rollover and die
play

Rollover and Die? George Michaelson, APNIC Geoff Huston, APNIC - PowerPoint PPT Presentation

May 08, 2023 •340 likes •951 views

Rollover and Die? George Michaelson, APNIC Geoff Huston, APNIC Patrik Wallstrm, IIS Roy Arends, Nominet UK 1 Were under attack!!! On the 16th of december, traffic more than doubled 2 DNSKEY amplification attack 3 DNSKEY response size

  1. Rollover and Die? George Michaelson, APNIC Geoff Huston, APNIC Patrik Wallström, IIS Roy Arends, Nominet UK 1

  2. We’re under attack!!! On the 16th of december, traffic more than doubled 2

  3. DNSKEY amplification attack 3

  4. DNSKEY response size Response size: 990 Bytes Query rate: 2000 qps 15.8 Mbps Additional load 4

  5. Who does this? 5

  6. Who does this? 5

  7. What was special about the 16th? 6

  8. What was special about the 16th? 7

  9. Hanlon’s razor Never attribute to malice that which can be explained by stupidity. 8

  10. Why so many clients? • Fedora bug report 17th Jan 2010 – (1 month after the roll) • operator reports getting 240.000 log entries in 24hr – “no valid key” • dnssec-conf tool contained a hard-configured trust anchor file – obsolete after the 16th. 9

  11. What was special about the 16th? 10

  12. What was special about the 16th? what a great lesson Randy Bush’s response 10

  13. Current load for in-addr.arpa getting better, below 1000 qps right now But decline not fast enough before new roll 11

  14. The Load Projection 12

  15. The Load Projection remove 12

  16. The Load Projection remove remove 12

  17. The Load Projection add remove remove 12

  18. Was this a one off event? Sweden, june 2009 13

  19. Was this a one off event? Sweden, june 2008 14

  20. Was this a one off event? 1st resolver fix Sweden, june 2008 14

  21. Was this a one off event? 1st resolver fix 2nd resolver fix Sweden, june 2008 14

  22. Why so many Queries? • Resolvers are supposed to cache dnskey • Even when those are bad • Resolvers should be nice, not aggressive • So many resolvers, so few servers 15

  23. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: 16

  24. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: root TA 16

  25. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: www.dnssec.se root A SIG TA 16

  26. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se root A SIG KEY TA 16

  27. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root A SIG KEY DS TA 16

  28. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root A SIG KEY DS KEY TA 16

  29. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS TA 16

  30. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 16

  31. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 16

  32. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 3 3 13 13 20 20 16

  33. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 3 3 13 13 20 20 16

  34. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 3 3 13 13 20 20 3 * 3 * 13 * 13 * 20 * 20 = 608400 queries 16

  35. ISC • Reported the depth first search bug on februari 8th 17

  36. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. 17

  37. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. • released BIND 9.7.0 with bug – first version that can validate the root – “Exercise caution”, ignores the lame DS issue 17

  38. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. • released BIND 9.7.0 with bug – first version that can validate the root – “Exercise caution”, ignores the lame DS issue • released BIND 9.6.2 with bug – root-validation back ported, no 5011 • tick tock 17

  39. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. • released BIND 9.7.0 with bug – first version that can validate the root – “Exercise caution”, ignores the lame DS issue • released BIND 9.6.2 with bug – root-validation back ported, no 5011 • tick tock • Announced a patch as soon as possible. – still waiting – folks are deploying 9.7.0 and 9.6.2 right now 17

  40. The Perfect Storm • DNSSEC deployment at root (DURZ) – guess what: lame trust-anchor, don’t configure 18

  41. The Perfect Storm • DNSSEC deployment at root (DURZ) – guess what: lame trust-anchor, don’t configure 18

  42. The Perfect Storm 19

  43. The Perfect Storm • No automatic trust anchor roll (5011) – 9.7.0 implementation is buggy • promised fix in 9.7.1 – 9.6.2 not planned 19

  44. The Perfect Storm • No automatic trust anchor roll (5011) – 9.7.0 implementation is buggy • promised fix in 9.7.1 – 9.6.2 not planned • DLV mishaps: – DLV registry promiscuously scrapes TLD keys • Just another chain of trust – .PR rolled its key • was unavailable to DLV users for days • caused a major packet storm 19

  45. The Perfect Storm • Multiple trust anchor problem – TLD Trust Anchors trump Root Trust Anchor • stale TLD Trust Anchor trumps valid Root Trust Anchor 20

