Signing DNSSEC answers on the fly at the edge: challenges and solutions, by Jono Bergquist.
A presentation given at the APNIC 40 APOPS 2 session on Tue, 8 Sep 2015.
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It discusses cryptography concepts used in DNSSEC like public-key cryptography, hashing algorithms, and digital signatures. It explains how DNSSEC uses these concepts to provide data integrity and authentication for DNS responses through the use of new resource records like RRSIG, DNSKEY, DS, and NSEC. It also discusses how DNSSEC establishes trust chains to validate signatures up to the root zone, and how "denial of existence" responses are signed using NSEC records.
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
The document provides an overview of DNS (Domain Name System) security. It begins with introductions and defines DNS as the core internet protocol that converts domain names to IP addresses. It then discusses some security issues with DNS like hijacking and cache poisoning since DNS data is not encrypted or authenticated. It provides examples of how DNS works through a system of delegation from the root zone down. It explains how DNSSEC aims to address security but has limitations. The document demonstrates DNSSEC in action by showing signed responses from the root zone down to an example domain.
This document provides an introduction to DNSSEC (Domain Name System Security Extensions) in 3 parts:
1. It explains the purpose of DNSSEC is to address vulnerabilities in the DNS like cache poisoning and lack of data integrity by cryptographically signing DNS records.
2. It discusses some of the operational implications of DNSSEC like increased response sizes requiring EDNS0, using multiple keys (KSK and ZSK), and developing a DNSSEC Policy and Practice Statement.
3. It provides resources for further learning including open source DNSSEC software, mailing lists, and examples of deployed DNSSEC at the root zone and in some top-level domains.
The document discusses DNS over HTTPS (DoH), DNS over TLS (DoT), and Encrypted Server Name Indication (ESNI). It explains that DoH and DoT encrypt DNS queries and responses for increased privacy and security compared to traditional DNS. However, ESNI is also discussed as a solution to further improve privacy by encrypting the server name in the TLS handshake. Concerns about the potential use of these protocols by malware for command and control are also raised.
This document provides an overview of key concepts in DNSSEC including public/private keys, message digests or hashes, and digital signatures. It explains that public/private key pairs are used, where the private key is kept secret and the public key can be freely distributed. It also describes how one-way hashing functions work to generate fixed-length hashes from variable-length data, and how digital signatures are created by encrypting a message hash with a private key. These three concepts of public/private keys, hashes, and digital signatures form the basis of cryptographic techniques used in DNSSEC.
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It discusses cryptography concepts used in DNSSEC like public-key cryptography, hashing algorithms, and digital signatures. It explains how DNSSEC uses these concepts to provide data integrity and authentication for DNS responses through the use of new resource records like RRSIG, DNSKEY, DS, and NSEC. It also discusses how DNSSEC establishes trust chains to validate signatures up to the root zone, and how "denial of existence" responses are signed using NSEC records.
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
The document provides an overview of DNS (Domain Name System) security. It begins with introductions and defines DNS as the core internet protocol that converts domain names to IP addresses. It then discusses some security issues with DNS like hijacking and cache poisoning since DNS data is not encrypted or authenticated. It provides examples of how DNS works through a system of delegation from the root zone down. It explains how DNSSEC aims to address security but has limitations. The document demonstrates DNSSEC in action by showing signed responses from the root zone down to an example domain.
This document provides an introduction to DNSSEC (Domain Name System Security Extensions) in 3 parts:
1. It explains the purpose of DNSSEC is to address vulnerabilities in the DNS like cache poisoning and lack of data integrity by cryptographically signing DNS records.
2. It discusses some of the operational implications of DNSSEC like increased response sizes requiring EDNS0, using multiple keys (KSK and ZSK), and developing a DNSSEC Policy and Practice Statement.
3. It provides resources for further learning including open source DNSSEC software, mailing lists, and examples of deployed DNSSEC at the root zone and in some top-level domains.
The document discusses DNS over HTTPS (DoH), DNS over TLS (DoT), and Encrypted Server Name Indication (ESNI). It explains that DoH and DoT encrypt DNS queries and responses for increased privacy and security compared to traditional DNS. However, ESNI is also discussed as a solution to further improve privacy by encrypting the server name in the TLS handshake. Concerns about the potential use of these protocols by malware for command and control are also raised.
