the importance of being an earnest stub
play

The Importance of Being an Earnest stub Challenges and solution for - PowerPoint PPT Presentation

Sep 11, 2022 •131 likes •597 views

The Importance of Being an Earnest stub Challenges and solution for the versatile stub Willem Toorop 13 May 2017 OARC 26 (Madrid) From the ground-up security Authoritative . Authoritative net dns-oarc.net A dns-oarc.net A Recursive

  1. The Importance of Being an Earnest stub Challenges and solution for the versatile stub Willem Toorop 13 May 2017 OARC 26 (Madrid)

  2. From the ground-up security Authoritative . Authoritative net dns-oarc.net A dns-oarc.net A Recursive Authoritative resolver dns-oarc.net ← Browser 64.191.0.198 (application) WebSrv → → https stub OS ● Every “secure” connection is preceded by a DNS lookup ● The stub does the lookup at the request of the application The recursive resolver does all the heavy lifting Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 2/45

  3. From the ground-up security Authoritative . t e n . c r a 1 o . - 6 s . n 6 d . Authoritative 6 = net dns-oarc.net A dns-oarc.net A Validation Authoritative Recursive dns-oarc.net resolver ← Browser 64.191.0.198 (application) WebSrv → → https stub OS ● DNSSEC protects against cache poisoning Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 3/45

  4. From the ground-up security Authoritative . ← 6.6.6.1 Authoritative dns-oarc.net A? net Validation Authoritative Recursive dns-oarc.net resolver Browser (application) WebSrv → http stub OS THE ● DNSSEC protects against cache poisoning FIRST/LAST ● But not against resolver hijacking MILE ( i.e. ARP or DHCP hijacking or routing tricks ) Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 4/45

  5. From the ground-up security Authoritative . Authoritative net dns-oarc.net DNSKEY DS A DNSSEC Aware Authoritative Recursive DNSKEY DS dns-oarc.net resolver net Browser DNSKEY (application) WebSrv · https stub OS THE ● DNSSEC protects against cache poisoning FIRST/LAST ● But not against resolver hijacking MILE ● One possibility: DNSSEC on the stub Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 5/45

  6. From the ground-up security/privacy Authoritative . Authoritative net dns-oarc.net A Validation Authoritative Recursive dns-oarc.net ← resolver 64.191.0.198 Browser → (application) WebSrv https stub OS THE ● DNSSEC protects against cache poisoning FIRST/LAST ● But not against resolver hijacking MILE ● Another possibility: DNS over TLS Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 6/45

  7. From the ground-up security/privacy Authoritative . Applies to DNS over TLS too Authoritative net dns-oarc.net A Validation Authoritative Recursive dns-oarc.net ← resolver 64.191.0.198 Browser → (application) WebSrv https https stub OS ● TLS hijacking? Is That Possible?! Durumeric, Zakir, et al. "The Security Impact of HTTPS Interception." ● Network and Distributed Systems Symposium (NDSS’17) . 2017. https://www.internetsociety.org/doc/security-impact-https-interception Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 7/45

  8. From the ground-up security/privacy ● Strengthen TLS security with the stub: DANE ( DNS-based Authentication of Named Entities ) ● Also signalling system for TLS support ( For application without user interaction ) Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 8/45

  9. From the ground-up security/privacy Authenticate DNS-over-TLS Authoritative with DANE? . Authoritative net dns-oarc.net A Validation Authoritative Recursive dns-oarc.net ← resolver 64.191.0.198 Browser → (application) WebSrv https stub OS ● Bootstrap the TLSA lookup with regular DNS? Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 9/45

  10. From the ground-up security/privacy Authenticate A DNS-over-TLS S L T _853._tcp.getdnsapi.net Authoritative with DANE? . Authoritative DNSSEC Aware getdnsapi.net S net D S Recursive D Y E Y K E S K N S resolver D net N Authoritative D Y E K Authoritative S dns-oarc.net N D · getdnsapi.net Browser dns-oarc.net A → Validation (application) WebSrv Recursive stub resolver ← 64.191.0.198 https OS ● Bootstrap the TLSA lookup with regular DNS? – Chicken and Egg problem Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 10/45

