Yeti DNS: Status after a Year

Slides:



Advertisements
Similar presentations
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Advertisements

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Shared-Dictionary Compression over HTTP (SDCH)‏ Wei-Hsin Lee June 2008.
DNS DOMAIN NAME SYSTEM NAME SYSTEM By Lijo George.
Small-world Overlay P2P Network
CSE 115 Week 14 April , Announcements April 14 – Exam 10 April 14 – Exam 10 April 18 – Last day to turn in Lab 8 for any credit April 18.
Computer Science 1 Providing QoS through Active Domain Management Liang Guo, Ibrahim Matta Quality-of-Service Networking Lab CS Department Boston University.
Basic DNS Course Lecturer: Ron Aitchison. Module 1 DNS Theory.
Day 10 Hardware Fault Tolerance RAID. High availability All servers should be on UPSs –2 Types Smart UPS –Serial cable connects from UPS to computer.
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
Creating With Code.
Private Keyword Search on Streaming Data Rafail Ostrovsky William Skeith UCLA (patent pending)
Rolling the Keys of the DNS Root Zone Geoff Huston APNIC Labs.
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
Rolling the Root Geoff Huston APNIC Labs. Use of DNSSEC in Today’s Internet.
Happy Eyeballs for the DNS Geoff Huston, George Michaelson APNIC Labs October 2015.
Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with.
X-ASVP Technical Overview eXtensible Anti-spam Verification Protocol X-ASVP Committee Technical Working Group July 22, 2007.
Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.
Domain Name System INTRODUCTION to Eng. Yasser Al-eimad
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Rolling the Root Geoff Huston APNIC Labs March 2016.
Increasing the Zone Signing Key Size for the Root Zone
BIND 10 DNS Project Status + DNS Resolver Status/Plans Shane Kerr 23 January 2013.
Nov 05, 2008, PragueSA3 Workshop1 A short presentation from Owen Synge SA3 and dCache.
Android’s Malware Attack, Stealthiness and Defense: An Improvement Mohammad Ali, Humayun Ali and Zahid Anwar 2011 Frontiers of Information Technology.
Security Issues with Domain Name Systems
Rolling the Root Zone DNSSEC Key Signing Key
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
A longitudinal, End-to-End View of the DNSSEC Ecosystem
DNS Security Advanced Network Security Peter Reiher August, 2014
CSC207 Fall 2016.
DNS Team IETF 99 Hackathon.
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
Code.org Lessons 11 & 12 Lesson 11- Packets and Making a Reliable Internet Lesson 12- The Need for DNS.
Geoff Huston APNIC Labs
Mattias Wadenstein System Integrator, NDGF HEPiX Spring 2008 at CERN
Geoff Huston APNIC Labs September 2017
DNS.
draft-huston-kskroll-sentinel
CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others
RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • •
tb3: using tinderboxes efficiently
DNSSEC Iván González Montemayor A
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Domain Name System (DNS)
Joao Damas, Geoff Labs March 2018
draft-zhang-dnsext-test-result-00
Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.
Ticketing Systems with RT
Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research
Providing QoS through Active Domain Management
Measuring KSK Roll Readiness
Geoff Huston APNIC Labs
Encrypting DNS traffic
DNS: Domain Name System
Code.org Lessons 11 & 12 Lesson 11- Packets and Making a Reliable Internet Lesson 12- The Need for DNS.
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Measuring KSK Roll Readiness
DNS operator transfers with DNSSEC
Distributed Availability Groups
DNSSEC Status Update in UA
Code.org Lessons 11 & 12 Lesson 11- Packets and Making a Reliable Internet Lesson 12- The Need for DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
The Curious Case of the Crippling DS record
Trust Anchor Signals from Custom Applications
ECDSA P-256 support in DNSSEC-validating Resolvers
Presentation transcript:

Yeti DNS: Status after a Year Davey Song -宋林健 / BII Labs / ljsong@biigroup.cn Shane Kerr / BII Labs / shane@biigroup.cn 2016-07-17 / Berlin / IEPG

Introduction Yeti Project Motivation Initiation Project coordination & setup

Technical Setup

Technical Setup Web site, Mailman, Trac, Nagios, … 3 distribution masters (DM) Using shared git repository for synchronization http://yeti-dns.org/operators.html 25 Yeti root servers (soon 26) 14 Yeti root servers (soon 15) About 30 resolvers http://dsc.yeti-dns.org/dsc-grapher.pl?binsize...

Current Need: Traffic DNS caching is really efficient 30 resolvers yield < 100 queries/second Please help! Set up a Yeti resolver http://yeti-dns.org/join.html Use dnsdist with a Yeti resolver http://yeti-dns.org/.../Mirroring-traffic-using- dnsdist.html Try the ymmv query mirror (alpha code) https://github.com/shane-kerr/ymmv

Experiments Yeti is for research! Experimental protocol Lab test List proposal Experiment Report https://github.com/BII-Lab/.../Experiment- Protocol.md Queue of experiments https://github.com/BII-Lab/.../Experiment- Schedule.md

Experiment: MZSK MZSK is ”Multiple ZSK”: separate ZSK for each DM Phase 1: lots of DNSKEY (1 KSK, 6 ZSK) Simulates all ZSK rolling at once Phase 2: actual separate ZSK Various bugs: Linux kernel bug, IXFR issues, ... Completed, report written (pending data analysis) https://github.com/BII-Lab/.../Report-MZSK.md Future work: Non-shared KSK Zone verification by Yeti root servers

Experiment: BGZSK BGZSK is ”Big ZSK”: 2048 bit ZSK Moved to top of list by Verisign announcement Skipped lab test No surprises (good!) Completed, pending report https://github/.../Experiment-BGZSK.md

Experiment: KROLL KROLL is ”KSK roll”: KSK roll Test root KSK roll before ICANN First of two experiments: KROLL is normal double-DS KSK roll IROLL is like the proposed ICANN roll Takes at least 30 days, maybe 60 days 😞 KROLL IN-PROGRESS https://github.com/.../Experiment-KROLL.md

Pending Experiments RENUM: Root Server Renumbering 5011X: RFC 5011 Roll-Back FAKER: Lots of Root Servers DOT-Y: Rename Servers to .YETI-DNS PMTNC: Priming Truncation ECDSA: KSK ECDSA Roll FSTRL: Frequent ZSK Roll TCPRT: TCP-only Root

Conclusion Results are finally appearing Don’t forget to send us queries! Join us at the next Yeti Workshop Before IETF 97 in Seoul (2016-11-12)

Image Credits Traffic: https://www.youtube.com/...0rOO4qlzJVQ Science: https://commons.wikimedia.org/...nd.svg

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.