DNSSEC update TF Mobility, Vienna

Size: px
Start display at page:

Download "DNSSEC update TF Mobility, Vienna"

Transcription

1 DNSSEC update TF Mobility, Vienna Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 18th 2010

2 Overview - Introduction - DNSSEC validation on resolvers - Update on what we ve learned so far - What you can do - DNSSEC signing - Status of the root zone & (g)tld s - Our plans for Status of OpenDNSSEC - What you can do - One more thing... (or maybe two ;-) 2

3 Current validation rates - Validation rates are around 1-2%: 3

4 Validation running amok - Strange validation failures: Feb 4 14:28:25 ns0 unbound: [18112:0] info: validation failure <time-a.nist.gov. A IN>: no signatures from for key nist.gov. while building chain of trust Feb 4 14:30:32 ns0 unbound: [18112:0] info: validation failure <time.nist.gov. A IN>: no signatures from for key nist.gov. while building chain of trust 4 - We re in constant contact with NLnetLabs to solve these issues

5 The ARIN incident - Around September 4th 09 we noticed that lot s of reverse lookups (PTR) suddenly failed to validate - At first we thought it was an Unbound issue - We worked with the guys from NLnetLabs for 5 days in a row - We analysed over 500MB of DNS queries (packets are usually just 512 bytes!) - It was not a bug in Unbound... 5

6 The ARIN incident - chia.arin.net was the culprit - It has both an IPv4 as well as an IPv6 address - IPv4 (A) could be queried for - IPv6 (AAAA) could not be queried for - But the glue for arin.net contained an AAAA record - Once that AAAA record was cached, IPv6 is also used to access this server - The server gave DNSSEC answers on IPv4 but not on IPv6 - Made about 1 in 12 reverse validations fail - At first, ARIN s hostmaster ignored our message... but pulling some strings helped - Issue was quietly solved on Sep. 15th 09 6

7 7 Common validation failures - Some US government agencies seem unable to get DNSSEC right: Feb 10 04:16:43 ns0 unbound: [5973:1] info: validation failure <USPTO.GOV. MX IN>: no signatures from for key USPTO.GOV. while building chain of trust Feb 10 04:53:00 ns0 unbound: [5973:0] info: validation failure <gk-w-mail.srvs.usps.gov. A IN>: no signatures over NSEC3s from for DS gk-w-mail.srvs.usps.gov. while... Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure <www.hud.gov. A IN>: no DS... - Others include.cz and.bg domains: Feb 10 13:47:35 ns0 unbound: [5973:0] info: validation failure <www.atol.bg. A IN>: No DNSK... Feb 10 13:37:17 ns0 unbound: [5973:0] info: validation failure <ns.unicycle.cz. A IN>: no k... - Anybody here from the University of Lissabon? Feb 15 19:10:25 ns0 unbound: [5973:1] info: validation failure <FM.UL.PT. MX IN>: no NSEC3 records from 2001:690:21c0:b::150 for DS FM.UL.PT. while building chain of trust - And of course there was the.se or rather the not.se. incident last year

8 Getting rid of interim solutions - Currently most people that validate use either ITAR or DLV to obtain trust anchors - Stock distributions have pre-packaged configurations for common resolvers that contain trust anchors - Unfortunately, these are not kept up-to-date! - Lesson learned: When the root gets signed, make sure you purge old trust anchors! 8

9 Firewalls and other M-i-t-M - DNSSEC uses the EDNS0 extension (RFC 2671) - For larger messages (signature RRs!) - For the DO-bit (DNSSEC OK) - Some network hardware blocks DNSSEC traffic - Firewalls stop UDP packets: - Over 512 bytes in size on port 53 - Blocking fragmented UDP packets - People block TCP on port 53 on their firewall 9 - SOHO routers interfere with DNS traffic - Many broken DNS implementations - Read the Nominet report: dnssec-cpe/dnssec-cpe-report.pdf

