ࡱ> yz{|n ۥհQʂgbPNG  IHDR0K#`PLTE[rPoc\ZhXiE"Ǹq:FK{,ɷ,;Bv{.?A>hy@>E~ꨖS(\ &$2^bKGDH cmPPJCmp0712HsFIDATx^ wm@}ͷI{X;T*m!=hv62/OXpr;ްp[ r+'o xha~G~׼H~K`W+c ]X/j(VQ "1|g0݌lڡpWy5;"J^~ aW1,yTWu`]'[DAl w|/U1qǦzGpxcˌI`1&=s^/\00Jv=&L NW"8F7%|XYX`, ^`a%ԕEzR815ު6#9} 9:+LAsaao,G>x#A_ ̊%#kSfnar{|N:* X|-A@A +js lW/x:Aϰa.m, >,x>f۾Ts ~0zeǦqM#:85 D[hN Wۣ4b+=15SѢ55lͬKPZ?FVkr@ɛ'ZqE=y۾c1vg:uIDAT/s Ϙ,27Vmh6FvL޹b12?A`*2mɅ@&p_amO,ln`mX([R V`W~)FvԊ4*BcӖf)6 ޱ$X%@^ ܈/ ϢɭFw gswrxtz&U ]&HZ:)vS/^9~t;}ejH7sڝNQؔ03`Vn2Uw-f. J1ܙB\kG-Yӈbم5azV jvĞ;g&D`g<^N,YqD5T%ͭur_s*u$ܺI%(cctb90Оk0&?G+G:?ڙQYH}fYە$)2 ()]+$^uxugݹZg4G {(*Qb}݉ /E׉;3:_<`f>̗)Ӈ˻u7}؀--w< [| glGK jXh`3u% SX'm;*j{#UX0'eVU`j2URXfau"s`n&BJm}Wh+.%VZ]zr bG#ŝskÎ'6/ `y1D_ CYUyr" > }U\HFMIDATh?U/ >TP&BL#?\pA5u,}~E4\ zF.W:/tòB,АԊ@@D?a[y͇y=nff 'MaE{lFiaY a<٤>,%ե+5ZrvXhu ԕզ$e` vs֧ C׿(Rx~%;󞶶V%w{@]YwP2 V$Z{Ğ 6N`N2̚1䥝X[q-~UƖCeR%oݲ0xF; ̺A6-w&bL,,&8L4$5Z$TtqeGt@aB<`U[`kI,&W4,edWzɌ"Yҥ1'`k~WpBa!lULL.ߢٔx,p)diBN!YqbIL$ԉ‰-pd]?ZWщiF޹yA}RLP '6 Rεݽ!YLzn.$`< 7(GpLp sÇLr!`,`πI%U|H.drY5;=yP$={)ǢS07fDʣu1= XQ(nN<T)N{K; (Ƣ[o@x*},)FNAwc8H͖ngXNuE;R7%/'XK$/iMR2uY2lvRt Ti-FcKɟ#2bY=Yj+Z ǖr3ZwP52stxڳY",6*y,"&R-=AoW^,3`c~JA<7bY-|.+-p cc9!thnjFMFqorNlU:Gs`M9:0J؂Y1ZjH}d_x~l{`p13w𚧝׉Y<_aAn>x4_0.ac7Yui\g6ݱwڌ8x]oM KRb2j4?4Ez'Adnce`xk$[m_t**$OЬ?i1`)4j1lѵ>}춫"aynG?կebg=Xv;+qI^/"7C"Uo^+<WyU9ld^Kk G%A /q~A5e˜$Xl`^@L鶉=Y(UJ8[hja43;ݎL04|MmU.N-,S\):=ؚm9 ׼j_/{fgZ*NOƶ4 ~5`PVBHᒵ%[²$U#h(l[ 2yf5VtJD<"0;3q}2,<=燢?abdagMwXF}l"la== (fmPvta* 9}줤^ ʷ壶\&CE> %i 7р1KůHįGIFp?}SkW:۪^o`Iρm1O;˟*Qօ `) "Bt7^Go0Y۷9j L:'o{Sog-m`JaG`MqΘ=T27*AO/ =c?w Ξ>iV_KNA}`͖_X K&miI% 80tOKfҵ%x}]QwH~q?@ `xK `cE`DF~ i&F`Ӊifa&l\р9h+1``'zPF:ƅy߳$-_ZX=`a>Z NP w@i0BP/Far0rU$ O*cDȆǗց]PPr[o ԑD7$#`5x.X;7v&`xr٩-pDu11pE0j02i?