SlideShare a Scribd company logo

Introduction DNSSec

AFRINIC
AFRINIC

This document provides an introduction to DNSSEC (Domain Name System Security Extensions) in 3 parts: 1. It explains the purpose of DNSSEC is to address vulnerabilities in the DNS like cache poisoning and lack of data integrity by cryptographically signing DNS records. 2. It discusses some of the operational implications of DNSSEC like increased response sizes requiring EDNS0, using multiple keys (KSK and ZSK), and developing a DNSSEC Policy and Practice Statement. 3. It provides resources for further learning including open source DNSSEC software, mailing lists, and examples of deployed DNSSEC at the root zone and in some top-level domains.

1 of 70
Download to read offline
Introduction to DNSSEC DNSSEC Tutorial
Objectives • Understand DNSSEC terminology • Understand the threat models that DNSSEC is intended to address • Appreciate the benefits of DNSSEC to sensitive applications • Understand some of the operational and legal implications of DNSSEC
DNS Refresher
DNS Overview • What is the DNS? • What applications depend on the stable and secure operation of the DNS? • What are the implications of a failure in DNS operations?
As ISP As ‘friend’ As DNS provider DNS Architecture Registry DB primary secondary Cache server Registrars/ Registrants client DNS ProtocolProvisioning secondary
DNS Data Flow
DNS Vulnerabilities
DNS Vulnerabilities
DNS Vulnerabilities Registry DB Server compromise Registrars Registrants DNS ProtocolProvisioning Inter-server communication Cache Poisoning Cache-Stub resolver communication
DNS Vulnerabilities • Cache-poisoning • DNS interception • Confidentiality • Reliability • Integrity • Reflection attacks Which of these does DNSSEC address?
Astrophysics Mail Server Example: Unauthorized mail scanning DNS Central Admin Mail Server Where? There! Subject: tenure
Astrophysics Mail Server Example: Unauthorized mail scanning DNS Central Admin Mail Server Where? Elsewhere Bad Guy Subject: tenure
Reflection Attacks • DNS servers can act as very efficient packet amplifiers • Use of UDP, small queries, large responses • DNSSEC makes DNS servers better packet amplifiers • Still lots of UDP, larger responses
Reliability • In the grand scheme of things, DNSSEC does not help make your DNS more reliable • in fact it makes the DNS more brittle, and makes it harder to maintain reliable service
Confidentiality • DNSSEC does not address confidentiality of queries or responses • anybody who can intercept a secure response can still see the details • there is no encryption here
Integrity, Authenticity • DNSSEC provides a mechanism for data published in the DNS to carry cryptographic signatures • secure responses include signatures • clients receiving a secure response can tell whether it is authentic
Benefits of DNSSEC
Why DNSSEC • Good security is multi-layered – Multiple defense rings in physical secured systems – Multiple ‘layers’ in the networking world •  DNS infrastructure – Providing DNSSEC to raise the barrier for DNS based attacks – Provides a security ‘ring’ around many systems and applications
DNSSEC secondary benefits • DNSSEC provides an “independent” trust path – The person administering “https” is most probably a different from person from the one that does “DNSSEC” – The chains of trust are most probably different – See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”
More benefits? • With reasonable confidence perform opportunistic key exchanges – SSHFP and IPSECKEY Resource Records •  With DNSSEC one could use the DNS for a priori negotiation of security requirements. – “You can only access this service over a secure channel”
More benefits? • DNS-based Authentication of Named Entities WG http://tools.ietf.org/wg/dane/ Objective: Specify mechanisms and techniques that allow Internet applications to establish cryptographically secured communications by using information distributed through DNSSEC for discovering and authenticating public keys which are associated with a service located at a domain name.
Attacks against PKI
Attacks against PKI(cont.)
Benefits to End-Users • Users who validate will not see answers from the DNS that fail validation • might increase helpdesk load, but the alternative is infected computers, stolen bank details, etc • Ongoing work to improve SSL security using DNSSEC-signed certificates • IETF “dane” working group
Benefits to Content Providers • Reduce the risk that your content is being intercepted by unknown third parties • for end-users that validate, at least • Demonstrate technical proficiency and security awareness
Three Slides about Cryptography
Cryptography • Public Key Cryptography • X.509, PGP, ssh, DNSSEC • (Public, Private) Key Pairs • use the private key to sign data • use the public key to verify signature
Private Key • The private key needs to be kept private and secure • the degree of security depends on what the key is used for • a compromised key means you can no longer expect people to trust signatures • a signature from a compromised key is more dangerous than no signature at all
Public Key • The public key needs to be widely- distributed • it also needs to be accurate • In DNSSEC, public keys are published as DNSKEY RRSets in the zone they are used to sign • Trust anchors are published in the parent zone as DS RRSets
DNSSEC Protocol
DNS Considerations • When using the DNS to distribute keys, we need to remember a few things • the DNS is widely-distributed • information does not update instantaneously • we need to think hard about TTLs and caches when constructing a suitable policy
Public Keys in the DNS • In DNSSEC, we distribute public keys in the DNS itself • use the DNSKEY RRSet • supports different key sizes, cryptographic algorithms
RR Signing in DNSSEC • Each Resource Record Set (RRSet) can carry zero or more signatures • signatures appear in an RRSIG RRSet with the same owner name • signatures have an inception and expiry time • we need to re-sign regularly
