3. Why?
• Isn’t www.google.com DNSSEC-signed?
• Or www.amazon.com, www.facebook.com, or www.microsoft.com?
• Or many other major Internet service names?
• Yet there are other places that mandate the use of DNSSEC, including gTLDs in the root zone, the USG OMB directive?
• Why the mixed signals about DNSSEC?
4. What’s going on?
• Some parts of the DNS world see net benefit in having users assure themselves that the answer provided to a DNS query is genuine, by using DNSSEC and performing validation of the DNS answer
• Other parts of the DNS world see the sum of risks and costs of adding DNSSEC to their part of the DNS as being greater than the benefit
• Let’s look at this topic, and also look at the way we provide the secure foundations for today’s Internet
5. What is DNSSEC?
(This answer could be really long or very short – I’ll go for the ultra short version here)
• A DNS zone administration generates a public/private key pair and generates a digital signature for every authoritative record in a zone. These signatures are placed into the zone as RRSIG records. DNSSEC also signs across the “spans” between each pair of adjacent names in the zone.
• A hash of the zone’s public key is passed to the zone’s parent, which is placed into the signed parent zone as an authoritative (signed) record
• Clients can authenticate a DNS record by validating it against the associated signature record and assembling a validation chain from child to parent up to the root zone to validate the sequence of interlocking zone signing keys
6. DNSSEC - The Case for NO
The Zone Admin’s perspective:
• Managing keys can be tricky and many zones have got themselves tied up with misconfigured keys (https://ianix.com/pub/dnssec-outages.html)
• The operational preference to use keys for shorter periods and regularly roll across to the new keys appears to generate its own failures
• Performing key rolls some years apart tends to resist treating key rolls as part of Standard Operational Practice
7. DNSSEC - The Case for NO
The Zone Admin’s perspective:
• The procedures for passing the public key of the zone entry point to the parent are inconsistent and error prone
• Can this be automated?
  • How does automation of the DS record sit with the current paraphernalia of semi-automation of delegation information through EPP and related processes?
8. Publishing Signed Zones
Things get warped and twisted…
• Key Management
  • ZSK/KSK issues
  • Key Revocation
  • Key Rollover
• Zone Signing
  • Signature record lifetimes
  • Whole-of-zone signing or Front-End signers
  • Incremental signers and assembling negative spans (Compact answers)
• Handling Large Zones
  • TTL settings
• Multiple DNS operators
  • Single shared key and issues of coordination and key risks
  • Multiple keys and issues of DNS response bloat with multiple keys
• NSEC3 issues
9. Incremental Signing
• NSEC and NSEC3 are both based on the assumption that online signers are not viable
  • Private keys should not be actively used in online environments
  • They also assume that the entirety of a zone can be assembled for signature
• As incremental signers proliferate we are seeing a de facto redefinition of NODATA and NXDOMAIN responses where the signed payload is a minimally spanning response to the query name and query type instead of a pre-computed maximal span
• This compact-form denial response can confuse some resolvers
10. Validation
• Key and Signature Size and Cryptographic strength
  • Careful choice of crypto needed
• Elapsed time for users to incrementally create the validation path
  • The incremental query/response approach to path creation creates an unacceptable time penalty
  • And large DNSKEY responses have an additional switch-to-TCP time penalty
• Time to repair DNSSEC config errors is exacerbated by TTL choice
• Stub resolvers generally do NOT validate – the recursive to stub path is still susceptible to various forms of manipulation
11. Who Validates?
• Validation is slow, error prone and stresses out the DNS over UDP model
• Most end users do not even use DNSSEC-validating functions in their local stub resolver
• They generally rely on the recursive resolver to perform validation – and the recursive-to-stub hop is still vulnerable to tampering
12. What is DNSSEC protecting you against?
• What’s the threat issue going on here?
• Kaminsky-style attack of off-path cache poisoning?
  • Between port and case randomisation there is probably adequate randomisation to protect the client from an off-path guessing attack
• On-path direct attack of response substitution?
  • Even then - so what?
  • If we are looking at poisoning the name-to-address relationship and misdirecting the user then this is much the same as a routing attack -- TLS is going to help here by authenticating the named identity of the remote service – its IP address is irrelevant to this authentication!
  • If the service does not use some form of authentication then the client is very exposed in any case and DNSSEC is not going to mitigate all risks here!
13. Why bother with DNSSEC at all?
• It slows down name resolution
• It’s more to go wrong
• We don’t really know what we are protecting against
• That’s a lot of complexity, fragility and cost without a clear incremental benefit
• And TLS is doing a Fine Job!
14. DNSSEC – The Case for YES
It’s not about DNSSEC per se
But if we could place trust in DNS responses that they are authentic and current then we could use the DNS for roles where it would be highly unwise to do so otherwise
Is TLS really doing a Fine Job?
15. Are Domain Name certificates robust?
Are they achieving what we need from them?
• A domain owner demonstrates to a third party certificate issuer that it has control over a domain
  • There are more involved certificates that include additional validation of this “control”, but they all present to the client in the same format, so the client is unaware of the strength of the validation steps that were taken to issue the certificate in the first place
• On this basis the certificate issuer issues a certificate for the domain owner that attests that the domain is owned by this party
• The certificate is used without any further ongoing reference to the certificate issuer, nor to the parent domain, nor with any check over the certificate holder’s continuing control over the domain
16. Domain Name Certificate Issuers
• The Certificate and Browser Forum (CAB Forum) is a group of ~1000 entities who issue domain name certificates and the browser platforms who use them
  • The certificate issuers undertake to apply a set of tests to determine that the applicant “controls” a given domain name
  • And they undertake to never deviate from these tests (*)
  • And they undertake never to lie in the certificates they issue (**)
  • And they undertake never to have their certificate issuance systems compromised by hostile attacks (***)
* except when they do
** except when they lie
*** except when their systems are compromised
17. Domain Name Certificates
• Certificate Issuance Abuse
  • Pinning - Any CA can issue a domain name certificate for any domain name. How can a client know which is the “right” CA for a domain name certificate?
  • Transparency – All CAs should stash a copy of all issued certificates in a transparency log, so that all issuance transactions are recorded
18. Certificate Revocation
This is challenging to scale
• Sending a full revocation list to check the status of a single certificate is hopelessly inefficient
• An online certificate status check represents a potential privacy leak as well as a scaling issue for the CA
• OCSP stapling is somewhat pointless
  • OCSP data is a commentary about the past state of a certificate, not the current state
  • And why pass the client a certificate AND an OCSP revocation notice?
19. DANE and DNSSEC
• If the entire aim of the domain name certificate framework is to securely associate a key pair with a domain name then why not just stash the public key in the DNS (DANE)?
  • And sign it with DNSSEC
• You get currency and authenticity and eliminate a bunch of third party intermediaries
20. Comparison
• The model of DANE allows the key to be bound to the domain name, and DNSSEC is used to support authentication of this key value
• The model of Domain Name Certificates is a detached third party commentary about the control of a domain name
22. But DNSSEC over DNS over UDP still sucks!
• So don’t use it!
  • Why not turn off the use of DNSSEC OK in DNS over UDP queries by default
23. But DNSSEC over DNS over UDP still sucks!
• So don’t use it!
  • Why not turn off the use of DNSSEC OK in DNS over UDP queries by default
• But validation is still a pain
  • But if we are using TCP to transport credentials then we can also look at pushing the validation workload from the client to the server
  • RFC 7901 – Chain Query Requests
    • Task the authoritative server for a zone to maintain the current validation path for the zone
    • And package the path in TCP responses when the query has the chain extension
24. Then we can use this in TLS..
• RFC 9102 - TLS DNSSEC Chain Extension
  • “staple” the DNSSEC chain extension to the TLS data alongside the DANE TLSA record
  • The server maintains a current copy of the DANE TLSA record and the DNSSEC validation path to construct the chain extension
  • The client can validate the DANE data based on a local copy of the DNS root zone KSK without any direct query to the DNS
• Which integrates query-less DANE and DNSSEC into TLS
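As an added illustration of slides 5 and 24 (example code written for this page, not from the presentation or from any RFC 9102 implementation): a client that holds only a root trust anchor validates a stapled DNSKEY/DS chain down to a DANE TLSA record and then matches the server's key against it, without issuing a single DNS query. It assumes one Ed25519 key per zone, a simplified record encoding in place of real DNSKEY/RRSIG wire formats, and constructed zone names and server key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Rec is one DNSSEC-signed record: owner name, type, data, the signing zone and an RRSIG-like signature.
type Rec struct {
	Owner, Type, Signer string
	Data, Sig           []byte
}
func toSign(r Rec) []byte { return append([]byte(r.Owner+"|"+r.Type+"|"), r.Data...) }
// Sign produces a record signed by zone "signer" (one Ed25519 key per zone here; real zones split KSK/ZSK).
func Sign(priv ed25519.PrivateKey, signer, owner, typ string, data []byte) Rec {
	r := Rec{Owner: owner, Type: typ, Signer: signer, Data: data}
	r.Sig = ed25519.Sign(priv, toSign(r))
	return r
}
// DS is the hash of a child zone's public key that the parent publishes and signs.
func DS(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] }

// ValidateChain checks a stapled chain (DNSKEY, DS, DNSKEY, ..., DNSKEY, then TLSA) against a local
// trust anchor (hash of the root key, standing in for the root KSK). It sends no DNS query at all.
func ValidateChain(anchor []byte, links []Rec, tlsa Rec) ([]byte, error) {
	if len(links)%2 == 0 {
		return nil, errors.New("chain must be DNSKEY,(DS,DNSKEY)*")
	}
	trustedDS, key := anchor, ed25519.PublicKey(nil)
	for i, r := range links {
		if i%2 == 0 { // DNSKEY: self-signed, and must hash to the DS (or anchor) already trusted
			if r.Type != "DNSKEY" || r.Signer != r.Owner || !bytes.Equal(DS(r.Data), trustedDS) {
				return nil, errors.New("DNSKEY for " + r.Owner + " does not match trusted DS")
			}
			key = ed25519.PublicKey(r.Data)
		} else if r.Type != "DS" || r.Signer != links[i-1].Owner { // DS: signed by the parent zone
			return nil, errors.New("DS for " + r.Owner + " not signed by parent")
		} else {
			trustedDS = r.Data
		}
		if !ed25519.Verify(key, toSign(r), r.Sig) {
			return nil, errors.New("bad signature on " + r.Type + " " + r.Owner)
		}
	}
	if tlsa.Type != "TLSA" || tlsa.Signer != links[len(links)-1].Owner ||
		!ed25519.Verify(key, toSign(tlsa), tlsa.Sig) {
		return nil, errors.New("TLSA record not validly signed by the leaf zone")
	}
	return tlsa.Data, nil
}

// MatchTLSA models DANE usage 3, selector 1, matching type 1: the TLSA data is the SHA-256
// of the SubjectPublicKeyInfo the server presents in the handshake.
func MatchTLSA(tlsa, spki []byte) bool { h := sha256.Sum256(spki); return bytes.Equal(h[:], tlsa) }

// BuildExample builds a constructed chain root -> example. -> www.example. and a TLSA for a
// constructed server key; it returns the root anchor, the chain, the TLSA and the server SPKI.
func BuildExample() (anchor []byte, links []Rec, tlsa Rec, spki []byte) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	tldPub, tldPriv, _ := ed25519.GenerateKey(rand.Reader)
	sitePub, sitePriv, _ := ed25519.GenerateKey(rand.Reader)
	spki = []byte("constructed server SubjectPublicKeyInfo")
	links = []Rec{
		Sign(rootPriv, ".", ".", "DNSKEY", rootPub), Sign(rootPriv, ".", "example.", "DS", DS(tldPub)),
		Sign(tldPriv, "example.", "example.", "DNSKEY", tldPub), Sign(tldPriv, "example.", "www.example.", "DS", DS(sitePub)),
		Sign(sitePriv, "www.example.", "www.example.", "DNSKEY", sitePub),
	}
	h := sha256.Sum256(spki)
	return DS(rootPub), links, Sign(sitePriv, "www.example.", "_443._tcp.www.example.", "TLSA", h[:]), spki
}

func main() {
	anchor, links, tlsa, spki := BuildExample()
	data, err := ValidateChain(anchor, links, tlsa)
	fmt.Println("chain valid:", err == nil, "| server key matches TLSA:", err == nil && MatchTLSA(data, spki))
}
```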
25. DNSSEC
• If we are serious about DNSSEC, then we really need to fix the validation time and stub resolver issues
• We can do both of these with DNSSEC Chain Extensions, but to get there we need to push DNS + DNSSEC queries to TCP (or perhaps DoT / DoH)
• We can do that if both DNS clients and servers are willing to tolerate the incrementally higher overheads of DNS over reliable (and possibly secure) transport
• Which might be achievable if anyone actually pays for the DNS!
  • But they don’t
  • So DNS over UDP wins because it’s cheaper!
26. DNSSEC
• Were we trying to be too clever in trying to cram DNSSEC into the UDP query/response mechanism?
• What if we re-thought DNSSEC as a server-side function?
  • And use TCP transport to push validation keychains to validating clients
27. Chickens and Eggs
• Why bother?
  • There is no compelling use case that makes DNSSEC essential
• No point!
  • There is no point in creating widespread critical dependencies on DNSSEC while there is only piecemeal adoption of DNSSEC
28. DNSSEC: Yes? Or No?
• Widely distributed diverse systems have a strong preference for stasis
• Change is challenging to orchestrate
• Costs and benefit are often misaligned
• Very large scale systems are averse to complexity and fragility
• If all that we are doing here is making a case for replacing X.509 domain name certificates with DNSSEC-signed DANE records then this is going to be a difficult sell job!
• The benefits are marginal, but the transitional costs are high
29. Musing on Infrastructure Security Mechanisms
Do we get the level of security we need?
Or the level of security that we are prepared to pay for?