SlideShare uma empresa Scribd logo

K-root and DNSSEC

RIPE NCC
RIPE NCC

presentation given at Snow BV March 2010 Anand Buddhdev

Tecnologia
1 de 24
Baixar para ler offline
RIPE Network Coordination Centre K-root and DNSSEC Anand Buddhdev RIPE NCC Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 1
RIPE Network Coordination Centre RIPE and RIPE NCC • Réseaux IP Européens - Community of all Internet users in Europe - Now includes the Middle East - Unregistered, informal community • RIPE Network Coordination Centre - Registered as a Dutch non-profit organisation - Provides services to the RIPE Community, as well as the Internet - 116 employees Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 2
RIPE Network Coordination Centre RIPE NCC • One of the five Regional Internet Registries • Provides IP address and AS number resources to Europe and Middle-East regions • Organises RIPE meetings to facilitate development of policies and exchange of ideas • Provides additional services related to IP address and AS number resources • Membership model - Local Internet Registries Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 3
RIPE Network Coordination Centre Additional Services • RIPE Database - Public database for storing Internet resource information • Training - Educate LIRs on resource management and how to use RIPE NCC’s services • Information Services - Hostcount - Test Traffic Measurement (TTM) and DNSMON - Routing Information Service (RIS) Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 4
RIPE Network Coordination Centre The RIPE NCC DNS Team Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 5
RIPE Network Coordination Centre K-root Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 6
RIPE Network Coordination Centre Additional DNS Services • Manage RIPE NCC’s zones (ripe.net, etc) • Reverse DNS for IPv4 and IPv6 address space • DNSSEC • Secondary DNS for ccTLDs and other registries - Support developing countries • ENUM - Uses DNS to map telephone numbers to resources • AS 112 instance - Mops up reverse DNS queries for RFC 1918 address space Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 7
RIPE Network Coordination Centre Features of DNS • Translates names to IP addresses • Invented around 25 years ago • Uses UDP as its primary transport – low overhead • Essential for a working Internet • “512 bytes should be enough” Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 8
RIPE Network Coordination Centre Security Concerns of DNS • UDP based – address spoofing • Neither transport nor content is secure • Protocol design limitations - 16-bit query ID - 512 bytes of payload • Fast hardware and networks make attacks easy - Kaminsky-style attacks - Misdirect clients - Steal personal data (passwords, account numbers) Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 9
RIPE Network Coordination Centre The Solution: DNSSEC • Security extensions to DNS • Introduces cryptographic security for content • Been in development within IETF for about 10 years • Uses Public Key Cryptography - Content is signed by private key - Clients on the Internet have the public key for validation • Learn more in a DNSSEC tutorial Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 10
RIPE Network Coordination Centre DNSSEC at the RIPE NCC • One of the first DNSSEC deployments in 2005 • All forward and reverse zones signed • Uses open-source tools developed at the RIPE NCC • Helped gain a lot of experience Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 11
RIPE Network Coordination Centre Consequences of DNSSEC • DNS responses carry signatures and are bigger - 512 bytes no longer enough • IETF created DNS extensions to allow for larger packets (EDNS0) - Clients can solicit bigger responses of up to 4096 bytes - In theory everything should just work - The reality is very different ! Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 12
RIPE Network Coordination Centre Large DNS Packets • Some devices and software still enforce the 512- byte limit on DNS and/or UDP packets • Path MTU limits cause packet fragmentation - Some firewalls block fragments - Originating servers don’t always get back “fragmentation needed” messages due to ICMP filtering • TCP fallback not practical because of a large number of queries - TCP not suitable in anycast setups Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 13
RIPE Network Coordination Centre DNSSEC in the DNS Root Zone • The IETF considers DNSSEC to be mature enough to be deployed in the root zone • In 2009, NTIA asked Verisign and ICANN to sign the root zone • Much work going on, with progress updates at http://www.root-dnssec.org/ • Verisign and ICANN co-ordinating deployment with root-server operators Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 14
RIPE Network Coordination Centre Staged Roll-out • Prevents a “big bang” situation • Clients which have problems can switch to another root server • Allows people time to upgrade software and networks while still receiving DNS service • Allows Verisign, ICANN, root-server operators and researchers to gauge the effects and make informed decisions Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 15
RIPE Network Coordination Centre DURZ • Deliberately Unvalidatable Root Zone • Signed zone with dummy keys • Ensures that no-one depends upon it • Can be withdrawn quickly without breaking service • Real keys will be published after all root servers are serving a signed root zone - Single trust anchor to begin validation chain Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 16
RIPE Network Coordination Centre K-root Preparation • Upgrade to NSD 3.2.4 - Has options for tuning TCP connection limits and buffer sizes - Clears the DF (don’t fragment) bit on response packets – allows routers to fragment large packets - Sends minimal responses to DNSKEY queries • Network upgrades - Upgrade to Gigabit Ethernet ports at global instances • Co-operation with NLNet Labs on load testing of our K-root setup Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 17
RIPE Network Coordination Centre Monitoring and Data Collection • Upgraded DSC to report TCP connection rates • Enhanced pcap filter to capture TCP queries and responses • Special pcap filter to capture just priming queries • Mini-DITL runs to upload pcap data to OARC before and after each root-server publishes signed zone • Reply-size tester deployed at global instances Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 18
RIPE Network Coordination Centre Reply-size Testing • Code by Duane Wessels of OARC • dig +short txt test.rs.ripe.net [@resolver] • Hidden HTML element on www.ripe.net triggers the same query • Java application on labs.ripe.net to perform the same test • Helps users to figure out a reasonable buffer size for their resolvers Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 19
RIPE Network Coordination Centre Reply-size Tester Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 20
RIPE Network Coordination Centre Tuning EDNS buffer size • BIND and Unbound default is 4096 bytes • For BIND 9, use “edns-udp-size n;” in options clause in named.conf • For Unbound 1.4.0+, use “edns-buffer-size: n” in unbound.conf • Allow TCP/53 connections through your firewall Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 21
RIPE Network Coordination Centre Non-DNSSEC-aware Resolvers x.x.x.x lacks EDNS, defaults to 512 x.x.x.x summary bs=512,rs=486,edns=0,do=0 • These resolvers are unaware of DNSSEC • Will continue to receive DNS responses without signatures • PowerDNS recursor, djbdns • BIND with “dnssec-enable no;” in options clause Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 22
RIPE Network Coordination Centre Public Awareness • Articles on RIPE Labs and in Member Update • Presentations at technical meetings and conferences • Outreach to ISPs and network community Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 23
RIPE Network Coordination Centre Questions? Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 24

