From YouTube: IETF 105: IRTF Open
Description
The Internet Research Task Force (IRTF) Open session at IETF 105 will be held 19:20 - 20:50 UTC on 23 July 2019. The session includes talks by the Applied Network Research Prize awardees.
A: We have a bunch of things today: a quick introduction and status update to get us started. Then we have a short update from the Information-Centric Networking Research Group talking about the CCNx RFCs, and then we'll spend the majority of the time today with two really excellent talks from the Applied Networking Research Prize, with Neta Rozen Schiff, sitting in the front here, to start with, talking about NTP and a new NTP client called Chronos, and TJ Chung at the end, talking about the role of registrars in DNS.
A: We cover a pretty full range of the possible subjects, from the Crypto Forum group all the way through to quantum Internet, network measurements, information-centric networking, human rights, global access. The groups in dark green are full research groups; the ones in light green and grey are proposed research groups. We let new research groups run for a year, see if things are working and, if so, they get chartered as a full research group. The COIN group had its first meeting in Prague. The Computing in the Network group looked reading.
A: The quantum Internet group, who are not meeting this time, had a really nice tutorial in Prague, which I understood not a word of, about the quantum Internet and the quantum physics behind what it needs to build a quantum link, and they look to be doing some really nice work. They're alternating their meetings between here and quantum physics conferences, so they're not meeting this time.
A: We also have the Applied Networking Research Workshop, which ran yesterday. We had a couple hundred people in attendance and a bunch of really nice papers. This is a conference we organize in conjunction with ACM SIGCOMM; the proceedings are published in the ACM Digital Library. It's a peer-reviewed workshop. We got some really nice papers, which are all on the website, and we hope to do this all again next year. It's still a little bit provisional, but hopefully this will be running again at the summer IETF in Madrid next year.
A
So
look
out
for
the
call
for
papers
around
Christmas
time.
Just
after
and
finally,
we
have
the
applied
networking
research
prize,
which
is
awarded
for
some
results
in
recent
results
in
applied
networking
research
and
we'll
have
the
two
talks
which
would
comprise
the
majority
of
this
session.
Talking
about
NTP
security
and
checking
out
DNS
SEC
deployment,
there'll
be
a
couple
more
NRP
talks
at
iit
f-106
in
singapore
and
we'll
be
opening
nominations
for
the
2020
awards.
Come
October
November
time.
C: Okay, there we go. So there were two documents released as part of this protocol. There's RFC 8569, the semantics document, which describes the behavior and the meaning of the different fields, and then there's an encoding document, RFC 8609, which uses a mostly TLV format to encode the protocol messages.
C: So for those of you who don't know, CCNx is one of the ICN, information-centric networking, protocols, and the idea here is that you do something to name the data that you're requesting, and you can use that name in fetching the data. So you're not doing quite host-to-host networking; you're trying to get something by its content. This was first proposed in 2009 and went under a significant revision beginning in 2014.
C: The first drafts, I think, were submitted in 2016, so it's been kind of a long march for these specifications. Just to give you one of the high-level use cases: it's an interest and response, request-response protocol. So I can ask for some name like example.com/photo.manifest, and I can specify the key that the publisher used to publish this, and the network can ensure that I get three.
C: There are four principal implementations that are going right now. One is called Community ICN, and this is the Linux Foundation work; this is meant to be a fairly high-speed implementation that uses vector packet processing. CCN-lite is a widely used implementation, especially on smaller platforms. And Cefore, this is from the National Research Institute of Japan, and this also has simulator and emulator modules available for it.
C: So all of these are based on the CCNx RFCs. Hybrid ICN looks at integrating name-based routing into the IPv6 address space, so between the IPv6 address and the transport address it kind of fully integrates. So it's not really an overlay; it's an integration. Thank you very much. Okay.
D: R2 and protect NTP with the host is a joint work with O majority I need to live and make us appear. So NTP, the Network Time Protocol, is used to synchronize time across computers over the Internet. I guess you all know how many protocols and many applications we rely on it for, such as TLS, DNS, HTTP, Kerberos and many financial applications.
