Presentation is loading. Please wait.

Presentation is loading. Please wait.

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with.

Published byKathlyn Sharp Modified over 8 years ago

Similar presentations

Presentation on theme: "Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with."— Presentation transcript:

1 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with Jakob Schlyter [2] with Johan Ihren and Roy Arends

2 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 2 Key Signing Key (KSK) Flag draft-ietf-dnsext-keyrr-key-signing-flag-03 with Jakob Schlyter

3 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 3 The Gist Operational need to distinguish between key- singing keys and zone-signing keys. Not used in the protocol and verification process but useful for troubleshooting and key exchanges. Use the 15th bit so that the parity determines the ‘role’ of the key, that’s for us… humans.

4 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 4 Example Before: net 300 IN KEY 256 3 5 Ox1tVxw+j... 300 IN KEY 256 3 5 OTxq2ce5J... After: net 300 IN KEY 256 3 5 Ox1tVxw+j... 300 IN KEY 257 3 5 OTxq2ce5J... KSK

5 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 5 What’s next Final update and last call?

6 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 6 DNSSEC Wildcard Optimization draft-olaf-dnsext-dnssec-wildcard-optimization-01 with Johan Ihren and Roy Arends

7 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 7 Background –Assumption: One needs proof for non-existence of a wildcards. –The proof is to be supplied in the common case where there is no wildcard in a zone. –That proof is complicated and somewhat expensive in terms of computational resources and packet size. –Is there a way to signal that there is no wildcard in a zone?

8 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 8 Very common case Root will need to proof that *. does not exist. As an aside: –Some people love the idea of a wildcard at the root

9 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 9 The proposal Use a bit in the NXT RRs type bitmap to signal non-existence of wildcards The meaning: There is no wildcard expansion possible of any name in the zone’s namespace spanned by a NXT RR. Simplest algorithm to set the bit: –Turn it on on all NXT RRs in the zone if there are no wildcards in the zone –Turn it of on all NXT RRs in the zone if there is any wildcard in the zone

10 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 10 Server side If the NXT RR proving the non-existence of an exact match has the bit set then no further NXT RRs are needed. If the bit is not set on that NXT RR a full denial of existence needs to be served.

11 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 11 Resolvers Side When bit is set on the NXT RR proving the denial of existence of the QNAME, no further proof is needed; Full RFC2535 type proof of non existence is to be expected and processed if the bit is not set.

12 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 12 Pros and Cons Pro: Shortcut to a simple and fast code path for server and resolver in the case there are no wildcards. Smaller footprint on the wire and in caches. Con: Although bypassed in the ‘common case; the complicated verification code is still needed. Special meaning of type bitmap bit: –RR type code without RR. –Backwards incompatible (needs to piggyback on DS flag date)

13 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 13 Current version of doc. The suggested algorithm for setting the bit contains an error –Details will be posted to namedroppers Clarifications are needed

14 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 14 What’s next Update the draft Does the working group think this is a sane path. General comment: DNSSEC protocol specs need to describe algorithm for denial of authentication of wildcards –If not, resolver implementers will do it wrong. –No need for more than 2 NXT RRs? (Give me an example that needs more.)

15 Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. http://www.ripe.net/disi/ 15 Questions??? http://www.ripe.net/disi olaf@ripe.net

Download ppt "Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with."

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March 7 2002.

Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
RSVP Cryptographic Authentication ...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.

RSVP Cryptographic Authentication "...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.

Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
Time Domain Interest Group. Simple Time Series Note posted to IVOA in Madrid –

Time Domain Interest Group. Simple Time Series Note posted to IVOA in Madrid –
DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC Ólafur Guðmundsson

DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC Ólafur Guðmundsson
IETF 68, MPLS WG, Prague P2MP MPLS-TE Fast Reroute with P2MP Bypass Tunnels draft-leroux-mpls-p2mp-te-bypass-01.txt J.L. Le Roux (France Telecom) R. Aggarwal.

IETF 68, MPLS WG, Prague P2MP MPLS-TE Fast Reroute with P2MP Bypass Tunnels draft-leroux-mpls-p2mp-te-bypass-01.txt J.L. Le Roux (France Telecom) R. Aggarwal.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Similar presentations

Ads by Google