10 What you can do - Start validating on your resolvers - Use BIND, Unbound or even Windows Server 2008 R2 - Advantages: - Your users immediately profit from signed domains - Gain real-life DNSSEC experience - Find out and solve issues before the root is signed - Disadvantages: - Badly managed domains (US gov?) disappear - Nasty firewall issues become apparent - Root not yet signed so you have to rely on DLV or ITAR - B.T.W.: BIND 9.5 sets the DO-bit by default so most of you already ask for DNSSEC answers 10

11 Signing: the status - Root to be signed July 1st L-root and A-root now serve DNSSEC records - J-root is the last planned on May 5th - Follow the project on - Lot s of new TLD s have been signed:.ch,.li,.pt,.tm,.us,.na,.th - Lot s of TLD s have announced dates:.cl,.my,.nl,.uk,.edu,.com,.net - And there are testbeds:.de,.eu 11

12 Our plans for DNSSEC as part of our managed DNS service: 12

13 Our plans for Project approved and started on Feb. 1st - Will use 2x Safenet Luna SA HSM to store key material - Will use OpenDNSSEC as signer engine - Project runs until the end of Q3 - Our goal: 13

14 Status of OpenDNSSEC - OpenDNSSEC 1.0 has been released - Packages for distributions are being prepared - Is a real first release, i.e. your mileage may vary (it works but there s room for improvement) - Used by.uk and.se to sign their zones - OpenDNSSEC 1.1 (±March 2010) - Performance improvements - EPP plugin - Changes to auditing process - OpenDNSSEC 1.2 (±May 2010) - Signer engine in C instead of Python - OpenDNSSEC Lot s of new features (IXFR, web interface, continuous signing,...) 14

15 What you can do - Test OpenDNSSEC and give lots of feedback - Plan for the future: - Are you going to sign your domains? - Do you want/need to offer signing services to your customers? - Plan for problem situations (e.g. when the root is signed) - Share your experiences with the rest of us! -...attend DNSSEC BoF at TNC 2010? 15

16 One more thing... - Should eduroam.org be signed? - There was some discussion about this at the TNC 2009 DNSSEC BoF - DNSSEC strictly speaking not needed for RADSEC - Who should be responsible? - If it s done, who will be involved? - DNSSEC monitoring/auditing - External tool to check zone integrity - Checks DNSSEC stuff - Based on existing tools? - 16

17 That s all folks... Questions?? Thank you for your attention! Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl Presentation released under Creative Commons (http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en) 17

DNSSEC Applying cryptography to the Domain Name System

DNSSEC Applying cryptography to the Domain Name System DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC

More information

Use Domain Name System and IP Version 6

Use Domain Name System and IP Version 6 Use Domain Name System and IP Version 6 What You Will Learn The introduction of IP Version 6 (IPv6) into an enterprise environment requires some changes both in the provisioned Domain Name System (DNS)

More information

DNS at NLnet Labs. Matthijs Mekking

DNS at NLnet Labs. Matthijs Mekking DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the

More information

Introduction. What is Unbound and what is DNSSEC. Installation. Manual for Unbound on Windows. W.C.A. Wijngaards, NLnet Labs, October 2010

Introduction. What is Unbound and what is DNSSEC. Installation. Manual for Unbound on Windows. W.C.A. Wijngaards, NLnet Labs, October 2010 Manual for Unbound on Windows W.C.A. Wijngaards, NLnet Labs, October 2010 Introduction This manual aims to provide information about the Unbound server on the Windows platform. Included is installation,

More information

Networking Domain Name System

Networking Domain Name System IBM i Networking Domain Name System Version 7.2 IBM i Networking Domain Name System Version 7.2 Note Before using this information and the product it supports, read the information in Notices on page

More information

The Root of the Matter: Hints or Slaves

The Root of the Matter: Hints or Slaves The Root of the Matter: Hints or Slaves David Malone October 21, 2003 Abstract We consider the possibility of having a name server act as a slave to the root zone, rather than caching

More information

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS NANOG DNS BoF DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS The Role Of An ISP In DNSSEC Valida;on ISPs act in two different DNSSEC roles, both signing and valida;ng

More information

DNSSEC in your workflow

DNSSEC in your workflow DNSSEC in your workflow Presentation roadmap Overview of problem space Architectural changes to allow for DNSSEC deployment Deployment tasks Key maintenance DNS server infrastructure Providing secure delegations

