The Border Gateway Protocol (BGP) and the Domain Name System (DNS) are two key protocols on which the working of the Internet depends. When these protocols were designed, security properties such as integrity were not yet a design concern. Various outages caused by this lack of protection have since shown that both protocols need to be secured. The Resource Public Key Infrastructure...
IPv6-only networks are expanding, with draft-xie-v6ops-framework-md-ipv6only-underlay being a recent example. For IPv6-only networks to be widely deployable, software must be able to function in IPv6-only networks. However, according to RFC 3901 (BCP 91), "every recursive name server SHOULD be either IPv4-only or dual stack", meaning recursive resolvers should not be IPv6-only. This is because...
The potential impact of Encrypted Client Hello (ECH) on public and private network operators and others
The presentation includes a brief overview of the proposed Encrypted Client Hello (ECH) extension to TLS 1.3, explaining its purpose and current state of development. The presentation goes on to consider some of the implications of ECH being deployed on public and private networks,...
What did we do to make it possible to add a new nameserver to our anycast network with one click of a button, and what does this provide?
Goal:
We were looking to create a stable anycast platform with the right balance between a stable anycast service and being able to get new features into production.
Other items:
- which tools
- challenges
- solutions
- automatic tests
- result
- next steps
IETF DNSOPs working group updates
IETF DPRIVE working group updates.
In 2006, RFC 4255 [0] introduced a resource record that holds SSH host key verification fingerprints, named SSHFP. In order to prevent man-in-the-middle attacks, an SSH server's host key fingerprint should be verified by the client [1]. While the manual verification process is prone to errors or to being ignored by the user, SSHFP records eliminate any manual interaction. However, SSHFP records must...
Registrants of critical domains subject to substantial monetary losses per minute of downtime are likely to perceive significant DNSSEC deployment barriers due to long error recovery times and lack of pre-publication validation of DS records.
The presentation suggests potential practices to reduce the risk and thus lower DNSSEC adoption barriers.
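One such practice is to validate a DS record against the child zone's DNSKEY RRset before it is handed to the parent, since a DS that covers no published key makes the zone bogus for every validating resolver until the parent fixes it. The Python below is an added example (not from the presentation) that computes the DS digest and key tag from a DNSKEY per RFC 4034 and checks that a candidate DS actually matches a key in the zone. The 64-byte key bytes, algorithm 13 (ECDSAP256SHA256) and the name `example.test.` are constructed placeholders, not a real key. Digest types 2 (SHA-256, RFC 4509) and 4 (SHA-384, RFC 6605) are supported; SHA-1 (type 1) is deliberately left out.

```python
import hashlib
import struct

# DS digest types: 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

# Constructed placeholder key material (not a real DNSKEY): 64 bytes is the
# uncompressed point size for algorithm 13 (ECDSAP256SHA256).
EXAMPLE_PUBKEY = bytes(range(64))
EXAMPLE_OWNER = "example.test."


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) || protocol(1) || algorithm(1) || public key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(owner: str, ds, dnskeys) -> bool:
    """Pre-publication check: does this DS (tag, alg, digest_type, hex_digest)
    cover at least one DNSKEY (flags, protocol, algorithm, pubkey) that the
    child zone currently publishes? Protocol must be 3 for DNSSEC keys."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGESTS:
        return False
    for flags, protocol, algorithm, pubkey in dnskeys:
        if protocol != 3 or algorithm != alg:
            continue
        candidate = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, dtype)
        if candidate == (tag, alg, dtype, digest.lower()):
            return True
    return False


if __name__ == "__main__":
    ksk = (257, 3, 13, EXAMPLE_PUBKEY)          # 257 = ZONE | SEP
    ds = ds_from_dnskey(EXAMPLE_OWNER, *ksk)
    print(f"{EXAMPLE_OWNER} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("DS covers a published key:", ds_matches_dnskey(EXAMPLE_OWNER, ds, [ksk]))
```

Run against the DNSKEY RRset fetched from the child's own authoritative servers immediately before submitting the DS to the registrar, and again after the parent publishes it; a `False` at either point is the signal to stop rather than wait for the error to reach resolvers.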
In this paper, we propose Phoenix Domain, a general and novel attack that allows adversaries to maintain the revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications and best...
Exploring CIRA's growth from a single-customer (.CA) unicast DNS platform to an anycast platform supporting 480+ TLDs (almost one third of the root zone), and how customer requirements caused a fundamental change in thinking along the way.
I plan to delve into 4 areas:
1) Zone Propagation architecture, monitoring points, self-healing, and alerting.
2) DNS Availability - CIRA's...
With the DNSThought project we do longitudinal measurements of resolver capabilities, such as qname minimization and support for all the DNSSEC algorithms, with RIPE Atlas probes. It was the outcome of the DNS Measurements Hackathon organized by the RIPE NCC in April 2017.
Over time some valuable historical information has been collected by DNSThought, but the way it is displayed is still as...
A brief talk about the history of DNS @ Meta, how things evolved over the years, a bit of a deep dive into engineering decisions we made, and announcing the open sourcing of our DNS server
While building the SOX network from two POPs in Belgrade to 18 POPs in 4 countries, we faced numerous challenges, technical, strategic and financial, and learnt from them.
During this talk, we will go through our journey scaling from a single switch in a couple of locations, incrementally adding capacity as the business grew and partnerships increased, and hosting more and more services,
to hosting...