SlideShare a Scribd company logo

Deploying DNSSEC at Scale

C
Caitlin Magat

The document discusses DNSSEC and how Cloudflare implements it at scale. It covers how Cloudflare uses Elliptic Curve cryptography to keep DNSSEC signatures small, allowing it to mitigate DNS amplification attacks. It also describes how Cloudflare generates negative DNS responses for non-existent domains using NSEC records while remaining efficient at very large query volumes.

Technology
1 of 39
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
<YOUR COURSE NAME HERE> Deploying DNSSEC at Scale
Today’s Speakers 2 •Matt Bromiley – SANS Instructor & Incident Responder •Dani Grant – Cloudflare product manager, responsible for Cloudflare’s web portal and core DNS product
•The Importance of Elliptic Curves •A Unique Approach to Negative Answers •Wrap-Up •Q&A Today’s Agenda 3
Cloudflare DNS
Cloudflare DNS ● 6M+ domains, 120K with DNSSEC ● 100+ billion DNS queries daily ● ~20M DNSSEC signed queries daily
Without DNSSEC: TLDR; How DNSSEC Works Query for A record: With DNSSEC: A A A A A RRSIG
DNSSEC at Scale 1. The Importance of Elliptic Curves 2. A Unique Approach To Negative Answers
Elliptic Curves
Background ● CloudFlare mitigates large DDoS attacks (often 500+ Gbps) ● DDoS is sometimes done through DNS amplification (small DNS query returns large DNS answer) ● Signed zones with large signature sizes are good for attackers doing amplification attacks
Elliptic Curves: Small Packet Size ● CloudFlare uses ECDSA to keep key and signature sizes small ● Almost all DNS answers CloudFlare returns are < 512 bytes, even with DNSSEC
Why does ECDSA have smaller key sizes?
Energy to break 228 bit RSA key vs. 228 bit ECDSA key RSA: Energy to boil a teaspoon of water
RSA: same as boiling a teaspoon of water ECDSA: boiling all the water on earth Energy to break 228 bit RSA key vs. 228 bit ECDSA key
Comparing DNSKEY Answers ietf.org. 985 IN DNSKEY 256 3 5 AwEAAdDECajHaTjfSoNTY58WcBah1BxPKVIHBz4IfLjfqMvium4lgKtK ZLe97DgJ5/NQrNEGGQmr6fKvUj67cfrZUojZ2cGRizVhgkOqZ9scaTVX NuXLM5Tw7VWOVIceeXAuuH2mPIiEV6MhJYUsW6dvmNsJ4XwCgNgroAmX hoMEiWEjBB+wjYZQ5GtZHBFKVXACSWTiCtddHcueOeSVPi5WH94Vlubh HfiytNPZLrObhUCHT6k0tNE6phLoHnXWU+6vpsYpz6GhMw/R9BFxW5Pd PFIWBgoWk2/XFVRSKG9Lr61b2z1R126xeUwvw46RVy3hanV3vNO7LM5H niqaYclBbhk= ietf.org. 985 IN DNSKEY 257 3 5 AwEAAavjQ1H6pE8FV8LGP0wQBFVL0EM9BRfqxz9p/sZ+8AByqyFHLdZc HoOGF7CgB5OKYMvGOgysuYQloPlwbq7Ws5WywbutbXyG24lMWy4jijlJ UsaFrS5EvUu4ydmuRc/TGnEXnN1XQkO+waIT4cLtrmcWjoY8Oqud6lDa Jdj1cKr2nX1NrmMRowIu3DIVtGbQJmzpukpDVZaYMMAm8M5vz4U2vRCV ETLgDoQ7rhsiD127J8gVExjO8B0113jCajbFRcMtUtFTjH4z7jXP2ZzD cXsgpe4LYFuenFQAcRBRlE6oaykHR7rlPqqmw58nIELJUFoMcb/BdRLg byTeurFlnxs= ietf.org. 985 IN RRSIG DNSKEY 5 2 1800 20170213210526 20160214200831 45586 ietf.org. lv7deO/DZ+5Q6mZa9NsT4QQ7ibFU5s73yv7+gHoRyhis/3JmsMy8NIA9 7xoQcYhw1kYNqIgJYZ39XbKcmLyxVG9lzIMFcJOWcWA7QZQ8dW7IbQ4Z /jm8tuoXWWCmO9m1MgSwYfpuPz6IELh8czNylHuG+RZJn1t31wIOnet/ xUDrM5btKotJFeYKAEyVPiuC5N3+R3icd8U96lS1ybKCkXVzbcaDMBNe r21/avPL7ympHeDiR4ubSTJ4xHr0pg5wCusZS0VRrKMPZrYrW/XW1gWl qRIyY/i4rxl9xyaBiP39eD7B7JvyyRTJObsnjpdd1blchM+DLLzl/7q1 y/vFXw== ietf.org. 985 IN RRSIG DNSKEY 5 2 1800 20170213210642 20160214200831 40452 ietf.org. J3FK20+dp6Dy8QnDE4xlv9LJroKfrYQIa4i+ymYWulZqL0GQhEIkkfLb vyjMrNoVPhKjzNiBobFZDgjhFBDur9GONuWMkM4isBc4gBAKgNrirmh7 963HJ+ngsgHsfRTUHp27ISTgPw/SaxrUOz5JJJytNvr6eTiIsKHgtpaP Xn44E210XQd5ak71//xY2/yCNJHjN3zH41Z0ipDG8UlITWzScFRZcEA+ 9frDMBwiv7M9CBbOBeMNDAZXXa6JjkuASROmNIu8mU2XRa+Q8yDnYfF1 1r7JrdASF+zLIrxBX0HHjWtCjn+GvEoPDDTDN6J9oDHlmt8WH6Tmt57h oIuC+g== cloudflare.com. 3574 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== cloudflare.com. 3574 IN DNSKEY 256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g== cloudflare.com. 3574 IN RRSIG DNSKEY 13 2 3600 20160310040015 20160110040015 2371 cloudflare.com. kgH/IAYN5endrnFAfJsNZPJHQvcYXqOLHDgrkhMXwvVJzyac/892fFwa r5jo6u/57JnMJTCGF3P+YHmLiBKE1w== RSA: 1181 bytes ECDSA: 313 bytes
