Mr
Kazunori Fujiwara
(Japan Registry Services Co., Ltd)
5/12/13, 10:20 AM
OARC Public Workshop
JPRS observed that DS queries for JP registered domain names have
been increasing and 3.5% of queries are qtype DS now. This report
presents the current status of JP queries, the reason for the increase in DS
queries, possible situations in the future and some ideas for
countermeasures against this phenomenon.
The reason for the increase in DS queries is the following. An unsigned
domain name does not have...
Jaeson Schultz
(Cisco Systems, Inc)
5/12/13, 10:50 AM
OARC Public Workshop
Bit errors in memory, when they occur in a stored domain name, can direct Internet traffic to the wrong location, potentially compromising security. When a domain name one bit different from a target domain is registered in order to intercept traffic for malicious purposes, the attack is called bitsquatting. For example, by changing only one bit, a target domain such as “twitter.com” can...
Mr
Francis Dupont
(ISC)
5/12/13, 11:15 AM
OARC Public Workshop
There were many reasons to develop a TCP DNS performance test tool,
other than that none was available when I began:
- EDNS0 is not a 100% solution to DNSSEC and/or IPv6 large responses
- rate limiting could lead to more TCP queries via artificially
truncated UDP responses
- ICANN requires in its gTLD applicant guidebook page 218/5-6 module 5
section 5.2.2 some TCP...
Javy de Koning
(NLnet Labs)
5/12/13, 12:00 PM
OARC Public Workshop
The goal of this presentation is to show how to defend against DNS amplification attacks. The presentation will focus on Response Rate Limiting (RRL) and the effectiveness of this defence mechanism against current and future attacks.
Dave Knight
(ICANN)
5/12/13, 12:20 PM
OARC Public Workshop
In March 2013 an L-Root node in Hamburg, Germany received abnormal traffic over a prolonged period of time. Initial inspection of the traffic suggested that L was being used as an amplifier as part of a reflection attack. The short-term effects were mitigated using NSD RRL, which resulted in a decrease in outbound traffic that was noticeable, but smaller than we expected given anecdotal...
Olafur Gudmundsson
(Shinkuro)
5/12/13, 2:00 PM
OARC Public Workshop
In our attempt to quantify/qualify whether a particular DNS resolver is DNSSEC-compliant, we realized that it is important to test for a resolver's major functional behaviors rather than looking for compliance with all possible corner cases. Based on this idea, we designed a series of tests and grades for resolvers based on each test's results. Based on the tests' outcomes we classify...
Dr
Xuebiao Yuchi
(CNNIC)
5/12/13, 2:20 PM
OARC Public Workshop
Recursive DNS is used to resolve other people’s domains. In order to investigate the security, stability and resiliency of recursive DNS used in China, we built a nationwide distributed platform to monitor the status of recursive DNS, including all recursive DNS deployed by the three largest ISPs in China. After analyzing these data generated from this platform, some valuable information for...
Duane Wessels
(Verisign)
5/12/13, 2:40 PM
OARC Public Workshop
Recent attacks bring renewed attention to the millions of open resolvers on the Internet. Discovery of open resolvers has traditionally been done by wide-scale surveys of known name servers or address space. Such surveys suffer from a few problems: (1) probing traffic may be seen as abusive; (2) the desire to provide open resolver addresses to the "good guys" but keep them away from the "bad...
Jared Mauch
(NTT America)
5/12/13, 3:00 PM
OARC Public Workshop
The Open Resolver Project has been performing scans of the entire IPv4 space weekly and has turned up interesting trends and data about the behavior of hosts on the Internet. Many networks and CPE devices pose a risk in replying to DNS traffic, many times in ways that are unexpected or unintended. We are sharing trends and data on our observations, including providing raw data for derivative...
Duane Wessels
(Verisign),
Olafur Gudmundsson
(Shinkuro), Mr
Xuebiao Yuchi
(CNNIC),
Jared Mauch
(NTT)
5/12/13, 3:20 PM
John Heidemann
(ISI)
5/12/13, 4:10 PM
OARC Public Workshop
We have evaluated techniques to enumerate instances of DNS anycast,
comparing the use of CHAOS records, traceroute, and a new proposal
using IN TXT records. Enumeration allows a third party to evaluate
the size of an anycast service, and in some cases to identify
masqueraders operating on the same anycast address.
