Author: otmar

Categories
IETF Internet

DNSSEC and large packets

In the wake of .org going signed, we finally have good data what that means for the authoritative nameservers. Duane gave a good talk at the recent NANOG event, showing the increase of TCP connections.

So what is the problem?

In a nutshell: Packet sizes. DNS responses containing the DNSSEC specific RRSETs are larger, and setting the DO bit that triggers their inclusion is almost default these days. So we’re now routinely exceeding the 512 bytes that the original DNS spec required. Over the years, the IETF defined EDNS0 which allowed clients to announce their support for larger responses via UDP. Not this is finally really put to the test and we can see how fallback to TCP we still observe.

Continue reading “DNSSEC and large packets”
Categories
CERT Pet Peeves

FUD, the Microsoft way

Dear Microsoft,

we all know that the “Fear, Uncertainty, and Doubt”-strategy worked quite well against Linux and other threats to your Monopoly business. By why do you apply the same tactic towards a Windows user that simply wants to open a zip-file?

microsoft-fud

(Translation: “This page contains an unspecified potential security risk. Do you want to continue?”)

What do you think a user should do with that information?

Categories
Internet Pet Peeves

Heise, Slashdot, Broken Records, and DNSSEC

Almost whenever a security event involving Windows is featured on Slashdot or Heise, some Linux fanboys will invariably post their cocky “that would not have happened with Linux” messages.

I start to see the same thing with DNS incidents and DNSSEC.

This is just as childish and stupid, especially as the voices writing such notes are often enough established engineers and not your average adolescent geek.

In reality most of the recent DNS hacks were not perpetrated by crafting forged DNS responses to poison caches but were successful attacks against the Registrar/Registrant interfaces. No, DNSSEC would not have helped in such a case.

The same is true for DNSSEC and the domain-based censorship which was just passed by the German government. DNSSEC will not help here. It is no panacea against meddling with DNS answers. It depends on who is doing the validation and whether the offending domains are actually signed or not (not likely these days):

  1. DNSSEC validation is done at the ISP resolver:

    DNSSEC doesn’t help the end-user here at all.

  2. DNSSEC validation in the client, ISP recursor is used:

    If the domain is signed, then the user will get a NXDOMAIN (or maybe a better error-reporting) instead of the IP address of the STOP-sign website.

    So the censuring still works, just the alerting of the user (and the logging of the STOP-sign access) does not.

  3. DNSSEC validation in the client, full recursion at the client

    Censorship is ineffective. Just the same as when the local recursor does no DNSSEC checking.

Remember: DNSSEC is not about the availability part of security, it’s only about the integrity. Censorship does not really need to attack the integrity, it’s all about availability.

Categories
Life

Diversions at work

Our office is at a busy intersection and sometimes this provides interesting views:

bim vs rettung

Categories
Tracks

Tracks

track 2009-06-11a

This time I tried something new: the goal was to build a track where the electric locomotive would pass over all pieces when set on the track. That goal is simple to reach by building a simple loop or anything else topologically isomorphic to a circle. Getting the same result with a lot of switches and having the train run back over the same piece is a lot trickier. The only assumption you need to make is that the train will take the straight rail when encountering a switch.

track 2009-06-11b

The second picture is right before godzilla got her fingers on the track.

Categories
Tracks

Tracks

Hannes and Evelyn are back in Vienna. We built this one together:

track 209-06-09

Categories
Tracks

A new feature for this blog

Kevin Drum does “Friday cat-blogging”, John Cole has also pictures of pets between serious posts, so I thought I do something similar.

So, from now on this blog will feature wooden train tracks.

Clemens Track

They are actually toys for the kids. When we first got them, Clemens didn’t quite know what to do with them, but now he finally starts to build his own tracks and trains to push along.

And then there is the menace of land of trains: Godzilla, the destroyer of tracks:

Elena engine

Anyway, as with a good number of stuff kids get from their parents, it’s not all selfless giving. (Andrea is looking forward to buy Clemens a Carrerabahn, as she always wanted to have one as a kid.) Sometimes it’s nice to have an excuse for playing with children’s toys again.

So I’ve taken up building fancy sets of tracks with Clemens’ wooden tracks.

I’ve started to photograph my creations some time ago and will now upload them. I’ll date the blog posts accordingly, so some of the entries will appear in the past. Use this link to see them all.

Categories
Internet Pet Peeves

Bad timing, Last.fm

Date: Wed, 20 May 2009 14:05:42 +0000
To: @bofh.priv.at
From: “Last.fm”
Subject: Your free trial to Last.fm Radio is over. Did you enjoy it?

Hi XYZ,

Your free trial to Last.fm Radio is about to end. If you’re enjoying it, why not
subscribe for only €3.00/month and continue listening to non-stop personalised
radio.

http://www.last.fm/subscribe

Best Regards,
The Last.fm Team

and

Deny This, Last.fm
by Michael Arrington on May 22, 2009

A couple of months ago Erick Schonfeld wrote a post titled “Did Last.fm Just Hand Over User Listening Data To the RIAA?” based on a source that has proved to be very reliable in the past. All hell broke loose shortly thereafter.

I was inclined to pay them the 3€, partly because I’ve listened a lot to a stream from them, but after this breach of their privacy agreement?

Sorry, no deal guys.

[Update: yes, I know that LastFM is disputing this story.]

Categories
Life

And then the first year was over …

It’s strange: this happened just a year ago, but sometimes it feels like it was ages ago. Maybe it just depends on the perspective: For Elena, this year made quite a difference: from 9 months to 21 months of existance, or from zero to one years of life. For me it was just the step from 38 to 39 years. No big deal.

Elena's first birthday

Categories
CERT

Otmar @ DNS-OARC in Amsterdam

I almost forgot: one of the reasons I was in Amsterdam was the DNS-OARC Workshop. I gave two presentations there:

An update on the post-Kaminsky patch statistics concerning the Austrian recursors.

Stephane asked me to be on a panel regarding what Registries should do about Conficker (and similar threats). I presented our point of view with these slides.