Chain of Trust • If we can trust the public key which corresponds to the private key that made a signature, we can trust a signature • If we can trust a signature, we can trust the data that is signed • How do we trust the public key?
Delegation Signer • DS is the Delegation Signer Resource Record • it carries a hash of a public key • it is signed • this is how we extend trust across delegations
Chain of Trust RRSet RRSIG(RRSet) DNSKEY DS RRSIG(DS) DNSKEY Parent Zone Child Zone
Chain of Trust Root ORG ISOC.ORG
Root Anchor • At some point a validator needs to install a trust anchor into its software • root zone trust anchor • http://www.iana.org/dnssec/
Two DNSKEY RRSets • Common practice in 2010 is to use two different DNSKEY RRSets per zone • ZSK – Zone Signing Key • used to sign the data in the zone • KSK – Key Signing Key • used to sign the DNSKEY RRSet
ZSK • Since we need to re-sign the zone regularly, the ZSK needs to be on-line • The ZSK is the key that is used most often by validators, so we can make it smaller and save some CPU • We can change the ZSK we are using regularly without involving others
KSK • The KSK is the key that corresponds to the DS record in our parent zone • We need to use the KSK to sign the ZSK, and then we can put it away in a safe place • no need to keep the KSK on-line • changing the KSK involves talking to our parent (update DS record)
KSK and ZSK Child Zone DNSKEY(KSK) DNSKEY(ZSK) RRSIG(DNSKEY) RRSIG(DNSKEY) RRSIG(RRSet) RRSet Parent Zone DNSKEY(KSK) DNSKEY(ZSK) RRSIG(DNSKEY) RRSIG(DNSKEY) RRSIG(DS) DS
DNS Transport • Plain old DNS was optimised to work over UDP with small packets (512 bytes) • fall-back to TCP • Modern DNS supports larger messages over UDP (EDNS0, RFC 2671) • DNSSEC means larger DNS messages • beware of faulty assumptions in firewalls! • Cisco PIXes and ASA can still cause problems with ”fixup”
Signing Things that Are Not There • Verifiable deniability of existence • you can’t sign something that’s not there • use NSEC or NSEC3 records to cover the gaps • sign the NSEC and NSEC3 records • More on this later...
DNSSEC for ISPs
Validate • The most effective step you can take to encourage DNSSEC uptake as an ISP is to validate responses • DNSSEC-signed zones are fairly new, so expect this to cause some non-zero (but manageable) amount of helpdesk load • Comcast is an example of a large ISP (in the US) who has taken this step
DNSSEC for Registries and Hosting Providers
Sign your Zones • All the zones you serve can be signed • think about key rollover • think about key compromise scenarios, and what processes you will follow when you detect them • think about how you can detect compromises, and monitor signatures
Key Management • need to implement secure key storage, management procedures • need to sign your zones • registries need to accept DS records from users (how?) • need to publish DS records to parents (how?)
NSEC and NSEC3 • If you’re signing a zone, you have to use one of these. Which one? • Simple rule of thumb • if you are happy for anybody in the world to obtain a copy of your zone, and your zone is not very big, use NSEC • if you normally don’t allow (e.g.) zone transfers to random people, or if you have a large zone to sign, use NSEC3
Key Management • DNSSEC has many parameters to consider, including: • key rollover schedule • signature duration • choosing appropriate TTL for the zone data • key size • Those will be determined by your policy • You must determine them for your own organisation, via a risk and operational assessment • Don't blindly copy the policies of another orgs!
Key Management • How do we keep the ZSK secure? • How do we keep the KSK secure? • important questions • no simple answers here • requires risk analysis, consultation, maybe audit • again, a matter of policy • hybrid models possible • HSM for KSK, software for ZSK
Communication • Communicate with your customers • explain benefits/risks of DNSSEC • Communicate with end-users • demonstrate how to validate responses • explain operational changes (firewalls, TCP, response sizes)
Legal Aspects
Legal Aspects • Deployment of DNSSEC involves trust in procedures and policies • otherwise why trust signatures? • DNSSEC Policy and Practice Statement (DPS) • a public attestation of procedures and policies • can be used as the basis for audits
Migration Strategies for Registries and DNS Hosting Companies
Migration • For registries and hosting providers, DNSSEC can be deployed without radically changing your existing systems • registries will need to deploy a means of publishing trust anchors as DS RRSets, however
Streamlined Operations • Remember, DNSSEC makes you zones more brittle and fragile than they were before • need to have excellent reliability in registry and DNS operations (verification of output, monitoring, etc...) • need to have emergency procedures to update DS RRSets in your zones
Resources
Open-Source Software • NSD • http://www.nlnetlabs.nl/ • BIND9 • http://www.isc.org/ • Unbound • http://www.unbound.net/ • OpenDNSSEC • http://www.opendnssec.org/
Mailing Lists • dnssec-deployment mailing list • http://www.dnssec-deployment.org/ • dns-operations mailing list • http://www.dns-oarc.net/ • Ongoing protocol work • IETF dnsop, dnsext working groups
Other ressources • DNS visualization tool http://dnsviz.net • DNSSEC AFRICA http://dnssec-africa.org
DPS •  http://tools.ietf.org/html/rfc6841 • DPS for the Root Zone KSK Operator •  https://www.iana.org/dnssec/ • Also review published DPS documents from TLDs who have already deployed DNSSEC
DPS • .SE's DNSSEC Practice Statement • www.iis.se/docs/se-dnssec-dps-eng.pdf • .CL's DNSSEC Practice Statement • http://www.nic.cl/dnssec/en/dps.html • .NET DNSSEC Practice Statement • http://www.verisigninc.com/assets/ 20100925-NET+DPS-FINAL.pdf
Deployment • Root zone was signed in July 2010 • Many TLDs are currently signed • ARPA, BE, BG, BIZ, BR, CAT, CH, CL, CZ, DK, EDU, EU, FI, FR, GOV, INFO, KG, LI, LK, MUSEUM, NA, NL, NU, ORG, PM, PR, PT, RE, SE, TF, TH, TM, UK, US,UG,TZ,GN ... • http://stats.research.icann.org/dnssec/
DNSSEC Adoption 70 www.ohmo.to/dnssec/maps Seen today

