dnssec signing at scale on the edge
play

DNSSEC Signing at Scale on the Edge lafur Gu mundsson What we do: - PowerPoint PPT Presentation

Jan 06, 2024 •264 likes •362 views

DNSSEC Signing at Scale on the Edge lafur Gu mundsson What we do: DNS Third party DNS operator for 2M+ One of largest responders of DNS query traffic Largest dropper of DNS traffic in the world Operate large number of

  1. DNSSEC Signing at Scale on the Edge ólafur Gu ð mundsson

  2. What we do: DNS • Third party DNS operator for 2M+ • One of largest responders of DNS query traffic • Largest dropper of DNS traffic in the world • Operate large number of DNS servers at over 60 locations • Custom DNS server developed in-house 2

  3. DNSSEC launch • Paid customers can enable it from user interface as of today • Soon Default on for all paid customers • Use ECDSA P256 algorithm • speed and size • Sign DNSKEY in central location • publish CDS/CDNSKEY as well • All other RR’s signed at the edge 3

  4. Signing speed (and size): ECDSA P256 RSA: 
 1181 BYTES ECDSA: 
 305 BYTES and faster 4

  5. Minimal non-existent answers: “Black Lies” • Our solution: true lies. sign a NOERROR. • Generate a NSEC for the query name, cover minimal span, only set the NSEC and RRSIG bits ==> NXDOMAIN 5

  6. Quick negative’s: the “NSEC shotgun” • DNS Server optimized for answering exact query • Query for TXT and there’s no TXT? • Set all the other bits that might exist. • The NSEC is a valid denial for TXT, and is useless for an attacker that wants to replay it for other queries. filippo.io. 3600 IN NSEC \003.filippo.io. A NS SOA WKS HINFO MX TXT AAAA LOC SRV CERT SSHFP IPSECKEY RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF 6

  7. How expensive is online signing ? • Minimal impact • We have highly optimized code • Cutting down on number of NSEC records helps • Reuse signed SOA • Key Distribution • You must trust your servers and have secure software distribution and boot 7

  8. Our Challenge • Required new systems • Central signer • DNSSEC health check ==> if DS is configured correctly • Changes affected many systems we have deployed • DNS servers, DB, UI, secure boot, • Supporting TLSA • Coming soon • Uploading and maintaining DS records for customers 8

  9. DNSSEC’s MAIN ROADBLOCK • Registration System is out of touch with reality!! • Need an easy way to update Parent • CDS/CDNSKEY publication is sufficient statement of intent! • Working with registrars and registers to enable DNSSEC at scale • will offer DNSSEC to free customers were we can update DS at parent • CDS/CDNSKEY needs delete mode 9

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN | 1 Motivation for the Talk ICANN is about to change an important configuration parameter in DNSSEC For a network DNS operator, this may

377 views • 21 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Helping Your Students Join One of the Fastest Growing Careers: Sign Language Interpreting By

Helping Your Students Join One of the Fastest Growing Careers: Sign Language Interpreting By

Helping Your Students Join One of the Fastest Growing Careers: Sign Language Interpreting By James Frost, President and General Counsel, and Anne Frost, Vice-President Signing Edge About Signing Edge Signing Edge is a deaf-owned and

256 views • 13 slides
DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th 2011 DNSSEC validation - Validation rate not rising very much - Interesting to see what will happen after .com signing 2 SURFnet. We make

482 views • 16 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for http(s)

538 views • 25 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
EDGE: Extreme Scale Fused Seismic Simulations with the Discontinuous Galerkin Method Alexander

EDGE: Extreme Scale Fused Seismic Simulations with the Discontinuous Galerkin Method Alexander

EDGE: Extreme Scale Fused Seismic Simulations with the Discontinuous Galerkin Method Alexander Breuer, Alexander Heinecke (Intel), Yifeng Cui What is EDGE? Extreme-scale Discontinuous Galerkin Environment (EDGE): Seismic wave

348 views • 17 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
Digital signing Digital signing an upcomming service for all apache projects Target of project:

Digital signing Digital signing an upcomming service for all apache projects Target of project:

Digital signing Digital signing an upcomming service for all apache projects Target of project: Use symantec as provider Infra-root as Enterprise Service Provider PMC as Software Publishers Provide signing for microsoft jani

359 views • 8 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat, Morocco, 1 June 2008 http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 page 2 DNSKEY in flavours Zone Signin Key (ZSK) Key Signing Key (KSK)

155 views • 13 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
1 FLP Partial Intuition Implication for fair exchange Quote from paper: Need a trusted

1 FLP Partial Intuition Implication for fair exchange Quote from paper: Need a trusted

TECS Week 2005 Contract Signing Two parties want to sign a contract Contract-Signing Protocols Multi-party signing is more complicated The contract is known to both parties The protocols we will look at are not for contract

402 views • 7 slides

More recommend