D: In a nutshell, NTP has a client-server architecture and consists of two main processes: the poll process and the selection process. So, for example, if we have one client, then in the poll process the client queries two or three NTP servers, gets the NTP responses from the NTP servers, and then, in the selection process, the best time samples are selected and used in order to update the client clock.
D: However, NTP is highly vulnerable to time-shifting attacks, especially made by a man-in-the-middle attacker who has control over the section between the client and one of the NTP servers. For example, in the previous one, let's assume, without loss of generality, that the man in the middle controls the section between the client and the left NTP server. The man in the middle can then tamper with the NTP responses; he can impact the local clock of the client by simply dropping or delaying packets.
D: As we said before, NTP consists of two main processes, the poll process and the selection process. In the poll process, NTP relies on a very small set of servers, and they're often DNS-cached, which means that the attacker only needs man-in-the-middle capabilities with respect to a few NTP servers in order to maintain his TUC over time. And the NTP selection process algorithms assume that inaccuracies are rare and well distributed around UTC, the correct time.
D: In order to face these limitations, we suggest a modified NTP client called Chronos. It has the following characteristics. It has provable security: we can bound the probability of successful time-shifting attacks, even made by a man-in-the-middle attacker. It has backward compatibility, since there is no need to change anything on the server side; only small and limited changes are needed on the NTP client side. And we add only low computational and communication overhead, since eventually we query only a few NTP servers.
D: So in order to prove that Chronos actually protects NTP, we need to define our threat model. We assume that the attacker has full control of a large fraction of the NTP servers. We also assume that he is capable of both modifying the content of the NTP response and the timing when it's going to arrive at the client. And finally, we assume that he is malicious and tries to shift the client's clock as much as possible. So how is Chronos built?
D: On the one hand, we rely on many NTP servers: we generate a large pool, several hundred servers per client, in order to raise the threshold needed by the attacker to attack. On the other hand, we query only a few servers; only tens of them are chosen at random, in order to avoid overloading the NTP servers. And finally, we use smart filtering in order to remove outliers and make it hard for the man in the middle to contaminate with chosen samples.
D: So now, out of the pool, I am informally going to describe how we update our clock. Out of hundreds of servers in the pool, we choose tens of them at random, then we order them from low to high. We remove the d lowest and the d highest time samples and take a look at the remaining set, and then we ask two questions; we have two conditions. The first one is whether the samples in the remaining set are close to each other, and the other condition is whether their average is close to the client's clock.
D: Otherwise we resample, and again, out of hundreds of servers, tens are chosen at random, and we drop d from each side, which could be, for example, one third. Then we take the remaining set and test the two conditions: whether they're close to each other, and whether the average is close to the client's clock.
D: So first I'm going to present our security guarantees, and then I will describe our security analysis. Essentially, what we are showing in our paper is that shifting time at a Chronos client by at least 100 milliseconds from UTC will take the attacker at least 22 years in expectation, and this is when we consider an extreme case where, out of 500 servers in the pool, a seventh of them are fully controlled by the attacker. We also query 15 servers per hour, and we saw that these samples are within 25 milliseconds of UTC.
D: And now we compute the attacker's probability of success for a time-shifting attack, both in the traditional NTP client and in the Chronos client. We plot the ratio between these probabilities, and these are the results. So if we consider the last scenario, where out of 500 servers a seventh or more are fully controlled by the attacker, we can say that using Chronos improves the security by a factor of 1,000. And notice that the y-axis is in log scale, and that is why the improvement is exponential. And now we are going to describe our security analysis.
D: So in order to do so, we have to look at all the scenarios that can happen, which depend on the number of malicious samples that we queried, and see how Chronos is handling them. Of course, we take the worst case. The first scenario is when the number of the good samples is d. As you remember, out of hundreds of servers we chose m, tens, at random, and then we drop d from each side.
D: So, in the first scenario, the number of good samples, denoted as yellow in the figure, is higher than d, and then there are fewer malicious samples, denoted as diamonds: less than m minus d. So we have two options here. The first one is when we have only malicious samples remaining in our remaining set.