[W0BGE?`3Cc fhfV?}uZ2e&AX2C2&7"{Q G3?"fQFG`J41=O95܁yc:V(e*+t8C 4yd;k&iKKi=0@ l6'̦t ưҾ¸xʮFoёv$C9e;L fSq-/X> \Lpܮ, e[& b|DM[wBTV#/@T.- g G)e55+ (jЬYvH(߿#rM`[E,|cWOߋ6J+Ίdw]BY"mVEYkD`I &8ZVaZJ`Hxa a(/:.X wi7qs-5Sj8g:,rj,%0`]D6ꆅM}*J{90k4GjL^Y H(3v4;>i_m#;L SaJWcC,%&+"Yd!; W;>0 `(E\k x͢WKў)0T# ߉3}cjG&8Qԇ5S,Is DDŽEIDAT  椵$=kdIFjf Σf_|X[Q 6<7wM`kp [!1N jlpc:_yϔ/g`#;WH(?/ܻmu2 `6;Zu|iaP- (%=hiuܦ)b |ҿr8Ѯh&la-H7j;;E5e%^H6tHw`E1 G^ `|hPb)> c**;Teg O G^{U`azq@.Ubv#*`mf=nG8a`jse 3!";=U }bax08u2Z͚$W+=^$m3ܰ0e`䐈RXbYk/5?4J&64;j69Рqٞ77e1X5r%f'`Dl4w+q",HI)g֞)6\H6{T{WXݒ7?p'"jﵘ?rM G6eD`ˑÏ5%ρ)mGT'0U<}= ;MbU,;OZ$AgGHSUڔX#wR4ߴ|ʂh{ x/%.WR7\wfP4<?lNTRi#Iaߐs/ i ,;-$蓘b&k$Sb+>, {{ƫf΃ئiT)(P(%P< L#JӲ_XOC{y@$\h)ǔ:|%8F S}% ӂxa)Yؒ!ϵ| 8 0J lAI2w`_ϯ7@brYN}&MH98l'aJ޳􃧫e Z 4yii:E`s-__:/P?AB|@ˀ%+3-2%,'XX Fů|Ї} spIo[XE˿v0=K'-")t} $sr|>5'6+ﴓx7qo`InIe6X[o\ @|d)UN4׳U Þ ,{ T]չS'^)?ࢽ]6& 9IDATxRgQ@(޿*kb>"mѫ{W¡\>ɏI 2'</CUO~M9lr\Ϧ ^dr- D`g_3yTXL%,OOȷ?o a^bGLeo%TXxbE G:uvJg&d)frb.n( (S=bfމVt.},hZ9%YY^lW^4E/MrߟL_ Fh|L>M73JjoE˙YIhbyn&a)o;Փ CXZq%a%hfc {ǟh`0oȀFaKhu*g&RWLu5%_ED4 V{mF]" /68X;'*ES{N Jﺕ[7˘ @U:YXd?'IE!MPM .Dbh%!~M!o|ff['gcs▌  `<(| 8g?)M h;v )KsB$}F"$JƦMMQ% DXL+7\J#ӣs+=&Ot`M0(J¦T,J|Kċ,qUPjmFc_V%opidOnO0༈!aRLTϊ\nwq-OPʋ٦थp&-``!#d{=c"Ls,K_Il|>='Փ4n3 TVG8ZclGqSe/ѦEΝB~X`$ܱz{cSCxjp"bNM>fD1]!}5tz۸BsO?8EgP6a5}n)j*/FND^\@lU|Er.\]ix^,~t$&n!,hndy)ByTPm;ovs crE25-:a>U t2@!Yp}}IGJyψ[7 wɯW劽决z=.M^O+! )H"T.HТ ! X\}5 O']rY*A" Lb+oW$z$Jp*GV'k-rEz##+m^ڦCBbF,Je%#iYҁ{O3bG=Slh5:lat@ ;crZ]d;o⽧P/&|!Mr/cq11bI("h ƞQ`Qy\w~N@<:2D-5yyWBhFa2H$ZnYGmQ[/W0a',J6 ? HIkƗZ+k4mP0jB{nQ~qcՄ ̇_SAFl!XHÁ/ u]N` xf3E #څ=&'fO7/DC M>L!Ycfe8-si4:..կc\GS} o1)o _zJs++rUm$]J-2l]ΟImɆ~q_u^{ryXA3 AHe4YywmӅ.