ECDSA is fast ...important when you are computing 56.9 billion signatures a day.
Speeding up ECDSA in Go ● Native implementation in assembly (by Vlad Krasnov) ● 21x speed improvements ● Now part of standard Go crypto library as of Go 1.6 ● Takes CloudFlare 0.0001 seconds to sign a DNS record Before After Speedup ECDSA Sign 1,015,006 ns/op 48,741 ns/op 20.8x ECDSA Verify 3,086,282 ns/op 146,991 ns/op 21.0x
Negative Answers
What goes into an NXDOMAIN negative answer w/ DNSSEC?
dig bogus.ietf.org +dnssec
ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 SOA
ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== SOA SOA RRSIG
ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC SOA SOA RRSIG NSEC
ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC SOA SOA RRSIG NSEC bogus.ietf.org is between these two names
ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1062 IN RRSIG NSEC 5 4 1800 20170308083322 20160308073501 40452 ietf.org. NxmjhCkTtoiolJUow/OreeBRxTtf2AnIPM/r2p7oS/hNeOdFI9tpgGQY g0lTOYjcNNoIoDB/r56Kd+5wtuaKT+xsYiZ4K413I+cmrNQ+6oLT+Mz6 Kfzvo/TcrJD99PVAYIN1MwzO42od/vi/juGkuKJVcCzrBKNHCZqu7clu mU3DEqbQQT2O8dYIUjLlfom1iYtZZrfuhB6FCYFTRd3h8OLfMhXtt8f5 8Q/XvjakiLqov1blZAK229I2qgUYEhd77n2pXV6SJuOKcSjZiQsGJeaM wIotSKa8EttJELkpNAUkN9uXfhU+WjouS1qzgyWwbf2hdgsBntKP9his 9MfJNA== SOA SOA RRSIG NSEC NSEC RRSIG
ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1062 IN RRSIG NSEC 5 4 1800 20170308083322 20160308073501 40452 ietf.org. NxmjhCkTtoiolJUow/OreeBRxTtf2AnIPM/r2p7oS/hNeOdFI9tpgGQY g0lTOYjcNNoIoDB/r56Kd+5wtuaKT+xsYiZ4K413I+cmrNQ+6oLT+Mz6 Kfzvo/TcrJD99PVAYIN1MwzO42od/vi/juGkuKJVcCzrBKNHCZqu7clu mU3DEqbQQT2O8dYIUjLlfom1iYtZZrfuhB6FCYFTRd3h8OLfMhXtt8f5 8Q/XvjakiLqov1blZAK229I2qgUYEhd77n2pXV6SJuOKcSjZiQsGJeaM wIotSKa8EttJELkpNAUkN9uXfhU+WjouS1qzgyWwbf2hdgsBntKP9his 9MfJNA== SOA SOA RRSIG NSEC NSEC RRSIG I ran out of space, continuing on the next page
SOA RRSIG NSEC NSEC RRSIG SOA
ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF NSEC SOA RRSIG NSEC NSEC RRSIG SOA
ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF NSEC SOA RRSIG NSEC NSEC RRSIG SOA *.ietf.org would exist between these names
ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF ietf.org. 1062 IN RRSIG NSEC 5 2 1800 20170308083303 20160308073501 40452 ietf.org. homg5NrZIKo0tR+aEp0MVYYjT7J/KGTKP46bJ8eeetbq4KqNvLKJ5Yig ve4RSWFYrSARAmbi3GIFW00P/dFCzDNVlMWYRbcFUt5NfYRJxg25jy95 yHNmInwDUnttmzKuBezdVVvRLJY3qSM7S3VfI/b7n6++ODUFcsL88uNB V6bRO6FOksgE1/jUrtz6/lEKmodWWI2goFPGgmgihqLR8ldv0Dv7k9vy Ao1uunP6kDQEj+omkICFHaT/DBSSYq59DVeMAAcfDq2ssbr4p8hUoXiB tNlJWEubMnHi7YmLSgby+m8b97+8b6qPe8W478gAiggsNjc2gQSKOOXH EejOSA== NSEC SOA RRSIG NSEC NSEC RRSIG SOA NSEC RRSIG
NSEC SOA RRSIG NSEC NSEC RRSIG SOA NSEC RRSIG for the previous and next name for the wildcard
ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1062 IN RRSIG NSEC 5 4 1800 20170308083322 20160308073501 40452 ietf.org. NxmjhCkTtoiolJUow/OreeBRxTtf2AnIPM/r2p7oS/hNeOdFI9tpgGQY g0lTOYjcNNoIoDB/r56Kd+5wtuaKT+xsYiZ4K413I+cmrNQ+6oLT+Mz6 Kfzvo/TcrJD99PVAYIN1MwzO42od/vi/juGkuKJVcCzrBKNHCZqu7clu mU3DEqbQQT2O8dYIUjLlfom1iYtZZrfuhB6FCYFTRd3h8OLfMhXtt8f5 8Q/XvjakiLqov1blZAK229I2qgUYEhd77n2pXV6SJuOKcSjZiQsGJeaM wIotSKa8EttJELkpNAUkN9uXfhU+WjouS1qzgyWwbf2hdgsBntKP9his 9MfJNA== ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF ietf.org. 1062 IN RRSIG NSEC 5 2 1800 20170308083303 20160308073501 40452 ietf.org. homg5NrZIKo0tR+aEp0MVYYjT7J/KGTKP46bJ8eeetbq4KqNvLKJ5Yig ve4RSWFYrSARAmbi3GIFW00P/dFCzDNVlMWYRbcFUt5NfYRJxg25jy95 yHNmInwDUnttmzKuBezdVVvRLJY3qSM7S3VfI/b7n6++ODUFcsL88uNB V6bRO6FOksgE1/jUrtz6/lEKmodWWI2goFPGgmgihqLR8ldv0Dv7k9vy Ao1uunP6kDQEj+omkICFHaT/DBSSYq59DVeMAAcfDq2ssbr4p8hUoXiB tNlJWEubMnHi7YmLSgby+m8b97+8b6qPe8W478gAiggsNjc2gQSKOOXH EejOSA== 1096 BYTES!!