D: However, we have more than d good samples, right, so we have at least one good sample on each side of the remaining set, and good samples are within omega of UTC, of the correct time. That is why the remaining set samples should also be close to UTC, and their average, which we use in order to update our clock, eventually is close to UTC. The second option is when we have at least one good sample inside our remaining set.
D: However, according to our first condition, all the samples in the remaining set should be close to each other; otherwise we resample. So if we know that we have at least one good sample in the remaining set, and it's close to UTC, the others should be close to it, which means that their average also will be close to UTC, and this is why we can say that these attack strategies are ineffective.
D: The second scenario is when the number of good samples is less than or equal to d and the number of malicious ones is higher than or equal to m minus d. In the worst case, we have only malicious servers remaining, and they are not bounded by good samples. However, according to our second condition, their average, which we finally use in order to update our clock, should be close to the client's clock, which means there is a bound on the time shift that we allow here. Moreover, the probability of this kind of scenario is extremely low.
D: Why? Because it requires the malicious samples to be randomly chosen at a much higher rate than their rate in the population, and, of course, for repeated shifts the probability is negligible. This is why we can say that a significant time shift here is approximately infeasible. But even if we cannot really shift the client's clock, maybe we can create another kind of attack, let's say a denial of service. So how can we do that? If we have more than d malicious samples, and less than m minus d good samples...
D: Sorry. Then we have at least one malicious sample that remains in our remaining set, right, so it can violate, for example, the first condition saying that all the samples should be close to each other, and then we resample, again and again and again, and we get to the panic mode, when we ask all the servers in the pool, and maybe multiple times.
D: However, we can prove that even for a low panic threshold, k equals 3, which means that only after three failures you move to the panic mode and ask all the servers in the pool, the probability of success is negligible, which means that it will take the attacker decades to force panic mode on one server, one client, I'm sorry.
D: It is possible that there is an adverse effect on its precision and accuracy, so in order to improve the precision without, of course, sacrificing Chronos's security, we introduced a smoothing mechanism, and the thing is that we favor the minimum sample out of the remaining set if it's close to the average. We evaluated Chronos with the smoothing mechanism in multiple locations, both in Europe and in the US. For example, these are the results from Oregon, where you can see on the x-axis...
D: ...the average offset, and on the y-axis is the fluctuation, the average of the derivative. Each dot here presents a 30-minute experiment that we conducted with each of these algorithms, and we compare NTP, in the blue dots, to Chronos with the smoothing mechanism, in the red dots. And we can see here that essentially the average offsets are close to each other, both in NTP and in Chronos, and there is not much fluctuation in either of them.
D: So to conclude, NTP is highly vulnerable to time-shifting attacks, and even an attacker who controls even a few sections between the servers and the client can shift the client's time. So we presented a modified NTP client called Chronos with provable security, backward compatibility and low overhead, and we also showed that precision and offset are very close to NTP, around two milliseconds apart. And this is the further research, so we come...
D: We continue to evaluate Chronos: scale, security, precision, accuracy, overhead, etc. We are also working on standardizing Chronos in the relevant working group, and we would like to extend Chronos to address several attack strategies, and, of course, we would like to extend Chronos to maybe other time synchronization protocols such as PTP. And here you can see the links to both our paper, published in NDSS, and our last IETF draft. Thank you very much.
D: This is just an estimation and effect, but basically, because current NTP uses between 4 and 6 servers. We didn't really calculate before, so this is the answer about why it gets worse. And why is it a straight line and not really increasing? The answer is that we would like to remove d from each side, d was a once there, and we wanted d to be an integer number. So this is why you can see the stairs there.
G: Hi, Wes Hardaker. I'd say good work. I love seeing a good statistical analysis of your security likelihood; I think that's great, and it looks like it's a feasible solution, with one exception. So I assume, it sounds like, you don't try and handle man-in-the-middle type attacks where you have an attacker very close to you that can almost respond to most NTP servers, right? So that... thank you, exactly.