This document provides an overview of key concepts in DNSSEC including public/private keys, message digests or hashes, and digital signatures. It explains that public/private key pairs are used, where the private key is kept secret and the public key can be freely distributed. It also describes how one-way hashing functions work to generate fixed-length hashes from variable-length data, and how digital signatures are created by encrypting a message hash with a private key. These three concepts of public/private keys, hashes, and digital signatures form the basis of cryptographic techniques used in DNSSEC.
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
The document summarizes Vietnam's deployment of DNSSEC for the .VN top-level domain. It discusses Vietnam moving the domain to partial DNSSEC in 2015, getting the DS record included in the DNS root zone in 2016, and becoming fully operational in 2017. It provides details on preparations like infrastructure, key management, and monitoring plans. The next steps include signing additional subdomains and training registrars and ISPs to deploy DNSSEC to complete the rollout.
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
This document introduces DNS Security Extensions (DNSSEC) which aims to secure DNS queries and information by adding digital signatures to DNS response records. It discusses security problems with the current DNS system like cache poisoning and spoofing attacks. DNSSEC uses cryptographic keys and signatures to authenticate DNS responses and establish a chain of trust. While DNSSEC adds security, its deployment has been gradual due to complexity and the need for widespread implementation to provide full benefits.
This document provides an overview of DNS security and DNSSEC. It begins with explanations of what DNS is, how it works, and how DNS responses can be corrupted. It then discusses the problems that occur when DNS goes bad, such as being directed to the wrong site or downloading malware. The document introduces DNSSEC as a solution and explains why it was created and why it is important, particularly for government agencies. It addresses why more organizations don't use DNSSEC and the challenges of deploying and maintaining it. Finally, it describes options for implementing DNSSEC, including the GSA DNSSEC Cloud Signing Service, which handles the complexities for .gov domains.
This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
The document describes a technique for covertly exfiltrating data from an infected client by encoding it in DNS queries to an evil name server. The infected client breaks sensitive files into blocks, encodes each block, and queries the blocks' names from the evil name server. The server collects the queries to reconstruct the original data. Modern network security systems like next-gen firewalls and intrusion prevention systems cannot detect this technique as the DNS queries appear normal and are mixed with legitimate traffic. The document proposes filtering suspicious domains and analyzing DNS query patterns and volumes to identify exfiltration attempts.
- DNSSEC and RPKI are protocols that aim to secure the core of the Internet by adding authentication and integrity to DNS and routing data.
- DNSSEC works by digitally signing DNS records with private keys, and publishing the signatures and corresponding public keys. It builds a chain of trust from the root zone down by including fingerprints of child keys in parent zones.
- RPKI uses a similar approach to secure routing by digitally signing routing announcements and filtering invalid routes. It establishes a framework for routers to validate the authenticity and authorization of routing information.
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
The focus of this webinar will be to take a deeper look into this local name-resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogenous networks running both Windows and macOS.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
Learn to recognize the many ways in which attackers can tamper with DNS servers and records, and the measures you can take to prevent this.
See the full webinar and the rest of the series at https://www.thousandeyes.com/resources/monitoring-for-dns-security-webinar
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
This document discusses IPv6 threats to government networks. It provides an overview of IPv6 including its large address space and advantages over IPv4. It notes that while the US government is required to transition to IPv6, progress has been slow. Specific IPv6 threats are examined such as NDP spoofing, SLAAC attacks, and Teredo tunneling. It is concluded that most organizations are not fully prepared to detect and mitigate IPv6 threats due to limitations in tools, analyst expertise, and threat intelligence focusing primarily on IPv4.
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
The document discusses penetration testing of Active Directory forests and trusts. It begins with an introduction to forests, domains, and trust types. It then covers authentication protocols like NTLM and Kerberos across trusts. Next, it discusses techniques for enumerating trusts and mapping the trust relationships. The document outlines common attacks when domain admin privileges are available, such as using Golden Tickets and SID history exploitation. For situations without domain admin, it recommends reconnaissance of trusts and objects to map a path to privileged accounts.
The document discusses various techniques that internet service providers can use to prevent IP reflection attacks, including:
- Implementing BCP38 and BCP140, which involve validating the source IP address of incoming packets to prevent spoofing. This is recommended to be deployed as close to the edge of the network as possible.
- Enforcing validation using access control lists (ACLs) to filter packets and unicast reverse path forwarding (uRPF) to check the return path of source IP addresses. Strict uRPF is recommended for customers.
