SlideShare uma empresa Scribd logo

What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]

APNIC
APNIC

What if everyone did it?, by Geoff Huston. A presentation given at APNIC 38 during the APOPS 1 session.

Internet
1 de 50
What If Everyone Did It? Geoff Huston APNIC Labs
2 DNSSEC and DNS Security $ dig xxx.00001.z.dotnxdomain.net ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; ANSWER SECTION: xxx.00001.z.dotnxdomain.net. 1 IN A 199.102.79.186 What does this mean? $ dig xxx.00001.z.dashnxdomain.net ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; ANSWER SECTION: xxx.00001.z.dashnxdomain.net. 3600 IN A 199.102.79.188
DNSSEC and DNS Security 3 $ dig xxx.00002.z.dotnxdomain.net ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9216 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;xxx.00002.z.dotnxdomain.net. IN A ;; Query time: 619 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Sep 10 01:20:02 UTC 2014 ;; MSG SIZE rcvd: 56 What does this DNS response mean?
DNSSEC and DNS Security • Setting the AD bit in a recursive resolver response seems like a rather unimpressive way of conveying a positive security outcome, and in the same manner, setting SERVFAIL seems like a rather poor way of conveying a failed security outcome • Various approaches to securing the channel between the client and the recursive resolver have been suggested, but in a simple lightweight UDP transaction model this can be challenging • Perhaps it would be simpler for the edge device to perform DNSSEC validation directly • Which is fine, but will this approach scale?
What can we say about a DNS environment where every edge device that poses DNS queries performs their own DNSSEC validation?
DNSSEC today • A small, but growing, fraction of all domain names are signed using DNSSEC • A larger, but still small, fraction of users use DNS resolvers that perform DNSSEC validation At the end of August 2014, some ~11.5% of users send their DNS queries to DNSSEC-validating resolvers
What if everyone did it? What if: every resolver performed DNSSEC validation? or even if: every end device performed DNSSEC validation? What difference in traffic loads and query rates would we see at an authoritative name server between serving an unsigned domain name and serving the signed equivalent of the domain name?
The Experiment • We serve an online Ad with 3 embedded URLs that the user’s browser is tasked to fetch. The URLs use unique domain names that are: – Unsigned – Signed (good) – Signed (bad) • We are looking for behaviours where we see the browser perform: – Queries for the DS and DNSKEY RRs for both of the the signed domains, and – Fetch the signed (good) but not the signed (bad) URLs
What we saw • Users who exclusively used DNSSEC-validating resolvers • Users who used a mix of validating and non-validating resolvers (typically, we saw the SERVFAIL response on a badly signed domain name cause the user to repeat the query to a resolver that did not perform DNSSEC validation) • Users who exclusively used non-validating resolvers
What we saw Did not attempt to fetch DNSSEC RRs DNSSEC-validating Mixed DNSSEC-validating
If your resolver validates DNS responses… • Then the resolver will need to fetch the DNSKEY and DS RRs for the zone, and recurse upward to the root • If these RRs are not cached, then at a minimum there are at least two additional DNS queries that are performed as part of the validation process
If your resolver validates DNS responses… More queries, longer resolution time Dual Stack client - query for unsigned domain name 20:36:40.288 query: unsigned.example.com IN AAAA -ED (199.102.79.186)! 20:36:41.028 query: unsigned.example.com IN A -ED (199.102.79.186)! Dual Stack client - query for signed domain name 20:36:41.749 query: signed.example.com IN A -ED (199.102.79.186)! 20:36:41.758 query: signed.example.com IN AAAA -ED (199.102.79.186)! 20:36:41.876 query: signed.example.com IN DS -ED (199.102.79.186)! 20:36:41.993 query: signed.example.com IN DNSKEY -ED (199.102.79.186)! !
Validation – DNS Queries DNS queries Validation Queries
Measured Time Cost Distribution of elapsed time difference, measured at the server, from the first DNS query until the WEB object fetch. There are three types of clients: those who validate, those who do not validate, and those who use a mix of validating and non-validating resolvers
Measured Time Cost Distribution of elapsed time difference, measured at the server, from the first DNS query of a signed name until the WEB object fetch. There are three types of clients: those who validate, those who do not validate, and those who use a mix of validating and non-validating resolvers
Time Cost Cumulative distribution of elapsed time difference, measured at the server, from the first DNS query until the WEB object fetch
DNS Resolution Time This measures just the DNS resolution part, collecting the elapsed time between the first and last queries for a domain name
Unsigned/Non-Validating vs Signed/Validating Let’s try a slightly different comparison, and compare the total DNS query time between – Non-validating users querying an unsigned name and – Validating users querying for a signed name
Like-vs-like: unsigned vs signed
Like-vs-like: unsigned vs signed 25% of users cannot resolve a simple uncached unsigned domain name within a single query 25% of DNSSEC-validating users cannot resolve a signed name within ½ second
Validation Time • When resolving a previously unseen domain name most clients will experience up to 500ms additional time spent in validation – This is due to the additional queries related to the fetch of the DNSKEY / DS RR sequence to validate the RRSIG of the original response This validation phase could be processed in less time… • Most resolvers appear to perform the validation path check using serial fetches. Parallel fetches of the DNSSEC validation path RRs would improve this situation so that the validation fetches would take a single query cycle time
Do any clients drop out? Does the addition of the DNSSEC RR’s in the response cause any clients to stop attempts at DNS resolution? So we looked…
Do any clients drop out? If there was any clear evidence of DNSSEC causing resolution failure then the blue line would be clearly higher than the other three control lines But its not. There is no experimental evidence to suggest systematic resolution failure here for DNSSEC-signed names However, the DNS responses in this experiment were all below 1500 octets. We have yet to test the case of forced UDP fragmentation in DNS responses
Client Behaviour • Retrieving DNSSEC credentials takes additional time and volume when validating the resolution outcomes of a signed name • But much of this overhead is mitigated by use of local caches in the DNS resolution path • And if resolvers performed validation using parallel fetches, the additional overhead could be brought down to a single retrieval cycle time