Problems with negative answers @ scale 1. Requires authoritative server to return previous and next name a. Expensive $$$ 2. Large answers a. Big answers = slow answers, and reflection attack bait
Cloudflare “Black Lies” for NXDOMAIN ● The next name is always 000.[themissingname] ● One NSEC per answer cloudflare.com. 1799 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2020905521 10000 2400 604800 3600 bogus.cloudflare.com. 3599 IN NSEC 000.bogus.cloudflare.com. RRSIG NSEC cloudflare.com. 1799 IN RRSIG SOA 13 2 86400 20160309213638 20160307193638 35273 cloudflare.com. mgx1FncjVdOpWhMOqm6+kcPBi/6zC8LF00ccG3DA1RNiI6hXmrqnFiUg dsngBT3VYo0+8AsZ1l0vJiopCdNoTw== bogus.cloudflare.com. 3599 IN RRSIG NSEC 13 3 3600 20160309213638 20160307193638 35273 cloudflare.com. 8nbevvyI/RsSjunQzjlPkIHphiAOu5gti+aj2ucBx3Nhc7cnaHtJbJ5C dFrOF7eoZuPeiegf0KTtMyhAYp3tWQ==
Comparing Negative Answers ietf.org. 1799 IN SOA ns0.amsl.com. glen.amsl.com. 1200000317 1800 1800 604800 1800 ietf.org. 1799 IN RRSIG SOA 5 2 1800 20170213210533 20160214200831 40452 ietf.org. P8XoJx+SK5nUZAV/IqiJrsoKtP1c+GXmp3FvEOUZPFn1VwW33242LVrJ GMI5HHjMEX07EzOXZyLnQeEvlf2QLxRIQm1wAnE6W4SUp7TgKUZ7NJHP dgLr2gqKYim4CI7ikYj3vK7NgcaSE5jqIZUm7oFxxYO9/YPz4Mx7COw6 XBOMYS2v8VY3DICeJdZsHJnVKlgl8L7/yqrL8qhkSW1yDo3YtB9cZEjB OVk8uRDxK7aHkEnMRz0LODOJ10AngJpg9LrkZ1CO444RhZGgTbwzN9Vq rDyH47Cn3h8ofEOJtYCJvuX5CCzaZDInBsjq9wNAiNBgIQatPkNriR77 hCEHhQ== ietf.org. 1799 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF ietf.org. 1799 IN RRSIG NSEC 5 2 1800 20170213210816 20160214200831 40452 ietf.org. B9z/JJs30tkn0DyxVz0zaRlm4HkeNY1TqYmr9rx8rH7kC32PWZ1Fooy6 16qmB33/cvD2wtOCKMnNQPdTG2qUs/RuVxqRPZaQojIVZsy/GYONmlap BptzgOJLP7/HOxgYFgMt5q/91JHfp6Mn0sd218/H86Aa98RCXwUOzZnW bdttjsmbAqONuPQURaGz8ZgGztFmQt5dNeNRaq5Uqdzw738vQjYwppfU 9GSLkT7RCh3kgbNcSaXeuWfFnxG1R2SdlRoDICos+RqdDM+23BHGYkYc /NEBLtjYGxPqYCMe/7lOtWQjtQOkqylAr1r7pSI2NOA9mexa7yTuXH+x o/rzRA== www.apps.ietf.org. 1799 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1799 IN RRSIG NSEC 5 4 1800 20170213210614 20160214200831 40452 ietf.org. U+hEHcTps2IC8VKS61rU3MDZq+U0KG4/oJjIHVYbrWufQ7NdMdnY6hCL OmQtsvuZVRQjWHmowRhMj83JMUagxoZuWTg6GuLPin3c7PkRimfBx7jI wjqORwcuvpBh92A/s/2HXBma3PtDZl2UDLy4z7wdO62rbxGU/LX1jTqY FoJJLJfJ/C+ngVMIE/QVneXSJkAjHV96FSEnreF81V62x9azv3AHo4tl qnoYvRDtK+cR072A5smtWMKDfcIr2fI11TAGIyhR55yAiollPDEz5koj BfMstC/JXVURJMM+1vCPjxvwYzTZN8iICf1AupyyR8BNWxgic5yh1ljH 1AuAVQ== cloudflare.com. 1799 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2020742566 10000 2400 604800 3600 blog.cloudflare.com. 3599 IN NSEC 000.blog.cloudflare.com. RRSIG NSEC cloudflare.com. 1799 IN RRSIG SOA 13 2 86400 20160220230013 20160218210013 35273 cloudflare.com. kgjtJDuuNC/yX8yWQpol4ZUUr8s8yAXZi26KWBI6S3HDtry2t6LnP1ou QK10Ut7DXO/XhyZddRBVj3pIpWYdBQ== blog.cloudflare.com. 3599 IN RRSIG NSEC 13 3 3600 20160220230013 20160218210013 35273 cloudflare.com. 8BKAAS8EXNJbm8DxEI1OOBba8KaiimIuB47mPlteiZf3sVLGN1edsrXE +q+pHaSHEfYG5mHfCBJrbi6b3EoXOw== NSEC: 1096 bytes Black Lies: 357 bytes
To Review
To Review Save compute on DNSSEC: ● Small answer sizes utilizing ECDSA ● Auto-generate negative answers
•DNS has inherent vulnerabilities that attackers are taking advantage of – we must mitigate this. •DNSSEC provides a reliable method to secure DNS resolutions. •While DNSSEC is a good idea in theory, implementation must match current DNS 1-to-1. Wrap-Up 37
Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist. Q&A 38
Thanks to Cloudflare! For more questions, contact dani@cloudflare And to our attendees, Thank you for joining us today Acknowledgements 39