- Example ACL and uRPF configurations are provided for Cisco and Juniper routers to filter traffic from customer networks connected to the ISP edge router.
This document discusses DNSSEC deployment. It provides an introduction to DNSSEC and outlines the preparation, process, strategy, and potential influences of a DNSSEC deployment. Key aspects include setting up a test environment, upgrading systems, training staff, signing zones and managing keys, implementing the deployment in stages, and dealing with increased size of packets and potential for larger DDoS attacks. Regular key rollover is part of the long-term strategy. Resources for further information are also provided.
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It begins with some background on the history and vulnerabilities of DNS that led to the development of DNSSEC. It then explains how DNSSEC works by digitally signing DNS data to authenticate its source and ensure its integrity. The document discusses the state of DNSSEC deployment globally and in various top-level domains and country code top-level domains. It also provides examples of DNSSEC implementation strategies used by early adopter registries such as Sweden, the Netherlands, Czechia, and Norway.
Rolling the Root Zone DNSSEC Key Signing Key, by Edward Lewis.
A presentation given at APNIC 42's DNS and INR Security session on Monday, 3 October 2016.
11 April 2016 - ION Bangladesh - Jan Zorz set up DNSSEC, DANE, and TLS in his go6lab and then tested the implementations in the top one million Alexa domains. Jan will share his experiences deploying, testing, and evaluating DNSSEC, DANE, and TLS in his own lab and explain the process he used.
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
The document summarizes Vietnam's deployment of DNSSEC for the .VN top-level domain. It discusses Vietnam moving the domain to partial DNSSEC in 2015, getting the DS record included in the DNS root zone in 2016, and becoming fully operational in 2017. It provides details on preparations like infrastructure, key management, and monitoring plans. The next steps include signing additional subdomains and training registrars and ISPs to deploy DNSSEC to complete the rollout.
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
This document introduces DNS Security Extensions (DNSSEC) which aims to secure DNS queries and information by adding digital signatures to DNS response records. It discusses security problems with the current DNS system like cache poisoning and spoofing attacks. DNSSEC uses cryptographic keys and signatures to authenticate DNS responses and establish a chain of trust. While DNSSEC adds security, its deployment has been gradual due to complexity and the need for widespread implementation to provide full benefits.
This document provides an overview of DNS security and DNSSEC. It begins with explanations of what DNS is, how it works, and how DNS responses can be corrupted. It then discusses the problems that occur when DNS goes bad, such as being directed to the wrong site or downloading malware. The document introduces DNSSEC as a solution and explains why it was created and why it is important, particularly for government agencies. It addresses why more organizations don't use DNSSEC and the challenges of deploying and maintaining it. Finally, it describes options for implementing DNSSEC, including the GSA DNSSEC Cloud Signing Service, which handles the complexities for .gov domains.
This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
The document describes a technique for covertly exfiltrating data from an infected client by encoding it in DNS queries to an evil name server. The infected client breaks sensitive files into blocks, encodes each block, and queries the blocks' names from the evil name server. The server collects the queries to reconstruct the original data. Modern network security systems like next-gen firewalls and intrusion prevention systems cannot detect this technique as the DNS queries appear normal and are mixed with legitimate traffic. The document proposes filtering suspicious domains and analyzing DNS query patterns and volumes to identify exfiltration attempts.
- DNSSEC and RPKI are protocols that aim to secure the core of the Internet by adding authentication and integrity to DNS and routing data.
- DNSSEC works by digitally signing DNS records with private keys, and publishing the signatures and corresponding public keys. It builds a chain of trust from the root zone down by including fingerprints of child keys in parent zones.
- RPKI uses a similar approach to secure routing by digitally signing routing announcements and filtering invalid routes. It establishes a framework for routers to validate the authenticity and authorization of routing information.
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
The focus of this webinar will be to take a deeper look into this local name-resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogenous networks running both Windows and macOS.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
Learn to recognize the many ways in which attackers can tamper with DNS servers and records, and the measures you can take to prevent this.
