Internet Engineering Task Force 110, 4 Mar 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF 110: Technology Deep Dive on DNS, Part 2

Description

This session will be held 17:00-19:00 UTC on 4 March 2021 and will cover, in detail, the operational realities and technical nuances of the Domain Name System, a central building block for today’s Internet.

A

Hey jeff is here: you might want to do an audio check as well. Jeff.

B

Audio check, can you hear me that's theoretically, this has video as well, although I don't see any video.

C

You have a nice pair of.

A

See your video either.

D

That's probably a good thing, considering this.

E

In fact, I think I'm going to turn off video because I'm only going to be black, no matter what.

A

Well, none of us have had a good haircut in a year right, so you know.

B

So you know you just don't have a lot.

D

Longer than a year.

D

How long have we known each other.

A

A good point: I've never had a good haircut. That's my.

E

C

B

B

Well, maybe I should share a title slide that would be exciting. Wouldn't it.

A

B

B

D

D

So it looks like people are starting to join increasingly fast quickly. Well, I guess we should give it a few minutes for everybody to sign in where all the buttons are etc.

D

Although I will note we do have a full agenda, so maybe not too long.

D

uh Well, you tell me when to start I'm not taking that kind of responsibility.

D

Yeah, I guess let's give it to about three or four minutes after the hour and.

D

D

Yes, while we're waiting for people to join, um I will just note that this is the second part in the technology deep dives in the dns. The first part happened at ietf 108 and the video is online on youtube and, I believe, is also linked to from the ietf website um somewhere. I realized that was not the most useful update ever, but if you look around, you should be able to find it otherwise email me or I will try and remember to put a update somewhere.

D

I think the invite to this or agenda also has a link to last week's or sorry last time's recording- and it's probably useful, if you're not particularly familiar with the dns, to go and read that or watch that, and um I will also note this kind of builds on that and also explains that a lot of what we told you last time we were actually lying.

B

B

I don't think the camera works.

B

That's a scary photo.

A

Just your camera is working now, jeff.

B

My camera is working, but you know, like I said: it's really dark out there and you know I could go all shadowy.

D

Yeah, it's it's working, but it's not working well because you're much more handsome in person, warren you're, just too kind- I am. I am it's because usually I give you abuse, so I forget seeing lots of people watching. I should be polite for once.

B

Time is, of the essence, look welcome everybody and for those in the asia pacific area, particularly those in japan. I feel your pain um here on the east coast of australia. It is you know, a civilized 4 a.m in parts further west from me, it's not it's worse. um For the next hour and a half we're going to be talking, dns it's when too much dns is barely enough, and this is the second part of these deep dive sessions.

B

So we're going to dive a little bit deeper and have a look at some of the underlying issues inside the dns.

B

Looking at the concepts of of names which I will cover and and what they mean in the context of the dns.

B

Looking at some of the sort of security issues that come up with the way in which we use names which wes is going to cover and cover some of the um more prevalent myths, fantasies and misconceptions that um that sit within the dns and and see what else we can uncover. So we have 90 minutes, which is a comfortable amount of time.

B

um What I would like to do is sort of channel through pretty pretty quickly and then take a small number of questions and hand to where's, but we have reserved around about 30 minutes at the end, possibly longer to actually wander through um your questions and and our feeble attempts at trying to provide answers, or maybe you can provide the answers and we'll just provide the questions which I personally prefer, because it's going to take about that long for my brain to boot.

B

Up and don't forget, I haven't had coffee yet um so with that said, uh let's start the usual. um Read this carefully note it! Well, you have two seconds done, um let's start by thinking about what a name is and wasn't it shakespeare, romeo and juliet, what's in a name, a rose by any other, something or rather my memory is now gone um a name.

B

We use it as as kind of a human-based token, an alias for what we would call an address. An address is something an endpoint destination that an ip network uses to relay a packet, and so all we're doing with the name in this kind of destination based packet. Forwarding network is providing an alias for an ip address.

B

Now we're not talking about why you wanted to send a packet there. It's just the name of an ip address, the name of a host, in fact, to be perfectly frank, the name of an interface on a host, and it's up to something else. The transport protocol port address normally to effectively select what the services that you're trying to get to on that host the name itself.

B

Well, I actually said the name of the platform, not the particular service, but, to be brutally honest, that's not quite correct. It's the name of the ip address of the interface of the platform, not the name of the service, but in any case it's not a service name, and the intention was this is human use. This is about things that you and I use as people talking. You know a natural language.

B

It wasn't an artifact of the network when the packet, the ip packet heads to its destination, the ip part of the packet, never mind. Transport and application does not have any use of a name. All that you find there is those v4 32 bits, v6, 128-bit, source and destination ip addresses. There are no names there. We are not routing names in this architecture, so they were intended at least, and I'm going back about 40 or 50 years.

B

It was so much more useful if the same host had the same name irrespective of the protocol. So if you're going to use uh uucp or unit mail, you know that kind of issue. If you're going to use ip mount, if you're going to use any other form of protocol family, it's very useful. If the name is constant, I'm going to go to the host called fred almost irrespective of what protocol I'm going to use so to make that work.

B

You actually had to have these host names specified as the lowest common denominator across all of these protocol, specific in application, specific limitations and so host names took a much smaller character repertoire than actually is possible inside dns labels, uh which joao is going to explore in incredible detail later on and just to illustrate this. I've actually jumped joe house name into unicode to sort of point out that, even in our human use, what we think is a character repertoire varies language by language.

B

So there's some very subtle distinctions going on here around the names of hosts and the names of labels and the rules for hosts are, of course much more constrained, and the answer is why it's nothing to do with the dns per se. The dns in that area, quite frankly, doesn't care and doesn't make that distinction in and of itself it's more about mapping, protocols and names into applications.

B

So let's talk a little bit about the resource record. Now the original naming model was based on a thing that we always came to call host.txt. uh It was a very, very simple entry.

B

um It was a text file with one mapping per name per entry and it had an ip address, a space and then a set of names that were aliases for that ip address, and so, when you said, what's the name of jeff you'd, look down host.txt and find a name match a line that had jeff and you'd, find the corresponding rp address and send it back.

B

There are one or more ip addresses listed in those entries, I'm not sure about the order. It's been so long since I've ever had to use host.text.

B

Most machines still have an echo, a ghost of that file sitting somewhere inside the file system and it's a common form of of malware to go and make some evil entries there, because it normally takes precedence over the dns. uh We shall probably should have got rid of it.

B

Host.Text is client-centric, so you could have a host dot text that calls the ip address. You know one two, three four uh fred and I could call it jeff and joao could call it bob and no one would care, because, while we're referring to the different hosts with different the same host with different names, the dns doesn't sorry that the host didn't care and actually your applications didn't care.

B

However, when we turned into a distributed database, all of a sudden, the name became unique because we're all sharing one database. We don't have different hosts.txt per se, we're all working in one database, but the database itself was distributed. It wasn't just oh host.txt exists on a server over there.

B

There is going to melt, we distributed it, so everyone ran a little bit of this database, but in a distributed database you need mapping records to say I don't know anything about this name, the person, the thing the host that knows about this name is over there, and so I'm authoritative for a bundle of names and all these other folk hosts our authority for other bundles of names.

B

So we added two more records into this distributed database. We had the my name to ip address. Mapping originally called an a record a for address. We also had sewer records start of authority. That was, if you will, all the names in this bundle that are related, have the common set of properties. These are the properties, the zone, administration, contact, expiry, timers time to live and so on. If it's not specified use this value and the names that I don't know about, which are child names in a hierarchical system.

B

Well, you can find them over there where there is a name server record, the name of the host serving those names. So we added two more resource records, so an ms.

B

But how do you disambiguate services?

B

Excuse me um because you might want to have different services connected to the same host and you might want to explicitly label them, so we started making that an attribute of the name itself so rather than saying query example.com and get an address and attach to port 80 at the time, because you know we're banging the rocks together, then we actually said no, you want to go to dub, dub dub, and so now it's sort of built in braces.

B

It's an alias. The dub dub dumb for giving a name that you subsequently go to port 80 on, and so you can distinguish that from ftp.exam mx.example.com and blah blah blah, where you're actually putting the service name on the left hand side as part of the query name. So this allows you to specify a set of hosts different hosts that supported the services that had a common name and all of a sudden you're.

B

Creating this extra bundle of semantics about that name, because now www.example.com can be a separate machine providing a service in the name of this supposed host example.com, and you can have a number of these things with different services, all mapping to different ip addresses supporting a host service for the common name.

B

So all of a sudden I've got greater capacity. I've got service disambiguation, but why don't I make the dns work harder? Well, obviously, why not? Because I can so why don't? I include the name in the protocol exchange itself. Hi host, I want I've, got a transaction for www.example.com, says the application now, the first one to do. That was actually electronic mail, because one of the early needs was to provide mail when the host was down.

B

So we had secondary mx servers that uh basically provided a mail service for a host that wasn't there because don't forget in the days before gmail, if anyone's, still old and anyone's still old enough to remember that in the news before gmail, a lot of us ran our own mail hosts their own send mail, and maybe we were on dial-up. Remember that and so all of a sudden, when you weren't there, you didn't want to back the mail up at the center.

B

You actually wanted to back the mail up at a relay host closer to you and so adding mx records allowed you to create those relay hosts, and the issue was that when I connected to a machine that was my mail server in the application itself, I would be able to say I want to send mail to, and you specify the name of the server in the application.

B

So service names actually started to migrate into application attributes.

B

um So they're abstractions weren't they they allowed orchestration of multiple servers. Now some of these, we loaded through the dns itself, so the common service name, which is no longer a host name, then had a variety of attributes through different resource records. Ns records, mx records and such, but then we thought well.