More Related Content

PPTX
Finding Evil In DNS Traffic
real_slacker007
 
PPTX
The internet for SEOs by Roxana Stingu
Roxana Stingu
 
PPTX
How to optimise TTFB - BrightonSEO 2020
Roxana Stingu
 
PDF
20190516 web security-basic
MksYi
 
PDF
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
PDF
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
PDF
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
PDF
#NSD15 - Attaques DDoS Internet et comment les arrêter
NetSecure Day
 
Finding Evil In DNS Traffic
real_slacker007
 
The internet for SEOs by Roxana Stingu
Roxana Stingu
 
How to optimise TTFB - BrightonSEO 2020
Roxana Stingu
 
20190516 web security-basic
MksYi
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
FindWhitePapers
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
#NSD15 - Attaques DDoS Internet et comment les arrêter
NetSecure Day
 

Similar to Deploying DNSSEC at Scale (20)

PDF
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
PDF
Bringing Elliptic Curve Cryptography into the Mainstream
Nick Sullivan
 
PDF
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 
PDF
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
PDF
The DNSSEC KSK of the root rolls
Men and Mice
 
PDF
DNSSEC: What a Registrar Needs to Know
laurenrprice
 
PDF
DNSSEC signing Tutorial
Men and Mice
 
PDF
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
Splend
 
PDF
ION Hangzhou - Why Deploy DNSSEC?
Deploy360 Programme (Internet Society)
 
PDF
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
PDF
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
PDF
Hardening the Core of the Internet
RIPE NCC
 
PPTX
Dns security threats and solutions
Frank Victory
 
PPTX
F5's Dynamic DNS Services
F5 Networks
 
PPTX
DNSSEC for Registrars by .ORG & Afilias
ORG, The Public Interest Registry
 
PDF
Introduction DNSSec
AFRINIC
 
PDF
IoT Secure Bootsrapping : ideas
Jean-Baptiste Trystram
 
PDF
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
PDF
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
PDF
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
DNSSEC - Domain Name System Security Extensions
Peter R. Egli
 
