DNS/DNSSEC loose ends



Similar documents
DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

Some advanced topics. Karst Koymans. Friday, September 11, 2015

DNS Conformance Test Specification For Client

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

DNS at NLnet Labs. Matthijs Mekking

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

1 DNS Packet Structure

Domain Name System (DNS) Fundamentals

DNSSEC Applying cryptography to the Domain Name System

Clear and Present Danger Increase in Number of DNS AAAA Queries

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

The Domain Name System

My Services Online Service Support. User Guide for DNS and NTP services

THE DOMAIN NAME SYSTEM DNS

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

How to Configure the Windows DNS Server

Networking Domain Name System

dnsperf DNS Performance Tool Manual

Internet-Praktikum I Lab 3: DNS

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

The Domain Name System from a security point of view

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Section 1 Overview Section 2 Home... 5

Subverting BIND s SRTT algorithm Derandomizing NS selection

DNS Session 4: Delegation and reverse DNS. Joe Abley AfNOG 2006 workshop

Internetworking with TCP/IP Unit 10. Domain Name System

DNS (Domain Name System) IETF-70 (DNS for protocol designers)

How to Add Domains and DNS Records

DNS Domain Name System

Copyright

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

Introduction BIND. The DNS Protocol. History (1) DNS. History (2) Agenda

Application Protocols in the TCP/IP Reference Model

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

The Domain Name System

Understanding DNS (the Domain Name System)

KB Windows 2000 DNS Event Messages 1 Through 1614

Networking Domain Name System

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System

IPv6 support in the DNS

Hostnames. HOSTS.TXT was a bottleneck. Once there was HOSTS.TXT. CSCE515 Computer Network Programming. Hierarchical Organization of DNS

Reverse DNS considerations for IPv6

How do I get to

DNS. Computer Networks. Seminar 12

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

Bulk DNS Update CSV File

Naming. Name Service. Why Name Services? Mappings. and related concepts

API of DNS hosting. For DNS-master and Secondary services Table of contents

Rough Outline. Introduction Why DNSSEC DNSSEC Theory Famous last words. Universiteit van Amsterdam, Sep 2006.

Teldat Router. DNS Client

Analysis of Algorithms I: Binary Search Trees

Operational Problems in IPv6: Fallback and DNS issues

Networking Domain Name System

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Network Working Group. Category: Standards Track October 2006

Use Domain Name System and IP Version 6

SIDN Server Measurements

Talk-101 User Guide. DNSGate

IPv6 and DNS. Secure64

DNS and DHCP. 14 October 2008 University of Reading

Introduction to DNS CHAPTER 5. In This Chapter

Protection of DNS using HAVAL

Configuring DNS. Finding Feature Information

CDN SERVICE ICSS ROUTE MANAGED DNS DEUTSCHE TELEKOM AG INTERNATIONAL CARRIER SALES AND SOLUTIONS (ICSS)

DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

Conexim DNS Administrator s Guide

The Domain Name System

Understand Names Resolution

Ólafur Guðmundsson. Peter Koch. Shinkuro, Inc. DENIC eg. DNS IETF-80 ogud@ogud.com & pk@denic.de

The Use of DNS Resource Records

3. The Domain Name Service

Forouzan: Chapter 17. Domain Name System (DNS)

IPv6 and DNS. Secure64

Computer Networks: Domain Name System

DNS ActiveX Control for Microsoft Windows. Copyright Magneto Software All rights reserved

Computer Networks - CS132/EECS148 - Spring

APNIC elearning: Reverse DNS for IPv4 and IPv6

HTG XROADS NETWORKS. Network Appliance How To Guide: DNS Delegation. How To Guide

The Domain Name System (DNS)

Motivation. Users can t remember IP addresses. Implemented by library functions & servers. - Need to map symbolic names (

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Domain Name System

DNSSEC in your workflow

Configuring an External Domain

Advanced DNS Course. Module 4. DNS Load Balancing

Domain Name System (DNS) Security By Diane Davidowicz 1999 Diane Davidowicz

Multicast DNS in Wireless Ad-hoc Networks of. Low-resource Devices

what s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference

Transcription:

DNS/DNSSEC loose ends Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Friday, September 21, 2012 Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 1 / 48

1 Encoding of domain names 2 Wildcards in DNS 3 Denial of existence Ignoring wildcards Including wildcard processing Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 2 / 48

Encoding of domain names Outline 1 Encoding of domain names 2 Wildcards in DNS 3 Denial of existence Ignoring wildcards Including wildcard processing Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 3 / 48

Encoding of domain names Composition of domain names Domain name is a sequence of labels Start at leaf 1 www 2 os3 3 nl Start at root 1 nl 2 os3 3 www DNS starts at leaf (least signicant label) Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 4 / 48

