Cleaning Up the Augean DNS - Internet Systems Consortium · 2020. 9. 8. · Cleaning Up the Augean...
Cleaning Up the Augean DNS
Ondřej Surý @ ISC
ICANN DNS Symposium 2018
12. July 2018
Photo by Daniela Castro on Unsplash
DNS
Everything but a kitchen sink
Photo by Hermes Rivera on Unsplash
The Great Ancient DNS Quiz
• Use the back of your schedule to answer your questions
• You can form a group or play on your own
• Put your name on your form
• When done answering, hand the form to your neighbour
• We’ll then go over the answers
• Sometimes more answers are correct
• A point is scored for each correct answer
• No points are scored if there is a wrong answer
1
What is the MAILA resource record type?
A. Not an actual RRTYPE
B. Query type which returns MB, MG, MR and MINFO records
C. Query type which returns MF and MD records
D. Word “MAILER” in #gangsta grammar
2
What is the WKS resource record type?
A. A Workstation Resource Record
B. A Well-Known Service Description record
C. They serve no known useful function, except internally among LISP machines
D. Caused by alcohol abuse
3
What is the MAILB resource record type?
A. Not formally obsoleted
B. Query type which returns MB, MG, MR and MINFO records
C. Query type which returns MF and MD records
D. Inspiration for the “You’ve Got Mail” movie
4
NULL resource record?
A. Has RDATA that’s 65535 octets or less
B. Has RDATA that’s NULL (0 octets)
C. Not allowed in master files
D. Declared EXPERIMENTAL in RFC1035
5
GSS-TSIG?
A. Uses SIG(0) to establish secret keys
B. Used to establish security context
C. Uses TKEY to establish secret keys
D. The server MUST not generate a signed response to an unsigned request under any circumstances.
6
What is the TKEY resource record?
A. Uses Elliptic-curve Diffie-Hellman for key-exchange
B. Uses Diffie-Hellman key-exchange
C. Misspelled T-KEY, a rapper and hip-hop artist
D. Secret Key Establishment for DNS
7
What does “Transactional Security” in the IANA DNSSEC table mean?
A. Algorithm can be used for DNS over TLS
B. Has a meaning only in DNSKEY records
C. Algorithm can be used for SIG(0)
D. Has a meaning only in KEY records
8
What is the reasonable default EDNS(0) size?
A. 4096
B. Slightly less than 1280 (IPv6 minimum fragment size)
C. Around 1500 (Ethernet frame size)
D. Only Geoff Huston knows
9
What is the RP resource record?
A. Reverse Proxy record
B. Responsible Person record
C. RP records are used in IPoAC
D. None of the above
10
Why was 512 octets chosen as the maximum DNS message size?
A. To mess with future generations
B. To be less than minimum IPv4 fragment
C. To be less than minimum IPv4 packet size
D. 512 octets should be enough for everyone
Answers
Photo by Edwin Andrade on Unsplash
Correct Answers
1. A,C
2. B,C
3. A,B
4. A,C,D
5. B,C
6. B,D
7. C,D
8. D, and maybe B
9. B
10. C
Cleaning the DNS Stables
Photo by Alex Blăjan on Unsplash
DNS Protocol Development
• We constantly add new things
• We (almost) never remove things
Refactoring DNS Protocol
• Why does old stuff never get removed?
• It’s not fun (refactoring never is)
• There are no counters for features
• People might be using this or that
• It’s not a problem
Next steps?
• Actually rewrite the foundation RFCs
• RFC 1034, 1035, 1183, 2181, …
• Bit by bit
• Start deprecating the features / records that nobody uses
• Improve existing (but perhaps less used) features
• Add ECDH to GSS-TSIG and remove DH
• Define transactional security for ECC algorithms
• Find new innovative ways to use SIG(0) or deprecate it