OARC Spring 2013 Workshop (Dublin)

Europe/Dublin
Burlington Hotel

Burlington Hotel

Connaught Suite, Upper Leeson Street, Dublin 4, Ireland
Keith Mitchell (DNS-OARC)
Description
DNS-OARC is pleased to announce that its 2013 Spring Workshop will take place in Dublin, Ireland, on the 12th and 13th May. This will be at the same location as the subsequent RIPE66 meeting, and is sponsored by:
IEDR"

The meeting will run all day Sunday 12th, including lunch, and a Sunday evening social event. The meeting will continue on the morning of Monday 13th, which includes an OARC members update session.

Coffee Break Sponsor:  Nominet"

Social Sponsors:APNIC"     New Zealand Registry Services"     RIPE NCC"

Places for the social are limited to OARC Spring Workshop 2013 meeting attendees, so please ensure you have your attendee bage with you when you arrive at the venue.

Start time: 6.30pm
Food from: 7.15pm
--> Click for directions to Social Venue <--




Participants
  • Anand Buddhdev
  • Andrew Sullivan
  • Anlei Hu
  • Antoin Verschuren
  • Betty Burke
  • Billy Glynn
  • Brad Verd
  • Brendan Boyd
  • Brendan Minish
  • Brett Carr
  • Bruce Van Nice
  • Carsten Strotmann
  • Cathy Almond
  • Christian Petrasch
  • Colm MacCarthaigh
  • Conor Quigley
  • Dan York
  • Dave Knight
  • David Malone
  • Denesh Bhabuta
  • Dmitry Kohmanyuk
  • Duane Wessels
  • Eduardo Mercader
  • Edward Lewis
  • Einar Lönn
  • Elmar K. Bins
  • Fabio Bardella
  • Filippo Giunchedi
  • Florian Maury
  • Francis Dupont
  • Frederic Simons
  • Gareth Bradshaw
  • Gavin Brown
  • Geoff Huston
  • George Michaelson
  • Greg Choules
  • Greg Patrick
  • Henrik Levkowetz
  • Izumi Okutani
  • Jaap Akkerhuis
  • Jaeson Schultz
  • Jake McAleer
  • Jake Zack
  • Jakob Schlyter
  • James Raftery
  • Jared Mauch
  • Jarle Fredrik Greipsland
  • Jaromir Talir
  • Javy de Koning
  • Jian Jin
  • Jim Martin
  • Jim Reid
  • Joe Abley
  • John Crain
  • John Heidemann
  • Jonathan Tuliani
  • João Luis Siva Damas
  • Kazunori Fujiwara
  • Keith Mitchell
  • Lars-Johan Liman
  • Liam Hynes
  • Marco Davids
  • Marcos Sanz
  • Matt Larson
  • Matthew Pounsett
  • Matthijs Mekking
  • Matthäus Wander
  • Mauricio Vergara Ereche
  • Merike Kaeo
  • Michele Neylon
  • Niall O'Reilly
  • Ondrej Filip
  • Patrik Wallström
  • Peter Budkowski
  • Peter Koch
  • Peter Losher
  • Randy Bush
  • Ray Bellis
  • Rich Archbold
  • Rob Austein
  • Robert Gallagher
  • Rod Rasmussen
  • Roy Arends
  • Samuel Weiler
  • Sandoche BALAKRICHENAN
  • Sebastian Castro
  • Shane Kerr
  • Siôn Lloyd
  • Stephen Malone
  • Stéphane Bortzmeyer
  • Suzanne Woolf
  • Thomas Dupas
  • Ting Wei
  • Tomas Hlavacek
  • Tonny Yu
  • Tony Cundari
  • Valeri Liborski
  • Vasily Dolmatov
  • Vincent Levigneron
  • Vlad Romanenko
  • Warren Kumari
  • William Maton
  • Xuebiao Yuchi
  • Ólafur Guðmundsson
    • 9:30 AM
      Registration
    • 1
      Cache Attacks
      Speaker: Greg Choules (Three UK)
      Slides
    • 2
      Increasing DS queries for JP DNS servers and a proposal for its countermeasures
