Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with.

Slides:

Advertisements

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Advertisements

Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March

Review iClickers. Ch 1: The Importance of DNS Security.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

RSVP Cryptographic Authentication "...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

Time Domain Interest Group. Simple Time Series Note posted to IVOA in Madrid –

DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC Ólafur Guðmundsson

IETF 68, MPLS WG, Prague P2MP MPLS-TE Fast Reroute with P2MP Bypass Tunnels draft-leroux-mpls-p2mp-te-bypass-01.txt J.L. Le Roux (France Telecom) R. Aggarwal.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

NSEC3 Status and Issues IETF March 2006 Geoffrey Sisson Ben Laurie Roy Arends.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.

MPTCP – MULTIPATH TCP Interim meeting #3 20 th October 2011 audio Yoshifumi Nishida Philip Eardley.

QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.

Rolling the Keys of the DNS Root Zone Geoff Huston APNIC Labs.

15 July 2003draft-ietf-dnsext-wcard-clarify-00.txt1 Wildcard Clarify draft-ietf-dnsext-wcard-clarify-00.txt.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

This is the DNSEXT Working Group (where the microphones are at Scandic hights) San Diego IETF60

How to use DNS during the evolution of ICN? Zhiwei Yan.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Slide 1 July 2006, Montreal, QuebecIETF DNSEXT 2929bis Donald E. Eastlake 3 rd

New Revision of the Interactive Connectivity Establishment (ICE) IETF 85, Atlanta November 6 th, 2012 Ari Keränen.

Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

0 NAT/Firewall NSLP IETF 63th – August 2005 draft-ietf-nsis-nslp-natfw-07.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.

Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015.

August 2, 2005IETF63 EAP WG AAA-Key Derivation with Lower-Layer Parameter Binding (draft-ohba-eap-aaakey-binding-01.txt) Yoshihiro Ohba (Toshiba) Mayumi.

Slide 1 November 2005, Vancouver, BCIETF DNSEXT 2929bis etc. Donald E. Eastlake 3 rd

64th IETF Vancouver November 2005 ASON-Compatible Signaling.

PMIPv6 multicast handover optimization by the Subscription Information Acquisition through the LMA (SIAL) Luis M. Contreras Telefónica I+D Carlos J. Bernardos.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

DNSSec.TLD is signed! What next? V.Dolmatov November 2011.

The Troubleshooting Process. Hardware Maintenance Make sure that the hardware is operating properly.  Check the condition of parts.  Repair or replace.

Lecture 20 DNS Sec Slides adapted from Olag Kampman

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

Living on the Edge: (Re)focus DNS Efforts on the End-Points

Extending Option Space Discussion Overview and its requirements

RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • •

IKEv2 Mobility and Multihoming Protocol (MOBIKE)

DNSSEC Basics, Risks and Benefits

nsd a Name Service Daemon

draft-zhang-dnsext-test-result-00

IEEE MEDIA INDEPENDENT HANDOVER DCN:

Migration-Issues-xx Where it’s been and might be going

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

Daniel Kaiser, Christian Huitema IETF 98 March 28, 2017

Multi-server Namespace in NFSv4.x Previous and Pending Updates

DNS operator transfers with DNSSEC

DNSSEC Status Update in UA

The Curious Case of the Crippling DS record

OSPF WG Supporting Authentication Trailer for OSPFv3

Presentation transcript:

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with Jakob Schlyter [2] with Johan Ihren and Roy Arends

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 2 Key Signing Key (KSK) Flag draft-ietf-dnsext-keyrr-key-signing-flag-03 with Jakob Schlyter

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 3 The Gist Operational need to distinguish between key- singing keys and zone-signing keys. Not used in the protocol and verification process but useful for troubleshooting and key exchanges. Use the 15th bit so that the parity determines the ‘role’ of the key, that’s for us… humans.

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 4 Example Before: net 300 IN KEY Ox1tVxw+j IN KEY OTxq2ce5J... After: net 300 IN KEY Ox1tVxw+j IN KEY OTxq2ce5J... KSK

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 5 What’s next Final update and last call?

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 6 DNSSEC Wildcard Optimization draft-olaf-dnsext-dnssec-wildcard-optimization-01 with Johan Ihren and Roy Arends

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 7 Background –Assumption: One needs proof for non-existence of a wildcards. –The proof is to be supplied in the common case where there is no wildcard in a zone. –That proof is complicated and somewhat expensive in terms of computational resources and packet size. –Is there a way to signal that there is no wildcard in a zone?

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 8 Very common case Root will need to proof that *. does not exist. As an aside: –Some people love the idea of a wildcard at the root

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 9 The proposal Use a bit in the NXT RRs type bitmap to signal non-existence of wildcards The meaning: There is no wildcard expansion possible of any name in the zone’s namespace spanned by a NXT RR. Simplest algorithm to set the bit: –Turn it on on all NXT RRs in the zone if there are no wildcards in the zone –Turn it of on all NXT RRs in the zone if there is any wildcard in the zone

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA Server side If the NXT RR proving the non-existence of an exact match has the bit set then no further NXT RRs are needed. If the bit is not set on that NXT RR a full denial of existence needs to be served.

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA Resolvers Side When bit is set on the NXT RR proving the denial of existence of the QNAME, no further proof is needed; Full RFC2535 type proof of non existence is to be expected and processed if the bit is not set.

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA Pros and Cons Pro: Shortcut to a simple and fast code path for server and resolver in the case there are no wildcards. Smaller footprint on the wire and in caches. Con: Although bypassed in the ‘common case; the complicated verification code is still needed. Special meaning of type bitmap bit: –RR type code without RR. –Backwards incompatible (needs to piggyback on DS flag date)

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA Current version of doc. The suggested algorithm for setting the bit contains an error –Details will be posted to namedroppers Clarifications are needed

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA What’s next Update the draft Does the working group think this is a sane path. General comment: DNSSEC protocol specs need to describe algorithm for denial of authentication of wildcards –If not, resolver implementers will do it wrong. –No need for more than 2 NXT RRs? (Give me an example that needs more.)

Olaf M. Kolkman. IETF55, November 2002, Atlanta GA Questions???