B

Actually what I'd like to do is move the service for a host to a different name, and we invented the alias record, the canonical name record or the cname record, whereas most of these service names are implicit, the a and quad a records which give you ip addresses simply says. The service delivery host is mapped against this service name.

B

So this allows us to sort of think about what a name is now it started off by effectively taking the idea of the name of a host, a computer, the interface of that computer and actually abstracting that to a university, visible service. Point identifier: it's the name of a service, not a host, but we've also used a whole bunch of other names.

B

There are a whole set, probably outnumbering human names. These days of transient labels, um dynamically generated names of various forms and sorts where it's just a temporal name. Here's a token. Here's a machine over there that for the next 10 15 micro seconds, might well serve as a point of rendezvous with what you're trying to do ns records.

B

The name is a bridging point to glue together the dns database or, oddly enough, you can think of the name as a piece of microcode and think of both recursive and authoritative servers as microcode interpreters, and so the name directs the server to do certain things now, in theory, it's a database lookup key and in theory this is a database lookup, but quite frankly using various dns libraries.

B

Even today, you can create dynamic labels that cause particular actions on the name of the server, because it's microcode, it's just name, is code, so a name is actually all of that and more just to add to the confusion.

B

And so how do we then do service identification?

B

And I suppose the observation is that every time we've looked at this and we've looked at this a lot of times, we propose a new generic mechanism that can be used with any application. Wonderful, but each time we invent this, one application uses that and we move on so every application uses a unique, quite specific, but generic uh dns solution as to how to do this.

B

So when we map names to services, we can place the information in the value part of this key value store, and you know the service. The svc record is a classic example of trying to place rendezvous information in the right hand, side of the dns in the resolution side or we can play with the left hand, side the query name and we can use the dns to go.

B

You meant to go to food.example.com the services bar.example.com, in other words, map the service name through the left hand, side, or we can modify the query type itself to have different application data and actually don't query for an a or a quad, a record query for one of these.

B

So the first time we found one of these, I'm not sure what was in the head of the folk who designed it, but in the people who came subsequently, this was the texas chainsaw massacre of text records the universal thing, because text records is just that it's text, it's ascii strings. I can put anything there. I can hash anything there.

B

I could stuff most things in there and lots of people have seen this because the text record itself is just a string of data, a value and if the application says structure, the value would say field, one equals value. One field two equals value. Two just put that in a text record, that's fine!

B

The problem is, of course, that if everyone used text records, then excuse me, you have to make sex records which are the union of all these applications and disambiguating, which text record is meant for which application can be an enormous problem. But you know if the thought is no matter what you want to do, you can do it in the dns.

B

Then the next thought is no matter what you thought you wanted to do. Use a text record because you know you can get away with it: text records are just the universal garbage bin of the dns and for a good reason, they're completely unstructured.

B

Now there were some various attempts to do this and and the first time we sort of did this in a structured way. We thought we would actually give a name to a structure of a text record, and this was the sender policy framework for mail. We call them spf records in truth, they're just text records with a particular structure, and you see this attempt to be generic. I'm sorry to be specific in a generic solution. So the first part of this you actually have the vehicles, spf 1 and then a bunch of fields and values.

B

Interestingly, the the recommended syntax is use an equal sign first, but then use colons, because you know consistency is great.

B

um What I also like in spf to actually really make this incredibly evil uh is the include function uh which basically says, go and include all this data, and what I didn't do is include example.com, because as soon as you actually start to do domain names in the value side of a resource record as soon as you do, that you admit the potential to create loops inside resolution of names inside finding a value and the spf was actually one of the first as well.

B

That not only used the text record in a structured way, but also used loops in a well used loops in a whatever way.

B

Earlier than that, though, and as an example of doing it, probably a little bit better. Was the mx record. Where here the information you want to give is actually structured by the name of the resource record. So, instead of just querying for a text record, you actually query for a particular structure: record mx and yes, there are names on the right hand, side, but the way they disambiguated and stopped looping was that the names on the right hand side are not mx records themselves.

B

To query the value of example.org for an mx, you get back in this example smtp.example.org, but what you don't do is query smtp example.org for an mx you're, not trying to resolve that you're trying to actually find its ip address, and so the mx record doesn't loop on mx's, which is probably a really really really good thing.

B

And so here is an example where you're trying to say that if I'm going to send mail to example.org, I'm going to send it over to the name smtp1, whereas I'm going to send mail to sorry if I'm going to send mail to I'd, go to if I'm going to send mail to example.org different name, I said mail elsewhere and that's certainly possible in mx records, c names and d names.

B

I always thought were bizarre.

B

This is actually creating aliases in the resolution of names, not in the name space itself. It's it's in the resolution, so you have two perfectly normal trees here in this example, which we borrowed from slide 37 of last time, if you were listening carefully, there'll be a test later.

B

Cnames and d names are relatively similar, except that c names stop at that name and resume over there. So it's a canonical name for a terminal name. There is nothing below a c name, no matter what.

B

So, when you get to a c name record, that's it, whereas in a d name you resume name resolution at the point below the d name target, so the d name is aliases, for I said zones, or at least the slide last weeks at last time said zones.

B

No, it's actually aliases for the entire sub tree, so anything below a d name. On the left hand, side isn't reachable nothing there, but the on the left hand side on the right bit. Sorry on below. On the right hand, side, I'm still tired. The d name exposes the entire sub tree in a c name. That's it both on the left and the right hand side. There is nothing.

B

They exist alone. They can't be at the apex, there's nothing below it. They are terminal names. I suppose that's the distinction between a c name and a d name. A d name is an alias higher up in the tree or potentially so a c name is. It is an alias for terminal labels. There is nothing below them, even so names.

B

On the right hand, side are a problem, and certainly here are some some simple examples to basically illustrate the fact that dog and cat can be seen am to each other, and the only way of stopping this is for the resolver to say. Look enough is enough. Stop stop giving me a hard time, because, while it might be easy to detect a loop of two, it's incredibly challenging to detect a loop of a hundred say, and there are two problems with these kinds of loops.

B

The resolver might well make cache entries for every single entry and just keep on flicking over again and again and again, and of course, it takes an awfully long time for the poor old resolver to figure out that it's inside a loop, and so this is one case where the structure of the name space itself can cause problems as soon as a triggering query exercises that looping structure.

B

But you know we can do more and it's hard to say whether the nafta was just fashionable or a demonic invention of incredible evilness, but it was certainly cute um what happens if we take a text value and throw it into a regular expression, parser and inside the dns actually put that regular expression and I've taken this example uh from the documentation. But let me assure you these are regular expressions and there is more than enough rope more than enough rope to do anything you want.

B

The challenge is to do the towers of hanoi in napta records. Go forth, um it's hard to sort of talk about this in much detail. But what it's saying is: if you look up a nafta, you get a priority and you get effectively an application directive, and then you get this weird thing. If you're saying take the application string, you thought you were looking for and substitute the following.

B

So here's one that was borrowed for that early attempt to borrow telephone numbers into the dns enum, which we thought at the time was incredibly clever and the generic solution we had was take a reverse telephone number, plus. Seven one: seven, oh five, five five one, two one two and translate it using only the dns into a sip call to an alias called information from the server tele2 in sweden.

B

Okay, I wonder if anyone used it, maybe they did at the time. I think it's fallen largely into disuse. uh It really did get and push the dns an awfully long way so generically what's going on. Well, you can put loops in the dns in all kinds of places in all kinds of ways you can actually put loops outside of the dns database structure and put it in the name referencing structure.

B

So in essence, what we're doing at this particular point is doing forwarder clauses- hey, I can't do anything, go and speak to x and x, says I can't do anything. Here's a forward statement go and speak to y and y says I can't do anything, go and speak to x and all of a sudden, you have loops inside the forwarding chains of trying to resolve, but the more common form of loop is actually in in the dns data itself, um and you can certainly do ns record loops quite easily.

B

uh Normally the parent zone contains the glue records of the name servers. But what, if you don't the name server from my domain, is dog.com go figure and in dog it says: well, that's cool, but the name server for my name is cat, but I'm not going to tell you it's address and cat says: hey. The name server for my name is over in dog, all of a sudden. You've got loops inside the ns structure and again, if not handled sensibly by the resolver, you can follow that loop forever and so some ways.

B

Resolvers have to make sure that they're not re-tracking over resolution tasks when they're trying to figure out the names of name, servers and equally c names, d names and naptas can loop like crazy, because it's simple now we get onto the last part of this and actually look at now trying to make the dns offload a whole bunch of application level data and simply load this into the dns and make the dns not an alias for a name but a service rendezvous mechanism.

B

So here what you're trying to say is I want to connect to sip the sip port using tcp of example.com.

B

You've been quite specific about your intention and in the service record you can use leading underscores which in host names is a no-no host names, don't allow underscores and certainly not leading, underscores so underscore sip underscore tcp talks about a service record, which is in particular meant to be used for the sip port on a tcp connection to the named host, and here is the service that actually provides that service for example.com go and speak using that port and that protocol to someone else.

B

And so it's a subtle form of alias where it's not the name that is aliased. The service is aliased, so I can take example.com and I can alias my sip service to someone in theory. I could alias my http service to someone else. I could use my dane service to someone and I could alias the name to a whole bunch of other names simply by service protocol and port while having the common name.

B

Simply as you will the guiding point so the right hand side host now is the canonical name, but unlike a c name or a d name, no matter what you're trying to do look there. This is, if you're, trying to use sip on tcp. Look there if you're trying to do anything else. I don't know I'm not the record to talk about everything else. So it's quite a specific record.

B

um But oddly enough, every generic solution is never generic enough and when we looked at c names and we couldn't do an alias at the root because the apex- sorry because you can't alias at the apex folk wanted to do that. But I want to do this, so we experimented around with various permutations of what I would call a name, and a name was an alias that included aliasing at the apex.