  11. From the ground-up security/privacy Authoritative . _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS Authoritative . DNSKEY RRSIGs net Authoritative Authoritative dns-oarc.net getdnsapi.net Browser dns-oarc.net A → Validation (application) WebSrv Recursive _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS . DNSKEY RRSIGs stub resolver ← 64.191.0.198 https OS ● Bootstrap the TLSA lookup with regular DNS? ● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 11/45

  12. From the ground-up security/privacy Authoritative . _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS Authoritative . DNSKEY RRSIGs net Authoritative Authoritative dns-oarc.net getdnsapi.net Browser dns-oarc.net A → Validation (application) WebSrv Recursive _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS . DNSKEY RRSIGs stub resolver ← 64.191.0.198 TLS DNSSEC https OS authentication chain ● Bootstrap the TLSA lookup with regular DNS? extension must be ● Have the TLSA record + the complete DNSSEC obligatory, to prevent the authentication chain embedded in a TLS extension “Too many CA’s” problem https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 12/45

  13. From the ground-up security/privacy DNS Privacy status DNSSEC Availability X Clear text DNS X Private DNS X Authenticated X Private DNS ● The stub is close to the application Inform status of DNSSEC and DNS Privacy Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 13/45

  14. From the ground-up security/privacy Authoritative . Authoritative Round-robin net Validation Recursive Validation Authoritative dns-oarc.net resolver Recursive Validation Browser resolver Recursive Validation (application) resolver WebSrv Recursive Validation stub resolver Recursive resolver OS ● Enhanced privacy by Bonus round-robining Feature upstreams Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 14/45

  15. From the ground-up Non address lookups security/privacy DNS over TLS DNSSEC ● Requirements for the versatile stub API Cross the first DNSSEC mile X From the ground up Privacy X Strengthened TLS authentication (DANE) X X Strengthened opportunistic TLS (DANE) X X Provide status of DNSSEC & DNS over TLS X Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 15/45

  16. From the ground-up Non address lookups security/privacy DNS over TLS DNSSEC ● Requirements for the versatile stub API Cross the first DNSSEC mile X From the ground up Privacy X Strengthened TLS authentication (DANE) X X Strengthened opportunistic TLS (DANE) X X Provide status of DNSSEC & DNS over TLS X Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 16/45

  17. DNSSEC Roadblocks Authoritative . Authoritative net dns-oarc.net DNSKEY DS A recu cursive ve Authoritative DNSKEY DS resolve ver dns-oarc.net net Browser DNSKEY (application) WebSrv · https stub OS ● Resolving DNSSEC (to cross the first mile) needs DNSSEC Aware recursive resolver Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 17/45

  18. DNSSEC Roadblocks Authoritative . Authoritative net recu cursive ve Authoritative resolve ver dns-oarc.net Browser (application) WebSrv https stub OS ● Resolving DNSSEC (to cross the first mile) needs DNSSEC Aware recursive resolver ● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 +Full recursion capability Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 18/45

  19. DNSSEC Roadblocks Authoritative . Does not apply to first-mile Does not apply to first-mile Authoritative crossed by DNS-over-TLS net crossed by DNS-over-TLS recu cursive ve Authoritative Authoritative resolve ver . dns-oarc.net _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS Browser net DNSKEY DS Authoritative . DNSKEY RRSIGs net (application) WebSrv Authoritative Authoritative https dns-oarc.net stub getdnsapi.net Browser dns-oarc.net A → Validation (application) Recursive WebSrv _853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS net DNSKEY DS . DNSKEY RRSIGs stub resolver OS ← 64.191.0.198 https OS ● Resolving DNSSEC (to cross the first mile) needs DNSSEC Aware recursive resolver ● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 +Full recursion capability Willem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 19/45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Importance of Being Earnest Emily Malterre Celena Marsters Mackenzie Willis Literary