[_nNAvna946RY19$7NPO6t< >O?Ai Ji-E.?PwA wdRXY#zT`hLo61s|tN|;l"XZAS?OMN) +c؜8Kvʧ~|B,U,zL91700'/M7!oHߏ 8VY|~Z-V\\ꓽ}K]fljn튋lٲ]}gu'?;7=MA}DMag|&ևfŮg7YG<ZmG tO8c#''N=zoã#2}N bR:Z^\v@W g]k/ vuO8zȉcccpc'z xL( Q6ӈ 3'><=wdvv#&gfDQAL ɩ### /^l'Ql yu 0^co) mk?Fu1ODv'E> $ѽ"^uҋ?GўѾF{@_E?k߬#}Q7AIENDB`n2[3#2hJtwqӻ0UY55*Y=UQ;.nXah1u~Sz\l.>MA+mW*߀0hإL=0)rS}XKu KWiqэiDj65GD8zh9m?֏mw0H(<;f rzlnzW ̀C} [/h-0B>h 1}`)\v2[9$G,9= _'}qIyInzɾ_Lgz_^F']Hl9MX R_l>"z#VҘ`iN{{UA眾DݪϊQ%U(Hש0Lx\Vݹ\ k69b4PqlvHN*:;=(&' < V` ծ |1AZ[="H۸TbJBR#^Q6š%dC2vJ H A4TH .n2hϻyth=p޹s=wϽ*">_&rO~D`g*" bEؤ <'$Ÿk猛;#.J՜ ɨX N}eFq9~C -m˵=:1C) hZr-{ǜ46q *Zba"KX.V +Xekaul,d[q3e6-<,resk<*Wxep4cFqj-y4 M\SV S-zLuL<Y t'QP Eshb, Ɨ )i. y9"gQUYSVyL ?=11>5c?<7LOx ^[vT |/t_CEC'P5V6‡hsIT1`\X x픱/sQƟDѦuY DD,KCEIb0Y,"a 1DB.F4nDΛ >ss{sysTjq+(}3Gws X-HwcE+h$:1. 9Ѩ ?cZ9}kzs7mq# C<$OQ9Vxgk}j>=3]vpYn2 ΐk5w!Y Ee]3ުt_Kٻw''wF%i|_Ew^DÒ,*ނ+ToVy?#3%]%XoRը)鰷5asw!p>@R3T7j(N9T:tgÄ 5%fC>kLEsYY7Qj&ó=R&o30ȭ/Y0ՏɘuC5Cgz0Mڝ_0UFN2n`L嚏{JFIF,,C    $.' ",#(7),01444'9=82<.342C  2!!22222222222222222222222222222222222222222222222222,e" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (8>9Ox\K \]*o qCy?hc:f[!v;p䜌ko IaC+h^N`r8 W;O/hBώү? ( ( ( ( ( ( ( ΀>o%m}4g/?cx/'kz(` N=/ghб5I(f p $.W]iz-|[^,6u{(>[o;#K9|~;a#sD5s| H4f9Ի0-Gᯍ4̗~6~hR}Im[`y~%\GZ>]j;TOk④NX`)2AF|Ayg^>@enN1?}Ec:'lբ0ǏTٔ򿈭((((()K4jYَ&YLJu=-d[p.s>8?2:Ө9-Y7تx0@m2͐Wo XQvFoaO(8]B7>ⷁe'ol?w$mh?L~fFt O7i)?ƾ'>??<A G3i.DguDR@&>o^V sF$qg9vWz/ m72+bebEW||=O(ҴMYt߁ c]|?;WաлYىFP澈((4$8HR@$ꖱfe*qm$J[, tįB[u?U~0t#q*Ȩ5g7?i5΍fsh+x 7x ϗo`qvbA>=(}P[Xs`=WC_ [u5}2]FpI*wFھw~WN|g?@f32`#Ӆu',oӤR|OE}'Ŀō(8oPI[cwlYj֟_"N;xF "3[LT5Y9|>W֤q峛϶|vf33 O=uRuC]ǕҀ>+x dT!? |?/KwVq[ZTQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEV_<9CX;8] pRp?