rollover and die
play

Rollover and Die? George Michaelson, APNIC Geoff Huston, APNIC - PowerPoint PPT Presentation

May 08, 2023 •340 likes •951 views

Rollover and Die? George Michaelson, APNIC Geoff Huston, APNIC Patrik Wallstrm, IIS Roy Arends, Nominet UK 1 Were under attack!!! On the 16th of december, traffic more than doubled 2 DNSKEY amplification attack 3 DNSKEY response size

  1. Rollover and Die? George Michaelson, APNIC Geoff Huston, APNIC Patrik Wallström, IIS Roy Arends, Nominet UK 1

  2. We’re under attack!!! On the 16th of december, traffic more than doubled 2

  3. DNSKEY amplification attack 3

  4. DNSKEY response size Response size: 990 Bytes Query rate: 2000 qps 15.8 Mbps Additional load 4

  5. Who does this? 5

  6. Who does this? 5

  7. What was special about the 16th? 6

  8. What was special about the 16th? 7

  9. Hanlon’s razor Never attribute to malice that which can be explained by stupidity. 8

  10. Why so many clients? • Fedora bug report 17th Jan 2010 – (1 month after the roll) • operator reports getting 240.000 log entries in 24hr – “no valid key” • dnssec-conf tool contained a hard-configured trust anchor file – obsolete after the 16th. 9

  11. What was special about the 16th? 10

  12. What was special about the 16th? what a great lesson Randy Bush’s response 10

  13. Current load for in-addr.arpa getting better, below 1000 qps right now But decline not fast enough before new roll 11

  14. The Load Projection 12

  15. The Load Projection remove 12

  16. The Load Projection remove remove 12

  17. The Load Projection add remove remove 12

  18. Was this a one off event? Sweden, june 2009 13

  19. Was this a one off event? Sweden, june 2008 14

  20. Was this a one off event? 1st resolver fix Sweden, june 2008 14

  21. Was this a one off event? 1st resolver fix 2nd resolver fix Sweden, june 2008 14

  22. Why so many Queries? • Resolvers are supposed to cache dnskey • Even when those are bad • Resolvers should be nice, not aggressive • So many resolvers, so few servers 15

  23. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: 16

  24. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: root TA 16

  25. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: www.dnssec.se root A SIG TA 16

  26. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se root A SIG KEY TA 16

  27. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root A SIG KEY DS TA 16

  28. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root A SIG KEY DS KEY TA 16

  29. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS TA 16

  30. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 16

  31. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 16

  32. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 3 3 13 13 20 20 16

  33. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 3 3 13 13 20 20 16

  34. Why so many Queries? • Bind bug in all versions • Depth First Search (DFS) problem • Chain of trust validation: dnssec.se se root root A SIG KEY DS KEY DS KEY TA 3 3 13 13 20 20 3 * 3 * 13 * 13 * 20 * 20 = 608400 queries 16

  35. ISC • Reported the depth first search bug on februari 8th 17

  36. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. 17

  37. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. • released BIND 9.7.0 with bug – first version that can validate the root – “Exercise caution”, ignores the lame DS issue 17

  38. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. • released BIND 9.7.0 with bug – first version that can validate the root – “Exercise caution”, ignores the lame DS issue • released BIND 9.6.2 with bug – root-validation back ported, no 5011 • tick tock 17

  39. ISC • Reported the depth first search bug on februari 8th • Acknowledged the problem – fundamental fix, needs thorough testing. • released BIND 9.7.0 with bug – first version that can validate the root – “Exercise caution”, ignores the lame DS issue • released BIND 9.6.2 with bug – root-validation back ported, no 5011 • tick tock • Announced a patch as soon as possible. – still waiting – folks are deploying 9.7.0 and 9.6.2 right now 17

  40. The Perfect Storm • DNSSEC deployment at root (DURZ) – guess what: lame trust-anchor, don’t configure 18

  41. The Perfect Storm • DNSSEC deployment at root (DURZ) – guess what: lame trust-anchor, don’t configure 18

  42. The Perfect Storm 19

  43. The Perfect Storm • No automatic trust anchor roll (5011) – 9.7.0 implementation is buggy • promised fix in 9.7.1 – 9.6.2 not planned 19

  44. The Perfect Storm • No automatic trust anchor roll (5011) – 9.7.0 implementation is buggy • promised fix in 9.7.1 – 9.6.2 not planned • DLV mishaps: – DLV registry promiscuously scrapes TLD keys • Just another chain of trust – .PR rolled its key • was unavailable to DLV users for days • caused a major packet storm 19