The Importance of Being Earnest Emily Malterre Celena Marsters Mackenzie Willis Literary

The Importance of Being Earnest Emily Malterre Celena Marsters Mackenzie Willis Literary Devices Satire Epigram Symbolism of Food Satire: use of humor, irony, exaggeration, or ridicule to exploit vices in other characters or

423 views • 14 slides
The Importance of Being Earnest Oscar Fingal OFlahertie Wills Wilde Ernest st D., ., Ern

The Importance of Being Earnest Oscar Fingal OFlahertie Wills Wilde Ernest st D., ., Ern

The Importance of Being Earnest Oscar Fingal OFlahertie Wills Wilde Ernest st D., ., Ern rnest est E., ., Ern rnest est G., ., Ern rnest est H. H. Choices of the Author Dramatic matic Irony Chara ract cterizati

562 views • 18 slides
EARNEST Study Schools Workshop Paris, 11 February SUBJECTS 1 - CCEMS Short Presentation 2

EARNEST Study Schools Workshop Paris, 11 February SUBJECTS 1 - CCEMS Short Presentation 2

EARNEST Study Schools W orkshop 10-11 February 2007 La Maison Internationale, Paris, France W hat are the infrastructure and service needs of schools? 1 4 :2 0 1 4 :4 0 h Marco Neves ( m neves@ccem s.pt) EARNEST Study Schools Workshop

201 views • 18 slides
SUSAN EARNEST PROFESSIONAL, EXPERIENCED, TRUSTWORTHY Licensed for 20 Years 310.245.1279 |

SUSAN EARNEST PROFESSIONAL, EXPERIENCED, TRUSTWORTHY Licensed for 20 Years 310.245.1279 |

SUSAN EARNEST PROFESSIONAL, EXPERIENCED, TRUSTWORTHY Licensed for 20 Years 310.245.1279 | SusanEarnestRealtor@gmail.com www.SusanEarnestRealEstate.com eReal Estate Corp. 414 Torrance Blvd. Redondo Beach, CA 90277 DRE# 01272987 SUSAN EARNEST

623 views • 18 slides
Multi-scale simulations of whole Tyler Earnest / PI: Zan Luthey-Schulten (UIUC) NCSA Blue Waters

Multi-scale simulations of whole Tyler Earnest / PI: Zan Luthey-Schulten (UIUC) NCSA Blue Waters

Multi-scale simulations of whole Tyler Earnest / PI: Zan Luthey-Schulten (UIUC) NCSA Blue Waters Symposium for Petascale Science and yeast cells Beyond: June 6, 2018 Chemical kinetic simulations Earnest, , ZLS Rep. Prog. Phys (2018)

762 views • 44 slides
Procedure For Purchase Flow Chart Earnest Money (RM12k to RM50k) Sign OTP upon Sale Estimated

Procedure For Purchase Flow Chart Earnest Money (RM12k to RM50k) Sign OTP upon Sale Estimated

Procedure For Purchase Flow Chart Earnest Money (RM12k to RM50k) Sign OTP upon Sale Estimated within 2wks Letter of Acceptance/ Sign SPA (Sales & Purchase Agreement) Pay Balance 10% Downpayment minus Earnest Money Pay State Levy

227 views • 8 slides
readme 1. rpcgen -a task.x task.h (header file to be included) task_xdr.c (XDR: External Data

readme 1. rpcgen -a task.x task.h (header file to be included) task_xdr.c (XDR: External Data

readme 1. rpcgen -a task.x task.h (header file to be included) task_xdr.c (XDR: External Data Representation, to be used by client/server stub) task_clnt.c (client stub) task_svc.c (server stub) task_client.c (client program template)