      JPRS observed that DS queries for JP registered domain names have been increasing and 3.5% of queries are qtype DS now. This report presents current status of JP queries, the reason of increasing DS queries, possible situations in the future and some idea of countermeasures for this phenomena. The reason of increasing DS queries is the following. An unsigned domain name does not have a DS RR in its TLD zone. NCACHE TTL is smaller than normal RR TTL in many TLDs. DNSSEC validators need to know DS RR existence for each query name. As a result, each DNSSEC validator may send DS queries for TLD DNS servers one zone cut per NCACHE TTL seconds.
      Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)
      Slides
    • 3
      Vectors for Bitsquatting Attacks
      Bit errors in memory, when they occur in a stored domain name, can direct Internet traffic to the wrong location, potentially compromising security. When a domain name one bit different from a target domain is registered in order to intercept traffic for malicious purposes, the attack is called bitsquatting. For example, by changing only one bit, a target domain such as “twitter.com” can become the bitsquat domain “twitte2.com”.
      Speaker: Jaeson Schultz (Cisco Systems, Inc)
      Slides
    • 4
      a TCP DNS performance test tool
      There were many reasons to develop a TCP DNS performance test tool, others than there was none available when I began: - EDNS0 is not a 100% solution to DNSSEC and/or IPv6 large responses - rate limiting could lead to more TCP queries via artificially truncated UDP responses - ICANN requires in its gTLD applicant guidebook page 218/5-6 module 5 section 5.2.2 some TCP performances... - IXIA boxes could do the job but are a bit expensive This presentation is about a TCP DNS performance test tool and its findings.
      Speaker: Mr Francis Dupont (ISC)
      Poster
      Slides
    • 11:40 AM
      Coffee
    • 5
      Defending against DNS Amplification Attacks
      The goal of this presentation is to show how to defend against DNS amplification attacks. The presentation will focus on Response Rate Limiting (RRL) and the effectiveness of this defence mechanism against current and future attacks.
      Speaker: Javy de Koning (NLnet Labs)
      Slides
    • 6
      Comparison of RRL behaviour in BIND9, Knot DNS, and NSD
      In March 2013 an L-Root node in Hamburg, Germany received abnormal traffic over a prolonged period of time. Initial inspection of the traffic suggested that L was being used as an amplifier as part of a reflection attack. The short-term effects were mitigated using NSD RRL, which resulted in a decrease in outbound traffic that was noticeable, but smaller than we expected given anecdotal reports from other DNS operators using BIND9 RRL. Full packet captures of the request traffic were retained for further analysis. This retained data was used to replay the query traffic against a variety of authoritative servers that have implemented some form of response rate limiting, in order to compare the implementations from an operational perspective.
      Speaker: Dave Knight (ICANN)
      Slides
    • 12:40 PM
      Lunch
    • 7
      PGP Signing Session
      Key printout
      Keyring file
      Keyring file SHA1 checksum
      Paper
      As a way to build community and expand the web of trust, DNS-OARC runs Key Signing Parties whenever it's possible. We'll have one during the Spring Workshop in Dublin, during the lunch break on Sun May 12th.
       