Recommended

DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
DNS Security
DNS SecurityDNS Security
DNS Security
johnmcclure00
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNS
Philippe Camacho, Ph.D.
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
DNS Configuration
DNS ConfigurationDNS Configuration
DNS Configuration
Vinod Gour
 
NAS - Network Attached Storage
NAS - Network Attached StorageNAS - Network Attached Storage
NAS - Network Attached Storage
Shashank Bhatnagar
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 

Recommended

DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
DNS Security
DNS SecurityDNS Security
DNS Security
johnmcclure00
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNS
Philippe Camacho, Ph.D.
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
MyNOG
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
DNS Configuration
DNS ConfigurationDNS Configuration
DNS Configuration
Vinod Gour
 
NAS - Network Attached Storage
NAS - Network Attached StorageNAS - Network Attached Storage
NAS - Network Attached Storage
Shashank Bhatnagar
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
Group policy objects
Group policy objectsGroup policy objects
Group policy objects
MianMuhammadMuaz
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with Redis
George Platon
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
Himanshu Prabhakar
 
Dns
DnsDns
Dns
deshvikas
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
APNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
Bangladesh Network Operators Group
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
MyNOG
 
DDS and XMPP
DDS and XMPPDDS and XMPP
DDS and XMPP
Angelo Corsaro
 
Ceph issue 해결 사례
Ceph issue 해결 사례Ceph issue 해결 사례
Ceph issue 해결 사례
Open Source Consulting
 
EnterpriseDB's Best Practices for Postgres DBAs
EnterpriseDB's Best Practices for Postgres DBAsEnterpriseDB's Best Practices for Postgres DBAs
EnterpriseDB's Best Practices for Postgres DBAs
EDB
 
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
MinhLeNguyenAnh2
 
IPv6 in Mobile Networks
IPv6 in Mobile NetworksIPv6 in Mobile Networks
IPv6 in Mobile Networks
APNIC
 
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptChapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
webhostingguy
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory DomainWindows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory Domain
Napoleon NV
 
(DAT201) Introduction to Amazon Redshift
(DAT201) Introduction to Amazon Redshift(DAT201) Introduction to Amazon Redshift
(DAT201) Introduction to Amazon Redshift
Amazon Web Services
 
History of Windows Server
History of Windows ServerHistory of Windows Server
History of Windows Server
sundas Shabbir
 
How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
Etsuji Nakai
 
Chapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server roleChapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server role
Luis Garay
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 
20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
20 Tweetable Quotes to Inspire Marketing & Design Creative Genius20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
IMPACT Branding & Design LLC
 
2015 Travel Trends
2015 Travel Trends 2015 Travel Trends
2015 Travel Trends
Creative Lodging Solutions
 

More Related Content

What's hot

Group policy objects
Group policy objectsGroup policy objects
Group policy objects
MianMuhammadMuaz
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with Redis
George Platon
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
Himanshu Prabhakar
 
Dns
DnsDns
Dns
deshvikas
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
APNIC
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
Bangladesh Network Operators Group
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
MyNOG
 
DDS and XMPP
DDS and XMPPDDS and XMPP
DDS and XMPP
Angelo Corsaro
 
Ceph issue 해결 사례
Ceph issue 해결 사례Ceph issue 해결 사례
Ceph issue 해결 사례
Open Source Consulting
 
