The Great DNSSEC Quiz (no DNS records were harmed during the making - - PowerPoint PPT Presentation

SLIDE 1

The Great DNSSEC Quiz

(no DNS records were harmed during the making of this quiz)

SLIDE 2

The rules

  • Use the form to answer your questions
  • Put your name on the form
  • When done answering, hand the form to your neighbour
  • Evaluate your neighbour's answers
  • Count the points
SLIDE 3

Root Hints

  • Sometimes more answers are correct (like A records)
  • A point is scored for each correct answer
  • No points are scored for the entire question if it contains a single wrong answer (like lame delegations)

SLIDE 4

Five Stone handicap criteria

You start with a handicap of -1 point for each of these criteria you match:

  • You are subscribed to the dnsop@ietf.org mailing list
  • You have or had an icann.org email address
  • You have root access to a TLD nameserver
  • You are a listed author on a DNS RFC
  • You have used the nslookup or host command in the last five years

SLIDE 5

1: The confidence builder

Which of the following are true?

A) The KEY, SIG and DEL RRTYPE were replaced by DNSKEY, RRSIG and the DS RRTYPE
B) Many countries have legal requirements that require DNSSEC to always use RFC-5155 opt-out
C) dig, drill, unbind, bound, delve and knot are names of opensource DNS software
D) Every key with the SEP bit set in a valid trust chain must have a corresponding DS record published.

SLIDE 6

2: Don't fail me now

Which of the following situations could lead to a DNSSEC validation failure?

A) Expired RRSIG records
B) A melted HSM card
C) RRSIGs only valid starting in an hour
D) Disk full on the DNSSEC signer machine
E) A cable cut causing identical backup DNS servers to take over DNS resolution

SLIDE 7

3: Continental

Which were the first DNSSEC signed countries on each continent? As per Wikipedia [citation needed]: Asia, Africa, North America, South America, Antarctica, Europe and Australia

A) Sri Lanka, Niger, United States, none, The Netherlands and Australia
B) Turkmenistan, Namibia, Czech Republic, Brazil, none and New Zealand
C) Thailand, Namibia, Puerto Rico, Brazil, none, Sweden and New Zealand
D) Sweden, Mexico, Japan, Australia, United States, Antarctica and Australia

SLIDE 8

4: Rollin' rollin' rollin'... rawhide!

How many times has the Root KSK visibly changed (excluding TTL changes)?

A) Never
B) Once
C) Twice
D) Thrice

SLIDE 9

5: The midway question

Which of these TLDs was signed before the root, but is no longer a signed TLD?

A) .test
B) .um
C) .example
D) .aq
E) e164.arpa

SLIDE 10

6: I have no glue

When deleting a delegation from a zone, what should be done with its glue records?

A) Remove the glue, if not used by any other zones
B) Remove the glue, regardless of other zones
C) Keep the glue, do not sign it
D) Keep the glue, sign it

SLIDE 11

7: Random Effect

Did the well-known openssl random "Debian bug" impact DNSSEC?

A) No, because DNSSEC signed zones are served statically
B) Yes, and various TLDs had to perform emergency rollovers
C) No, because OpenDNSSEC and Bind do not use openssl to generate keys
D) Yes, about 65 vulnerable keys were found but none in TLDs

SLIDE 12

8: Dutch DNS Dynamics

What was the .nl.nl zone?

A) The first DNSSEC TLD zone
B) A missing dot leading to a large DNS outage, often blamed on DNSSEC.
C) An early experiment that took the .nl domain and republished it using DNSSEC.
D) An active delegated zone owned by Olaf Kolkman used for IETF DNSSEC experiments

SLIDE 13

9: DNSKEY support

Which one of these DNSKEYs will work best on resolvers throughout the world?

A) IN DNSKEY 257 3 13 AwEAAZyIkCwEYe [...]
B) IN DNSKEY 385 3 8 AwEAAdZSHCrd7R [...]
C) IN DNSKEY 257 3 8 AwEAAZyIkCwEYe [...]
D) IN DNSKEY 257 3 8 BQEAAAABnjAVd4 [...]
E) IN DNSKEY 257 3 12 AwEAAZyIkCwEYe [...]

SLIDE 14

10: For the high rollers

Which TLDs were signed before the root was signed?

SLIDE 15

10: For the high rollers

Which TLDs were signed before the root was signed? (yeah yeah - DURZ does not count as signed)

SLIDE 16

this slide left mostly blank intentionally

SLIDE 17

1: The confidence builder

Which of the following are true?

