PPT-Measuring DNSSEC Geoff Huston & George

Michaelson APNICLabs September 2012 What are the questions What proportion of DNS resolvers are DNSSECcapable What proportion of users are using DNSSEC validatingDNS resolvers Where are these users. Lutz Donnerhacke. db089309. : 1c1c 6311 ef09 d819 e029 65be bfb6 . c9cb. dig +. dnssec. 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. . naptr. A . protocol. from better . times. An . ancient. . protocol. People were. Eric Osterweil. Dan Massey. Lixia Zhang. 1. Motivation: Why Use DNSSEC?. DNS cache poisoning has been a known attack against DNS since the 1990s [1]. Now there is a new variant: the . Kaminsky. attack. Geoff Huston. APNIC Labs, May 2015. The Internet is all about US!. What’s the question?. How many users do <x>?. How many users can are running IPv6?. How many users are using DNSSEC validation?. Geoff . Huston & George . Michaelson. . APNICLabs. September 2012. What are the questions?. What proportion of DNS resolvers are DNSSEC-capable?. What proportion of users are using DNSSEC-. validatingDNS. . 2013 . 12 June. . 2013. j. ohn.crain. @icann.org. DNS Basics. DNS converts names (www.uob.com.sg) to numbers (203.116.108.5). ..to identify services such as www and e-mail. ..that identify and link customers to business and visa versa. APNIC. https://. xkcd.com. /1361/. Why?. Because everything you do on the net starts with a call to the DNS. If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities. APNIC. https://. xkcd.com. /1361/. Why?. Because everything you do on the net starts with a call to the DNS. If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities. Michaelson. . APNICLabs. October 2012. What are the questions?. What proportion of DNS resolvers are . capable of performing DNS queries using IPv6?. What proportion of users are using . IPv6-capable DNS . Chief Scientist . APNIC Labs. Why pick on the DNS?. The DNS is very . easy . to. tap . and. tamper. DNS queries are open and unencrypted. DNS payloads are not secured and tampering cannot be detected. APNIC. Background. All computers run with some kind of internal oscillator (called a ‘clock’). This clock manages the internal state changes at each cycle of the central processing unit. Clock ‘ticks’ are fed to a digital counter. Huston. APNIC. February 2014. The E. volution of Evil. It used to be that . they sent . evil packets to . their . chosen . victim. but this exposed the attacker, and limited the damage they could cause. Why?. Because we’ve run. out of addresses. again. We’ve been here before .... The original . ARPAnet. design from 1969 used the NCP protocol, which used 8 bit addresses. Maximum network of 256 nodes. Chief Scientist, APNIC. Through the Routing Lens …. There are very few ways to assemble a single view of the entire Internet. The lens of routing is one of the ways in which information relating to the entire reachable Internet is bought together. in today’s Internet. Geoff Huston. APNIC . June 2016. What is being measured?. Clients who will perform DNSSEC validation of a domain name. Using RSA/SHA-1 as the crypto algorithm. Who will not resolve a badly-signed domain name.