ԯ!$ݬX(12tY>=(((((((KG"+ 2#Њk㗀+zT ?Q Pabq= {=yk|> E 'Q@}UW:tW" \dr\z}BM1$p"( Z((((((˾%|Ӽ_ږYkݸ Gko:I'),R ?zڼ89'Rԙ-d]g 2C$MrPFtַ Xu؃_ |-q=g˸/.t0Jb1ŝ嶡g =9clA 袊((((+|_d)˔ IV{(|um"$ c=;#ɨx& iydsc*Ba om'h s(1ĸG r+]úO4(m 3V=XOٿCX4 W\u2'R{}QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQE+⿉>%ǺmrM Yw+쇿_ZJ(eu 2A"z'T@`qBi27=b{wдQEQEQEQEQExK-p 5yT@mB/?MCאE|@bKZ(Xf>ݏ ~W3/'džgM@tQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEUԯҴFHފ#Ŀ)!|çEP|~ 5~O$&:#DU~W_x횽 P!_l0izmla}@9D"MTa s>kQU.ouC" _ kZT}\ZNӌ_ƀ(TD֬KRD2Tj[]jۭY>y__KҥڠLO_@+(((((((((iox|_EwAZҀ ~X?묟)놮>Ƣ(((4 X!u ץכvu_'s)>H(>oz0+8s}|)"lyyyj袊(((((+><_U a'K8$Sՠ袊^+J/KwOWޔQEQEQEQEQEQEQE·_5<R~2v> jW,~V/ [+ DK7|m HTtQckҨ((((+>+o t\El- zv@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@y_EeDIoBk+O~$5q>m8}<2?#~e޻2f6-?嬙}7+> xs߆bmMh/ omc? X]~4snȼ o (C+_G#Y+G?!Bk 9)Hأ Њ{^!O;KT4|?h~(((((((( 7}K#okJ+;%c@觮V4'z(((sԅt=[wzDRO^_,|;M2|lPh袊}F7q*}פii5KxOQO>Sכe`JnI1Gk((((((+>:'5k>:'5hz(- Ҿ /e]BQEQEQEQEQEQEQE|35Ư|1"^0.wn?cW>xSG`@QExoQMmu$]V|(5G__׀hK+KZ~UaQE[KSԴ뇷}J?c;+/h^zRnA/~>VGxS]O );h+Whz{mqn =ttQEQEQEWx&U]-ss@i 'I}l1*(?P*Z(((((((((((((((((((((((( /x<-SYb7[@L@_xCDž5t-!v$`9׳$4 B4o.?2;Vo?TWG? xK S7w=(VWPC))h(((((((iox|_EwAZҀ ~X?묟)놮>Ƣ((o'@5s, {g >!QH vp̒}1kYvI19$IxU'?vWBT^-n/ncY" 3@&"]OǺگm7te3Տ:~uvj/cmo >6aҾaQ.Q&Cҭ:FzRzܚEQEQEQEQEQEQEW|tOX?jףל|tOX?jQE[/e]B|^+J((((((([y-֥7N̍_m?W!Uɿ3_o?P( :E|9dvykǹӧW߮"2:FeaG|KxVtIjpOLy%Q@'|ix_Rb-ͱl,}~׈v0Q(ۺ0G+kd69 wky}v@fQT^]ҭ-6.-']ȝ-i3^ɏ9ȭ!/󻢼1`jf;4{nGլ!>ch*L`/Bv]m @gvqZb_Q/0ï3(?M=#2k%N:[`~[Wf#Kp{MLjQW߉YpOVY]/:qW( 5>QWC__t<}{ _MF|XXdEZDj>t8uT!Qw \c)de.3+LKAixr\?p?슟̅OY+V]B{̕琻'? ?F>wqɲt-{sk˜ydwEE6|xU[LV)>U#59Jtqqڧ|>v¾Ir Hz^5]D f`erbER_,>{!ǦLZo.ok!?֏'4W.