Recomendados

RIPE NCC DNS Update
RIPE NCC DNS UpdateRIPE NCC DNS Update
RIPE NCC DNS UpdateRIPE Meetings
 
Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...
Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...
Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...IKT-Norge
 
Jan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsJan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsIKT-Norge
 
Addressing plans
Addressing plansAddressing plans
Addressing plansenes373
 
6421 b Module-04
6421 b Module-046421 b Module-04
6421 b Module-04Bibekananada Jena
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
Introduction of ipv6
Introduction of ipv6Introduction of ipv6
Introduction of ipv6KaushikMajumder22
 

Recomendados

RIPE NCC DNS Update
RIPE NCC DNS UpdateRIPE NCC DNS Update
RIPE NCC DNS UpdateRIPE Meetings
 
Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...
Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...
Martin J Levy - Hurricane Electric - The IPv6 global view - norway ipv6 - apr...IKT-Norge
 
Jan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsJan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsIKT-Norge
 
Addressing plans
Addressing plansAddressing plans
Addressing plansenes373
 
6421 b Module-04
6421 b Module-046421 b Module-04
6421 b Module-04Bibekananada Jena
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
Introduction of ipv6
Introduction of ipv6Introduction of ipv6
Introduction of ipv6KaushikMajumder22
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
Google and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleGoogle and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleIPv6no
 
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...gogo6
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesOlle E Johansson
 
Cameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingCameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingIPv6no
 
Dnssec
DnssecDnssec
Dnssecguest3131f85
 
OARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemOARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemAPNIC
 
IPv6 Autoconfig
IPv6 AutoconfigIPv6 Autoconfig
IPv6 AutoconfigFred Bovy
 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address PlanningDeploy360 Programme (Internet Society)
 
IPv6 Addressing Plan Fundamentals
IPv6 Addressing Plan FundamentalsIPv6 Addressing Plan Fundamentals
IPv6 Addressing Plan FundamentalsRIPE NCC
 
CommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTCommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTAPNIC
 
IPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanIPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanJumping Bean
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planningTim Martin
 
IPv6
IPv6IPv6
IPv6Amir Reza Hashemi
 
Exploring I Pv6
Exploring I Pv6Exploring I Pv6
Exploring I Pv6Gratien D'haese
 
IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013Shumon Huque
 
IPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungIPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungSwiss IPv6 Council
 
IPv6 introduction
IPv6 introductionIPv6 introduction
IPv6 introductionGuider Lee
 
IPv6 in cellular networks - Jordi Palet
IPv6 in cellular networks - Jordi PaletIPv6 in cellular networks - Jordi Palet
IPv6 in cellular networks - Jordi PaletРегистар националног Интернет домена Србије - РНИДС
 
IPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi PaletIPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi PaletРегистар националног Интернет домена Србије - РНИДС
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and SecurityAPNIC
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 

Mais conteúdo relacionado

Mais procurados

Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
Google and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleGoogle and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleIPv6no
 
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...gogo6
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesOlle E Johansson
 
Cameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingCameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingIPv6no
 
OARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemOARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemAPNIC
 
IPv6 Autoconfig
IPv6 AutoconfigIPv6 Autoconfig
IPv6 AutoconfigFred Bovy
 
IPv6 Addressing Plan Fundamentals
IPv6 Addressing Plan FundamentalsIPv6 Addressing Plan Fundamentals
IPv6 Addressing Plan FundamentalsRIPE NCC
 
CommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTCommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTAPNIC
 
IPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanIPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanJumping Bean
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planningTim Martin
 
IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013Shumon Huque
 
IPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungIPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungSwiss IPv6 Council
 
IPv6 introduction
IPv6 introductionIPv6 introduction
IPv6 introductionGuider Lee
 

Mais procurados (20)

Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
 
Google and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleGoogle and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, Google
 
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slides
 
Cameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingCameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway Meeting
 
Dnssec
DnssecDnssec
Dnssec
 
OARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemOARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server System
 
IPv6 Autoconfig
IPv6 AutoconfigIPv6 Autoconfig
IPv6 Autoconfig
 
IPv6 Address Planning
IPv6 Address PlanningIPv6 Address Planning
IPv6 Address Planning
 
IPv6 Addressing Plan Fundamentals
IPv6 Addressing Plan FundamentalsIPv6 Addressing Plan Fundamentals
IPv6 Addressing Plan Fundamentals
 
CommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTCommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoT
 
IPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanIPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 Lan
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planning
 
IPv6
IPv6IPv6
IPv6
 
Exploring I Pv6
Exploring I Pv6Exploring I Pv6
Exploring I Pv6
 
IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013
 
IPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und AdressierungIPv6 Adressvergabe und Adressierung
IPv6 Adressvergabe und Adressierung
 
IPv6 introduction
IPv6 introductionIPv6 introduction
IPv6 introduction
 
IPv6 in cellular networks - Jordi Palet
IPv6 in cellular networks - Jordi PaletIPv6 in cellular networks - Jordi Palet
IPv6 in cellular networks - Jordi Palet
 
IPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi PaletIPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi Palet
 

Semelhante a K-root and DNSSEC

Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and SecurityAPNIC
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
32-bit ASN for DNS Services
32-bit ASN for DNS Services32-bit ASN for DNS Services
32-bit ASN for DNS ServicesRIPE Meetings
 
Number Resource EXplainer (REX)
Number Resource EXplainer (REX)Number Resource EXplainer (REX)
Number Resource EXplainer (REX)RIPE NCC
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24APNIC
 
RIPE NCC ENUM Update
RIPE NCC ENUM UpdateRIPE NCC ENUM Update
RIPE NCC ENUM UpdateRIPE Meetings
 
Yeti DNS Project
Yeti DNS ProjectYeti DNS Project
Yeti DNS ProjectAPNIC
 
India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2Arin Burman
 
Panel with IPv6 CE Vendors
Panel with IPv6 CE VendorsPanel with IPv6 CE Vendors
Panel with IPv6 CE VendorsAPNIC
 
IDNIC Update
IDNIC UpdateIDNIC Update
IDNIC UpdateAPNIC
 
Operators' Tools - RIPE Labs
Operators' Tools - RIPE LabsOperators' Tools - RIPE Labs
Operators' Tools - RIPE LabsRIPE NCC
 
Asia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAsia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAPNIC
 
Benefits of Hosting a DNS Root Server
Benefits of Hosting a DNS Root ServerBenefits of Hosting a DNS Root Server
Benefits of Hosting a DNS Root ServerRIPE NCC
 
RIPE Labs at UKNOF
RIPE Labs at UKNOFRIPE Labs at UKNOF
RIPE Labs at UKNOFRIPE NCC
 
RIPE NCC DNSMON Service
RIPE NCC DNSMON ServiceRIPE NCC DNSMON Service
RIPE NCC DNSMON ServiceRIPE Meetings
 
IPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesIPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesAPNIC
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of SouthamptonIPv6 Summit 2010
 
APNIC Update
APNIC Update APNIC Update
APNIC Update APNIC
 

Semelhante a K-root and DNSSEC (20)

Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
32-bit ASN for DNS Services
32-bit ASN for DNS Services32-bit ASN for DNS Services
32-bit ASN for DNS Services
 
Number Resource EXplainer (REX)
Number Resource EXplainer (REX)Number Resource EXplainer (REX)
Number Resource EXplainer (REX)
 
Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24
 
Presd1 09
Presd1 09Presd1 09
Presd1 09
 
RIPE NCC ENUM Update
RIPE NCC ENUM UpdateRIPE NCC ENUM Update
RIPE NCC ENUM Update
 
Yeti DNS Project
Yeti DNS ProjectYeti DNS Project
Yeti DNS Project
 
India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2
 
Panel with IPv6 CE Vendors
Panel with IPv6 CE VendorsPanel with IPv6 CE Vendors
Panel with IPv6 CE Vendors
 
IDNIC Update
IDNIC UpdateIDNIC Update
IDNIC Update
 
Operators' Tools - RIPE Labs
Operators' Tools - RIPE LabsOperators' Tools - RIPE Labs
Operators' Tools - RIPE Labs
 
Asia Pacific Internet Leadership Program
Asia Pacific Internet Leadership ProgramAsia Pacific Internet Leadership Program
Asia Pacific Internet Leadership Program
 
Benefits of Hosting a DNS Root Server
Benefits of Hosting a DNS Root ServerBenefits of Hosting a DNS Root Server
Benefits of Hosting a DNS Root Server
 
RIPE Labs at UKNOF
RIPE Labs at UKNOFRIPE Labs at UKNOF
RIPE Labs at UKNOF
 
RIPE NCC DNSMON Service
RIPE NCC DNSMON ServiceRIPE NCC DNSMON Service
RIPE NCC DNSMON Service
 
IPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesIPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government Agencies
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
 

Mais de RIPE NCC

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryRIPE NCC
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in TechRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfRIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsRIPE NCC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing SecurityRIPE NCC
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfRIPE NCC
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasRIPE NCC
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasRIPE NCC
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet InfrastructureRIPE NCC
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenRIPE NCC
 

Mais de RIPE NCC (20)

Navigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet RegistryNavigating IP Addresses: Insights from your Regional Internet Registry
Navigating IP Addresses: Insights from your Regional Internet Registry
 
Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 

Último

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Último (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

