OARC Spring 2013 Workshop (Dublin)

Europe/Dublin
Burlington Hotel
Connaught Suite, Upper Leeson Street, Dublin 4, Ireland
Keith Mitchell (DNS-OARC)
Description
DNS-OARC is pleased to announce that its 2013 Spring Workshop will take place in Dublin, Ireland, on the 12th and 13th May. This will be at the same location as the subsequent RIPE66 meeting, and is sponsored by:
IEDR

The meeting will run all day Sunday 12th, including lunch, and a Sunday evening social event. The meeting will continue on the morning of Monday 13th, which includes an OARC members update session.

Coffee Break Sponsor: Nominet

Social Sponsors: APNIC, New Zealand Registry Services, RIPE NCC

Places for the social are limited to OARC Spring Workshop 2013 meeting attendees, so please ensure you have your attendee badge with you when you arrive at the venue.

Start time: 6.30pm
Food from: 7.15pm

Participants
  • Anand Buddhdev
  • Andrew Sullivan
  • Anlei Hu
  • Antoin Verschuren
  • Betty Burke
  • Billy Glynn
  • Brad Verd
  • Brendan Boyd
  • Brendan Minish
  • Brett Carr
  • Bruce Van Nice
  • Carsten Strotmann
  • Cathy Almond
  • Christian Petrasch
  • Colm MacCarthaigh
  • Conor Quigley
  • Dan York
  • Dave Knight
  • David Malone
  • Denesh Bhabuta
  • Dmitry Kohmanyuk
  • Duane Wessels
  • Eduardo Mercader
  • Edward Lewis
  • Einar Lönn
  • Elmar K. Bins
  • Fabio Bardella
  • Filippo Giunchedi
  • Florian Maury
  • Francis Dupont
  • Frederic Simons
  • Gareth Bradshaw
  • Gavin Brown
  • Geoff Huston
  • George Michaelson
  • Greg Choules
  • Greg Patrick
  • Henrik Levkowetz
  • Izumi Okutani
  • Jaap Akkerhuis
  • Jaeson Schultz
  • Jake McAleer
  • Jake Zack
  • Jakob Schlyter
  • James Raftery
  • Jared Mauch
  • Jarle Fredrik Greipsland
  • Jaromir Talir
  • Javy de Koning
  • Jian Jin
  • Jim Martin
  • Jim Reid
  • Joe Abley
  • John Crain
  • John Heidemann
  • Jonathan Tuliani
  • João Luis Siva Damas
  • Kazunori Fujiwara
  • Keith Mitchell
  • Lars-Johan Liman
  • Liam Hynes
  • Marco Davids
  • Marcos Sanz
  • Matt Larson
  • Matthew Pounsett
  • Matthijs Mekking
  • Matthäus Wander
  • Mauricio Vergara Ereche
  • Merike Kaeo
  • Michele Neylon
  • Niall O'Reilly
  • Ondrej Filip
  • Patrik Wallström
  • Peter Budkowski
  • Peter Koch
  • Peter Losher
  • Randy Bush
  • Ray Bellis
  • Rich Archbold
  • Rob Austein
  • Robert Gallagher
  • Rod Rasmussen
  • Roy Arends
  • Samuel Weiler
  • Sandoche BALAKRICHENAN
  • Sebastian Castro
  • Shane Kerr
  • Siôn Lloyd
  • Stephen Malone
  • Stéphane Bortzmeyer
  • Suzanne Woolf
  • Thomas Dupas
  • Ting Wei
  • Tomas Hlavacek
  • Tonny Yu
  • Tony Cundari
  • Valeri Liborski
  • Vasily Dolmatov
  • Vincent Levigneron
  • Vlad Romanenko
  • Warren Kumari
  • William Maton
  • Xuebiao Yuchi
  • Ólafur Guðmundsson
    • 09:30
      Registration
    • 1
      Cache Attacks
      Speaker: Greg Choules (Three UK)
      Slides
    • 2
      Increasing DS queries for JP DNS servers and a proposal for its countermeasures
      JPRS observed that DS queries for JP registered domain names have been increasing, and 3.5% of queries are now qtype DS. This report presents the current status of JP queries, the reason for the increase in DS queries, possible future situations and some ideas for countermeasures against this phenomenon. The reason for the increase in DS queries is the following. An unsigned domain name does not have a DS RR in its TLD zone. The NCACHE TTL is smaller than the normal RR TTL in many TLDs. DNSSEC validators need to know whether a DS RR exists for each query name. As a result, each DNSSEC validator may send DS queries to the TLD DNS servers once per zone cut per NCACHE TTL seconds.
      Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)
      Slides
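The mechanism the abstract describes can be made concrete with a small cache model. The following simulation is an added example, not JPRS's data or code: it models validating resolvers whose clients ask for names under unsigned delegations, caches the referral for the NS TTL and the "no DS" proof for the negative-cache TTL, and counts what the TLD servers receive. All TTLs, zone names and query rates are constructed values.

```python
"""Constructed simulation of the DS-query pattern described in the abstract.

A validating resolver asked for any name under an unsigned delegation must
learn whether a DS RR exists at the parent (TLD).  The answer is negative
(NODATA) and is cached only for the parent's negative-cache TTL, which is
usually much shorter than the delegation's NS TTL, so the validator re-asks
for DS roughly once per NCACHE TTL per zone cut while the referral is still
cached.
"""
import random
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Validator:
    """Minimal cache of one validating resolver (constructed model)."""
    ncache_ttl: int   # TLD negative-cache TTL (seconds), assumed value
    ns_ttl: int       # TLD delegation NS TTL (seconds), assumed value
    ds_expiry: Dict[str, float] = field(default_factory=dict)  # cut -> "no DS" proof expiry
    ns_expiry: Dict[str, float] = field(default_factory=dict)  # cut -> referral expiry
    ds_queries: int = 0
    ns_queries: int = 0

    def lookup(self, zone_cut: str, now: float) -> None:
        """A client asks for some name under zone_cut (an unsigned delegation)."""
        # The referral is re-fetched only when its long NS TTL has expired.
        if self.ns_expiry.get(zone_cut, -1.0) < now:
            self.ns_queries += 1
            self.ns_expiry[zone_cut] = now + self.ns_ttl
        # The "no DS" proof is re-fetched whenever the short NCACHE TTL has expired.
        if self.ds_expiry.get(zone_cut, -1.0) < now:
            self.ds_queries += 1
            self.ds_expiry[zone_cut] = now + self.ncache_ttl


def ds_query_bound(duration: int, ncache_ttl: int, zone_cuts: int, validators: int) -> int:
    """Upper bound from the abstract's rule: one DS query per validator, per zone cut, per NCACHE TTL."""
    return validators * zone_cuts * (duration // ncache_ttl + 1)


def simulate(duration: int, ncache_ttl: int, ns_ttl: int, zone_cuts: int,
             validators: int, lookups_per_sec: float, seed: int = 1) -> dict:
    """Drive busy validators for `duration` seconds and count queries the TLD would see."""
    rng = random.Random(seed)
    pool = [Validator(ncache_ttl, ns_ttl) for _ in range(validators)]
    cuts = [f"unsigned{i}.example" for i in range(zone_cuts)]  # constructed delegations
    t = 0.0
    while t < duration:
        rng.choice(pool).lookup(rng.choice(cuts), t)
        t += rng.expovariate(lookups_per_sec)  # Poisson client arrivals
    ds = sum(v.ds_queries for v in pool)
    ns = sum(v.ns_queries for v in pool)
    return {"ds_queries": ds, "ns_queries": ns, "ds_share": ds / (ds + ns)}


if __name__ == "__main__":
    # One hour, 5-minute negative TTL, one-day NS TTL: DS queries dominate the TLD-bound traffic.
    print(simulate(duration=3600, ncache_ttl=300, ns_ttl=86400,
                   zone_cuts=5, validators=10, lookups_per_sec=10))
```

With a one-day NS TTL each validator fetches each referral once, but re-asks for DS about twelve times an hour per zone cut, which is why the DS share of TLD-bound queries grows with the number of validators rather than with the number of signed domains.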
    • 3
      Vectors for Bitsquatting Attacks
      Bit errors in memory, when they occur in a stored domain name, can direct Internet traffic to the wrong location, potentially compromising security. When a domain name one bit different from a target domain is registered in order to intercept traffic for malicious purposes, the attack is called bitsquatting. For example, by changing only one bit, a target domain such as “twitter.com” can become the bitsquat domain “twitte2.com”.
      Speaker: Jaeson Schultz (Cisco Systems, Inc)
      Slides
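The "twitter.com" to "twitte2.com" example generalises to a short list per domain, and the list is what a registrant needs in order to decide which neighbours to register defensively or to watch in passive DNS. The enumerator below is an added example, not the speaker's or Cisco's tool: it flips each bit of each character inside a label and keeps only results that are still syntactically valid hostnames (letters, digits and interior hyphens, ASCII only); flips of the dot separators are deliberately left out.

```python
"""Single-bit neighbours of a domain name that remain valid hostnames.

Added example for the bitsquatting abstract above.  For a domain the reader
operates, the returned list is the set of names to consider registering or
monitoring.  It stays small because most bit flips produce a character that
cannot appear in a DNS host label at all.
"""
import string
from typing import Iterator, List

# Characters legal inside a host label (RFC 1123: letters, digits, hyphen).
_LABEL_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def bit_flips(ch: str) -> Iterator[str]:
    """Yield the eight characters that differ from `ch` in exactly one bit."""
    code = ord(ch)
    for bit in range(8):
        yield chr(code ^ (1 << bit))


def bitsquat_candidates(domain: str) -> List[str]:
    """Return the distinct valid hostnames that are one bit away from `domain`."""
    labels = domain.lower().split(".")
    seen = set()
    out: List[str] = []
    for li, label in enumerate(labels):
        for ci, ch in enumerate(label):
            for variant in bit_flips(ch):
                # Drop flips that leave the label alphabet (control chars, '/', upper case, 8-bit).
                if variant == ch or variant not in _LABEL_CHARS:
                    continue
                new_label = label[:ci] + variant + label[ci + 1:]
                # A label may not begin or end with a hyphen.
                if new_label.startswith("-") or new_label.endswith("-"):
                    continue
                candidate = ".".join(labels[:li] + [new_label] + labels[li + 1:])
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


if __name__ == "__main__":
    for name in bitsquat_candidates("twitter.com"):  # the abstract's own example domain
        print(name)
```

Flips that turn a lower-case letter into its upper-case form are discarded because DNS names are case-insensitive, so such a flip resolves to the original domain and is not a squatting risk.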
    • 4
      a TCP DNS performance test tool
      There were many reasons to develop a TCP DNS performance test tool, other than that there was none available when I began:
      - EDNS0 is not a 100% solution to DNSSEC and/or IPv6 large responses
      - rate limiting could lead to more TCP queries via artificially truncated UDP responses
      - ICANN requires in its gTLD applicant guidebook (page 218/5-6, module 5, section 5.2.2) some TCP performance...
      - IXIA boxes could do the job but are a bit expensive
      This presentation is about a TCP DNS performance test tool and its findings.
      Speaker: Mr Francis Dupont (ISC)
      Poster
      Slides
    • 11:40
      Coffee
    • 5
      Defending against DNS Amplification Attacks
      The goal of this presentation is to show how to defend against DNS amplification attacks. The presentation will focus on Response Rate Limiting (RRL) and the effectiveness of this defence mechanism against current and future attacks.
      Speaker: Javy de Koning (NLnet Labs)
      Slides
    • 6
      Comparison of RRL behaviour in BIND9, Knot DNS, and NSD
      In March 2013 an L-Root node in Hamburg, Germany received abnormal traffic over a prolonged period of time. Initial inspection of the traffic suggested that L was being used as an amplifier as part of a reflection attack. The short-term effects were mitigated using NSD RRL, which resulted in a decrease in outbound traffic that was noticeable, but smaller than we expected given anecdotal reports from other DNS operators using BIND9 RRL. Full packet captures of the request traffic were retained for further analysis. This retained data was used to replay the query traffic against a variety of authoritative servers that have implemented some form of response rate limiting, in order to compare the implementations from an operational perspective.
      Speaker: Dave Knight (ICANN)
      Slides
    • 12:40
      Lunch
    • 7
      PGP Signing Session
      Key printout
      Keyring file
      Keyring file SHA1 checksum
      Paper
      As a way to build community and expand the web of trust, DNS-OARC runs Key Signing Parties whenever it's possible. We'll have one during the Spring Workshop in Dublin, during the lunch break on Sun May 12th.
       
      In order to participate, you will need:
       
      1. Upload your key to the event keyring. The deadline to have your key uploaded is Sun May 12th at 11:50 (during the coffee break). That will give the party coordinator time to print the key list and be ready for the signing.
      2. At 13:00 we will convene at the reception desk. All participants will receive a printout with the keys, and you'll need to bring a government-issued identification (passport, driver's license) or an alternative form of ID (employee ID). You will also need a trusted source of your key's fingerprint, which can be your business card, a piece of paper or your laptop screen.
      3. Following the order on the key printout, every participant will have a turn to read their key fingerprint *from its trusted source*, while the rest will verify the fingerprint matches the one listed in the printout.
      4. Once all fingerprints are read, every participant will circulate his/her identification document, to allow the rest to confirm identity.
      5. Now the party is over. It's up to each participant, if satisfied with the fingerprint and ID, to sign others' keys. To make things easier, it's recommended to download the keyring, import it, and then sign the individual keys. Once signed, you'll want to email the signed key back to the owner, and optionally upload the signed key to a PGP server.
       
    • DNS Reflection Attacks
      Convener: Merike Kaeo (Internet Identity)
      • 8
        Classifying Resolver Capabilities
        In our attempt to quantify/qualify whether a particular DNS resolver is DNSSEC-compliant, we realized that it is important to test for a resolver's major functional behaviors rather than looking for compliance with all possible corner cases. Based on this idea, we designed a series of tests and grades for resolvers based on each test's results. Based on the tests' outcomes we classify resolvers into categories.
        Speaker: Olafur Gudmundsson (Shinkuro)
        Slides
      • 9
        Monitoring Recursive DNS in China
        Recursive DNS is used to resolve other people's domains. In order to investigate the security, stability and resiliency of recursive DNS used in China, we built a nationwide distributed platform to monitor the status of recursive DNS, including all recursive DNS deployed by the three largest ISPs in China. After analyzing the data generated by this platform, some valuable information about these recursive DNS servers was found.
        Speaker: Dr Xuebiao Yuchi (CNNIC)
        Slides
      • 10
        Self-Serve Open Resolver Testing
        Recent attacks bring renewed attention to the millions of open resolvers on the Internet. Discovery of open resolvers has traditionally been done by wide-scale surveys of known name servers or address space. Such surveys suffer from a few problems: (1) probing traffic may be seen as abusive; (2) the desire to provide open resolver addresses to the "good guys" but keep them away from the "bad guys"; and (3) big surveys take a long time and are updated on the surveyor's schedule. Verisign has developed a new tool that allows network administrators to scan their own address space for open resolvers at their own convenience and quickly view the results.
        Speaker: Duane Wessels (Verisign)
        Slides
      • 11
        Open Resolver Project
        The Open Resolver Project has been performing scans of the entire IPv4 space weekly and has turned up interesting trends and data about the behavior of hosts on the Internet. Many networks and CPE devices pose a risk in replying to DNS traffic, many times in ways that are unexpected or unintended. We are sharing trends and data on our observations, including providing raw data for derivative research.
        Speaker: Jared Mauch (NTT America)
        Slides
      • 12
        Panel Discussion
        Speakers: Duane Wessels (Verisign), Olafur Gudmundsson (Shinkuro), Mr Xuebiao Yuchi (CNNIC), Jared Mauch (NTT)
    • 15:40
      Coffee
    • 13
      Anycast Enumeration of Large DNS Services
      We have evaluated techniques to enumerate instances of DNS anycast, comparing the use of CHAOS records, traceroute, and a new proposal using IN TXT records. Enumeration allows a third party to evaluate the size of an anycast service, and in some cases to identify masqueraders operating on the same anycast address. We have evaluated our approaches on F-root, Packet Clearinghouse, and the AS112 anycast infrastructures to compare the completeness of our approaches. Joe Abley and L-Root have deployed an IN-based system to support these approaches, and we have also compared these results against their ground truth.
      Speaker: John Heidemann (ISI)
      Handout
      Slides
    • 14
      Remote DNS services and Content delivery networks
      The recent growth of remote DNS services can negatively impact CDN performance. CDNs rely on the DNS for replica server selection. DNS-based server selection builds on the assumption that, in the absence of information about the client's actual network location, the location of a client's DNS resolver provides a good approximation. Remote DNS breaks this assumption. Considering the performance of both remote DNS and CDNs, a practical industry solution should be proposed.
      Speaker: Mr Jian Jin (CNNIC)
      Slides
    • 15
      DNS monitoring for Norway
      Norid will be deploying a new DNS monitoring system this year. As part of this activity, we've been gathering information on current tools and methodologies, metrics, common data formats and so on. These will be used to develop best common practices and their application to Norid's requirements. We'd like to present our findings and stimulate discussion with others who are interested in this topic and willing/able to share information, collaborate on code or procedures, etc.
      Speaker: Jim Reid (NorID)
      Slides
    • 16
      Next Steps In Accelerating DNSSEC Deployment
      How can we accelerate the global deployment of DNSSEC? What are the major challenges that we as a community need to examine? Over the past 16 months of rolling out the Deploy360 program we've been analyzing the issues and speaking with operators and content providers around the world. In this presentation, we'll present our findings and outline some of the next steps we see as well as work that is already happening within the community.
      Speaker: Dan York (Internet Society)
      Slides
    • 18:30
      Social Event: Waterloo Bar
      Drinks and Finger Buffet
    • 17
      Measuring DNSSEC
      With the implementation of a signed root in the DNS, we are now in the initial phases of widespread adoption of DNSSEC. There has been much in the way of surveys of DNSSEC adoption in terms of signed domains, but fewer measurements and studies of the level of use of DNSSEC validation by DNS resolvers and end clients using such resolvers. The recent announcement by Google regarding the use of DNSSEC validation in their public DNS product (8.8.8.8) has increased interest in this topic. We have been undertaking a novel form of measurement of DNSSEC that uses online advertising channels to enroll a large number of clients Internet-wide to undertake specific DNS tasks that include aspects of DNSSEC behaviour. In this presentation we will explore the methodology, and present some initial findings related to the extent of DNSSEC validation by clients, and the behaviours of DNS resolvers when presented with both valid and invalid DNSSEC keychains.
      Speakers: Mr Geoff Huston (APNIC), Mr George Michaelson (APNIC)
      Slides
    • 18
      The use of Elliptic Curve Cryptography in DNSSEC
      1- Presentation of modular group cryptography based on Diffie-Hellman (even though DNSSEC uses DSA, not DH, the DH math is very simple, so far easier to explain and (I expect) to understand)
      2- Presentation of elliptic curve cryptography in comparison with modular group cryptography (versus all the mathematical details), e.g., exponentiation is replaced by multiplication
      3- The different parameters used in DNSSEC (primes, keys, etc.), including by PKCS#11, with some words about standard optimizations (again not explaining them but showing how to recognize them)
      4- Pros and cons of ECDSA in DNSSEC (pros: 20 times faster, smaller parameters; cons (inherited from DSA): requires a random number for signing, verification slower than signing)
      5- ECDSA in practice (BIND 9, etc.) and open real-world questions (e.g., which registries accept ECDSA KSKs/DS RRs)
      6- A word about hidden ECC in DNSSEC (GOST, which is in fact ECDSA; Chinese commercial crypto too) as a conclusion.
      Speaker: Francis Dupont (ISC)
      Paper
      Slides
    • 19
      GPU-based NSEC3 Hash Breaking
      NSEC3 is a mechanism for authenticated denial of existence in DNSSEC-signed zones. To avoid zone enumeration, names are hashed with SHA-1 and only the resulting hash values are enumerable. In this talk, we present a GPU-based tool for NSEC3 hash breaking, written in OpenCL and Python. The tool can compute 1.8 billion NSEC3 iterations per second on a high-end gaming GPU (AMD Radeon HD 7970). We discuss hash breaking optimization attempts which are inspired by password cracking techniques. The results are meant to aid operators in deciding whether NSEC3 is a useful building block for their DNSSEC setup.
      Speaker: Mr Matthäus Wander (University of Duisburg-Essen)
      Slides
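To relate a "hashes per second" figure to the guessing rate an operator should plan around, it helps to see exactly what one NSEC3 hash costs. The code below is an added example, not the speaker's tool: it implements the NSEC3 hash of RFC 5155 section 5 (SHA-1 over the canonical wire-format name and salt, re-hashed `iterations` more times, base32hex-encoded) and checks it against the RFC 5155 Appendix A zone (salt aabbccdd, 12 iterations), then converts a raw hash rate into candidate names per second. The 1.8 billion figure used in the usage line is the one quoted in the abstract.

```python
"""NSEC3 hashing per RFC 5155, section 5, plus a guess-rate estimate.

Added example for the NSEC3 hash-breaking abstract above.  The owner name of
every NSEC3 RR is H(name) = SHA-1(wire(name) || salt), re-hashed with the
salt appended `iterations` more times, then base32hex encoded.  Each
candidate name an attacker (or an operator auditing their own zone) tests
therefore costs iterations + 1 SHA-1 computations.
"""
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex alphabet used by NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire-format name, e.g. 'a.example.' -> 01 'a' 07 'example' 00."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Return the NSEC3 hash (SHA-1, base32hex, lower case) of `name`."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def names_per_second(sha1_rate: float, iterations: int) -> float:
    """Candidate names checked per second at a raw SHA-1 rate for a zone using `iterations`."""
    return sha1_rate / (iterations + 1)


if __name__ == "__main__":
    # RFC 5155 Appendix A: the zone apex "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.
    print(nsec3_hash("example.", "aabbccdd", 12))
    # The abstract's GPU rate, applied to a zone with 10 additional iterations.
    print(f"{names_per_second(1.8e9, 10):.3e} candidate names per second")
```

Because the salt is public in the NSEC3PARAM record and the hash is unkeyed, the only parameter that raises the per-guess cost is the iteration count, and it raises it identically for every validating resolver; this is the trade-off the talk's measurements are meant to inform.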
    • 20
      DNS Security: Beyond DNSSEC, A "He Must Be Nearing Retirement" Manifesto
      Basically, why RRL is only a nice first step, but I want to change the protocol some.
      Speaker: Ed Lewis (Neustar)
      Slides
    • 21
      DNSHarness
      DNSHarness is an open-source tool for testing multiple DNS server implementations. Tests are scripted and may be executed against a number of different implementations in sequence. DNSHarness runs on Linux and uses VirtualBox to build and run all of the popular open source DNS software packages. It can also test closed source implementations running externally.
      Speaker: Duane Wessels (Verisign)
      Slides
    • 22
      Changes and updates to dnscap
      dnscap is a DNS-specific packet capture utility. It has recently been given a plugin-style architecture, such that the user can specify multiple modules to analyze captured packets. One such module provides statistics for root server operators. Plugins may even be written by end users and/or third parties.
      Speaker: Duane Wessels (Verisign)
      Slides
    • 11:15
      Morning Break
    • 23
      OARC Board
      Speaker: Ondrej Filip (CZ.NIC)
    • 24
      OARC Status and Development Plan
      The OARC Board recently had a retreat to consider OARC's strategy and development. The output from this is a development plan, which the President will be sharing with OARC's members and other interested parties, as well as an update on OARC's recent progress and current status.
      Speaker: Keith Mitchell (DNS-OARC)
      Slides
    • 25
      DNS-OARC Systems update
      The presentation will go over the short history of systems at DNS-OARC and go through future directions to satisfy member demand and bring about the modernization required.
      Speakers: Mr Keith Mitchell (DNS-OARC), Mr William Maton (DNS-OARC)
      Slides
    • 26
      Discussion, Wrap-up
      Speakers: Mr Keith Mitchell (DNS-OARC), Ondrej Filip (CZ.NIC)