DNSSEC secures the Domain Name System (DNS) by adding digital signatures that guarantee the authenticity and integrity of DNS data, protecting against attacks such as cache poisoning: a validating resolver uses the zone's published public keys to check that a response has not been tampered with and that the data really originates from the authoritative name server.
A lunch lecture was given at Differ (www.differ.nl) about another method of sequestering CO2. Olivine is one of the minerals that can be used for this application. The lecture details three routes for CO2 sequestration, with a focus on the development of process intensification, which would raise the geological reaction rate to process-engineering time scales.
The proposed process has a parallel in the "VerTech process" established in the 1990s in Apeldoorn (the Netherlands).
The lecture went from the global scale (focusing on the amounts of CO2 involved) down to the atomic scale.
Ring: a cache interface close to the programming language
#
Suppose we need to add an item to a user.
In a language without classes we would probably write code like user_add_item(user, item).
There would probably also be user_delete_item and user_clear_items.
But since we are Python programmers, we usually write code like user.add_item(item).
#
Now suppose there is a function that fetches the items belonging to a user, and that this function caches its result.
We could write code like user.get_items(), or like user.get_cached_items(storage).
The list of items has been updated. Now the cache must be invalidated.
We would probably have to create code like user.invalidate_items() or user.delete_cached_items(storage).
In Ring, you call user.get_items.delete().
#
Ring starts from this idea.
An overview of Net::Amazon::EC2 and Net::RackSpace::Servers. You can find the presentation with notes here: http://polettix.s3.amazonaws.com/IPW2011/nubilus-perl-1.1-note.pdf
Presented by Gregg Donovan, Senior Software Engineer, Etsy.com, Inc.
Understanding the impact of garbage collection, both at a single-node and at a cluster level, is key to developing high-performance, high-availability Solr and Lucene applications. After a brief overview of garbage collection theory, we will review the design and use of the various collectors in the JVM.
At a single-node level, we will explore GC monitoring: how to understand GC logs, how to monitor what percentage of your Solr request time is spent on GC, how to use VisualGC, YourKit, and other tools, and what to log and monitor. We will review GC tuning and how to measure success.
At a cluster level, we will review how to design for partial availability: how to avoid sending requests to a GCing node and how to be resilient to mid-request GC pauses. For application development, we will review common memory leak scenarios in custom Solr and Lucene application code and how to detect them.
PuppetCamp SEA @ Blk 71 - Nagios in under 10 mins with Puppet, by OlinData
Choon Ming, senior consultant at OlinData, gave an overview of how Puppet complements Nagios, and how you can make Puppet work with Nagios in under 10 minutes.
AEP Networks Keyper HSM & ICANN DNSSEC, by Chin Wan Lim
SecureMetric's partner AEP Networks presented at the ISOC Malaysian chapter DNSSEC Awareness Campaign.
The slides detail AEP Networks' involvement in protecting the root of the Internet.
ION Toronto, 11 November 2013: What is DNSSEC and why is it so important? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet.
DNSSEC - Domain Name System Security Extensions, by Peter R. Egli
Overview of DNSSEC protocol.
DNS is a pivotal piece of infrastructure in TCP/IP-based networks. An outage of the DNS system would bring entire networks to a grinding halt.
When DNS was devised in the early days of the Internet, security was not a concern. Plain DNS is therefore unprotected and offers many attack vectors.
Common attacks are DNS cache poisoning, i.e. inserting false entries into resolver caches so that unsuspecting users are diverted to a malicious server, and man-in-the-middle attacks.
To secure DNS, an extension was defined in the form of DNSSEC. It uses digital signatures over the DNS data so that a validating resolver can verify that a response is legitimate.
The adoption rate of DNSSEC is still slow, but is gradually picking up speed.
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015), by Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
OSGi is becoming the technology of choice for modular and dynamic applications in many realms. One of those is the area of device-based software, which brings along its own set of characteristics and challenges. In this session, we will focus on remote management and the software evolution accompanying a large number of devices 'in the field', with ever-changing requirements, deployment scenarios, and device configurations. We'll present the case of a company which uses OSGi as the foundation for their modular device software, and the challenges they faced during their journey from small-scale pilot deployments all the way to large commercial roll-outs.
As presented at Confoo 2013.
More than some arcane NoSQL tool, Redis is a simple but powerful swiss army knife you can begin using today.
This talk introduces the audience to Redis and focuses on using it to cleanly solve common problems. Along the way, we'll see how Redis can be used as an alternative to several common PHP tools.
Scientists' lives revolve around data. But what if I told you that to present to non-experts, you need to forget most of it? This presentation shows what we should be presenting and how to present it to get our message across.
Using Apache ACE as a distribution and management platform for a large--and growing-- number of embedded devices in the field.
I used this presentation at Apachecon NA 2010.
I'm more about story and images than about text on slides, you can try to follow along here.
What the !@#$ is UX? A fun and concise introduction, by Sean Buch
An entertaining intro to the field of UX, that I presented at Entelect Dev 2018. This talk was centered around the practical applications of UX principles such as Gestalt and heuristics to enable non-UX professionals, mainly software engineers to use learnings from UX in their day to day roles.
What makes your code slow? How do you make it faster? And how do you prove it?
This talk will describe my adventures benchmarking and optimizing ordered hashes in Perl, culminating in the release of Hash::Ordered (http://p3rl.org/Hash::Ordered) — which outperforms all other CPAN alternatives, often by a substantial margin. We will cover:
* How to customize Benchmark.pm
* How and why to benchmark at different scales
* Why tied anything in Perl is a horrible idea
* How ordered hashes got faster from a simple algorithm change
Teaching Your Machine To Find Fraudsters, by Ian Barber
The slides from my talk at PHP Tek 11.
When dealing with money online, fraud is an ongoing problem for both consumers and sellers. Researchers have been developing statistical and machine learning techniques to detect shady sellers on auction sites, spot fraudulent payments on e-commerce systems and catch click fraud on adverts. While there is no silver bullet, you will learn to flag suspicious activity and help protect your site from scammers using PHP and a little help from some other technologies.
Getting Other People to Care - Social Media Breakfast CT, by CauseShift
Scott Henderson, managing director of CauseShift, presented at the Social Media Breakfast Connecticut December meeting at Quinnipiac University. He focused on how organizations and people can use social media to engage others in causes they care about.
Slow Database in your PHP stack? Don't blame the DBA!, by Harald Zeitlhofer
Your users complain about the bad performance of your app or website? Developers blame the database? How can we find the cause for the performance hotspot?
Far too often the database is held responsible for performance or scalability problems. It seems to be the main contributor to the overall web request response time. However, in many cases it's not the database itself, but the way the application is using the database! Too many database statements, inefficient queries and poor index selection are among the common problem patterns.
Based on real life examples, you will learn how to approach performance problems, how to figure out if the database is really to blame and how to end the finger pointing between developers and DBAs.
Slides from my talk at PHP conference Asia 2016 in Singapore
UiPath Test Automation using UiPath Test Suite series, part 6, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor..., by Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Removing Uninteresting Bytes in Software Fuzzing, by Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries: Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns, and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
How to Get CNIC Information System with Paksim Ga.pptx, by danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor..., by SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Communications Mining Series - Zero to Hero - Session 1, by DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
4. Domain Name System (DNS)
• The Internet works with IP addresses (similar to telephone numbers)
  – Example: 200.1.123.3
• A DNS server is like a "phone guide" that remembers the IP address for a name
  – Example: www.nic.cl → 200.1.123.3
• This guide (database) is hierarchical and distributed
5. How DNS works
[Figure: a client that wants http://www.uchile.cl/index.html asks its caching resolver for www.uchile.cl. The resolver asks a root DNS server (¿cl?), the authoritative server for cl, ns.nic.cl (¿www.uchile.cl?), and the authoritative server for uchile.cl, ns1.uchile.cl; it stores the answer in its cache with its expiration time and returns the address, after which the client sends GET index.html to the web server.]
7. Motivation to implement security into DNS
• "Normal" DNS has no means to guarantee the authenticity of the information
• Nor can it guarantee the integrity of the information
• It is a highly distributed database
  – There is no centralized agent for verification
  – There are several points of failure
8. Security problems in DNS
[Figure: the same lookup as in slide 5, but an attacker host evil.uchile.cl (6.6.6.0) injects a forged answer for www.uchile.cl that appears to come "from 200.1.123.4", the address of the legitimate server. The resolver caches 6.6.6.0 for www.uchile.cl and the client sends GET index.html to the attacker instead of to the real web server.]
9. DNS data flow
[Figure: zone data is produced at zone generation (the zone file with records such as the SOA, NS and A records of nic.cl) and loaded into the master server; dynamic updates also modify the master; the master transfers the zone to the secondaries; resolvers query the master and secondaries; and the stub resolver (the application library) queries the resolver.]
10. Vulnerabilities
[Figure: the data flow of slide 9 annotated with where each attack applies: data corruption at zone generation and on the master; unauthorized dynamic updates to the master; supplanting (impersonation) of the secondaries and of the resolver towards the stub resolver; cache poisoning of the resolvers. The zone generation, master and secondaries are grouped under "Server Security"; the data as seen by resolvers and stub resolvers is grouped under "Data Security", which is the part DNSSEC addresses.]
11. DNS Security Extensions (DNSSEC)
• Guarantees data authenticity and integrity
  – Introduces digital signatures
• Uses chains of trust from the root down to the requested domain
• Introduces considerable extra complexity into the processes
12. Digital Signature
[Figure: Bob creates a key pair (a private key and a public key). Alice receives the message "I love you!" from Bob and wonders: mmm... how can I be sure that the message comes from Bob (and that nobody has changed it)? Bob signs the message with his private key, and Alice verifies the signature with Bob's public key.]
13. How DNSSEC works?
[Figure: the lookup of slide 5 with DNSSEC. The root zone publishes a DS record for cl, and the cl zone (ns.nic.cl) publishes a DS record for uchile.cl; each zone signs its own data with its keys. Starting from the root key, the resolver follows root → cl → uchile.cl, checking each DS record against the child zone's key and each answer's signature, before accepting the address of www.uchile.cl from ns1.uchile.cl and letting the client send GET index.html.]
14. Some facts about digital signatures
• All the security resides in the private key
• The strength of a key is defined by the time needed to break it
  – The bigger the key, the longer it can live (it is harder to break)
• Creating a key pair is computationally expensive
• Generating a digital signature is computationally expensive (the cost grows steeply with the key size)
  – The existing domains are pre-signed
  – What about the non-existing domains?
15. Non existing domains
Normal DNS: the query ¿existsfake.nic.cl? to ns.nic.cl is simply answered with NXDOMAIN.
DNSSEC: the names of the zone are kept in alphabetic order (..., exists.nic.cl, existstoo.nic.cl, www.nic.cl, ...) and the signed NXDOMAIN answer carries the record for the interval ] exists.nic.cl , existstoo.nic.cl [, which proves that no name lies between those two.
¡Consequence! With several requests for non-existing domains we can learn the full zone (walking the zone).
16. Non existing domains
New extension: NSEC3, solves "walking the zone"
Every name m is replaced by its one-way hash H(m) (for example 635EA8F7CD9A76EEF610B1...), and the chain is kept in alphabetic order of the hashes instead of the names.
The query ¿existsfake.nic.cl? to ns.nic.cl is answered with NXDOMAIN plus the record that covers H(existsfake.nic.cl), i.e. the interval ] H(www.nic.cl) , H(mail.nic.cl) [ in hash order, so the answer no longer reveals the real neighbouring names.
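The mechanisms compared on slides 15 and 16, as an added example that is not part of the NIC Chile slides: walking a zone through its NSEC "next name" pointers, the NSEC3 name hash of RFC 5155, and the covering-interval check a validator applies to either chain. It uses only the Python standard library; the zone nic.cl below is constructed for the example (the names come from the slides, the record contents are invented), and RFC 5155 Appendix A lists reference hashes for salt aabbccdd with 12 iterations if you want to compare the hash function against a published value.

```python
# Added example, not code from the NIC Chile slides: NSEC zone walking (slide 15),
# the NSEC3 hash of RFC 5155 (slide 16) and the "covering interval" check that a
# validator applies to either chain. Standard library only; the zone below is constructed.
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # base32hex alphabet, lowercase as in RFC 5155


def name_to_wire(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, terminating root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def canonical_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 6.1): labels compared from the root down."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def walk_nsec(nsec_records):
    """Slide 15: every NSEC names the next existing owner, so following the chain from the
    apex until it wraps around enumerates the whole zone. nsec_records: owner -> (next, types)."""
    apex = min(nsec_records, key=canonical_key)
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = nsec_records[cur][0]          # KeyError here means a broken chain
        if cur == apex:
            return names
        if len(names) > len(nsec_records):
            raise ValueError("NSEC chain does not return to the apex")


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over (wire name | salt), then `iterations` more rounds of
    SHA-1 over (previous digest | salt); the 20-byte result is printed as 32 base32hex chars."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    n = int.from_bytes(digest, "big")
    return "".join(B32HEX[(n >> (5 * i)) & 31] for i in reversed(range(32)))


def nsec3_chain(names, salt_hex, iterations):
    """Build a zone's NSEC3 chain: hashed owners in hash order, each pointing at the next."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def covers(owner, next_name, query, key=lambda x: x):
    """True if query lies strictly inside ] owner , next [. The last record of a chain wraps
    around (its next sorts before its owner) and covers everything after owner or before next."""
    o, n, q = key(owner), key(next_name), key(query)
    if o < n:
        return o < q < n
    return q > o or q < n


def proves_nonexistence(chain, query, key=lambda x: x):
    """Return the (owner, next) pair whose interval covers the query, or None if the query
    is an existing name. chain: owner -> next. Use key=canonical_key for NSEC names; NSEC3
    hashes compare as plain strings because fixed-length base32hex preserves numeric order."""
    for owner, nxt in chain.items():
        if covers(owner, nxt, query, key):
            return owner, nxt
    return None


# Constructed sample zone (names taken from the slides, record contents invented).
NSEC_CHAIN = {
    "nic.cl.":           ("exists.nic.cl.",    "SOA NS DNSKEY RRSIG NSEC"),
    "exists.nic.cl.":    ("existstoo.nic.cl.", "A RRSIG NSEC"),
    "existstoo.nic.cl.": ("mail.nic.cl.",      "A RRSIG NSEC"),
    "mail.nic.cl.":      ("www.nic.cl.",       "A MX RRSIG NSEC"),
    "www.nic.cl.":       ("nic.cl.",           "A AAAA RRSIG NSEC"),
}
NSEC_NEXT = {owner: nxt for owner, (nxt, _types) in NSEC_CHAIN.items()}

if __name__ == "__main__":
    print("zone learned by walking NSEC:", walk_nsec(NSEC_CHAIN))
    print("NSEC proof for existsfake.nic.cl:",
          proves_nonexistence(NSEC_NEXT, "existsfake.nic.cl.", canonical_key))
    chain3 = nsec3_chain(NSEC_CHAIN, "aabbccdd", 12)
    q = nsec3_hash("existsfake.nic.cl.", "aabbccdd", 12)
    print("NSEC3 proof reveals only hashes:", proves_nonexistence(chain3, q))
```

The NSEC proof for existsfake.nic.cl returns the two real neighbouring names, which is exactly the leak slide 15 describes; the NSEC3 proof returns two hashes, so an attacker has to brute-force the hash to learn names. The example does not handle the closest-encloser logic NSEC3 validators also need for names below a non-existent label.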
18. Implementation
• DNS Resources (Resource Records)
  Name               TTL    Class  Type  Value
  www.niclabs.cl.    86400  IN     A     200.27.115.130
  niclabs.cl.        3579   IN     NS    ns.niclabs.cl.
  niclabs.cl.        86400  IN     MX    10 smtp.niclabs.cl.
  www.niclabs.cl.    86400  IN     AAAA  2001:1398:16:4:100::2
19. New resource records
• Digital signature records
  – RRSIG: signature of an RRset
  – DNSKEY: public key
  – DS: Delegation Signer
• Consistency records
  – NSEC/NSEC3
20. Implementation
• DNSSEC introduces 4 new records
  – 1) RRSIG (Digital Signature)
  www.niclabs.cl.   19  IN  A      212.247.7.218
  www.niclabs.cl.   19  IN  RRSIG  A 5 3 60 20091019132001 (
                                   20091009132001 51428 niclabs.cl.
                                   W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW
                                   L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6
                                   Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl
                                   4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )
  Fields of the RRSIG, in order: RR type covered (A), signature algorithm (5), number of labels (3), original TTL (60), expiration time (20091019132001), inception time (20091009132001), key tag (51428), signer's name (niclabs.cl.), digital signature (base64).
22. Implementation
• DNSSEC introduces 4 new records
  – 3) DS (Delegation Signer)
  niclabs.cl.   1007  IN  DS     16696 5 1 (
                              EF5D421412A5EAF1230071AFFD4F585E3B2B1A60 )
  niclabs.cl.   1007  IN  RRSIG  DS 5 1 3600 20091022230530 (
                              20091016022314 12075 cl.
                              HAqB5XoFsakxjmzk6YvRvJFXHyXvBMfjjPbd0u4RXojV
                              fGGrHtBgt5eIh/c6X8p+JDONf5nypt7cFatUCRm2M4N3
                              ZbBKOJyYonFU4LIEQ5CjmHVFCJHBOxKLDAWe2P3jX4/a
                              kQ3JUy5SKztkoGn4GFhQnjCgWyf+n1GqAwTgD6A= )
  Fields of the DS: key tag (16696), algorithm (5), hash type (1 = SHA-1), hash value. The DS record lives in the parent zone, so its RRSIG is a signature from the parent (signer cl., key tag 12075).
23. Implementation
• DNSSEC introduces 4 new records
  – 4) NSEC (Non existing domain: none.niclabs.cl)
  lists.niclabs.cl.   3536  IN  NSEC   ns.niclabs.cl. A MX RRSIG NSEC
  lists.niclabs.cl.   3536  IN  RRSIG  NSEC 5 3 3600 20091026132001 (
                                       20091016132001 51428 niclabs.cl.
                                       npxr6gaJtvrdYFndtKa8rJYcIdonp6q/Nrklaf6xoMN9
                                       xDbIqem0HzzM5qPStXWbG3TGSWJfIwqOeY6FMAaXER/e
                                       hlg+eFyRd5Zb/EAxSIx4NMUkKrWMkdsj49GZhHO9yEtB
                                       5yRU1T4Ii2GULiX233DwvWt/+ZLaJfEODU0kVTk= )
  The NSEC record gives the next existing domain (ns.niclabs.cl.) and the resource types associated with lists.niclabs.cl. (A MX RRSIG NSEC). Because none.niclabs.cl sorts between lists.niclabs.cl and ns.niclabs.cl, this signed record proves that it does not exist.
24. Key issues
• Interaction with the parent is administratively expensive
  – It should only be done when needed
  – Bigger keys with a long lifetime are better
• Signing zones should be fast
  – Memory restrictions
  – Space and time concerns
  – Smaller keys with short lifetimes are better
25. Key solution
• Operate with two keys
  – KSK: Key Signing Key
    • Bigger key
    • Creates bigger signatures (it only signs the DNSKEY RRset, i.e. the ZSK)
    • Long lifetime (years)
  – ZSK: Zone Signing Key
    • Smaller key
    • Creates smaller signatures
    • Short lifetime (months)
  – DNSKEY flags field: 256 = ZSK, 257 = KSK (the Secure Entry Point bit is set)
26. Walking the trust chain
Root zone: the root KSK signs the ZSK, and the root ZSK signs the authoritative data (SOA, NS, DS, etc.)
  . DNSKEY (id = 11) ; KSK
  . DNSKEY (id = 22) ; ZSK
  . RRSIG DNSKEY (11)
  cl. DS 33
  cl. RRSIG DS (...) (22)
cl. zone: the cl. KSK signs the ZSK, and the cl. ZSK signs the authoritative data (SOA, NS, DS, etc.)
  cl. DNSKEY (id = 33) ; KSK
  cl. DNSKEY (id = 44) ; ZSK
  cl. RRSIG DNSKEY (33)
  nic.cl. DS 55
  nic.cl. RRSIG DS (...) (44)
nic.cl. zone:
  nic.cl. DNSKEY (id = 55) ; KSK
  nic.cl. DNSKEY (id = 66) ; ZSK
  nic.cl. RRSIG DNSKEY (55)
  www.nic.cl. A 200.1.123.3
  www.nic.cl. RRSIG A (...) (66)
27. Verify the trust chain
• Data in a zone can be trusted if it is signed by a ZSK
• A ZSK can be trusted if it is signed by a KSK
• A KSK can be trusted if it is pointed to by a trusted DS record
• A DS record can be trusted:
  – If it is signed by the parent's ZSK
  – A DS or DNSKEY can also be trusted directly if it is configured as a Secure Entry Point (SEP), i.e. a trust anchor
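The link "a KSK can be trusted if it is pointed to by a trusted DS record" from slide 27, together with the DS record format of slide 22 and the 256/257 flags of slide 25, as an added example that is not the slides' own code. It recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) from a DNSKEY and checks them against a DS, which is what a validator does before it trusts a child zone's key. Standard library only; the RRSIG verification itself (the RSA or ECDSA maths over the DNSKEY RRset) is not implemented. The sample nic.cl key is constructed bytes, not a real public key; the DS line is the one from slide 22.

```python
# Added example, not the slides' own code: the DS -> DNSKEY link of the chain of trust
# (slides 22, 25 and 27). A DS record in the parent carries a digest of the child's KSK;
# the validator recomputes key tag and digest from the DNSKEY it received and only then
# trusts that key. Standard library only; the RRSIG signature check is out of scope.
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line):
    """Presentation format: owner [TTL] [class] DNSKEY flags protocol algorithm base64-key"""
    toks = line.replace("(", " ").replace(")", " ").split()
    i = toks.index("DNSKEY")
    return {"owner": toks[0], "flags": int(toks[i + 1]), "protocol": int(toks[i + 2]),
            "algorithm": int(toks[i + 3]), "key": base64.b64decode("".join(toks[i + 4:]))}


def parse_ds(line):
    """Presentation format: owner [TTL] [class] DS key-tag algorithm digest-type hex-digest"""
    toks = line.replace("(", " ").replace(")", " ").split()
    i = toks.index("DS")
    return {"owner": toks[0], "key_tag": int(toks[i + 1]), "algorithm": int(toks[i + 2]),
            "digest_type": int(toks[i + 3]), "digest": "".join(toks[i + 4:]).upper()}


def dnskey_rdata(k):
    """Wire RDATA: flags (16 bit), protocol (8 bit), algorithm (8 bit), public key."""
    return struct.pack("!HBB", k["flags"], k["protocol"], k["algorithm"]) + k["key"]


def key_tag(k):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(k):
    """Slide 25: flags 257 = zone key with the Secure Entry Point bit (KSK); 256 = ZSK."""
    return k["flags"] & 0x0100 != 0 and k["flags"] & 0x0001 != 0


def ds_digest(k, digest_type=2):
    """RFC 4034 5.1.4: digest over (canonical owner name wire | DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(k["owner"]) + dnskey_rdata(k)).hexdigest().upper()


def make_ds(k, digest_type=2):
    """What the parent publishes for a child KSK (slide 22)."""
    return {"owner": k["owner"], "key_tag": key_tag(k), "algorithm": k["algorithm"],
            "digest_type": digest_type, "digest": ds_digest(k, digest_type)}


def ds_matches(ds, k):
    """Slide 27: a KSK is trusted if a trusted DS points to it. Owner, key tag, algorithm
    and digest must all agree; a DS with an unsupported digest type cannot be used."""
    if ds["digest_type"] not in DIGEST_ALGS or ds["owner"].lower() != k["owner"].lower():
        return False
    return (ds["key_tag"] == key_tag(k) and ds["algorithm"] == k["algorithm"]
            and ds["digest"] == ds_digest(k, ds["digest_type"]))


def trusted_keys(ds_set, dnskey_set):
    """DNSKEYs of the child authenticated by the parent's DS RRset. The ZSKs then become
    trusted through the RRSIG over the DNSKEY RRset made with one of these keys."""
    return [k for k in dnskey_set if any(ds_matches(ds, k) for ds in ds_set)]


# Constructed sample: a fake nic.cl KSK (bytes 1..32 stand in for a real public key).
SAMPLE_KSK_LINE = "nic.cl. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(bytes(range(1, 33))).decode()
# DS line copied from slide 22 (owner niclabs.cl., digest type 1 = SHA-1).
SLIDE_DS_LINE = "niclabs.cl. 1007 IN DS 16696 5 1 ( EF5D421412A5EAF1230071AFFD4F585E3B2B1A60 )"

if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_KSK_LINE)
    ds = make_ds(ksk)
    print("key tag", key_tag(ksk), "DS", ds["digest"])
    print("chain link holds:", ds_matches(ds, ksk))
    print("slide 22 DS parsed:", parse_ds(SLIDE_DS_LINE))
```

Changing one byte of the key, the flags (which turns the KSK into a ZSK) or the owner name makes ds_matches fail, which is why a DS must be re-submitted to the parent on every KSK change (slide 24). Key tags are not unique, so a validator must always verify the digest and not stop at a matching tag.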
31. DNSSEC in the world
• TLDs in operation:
  – .se .org .gov .br .bg .cz .pr .na .th
• Root zone:
  – Fully deployed by July 2010
  – So, no more excuses not to implement it!
• And Chile...?
32. NIC Chile
• Working on DNSSEC since
  – 2004/xx: First toy tests...
  – 2008/07: Niclabs starts formal research
  – 2008/11: Internal working group
  – 2009/06: Internal resolver with ITAR (Interim Trust Anchor Repository) & DLV (DNSSEC Lookaside Validation), BIND + Unbound
  – 2009/07: Testbed .CL + DNSSEC
  – 2009/08: Public resolver resolversec.niclabs.cl
33. NIC Chile
• Short term solution
  – Signing differences
  – DS registration by hand
  – Currently in test
• Long term solution
  – DS exchange integrated with EPP
  – Distributed crypto
  – Open generic solution for the community
37. What do I need?
• You want to do it! (really)
• Define signature and key lifetimes
  – RRSIG 1 month
  – ZSK 3 months / KSK 1 year
• Define key sizes
  – KSK >= 2048 and ZSK >= 1024
• Define your process and policy
  – Documentation (emergency recovery)
  – Training
38. Key creation
• KSK
  dnssec-keygen -a RSASHA1 -r /dev/urandom -b 2048 -f KSK -n ZONE cl.
• ZSK
  dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE cl.
Note: RSASHA1 is algorithm number 5 and NSEC3RSASHA1 is algorithm number 7. A validator expects every algorithm listed in the apex DNSKEY RRset to sign every RRset of the zone (RFC 4035, section 2.2), so in practice the KSK and ZSK of one zone should be generated with the same -a algorithm.
40. Zone re-signing
• dnssec-signzone -i interval: keep "old" signatures that are not close to expiring
• Default cycle interval = (end time - start time)/4
• A RRSIG is replaced with a new one if it expires within the last cycle interval
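The re-signing rule of slide 40 applied to the RRSIG printed on slide 20, as an added example that is not part of the slides. It parses the presentation-format RRSIG (the record text is copied from slide 20), checks the validity window a validator enforces, flags wildcard expansion from the labels field, and decides whether dnssec-signzone would replace the signature for a given time and cycle interval. Standard library only; the dates used to exercise it are chosen around the record's own inception and expiration.

```python
# Added example, not from the slides: RRSIG validity and the re-signing rule of slide 40,
# applied to the RRSIG shown on slide 20 (copied verbatim below). RRSIG times are
# YYYYMMDDHHmmSS in UTC. dnssec-signzone keeps a signature whose expiration is further
# away than the cycle interval (-i; default (expiration - inception)/4) and replaces it
# otherwise.
from datetime import datetime, timedelta, timezone

# RRSIG from slide 20, joined into one presentation-format line.
SLIDE_RRSIG = ("www.niclabs.cl. 19 IN RRSIG A 5 3 60 20091019132001 ( "
               "20091009132001 51428 niclabs.cl. "
               "W1PycCseBhS9doaTgqETt2xyaD5psVf0uCdoa6MLqliW"
               "L4T05B5wYobl/+IMIFxaHyEPqZIzezUCQEMD5L1QJCK6"
               "Fp/HHTJOPsfgHvGP5pKc2SjzQvJ+5Tx6BIKSnrwCduAl"
               "4yWGRSMhXiMArz4nUfVymzFjYfepMlhXbupycps= )")


def parse_time(s):
    """RRSIG time field -> timezone-aware datetime (on the wire it is seconds since the epoch)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def utc(year, month, day, hour=0):
    """Helper for building test instants without importing datetime elsewhere."""
    return datetime(year, month, day, hour, 0, 0, tzinfo=timezone.utc)


def parse_rrsig(line):
    """RFC 4034 3.2 RDATA order: type covered, algorithm, labels, original TTL, expiration,
    inception, key tag, signer's name, signature (base64, possibly split over tokens)."""
    toks = line.replace("(", " ").replace(")", " ").split()
    f = toks[toks.index("RRSIG") + 1:]
    return {"owner": toks[0], "type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": parse_time(f[4]), "inception": parse_time(f[5]),
            "key_tag": int(f[6]), "signer": f[7], "signature": "".join(f[8:])}


def is_valid_at(sig, now):
    """A validator accepts the signature only inside [inception, expiration] (RFC 4035 5.3.1)."""
    return sig["inception"] <= now <= sig["expiration"]


def is_wildcard_expansion(sig):
    """RFC 4035 5.3.1: if the owner name has more labels than the RRSIG labels field, the
    answer was synthesized from a wildcard and needs an additional NSEC/NSEC3 proof."""
    owner_labels = len([lab for lab in sig["owner"].rstrip(".").split(".") if lab])
    return owner_labels > sig["labels"]


def cycle_interval(sig, interval=None):
    """Slide 40: -i interval (seconds or timedelta), default (end time - start time)/4."""
    if interval is None:
        return (sig["expiration"] - sig["inception"]) / 4
    if isinstance(interval, (int, float)):
        return timedelta(seconds=interval)
    return interval


def needs_resign(sig, now, interval=None):
    """Slide 40: replace the RRSIG if it has expired or expires within the cycle interval."""
    return sig["expiration"] - now < cycle_interval(sig, interval)


if __name__ == "__main__":
    sig = parse_rrsig(SLIDE_RRSIG)
    print("cycle interval:", cycle_interval(sig))
    for day in (10, 17, 18, 20):
        now = utc(2009, 10, day)
        print(now.date(), "valid:", is_valid_at(sig, now), "re-sign:", needs_resign(sig, now))
```

With the slide's 10-day window the default cycle interval is 2.5 days, so the signature is kept on 2009-10-10 but re-signed from the early hours of 2009-10-17 on, and a re-signing run that happens after 2009-10-19 13:20:01 is already too late for validators. Passing -i as seconds (for example 86400) narrows the window, which is what you want when the zone is re-signed daily.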
42. Decisions for DNSSEC
• NSEC or NSEC3?
• Key sizes?
  – KSK (Key Signing Key) and ZSK (Zone Signing Key)
• Lifetime for keys and signatures?
• Sign everything at once? Opt-out?
• Revoking keys
  – Normal rollover, key compromise, key lost
  – Overlap of keys (old ones sign new ones)?
  – Parent and child zones?
43. Other issues
• Resolver behaviour
  – A domain can be Secure, Insecure, Bogus or Indeterminate
• How much does DNSSEC cost?
  – CPU, memory, time, bandwidth, effort, development
44. DNSSEC...
• Solves the authenticity and integrity problems
• Introduces a lot of operational overhead
  – Key management must be improved
  – Needs practice
• Is it worth it?
  – Open discussion...