Intro to DNSSEC

Speech transcript
I guess we'll get started. Can you guys hear me OK? Cool. By the way, before we get started: this list is a zone that I created manually, because it predates... the author is not me, but those are the first guys that started BIND as student projects, three or four of them as student projects, and then a few other developers that came right after them. That's a different story.

So in the end we're talking about DNS and DNS security protocols. I'm not going to be talking about that; I'm going to be talking about DNSSEC and the zones related to that. I have a few questions before we get started. I'm curious if any of you have deployed DNSSEC. A more pragmatic question: have you got it done on an authoritative server? Another question: has anybody enabled the validator to do verification? We'll see later on that it's pretty easy to get started with, and also that it's very difficult to troubleshoot.

Just for fun, this is the set of DNSSEC RFCs only; this is not the DNS RFCs, just the DNSSEC ones. That's pretty thick, over 300 pages, and there are maybe another hundred pages that add to this, because this is a couple of years old.

I work for ISC. I work on the BIND project as release engineer and technical writer, and I maintain our build and test farm. Before that I was a support engineer for one year; this predated most of the DNSSEC use, but we did have some customers that were testing DNSSEC then. I love troubleshooting work. Earlier today I went to a presentation about logging, about using the same log messages in different places in code. You know, it's a nightmare to track down. We have the exact same problem in BIND 9: you have the form where something might be turned into a SERVFAIL, and we have over 50 places with the exact same log message, and from the user's point of view there's nothing they can do about it, and for the administrator, there was nothing they could do about it either. So a little bit of the work on BIND 9 is just adding unique logging. I won't get into that much, though. And also, yes, I'm a developer, and I'm on the board.

A few things I'm not going to cover: dynamic updates and signing with those. This assumes you guys have some basic DNS experience. How many of you have administered a BIND server? How about other DNS servers? So basically that's almost everybody here. In my examples I'm using BIND 9, but there are other DNSSEC-capable resolvers and also authoritative servers.
This talk is about some of the threats to DNS, and we'll talk later on about how these apply to signing, whether it helps or not. So we have packet interception, the man-in-the-middle attacks: people on your wire who might modify questions or responses, eavesdropping to spoof responses. We'll talk about ID guessing and query prediction in a moment. Name chaining, where a returned part of an answer, like they give you part of an answer, points you to their own authoritative name server, and then once you start querying that authoritative name server they've got you for other things. The ISPs might accidentally or purposely provide different answers; we know this is an ongoing debate, where ISPs purposely provide their own answers. Even the ISP in my area, Verizon, does that. OK, I don't use their name servers; that's their choice. And denial of service attacks: does signing help with that? Signing actually could add to the problem, and we'll talk about that briefly later. Another type of attack is not modifying data but actually removing data. An easy example here: if you remove the MX records, most mail servers will fall back to just using the regular address record. So what if that system is already controlled by the attacker?

A few things about DNS components. The query information has a source address and the port of the query, and that's from the recursive server, or it might not even be a recursive server, it might be a stub client. It has a destination address and port 53. It also has a query identifier to keep everything unique; it's the query ID, but it's only 16 bits. Then there's the query name, the class (in our case the Internet class) and the type, whether it's an address record you're asking for, an MX record, SSHFP, things like that. The dig command shows you all these things except the source. What's interesting is the response that comes back: it needs to provide the same original information, and that's part of the way to synchronize all the responses it receives, so the original query ID, class, name and type, and it also should come back from the same IP address and port that was originally used.

Now I'll give you a few examples of how you can break it yourself. I have used some tools and some scripts to poison caches, and this will give you some ideas. So you need to know the query ID and the source port; the other information is generally easy to control or know. You can control it by flooding your own series of queries to it, so now you know which question it's going to ask, so you can control a lot of it. It is a race, but again in many ways it is a technique. And of course it's obvious if you have a packet sniffer somewhere along the line; then it's really easy for you. Or brute force, or random chance: what's a brute force? If you flood responses, tens of thousands or hundreds of thousands of responses, odds are one will match, and your poison beats the real response back to the resolver. Then once it's in the resolver, let's say you're a big ISP and you have a million customers, then from then on until that time to live expires they're feeding your answer to all their customers.

A few years ago, you may remember, there was a lot of BIND news (it wasn't BIND news, it was DNS news): Kaminsky had techniques for predicting and forging a DNS response, and he showed ways where he spoofed a cache in like 30 seconds. Just the very basics of it: you get the cache to ask a question, you get the resolver to ask a question, and it might be as simple as doing an SMTP connection over and over and over again, because most SMTP servers will respond; you can give it some information, and SMTP has to start its DNS queries. Now based on the birthday paradox, you realize it didn't matter if you went through a whole series of query IDs, it didn't matter if you went through a whole series of source ports; just keep on flying the same ones over and over again, as a small pool, and he was able to do it in 30 seconds. Instead of providing just an answer, he gave it a question that requires further information, so he provides something that delegates to his own authoritative server, and then you just give it a huge time to live. Now a lot of name servers will have a cap on the maximum time to live; let's say the cap is a week. Then they'd cache it for a week. I guess I don't cover on another slide what the goals are with this whole thing: they could point you to a spoof of your bank, or a spoof of anything you log in to. It may look the same in the redirected version as the real one, but they might actually capture some information and potentially use that to steal from you, all types of things.
And the DNSChanger worm: this was in the news starting, I think, in November. The FBI, working with some other governments, caught, I think, 6 out of 8 people that were involved with this. They had over a hundred name servers that they had traffic pointed to; in this case over 4 million systems were pointed to just the name servers. This was on Windows boxes, and also they targeted cheap white-label wireless routers that actually millions of people have in the United States, and redirected them to rogue websites. They know that they earned at least 14 million dollars just by pointing to sites with advertising, 49 dollars, but in some cases they also stole money other ways. That's also called Operation Ghost Click. What's interesting about it is that now ISC runs the name servers, and slowly other groups are trying to convince all of the ISPs to clean up their customers. I think at least 500 thousand compromised systems or so are still using it. It was going to be turned off, but now they got a court order to keep it running until, I think, July. Interesting. Maybe some of you might know somebody that has a Windows box pointing to the wrong name servers, and the answers come from there. So the reason, although I don't know, not us, but the alternative is: if we don't provide any name service, then a million computers would actually think that the Internet is down. That's really true; that's the problem with those Windows systems. Now, would DNSSEC help? In many cases some browsers and clients have validation built into them, so if they chose to use a DNSSEC-capable client then they could see if they're going to the real website and whether it's a forgery. A very quick, short description: as stated, DNSSEC proves that the data is not modified and came from the official source, and we'll get into detail.

Now, just before we get into setting up DNSSEC, let's talk about some other use cases; some are pretty interesting. DANE, or DNS-based Authentication of Named Entities: some clients, and there are patches for Chromium already, can use DNSSEC to fetch the initial keying information. This is something to replace certificate authorities; it's more lightweight than the regular HTTPS exchange, so it's an alternative way using DNS, and it's pretty interesting. One other thing is using it for SMTP's STARTTLS; it also stops it from being compromised, there are known attacks. Another thing is BGP route origin verification: it announces which routes it prefers, announces these versus the ones that have been signed, and so that's the whole ROVER idea. Do any of you use secure shell fingerprints in a DNS record? So when you log in via SSH to a new box, it'll show you the fingerprint; this is a way to automate or verify that you're hitting the box you really wanted to log in to, and it's not just logging in, you might be remotely running commands, all types of things on a system. So you could do it that way, but also GnuPG, and maybe PGP does also, can retrieve certificates and public information from the DNS, so you could have that DNSSEC-signed. Some people use it to make sure they're hitting the correct package repos; I have heard of one distribution of Linux, I think it's called "0 c Dad", that uses that. So those are some interesting cases. I have not heard of progress on many of these. You guys can invent some more ideas, some more uses. I'll get into this a little bit more. So DNSSEC actually adds new resource record types, it also adds message header bits, and these are used to verify that the data matches what the zone administrator actually put into the zone in the first place and that it hasn't been altered in transit.
It does not provide a secure tunnel; in the DNS world you can use other things for that, DNSCrypt, DNSCurve, there's some other ideas for tunneling DNS traffic. It also does not hide the data, so it's not encrypting the data whatsoever. It's designed with backwards compatibility in mind, I'd say not 100 percent but very close, so if you do not want to be a validator then you can just continue to use DNS the same way even if your upstream provides DNSSEC records; basically when you ask them they will send them and it will be fine. It also doesn't validate the destination content. I mentioned pointing you to a spoof website: a lot of people may not even check if the SSL certificate is in place, general users may not care about HTTPS versus HTTP. If you wanted to make sure that you have the right content, there's other technologies for that.

The first thing about DNSSEC is that it requires EDNS0, the extensions to DNS, and this allows you to have new flags, new return codes, new label types; it also provides ways to announce how many bytes you could receive and send. This is important because historically DNS has used small packets, usually less than 512 bytes, and many firewall and router operators kept that in mind. EDNS has been around for over 10 years and all servers support it, all the root servers support it and most infrastructure supports it, but I have seen over the last years some big customers roll out DNSSEC live and then a day later have to turn it off, because something between their production environment and someplace else on the Internet, some routers or something, was squashing the DNSSEC traffic, and because their validators were enabled the data was incomplete and so that actually broke their DNS. I'll give examples of that later. So in your case make sure firewalls don't block packets larger than 512 bytes, and yes, there are some broken servers or network devices that do.

I don't notice it here on campus, but many times I go to different hotels and motels and I see it often; and it's not just DNSSEC, DNS in general may do all types of weird things, and DNSSEC might not work. We'll see this a little bit later. One of the new header bits is DNSSEC OK, and basically this means that you're a validator and you understand DNSSEC-related traffic coming back to you; it doesn't mean you're going to do anything with it, it's just saying OK to receive it. Just to back up a little bit, just in case some of you have seen documentation for or encountered the SIG record, KEY record, NXT record: those are old and outdated or obsolete; those are not used. The new standards are 2005 and on; those are the ones I'll show in a few minutes.

Interesting to note also: some of the threats were documented starting maybe 1989, and then in the early nineties, so these threats have been documented and announced in different places over the years, and it wasn't until Kaminsky showed some different ways to do it that it came out as really big news. One of the ways to limit it is to make sure that the source port range is large, so that's one way to alleviate the problem, but the problem still exists: if you are on a network with very high speed bandwidth you can still do this spoof. The thing is not fixed, and so you need a solution or workaround such as this, and that's because everyone's using DNS; it's hard to change a protocol that the entire world uses, so we're just extending it. Very briefly, it uses public key crypto. There's a private part which you keep on your own systems, and you might keep it in an HSM; you use that to sign, to create signatures. Then there's a public key that you share with other people, and they're using that just for the verification part, and you will see that upcoming. The new resource record types are essentially DNSKEY, DS, NSEC and NSEC3. In this lecture I will not cover NSEC3 at all, NSEC just briefly, and I'll get into DNSKEY and DS in some detail.
So the first part is the validator. When it sends its query it sets the DO bit, saying OK, I understand DNSSEC, go ahead and send me what you have. If they have something on the server side that's enabled with DNSSEC, the zones already have this information, so it'll return a signature that's already been set up ahead of time. Generally I've never seen an implementation that does it on the fly; it's generally done ahead of time. It provides a signature that goes along with the answer. Now, some of you may also have seen that the answer still has other information at the same point, and that's one thing that's been modified by the specification: you'd never see the signature alone, for example. The signature is a hash of the entire record set, not individual records but the entire set; the hash is encrypted using the zone's own key, and that's your digital signature. I mentioned that if you have 4 NS records with the same label, same class and type, that builds the set; there's one RRSIG for that, and again it's automatically sent back with the answer.

So let's look at some examples here. The first thing here, the authenticated data bit, I'll talk about later; but the first thing you should notice is that there are two answers. We were using EDNS0; you can see that in this figure because the DO flag was passed in the question. Now we're getting to the part where there's two answers: there's an address record and a corresponding signature. Also in your authority section you might have other sections of information sent back to you; they might have corresponding signatures to the records being provided. Notice in this case that the signed information is still less than 512 bytes. This is the view of what we'll see.

So we'll quickly go over the different parts of the RRSIG. The RRSIG identifies the record type, the algorithm used, and the number of labels, whether it's www.1.2.3, how many labels it has; the original time to live, because these are regular DNS records, they have their own time to live, and so it's nice to see what the initial time to live was, just in case it's been modified; also the expiration time of the signature and the inception time, when it should begin. The key tag, also called key ID: this is used by the administrator for informational purposes, just so you could compare things visually, but without having a tool to validate or verify for you, you should not rely on it; it's just for your eyes to match things up. Then we'll see examples: the signer's name is the name of the zone that signed this record, and then the digital signature. What I just explained, we can see that information there, the inception time and the expiration time. One thing to note is the expiration is before the inception time when you read it, and a lot of people look at it and go, "something's wrong here," but they're reading it out of order. This example here says labels 3 because there are three labels. One more thing to note: this lecture will not cover wildcards, but wildcards are also covered by this; you can sign wildcards.
So DNSKEY: this is generated with the keygen tool. It is for the zone and not for the individual labels, like you would not create a different key for every single record or record set. So again the signatures are generated with the secret key, the private key, and then the DNSKEY is the public key that's used to validate the signatures. There is also a hash of the DNSKEY that's called the DS; we'll look at that a little bit later. There are some flags, 257 and 256, the key signing key and the zone signing key. From the validator's point of view this does not matter; this is only for the convenience of the tools maintaining the zones, it's for the convenience of the administrators setting it up, and we'll see that later.

So we'll look at some examples here. We want to look at the key tag 44016; it's right here in the signature. Then we'll go a little bit further, doing another dig, this time asking for the DNSKEY record. It came back with a couple of DNSKEYs, and we see this one matches up, so in this case it matches up and it would be the public key used to validate the previous signature. Now on top of the key ID, one question I was asked is whether everything is signed, not just your original question but also the other information: are the keys themselves also signed? Do we need every single part signed? Yes, the public key is also signed; you can see that here. In this other example the RRSIG identifies which one it was signed with, the DNSKEY. The original TTL is 3600, but because it's been in the cache for a certain amount of time it's counting down.
So the DS record is used to start building a chain of trust between the parent zone and your own zone, and the parent might be some third party. Usually it contains a hash of what's called the key signing key; the DS record is created by the signing tool. We'll see that the DS itself is also signed; that means it has its own signature posted in the parent zone, once you provide it to the parent zone. An important point is that it's returned with the delegation records, so when you ask a parent for information it says OK, I don't have this zone, go look someplace else, by giving you NS records, and at the same time it also provides the DS records and all the signatures for this information. Now the NS records themselves are not signed, the delegation is not signed, but the DS records are.

Let's look at tcpdump; hopefully this is fine for you guys. I have some other examples with tcpdump as well. So we see an address request to a parent, a normal request; you see this happen every second, but in this case the DO bit was set, so in the return answer, here the delegation, the NS records were sent, and it said by the way, there's a DS record also associated with it.

Here's another example. This is just a dump of the cache of BIND 9, and this is from a simple query for an NS record, and then it shows the additional data: the DS records. So those are sent automatically; you can also query for them and ask for them. I'll skip through that.
Now the NSEC record. This is to indicate that a resource record does not exist, or to indicate that a certain individual record type does not exist. The first thing that's important with a DNSSEC-signed zone is that the entire zone is sorted in canonical order, so here it's also ordered. Then it creates these new records, NSEC records, creating an entire chain representing every single record in the zone, and how it works is one label will refer to the next label, all in order. So by asking for something you could simply see: it falls in between this label and the next one, and the NSEC tells you there's a gap, something's missing in the zone. Also the NSEC record identifies the types, so you can see that the MX record is gone, someone has done something, for example. Since there is a chain, some people were concerned: OK, I don't want anybody to know what's in my zone; by using the chain of NSEC records they can walk it and know everything in the zone, it's very simple. So the alternative technology for that is NSEC3, which creates a hash instead of using the regular label name, hashes for each one, so you can still walk it, but you don't know the original names anymore. I think everybody would just use NSEC; most people don't care if your zone information is walked, it's already public. But some people do care: the people who care are the ones who, for example, turn off zone transfers and only allow them from certain systems. So whatever your own desires are.

Sorry, the authoritative... there are some new additional message header bits: the authenticated data bit. The validating resolver checks to make sure the chain is acceptable; we'll see detailed examples of this shortly. If it can verify all of this it sets AD and returns it back to you. The common thing is, if you're asking an authoritative server, it will send you an AD bit; if you're asking a recursive server, again, AD will be there. Here's another one: now let's say you want to troubleshoot, you're testing, or simply it doesn't work because there is a problem. You could turn off the checking: in your original query you do dig +cd, and basically it means turn off the checking, just send me the information. The good advice is: don't ignore the AD bit, because you're trusting whoever you ask and whoever was in between you, and there's no rule at this time, no way to secure the AD bit itself unless you use a different tunneling or other mechanism, so you do the validation on your own, or you can use TSIG between your stub and your resolver for example, or if it's on your local system, between your resolver and the server. But let's do a very quick summary of the keys.

The keys are used to prove the integrity of the DNS data. The private key is used to encrypt; the private key is not shared via DNS, but the signature created with it is shared via DNS, in the RRSIG. The public key used to verify it is in the DNSKEY; this is the decryption key. There's a hash of that key which is stored in a DS record, which is stored in your parent. There's two records associated: the DNSKEY and the DS are associated; they can verify that they have the DNSKEY and verify it's the same one, and there are signatures also. So this is the chain which begins the chain of trust, the authentication chain. Now your validating resolver needs a starting point, depending on how far along this chain; the alternative is what's called islands of trust, which I'm not covering, but you need a starting point, and we'll see an example of that a little bit later. The starting point is a trust anchor, a DNSKEY or DS record you retrieve securely from a trusted source. Let's say you use Unbound; you trust the source code, so you'll trust them to provide you a starting point, this trust anchor, with the code; and if you don't trust them enough to use the key that they provide, then why use their code in the first place? We'll say the same thing about BIND. A broken chain: in some cases, if there's a broken chain where there is a DS record in the parent but the child does not have a DNSKEY set, or it's wrong, then that makes everything underneath invisible, as SERVFAIL. So if the chain is broken high, let's say it's broken at a level like .com, or something.com, then all the labels beneath it disappear. The chain of trust must be verifiable from data; remember the chain of trust may be built from data on a caching name server. All resource records have time to live; they're going to live in your cache for a while, so it doesn't need to recreate the chain of trust each time it has this information, and
it may not be getting it from the authoritative server every single time, since it's already cached. Again, the weakest link defines the strength. So our trust data is the DNS root itself; it's been signed since July 15th, 2010. There are more than 80 secure delegations provisioned in the root, for example .org, but there's many, Brazil's and on and on. Now let's say you've signed; for the registry or registrar, the way you share the information to provision in the root is by giving them a DS record. A lot of that is still in flux; there's not a consistent way to share this information. If you need it, hurry up and encourage your parent to provide a mechanism for you to get this information to them, because if it's manual every single time, let's say 6 hours or something like that, and you're in an emergency situation, a manual way to recover is not fast enough. So let's look at this trust chain example here.

Let's talk about signing a little bit more. I use Joker.com, and so I contacted them a few times, and yes, they have DNSSEC enabled, but they did not have any mechanism for me to share it with them, and things like that. The way I got into .org was via e-mails to the .org administrators, and so now I feel like I really have a problem: there's no way I can maintain it that way. Luckily Joker recently enabled some new mechanisms, so I'm going to figure out Joker's APIs and see if I can work with those. Some of my coworkers use GoDaddy and they're able to get their DS records to their parents via GoDaddy, and so there are others too. If any of you know of any, go ahead and share.

So let's look at this entire chain, starting from the root. So I could see it's really the root, with the period; the DNSKEYs are signed; this is the beginning. So in BIND 9 or another validator you have a trust anchor stored on your system, but then it also does a real query to make sure it gets it from the real source, sorry, just to make sure that there's something from there, and
then the next part of the chain is .org. It has a DS record, and notice the 21366; remember, that's like the key ID. Then if you ask them for their DNSKEY, asking .org, it'll have a family of keys, and one of these keys matches it. The reason there's a lot of keys is someone might not be using them anymore, or some of them might be planned for the future, which is good advice: if one of your keys gets attacked and it is the one that you use, it would be nice to already have a DNSKEY available so you can begin signing with it. This is important again because, while 900 seconds is not very long, with your time to live these things are cached, so you have to plan ahead of time, for the children.

So going further down the chain, it goes on and on, and in this case we have a DS with 12892, but then we have DNSKEYs, and also the same key ID 12892, so you're going to the child that has it and ask for that. Now this next slide is a bad example, because the parent and the child are served from the exact same server, so when you ask it, it's not giving you the in-between hops, the in-between delegation; it's just going to give you the answer. So my point is we have a signature, and the key that was used to sign it was 3947, but it is not associated with the parent that I asked previously. So in this case you would figure this out: we see this on the full name, it's four labels, and this one has 3 labels; this is the bind...isc.org name that was the signer of it. So you can ask it for its DNSKEY, and you'll get the key. The validator does all the steps for you. 20 minutes left.

So the results you get from the validation: if there's trust data, if there's a chain of trust and everything checks with the signatures and the DNSKEYs match the DS in the parent and all the signatures are verified, then that's called verifiably secure, and it can be marked with the authenticated data bit. It might be considered verifiably insecure: you have a reason, you verified, you have a reason for the other trust anchor, the chain of trust, you have proof that they're not providing the DS. I won't talk about that here, but if you have some way to prove it, one way is NSEC3, where you can opt things out; with other DNSSEC, I mean, you have some proof that proves that it doesn't exist, using NSEC for example. Or if you simply don't have a chain of trust. Now in the case where the chain of trust is broken and it's supposed to be there, then you get what's called bogus. But bogus has so many different reasons: it could be an expired signature, an unsupported algorithm, some missing data, something is missing, the NSEC that should have been there; it may be a mistake, corruption, it might be somebody spoofing, it might be an attack. There's so many different reasons, but sadly the only response you get from the answer is a SERVFAIL. So from the administrator's point of view it's harder to troubleshoot, and from the end user's point of view I'd say it's impossible, unless they have some tools that do it for them. Then I mentioned invisible subdomains, for example. At this time there is no easy way for the resolver to report specific failure reasons; I believe there's some drafts to extend this so that resolvers have a way to report the specific reasons. Right, so you want to set up
SEC. But luckily Unbound and BIND 9 are EDNS capable. Make sure your network, and even upstreams or whatever, don't squash the EDNS0 traffic. Remember I mentioned it is 10 years old and most devices handle it. Also you don't want them to squash other related traffic; like, I've seen many devices where you do a query for DNSKEY and the device will lock up, it just won't even respond, could be that it doesn't know what to do, and so this is common. Also there is an increase in traffic size: there would be a lot more requests and a lot larger responses. There's a lot more requests if it's not cached already, to build that trust chain. For high-volume DNS traffic, prepare for increased bandwidth needs. At this time most people are not hitting any type of problems with the resolvers, as far as using up their disk space or using up the traffic or memory, but if you're a larger validator, let's say Comcast or something like that, yes, they're hitting their limits and they have to roll out new validators all the time, and so they should be prepared. I think a good rule of thumb is to plan for 10 times more traffic and 10 times larger zone files, but when I say traffic, it depends on how you set the TTLs and things like that; but that's a one-time hit and it's not going to be continuous. Another thing is DNSSEC is sensitive to time issues. It can be a little off, so if it's within an hour it should be fine, and if you set up the tools to manage re-signing the signatures, if you sign, say, 10 days in advance, then you have a lot of leeway. But if your system clocks are easily off, you may find that there is a bootstrapping problem: if you want to use NTP when you first start up your system, how are you going to get that information if you don't have DNSSEC? So that's the bootstrapping issue. So using
BIND 9 as the example: dnssec-enable is already on by default, and validation is also already on by default in all of the current stable versions. There is also a way to trigger it on and off using the rndc tool: validation on, validation off. So these are enabled by default, but just because they're enabled by default doesn't mean any of you are doing validation. Now, the very first step is you need to have a trust anchor, and so if you have not configured a trust anchor manually, then it'll stop there. So BIND 9 does include a trust anchor, and if you wanted you could copy and paste it into your named.conf file, or you just use the syntax here, dnssec-validation auto, and it will use what's called RFC 5011 updates: it'll manage this in an automated manner, it'll try to keep it up to date. And I don't know anything about the rollovers, or if one has even happened yet, but look at that later. Also you could use an alternative called the DLV, DNSSEC lookaside validation. This is what we use for testing; we might use it in real production, not properly Internet real production, but in your offices or with your customers. What it does is it provides a way to look someplace else: you've looked at your parent, they don't have the information, so let's look someplace else, and they serve a record called the DLV record, which is just like the DS record, so a parallel provides a hash. And there's several services that would provide a DLV; ISC does provide one, and I don't know how many people we have in there, there might be over a thousand or a couple thousand. And so it's a good way for you guys to start testing, if you wanted to use ISC's DLV, before you can convince your parents to publish your DS records and put them in place. Testing validation: the first thing to note is once your trust anchors are in place, if you do a query, regardless of using DNSSEC, your validator might already have it enabled and it does the validation. But if you want to do it from the command line, you can use the +dnssec
flag, and then this answer came back: it has an extra flag, in this case the AD, authenticated data. And I mentioned also earlier you can disable the checking by using CD; if you get SERVFAIL back, try it with CD, and with CD applied you get the information. Cruising along, a lot of information to cover here. Enabling it on the server side: it's already enabled by default, it's ready to go. If someone sends a query with the DO bit set, saying they want DNSSEC traffic, your BIND servers are already ready to go; if your BIND server has signatures it's going to send them. One important note: make sure your secondaries also have it enabled and supported. I have seen this be a real problem: if you have a DS in the parent saying yes, this is signed, but then all your secondaries don't provide the information, then you return SERVFAILs and make it invisible. So make sure your secondaries support it; test all of it. So here's the
fun part: the real problems in the world. I've been around DNSSEC and troubleshooting it for around four years; I see different situations and troubleshoot as much as I can, but then there's also mailing lists where people point out whenever they see problems. It's interesting, and there's a variety of different reasons, but let's go through these very quickly. A signing tool had a bug, so the new signatures were not published, or the expiration dates; they lost the DNSKEY set, or they lost the DNSKEY for whoever was validating, it expired; they had a known failure so they turned off the monitoring, then the real thing came along and they didn't notice it. An IPv6 typo; then a mismatch between the DS and the DNSKEY. .gov had signatures expiring; .kg and .th had start times in the future and had to do some adjustments: use the tools correctly, they should use UTC time, something was off, so they started serving, so validators that were set up, they would lose everything. The thing is, now there's not a lot of zones using DNSSEC, so it doesn't hurt a lot of people, but potentially it can be really bad. .us expired signatures: the key management system was automated but removed the old key from use, but they never re-signed the records previously signed with it, and so what happened is the caches had a mismatch between the signatures and the keys. The
UK had a similar thing: a failure in their hardware security module, and so it failed over to an alternative way to do the signing, with a different signing key, so that's a mismatch. Now UK, another mismatch in their failover. And then Mozilla: one part was signed but mozilla.org was not signed yet, so they published in the wrong order, and so DNSSEC implementers, they can't get to mozilla.org, as an example. In these examples I didn't put the time, but on these things, say you're using somebody else's validator and the time to live was two days: you're out, you can't get there, you're out for a lot less than that if you know what to do, the switchover, but for a regular user they would have no idea where to even begin; they'd call the ISP, they wouldn't know. It's pretty tough. Now some more
examples: .gov. This is a real important one. .gov, when they first started, they shared the keys to many people who manually configured them; at one place they had gone, and some government rules were that everybody had to deploy .gov, but it wasn't in the root, and so everybody in .gov had configured it in their validators manually. So then they start rolling keys and yes, it's breaking things; this is all manual versus automated. .us: some crypto errors generating signatures. A DS was provided based on a key that wasn't even available via DNS. Anyway, a whole onslaught of .gov sites have had problems over the past couple of years. NASA signed with an old key. ISC had some
problems too: we overlooked some reported errors, and so a mailing list server expired, and that's a list used by people playing with DNSSEC, and so they all noticed it. Also some implementations of validators, checking all the DNSKEYs but also checking the DS records, it was so exhaustive and aggressive that in certain scenarios, we call it the "roll over and die", it is an amplification attack: over 40 thousand requests for a single query under their control. And also in some cases, like when .net introduced new DNS, sorry, DS records, it caused validation problems until the cache had expired. So some of these are protocol related, but a learning experience. But we're not the only
ones. So just to summarize, these are common problems: automated maintenance program failures not detected; a DS that doesn't match the DNSKEY; signatures expired; signatures that haven't even reached their start time yet; slave servers not knowing DNSSEC; failover systems using different keys that weren't published yet; the zone signed with a different key, but the key is not available; and then, to the public, the last point here is important: time to lives versus expirations. So you might have signatures expire, but if the time to live is a lot longer, it's cached for a long time, and the whole validator wait time, now if the expiration time... So, very quickly, the command line tools: dnssec-keygen, dnssec-signzone, dnssec-settime, dnssec-revoke, dnssec-dsfromkey, dnssec-keyfromlabel, nsec3hash. I won't be covering all of these. dnssec-settime itself is something used by administrators, not part of the protocol, but it is to help manage things. The two tools you use for playing around: dnssec-keygen and dnssec-signzone.
And from the server side, without the tools, some of the features: you could add keys via dynamic DNS; also, adding records via dynamic DNS, it can sign those on the fly; also, depending on the keys you provided, it can sign the entire zone via dynamic DNS. We provide DLV, the alternative trust anchor I mentioned; RFC 5011 support; also we have support for different crypto hardware, hardware security modules, HSMs. Now we have automatic re-signing on expiration of dynamic signatures, so it doesn't wait until it expires but can do it ahead of time; publishing and removal of new and old keys; it randomizes or scales signature regeneration over time. This is important: say you have a hundred that expire at the exact same time; BIND 9 will look at it and start re-signing those, scaled or randomized over time, so they all get done before it's needed; you don't want it to re-sign everything at the same moment, that's a lot of work. We have
the inline signing support: it can automatically sign and re-sign zones that you maintain with other tools, the other tools you already use that don't know anything about DNSSEC, so you could use the online signing to do this for you. And also, let's say you bring in a zone as a secondary; you can use online signing to sign it for you, and so it's a nice way to deploy DNSSEC without learning it first. So I mentioned dnssec-keygen generates the keys, a private and a public; it generates local files, so you should get into a policy of maybe having different directories for every single zone; a lot of people already do that; that is the way to clearly manage it. And just
very quickly, you run the dnssec-keygen tool; you can forget about the options here, but you tell it the zone, the name of the zone; it creates the keys. And so we have the original zone file, very small; we have a couple of keys here, and you can see, looking at the public key, this is the key that you would put in the file to start publishing, and you
could put it in the file. Also, that's one slide ahead. So then you also will create a key that will be used for that DS record, and this is not used for all of your individual signatures but only for what's called the apex of the zone. And this is, again, only for management; validators don't care about this. But let's say you want to change the key for all of your zone's records; well, you wouldn't want that to be the same key that was used in your parent's published DS, because then you have to work with them and change at the same time. Now, if it should apply
correctly. So I'll go for one more minute. All the /dev/random devices are adequate; on some devices it takes so long that I just use /dev/urandom. But there's something to consider here: randomness devices. Then the algorithm choice: this is from the surveys, so you can see the algorithm choices, or the key lengths, used by the TLDs that exist right now that are signed. And so, an easy way to do it: you can use the $INCLUDE macro to load them in, or just manually put that DNSKEY into your zone. So that's the first step; the second
step is to run the dnssec-signzone tool. It'll increment the SOA serial, it increases it for you; you tell it the name of the zone; it creates new files: a dsset file, and the dsset is what you give your parent; and you have your zone file with the extension .signed. The original file was 2 thousand bytes and this new file is 24 thousand. In
your zone configuration, well, if you just have the file pointed to your previous one, in my case I'm setting it so it would be the signed version, so I give it that new file name. And so, see, just a few steps, very easy to do. At this time you could do an rndc reload with the zone name, or, you know, restart the name server if you wanted. And if it isn't working, you start
troubleshooting. And finally the DS records: this is what it looks like; again, you share this with your parents; there's no standard mechanism yet for sharing with your parents. Well, no time, so let me just quickly look. Yeah, so very quickly here: now I have SERVFAIL, I don't know what to
do, so I could query again using the
CD flag. I get the information, so even though the validator failed, CD allows you to still get the information, like the signature; in this case you see the date, it had already expired. It's just an example; I did this just for fun for testing. I have another thing:
from an administrator's point of view there is very, very verbose logging; after a
flush, one lookup: 104 lines of logging. But the thing is, that doesn't help anybody except the administrator, and so Comcast, for example, has reports every single week now of validation problems, so it's interesting to point out to them.
Is it complex to implement? Yes, but you could implement something basic, confidently, in 20 minutes. It has a very steep learning curve, but if you use the defaults, again, it should be easy to do an initial deployment. The resource requirements are not significant, unless you're extremely close to your peak right now. But there's several
RFC documents about it you might want to look at: RFC 4641, or the draft that is replacing the operational practices. I'm out of time. I had a bunch of tcpdump output to show one more example of that, if anybody wants to look at it. Or does anybody have any questions at this time? But yes, I could put them online. Any other questions? OK, so
or something; in the long run you might want to, but in the short term you might get around it by just creating the keys only and then using that bump-in-the-wire service. And you
know, it's all... Yeah, we have a BIND version there; FreeBSD's is an alternative. This example is very short and
quick: run dnssec-keygen twice, one for your own keys in your own zone, then one for the key for the chain of trust, for the DS. Then in named.conf there's two more entries here: inline-signing yes, auto-dnssec maintain. Once that's enabled, boom, it'll sign. And you know, you may have journal files before, for doing dynamic updates; it is the same concept as a journal file, a separate zone file that it keeps in sync with your original. Does that answer your question? In others, yeah. Without the DS record, yeah, well, there's no chain created yet until the parent has the DS record, so you can set up DNSSEC all you want; the chain only exists when the DS record is there, and so it doesn't break; it is just that if the DS record got removed it would break. And so you could just go without it, yes. And one way to test again is using the DLV, or, I did show an example here, manually pasting your DNSKEY into your named.conf file on your validator, so you can have a beginning trust anchor. Any other questions? Who will try to deploy DNSSEC within the next year? Cool, cool. And feel free to ask as many questions as you want, or use the mailing list for doing that; there's a lot of helpful people that could help you out troubleshooting. Thank you so much for listening to my presentation.
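The failure modes the talk keeps returning to (a DS that does not match the DNSKEY, expired or not-yet-valid signatures, and signatures whose expiration falls inside the TTL that caches may still hold the RRset for) can all be checked mechanically. The following is an added example written for this page, not code from the talk or from BIND; it needs only Python 3, computes the key tag and DS digest as RFC 4034 specifies them, and uses constructed sample values throughout (a dummy 4-byte public key, made-up RRSIG dates, and a one-hour clock margin that is an assumption taken from the speaker's "within an hour should be fine").

```python
"""Checks for DNSSEC operational failures: DS/DNSKEY mismatch, RRSIG
validity window, and signatures that expire inside the RRset TTL.
Added example; key tag and DS digest follow RFC 4034 (Appendix B and
section 5). All sample values below are constructed."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def wire_name(name):
    """Owner name in DNS wire format: length-prefixed lowercase labels plus
    the root terminator; this is what the DS digest is computed over."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags (256 = ZSK, 257 = KSK), protocol (always 3),
    algorithm number, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum of the DNSKEY RDATA that
    DS and RRSIG records use to say which DNSKEY they refer to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), uppercase hex."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner, rdata, digest_type=2):
    """Presentation-format DS line the child hands to its parent
    (the content dnssec-signzone writes into its dsset- file)."""
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type,
                                     ds_digest(owner, rdata, digest_type))


def ds_matches(owner, rdata, ds):
    """True when the parent's DS (key_tag, algorithm, digest_type, digest)
    commits to this DNSKEY. False is the 'DS does not match DNSKEY' case
    from the talk, which validators turn into SERVFAIL."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest.upper() == ds_digest(owner, rdata, dtype))


def parse_rrsig_time(s):
    """RRSIG inception/expiration in presentation format YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig_window(inception, expiration, ttl, now, margin=timedelta(hours=1)):
    """Classify an RRSIG's validity window as a validator sees it.

    RFC 4035 accepts a signature only while inception <= now <= expiration.
    margin is the clock slack assumed here (the talk: within an hour is fine);
    a window that closes within ttl + margin is flagged because caches can
    still hold the RRset when the signature goes bogus (the talk's
    'TTL versus expiration' problem), so it should be re-signed now.
    """
    if now < inception:
        return "not yet valid"       # start time in the future (clock or tool error)
    if now > expiration:
        return "expired"
    if expiration - now < timedelta(seconds=ttl) + margin:
        return "expires within TTL"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a KSK for example.com with a dummy 4-byte public key.
    ksk = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
    print(ds_record("example.com.", ksk))
    inc, exp = parse_rrsig_time("20120501000000"), parse_rrsig_time("20120531000000")
    for when in ("20120415000000", "20120515000000", "20120529233000", "20120602000000"):
        print(when, check_rrsig_window(inc, exp, 86400, parse_rrsig_time(when)))
```

Run it directly to print the DS line and the window classification for the constructed sample. Because the key tag and digest are the RFC 4034 computation, the same one dnssec-dsfromkey performs, comparing `ds_record()` output for your real DNSKEY against the DS your parent actually publishes is the quickest way to rule out the mismatch cases listed in the talk, and `check_rrsig_window()` applied to the RRSIGs dig returns (with +dnssec) catches the expiry and future-start-time cases before validators start returning SERVFAIL.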

Metadata

Formal metadata

Title Intro to DNSSEC
Series title The Technical BSD Conference 2012
Author Reed, Jeremy C.
License CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You may use, modify, and reproduce, distribute, and make publicly available the work or its content, in unchanged or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, including in modified form, only under the terms of this license.
DOI 10.5446/19518
Publisher Berkeley System Distribution (BSD), Andrea Ross
Publication year 2012
Language English

Content metadata

Subject area Computer science
Abstract This presentation will introduce the DNS Security Extensions which extend standard DNS to add resource records and algorithms to provide source authentication. We will cover the need, signing, validating, and troubleshooting DNSSEC signed zones. The presentation will also introduce EDNS0, new resource records, and DNSSEC related tools. Some examples will be shown using ISC BIND.