EnterpriseDB's Best Practices for Postgres DBAs
EnterpriseDB's Best Practices for Postgres DBAsEnterpriseDB's Best Practices for Postgres DBAs
EnterpriseDB's Best Practices for Postgres DBAs
EDB
 
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
MinhLeNguyenAnh2
 
IPv6 in Mobile Networks
IPv6 in Mobile NetworksIPv6 in Mobile Networks
IPv6 in Mobile Networks
APNIC
 
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptChapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
webhostingguy
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory DomainWindows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory Domain
Napoleon NV
 
(DAT201) Introduction to Amazon Redshift
(DAT201) Introduction to Amazon Redshift(DAT201) Introduction to Amazon Redshift
(DAT201) Introduction to Amazon Redshift
Amazon Web Services
 
History of Windows Server
History of Windows ServerHistory of Windows Server
History of Windows Server
sundas Shabbir
 
How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
Etsuji Nakai
 
Chapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server roleChapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server role
Luis Garay
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 

What's hot (20)

Group policy objects
Group policy objectsGroup policy objects
Group policy objects
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with Redis
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Dns
DnsDns
Dns
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
 
DDS and XMPP
DDS and XMPPDDS and XMPP
DDS and XMPP
 
Ceph issue 해결 사례
Ceph issue 해결 사례Ceph issue 해결 사례
Ceph issue 해결 사례
 
EnterpriseDB's Best Practices for Postgres DBAs
EnterpriseDB's Best Practices for Postgres DBAsEnterpriseDB's Best Practices for Postgres DBAs
EnterpriseDB's Best Practices for Postgres DBAs
 
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...
 
IPv6 in Mobile Networks
IPv6 in Mobile NetworksIPv6 in Mobile Networks
IPv6 in Mobile Networks
 
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptChapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory DomainWindows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing Active Directory Domain
 
(DAT201) Introduction to Amazon Redshift
(DAT201) Introduction to Amazon Redshift(DAT201) Introduction to Amazon Redshift
(DAT201) Introduction to Amazon Redshift
 
History of Windows Server
History of Windows ServerHistory of Windows Server
History of Windows Server
 
How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
 
Chapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server roleChapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server role
 
DNS Security
DNS SecurityDNS Security
DNS Security
 

Viewers also liked

20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
20 Tweetable Quotes to Inspire Marketing & Design Creative Genius20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
IMPACT Branding & Design LLC
 
2015 Travel Trends
2015 Travel Trends 2015 Travel Trends
2015 Travel Trends
Creative Lodging Solutions
 
Brand New World
Brand New WorldBrand New World
Brand New World
Torsten Henning Hensel
 
40 Tools in 20 Minutes: Hacking your Marketing Career
40 Tools in 20 Minutes: Hacking your Marketing Career40 Tools in 20 Minutes: Hacking your Marketing Career
40 Tools in 20 Minutes: Hacking your Marketing Career
Eric Leist
 
Email Marketing 101: The Welcome Email
Email Marketing 101: The Welcome EmailEmail Marketing 101: The Welcome Email
Email Marketing 101: The Welcome Email
SendGrid
 
Quick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations FasterQuick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations Faster
Eugene Cheng
 
What REALLY Differentiates The Best Content Marketers From The Rest
What REALLY Differentiates The Best Content Marketers From The RestWhat REALLY Differentiates The Best Content Marketers From The Rest
What REALLY Differentiates The Best Content Marketers From The Rest
Ross Simmonds
 
Digital transformation in 50 soundbites
Digital transformation in 50 soundbitesDigital transformation in 50 soundbites
Digital transformation in 50 soundbites
Julie Dodd
 
Create icons in PowerPoint
Create icons in PowerPointCreate icons in PowerPoint
Create icons in PowerPoint
Presentitude
 
Eco-nomics, The hidden costs of consumption
Eco-nomics, The hidden costs of consumptionEco-nomics, The hidden costs of consumption
Eco-nomics, The hidden costs of consumption
Josh Beatty
 
How to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfs
How to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfsHow to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfs
How to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfs
MarketingProfs
 
Social Proof Tips to Boost Landing Page Conversions
Social Proof Tips to Boost Landing Page ConversionsSocial Proof Tips to Boost Landing Page Conversions
Social Proof Tips to Boost Landing Page Conversions
Angie Schottmuller
 
Creating Powerful Customer Experiences
Creating Powerful Customer ExperiencesCreating Powerful Customer Experiences
Creating Powerful Customer Experiences
Digital Surgeons
 
17 Copywriting Do's and Don'ts: How To Write Persuasive Content
17 Copywriting Do's and Don'ts: How To Write Persuasive Content17 Copywriting Do's and Don'ts: How To Write Persuasive Content
17 Copywriting Do's and Don'ts: How To Write Persuasive Content
Henneke Duistermaat
 
The Sharing Economy
The Sharing EconomyThe Sharing Economy
The Sharing Economy
Loic Le Meur
 
Your Sales Pitch Sucks!
Your Sales Pitch Sucks!Your Sales Pitch Sucks!
Your Sales Pitch Sucks!
Slides That Rock
 