#v,ǩ'$icO?M!7um0b|~8#񯎿7WQO7G /N@^E! |P=uI풛YElf [v쿷4 B|E??/g#?M}FK>`:@?|E?0%>{_G5-!_T}5 O=dQcX"0֟_L|7AcX"0֟_L|7A'>կk)dSf/jʏ?9G'>կk(ɥ?j*>oG"ȌR;_(gl"q8a\]w`r9s+X_[A+_:W>| #]q#3(?z]/2ط\o?./iku\iP??J?udmBGb/uk\\6]$OF?(b|%8?T\EvtRx,mmS[f7WcVao+F(կk(ɥ?j*>*.ݞ}ξn_V_L|7AcXOW r*xÒ.k(ȧ?k{KƏJ|=A/#?!?lx@IwۚGl!?ƾ^D?k6XPniUִ`z:|E/7?g~q_ \HX[,OW>b-ePA=j(_gꔽe.aa$+J)d/?Y''FڒE`jJ>?~?*+h/-e&U)$r.e<A+6+9r:A=/xzn+y?O+:N]f|_tMM\7m6?smƟ[ťl' ?~'χ7־]i,M:7h~P8ㅢ(>|N.km}917A;p+K;mB9{iq<@ j\R_%iɫ.32G;TQR"cҨ|n3uV9A+ Լ5eRQ{M}(_8?&?\:$굍>N%PT[Ū{4iQQEuo?TV,((+~)1`F ![]-t%+_ԙǞ.7ޯgIԣd^rrE42q 6ʿMVz)'f~ek3q,}Q^l5{}LJj > FHQծU, ߃%؅GQ^ vkMBOjv&&7O1hI5J?Nd*tKb!_^~N*'&MZ(Hh\Ӽ= 3q8 ƒg_FM4vI<(Ի _ \ľ)r ")WP_.});]]0mJu$֎AZk׈D"f Gr $5/"!r}Fӣ5+JVqEj?2hWҙ&+CٙUѵH)?ށej?u~[)G%ةEY}:Ƣ(~%||[ ږVZ7d Gk|ךN=p9Ib`=?/ִ՚dncW݇QwZ(:m~+~IǥoWZgu'>ǥzW֑B~W_Aby쥺e䗵Rz(C ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (Ug`dJ*ϴ;.b *z(e " ?-9%ةWtZDԢS dgcoc׫ZFҵH֗ ^b ׄrj~_D,d^x}/nų8?Ͻ|7 w]hjG?&=ys-{KTFdB+Y]7:Fc~cq'Ob?Q~1~]+RN43(f<2Q\GaEPKwcx' OՐAח[]eKq;G 9)'Mz w'=:3yyMkw:*+Ꮛ\jF5'*Ϝ?^֨:-akㅿC<3^?zOPKq6+.N ,MڧtrkhyF^>:'^.h&}ߧ>sq&?+!S[_iO+}NJ_ZSw"&##hSιȶ?ULWpݯha?O+&~ Yng#BS֖/UҧKef;~'Q^֟4!2QoMe5a>xmWK>2ZᬲxeKA0\;?N |$ݦ3q'Tևg|˭_#+V9-sUȬUo |@9yzC-e/ln0 =2nX>2$}ZЪȃWєVR͛9\Wg:w%e)sbpI7 wabi.Ś݉LJ'f>6­QO]dUS[I\aF?ҮQG4CHUQ**s˸r=#V?Hti6$ sVs˸c[?oK8µg݋ò2t+UUQB Z)9J[;#iox|_EwAZҤj~X?묟)j( (>]xw\ `+j|Q?R=rG>Ugt+/h7>ꧨaW>%Cy_'}E`Mu~=IWL#Qq\i ՙ+wm;K 9!) 2: W!t~7%ҹO&"}Gq_Bj=?_q &A1@[_AE?oWƟmG -koWƟmG -koWƟmO_xi(,p=bEگ?=?_qwa~C7@;E/mSʾ -xovkn=Ox{(*OC7@;߅(?1?? DҴ?Z$!% Akk:_$3CQ$£ZԦ5;*{Y3zn{&hwp *d$q־[?t tЅ}Kϻg[?oK8µϻg_ hC HM**{IVȡ*(?c~\>Uؠ4M$.N/f>6­QG<*UQύ_TQ.d@VR0)eX/U]X+ٶLm) -eقN1gv Ú\`=M Fz7x @jEQEQEQEW1i:N9-mt- Pz{W^Լ-i:+O׳)U}#ݏS&菺ުNSKu;;Q{{v$N9")E ;O^7?zW_ߋ|.