SlideShare a Scribd company logo

EDNS (in)Compatibility: Adventures in Protocol Extension

APNIC
APNIC

EDNS (in)Compatibility: Adventures in Protocol Extension, by Eddy Winstead. A presentation given at APRICOT 2016’s Network Operations session on 24 February 2016.

Internet
1 of 11
EDNS  (in)Compa/bility:   Adventures  in  Protocol  Extension   APRICOT  2016  
Is  Mark  just  being  a   s0ckler?       “dropping  packets  is  just  plain  an/-­‐ social  and  always  has  been”     “A  firewall  can  generate  a  BADVERS   response,  just  like  it  can  generate  a   TCP  RST.    You  don't  have  to  break  the   protocol,  you  can  co-­‐operate  with  the   protocol.”    
What  is  EDNS?   512   bytes   512   512   512   512   512   512   512   512   Original  max  allowable  size  of  a  DNS  message  over  UDP   2000ish+  DNS  msg  max  over  UDP,  up  to  4096  bytes   Extension  mechanisms  for  DNS  
Why  would  you  want  EDNS?   •  DNSSEC,  IPv6  (signatures  and/or  several  IPv6   addresses)   •  Client-­‐subnet  Iden/fier  (iden/fy  query   originator)   •  DNS  cookies  (abuse  mi/ga/on  tool)   •  there  will  be  more  new  applica/ons  ...  
Why  is  EDNS  incompa/bility  a   problem?   1.  Firewall  blocking  is  indis/nguishable  from   packet  loss,  causing  DNS  servers  to  retry   uselessly,  slowing  response  to  users   2.  Poor  failure  modes  can  disable  DNSSEC,   making  DNSSEC-­‐signed  sites  unreachable  for   clients  using  valida/ng  resolvers   3.  NEW  applica/ons  using  EDNS  may  be  s/fled   – DNS  cookies    (DDOS  mi/ga/on  tool)   – Client-­‐subnet  iden/fier  (CDN  op/miza/on)  
Firewalls  may  block  the  following:   •  DNS  queries  with  EDNS  flag  set   •  EDNS  version  not  equal  to  0   •  Unknown  EDNS  op/ons   “These  firewalls  are  not  providing  any  ‘security’   benefit  to  anyone  by  doing  this.    All  they  are  doing   is  stuffing  up  the  ability  to  deploy  protocol   extensions.”  
ednscomp.isc.org  
hap://ednscomp.isc.org/compliance/summary.html   90%++  Compliance  =  Success!!  
hap://ednscomp.isc.org/compliance/summary.html   60%++  Compliance  =  Success????  
5-­‐20  Route  53  Firewall  updated  
What  can  you  do?   •  Test  your  DNS  services  at  ednscomp.isc.org   •  Remove  rules  blocking  EDNS  responses  from   Firewalls   •  Keep  your  DNS  servers  updated     •  Keep  in  mind  while  debugging  DNSSEC   valida/on  failures  

Recommended

How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home eraMarian Marinov
 
Web Werks Cloud Hosting FAQ
Web Werks Cloud Hosting FAQWeb Werks Cloud Hosting FAQ
Web Werks Cloud Hosting FAQWeb Werks Data Centers
 
DDoS Attacks and Countermeasures
DDoS Attacks and CountermeasuresDDoS Attacks and Countermeasures
DDoS Attacks and Countermeasuresthaidn
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesGabriella Davis
 
Managing sysadmins
Managing sysadminsManaging sysadmins
Managing sysadminsMarian Marinov
 
Fun With SHA2 Certificates
Fun With SHA2 CertificatesFun With SHA2 Certificates
Fun With SHA2 CertificatesGabriella Davis
 
ERPNext VPS - #Dotzo
ERPNext VPS - #DotzoERPNext VPS - #Dotzo
ERPNext VPS - #DotzoDotzonetworks
 

Recommended

How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home eraMarian Marinov
 
Web Werks Cloud Hosting FAQ
Web Werks Cloud Hosting FAQWeb Werks Cloud Hosting FAQ
Web Werks Cloud Hosting FAQWeb Werks Data Centers
 
DDoS Attacks and Countermeasures
DDoS Attacks and CountermeasuresDDoS Attacks and Countermeasures
DDoS Attacks and Countermeasuresthaidn
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesGabriella Davis
 
Managing sysadmins
Managing sysadminsManaging sysadmins
Managing sysadminsMarian Marinov
 