The Ultimate Freebies Guide for Presentations by @damonify
The Ultimate Freebies Guide for Presentations by @damonifyThe Ultimate Freebies Guide for Presentations by @damonify
The Ultimate Freebies Guide for Presentations by @damonify
Slides | Presentation Design Agency
 
10 Disruptive Quotes for Entrepreneurs
10 Disruptive Quotes for Entrepreneurs10 Disruptive Quotes for Entrepreneurs
10 Disruptive Quotes for Entrepreneurs
Guy Kawasaki
 
26 Top Crowdfunding Sites (Infographic)
26 Top Crowdfunding Sites (Infographic)26 Top Crowdfunding Sites (Infographic)
26 Top Crowdfunding Sites (Infographic)
Wrike
 
How To Assemble a High Converting eBook
How To Assemble a High Converting eBookHow To Assemble a High Converting eBook
How To Assemble a High Converting eBook
Uberflip
 

Viewers also liked (20)

20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
20 Tweetable Quotes to Inspire Marketing & Design Creative Genius20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
20 Tweetable Quotes to Inspire Marketing & Design Creative Genius
 
2015 Travel Trends
2015 Travel Trends 2015 Travel Trends
2015 Travel Trends
 
Brand New World
Brand New WorldBrand New World
Brand New World
 
40 Tools in 20 Minutes: Hacking your Marketing Career
40 Tools in 20 Minutes: Hacking your Marketing Career40 Tools in 20 Minutes: Hacking your Marketing Career
40 Tools in 20 Minutes: Hacking your Marketing Career
 
Email Marketing 101: The Welcome Email
Email Marketing 101: The Welcome EmailEmail Marketing 101: The Welcome Email
Email Marketing 101: The Welcome Email
 
Quick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations FasterQuick & Dirty Tips for : Better PowerPoint Presentations Faster
Quick & Dirty Tips for : Better PowerPoint Presentations Faster
 
What REALLY Differentiates The Best Content Marketers From The Rest
What REALLY Differentiates The Best Content Marketers From The RestWhat REALLY Differentiates The Best Content Marketers From The Rest
What REALLY Differentiates The Best Content Marketers From The Rest
 
Digital transformation in 50 soundbites
Digital transformation in 50 soundbitesDigital transformation in 50 soundbites
Digital transformation in 50 soundbites
 
Create icons in PowerPoint
Create icons in PowerPointCreate icons in PowerPoint
Create icons in PowerPoint
 
Eco-nomics, The hidden costs of consumption
Eco-nomics, The hidden costs of consumptionEco-nomics, The hidden costs of consumption
Eco-nomics, The hidden costs of consumption
 
How to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfs
How to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfsHow to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfs
How to Craft Your Company's Storytelling Voice by Ann Handley of MarketingProfs
 
Social Proof Tips to Boost Landing Page Conversions
Social Proof Tips to Boost Landing Page ConversionsSocial Proof Tips to Boost Landing Page Conversions
Social Proof Tips to Boost Landing Page Conversions
 
Creating Powerful Customer Experiences
Creating Powerful Customer ExperiencesCreating Powerful Customer Experiences
Creating Powerful Customer Experiences
 
17 Copywriting Do's and Don'ts: How To Write Persuasive Content
17 Copywriting Do's and Don'ts: How To Write Persuasive Content17 Copywriting Do's and Don'ts: How To Write Persuasive Content
17 Copywriting Do's and Don'ts: How To Write Persuasive Content
 
The Sharing Economy
The Sharing EconomyThe Sharing Economy
The Sharing Economy
 
Your Sales Pitch Sucks!
Your Sales Pitch Sucks!Your Sales Pitch Sucks!
Your Sales Pitch Sucks!
 
The Ultimate Freebies Guide for Presentations by @damonify
The Ultimate Freebies Guide for Presentations by @damonifyThe Ultimate Freebies Guide for Presentations by @damonify
The Ultimate Freebies Guide for Presentations by @damonify
 
10 Disruptive Quotes for Entrepreneurs
10 Disruptive Quotes for Entrepreneurs10 Disruptive Quotes for Entrepreneurs
10 Disruptive Quotes for Entrepreneurs
 
26 Top Crowdfunding Sites (Infographic)
26 Top Crowdfunding Sites (Infographic)26 Top Crowdfunding Sites (Infographic)
26 Top Crowdfunding Sites (Infographic)
 
How To Assemble a High Converting eBook
How To Assemble a High Converting eBookHow To Assemble a High Converting eBook
How To Assemble a High Converting eBook
 

Similar to Introduction DNSSec

RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
APNIC
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
APNIC
 
dnssec_networking_improvement_for_security.pptx
dnssec_networking_improvement_for_security.pptxdnssec_networking_improvement_for_security.pptx
dnssec_networking_improvement_for_security.pptx
pipopopo3
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
APNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
APNIC
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
Commonwealth Telecommunications Organisation
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
APNIC
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
laurenrprice
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
APNIC
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
Internet Society
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
Deploy360 Programme (Internet Society)
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
APNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
APNIC
 

