dnssec fragmentation a prickly combination
play

DNSSEC & fragmentation a prickly combination Roland van - PowerPoint PPT Presentation

Feb 06, 2024 •298 likes •442 views

DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij roland.vanrijswijk@surfnet.nl The problem in 1 slide Authoritative Name Server Firewall Recursive Caching Name Server (resolver) 2 SURFnet:

  1. DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij roland.vanrijswijk@surfnet.nl

  2. The problem in 1 slide Authoritative Name Server ➀ ➁ ➂ Firewall ➃ Recursive Caching Name Server (resolver) 2 SURFnet: we make innovation work

  3. Extent of the problem •9% of all internet hosts may have problems receiving fragmented UDP messages [1]; •2% – 10% of all resolving name servers experience problems receiving fragmented DNS responses [2] [1] Weaver, N., Kreibich, C., Nechaev, B., and Paxson, V.: Implications of Netalyzr’s DNS Measurements. In: Proceedings of the First Workshop on Securing and Trusting Internet Names (SATIN), Teddington, United Kingdom, (2011). [2] Van den Broek, J., Van Rijswijk, R., Pras, A., Sperotto, A., “DNSSEC and firewalls - Deployment problems and solutions”, Private Communication, Pending Publication, (2012). 3 SURFnet: we make innovation work

  4. The problem biting us for real •SURFnet deployed DNSSEC for surfnet.nl in 2010 (first secure delegation in .nl) •Within a week we had problems •Cause: largest ISP (2.5M users) in the country blocks fragments on service network edge •Helpdesk: “ SURFnet is doing something wrong ” :-( 4 SURFnet: we make innovation work

  5. Solutions •Resolving name servers SHOULD advertise a proper max. response size to avoid fragmentation issues [RFC 2671BIS (DRAFT)]; Not explicitly stated in standards yet, nor widely implemented; •Until then: set maximum response size at some authoritative name servers 5 SURFnet: we make innovation work

  6. Resolver experiments (1) Normal operations Response(>me((ms.)( 900$ 800$ 785$ 700$ 687$ 600$ Time((ms.)( 500$ 400$ 388$ 381$ 300$ 281$ 200$ 150$ 109$ 105$ 100$ 83$ 0$ Windows(Server(2012( Unbound( BIND( 6 SURFnet: we make innovation work

  7. Resolver experiments (2) Blocking fragments Response(>me((ms.)([0/5(altered(Authorita>ve(Name(Servers]( 6.000% Time x10 (!) [24,195;12,167] 5.000% x̅=17,787 4.463% 4.000% Time((ms.)( 3.435% Time x2 3.000% 2.524% 2.000% Time x100+ (!!!) 1.175% 1.000% 760% 465% 0% Windows(Server(2012( Unbound( BIND( 7 SURFnet: we make innovation work

  8. Resolver experiments (3) Max. resp. size on 1 authNS Response(>me((ms.)([1/5(altered(Authorita>ve(Name(Servers]( 6.000% Max. ¡= ¡16,162 5.000% 4.889% 4.000% Time((ms.)( 3.000% 2.126% 2.000% 1.169% 1.118% 1.000% 638% 173% 117% 109% 0% Windows(Server(2012( Unbound( BIND( 8 SURFnet: we make innovation work

  9. Resolver experiments (4) Max. resp. size on 2 authNS Response(>me((ms.)([2/5(altered(Authorita>ve(Name(Servers]( 3.500& 3.295& 3.000& Time x10 Time x2 2.500& Time((ms.)( 2.000& Time x1.5 1.756& 1.500& 1.408& 1.036& 1.000& 651& 513& 500& 290& 126& 99& 0& Windows(Server(2012( Unbound( BIND( 9 SURFnet: we make innovation work

  10. Experiment on live authNS Normal Max. response Tra ffi c (IPv4 + IPv6) Operations size 1232 bytes Fragmented responses 28.9% 0.0%* Fragment receiving resolvers 57.3% 0.0%* Truncated UDP responses 0.8% 0.9% ICMP FRTE messages 5649/h < 1/h* ICMP FRTE sending resolvers 1.3% 0.0%* Total retries 25.8% 25.5% *Statistically significant di ff erence between experiments 10 SURFnet: we make innovation work

  11. Rise in truncated answers •Experiment: – Querying 995 zones in .com, .edu, .mil, .net and .nl – All zones are signed and have a www-node – Results: Max. response A for www AAAA for www DNSKEY 4096 0.0% 0.0% 0.0% 1472 1.8% 1.8% 8.1% 1232 2.9% 3.5% 40.0% – 30% truncations were expected for a maximum response size of 1232 bytes by Rikitake, K., Nogawa, H., Tanaka, T., Nakao, K. and Shimojo, S. “An Analysis of DNSSEC Transport Overhead Increase”, IPSJ SIG Technical Reports 2005-CSEC-28, Vol. 2005, No. 33, pp. 345-350, ISSN 0919-6072, 2005 11 SURFnet: we make innovation work

  12. How to move forward? •Working on a recommendation in the RIPE DNS working group (http:/ /bit.ly/ripe-draft-frag) •Make sure your resolver(s) set the maximum response size to something that actually works! Learn how: http:/ /bit.ly/sn-dnssec-vali 12 SURFnet: we make innovation work

  13. roland.vanrijswijk@surfnet.nl nl.linkedin.com/in/rolandvanrijswijk @reseauxsansfil Questions? Remarks? Read our blog: https:/ /dnssec.surfnet.nl/

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN

Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN

Topic # 3 Fragmentation of Social Safety Nets: Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN program fragmentation (Inas) Case studies of Pakistan (Shereen), Kenya (Stefanie), and

488 views • 18 slides
Weeds and CSG Problems of Co-Existence CLASS 2 DECLARED WEEDS African Boxthorn Groundsel

Weeds and CSG Problems of Co-Existence CLASS 2 DECLARED WEEDS African Boxthorn Groundsel

Weeds and CSG Problems of Co-Existence CLASS 2 DECLARED WEEDS African Boxthorn Groundsel Mother of Millions Parthenium Prickly acacia Prickly pear Rats tail grasses LOCAL COUNCIL WEED OF CONCERN African Lovegrass

342 views • 16 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker &lt;wes.hardaker@parsons.com&gt; Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
MT System Combination Silja Hildebrand MT System Combination System Combination in MT

MT System Combination Silja Hildebrand MT System Combination System Combination in MT

MT System Combination Silja Hildebrand MT System Combination System Combination in MT Methods of machine translation Rule based Statistical Hierarchical Syntax based Output is different Make use of the individual strengths of the

722 views • 70 slides
who am I? who am I? project opportunity: prickly visibility theory implementation project

who am I? who am I? project opportunity: prickly visibility theory implementation project

who am I? who am I? project opportunity: prickly visibility theory implementation project opportunity: prickly visibility theory implementation project opportunity: prickly visibility theory implementation project opportunity: prickly

1.28k views • 87 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny

924 views • 43 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
CS 356: Computer Network Architectures Lecture 10: IP Fragmentation, ARP, and ICMP Xiaowei Yang

CS 356: Computer Network Architectures Lecture 10: IP Fragmentation, ARP, and ICMP Xiaowei Yang

CS 356: Computer Network Architectures Lecture 10: IP Fragmentation, ARP, and ICMP Xiaowei Yang xwy@cs.duke.edu Overview Homework 2-dimension parity IP fragmentation ARP ICMP Fragmentation and Reassembly (not required for

847 views • 42 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides

More recommend