Why SLD Blocking Misses the Point Burt Kaliski, Verisign gTLD Collisions Workshop October 29, 2013.


1 Why SLD Blocking Misses the Point Burt Kaliski, Verisign gTLD Collisions Workshop October 29, 2013

2 Name Collision Problem for DNS Queries
[Diagram: Installed System sends ….SLD.TLD to Global DNS without TLD; NXDOMAIN expected]
See Verisign Labs’ technical reports New gTLD Security and Stability Considerations and New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis for further information.

3 Name Collision Problem for DNS Queries
[Diagram: Installed System sends ….SLD.TLD to Global DNS with TLD; resource record received (if SLD delegated)]
Internally Generated Query collides with Externally Assigned Name
Potential Risks: Installed System Breaks; Internal Information Leaks (beyond root); Cyberattacks Exploit Collision

4 Mitigating Name Collisions: General Approaches
[Diagram: Installed System sends ….SLD.TLD to Global DNS with TLD; resource record received (if SLD delegated)]
Internally Generated Query collides with Externally Assigned Name
Potential Risks: Installed System Breaks; Internal Information Leaks (beyond root); Cyberattacks Exploit Collision
(1) Remediate Installed System
(2) Constrain Global DNS
(3) Hybrid of Both

5 How to Constrain the Global DNS?
If we knew how all the installed systems used the global DNS …
If we knew all the queries they might make …
If we knew all the SLDs they might use ...

6 How Long Does It Take to Learn All the SLDs?
A- and J-root data for 96-day period from July 16 to October 19, 2013. (Excludes non-LDH, “Chrome 10” strings.)
Still growing after 90+ days …
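The measurement behind slide 6 can be reproduced on any root or resolver query log. The sketch below is an added example, not code from the presentation: it counts the distinct LDH second-level labels seen under a TLD by the end of each day, then lists the SLDs that a block list frozen at a cutoff date would miss. The log format, the TLD `newtld` and all sample names are constructed, and the "Chrome 10" string filter mentioned on the slide is not implemented.

```python
import re

# LDH label: letters, digits, hyphen; no leading or trailing hyphen.
LDH = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample query log, "date qname", sorted by date (not real data).
SAMPLE_LOG = """\
2013-07-16 www.intranet.newtld.
2013-07-16 mail.intranet.newtld.
2013-07-16 fileserver.hq.newtld.
2013-07-17 wpad.hq.newtld.
2013-07-17 printer_1.newtld.
2013-07-17 ldap.branch-07.newtld.
2013-07-18 db.intranet.newtld.
2013-07-18 build.lab.newtld.
2013-07-19 vpn.newsite.newtld.
2013-07-19 www.example.com.
"""

def sld_of(qname, tld):
    """Return the LDH second-level label of qname under tld, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    sld = labels[-2]
    return sld if LDH.match(sld) else None

def parse(log, tld):
    """Yield (date, sld) for every query under tld with an LDH SLD."""
    for line in log.splitlines():
        date, qname = line.split()
        sld = sld_of(qname, tld)
        if sld:
            yield date, sld

def growth(log, tld):
    """Cumulative count of distinct SLDs seen by the end of each day."""
    seen, curve = set(), {}
    for date, sld in parse(log, tld):
        seen.add(sld)
        curve[date] = len(seen)
    return curve

def missed(log, tld, cutoff):
    """SLDs queried after cutoff that a block list built up to cutoff lacks."""
    rows = list(parse(log, tld))
    blocked = {s for d, s in rows if d <= cutoff}
    return sorted({s for d, s in rows if d > cutoff} - blocked)
```

A `growth` curve that is still rising at the end of the sample window means `missed` will be non-empty for any cutoff inside it, which is the situation the slide describes after 90+ days.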

7 Does It Even Matter?
SLD ≠ Risk
Query = Risk in context of installed system, application, protocol
Qualitative Analysis; minimize false negatives & positives; solve problem

8 What If It’s Not Enough?
If SLD blocking for a gTLD leaves too much risk, how do we back out?
Expedited approval process needs an expedited rollback process

9 For Further Reading
New gTLD Security and Stability Considerations. Verisign Labs Technical Report #1130007. Version 2.2, March 28, 2013.
New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis. Verisign Labs Technical Report #1130008. Version 1.1, August 27, 2013.
Danny McPherson. Part 1 of 5; Introduction: New gTLD Security and Stability Considerations. Between the Dots, Verisign, May 9, 2013.
Danny McPherson. New gTLD SSR-2: Exploratory Consumer Impact Analysis. Between the Dots, Verisign, August 6, 2013.
Danny McPherson. New gTLD Queries at the Root & Heisenberg’s Uncertainty Principle. Between the Dots, Verisign, August 27, 2013.
Patrick S. Kane, Thomas C. Indelicarto and Danny McPherson. Re: ICANN’s Proposal to Mitigate Name Collision Risks – .CBA Case Study. September 15, 2013.
Patrick S. Kane. Letter to Vernita D. Harris re: Joint Test Summary Report, RZM 2.0. May 30, 2013.

10 Thank You © 2013 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