Similar to Introduction DNSSec (20)

RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
 
dnssec_networking_improvement_for_security.pptx
dnssec_networking_improvement_for_security.pptxdnssec_networking_improvement_for_security.pptx
dnssec_networking_improvement_for_security.pptx
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 

More from AFRINIC

AIS19 - Policies under discussion
AIS19 - Policies under discussionAIS19 - Policies under discussion
AIS19 - Policies under discussion
AFRINIC
 
AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)
AFRINIC
 
AFRINIC 101 2017
AFRINIC 101 2017AFRINIC 101 2017
AFRINIC 101 2017
AFRINIC
 
AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)
AFRINIC
 
Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...
AFRINIC
 
Insight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level LatenciesInsight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level Latencies
AFRINIC
 
Deep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country LatenciesDeep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country Latencies
AFRINIC
 
Studying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sectorStudying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sector
AFRINIC
 
Routing security and implications for NRENs
Routing security and implications for NRENsRouting security and implications for NRENs
Routing security and implications for NRENs
AFRINIC
 
APRICOT Latency Clustering
APRICOT Latency ClusteringAPRICOT Latency Clustering
APRICOT Latency Clustering
AFRINIC
 
Latency clustering AfPIF2017
Latency clustering AfPIF2017Latency clustering AfPIF2017
Latency clustering AfPIF2017
AFRINIC
 
AFRINIC RIA MoU
AFRINIC RIA MoUAFRINIC RIA MoU
AFRINIC RIA MoU
AFRINIC
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
AFRINIC
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC
 
Tampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From AfricaTampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From Africa
AFRINIC
 
Assessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital ResilienceAssessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital Resilience
AFRINIC
 
Measuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENsMeasuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENs
AFRINIC
 
State of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in AfricaState of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in Africa
AFRINIC
 
TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool
AFRINIC
 
Measuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicatorsMeasuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicators
AFRINIC
 

More from AFRINIC (20)

AIS19 - Policies under discussion
AIS19 - Policies under discussionAIS19 - Policies under discussion
AIS19 - Policies under discussion
 
AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)AIS19 Newcomers Session (EN)
AIS19 Newcomers Session (EN)
 
AFRINIC 101 2017
AFRINIC 101 2017AFRINIC 101 2017
AFRINIC 101 2017
 
AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)AFRINIC 101 2016 (Fr)
AFRINIC 101 2016 (Fr)
 
Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...Internet development in Africa: a content use, hosting and distribution persp...
Internet development in Africa: a content use, hosting and distribution persp...
 
Insight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level LatenciesInsight Into Africa’s Country-level Latencies
Insight Into Africa’s Country-level Latencies
 
Deep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country LatenciesDeep Diving into Africa’s Inter-Country Latencies
Deep Diving into Africa’s Inter-Country Latencies
 
Studying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sectorStudying performance barriers to cloud services in Africa's public sector
Studying performance barriers to cloud services in Africa's public sector
 
Routing security and implications for NRENs
Routing security and implications for NRENsRouting security and implications for NRENs
Routing security and implications for NRENs
 
APRICOT Latency Clustering
APRICOT Latency ClusteringAPRICOT Latency Clustering
APRICOT Latency Clustering
 
Latency clustering AfPIF2017
Latency clustering AfPIF2017Latency clustering AfPIF2017
Latency clustering AfPIF2017
 
AFRINIC RIA MoU
AFRINIC RIA MoUAFRINIC RIA MoU
AFRINIC RIA MoU
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
 
Tampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From AfricaTampering With the Open Internet: Experiences From Africa
Tampering With the Open Internet: Experiences From Africa
 
Assessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital ResilienceAssessing Internet Freedom and the Digital Resilience
Assessing Internet Freedom and the Digital Resilience
 
Measuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENsMeasuring quality of Internet links in NRENs
Measuring quality of Internet links in NRENs
 
State of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in AfricaState of Internet measurement Infrastructure/tools in Africa
State of Internet measurement Infrastructure/tools in Africa
 
TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool TraceMON - a new RIPE Atlas tool
TraceMON - a new RIPE Atlas tool
 
Measuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicatorsMeasuring the complexity of the Internet: indexes and indicators
Measuring the complexity of the Internet: indexes and indicators
 

Recently uploaded

Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
saathvikreddy2003
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 

Recently uploaded (19)

Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 

Introduction DNSSec

  • 2. Objectives • Understand DNSSEC terminology • Understand the threat models that DNSSEC is intended to address • Appreciate the benefits of DNSSEC to sensitive applications • Understand some of the operational and legal implications of DNSSEC
  • 4. DNS Overview • What is the DNS? • What applications depend on the stable and secure operation of the DNS? • What are the implications of a failure in DNS operations?
  • 5. As ISP As ‘friend’ As DNS provider DNS Architecture Registry DB primary secondary Cache server Registrars/ Registrants client DNS ProtocolProvisioning secondary
  • 9. DNS Vulnerabilities Registry DB Server compromise Registrars Registrants DNS ProtocolProvisioning Inter-server communication Cache Poisoning Cache-Stub resolver communication
  • 11.
  • 12.
  • 13. Astrophysics Mail Server Example: Unauthorized mail scanning DNS Central Admin Mail Server Where? There! Subject: tenure
  • 14. Astrophysics Mail Server Example: Unauthorized mail scanning DNS Central Admin Mail Server Where? Elsewhere Bad Guy Subject: tenure
  • 15. Reflection Attacks • DNS servers can act as very efficient packet amplifiers • Use of UDP, small queries, large responses • DNSSEC makes DNS servers better packet amplifiers • Still lots of UDP, larger responses
  • 16. Reliability • In the grand scheme of things, DNSSEC does not help make your DNS more reliable • in fact it makes the DNS more brittle, and makes it harder to maintain reliable service
  • 17. Confidentiality • DNSSEC does not address confidentiality of queries or responses • anybody who can intercept a secure response can still see the details • there is no encryption here
  • 18. Integrity, Authenticity • DNSSEC provides a mechanism for data published in the DNS to carry cryptographic signatures • secure responses include signatures • clients receiving a secure response can tell whether it is authentic
  • 20. Why DNSSEC • Good security is multi-layered – Multiple defense rings in physical secured systems – Multiple ‘layers’ in the networking world •  DNS infrastructure – Providing DNSSEC to raise the barrier for DNS based attacks – Provides a security ‘ring’ around many systems and applications
  • 21. DNSSEC secondary benefits • DNSSEC provides an “independent” trust path – The person administering “https” is most probably a different from person from the one that does “DNSSEC” – The chains of trust are most probably different – See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”
  • 22. More benefits? • With reasonable confidence perform opportunistic key exchanges – SSHFP and IPSECKEY Resource Records •  With DNSSEC one could use the DNS for a priori negotiation of security requirements. – “You can only access this service over a secure channel”
  • 23. More benefits? • DNS-based Authentication of Named Entities WG http://tools.ietf.org/wg/dane/ Objective: Specify mechanisms and techniques that allow Internet applications to establish cryptographically secured communications by using information distributed through DNSSEC for discovering and authenticating public keys which are associated with a service located at a domain name.
  • 26. Benefits to End-Users • Users who validate will not see answers from the DNS that fail validation • might increase helpdesk load, but the alternative is infected computers, stolen bank details, etc • Ongoing work to improve SSL security using DNSSEC-signed certificates • IETF “dane” working group
  • 27. Benefits to Content Providers • Reduce the risk that your content is being intercepted by unknown third parties • for end-users that validate, at least • Demonstrate technical proficiency and security awareness
  • 29. Cryptography • Public Key Cryptography • X.509, PGP, ssh, DNSSEC • (Public, Private) Key Pairs • use the private key to sign data • use the public key to verify signature
  • 30. Private Key • The private key needs to be kept private and secure • the degree of security depends on what the key is used for • a compromised key means you can no longer expect people to trust signatures • a signature from a compromised key is more dangerous than no signature at all
  • 31. Public Key • The public key needs to be widely- distributed • it also needs to be accurate • In DNSSEC, public keys are published as DNSKEY RRSets in the zone they are used to sign • Trust anchors are published in the parent zone as DS RRSets
  • 33. DNS Considerations • When using the DNS to distribute keys, we need to remember a few things • the DNS is widely-distributed • information does not update instantaneously • we need to think hard about TTLs and caches when constructing a suitable policy
  • 34. Public Keys in the DNS • In DNSSEC, we distribute public keys in the DNS itself • use the DNSKEY RRSet • supports different key sizes, cryptographic algorithms
  • 35. RR Signing in DNSSEC • Each Resource Record Set (RRSet) can carry zero or more signatures • signatures appear in an RRSIG RRSet with the same owner name • signatures have an inception and expiry time • we need to re-sign regularly
  • 36. Chain of Trust • If we can trust the public key which corresponds to the private key that made a signature, we can trust a signature • If we can trust a signature, we can trust the data that is signed • How do we trust the public key?
  • 37. Delegation Signer • DS is the Delegation Signer Resource Record • it carries a hash of a public key • it is signed • this is how we extend trust across delegations
  • 39. Chain of Trust Root ORG ISOC.ORG