D: ...mode, but we are working on it, and maybe we can... we don't have to really query all the servers, but only maybe a factor of two of the servers that we already query in Chronos, maybe two m, for example, in order to get to the same results. So this is exactly what... well. Thank you. Thank you.
J: Analysis on the current NTP client with fixed... so the current NTP client has a fixed number of servers, right, that it queries. It has a fixed number of servers. So, with the fixed number of servers and using your modified algorithm, does it provide the similar guarantees, or similar security guarantees? If this client is querying a fixed number of servers, as opposed to randomly selecting from a large pool, and using your modified algorithm for selection, does that give the similar...
D: If he's under the control of a malicious attacker, then he can do the repeated time shift. I mean, I allow it to do a limited time shift, and the fact that I'm telling that with repeated time shift the probability is negligible is because I'm querying different servers all the time. Otherwise, I won't be able to say that.
L: Thanks for the introduction, Colin. Hi, my name is TJ from RIT, assistant professor. First of all, I'm very excited to talk about research, and actually this is my first IETF, and I'm really excited to see how smart it is to people making a decision by humming. So this talk is about DNS and DNSSEC. So inevitably, I need to give you some introduction of how DNS and DNSSEC work. I'm a little bit scared to talk about the introduction with the experts in front of me, who actually make the standards of the Internet, but let me try my best.
L: So when you send the DNS request from your host, when you type a domain name in your browser, your browser is configured to use your local resolver, and the DNS resolver will send the DNS request to the authoritative name servers, and the server will return the response to the resolver and forward it back to the browser so that you can see the content, right. But, unfortunately, the thing is not good for a browser.
L: The DNS message is just plain text, so the bad guy in the middle of the path can snatch the packet and insert the wrong IP address to make you see different content, such as advertisements. So to prevent this attack, DNSSEC was introduced about 20 years ago. The idea is very simple: let's deploy public and private key infrastructure on the DNS side, so example.com now manages a key pair, private and public key pairs, and when the DNS request comes, it responds with the signature. So to verify the signatures...
L: ...the resolver also needs to have the public key part, so the public key is in the DNSKEY record. So here is another problem: how does the resolver guarantee that this public key actually belongs to example.com? So DNSSEC mirrors the existing hierarchy of DNS. So now the .com zone also has a DNSKEY, public key and private key, and uses this key to sign example.com's DNSKEY, and, of course, .com's own DNSKEY is also signed by the root DNSKEY. Then how does a resolver verify the DNS root key?
L: It is prefetched. So, as you can tell, there is a chain of trust: root signs .com, .com signs example.com, and example.com signs, at the end, its DNS records, right. So let's see how this actual chain of trust, making a chain of trust, process works, because making a chain of trust between root and .com, and .com and example.com, is basically the same, so let's focus on the latter one. So the key concept is very simple.
L: So if you're the owner of example.com and you want to make a chain of trust, then one thing you need to do is first generate the DS record. So a DS record is just a hash of your DNSKEY, so it is basically a long string, a long hashed string. After that, you have to upload it to your parent. So in this case, the .com zone; then .com will sign this record and, I'm sorry for the animation, also it generates a signature.
L: So if a resolver fetches the DS record from the parent zone and fetches the DNSKEY from the child zone, if they are the same, then it's done. Of course, you need to verify the signature of the DS record, signed by the .com zone, of course. So, if you're the owner of a domain name and you want to deploy DNSSEC, you need to follow these three steps. First, you need to have a DNSKEY, and using this key you have to generate signatures.
L: At the last step, you have to generate a DS record and upload it to your parent. So the question and answer for this research, the analysis, is how many domains out there follow these steps. To do that, we used the OpenINTEL dataset, which collects all the domain names under .com, .net and .org, for almost two years. So let's see. Actually there was a black box to hide the graph, to make you... to make a surprise.