See the full webinar and the rest of the series at https://www.thousandeyes.com/resources/monitoring-for-dns-security-webinar
Practical Red Teaming is a hands-on class designed to teach participants with various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains, up-to-date and patched operating systems. We will cover several phases of a Red Team engagement in depth – Local Privilege escalation, Domain Enumeration, Admin Recon, Lateral movement, Domain Admin privileges etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics :
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OU’s etc
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
This document discusses IPv6 threats to government networks. It provides an overview of IPv6 including its large address space and advantages over IPv4. It notes that while the US government is required to transition to IPv6, progress has been slow. Specific IPv6 threats are examined such as NDP spoofing, SLAAC attacks, and Teredo tunneling. It is concluded that most organizations are not fully prepared to detect and mitigate IPv6 threats due to limitations in tools, analyst expertise, and threat intelligence focusing primarily on IPv4.
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
The document discusses penetration testing of Active Directory forests and trusts. It begins with an introduction to forests, domains, and trust types. It then covers authentication protocols like NTLM and Kerberos across trusts. Next, it discusses techniques for enumerating trusts and mapping the trust relationships. The document outlines common attacks when domain admin privileges are available, such as using Golden Tickets and SID history exploitation. For situations without domain admin, it recommends reconnaissance of trusts and objects to map a path to privileged accounts.
The document discusses various techniques that internet service providers can use to prevent IP reflection attacks, including:
- Implementing BCP38 and BCP140, which involve validating the source IP address of incoming packets to prevent spoofing. This is recommended to be deployed as close to the edge of the network as possible.
- Enforcing validation using access control lists (ACLs) to filter packets and unicast reverse path forwarding (uRPF) to check the return path of source IP addresses. Strict uRPF is recommended for customers.
- Example ACL and uRPF configurations are provided for Cisco and Juniper routers to filter traffic from customer networks connected to the ISP edge router.
This document discusses DNSSEC deployment. It provides an introduction to DNSSEC and outlines the preparation, process, strategy, and potential influences of a DNSSEC deployment. Key aspects include setting up a test environment, upgrading systems, training staff, signing zones and managing keys, implementing the deployment in stages, and dealing with increased size of packets and potential for larger DDoS attacks. Regular key rollover is part of the long-term strategy. Resources for further information are also provided.
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It begins with some background on the history and vulnerabilities of DNS that led to the development of DNSSEC. It then explains how DNSSEC works by digitally signing DNS data to authenticate its source and ensure its integrity. The document discusses the state of DNSSEC deployment globally and in various top-level domains and country code top-level domains. It also provides examples of DNSSEC implementation strategies used by early adopter registries such as Sweden, the Netherlands, Czechia, and Norway.
Rolling the Root Zone DNSSEC Key Signing Key, by Edward Lewis.
A presentation given at APNIC 42's DNS and INR Security session on Monday, 3 October 2016.
11 April 2016 - ION Bangladesh - Jan Zorz set up DNSSEC, DANE, and TLS in his go6lab and then tested the implementations in the top one million Alexa domains. Jan will share his experiences deploying, testing, and evaluating DNSSEC, DANE, and TLS in his own lab and explain the process he used.
Technical and Business Considerations for DNSSEC DeploymentAPNIC
The document discusses both technical and business considerations for deploying DNSSEC. On the technical side, it addresses issues like zone size, CPU load, traffic levels, key rotation, tooling, and use cases. On the business side, it discusses choices around signing algorithms, managing keys and signatures, monitoring, user interfaces, documentation, training, and barriers to deployment. The document provides advice to help DNS administrators better understand the deployment trade-offs and considerations involved with DNSSEC.
This document discusses mainframe encryption and self-encrypting drives. It summarizes the evolution of IBM's RACF password encryption algorithms over time from encoding to DES to KDFAES. It also discusses self-encrypting drives, how they work to encrypt data in real-time, and potential risks around trusting drive encryption implementations and algorithms. The document advocates moving encryption higher in the software stack and using open implementations when possible rather than relying solely on drive-based encryption.
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It discusses how DNSSEC introduces digital signatures to cryptographically protect DNS data and prevent man-in-the-middle attacks. It also describes some common DNS record types used in DNSSEC like DNSKEY, RRSIG, and DS. The document notes that while DNSSEC deployment has increased in top-level domains and root servers, adoption remains low at the second-level domain level, and more work is still needed for full deployment.
This document provides an overview and introduction to DNS and DNSSEC. It begins with introducing the presenter, Nurul Islam Roman, and his background and areas of expertise. The overview section lists the topics to be covered, including DNS overview, forward and reverse DNS, DNS security overview, TSIG, and DNSSEC. The document then delves into explanations of DNS overview, how it works, its features and components. It also covers IP addresses vs domain names, the DNS tree hierarchy, domains, root servers, resolvers, authoritative and recursive nameservers. Finally, it discusses resource records, common RR types, reverse DNS, delegation, glue records and responsibilities around APNIC and ISPs for reverse delegations.
