux_4.15 https://lwn.net/Kernel/ 4 per week LKML 400 per day

473 views • 19 slides
CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens

CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens

CS615 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens.edu

1.19k views • 62 slides
Lecture 8: Internetworking, Naming CSE 123: Computer Networks Chris Kanich Project 1 due 11:59pm

Lecture 8: Internetworking, Naming CSE 123: Computer Networks Chris Kanich Project 1 due 11:59pm

Lecture 8: Internetworking, Naming CSE 123: Computer Networks Chris Kanich Project 1 due 11:59pm tonight Lecture 8 Overview Finish up IP Fragmentation, Route Aggregation CIDR Packet forwarding example User-friendly names (DNS)

760 views • 16 slides

More recommend