L: ...in the middle, so keep talking. Okay, so yep, so the y-axis shows percent of missing signatures. So, as you can tell, nearly 0.2% of domain names with a DNSKEY missed the signature, so signatures are rarely missing. There is a huge drop at this point. This is due to one registrar; I don't want to call a name, but they used to have a DNSKEY uploaded, but for some reason they forgot to sign it, but after that point they finally signed, generated signatures.
L: So that is the reason why there is a huge drop. Then how about the final one? The last piece of the puzzle is: you need to generate a DS record and upload it to the parent. So the y-axis is percent of domains missing the DS record. Surprisingly, we found that nearly 30% of domains do not upload a DS record. So, as you can tell, there are two problems here.
L: The first one is: why does DNSSEC deployment remain so small, even though it was introduced about 20 years ago? And the second problem is: why are 30 percent of domains still without a DS record? Now, why is the screen not working? So there are two main questions for this talk. The first one is: why is it so hard to deploy DNSSEC? And, as you can tell from the title of this talk, how does a registrar's policy impact the deployment? So let's first focus on the first one.
L: So to understand that, you have to understand how you can purchase your domain name and how to deploy DNSSEC. So let's say you want to buy a domain name; you typically go to a registrar, for example GoDaddy. So a registrar is an organization that sells a domain name to the public, and also it has access to the database managed by the registry. So the registry is basically the top-level domain name zone; for example, .com is managed by Verisign. And after purchasing a domain name, you also need to have name servers.
L: The first choice you can make is you can just use a name server provided by the registrar. So in this case, if you want to deploy DNSSEC, then GoDaddy will generate a DNSKEY, signatures and also the DS record, right, and also it has access to the database managed by the registry, so it can simply, easily upload a DS record to the registry, right. The second choice is you can run your own name server.
L: Let's say you're using a third-party DNS operator. So in this case, for example, Cloudflare will manage all the DNS records for you, including DNSKEY, signatures, DS record, but again the third-party DNS operator doesn't have any access to the registry. So you need to copy the DS record, which is basically a long string, copy and paste it, pass it to the registrar and ask them to upload it to the registry.
L: If you think this process is complex, actually I can make it even worse. So, for example, let's say you bought a domain name from a reseller. A reseller is an organization that sells a domain name to the public, but it doesn't have any direct contact with the registry, so what they do is partner with a registrar.
L: So if you purchase a domain name from a reseller and use a third-party DNS operator, then you need to copy a DS record and pass it to the reseller and ask them to upload it to the registrar and registry. Such a simple process; what could possibly go wrong? So, as you can tell, the key part of deploying DNSSEC is the registrar. So what I'm going to show you is the research that we did by surveying popular registrars with a lot of domain names.
L: So what we do is we first purchase a domain name from a registrar and we see if they simply support DNSSEC on their name servers. After that, we disable it. We run our own name servers, generate a DS record and ask them if you guys can upload a DS record to the registry. If they do, we deliberately give them an incorrect DS record, which does not match the DNSKEY.
L: The reason is that, if the registrar does not check the validity of the DNSKEY and the DS record and simply uploads it to the registry, then your domain name will be instantly inaccessible to the resolvers that support DNSSEC, such as the Google resolver or the Cloudflare resolver. So before showing all the details of the analysis, I'm going to give you some anecdotal examples that we experienced during our experiment.
L: The first one is: we saw that a DNSKEY was deployed for one registrar, but not the DS record, so we asked why you guys do not upload the DS record. The first response was that, oh, they removed the DNS menu. And another registrar responded back to me saying that, hey, most people do not understand DNS, so imagine their white faces when I mention DNSSEC. So yeah.
L: This is what happened. And also we asked a registrar to upload a DS record by email from a different email address than the one we used to register; it was installed successfully. And also we asked a registrar to upload the DS record to our domain name via web live chat; it was installed successfully to someone else's domain name, due to a mistake by the customer agent. Yeah.
L: Usually the customer agent, you know, opens multiple tabs to deal with multiple customers, so they just made a mistake to pass a DS record to the other domain name. So this is the detail. "Hey, I'd like to update my DS record." "Awesome, one moment. I now updated your DNS DS record to panama music dot com, right?" "I'm sorry, but my domain is Hg..."