This document summarizes the challenges of deploying new DNSSEC algorithms. It discusses how validation software, signing servers, registries, registrars, and developers need updates to accept and use new algorithms like ECDSA and GOST that offer improvements over older algorithms like RSA/SHA-1. However, some validation software and registries/registrars currently only support a limited set of algorithms, preventing deployment of newer, better algorithms. The document proposes documenting steps needed for deployment, surveying registries, encouraging acceptance of wider algorithm ranges, and encouraging developers to support all standard algorithms.
This document summarizes Dan York's presentation on deploying DNSSEC. It discusses how DNSSEC helps ensure the integrity of DNS data by using digital signatures to authenticate DNS responses, preventing cache poisoning and man-in-the-middle attacks. It provides examples of normal DNS interactions versus attacks, and how DNSSEC establishes a chain of trust. The presentation also covers the current state of DNSSEC deployment, how it works in combination with TLS/SSL through DANE, and business reasons for organizations to deploy DNSSEC.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
APNIC Chief Scientist Geoff Huston briefly explains DNSSEC and the role of the KSK, and the way in which we can measure the possible impact of this planned roll.
This document provides a history of the development of the Domain Name System (DNS) and describes some of its key components and functions. It discusses how DNS was created in 1983 to provide a decentralized naming system as networks and sites grew larger. It also describes some important upgrades to DNS, including incremental zone transfers and notification mechanisms. Additionally, the document outlines DNS record types, zones, policies, and integration with DHCP. It provides examples of how policies can be used for application load balancing and filtering. Finally, it briefly discusses newer DNS features in Windows Server like response rate limiting, DANE support, unknown record types, and IPv6 root hints.
The document discusses using an experimental system that can perform thousands of DNS and HTTP measurements per day on random internet users to test DNSSEC implementation. It proposes configuring five domains - one validly signed, one invalidly signed, one with IPv6-only NS, one with large IPv6 responses, and one without DNSSEC - to test clients' DNSSEC support, validation, IPv6 capability, and response handling. Initial results from testing 1.8 million clients worldwide found 4.4% of resolvers and 14.15% of clients appear to support DNSSEC. Further analysis of 7,500 New Zealand experiments identified variability between internet providers in estimated DNSSEC support rates. Future work to improve DNSSEC activity detection is proposed
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
This talk is specifically for NON-SharePoint infrastructure administrators (or for new ones still figuring things out)! Instead it’s for the rest of the SharePoint team – come learn about the basic building blocks of SharePoint infrastructure – things like DNS, load balancing, AD, high availability and disaster recovery, backup options, database options, and some of the core components of Windows in an understandable way so you can speak the lingo and seem really smart!
Zvonimir Mavretić
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC
1. AfriNIC operates DNSSEC services for reverse DNS zones and several African ccTLDs. They migrated their signing infrastructure to a new signer while maintaining DNSSEC validation.
2. The migration was done silently without any invalidity window by using the existing DNSKEYs followed by a rollover. This avoided any interactions with parent zones during the migration.
3. Very few AfriNIC members currently sign their reverse zones and submit DS records. AfriNIC aims to improve adoption of DNSSEC by their members and may provide hosted signing services.
This document summarizes a presentation about developing an internal DNS cluster using Ansible to replace an existing Puppet-based solution. It describes using Unbound as the core DNS server with zones and versions stored in Git. Ansible plays are used to deploy DNS servers across multiple Amazon regions for high availability. Performance tests show the DNS cluster provides faster queries and lower latency than AWS DNS. Future plans include integrating the DNS cluster with Amazon VPC DHCP and using Ansible templates for universal instance provisioning along with monitoring and alerting.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
DNSSEC: What a Registrar Needs to Knowlaurenrprice
The document summarizes an upcoming webinar on DNSSEC hosted by .ORG, The Public Interest Registry and Afilias. The webinar will provide an introduction to DNSSEC including how it adds security and authentication to the Domain Name System to prevent forged DNS data. It will also discuss PIR's implementation timeline and test program for DNSSEC in the .ORG top-level domain.