  45. The Perfect Storm • Multiple trust anchor problem – TLD Trust Anchors trump Root Trust Anchor • stale TLD Trust Anchor trumps valid Root Trust Anchor 20

  46. The Perfect Storm • Multiple trust anchor problem – TLD Trust Anchors trump Root Trust Anchor • stale TLD Trust Anchor trumps valid Root Trust Anchor • Doom scenario: – TLD registers DS in root – new policy: don’t announce rolls, depend on root • That is the way NS records works as well – Operators won’t update TLD trust anchor anymore • Why would they, they’ve configured root trust-anchor 20

  47. A Series Of Unfortunate Events 21

  48. A Series Of Unfortunate Events • buggy software 21

  49. A Series Of Unfortunate Events • buggy software • DNSSEC @ root 21

  50. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem 21

  51. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem • no 5011 deployment 21

  52. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem • no 5011 deployment • opportunistic DLV scraping 21

  53. A Series Of Unfortunate Events • buggy software • DNSSEC @ root • multiple trust anchor problem • no 5011 deployment • opportunistic DLV scraping • Frequent Rollover Syndrome – rolling rolling rolling, keep them DNSKEYs rolling. 21

  54. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly 22

  55. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly • Advice is completely misguided: – too many sigs do not leak the key. – Intention is to mitigate a compromised key fallout – but there is no perfect forward security 22

  56. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly • Advice is completely misguided: – too many sigs do not leak the key. – Intention is to mitigate a compromised key fallout – but there is no perfect forward security • If a key can be compromised in 1 year, it can be compromised in 6 months for twice the cost 22

  57. Frequent Rollover Syndrome • Advice seems to be: – roll the key as often as you can – Some roll twice a year, some roll monthly • Advice is completely misguided: – too many sigs do not leak the key. – Intention is to mitigate a compromised key fallout – but there is no perfect forward security • If a key can be compromised in 1 year, it can be compromised in 6 months for twice the cost • Other reasons: educate operators, exercise procedures – all irrelevant, never mess with a critical production system 22

  58. Solution • Fix the buggy software already – stop releasing versions that have problems – (Help fund BIND-10) • Don’t roll keys (too often) – be practical • Do not endorse configuration of trust-anchors when parent is signed. – no 5011, no web-page with listed keys, no DLV, no ITAR – Manage all through a signed parent. • When parent is not signed: – Use proper 5011. Use ISC’s DLV.

Recommend

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides a superior product, and 3. much less expensive 3 Student Rollover So, Im wondering why are we still using these? NEW SLIDE 1. Hard to use,

734 views • 22 slides
Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Donald Friedman Susie Bozzini Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries occur in pre roll crash events, limiting the likelihood that ESC will be as effective as predicted, emphasizing occupant

757 views • 62 slides
Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN FOSDEM 2019 3 February 2019 | 1 The KSK rollover has happened! The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018

434 views • 24 slides
The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land Commissioner Rollover Pass, Galveston County Project Site Rollover Pass, Galveston County GIWW Rollover Pass Rollover Pass, Galveston County History:

231 views • 10 slides
KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root

558 views • 13 slides
MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went off the edge of the road No injuries What was spilled? Fuel Engine oil Contributing Factors to Rollover Poor visibility Dark

75 views • 5 slides
Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston ) Key Rollover Document New doc: draC-huston-sidr-aao-profile-0-

494 views • 14 slides
Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The

Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The

Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The George Washington University SAE Paper 2007-01-0875 Research Questions What rollover crash factors influence the fire rate? Vehicle class

741 views • 35 slides
QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of

QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of

QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of $1.22 per QMS share held on the Scheme Record Date. Rollover Shareholders will receive a mixture of consideration of cash and shares in Shelley

402 views • 7 slides
Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side Rear Other 39% N=32,335 Source: 2002 FARS Side-impact Crashes (non-rollover) by Crash Partner Passenger Cars Other 19% 21% Narrow Objects

708 views • 4 slides
Monetary independence and rollover crises Javier Bianchi (Federal Reserve Bank of Minneapolis &

Monetary independence and rollover crises Javier Bianchi (Federal Reserve Bank of Minneapolis &

Monetary independence and rollover crises Javier Bianchi (Federal Reserve Bank of Minneapolis & NBER) Jorge Mondragon (University of Minnesota) NBER Summer Institute Eurozone Debt Crisis Concerns about rollover crises and sovereign

878 views • 85 slides
Structuring and Negotiating Rollover Equity Interests in Private

Structuring and Negotiating Rollover Equity Interests in Private

Structuring and Negotiating Rollover Equity Interests in Private Equity Transactions September 13, 2016 Saul E. Rudo Steve Jarmel Katten Muchin Rosenman LLP Periscope