B

um There were alternatives for service records, alt servers and then, when we looked at encrypted snr, we wanted to put the keys somewhere, and these are all attributes of a rendezvous trying to get to somewhere, and so what? If we try and make this generic and take all of these things and put it in a generic service form, which became service b and service b, looks a little bit like a structured text record again.

B

Yay come back spf, where now we've got two forms of a service record, this port, this protocol, this host has an alias form to somewhere else.

B

Just this port in this protocol and somewhere else now has a whole bunch of attributes that talk about the application level protocol name, the port name, the keys name, the this name. So all of a sudden you can say that flu.foo colon api example.com and this port 8443 is alias to use an application level protocol called bar and service endpoints offered on this host, using this port, etc.

B

And so now, oddly enough, all of the work that you would do somewhere else at the application level in redirections and other forms. You can now do in the dns generic solution and of course, it's only used in one particular context.

B

So you might just go there, and this is service b for https, which is currently being standardized or if it isn't already, and it's the equivalent of service b for the https scheme, and and now you get the full appreciation of what's going on here, because if in first use you find an http header that had this record that there's an alt service field in the data that says well, you've come to me, but in future go to there.

B

You can eliminate that completely by simply saying in the dns. If you wanted to go there, you should go over here and have a whole bunch of aliases, and so what we're doing now is actually making the dns not just map host names to host addresses we're now mapping your immediate intentions.

B

I want to use https to go to this service name. This is my immediate intention into the dns telling you exactly what those service rendezvous mechanisms should be, what protocols to use what ports to use, what attributes you're going to use at the application level in order to make that connection work. Why do we do this because it's faster because all of a sudden, I'm getting rid of that? First? Look: I'm getting rid of redirection to the application level by pushing stuff into the dns.

B

The theory goes, and it's not always true- that the dns can give you that rendezvous information much much faster, but in some ways this is not the best of things, and this is my lead, I think, into where wes is going to be. I've used more than enough time, I'm four minutes over dns is not secure and anything that is promiscuous and to dns is promiscuous, no matter how we try is not completely private.

B

Some information is always going to have to be public, because this is public rendezvous and to what extent, if now we're saying I just want not just the the ip address of a host, but I intend to connect to pharmdafa.org or some other evil name. But more than that, I intend to use this protocol and this port. I intend to do the following, and the dns goes.

B

Absolutely here's how you do it, but there's a trade-off now, because now I'm telling a whole lot more to the dns about what I'm about to do in the next microsecond, and maybe that's not a really good thing.

B

So wes is going to explain why that not be the best of ideas. Thank you.

A

All right, thank you, jeff, um yes, so the dns is not secure. The dns was not secure would be the other way to possibly do it. Let me share my slides, and so I'm going to talk for the next half an hour about dns security and I'm wes hardiker from the information sciences institute, and this is the uh 30 minute overview of dns security. However, uh first I want to touch on something I did last time.

A

So this is actually my wild card slide from the dns deep dive number one and there's a mistake on it, and this was the last slide I created, and you know what happens when you create.

A

The very last thing always has the most mistakes, because it gets the last review at least review, so it actually occurred with this top record down here, where I had said at the time that host1.example.commx matched the wildcard, it does not, uh it actually should not match and it should return no error, but the text up above we actually should have called this out as well. It matches any label that doesn't already exist, but that label did exist down here.

A

In the actual example records, so uh thanks very much to andre for uh catching that and pointing it out to me, and so that's the errata and then now we'll actually dive into dns security.

A

We're going to start by looking at sort of the attack surfaces. Where can dns be attacked and, like you know, most other protocols that started in the internet they weren't secure in the beginning, because everybody believed that the network should be trusted. That's certainly no longer the case, I'm stealing a slide from russ mundy. Who has talked about this at icann meetings, a number of other places to talk about how the dns actually is put together from a registration point of view.

A

So you know maybe some zone content wants to start, and you have you have this great new domain. It's called iutf.org and I need to register it somewhere. So you go through some registrar in order to actually attach it to the dns tree.

A

Attach your specific section to the dns tree, the ietf uses network solutions, and then it's hosted in a registry like par happens, to run dot org, and that is actually how your particular name servers get linked into the whole tree and in fact, in fact the ietf.org uses ns0.ems as one of their name servers.

A

I'm only listing one and resolvers can then query that that includes isps, and you know the quad public, resolvers and open dns and some of the other resolvers and then finally, the data gets all the way back down to dns users and applications.

A

The important thing to note that most of what I'm going to be talking about today is over, on the right hand, side. I have one next slide on the registration area, but we're not going to touch that too much we're going to talk a lot more about the right-hand side. The important thing to note, of course, is that evil people can do stuff to pretty much anywhere in the entire tree. So do be aware of that.

A

So if we talk about the registration side, there are sources of you know, insecurity all throughout the dns, and the question you know you should ask is: what is the best way I could get data into the dns itself right. If you really want to uh populate the dns tree with bad information, you should actually do it during the publication side- and there are, you know, well-known mechanisms for doing so, a lot of which include social engineering on the publication side on both registry and the registrar, and then you can also attack the zone itself.

A

None of the security protocols, I'm about to talk about help at all. If you don't have your source of your data, you know secured in the first place, so somebody can take over where your data is coming from. Then the dns securities mechanisms are not going to help you at all on the publication and consumption side.

A

There's a number of ways that things can be attacked, so we're going to talk about uh cash poisoning is sort of one of the oldest and not quite as relevant these days, but uh that the gain of security mechanisms were trying to fix. We'll also talk about ddos attacks, and you know what happens there.

A

Jeff already talked about loops, so I'm not going to go into them in my slides and then we're going to talk about privacy, because queries can be seen by both resolvers and authoritative servers, as jeff indicated sort of at the end of his talk and then finally, we'll talk a little bit about dennis abuse and deception.

A

And you know the interesting things are: what happens when there's typos registered in the domains that aren't you know from the domain itself or internationalization and other font related issues and joao is going to talk about that after I'm done so a little bit of architecture, refresher, I'm sure most people remember this, that a when you know I some example.com is queried for a record that the resolver you know near you, be it an isp or be it in a nearby box or whatever ends up needing to talk to most of the tree.

A

It'll start by talking to the root which then it finds dot com, and then it finds example.com and then finally, that's able to return www.

A

So what is cash poisoning so remember that resolvers actually cache information for a a period of time that is subject to the data itself, a maximum period of time. And what happens is your laptop may query the resolver and the resolver is going to? Maybe it has the root and comcast, and it's going to send its query immediately to www.example.com note that www.example.com or the example.com, authoritative server is probably really far away.

A

So if the resolver is getting an answer, first from somebody really nearby that is giving it a false answer, then the resolver may believe that answer. So in this case you know the resolver answers, but it's before the authoritative server could possibly have answered, and so the the thing about dns is that the first answer wins period. So you may get more multiple answers. The ietf has long talked about.

A

You know you have to expect duplicate, packets and stuff and duplicate answers, and you should pick the first well that works if uh that that works really well for attackers, if you don't aren't able to check the data, so one of the earliest cache poisoning attacks the things that actually made cash point impossible was just to include extra data in the additional section, so at the end of the dns packet.

A

Not only does it give you information about the question you asked about at the top, but at the bottom, in the additional section, there's also other records and in early resolvers would actually just trust anything that was there. So you could include records that were totally unrelated to the question and the resolver would cache it and keep it. uh The other thing that happens is in protocol attacks. You can actually sometimes just flood the dns resolver with response packets and hope that they accept them. If you're.

A

Actually, you know on the wire, if you're a man in the middle attack or a person in the middle of attack, then you can actually possibly see the values. Otherwise you end up having to guess you know the ap address the protocol values uh the names the source addresses, and things like that. Maybe you can see some of them.

A

You can pick popular names to try and flood the most, and actually that was a very valid form of attack and it actually did work and the best part about it from a hacker's point of view is that the answer is cashed for the ttl chosen by the attacker. Remember, the the the attacker is actually returning the entire dns record. That includes the time to live value and how long something should be cashed for so it's very common to see very large ttl values in cash poisoning attacks.

A

So how do we combat this? Well, the early mechanisms were, let's just ignore, non-authoritative answers right. So if you don't you don't accept data from questions you didn't ask and there's some changing and stuff that has to be taken into account too. But generally you shouldn't accept stuff, that's below not not, authoritative, for the, where you asked and note that parents do have to supply glue, address records uh for in zone child name servers. I did talk about that in part one.

A

You should go watch that, if you're interested more in about that subject, but resolvers should also check that the ip address and the udp source port is correct and that the dns id field is correct and senders should make it really hard for these to guess so that that flooding takes. You know a whole lot of random attempts and not just being able to predict the next value that might be sent.

A

So you should randomize your source port number and you should randomize the id field in the dns, and that gives you about 32 bits of randomness, but that's still not cryptographically strong and it doesn't work for onpath attackers either that can see and copy the requests in the first place. So the real question is, you know: can we fix it, and I hope I got at least that song stuck in a number of people's heads?

A

Well, we can and there's uh some data protection mechanisms. uh So there's two different types really there's object security of. How do we actually validate an object versus path security, which is you know? How do you actually validate the path you got it over was secure and there.

F

A

Two different forms of protection so object: security is done by dnsec in the dns and it adds cryptographic signatures and all the records it's signed at or near the data's origin. And then, once it's been signed, it really doesn't matter how you get there. It's verifiable in the middle of all the transactions, it's very fireball at the end, but it only provides integrity production. It does not provide any privacy detection. Those records are queried all over the dns tree and various parties can see it path.

A

Security, on the other hand, which has become a very hot topic lately for dns over tls and dns over https, for example, and possibly even dnf's over quick at some point tunnels. The ansel's answers between two points, and it does this with both integrity, protection and encryption, but it offers uh you know, point-to-point protection only so it verifies who you got it from, but not actually what it is. So it doesn't it's not able to verify that the data on the other end is actually correct.