Authoritative Server Measurements The following analysis attempts to answer the question: – What increase in queries and traffic should I expect to see if the unsigned zone I currently serve is DNSSEC signed, and everyone is using DNSSEC validating resolvers?
If you serve a signed Domain Name: You will generate larger responses: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! "Total: Query: 287 bytes! " "Response: 2,251 bytes!
If you serve a signed Domain Name: You will generate larger responses: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! The DS query is directed to the parent zone, so you may or may not see this query at the authoritative server. In our case we are serving the parent zone as well "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! "Total: Query: 287 bytes! " "Response: 2,251 bytes!
If you serve a signed Domain Name: You will generate larger responses: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! That’s an increase of 13x in terms of outbound traffic volume "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! The DS query is directed to the parent zone, so you may or may not see this query at the authoritative server. In our case we are serving the parent zone as well "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! "Total: Query: 287 bytes! " "Response: 2,251 bytes!
Server Traffic Load This represents the 5 minute relative traffic load between serving an unsigned control domain and serving a validly signed domain. The originating query rates are the same
Server Traffic Load • Serving a DNSSEC-signed name appears to generate 7.5x the traffic load, as compared to serving an unsigned name – But 20% of clients are performing validation, and hence 20% of the clients generate 13x more traffic – The theory would expect to see a 3.4x increase in traffic. – Why is this observed result double the prediction?
Server Traffic Load • Use of the EDNS DNSSEC-OK flag is far higher than the level of DNSSEC validation – 84% of queries have the EDNS0 DNSSEC-OK flag set – And this query generates a response of 1168 bytes (i.e. 7x the size of a null EDNS response) – So 64% of clients set EDNS0 DNSSEC-OK, and 20% of clients also ask for DS and DNSKEY RRs – The theory predicts that this would result in 7.25x the traffic over an unsigned domain – Which is (roughly) what we see
Server Traffic Load • What is the traffic load difference between serving an unsigned zone and serving a signed zone if every client performed DNSSEC validation? – The difference from the current levels of DNSSEC traffic lies predominately in the additional DNSKEY and DS responses – You should expect approximately 15x the traffic load for response traffic
If you serve a signed Domain Name: You’ll receive 2-3 times as many queries: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! " The DS query is directed to the parent zone, so you may or may not see this query at the authoritative server. In our case we are serving the parent zone as well
Server Query Load
Server Query Load • 20% of clients use validating resolvers, so the signed domain query load should be 1.4x that of the unsigned domain • But we are observing an increase in the query load of 1.6x the unsigned domain. • Why?
Repeat queries are rising Queries per domain name
Query duplication We are seeing a noticeable level of query duplication from anycast DNS server farms The same query is being received from multiple slave resolvers within a short period of time Domain Time Query source Query! ! 0a62f.z.example.com 02:05:31.998 74.125.41.81 port: 52065 q: DNSKEY?! 0a62f.z.example.com 02:05:32.000 74.125.41.19 port: 53887 q: DNSKEY?! 0a62f.z.example.com 02:05:32.005 74.125.41.146 port: 52189 q: DNSKEY?! 0a62f.z.example.com 02:05:32.008 74.125.16.213 port: 42079 q: DNSKEY?! ! This is rising over time
Setting Expectations For a validly signed zone an authoritative server may anticipate about 4x the query load and 15x the traffic load as compared to serving an equivalent unsigned zone, if everyone performed DNSSEC validation * (* if you served the parent zone as well)
The Worst Case But things get worse when the DNSSEC signatures are invalid: – The response from a DNSSEC-validating recursive resolver upon DNSSEC validation failure is SERVFAIL, which prompts clients of this resolver to re-query using an alternative resolver – The recursive resolver may re-query the name using alternative servers, on the assumption that the validation failure is due to a secondary server falling out of sync with the current zone data How much worse does it get?
DNS Resolution Time Difference In this case we look at clients who use a mixed set of resolvers, and fail over from a validating resolver to a non-validating resolver, and measure the time from first DNS query to Web fetch
DNS Resolution Time Difference In this case we look at clients who use a mixed set of resolvers, and fail over from a validating resolver to a non-validating resolver, and measure the time from first DNS query to Web fetch
DNS Resolution Times 25% of DNSSEC-validating clients continue DNS resolution attempts for more than 6 seconds with a badly signed DNS name
Relative Traffic Profile
Traffic Profile • The traffic load for a badly signed domain name is around 10x the load for an unsigned domain • If everyone were to use validating resolvers then the load profile would rise to around 26x the load of an unsigned domain
Query Profile
Query Profile • The query load for a badly signed domain name is around 2.5x the load for an unsigned domain • If everyone were to use validating resolvers then the load profile would rise to around 4x the load of an unsigned domain
Badly Signed Names The problem with a badly signed name is the lack of caching – when a name does not validate, a validating resolver should not cache the resolution outcomes So now all resolution attempts from validating resolvers generate queries at the authoritative name servers And the use of a rather cryptic “ServFail” response prompts some recursive resolvers to query all nameservers So the resultant query load on the authoritative name servers is far higher than these measurements would suggest
Badly Signed Names Edge Device Resolvers Authoritative Name Servers
Setting Expectations for DNSSEC For a validly signed zone an authoritative server may anticipate about 4x the query load and 15x the traffic load as compared to serving an equivalent unsigned zone, if everyone performed DNSSEC validation * But if you serve a badly signed zone, expect >>8x the query load and around >>26x the traffic load * (* if you served the parent zone as well)
Thank You Questions?