More information

Security of IPv6 and DNSSEC for penetration testers

Security of IPv6 and DNSSEC for penetration testers Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions

More information

Domain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Domain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Domain Name System 2015-04-28 17:49:44 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Domain Name System... 4 Domain Name System... 5 How DNS Works

More information

Copyright 2012 http://itfreetraining.com

Copyright 2012 http://itfreetraining.com In order to find resources on the network, computers need a system to look up the location of resources. This video looks at the DNS records that contain information about resources and services on the

More information

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April 2009. Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, www.nic.net.sa. DNS & IPv6.

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April 2009. Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, www.nic.net.sa. DNS & IPv6. DNS & IPv6 MENOG4, 8-9 April 2009 Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, www.nic.net.sa Agenda DNS & IPv6 Introduction What s next? SaudiNIC & IPv6 About SaudiNIC How a cctld Registry supports

More information

Pre Delegation Testing (PDT) Frequently Asked Questions (FAQ)

Pre Delegation Testing (PDT) Frequently Asked Questions (FAQ) Pre Delegation Testing (PDT) Frequently Asked Questions (FAQ) [Ver 1.7 2013-06- 04] List of contents General questions Who do I contact with questions about Pre- Delegation Testing?... 3 What is the process

More information

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. . Computer System Security and Management SMD139 Lecture 5: Domain Name System Peter A. Jonsson DNS Translation of Hostnames to IP addresses Hierarchical distributed database DNS Hierarchy The Root Name

More information

Internet-Praktikum I Lab 3: DNS

Internet-Praktikum I Lab 3: DNS Kommunikationsnetze Internet-Praktikum I Lab 3: DNS Mark Schmidt, Andreas Stockmayer Sommersemester 2015 kn.inf.uni-tuebingen.de Motivation for the DNS Problem IP addresses hard to remember for humans

More information

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl http://www.nlnetlabs.nl/ 28 Feb 2013 Stichting NLnet Labs

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl http://www.nlnetlabs.nl/ 28 Feb 2013 Stichting NLnet Labs page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl page 2 One slide DNS Root www.nlnetlabs.nl A Referral: nl NS www.nlnetlabs.nl A 213.154.224.1 www.nlnetlabs.nl A www.nlnetlabs.nl A 213.154.224.1

More information

Building Nameserver Clusters with Free Software

Building Nameserver Clusters with Free Software Building Nameserver Clusters with Free Software Joe Abley, ISC NANOG 34 Seattle, WA, USA Starting Point Discrete, single-host authoritative nameservers several (two or more) several (two or more) geographically

More information

Domain Name System (DNS) Fundamentals

Domain Name System (DNS) Fundamentals Domain Name System (DNS) Fundamentals Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International

More information

A versatile platform for DNS metrics with its application to IPv6

A versatile platform for DNS metrics with its application to IPv6 A versatile platform for DNS metrics with its application to IPv6 Stéphane Bortzmeyer AFNIC bortzmeyer@nic.fr RIPE 57 - Dubai - October 2008 1 A versatile platform for DNS metrics with its application

More information

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS)

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS) Date: 8/27/2012 Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS) Table of Contents 1 Overview...2 1.1 Other Resources...2 1.1.1 State of Minnesota Standards and Guidelines...2

More information

Networking Domain Name System

Networking Domain Name System System i Networking Domain Name System Version 5 Release 4 System i Networking Domain Name System Version 5 Release 4 Note Before using this information and the product it supports, read the information

More information

Understand Names Resolution

Understand Names Resolution Understand Names Resolution Lesson Overview In this lesson, you will learn about: Domain name resolution Name resolution process steps DNS WINS Anticipatory Set 1. List the host name of 4 of your favorite

More information

Defending your DNS in a post-kaminsky world. Paul Wouters

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com> Defending your DNS in a post-kaminsky world Paul Wouters Overview History of DNS and the Kaminsky attack Various DNS problems explained Where to address the DNS problem Nameservers,

More information

Recommendations for dealing with fragmentation in DNS(SEC)

Recommendations for dealing with fragmentation in DNS(SEC) Recommendations for dealing with fragmentation in DNS(SEC) Abstract DNS response messages can sometimes be large enough to exceed the Maximum Transmission Unit (MTU) size for the underlying physical network.