A

So what is going on here? Well, they have two very different: complementary properties, object and path security, so, which are you going to pick? You have to pick one or the other right? No, you actually don't object and pass security. Work very well together and you'll find that many uh endpoints of of path-based approaches, like public resolvers, are actually doing dns sect validation so that they can prove that the object they tried to validate was secure before tunneling it over to you. So there's nothing wrong with putting a locked box in a tunnel.

A

So a brief recap of dns security technologies that exist to date. uh The object security like I've been talking about is dnsec and it is, you know, records that were assigned by the authoritative source or somewhere near it, and it's talked about in a number of rfcs, including 43, is the most recent one that is at least a current standard.

A

The path security, on the other hand, there's a number of options to pick from there's dns over tls there's dns over dtls, which is the udp version of tls. There's dns over https there's, oblivious dns over https, which is being talked about in the dinosaur working group sort of right.

F

A

Actually, I think it might be in the uh security um dispatch group uh this this coming ietf, so you might consider attending to that. If I got the schedule right and then there is a dns over dns using shared keys, so tcig is actually a very old protocol. There's a recent update to that document.

A

Hence the large rfc number, but it's actually one of the older ways to do dns, secured dns using shared keys and dns curve was another technology that was proposed at one point, uh which is another point-to-point, encryption authentication mechanism using elliptic curve and that's still used and deployed in a few places around on the internet as well. But it's not standardized within the ietf.

A

So the thing to note about all of this is that there are various areas of all of these transactions that need to be secured right, so the path-based mechanisms like doe dot and dodt, and any of the other ones authenticates and encrypts the user to the resolver's protocol traffic is on the left hand. Side of that dnsec, on the other hand, is really designed to to prove that the right hand, data set, has not been modified anywhere from the root. All the way down to the answers you actually need now.

A

Can these protocols be used in the opposite? You know: can you do pass security on the right? Yes, but it's not being done. Can you dmd in a sec on the left? Yes, uh it's not being done as much. There are some instances of dnsec occurring on the left-hand side, but not as much it can be used in both places, but it typically isn't so again.

A

This is the reason that they pair really well so the nice thing about dnssec is that it secures uh records, no matter where they are right. So if there was a record that was created in example.com and it propagates up to you know various dns resolvers in isps or even in cloud infrastructure, and if you get all the way to your home router and then possibly all the way, even into your local infrastructure.

A

If you're, especially for running mail servers, it's much more common to run something very local, and then it doesn't really matter right. That locked box is verifiable, no matter where it came from, including over a swallow. You know carrying a coconut and possibly a locked box of dns information as well or the atf rfc on communicating over avian carrier.

A

So how does it work? uh The dns sec is a hierarchical signing mechanism where there's public private key pairs created at various points along the tree. uh The resolver typically only has the one key, possibly a couple of keys, just to be their trust, anchor of where that they accept stuff from that is signed, and they do this by checking all of the records from the chaining on down. So the root zone signs with its dns key, the uh the ds record of com.

A

So a ds record is just a pointer to coms key, which then also has a ds record for example.com and a signature on that note that this is a very high level presentation.

A

So there are many other things that we could talk about, that I'm leaving out, but basically, by following this chain, all the way down a resolver is able to provably identify that records have never been tampered with, since they were created by the original owner, regardless of whether it was example.com or com or the root, for example, and the nice thing about it is that all of the records within those zones are then protected uh if they're included.

A

So you can put other records like all the text records that jeff just talked about, for example, are all equally as well validatable, so the resolver in the end after it is said hey all of this is great uh client. Here you go. Here's the answer, and I'm going to set the ad bit. 80 is equal to 1 means that I checked it. It is secure. Dnsec has validated the whole tree you're good to go, except that this message typically isn't sent securely.

A

So remember that the resolver talking to the end system is typically not secure, which is why uh some path security actually makes a great thing to pair with object security so going to back to the high level overview um object. Security provides end-to-end integrity, production, it works everywhere. It is a distributed trust model with minimal configuration. Typically, you only have one trust anchor, but it doesn't provide any privacy protection whatsoever and it typically is not deployed all the way to the end user, which is typically referred to as the last mile problem.

A

Path. Security, on the other hand, provides privacy, protection and point-to-point integrity, protection, which is fantastic, but it doesn't verify that the data actually came from the original origin. It only verifies that that hop that you're communicating over and for so true security. It also requires that every link be protected and trusted right. So if data is being transferred between three or four entities on the on the internet, you'd better be able to trust them all and you're, actually not the one.

A

Typically querying them so, uh but it does very much solve the last mile problem and solve some privacy issues as well so path, security and obscurity are really stronger when used together. Object security protects the data, object, security ties the data to its source path. Security. You know, fixes that last mile problem all the way to the end user and it provides encryption protecting clients from on paths eavesdropping.

A

So we're going to switch a little bit now into other ways that the dns has security issues, and you know some solutions around them, because the dns, you know is primarily a spoofable udp protocol based design in order to keep things low. Although tcp is used as well, most dns responses are larger than their request and thus it's a great source of reflection attacks. So if the entire world is sending a whole bunch of resolvers, you know udp packets that are spoofed containing the source address of the victim.

A

Well, all of those responses are going to end up at the victim. Unfortunately, and so this was a bigger problem back in the day, but it's still a problem today and one of the reasons that it is we'll get to actually the solution to that in a minute. Let me talk about the other side of the ddos targets so because nearly all internet communication actually starts with dns lookups.

A

It itself is often a ddos target and I'm sure many of you have have seen some of the uh highlights in the past number of years, especially the the dine out of january years ago, that you know knocked out a good portion of major websites across the u.s, because it.

F

Was the target of.

A

A ddos attack so to battle. Oh I'm missing an l there to battle aggressive clients. uh One thing that has been done. A lot lately is deploying something called response rate limiting and it really is saying: hey, client you've asked a whole lot of the questions you know in in the past 10 minutes uh and in fact, they've really all been the same question.

A

I'm not going to answer you anymore. I'm going to punish you and I'm going to give you only partial answers or no answers, but I'm going to set the truncation bit, which means that you should come back over tcp please or implement dns cookies, either one of those as a solution, and that proves that you have end-to-end communication and so udp spoofing no longer works.

A

This helps prevent overwhelmed, udp spoofing requests and is very commonly deployed these days in multiple implementations of dns, authoritative servers, it's interestingly, not standardized. Yet so there's actually some variations in how it's actually deployed and configured, but it's very widely implemented and very widely deployed. At this point to battle dns outages, you should optimize your caches because there's been a number of research.

A

Recent research studies that have shown that, if you are on a network- and you don't want to be affected by dos attacks, there's a few things that you can do- one latest rfc is been published, called serv stale. That basically says if you fail to get an answer to a question that you've asked it's: okay to use an old one, at least for a while.

A

uh So that's you know, helps protect your local infrastructure from outages and then, if you can also run a copy of the root zone on your local resolver, which is rfc, 86 8606 and I have a local root project at isi that actually allows you to mirror and simply mirror a whole bunch of other zones as well. There's also insect aggressive caching. This is actually highly beneficial to prevent validating resolvers from asking questions that they know that there isn't.

A

An answer for one thing: I'm not getting into today about dnssec is how you can provably know that there isn't a name within a zone based on some of the additional records, the insect record that I'm not talking about today, but it reduces traffic loads to authoritative servers by quite a bit.

A

Now. uh The one thing to note is: I gave you a short overview about all of the potential security topics at a very high level. Each one of the topics that I covered, including dough, including dnfsec, including pass security and everything, could take an entire 30-minute segment on its own to dive deeply into it. So we didn't, we didn't go into everything, that's related to dns security, but we, these are potential topics for future talks.

A

If people want to hear about them or you can look up, look them up on on the internet for other sources of people that have talked about them, um but you know for just to pick a couple of example ones. uh You can have multiple sources of trust anchors, for example. So I talked about the root of the dns sec key having its uh the dnsec having it. You know a single trust anchor at the root, but there are enterprises that actually also have a trust anchor for their local enterprise.

A

uh Nsec3 is a pr is a slightly more privacy protecting on the zone owner's side of way to prove that something doesn't exist. uh There's many ways of doing bootstrap security, that's becoming more and more popular, like dane pgp keys, ssh fingerprints and things like that, all of a sudden become much much more secure when you're actually signing them with the nsx.

A

I didn't talk about how dnsec you can actually know when you're falling into an insecure zone, for example, so dnsec actually does a great job of knowing letting you know that you are in the secure portion of the dns versus the insecure portion of the dns anyway, there's a bunch of other topics, I'm not going to talk about. I talked a little bit about q name minimization last time, um there's algorithms, strengths and rollovers, which are actually really being talked about right now. How do you deal with cryptographic changeovers when algorithms will get get weeks?

A

Jeff talked about query loops earlier um then, there's even unauthoritative servers. The servers that you know answer for incorrectly. Do you know helps fix that at least, and then you know one of the biggest ones out. There is, I'm sure, you've all been in a hotel or been in a coffee shop that you have dns intercepting middle boxes.

A

That refuse to give you the answers you want, because maybe it's you're behind a paywall or something like that, and you know what sort of things there's actually rfcs about that as well as dnsec can help in that case and there's a bunch of other things related to dns.

A

Second particular about white lies and black lives, which I won't go into as well as minimal signing and there's many new things in working group states that are that are not included in these slides yet, except for a couple like oblivious dns over https that are still being worked on. So with that, I'm going to turn it over to joao. Who is going to talk about myths in the dns and some wonderful misconceptions and give you new answers right, joao.

C

I'll try I'll try thanks wes. Let me start by seeing if I can share the screen.

C

Can you all hear me by the way.