Recomendados

NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolversBangladesh Network Operators Group
 
Hands-on getdns Tutorial
Hands-on getdns TutorialHands-on getdns Tutorial
Hands-on getdns TutorialShumon Huque
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
Content Navigation
Content NavigationContent Navigation
Content Navigationsanjoysanyal
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 

Recomendados

NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolversBangladesh Network Operators Group
 
Hands-on getdns Tutorial
Hands-on getdns TutorialHands-on getdns Tutorial
Hands-on getdns TutorialShumon Huque
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
Content Navigation
Content NavigationContent Navigation
Content Navigationsanjoysanyal
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White PaperRyan Ellingson
 
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53Amazon Web Services
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN ServerManish Kc
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningChristopher Grayson
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD ExtentionsNina Buchina
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Bangladesh Network Operators Group
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILUtah Networxs Consultoria e Treinamento
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 

Mais conteúdo relacionado

Mais procurados

(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53Amazon Web Services
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN ServerManish Kc
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 

Mais procurados (20)

DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White Paper
 
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN Server
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD Extentions
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS Spoofing
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoning
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
 

Semelhante a What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]

How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSKAPNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
 
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3aPmw2 k3ni 1-3a
Pmw2 k3ni 1-3ahariclant1
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonAPNIC
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 

Semelhante a What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1] (20)

How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSK
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slides
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptx
 
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3aPmw2 k3ni 1-3a
Pmw2 k3ni 1-3a
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 

Mais de APNIC

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 

Mais de APNIC (20)

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 

Último

VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Onlineanilsa9823
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Último (20)

VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 

What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]