Similar to Signing DNSSEC answers on the fly at the edge: challenges and solutions (20)
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
2. Goals // DNSSEC at web scale
2
• Scalable // DNSSEC for entire CloudFlare customer base
• Simple // make it easy to consume
• DNSSEC shouldn’t be for power users only! It should be for everyone!
3. Large scale DNSSEC deployment
• We are writing our own DNSSEC systems -> Scale and speed dictated this
• We use modern crypto and sign on the fly at the edge
• We are modifying and extending existing protocols to automate registrar
interactions -> Necessary to enable ease of use and deployment
• We are third party DNS operator i.e. do not exit is many registration models
3
4. How big?
• 2+ million domains
• Authoritative for 40% of Alexa top 1 million
• 43+ billion DNS queries per day
• Second to only Verisign
4
7. Why CloudFlare needs live signing
• Lots (lots!) of small, light traffic zones
• Heavily distributed network (43 data centers)
• Dynamically generated records
• Zone walking protection
7
8. Issues with live signing
• Speed!
• Negative answers
• Key management
8
Constraints
Keep size small, and don’t require full zonefiles
11. CloudFlare’s DNS(SEC) overview
• RRDNS is our in-house DNS server written in Go
• Resilient against attacks and abuse
• No zonefiles, records are pulled from a global distributed
database
• Full featured (dynamic answers, CNAME flattening, …)
• DNSSEC is just a “filter” applied to the answer
11
12. Solving speed (and size): ECDSA P256
• ECDSA P256 signatures are > 3x faster than RSA1024
Measured on OpenSSL 1.0.2 on our servers
• We (Vlad Krasnov) ported OpenSSL ASM to Go
21X speedup for the sign: https://go-review.googlesource.com/#/c/8968/
• Bonus: small signatures, small keys, modern crypto!
• Supported by most validators, working on registrars
12
16. Solving negatives: “Black Lies”
• To answer a NXDOMAIN normally we need:
• Database lookups for previous and next name
• 2 or 3 signatures (NSEC/NSEC3) - slow and big!
• Previous and next name disclosure
16
18. Solving negatives: “Black Lies”
• RFC 4470 introduces “white lies” for online signing:
• Generate a NSEC on the name’s immediate
predecessor, covering up to the successor (RFC4471)
• Same with the wildcard
• Solves: zone walking, database lookups
• Still, 2 signatures to say one thing :(
18
19. Solving negatives: “Black Lies”
• Our solution: true lies. Just sign a NOERROR.
• Place a NSEC on the name, cover until the successor,
set only the NSEC and RRSIG bits
19
21. Solving negatives: “Black Lies”
• 1 signature op, no db lookup or zone walking
• The entire answer fits 512 bytes (actually, < 400!)
• End-user behavior is unchanged
21
22. Solving negatives: the “NSEC shotgun”
• But. To answer a missing type on an existing name, we
still need to query the database for the NSEC bitmap
• That’s not even always possible! (Dynamic answers)
22
filippo.io. 3600 IN NSEC 003.filippo.io. A NS SOA MX TXT
AAAA RRSIG NSEC DNSKEY
23. Solving negatives: the “NSEC shotgun”
• Step back: what is a NSEC? A denial of existence.
• “The types not in the bitmap don’t exist”
• So, let’s make a “minimally covering” one.
By setting all possible bits in the bitmap!
23
filippo.io. 3600 IN NSEC 003.filippo.io. A NS SOA WKS
HINFO MX TXT AAAA LOC SRV CERT SSHFP IPSECKEY RRSIG
NSEC DNSKEY TLSA HIP OPENPGPKEY SPF
24. Solving negatives: the “NSEC shotgun”
• Asked for TXT and there’s no TXT? Set all the other bits
that might exist.
• The NSEC is a valid denial for TXT, and is useless for an
attacker that wants to replay it for other queries.
24
filippo.io. 3600 IN NSEC 003.filippo.io. A NS SOA WKS
HINFO MX TXT AAAA LOC SRV CERT SSHFP IPSECKEY RRSIG
NSEC DNSKEY TLSA HIP OPENPGPKEY SPF
26. Solving keys: centralized DNSKEY sets
• It’s live-signing, you need the ZSK at the edge (for now)
• Protect the KSK: keep it in a safe central auditable
machine, distribute the signed DNSKEY sets to edges
• Short regular RRSIG validity, longer for DNSKEY
• Prepared to roll the ZSK fast at any time
26
27. Solving keys: global ZSK and KSK
• No reason to have millions of ZSKs and KSKs:
all would be used/stored/rolled together
• Use a single KSK and a single ZSK with multiple names
filippo.io. 3600 IN DNSKEY 256 3 13
koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii
+sb0PYFkH1ruxLhe5g==
cloudflare-dnssec-auth.com. 3600 IN DNSKEY 256 3 13
koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii
+sb0PYFkH1ruxLhe5g==
27
29. How long does it take to ?
• Post a new selfie on Facebook and all your friends to be notified
• few seconds <= INTERNET SPEED
• For a new domain to appear in the DNS?