337 views • 12 slides
Noise Characteriza.on of Quantum Amplifiers Nathan Earnest

Noise Characteriza.on of Quantum Amplifiers Nathan Earnest

Noise Characteriza.on of Quantum Amplifiers Nathan Earnest Mentor: Yi Yin PI: John Mar.nis August 19 th , 2010 Quantum Informa.on Lab Superposi.on

1.71k views • 10 slides
Research Workgroup June 3, 2019 For most of our nations history, earnest and knowledgeable

Research Workgroup June 3, 2019 For most of our nations history, earnest and knowledgeable

Research Workgroup June 3, 2019 For most of our nations history, earnest and knowledgeable Americans have debated how to approach our education system. We have called for reforms of every description. Weve debated how to teach, what

615 views • 14 slides
Presentation to the Indian Affairs Committee Brent Earnest, Deputy Secretary, HSD September 29,

Presentation to the Indian Affairs Committee Brent Earnest, Deputy Secretary, HSD September 29,

Presentation to the Indian Affairs Committee Brent Earnest, Deputy Secretary, HSD September 29, 2014 New Mexico Human Services Department What at i is SNA SNAP? SNAP provides assistance for the purchase of food to eligible, low-income

308 views • 12 slides
Presentation to the Legislative Finance Committee FY19 Appropriation Request Brent Earnest,

Presentation to the Legislative Finance Committee FY19 Appropriation Request Brent Earnest,

Presentation to the Legislative Finance Committee FY19 Appropriation Request Brent Earnest, Secretary December 6, 2017 New Mexico Human Services Department Todays days Presentat atio ion HSD FY19 Appropriation Request Overview

307 views • 28 slides
Interim presentation Third quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 7 November 2019

Interim presentation Third quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 7 November 2019

Interim presentation Third quarter 2019 Sverre Hurum, CEO Erik Stub, CFO 7 November 2019 Bouvets ambition We will be the most credible consultancy with the most satisfied employees and clients 2 Long term goals Best workplace Client

752 views • 31 slides
Data integration Tyler M. Earnest July 19, 2018 Hands-On Workshop on Cell Scale Simulations,

Data integration Tyler M. Earnest July 19, 2018 Hands-On Workshop on Cell Scale Simulations,

Data integration Tyler M. Earnest July 19, 2018 Hands-On Workshop on Cell Scale Simulations, Urbana, IL 1 Introduction Not ab initio ! Required data Reactions Rate parameters Diffusion coefficients Geometry 2 Common

705 views • 34 slides
SAVE OUR SLIDES: POWERPOINT DESIGN THAT WORKS Download Free Author: Billy Earnest Number of

SAVE OUR SLIDES: POWERPOINT DESIGN THAT WORKS Download Free Author: Billy Earnest Number of

SAVE OUR SLIDES: POWERPOINT DESIGN THAT WORKS Download Free Author: Billy Earnest Number of Pages: 88 pages Published Date: 06 Sep 2013 Publisher: Kendall/Hunt Publishing Co ,U.S. Publication Country: Iowa, United States Language: English

272 views • 4 slides
A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for resolving) by and for application developers (for application) First implementation by LABS and From Verisign: From NLnet Labs: Theogene Bucuti,

1.63k views • 113 slides
AVOID Study Air Versus Oxygen In ST-elevation MyocarDial Infarction Dr Dion Stub MBBS PhD FRACP

AVOID Study Air Versus Oxygen In ST-elevation MyocarDial Infarction Dr Dion Stub MBBS PhD FRACP

AVOID Study Air Versus Oxygen In ST-elevation MyocarDial Infarction Dr Dion Stub MBBS PhD FRACP Baker IDI Heart & Diabetes Institute, Melbourne Australia St Pauls Hospital Vancouver, Canada On behalf of Karen Smith, Stephen Bernard, Ziad

312 views • 15 slides
Sports Medicine 2015 Carlin Senter M.D. UCSF Internal Medicine and Orthopaedics UCSF Advances in