We have evaluated our approaches on F-root, Packet Clearinghouse,...
Mr
Jian Jin
(CNNIC)
5/12/13, 4:35 PM
OARC Public Workshop
The recent growth of remote DNS services can negatively impact CDN’s performance. CDNs rely on the DNS for replica server selection. DNS based server selection builds on the assumption that, in the absence of information about the client's actual network location, the location of a client's DNS resolver provides a good approximation. Remote DNS breaks this assumption. Consider the performances...
Jim Reid
(NorID)
5/12/13, 5:00 PM
OARC Public Workshop
Norid will be deploying a new DNS monitoring system this year.
As part of this activity, we've been gathering information on current
tools and methodologies, metrics, common data formats and so on.
These will be used to develop best common practices and their application to Norid's requirements.
We'd like to present our findings and stimulate discussion with others who are interested...
Dan York
(Internet Society)
5/12/13, 5:25 PM
OARC Public Workshop
How can we accelerate the global deployment of DNSSEC? What are the major challenges that we as a community need to examine? Over the past 16 months of rolling out the Deploy360 program we've been analyzing the issues and speaking with operators and content providers around the world. In this presentation, we'll present our findings and outline some of the next steps we see as well as work...
Mr
Geoff Huston
(APNIC), Mr
George Michaelson
(APNIC)
5/13/13, 9:00 AM
OARC Public Workshop
With the implementation of a signed root in the DNS, we are now in the initial phases of widespread adoption of DNSSEC. There has been much in the way of surveys of DNSSEC adoption in terms of signed domains, but fewer measurements and studies in the level of use of DNSSEC validation by DNS resolvers and end clients using such resolvers.
The recent announcement by Google regarding the use...
Francis Dupont
(ISC)
5/13/13, 9:25 AM
OARC Public Workshop
1- Presentation of modular group cryptography based on Diffie-Hellman
(even DNSSEC uses on DSA, not DH, DH math is very simple so far easier
to explain and (I expect) to understand)
2- Presentation of elliptic curve cryptography in comparison with
modular group cryptography (vs all the mathematical details), e.g.,
exponentiation is replaced by multiplication
3- The different...
Mr
Matthäus Wander
(University of Duisburg-Essen)
5/13/13, 9:50 AM
OARC Public Workshop
NSEC3 is a mechanism for authenticated denial of existence in DNSSEC-signed zones. To avoid zone enumeration, names are hashed with SHA-1 and only the resulting hash values are enumerable. In this talk, we present a GPU-based tool for NSEC3 hash breaking, written in OpenCL and Python. The tool can compute 1.8 billion NSEC3 iterations per second on a high-end gaming GPU (AMD Radeon HD 7970). We...
Ed Lewis
(Neustar)
5/13/13, 10:15 AM
OARC Public Workshop
Basically, why RRL is only a nice first step, but I want to change the protocol some.
Duane Wessels
(Verisign)
5/13/13, 10:40 AM
OARC Public Workshop
DNSHarness is an open-source tool for testing multiple DNS server implementations. Tests are scripted and may be executed against a number of different implementations in sequence. DNSHarness runs on Linux and uses VirtualBox to build and run all of the popular open source DNS software packages. It can also test closed source implementations running externally.
Duane Wessels
(Verisign)
5/13/13, 11:00 AM
OARC Public Workshop
dnscap is a DNS-specific packet capture utility. It has recently been given a plugin-style architecture, such that the user can specify multiple modules to analyze captured packets. One such module provides statistics for root server operators. Plugins may even be written by end users and/or third parties.
Keith Mitchell
(DNS-OARC)
5/13/13, 11:40 AM
OARC Members Session
The OARC Board recently had a retreat to consider OARC's strategy and development. The output from this is a development plan, which the President will be sharing with OARC's members and other interested parties, as well as an update on OARC's recent progress and current status.
Mr
Keith Mitchell
(DNS-OARC), Mr
William Maton
(DNS-OARC)
5/13/13, 12:10 PM
OARC Members Session
The presentation will go over the short history of systems at DNS-OARC and go through future directions to satisfy member demand and bring about the modernization required.