  • 40. Root Anchor • At some point a validator needs to install a trust anchor into its software • root zone trust anchor • http://www.iana.org/dnssec/
  • 41. Two DNSKEY RRSets • Common practice in 2010 is to use two different DNSKEY RRSets per zone • ZSK – Zone Signing Key • used to sign the data in the zone • KSK – Key Signing Key • used to sign the DNSKEY RRSet
  • 42. ZSK • Since we need to re-sign the zone regularly, the ZSK needs to be on-line • The ZSK is the key that is used most often by validators, so we can make it smaller and save some CPU • We can change the ZSK we are using regularly without involving others
  • 43. KSK • The KSK is the key that corresponds to the DS record in our parent zone • We need to use the KSK to sign the ZSK, and then we can put it away in a safe place • no need to keep the KSK on-line • changing the KSK involves talking to our parent (update DS record)
  • 44. KSK and ZSK Child Zone DNSKEY(KSK) DNSKEY(ZSK) RRSIG(DNSKEY) RRSIG(DNSKEY) RRSIG(RRSet) RRSet Parent Zone DNSKEY(KSK) DNSKEY(ZSK) RRSIG(DNSKEY) RRSIG(DNSKEY) RRSIG(DS) DS
  • 45. DNS Transport • Plain old DNS was optimised to work over UDP with small packets (512 bytes) • fall-back to TCP • Modern DNS supports larger messages over UDP (EDNS0, RFC 2671) • DNSSEC means larger DNS messages • beware of faulty assumptions in firewalls! • Cisco PIXes and ASA can still cause problems with ”fixup”
  • 46. Signing Things that Are Not There • Verifiable deniability of existence • you can’t sign something that’s not there • use NSEC or NSEC3 records to cover the gaps • sign the NSEC and NSEC3 records • More on this later...
  • 48. Validate • The most effective step you can take to encourage DNSSEC uptake as an ISP is to validate responses • DNSSEC-signed zones are fairly new, so expect this to cause some non-zero (but manageable) amount of helpdesk load • Comcast is an example of a large ISP (in the US) who has taken this step
  • 49. DNSSEC for Registries and Hosting Providers
  • 50. Sign your Zones • All the zones you serve can be signed • think about key rollover • think about key compromise scenarios, and what processes you will follow when you detect them • think about how you can detect compromises, and monitor signatures
  • 51. Key Management • need to implement secure key storage, management procedures • need to sign your zones • registries need to accept DS records from users (how?) • need to publish DS records to parents (how?)
  • 52. NSEC and NSEC3 • If you’re signing a zone, you have to use one of these. Which one? • Simple rule of thumb • if you are happy for anybody in the world to obtain a copy of your zone, and your zone is not very big, use NSEC • if you normally don’t allow (e.g.) zone transfers to random people, or if you have a large zone to sign, use NSEC3
  • 53. Key Management • DNSSEC has many parameters to consider, including: • key rollover schedule • signature duration • choosing appropriate TTL for the zone data • key size • Those will be determined by your policy • You must determine them for your own organisation, via a risk and operational assessment • Don't blindly copy the policies of another orgs!
  • 54. Key Management • How do we keep the ZSK secure? • How do we keep the KSK secure? • important questions • no simple answers here • requires risk analysis, consultation, maybe audit • again, a matter of policy • hybrid models possible • HSM for KSK, software for ZSK
  • 55. Communication • Communicate with your customers • explain benefits/risks of DNSSEC • Communicate with end-users • demonstrate how to validate responses • explain operational changes (firewalls, TCP, response sizes)
  • 57. Legal Aspects • Deployment of DNSSEC involves trust in procedures and policies • otherwise why trust signatures? • DNSSEC Policy and Practice Statement (DPS) • a public attestation of procedures and policies • can be used as the basis for audits
  • 58. Migration Strategies for Registries and DNS Hosting Companies
  • 59. Migration • For registries and hosting providers, DNSSEC can be deployed without radically changing your existing systems • registries will need to deploy a means of publishing trust anchors as DS RRSets, however
  • 60.
  • 61.
  • 62. Streamlined Operations • Remember, DNSSEC makes you zones more brittle and fragile than they were before • need to have excellent reliability in registry and DNS operations (verification of output, monitoring, etc...) • need to have emergency procedures to update DS RRSets in your zones
  • 65. Mailing Lists • dnssec-deployment mailing list • http://www.dnssec-deployment.org/ • dns-operations mailing list • http://www.dns-oarc.net/ • Ongoing protocol work • IETF dnsop, dnsext working groups
  • 66. Other ressources • DNS visualization tool http://dnsviz.net • DNSSEC AFRICA http://dnssec-africa.org
  • 67. DPS •  http://tools.ietf.org/html/rfc6841 • DPS for the Root Zone KSK Operator •  https://www.iana.org/dnssec/ • Also review published DPS documents from TLDs who have already deployed DNSSEC
  • 68. DPS • .SE's DNSSEC Practice Statement • www.iis.se/docs/se-dnssec-dps-eng.pdf • .CL's DNSSEC Practice Statement • http://www.nic.cl/dnssec/en/dps.html • .NET DNSSEC Practice Statement • http://www.verisigninc.com/assets/ 20100925-NET+DPS-FINAL.pdf
  • 69. Deployment • Root zone was signed in July 2010 • Many TLDs are currently signed • ARPA, BE, BG, BIZ, BR, CAT, CH, CL, CZ, DK, EDU, EU, FI, FR, GOV, INFO, KG, LI, LK, MUSEUM, NA, NL, NU, ORG, PM, PR, PT, RE, SE, TF, TH, TM, UK, US,UG,TZ,GN ... • http://stats.research.icann.org/dnssec/