Fun With SHA2 Certificates
Fun With SHA2 CertificatesFun With SHA2 Certificates
Fun With SHA2 CertificatesGabriella Davis
 
ERPNext VPS - #Dotzo
ERPNext VPS - #DotzoERPNext VPS - #Dotzo
ERPNext VPS - #DotzoDotzonetworks
 
IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceGabriella Davis
 
Running and Scaling Magento on AWS
Running and Scaling Magento on AWSRunning and Scaling Magento on AWS
Running and Scaling Magento on AWSAOE
 
Web Speed And Scalability
Web Speed And ScalabilityWeb Speed And Scalability
Web Speed And ScalabilityJason Ragsdale
 
High-Performance Magento in the Cloud
High-Performance Magento in the CloudHigh-Performance Magento in the Cloud
High-Performance Magento in the CloudAOE
 
Optimizing website performance
Optimizing website performanceOptimizing website performance
Optimizing website performancePublisto Ltd.
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoGabriella Davis
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap WebinarMen and Mice
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyCourtland Smith
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECDeploy360 Programme (Internet Society)
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
How to stop a VPN DNS leak.
How to stop a VPN DNS leak.How to stop a VPN DNS leak.
How to stop a VPN DNS leak.LimeVPN
 
IPv6 Greenfield
IPv6 Greenfield IPv6 Greenfield
IPv6 Greenfield Bangladesh Network Operators Group
 
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303 MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303 Victoria Malaya
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications IJosep Bardallo
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabAPNIC
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Deploy360 Programme (Internet Society)
 
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!Wes Morgan
 
Mellanox Storage Solutions
Mellanox Storage SolutionsMellanox Storage Solutions
Mellanox Storage SolutionsMellanox Technologies
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct Access
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct AccessWindows Server 2012 Seminar 4 - De mogelijkheden van Direct Access
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct AccessCompuTrain. De IT opleider.
 
Ad disasters & how to prevent them
Ad disasters & how to prevent themAd disasters & how to prevent them
Ad disasters & how to prevent themConcentrated Technology
 

More Related Content

What's hot

IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceGabriella Davis
 
Running and Scaling Magento on AWS
Running and Scaling Magento on AWSRunning and Scaling Magento on AWS
Running and Scaling Magento on AWSAOE
 
Web Speed And Scalability
Web Speed And ScalabilityWeb Speed And Scalability
Web Speed And ScalabilityJason Ragsdale
 
High-Performance Magento in the Cloud
High-Performance Magento in the CloudHigh-Performance Magento in the Cloud
High-Performance Magento in the CloudAOE
 
Optimizing website performance
Optimizing website performanceOptimizing website performance
Optimizing website performancePublisto Ltd.
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoGabriella Davis
 

What's hot (6)

IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and Performance
 
Running and Scaling Magento on AWS
Running and Scaling Magento on AWSRunning and Scaling Magento on AWS
Running and Scaling Magento on AWS
 
Web Speed And Scalability
Web Speed And ScalabilityWeb Speed And Scalability
Web Speed And Scalability
 
High-Performance Magento in the Cloud
High-Performance Magento in the CloudHigh-Performance Magento in the Cloud
High-Performance Magento in the Cloud
 
Optimizing website performance
Optimizing website performanceOptimizing website performance
Optimizing website performance
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
 

Similar to EDNS (in)Compatibility: Adventures in Protocol Extension

OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyCourtland Smith
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
How to stop a VPN DNS leak.
How to stop a VPN DNS leak.How to stop a VPN DNS leak.
How to stop a VPN DNS leak.LimeVPN
 
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303 MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303 Victoria Malaya
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications IJosep Bardallo
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabAPNIC
 
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!Wes Morgan
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct Access
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct AccessWindows Server 2012 Seminar 4 - De mogelijkheden van Direct Access
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct AccessCompuTrain. De IT opleider.
 
Production debugging web applications
Production debugging web applicationsProduction debugging web applications
Production debugging web applicationsIdo Flatow
 
The Path to SDN - How to Ensure a Successful SDN Evolution
The Path to SDN - How to Ensure a Successful SDN EvolutionThe Path to SDN - How to Ensure a Successful SDN Evolution
The Path to SDN - How to Ensure a Successful SDN EvolutionJuniper Networks
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Desktop interview qestions & answer
Desktop interview qestions & answerDesktop interview qestions & answer
Desktop interview qestions & answermandarshetye45
 

Similar to EDNS (in)Compatibility: Adventures in Protocol Extension (20)

DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
How to stop a VPN DNS leak.
How to stop a VPN DNS leak.How to stop a VPN DNS leak.
How to stop a VPN DNS leak.
 