Encoding of domain names Encoding of domain names 1 Use a delimiter to seperate labels <label> <delimiter> <label> www. os3. nl. 2 Specify length of labels in label encoding <label> <label> {3,www} {3,os3} {2,nl} {0,} 3 DNS uses latter way of encoding Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 5 / 48

Encoding of domain names Normal label length encoding First byte used for length First 2 bits are ags 00 means normal label length Remaining 6 specify label length Hence the maximum label length of 2 6 1 = 63 octets Remaining bytes contain the label itself Number of remaining bytes is encoded in rst byte of label Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 6 / 48

Encoding of domain names Normal label length encoding Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 7 / 48

Encoding of domain names Normal label length encoding Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 8 / 48

Encoding of domain names Compressed encoding Domain name with compressed encoding has xed length of 2 bytes First 2 bits are ags 11 means compressed label Remaining 6 bits + 8 subsequent bits are used as pointer Points to label at other position in packet Value is oset from beginning of packet Saves space when a domain name is used more than once Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 9 / 48

Encoding of domain names Compressed encoding Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 10 / 48

Encoding of domain names Compressed encoding Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 11 / 48

Encoding of domain names Reading domain names Read rst 2 bits of domain name eld: If values is 00 (normal label length): 1 If label length is 0 (empty label, thus root): Return sequence of noted labels as domain name 2 Read 6 subsequent bits and determine length of label 3 Read rst 2 bits of next byte and iterate If value is 11 (compressed encoding): 1 Read 14 subsequent bits and determine position of domain name 2 Jump to position and decode domain name Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 12 / 48

Encoding of domain names One more type: extended First byte value: 01000001 First two bits are 01 Denes the use of EDSN0 Can be used for binary labels IPv6 PTR resource records Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 13 / 48

Wildcards in DNS Outline 1 Encoding of domain names 2 Wildcards in DNS 3 Denial of existence Ignoring wildcards Including wildcard processing Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 14 / 48

Wildcards in DNS Wildcards according to RFC 1034 From RFC 1034, section 4.3.3 The contents of the wildcard RRs follows the usual rules and formats for RRs. The wildcards in the zone have an owner name that controls the query names they will match. The owner name of the wildcard RRs is of the form "*.<anydomain>", where <anydomain> is any domain name. <anydomain> should not contain other * labels, and should be in the authoritative data of the zone. The wildcards potentially apply to descendants of <anydomain>, but not to <anydomain> itself. Another way to look at this is that the "*" label always matches at least one whole label and sometimes more, but always whole labels. Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 15 / 48

Wildcards in DNS Wildcards according to RFC 1034 From RFC 1034, section 4.3.3 Wildcard RRs do not apply: When the query is in another zone. That is, delegation cancels the wildcard defaults. When the query name or a name between the wildcard domain and the query name is known to exist. For example, if a wildcard RR has an owner name of "*.X", and the zone also contains RRs attached to B.X, the wildcards would apply to queries for name Z.X (presuming there is no explicit information for Z.X), but not to B.X, A.B.X, or X. Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 16 / 48

Wildcards in DNS Problems with wildcards in RFC 1034 Notions are intuitive, not well-dened When does a domain name exist? How does matching work exactly? What about empty non-terminals? RFC 4592 tries to clarify all of this Denes existence of a domain name Denes asterisk label and wildcard domain name Denes source of synthesis and closest encloser Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 17 / 48

Wildcards in DNS Wildcard supporting denitions Denitions A domain name exists if itself or any of its descendants has at least one RR In particular empty non-terminals exist An asterisk label is a label of length 1 containing as only octet the ASCII equivalent of * A wildcard domain name is a domain name with an asterisk label as its leftmost label The closest encloser of a query name is the longest matching ancestor that exists The source of synthesis of a query name is the domain name *.<closest encloser> (if it exists) Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 18 / 48

Wildcards in DNS RFC 4592 example $ORIGIN example. example. 3600 IN SOA <SOA RDATA> example. 3600 NS ns.example.com. example. 3600 NS ns.example.net. *.example. 3600 TXT "this is a wildcard" *.example. 3600 MX 10 host1.example. sub.*.example. 3600 TXT "... not a wildcard" host1.example. 3600 A 192.0.2.1 _ssh..host1.example. 3600 SRV <SRV RDATA> _ssh..host2.example. 3600 SRV <SRV RDATA> subdel.example. 3600 NS ns.example.com. subdel.example. 3600 NS ns.example.net. Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 19 / 48