More information

Networking Domain Name System

Networking Domain Name System System i Networking Domain Name System Version 6 Release 1 System i Networking Domain Name System Version 6 Release 1 Note Before using this information and the product it supports, read the information

More information

DOMAIN NAME SECURITY EXTENSIONS

DOMAIN NAME SECURITY EXTENSIONS DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions

More information

KB259302 - Windows 2000 DNS Event Messages 1 Through 1614

KB259302 - Windows 2000 DNS Event Messages 1 Through 1614 Page 1 of 6 Knowledge Base Windows 2000 DNS Event Messages 1 Through 1614 PSS ID Number: 259302 Article Last Modified on 10/29/2003 The information in this article applies to: Microsoft Windows 2000 Server

More information

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid WHITE PAPER Best Practices DNSSEC Zone Management on the Infoblox Grid What Is DNSSEC, and What Problem Does It Solve? DNSSEC is a suite of Request for Comments (RFC) compliant specifications developed

More information

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace Motivation Domain Name System (DNS) IP addresses hard to remember Meaningful names easier to use Assign names to IP addresses Name resolution map names to IP addresses when needed Namespace set of all

More information

DNS and IPv6 (and some IPv4 depletion statistics) Stephan Lagerholm, Senior DNS Architect Secure64 Software Corp.

DNS and IPv6 (and some IPv4 depletion statistics) Stephan Lagerholm, Senior DNS Architect Secure64 Software Corp. DNS and IPv6 (and some IPv4 depletion statistics) Stephan Lagerholm, Senior DNS Architect Secure64 Software Corp. Secure64 Software Corporation Privately funded, Colorado-based corporation, founded in

More information

IPV6 SERVICES DEPLOYMENT

IPV6 SERVICES DEPLOYMENT IPV6 SERVICES DEPLOYMENT LINX IPv6 Technical Workshop - March 2009 Jaco Engelbrecht Group Platforms Manager, clara.net DNS root zone goes AAAA! On 4 th February 2008 IANA added AAAA records for the A,

More information

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN Applicable Version: 10.6.2 onwards Overview Virtual host implementation is based on the Destination NAT concept. Virtual

More information

DNS and BIND. David White

DNS and BIND. David White DNS and BIND David White DNS: Backbone of the Internet Translates Domains into unique IP Addresses i.e. developcents.com = 66.228.59.103 Distributed Database of Host Information Works seamlessly behind

More information

Lesson 13: DNS Security. Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division

Lesson 13: DNS Security. Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division Lesson 13: DNS Security Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division Introduction to DNS The DNS enables people to use and surf the Internet, allowing the translation

More information

A DNS Anomaly Detection and Analysis System

A DNS Anomaly Detection and Analysis System A DNS Anomaly Detection and Analysis System Hyo-Jeong Shin, KT NANOG 40 June 2007 KORNET DNS system More than 20 cache DNS server farms Each server farm advertises the same IP address using anycast routing

More information

Request for Comments: 1788 Category: Experimental April 1995

Request for Comments: 1788 Category: Experimental April 1995 Network Working Group W. Simpson Request for Comments: 1788 Daydreamer Category: Experimental April 1995 Status of this Memo ICMP Domain Name Messages This document defines an Experimental Protocol for

More information

The Domain Name System from a security point of view

The Domain Name System from a security point of view The Domain Name System from a security point of view Simon Boman Patrik Hellström Email: {simbo105, pathe321}@student.liu.se Supervisor: David Byers, {davby@ida.liu.se} Project Report for Information Security

More information

Unbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)

Unbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less) Unbound a caching, validating DNSSEC resolver UKUUG Spring 2011 Conference Leeds, UK March 2011 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr Do you trust your name server? DNS clients typically

More information

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0 THE MASTER LIST OF DNS TERMINOLOGY v 2.0 DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To help people