Bringing Elliptic Curve Cryptography into the Mainstream
Nick Sullivan
 
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
The DNSSEC KSK of the root rolls
Men and Mice
 
DNSSEC: What a Registrar Needs to Know
laurenrprice
 
DNSSEC signing Tutorial
Men and Mice
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
Splend
 
ION Hangzhou - Why Deploy DNSSEC?
Deploy360 Programme (Internet Society)
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
Hardening the Core of the Internet
RIPE NCC
 
Dns security threats and solutions
Frank Victory
 
F5's Dynamic DNS Services
F5 Networks
 
DNSSEC for Registrars by .ORG & Afilias
ORG, The Public Interest Registry
 
Introduction DNSSec
AFRINIC
 
IoT Secure Bootsrapping : ideas
Jean-Baptiste Trystram
 
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
Ad

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
A Presentation on Artificial Intelligence
memembruh336
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Encapsulation theory and applications.pdf
gurumoop
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Ad

Deploying DNSSEC at Scale

  • 1. <YOUR COURSE NAME HERE> Deploying DNSSEC at Scale
  • 2. Today’s Speakers 2 •Matt Bromiley – SANS Instructor & Incident Responder •Dani Grant – Cloudflare product manager, responsible for Cloudflare’s web portal and core DNS product
  • 3. •The Importance of Elliptic Curves •A Unique Approach to Negative Answers •Wrap-Up •Q&A Today’s Agenda 3
  • 5. Cloudflare DNS ● 6M+ domains, 120K with DNSSEC ● 100+ billion DNS queries daily ● ~20M DNSSEC signed queries daily
  • 6. Without DNSSEC: TLDR; How DNSSEC Works Query for A record: With DNSSEC: A A A A A RRSIG
  • 7. DNSSEC at Scale 1. The Importance of Elliptic Curves 2. A Unique Approach To Negative Answers
  • 9. Background ● CloudFlare mitigates large DDoS attacks (often 500+ Gbps) ● DDoS is sometimes done through DNS amplification (small DNS query returns large DNS answer) ● Signed zones with large signature sizes are good for attackers doing amplification attacks
  • 10. Elliptic Curves: Small Packet Size ● CloudFlare uses ECDSA to keep key and signature sizes small ● Almost all DNS answers CloudFlare returns are < 512 bytes, even with DNSSEC
  • 11. Why does ECDSA have smaller key sizes?
  • 12. Energy to break 228 bit RSA key vs. 228 bit ECDSA key RSA: Energy to boil a teaspoon of water
  • 13. RSA: same as boiling a teaspoon of water ECDSA: boiling all the water on earth Energy to break 228 bit RSA key vs. 228 bit ECDSA key
  • 14. Comparing DNSKEY Answers ietf.org. 985 IN DNSKEY 256 3 5 AwEAAdDECajHaTjfSoNTY58WcBah1BxPKVIHBz4IfLjfqMvium4lgKtK ZLe97DgJ5/NQrNEGGQmr6fKvUj67cfrZUojZ2cGRizVhgkOqZ9scaTVX NuXLM5Tw7VWOVIceeXAuuH2mPIiEV6MhJYUsW6dvmNsJ4XwCgNgroAmX hoMEiWEjBB+wjYZQ5GtZHBFKVXACSWTiCtddHcueOeSVPi5WH94Vlubh HfiytNPZLrObhUCHT6k0tNE6phLoHnXWU+6vpsYpz6GhMw/R9BFxW5Pd PFIWBgoWk2/XFVRSKG9Lr61b2z1R126xeUwvw46RVy3hanV3vNO7LM5H niqaYclBbhk= ietf.org. 985 IN DNSKEY 257 3 5 AwEAAavjQ1H6pE8FV8LGP0wQBFVL0EM9BRfqxz9p/sZ+8AByqyFHLdZc HoOGF7CgB5OKYMvGOgysuYQloPlwbq7Ws5WywbutbXyG24lMWy4jijlJ UsaFrS5EvUu4ydmuRc/TGnEXnN1XQkO+waIT4cLtrmcWjoY8Oqud6lDa