IPv6 Greenfield
IPv6 Greenfield IPv6 Greenfield
IPv6 Greenfield
 
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303 MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303
MongoDB in Windows Azure - Evgeniy Maliy - Dnipropetrovsk MUG 140303
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications I
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6Lab
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
 
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!
Going Cloud? Going Mobile? Don't Let Your Network Be A Showstopper!
 
Mellanox Storage Solutions
Mellanox Storage SolutionsMellanox Storage Solutions
Mellanox Storage Solutions
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct Access
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct AccessWindows Server 2012 Seminar 4 - De mogelijkheden van Direct Access
Windows Server 2012 Seminar 4 - De mogelijkheden van Direct Access
 
Ad disasters & how to prevent them
Ad disasters & how to prevent themAd disasters & how to prevent them
Ad disasters & how to prevent them
 
Production debugging web applications
Production debugging web applicationsProduction debugging web applications
Production debugging web applications
 
The Path to SDN - How to Ensure a Successful SDN Evolution
The Path to SDN - How to Ensure a Successful SDN EvolutionThe Path to SDN - How to Ensure a Successful SDN Evolution
The Path to SDN - How to Ensure a Successful SDN Evolution
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Desktop interview qestions & answer
Desktop interview qestions & answerDesktop interview qestions & answer
Desktop interview qestions & answer
 

More from APNIC

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 

More from APNIC (20)

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 

Recently uploaded

All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Onlineanilsa9823
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 

Recently uploaded (20)

All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 

EDNS (in)Compatibility: Adventures in Protocol Extension

  • 1. EDNS  (in)Compa/bility:   Adventures  in  Protocol  Extension   APRICOT  2016  
  • 2. Is  Mark  just  being  a   s0ckler?       “dropping  packets  is  just  plain  an/-­‐ social  and  always  has  been”     “A  firewall  can  generate  a  BADVERS   response,  just  like  it  can  generate  a   TCP  RST.    You  don't  have  to  break  the   protocol,  you  can  co-­‐operate  with  the   protocol.”    
  • 3. What  is  EDNS?   512   bytes   512   512   512   512   512   512   512   512   Original  max  allowable  size  of  a  DNS  message  over  UDP   2000ish+  DNS  msg  max  over  UDP,  up  to  4096  bytes   Extension  mechanisms  for  DNS  
  • 4. Why  would  you  want  EDNS?   •  DNSSEC,  IPv6  (signatures  and/or  several  IPv6   addresses)   •  Client-­‐subnet  Iden/fier  (iden/fy  query   originator)   •  DNS  cookies  (abuse  mi/ga/on  tool)   •  there  will  be  more  new  applica/ons  ...  
  • 5. Why  is  EDNS  incompa/bility  a   problem?   1.  Firewall  blocking  is  indis/nguishable  from   packet  loss,  causing  DNS  servers  to  retry   uselessly,  slowing  response  to  users   2.  Poor  failure  modes  can  disable  DNSSEC,   making  DNSSEC-­‐signed  sites  unreachable  for   clients  using  valida/ng  resolvers   3.  NEW  applica/ons  using  EDNS  may  be  s/fled   – DNS  cookies    (DDOS  mi/ga/on  tool)   – Client-­‐subnet  iden/fier  (CDN  op/miza/on)  
  • 6. Firewalls  may  block  the  following:   •  DNS  queries  with  EDNS  flag  set   •  EDNS  version  not  equal  to  0   •  Unknown  EDNS  op/ons   “These  firewalls  are  not  providing  any  ‘security’   benefit  to  anyone  by  doing  this.    All  they  are  doing   is  stuffing  up  the  ability  to  deploy  protocol   extensions.”  
  • 10. 5-­‐20  Route  53  Firewall  updated  
  • 11. What  can  you  do?   •  Test  your  DNS  services  at  ednscomp.isc.org   •  Remove  rules  blocking  EDNS  responses  from   Firewalls   •  Keep  your  DNS  servers  updated     •  Keep  in  mind  while  debugging  DNSSEC   valida/on  failures