More information

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015 Monitoring the DNS Gustavo Lozano Event Name XX XXXX 2015 Agenda 1 2 3 Components of the DNS Monitoring gtlds Monitoring other components of the DNS 4 5 Monitoring system Conclusion 2 Components of the

More information

The Myth of Twelve More Bytes. Security on the Post- Scarcity Internet

The Myth of Twelve More Bytes. Security on the Post- Scarcity Internet The Myth of Twelve More Bytes Security on the Post- Scarcity Internet IPv6 The Myth of 12 More Bytes HTTP DHCP HTTP TLS ARP TCP UDP Internet Protocol Link Layer Physical Layer ICMP The Myth of 12 More

More information

XN--P1AI (РФ) DNSSEC Policy and Practice Statement

XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement... 1 INTRODUCTION... 2 Overview... 2 Document name and identification... 2 Community and Applicability...

More information

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley abulley@ghana.com

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley abulley@ghana.com Domain Name System (DNS) Session-1: Fundamentals Ayitey Bulley abulley@ghana.com Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved between

More information

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs Decoding DNS data Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs The Domain Name System (DNS) is a core component of the Internet infrastructure,

More information

DNS zone transfers from FreeIPA to non-freeipa slave servers

DNS zone transfers from FreeIPA to non-freeipa slave servers FreeIPA Training Series DNS zone transfers from FreeIPA to non-freeipa slave servers FreeIPA 3.0 and bind-dyndb-ldap 2.3 Petr Špaček 01-03-2013 Text file based

More information

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010 Presented by Greg Lindsay Technical Writer Windows Server Information Experience Presented at: Seattle Windows Networking User Group April 7, 2010 Windows 7 DNS client DNS devolution Security-awareness:

More information

dnsperf DNS Performance Tool Manual

dnsperf DNS Performance Tool Manual dnsperf DNS Performance Tool Manual Version 2.0.0 Date February 14, 2012 Copyright 2002-2012, Inc. - All Rights Reserved This software and documentation is subject to and made available pursuant to the

More information

DNSSEC Support in SOHO CPE. OARC Workshop Ottawa 24 th September 2008

DNSSEC Support in SOHO CPE. OARC Workshop Ottawa 24 th September 2008 DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008 or: How not to write a DNS proxy Study Details What is the impact of DNSSEC on consumer-class broadband routers? Joint study between

More information

Intro to djbdns. A DNS server besides BIND. Nathan Straz. nate@techie.com. Intro to djbdns p.1/21

Intro to djbdns. A DNS server besides BIND. Nathan Straz. nate@techie.com. Intro to djbdns p.1/21 Intro to djbdns A DNS server besides BIND Nathan Straz nate@techie.com Intro to djbdns p.1/21 Today s Topics Overview of DNS Overview of djbdns djbdns by example local cache network cache private domain

More information

- Domain Name System -

- Domain Name System - 1 Name Resolution - Domain Name System - Name resolution systems provide the translation between alphanumeric names and numerical addresses, alleviating the need for users and administrators to memorize

More information

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

THE MASTER LIST OF DNS TERMINOLOGY. First Edition THE MASTER LIST OF DNS TERMINOLOGY First Edition DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To

More information

DNSSEC Policy & Practice Statement for.tz Zone

DNSSEC Policy & Practice Statement for.tz Zone DNSSEC Policy & Practice Statement for.tz Zone Version 1.1 Effective Date: January 1, 2013 Tanzania Network Information Centre 14107 LAPF Millenium Towers, Ground Floor, Suite 04 New Bagamoyo Road, Dar

More information

The Root of the Matter: Hints or Slaves

The Root of the Matter: Hints or Slaves The Root of the Matter: Hints or Slaves David Malone Communications Network Research Institute Dublin Institute of Technology Ireland ABSTRACT We consider the possibility of having

More information

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS Agenda Network Services Domain Names & DNS Domain Names Domain Name System Internationalized Domain Names Johann Oberleitner SS 2006 Domain Names Naming of Resources Problems of Internet's IP focus IP

More information

FAQ (Frequently Asked Questions)

