Security

Adam Castle — 24 Feb 2014
A Virtual Canary-in-the-Coalmine for the DNSSEC Root Key Rollover
Roland van Rijswijk — 27 Jun 2017

As many in the tech community will know, the DNS is a core part of the Internet’s infrastructure. It provides the vital function of mapping human-readable names (such as www.surf.nl) to machine-readable information (such as 2001:610:188:410:145:100:190:243). When the DNS was designed in the 1980s, security was not a prime concern. …

Routing Detours: Can We Avoid Nation-State Surveillance?
Annie Edmundson — 09 Nov 2016

An increasing number of countries are passing laws that facilitate the mass surveillance of their citizens. In response, governments and citizens are increasingly paying attention to the countries that their Internet traffic traverses. In some cases, countries are taking extreme steps, such as building new IXPs and encouraging local interconnection to keep local traffic local. We find that although many of these efforts are extensive, they are often futile, due to the inherent lack of hosting and route diversity for many popular sites. We investigate how the use of overlay network relays and the DNS open resolver infrastructure can prevent traffic from traversing certain jurisdictions.…

Speculating on DNS DDoS
Geoff Huston — 28 Oct 2016

The recent attacks on the DNS infrastructure operated by Dyn have generated a lot of comment in recent days. Indeed, it’s not often that the DNS itself has been prominent in the mainstream of news commentary and, in some ways, this DNS DDoS prominence is for all the wrong reasons! I’d like to speculate a bit on what this attack means for the DNS and what we could do to mitigate the recurrence of such attacks.…

Tags: security dns
DNS Privacy
Geoff Huston — 18 Jul 2016

The DNS is normally a relatively open protocol that smears its data (which is your data and mine too!) far and wide. Little wonder that the DNS is used in many ways, not just as a mundane name resolution protocol, but as a data channel for surveillance and as a common means of implementing various forms of content access control. But all this is poised to change. Now that the Snowden files have sensitized us to the level of such activities, we have become acutely aware that many of our tools are just way too trusting, way too chatty, and way too easily subverted. First and foremost in this collection of vulnerable tools is the Domain Name System.…

Tags: security dns
Anycast vs. DDoS - Evaluating the November 2015 Root DNS Event
Giovane Moura — 31 May 2016

IP anycast has been widely used to replicate services in multiple locations as a way to deliver better performance and resilience. It has been largely employed by CDNs and DNS operators, such as on the root server system. However, there is little evaluation of anycast under stress.…

The Internet for Things
Mirjam Kühne — 10 May 2016

Please read this guest post by Byron Ellacott, Senior Software Architect at APNIC: The Internet of Things without the Internet is just things, and we’ve had things since the first caveman used a pointy stick to draw on a wall. What then does the Internet bring to things to justify a capital T?…

Support for Elliptic Curve Cryptography (ECC) in DNS Resolvers as Seen by RIPE Atlas
Maciej Andzinski — 21 Mar 2016

Elliptic Curve Cryptography (ECC) is becoming increasingly popular in DNSSEC. While it is sometimes considered to be a remedy for the low DNSSEC adoption rate, there is also a lot of controversy around it. One of the main concerns is that DNSSEC-validating resolvers don't always make use of ECC. We used RIPE Atlas to measure the support for ECC in DNS resolvers.…

DNSSEC Algorithm Roll-over
Anand Buddhdev — 06 Nov 2015

Rolling over the algorithm (usually to a stronger variant) used to sign a DNS zone isn't as easy as regular key roll-overs. This is because some DNSSEC validators are less forgiving than others, and fail validation unless the right combination of keys and signatures is present in a zone. This article describes our experiences with DNSSEC algorithm roll-over. We hope that our experience will help others who may be considering doing this.…
