This document summarizes a panel discussion on deploying DNSSEC. It begins by introducing the panelists from the Internet Society and NIC.BR. It then provides an overview of the DNSSEC technology, explaining how it uses cryptographic signatures to validate the authenticity and integrity of DNS data, preventing DNS poisoning attacks. The document outlines both the signing and validating components of DNSSEC. It discusses how DNSSEC complements but does not replace TLS/SSL, and how the combination of the two in DANE provides both strong integrity and encryption.
This document provides a summary of a panel discussion on deploying DNSSEC from end customers to content. The panel discusses next steps that top-level domain operators, network operators, and enterprises can take to deploy DNSSEC, including signing their domains, accepting DS records, working with registrars, and deploying validating DNS resolvers. The Internet Society's Deploy360 program is also introduced, which provides real-world deployment information on technologies like DNSSEC through case studies, tutorials, videos, and other resources.
This document summarizes and compares four DNS server software options: BIND, NSD, djbdns, and PrimDNS. It finds that BIND has the highest memory usage but fastest query times, while djbdns has the lowest memory usage but does not support DNSSEC. NSD and PrimDNS offer alternatives to BIND with lower memory usage and comparable performance.
The document discusses DNS security and various DNS attacks. It begins with an overview of the DNS protocol and infrastructure, then describes common DNS attacks like spoofing, cache poisoning, and reflection attacks. It also covers mitigation techniques like DNSSEC and discusses fast flux networks used by malware to evade detection. The document provides technical details on securing DNS servers and domains through configurations, software updates, and cryptographic protocols.
Stephen McHenry - Chancellor of Site Reliability Engineering, Google (IE Group)
The document discusses Google's mission to organize the world's information and make it universally accessible. It provides an overview of Google's history from its early systems using Lego disks to store data to its current large scale data centers. The document discusses Google's challenges in dealing with the ever increasing amounts of data and computational needs required by its services. It outlines Google's strategies for planning for failure, expansion of applications, infrastructure and hardware. Key systems developed by Google to manage large scale data and computing needs include Google File System, MapReduce and BigTable.
Dhaval Kapil presented on DNS security. He discussed how DNS works and its flaws due to a lack of security in its original design. This allowed various threats to emerge like zone file compromise, DNS amplification attacks, and cache poisoning. To mitigate these threats, extensions like DNSSEC were developed to authenticate DNS responses and ensure integrity, though adoption remains limited.
The document discusses the Internet Society's efforts to promote IPv6 deployment through a new Deployment & Operationalization Hub initiative. The DO Hub will create educational resources to help network operators and organizations adopt new Internet standards like IPv6 and DNSSEC. It will provide a knowledge base, case studies, blogs, and networking events to share expertise and best practices. The DO Hub is launching in October 2011 and will grow its content and features over time based on user feedback.
Presentation given by Alvaro Retana at ION Santiago in Chile on 28 October 2014.
What’s happening at the Internet Engineering Task Force (IETF)? What RFCs and Internet-Drafts are in progress related to IPv6, DNSSEC, Routing Security/Resiliency, and other key topics? We’ll give an overview of the ongoing discussions in several working groups and discuss the outcomes of recent Birds-of-a-Feather (BoF) sessions, and provide a preview of what to expect in future discussions, including bringing the IETF to Latin America in 2016.
This document discusses the business case for DNSSEC (Domain Name System Security Extensions). It outlines how DNSSEC helps secure the DNS infrastructure by cryptographically protecting domain name records from man-in-the-middle attacks and cache poisoning. The document provides examples of past DNS hijacking incidents that could have been prevented with DNSSEC. It argues that DNSSEC adoption gives businesses a competitive advantage by helping ensure customers are directed to the correct websites and services. Governments are also encouraging DNSSEC to improve online security and trust.
The document discusses the business case for IPv6 and DNSSEC deployment by examining lessons from the rise of the Internet and IPv4 deployment. It notes that the transition from circuit switching to packet switching exposed new market opportunities by greatly reducing network costs. This allowed small ISPs to enter the market and gain market share from incumbents. Over time, communications became a volume-dominated industry, allowing large providers to leverage economies of scale and consolidate the market. The document questions whether similar technology shifts, costs, and regulations will drive the transition from IPv4 to IPv6.
The document discusses the Internet Engineering Task Force (IETF), including that it develops internet standards through an open process, holds 3 meetings per year around the world, and focuses on topics like IPv6, DNS, routing security, and fellowships. Key points are that the IETF is open to anyone, develops RFC standards documents, and discusses drafts in working groups at their periodic global meetings.
The document thanks the speakers and hosts of the ION Tokyo event, including Dr. Shin Miyakawa from NTT Communications and Tomohiro Fujisaki from the Internet Society Japan. It also thanks the co-location hosts and sponsor. Finally, it encourages attendees to get involved by creating content, defining new features, or contacting the organizers to provide their experiences and needs to help develop deployment materials.
The document discusses the history and evolution of TLS (Transport Layer Security) and SSL (Secure Sockets Layer), their increasing usage across internet applications and services, and efforts by organizations like IETF and Internet Society to promote stronger encryption and the adoption of TLS. It provides an overview of TLS versions and standards development, factors driving increased TLS usage like Snowden revelations, and resources for network operators and developers to help secure communications over the internet using TLS.
ION Cape Town, 8 September 2015: The Internet Society is working toward fostering a larger and more engaged network operator community around the IETF and protocol development work. Part of that work was a survey of network operators in 2014 and an Internet-Draft about its results. We’re also interested specifically in bringing more African engineers with operational experience into the IETF, and perhaps even bringing a physical IETF meeting to the continent of Africa within the next few years. We’ll outline some of our recent work and hope to make this an interactive session to learn from the local community how to encourage more IETF participation.
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks (FindWhitePapers)
Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn't working, then your business likely isn't either. Secure your business and web presence with Domain Name System Security Extensions (DNSSEC).
The document discusses DNS attacks and how to prevent them. It begins by explaining what DNS is and how it works to translate domain names to IP addresses. It then outlines several common attacks against DNS like cache poisoning, amplification attacks, and DDoS attacks. The document recommends approaches to secure DNS like DNSSEC, which adds digital signatures to authenticate DNS data and prevent spoofing. It provides details on how DNSSEC works through cryptographic signing of DNS records and validation of signatures up the DNS hierarchy.
APNIC Director General Paul Wilson discusses APNIC’s support of updates to BIND to implement caching of NSEC responses, to reduce root server query loads.
1) The document discusses DNS basics including its hierarchical database structure with root and top level domains (TLDs) at the top, and its main components like authoritative servers, recursive resolvers, and resource records.
2) It explains key DNS concepts like domains, zones, and delegation between zones. Common resource record types and a sample zone file are also described.
3) The document covers potential DNS issues like cache poisoning and vulnerabilities if data is not validated, which DNS Security Extensions (DNSSEC) aims to address through cryptographic signing of resource records.
ION Tokyo slides for "The Business Case for Implementing DNSSEC" by Dan York (Internet Society).
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall" (Barry Greene)
Learn how to turn your network’s DNS into a Security Tool! Webinar-Oct 12th
What do you do if the security tools are not protecting your network? Cyber-criminals are constantly finding ways to bypass your security tools and own your network. When the threat changes, you should grow with the threat: think outside the box, using tools that the criminals have not yet considered, namely the DNS.
ISC’s Internet-critical open source DNS software BIND has a new feature that turns a DNS caching resolver into a tool to help protect your network from malware. All the computers in your network must contact your DNS resolvers to get to the outside world. Your DNS resolvers are a critical “choke-point” through which all devices in your network must pass to reach the outside world. This "choke-point" is a logical place to put security capabilities that check whether a domain is "clean" or "dirty."
How can you have your DNS resolver check whether a domain is clean or dirty? Use BIND’s new feature, the DNS Response Policy Zone (DNSRPZ). DNSRPZ uses secure and fast zone transfer technologies to pull down blacklists of bad domains and load them into your DNS resolver.
The archived recording of the Webinar is here: www.isc.org/webinars
Who should watch this Webinar?
E-mail Administrators: Find out how DNSRPZ offers a more effective way to work with anti-spam blacklists.
Network Operators: Learn how DNSRPZ can be used inside your network to keep your users from being inadvertently infected by malware, zero-days, and malvertisements.
Security Engineers: Discover how DNSRPZ is a tool to help contain infections that get into your network and try to “call home” to a BOTNET controller.
Hosting Providers: By default, most of your hosting customers are using your DNS resolvers. Learn how DNSRPZ can help prevent and contain the threat of your customers getting infected.
Service Providers: Learn how to turn your DNS services into a tool to help protect all your customers from infection.
Mobile Telecoms Operators: Find a new tool that would prevent miscreant smart phone applications from calling home with DNS and infecting your customer’s phones.
SCADA and Critical Industrial System Operators: Learn how DNSRPZ is a tool to help protect legacy control systems that need DNS to work.
How DNS works and How to secure it: An Introduction (yasithbagya1)
The document discusses DNS (Domain Name System) and how to secure it. It explains that DNS translates domain names to IP addresses, involving recursive queries to root nameservers and authoritative nameservers. Common DNS attacks are spoofing, poisoning, hijacking, amplification and flooding. Recommended security measures include DNS encryption using DNS over HTTPS and TLS, DNSSEC for response authentication, DNSCrypt for encryption and anonymity, redundant infrastructure for DDoS protection, and DNS firewalls.
Learn to choose and set up ThousandEyes DNS tests to systematically monitor the DNS records and servers for domains critical to your business.
See the full webinar and the rest of the series at https://www.thousandeyes.com/resources/monitoring-dns-records-servers-webinar
In this presentation there is detailed information regarding the Domain Name System, that is, DNS.
What DNS is, how it works, queries, resolution, etc. are all covered thoroughly in this presentation, as it is intended to help new Engineering students learn about DNS and also to help employees gain a better understanding of the protocol.
The complete agenda of the presentation is to provide detailed knowledge regarding DNS, as it is the most basic protocol used in web development.
Hope you like it. If so, please like, share and subscribe.
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38] (APNIC)
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It discusses how DNSSEC introduces digital signatures to cryptographically protect DNS data and prevent man-in-the-middle attacks. It also describes some common DNS record types used in DNSSEC like DNSKEY, RRSIG, and DS. The document notes that while DNSSEC deployment has increased in top-level domains and root servers, adoption remains low at the second-level domain level, and more work is still needed for full deployment.
This document discusses DNS cache poisoning. It begins by explaining what DNS is and its purpose of mapping domain names to IP addresses. It then discusses how DNS servers implement caching to improve performance and defines DNS cache poisoning as getting unauthorized entries into a DNS server's cache. The document outlines how an attacker could poison a cache to redirect traffic to a machine they control in order to perform man-in-the-middle attacks or install malware. It describes various methods of poisoning caches locally or remotely, such as between end users and nameservers or between nameservers themselves using the Kaminsky attack. Defenses like DNSSEC are mentioned along with encouragement to try cache poisoning in a controlled lab environment.
This document discusses strategies for improving the resilience of the Domain Name System (DNS) against distributed denial-of-service (DDoS) attacks. It outlines how caching of DNSSEC-signed responses for non-existent domain names can help prevent unnecessary queries from reaching the DNS root servers. The document details an initiative by APNIC to sponsor the inclusion of this NSEC caching in the upcoming BIND 9.12 release, which would help distribute DNS query load more efficiently and mitigate DDoS attacks targeting the root servers.
The document provides an overview of the Domain Name System (DNS) and how it works. DNS translates domain names to IP addresses and vice versa. It operates as a hierarchical, distributed database with delegated authority. DNS queries start at the root servers and follow referrals down through top-level domain servers, registry servers, and finally to authoritative name servers for the domain being looked up. DNS is essential for accessing resources on the internet and allows websites, email servers, and other internet infrastructure to be located by name rather than IP address.
The document discusses re-engineering the root of the DNS to improve its resilience against attacks. It describes how the DNS and root servers currently work, and issues like anycast root servers and caching. Recent initiatives by APNIC aim to leverage DNSSEC to have recursive resolvers cache NXDOMAIN responses for non-existent domain ranges from the root zone. This would allow resolvers to directly answer 70% of queries, reducing root server load. Features like local root secondaries and NSEC caching are presented as ways to distribute the root load to edge resolvers through caching, rather than amplifying queries to the root.
Learn about the essentials of the Domain Name System (DNS), including name resolution, different record types, roots, zones, authority and recursion.
See the full webinar and the rest of the series at https://www.thousandeyes.com/resources/intro-to-dns-webinar
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A domain name represents an Internet Protocol (IP) resource ultimately identifiable by a numeric IP address. DNS servers store records that map domain names to IP addresses and vice versa. The DNS hierarchy consists of root name servers at the top, authoritative name servers for top-level domains and their subdomains below them. When a user enters a domain name, the DNS server first checks its cache and if it doesn't find a match, it queries authoritative name servers to resolve the IP address associated with the domain name.
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
APNIC Director General, Paul Wilson, talks about APNIC's support of updates to BIND to implement caching of NSEC responses to reduce root server query load.
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...JosephTesta9
This document summarizes Chris Partridge's work on scraping and analyzing DNS data to generate threat intelligence. It discusses scraping domain and DNS data at scale, analyzing it for anomalies, integrating threat intelligence, and limitations. The goal is to develop proactive threat intelligence by identifying relationships between domains, IPs, and known bad actors from DNS data and intelligence. Future work includes scaling up data collection, distributed analysis, and integrating findings into security tools.
This document provides an overview of geo-DNS and how it works. Geo-DNS allows DNS servers to return different IP addresses for a domain based on the geographic location of the requester. It works by DNS servers checking the requester's location using geoIP databases and returning the corresponding IP address based on the requester's assigned host group. The document describes the basic DNS process and how geo-DNS integrates location data to dynamically route requests to different IP addresses for a domain based on the requester's location.
23 November 2017 - At ION Belgrade, Kevin Meynell discusses what happened at the recent IETF meeting, and how to get involved in the open Internet standards community.
The document provides information about the Internet Society and its Deploy360 program. It summarizes that the Internet Society was founded 25 years ago to support the technical evolution and use of the Internet. Its Deploy360 program aims to advance the real-world deployment of protocols like IPv6, DNSSEC, and TLS by providing hands-on technical resources for networks. The program involves online documentation, events, and engaging with first adopters to share deployment experiences. It encourages participation through its website, social media, and industry events.
This document provides information about joining the Internet Society and its Serbia chapter to help preserve the open internet. It encourages attendees to get involved by creating content or providing feedback to help develop resources for internet deployments. Contact details and links are given to follow developments and access presentation materials from the conference.
September 2017 - Aftab Siddiqui presents on the Mutually Agreed Norms for Routing Security (MANRS), and how we can work together to improve the security and resiliency of the Internet's routing system.
18 September 2017 - ION Malta
What’s happening at the Internet Engineering Task Force (IETF)? What RFCs and Internet-Drafts are in progress related to IPv6, DNSSEC, Routing Security/Resiliency, and other key topics? We’ll give an overview of the ongoing discussions in several working groups and discuss the outcomes of recent Birds-of-a-Feather (BoF) sessions, and provide a preview of what to expect in future discussions.
Collaboration and shared responsibility are two pillars supporting the Internet’s growth and success. While the global routing system has worked well, it has significant security challenges that we must address. In this panel, security experts will discuss how we can create a culture of collective responsibility and improve the global routing system, including an introduction to the “Mutually Agreed Norms for Routing Security” (MANRS).
18 September 2017 - ION Malta
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the reasons for deploying DNSSEC, examine some of the challenges operators have faced, and address those challenges and move deployment forward.
18 September 2017 - Rick Lamb, ICANN, on DANE:
If you connect to a “secure” server using TLS/SSL (such as a web server, email server or xmpp server), how do you know you are using the correct certificate? With DNSSEC now being deployed, “DANE” (“DNS-Based Authentication of Named Entities”) has emerged allowing you to securely specify exactly which TLS/SSL certificate an application should use to connect to your site. DANE has great potential to make the Internet much more secure by marrying the strong integrity protection of DNSSEC with the confidentiality of SSL/TLS certificates. In this session, we will explain how DANE works and how you can use it to secure your websites, email, XMPP, VoIP, and other web services.
18 September 2017 - At ION Malta, Adam Peake discusses the IANA transition:
The IANA transition was successfully completed in October 2016 creating strengthened relationships between the IETF (Internet protocols and standards), Regional Internet Registries RIRs (IP addresses), and ccTLD and gTLD operators and TLD community and ICANN. A new organisation, Public Technical Identifiers (PTI), an affiliate of ICANN, is now responsible for performing the IANA functions and delivering the IANA Services on behalf of ICANN. The session will discuss these new arrangements and how they have enhanced ICANN’s accountability and transparency to the global Internet community. The session will also describe how ICANN is preparing for the Root KSK Rollover.
This document summarizes Finland's efforts to promote IPv6 adoption. It discusses the formation of the Finnish IPv6 Task Force to develop recommendations for IPv6 implementation. It also describes Finland's national IPv6 launch in 2015, where major ISPs enabled IPv6 for over 5 million broadband subscriptions. As a result, IPv6 usage increased significantly. The document discusses challenges faced during the transition like upgrading network equipment and changing attitudes. It concludes that while work remains, the launch was successful and IPv6 introduction costs can be limited by starting with easier implementations.
The document discusses Marco d'Itri's thoughts on the transition to IPv6. It describes the transition as ongoing, with no flag days, as IPv6 adoption grows. It notes that while IPv4 NAT is easy for access networks, it is difficult for servers. Many large content providers already use IPv6. The transition involves steps before IPv4 addresses ran out, the current transition period, and after the transition when IPv4 will be optional. IPv6 adoption is growing in several countries like Belgium and the US. Eventually IPv4-only islands will need to make themselves accessible over IPv6. The document provides advice on starting an IPv6 transition and offers a simple IPv6 addressing plan.
MANRS protects networks and reputations by preventing BGP leaks and spoofing that can saturate networks or attack infrastructure. Implementing MANRS filtering of BGP customers and spoofed traffic helps avoid these issues. It also allows other networks to filter your routes to prevent leaks. While RPSL is complex, registering autonomous systems and routes in the RIPE database through simple objects helps third parties and saves time for automation. Overall, MANRS establishes basic management practices that benefit networks by improving stability and security.
The document provides information about celebrating 25 years of the Internet Society and getting involved in various initiatives. It encourages readers to help shape the future of the internet, visit websites for more resources, follow social media accounts, and find presentation archives from a past conference. Contact details are also listed.
The document summarizes Thato Mfikwe's presentation at the ION Conference 2017 in Durban about the ISOC South Africa Gauteng Chapter. It provides details about the chapter's establishment, vision, pillars, membership reach across Africa and Europe, and projects from 2014-2016 and planned for 2017 focusing on community networks, policy engagement, outreach, and training. It also discusses ICT, internet governance landscape, topics at the ION conference including DNS, IPv6, cyber threats, and secure routing.
7 September 2017 - At ION Conference Durban, South Africa, Kevin Meynell discusses what's happening at the IETF in the world of Internet standards, and how you can get involved in the process.
More from Deploy360 Programme (Internet Society) (20)
"NATO Hackathon Winner: AI-Powered Drug Search", Taras KlobaFwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event.
The objectives of the Lunch and Learn presentation were to:
- Review what KM ‘is’ and ‘isn’t’
- Understand the value of KM and the benefits of engaging
- Define and reflect on your “what’s in it for me?”
- Share actionable ways you can participate in Knowledge - - Capture & Transfer
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
"Scaling RAG Applications to serve millions of users", Kevin GoedeckeFwdays
How we managed to grow and scale a RAG application from zero to thousands of users in 7 months. Lessons from technical challenges around managing high load for LLMs, RAGs and Vector databases.
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project.
📕 Detailed agenda:
Variables and Datatypes
Workflow Layouts
Arguments
Control Flows and Loops
Conditional Statements
💻 Extra training through UiPath Academy:
Variables, Constants, and Arguments in Studio
Control Flow in Studio
Session 1 - Intro to Robotic Process Automation.pdfUiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
2. Panelists
• Dan York, Internet Society
• Frederico Neves, NIC.BR
• Robert Martin-Legene, Packet Clearing House
www.internetsociety.org/deploy360/
3. Internet Society Deploy360 Programme
Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies:
• Case Studies
• Tutorials
• Videos
• Whitepapers
• News, information
English content, initially, but will be translated into other languages.
www.internetsociety.org/deploy360/ 12/5/12
4. What Problem Is DNSSEC Trying To Solve?
DNSSEC = "DNS Security Extensions"
• Defined in RFCs 4033, 4034, 4035
• Operational Practices: RFC 4641
Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user.
Let's walk through an example to explain…
5. A Normal DNS Interaction
[Diagram: Web Browser, DNS Resolver, Web Server]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver checks its local cache. If it has the answer, it sends it back.
3. Resolver answers: example.com 10.1.1.123
4. Browser connects to https://example.com/ at 10.1.1.123 and receives the web page
If not… (next slide)
6. A Normal DNS Interaction
[Diagram: Web Browser, DNS Resolver, root DNS Svr, .com DNS Svr, example.com DNS Svr, Web Server]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver asks a root DNS server, which refers it to the .com NS
3. Resolver asks the .com DNS server, which refers it to the example.com NS
4. Resolver asks the example.com DNS server, which answers 10.1.1.123
5. Resolver returns example.com 10.1.1.123 to the Browser (and caches it)
6. Browser connects to https://example.com/ at 10.1.1.123 and receives the web page
7. DNS Works On Speed
• First result received by a DNS resolver is treated as the correct answer.
• Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by:
• Getting to the correct point in the network to provide faster responses;
• Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses)
8. Attacking DNS
[Diagram: as slide 6, plus an Attacking DNS Svr at 192.168.2.2 answering for example.com]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver follows the referrals from the root and .com DNS servers as before
3. The Attacking DNS Svr gets its answer in first: example.com 192.168.2.2
4. Resolver returns 192.168.2.2 to the Browser (and caches it)
5. Browser connects to https://example.com/ at 192.168.2.2, the attacker's server, and receives its web page
6. The genuine answer (10.1.1.123) from the example.com DNS server arrives too late and is ignored
9. A Poisoned Cache
[Diagram: Web Browser, DNS Resolver, Web Server]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver cache now has wrong data: example.com 192.168.2.2
3. Resolver answers: example.com 192.168.2.2
4. Browser connects to https://example.com/ at 192.168.2.2 and receives the attacker's web page
This stays in the cache until the Time-To-Live (TTL) expires!
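The race on slides 7-9, as an added example that is not part of the Deploy360 deck: a toy resolver that keeps the first reply whose transaction ID (TXID) and question match, caches it until the TTL runs out, and two scenarios, one with a predictable TXID and one with an attacker blindly flooding guesses against a random 16-bit TXID. The resolver, reply format, addresses and arrival order are constructed assumptions for illustration; real resolvers also randomise the UDP source port, which this toy does not model.

```python
"""Toy stub resolver modelling slides 7-9: the first reply whose transaction
ID (TXID) and question match the outstanding query wins, and the winning
answer is cached until its TTL expires. Added example, not code from the
Deploy360 deck; names, addresses and arrival order are constructed."""
import itertools
import random
from dataclasses import dataclass

LEGIT_ADDR = "10.1.1.123"      # example.com on the slides
ATTACKER_ADDR = "192.168.2.2"  # the attacker's server on the slides


@dataclass(frozen=True)
class Reply:
    txid: int       # 16-bit transaction ID the sender claims to answer
    name: str
    address: str
    ttl: int        # seconds the answer may stay cached
    source: str     # "legit" or "attacker": bookkeeping for the demo only


class FirstAnswerResolver:
    """Caches whichever matching reply arrives first; no DNSSEC validation."""

    def __init__(self, txid_source):
        self._next_txid = txid_source   # callable returning the next TXID
        self._cache = {}                # name -> (address, expires_at, source)
        self.now = 0                    # injectable clock, in seconds

    def lookup(self, name):
        """Return cached (address, source) while the TTL is live, else None."""
        entry = self._cache.get(name)
        if entry is None:
            return None
        address, expires_at, source = entry
        if self.now >= expires_at:
            del self._cache[name]       # TTL expired: must query again
            return None
        return address, source

    def resolve(self, name, replies):
        """Send a query for `name`; `replies` is the datagram stream in arrival
        order. The only check a classic resolver makes is that TXID and
        question match, so the first such reply is accepted and every later
        one (including the genuine answer) is discarded."""
        cached = self.lookup(name)
        if cached is not None:
            return cached
        txid = self._next_txid()
        for reply in replies:
            if reply.txid == txid and reply.name == name:
                self._cache[name] = (reply.address, self.now + reply.ttl,
                                     reply.source)
                return reply.address, reply.source
        return None                     # nothing usable arrived


def predictable_txid_scenario():
    """Old resolvers used a sequential TXID, so the attacker knows it.
    Returns what the browser gets (a) right after the attack, (b) while the
    poisoned entry is still cached, (c) after its TTL expired and a clean
    re-query reached the genuine server."""
    counter = itertools.count(1)
    resolver = FirstAnswerResolver(lambda: next(counter))
    forged = Reply(1, "example.com", ATTACKER_ADDR, ttl=3600, source="attacker")
    genuine = Reply(1, "example.com", LEGIT_ADDR, ttl=300, source="legit")
    first = resolver.resolve("example.com", [forged, genuine])  # attacker is faster
    resolver.now += 60
    still_cached = resolver.resolve("example.com", [])          # served from cache
    resolver.now += 3600                                         # TTL runs out
    genuine2 = Reply(2, "example.com", LEGIT_ADDR, ttl=300, source="legit")
    after_ttl = resolver.resolve("example.com", [genuine2])
    return first, still_cached, after_ttl


def blind_flood_scenario(guesses, seed=7):
    """Random 16-bit TXID: the attacker cannot see it, so it floods `guesses`
    forged replies numbered 0..guesses-1 ahead of the genuine answer. Returns
    (txid_used, poisoned). The hit chance is guesses/65536 per race, which is
    why TXID entropy alone, without source-port randomisation and DNSSEC, is
    not enough. The demo peeks at the TXID only to build a correctly numbered
    genuine reply; a real attacker cannot."""
    rng = random.Random(seed)
    resolver = FirstAnswerResolver(lambda: rng.randrange(0, 1 << 16))
    txid = random.Random(seed).randrange(0, 1 << 16)   # same seed, same draw
    flood = (Reply(t, "example.com", ATTACKER_ADDR, 3600, "attacker")
             for t in range(guesses))
    genuine = [Reply(txid, "example.com", LEGIT_ADDR, 300, "legit")]
    address, source = resolver.resolve("example.com", itertools.chain(flood, genuine))
    return txid, source == "attacker"
```

The two scenarios separate the two ingredients of a poisoning: "first matching reply wins" is built into the resolver, and the TXID is the only thing the attacker has to get right. Slide 10 onwards adds the check the resolver is missing here: a signature that the attacker cannot forge.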
10. How Does DNSSEC Help?
• DNSSEC introduces new DNS records for a domain:
• RRSIG – a digital signature over a set of DNS records (an RRset)
• DNSKEY – the public key a resolver uses to check the RRSIG
• A DNSSEC-validating DNS resolver:
• Uses the DNSKEY to verify the RRSIG over the received DNS records (the signature covers a hash of the records)
• If the signature verifies, the records are the same as those the zone signed. If it does NOT verify, they were potentially changed (or forged) in transit from the DNS server.
11. A DNSSEC Interaction
[Diagram: as slide 6, with the root, .com and example.com DNS servers]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver asks the root DNS server and is referred to .com
3. Resolver asks the .com DNS server and is referred to example.com
4. Resolver asks the example.com DNS server, which answers 10.1.1.123 together with its DNSKEY and RRSIGs
5. Resolver validates the RRSIGs with the DNSKEY and returns example.com 10.1.1.123 to the Browser
6. Browser connects to https://example.com/ at 10.1.1.123 and receives the web page
12. But Can DNSSEC Be Spoofed?
• But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed?
• An additional record was introduced, the "Delegation Signer (DS)" record
• It is a fingerprint (hash) of the DNSKEY record, sent to the TLD registry and published in the parent zone, where it is signed with the parent's key
• Provides a global "chain of trust" from the root of DNS down to the domain
• Attackers would have to compromise the registry (the parent zone's signing keys) to get a DS for their own key published
13. A DNSSEC Interaction
[Diagram: as slide 11; the root DNS Svr now holds the .com NS and DS records, and the .com DNS Svr holds the example.com NS and DS records]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver asks the root DNS server and receives the .com NS referral plus the DS for .com
3. Resolver asks the .com DNS server and receives the example.com NS referral plus the DS for example.com
4. Resolver asks the example.com DNS server, which answers 10.1.1.123 with its DNSKEY and RRSIGs
5. Resolver checks the DNSKEY against the DS from .com, validates the RRSIGs, and returns example.com 10.1.1.123 to the Browser
6. Browser connects to https://example.com/ at 10.1.1.123 and receives the web page
14. The Global Chain of Trust
[Diagram: same as slide 13. The DS record in the root zone vouches for the .com DNSKEY, and the DS record in .com vouches for the example.com DNSKEY, so the resolver can trace every signature back to the root.]
15. Attempting to Spoof DNS
[Diagram: as slide 13, plus an Attacking DNS Svr at 192.168.2.2 answering for example.com with its own DNSKEY and RRSIGs]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver follows the referrals (and collects the DS records) from the root and .com DNS servers
3. The Attacking DNS Svr gets its answer in first: example.com 192.168.2.2, with the attacker's DNSKEY and RRSIGs
4. Resolver checks the attacker's DNSKEY against the DS record published by .com: it does not match
(The genuine answer, 10.1.1.123 with the real DNSKEY and RRSIGs, is the one the DS record vouches for)
16. Attempting to Spoof DNS
[Diagram: same as slide 15, with the outcome]
4. The attacker's DNSKEY and RRSIGs fail validation, so the Resolver returns SERVFAIL to the Browser instead of 192.168.2.2
The Browser never connects to the attacker's server at 192.168.2.2.
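The validation walk on slides 10-16, as an added example that is not code from the Deploy360 deck or from any DNSSEC implementation: each zone signs its records with its key, the parent publishes a DS (a hash of the child's DNSKEY), and a validating resolver starts from a root trust anchor and checks every link down to the A record. The attacker's server on slides 15-16 supplies its own DNSKEY and RRSIGs, which fail at the DS check, so the resolver returns SERVFAIL. Textbook RSA over SHA-256 and a plain string encoding stand in for the real DNSSEC algorithms and RFC 4034 wire formats; the zone names, key seeds and addresses are constructed for illustration.

```python
"""DNSSEC chain of trust as on slides 10-16 (added example, not the deck's
code). Textbook RSA over SHA-256 and a string encoding stand in for the real
algorithms and RFC 4034 wire formats; names, key seeds and addresses are
constructed for illustration."""
import hashlib
import math
import random

E = 65537


def _is_prime(n, rng, rounds=32):
    """Miller-Rabin for an odd n; demo-sized keys only."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(seed, bits=128):
    """Deterministic toy RSA pair: public (e, n), private (d, n)."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c not in primes and _is_prime(c, rng):
            primes.append(c)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    if math.gcd(E, phi) != 1:             # rare; derive another seed
        return keygen(seed + 1000, bits)
    return (E, n), (pow(E, -1, phi), n)


def _digest(owner, rtype, rdata):
    """Hash of the canonical one-record RRset that an RRSIG covers."""
    return int.from_bytes(hashlib.sha256(f"{owner} {rtype} {rdata}".encode()).digest(), "big")


def sign(priv, owner, rtype, rdata):      # toy RRSIG
    d, n = priv
    return pow(_digest(owner, rtype, rdata) % n, d, n)


def verify(pub, owner, rtype, rdata, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(owner, rtype, rdata) % n


def ds_rdata(owner, pub):
    """DS = SHA-256 of the child's DNSKEY, published and signed by the parent."""
    return hashlib.sha256(f"{owner} DNSKEY {pub[0]}:{pub[1]}".encode()).hexdigest()


class Zone:
    """Authoritative server for one zone: keeps the key, signs on demand."""
    def __init__(self, name, seed):
        self.name, (self.pub, self._priv) = name, keygen(seed)
        self.records = {(name, "DNSKEY"): f"{self.pub[0]}:{self.pub[1]}"}

    def add(self, owner, rtype, rdata):
        self.records[(owner, rtype)] = rdata

    def delegate(self, child):            # parent publishes the child's DS
        self.add(child.name, "DS", ds_rdata(child.name, child.pub))

    def answer(self, owner, rtype):       # (rdata, RRSIG), as sent on the wire
        rdata = self.records[(owner, rtype)]
        return rdata, sign(self._priv, owner, rtype, rdata)


class ValidatingResolver:
    def __init__(self, servers, trust_anchor):
        self.servers = servers            # zone name -> Zone answering for it
        self.trust_anchor = trust_anchor  # DS of the root key, configured out of band

    def _zone_key(self, zone, expected_ds):
        """The DNSKEY must hash to the DS its parent signed, and sign itself."""
        rdata, sig = self.servers[zone].answer(zone, "DNSKEY")
        pub = tuple(int(x) for x in rdata.split(":"))
        if ds_rdata(zone, pub) != expected_ds or not verify(pub, zone, "DNSKEY", rdata, sig):
            raise ValueError(f"{zone}: DNSKEY not trusted")
        return pub

    def resolve_a(self, name):
        """Walk root -> TLD -> domain; return the A rdata or "SERVFAIL"."""
        try:
            labels = name.split(".")
            zone, pub = ".", self._zone_key(".", self.trust_anchor)
            for i in range(len(labels) - 1, -1, -1):   # one zone cut per label here
                child = ".".join(labels[i:])
                ds, sig = self.servers[zone].answer(child, "DS")
                if not verify(pub, child, "DS", ds, sig):
                    raise ValueError(f"{child}: bad RRSIG over DS")
                zone, pub = child, self._zone_key(child, ds)
            rdata, sig = self.servers[zone].answer(name, "A")
            if not verify(pub, name, "A", rdata, sig):
                raise ValueError(f"{name}: bad RRSIG over A")
            return rdata
        except (KeyError, ValueError):
            return "SERVFAIL"             # slide 16: validation failed


def build_internet():
    """Root, .com and example.com as on slides 13-14, plus the root trust anchor."""
    root, com, example = Zone(".", 1), Zone("com", 2), Zone("example.com", 3)
    root.delegate(com)
    com.delegate(example)
    example.add("example.com", "A", "10.1.1.123")
    return {".": root, "com": com, "example.com": example}, ds_rdata(".", root.pub)


def lookups():
    """Genuine answer; then the attacker's server (slides 15-16) wins the race
    with its own DNSKEY and RRSIGs while .com's DS still names the genuine key.
    Returns (honest, spoofed, what a non-validating resolver would have cached)."""
    servers, anchor = build_internet()
    honest = ValidatingResolver(servers, anchor).resolve_a("example.com")
    attacker = Zone("example.com", 666)
    attacker.add("example.com", "A", "192.168.2.2")
    servers["example.com"] = attacker
    spoofed = ValidatingResolver(servers, anchor).resolve_a("example.com")
    return honest, spoofed, attacker.answer("example.com", "A")[0]
```

The attacker's signatures are perfectly valid for the attacker's key; what defeats them is that the key is not the one .com's DS names, which is exactly the point of slide 12. Note also that the resolver needs only one thing configured in advance, the root trust anchor, and derives every other key from signed data.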
17. What DNSSEC Proves:
• "These ARE the IP addresses you are looking for." (or they are not)
• Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user.
18. The Two Parts of DNSSEC
Signing: Registries, Registrars, DNS Hosting
Validating: Applications, Enterprises, ISPs
19. DNSSEC Signing - The Individual Steps
Registry:
• Signs TLD
• Accepts DS records
• Publishes/signs records
Registrar:
• Accepts DS records
• Sends DS to registry
• Provides UI for mgmt
DNS Hosting Provider:
• Signs zones
• Publishes all records
• Provides UI for mgmt
Domain Name Registrant:
• Enables DNSSEC (unless automatic)
21. Why Do I Need DNSSEC If I Have SSL?
• A common question: why do I need DNSSEC if I already have an SSL certificate? (or an "EV-SSL" certificate?)
• SSL (more formally known today as Transport Layer Security (TLS)) solves a different issue – it provides encryption and protection of the communication between the browser and the web server
22. The Typical TLS (SSL) Web Interaction
[Diagram: Web Browser, DNS Resolver, root/.com/example.com DNS Svrs, Web Server]
1. Web Browser asks the DNS Resolver: example.com?
2. Resolver queries the root, .com and example.com DNS servers
3. The example.com DNS server answers 10.1.1.123
4. Resolver returns 10.1.1.123 to the Browser
5. Browser connects to https://example.com/ at 10.1.1.123
6. Web Server returns the TLS-encrypted web page
23. The Typical TLS (SSL) Web Interaction
[Diagram: same as slide 22]
The Web Browser receives a TLS-encrypted web page from 10.1.1.123. But is this encrypted with the CORRECT certificate?
24. What About This?
[Diagram: Web Browser, Firewall (or attacker) at 1.2.3.4, Web Server, DNS Server]
The Browser resolves www.example.com and connects to https://www.example.com/ through the Firewall (or attacker) at 1.2.3.4.
1. Web Server sends the TLS-encrypted web page with the CORRECT certificate to the Firewall
2. Firewall sends the Browser a TLS-encrypted web page with a NEW certificate (re-signed by the firewall)
25. Problems?
[Diagram: same as slide 24. The Firewall at 1.2.3.4 decrypts the page that arrived under the CORRECT certificate and re-encrypts it for the Browser under a NEW certificate it signed itself.]
26. Problems?
[Diagram: same as slide 24, with one addition]
Because the Firewall holds the plaintext between steps 1 and 2, it can send it to log files or other servers, potentially including personal information.
27. Issues
A Certificate Authority (CA) can sign ANY domain.
Now over 1,500 CAs – there have been compromises where valid certs were issued for domains.
Middle-boxes such as firewalls can re-sign sessions.
28. A Powerful Combination
• TLS = encryption + limited integrity protection
• DNSSEC = strong integrity protection
• How to get encryption + strong integrity protection?
• TLS + DNSSEC = DANE
29. DNS-Based Authentication of Named Entities (DANE)
• Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
• A: Store the certificate (or its fingerprint) in DNS (new TLSA record) and sign it with DNSSEC.
A browser that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
The certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate.
30. DANE
[Diagram: Web Browser w/DANE, DNS Server, Firewall (or attacker), Web Server]
The Browser asks DNS for example.com and receives 10.1.1.123 together with the DNSKEY, RRSIGs and TLSA records. It then connects to https://example.com/ through the Firewall (or attacker).
1. Web Server sends the TLS-encrypted web page with the CORRECT certificate to the Firewall
2. Firewall sends the Browser a TLS-encrypted web page with a NEW certificate (re-signed by the firewall), and could also copy the plaintext to log files or other servers
The DANE-equipped browser compares the TLS certificate it received with what DNS / DNSSEC says it should be.
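The comparison the DANE-equipped browser makes on slide 30, as an added example that is not code from the deck or from any browser: it builds the TLSA record a DNS hosting provider's interface would accept (the deployment step on slide 33) and checks a presented certificate against it using the selector and matching-type fields of RFC 6698. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, since parsing X.509 is outside this example, and the TLSA RRset is assumed to have already passed DNSSEC validation.

```python
"""DANE certificate matching as on slides 29-30 (added example, not the deck's
code). Selector and matching-type handling follow RFC 6698; the certificate
and SPKI bytes are constructed placeholders, not real DER, and the TLSA RRset
is assumed to have passed DNSSEC validation already."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Presented:
    """What the client saw in the TLS handshake (constructed stand-ins)."""
    cert_der: bytes     # whole end-entity certificate
    spki_der: bytes     # its SubjectPublicKeyInfo (the public key)


# Constructed sample material: the site's genuine certificate and the one a
# re-signing firewall (slides 24-26) hands the browser instead.
GENUINE = Presented(cert_der=b"constructed:cert:example.com:genuine",
                    spki_der=b"constructed:spki:example.com:genuine-key")
RESIGNED = Presented(cert_der=b"constructed:cert:example.com:firewall",
                     spki_der=b"constructed:spki:firewall-ca-key")


def tlsa_data(presented, selector, matching_type):
    """Association data a TLSA record carries for this certificate.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo (RFC 6698 2.1.2)
    matching_type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698 2.1.3)
    Raises KeyError for values this client does not implement."""
    blob = {0: presented.cert_der, 1: presented.spki_der}[selector]
    if matching_type == 0:
        return blob.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](blob).hexdigest()


def make_tlsa(presented, usage=3, selector=1, matching_type=1):
    """Presentation form a hosting provider's UI would accept, e.g.
    _443._tcp.example.com. IN TLSA 3 1 1 <sha256 of SPKI>.
    Usage 3 (DANE-EE) pins the end-entity cert itself: self-signed is fine."""
    return f"{usage} {selector} {matching_type} {tlsa_data(presented, selector, matching_type)}"


def parse_tlsa(rdata):
    usage, selector, mtype, data = rdata.split()
    return int(usage), int(selector), int(mtype), data.lower()


def dane_matches(tlsa_records, presented):
    """True if any usable TLSA record matches the presented certificate.
    Only usage 3 (DANE-EE) is checked here: usages 0-2 additionally need
    the certificate chain (a CA or trust-anchor match), which this toy
    does not carry. Records with unknown fields are ignored, as RFC 6698
    requires, rather than treated as a match."""
    for rdata in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage != 3:
            continue
        try:
            if tlsa_data(presented, selector, mtype) == data:
                return True
        except KeyError:
            continue
    return False


def scenario():
    """Domain holder publishes a 3 1 1 record for the genuine key; returns
    (genuine cert accepted, firewall-re-signed cert accepted)."""
    records = [make_tlsa(GENUINE)]
    return dane_matches(records, GENUINE), dane_matches(records, RESIGNED)
```

Pinning the SubjectPublicKeyInfo (selector 1) rather than the whole certificate lets the site renew its certificate without touching DNS as long as the key stays the same; the firewall's replacement certificate necessarily carries a different key, which is why it fails here no matter which CA signed it.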
31. DANE – Not Just For The Web
• DANE defines a protocol for storing TLS certificates (or their fingerprints) in DNS
• Securing Web transactions is the obvious use case
• Other uses also possible:
• Email via S/MIME
• VoIP
• Jabber/XMPP
• ?
32. DANE Resources
DANE Overview and Resources:
• http://www.internetsociety.org/deploy360/resources/dane/
IETF Journal article explaining DANE:
• http://bit.ly/dane-dnssec
RFC 6394 - DANE Use Cases:
• http://tools.ietf.org/html/rfc6394
RFC 6698 – DANE Protocol:
• http://tools.ietf.org/html/rfc6698
33. How Do We Get DANE Deployed?
Developers:
• Add DANE support into applications (see list of libraries)
DNS Hosting Providers:
• Provide a way that customers can enter a "TLSA" record into DNS as defined in RFC 6698 ( http://tools.ietf.org/html/rfc6698 )
• This will start getting TLS certificates into DNS so that when browsers support DANE they will be able to use them.
• [More tools are needed to help create TLSA records – ex. hash-slinger ]
Network Operators / Enterprises / Governments:
• Start talking about the need for DANE
• Express desire for DANE to app vendors (especially browsers)
34. Opportunities
• DANE is just one example of new opportunities brought
about by DNSSEC
• Developers and others already exploring new ideas
36. Steps TLD Operators Can Take:
1. Sign your TLD!
• Tools and services available to help automate the process
2. Accept DS records
• Make it as easy as possible (and accept multiple records)
3. Work with your registrars
• Help them make it easy for DNS hosting providers and registrants
4. Help With Statistics
• Can you help by providing statistics?
Implement DNSSEC and make your TLD more secure!
37. Three Requests For Network Operators
1. Deploy DNSSEC-validating DNS resolvers
2. Sign your own domains where possible
3. Help promote support of DANE protocol
• Allow usage of TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
38. Internet Society Deploy360 Programme
Can You Help Us With:
• Case Studies?
• Tutorials?
• Videos?
How Can We Help You?
39. Dan York, CISSP
Senior Content Strategist, Internet Society
york@isoc.org
Thank You!
40. Download A DNSSEC Whitepaper
“Challenges and Opportunities in Deploying DNSSEC”
http://bit.ly/isoc-satin2012