FAQ (Frequently Asked Questions) FAQ (Frequently Asked Questions) Specific Questions about Afilias Managed DNS What is the Afilias DNS network? How long has Afilias been working within the DNS market? What are the names of the Afilias

More information

Part 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology

Part 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2

More information

THE DOMAIN NAME SYSTEM DNS

THE DOMAIN NAME SYSTEM DNS Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace

More information

mydnsipv6 Success Story

mydnsipv6 Success Story Internet Identity For All mydnsipv6 Success Story By Norsuzana Harun Manager, Technology and Innovation Dept. 20 th July 2009 Agenda 1. About mydnsipv6 mydnsipv6 Roadmap (2006 2010) 2. mydnsipv6 Test Bed

More information

DNS traffic analysis -- Issues of IPv6 and CDN --

DNS traffic analysis -- Issues of IPv6 and CDN -- DNS traffic analysis -- Issues of IPv6 and CDN -- Kazunori Fujiwara ^, Akira Sato, Kenichi Yoshida University of Tsukuba ^Japan Registry Services Co., Ltd (JPRS) July 29, 2012 IEPG meeting at Vancouver

More information

IPv6 and DNS. Secure64

IPv6 and DNS. Secure64 IPv6 and DNS Secure64 About me Stephan Lagerholm Director and Founder of TXv6TF. Secure64 Software Corp. Sponsor of the event. Agenda: DNS and IPv6 basics DNS64 (RFC 6147) 464XLAT (RFC 6877) Heuristic

More information

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. olaf@nlnetlabs.nl and mankin@psg.com. http://www.nlnetlabs.nl/ 8 Feb 2006 Stichting NLnet Labs

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. olaf@nlnetlabs.nl and mankin@psg.com. http://www.nlnetlabs.nl/ 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin olaf@nlnetlabs.nl and mankin@psg.com 8 Feb 2006 Stichting NLnet Labs DNSSEC evangineers of the day Allison: Independent consultant Member of the Internet2

More information

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

IPv6 Support in the DNS. Workshop Name Workshop Location, Date IPv6 Support in the DNS Workshop Name Workshop Location, Date Agenda How important is the DNS? DNS Resource Lookup DNS Extensions for IPv6 Lookups in an IPv6-aware DNS Tree About Required IPv6 Glue in

More information

IPv6 support in the DNS

IPv6 support in the DNS IPv6 support in the DNS How important is the DNS? Getting the IP address of the remote endpoint is necessary for every communication between TCP/IP applications Humans are unable to memorize millions of

More information

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide HTG X XROADS NETWORKS Network Appliance How To Guide: EdgeDNS How To Guide V 3. 2 E D G E N E T W O R K A P P L I A N C E How To Guide EdgeDNS XRoads Networks 17165 Von Karman Suite 112 888-9-XROADS V

More information

Reverse DNS considerations for IPv6

Reverse DNS considerations for IPv6 Reverse DNS considerations for IPv6 Kostas Zorbadelos OTE David Freedman - ClaraNet Reverse DNS in IPv4 Every Internet-reachable host should have a name Make sure your PTR and A records match. For every

More information

Debugging With Netalyzr

Debugging With Netalyzr Debugging With Netalyzr Christian Kreibich (ICSI), Nicholas Weaver (ICSI), Boris Nechaev (HIIT/TKK), and Vern Paxson (ICSI & UC Berkeley) 1 What Is Netalyzr?! Netalyzr is a comprehensive network measurement

More information

SIDN Server Measurements

SIDN Server Measurements SIDN Server Measurements Yuri Schaeffer 1, NLnet Labs NLnet Labs document 2010-003 July 19, 2010 1 Introduction For future capacity planning SIDN would like to have an insight on the required resources

More information

Building a Linux IPv6 DNS Server

Building a Linux IPv6 DNS Server Building a Linux IPv6 DS Server By David Gordon and Ibrahim Haddad Open Systems Lab Ericsson Research Corporate Unit This article presents a tutorial on building an IPv6 DS Linux server that provides IPv6

More information

Module 2. Configuring and Troubleshooting DNS. Contents:

