
The Great DNSSEC Quiz (no DNS records were harmed during the making of this quiz)



  1. The Great DNSSEC Quiz (no DNS records were harmed during the making of this quiz)

  2. The rules
     • Use the form to answer your questions
     • Put your name on the form
     • When done answering, hand the form to your neighbour
     • Evaluate your neighbour's answers
     • Count the points

  3. Root Hints
     • Sometimes more answers are correct (like A records)
     • A point is scored for each correct answer
     • No points are scored for the entire question if it contains a single wrong answer (like lame delegations)

  4. Five Stone handicap criteria
     You start with a handicap of -1 point for each of these criteria you match:
     • You are subscribed to the dnsop@ietf.org mailing list
     • You have or had an icann.org email address
     • You have root access to a TLD nameserver
     • You are a listed author on a DNS RFC
     • You have used the nslookup or host command in the last five years

  5. 1: The confidence builder
     Which of the following are true?
     A) The KEY, SIG and DEL RRTYPE were replaced by DNSKEY, RRSIG and the DS RRTYPE
     B) Many countries have legal requirements that require DNSSEC to always use RFC-5155 opt-out
     C) dig, drill, unbind, bound, delve and knot are names of open source DNS software
     D) Every key with the SEP bit set in a valid trust chain must have a corresponding DS record published.

  6. 2: Don't fail me now
     Which of the following situations could lead to a DNSSEC validation failure?
     A) Expired RRSIG records
     B) A melted HSM card
     C) RRSIGs only valid starting in an hour
     D) Disk full on the DNSSEC signer machine
     E) A cable cut causing identical backup DNS servers to take over DNS resolution

  7. 3: Continental
     Which were the first DNSSEC signed countries on each continent, as per Wikipedia [citation needed]: Asia, Africa, North America, South America, Antarctica, Europe and Australia?
     A) Sri Lanka, Niger, United States, none, The Netherlands and Australia
     B) Turkmenistan, Namibia, Czech Republic, Brazil, none and New Zealand
     C) Thailand, Namibia, Puerto Rico, Brazil, none, Sweden and New Zealand
     D) Sweden, Mexico, Japan, Australia, United States, Antarctica and Australia

  8. 4: Rollin' rollin' rollin'... rawhide!
     How many times has the Root KSK visibly changed (excluding TTL changes)?
     A) Never
     B) Once
     C) Twice
     D) Thrice

  9. 5: The midway question
     Which of these TLDs was signed before the root, but is no longer a signed TLD?
     A) .test
     B) .um
     C) .example
     D) .aq
     E) e164.arpa

  10. 6: I have no glue
      When deleting a delegation from a zone, what should be done with its glue records?
      A) Remove the glue, if not used by any other zones
      B) Remove the glue, regardless of other zones
      C) Keep the glue, do not sign it
      D) Keep the glue, sign it

  11. 7: Random Effect
      Did the well-known OpenSSL random "Debian bug" impact DNSSEC?
      A) No, because DNSSEC signed zones are served statically
      B) Yes, and various TLDs had to perform emergency rollovers
      C) No, because OpenDNSSEC and BIND do not use OpenSSL to generate keys
      D) Yes, about 65 vulnerable keys were found but none in TLDs

  12. 8: Dutch DNS Dynamics
      What was the .nl.nl zone?
      A) The first DNSSEC TLD zone
      B) A missing dot leading to a large DNS outage, often blamed on DNSSEC.
      C) An early experiment that took the .nl domain and republished it using DNSSEC.
      D) An active delegated zone owned by Olaf Kolkman used for IETF DNSSEC experiments

  13. 9: DNSKEY support
      Which one of these DNSKEYs will work best on resolvers throughout the world?
      A) IN DNSKEY 257 3 13 AwEAAZyIkCwEYe [...]
      B) IN DNSKEY 385 3 8 AwEAAdZSHCrd7R [...]
      C) IN DNSKEY 257 3 8 AwEAAZyIkCwEYe [...]
      D) IN DNSKEY 257 3 8 BQEAAAABnjAVd4 [...]
      E) IN DNSKEY 257 3 12 AwEAAZyIkCwEYe [...]

  14. 10: For the high rollers
      Which TLDs were signed before the root was signed?

  15. 10: For the high rollers
      Which TLDs were signed before the root was signed? (yeah yeah - DURZ does not count as signed)

  16. this slide left mostly blank intentionally


  20. 4: Rollin' rollin' rollin'... rawhide!
      How many times has the Root KSK visibly changed (excluding TTL changes)?
      A) Never
      B) Once
      C) Twice
      D) Thrice
      - KSK first published as DURZ on Dec 1, 2009
      - June 10, 2010: brief DURZ leak
        • DURZ --1--> KSK --2--> DURZ
      - July 15, 2010: KSK goes live
        • DURZ --3--> 19036

  21. 5: The midway question
      Which of these TLDs was signed before the root, but is no longer a signed TLD?
      A) .test
      B) .um - The United States Minor Outlying Islands (AKA “midway”) no longer exists
      C) .example
      D) .aq
      E) e164.arpa


  26. 10: For the high rollers
      Which TLDs were signed before the root was signed? (remember: a wrong country means 0 points)
      .SE .BR .CZ .MUSEUM .GOV .TH .ORG .NA .PTR .CH .LI .TM .US .PT .LK .UK .ARPA .KG .PM .EU .CAT
      .CL (same day, will give benefit of doubt)

  27. Scoring
      -5 to 0: DNSSEC Skeptic
      1 to 4: Hedonist
      5 to 8: DNSSEC Fan
      9 to 10: DNSSEC User
      11 to 14: DNSSEC Enthusiast
      15 to 19: DNSSEC Expert
      20 to 29: DNSSEC Historian
      30 to 32: DNSSEC Ninja
      32 to 37: DNSSEC Procrastinator