A

C

Okay, good and all that's left is selecting the slides, okay, so this last this last part this last half hour. So is a a collection of loose ends, uh but that people come up with frequently so we decided- maybe it's a good idea to look, do a quick review of common misconceptions about the dns or things people think work one way, but actually work a different way. So, let's go also, as I see that a lot of the people actually watching this live are dns.

C

Experts feel free to add a complement or correct at the end. In case, I got something wrong, so one of the usual things you see even at the idf is that when people want to have a solution for a problem of disseminating information in a way, that's helpful siri um that is accessible to everyone in the internet um and this distribution is propagating history. The way uh it's often the case that they look to the dns as the solution to other problems.

C

uh Dns after all, is a success story, and so it also carries with it the burden of that success.

C

One of the problems that people have uh in implementing that solution I mean, after all, the dns is there to be used, so everyone is welcome to use it to their best uh advantage.

C

However, it should be realized that better ways and worse ways of doing this, one of the ones that has traditionally been abused as jeff mentioned briefly earlier, is the abuse of the text record, and I realized that there is a an rsc from 1993 rc1464 that actually defines how you should dump stuff on the tax record.

C

If you want to do that, to solve your more immediate problems, it's still a bad idea and the problem is the dns defines not only resource records, but also the idea of resource record sets and those are all the records of the same type that are present at a given name and the dns also defines those to be indivisible.

C

So if you ask for a text record at the given name, you, the dns server is obliged to give you all of them, even if you don't want it. So if you are the first one that uses a given text recorder to solve your problem- you're- probably okay with it, but some people- other people will see that and will try to use the same and then, after a little while you won't be the only one using that and then the problem comes and to illustrate these I'm just using this example.

C

That's now on screen not to pick on google or anything like that, but that is actually the result of a dns query. You can do it live now and you will see- and as you can see, there are five text records and four different usages for that.

C

If you query for the text records at that name, you necessarily get all of them and then you have to start parsing the ones that you want from the ones that you don't want to select and proceed and, as you see there are the most diverse uses uh made being made of these records. So okay, so if that's not the best way, what is the best way? Well, we, the current thinking, is that you should just get another type. The our type code space is big.

C

We are not filling it up at any rate that will put in danger the exhaustion of that space. So just go ahead and try to get one. uh It is not hard. There has been a myth that is going to be hard, because uh this would mean you have to write rfc go through the motion of the working group back and forth comments and so on, and it takes very long time and then it has to be implemented. Well.

C

Actually, no, there is a a fast path to get a new rr type, and you all have to do is basically, if, as long as you don't ex demand that the name servers, the dns servers that are delivering the information have to do special processing, they just do a standard lookup in a database for to fetch a value for a key, and so you just have to define what the format of that record is in a clear spec in an internet graph, and then you submit it to the a panel of experts, there's a standing panel waiting for you to send in the requests your requests and they'll review it and come back to you with comments or approval in a fairly short amount of time.

C

So that's definitely the best way of getting things done for your application. uh Sometimes people also get confused about separating the name spaces and one way of doing that would be, for instance, inventing your own top level domain or buying it. um Either of those options is not good, they are hard, they are expensive, they are pointless and they cause more problem than it's worth.

C

um Well, I just jumped ahead of myself. I will say that so don't get a ldld. uh If you get a proper internet one, you have to go through the whole icon process and it's expensive. It's very hard. It involves layers. It takes a long time longer than you might even imagine. It was possible and- and it's probably also not the solution to your problems, so um not a good idea.

C

If you make up your own tld, which uh people have been known to do in the past, then the problems are of the sort. You don't have the approval process to take care of, but most likely down the road. At some point, you'll have clashes in namespace because if you mix your own newly created namespace with the internet's shared namespace at some point, things are going to get hairy. There will be clashes.

C

There will be, in definition of which namespace you have to address, to get the information you want, and it's generally not a good idea. A network is only good as its cohesion as the participation of everyone. If you split the naming space of the internet, you are actually splitting the internet and then you have instead of one big network. You have two smaller networks and each of them has less value now um jeff alluded to these and whether names are for humans or not. What is the purpose of names?

C

Well, in the beginning, everyone was kind of happy with ascii, with just identifying machines and phones, as jeff described. Things got more complicated with time and obviously one of the things that humans want is to speak their own language and write in their own language and that wasn't possible. In the dns um there were attempts at trying to define dns labels that would be able to encode.

C

Unicode characters but it didn't quite work out. Actually, in fact, the problem is not with the dns itself. The nes itself would be happy with uh uh any sort of a stream of 8b values that it was given, but the implementations and the applications that make use of dns started interpreting things in a way that implied the use of ascii.

C

Soon after the usage, for instance, it was implied that capitalization of a name should not be taken into account for uh comparisons, and that you should only expect a certain number of characters and that kind of, even though the protocol itself allowed for uh 8-bit clean labels in the practice, all the implementations and applications that made use of it, stop that being a possibility.

C

So we still wanted to write in our own languages, and the ietf came up with the idea of idea internationalized domain names. What this does is define a way of encoding, unique unicode characters for many scripts in a dns compatible ascii representation.

C

It does work, but while it solves the problem, it creates new ones, as is often the case with many things humans do.

C

One of the problems is that several characters in different scripts actually look the same to the human eye when they are represented by a web browser on screen, for instance, or any other application. That makes a visual representation.

C

Some of them don't look the same but are remarkably close to each other and, for instance, I'm putting the case there of the latin eye, which has a dot on it and the turkish eye without the dot.

C

I think the letter is actually called, ha which you think is easy to spot, but if you have a long text, it's probably not that easy. So this creates problems because bad people are bound to be using this against good people, innocent people in internet.

C

So, as an example of the representation I'm putting these up there um there's three domain names, um probably something familiar to everyone.

C

I dare you to click on any of them, see where you go, and that would illustrate the problem. We are talking about. um There's a website to generate the names with homoglyphs and characters that be in the screen to be something else to see. This is the same as the ones you want to represent, but actually represent it differently, and this is a sort of problem which relates to west's problems on security.

C

So again, what are the valid characters on dns? Well, the dns has itself, as I said, doesn't actually place a restriction on what car is going to use. The only restriction that dns plays on names is about size.

C

Each label can have up to 63 bytes and altogether, a name made of several labels can have up to 355 bytes. It's almost like. They wrote this in pascal, um but applications do place restrictions. Some of them are applications or common uses that were already inherited by the dns because they were exist in existence before the dns came into place, and one of those was the host name restriction that jeff also mentioned.

C

Also the restrictions have. Our conventions have been evolved with the time soon after the dns was defined, and the concept of a host name was defined with stone's restrictions.

C

It was altered because, in the beginning you weren't allowed to have domain names that started with or the main labels that were started with a number, and there used to be this famous company called freecom that had a problem with that. So we changed the rules uh still, for instance today, uh and this illustrates the uh principle that you should be liberal with what it said.

C

Things like 4011, 411., um exist and work, even though the standards say that the a label should have at least one letter, something that is not a number you can should not be able to have labels that are only numbers, but there you go, they exist and they work.

C

So how do we represent these idn's? As I mentioned, it's an ascii, compatible representation. There's an encoding called punycode. That's how we represent these names.

C

You see an example there at the left side, you see the representation that the dns actually stores and delivers to the application, but on the right side is what the application represents, and you can find very interesting examples.

C

uh For instance, in that example.several.example.com, it's not clear to anyone just by looking at it, where the actual dot is where the label begins, where the label ends, and that poses problems, and it's it's kind of a hard problem to solve. To be honest, so a lot of these problems from the fact that people are more and more thinking about the dns as if it was a search engine and by god it is not a search engine.

C

If you want the search engine go to google bing, whatever you like, your preference might be, but the dns is is not that so just an aside, okay, another thing people often stumble upon in the dns when they use the dns, um is an asterisk, a valid label. Or is it something else?

C

Well, it is a valid label, but its meaning depends on where it appears and how it appears.

C

If it's used in a query, um it might be a wildcard not exactly a traditional label. uh However, it's only a wild card if it's a play only if it appears by itself, it's the only character in that level and it's the leftmost label in any other place or combination, it stops being a wild card. So don't think about parallel, regular expressions, that's not what this is about. It's just a one instance of a wild card and it only works as such when it appears in in the star currencies.

C

You cannot combine a star to mean all the names beginning with a if it is stored in a zone. It's it's. uh It can be just the characteristics just like if it appears anywhere else in the in the query and asterisk again is is a valid name in the domain name, because the dns doesn't place the restrictions in the names it can store.

C

So you might as well uh end up with a name. That's that that's just the last risk.

C

uh There is also a distinction that people fall for uh uh in this in this uh when using dns wildcards, because often you use the dns to lead to websites and websites are secured with certificates that allow wildcards a leftmost label in dns can match any number of labels down deep into the tree to its left, but the certificate as uh to be used in x509 certificate we use on a website only allows one level of depth, which is a good thing. But you have to keep in mind that uh difference.

C

You cannot just expect to get a wildcard certificate for all uh all the names in a tree and a sub tree under a given name. So just one limited one level so to illustrate how the dns wildcards exist. um I've created an example zone under example.com um with those four text records and there's a bunch of uh queries that are issued towards that name, and it will be the exercise for the reader to figure out.

C

What is the response that you would you'd get so here is the solution just to pervert it, and the first one of course matches exactly the second one see those examples you see doesn't exist in there, there's no label. That name doesn't exist in the zone above so it gets matched by the wildcard, the first record in the zone, so those asking for the wildcard itself. You get the result pack.

C

um However, if you ask for a dotstar.example.com, you don't no longer get the the wildcard response. You get that exact match because it exists, and you can see that the wildcat is not the one matching, because if you turn a star to b star which does not exist in the zone above and is not matched by the wild card as defined before you get an x domain.