  • 1. What If Everyone Did It? Geoff Huston APNIC Labs
  • 2. 2 DNSSEC and DNS Security $ dig xxx.00001.z.dotnxdomain.net ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; ANSWER SECTION: xxx.00001.z.dotnxdomain.net. 1 IN A 199.102.79.186 What does this mean? $ dig xxx.00001.z.dashnxdomain.net ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; ANSWER SECTION: xxx.00001.z.dashnxdomain.net. 3600 IN A 199.102.79.188
  • 3. DNSSEC and DNS Security 3 $ dig xxx.00002.z.dotnxdomain.net ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9216 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;xxx.00002.z.dotnxdomain.net. IN A ;; Query time: 619 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Sep 10 01:20:02 UTC 2014 ;; MSG SIZE rcvd: 56 What does this DNS response mean?
  • 4. DNSSEC and DNS Security • Setting the AD bit in a recursive resolver response seems like a rather unimpressive way of conveying a positive security outcome, and in the same manner, setting SERVFAIL seems like a rather poor way of conveying a failed security outcome • Various approaches to securing the channel between the client and the recursive resolver have been suggested, but in a simple lightweight UDP transaction model this can be challenging • Perhaps it would be simpler for the edge device to perform DNSSEC validation directly • Which is fine, but will this approach scale?
  • 5. What can we say about a DNS environment where every edge device that poses DNS queries performs their own DNSSEC validation?
  • 6. DNSSEC today • A small, but growing, fraction of all domain names are signed using DNSSEC • A larger, but still small, fraction of users use DNS resolvers that perform DNSSEC validation At the end of August 2014, some ~11.5% of users send their DNS queries to DNSSEC-validating resolvers
  • 7. What if everyone did it? What if: every resolver performed DNSSEC validation? or even if: every end device performed DNSSEC validation? What difference in traffic loads and query rates would we see at an authoritative name server between serving an unsigned domain name and serving the signed equivalent of the domain name?
  • 8. The Experiment • We serve an online Ad with 3 embedded URLs that the user’s browser is tasked to fetch. The URLs use unique domain names that are: – Unsigned – Signed (good) – Signed (bad) • We are looking for behaviours where we see the browser perform: – Queries for the DS and DNSKEY RRs for both of the the signed domains, and – Fetch the signed (good) but not the signed (bad) URLs
  • 9. What we saw • Users who exclusively used DNSSEC-validating resolvers • Users who used a mix of validating and non-validating resolvers (typically, we saw the SERVFAIL response on a badly signed domain name cause the user to repeat the query to a resolver that did not perform DNSSEC validation) • Users who exclusively used non-validating resolvers
  • 10. What we saw Did not attempt to fetch DNSSEC RRs DNSSEC-validating Mixed DNSSEC-validating
  • 11. If your resolver validates DNS responses… • Then the resolver will need to fetch the DNSKEY and DS RRs for the zone, and recurse upward to the root • If these RRs are not cached, then at a minimum there are at least two additional DNS queries that are performed as part of the validation process
  • 12. If your resolver validates DNS responses… More queries, longer resolution time Dual Stack client - query for unsigned domain name 20:36:40.288 query: unsigned.example.com IN AAAA -ED (199.102.79.186)! 20:36:41.028 query: unsigned.example.com IN A -ED (199.102.79.186)! Dual Stack client - query for signed domain name 20:36:41.749 query: signed.example.com IN A -ED (199.102.79.186)! 20:36:41.758 query: signed.example.com IN AAAA -ED (199.102.79.186)! 20:36:41.876 query: signed.example.com IN DS -ED (199.102.79.186)! 20:36:41.993 query: signed.example.com IN DNSKEY -ED (199.102.79.186)! !
  • 13. Validation – DNS Queries DNS queries Validation Queries
  • 14. Measured Time Cost Distribution of elapsed time difference, measured at the server, from the first DNS query until the WEB object fetch. There are three types of clients: those who validate, those who do not validate, and those who use a mix of validating and non-validating resolvers
  • 15. Measured Time Cost Distribution of elapsed time difference, measured at the server, from the first DNS query of a signed name until the WEB object fetch. There are three types of clients: those who validate, those who do not validate, and those who use a mix of validating and non-validating resolvers