382 views • 14 slides
Key rollover @RIPE NCC draft-ietf-sidr-res-certs-18#section-8 draft-huston-sidr-keyroll-00.txt

Key rollover @RIPE NCC draft-ietf-sidr-res-certs-18#section-8 draft-huston-sidr-keyroll-00.txt

RIPE Network Coordination Centre Key rollover @RIPE NCC draft-ietf-sidr-res-certs-18#section-8 draft-huston-sidr-keyroll-00.txt Tim Bruijnzeels IETF78 http://www.ripe.net 1 RIPE Network Coordination Centre Before rollover CA Issuer: TA

258 views • 13 slides
QMS Shareholders (other than Rollover Shareholders, who will receive a mixed consideration

QMS Shareholders (other than Rollover Shareholders, who will receive a mixed consideration

QMS Shareholders (other than Rollover Shareholders, who will receive a mixed consideration alternative) will receive total cash consideration of $1.22 per QMS share held on the Scheme Record Date. Scheme must be approved at this General Scheme

579 views • 9 slides
2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @

Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @

Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @ ICANN.ORG Changed-by: carlos @ lacnic.net LACNIC 27 Foz do Iguassu 1 Agenda What is the problem here ? Some tools to check operation

240 views • 23 slides
2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

720 views • 36 slides
Gasoline Tanker Rollover May 12, 2009

Gasoline Tanker Rollover May 12, 2009

Gasoline Tanker Rollover May 12, 2009

205 views • 9 slides
The Employee Benefits Practice Group Shipman & Goodwin LLP March 3, 2005 You have probably

The Employee Benefits Practice Group Shipman & Goodwin LLP March 3, 2005 You have probably

The Automatic Rollover Rules: A Practical Primer Prepared by: The Employee Benefits Practice Group Shipman & Goodwin LLP March 3, 2005 You have probably already heard about the new automatic rollover rules. With the March 28, 2005

288 views • 4 slides
Parallel ZSK/KSK Rollover Scheme Zheng Wang wangzheng@conac.cn China Organizational Name

Parallel ZSK/KSK Rollover Scheme Zheng Wang wangzheng@conac.cn China Organizational Name

Parallel ZSK/KSK Rollover Scheme Zheng Wang wangzheng@conac.cn China Organizational Name Administration Center (CONAC) April 10th, 2013 Problem Solution Scheme Concluding Outline 1 The problem 2 The Solution 3 The Scheme 4 Concluding and

528 views • 18 slides
SFMS User Group Meeting June 5, 2018 SFMS 6/5/2018 1 SFMA Terms Table Archives Rollover

SFMS User Group Meeting June 5, 2018 SFMS 6/5/2018 1 SFMA Terms Table Archives Rollover

SFMS User Group Meeting June 5, 2018 SFMS 6/5/2018 1 SFMA Terms Table Archives Rollover Programs Document Tracking, Profile Payments, Financial, Year End Receipts, Profiles Purges Closing Programs Vendor Table Year End ACH Vendor

1k views • 86 slides
Spackenkill Union Free School District Board of Education Budget Presentation 2019-2020 Rollover

Spackenkill Union Free School District Board of Education Budget Presentation 2019-2020 Rollover

Spackenkill Union Free School District Board of Education Budget Presentation 2019-2020 Rollover Budget January 22, 2019 2 2018-2019 Financial Update and Current Budget Assumptions for 2019-2020 2018-19 State Aid increased by

301 views • 15 slides
Flame Interaction and Rollover Solutions in Ethylene Cracking Furnaces 1 EEPC Ethylene Seminar

Flame Interaction and Rollover Solutions in Ethylene Cracking Furnaces 1 EEPC Ethylene Seminar

EEPC Ethylene Seminar 24-26 October 2012, Barcelona (Spain) Flame Interaction and Rollover Solutions in Ethylene Cracking Furnaces 1 EEPC Ethylene Seminar 24-26 October 2012, Barcelona Statement of Problem Cracking furnace must be

136 views • 10 slides
Holland 2020-2021 BUDGET PRESENTATION Central DRAFT #3 ROLLOVER BUDGET School District MARCH

Holland 2020-2021 BUDGET PRESENTATION Central DRAFT #3 ROLLOVER BUDGET School District MARCH

Holland 2020-2021 BUDGET PRESENTATION Central DRAFT #3 ROLLOVER BUDGET School District MARCH 23, 2020 PRESENTATION OVERVIEW Tax Cap Calculation Finalized 3rd Draft 2020-2021 Revenues 3rd Draft 2020-2021 Projected Expenditures

241 views • 10 slides

More recommend