C

So hopefully that clarifies wildcards a little bit. The subject was uh confusing enough for even the people who spend their lives in the dns that, 20 years after the creation of the dns, the definition of the iss someone had to someone at lewis had to write an rfc to define what wild has meant.

C

So when you get no data from a response from a query in a response, what does that mean? um Well coming? Several things uh depends on what the no data response coming back at you uh contains as information.

C

uh It can have a given a response code, r code, three, for instance, uh which means nx domain, um which translates to that domain name. You asked me about, doesn't exist, nor does anything below it. It's the end of the tree, there's nothing here or is there that? Nor does the tree continue in that direction, so try something else.

C

uh There's a response type that people in the u.s call no data, which is actually a little bit ambiguous, because it's not defined with that name anywhere. um It's the combination of the fact that you get a response with our code, zero, which means there wasn't an error, and yet there is no data in the answer section.

C

So if there is no error, how come I asked the question? I got still got no data what's going on here. Well, it can be both the two things. One is that you ask for a type of data that I don't have infrared information for, if you ask me for the idea of ipv4 address for a name, but they only have an ipv6 address, for instance. um Well, I cannot have uh I give you an answer with data, but that doesn't mean the name doesn't exist and there is any deposit type of information there.

C

So you just be careful. What you ask for um the second is what has been called an empty non-thermal. um It might be the zone, for example, in the zone example dot com that you have example, a.b.example.com, come as a value record in that zone, but b dot example, dot com doesn't exist.

C

uh So if you ask for b dot example dot com, what you get is an empty, no error response, meaning that I know nothing about that name, but there's actually stuff. That is a subdomain of this name in the same zone by the way, and then there are other errors like surface and so on.

C

uh This is a little bit of a further explanation of what an empty non-thermal an end, not in the tolkien way, but in the dns way is you can refer to it back. I already explained it so c names have already been mentioned and why we always mention them, because they are source of confusion.

C

What the cname stands for is a canonical name. You ask for a name and that response to that tells you that the name you asked for is actually this other name over there and because you cannot be here and there at the same time, uh because what you are telling in a response is that I'm not the name you wanted, you go look somewhere else.

C

You cannot have then um information of any other type associated to the name.

C

That's a source of the cname, because that would immediately introduce two sources of truth into the system and you won't be able to really know which one was the correct one as a consequence of that zones apex, which is where the start of authority for the name is uh as well as the name servers for that zone are defined, cannot have a c name, because it would imply that there is more information at the same level as a c name, and that again creates trouble. It's not allowed by the current definition of the dns.

C

However, that doesn't prevent people from saying and thanks to the how liberal the internet is in what things it's willing to accept. Some people actually abuse this mechanism and mostly get away with it. The itf is not defining a proper way of dealing with this use case, so if this is a good, successful worldwide distributed database, surely all the servers that authority for a given a given set of data will have the same information?

C

Well, yes, and no, the dns was never meant to be strictly coherent. It is actually what is defined as the loosely coherent.

C

There is one source of truth as in any well a decent database protocol and that's called usually a master server or primary server, which is helped in its function by a set of secondary or slave servers, slaves out out of use. Now we call them secondaries.

C

That will reflect what the what the primary service tells them is the new information that might take a little bit of time to catch up. So in that sense there is a loose coherence which will catch up if the system will usually catch up catches up with itself as time goes by short amount of time.

C

Usually um there is, however, the fact that, uh as was mentioned earlier, there are recursive servers that cache information and that information is cached for a given amount of time if the source of the data changes that data in the meantime that recursive server that caching server will contain steel data for the duration of the ttl. So that's one way where things can be a little bit of sync, it's again self-correcting with time.

C

However, the last uh fashion, the latest fashion internet, is that people play tricks with how to serve what information is served.

C

um People will answer differently, even with different ip addresses for a given name, depending on where you are and how you reach them, uh either by looking at your ip address uh and saying. Okay, if your ipr is according to my local databases from north america, so I will give you an address for you for you to connect to that's located in north america. Why is a uh your user that is uh asking from europe will probably get an ip address that points to server in europe? That's fancy using it's transparent.

C

Most people are okay with it these days, because everyone tries to do it, but it can lead to interesting debugging problems.

C

We chose to publish an informational irc in how to make these a little better, uh which was uh an attempt called uh edns, client subnet, which is some sort of signaling of where the client that's behind me is located so that I I'm asking he in the client's behalf. Give me information. That's pertinent to the client uh in exchange you get uh told by you got filled information about where the user is, and this can be exceedingly uh granular, so you might be exposing exactly who the user is.

C

um We have had in the last few years a couple of flag days in the bns.

C

They are mostly not really flag days as they we people tend to think about flag days, but they are dates somewhere. People agree that they'll change the behaviors in their implementations or on operations um in operations, it's nearly impossible to actually have a a flag day, that's effective, so it's mainly a communications tool.

C

These days, the dns is implemented in millions, probably of hosts around the world, and even if you only look at servers, you see it's unwise and realistic to expect that the whole deploy base would switch in a given day, just because you asked them to that's, not how things work anymore. uh So it's more more than anything, a communication day uh to make uh people aware of changes that are desired and agreed to in the dns, but they don't come into effect as a usual flag. They would a little bit of a myth.

C

Is that ctes, the routers, the things that you have at the edge of your home network office network enterprise network work? Well, as the interest resolver well misconceptions here, there are several one of them. The most typical is that cpes are actually not running, usually resolvers. They are running forwarders. What is a forward there is something piece of software, has a small little cache locally trying to help you to get further and for future answers quicker, uh but it actually uh just furthers your forwards.

C

Your question to a proper recursive resolver that does all the heavy lifting on your behalf. So that's the first one uh and then there have been ideas of uh or opinions or recommendations of whether it's good or bad, to have a local recursive resolver in your cp. If you are allowed to or or if you are inclined to tinkle in one- and there are both good things and bad things about these I'll skip this, because I'm going to run off the time. But the slide is there for reference, uh not me.

C

If you turn on cdns sec, everything in the dns becomes too slow, um well too slow for what and for whom, um which is um always a qualification you have to make when you make a statement like that.

C

So it is true that if you make any operation that you were not doing before, it will take additional time to do that. Operation. That's true here and anywhere else you do, but actually the dns has a feature that might reverse these. In some cases, when the nssec was defined, it was decided that not only would it sign that a piece of information that exists uh will be attested to by a signature.

C

uh It was also decided that the nsx would have to prove that when a name does not exist, um it can be proved uh cryptography as well, and this was implementing by creating a gap record.

C

The next secure nsec record, which says in between two existing names in this interval between you names that I know exist in the zone. There is nothing so f, and you can sign that, because now the absence of information has become information that exists and it can be signed. Now, if you were to ask a name server for something that doesn't exist and it falls in one of these gaps that has been documented and proved proven to to to exist.

C

You can use that previous answer as a as a as a way to shortcut the lookup and say well. This domain doesn't exist either because it falls in the gap identified by this nsx record, which I have proof of being true, so it can become. It can accelerate dns lookups for the domains that do not exist also because the lookups for names do not that do not exist actually take longer than any other lookup in the dns, because the dns will always try very hard to find the information you were asking about.

C

So if you still experience problems with dns, then a slowness when the nsx is enabled, maybe your problem lies elsewhere.

C

One of the things that happens when you carry more information in in the dns message, which the nsx always implies, is that uh sometimes those packets turn out to be very big. Sometimes they are so exceedingly big that they don't fall fit in a single udp packet and that packet becomes fragmented.

C

Now some networks take exception to the handling of fragmented udp packets and if they drop that, and they don't have or don't enable the fallback magazines that the dns dns has from the beginning like use tcp, then you might have a big problem in your hands, but the problem is not necessarily with dns, but rather with the network and that the network management other other things.

C

That may happen is that needle boxes well, they are not always up to date or are not implemented by people that knew what they're doing at the time they did it and dns being qualities at the at the root of everything you usually do on. The internet is always seemed like the neglected child of all the protocols you wanted to go to your website.

C

You wanted to fetch a file you wanted to send the mail you wanted to know about the time um while the ns second level dns enables all those uh applications uh it stays. It does so in the background. So most people are not aware of it and it just also happens to be a very stable protocol and operation, so it kind of fades in the background and most people don't think about it, and then stuff happens, as I mentioned before.

C

Tcp and dns has been a thing since it's uh since dns began since the original times its tcp in the dns is always used for some of operations like zone transfers, because they involve massive amounts of information being translated transferred from one place to the other, but it should always be available as well for um a standard fallback amazing mechanism when udp has issues, and we at 18 has published several papers on how many people are affected in today's internet by issues like udp non-handling mishandling.

C

Also, it can be that clients choose to use tcp right away without by using trying uh or attempting udp as a first step that is allowed by the protocol.

C

If you use tcp, if, when you use tcp, the only thing you have to keep in mind is that the protocol and the state that is kept in the servers that serve tcp is a little bit different than the usage of eub. But the myth that this cannot be used is easily defeated by. If you look at any standard, a big web farm that always uses tcp.

C

So it's totally. If you do a google, you just need to be a pro. You just do care about what you're doing your craft and to end. uh We thought we had a question here. There is a dns query type that stands for any. We type 255 also used in the old ones or broadcast kind of thing.

C

The official name for it in the standard is star, and no one uses that name for it, because we already have trouble enough with the other star, the wildcard one.

C

We don't need to introduce any more confusion, so we call it any now, even so, since the beginning any was defined as not to be all but really any anything you have about this name or given you all you have about this name.

C

This might not be all there is about that name in the dns, for instance, if you ask a caching server that has some records regarding that name, because it was asked about an a record, an ms record relating to that name earlier on, and you ask it give me anything you have, it will give you all that it has in its cache. It doesn't mean that it will give you everything that the authoritative server have on that.

