DNS Workbench Update. DNS-OARC Workshop, Phoenix, Arizona, USA, Sat Oct 5, 2013. Jelte Jansen, Antoin Verschuren.

Presentation transcript:


SIDN Labs
o SIDN’s R&D team
o SIDN = .nl registry (Netherlands)
o 5.3M domain names, registrars
o Largest DNSSEC zone in the world (1.5M signed)

Motivation
o Overheard: “Does anyone know a public zone with a wildcard record, using opt-out, signed by ldns, served on BIND 9?”
o Answer: “Oh yeah, there’s one on that server, I think. Perhaps. Well at least there was one last year. I think. Maybe. I don’t know.”
o Need for a one-stop-shop for name server testing that is well-managed and supports multiple implementations

Enter the DNS Workbench

Overview
Documentation

Added Value
o One-stop-shop and easy-to-use service for name server testing, supporting many RR types
o Well-documented set of zones, consistently available across multiple name server implementations
o DNS developers: interoperability testing, discovering and reporting bugs in name server software
o DNS operators: workbench as a reference point for production servers (compare responses)

Support for many RR Types

Current Setup
o 3 ‘categories’ of data
   o RRTypes under types.wb.sidnlabs.nl
   o DNSSEC errors under bad-dnssec.wb.sidnlabs.nl
o All zones transferable with and without TSIG
o 6 implementations
   o NSD 3.2
   o BIND
   o Knot 1.2
   o PowerDNS 3.0
   o BIND 9.9
   o NSD 4 beta

Some Example Uses
o Query directly:
      dig +dnssec -t MINFO
o Use nsd.sidnlabs.nl as the primary for your secondary:
      zone:
          name: "types.wb.sidnlabs.nl"
          request-xfr: NOKEY

Some Example Uses
o Check DNSSEC validator, should result in data:
      dig ok.ok.bad-dnssec.wb.sidnlabs.nl
o Check DNSSEC validator, should result in SERVFAIL:
      dig bogussig.ok.bad-dnssec.wb.sidnlabs.nl
      dig ok.sigexpired.bad-dnssec.wb.sidnlabs.nl
      dig ok.nods.ok.bad-dnssec.wb.sidnlabs.nl
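The validator check above can be scripted. The following is an added example, not part of the original slides: it grades dig output against the results the slide expects for its four test names. The sample header lines are constructed and the RESOLVER variable in the live-use comment is an assumption.

```shell
#!/bin/sh
# Added example: grade a resolver against the workbench names on the slide.
# Expected results are the slide's: one name resolves, three must SERVFAIL.

EXPECTED='ok.ok.bad-dnssec.wb.sidnlabs.nl NOERROR
bogussig.ok.bad-dnssec.wb.sidnlabs.nl SERVFAIL
ok.sigexpired.bad-dnssec.wb.sidnlabs.nl SERVFAIL
ok.nods.ok.bad-dnssec.wb.sidnlabs.nl SERVFAIL'

# Extract the RCODE from dig's "->>HEADER<<-" line (dig output on stdin).
rcode_of() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Look up what the slide says this name should return.
expected_for() {
    printf '%s\n' "$EXPECTED" | awk -v n="$1" '$1 == n { print $2 }'
}

# grade NAME DIG_OUTPUT -> prints "PASS", or "FAIL ..." with the reason.
grade() {
    want=$(expected_for "$1")
    got=$(printf '%s\n' "$2" | rcode_of)
    [ -n "$want" ] || { echo "FAIL unknown test name"; return 0; }
    if [ "$got" = "$want" ]; then echo "PASS"
    elif [ "$want" = SERVFAIL ] && [ "$got" = NOERROR ]; then
        echo "FAIL resolver returned data for a broken zone (not validating?)"
    else echo "FAIL expected $want, got ${got:-no header}"; fi
}

# Live use (needs network; RESOLVER is an assumption, not from the slides):
#   for n in $(printf '%s\n' "$EXPECTED" | awk '{ print $1 }'); do
#       echo "$n: $(grade "$n" "$(dig @"$RESOLVER" "$n")")"
#   done

# Constructed dig header lines, standing in for real resolver output.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243'

grade ok.ok.bad-dnssec.wb.sidnlabs.nl "$SAMPLE_OK"        # validating or not
grade bogussig.ok.bad-dnssec.wb.sidnlabs.nl "$SAMPLE_OK"  # non-validating
```

SERVFAIL can also come from an unrelated resolution failure. Repeating a failing query with `dig +cd` (checking disabled) and getting data back confirms that validation was the cause.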

Challenge: Complexity
Approach: start small and let grow

Growth Path
o Started with 4 servers, now 6
o Started with 2 zones
o Added TSIG options
o Added ‘bad dnssec’ tree
   o ok: No error
   o bogussig: The RRSIG record contains bogus signature data
   o nods: The DS record is missing at the parent
   o sigexpired: The RRSIG record has an expiration date in the past
   o signotincepted: The RRSIG record has an inception date in the future
   o unknownalgorithm: The RRSIG is signed correctly (with a known algorithm), but has the algorithm field set to another value.

Growth Path
o Additional servers
   o Yadifa
   o ANS?
o Add more zones
   o Different signers and parameters
   o ‘Delegation’ corner cases
   o Other corner cases (wildcards, big rrsets)

Experimental Service -> Feedback Wanted!
o Other testables: what else might be useful to add to the workbench?
o Did the workbench help you as a developer or operator? Let us know when and how!
o Current “score”
   o Fixed handling of uncommon RR types
   o Tested recent TSIG issue

Questions?
Jelte Jansen Research
workbench.sidnlabs.nl