RIPE 70 report webinar

Uploaded by men-and-mice, posted 07-Aug-2015

© Men & Mice http://menandmice.com

RIPE 70 review

2nd June 2015

Agenda

RIPE 70 (and DNS-OARC) in Amsterdam

DNS, DNSSEC, IPv6

The following information is an excerpt of the RIPE meeting; for a full overview of all activities at RIPE 70, see https://ripe70.ripe.net/archives/

DNS

Synchronising DNS parent and child zones using the DNS protocol

DNS TTL issues (too long, multiple hours):

  30 %  < 2 hours
  57 %  2h - 1 day
  13 %  > 1 day

• DNS delegation updates take too long
• DNSSEC key rollovers are not possible in one work-day
• the DNS hoster needs access to the registrar/registry

https://ripe70.ripe.net/archives/video/20/

DNSSEC Trust update today

The slides animate one delegation diagram; the records shown are:

  parent auth DNS (com):
    com           IN SOA    …
    com           IN NS     a.gtld-servers.net.
    example.com.  IN NS     ns1.example.com.
    example.com.  IN DS     8980 8 2 9E69BD0E3…

  child auth DNS (example.com):
    example.com   IN SOA    …
    example.com   IN NS     ns1.example.com.
    example.com.  IN DNSKEY 257 3 8 …

Manual process today:

• delegation: the parent's NS records point to the child's name servers
• DNSSEC trust: the parent's DS record anchors the child's DNSKEY
• create DS from public DNSSEC KSK (example.com. IN DS 8980 8 2 9E69BD0E3…)
• enter DS into registrar web frontend (example.com. IN DS 40924 8 2 3C30447…)
• parent zone update: the parent now serves example.com. IN DS 40924 8 2 3C30447…

Automating DNSSEC Delegation Trust Maintenance (RFC 7344)

The child adds to its apex, next to its DNSKEY RRset: example.com. IN CDS 40924 8 2 3C30447…

• child publishes new DS record as CDS record
• parent DNS server polls (TTL) for new CDS records
• parent DNS checks DNSSEC signature on CDS record
• parent DNS updates parent zone (example.com. IN DS 40924 8 2 3C30447…)
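
The DS derivation and the parent-side CDS check from the two walkthroughs above, as an added Python example (not code from the Men & Mice deck, from ISC, or from any registry): make_ds() builds the DS RDATA of RFC 4034 from a DNSKEY, and reconcile_delegation() models what a parent does after polling the child's CDS RRset. The function names, the constructed key bytes and the cds_rrsig_valid flag (RRSIG validation itself is out of scope here and is supplied by the caller) are my assumptions, not anything from the slides.

```python
# Added example (not from the Men & Mice slides): derive a DS record from a DNSKEY as
# RFC 4034 section 5.1.4 specifies, and model the parent-side CDS check of RFC 7344 that
# the slides walk through. All key material below is constructed for the demo.
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag of RFC 4034 Appendix B.1 (all algorithms except the obsolete RSA/MD5 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA (key tag, algorithm, digest type, hex digest) for one DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA); type 2 is SHA-256, as in the slides."""
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def reconcile_delegation(owner, parent_ds, child_cds, child_dnskeys, cds_rrsig_valid):
    """Parent-side decision after polling the child's CDS RRset.

    parent_ds / child_cds : sets of DS tuples as returned by make_ds()
    child_dnskeys         : list of (flags, protocol, algorithm, pubkey) from the child apex
    cds_rrsig_valid       : result of validating the CDS RRSIG against the chain rooted in
                            the *current* DS; signature crypto is out of scope here, so the
                            caller supplies it (hypothetical parameter)
    Returns (action, detail) with action in {"reject", "unchanged", "update"}.
    """
    if not cds_rrsig_valid:
        return ("reject", "CDS RRset does not validate under the current DS")
    if set(child_cds) == set(parent_ds):
        return ("unchanged", sorted(parent_ds))
    # Every CDS must be derivable from a SEP (KSK, flags 257) DNSKEY the child actually
    # publishes; otherwise the child would be asking the parent to break its chain of trust.
    derivable = set()
    for flags, protocol, algorithm, pubkey in child_dnskeys:
        if flags & 0x0001 == 0:          # bit 15 = SEP flag, set on KSKs
            continue
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        for digest_type in DIGEST_TYPES:
            derivable.add(make_ds(owner, rdata, digest_type))
    unknown = set(child_cds) - derivable
    if unknown:
        return ("reject", "CDS does not match any published KSK: %r" % sorted(unknown))
    return ("update", sorted(child_cds))


# --- constructed demo data (not real keys) -------------------------------------------
OWNER = "example.com."
OLD_KSK = (257, 3, 8, bytes(range(1, 65)))      # flags 257 = ZONE + SEP, proto 3, RSA/SHA-256
NEW_KSK = (257, 3, 8, bytes(range(65, 129)))
OLD_DS = make_ds(OWNER, dnskey_rdata(*OLD_KSK))
NEW_DS = make_ds(OWNER, dnskey_rdata(*NEW_KSK))


def rollover_demo() -> dict:
    """Replay the slides: the parent holds OLD_DS; the child publishes NEW_DS as CDS while
    both KSKs are in its DNSKEY RRset; the parent polls, validates and updates."""
    steps = {}
    steps["before"] = reconcile_delegation(OWNER, {OLD_DS}, {OLD_DS}, [OLD_KSK], True)
    steps["roll"] = reconcile_delegation(OWNER, {OLD_DS}, {NEW_DS}, [OLD_KSK, NEW_KSK], True)
    steps["bad_sig"] = reconcile_delegation(OWNER, {OLD_DS}, {NEW_DS}, [OLD_KSK, NEW_KSK], False)
    steps["no_key"] = reconcile_delegation(OWNER, {OLD_DS}, {NEW_DS}, [OLD_KSK], True)
    return steps


if __name__ == "__main__":
    for name, (action, detail) in rollover_demo().items():
        print("%-8s %-9s %s" % (name, action, detail))
```

Run it and the four scenarios print: an unchanged delegation, a successful roll to the new KSK, a CDS whose RRSIG does not validate under the current DS, and a CDS that names a key the child does not publish; only the second results in a parent zone update. The real RFC 7344 parent additionally has to confirm that the child's DNSKEY RRset is signed by the key the new DS points at; the model approximates that by requiring every CDS to be derivable from a published SEP key.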

Knot-DNS 2.0 DNS Server

• Knot 1.6 - long term support
• KASP based DNSSEC
• new configuration format (simple YAML compiled into LMDB database)
• automatic key generation and ZSK rollover
• support for zone templates
• switch to GnuTLS from OpenSSL

https://ripe70.ripe.net/archives/video/37/

The Knot-DNS resolver

new "work in progress" DNS resolver from the Knot-DNS team

• persistent cache
  • default LMDB
  • memcached backend option
  • cache storage backend exchangeable at runtime
• "best-effort" QNAME minimisation
• written in C and Lua, libuv (Async-IO from Node.js)
• anything scriptable
• interactive console

https://ripe70.ripe.net/archives/video/81/
https://github.com/CZ-NIC/knot-resolver
http://knot-resolver.readthedocs.org/en/latest/

DNSSEC look-aside validation (DLV) sunset

ISC plans to shut down the public DLV registry @ http://dlv.isc.org

• remove zones where the parent has DNSSEC
• do not accept new zones below parents that operate DNSSEC (early 2016)
• purge old zones in 2016
• remove all DLV in 2017
• empty zone will be kept online

https://ripe70.ripe.net/archives/video/42/

Network tuning for DNS zone transfers

DeNIC tested different TCP congestion control modules in Linux:

• 1.5 GB zone file transfer, 158 MB IXFR
• because of DNSSEC, zone transfer size is growing
• tested TCP-CUBIC, TCP-Illinois and TCP-Hybla
• TCP-Hybla was the winner for long-range, high-latency connections

https://ripe70.ripe.net/archives/video/84/

Zonemaster DNS and DNSSEC testing tool

TRTF - Test Requirement Task Force: https://github.com/CENTRccTLDs/TRTF

part of the work done for the zonemaster DNS/DNSSEC testing tool: https://zonemaster.net

https://ripe70.ripe.net/archives/video/38/

DNS based DDoS attacks

from the DNS-OARC Spring meeting:

• A countermeasure of random subdomain attacks (Aggressive negative caching with NSEC)
• Dealing with large DNS packet floods
• Everyday attacks against Verisign-operated DNS infrastructure
• Drilling down into DNS DDoS Data
• Update on experimental BIND features to rate-limit recursive queries

https://indico.dns-oarc.net/event/21/timetable/#20150509
https://indico.dns-oarc.net/event/21/timetable/#20150510
Videos: https://indico.dns-oarc.net/event/21/

DDoS mitigation: rate limiting recursive queries

experimental "fetches-per-server" and "fetches-per-zone" feature in BIND 9

monitors the responsiveness of the upstream authoritative DNS server

experimental feature available in the BIND 9 subscription version

https://indico.dns-oarc.net/event/21/contribution/27/material/slides/0.pdf
https://www.youtube.com/watch?v=YCXx0RlaokQ (start @ 2:45)
https://kb.isc.org/article/AA-01178/0/Recursive-Client-Rate-limiting-in-BIND-9.9-Subscription-Version.html
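
A model of the quota mechanism on this slide, added here as an illustration (this is not ISC's BIND code; the class and function names are mine and the scenario data is constructed). The point worth seeing in code is that fetches-per-zone and fetches-per-server cap *outstanding* fetches rather than a query rate: a slot is released only when the upstream answers or the fetch times out, so an unresponsive authoritative server throttles what the resolver sends towards it without any explicit rate being configured.

```python
# Added example (not ISC's BIND code): a model of per-zone / per-server fetch quotas.
# Class name, method names and the scenario below are my own constructions.
from collections import defaultdict


class FetchQuota:
    """Cap the number of outstanding recursive fetches per authoritative zone and per
    authoritative server. Unlike a rate limit, a counter only drops when the upstream
    answers (or the fetch times out), so a slow or flooded authoritative server
    automatically limits what the resolver sends towards it."""

    def __init__(self, per_zone: int, per_server: int, mode: str = "fail"):
        if mode not in ("fail", "drop"):   # BIND's two choices: SERVFAIL the client, or drop
            raise ValueError("mode must be 'fail' or 'drop'")
        self.per_zone, self.per_server, self.mode = per_zone, per_server, mode
        self.zone_out = defaultdict(int)     # outstanding fetches per zone
        self.server_out = defaultdict(int)   # outstanding fetches per upstream server
        self.stats = defaultdict(int)

    def start_fetch(self, zone: str, server: str) -> str:
        """A client query needs a fetch to `server` for a name in `zone`.
        Returns 'sent', 'servfail' or 'drop'."""
        if self.zone_out[zone] >= self.per_zone or self.server_out[server] >= self.per_server:
            outcome = "servfail" if self.mode == "fail" else "drop"
            self.stats[outcome] += 1
            return outcome
        self.zone_out[zone] += 1
        self.server_out[server] += 1
        self.stats["sent"] += 1
        return "sent"

    def finish_fetch(self, zone: str, server: str) -> None:
        """The upstream answered or the fetch timed out: release the slot."""
        self.zone_out[zone] -= 1
        self.server_out[server] -= 1


def flood_demo(n_queries: int = 10, per_zone: int = 4, per_server: int = 100) -> dict:
    """Constructed scenario: n queries for distinct names in one zone arrive while that
    zone's authoritative server is not answering; then the server recovers."""
    q = FetchQuota(per_zone=per_zone, per_server=per_server)
    for _ in range(n_queries):                 # server unresponsive: nothing completes
        q.start_fetch("victim.example", "ns1.victim.example")
    during_outage = dict(q.stats)              # per_zone fetches in flight, the rest SERVFAIL
    for _ in range(per_zone):                  # upstream recovers: outstanding fetches complete
        q.finish_fetch("victim.example", "ns1.victim.example")
    after_recovery = q.start_fetch("victim.example", "ns1.victim.example")
    return {"during_outage": during_outage, "after_recovery": after_recovery}


if __name__ == "__main__":
    print(flood_demo())
```

With the defaults, the model sends four fetches and answers the remaining six clients with SERVFAIL while the upstream is silent, and resumes sending as soon as the outstanding fetches complete. The per-server quota works the same way across zones, which is what protects a resolver when many unrelated zones are hosted on one struggling authoritative server.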

Root-Zone KSK rollover

the current DNS root-zone KSK has already been in use for 5 years

• "rolling" the KSK would be good practice
• larger DNS answers
• first real-world test for RFC 5011 trust anchor updates

https://ripe70.ripe.net/archives/video/86/
https://ripe70.ripe.net/archives/video/87/

ECDSA is your friend

CloudFlare is planning to sign DNS zones with the ECDSA DNSSEC algorithm

• ECDSA was standardised in April 2012
• 80% can validate ECDSA
• on-the-fly signing: ECDSA is fast and small
• comparison of crypto RSA vs. ECDSA in OpenSSL

https://ripe70.ripe.net/archives/video/40/
https://github.com/ogud/DNSSEC_ALG_Check

IPv6

IPv6 segment routing

control the path of a packet through the network

security issues of RH option 0 (RFC 5095) fixed (HMAC authentication)

uses routing header option type 4

Linux 3.14 kernel patch

http://www.segment-routing.org/
https://ripe70.ripe.net/archives/video/18/
https://ripe70.ripe.net/archives/video/19/
http://github.com/segment-routing/sr-ipv6
http://github.com/segment-routing/seg6ctl

IPv6 segment routing

use cases:

• regulation (national routing)
• encryption
• compression
• Deep Packet Inspection (DPI)
• Netflow
• NAT
• …

IPv6 extension headers

Wilhelm Boeddinghaus: Use Cases for IPv6 Extension Headers - Let's Do Some Marketing

• transit networks are blocking IPv6 extension headers
• possible reason: admin "bad feeling"
• which EH to pass and which to filter
• use cases for EH
  • fragmentation
  • IPSec encryption
• if no-one is using EH, it is "dead"

https://ripe70.ripe.net/archives/video/83/

don't miss our trainings

• US DNS and BIND
  • June 8 – 9, 2015: Introduction to DNS & BIND Hands on, Orlando (FL), USA
  • June 8 – 12, 2015: Introduction & Advanced DNS and BIND Hands on, Orlando (FL), USA
• Europe
  • July 6 – 7, 2015: Introduction to DNS & BIND Hands on, Amsterdam, The Netherlands
  • July 6 – 10, 2015: Introduction & Advanced DNS and BIND Hands on, Amsterdam, The Netherlands

don't miss our next webinars

• 30.07.2015 – IETF 93 Report
• 18.08.2015 – DNS-Resolver monitoring using DNSTAP and Unbound
• Signup @ https://www.menandmice.com/resources/educational-resources/webinars

Q/A

2015 Schedule, Slides, Links, Recording and errata can be found @ https://www.menandmice.com/resources/educational-resources/webinars/