Presentation is loading. Please wait.

Presentation is loading. Please wait.

“DNS Flag day” A tale of five ccTLDs Hugo Salgado, .CL

Published byAlannah Blankenship Modified over 5 years ago

Similar presentations

Presentation on theme: "“DNS Flag day” A tale of five ccTLDs Hugo Salgado, .CL"— Presentation transcript:

1 “DNS Flag day” A tale of five ccTLDs Hugo Salgado, .CL
Sebastián Castro, .NZ DNS-OARC 29, Amsterdam

2 What is EDNS? RFC 6891 Defines a backward compatible mechanism to signal support for new DNS options Original specification includes support for DNS responses larger than 512 bytes, extended response codes, etc.

3 How is it used? Current extensions:
NSID -- RFC 5001, nameserver identification string DNSSEC -- DO bit, signals supports or interest for DNSSEC-related records Client-subnet, RFC 7871, signals the network the query comes from Keep-alive, RFC 7828, variable timeouts for DNS over TCP Cookies, IETF Draft, lightweight security mechanism and more to come

4 So, what’s the problem? Authoritative DNS servers block responses, or don’t answer, or answer with the wrong packet. In general, bad implementations of DNS not following the standards Poorly implemented firewalls on the way, poor firewall rules blocking valid traffic or unaware of the standards Resolvers have to send a query, wait for a timeout and retry using a different method: TCP or discard EDNS Forces delays and thwarts innovation and deployment of new features

5 What’s DNS Flag day? DNS implementations decided to remove workarounds in a coordinated way BIND, Unbound, PowerDNS and Knot will release new versions with the workarounds removed Feel the pain If you run inadequate software, your domains will break

6 How many domains could be affected?
Coordinated effort to measure impact in .CL, .CZ, .SE, .NU and .NZ Many thanks to Petr Špaček from CZ.NIC for the Compliance Scanner, the .CZ, .SE and .NU data and the feedback Comparison against existing measures from ISC around root servers and TLDs nameservers

7 Measurement methodology
“DNS Compliance Testing” tool written by ISC Only check for EDNS compliance at this stage “EDNS Compliance scanner for DNS zones” from CZ.NIC: Uniquely test all addresses of a nameserver Preprocess a TLD zone and generate the minimal set of nameserver tests Test multiple times to discard transient errors

8 Test hierarchy Different values and flags are added to the query
There are dependencies, increasing the complexity of the test edns1opt requires edns1 and endsopt=100 to pass

9 General statistics

10 DNS test results dig +noedns +noad +norec SOA <ZONE>
ok: We got a good answer nosoa: Response didn’t have SOA record noaa: no AA bit in response

11 DNS vs EDNS DNS: dig +noedns +noad +norec SOA <zone>
EDNS: dig +edns=0 +nocookie +noad +norec SOA <zone>

12 EDNS0 vs EDNS1 EDNS0: dig +edns=0 +nocookie +noad +norec SOA <zone> EDNS1: dig +edns=1 +noednsneg +nocookie +noad +norec SOA <zone>

13 EDNS vs DO EDNS: dig +edns=0 +nocookie +noad +norec SOA <zone>
DO: dig +edns=0 +nocookie +noad +norec +dnssec SOA <zone>

14 EDNS vs OPTLIST EDNS: dig +edns=0 +nocookie +noad +norec SOA <zone> OPTLIST: dig +edns=0 +noad +norec +nsid +subnet= /0 +expire +cookie= SOA <zone> Esta prueba es truculenta, pues envia 4 opciones, y cuenta individualmente si las pruebas vuelven. Una respuesta OK no basta en este caso, todas deberian retornar “nsid”, “subnet”, “expire” y “cookie+badcookie” porque la cookie enviada parece que estuviera incorrecta!

15 IPv4 vs IPv6 Is the behaviour of a given nameserver different depending on which address family was queried? Are they differences between IPv4 and IPv6 We can explore the tests that passed against the family of the address.

16 IPv4 vs IPv6 DNS and EDNS tests finish more successfully in IPv6 than IPv4! EDNS1 and OPTLIST complete a lot more in IPv4 than IPv6!

17 How the results change with time?
First data point is from May to July depending on the ccTLD Last data point is from October. CZ is seeing the improvements of their communication campaign.

18 How can I correct the errors?
Use a modern implementation of DNS software Use software that follows the standards Fix your firewall rules, especially around DPI of DNS traffic Re-test

19 Future work We plan to continue the collection monthly to identify trends Communication campaign to reduce the number of errors. We encourage other namespace operators (ccTLDs) to check their domains Watch the world burn on February 1st 2019

20 Questions https://dnsflagday.net Hugo Salgado, hsalgado@nic.cl
Sebastián Castro,

Download ppt "“DNS Flag day” A tale of five ccTLDs Hugo Salgado, .CL"

Similar presentations

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.
A Study of DNS Lameness Edward Lewis. July 14, 2002 IETF 54 Slide 2 Agenda Lameness Why (Surprise:) Spotty(?) results Approach Plans.

A Study of DNS Lameness Edward Lewis. July 14, 2002 IETF 54 Slide 2 Agenda Lameness Why (Surprise:) Spotty(?) results Approach Plans.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
CS 6401 IPv6 Outline Background Structure Deployment.

CS 6401 IPv6 Outline Background Structure Deployment.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
Krakow Workshop Extra Exercises IPv6 workshop Krakow May 2012 Carlos Friaças, FCCN Luc De Ghein, CISCO

Krakow Workshop Extra Exercises IPv6 workshop Krakow May 2012 Carlos Friaças, FCCN Luc De Ghein, CISCO
Geoff Huston APNIC Labs

Geoff Huston APNIC Labs
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
Happy Eyeballs for the DNS Geoff Huston, George Michaelson APNIC Labs October 2015.

Happy Eyeballs for the DNS Geoff Huston, George Michaelson APNIC Labs October 2015.
Publishing zone scan data using an open data portal Sebastian Castro OARC Workshop Montreal – Oct 2015.

Publishing zone scan data using an open data portal Sebastian Castro OARC Workshop Montreal – Oct 2015.
Ch 6: DNSSEC and Beyond Updated 4-28-15. DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
GHOST 2.0: What you need to know about the glibc getaddrinfo vulnerability (CVE 2015-7547) Johannes B. Ullrich, Ph.D, SANS https://isc.sans.edu.

GHOST 2.0: What you need to know about the glibc getaddrinfo vulnerability (CVE ) Johannes B. Ullrich, Ph.D, SANS
1 Review – The Internet’s Protocol Architecture. Protocols, Internetworking & the Internet 2 Introduction Internet standards Internet standards Layered.

1 Review – The Internet’s Protocol Architecture. Protocols, Internetworking & the Internet 2 Introduction Internet standards Internet standards Layered.
&. & DNS and IPv6 IPv6 Summit, Canberra 31st October & 1 st November 2005 Chris Wright, Chief Technology Officer &

&. & DNS and IPv6 IPv6 Summit, Canberra 31st October & 1 st November 2005 Chris Wright, Chief Technology Officer &
EDNS0 - the need for speed Lawrence Conroy Roke Manor Research This draft has been produced by Lawrence Conroy

EDNS0 - the need for speed Lawrence Conroy Roke Manor Research This draft has been produced by Lawrence Conroy
WHAT IS DNS??????????.

WHAT IS DNS??????????.
Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia
Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Similar presentations

Ads by Google