C

So you have to be careful, uh particularly because this is a debugging query, that if you you know what you are debugging and that information you are getting might be partial, and I think that is the last of the myths we wanted to address in this thing, because he had 30 minutes to go on it and now it's time for questions, comments, insults. If you must- and I hope my co-chairs co-speakers will still be around and able to join me around.

C

Let me just stop the.

C

A

Thanks jeff, I think uh I'm sorry not jeff thanks, you are, I think you know the the any all problem is is definitely.

F

A

Myths that most people don't know yeah uh if anybody attending the atf crowd, wants to ask questions or yell at us. Please raise your hand and we will. Maybe that was all perfect and we have no questions. Is that.

C

Okay, I'll be a.

C

First, um did we put everyone to sleep.

A

D

Oops go ahead warren, so you mentioned that the any query causes a lot of confusion. I think there's been some talk about deprecating it. What do you think of that? As an idea like? Do you think it causes more harm than good um or not, or what.

C

um Well, I like it, I use it when I need to debug, but I know what I'm going, what I should be expecting from it um for the general public. Perhaps uh it is misleading, so some people are already choosing to not implement implemented there. It's one of the valid response codes that you can get from the dns and it's a it's a valid choice. um So by all means go ahead and do it you don't have to implement things. You don't like uh to be dns compliant. um I wouldn't deprecate it.

C

I think it still has the occasional useful purpose.

B

What what might that purpose be joao, because in some ways you know I I fail to actually understand when an any query does something that you couldn't do with other queries. Does the name exist? Well, you just need to ask even any other resource type, including the name.

C

Exists, you can use it directly at the recursive server to find out if the recursive server is dropping certain records on the floor because it doesn't like them. If you know that the record is in the zone and you ask ask the recursive server for it, you get back no answer. You can try to trigger this and see whether, uh where the name is disappearing in the in the resolution process, you can you can see if it only got partial information which might be a pointer to a misconfiguration somewhere.

C

It is useful, it's not a solval thing, but it has its use cases, but it's a debugging tool. It's not something you should use as uh I'll shortcut my lookup time, because I want to have both the app e4 and ipv6 addresses. So please give me any that's not the way it's meant to use and you might be surprised by the answers you get or not.

A

I know that there are reports of real queries that are happening, not just those that are trying to get all the data they can that there's some applications.

A

I think there was a mail server that that was by defaulting querying for any and in order to get back data about mxs and stuff, so turning it entirely off is potentially unsafe. Yeah.

A

All right is there any uh robert go ahead.

F

Can I come through? Are you hearing me yep yep, so quick question? um Do you think the dns has a gracefully over its 20 years, you're saying it hasn't worked right? Has it aged gracefully in terms of a protocol? Do you feel that it's still good for it or has it? Has it outgrown its initial roots.

A

So that that has been so widely discussed and when you get something as entrenched as the dns, you know uh the thought of doing dns version. 2 is the phrase that has been kicked around for 20 years as well. uh You know, should it ever be replaced and reconsidered with something new. um You get huge issues with trying to uh you know to update that much infrastructure. I think it is. It is scaled, amazingly. Well, I think that if we were going to redesign it today, you know we would certainly change some things.

A

uh There are you know one of the biggest desires that people have right now is. Can I- and I talked about this last time- can we put more than one question in a packet and you can't and and the the the issues around that are you know that the resolver would have to wait for multiple answers and try and figure out how to answer all the questions and what happens when you have multiple errors and all those types of problems exist, which is why you shouldn't put more than one question in a packet.

A

Even though there's a myth uh that you that you can that the reality is you can't because no implementation to support it for good reasons? That being said, I think if we were redesigning it today, the fact that so many things are being asked for you know. Jeff talked about the https record and we're talking about the a record and the quad a record, and you know I mean how many different things can you query for you actually want answers for all at once.

C

Well, I think it has been quite well. I mean it has been extended uh beyond whatever you want to imagine with crutches, even but it's still fulfilling a lot of the purpose it was meant to fill, um defining an entirely new protocol to replace dns is going to be extremely hard, because why would anyone put things in a protocol that is mostly volume information at the beginning?

C

If I wanted to be provocative, I would say that actually we have sort of an opportunity to do a new, dns dns new generation by abusing perhaps this thing called dough, because it allows a lot of flexibility and extension there, while still retaining backwards compatibility if he wants to, but that's a discussion to have amongst all of the idf. I guess.

B

You know I disagree and actually think that the cracks are are showing and they're pretty fundamental.

B

The original specification of the dns was as a predominant udp protocol, so predominant was that the maximum payload size in a dns packet was meant to be in udp, 512 bytes and for simple here's, a domain name give me an ip address.

B

You know there was no reason conceivably that you ever needed to go more than 512 bytes and large packets in the dns were kind of odd and an exception.

B

At the same time, let me remind you, the maximum packet that a v4 compliant host had to accept was a maximum of 576 octets and a host was quite able to drop 577 octet incoming id packets. So we designed the dns to sort of sit within this small size and large packets were the exception.

B

The way you got a large dns response through was you sent a small response with the trunk eight bit set, which was triggering the client to go to tcp and you've just wasted one round trip time, and so these days, when we talk about dns sec, when we talk about service records, when we talk about large text records and we sort of get the view that you know you can put anything in the dns you can.

B

But then you stress out the transport protocol problem and the issue is that a whole lot of folk, particularly clients, lie like crazy. In the dns sure I can handle 4096 octet udp, fragmented back at trains wrong, send them one of those, and it goes huh huh what happened you know, and so this whole area of the sort of mutated transport in the dns, where udp is prime tcp is backup, has worked badly.

B

Now we then go well okay, let's just go all the way and use dot dns over tls or dns over https, and even if you think about it, dns over https, 3 or quick is just a mutated tcp. It's just taken up. One level in the transport layer, but you have in essence the same sets of problems.

B

Now we point to the web and say it is possible to create totally massive http based service infrastructure and that's true totally true, but we built a massive udp-based system with tcp is the exception and there is an awful lot of money required to actually make the dns work over tcp in all cases, because throughputs and servers etc. Don't actually work now put that to one point one side and then let's look at the dns resolution economy who pays to get dns answers provided?

B

Well, it's not me, I'm just the user, and so when you say we have to forklift the entire dns resolution infrastructure up to cope with tcp, because that's not where we started. You immediately open up this massive economic issue. Well, who's going to pay! For that. You know. I want my dns to be free. That's what it is all about.

B

No one pays to have names resolved at the query: the client side, so we're kind of between a rock and a hard place that, while udp is difficult to make secure, it has enormous troubles with privacy.

B

The effort to add encryption is largely a failure in udp, and we kind of look at this and go what we really need to move on with that transport protocol.

B

This whole udp thing is a 1980s concept, but the whole problem is adhere to their problem and the dns is kind of stuck in nostalgia because it's cheap, it's easy and that's what we all do and trying to get us into some if we real tcp based flow control, algorithm, whether it's quick or tcp, it's the same thing in terms of cost, that's what's causing us absolute heartache, and I'm not sure I see a clear resolution of that.

B

But I do see I do see a clear desire on the part of many applications to actually push a huge amount of rendezvous information into the dns. It's fast, it can be made relatively secure, particularly with dnsec.

B

You can trust it and, quite frankly, if we actually made the responses even bigger and I'm referring to dns sect chaining, which I think is brilliant, you actually can make validation work in a single round trip time. This is fantastic, but you're carrying a large. You know carry a load of information sitting inside these sessions. Will the network handle it yeah sure this is tiny stuff?

B

Will the dns infrastructure handle it? Well, we built that for udp, so we're trying to put 21st century payloads into 20th century infrastructure and that's where we're kind of the cracks are really showing robert and I think the answers are as much economic as they are practical, um we're just not quite sure how to get there.

F

Thank you very much um and also I should say thank you to all three of you for your um your talks very, very interesting. So thank you.

A

Thanks robert, I'm certainly glad you enjoyed.

B

Him anybody else want to ask a question: there's a question in the chat window where's: um it's actually, I think joel q mount used any. Actually, it's more of an observation really.

A

B

That's actually.

A

The one that I was thinking of yeah.

A

There's a question of how widely it's deployed, I know uh in the infrastructure I run. I certainly see any still pop around quite a bit and it's unclear if it's a needed any or if it's a or an abuse of any and there's it's very hard to tell.

A

I believe cloudflare's systems don't support any weren't. They one of the ones that returned.

C

Not implemented here.

B

Well, this again was this issue about pushing pushing the dns into content, distribution networks, and it was sort of seen as why do I have to push the entire elephant. You know out to the front edge of all parts of my network when all you're asking for is a query relating to a toenail. You know, I really don't want to push the rest of this craft onward and outward I'll just push basically cache-based answers and just a fragment of the dns. If everyone asks for a quad, a that's all I'll serve at the edge.

B

Oh you ask for any. If I want to be quick I'll, just say, here's an answer: the name exists. The rest of the stuff is not immediately available to the front end shim that answers dns. It's back in some database that, quite frankly, I don't have the time to look up, and I can see that as the way we try and make the dns go faster, because you know the other pressure. That's on the dns is it's too slow and no matter what we do.

B

Someone somewhere, I predict, will always say it's too slow and you know it's almost the impossible target, but that's that's. I think the other reason why any, which requires, if you're, going to go instead of any all, give me everything you know the answer is well. This might take a while and we're just not patient enough.

A

B

We need response.

A

Times and negative milliseconds, yes,.

B

Yes, dns over tachyons, I think, is where we're heading.

C

Predictive dns, just like when you type in the google search bar yeah, it comes up at you with what might be the the question you wanted. Some idea applied.

B

What do the two of you think about pre-provisioning dns over https? Will you actually get server-side push.