      In order to participate, you will need:
       
      1. Upload your key to the event keyring. The deadline to have your key uploaded is Sun May 12th at 11:50 (during the coffee break). That will give the party coordinator time to print the key list and be ready for the signing.
      2. At 13:00 we will convene at the reception desk. All participants will receive a printout with the keys, and you'll need to bring a government-issued identification (passport, driver's license) or an alternative form of ID (employee ID). You will also need a trusted source of your key's fingerprint, which can be your business card, a piece of paper or your laptop screen.
      3. Following the order on the key printout, every participant will have a turn to read their key fingerprint *from its trusted source*, while the rest will verify the fingerprint matches the one listed in the printout.
      4. Once all fingerprints are read, every participant will circulate his/her identification document, to allow the rest to confirm identity.
      5. Now the party is over. It's up to each participant, if satisfied with the fingerprint and ID, to sign other's keys. To make things easier, it's recommended to download the keyring, import it, and then sign the individual keys. Once signed, you'll like to email the signed key back to the owner, and optionally upload the signed key to a PGP server.
       
    • DNS Reflection Attacks
      Convener: Merike Kaeo (Internet Identity)
      • 8
        Classifying Resolver Capabilities
        In our attempt to quantify/qualify whether a particular DNS resolver is DNSSEC-compliant, we realized that it is important to test for a resolver's major functional behaviors rather than looking for compliance with all possible corner cases. Based on this idea, we designed a series of tests and grades for resolvers based on each test's results. Based on the tests' outcomes we classify resolvers into categories.
        Speaker: Olafur Gudmundsson (Shinkuro)
        Slides
      • 9
        Monitoring Recursive DNS in China
        Recursive DNS is used to resolve other people’s domains. In order to investigate the security, stability and resiliency of recuisive DNS used in China, we bulit a nationwide distributed platform to monitor the status of recursive DNS, including all recursive DNS deployed by the three largest ISPs in China. After analyzing these data generated from this platform, some valuable information for these recursive DNS was found.
        Speaker: Dr Xuebiao Yuchi (CNNIC)
        Slides
      • 10
        Self-Serve Open Resolver Testing
        Recent attacks bring renewed attention to the millions of open resolvers on the Internet. Discovery of open resolvers has traditionally been done by wide-scale surveys of known name servers or address space. Such surveys suffer from a few problems: (1) probing traffic may be seen as abusive; (2) the desire to provide open resolver addresses to the "good guys" but keep them away from the "bad guys"; and (3) big surveys take a long time and are updated on the surveyor's schedule. Verisign has developed a new tool that allows network administrators to scan their own address space for open resolvers at their own convenience and quickly view the results.
        Speaker: Duane Wessels (Verisign)
        Slides
      • 11
        Open Resolver Project
        The Open Resolver Project has been performing scans of the entire IPv4 space weekly and has turned up interesting trends and data about the behavior of hosts on the Internet. Many networks and CPE devices pose a risk in replying to DNS traffic, many times in ways that are unexpected or unintended. We are sharing trends and data on our observations, including providing raw data for derivative research.
        Speaker: Jared Mauch (NTT America)
        Slides
      • 12
        Panel Discussion
        Speakers: Duane Wessels (Verisign), Olafur Gudmundsson (Shinkuro), Mr Xuebiao Yuchi (CNNIC), jared mauch (NTT)
    • 3:40 PM
      Coffee
    • 13
      Anycast Enumeration of Large DNS Services
      We have evaluated techniques to enumerate instances of DNS anycast, comparing the use of CHAOS records, traceroute, and a new proposal using IN TXT records. Enumeration allows a third party to evaluate the size of an anycast service, and in some cases to identify masqueraders operating on the same anycast address. We have evaluated our approaches on F-root, Packet Clearinghouse, and the AS112 anycast infrastructures to compare the completeness of our approaches. Joe Abley and L-Root has deployed an IN-based system to support these approaches, and we have also compared tehse results against their ground truth.
      Speaker: John Heidemann (ISI)
      Handout
      Slides
    • 14
      Remote DNS services and Content delivery networks
      The recent growth of remote DNS services can negatively impact CDN’s performance. CDNs rely on the DNS for replica server selection. DNS based server selection builds on the assumption that, in the absence of information about the client's actual network location, the location of a client's DNS resolver provides a good approximation. Remote DNS breaks this assumption. Consider the performances of both remote DNS and CDN, a practical industry solution should be proposed.
      Speaker: Mr Jian Jin (CNNIC)
      Slides
    • 15
      DNS monitoring for Norway
      Norid will be deploying a new DNS monitoring system this year. As part of this activity, we've been gathering information on current tools and methodologies, metrics, common data formats and so on. These will be used to develop best common practices and their application to Norid's requirements. We'd like to present our findings and stimulate discussion with others who are interested in this topic and willing/able to share information, collaborate on code or procedures, etc.
      Speaker: Jim Reid (NorID)
      Slides
    • 16
      Next Steps In Accelerating DNSSEC Deployment
      How can we accelerate the global deployment of DNSSEC? What are the major challenges that we as a community need to examine? Over the past 16 months of rolling out the Deploy360 program we've been analyzing the issues and speaking with operators and content providers around the world. In this presentation, we'll present our findings and outline some of the next steps we see as well as work that is already happening within the community.
      Speaker: Dan York (Internet Society)
      Slides
    • 6:30 PM
      Social Event Waterloo Bar