Module 2. Configuring and Troubleshooting DNS. Contents: Configuring and Troubleshooting DNS 2-1 Module 2 Configuring and Troubleshooting DNS Contents: Lesson 1: Installing the DNS Server Role 2-3 Lesson 2: Configuring the DNS Server Role 2-9 Lesson 3: Configuring

More information

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, CISSP Senior Content Strategist, Internet Society Eurasia Network Operators' Group (ENOG) 4 Moscow, Russia October

More information

Why You Need More Than Two Library and Information Services School of African and Oriental Studies London Networkshop 38, 2010 Everything Rolled into Together Design Flaws 1990 s DNS Design in 2010 In

More information

The Domain Name System

The Domain Name System The Domain Name System Antonio Carzaniga Faculty of Informatics University of Lugano October 9, 2012 2005 2007 Antonio Carzaniga 1 IP addresses and host names Outline DNS architecture DNS process DNS requests/replies

More information

Next Steps In Accelerating DNSSEC Deployment

Next Steps In Accelerating DNSSEC Deployment Next Steps In Accelerating DNSSEC Deployment Dan York, CISSP Senior Content Strategist, Internet Society DNSSEC Deployment Workshop, ICANN 45 Toronto, Canada October 17, 2012 Internet Society Deploy360

More information

Configuring Dynamic DNS

Configuring Dynamic DNS 9 CHAPTER This chapter describes how to configure DDNS update methods, and includes the following topics: Information about DDNS, page 9-1 Licensing Requirements for DDNS, page 9-2 Guidelines and Limitations,

More information

LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide

LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide Document Release: September 2011 Part Number: LL600027-00ELS090000 This manual supports LogLogic Microsoft DNS Release 1.0 and later,

More information

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011 The Internet is for Everyone. Become an ISOC Member. Cyber Security Symposium 2011 Where is Hong Kong in the secure Internet infrastructure development Warren Kwok, CISSP Internet Society Hong Kong 12

More information

Root Zone KSK: The Road Ahead. Edward Lewis DNS-OARC & RIPE DNSWG May 2015 edward.lewis@icann.org

Root Zone KSK: The Road Ahead. Edward Lewis DNS-OARC & RIPE DNSWG May 2015 edward.lewis@icann.org Root Zone KSK: The Road Ahead Edward Lewis DNS-OARC & RIPE DNSWG May 2015 edward.lewis@icann.org Agenda Setting the scene Change of Hardware Security Modules (HSMs) Roll (change) the Key Signing Key (KSK)

More information

EDU DNSSEC Testbed. Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network

EDU DNSSEC Testbed. Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network EDU DNSSEC Testbed Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network Internet2 Joint Techs Conference Salt Lake City, Utah February 2nd 2010 1 DNSSEC DNS Security Extensions A system

More information

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN Indien u hergebruik wenst te maken van de inhoud van deze presentatie, vragen wij u in het kader van auteursrechtelijke bescherming de juiste bronvermelding toe te passen. 17 juni 2014 De Reehorst in Ede

More information

IPv6.marceln.org. marcel.nijenhof@proxy.nl

IPv6.marceln.org. marcel.nijenhof@proxy.nl IPv6.marceln.org marcel.nijenhof@proxy.nl RFC 1606 RFC 1606 A Historical Perspective On The Usage Of IP Version 9 1 April 1994, J. Onions Introduction The take-up of the network protocol TCP/IPv9 has been

More information

Lecture 2 CS 3311. An example of a middleware service: DNS Domain Name System

Lecture 2 CS 3311. An example of a middleware service: DNS Domain Name System Lecture 2 CS 3311 An example of a middleware service: DNS Domain Name System The problem Networked computers have names and IP addresses. Applications use names; IP uses for routing purposes IP addresses.