Sports Medicine 2015 Carlin Senter M.D. UCSF Internal Medicine and Orthopaedics UCSF Advances in

5/22/2015 Hot Topics in Sports Medicine 2015 Carlin Senter M.D. UCSF Internal Medicine and Orthopaedics UCSF Advances in Internal Medicine Hot Topics in Sports Medicine 2015 Sports concussion Diagnosis Treatment Knee pain due

953 views • 30 slides
1 & 2 Samuel Series Lesson #125 March 27, 2018 Dean Bible Ministries

1 & 2 Samuel Series Lesson #125 March 27, 2018 Dean Bible Ministries

1 & 2 Samuel Series Lesson #125 March 27, 2018 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. D AVID M OVES THE A RK 2 S AMUEL 6: 512 1A God blesses David and he unites and expands the kingdom. 2 Sam. 210 2A

663 views • 50 slides
mobile libraries Rusty Days 2020 - Jan-Erik / @badboy_ About me Firefox Telemetry engineer at

mobile libraries Rusty Days 2020 - Jan-Erik / @badboy_ About me Firefox Telemetry engineer at

Leveraging Rust to build cross-platform mobile libraries Rusty Days 2020 - Jan-Erik / @badboy_ About me Firefox Telemetry engineer at Mozilla Rust Community Team member Scuba diver Twitter: @badboy_ Blog: fnordi g.de Slides:

1.02k views • 76 slides
Delancey Street 2012 Commissioner Janette Sadik-Khan New York City Department of

Delancey Street 2012 Commissioner Janette Sadik-Khan New York City Department of

Delancey Street 2012 Commissioner Janette Sadik-Khan New York City Department of Transportation Presented on February 8, 2012 at Community Board 3 Project Area 2 DOTs Recent Improvements Bowery safety island Chrystie St safety islands

531 views • 33 slides
Do you Stop, Look, Listen and Think? Who can demonstrate how to Stop, Look, Listen and Think?

Do you Stop, Look, Listen and Think? Who can demonstrate how to Stop, Look, Listen and Think?

Do you Stop, Look, Listen and Think? Who can demonstrate how to Stop, Look, Listen and Think? Road ready? Expect the unexpected fjlm Why was the girl about to run across the road without looking? What was Sams advice? Why is it dangerous

416 views • 14 slides
HELLO! an opportunity to: Victory and Overland. anything. Locust Grove Rd., Victory Rd. to

HELLO! an opportunity to: Victory and Overland. anything. Locust Grove Rd., Victory Rd. to

Locust Grove Rd., Victory Rd. to Overland Rd. | 3/30/2020 The purpose of this Tell us if we missed Locust Grove between made on the design for Review the progress information is to give you Grove Road Project. interest in the Locust Thank

410 views • 18 slides
Non-crossing partitions for arbitrary Coxeter groups 1 2 4 3 Jon McCammond U.C. Santa

Non-crossing partitions for arbitrary Coxeter groups 1 2 4 3 Jon McCammond U.C. Santa

Non-crossing partitions for arbitrary Coxeter groups 1 2 4 3 Jon McCammond U.C. Santa Barbara (Joint work with Noel Brady, John Crisp, and Anton Kaul) 1 Outline I. Posets and Garside structures II. Examples and consequences III.

418 views • 31 slides
Stream Smart Road Crossings & Maine Barrier Surveys Alex Abbott Welcome! GIS Analyst &

Stream Smart Road Crossings & Maine Barrier Surveys Alex Abbott Welcome! GIS Analyst &

Stream Smart Road Crossings & Maine Barrier Surveys Alex Abbott Welcome! GIS Analyst & Restoration Specialist Under Contract to: Gulf of Maine Coastal Program U.S. Fish and Wildlife Service Welcome! Thanks for taking the time to

601 views • 46 slides

More recommend