L: So this is the survey research that we did with about 20 registrars, which handle about 50%, nearly 50%, of all domain names of .com, .net and .org, and sadly only four registrars support DNSSEC on their name servers, which is not good. For your information, actually this study was done in about 2017, but for this talk we just redid all the survey a few weeks ago. And after that we disabled our...
L: We run our own name servers and disable the default name servers that were provided by the registrar, and we asked them to upload the DS record. Interestingly, 15 out of 20 support DS record upload, so mainly there are two functionalities. The first one is, for example, web support ticket or web live chat, so using this methodology they upload the DS record, or some registrars ask us to send the email with the, you know...
L: If you want to run your own name servers, still you cannot deploy DNSSEC for 5 out of 20, and only 5 registrars, four, check the DS record verification, which means, if you happen to upload an incorrect DS record, due to a copy and paste error, then your domain name will be inaccessible, right. Then the next question is: why is this DNSSEC support of registrars so rare? Why is that?
L: Actually, we already know the answer, because DNSSEC introduces many more records, right, because basically there is a signature for every DNS record, and also signatures are usually three to six times larger than normal DNS records. And also the DNSKEY is like your password: you have to choose a strong key and also a unique key, and also you have to roll over the key regularly, on a regular basis.
L: Actually, you've already seen how this policy impacts DNSSEC deployment. For example, we saw that four out of 20 registrars support DNSSEC on their name servers, but, interestingly, 15 out of 20 allow us to upload a DS record, right. The thing is, in the first case, when the registrars run their own name servers with DNSSEC...
L: ...they need to manage all the DNS records, right, in their name servers. But if the owner wants to run their own name servers, then what the registrar needs to do is simply receive a DS record and upload it to the registry. Done. They don't need to manage all the DNS records at all. So let's compare with the 2017 results.
L: So our study was done in March 2017. At the time only three out of 20 registrars supported DNSSEC on their name servers, the registrar-side name servers, and 11 out of 20 supported it when the users want to use their own name servers, and 2 out of them check the verification. So, as you can tell, it has been improved, but yep, it has been improved, it's much better than, you know, decreasing, you know, something like that, but there is still a way to go.
L: So now let's move to how the registrar policy impacts the deployment. To see that, we also used the historical dataset. To see that, we first focused on the .com, .net, .org dataset, but, as you've already seen, the deployment ratio is very small, less than 1%. But we happen to know that for .nl and .se, two ccTLDs, the DNSSEC deployment ratio is nearly 50 percent, which is really good. And also we updated our dataset by considering the most recent dataset, 2019.
L: So let's see how a registrar's policy impacts DNSSEC deployment; in other words, how can we encourage a registrar to support DNSSEC? The first perspective is the registry. So we happen to notice that, for .nl, the registrar gains a financial incentive from the registry when they activate DNSSEC for the domain names they manage.
L: So, as you can tell, for .nl domain names the DNSSEC deployment ratio is nearly 90 percent, which is awesome, but how about the other three domain names, .org, .net, .com, where they cannot get any financial incentive? So, as you can tell, actually I already drew the figure outline here: it's nearly zero percent, which means financial gain is a huge incentive for deploying DNSSEC. They only deployed DNSSEC when they can get a financial incentive.
L: The second perspective is the registrar. So we found that OVH and GoDaddy are two registrars supporting DNSSEC on their name servers, but OVH does it for free, while with GoDaddy you have to obtain it by paying $35 per year to activate DNSSEC. As you can expect, the OVH DNSSEC deployment ratio is over 20%, but GoDaddy is nearly 3 percent, so free DNSSEC support, of course, encourages users to deploy DNSSEC. And the third perspective is the reseller.
L: One registrar called Antagonist is a registrar for .nl domain names, but they are a reseller for .com, .org, .net. So the top graph shows the number of domains they manage and the bottom graph shows the percent of domains with the DNSKEY and the DS record. So, as you can tell from the white line, the DNSSEC deployment ratio for .nl is nearly 100%, which is good. But, interestingly, we observed that there is a gradual deployment, increasing ratio, for the other domain names.
