Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

Published byDale Reed Modified over 8 years ago

Similar presentations

Presentation on theme: "DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren."— Presentation transcript:

1 DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren

2 SIDN Labs 2 office o SIDN’s R&D team o SIDN =.nl registry (Netherlands) o 5.3M domain names, 1.600 registrars o Largest DNSSEC zone in the world (1.5M signed)

3 Motivation 3 o Overheard: “Does anyone know a public zone with a wildcard record, using opt-out, signed by ldns, served on BIND 9?” o Answer: “Oh yeah, there’s one on that server, I think. Perhaps. Well at least there was one last year. I think. Maybe. I don’t know.” o Need for a one-stop-shop for name server testing that is well-managed and supports multiple implementations

4 Enter the DNS Workbench 4

5 Overview 5 Documentation

6 Added Value o One-stop-shop and easy-to-use service for name server testing, supporting many RR types o Well-documented set of zones, consistently available across multiple name server implementations o DNS developers: interoperability testing, discovering and reporting bugs in name server software o DNS operators: workbench as a reference point for production servers (compare responses) 6

7 Support for many RR Types 7

8 Current Setup o 3 ‘categories’ of data o RRTypes under types.wb.sidnlabs.nl o DNSSEC errors under bad-dnssec.wb.sidnlabs.nl o All zones transferable with and without TSIG o 6 implementations o NSD 3.2 o BIND 10 1.1 o Knot 1.2 o PowerDNS 3.0 o BIND 9.9 o NSD 4 beta 8

9 Some Example Uses o Query directly: o Use nsd.sidnlabs.nl as the primary for your secondary: 9 dig +dnssec –t MINFO minfo.types-signed.wb.sidnlabs.nl @knot.sidnlabs.nl zone: name: “types.wb.sidnlabs.nl” request-xfr: 94.198.152.169 NOKEY zone: name: “types.wb.sidnlabs.nl” request-xfr: 94.198.152.169 NOKEY

10 Some Example Uses o Check DNSSEC validator, should result in data: o Check DNSSEC validator, should result in SERVFAIL: 10 dig ok.ok.bad-dnssec.wb.sidnlabs.nl dig bogussig.ok.bad-dnssec.wb.sidnlabs.nl dig ok.sigexpired.bad-dnssec.wb.sidnlabs.nl dig ok.nods.ok.bad-dnssec.wb.sidnlabs.nl dig bogussig.ok.bad-dnssec.wb.sidnlabs.nl dig ok.sigexpired.bad-dnssec.wb.sidnlabs.nl dig ok.nods.ok.bad-dnssec.wb.sidnlabs.nl

11 Challenge: Complexity 11 Approach: start small and let grow

12 Growth Path o Started with 4 servers, now 6 o Started with 2 zones o Added TSIG options o Added ‘bad dnssec’ tree o ok No error o bogussig The RRSIG record contains bogus signature data o nods The DS record is missing at the parent o sigexpired The RRSIG record has an expiration date in the past o signotincepted The RRSIG record has an inception date in the future o unknownalgorithm The RRSIG is signed correctly (with a known algorithm), but has the algorithm field set to another value. 12

13 Growth Path o Additional servers o Yadifa o ANS? o Add more zones o Different signers and parameters o ‘Delegation’ corner cases o Other corner cases (wildcards, big rrsets) 13

14 Experimental Service -> Feedback Wanted! o Other testables: what else might be useful to add to the workbench? o Did the workbench help you as a developer or operator? Let us know when and how! o Current “score” o Fixed handling of uncommon RR types o Tested recent TSIG issue 14

15 15 Questions? Jelte Jansen Research Engineer jelte.jansen@sidn.nl @twitjeb workbench.sidnlabs.nl

Download ppt "DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.

School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.

Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April 18 2012.

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
Tony Kombol ITIS 3110. www.teacherstalk.com Who knows this? Who controls this? DNS!

Tony Kombol ITIS Who knows this? Who controls this? DNS!
Identity Management and DNS Services Tianyi XING.

Identity Management and DNS Services Tianyi XING.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi

Similar presentations

Ads by Google