In this presentation we motivate why there is a need to consider using larger keys for RSA in the context of DNSSEC. We then describe a measurement experiment that looks at the success rate of using 4,096 bit signing keys in DNSSEC. We conclude with some thoughts as to the option between using ECDSA P-256 and RSA-4096 to counter the potential threat of quantum computing to this form of...
This presentation will discuss the analysis of domain names found within the Common Crawl dataset. It will cover the method of analysis and will focus on the characteristics of DNSSEC with regard to different types of web page content. It will include discussion on the proportion of websites that use content from only signed domains, the kinds of content in websites that are more likely to be...
We present an update to the development and implementation of the DNSSEC Bootstrapping protocol since OARConline 35a. Protocol developments include, in particular, some structural changes to enable straightforward discovery of delegations which are ready for bootstrapping, on a per-parent basis. On the implementation side, we show prototype implementations for both the child (DNS operator) as...
Over the years, DNS proxies (such as dnsdist) have cooperated with their backends to pass the real IP of the client to those backends. edns-client-subnet has been abused for this; there was an attempt in the IETF to standardise a new EDNS option (XPF), but DNSOP did not like it.
Based on that, and other operational insights, PowerDNS (in dnsdist, the Authoritative, and the Recursor)...
Information from the Public Suffix List (PSL) is required in various contexts, for example for cookie scoping in browsers, for certificate issuance, and for the secure operation of authoritative multi-tenant nameservers. Applications depending on the PSL customarily bring their own copy of the list, and thus require mechanisms to parse and interpret the list, and to keep it up to date.
The...
DNS Security Extensions (DNSSEC) were introduced nearly two decades ago to provide integrity and authenticity of DNS messages. There have been some studies focusing on how DNSSEC has been deployed over years using active scans, which commonly reported pervasive mismanagement such as missing DS records.
From the domain administrator perspective, however, it is hard to understand what makes...
In large-scale DNS deployments, zone updates are made by DNS hosting services on short timescales to large numbers of servers. It’s normal for the updates to be somewhat asynchronous from each other because DNS is “eventually consistent” by design. The question for DNS operations is how much lag is OK. For our organization, customer sensitivity to stale information is high and we want to take...
What if you lose all the DNSSEC keys for your zone? What is the impact, and how can you recover from this?
Over the last year, Knot DNS has added support for Linux’s eXpress Data Path. CIRA and CENGN, with the help of CZ.NIC, took a deep dive into characterizing Knot DNS’s performance with XDP on both UDP and TCP-based queries. On a 36-core server, 16M QPS was achieved on UDP-based queries, and 1.3M QPS on TCP-based queries.
This presentation will detail the hardware, software, configurations...
Some DNS authoritative servers provide incorrect proofs of non-existence which correctly DNSSEC-validate but deny existence of data which actually do exist in the zone. Consequently, this causes silent resolution failures on resolvers which implement aggressive use of DNSSEC-validated cache (RFC 8198).
This talk aims to provide a very short glimpse of where the breakage can be found in the wild...
Bringing up DoH services at OpenDNS
- Phase 1 - DoH as a proxy
- Phase 2 - Native support
- Phase 3 - Native deployment