L: The reason is that this registrar, Antagonist, actually started to deploy DNSSEC at the end of 2014. But what happened was they switched to a registrar that supports DNSSEC, but the migration only happens when the current domain name expires, so after the previous domain name expires, they migrate to a new registrar that supports DNSSEC.
L: So, for your recall, if we are using a third-party DNS operator and you want to use DNSSEC, then you have to copy a DS record from the third-party operator and pass it to your registrar and ask them to upload it to the registry. So Cloudflare actually announced universal DNSSEC in 2016, so users, if you want to use Cloudflare's DNSSEC, you have to opt in, and Cloudflare's DNS server will generate all the DNSKEY, signatures as well as the DS record.
L
So what you need to do is copy this DS record and pass it to the registrar and ask them to upload it to the registry. The top graph shows the percent of DNSKEY with a DS record. But, interestingly, even though the DNSKEY deployment in the bottom graph is increasing, still 50 percent of domain names with a DNSKEY are failing to deploy the DS record. This could be either one.
L
So here's the conclusion. Registrars play a critical role in supporting DNSSEC. Today, only 4 out of 20 registrars support DNSSEC on their authoritative name servers, while, interestingly, 15 out of 20 support uploading a custom DS record. So compared to the results of 2017, it has improved, but it requires much more effort. So DNSSEC deployment depends on many policies: registrars supporting it for free, and registries.
L
It would be great if they can offer a financial incentive, and if resellers are able to choose a partner registrar. And also, when you're using a third party, I guess the new CDS/CDNSKEY protocol, which allows users to upload a DS record directly to the registry without any support from the registrar, will be a very good solution, I guess.
G
Wes Hardaker, ISI. A great talk, entertaining too, and I don't mean because of the projector blinking. Are you continuing to do long running statistics gathering, and are you publishing it live at all? And then I might offer to collaborate a little bit, so I actually have a webpage called stats.dnssec-tools.org, where Viktor and I publish continually, daily updating stats of DNSSEC deployment, and DANE deployment in particular, and it would be really cool to merge those, because I think, yeah.
M
Nice talk. This is Pallavi Iris from Salesforce. One of the angles to this whole research could be, and I'm speaking from experience, that when the client is big, like if your domain name is used by a lot of customers, you try to make the domain name multi-vendor. So you might have your zone hosted on maybe Cloudflare and one more provider, so your zone, xyz.com or whatever, might be multi-vendor, where it's hosted on provider one and provider.
N
All right, polar bears from Neustar, yep, nice presentation. You might also, on those some 30% that don't have DS records: one of the very common things that happens is people start playing with DNSSEC, and the first thing they do when they aren't sure is they'll yank the DS records from the parent, because then you simply go undetermined as opposed to going invalid. So you may want to start going back and resampling on a recurring basis who may have DS records appearing and disappearing, yep.
P
24, this is the chart where the 15 out of 20 comes up, and I'm curious as to why the ones that provide the upload by email, yeah, this one here, why they weren't counted as being supportive of DNSSEC, even though they don't appear to do it, based on when the research was done, through their web portal. Those registrars you indicate here do support you.
K
Well, I think what the issue is here is that, as many domains as you're looking at, most of them are for small to medium businesses, and small to medium businesses don't have an IT department, mm-hmm. They also probably don't really understand DNS, so adding DNSSEC on top of that doesn't make that any better for them.
L
Yes, but for small companies, we found many times, and these are anecdotal examples, we sometimes observe these small companies just relying on the default name servers managed by the registrar. So that is why we want registrars to support DNSSEC on their default name servers. If that's the case, then the small companies do not need to care about DNSSEC, because they will automatically turn on DNSSEC. Sure.
A
Okay, so that's everything for this meeting. Thank you again to both the speakers. I think that was two really excellent talks. I think both TJ and Neta will be around for at least tomorrow, I think possibly most of the week. So if you're interested in the work, please grab them in the hallways, and thank you for your attention.