The ICANN DNS Symposium concluded today. It was about 3 hours of talks on each of the past 3 days, four talks a day. For me it started at 5:00 am, and I didn’t always make it on time and I left early a couple of times. This is a very brief summary since I didn’t take very detailed notes and the presentations are not yet online to review. Materials should appear on the IDS page in due time.
Day 1
DNS-STATS traffic capture and visualization development
Jim Hague
Showcase of the DNS-STATS tool. All you really need to know is
here.
Measuring recursive resolver centrality
Joao Damas, Geoff Huston
They try to provide some insight into the notion of consolidation and
centralization of resolution services on the Internet using APNIC
Labs’ Google-ads-driven name server measurement infrastructure.
Methodology and observations were discussed. Some statistics
here.
pktvisor; summarizing traffic for observability and DDoS mitigation
Shannon Weyrick
Another DNS statistics tool, this one currently based on pcap data to
provide a dashboard-like view. Other inputs, including sFlow/NetFlow
support, are planned. All you need to know
here.
DSFI-TSG Panel
Merike Kaeo, Robert Schishka, John L Crain, Tim April, Gavin Brown, and Duane Wessels
The ICANN-sponsored DNS Security Facility Initiative Technical Study
Group. I didn’t stick around for this one. Best I can tell they are
coming up with some big picture guidance to provide to the ICANN board
on security issues involving the DNS. You can find more information
about the group
here.
Day 2
COMAR: classification of compromised versus maliciously registered domains
Maciej Korczynski, Christian Hesselman, Benoit Ampeau
I missed this one, but the title is pretty self-explanatory. Probably
everything you need to know
here.
Canadian Shield - A year of experience operating a secure national DNS infrastructure for Canada
Marc Gaudet
A project run by CIRA.ca to essentially help limit “leakage” of DNS data
and limit exposure to malicious domain names for Canadians. Basically a
government-sponsored open resolver service. It currently serves ~700
million queries/day. More detail
here.
The DNS practice on security and stability in Alibaba Cloud DNS
Yong Ma
An overview of how Alibaba operates its DNS resolution infrastructure.
Compared to the project above, Alibaba services about 1 trillion
queries/day.
DNS security threats outreach platform KINDNS
Adiel Akplogan, Michael Hausing, Leslie Daigle, Andrew Campling
I did not stick around for this one. This is a relatively new effort
sponsored by ICANN. KINDNS stands for Knowledge-sharing and Instantiating
Norms for DNS and Naming Security. More detail
here.
Day 3
DNS cache poisoning revived with network side channels (SAD DNS)
Zhiyun Qian
I missed this one, but I believe it was essentially presenting this
research here.
Poison over troubled forwarders: A cache poisoning attack targeting DNS forwarding devices
Xiang Li
More cache poisoning research. Involves IP ID prediction. Uses CNAME
RRs to force fragmentation, which helps facilitate the attack.
Originally published
here.
rm -rf SHA-1: DNSSEC algorithm roll en masse
Howard Eland
Case study of Donuts’ (formerly Afilias) efforts to change DNSSEC
parameters across their TLDs. Lots of manpower to accomplish; no
major problems reported.
Message digest for DNS Zones
Duane Wessels
Discussing the introduction of a new RR called ZONEMD, which is
intended initially for the root zone. The digest is computed over the
canonically ordered zone data (as DNSSEC does), with the exception of
the ZONEMD record itself. Ideally this record would itself be protected by
DNSSEC. Other TLDs are looking at deploying this as well. Recently
achieved RFC status here.
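A worked illustration of that scheme, added here and not taken from the talk or the page: it puts the RRs of a small constructed zone into DNSSEC canonical order, leaves the ZONEMD RR itself out of the hash, and verifies the published digest against a recomputation. It serializes records in presentation form, which is a simplification; the real scheme hashes the DNS wire format, and the zone data below is made up for the example.

```python
import hashlib

# Constructed toy zone in presentation form: (owner, TTL, class, type, rdata).
# Mixed case in "NS1.example." is deliberate, to show case folding.
ZONE = [
    ("example.", 3600, "IN", "SOA",
     "ns1.example. admin.example. 2021030401 7200 3600 1209600 3600"),
    ("www.example.", 3600, "IN", "A", "192.0.2.1"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("NS1.example.", 3600, "IN", "A", "192.0.2.53"),
    ("example.", 3600, "IN", "ZONEMD", "2021030401 1 1 PLACEHOLDER"),
]

def canonical_key(rr):
    """DNSSEC canonical ordering: owner names compared label by label from
    the root, case-insensitively (a parent sorts before its children),
    then by RR type, then by RDATA."""
    owner, _, _, rtype, rdata = rr
    labels = owner.lower().rstrip(".").split(".")[::-1]
    return (labels, rtype, rdata)

def zone_digest(zone):
    """Simplified ZONEMD-style digest: SHA-384 over the canonically ordered
    RRs, skipping every ZONEMD RR so the digest does not depend on itself."""
    h = hashlib.sha384()
    for owner, ttl, rclass, rtype, rdata in sorted(zone, key=canonical_key):
        if rtype == "ZONEMD":
            continue
        h.update(f"{owner.lower()} {ttl} {rclass} {rtype} {rdata}\n".encode())
    return h.hexdigest()

def publish(zone, serial):
    """Return the zone with a fresh apex ZONEMD RR. RDATA fields mirror the
    record layout: serial, scheme (1 = SIMPLE), hash algorithm (1 = SHA-384),
    digest."""
    apex = next(rr[0] for rr in zone if rr[3] == "SOA")
    rest = [rr for rr in zone if rr[3] != "ZONEMD"]
    return rest + [(apex, 3600, "IN", "ZONEMD",
                    f"{serial} 1 1 {zone_digest(zone)}")]

def verify(zone):
    """Recompute the digest and compare it with the single published ZONEMD RR."""
    zonemd = [rr for rr in zone if rr[3] == "ZONEMD"]
    if len(zonemd) != 1:
        return False
    return zonemd[0][4].split()[3] == zone_digest(zone)
```

Changing any non-ZONEMD record after publication makes verify() fail, while re-casing an owner name does not, which is the point of hashing canonical rather than raw zone data.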