Re: [dns-operations] Route 53 Unexpected geo location behavior

2023-06-12 Thread Dave Lawrence
Dan McCombs via dns-operations writes:
> Ah, yes, so in this case the addresses given back when no edns
> subnet is provided are the addresses of servers in eu-west, whereas
> with the resolver's own IP (or /24 subnet, or the subnet of clients
> querying it) as the edns subnet gets more expected us-west responses
> since this resolver and clients are in San Francisco.

Yes, and this is the case for several other implementations.  I can't
say that it's true of *all* ECS implementations, but I personally know
of two others besides AWS that make this distinction.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
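The three query shapes compared in this thread (no ECS option at all, the resolver's own address as the client subnet, and a /24 of it) are easiest to reason about on the wire. The following is an added example, not code from any message above or from AWS or DigitalOcean: it builds and parses the RFC 7871 Client Subnet option and the RFC 6891 OPT pseudo-RR that carries it, and rejects the malformed encodings the RFC says should be treated as FORMERR. The addresses (192.0.2.53 as the resolver, 198.51.100.0/24 as a client subnet, 2001:db8::/56) are constructed from the documentation ranges; no real resolver or zone is involved.

```python
"""Build and parse the EDNS Client Subnet (ECS) option of RFC 7871.

Added example, not code from the thread.  Addresses are constructed from
the RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8     # EDNS0 OPTION-CODE for Client Subnet (RFC 7871 section 6)
OPT_RRTYPE = 41         # OPT pseudo-RR type (RFC 6891)


def build_ecs_option(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Return the wire form of one ECS option (OPTION-CODE, OPTION-LENGTH, body).

    Body: FAMILY (1 = IPv4, 2 = IPv6), SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH,
    then the address truncated to ceil(source/8) bytes with the bits beyond the
    source prefix zeroed, as RFC 7871 section 6 requires.  A query carries
    scope 0; the authoritative server fills in scope in its reply.
    """
    ip = ipaddress.ip_address(address)
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("source prefix length out of range for address family")
    family = 1 if ip.version == 4 else 2
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    addr = int(network.network_address).to_bytes(ip.max_prefixlen // 8, "big")[:nbytes]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes) -> dict:
    """Decode one ECS option; malformed encodings raise ValueError.

    RFC 7871 (sections 6 and 7.1.2): an address longer than the prefix implies,
    or with non-zero bits past the prefix, should be answered with FORMERR.
    """
    if len(data) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = data[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("option length does not match payload")
    family, source, scope = struct.unpack("!HBB", body[:4])
    addr = body[4:]
    full_len = {1: 4, 2: 16}.get(family)
    if full_len is None:
        raise ValueError(f"unknown address family {family}")
    if source > full_len * 8 or len(addr) != (source + 7) // 8:
        raise ValueError("address length inconsistent with source prefix")
    ip = ipaddress.ip_address(addr + b"\x00" * (full_len - len(addr)))
    network = ipaddress.ip_network(f"{ip}/{source}", strict=False)
    if network.network_address != ip:
        raise ValueError("non-zero bits beyond source prefix length")
    return {"family": family, "source_prefix": source, "scope_prefix": scope,
            "subnet": f"{network.network_address}/{source}"}


def build_opt_rr(options: bytes = b"", udp_size: int = 1232) -> bytes:
    """Wrap zero or more EDNS options in an OPT pseudo-RR (RFC 6891 section 6.1.2).

    Root owner name, TYPE=41, CLASS=requested UDP payload size, the TTL field
    holding extended RCODE | EDNS version | flags (all zero here), RDLENGTH, RDATA.
    """
    return b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, udp_size, 0, len(options)) + options


def query_variants(resolver_ip: str, client_subnet: str) -> dict:
    """The query shapes discussed in the thread, each as a complete OPT RR.

    no_ecs      - no ECS option; the authority can only geolocate the source IP
    opt_out     - ECS with SOURCE PREFIX-LENGTH 0, which RFC 7871 section 7.1.2
                  defines as "do not use client subnet"; not the same as no_ecs
    resolver_ip - the resolver's own address as a full-length prefix
    client_net  - the querying client's subnet at the prefix the resolver discloses
    """
    net = ipaddress.ip_network(client_subnet, strict=False)
    full = ipaddress.ip_address(resolver_ip).max_prefixlen
    return {
        "no_ecs": build_opt_rr(),
        "opt_out": build_opt_rr(build_ecs_option("0.0.0.0", 0)),
        "resolver_ip": build_opt_rr(build_ecs_option(resolver_ip, full)),
        "client_net": build_opt_rr(build_ecs_option(str(net.network_address), net.prefixlen)),
    }


if __name__ == "__main__":
    # Constructed addresses: resolver 192.0.2.53, one of its clients in 198.51.100.0/24
    for label, rr in query_variants("192.0.2.53", "198.51.100.77/24").items():
        print(f"{label:12s} {rr.hex()}")
    print(parse_ecs_option(build_ecs_option("2001:db8::1", 56)))
```

The point the thread turns on is visible in `query_variants`: a query with no option, one with a zero-length ECS opt-out, and one carrying the resolver's own /32 or /24 are three different requests, and an authoritative server is free to tailor answers differently for each. With dig the equivalents are plain `dig`, `dig +subnet=0` (zero-length source prefix) and `dig +subnet=192.0.2.53/24`.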


Re: [dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread Geoff Huston


> On 12 Jun 2023, at 10:49 pm, Stephane Bortzmeyer  wrote:
> 
> Hello,
> 
> I'm looking for the current percentage of encrypted DNS requests
> vs. in-the-clear ones on public resolvers having DoT/DoH/DoQ. I do not
> find public information about it. May be I searched too fast?
> 
> If you work for a public DNS resolver, is there data you can share? If
> you can/want/prefer to reply privately and ask me not to mention the
> name of the resolver, that's OK, too.
> 

https://stats.labs.apnic.net/edns 

This report is based on data from Cloudflare’s recursive resolver service. For
various reasons I believe that this data is not reflective of the larger DNS
resolution environment. 

regards,

 Geoff




Re: [dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread Richard T.A. Neal
Hi Stephane,

There's also an outstanding feature request to add this to BIND's logs so that 
BIND administrators can more easily capture and report on this information. The 
Gitlab ticket is here but it's been a while since I've pestered the good folks 
at ISC about it!

https://gitlab.isc.org/isc-projects/bind9/-/issues/2748

Best,

Richard.

-Original Message-
From: dns-operations  On Behalf Of 
Stephane Bortzmeyer
Sent: Monday, June 12, 2023 1:49 PM
To: dns-operations@lists.dns-oarc.net
Subject: [dns-operations] Percentage of DoT/DoH requests for public resolvers?

Hello,

I'm looking for the current percentage of encrypted DNS requests vs. 
in-the-clear ones on public resolvers having DoT/DoH/DoQ. I do not find public 
information about it. May be I searched too fast?

If you work for a public DNS resolver, is there data you can share? If you 
can/want/prefer to reply privately and ask me not to mention the name of the 
resolver, that's OK, too.




Re: [dns-operations] (no subject)

2023-06-12 Thread Richard T.A. Neal
Hi Daniel,

I also wrote a Beginner’s Guide for DNSSEC using BIND9 here:
https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/

I hope that helps,

Richard.

From: dns-operations  On Behalf Of daniel 
majela
Sent: Monday, June 12, 2023 2:37 PM
To: dns-operations@lists.dns-oarc.net
Subject: [dns-operations] (no subject)

  Hello...
My name is Daniel Majela and if possible I would like some help to implement 
DNSSEC on my servers.

Today I have 3 recursive and authoritative servers.
My external authoritative zones are copied to 2 DNS servers that are in the DMZ.

My first question is if there is a step by step way to implement DNSSEC using 
bind9 9.16.23-RH?

What is the best algorithm for ksk and zsk?

Is there, after generating the ksk and zsk keys, automatic rollover of keys and 
automatic signature of zones from the point of view that technical interaction 
is no longer necessary for this?

An example:
Zone example.com.br signed!
Zonaone.example.com.br (to sign this zone) I 
need to copy something inside the zone because it is a daughter of the 
example.com.br zone.

Thanks.


--
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774

(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909


Re: [dns-operations] Route 53 Unexpected geo location behavior

2023-06-12 Thread Dan McCombs via dns-operations
>
>  If there is a performance issue with one set of records versus another
> (you don't
> really say why the differing responses matter in your email), you might
> try contacting the nameserver operator directly to discuss the issue.
>

Ah, yes, so in this case the addresses given back when no edns subnet is
provided are the addresses of servers in eu-west, whereas with the
resolver's own IP (or /24 subnet, or the subnet of clients querying it) as
the edns subnet gets more expected us-west responses since this resolver
and clients are in San Francisco.

When contacting Atlassian, they seemed to shrug it off as Route 53 behavior
rather than something they control, so I'm curious if any Route 53
folks are here and could say whether this is expected behavior or not, or
if this could be something with Atlassian's DNS configuration in their
Route 53 service.

Thanks,

-Dan



Dan McCombs
Senior Engineer I - DNS
dmcco...@digitalocean.com


On Sat, Jun 10, 2023 at 3:59 PM Robert Edmonds  wrote:

> Dan McCombs via dns-operations wrote:
> > Hi everyone,
> >
> > We've stumbled upon what seems like unexpected behavior with Route 53
> returning
> > answers based on IP geo location to our resolvers.
> >
> > According to their documentation:
> >
> > When a browser or other viewer uses a DNS resolver that does not
> support
> > edns-client-subnet, Route 53 uses the source IP address of the DNS
> resolver
> > to approximate the location of the user and responds to geolocation
> queries
> > with the DNS record for the resolver's location.
>
> Here is the page that text is from, and the description of the other
> case (when a resolver does send an EDNS Client Subnet payload):
>
>
> https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-edns0.html
>
> When a browser or other viewer uses a DNS resolver that does not
> support edns-client-subnet, Route 53 uses the source IP address of
> the DNS resolver to approximate the location of the user and
> responds to geolocation queries with the DNS record for the
> resolver's location.
>
> When a browser or other viewer uses a DNS resolver that does support
> edns-client-subnet, the DNS resolver sends Route 53 a truncated
> version of the user's IP address. Route 53 determines the location
> of the user based on the truncated IP address rather than the source
> IP address of the DNS resolver; this typically provides a more
> accurate estimate of the user's location. Route 53 then responds to
> geolocation queries with the DNS record for the user's location.
>
> That text seems to be entirely consistent with nameserver behavior that
> sends different records to a resolver when it supplies its own IP
> address (or its own subnet) via the ECS option versus when it does not,
> because the resolver is asking for two different things. In the former
> case, the resolver is asking for responses tailored to a precise IP (or
> a precise subnet). In the latter case, the resolver is asking for
> responses on behalf of the whole client population that utilizes the
> resolver. These are not necessarily the same.
>
> > If it were using the resolver's source IP address to determine
> geolocation when
> > no edns-client-subnet is sent, I would expect the same answers as when
> sending
> > that address as the edns-client-subnet. What's going on here?
>
> I don't see anything in these DNS responses that is inconsistent with
> their documentation, or with the ECS specification. If there is a
> performance issue with one set of records versus another (you don't
> really say why the differing responses matter in your email), you might
> try contacting the nameserver operator directly to discuss the issue.
>
> > Our resolvers are co-located with our user's instances in the same
> datacenters,
> > so we don't configure our resolvers to send edns-client-subnet since
> they're
> > not geographically different (and in fact in the same IP blocks). This
> is the
> > first time we've had a user contact us about this, so I'm not sure if
> something
> > changed with Route 53 recently, if this is being caused by configuration
> > specific to the atlassian.net zone, or if somehow we just haven't had
> users
> > notice that they were being affected by this for years.
>
> There are many ways for operators of ECS-enabled nameservers to decide
> how to tailor DNS responses when receiving an ECS-enabled query.
> Geolocation, network topology, and actual performance may all be
> relevant. Even if your resolver instances are receiving queries from
> customer instances located in the same physical data center, those
> customer instances may themselves be forwarding traffic from eyeballs
> located further away (e.g.: https://www.digitalocean.com/solutions/vpn).
> A data-driven approach on the part of the nameserver operator could
> plausibly choose to send different kinds of responses to resolvers that
> are serving 

Re: [dns-operations] DNSSEC parameter BCP

2023-06-12 Thread Viktor Dukhovni
On Mon, Jun 12, 2023 at 10:41:12AM -0400, Viktor Dukhovni wrote:

> On Mon, Jun 12, 2023 at 10:37:22AM -0300, daniel majela wrote:
> 
> > What is the best algorithm for ksk and zsk?
> 
> The BCP algorithm is ECDSAP256SHA256(13).  This is both more secure and
> more compact than RSA.  It is in wide use:
> 
> https://stats.dnssec-tools.org/
> https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
> 
> Today, out of 22,010,850 known signed zones, the number with algorithm
> 14 KSKs is 9,982,219 or just over 45%.
> 
> If you choose NSEC3, set the additional iteration count to 0, and avoid
> opt-out unless you're operating a particularly large (10M+ delegations)
> zone that is thinly signed.  An empty salt is also sensible.

I was reminded off-list that I neglected to recommend NSEC as the BCP
default choice for end-user zones.  Much simpler than NSEC3, and again
smaller response sizes.

In addition, best to optimise for "agility": keep your TTLs reasonably
short, rarely more than one hour, and ideally shorter.  That way, if
anything does go wrong, you should be able to recover faster.

You don't currently get to choose (through your registrar) the TTL of
the DS RRs in the parent zone, perhaps some day...  In the mean time,
many registries now default DS TTLs to 1 hour or less.  Some still have
DS TTLs as high as one day.

-- 
Viktor.


Re: [dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread Andrey Meshkov via dns-operations
A lot depends on the resolver as well.

In our case the statistics are skewed towards DNS-over-TLS, and the reason is
that there are a lot of people who configure their Android devices to use
AdGuard DNS. If we remove Android devices from the equation, about 30-40% of
DNS requests are from DoH (mostly), DoQ and DNSCrypt.

--
Regards,
Andrey Meshkov

CTO and Co-Founder at AdGuard 
a...@adguard.com


On Mon, Jun 12, 2023 at 5:19 PM  wrote:

>
>
> Hi,
>
> >I'm looking for the current percentage of encrypted DNS requests
> >vs. in-the-clear ones on public resolvers having DoT/DoH/DoQ.
>
> I suspect a lot will depend on whether the DoX resolver is used or
> suggested in popular devices or operating systems or browsers.
>
> Winfried


Re: [dns-operations] (no subject)

2023-06-12 Thread Viktor Dukhovni
On Mon, Jun 12, 2023 at 10:37:22AM -0300, daniel majela wrote:

> What is the best algorithm for ksk and zsk?

The BCP algorithm is ECDSAP256SHA256(13).  This is both more secure and
more compact than RSA.  It is in wide use:

https://stats.dnssec-tools.org/
https://stats.dnssec-tools.org/#/?dnssec_param_tab=0

Today, out of 22,010,850 known signed zones, the number with algorithm
14 KSKs is 9,982,219 or just over 45%.

If you choose NSEC3, set the additional iteration count to 0, and avoid
opt-out unless you're operating a particularly large (10M+ delegations)
zone that is thinly signed.  An empty salt is also sensible.

> Is there, after generating the ksk and zsk keys, automatic rollover of keys
> and automatic signature of zones from the point of view that technical
> interaction is no longer necessary for this?

BIND supports automatic zone resigning and also automatic ZSK rollovers.
IIRC BIND also supports KSK rollovers, with prior KSK deactivation
gated on the publication of matching parent DS records for the new KSKs.

Don't choose automatic transition based on just a timer; if the parent
DS is not ready, stick with the old KSK indefinitely!

> An example:
> Zone example.com.br signed!
> Zonaone.example.com.br ( to sign this zone ) I need to copy something
> inside the zone because it is a daughter of the example.com.br zone.

I haven't looked into whether BIND automatically does the right thing
vis. DS records when it serves both sides of a zone cut.  Best to check
the documentation, but it would seem like something that *should be* taken
care of in a sufficiently recent release.

-- 
Viktor.
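The thing that has to be "copied" across a zone cut is the DS record: a digest of the child's KSK that the parent publishes so validators can walk from example.com.br down to Zonaone.example.com.br. The following is an added example, not code from the thread, from BIND or from ISC: it computes the RFC 4034 key tag and a digest-type-2 DS from a DNSKEY, and picks out which of a zone's keys get a DS at all (only those with the SEP/KSK bit; a ZSK never does). It assumes Zonaone.example.com.br is signed separately with its own KSK, and the key material is a constructed 64-byte placeholder, not a real P-256 point, so the resulting digest is illustrative only.

```python
"""Derive the DS record a child zone hands to its parent from a DNSKEY.

Added example, not code from the thread.  EXAMPLE_KSK_B64 is a constructed
placeholder, not a real public key.
"""
import base64
import hashlib
import struct

ALG_ECDSAP256SHA256 = 13      # the algorithm recommended in the thread
DIGEST_SHA256 = 2             # DS digest type 2 (RFC 4509)
FLAG_ZONE_KEY = 0x0100        # RFC 4034 section 2.1.1
FLAG_SEP = 0x0001             # Secure Entry Point: the bit that marks a KSK

# Constructed placeholder: 64 bytes of 0x01, base64-encoded.  A real
# algorithm 13 key is also exactly 64 bytes (X || Y of the P-256 point).
EXAMPLE_KSK_B64 = "AQEB" * 21 + "AQ=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = name.rstrip(".").lower()
    out = b""
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1, always 3), algorithm (1), key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum of the RDATA plus carry."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key_b64: str, digest_type: int = DIGEST_SHA256) -> str:
    """Presentation-format DS for one DNSKEY: owner IN DS tag alg dtype digest.

    The digest covers the canonical owner name followed by the DNSKEY RDATA
    (RFC 4034 section 5.1.4), so the same key under a different owner name
    yields a different DS.
    """
    if digest_type != DIGEST_SHA256:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_set_for_parent(child_zone: str, dnskeys: list) -> tuple:
    """DS records the parent needs: one per key carrying the SEP (KSK) bit.

    dnskeys is a list of (flags, protocol, algorithm, key_b64).  ZSKs (flags
    256) get no DS, keys without the zone-key bit are ignored, and a KSK whose
    algorithm is not 13 is reported in the returned warnings so an operator
    notices before publishing.
    """
    records, warnings = [], []
    for flags, protocol, algorithm, key_b64 in dnskeys:
        if not flags & FLAG_ZONE_KEY or not flags & FLAG_SEP:
            continue
        if algorithm != ALG_ECDSAP256SHA256:
            warnings.append(f"KSK uses algorithm {algorithm}, not 13")
        records.append(ds_record(child_zone, flags, protocol, algorithm, key_b64))
    return records, warnings


if __name__ == "__main__":
    # Constructed key set for the child zone: one ZSK (256) and one KSK (257)
    keys = [(256, 3, 13, EXAMPLE_KSK_B64), (257, 3, 13, EXAMPLE_KSK_B64)]
    records, warnings = ds_set_for_parent("Zonaone.example.com.br.", keys)
    for rr in records:
        print(rr)          # this is what goes into the example.com.br zone
    for w in warnings:
        print("warning:", w)
```

Note that `ds_record` lowercases the owner name before hashing; a DS computed over a mixed-case name that was not canonicalised will not match what validators compute, which is one of the quieter ways a delegation ends up bogus.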


Re: [dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread abang



Hi,

>I'm looking for the current percentage of encrypted DNS requests
>vs. in-the-clear ones on public resolvers having DoT/DoH/DoQ.

I suspect a lot will depend on whether the DoX resolver is used or suggested in 
popular devices or operating systems or browsers.

Winfried



Re: [dns-operations] DNSSEC in BIND

2023-06-12 Thread Petr Špaček

Hello,

detailed documentation for DNSSEC in BIND is here:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html

If anything is unclear please post questions to BIND mailing list:
https://lists.isc.org/mailman/listinfo/bind-users

HTH.
Petr Špaček
Internet Systems Consortium

On 12. 06. 23 15:37, daniel majela wrote:

   Hello...
My name is Daniel Majela and if possible I would like some help to 
implement DNSSEC on my servers.


Today I have 3 recursive and authoritative servers.
My external authoritative zones are copied to 2 DNS servers that are in 
the DMZ.


My first question is if there is a step by step way to implement DNSSEC 
using bind9 9.16.23-RH?





[dns-operations] (no subject)

2023-06-12 Thread daniel majela
  Hello...
My name is Daniel Majela and if possible I would like some help to
implement DNSSEC on my servers.

Today I have 3 recursive and authoritative servers.
My external authoritative zones are copied to 2 DNS servers that are in the
DMZ.

My first question is if there is a step by step way to implement DNSSEC
using bind9 9.16.23-RH?

What is the best algorithm for ksk and zsk?

Is there, after generating the ksk and zsk keys, automatic rollover of keys
and automatic signature of zones from the point of view that technical
interaction is no longer necessary for this?

An example:
Zone example.com.br signed!
Zonaone.example.com.br (to sign this zone) I need to copy something
inside the zone because it is a daughter of the example.com.br zone.

Thanks.


-- 
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774

(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909


Re: [dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread Bill Woodcock
> On Jun 12, 2023, at 2:49 PM, Stephane Bortzmeyer  wrote:
> I'm looking for the current percentage of encrypted DNS requests
> vs. in-the-clear ones on public resolvers having DoT/DoH/DoQ.

I expect it will be different for each resolver, since they all have fairly 
distinct user communities, with different priorities.  John can give you a more 
specific answer on behalf of Quad9 once he’s awake out there on the Pacific 
coast.

-Bill


Re: [dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread Peter Thomassen

Hi Stephane,

On 6/12/23 08:49, Stephane Bortzmeyer wrote:

I'm looking for the current percentage of encrypted DNS requests
vs. in-the-clear ones on public resolvers having DoT/DoH/DoQ. I do not
find public information about it. May be I searched too fast?


Geoff gave an IEPG presentation in November which has some numbers on 
Cloudflare's 1.1.1.1 Do* breakdown, see slides 7 and 8 here: 
https://iepg.org/2022-11-06-ietf115/slides-115-iepg-sessa-doh-vs-dot-geoff-huston-joao-damas-00.pdf

Best,
Peter

--
https://desec.io/


[dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread Stephane Bortzmeyer
Hello,

I'm looking for the current percentage of encrypted DNS requests
vs. in-the-clear ones on public resolvers having DoT/DoH/DoQ. I do not
find public information about it. May be I searched too fast?

If you work for a public DNS resolver, is there data you can share? If
you can/want/prefer to reply privately and ask me not to mention the
name of the resolver, that's OK, too.