K-root and DNSSEC

  • 1. RIPE Network Coordination Centre K-root and DNSSEC Anand Buddhdev RIPE NCC Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 1
  • 2. RIPE Network Coordination Centre RIPE and RIPE NCC • Réseaux IP Européens - Community of all Internet users in Europe - Now includes the Middle East - Unregistered, informal community • RIPE Network Coordination Centre - Registered as a Dutch non-profit organisation - Provides services to the RIPE Community, as well as the Internet - 116 employees Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 2
  • 3. RIPE Network Coordination Centre RIPE NCC • One of the five Regional Internet Registries • Provides IP address and AS number resources to Europe and Middle-East regions • Organises RIPE meetings to facilitate development of policies and exchange of ideas • Provides additional services related to IP address and AS number resources • Membership model - Local Internet Registries Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 3
  • 4. RIPE Network Coordination Centre Additional Services • RIPE Database - Public database for storing Internet resource information • Training - Educate LIRs on resource management and how to use RIPE NCC’s services • Information Services - Hostcount - Test Traffic Measurement (TTM) and DNSMON - Routing Information Service (RIS) Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 4
  • 5. RIPE Network Coordination Centre The RIPE NCC DNS Team Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 5
  • 6. RIPE Network Coordination Centre K-root Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 6
  • 7. RIPE Network Coordination Centre Additional DNS Services • Manage RIPE NCC’s zones (ripe.net, etc) • Reverse DNS for IPv4 and IPv6 address space • DNSSEC • Secondary DNS for ccTLDs and other registries - Support developing countries • ENUM - Uses DNS to map telephone numbers to resources • AS 112 instance - Mops up reverse DNS queries for RFC 1918 address space Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 7
  • 8. RIPE Network Coordination Centre Features of DNS • Translates names to IP addresses • Invented around 25 years ago • Uses UDP as its primary transport – low overhead • Essential for a working Internet • “512 bytes should be enough” Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 8
  • 9. RIPE Network Coordination Centre Security Concerns of DNS • UDP based – address spoofing • Neither transport nor content is secure • Protocol design limitations - 16-bit query ID - 512 bytes of payload • Fast hardware and networks make attacks easy - Kaminsky-style attacks - Misdirect clients - Steal personal data (passwords, account numbers) Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 9
  • 10. RIPE Network Coordination Centre The Solution: DNSSEC • Security extensions to DNS • Introduces cryptographic security for content • Been in development within IETF for about 10 years • Uses Public Key Cryptography - Content is signed by private key - Clients on the Internet have the public key for validation • Learn more in a DNSSEC tutorial Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 10
  • 11. RIPE Network Coordination Centre DNSSEC at the RIPE NCC • One of the first DNSSEC deployments in 2005 • All forward and reverse zones signed • Uses open-source tools developed at the RIPE NCC • Helped gain a lot of experience Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 11
  • 12. RIPE Network Coordination Centre Consequences of DNSSEC • DNS responses carry signatures and are bigger - 512 bytes no longer enough • IETF created DNS extensions to allow for larger packets (EDNS0) - Clients can solicit bigger responses of up to 4096 bytes - In theory everything should just work - The reality is very different ! Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 12
  • 13. RIPE Network Coordination Centre Large DNS Packets • Some devices and software still enforce the 512- byte limit on DNS and/or UDP packets • Path MTU limits cause packet fragmentation - Some firewalls block fragments - Originating servers don’t always get back “fragmentation needed” messages due to ICMP filtering • TCP fallback not practical because of a large number of queries - TCP not suitable in anycast setups Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 13
  • 14. RIPE Network Coordination Centre DNSSEC in the DNS Root Zone • The IETF considers DNSSEC to be mature enough to be deployed in the root zone • In 2009, NTIA asked Verisign and ICANN to sign the root zone • Much work going on, with progress updates at http://www.root-dnssec.org/ • Verisign and ICANN co-ordinating deployment with root-server operators Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 14
  • 15. RIPE Network Coordination Centre Staged Roll-out • Prevents a “big bang” situation • Clients which have problems can switch to another root server • Allows people time to upgrade software and networks while still receiving DNS service • Allows Verisign, ICANN, root-server operators and researchers to gauge the effects and make informed decisions Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 15
  • 16. RIPE Network Coordination Centre DURZ • Deliberately Unvalidatable Root Zone • Signed zone with dummy keys • Ensures that no-one depends upon it • Can be withdrawn quickly without breaking service • Real keys will be published after all root servers are serving a signed root zone - Single trust anchor to begin validation chain Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 16
  • 17. RIPE Network Coordination Centre K-root Preparation • Upgrade to NSD 3.2.4 - Has options for tuning TCP connection limits and buffer sizes - Clears the DF (don’t fragment) bit on response packets – allows routers to fragment large packets - Sends minimal responses to DNSKEY queries • Network upgrades - Upgrade to Gigabit Ethernet ports at global instances • Co-operation with NLNet Labs on load testing of our K-root setup Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 17
  • 18. RIPE Network Coordination Centre Monitoring and Data Collection • Upgraded DSC to report TCP connection rates • Enhanced pcap filter to capture TCP queries and responses • Special pcap filter to capture just priming queries • Mini-DITL runs to upload pcap data to OARC before and after each root-server publishes signed zone • Reply-size tester deployed at global instances Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 18
  • 19. RIPE Network Coordination Centre Reply-size Testing • Code by Duane Wessels of OARC • dig +short txt test.rs.ripe.net [@resolver] • Hidden HTML element on www.ripe.net triggers the same query • Java application on labs.ripe.net to perform the same test • Helps users to figure out a reasonable buffer size for their resolvers Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 19
  • 20. RIPE Network Coordination Centre Reply-size Tester Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 20
  • 21. RIPE Network Coordination Centre Tuning EDNS buffer size • BIND and Unbound default is 4096 bytes • For BIND 9, use “edns-udp-size n;” in options clause in named.conf • For Unbound 1.4.0+, use “edns-buffer-size: n” in unbound.conf • Allow TCP/53 connections through your firewall Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 21
  • 22. RIPE Network Coordination Centre Non-DNSSEC-aware Resolvers x.x.x.x lacks EDNS, defaults to 512 x.x.x.x summary bs=512,rs=486,edns=0,do=0 • These resolvers are unaware of DNSSEC • Will continue to receive DNS responses without signatures • PowerDNS recursor, djbdns • BIND with “dnssec-enable no;” in options clause Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 22
  • 23. RIPE Network Coordination Centre Public Awareness • Articles on RIPE Labs and in Member Update • Presentations at technical meetings and conferences • Outreach to ISPs and network community Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 23
  • 24. RIPE Network Coordination Centre Questions? Anand Buddhdev Snow BV, 4 March 2010 http://www.ripe.net 24