Jdj1cKr2nX1NrmMRowIu3DIVtGbQJmzpukpDVZaYMMAm8M5vz4U2vRCV ETLgDoQ7rhsiD127J8gVExjO8B0113jCajbFRcMtUtFTjH4z7jXP2ZzD cXsgpe4LYFuenFQAcRBRlE6oaykHR7rlPqqmw58nIELJUFoMcb/BdRLg byTeurFlnxs= ietf.org. 985 IN RRSIG DNSKEY 5 2 1800 20170213210526 20160214200831 45586 ietf.org. lv7deO/DZ+5Q6mZa9NsT4QQ7ibFU5s73yv7+gHoRyhis/3JmsMy8NIA9 7xoQcYhw1kYNqIgJYZ39XbKcmLyxVG9lzIMFcJOWcWA7QZQ8dW7IbQ4Z /jm8tuoXWWCmO9m1MgSwYfpuPz6IELh8czNylHuG+RZJn1t31wIOnet/ xUDrM5btKotJFeYKAEyVPiuC5N3+R3icd8U96lS1ybKCkXVzbcaDMBNe r21/avPL7ympHeDiR4ubSTJ4xHr0pg5wCusZS0VRrKMPZrYrW/XW1gWl qRIyY/i4rxl9xyaBiP39eD7B7JvyyRTJObsnjpdd1blchM+DLLzl/7q1 y/vFXw== ietf.org. 985 IN RRSIG DNSKEY 5 2 1800 20170213210642 20160214200831 40452 ietf.org. J3FK20+dp6Dy8QnDE4xlv9LJroKfrYQIa4i+ymYWulZqL0GQhEIkkfLb vyjMrNoVPhKjzNiBobFZDgjhFBDur9GONuWMkM4isBc4gBAKgNrirmh7 963HJ+ngsgHsfRTUHp27ISTgPw/SaxrUOz5JJJytNvr6eTiIsKHgtpaP Xn44E210XQd5ak71//xY2/yCNJHjN3zH41Z0ipDG8UlITWzScFRZcEA+ 9frDMBwiv7M9CBbOBeMNDAZXXa6JjkuASROmNIu8mU2XRa+Q8yDnYfF1 1r7JrdASF+zLIrxBX0HHjWtCjn+GvEoPDDTDN6J9oDHlmt8WH6Tmt57h oIuC+g== cloudflare.com. 3574 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== cloudflare.com. 3574 IN DNSKEY 256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g== cloudflare.com. 3574 IN RRSIG DNSKEY 13 2 3600 20160310040015 20160110040015 2371 cloudflare.com. kgH/IAYN5endrnFAfJsNZPJHQvcYXqOLHDgrkhMXwvVJzyac/892fFwa r5jo6u/57JnMJTCGF3P+YHmLiBKE1w== RSA: 1181 bytes ECDSA: 313 bytes
  • 15. ECDSA is fast ...important when you are computing 56.9 billion signatures a day.
  • 16. Speeding up ECDSA in Go ● Native implementation in assembly (by Vlad Krasnov) ● 21x speed improvements ● Now part of standard Go crypto library as of Go 1.6 ● Takes CloudFlare 0.0001 seconds to sign a DNS record Before After Speedup ECDSA Sign 1,015,006 ns/op 48,741 ns/op 20.8x ECDSA Verify 3,086,282 ns/op 146,991 ns/op 21.0x
  • 18. What goes into an NXDOMAIN negative answer w/ DNSSEC?
  • 20. ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 SOA
  • 21. ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== SOA SOA RRSIG
  • 22. ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC SOA SOA RRSIG NSEC
  • 23. ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC SOA SOA RRSIG NSEC bogus.ietf.org is between these two names
  • 24. ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1062 IN RRSIG NSEC 5 4 1800 20170308083322 20160308073501 40452 ietf.org. NxmjhCkTtoiolJUow/OreeBRxTtf2AnIPM/r2p7oS/hNeOdFI9tpgGQY g0lTOYjcNNoIoDB/r56Kd+5wtuaKT+xsYiZ4K413I+cmrNQ+6oLT+Mz6 Kfzvo/TcrJD99PVAYIN1MwzO42od/vi/juGkuKJVcCzrBKNHCZqu7clu mU3DEqbQQT2O8dYIUjLlfom1iYtZZrfuhB6FCYFTRd3h8OLfMhXtt8f5 8Q/XvjakiLqov1blZAK229I2qgUYEhd77n2pXV6SJuOKcSjZiQsGJeaM wIotSKa8EttJELkpNAUkN9uXfhU+WjouS1qzgyWwbf2hdgsBntKP9his 9MfJNA== SOA SOA RRSIG NSEC NSEC RRSIG
  • 25. ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1062 IN RRSIG NSEC 5 4 1800 20170308083322 20160308073501 40452 ietf.org. NxmjhCkTtoiolJUow/OreeBRxTtf2AnIPM/r2p7oS/hNeOdFI9tpgGQY g0lTOYjcNNoIoDB/r56Kd+5wtuaKT+xsYiZ4K413I+cmrNQ+6oLT+Mz6 Kfzvo/TcrJD99PVAYIN1MwzO42od/vi/juGkuKJVcCzrBKNHCZqu7clu mU3DEqbQQT2O8dYIUjLlfom1iYtZZrfuhB6FCYFTRd3h8OLfMhXtt8f5 8Q/XvjakiLqov1blZAK229I2qgUYEhd77n2pXV6SJuOKcSjZiQsGJeaM wIotSKa8EttJELkpNAUkN9uXfhU+WjouS1qzgyWwbf2hdgsBntKP9his 9MfJNA== SOA SOA RRSIG NSEC NSEC RRSIG I ran out of space, continuing on the next page