• less than 5 minutes in ICANN TLD’s, random in others
• Move domain from one DNS operator to another?
• long time limited by MAX(Parent NS TTL, Child NS TTL)
• Transfer a domain from one registrar to another one?
• 1 sec … 5 days
• DNSSEC key rollover
• many DAYS your mileage may vary
29
30. Recent example: HBOnow.com
• Affected: Customers behind DNSSEC validating DNS resolvers
• Blamed: Comcast and ISP’s for resolution failure i.e. blocking
• Root cause: HBO for not checking the domain was DNSSEC bogus
• Time to full recovery: 1 day to purge DS from all caches after HBO made a
change in .com registration system
• Mitigation: temporary enable negative trust anchor by resolvers operators
• Side effect: Lots of non-polite Facebook and Twitter posts
30
31. Third party DNS operator (3-DNS)
(3-DNS)
• Definition: An entity contracted by “owner” of the domain to operate
DNS on their behalf.
• Who: 3-DNS Operators include CDN’s, DNS specialists, Appliance
vendors, friends, etc.
• Millions of domains are operated by 3-DNS
• Many “important” domains are operated by 3-DNS
• Some domains use vanity DNS server names, but routing/traceroute do not lie :-)
31
32. Domain Registry model:
• Includes Registries,
Registrars, Resellers and
Registrants.
• when developed did not
envision 3-DNS
32
33. What info do 3-DNS want to maintain?
• NS records
• DS records
• A/AAAA records
• need to be able to look up if glue is registered, add and delete.
33
NS
DS
NS
DS
SOA
NS
DNSKEY
Parent
Server
Child
Server
A & AAAA
Should be same
34. What happens today?
• To change information in parent Registrant has to be in the loop
• Not reliable, registrant may or may not take action
• Not timely
• Cut & Paste errors happen.
• Registrant can give access to registration account to 3-DNS ==>
BAD idea
34
35. 3-DNS as registars?
• Addresses part of the problem
• Hard to become registrar in all ccTLD’s
• Registrars/resellers are frequently partners with 3-DNS
35
36. What is desired by 3-DNS?
• Ability to gain authenticated permission to maintain delegation
information for customers
• Ability to learn where to change information and connect there
• WHOIS has last century contact information when it has any, frequently unusable
36
37. How can this be done?
#1 In-band signaling
• When DNSSEC is enabled
• Child zone can advertise what the contents of NS and
DS should be
• via NS and CDS/CDNSKEY records when DNSSEC is present
[RFC7344]
• Not specified how to tickle right parental agent.
• Not possible to say do it NOW!!
37
38. Vision
#2 Registry System interface
• If 3-DNS gets authenticated and authorized to make
changes to
• NS/DS/glue for specific domain, these changes can be injected into
registration systems via
• Registars/Resellers
• Registries
• ==> updates can take place at Internet speed
38
39. Goal: DNS operators change < 4 hours
• Assume changes in parent take less than 1 hour
• Operations:
• provision new operator
• change NS in parent and old operator (if possible)
• wait for resolvers
• Precondition: Child and Parent NS
• TTL <= 2 hours
39
40. Goal: DNSSEC KSK rollover in 6 hours
• Assume changes in TLD’s take less than 1 hour
• Operations:
• update DNSKEY and/or DS;
• switch KSK signing key;
• purge old DS and DNSKEY records (Not in critical path)
• Child DNSKEY set < 1 hour TTL
• Child and Parent NS + DS sets TTL <= 2 hours
40
41. • Start discussion on what the right goals and policies are
• Proposed goals:
• Get TLD’s to adopt lower TTL <= 2H
• Give 3-DNS access to maintain Delegation information
• Bonus: get registries and registrars to support new DNSSEC algorithms by
default in particular ALG-13 ECDSA
41