Wildcards in DNS RFC 4592 example tree example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 20 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host3.example. MX example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 21 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host3.example. MX yes non-empty example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 22 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result foo.bar.example. TXT example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 23 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result foo.bar.example. TXT yes non-empty example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 24 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host1.example. MX example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 25 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host1.example. MX no empty example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 26 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host3.example. A example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 27 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host3.example. A yes empty example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 28 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result sub.*.example. MX example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 29 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result sub.*.example. MX no empty example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 30 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result _telnet..host1.example. SRV example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 31 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result _telnet..host1.example. SRV no no such domain example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 32 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host.subdel.example. A example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 33 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host.subdel.example. A no referral example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 34 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result ghost.*.example. MX example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 35 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result ghost.*.example. MX no no such domain example SOA, NS * TXT, MX host1 A host2 subdel NS sub TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 36 / 48

Wildcards in DNS RFC 4592 example queries QNAME QTYPE synthesized? result host3.example. MX yes non-empty host3.example. A yes empty foo.bar.example. TXT yes non-empty host1.example. MX no empty sub.*.example. MX no empty _telnet..host1.example. SRV no no such domain host.subdel.example. A no referral ghost.*.example. MX no no such domain Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 37 / 48

Denial of existence Outline 1 Encoding of domain names 2 Wildcards in DNS 3 Denial of existence Ignoring wildcards Including wildcard processing Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 38 / 48

Denial of existence Ignoring wildcards Outline 1 Encoding of domain names 2 Wildcards in DNS 3 Denial of existence Ignoring wildcards Including wildcard processing Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 39 / 48

Denial of existence Ignoring wildcards Example zone 0 apex SOA, NS 1 data empty TXT nxdomain 4 wildcard TXT * 3 data TXT 5 * the TXT 2 leaf TXT matches Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 40 / 48

Denial of existence Ignoring wildcards Proving Nodata with matching NSEC record Nodata means No Error, but also no data So some QTYPE's have data, but the queried QTYPE has not The NSEC record at the owner contains a bitmap for existing types Given the query data.apex A Consider the NSEC record data.apex NSEC leaf.*.empty.apex TXT Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 41 / 48

Denial of existence Ignoring wildcards Proving Nodata for empty non-terminals An empty non-terminal implies No Error, but also no data But now no QTYPE's at all have data There is no NSEC record for the empty non-terminal The empty non-terminal is covered (skipped) by some NSEC record Given the query empty.apex A Consider the NSEC record data.apex NSEC leaf.*.empty.apex TXT Server should include this NSEC record in the answer Client should verify this NSEC record is the right one Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 42 / 48

Denial of existence Ignoring wildcards Proving NXDOMAIN (Name Error or No such domain) There is no NSEC record for the non-existing domain name The non-existing domain name is covered by some NSEC record Given the query nxdomain.apex A Consider the NSEC record data.empty.apex NSEC wildcard.apex TXT Server should include this NSEC record in the answer Client should verify this NSEC record is the right one What is the dierence with the previous case? Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 43 / 48

Denial of existence Including wildcard processing Outline 1 Encoding of domain names 2 Wildcards in DNS 3 Denial of existence Ignoring wildcards Including wildcard processing Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 44 / 48

Denial of existence Including wildcard processing NSEC records in the (positive) answer case If a domain name is synthesized from a wildcard record we also need proof that this has been done correctly The next closer is the last (non-existing) domain name on the path to the closest encloser The next closer domain name is covered by some NSEC record Given the query matches.the.wildcard.apex TXT Consider the NSEC record *.wildcard.apex NSEC apex TXT Server should include this NSEC record in the answer Client should verify this NSEC record is the right one Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 45 / 48

Denial of existence Including wildcard processing Proving Nodata for wildcard expansions This is a combination of previous cases Use the NSEC type bitmap to prove queried QTYPE is not available Use a covering NSEC RR for the next closer domain name Given the query matches.the.wildcard.apex A Consider the NSEC record *.wildcard.apex NSEC apex TXT This sole NSEC record works for both requirements above Server includes and client veries this NSEC record What if the wildcard happens to be an empty non-terminal? Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 46 / 48

Denial of existence Including wildcard processing Proving NXDOMAIN revisited Find the NSEC record that covers the next closer domain name Moreover nd the NSEC record that covers the (non-existing) source of synthesis Given the query nxdomain.apex A Consider the NSEC record data.empty.apex NSEC wildcard.apex TXT And also the NSEC record apex NSEC data.apex SOA NS Server includes and client veries these NSEC records Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 47 / 48

Denial of existence Including wildcard processing NSEC3 records NSEC3 also creates a (circular) chain, but uses hashes of the original domain names as labels for the owner domain names of the NSEC3 records also hashes empty non-terminals orders the hashes instead of the original domain names uses the NSEC3PARAM type to specify hashing parameters and indicate the use of NSEC3 instead of NSEC denes the Opt-Out ag to exclude insecure delegations from the chain Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012 48 / 48

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information