  46. The Perfect Storm • Multiple trust anchor problem – TLD Trust Anchors trump Root Trust Anchor • stale TLD Trust Anchor trumps valid Root Trust Anchor • Doom scenario: – TLD registers DS in root – new policy: don’t announce rolls, depend on root • That is the way NS records works as well – Operators won’t update TLD trust anchor anymore • Why would they, they’ve configured root trust-anchor 20

  47. A Series Of Unfortunate Events 21

  48. A Series Of Unfortunate Events • buggy software 21

  49. A Series Of Unfortunate Events • buggy software • DNSSEC @ root 21

  50. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem 21

  51. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem • no 5011 deployment 21

  52. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem • no 5011 deployment • opportunistic DLV scraping 21

  53. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem • no 5011 deployment • opportunistic DLV scraping • Frequent Rollover Syndrome – rolling rolling rolling, keep them DNSKEYs rolling. 21

  54. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly 22

  55. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly • Advice is completely misguided: – too many sigs do not leak the key. – Intention is to mitigate a compromised key fallout – but there is no perfect forward security 22

  56. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly • Advice is completely misguided: – too many sigs do not leak the key. – Intention is to mitigate a compromised key fallout – but there is no perfect forward security • If a key can be compromised in 1 year, it can be compromised in 6 months for twice the cost 22

  57. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly • Advice is completely misguided: – too many sigs do not leak the key. – Intention is to mitigate a compromised key fallout – but there is no perfect forward security • If a key can be compromised in 1 year, it can be compromised in 6 months for twice the cost • Other reasons: educate operators, exercise procedures – all irrelevant, never mess with a critical production system 22

  58. Solution • Fix the buggy software already – stop releasing versions that have problems – (Help fund BIND-10) • Don’t roll keys (too often) – be practical • Do not endorse configuration of trust-anchors when parent is signed. – no 5011, no web-page with listed keys, no DLV, no ITAR – Manage all through a signed parent. • When parent is not signed: – Use proper 5011. Use ISC’s DLV.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides a superior product, and 3. much less expensive 3 Student Rollover So, Im wondering why are we still using these? NEW SLIDE 1. Hard to use,

734 views • 22 slides
Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Donald Friedman Susie Bozzini Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries occur in pre roll crash events, limiting the likelihood that ESC will be as effective as predicted, emphasizing occupant

757 views • 62 slides
Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN FOSDEM 2019 3 February 2019 | 1 The KSK rollover has happened! The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018

434 views • 24 slides
The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land Commissioner Rollover Pass, Galveston County Project Site Rollover Pass, Galveston County GIWW Rollover Pass Rollover Pass, Galveston County History:

231 views • 10 slides
KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root

558 views • 13 slides
MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went off the edge of the road No injuries What was spilled? Fuel Engine oil Contributing Factors to Rollover Poor visibility Dark

75 views • 5 slides
Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston ) Key Rollover Document New doc: draC-huston-sidr-aao-profile-0-

494 views • 14 slides
Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The

Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The

Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The George Washington University SAE Paper 2007-01-0875 Research Questions What rollover crash factors influence the fire rate? Vehicle class

741 views • 35 slides
QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of

QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of

QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of $1.22 per QMS share held on the Scheme Record Date. Rollover Shareholders will receive a mixture of consideration of cash and shares in Shelley

402 views • 7 slides
Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side Rear Other 39% N=32,335 Source: 2002 FARS Side-impact Crashes (non-rollover) by Crash Partner Passenger Cars Other 19% 21% Narrow Objects

708 views • 4 slides
Monetary independence and rollover crises Javier Bianchi (Federal Reserve Bank of Minneapolis &

Monetary independence and rollover crises Javier Bianchi (Federal Reserve Bank of Minneapolis &

Monetary independence and rollover crises Javier Bianchi (Federal Reserve Bank of Minneapolis & NBER) Jorge Mondragon (University of Minnesota) NBER Summer Institute Eurozone Debt Crisis Concerns about rollover crises and sovereign

878 views • 85 slides
Structuring and Negotiating Rollover Equity Interests in Private

Structuring and Negotiating Rollover Equity Interests in Private

Structuring and Negotiating Rollover Equity Interests in Private Equity Transactions September 13, 2016 Saul E. Rudo Steve Jarmel Katten Muchin Rosenman LLP Periscope

382 views • 14 slides
Key rollover @RIPE NCC draft-ietf-sidr-res-certs-18#section-8 draft-huston-sidr-keyroll-00.txt

Key rollover @RIPE NCC draft-ietf-sidr-res-certs-18#section-8 draft-huston-sidr-keyroll-00.txt