      Waterloo Bar

      Drinks and Finger Buffet

    • 17
      Measuring DNSSEC
      With the implementation of a signed root in the DNS, we are now in the initial phases of widespread adoption of DNSSEC. There has been much in the way of surveys of DNSSEC adoption in terms of signed domains, but fewer measurements and studies in the level of use of DNSSEC validation by DNS resolvers and end clients using such resolvers. The recent announcement by google regarding the use of DNSSEC validation in their public DNS product (8.8.8.8) has increased interest in this topic. We have been undertaking a novel form of measurement of DNSSEC that uses online advertizing channels to enroll a large number of clients internet-wide to undertake specific DNS tasks that include aspects of DNSSEC behaviour. in this presentation we will explore the methodology, and present some initial findings related to the extend of DNSSC validation by clients, and the behaviours of DNS resolvers when presented with both valid and invalid DNSSEC keychains.
      Speakers: Mr Geoff Huston (APNIC), Mr George Michaelson (APNIC)
      Slides
    • 18
      The use of Elliptic Curve Cryptography in DNSSEC
      1- Presentation of modular group cryptography based on Diffie-Hellman (even DNSSEC uses on DSA, not DH, DH math is very simple so far easier to explain and (I expect) to understand) 2- Presentation of elliptic curve cryptography in comparison with modular group cryptography (vs all the mathematical details), e.g., exponentation is replaced by multiplication 3- The different parameters used in DNSSEC (primes, keys, etc), including by PKCS#11, with some words about standard optimizations (again not explaining them but showing how to recognize them) 4- Pros and Cons of ECDSA in DNSSEC (pros 20 times faster, smaller parameters, cons (inherited from DSA) requires a random number for signing, verification slower than signing) 5- ECDSA in practice (bind 9, etc) and open real world questions (e.g., what are the registries which accept ECDSA KSKs/DS RRs) 6- A word about hidden ECC in DNSSEC (GOST which is in fact ECDSA, Chinese commercial crypto too) as a conclusion.
      Speaker: Francis Dupont (ISC)
      Paper
      Slides
    • 19
      GPU-based NSEC3 Hash Breaking
      NSEC3 is a mechanism for authenticated denial of existence in DNSSEC-signed zones. To avoid zone enumeration, names are hashed with SHA-1 and only the resulting hash values are enumerable. In this talk, we present a GPU-based tool for NSEC3 hash breaking, written in OpenCL and Python. The tool can compute 1.8 billion NSEC3 iterations per second on a high-end gaming GPU (AMD Radeon HD 7970). We discuss hash breaking optimization attempts which are inspired by password cracking techniques. The results are meant to aid operators in deciding whether NSEC3 is a useful building block for their DNSSEC setup.
      Speaker: Mr Matthäus Wander (University of Duisburg-Essen)
      Slides
    • 20
      DNS Security: Beyond DNSSEC, A "He Must Be Nearing Retirement" Manifesto
      Basically, why RRL is only a nice first step, but I want to change the protocol some.
      Speaker: Ed Lewis (Neustar)
      Slides
    • 21
      DNSHarness
      DNSHarness is an open-source tool for testing multiple DNS server implementations. Tests are scripted and may be executed against a number of different implementations in sequence. DNSHarness runs on Linux and uses VirtualBox to build and run all of the popular open source DNS software packages. It can also test closed source implementations running externally.
      Speaker: Duane Wessels (Verisign)
      Slides
    • 22
      Changes and updates to dnscap
      dnscap is a DNS-specific packet capture utility. It has recently been given a plugin-style architecture, such that the user can specify multiple modules to analyze captured packets. One such module provides statistics for root server operators. Plugins may be even be written by end users and/or third parties.
      Speaker: Duane Wessels (Verisign)
      Slides
    • 11:15 AM
      Morning Break
    • 23
      OARC Board
      Speaker: Ondrej Filip (CZ.NIC)
    • 24
      OARC Status and Development Plan
      The OARC Board recently had a retreat to consider OARC's strategy and development. The output from this is a development plan, which the President will be sharing with OARC's members and other interested parties, as well as an update on OARC's recent progress and current status.
      Speaker: Keith Mitchell (DNS-OARC)
      Slides
    • 25
      DNS-OARC Systems update
      The presentation will go over the short history of systems at DNS-OARC and go through future directions to satisfy member demand and bring about the modernization required.
      Speakers: Mr Keith Mitchell (DNS-OARC), Mr William Maton (DNS-OARC)
      Slides
    • 26
      Discussion, Wrap-up
      Speakers: Mr Keith Mitchell (DNS-OARC), Ondrej Filip (CZ.NIC)