RIPE 82: DNS Evolution
Geoff Huston
APNIC Labs
https://xkcd.com/1361/
Why pick on the DNS?
The DNS is used by everyone and everything
• Because pretty much everything you do on the net starts with a call to
the DNS
• If we could see your stream of DNS queries in real time we could easily
assemble a detailed profile of you and your interests and activities -
as it happens!
Why pick on the DNS?
The DNS is very easy to tap and tamper
• DNS queries are open and unencrypted
• DNS payloads are not secured and tampering cannot be readily detected
• DNS responses are often predictable and false answers can be injected
Why pick on the DNS?
The DNS is hard for users to trace
• No one knows exactly where their queries go
• No one can know precisely where their answers come from
What are we doing about this?
I’d like to look at this question by grouping our
responses into three areas of activity:
1. Adding authenticity to the DNS
2. Increasing the reliance on the DNS for application level
rendezvous functions
3. Plugging DNS information leaks
How can you trust the DNS answer?
• Send your query to the “right” IP address and you will get the “right”
answer!
Or
• Request a digital signature along with the DNS answer and validate
the answer using a pre-provisioned trusted key (DNSSEC)
Nope! No good!
So this must be the ‘right’ answer – yes?
So, let’s all use DNSSEC! Yes?
Is DNSSEC being used?
Yes, and No!
Who validates DNS responses?
https://stats.labs.apnic.net/dnssec
22% of users are behind DNSSEC-validating resolvers that will not resolve a badly signed DNS name
https://stats.labs.apnic.net/dnssec/XA
Who signs DNS Zones?
Public data on the DNSSEC zone signing rate is hard to define, and even harder to come by!
Problems with DNSSEC
• Large DNS responses cause robustness issues for DNS
• Getting large responses through the network has reliability issues with UDP packet
fragmentation and timing issues with signalled cut-over to TCP
• The validator has to perform a full backtrace query sequence to assemble the full
DNSSEC signature chain
• So the problem is that DNSSEC validation may entail a sequence of queries where
each of the responses may encounter UDP fragmentation packet loss
• And cryptographically stronger keys tend to be bigger keys over time, so
this issue is not going away!
• The stub-to-recursive hop is generally not using validation, so the user ends
up trusting the validating recursive resolver in any case, so the current
DNSSEC framework represents a lot of effort for only a marginal gain
Are we getting better at DNSSEC?
There is still a lot of room to improve our DNSSEC story
• Reducing validation-chain query delays using DNSSEC Chain responses?
• Using “denser” crypto algorithms to limit key and signature sizes?
• Using TCP for DNSSEC queries?
• NSEC3? Really?
• NSEC5? YMBK!
Authenticity in the DNS
• DNSSEC validation cannot prevent DNS eavesdropping,
interception or tampering – all it can do is withhold DNS responses
that are not “genuine”
• DNSSEC adoption is a trade-off in terms of additional costs of added
points of fragility, added delay and load points balanced against the
increased assurance of being able to place trust that the DNS
responses are authentic
1. Adding authenticity to the DNS
2. Increasing the reliance on the DNS for application
level rendezvous functions
3. Plugging DNS information leaks
It used to be so simple
• Query the DNS with a DNS service name
• Get a response with the IP host address where the service is located
• Use the application to negotiate a service session with the addressed
host
• All services that share a common name share a common IP host
address
But we wanted more:
We wanted to make a distinction between the service name and the
platform that hosted the service
• We wanted to have different services accessible using the same service name
• We wanted a collection of platforms to deliver the service associated with a
single service name
• We wanted to outsource different services to different service providers
• We wanted to steer the user to the “right” service provider for each user
• And we wanted it to be FAST!
• The concept of “go anywhere first and get redirected to an optimal service delivery
point” is considered to be not FAST
So we added Bells and Whistles
Place all of this optimisation into the DNS by:
• Mapping the service names to host names
• CNAME, DNAME and ANAME
• None of these are very satisfactory!
• The SRV record
• It’s either a Swiss Army knife or a chain saw massacre!
• Add the service name (port) and protocol (transport) to the service name and use this as
the query
• And get the DNS response to come back with a collection of service delivery points
• The Client Subnet query extension
• Tag the query with the querier to permit tailoring of the service response in the DNS
rather than in the application
More Bells (and Whistles!)
SVCB and HTTPSSVC Resource Records
• The “mega” response that can provide Application Level Protocols, IPv4 and
IPv6 addresses, ESNI key, priority
• Oh, and yes, there is an “alias form” that allows alias mapping at a zone apex
It’s faster, but…
• But as we add more instrumentation to the DNS, it becomes a generic
rendezvous tool, where a client forms a query based on an intended
service access and the DNS response provides a set of service
connection parameters that is potentially tailored to optimise the
delivered service
• This means that real time knowledge of a user’s DNS queries is
synonymous with knowledge of a user’s immediate intentions on the
network
• Which means that the DNS privacy issues become more critical than
ever!
1. Adding authenticity to the DNS
2. Increasing the reliance on the DNS for application
level rendezvous functions
3. Plugging DNS information leaks
Plugging the DNS leakage
• Query Name Minimisation to reduce the extravagant chattiness of the
DNS resolution process
• DNS over TLS on the stub to recursive paths
• Channel protection, remote end authentication and transport robustness
• DNS over HTTPS (/3) on the stub to recursive paths
• Channel protection, remote end authentication, transport robustness and
HTTP object semantics
• Oblivious DNS over HTTPS (/3) on the stub to recursive paths
• Hide the implicit end point identity / query name association leakage
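Added example (not from the original slides): a small Python model of what Query Name Minimisation changes, listing the names each authoritative server is shown with and without it. The query name and zone cuts are constructed sample data; query types, caching and error handling are not modelled.

```python
"""Which authoritative servers learn which names during iterative resolution."""


def to_labels(name):
    """Split a domain name into lower-case labels; the root is the empty list."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def to_name(labels):
    """Join labels back into a fully qualified name; the root is '.'."""
    return ".".join(labels) + "." if labels else "."


def ancestor(labels, depth):
    """The ancestor of the name that keeps only its last `depth` labels."""
    return labels[len(labels) - depth:] if depth else []


def names_seen(qname, zone_cuts, minimise):
    """Return [(zone, [names sent to that zone's servers]), ...] from the root down.

    zone_cuts holds the zone apexes on the path to qname. They are assumed
    known here; a real resolver discovers them from referrals.
    """
    q = to_labels(qname)
    cuts = {to_name(to_labels(z)) for z in zone_cuts} | {"."}
    trace, depth = [], 0
    while True:
        zone = to_name(ancestor(q, depth))
        seen, next_depth = [], None
        if not minimise or depth == len(q):
            # Classic behaviour: every server on the path gets the full name.
            seen.append(to_name(q))
            for d in range(depth + 1, len(q) + 1):
                if to_name(ancestor(q, d)) in cuts:
                    next_depth = d
                    break
        else:
            # Minimised: reveal one more label at a time until a referral.
            for d in range(depth + 1, len(q) + 1):
                candidate = to_name(ancestor(q, d))
                seen.append(candidate)
                if candidate in cuts:
                    next_depth = d
                    break
        trace.append((zone, seen))
        if next_depth is None:
            return trace
        depth = next_depth


def zones_shown(trace, qname):
    """Zones whose servers were sent the complete query name."""
    full = to_name(to_labels(qname))
    return [zone for zone, seen in trace if full in seen]


# Constructed sample: no zone cut at "dept", so example.com serves the leaf.
SAMPLE_QNAME = "www.dept.example.com"
SAMPLE_CUTS = [".", "com", "example.com"]

if __name__ == "__main__":
    for minimise in (False, True):
        print("minimised" if minimise else "classic")
        for zone, seen in names_seen(SAMPLE_QNAME, SAMPLE_CUTS, minimise):
            print(f"  servers for {zone:<13} see {', '.join(seen)}")
```

With minimisation only the zone that actually holds the answer is shown the full name; the root and TLD servers see just the next label down.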
Coming soon?
• Extending DNS channel protection to the recursive to authoritative
hops
(Although this may be tougher than it looks at first!)
Scaling with Encrypted Channels
• Session level encryption involves session establishment and
maintenance overhead
• Typically this entails a TCP overhead (directly or within a QUIC envelope) and
a TLS overhead
• This can be amortised through session reuse
• Session reuse is most effective on the stub to recursive paths
• The secure Web infrastructure points to ways that we can scale an
encrypted DNS infrastructure, but the economics of the DNS are
somewhat different than those of the web
Will all this be deployed?
Can we do this?
• Pretty clearly we have most of the tools available to achieve all of
these objectives
• Leverage TLS to provide session level encryption
• Leverage HTTPS to push stub resolution functions into applications
• Use the DNS HTTPSSVC to provide the ESNI key
• Yes we can!
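Added example (not from the original slides): what "pushing stub resolution into applications" over HTTPS looks like on the wire, as a Python sketch that builds an RFC 8484 DoH GET request from an ordinary DNS query message and decodes it again as the server would. The resolver URL is a hypothetical placeholder and no network traffic is sent.

```python
"""Build an RFC 8484 DNS-over-HTTPS GET request from a DNS wire-format query."""
import base64
import struct

QTYPES = {"A": 1, "AAAA": 28, "HTTPS": 65}       # numeric RR types used below
ACCEPT_HEADER = "application/dns-message"         # media type defined by RFC 8484
SAMPLE_RESOLVER = "https://doh.example/dns-query"  # hypothetical endpoint


def encode_qname(name):
    """Encode a domain name as length-prefixed labels ending in a zero octet."""
    name = name.rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A"):
    """One-question query with RD set and ID 0 (RFC 8484 advises 0 for caching)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", QTYPES[qtype], 1)


def doh_get_url(resolver_url, name, qtype="A"):
    """The query travels as an unpadded base64url 'dns' parameter."""
    wire = build_query(name, qtype)
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def decode_dns_param(url):
    """Recover the wire-format message from a DoH GET URL."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def decode_question(wire):
    """Return (name, qtype) from a query, as the DoH server does on receipt."""
    pos, labels = 12, []          # the question section starts after the header
    while wire[pos]:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", wire[pos + 1:pos + 5])
    return ".".join(labels) + ".", qtype


if __name__ == "__main__":
    url = doh_get_url(SAMPLE_RESOLVER, "www.example.com")
    print("GET", url)
    print("Accept:", ACCEPT_HEADER)
    print("server decodes:", decode_question(decode_dns_param(url)))
```

An on-path observer of this request sees only a TLS session to the DoH server; the query name is visible to that server alone.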
Will we do this?
• This is a far more challenging question!
If HTTPS worked, why not DoH?
• Any change to the DNS requires user configuration, or a change
of host and/or CPE behaviour. Neither of these changes will easily
gather deployment momentum
• There is no untapped financial return in DNS resolution, so this is not
an activity that has strong commercial impetus
• Many public environments use DNS oversight and alteration as a
means of content moderation - there is little appetite to make that
role harder to perform
• Browser vendors have far more limited leverage in the DNS, as
compared to content delivery over HTTP
The DNS Economy
• In the public Internet, end clients don’t normally pay directly for DNS
recursive resolution services
• Which implies that outside of the domain of the local ISP, DNS
resolvers are essentially unfunded by the resolver’s clients
• And efforts to monetise the DNS with various forms of funded
misdirection (such as NXDOMAIN substitution) are generally viewed
with extreme disfavour
• Open Resolver efforts run the risk of success-disaster
• The more they are used, the greater the funding problem
• The greater the funding problem the greater the temptation to monetise the
DNS resolver function in more subtle ways
The DNS Economy
• The default option is that the ISP funds and operates the recursive DNS
service, funded by the ISP’s client base
• 70% of all end clients use same-network recursive resolvers
• However, the fact that it works today does not mean that you can
double the input costs and expect it to just keep on working
tomorrow
• For ISPs the DNS is usually a cost department, not a revenue source
• We should expect strong resistance from ISPs to increase their costs in DNS
service provision
• The DNS is also highly resistant to changes in the edge infrastructure
Where is this heading?
• Will any of these privacy approaches become mainstream in the
public Internet?
My Opinion
• ISP-based provisioning of DNS servers without channel encryption will
continue to be the mainstream of the public DNS infrastructure
• Most users don’t change their platform settings from the defaults and
CPE based service provisioning in the wired networks and direct
provisioning in mobile networks will persist
• But that’s not the full story...
Fragmenting the DNS
• It appears more likely that those applications that want to tailor their
DNS use to adopt a more private profile will hive off to use DoH to an
application-selected DNS service, while the platform itself will
continue to use libraries that will default to DNS over UDP to the
ISP-provided recursive DNS resolver
• That way the application’s ecosystem can fund its own DNS privacy
infrastructure and avoid waiting for everyone else to make the
necessary infrastructure and service investments before they can
adopt DNS privacy themselves
• The prospect of application-specific naming services is a very real
prospect in such a scenario
Those parts of the environment with sufficient motivation and resources will simply stop waiting for everyone else to move and they will just do what they feel they need to do!
It’s life Jim, but not as we know it!
• The progression here is an evolution from network-centric services to
platform-centric services to today’s world of application-centric
services
• It’s clear that the DNS is being swept up in this shift, and the DNS is
changing in almost every respect
• The future prospects of a single unified coherent name space as
embodied in the DNS, as we currently know it, for the entire internet
service domain are looking pretty poor right now!
Thanks!

Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 

Recently uploaded

Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 

Recently uploaded (20)

Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 

RIPE 82: DNS Evolution

  • 3. Why pick on the DNS? The DNS is used by everyone and everything
      • Because pretty much everything you do on the net starts with a call to the DNS
      • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities - as it happens!
  • 4. Why pick on the DNS? The DNS is very easy to tap and tamper
      • DNS queries are open and unencrypted
      • DNS payloads are not secured and tampering cannot be readily detected
      • DNS responses are often predictable and false answers can be injected
  • 5. Why pick on the DNS? The DNS is hard for users to trace
      • No one knows exactly where their queries go
      • No one can know precisely where their answers come from
  • 6. What are we doing about this? I’d like to look at this question by grouping our responses into three areas of activity:
      1. Adding authenticity to the DNS
      2. Increasing the reliance on the DNS for application level rendezvous functions
      3. Plugging DNS information leaks
  • 7.
      1. Adding authenticity to the DNS
      2. Increasing the reliance on the DNS for application level rendezvous functions
      3. Plugging DNS information leaks
  • 8. How can you trust the DNS answer?
      • Send your query to the “right” IP address and you will get the “right” answer!
      Or
      • Request a digital signature along with the DNS answer and validate the answer using a pre-provisioned trusted key (DNSSEC)
  • 9. How can you trust the DNS answer?
      • Send your query to the “right” IP address and you will get the “right” answer!
      Or
      • Request a digital signature along with the DNS answer and validate the answer using a pre-provisioned trusted key (DNSSEC)
      Nope! No good!
      So this must be the ‘right’ answer – yes?
      So, let’s all use DNSSEC! Yes?
  • 10. Is DNSSEC being used? Yes, and No!
  • 11. Is DNSSEC being used? Yes and No! Who validates DNS responses? https://stats.labs.apnic.net/dnssec
  • 12. Is DNSSEC being used? Yes and No! Who validates DNS responses?
      • 22% of users are behind DNSSEC-validating resolvers that will not resolve a badly signed DNS name
      https://stats.labs.apnic.net/dnssec/XA
  • 13. Is DNSSEC being used? Yes and No! Who signs DNS Zones?
      • Public data on the DNSSEC zone signing rate is hard to define, and even harder to come by!
  • 14. Problems with DNSSEC
      • Large DNS responses cause robustness issues for DNS
      • Getting large responses through the network has reliability issues with UDP packet fragmentation and timing issues with signalled cut-over to TCP
      • The validator has to perform a full backtrace query sequence to assemble the full DNSSEC signature chain
      • So the problem is that DNSSEC validation may entail a sequence of queries where each of the responses may encounter UDP fragmentation packet loss
      • And cryptographically stronger keys tend to be bigger keys over time, so this issue is not going away!
      • The stub-to-recursive hop is generally not using validation, so the user ends up trusting the validating recursive resolver in any case, so the current DNSSEC framework represents a lot of effort for only a marginal gain
  • 15. Are we getting better at DNSSEC? There is still a lot of room to improve our DNSSEC story
      • Reducing validation-chain query delays using DNSSEC Chain responses?
      • Using “denser” crypto algorithms to limit key and signature sizes?
      • Using TCP for DNSSEC queries?
      • NSEC3? Really?
      • NSEC5? YMBK!
  • 16. Authenticity in the DNS
      • DNSSEC validation cannot prevent DNS eavesdropping, interception or tampering – all it can do is withhold DNS responses that are not “genuine”
      • DNSSEC adoption is a trade-off in terms of additional costs of added points of fragility, added delay and load points balanced against the increased assurance of being able to place trust that the DNS responses are authentic
  • 17.
      1. Adding authenticity to the DNS
      2. Increasing the reliance on the DNS for application level rendezvous functions
      3. Plugging DNS information leaks
  • 18. It used to be so simple
      • Query the DNS with a DNS service name
      • Get a response with the IP host address where the service is located
      • Use the application to negotiate a service session with the addressed host
      • All services that share a common name share a common IP host address
  • 19. But we wanted more: We wanted to make a distinction between the service name and the platform that hosted the service
      • We wanted to have different services accessible using the same service name
      • We wanted a collection of platforms to deliver the service associated with a single service name
      • We wanted to outsource different services to different service providers
      • We wanted to steer the user to the “right” service provider for each user
      • And we wanted it to be FAST!
      • The concept of “go anywhere first and get redirected to an optimal service delivery point” is considered to be not FAST
  • 20. So we added Bells and Whistles. Place all of this optimisation into the DNS by:
      • Mapping the service names to host names
      • CNAME, DNAME and ANAME
      • None of these are very satisfactory!
      • The SRV record
      • It’s either a Swiss army knife or a chain saw massacre!
      • Add the service name (port) and protocol (transport) to the service name and use this as the query
      • And get the DNS response to come back with a collection of service delivery points
      • The Client Subnet query extension
      • Tag the query with the querier to permit tailoring of the service response in the DNS rather than in the application
  • 21. More Bells (and Whistles!) SVCB and HTTPSSVC Resource Records
      • The “mega” response that can provide Application Level Protocols, IPv4 and IPv6 addresses, ESNI key, priority
      • Oh, and yes, there is an “alias form” that allows alias mapping at a zone apex
  • 22. It’s faster, but…
      • But as we add more instrumentation to the DNS, it becomes a generic rendezvous tool, where a client forms a query based on an intended service access and the DNS response provides a set of service connection parameters that is potentially tailored to optimise the delivered service
      • This means that real-time knowledge of a user’s DNS queries is synonymous with knowledge of a user’s immediate intentions on the network
      • Which means that the DNS privacy issues become more critical than ever!
  • 23.
      1. Adding authenticity to the DNS
      2. Increasing the reliance on the DNS for application level rendezvous functions
      3. Plugging DNS information leaks
  • 24. Plugging the DNS leakage
      • Query Name Minimisation to reduce the extravagant chattiness of the DNS resolution process
      • DNS over TLS on the stub to recursive paths
      • Channel protection, remote end authentication and transport robustness
      • DNS over HTTPS (/3) on the stub to recursive paths
      • Channel protection, remote end authentication, transport robustness and HTTP object semantics
      • Oblivious DNS over HTTPS (/3) on the stub to recursive paths
      • Hide the implicit end point identity / query name association leakage
  • 25. Coming soon?
      • Extending DNS channel protection to the recursive to authoritative hops (although this may be tougher than it looks at first!)
  • 26. Scaling with Encrypted Channels
      • Session level encryption involves session establishment and maintenance overhead
      • Typically this entails a TCP overhead (directly or within a QUIC envelope) and a TLS overhead
      • This can be amortised through session reuse
      • Session reuse is most effective on the stub to recursive paths
      • The secure Web infrastructure points to ways that we can scale an encrypted DNS infrastructure, but the economics of the DNS are somewhat different than those of the web
  • 27. Will all this be deployed?
  • 28. Can we do this?
      • Pretty clearly we have most of the tools available to achieve all of these objectives
      • Leverage TLS to provide session level encryption
      • Leverage HTTPS to push stub resolution functions into applications
      • Use the DNS HTTPSSVC to provide the ESNI key
      • Yes we can!
  • 29. Will we do this?
      • This is a far more challenging question!
  • 30. If HTTPS worked, why not DoH?
      • Any change to the DNS requires user configuration, or a change of host and/or CPE behaviour, and neither kind of change will easily gather deployment momentum
      • There is no untapped financial return in DNS resolution, so this is not an activity that has strong commercial impetus
      • Many public environments use DNS oversight and alteration as a means of content moderation - there is little appetite to make that role harder to perform
      • Browser vendors have far more limited leverage in the DNS, as compared to content delivery over HTTP
  • 31. The DNS Economy
      • In the public Internet, end clients don’t normally pay directly for DNS recursive resolution services
      • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients
      • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour
      • Open Resolver efforts run the risk of success-disaster
      • The more they are used, the greater the funding problem
      • The greater the funding problem, the greater the temptation to monetise the DNS resolver function in more subtle ways
  • 32. The DNS Economy
      • The default option is that the ISP funds and operates the recursive DNS service, funded by the ISP’s client base
      • 70% of all end clients use same-network recursive resolvers
      • However, the fact that it works today does not mean that you can double the input costs and expect it to just keep on working tomorrow
      • For ISPs the DNS is usually a cost department, not a revenue source
      • We should expect strong resistance from ISPs to increase their costs in DNS service provision
      • The DNS is also highly resistant to changes in the edge infrastructure
  • 33. Where is this heading?
      • Will any of these privacy approaches become mainstream in the public Internet?
  • 34. My Opinion
      • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure
      • Most users don’t change their platform settings from the defaults, and CPE-based service provisioning in the wired networks and direct provisioning in mobile networks will persist
  • 35. My Opinion
      • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure
      • Most users don’t change their platform settings from the defaults, and CPE-based service provisioning in the wired networks and direct provisioning in mobile networks will persist
      • But that’s not the full story...
  • 36. Fragmenting the DNS
      • It appears more likely that those applications that want to tailor their DNS use to adopt a more private profile will hive off to use DoH to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver
      • That way the application’s ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves
      • The prospect of application-specific naming services is a very real prospect in such a scenario
  • 37. Fragmenting the DNS
      • It appears more likely that those applications that want to tailor their DNS use to adopt a more private profile will hive off to use DoH to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver
      • That way the application’s ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves
      • The prospect of application-specific naming services is a very real prospect in such a scenario
      Those parts of the environment with sufficient motivation and resources will simply stop waiting for everyone else to move and they will just do what they feel they need to do!
  • 38. It’s life Jim, but not as we know it!
      • The progression here is an evolution from network-centric services to platform-centric services to today’s world of application-centric services
      • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect
      • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire internet service domain are looking pretty poor right now!
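
Slide 24 lists Query Name Minimisation as the first step in plugging DNS leaks. The following is an added example, not part of the talk: an offline simulation of which name each operator on the delegation path is sent, with and without minimisation. The delegation table, the operator labels, the target name and the use of QTYPE A for the shortened queries (one of the types RFC 9156 suggests) are assumptions of the example.

```python
"""Compare what each DNS operator sees with and without QNAME minimisation.

Offline simulation: no packets are sent. The delegation table is constructed.
"""

# Constructed zone cuts (zone apex -> who operates it). example.com is a
# documentation domain; the operator labels are placeholders.
ZONE_CUTS = {
    ".": "root",
    "com.": "com TLD",
    "example.com.": "example.com authoritative",
}

# QTYPE used for the intermediate, shortened queries. An assumption of this
# example: RFC 9156 suggests A or AAAA because they look like ordinary lookups.
PROBE_QTYPE = "A"


def split_labels(qname):
    """'WWW.Example.com.' -> ['www', 'example', 'com']"""
    parts = [p for p in qname.lower().rstrip(".").split(".") if p]
    if not parts:
        raise ValueError("need a name below the root")
    return parts


def fqdn(parts):
    """['example', 'com'] -> 'example.com.' and [] -> '.'"""
    return ".".join(parts) + "." if parts else "."


def classic_walk(qname, qtype, cuts=ZONE_CUTS):
    """Every zone on the delegation path is sent the full name and type."""
    full = split_labels(qname)
    seen = []
    for depth in range(len(full) + 1):
        apex = fqdn(full[len(full) - depth:])
        if apex in cuts:
            seen.append((cuts[apex], fqdn(full), qtype))
    return seen


def minimised_walk(qname, qtype, cuts=ZONE_CUTS):
    """Each zone is asked only for one label more than is already known."""
    full = split_labels(qname)
    zone = "."                      # deepest zone cut learned so far
    seen = []
    for depth in range(1, len(full) + 1):
        name = fqdn(full[-depth:])
        last = depth == len(full)
        seen.append((cuts[zone], name, qtype if last else PROBE_QTYPE))
        if name in cuts:            # referral: a child zone starts here
            zone = name
            if last:                # the full name is itself a zone apex
                seen.append((cuts[zone], name, qtype))
        # Otherwise the name lives in the same zone (for example an empty
        # non-terminal): add one more label and ask the same servers again.
    return seen


def exposure(walk):
    """operator -> sorted list of the distinct query names that operator saw"""
    seen = {}
    for operator, name, _qtype in walk:
        seen.setdefault(operator, set()).add(name)
    return {op: sorted(names) for op, names in seen.items()}


if __name__ == "__main__":
    target = "www.internal.payroll.example.com."   # constructed name
    for title, walk in (("classic", classic_walk(target, "AAAA")),
                        ("minimised", minimised_walk(target, "AAAA"))):
        print(f"{title}: {len(walk)} queries")
        for operator, name, qtype in walk:
            print(f"  {operator:28} <- {name} {qtype}")
```

For the sample name the minimised walk needs five queries where the classic walk needs three, because two of the labels are not zone cuts and the same authoritative servers are asked again with one more label each time. The root and TLD operators, however, only ever see `com.` and `example.com.`.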