RIPE Network Coordination Centre Key rollover @RIPE NCC draft-ietf-sidr-res-certs-18#section-8 draft-huston-sidr-keyroll-00.txt Tim Bruijnzeels IETF78 http://www.ripe.net 1 RIPE Network Coordination Centre Before rollover CA Issuer: TA

258 views • 13 slides
QMS Shareholders (other than Rollover Shareholders, who will receive a mixed consideration

QMS Shareholders (other than Rollover Shareholders, who will receive a mixed consideration

QMS Shareholders (other than Rollover Shareholders, who will receive a mixed consideration alternative) will receive total cash consideration of $1.22 per QMS share held on the Scheme Record Date. Scheme must be approved at this General Scheme

579 views • 9 slides
2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @

Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @

Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @ ICANN.ORG Changed-by: carlos @ lacnic.net LACNIC 27 Foz do Iguassu 1 Agenda What is the problem here ? Some tools to check operation

240 views • 23 slides
Forecast Positions Description Allows the user to add a new position to a course or a meet.

Forecast Positions Description Allows the user to add a new position to a course or a meet.

Forecast Positions Description Allows the user to add a new position to a course or a meet. ADDING A POSITION TO A COURSE OR MEET a. In ARMS, click the TASK TAB menu link to bring up the ARM TASK VIEW page. b. From the ARM Task View Page

418 views • 8 slides
Bridging the Finance and Valuation Gap Negotiating and Structuring Rollovers; Tax Considerations

Bridging the Finance and Valuation Gap Negotiating and Structuring Rollovers; Tax Considerations

Presenting a live 90-minute webinar with interactive Q&A Equity Rollovers in M&A: Bridging the Finance and Valuation Gap Negotiating and Structuring Rollovers; Tax Considerations for Buyers and Sellers WEDNESDAY, JUNE 7, 2017 1pm

657 views • 39 slides
Recommendation FY 2012 through FY 2014 1 FY 2013 Executive Recommendation Economy/Revenues

Recommendation FY 2012 through FY 2014 1 FY 2013 Executive Recommendation Economy/Revenues

The Executive Budget Recommendation FY 2012 through FY 2014 1 FY 2013 Executive Recommendation Economy/Revenues Budget Principles Budget Summary The Plan Good Government Public Safety Education Health &

737 views • 70 slides
Truck Rollovers Michael Campbell BFO Policy & Research Analyst Ontario Cattle Emergency

Truck Rollovers Michael Campbell BFO Policy & Research Analyst Ontario Cattle Emergency

Managing Cattle Transport Truck Rollovers Michael Campbell BFO Policy & Research Analyst Ontario Cattle Emergency Network Preface Over 3500 livestock trucks travel from Manitoba across Northern Ontario Many more truckloads move

436 views • 30 slides
Terms and Conditions TC-20 Tariff Proceeding Customer Workshop 8/21/18 Pre-Decisional. For

Terms and Conditions TC-20 Tariff Proceeding Customer Workshop 8/21/18 Pre-Decisional. For

Terms and Conditions TC-20 Tariff Proceeding Customer Workshop 8/21/18 Pre-Decisional. For Discussion Purposes Only. Agenda TIME TOPIC PRESENTERS 9:00 - 9:05 AM Agenda Review & Safety Rachel Dibble Michelle Cathcart, Michelle Manary

1.57k views • 88 slides
Gasoline Tanker Rollover May 12, 2009

Gasoline Tanker Rollover May 12, 2009

Gasoline Tanker Rollover May 12, 2009

205 views • 9 slides
Preliminary 2017 2018 School Budget Adopted by the Board of Education November 8, 2016

Preliminary 2017 2018 School Budget Adopted by the Board of Education November 8, 2016

Preliminary 2017 2018 School Budget Adopted by the Board of Education November 8, 2016 HASTINGS-ON-HUDSON UNION FREE SCHOOL DISTRICT BOARD OF EDUCATION CALENDAR FOR 2017-2018 BUDGET DATE ACTIVITY 2016 November 8, Tuesday Budget calendar

582 views • 27 slides
Operations Program (LCTOP) OFFICE OF STATE PROGRAMS AND POLICY DIVISION OF RAIL AND MASS

Operations Program (LCTOP) OFFICE OF STATE PROGRAMS AND POLICY DIVISION OF RAIL AND MASS

Low Carbon Transit Operations Program (LCTOP) OFFICE OF STATE PROGRAMS AND POLICY DIVISION OF RAIL AND MASS TRANSPORTATION DEPARTMENT OF TRANSPORTATION Presentation Overview Program History FY 16/17 Guideline Updates Update

424 views • 23 slides

More recommend