This document provides an introduction to a DNSSEC training course hosted by RIPE NCC. It explains that DNSSEC protects against DNS spoofing and data corruption by using digital signatures to authenticate DNS data and establish the integrity and authenticity of DNS responses. The training course aims to raise awareness of DNSSEC and provide guidance on deployment. It outlines the course agenda which will cover DNSSEC mechanisms such as signing zones and establishing chains of trust, as well as operational concerns. Finally, it provides background on the trainers and the expected audience for the training.
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38] (APNIC)
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It discusses how DNSSEC introduces digital signatures to cryptographically protect DNS data and prevent man-in-the-middle attacks. It also describes some common DNS record types used in DNSSEC like DNSKEY, RRSIG, and DS. The document notes that while DNSSEC deployment has increased in top-level domains and root servers, adoption remains low at the second-level domain level, and more work is still needed for full deployment.
This document provides an introduction to a DNSSEC training course hosted by RIPE NCC. It explains that DNSSEC protects against DNS spoofing and data corruption by using digital signatures to authenticate DNS data and establish its integrity. The course aims to raise awareness of DNSSEC and provide guidance on deployment. It outlines DNSSEC mechanisms like using new resource records and signing zones to authenticate communication between servers and establish authenticity of DNS data.
This document provides an overview and introduction to DNS and DNSSEC. It begins with introducing the presenter, Nurul Islam Roman, and his background and areas of expertise. The overview section lists the topics to be covered, including DNS overview, forward and reverse DNS, DNS security overview, TSIG, and DNSSEC. The document then delves into explanations of DNS overview, how it works, its features and components. It also covers IP addresses vs domain names, the DNS tree hierarchy, domains, root servers, resolvers, authoritative and recursive nameservers. Finally, it discusses resource records, common RR types, reverse DNS, delegation, glue records and responsibilities around APNIC and ISPs for reverse delegations.
The document summarizes discussions from IETF 94 and RIPE 71 conferences. Several new DNS-related RFCs were published, including ones on DNSSEC, DANE, and IPv6. Discussions also covered DNS record ordering, DS record management automation, and measuring the SMTP over TLS adoption. IPv6 performance improvements were noted since 2011, though challenges remain. DNSTAP was introduced as a new technology for monitoring DNS server operations with minimal performance impact.
Abhishek Mallik has over 9 years of experience in storage administration. He has extensive experience working with NetApp storage technologies including FAS arrays, Data ONTAP, snapshots, replication, and backup software. He has worked on large projects for clients in the US like Mattel and Intel as well as in India. Currently he is the Storage Tower Lead for Mattel managing an 8 person team responsible for NetApp, EMC, and Brocade administration.
This document provides details about Avamar backup configurations and procedures for production and campus environments. It includes information on cluster details, utilization and capacities, backup policies, groups, schedules, and retention policies. It also describes how to perform on-demand backups and restores in Avamar, and covers the Avamar Enterprise Manager and replication.
EMC Data Domain advanced features and functions (solarisyougood)
This document provides an overview of advanced features and functions of Data Domain systems. It covers topics such as virtual tape libraries (VTL), snapshots, replication, DD Boost integration, capacity and throughput planning, and system monitoring tools. The document consists of multiple lessons that describe these topics in detail and includes configuration examples.
Seeking a position as a Linux Administrator by utilizing 6+ years of experience in multiple Linux & UNIX platforms, specialized in Red Hat Linux. Self-motivated, dedicated and up to any task that I am given.
- The document is a resume for a Solaris Linux Administrator with over 11 years of experience in system administration and support roles. It details technical skills and responsibilities across several roles supporting Solaris, Linux, and AIX environments.
- Experience includes installing, configuring, upgrading, and troubleshooting various Solaris, Linux, and storage systems. Duties involved user management, file systems, backup solutions, web/application deployments, and more.
- The administrator has worked with technologies such as Solaris, Linux, AIX, Veritas, WebLogic, MQSeries, Oracle, and EMC storage solutions.
Deduplication reduces the amount of disk storage needed to retain and protect data by ratios of 10-30x and greater, making a disk a cost-effective alternative to tape. Data on disk is available online and onsite for longer retention periods, and restores become fast and reliable. Storing only unique data on disk also means that data can be cost-effectively replicated over existing networks to remote sites for disaster recovery and consolidated tape operations.
Presentation: Data Domain advanced features and functions (xKinAnx)
This document provides an overview of Data Domain advanced features and functions for Velocity Partner Accreditation. It covers topics such as virtual tape library (VTL) planning, snapshots, replication, recovery, DD Boost integration, capacity and throughput planning, and system monitoring tools. The document contains lessons and explanations on these topics to help partners learn about and describe Data Domain's data protection solutions.
This document contains a resume for Haresh Mehta seeking a position utilizing his 16 years of experience administering UNIX systems including Solaris, Linux, HP-UX, and AIX. He has expertise installing, maintaining, and troubleshooting various server hardware and his skills include backup and recovery, volume management, networking, and database administration. His objective is to find a progressive organization where he can continue growing professionally.
Ponnupandi D is a senior IT engineer with 8 years of experience seeking a challenging role in technical support or project management. He has expertise in systems like Oracle servers, EMC storage, UNIX, VMware, Symantec NetBackup, HP servers, Veritas software, Cisco and Brocade switches. He has experience providing technical support, resolving issues, planning projects, and analyzing infrastructure needs for clients in Saudi Arabia and India. His roles have included engineering, technical specialist, and handling implementations for companies like Wipro, AccelFrontline and HCL Infotec.
Presentation: Deduplication backup software and system (xKinAnx)
The document provides information on EMC's Avamar deduplication backup software and system. It discusses how Avamar reduces backup time and storage requirements through client-side deduplication. Avamar provides daily full backups, one-step recovery, and supports both physical and virtual environments. It integrates with EMC Data Domain systems and is optimized for backing up virtual machines, remote offices, desktops/laptops, and enterprise applications.
The Efficient Use of Cyberinfrastructure to Enable Data Analysis Collaboration (Cybera Inc.)
The document discusses using cloud storage and a scalable file delivery system called WOS Clouds to efficiently distribute and deliver large datasets across multiple sites. WOS Clouds provides a single namespace and automated replication to balance loads, heal failures, and replicate data according to user-defined policies across zones that can span geographic regions for high performance and disaster recovery.
Les solutions EMC de sauvegarde des données avec déduplication dans les envir... (ljaquet)
The document discusses EMC's backup and recovery solutions, with a focus on deduplication-based products. It provides an overview of EMC's portfolio including Avamar, Data Domain, and NetWorker. It then discusses key concepts like deduplication fundamentals and how the technology has evolved backup solutions from tape-based to disk-based. Specific product features and benefits are highlighted, such as Avamar's guest-level VMware backup and Data Domain's inline deduplication approach.
The document discusses scaling tier-based applications using Space Based Architecture (SBA). SBA uses a common data and processing grid to virtualize tiers, enabling applications to scale out processing across commodity hardware. This approach parallelizes transactions, reduces serialization overhead between tiers, and allows dynamic scalability through automated deployment of services on a grid. The session will provide examples of how financial and telecom applications achieve scalability using SBA.
Pramod Kumar has over 20 years of experience as a senior Unix administrator with expertise in Linux, Solaris, AIX, and storage administration. He has worked for large tech companies like eBay, Xilinx, and Stanford University, managing servers, storage, networking equipment, and supporting applications. His technical skills include software like Linux, Solaris, AIX, load balancers, Puppet, and databases, as well as hardware from Dell, HP, IBM, Cisco, Fujitsu, and Sun.
EMC Data Domain® Boost integration guide (Arvind Varade)
The document provides an integration guide for using EMC NetWorker Version 9.0.x with EMC Data Domain Boost (DD Boost) technology. It covers planning, practices, and configuration information for using DD Boost devices within a NetWorker backup and storage management environment. Key points include:
- DD Boost allows deduplication of backup data on Data Domain storage systems for reduced storage requirements.
- The guide provides roadmaps and procedures for configuring DD Boost devices, policies for backups and cloning, software requirements, restoring data, monitoring and reporting, and upgrading existing DD Boost configurations.
- Details are given on network and hardware requirements, performance considerations, licensing, and best practices for backup retention, data types
Strata + Hadoop World 2012: HDFS: Now and Future (Cloudera, Inc.)
Hadoop 1.0 is a significant milestone in being the most stable and robust Hadoop release tested in production against a variety of applications. It offers improved performance, support for HBase, disk-fail-in-place, WebHDFS, etc. over previous releases. The next major release, Hadoop 2.0, offers several significant HDFS improvements including a new append pipeline, federation, wire compatibility, NameNode HA, further performance improvements, etc. We describe how to take advantage of the new features and their benefits. We also discuss some of the misconceptions and myths about HDFS.
The document discusses tools for troubleshooting database performance issues. It describes operating system tools like ps, vmstat, iostat that can help identify hardware and resource bottlenecks. It also covers PostgreSQL-specific tools like the pg_stat views and logs that provide insight into query performance and activity. Benchmarks like pgbench, bonnie++, and the more complex DBT2 are presented as options for reproducing and analyzing problems in a controlled way. The overall approach presented is to start with less invasive tools and progress to more targeted benchmarks if needed to pinpoint severe issues.
The document is a resume for Manu M.S. that summarizes his experience as a senior level storage and backup administration professional. Over 7 years of experience is highlighted, including current role as Senior Storage Administrator at Ernst & Young, Trivandrum. Technical skills and tools are listed, such as NetBackup, 3PAR, Data Domain, Brocade, and various operating systems. Education includes a BSc in Computer Science from Manonmaniam Sundarnar University.
Best Practices for Deploying Enterprise Applications on UNIX (Noel McKeown)
The document provides best practices for preparing a UNIX server for deploying enterprise applications. It discusses tasks such as OS installation, hardening the server, configuring shared storage, setting up system accounts, enabling sudo privileges, and disabling security features like iptables and SELinux that could interfere with applications. The goal is to baseline the server, lock down access, and set it up securely according to industry standards before deploying enterprise software.
EMC Data Domain Retention Lock Software: Detailed Review (EMC)
This white paper explains how EMC Retention Lock software enables IT organizations to efficiently store and manage retention of archive data for both governance and compliance on a single Data Domain system.
Comparing Dell Compellent network-attached storage to an industry-leading NAS... (Principled Technologies)
A flexible NAS solution addresses many organizational challenges from server backup to hosting production applications and databases. Advanced NAS solutions such as the Intel Xeon processor-based Dell Compellent FS8600 NAS provide flexibility and scalability, allowing various use options as well as drive options throughout its lifecycle. This scale and flexibility enables an organization to alleviate performance bottlenecks anywhere in the organization simply by reallocating or adding more disk resources.
We found that the Intel Xeon processor-based Dell Compellent FS8600 NAS solution backed up a small-file corpus up to 15.9 percent faster and a large-file corpus up to 17.1 percent faster than a similarly configured, industry-leading NAS solution. This means that selecting the Dell Compellent FS8600 NAS has the potential to help optimize an organization’s infrastructure.
Securing Your Endpoints Using Novell ZENworks Endpoint Security Management (Novell)
Endpoint security is one of the greatest concerns on the minds of senior management today. Protecting your data and controlling how systems access resources is of the utmost importance. You must take actions to protect your infrastructure while ensuring your employees can continue to perform their jobs effectively and efficiently. Come to this session to learn how you can leverage the power of Novell ZENworks Endpoint Security Management across your enterprise to achieve this delicate balance—so you and the rest of your organization can sleep at night.
This document contains the resume of Midhun P S, who has 3.2 years of experience as a storage administrator at Wipro Infotech Ltd. He has hands-on experience with NetApp, EMC, Hitachi, and X-IO storage systems as well as Brocade SAN switches. He aims to build his career in a leading technology company where he can further develop his skills. His core competencies include being achievement oriented, timely response, self-motivation, teamwork, and being a quick learner.
WHO guidelines on pandemic influenza and blood supply (rtibloodinfo)
This document provides guidelines for national blood transfusion services to maintain a safe and adequate blood supply during an influenza pandemic. It recommends that blood services 1) be included in national pandemic planning, 2) receive epidemiological information to inform contingency planning, and 3) develop plans to address potential reductions in blood donations and changes in clinical demand for blood. While the risk of transmitting influenza through blood is very low, services must prepare for temporary losses of up to 50% of donors due to their own or family members' infections and potential restrictions on movement or blood collection activities in affected areas. Ongoing communication with donors is important to maintain safe blood donations during a pandemic.
The document summarizes several popular attractions in Australia:
The Great Barrier Reef off the coast of Queensland has beautiful coral in blue, red, green, and pink colors and is an important habitat for endangered dugongs and sea turtles. The Blue Mountains in New South Wales feature the Three Sisters rock formation as well as trees and animals, and colorful sunsets. The iconic Sydney Opera House located in Sydney Harbour has a distinctive shell-like design and was designed by Jørn Utzon; it is important to performers and staff. The Australian War Memorial honors those who fought and died in wars and depicts military equipment and recreated battlefields.
1. The document discusses three types of IT - function IT (FIT), network IT (NIT), and enterprise IT (EIT) - and three tasks for managing them: selection, adoption, and exploitation.
2. IT selection involves taking an inside-out approach to determine what capabilities an organization needs from IT. Adoption requires creating complements to maximize value from selected technologies. Exploitation is about extracting maximum benefit once technologies are implemented.
3. Adoption is particularly challenging for EIT due to imposed new processes, but executives can intervene as complements to facilitate adoption. Ongoing exploitation relies on tuning organizational complements for FIT and NIT, and leveraging standardized data and workflows for E
http://sevennorthgraphics.com
St Pete's Seven North Web & Graphics Social Media-Hub Website: Leveraging Wordpress for Easy SEO and Lower Cost.
Web Design With Wordpress for Social Media Success in St Petersburg, Tampa Bay, Florida
http://sevennorthweb.com
The Domain Name System (DNS) is a critical part of the Internet infrastructure and the largest distributed directory service on the Internet. DNS translates names to IP addresses, a required step for web navigation, email delivery and other Internet functions. The DNS infrastructure is not secure unless mechanisms such as Transaction Signatures (TSIG) and the DNS Security Extensions (DNSSEC) are deployed. To guarantee available and secure Internet services, networking professionals need to understand DNS concepts, DNS security, configuration and operations.
This course discusses DNS operations in detail: mechanisms to authenticate the communication between DNS servers, mechanisms to establish the authenticity and integrity of DNS data, and mechanisms to delegate trust to the public keys of third parties. Participants do lab exercises, configuring servers for a number of scenarios.
ION Islamabad, 25 January 2017
By Champika Wijayatunga, ICANN
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
This document discusses how F5 Networks' Dynamic DNS Services provide scalability, security, and availability for DNS infrastructure. The services improve web performance, protect sites from attacks, and direct traffic based on location. F5's solutions include BIG-IP Global Traffic Manager for robust, flexible, and secure DNS delivery globally. DNSSEC validation is supported for complete security while mitigating denial of service attacks and scaling to handle large traffic loads.
Why Implement DNSSEC?
Champika Wijayatunga from ICANN discusses the importance of implementing DNSSEC. DNSSEC introduces digital signatures to cryptographically secure DNS data and protect against threats like cache poisoning, spoofing and man-in-the-middle attacks. DNSSEC does not protect the servers themselves, and it does not guarantee that the published data is correct, but it does establish the authenticity and integrity of the DNS data retrieved. With DNSSEC fully implemented, businesses and users can be confident they are receiving unmodified DNS information. However, more needs to be done to increase awareness and provide turnkey solutions before DNSSEC adoption is widespread.
A webinar that looks into the new features that the Windows Server 2016 will offer in the DNS, DHCP and IPv6 space.
Showcase of some of the new stuff using the latest tech preview and the aim is to give administrators a quick overview of the Windows Server 2016 and enough information to decide if early adoption is worthwhile.
- Whalebone provides DNS resolution services for millions protecting against malware and anomalies
- They have experienced random subdomain attacks that try to take down domains by overloading resolvers with queries for nonexistent subdomains
- DNSSEC aggressive caching helps mitigate these attacks by reducing load on authoritative nameservers for nonexistent records
- However, some devices like F5 BIG-IP load balancers have had faulty implementations of DNSSEC that can cause validation failures and resolution issues
This document describes research into developing a discovery method to ensure DNSSEC information can be delivered to end hosts. Measurements using RIPE ATLAS probes found that 64% of recursive resolvers could perform basic DNSSEC queries, while only 40% could process authenticated wildcard information. The proposed discovery method has stub resolvers first try the default recursive resolver, then the ISP resolver, a public resolver, or full recursion if needed, to balance functionality and efficiency.
This document discusses DNS server monitoring using DNSTAP, an open protocol to capture and store DNS server events. It begins by noting the performance impact of traditional monitoring methods and limitations of network packet capture. It then provides an overview of how DNSTAP works, implementations in Unbound, Knot DNS, and upcoming BIND 9, dependencies, available tools, and examples of configuring DNSTAP in Unbound, Knot DNS, and BIND 9.
DNS resolution is far from being resolved. The latest developments in standards bring not only significant security improvements but also additional configuration and management requirements.
This presentation sums up the latest related challenges and introduces the benefits that all network operators can get out of it, with a focus on DNSSEC challenges and benefits:
- Examples of incidents during DNSSEC introduction and the case study of country-wide DNSSEC introduction from .sk TLD.
- DNSSEC as a benefit for the network-manager - DNSSEC can be beneficial not only for the user. It can be a great benefit for the internet provider or network-manager due to the NSEC3 negative caching.
1. Welcome to the DNSSEC RIPE NCC Training Course
DNSSEC . RIPE NCC Training Course . http://www.ripe.net/training/dnssec/
2. Why DNSSEC?
• DNS is not secure
– Known vulnerabilities
– People depend more and more on DNS
• DNSSEC protects against data spoofing and corruption
• Why this course:
– To raise awareness on DNSSEC
– To provide handles for deployment
• Reverse delegation
3. Why RIPE NCC?
• Maintaining in-addr.arpa for several /8 blocks
• Involved in other DNS issues:
– K-root name server
– ENUM
• Interested in Internet-wide security technologies
– http://www.ripe.net/disi/
4. Who are we?
• Trainers:
– Know about DNSSEC
– Not DNS server operators!
• Audience:
– Know about DNS and want to know about DNSSEC
• please fill in the “expectations” in the questionnaire
5. Course Outline
• Introduction
• DNSSEC mechanisms
– to authenticate communication between hosts
• TSIG / SIG0
– to establish authenticity and integrity of data
• New RRs
• Signing a single zone
• Building chains of trust
• Key exchange and key rollovers
• Operational concerns
• Conclusions
6. DNS: Known Concepts
• Known DNS concepts:
– Delegation, Referral, Zone, RRs, label, RDATA,
authoritative server, caching forwarder, stub and full
resolver, SOA parameters, etc
– Don’t know? Do ask!
• Operational knowledge with BIND
– BIND 8 or 9 named.conf, writing zone files
– All examples based on IPv4
7. Reminder: DNS Resolving
(flattened diagram; the numbered arrows read as follows)
1. Stub resolver -> caching forwarder (recursive): "www.ripe.net A ?"
2. Caching forwarder -> root-server: "www.ripe.net A ?"
3. Root-server -> caching forwarder: referral "go ask net server @ X.gtld-servers.net" (+ glue)
4. Caching forwarder -> gtld-server: "www.ripe.net A ?"
5. Gtld-server -> caching forwarder: referral "go ask ripe server @ ns.ripe.net" (+ glue)
6. Caching forwarder -> ripe-server: "www.ripe.net A ?"
7. Ripe-server -> caching forwarder: answer "193.0.0.203"
8-10. The caching forwarder adds the answer to its cache (kept for TTL seconds) and returns "193.0.0.203" to the stub resolver
8. DNS: Data Flow
(flattened diagram: zone administrator -> zone file -> master; dynamic updates -> master; master -> slaves (zone transfer); caching forwarder <- resolver, with the forwarder querying the master/slaves; the arrows are numbered 1-5 in that order)
9. DNS Vulnerabilities
(the data-flow diagram of slide 8, annotated with where each attack applies)
• Server protection:
– Corrupting data (zone file on its way to the master)
– Impersonating master (zone transfers towards the slaves)
– Unauthorized (dynamic) updates
• Data protection:
– Cache impersonation (answers towards the caching forwarder / resolver)
– Cache pollution by data spoofing
– Altered zone data
10. DNS Protocol Vulnerability
• DNS data can be spoofed and corrupted between
master server and resolver or forwarder
• The DNS protocol does not allow you to check the
validity of DNS data
• Exploited by bugs in resolver implementation (predictable
transaction ID)
• Polluted caching forwarders can cause harm for quite some
time (TTL)
• Corrupted DNS data might end up in caches and stay there for
a long time
• How does a slave (secondary) know it is talking to the proper master (primary)?
11. DNSSEC protects..
DNSSEC protects against data spoofing and corruption
• TSIG/SIG0: provides mechanisms to authenticate
communication between servers
• DNSKEY/RRSIG/NSEC: provides mechanisms to
establish authenticity and integrity of data
• DS: provides a mechanism to delegate trust to public
keys of third parties
• A secure DNS will be used as an infrastructure with
public keys
– However it is NOT a PKI
12. DNSSEC Current State
• RFC 4033
– DNS Security Introduction and Requirements
• RFC 4034
– Resource Records for the DNS Security Extensions
• RFC 4035
– Protocol Modifications for the DNS Security Extensions
• March 2005
• Obsoletes RFC 2535
• Since then: RFC 5155 (NSEC3) added hashed authenticated denial of existence, and RFC 8624 gives current guidance on which signing algorithms to use
13. Configuration & Installation
BIND’s named
• BIND 9.3 or later supports current DNSSEC
– ftp://ftp.isc.org/isc/bind9/
• TSIG requires servers to sync time (time zone!)
– ntpdate -b
– xntpd
• Openssl libraries required for crypto parts
– http://www.openssl.org/
• Compile the source using openssl libraries:
./configure --with-openssl
14. Bind DNSSEC Tools
• Named
• dnssec-keygen
– Generate keys of various types
• dnssec-signzone
– Sign a zone
• dig
– Troubleshoot: Usage: dig +dnssec @…
• named-checkzone & named-checkconf
– syntax check for zonefiles and named.conf
15. Server/Named Configuration
• The configuration file is called "named.conf"
• Documentation in <src>/doc/arm/Bv9ARM.html
• Turn on DNSSEC in "options" statement
– dnssec-enable yes;
– later BIND releases enable this by default and eventually dropped the option; on a resolver, validation is controlled by dnssec-validation
• Turn on logging for troubleshooting
– Several categories
– Categories are processed in one or more channels
– Channels specify where the output goes
16. Relevant Logging Categories
• dnssec
– Processing DNSSEC signed responses
• security
– Requests that are approved or denied
• notify
– Zone change notification (relevant for dynamic update environments)
• update
– Dynamic update events
19. Securing Host-Host Communication
20. TSIG Protected Vulnerabilities
(the data-flow diagram of slide 9; TSIG covers the server-protection paths)
• Impersonating master: zone transfers master -> slaves
• Unauthorized updates: dynamic updates -> master
21. Transaction Signature: TSIG
• TSIG (RFC 2845, now RFC 8945)
– authorizing dynamic updates & zone transfers
– authentication of caching forwarders
– can be used without deploying other features of DNSSEC
• Keyed one-way hash (HMAC)
– computed over the DNS question or answer & a timestamp
• Traffic signed with "shared secret" key
• Used in configuration, NOT in zone file
22. TSIG example
(diagram: slave and master share the KEY "%sgs!f23fv")
• Slave -> Master: Query AXFR, Sig ... (HMAC over the query with the shared key)
• Master: verification of the query's Sig
• Master -> Slave: Response: zone (SOA ... SOA), Sig ...
• Slave: verification of the response's Sig
23. TSIG for Zone Transfers
1. Generate secret
2. Communicate secret
3. Configure servers
4. Test
24. Generate TSIG Secret
dnssec-keygen -a <alg> -b <bits> -n <type> [options] <keyname>
• algorithm: HMAC-MD5
– the only algorithm in RFC 2845; RFC 8945 makes HMAC-SHA256 mandatory to implement and HMAC-MD5 optional, so use hmac-sha256 in new deployments
• '-r /dev/urandom' might be needed
• Bits: 256 or larger
• type: host
• Name: unique identifier
– Suggested: master-slave.zone.name.
– "me-friend." used as example because it is short
• TSIG secret can be generated differently (any random bytes, base64 encoded; recent BIND releases ship tsig-keygen for exactly this)
25. TSIG dnssec-keygen Output
dnssec-keygen -a HMAC-MD5 -b 256 -n host me-friend.
Kme-friend.+157+51197.private
Kme-friend.+157+51197.key
(157 is the algorithm number for HMAC-MD5, 51197 the key tag)
• The .private and .key files contain the same shared secret
• TSIG secrets should never be put in zone files!!!
– might be confusing because the .key file looks like an RR:
me-friend. IN KEY 512 3 157 nEfRX9…bbPn7lyQtE=
26. Master Server: named.conf
• "key" statement to configure key
key "me-friend." {
  algorithm hmac-md5;
  secret "nEfRX9jxOmzsby8VKRgDWEJorhyNbjt1ebbPn7lyQtE=";
};
• "allow-transfer" option in zone statement indicates which keys are allowed to transfer
– Can be combined with IP based restrictions
– Note: the elements of an address match list are ORed, so an address and a key listed side by side each permit the transfer on their own
zone "example.net" {
  type master;
  file "zones/example.net.";
  allow-transfer { key me-friend.; };
  notify yes;
};
27. Slave Servers: named.conf
• "key" statement to configure the key
key "me-friend." {
  algorithm hmac-md5;
  secret "nEfRX9jxOmzsby8VKRgDWEJorhyNbjt1ebbPn7lyQtE=";
};
• "server" statement to indicate the key used when talking to the master
– Zone configuration doesn't change on the slave server
server 192.168.10.1 {
  keys { me-friend.; };
};
28. Testing & Troubleshooting: dig
• You can use dig to check TSIG configuration
– dig @<server> <zone> AXFR -k <TSIG keyfile>
$ dig @10.0.53.204 example.net AXFR -k Kme-friend.+157+51197.key
• Wrong key will give "Transfer failed" and on the server the security category will log:
security: error: client 193.0.0.182#1228: zone transfer 'example.net/IN' denied
29. Importance of the Time Stamp
• TSIG/SIG0 signs a complete DNS request / response with time stamp
– to prevent replay attacks
– the allowed clock difference ("fudge") is 300 seconds (5 minutes) by default, the value RFC 8945 recommends
• Operational problems when comparing times
– Make sure your local time zone is properly defined
– date -u will give UTC time, easy to compare between the two systems
• Use NTP synchronization!!!
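The exchange of slides 21, 22 and 29 carried out in code, as an added example that is not part of the RIPE NCC course material: a slave signs an AXFR request with the shared secret, and the master verifies the MAC and then the time window, so a tampered message, a replayed message and an unknown key each fail with the TSIG error RFC 8945 prescribes. The example uses hmac-sha256 rather than the course's hmac-md5; the key name "me-friend." and the secret are the ones printed on the slides, while the message ID, the timestamps and the tampering step are constructed.

```python
"""TSIG (RFC 8945) signing and verification of a DNS message with a shared
HMAC secret and a time window.  Added example, not code from the course.
Assumes uncompressed names and a single TSIG RR at the end of the message."""
import base64
import hashlib
import hmac
import struct

TSIG_TYPE = 250
CLASS_ANY = 255
ALG_HMAC_SHA256 = "hmac-sha256."   # mandatory-to-implement in RFC 8945
FUDGE = 300                        # allowed clock skew in seconds ("5 minutes")


def wire_name(name: str) -> bytes:
    """Uncompressed wire form, lower-cased: TSIG names are case-insensitive
    and the MAC is computed over this canonical form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, msg_id: int) -> bytes:
    """Minimal DNS query: 12-byte header plus one question (AXFR is qtype 252)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b"") -> bytes:
    """The TSIG fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)   # class ANY, TTL 0
            + wire_name(alg)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def tsig_sign(message: bytes, keyname: str, secret: bytes, now: int,
              fudge: int = FUDGE) -> bytes:
    """Append a TSIG RR to an unsigned request: MAC = HMAC(secret, message || variables)."""
    variables = tsig_variables(keyname, ALG_HMAC_SHA256, now, fudge)
    mac = hmac.new(secret, message + variables, hashlib.sha256).digest()
    rdata = (wire_name(ALG_HMAC_SHA256)
             + struct.pack("!HIH", now >> 32, now & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + message[:2]                       # original message ID
             + struct.pack("!HH", 0, 0))         # error NOERROR, no other data
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def _read_name(msg: bytes, pos: int):
    """Parse an uncompressed name; returns (name, position after it)."""
    labels = []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def tsig_verify(signed: bytes, keys: dict, now: int):
    """Check the TSIG RR at the end of a message.  Returns (ok, rcode name).
    The signature is checked before the time, as RFC 8945 section 5.2 requires."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "FORMERR"
    pos = 12
    for _ in range(qd):                           # skip the question section
        pos = _read_name(signed, pos)[1] + 4
    for _ in range(an + ns + ar - 1):             # skip every RR before the TSIG
        pos = _read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    keyname, pos = _read_name(signed, pos)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "FORMERR"
    alg, pos = _read_name(signed, pos)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[pos:pos + 10])
    pos += 10
    mac, pos = signed[pos:pos + maclen], pos + maclen
    _orig_id, error, otherlen = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + otherlen]
    secret = keys.get(keyname.lower())
    if secret is None or alg.lower() != ALG_HMAC_SHA256:
        return False, "BADKEY"
    # The MAC covers the message as it was before the TSIG RR was appended.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, alg, time_signed,
                                                           fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo() -> dict:
    """Constructed scenario: the slave signs an AXFR for example.net, the master checks it."""
    secret = base64.b64decode("nEfRX9jxOmzsby8VKRgDWEJorhyNbjt1ebbPn7lyQtE=")  # slide 26
    keys = {"me-friend.": secret}
    t = 1_700_000_000                                # constructed "now"
    query = tsig_sign(build_query("example.net.", 252, 0x1234), "me-friend.", secret, t)
    tampered = query[:13] + bytes([query[13] ^ 0x01]) + query[14:]   # flip a byte of the qname
    return {
        "good": tsig_verify(query, keys, t + 10),
        "tampered": tsig_verify(tampered, keys, t + 10),
        "replayed": tsig_verify(query, keys, t + 3600),
        "wrong key": tsig_verify(query, {"other.": secret}, t + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

`demo()` returns NOERROR for the fresh request, BADSIG once a byte of the question has been changed, BADTIME for the same request presented an hour later, and BADKEY when the master does not know the key name; those are the same outcomes `named` logs when a zone transfer is refused.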
30. Authenticating Servers Using SIG0
• Alternatively its possible to use SIG0
– Not widely used yet
– Works well in dynamic update environment
• Public key algorithm
– Authentication against a public key published in the DNS
• SIG0 specified in RFC 2931
32. DNSSEC Mechanisms
• New Resource Records
• Setting up a Secure Zone
• Delegating Signing Authority
• Key Rollovers
33. Vulnerabilities protected by DNSKEY / RRSIG / NSEC
(the data-flow diagram of slide 9; signed data covers the data-protection paths)
• Cache impersonation
• Cache pollution by data spoofing
• Altered zone data
34. DNSSEC hypersummary
• Data authenticity and integrity by signing the
Resource Records Sets with private key
• Public DNSKEYs used to verify the RRSIGs
• Children sign their zones with their private key
– Authenticity of that key established by
signature/checksum by the parent (DS)
• Ideal case: one public DNSKEY distributed
35. The DNS is not a Public Key
Infrastructure (PKI)
• All key procedures are based on local policy
• A PKI is as strong as its weakest link
– Certificate Authorities control this by SLAs
• The DNS does not have Certificate Revocation
Lists
• If the domain is under one administrative control
you might be able to enforce policy
36. Public Key Crypto
• Key pair: a private (secret) key and a corresponding
public key
• Simplified:
– If you know the public key, you can verify a signature
created with the private key
– If you know the public key, you can encrypt data that can
only be decrypted with the private key
• DNSSEC only uses signatures
– PGP uses both methods
37. Authenticity and Integrity of Data
• Authenticity: Is the data published by the entity we think is authoritative?
• Integrity: Is the data received the same as what was published?
• Public key cryptography helps to answer these questions
– signatures (RRSIG) check both integrity and authenticity of the data
– the authenticity of the key that made the signature (DNSKEY) is in turn established by the parent (DS) or by a configured trust anchor
38. Zone status terminology (RFC 3090)
• Verifiably Secure
– RRset and its RRSIG can be verified with a DNSKEY that can be chased back to a trusted key, the parent has a DS record
• Verifiably Insecure
– RRset sits in a zone that is not signed and for which the parent has no DS record (the parent's signed NSEC proves that the DS is absent)
• BAD
– RRset and its RRSIG can not be verified (somebody messed with the sig, the RRset, or the RRSIG expired)
– A zone and its subzones are BAD when the parent's signature over the child's key (DS) is BAD
• RFC 4033 calls the same three states Secure, Insecure and Bogus
39. New Resource Records
40. New Resource Records
• 3 Public key crypto related RRs
– RRSIG Signature over RRset made using private key
– DNSKEY Public key, needed for verifying a RRSIG
– DS Delegation Signer; ‘Pointer’ for building chains
of authentication
• One RR for internal consistency
– NSEC Indicates which name is the next one in the
zone and which typecodes are available for the
current name
• authenticated non-existence of data
41. Other Keys in the DNS
• DNSKEY RR should only be used for DNSSEC
– keys for other applications should use other RR types
• CERT
– For X.509 certificates (RFC 4398)
• Application keys under discussion/development at the time of this course, since published:
– IPSECKEY (RFC 4025)
– SSHFP (RFC 4255)
42. RR's and RRsets
• Resource Record:
– name TTL class type rdata
www.ripe.net. 7200 IN A 192.168.10.3
• RRset: RRs with same name, class and type:
www.ripe.net. 7200 IN A 192.168.10.3
www.ripe.net. 7200 IN A 10.0.0.3
www.ripe.net. 7200 IN A 172.25.215.2
• RRsets are signed, not the individual RRs
44. RRSIG RDATA
• 16 bits - type covered
• 8 bits - algorithm
• 8 bits - nr. labels covered
• 32 bits - original TTL
• 32 bits - signature expiration
• 32 bits - signature inception
• 16 bits - key tag
• signer's name
• signature field
Example (expiration, inception, key tag and signer's name on the second line; the rest is the signature field):
ripe.net. 3600 IN RRSIG A 5 2 3600 (
  20031104144523 20031004144523 3112 ripe.net.
  VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN
  vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW
  66DJubZPmNSYXw== )
45. Delegation Signer (DS)
• Delegation Signer (DS) RR indicates that:
– the delegated zone is digitally signed
– the indicated key is used for the delegated zone
• Parent is authoritative for the DS of the child's zone
– Not for the NS record delegating the child's zone!
– DS should not be in the child's zone
46. DS RDATA
• 16 bits: key tag
• 8 bits: algorithm
• 8 bits: digest type
• 20 bytes: SHA-1 digest (digest type 1, as in the example; digest type 2, SHA-256 per RFC 4509, is 32 bytes and is what current deployments publish)
$ORIGIN ripe.net.
disi.ripe.net. 3600 IN NS ns.disi.ripe.net.
disi.ripe.net. 3600 IN DS 3112 5 1 (
  239af98b923c023371b52
  1g23b92da12f42162b1a9 )
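The RRSIG key tag, the DS digest and the RRSIG validity window of slides 44 to 46, as an added example that is not course code. The DNSKEY is constructed with four bytes of dummy key material so that the key tag can be checked by hand; the RRSIG text is the one printed on slide 44, whose signature is truncated on the slide, so only its RDATA fields are checked, not the signature itself. The owner names, timestamps and the "example.net." zone used for the DS are assumptions.

```python
"""Key tag (RFC 4034 Appendix B), DS digest (RFC 4034 section 5 / RFC 4509) and
RRSIG time-window checks.  Added example, not code from the course.
The DNSKEY below is constructed and its key material is not a real key."""
import base64
import hashlib
import struct
from datetime import datetime, timezone


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """16-bit checksum over the DNSKEY RDATA (all algorithms except obsolete RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS presentation text: digest over owner name || DNSKEY RDATA.
    Type 1 is SHA-1 (20 bytes, as on slide 46); type 2 is SHA-256 (32 bytes)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = algo(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def rrsig_time(ts: str) -> int:
    """YYYYMMDDHHmmSS (UTC) -> seconds since the epoch, the RRSIG wire encoding."""
    return int(datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())


def serial_lt(a: int, b: int) -> bool:
    """a < b in RFC 1982 serial arithmetic; RFC 4034 section 3.1.5 requires it for
    the 32-bit inception/expiration fields, which wrap in 2106."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31)


def parse_rrsig(text: str) -> dict:
    """Parse RRSIG presentation format (parentheses and line breaks allowed)."""
    f = text.replace("(", " ").replace(")", " ").split()
    assert f[3] == "RRSIG", "not an RRSIG record"
    return {"owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
            "labels": int(f[6]), "original_ttl": int(f[7]),
            "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9]),
            "key_tag": int(f[10]), "signer": f[11], "signature_b64": "".join(f[12:])}


def check_rrsig(sig: dict, key_owner: str, key_rdata: bytes, now: int) -> list:
    """Reasons this RRSIG cannot be validated with this DNSKEY (empty list = usable).
    Only the RDATA-level checks are done; the cryptographic verification needs the
    public-key algorithm and is not part of this example."""
    problems = []
    if sig["signer"].lower() != key_owner.lower():
        problems.append("signer name does not match DNSKEY owner")
    if sig["key_tag"] != key_tag(key_rdata):
        problems.append("key tag mismatch")
    if sig["algorithm"] != key_rdata[3]:
        problems.append("algorithm mismatch")
    if serial_lt(now, sig["inception"]):
        problems.append("signature not yet valid")
    if serial_lt(sig["expiration"], now):
        problems.append("signature expired")
    return problems


# The RRSIG printed on slide 44 (signature truncated on the slide).
SLIDE_RRSIG = ("ripe.net. 3600 IN RRSIG A 5 2 3600 ( 20031104144523 20031004144523 3112 ripe.net. "
               "VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW "
               "66DJubZPmNSYXw== )")
# Constructed DNSKEY: KSK flags 257, protocol 3, algorithm 8, dummy key bytes 01 02 03 04.
EXAMPLE_KEY = dnskey_rdata(257, 3, 8, "AQIDBA==")


def demo() -> dict:
    sig = parse_rrsig(SLIDE_RRSIG)
    return {"key_tag": key_tag(EXAMPLE_KEY),
            "ds": ds_rdata("example.net.", EXAMPLE_KEY),
            "rrsig_problems": check_rrsig(sig, "ripe.net.", EXAMPLE_KEY,
                                          rrsig_time("20031020120000"))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

For the constructed key the tag works out to 2063 (sum of the even bytes shifted left by eight plus the odd bytes, folded to 16 bits); the DS line for it is what the parent would publish, and `check_rrsig` reports the same key-tag and algorithm mismatches a validator would when it tries to pair the slide's RRSIG with the wrong DNSKEY.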
47. NSEC RDATA
• Points to the next domain name in the zone
– also lists what are all the existing RRs for “name”
– NSEC record for last name “wraps around” to first name
in zone
• N*32 bit type bit map
• Used for authenticated denial-of-existence of data
– authenticated non-existence of TYPEs and labels
• Example:
www.ripe.net. 3600 IN NSEC ripe.net. A RRSIG NSEC
48. NSEC Record example
(RRSIG records removed for brevity)
$ORIGIN ripe.net.
@        SOA    .....
         NS     ns.ripe.net.
         DNSKEY .....
         NSEC   mailbox.ripe.net. SOA NS NSEC DNSKEY RRSIG
mailbox  A      192.168.10.2
         NSEC   www.ripe.net. A NSEC RRSIG
www      A      192.168.10.3
         TXT    "Public RIPE & RIPE NCC webserver"
         NSEC   ripe.net. A NSEC RRSIG TXT
'popserver' is missing
• Query for "popserver.ripe.net" would return:
aa bit set, RCODE=NXDOMAIN
authority: mailbox.ripe.net. NSEC www.ripe.net. A NSEC RRSIG
– a validator also needs the apex NSEC (ripe.net. NSEC mailbox.ripe.net.) to prove that no wildcard *.ripe.net. could have matched
• Query for "www.ripe.net MX" would return: an empty answer section and the "www NSEC" record in the authority section
49. NSEC records
• If the data you query for does not exist in a zone, the NSEC RR provides proof of non-existence
• If after a query the response is:
– NXDOMAIN: One or more NSEC RRs indicate that the name or a wildcard expansion does not exist
– NOERROR and empty answer section: The NSEC TYPE array proves that the QTYPE did not exist
• More than 1 NSEC may be required in response
– wildcards
• NSEC records are generated by tools
– they also lexicographically order the zone
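The two negative answers of slides 48 and 49 checked the way a validating resolver checks them, as an added example that is not course code. It uses the three NSEC records from slide 48 as constructed input, implements the canonical ordering of RFC 4034 section 6.1 (labels compared right to left, case-insensitively, with "*" sorting before letters), and for NXDOMAIN also demands the second NSEC that covers the wildcard at the closest encloser, as RFC 4035 requires. The "BOGUS" and "out of zone" labels for incomplete or inapplicable proofs are the example's own.

```python
"""NSEC denial-of-existence checks over the zone of slide 48 (RRSIGs omitted).
Added example, not course code.  Constructed input: the three NSEC records
from the slide as (owner, next owner, types present at owner)."""

SLIDE_NSECS = [
    ("ripe.net.", "mailbox.ripe.net.", {"SOA", "NS", "NSEC", "DNSKEY", "RRSIG"}),
    ("mailbox.ripe.net.", "www.ripe.net.", {"A", "NSEC", "RRSIG"}),
    ("www.ripe.net.", "ripe.net.", {"A", "NSEC", "RRSIG", "TXT"}),
]


def canonical_key(name: str):
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared right to
    left, case-insensitively, as unsigned octet strings; a missing label sorts first
    (Python compares the tuples exactly that way)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def is_subdomain(name: str, apex: str) -> bool:
    a = canonical_key(apex)
    return canonical_key(name)[:len(a)] == a


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next_name.  The last NSEC of a
    zone points back to the apex, so its interval wraps around."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def closest_encloser(nsecs, apex: str, qname: str) -> str:
    """Longest ancestor of qname that exists in the zone (here: owns an NSEC)."""
    owners = {o.lower() for o, _, _ in nsecs}
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate.lower() in owners:
            return candidate
    return apex


def prove_nonexistence(nsecs, apex: str, qname: str, qtype: str):
    """Classify a negative answer and return the NSEC(s) that prove it.
    NODATA:   an NSEC owned by qname whose type bit map lacks qtype.
    NXDOMAIN: an NSEC covering qname plus one covering *.<closest encloser>,
              because a wildcard could otherwise have synthesised the name."""
    if not is_subdomain(qname, apex):
        return "out of zone", []
    by_owner = {o.lower(): (n, t) for o, n, t in nsecs}
    if qname.lower() in by_owner:
        nxt, types = by_owner[qname.lower()]
        if qtype.upper() in types:
            return "exists", []
        return "NODATA", [(qname, nxt)]
    name_proof = [(o, n) for o, n, _ in nsecs if nsec_covers(o, n, qname)]
    wildcard = "*." + closest_encloser(nsecs, apex, qname)
    wildcard_proof = [(o, n) for o, n, _ in nsecs
                      if nsec_covers(o, n, wildcard) and (o, n) not in name_proof]
    proof = name_proof + wildcard_proof
    if name_proof and (wildcard_proof or any(nsec_covers(o, n, wildcard) for o, n in name_proof)):
        return "NXDOMAIN", proof
    return "BOGUS", proof        # incomplete proof: a validator must not trust the answer


if __name__ == "__main__":
    for q, t in (("popserver.ripe.net.", "A"), ("www.ripe.net.", "MX"), ("zzz.ripe.net.", "A")):
        print(q, t, prove_nonexistence(SLIDE_NSECS, "ripe.net.", q, t))
```

For "popserver.ripe.net A" the function returns NXDOMAIN with the mailbox-to-www NSEC from the slide and, in addition, the apex NSEC that covers "*.ripe.net."; for "www.ripe.net MX" it returns NODATA with the www NSEC alone, because the name exists and its type bit map simply lacks MX. A name sorting after "www" is caught by the wrap-around interval of the last NSEC, and a name outside the zone is rejected before any interval check, which is the mistake a naive "between" comparison would make.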
51. Setting up a secure Zone
52. Securing a Zone
1. Generate keypair
– include public key (DNSKEY) in zone file
2. Sign your zone; signing will:
– sort the zone
– Insert:
• NSEC records
• RRSIG records (signature over each RRset)
• DS records (optional)
– generate key-set file (can be used later)
53. Securing a Zone - continued
3. Publish Signed Zone
4. Configure Forwarding Resolver
5. Test
6. Distribute your public key (DNSKEY) to those that
need to be able to trust your zone
– Key-set or DS-set for Parent
54. Setting up a secure Zone: Generating keys
55. Toolbag: dnssec-keygen
• dnssec-keygen to generate keys
dnssec-keygen -a alg -b bits -n type [options] name
• algorithm: RSASHA1 (or RSA or DSA) at the time of this course
– RFC 8624 now lists RSASHA1 as NOT RECOMMENDED and DSA as MUST NOT for signing; use RSASHA256, ECDSAP256SHA256 or ED25519 in new deployments
• Bitsize: depends on algorithm, key function, paranoia level (the 1024-bit RSA key of the next slide is no longer considered adequate)
• type: zone
• Name: zone you want to sign
• '-r /dev/urandom' might be needed
56. Creating keys
$ dnssec-keygen -a RSASHA1 -b 1024 -n zone example.net.
Kexample.net.+005+20704
$
• Two files are created:
– Kexample.net.+005+20704.key
• contains the public key
• should go into the zone file
– Kexample.net.+005+20704.private
• contains the private key
• should be kept secret!!!
57. Setting up a secure Zone: Signing & publishing
58. Only authoritative records are signed
• NS records for the zone itself are signed
• NS records for delegations are not signed
– DS RRs are signed!
• Glue is not signed
59. Preparing the zonefile
• Include the public keys in the zonefile:
– cat Kexample.net.+005+20704.key >> example.net
• Use named-checkzone
• Increase the SOA serial number
– Always increase the SOA serial before signing!
60. Sign the zone
dnssec-signzone [options] zonefile [ZSKs]
• If the zonefile name is not the zone name:
– use the -o <origin> option
• The signed zonefile is called "zonefilename.signed"
• A keyset file is created as a bonus…
– ready to go to the parent
• To create DS records from keyset files:
– use the -g option
61. Publishing the signed zone
• Edit named.conf:
zone "example.net" {
    type master;
    file "zones/example.net.signed";
    allow-transfer { 10.1.2.3; key mstr-slave.example.net.; };
    notify yes;
};
• Use named-checkconf
• Reload the zone
• Test
62. Setting up a secure Zone: Resolver configuration
63. Setting up a verifying resolving name server
• To verify the content of a zone:
– Get the public (key signing) key and check that this key belongs to the zone owner
• Configure the keys you trust as secure entry points in named.conf:
trusted-keys {
    "example.net." 256 3 1 "AQ…QQ==";
};
64. Setting up a secure Zone: Testing the secure zone
65. Testing a verifying forwarder
dig +dnssec [@server] record [TYPE]
• The answer flags are relevant
• Example query to an authoritative nameserver:
; <<>> DiG 9.1.1 <<>> +dnssec @193.0.0.202 www.example.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1947
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4
– aa: authoritative answer
– rd: recursion desired (but not available, RA is not set)
– no ad flag: not authenticated!
66. Testing a verifying forwarder
dig: an example
; <<>> DiG 9.3.0s20020122 <<>> +dnssec @127.0.0.1 example.net NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31630
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, udp= 4096
– EDNS with DNSSEC requested: "use DNSSEC, if you can"
;; QUESTION SECTION:
;example.net. IN NS
;; ANSWER SECTION:
example.net. 600 IN NS ns1.example.net.
example.net. 600 IN NS ns2.example.net.
example.net. 600 IN SIG NS 1 2 600 20020314134313 20020212134313 47783 example.net.
DVC/ACejHtZylifpS6VSSqLa15xPH6p33HHmr3hC7eE6/QodM6fBi5z3
fsLhbQuuJ3pCEdi2bu+A0duuQlQMiHPvrkYia4bKmoyyvWHwB3jcyFhW
lV4YOzX/fgkLUmu8ysGOiD9C0CkSvNSE6rBCzUa3hfkksHt4FBsuA1oQ
yoc=
– ad flag: Authenticated Data
67. Troubleshooting: client side
• dig returns status: SERVFAIL
• First try without +dnssec
• Also try with +dnssec +cdflag
– Checking is disabled; data is forwarded directly
• Be ready for some interesting troubleshooting
68. Troubleshooting: server side
• Turn on logging. Category "dnssec" with severity debug 3 gives you appropriate hints
• Debug output is a little detailed
– On the next page is an example where we corrupted the trusted-key
– It is not directly obvious what the problem is
– We edited the output a little so that it fits on a slide
69. Example Debugging Output (partial)
validating sub.tld KEY: in dsvalidated
validating sub.tld KEY: dsset with trust 7
validating sub.tld KEY: verify rdataset: success
validating sub.tld KEY: marking as secure
validator @0x81b53d0: dns_validator_destroy
validating b1.sub.tld A: in fetch_callback_validator
validating b1.sub.tld A: keyset with trust 7
validating b1.sub.tld A: resuming validate
validating b1.sub.tld A: verify rdataset: success
validating b1.sub.tld A: marking as secure
validator @0x81b9e70: dns_validator_destroy
71. Delegating Signing Authority: chains of trust
72. Locally Secured Zones
• Key distribution does not scale!
[Figure: a DNS tree with . at the top, com. and net. below it, money.net., os.net. and kids.net. under net., and further subzones (corp, dop, mac, unix, nt, marnick, dev, market, dilbert); several zones are marked as secure entry points, with out-of-band key exchanges between the secured islands]
73. Using the DNS to Distribute Keys
• Secured islands make key distribution problematic
• Distributing keys through DNS:
– Use one trusted key to establish authenticity of other keys
– Building chains of trust from the root down
– Parents need to sign the keys of their children
• Ideal world:
– only the root key needs to be configured
– parents always delegate security to child
74. DS RRs for delegation
• Parent is authoritative for the DS record
– It should not appear in the child's zonefile
• DS resource records are used for Delegation of
Security
• DS is not backwards compatible with RFC2535
• Eases resigning
– parent can sign often => short signature lifetime =>
shorter impact time when key gets compromised
75. Key problem
• Interaction with the parent is administratively expensive
– Should only be done when needed
– Bigger keys are better
• Signing zones should be fast
– Memory restrictions
– Space and time concerns
– Smaller keys with short lifetimes are better
76. Key functions
• Large keys are more secure
– Can be used longer ☺
– Large signatures => large zonefiles
– Signing and verifying computationally expensive
• Small keys are fast
– Small signatures ☺
– Signing and verifying less expensive ☺
– Short lifetime
77. Key solution: more than one key
• RRsets are signed, not individual RRs
• DS points to specific key
– Signature from that key over DNSKEY RRset transfers
trust to all keys in DNSKEY RRset
• Key that DS points to only signs DNSKEY RRset
– Key Signing Key (KSK)
• Other keys in DNSKEY RRset sign entire zone
– Zone Signing Key (ZSK)
78. Initial Key Exchange
• Child needs to:
– Send key signing keyset to parent
• Parent needs to:
– Check the child's zone
• for DNSKEY & RRSIGs
– Verify if key can be trusted
– Generate DS RR
79. Delegating Signing Authority
• Parent signs the DS record pointing to the key signing key
[Diagram: parent zone net. beside child zone kids.net.; the parent's DS for kids points to the child's key signing key (1234), the zone signing key (3456) signs the child's data]
$ORIGIN net.
kids    NS      ns1.kids
        DS      (…) 1234
        RRSIG   DS (…) net.
money   NS      ns1.money
        DS      (…)
        RRSIG   DS (…) net.

$ORIGIN kids.net.
@       NS      ns1
        RRSIG   NS (…) kids.net.
        DNSKEY  (…) (1234)              ; key signing key
        DNSKEY  (…) (3456)              ; zone signing key
        RRSIG   DNSKEY … 1234 kids.net. …
        RRSIG   DNSKEY … 3456 kids.net. …
beth    A       127.0.10.1
        RRSIG   A (…) 3456 kids.net. …
ns1     A       127.0.10.3
        RRSIG   A (…) 3456 kids.net. …
• The parent is authoritative for the DS RR of its children
80. Chain of Trust Verification, Summary
• Data in zone can be trusted if signed by a
Zone-Signing-Key
• Zone-Signing-Keys can be trusted if signed by
a Key-Signing-Key
• Key-Signing-Key can be trusted if pointed to by
trusted DS record
• DS record can be trusted
– if signed by the parent's Zone-Signing-Key
or
– DS or DNSKEY records can be trusted if exchanged
out-of-band and locally stored (Secure entry point)
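As an added example (not the course's own code), the DS generation from slide 78 and the "KSK can be trusted if pointed to by a trusted DS" step of the summary above, in Python: key_tag and make_ds compute what the parent publishes from the child's DNSKEY, and trusted_ksks performs the chain-of-trust check. The key material is a constructed placeholder, not real RSA key data; only the zone names come from the slides.

```python
import hashlib
import struct
from typing import List, Tuple

# (flags, protocol, algorithm, public key bytes); the public key bytes below are
# a constructed placeholder, not real key material.
DNSKEY = Tuple[int, int, int, bytes]
KSK: DNSKEY = (257, 3, 8, b"\x01\x02\x03\x04")   # flags 257: SEP bit set, key signing key
ZSK: DNSKEY = (256, 3, 8, b"\x05\x06\x07\x08")   # flags 256: zone signing key
DS = Tuple[int, int, int, str]                    # (key tag, algorithm, digest type, hex digest)

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: length-prefixed lowercase labels, root last."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(key: DNSKEY) -> bytes:
    flags, proto, alg, pub = key
    return struct.pack("!HBB", flags, proto, alg) + pub

def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words and fold the carry in.
    Algorithm 1 (RSA/MD5) keys used a different rule, so they are refused here."""
    if key[2] == 1:
        raise ValueError("key tag for algorithm 1 is computed differently")
    rdata = dnskey_rdata(key)
    if len(rdata) % 2:                  # odd length: pad with a zero byte
        rdata += b"\x00"
    ac = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, key: DNSKEY) -> DS:
    """The record the parent generates and signs: SHA-256 (digest type 2) over the
    child's owner name in wire format followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_rdata(key)).hexdigest()
    return key_tag(key), key[2], 2, digest

def trusted_ksks(owner: str, ds_set: List[DS], dnskey_set: List[DNSKEY]) -> List[DNSKEY]:
    """Chain-of-trust step: keep only the DNSKEYs a trusted DS points to. Key tag and
    algorithm are cheap pre-filters; the digest is what actually has to match."""
    return [k for k in dnskey_set
            if any(d[2] == 2 and d[0] == key_tag(k) and d[1] == k[2]
                   and make_ds(owner, k) == d for d in ds_set)]
```

The same DS presented for a different owner name (money.net. instead of kids.net.) fails the digest check even though key tag and algorithm match, which is why the owner name is part of the digest input.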
85. Private Key Compromise
• You have to keep your private key secret
• Private key can be stolen
– Put the key on stand-alone machines or on bastion
hosts behind firewalls and strong access control
• Private key reconstruction (crypto analysis)
– random number not random
– Leakage of key material (DSA)
– Brute force attacks
86. Key Rollovers
• Try to minimize impact
– Short validity of signatures
– Regular key-rollover
• Remember: DNSKEYs do not have timestamps
– the RRSIG over the DNSKEY has the timestamp
• Key rollover involves 2nd party or parties:
– State to be maintained during rollover
– operationally expensive
87. Key Rollover (part 1)
• Scheduled rollover of the child's Key Signing Key
• Child replaces key-1 with key-2 and wants the parent to sign it
$ORIGIN kids.net.
@       NS      ns1
        DNSKEY  (…) (1)
        DNSKEY  (…) (2)                 ; a)
        DNSKEY  (…) (5)
        RRSIG   KEY (…) kids.net. 1
        RRSIG   KEY (…) kids.net. 2     ; b)
        RRSIG   KEY (…) kids.net. 5
ns1     A       127.0.10.3
        RRSIG   A (…) kids.net. 5

$ORIGIN net.                            ; parent zone
kids    NS      ns1.kids
        DS      (…) 1
        RRSIG   DS (…) net.
a) Create key 2
b) Sign the key-set with key 1 and key 2, and send key 2 to the parent
88. Key Rollover (part 2)
c) Parent generates and signs the DS record
d) Child signs its zone with only key 2, once the parent has updated its zone
$ORIGIN kids.net.
@       NS      ns1
        DNSKEY  (…) 2
        DNSKEY  (…) 5
        RRSIG   KEY (…) kids.net. 2
        RRSIG   KEY (…) kids.net. 5
ns1     A       127.0.10.3
        RRSIG   A (…) kids.net. 5

$ORIGIN net.                            ; parent zone
kids    NS      ns1.kids
        DS      (…) 2
        RRSIG   DS (…) net.
89. Timing of the Scheduled Key Rollover
• Child should not remove the old key while there
are still servers handing out the old DS RR.
• The new DS will need to be distributed to the slave
servers
– max time set by the SOA expiration time
• The old DS will need to have expired from caching
servers.
– Set by the TTL of the original DS RR.
• You (or your tool) can check if the master and
slave have picked up the change
90. Unscheduled Rollover Problems
• Needs out of band communication
– with parent and pre-configured resolvers
• The parent needs to establish your identity again
• How to protect child delegations?
– unsecured?
• There will be a period that the stolen key can be
used to generate data useful on the Internet
– There is no ‘revoke key’ mechanism
• Emergency procedure must be on the shelf
91. Key Rollover - Summary
1. Generate new KSK
2. Sign with old and new KSKs
3. Inform any resolvers that have you as a trusted entry point
of the new key
– trusted-keys configuration
4. Query for the parental DS and remember the TTL
– you will need it later
5. Upload the new KSK to the parent
– The parent will generate a new DS RR.
6. Check if *all* parental servers (slaves and masters)
picked up the change
7. Wait another TTL before removing the old key
94. .nl trial 2003
• ~800.000 delegations
• 40 MB unsigned, 350+ MB signed
– .com grows to 10 Gigabyte!
– unsigned .se ~9 MB, signed .se ~32 MB
• Daily signing: ~1.5 hours
• Loading: ~15 minutes
• Very few NXT (NSEC) walks (rate limiting)
95. Tips…
• Sort zone before signing
– speeds up the signing process
• If signed zone > 3 Gigabytes: 64 bit architecture
• DNSSEC Deployment Working Group
– http://www.sdl.sri.com/other/dnssec/
• DNSSEC deployment in .nl
– http://www.nlnetlabs.nl/dnssec/
96. Signing the Root
• 3 Organisations check root zone; who signs?
– IANA/ICANN
– Department of Commerce
– Verisign
• How many keys?
– N of M system for trust?
97. Resolver Issues
• DNSSEC is not in POSIX yet
– e.g. gethostbyname() or getnameinfo()
• SIG verification is (only) done by caching forwarders
• To test DNSSEC setups, you have to work with dig, or use the BIND lwresolver library
• Alternatively: write some tools in Perl
– (Net::DNS and Net::DNS::SEC)
98. End User Side
• Local verifying/recursive server trusted?
– TSIG for queries?
– IPSec?
– Enhance stub resolver functionality?
• How much information needed?
– AD bit enough?
– Verifier built in to programs?
99. Wish List
• Public and private key management tools
• Provisioning tools
• Secure Islands public keys distribution
• API & protocol to communicate validation results
• Killer App that relies on DNSSEC
• Documentation/training/tools in order to reduce
costs
101. What Did We Cover
• DNSSEC provides a mechanism to protect DNS
• DNSSEC implementation:
– TSIG for communication between servers
– RRSIG, DNSKEY and NSEC for data
– DS for delegating trust
• DNSSEC main difficulties:
– Key distribution
– Chicken & Egg
102. Back at the ranch
• Design a secure architecture
• Design a key exchange procedure
• Resign your zone regularly
• Automate the process (cron and Makefiles)
• Have an emergency procedure in place
103. Thank You!
• Please
– Fill out questionnaire
– Return badges for recycling
– Pick up your certificate
• Slides and other DNSSEC material at:
www.ripe.net/training/dnssec/
• Feedback on this tutorial.
– Suggestions: training@ripe.net
105. Additional Resources
• http://www.nlnetlabs.nl/dnssec/
• http://www.dnssec.net/
• http://www.ripe.net/disi/
• Papers from the 5th USENIX UNIX Security
Symposium, Salt Lake City, Utah, June 1995
– P. Vixie: DNS and BIND Security Issues
• http://www.usenix.org/publications/library/proceedings/security95/vixie.html
– S. Bellovin: Using the DNS for Break-ins
• http://www.usenix.org/publications/library/proceedings/security95/bellovin.html
106. Related mailing lists
• dnssec@cafax.se
– operators and developers working on dnssec
• namedroppers@ops.ietf.org
– DNSEXT IETF working group (DNS protocol
development)
• dnsop@cafax.se
– DNSOP IETF working group (operational DNS issues)
• techsec@ripe.net
– RIPE Technical Security working group
• dns-wg@ripe.net
– RIPE DNS working group
107. TSIG for dynamic updates
• You can use TSIG or SIG0 to protect your
dynamic updates
• Detailed howto at: http://ops.ietf.org
– title: “Secure dynamic DNS howto”
• Steps for TSIG dynamic update of forward tree:
– Configure your TSIG key into /etc/dhclient.conf and
specify the FQDN
– Configure named.conf to allow updates using the key
108. TSIG for dynamic updates: client side
• /etc/dhclient.conf
send fqdn.fqdn "laptop.example.net.";
send fqdn.encoded on;           # send in DNS wire format
send fqdn.server-update off;    # tell the DHCP server not to update the A record
key me-friend. {
    algorithm HMAC-MD5;
    secret "ic…==";
}
zone example.net. {
    primary 193.0.0.4;
    key me-friend.;
}
109. TSIG for dynamic updates: server side
• /etc/named.conf:
key me-friend. {
    algorithm HMAC-MD5;
    secret "ic…==";
};
zone "example.net" {
    type master;
    file "zones/example.net.signed";
    notify yes;
    allow-transfer { key tsig.example.net.; };
    update-policy {
        grant me-friend. name laptop.example.net;
    };
};