A

Then well, I've been I've been pushing for for pushes. You know using dns signed data for forever right. So the whole thing that I had the whole slide on. You know don't accept stuff from authoritative, and uh you know, authoritative, name servers for which you didn't ask questions, that's moot in the case of dns sec right, you can. You can actually return other data, and so there's been discussions of. Should we start accepting stuff. If you know that if, if you're talking to some name server, that actually knows what you want.

A

C

Absolutely sure, but in the absence of the ns sect this would be a queen to the earlier cache poisoning attacks that you mentioned in your.

A

Only it only works if the inner sec is enabled. So that's the only time you should.

C

A

Know if you get this gigantic response back, you know ideally over tcp and it contains an entire zone's data right. uh Here's here's the resolver, believes that it it has the top 100 domain seen by this isp for the past hour, I'm going to give it to you all so that you can be. Oh look, it's a negative millisecond answer, but it should be verifiable.

C

On the other hand, things like, though, as I mentioned, if you look at using dough as a way to get to the ns as an api, might be possible to introduce versioning and then the sky's. The limit.

A

Robert go ahead.

F

I have another question for you: it's probably for you always um so you mentioned effectively the split in terms of security between uh securing the path to is it the local resolver local custom resolver versus securing using dns sec upwards for the records.

F

You seem to suggest that you don't need to take dnsec all the way down to the end host is that is that a correct interpretation or.

A

That is not a correct interpretation of my belief.

A

That being said, there's a lot of people that don't think that your personal phone laptop whatever needs to do dns tech validation on it, because you're, your resolver, is doing it. My personal belief and I've both won and lost this battle in multiple places is that if you are using the dns sec signed data to store critical data, that you are bootstrapping security off of right and dane, is a good example of that pgp keys are a good example of that ssh fingerprints are a good example of that.

A

I don't trust my resolvers a d bit equal to one in order to ensure that I am accepting that data and it's valid, so my belief is there's no reason why we can't do validation on individual devices. They're, certainly fast enough. These days, that's not a problem, and it allows you greater respect with respect to being able to bootstrap security related data that is already encoded in the dns.

B

Well, I do remember, and it's an ongoing debate about dane: why haven't we got pkix keys sitting inside the dns and getting rid of the twisted and potentially corrupted version of all of those cas in in the web? Pki and the response from the browser folk has been. You know when I talked about time. It really is an issue and that, while dane, can feasibly do this one of the issues not all of them, but one of the issues is that doubt the incline level performing validation.

B

You know on your own takes an extended amount of time.

B

I've got to basically query backwards up the chain and get back all of those dns key and ds records, and- and so that's also this push that says, if you really want to do this and robert, you can experiment with this and add your own stub dns sec validator, and I think you should because it's certainly a learning experience as to how long it can take in terms of elapsed, time to actually perform this validation and- and that's the issue that, while the resolver, which normally is handling a lot of queries, caches this stuff up and the validation, the validated answers are stored in the case down at the end user client level.

B

There's nowhere near that intensive activity level that loads the case efficiently, you're, not combining strengths from other players, you're back on your own again, and because of that, the time penalty is well. I think for most users would agree the time penalty is excessive and various efforts have been made to try and get around that and the most successful I've seen is dns sect chaining, where you push the burden of work back onto the zone publisher, who, as well as publishing this, is my rr records. This is a signature.

B

They actually publish a combined record, a dns set chain record, which is the answers to all the validation questions you ever were going to ask about me and again, because it's dns sec, that's okay, because you don't have to believe it. You can use the answers to validate. What's going on now. That means huge answers.

B

That means pushing huge answers in tcp out into stubs and while that link between recursives and authoritatives is relatively robust and handles large packets and tcp adequately, I wouldn't say well but adequately. The real problem is out there in stub land, where the amount of cheap crap that people buy. You know there's an awful lot numbering in the billions. It's not even clear how easily tcp gets out there or fragmented udp. So, while it's really good to say, clients in mobile phones should do validation and we think we can do that. The implication is wow.

B

We need to push large dns responses out to these things. Gee, that's an issue. So that's why this becomes a vexed problem that a good dnsx system should go all the way to the edge. We really don't understand how logistically that can be done within the bounds of current infrastructure. So that's kind of the.

A

Tough question: do you remember one thing when it comes to validation and slowness? It's only slow the first time, if you have a three hundred and three thousand six hundred millisecond uh sorry 300 600. Second, you know ttl, then you only have to do it once an hour.

A

uh But let's ask monica in the chat window actually asked a question which is how prevalent is edns client subnet and how my screen saver kicked on right then, and how privacy sensitive is it and uh has the data protection crowd detected it already so jeff do you actually have measurements or one of you have measurements?

A

B

Really difficult question monica because the folk who could answer view that the data that they get is so sensitive they're not going to answer your question and it's kind of the problem is acute.

B

Certainly, as we've observed in the analysis, around initiatives like oblivious dns, the combination of who you are, and the name you're querying for- is extraordinarily valuable. It exposes what people are doing absolutely and so in that respect, this is a problem, because, when you think about the dns, the query never has the query err.

B

The query er is the source ip address of the packet. So when I query for pottery.net, I go through a recursive resolver. The recursive resolver knows about me, but if it's not in the case at that point, the recursive resolver goes to the authority. If the authority there has no idea, jeff is asking all it knows, is the recursive is asking on behalf of I don't know now. Edna zero says no, no jeff's asking it's jeff and you go oh, but we've obscured it. This is a slash 24 subnet.

B

Unless, when someone configures it to do a slash, 32 oops, which happens or in the case of v6, you know, what's the right, subnet size to obscure me, it's an extraordinarily difficult problem and as a data leak, it's humongously bad.

B

On the other side, the issue of content distribution networks, we've seen already with the service record that realistically folk don't want to spend the time customizing the response and steering you to the closest entry point in their cdn through the application to cut the time and throw the problem to someone else, put it in the dns to give the right answer. I need an idea of the end user's location.

B

The problem is addresses the location and identity and to say I just wanted to know where you are. I didn't want to know who you are our ip address infrastructure says no, no, no, no can't do that as soon as you get to know that address, even at a prefix level, it's pretty clear who you are and disambiguating that is nigh on impossible in the current ip address infrastructure.

B

So you know, one person's problem is another person's nightmare moniker and uh yes, it's incredibly sensitive data, and if I could answer your question, that would mean we're treating that data badly.

B

The fact that I can't answer it in a generic way. I can't give you data- is, I suppose, some slight reassurance that the folk who are privy inside that resolution power do not make a habit of publishing what they know and and that's about as good as it gets.

B

I think in today's world right now with this, I agree with the caveats on the rfc and there were a lot and the caveats, as I recall basically said, we're going to publish this, because interoperability is good, we're not publishing it, because it's the best way of doing this, we don't know what the best way is, but we think this leaks like a sieve, and I agree with that analysis. It leaks like a shiv. There really should be a better way of doing this, but we don't know what it is.

B

If you really want to go down this path, the other path is don't expose any information at all.

B

Oblivious dns hides that combination, no one, not even a recursive resolver, gets to know who's asking what, because you deliberately obscure it, and so that's his tension that the application folk want to assume that the dns tells all it racks on everyone all of the time over on the other side, dns and privacy, which is a big thing in today's world.

B

The answer is we're ratting on no one and we're making sure that no one, not even recursive resolvers, are privy to the profiling of what users do, and you know we get as much security as we're prepared to wait for and we're prepared to pay for and as long as the assumption is, the user is incredibly impatient and waits for nothing. Security is sitting there going. Oh, my god, how do we do this yet still provide an incredibly fast sort of responsiveness and feel- and I don't understand how to resolve that.

A

Tension, a lot of I think what we've been talking about in the last 15 minutes, has been the tension around three pillars. Right. You have uh security with respect to integrity. You have security with respect to privacy and you have speed of response.

A

You cannot optimize for all three at once and things like ecs and don't do validation, because I need to show the webpage faster is an indication that it matters. You know more to to get speed over those other two and unfortunately, users don't have the ability to actually select what they prefer and also users. Typically, don't have the the understanding to be able to select what they would prefer.

B

Although, although our efforts to empower users have always been in some ways, thwarted by the fact that almost no one fiddles with the buttons and increasingly the application folk have become impatient with that and are now arming the application with presets, you only need to look at the mozilla firefox decisions about their use of dough in certain markets to sort of sense. This level of impatience that saying users have a choice. They can go into settings and do xxx is kind of speaking to the one in a thousand folk. Who might do that?

B

If you really want to move the dial for everyone, the application folk. I think at large now got to the point of going. I'm not waiting, I'm going to arm the application with the necessary behavior patterns, sure you can reverse, but the default settings the decisions, the applications making. So increasingly these days, users don't get. If you will a say in this, because there's no expectation users will exercise that right applications, not platforms, but applications are now making these default choices. You know welcome to the new world, that's just a.

C

Reflection of normal user behavior, I mean you only care about security with something bad happens to you and in the meantime, large e-commerce platforms are showing have data that a few milliseconds of delay in any of the transactions causes a measurable loss of close in those transactions. Right, so I mean you only shout for the police when you're bugged.

C

In the meantime, you don't want.

E

A

A

All right, well, it looks like we are now at the top of the hour. I don't know if warren wants to come back in and close us out or not, but thank you for everybody that listened to us today and um if, if we spoke too quick or you missed something it'll be on youtube, I'm pretty positive. If it's, I know it's already been broadcast there, whether it's archive they're in the same place, I'm not sure but.

B

Now, thank you all too, for coming. Hopefully, it's been useful. Thank you all.

D

Yep, thank you, everybody, everyone and yes, it will be archived and will be will be on youtube. I believe that greg will also post it on the ietf website for a link to it, so people can find it there and thank you very much to all of the presenters. I know it was a huge amount of work getting organized, but I think people really enjoyed it enjoy not.

A

Prague next week, sob thanks bye. All one of my favorite.

F

A

Go to in how well sub.

A

A