More information

Securing DNS Infrastructure Using DNSSEC

Securing DNS Infrastructure Using DNSSEC Securing DNS Infrastructure Using DNSSEC Ram Mohan Executive Vice President, Afilias rmohan@afilias.info February 28, 2009 Agenda Getting Started Finding out what DNS does for you What Can Go Wrong A Survival

More information

IPv6 and DNS. Secure64

IPv6 and DNS. Secure64 IPv6 and DNS Secure64 About me Stephan Lagerholm Director and Founder of TXv6TF. Secure64 Software Corp. Sponsor of the event. AGENDA DNS and IPv6 basics IETF progress: DNS64 (RFC 6147) 464XLAT (RFC 6877)

More information

DNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers

DNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers DNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers version 1.9., valid since 1 January 2010 Introduction This material lays out operational rules that govern the work of the CZ.NIC association

More information

Description: Objective: Attending students will learn:

Description: Objective: Attending students will learn: Course: Introduction to Cyber Security Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: In 2014 the world has continued to watch as breach after breach results in millions of

More information

DNSSEC Policy Statement Version 1.1.0. 1. Introduction. 1.1. Overview. 1.2. Document Name and Identification. 1.3. Community and Applicability

DNSSEC Policy Statement Version 1.1.0. 1. Introduction. 1.1. Overview. 1.2. Document Name and Identification. 1.3. Community and Applicability DNSSEC Policy Statement Version 1.1.0 This DNSSEC Practice Statement (DPS) conforms to the template included in RFC 6841. 1. Introduction The approach described here is modelled closely on the corresponding

More information

DNSSEC Policy and Practice Statement.amsterdam

DNSSEC Policy and Practice Statement.amsterdam DNSSEC Policy and Practice Statement.amsterdam Contact T +31 26 352 55 00 support@sidn.nl www.sidn.nl Offices Meander 501 6825 MD Arnhem Mailing address Postbus 5022 6802 EA Arnhem May 24, 2016 Public

More information

DNS. Computer Networks. Seminar 12

DNS. Computer Networks. Seminar 12 DNS Computer Networks Seminar 12 DNS Introduction (Domain Name System) Naming system used in Internet Translate domain names to IP addresses and back Communication works on UDP (port 53), large requests/responses

More information

How to Configure the Windows DNS Server

How to Configure the Windows DNS Server Windows 2003 How to Configure the Windows DNS Server How to Configure the Windows DNS Server Objective This document demonstrates how to configure domains and record on the Windows 2003 DNS Server. Windows

More information

DNSSEC Deployment a case study

DNSSEC Deployment a case study DNSSEC Deployment a case study Olaf M. Kolkman Olaf@NLnetLabs.nl RIPE NCCs Project Team: Katie Petrusha, Brett Carr, Cagri Coltekin, Adrian Bedford, Arno Meulenkamp, and Henk Uijterwaal Januari 17, 2006

More information

DNS ActiveX Control for Microsoft Windows. Copyright Magneto Software All rights reserved

DNS ActiveX Control for Microsoft Windows. Copyright Magneto Software All rights reserved DNS ActiveX Control for Microsoft Windows Copyright Magneto Software All rights reserved 1 DNS Overview... 3 1.1 Introduction... 3 1.2 Usage... 3 1.3 Property... 4 1.4 Event... 4 1.5 Method... 4 1.6 Error

More information

DNSSEC Practice Statement (DPS)

DNSSEC Practice Statement (DPS) DNSSEC Practice Statement (DPS) 1. Introduction This document, "DNSSEC Practice Statement ( the DPS ) for the zones under management of Zodiac Registry Limited, states ideas of policies and practices with

More information

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION Transaction Signatures (TSIG) provide a secure method for communicating in the Domain Name System (DNS) from a primary to a secondary

More information

DNS SECURITY TROUBLESHOOTING GUIDE

DNS SECURITY TROUBLESHOOTING GUIDE DNS SECURITY TROUBLESHOOTING GUIDE INTERNET DEPLOYMENT OF DNS SECURITY 27 November 2006 Table of Contents 1. INTRODUCTION...3 2. DNS SECURITY SPECIFIC FAILURE MODES...3 2.1 SIGNATURES...3 2.1.1 Signature

More information

Defending against DNS reflection amplification attacks

Defending against DNS reflection amplification attacks University of Amsterdam System & Network Engineering RP1 Defending against DNS reflection amplification attacks February 14, 2013 Authors: Thijs Rozekrans Javy de Koning

More information