  • 16. Time Cost Cumulative distribution of elapsed time difference, measured at the server, from the first DNS query until the WEB object fetch
  • 17. DNS Resolution Time This measures just the DNS resolution part, collecting the elapsed time between the first and last queries for a domain name
  • 18. Unsigned/Non-Validating vs Signed/Validating Let’s try a slightly different comparison, and compare the total DNS query time between – Non-validating users querying an unsigned name and – Validating users querying for a signed name
  • 20. Like-vs-like: unsigned vs signed 25% of users cannot resolve a simple uncached unsigned domain name within a single query 25% of DNSSEC-validating users cannot resolve a signed name within ½ second
  • 21. Validation Time • When resolving a previously unseen domain name most clients will experience up to 500ms additional time spent in validation – This is due to the additional queries related to the fetch of the DNSKEY / DS RR sequence to validate the RRSIG of the original response This validation phase could be processed in less time… • Most resolvers appear to perform the validation path check using serial fetches. Parallel fetches of the DNSSEC validation path RRs would improve this situation so that the validation fetches would take a single query cycle time
  • 22. Do any clients drop out? Does the addition of the DNSSEC RR’s in the response cause any clients to stop attempts at DNS resolution? So we looked…
  • 23. Do any clients drop out? If there was any clear evidence of DNSSEC causing resolution failure then the blue line would be clearly higher than the other three control lines But its not. There is no experimental evidence to suggest systematic resolution failure here for DNSSEC-signed names However, the DNS responses in this experiment were all below 1500 octets. We have yet to test the case of forced UDP fragmentation in DNS responses
  • 24. Client Behaviour • Retrieving DNSSEC credentials takes additional time and volume when validating the resolution outcomes of a signed name • But much of this overhead is mitigated by use of local caches in the DNS resolution path • And if resolvers performed validation using parallel fetches, the additional overhead could be brought down to a single retrieval cycle time
  • 25. Authoritative Server Measurements The following analysis attempts to answer the question: – What increase in queries and traffic should I expect to see if the unsigned zone I currently serve is DNSSEC signed, and everyone is using DNSSEC validating resolvers?
  • 26. If you serve a signed Domain Name: You will generate larger responses: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! "Total: Query: 287 bytes! " "Response: 2,251 bytes!
  • 27. If you serve a signed Domain Name: You will generate larger responses: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! The DS query is directed to the parent zone, so you may or may not see this query at the authoritative server. In our case we are serving the parent zone as well "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! "Total: Query: 287 bytes! " "Response: 2,251 bytes!
  • 28. If you serve a signed Domain Name: You will generate larger responses: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! That’s an increase of 13x in terms of outbound traffic volume "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! The DS query is directed to the parent zone, so you may or may not see this query at the authoritative server. In our case we are serving the parent zone as well "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! "Total: Query: 287 bytes! " "Response: 2,251 bytes!
  • 29. Server Traffic Load This represents the 5 minute relative traffic load between serving an unsigned control domain and serving a validly signed domain. The originating query rates are the same
  • 30. Server Traffic Load • Serving a DNSSEC-signed name appears to generate 7.5x the traffic load, as compared to serving an unsigned name – But 20% of clients are performing validation, and hence 20% of the clients generate 13x more traffic – The theory would expect to see a 3.4x increase in traffic. – Why is this observed result double the prediction?
  • 31. Server Traffic Load • Use of the EDNS DNSSEC-OK flag is far higher than the level of DNSSEC validation – 84% of queries have the EDNS0 DNSSEC-OK flag set – And this query generates a response of 1168 bytes (i.e. 7x the size of a null EDNS response) – So 64% of clients set EDNS0 DNSSEC-OK, and 20% of clients also ask for DS and DNSKEY RRs – The theory predicts that this would result in 7.25x the traffic over an unsigned domain – Which is (roughly) what we see