A) The KEY, SIG and DEL RRTYPE were replaced by DNSKEY, RRSIG and the DS RRTYPE
B) Many countries have legal requirements that require DNSSEC to always use RFC-5155 opt-out
C) dig, drill, unbind, bound, delve and knot are names of opensource DNS software
D) Every key with the SEP bit set in a valid trust chain must have a corresponding DS record published.

SLIDE 18

2: Don't fail me now

Which of the following situations could lead to a DNSSEC validation failure?

A) Expired RRSIG records
B) A melted HSM card
C) RRSIGs only valid starting in an hour
D) Disk full on the DNSSEC signer machine
E) A cable cut causing identical backup DNS servers to take over DNS resolution

SLIDE 19

3: Continental

Which were the first DNSSEC signed countries on each continent? As per Wikipedia [citation needed]: Asia, Africa, North America, South America, Antarctica, Europe and Australia

A) Sri Lanka, Niger, United States, none, The Netherlands and Australia
B) Turkmenistan, Namibia, Czech Republic, Brazil, none and New Zealand
C) Thailand, Namibia, Puerto Rico, Brazil, none, Sweden and New Zealand
D) Sweden, Mexico, Japan, Australia, United States, Antarctica and Australia

SLIDE 20

4: Rollin' rollin' rollin'... rawhide!

How many times has the Root KSK visibly changed (excluding TTL changes)?

A) Never
B) Once
C) Twice
D) Thrice

  • KSK first published as DURZ on Dec 1, 2009
  • June 10, 2010 brief DURZ leak
  • DURZ --1--> KSK --2--> DURZ
  • July 15, 2010 KSK goes live,
  • DURZ --3--> 19036
SLIDE 21

5: The midway question

Which of these TLDs was signed before the root, but is no longer a signed TLD?

A) .test
B) .um
   The United States Minor Outlying Islands (AKA “midway”) no longer exists
C) .example
D) .aq
E) e164.arpa

SLIDE 22

6: I have no glue

When deleting a delegation from a zone, what should be done with its glue records?

A) Remove the glue, if not used by any other zones
B) Remove the glue, regardless of other zones
C) Keep the glue, do not sign it
D) Keep the glue, sign it

SLIDE 23

7: Random Effect

Did the well-known openssl random "Debian bug" impact DNSSEC?

A) No, because DNSSEC signed zones are served statically
B) Yes, and various TLDs had to perform emergency rollovers
C) No, because OpenDNSSEC and Bind do not use openssl to generate keys
D) Yes, about 65 vulnerable keys were found but none in TLDs

SLIDE 24

8: Dutch DNS Dynamics

What was the .nl.nl zone?

A) The first DNSSEC TLD zone
B) A missing dot leading to a large DNS outage, often blamed on DNSSEC.
C) An early experiment that took the .nl domain and republished it using DNSSEC.
D) An active delegated zone owned by Olaf Kolkman used for IETF DNSSEC experiments

SLIDE 25

9: DNSKEY support

Which one of these DNSKEYs will work best on resolvers throughout the world?

A) IN DNSKEY 257 3 13 AwEAAZyIkCwEYe [...]
B) IN DNSKEY 385 3 8 AwEAAdZSHCrd7R [...]
C) IN DNSKEY 257 3 8 AwEAAZyIkCwEYe [...]
D) IN DNSKEY 257 3 8 BQEAAAABnjAVd4 [...]
E) IN DNSKEY 257 3 12 AwEAAZyIkCwEYe [...]

SLIDE 26

10: For the high rollers

Which TLDs were signed before the root was signed? (remember: a wrong country means 0 points)

.SE .BR .CZ .MUSEUM .GOV .TH .ORG .NA .PTR .CH .LI .TM .US .PT .LK .UK .ARPA .KG .PM .EU .CAT
.CL (same day, will give benefit of doubt)

SLIDE 27

Scoring

  -5 to 0    DNSSEC Skeptic
  1 to 4     Hedonist
  5 to 8     DNSSEC Fan
  9 to 10    DNSSEC User
  11 to 14   DNSSEC Enthusiast
  15 to 19   DNSSEC Expert
  20 to 29   DNSSEC Historian
  30 to 32   DNSSEC Ninja
  32 to 37   DNSSEC Procrastinator