  • 27. ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF NSEC SOA RRSIG NSEC NSEC RRSIG SOA
  • 28. ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF NSEC SOA RRSIG NSEC NSEC RRSIG SOA *.ietf.org would exist between these names
  • 29. ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF ietf.org. 1062 IN RRSIG NSEC 5 2 1800 20170308083303 20160308073501 40452 ietf.org. homg5NrZIKo0tR+aEp0MVYYjT7J/KGTKP46bJ8eeetbq4KqNvLKJ5Yig ve4RSWFYrSARAmbi3GIFW00P/dFCzDNVlMWYRbcFUt5NfYRJxg25jy95 yHNmInwDUnttmzKuBezdVVvRLJY3qSM7S3VfI/b7n6++ODUFcsL88uNB V6bRO6FOksgE1/jUrtz6/lEKmodWWI2goFPGgmgihqLR8ldv0Dv7k9vy Ao1uunP6kDQEj+omkICFHaT/DBSSYq59DVeMAAcfDq2ssbr4p8hUoXiB tNlJWEubMnHi7YmLSgby+m8b97+8b6qPe8W478gAiggsNjc2gQSKOOXH EejOSA== NSEC SOA RRSIG NSEC NSEC RRSIG SOA NSEC RRSIG
  • 31. ietf.org. 1179 IN SOA ns0.amsl.com. glen.amsl.com. 1200000325 1800 1800 604800 1800 ietf.org. 1179 IN RRSIG SOA 5 2 1800 20170308083354 20160308073501 40452 ietf.org. S0gIjTnQGA6TyIBjCeBXL4ip8aEQEgg2y+kCQ3sLtFa3oNy9vj9kj4aP 8EVu4oIexr8X/i9L8Oj5ec4HOrQoYsMGObRUG0FGT0MEbxepi+wWrfed vD/3mq8KZg/pj6TQAKebeSQGkmb8y9eP0PdWdUi6EatH9ZY/tsoiKyqg U4vtq9sWZ/4mH3xfhK9RBI4M7XIXsPX+biZoik6aOt4zSWR5WDq27pXI 0l+BLzZb72C7McT4PlBiF+U86OngBlGxVBnILyW2aUisi2LY6KeO5AmK WNT0xHWe5+JtPD5PgmSm46YZ8jMP5mH4hSYr76jqwvlCtXvq8XgYQU/P QyuCpQ== www.apps.ietf.org. 1062 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1062 IN RRSIG NSEC 5 4 1800 20170308083322 20160308073501 40452 ietf.org. NxmjhCkTtoiolJUow/OreeBRxTtf2AnIPM/r2p7oS/hNeOdFI9tpgGQY g0lTOYjcNNoIoDB/r56Kd+5wtuaKT+xsYiZ4K413I+cmrNQ+6oLT+Mz6 Kfzvo/TcrJD99PVAYIN1MwzO42od/vi/juGkuKJVcCzrBKNHCZqu7clu mU3DEqbQQT2O8dYIUjLlfom1iYtZZrfuhB6FCYFTRd3h8OLfMhXtt8f5 8Q/XvjakiLqov1blZAK229I2qgUYEhd77n2pXV6SJuOKcSjZiQsGJeaM wIotSKa8EttJELkpNAUkN9uXfhU+WjouS1qzgyWwbf2hdgsBntKP9his 9MfJNA== ietf.org. 1062 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF ietf.org. 1062 IN RRSIG NSEC 5 2 1800 20170308083303 20160308073501 40452 ietf.org. homg5NrZIKo0tR+aEp0MVYYjT7J/KGTKP46bJ8eeetbq4KqNvLKJ5Yig ve4RSWFYrSARAmbi3GIFW00P/dFCzDNVlMWYRbcFUt5NfYRJxg25jy95 yHNmInwDUnttmzKuBezdVVvRLJY3qSM7S3VfI/b7n6++ODUFcsL88uNB V6bRO6FOksgE1/jUrtz6/lEKmodWWI2goFPGgmgihqLR8ldv0Dv7k9vy Ao1uunP6kDQEj+omkICFHaT/DBSSYq59DVeMAAcfDq2ssbr4p8hUoXiB tNlJWEubMnHi7YmLSgby+m8b97+8b6qPe8W478gAiggsNjc2gQSKOOXH EejOSA== 1096 BYTES!!
  • 32. Problems with negative answers @ scale 1. Requires authoritative server to return previous and next name a. Expensive $$$ 2. Large answers a. Big answers = slow answers, and reflection attack bait
  • 33. Cloudflare “Black Lies” for NXDOMAIN ● The next name is always 000.[themissingname] ● One NSEC per answer cloudflare.com. 1799 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2020905521 10000 2400 604800 3600 bogus.cloudflare.com. 3599 IN NSEC 000.bogus.cloudflare.com. RRSIG NSEC cloudflare.com. 1799 IN RRSIG SOA 13 2 86400 20160309213638 20160307193638 35273 cloudflare.com. mgx1FncjVdOpWhMOqm6+kcPBi/6zC8LF00ccG3DA1RNiI6hXmrqnFiUg dsngBT3VYo0+8AsZ1l0vJiopCdNoTw== bogus.cloudflare.com. 3599 IN RRSIG NSEC 13 3 3600 20160309213638 20160307193638 35273 cloudflare.com. 8nbevvyI/RsSjunQzjlPkIHphiAOu5gti+aj2ucBx3Nhc7cnaHtJbJ5C dFrOF7eoZuPeiegf0KTtMyhAYp3tWQ==