  • 32. Server Traffic Load • What is the traffic load difference between serving an unsigned zone and serving a signed zone if every client performed DNSSEC validation? – The difference from the current levels of DNSSEC traffic lies predominately in the additional DNSKEY and DS responses – You should expect approximately 15x the traffic load for response traffic
  • 33. If you serve a signed Domain Name: You’ll receive 2-3 times as many queries: Dual Stack client - query for unsigned domain name, no EDNS0! ! "Query: 117 Bytes! "Response: 168 bytes! ! Dual Stack client - query for signed domain name, EDNS0! ! "Query: (A) 127 Bytes! "Response: (A) 1168 bytes! ! "Query: (DS) 80 Bytes! "Response: (DS) 341 bytes! ! "Query: (DNSKEY) 80 Bytes! "Response: (DNSKEY) 742 bytes! ! " The DS query is directed to the parent zone, so you may or may not see this query at the authoritative server. In our case we are serving the parent zone as well
  • 35. Server Query Load • 20% of clients use validating resolvers, so the signed domain query load should be 1.4x that of the unsigned domain • But we are observing an increase in the query load of 1.6x the unsigned domain. • Why?
  • 36. Repeat queries are rising Queries per domain name
  • 37. Query duplication We are seeing a noticeable level of query duplication from anycast DNS server farms The same query is being received from multiple slave resolvers within a short period of time Domain Time Query source Query! ! 0a62f.z.example.com 02:05:31.998 74.125.41.81 port: 52065 q: DNSKEY?! 0a62f.z.example.com 02:05:32.000 74.125.41.19 port: 53887 q: DNSKEY?! 0a62f.z.example.com 02:05:32.005 74.125.41.146 port: 52189 q: DNSKEY?! 0a62f.z.example.com 02:05:32.008 74.125.16.213 port: 42079 q: DNSKEY?! ! This is rising over time
  • 38. Setting Expectations For a validly signed zone an authoritative server may anticipate about 4x the query load and 15x the traffic load as compared to serving an equivalent unsigned zone, if everyone performed DNSSEC validation * (* if you served the parent zone as well)
  • 39. The Worst Case But things get worse when the DNSSEC signatures are invalid: – The response from a DNSSEC-validating recursive resolver upon DNSSEC validation failure is SERVFAIL, which prompts clients of this resolver to re-query using an alternative resolver – The recursive resolver may re-query the name using alternative servers, on the assumption that the validation failure is due to a secondary server falling out of sync with the current zone data How much worse does it get?
  • 40. DNS Resolution Time Difference In this case we look at clients who use a mixed set of resolvers, and fail over from a validating resolver to a non-validating resolver, and measure the time from first DNS query to Web fetch
  • 41. DNS Resolution Time Difference In this case we look at clients who use a mixed set of resolvers, and fail over from a validating resolver to a non-validating resolver, and measure the time from first DNS query to Web fetch
  • 42. DNS Resolution Times 25% of DNSSEC-validating clients continue DNS resolution attempts for more than 6 seconds with a badly signed DNS name
  • 44. Traffic Profile • The traffic load for a badly signed domain name is around 10x the load for an unsigned domain • If everyone were to use validating resolvers then the load profile would rise to around 26x the load of an unsigned domain
  • 46. Query Profile • The query load for a badly signed domain name is around 2.5x the load for an unsigned domain • If everyone were to use validating resolvers then the load profile would rise to around 4x the load of an unsigned domain
  • 47. Badly Signed Names The problem with a badly signed name is the lack of caching – when a name does not validate, a validating resolver should not cache the resolution outcomes So now all resolution attempts from validating resolvers generate queries at the authoritative name servers And the use of a rather cryptic “ServFail” response prompts some recursive resolvers to query all nameservers So the resultant query load on the authoritative name servers is far higher than these measurements would suggest
  • 48. Badly Signed Names Edge Device Resolvers Authoritative Name Servers
  • 49. Setting Expectations for DNSSEC For a validly signed zone an authoritative server may anticipate about 4x the query load and 15x the traffic load as compared to serving an equivalent unsigned zone, if everyone performed DNSSEC validation * But if you serve a badly signed zone, expect >>8x the query load and around >>26x the traffic load * (* if you served the parent zone as well)