  • 34. Comparing Negative Answers ietf.org. 1799 IN SOA ns0.amsl.com. glen.amsl.com. 1200000317 1800 1800 604800 1800 ietf.org. 1799 IN RRSIG SOA 5 2 1800 20170213210533 20160214200831 40452 ietf.org. P8XoJx+SK5nUZAV/IqiJrsoKtP1c+GXmp3FvEOUZPFn1VwW33242LVrJ GMI5HHjMEX07EzOXZyLnQeEvlf2QLxRIQm1wAnE6W4SUp7TgKUZ7NJHP dgLr2gqKYim4CI7ikYj3vK7NgcaSE5jqIZUm7oFxxYO9/YPz4Mx7COw6 XBOMYS2v8VY3DICeJdZsHJnVKlgl8L7/yqrL8qhkSW1yDo3YtB9cZEjB OVk8uRDxK7aHkEnMRz0LODOJ10AngJpg9LrkZ1CO444RhZGgTbwzN9Vq rDyH47Cn3h8ofEOJtYCJvuX5CCzaZDInBsjq9wNAiNBgIQatPkNriR77 hCEHhQ== ietf.org. 1799 IN NSEC ietf1._domainkey.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF ietf.org. 1799 IN RRSIG NSEC 5 2 1800 20170213210816 20160214200831 40452 ietf.org. B9z/JJs30tkn0DyxVz0zaRlm4HkeNY1TqYmr9rx8rH7kC32PWZ1Fooy6 16qmB33/cvD2wtOCKMnNQPdTG2qUs/RuVxqRPZaQojIVZsy/GYONmlap BptzgOJLP7/HOxgYFgMt5q/91JHfp6Mn0sd218/H86Aa98RCXwUOzZnW bdttjsmbAqONuPQURaGz8ZgGztFmQt5dNeNRaq5Uqdzw738vQjYwppfU 9GSLkT7RCh3kgbNcSaXeuWfFnxG1R2SdlRoDICos+RqdDM+23BHGYkYc /NEBLtjYGxPqYCMe/7lOtWQjtQOkqylAr1r7pSI2NOA9mexa7yTuXH+x o/rzRA== www.apps.ietf.org. 1799 IN NSEC cloudflare-verify.ietf.org. A RRSIG NSEC www.apps.ietf.org. 1799 IN RRSIG NSEC 5 4 1800 20170213210614 20160214200831 40452 ietf.org. U+hEHcTps2IC8VKS61rU3MDZq+U0KG4/oJjIHVYbrWufQ7NdMdnY6hCL OmQtsvuZVRQjWHmowRhMj83JMUagxoZuWTg6GuLPin3c7PkRimfBx7jI wjqORwcuvpBh92A/s/2HXBma3PtDZl2UDLy4z7wdO62rbxGU/LX1jTqY FoJJLJfJ/C+ngVMIE/QVneXSJkAjHV96FSEnreF81V62x9azv3AHo4tl qnoYvRDtK+cR072A5smtWMKDfcIr2fI11TAGIyhR55yAiollPDEz5koj BfMstC/JXVURJMM+1vCPjxvwYzTZN8iICf1AupyyR8BNWxgic5yh1ljH 1AuAVQ== cloudflare.com. 1799 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2020742566 10000 2400 604800 3600 blog.cloudflare.com. 3599 IN NSEC 000.blog.cloudflare.com. RRSIG NSEC cloudflare.com. 1799 IN RRSIG SOA 13 2 86400 20160220230013 20160218210013 35273 cloudflare.com. kgjtJDuuNC/yX8yWQpol4ZUUr8s8yAXZi26KWBI6S3HDtry2t6LnP1ou QK10Ut7DXO/XhyZddRBVj3pIpWYdBQ== blog.cloudflare.com. 3599 IN RRSIG NSEC 13 3 3600 20160220230013 20160218210013 35273 cloudflare.com. 8BKAAS8EXNJbm8DxEI1OOBba8KaiimIuB47mPlteiZf3sVLGN1edsrXE +q+pHaSHEfYG5mHfCBJrbi6b3EoXOw== NSEC: 1096 bytes Black Lies: 357 bytes
  • 36. To Review Save compute on DNSSEC: ● Small answer sizes utilizing ECDSA ● Auto-generate negative answers
  • 37. •DNS has inherent vulnerabilities that attackers are taking advantage of – we must mitigate this. •DNSSEC provides a reliable method to secure DNS resolutions. •While DNSSEC is a good idea in theory, implementation must match current DNS 1-to-1. Wrap-Up 37
  • 38. Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist. Q&A 38
  • 39. Thanks to Cloudflare! For more questions, contact dani@cloudflare And to our attendees, Thank you for joining us today Acknowledgements 39