$?@Oz:.8W mFsq_6P4} @  F%)$an=J ((((((((((((((((((((((j7ize֡r`摽A'f爎mƩ0Z5]Bޡ*\4Aw;d(+?h z2 mz4?k埃V쉼#&6+*((((FUu*2"&ž74`R7̟\5x?6L41?d  !>!@΢(($/H<5wjzj꣙GyanAd~>In%{c^q@GE7dt!:kO_#+@ NA~I]޵kiyWVOfԎo3LJa,IFvZ1>+((((((۟BN/ O)^\( (- Ҿھ((((((8׉Y.뢮Sd/~"`3]}ZLoLvǩM|;_nxA'ï 0[/>ѨEQEQEQEQEW|Uao0Y,p1:fؚz(k[m.xn!rG"ᕇPEC_QaR)}wEWZs$J1/:4nUԐC@ ڒOLj]xkYg}M$ʹ|Ձ!`s֗O3(ȍgf\2+kU>((((((((((((((((((((((=xcXDK@o0P?5潬[A-!iXwl'ofԵ=̯4wf$߳~hzw̶ѓ$}Kc^\G(~Ic]ُ]QEQEQEQE ?GSќ.n`ed[tPRFJ#ea 6ߌо&ko날|Sዟ\HMƚ lBeῊņ#0-&w h:)ȒĒF2B)QEQEQEQEQE0\u?״(}YoX xu3)[a%vډ[>\4QEQEQEs4𥧌/u]Lt&)Ga}A"-մV/1]c=Apk*SC$(XG{YEQ@O|o}_Ǩ%.C>.cUgZ\&a؃}z'ŸsxV6ׅ.}1ɉy=qwPtTwڅ7s x卲(((((S+0Uk zx*鰟ښ0BQ@}o!) {&Fa6A-|* ]((((((#}ʃ &GHWo^m;o:.u4 =X?'koβ|5/ XD??ʾ)>\un ofV*G vtQEQEQEQEQEQE~h$)Z ׶E~zg*-A ?{zg@zV #%m&#kԿgO 9@VEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEuK;Qԓ+:z&^j0Gi.c_1aFT[mJ)ʱ;Dcn;k)jrCZ/h#?D/Y*n\tyn Ӂ+a)ixMs4.h^.֙K{BIH9sh-g$ɓ O9訢() i4?j?Bl X*yj~\ uq4kJ)f,G$~k|>ms*yN'rGo~W)OJ5GSl#S/ I}bXm'&88I>1[K_j䓀7 0S\tMsxI#b2GB+{OЩo&'WO kHM>_ǭSr7QU - <S^g j 4 лM[h4`YN?\VWP ZO xyAҽu,/m`1FȓFʛy8}(e X`ޖ+},hZ _15W<=aGԣopݙ}<Ǿ$|7\iiW&@̒fP/Ek%wV)?U"&yEe1_=3_%? Rm{m.wov8˶8/]տ O&xC@<,h? h*k.~7KЭtD[F8Up92~~@lh]-@j/D|KBR4-'(6#8ttJҿ'gkD|KBR4<+(t-g ʀ>hMH/0"_+|:6z.Bꌢ6+#n=(((F`Y I=mPFi_ :54Ԡ.wr*,ȪhLqXK?:_꬧EҀ>&7@_yXH&M~8_?5V(^J'ȁYwϩkлM>?xl^_vJqzoϋ2ɧjIu&򱟞T i.U,$>^?Hj4k_X7H$_>_iD5;"7_/ I]տ O&>|y7IdlpsTxo^#}C4kcy [7oJ(((((Uё2d_.|aT}wEgK\ޝ=3%Esm1$J$UG| ^<IiY~\xQ7 $ ~CɁsh~RftPQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEW,'t)$R 3߂o/t&3dRS ߊ((((((((((((((((((((((+Z9qM*oDJf6ZNk }wj$Wh((((6zM ok$p3:Edh~(Kcjvg-vʵ((((6zM ok$p3:Er?|C6);GYp?3@e^R[ .8QEQEQEQյ;B7ڥVL(' Vf #V\nBEiEPE2Ic#`I8M> ( ( ( +;Z״^;`vR}s?OkڔZ~$rXh%yh(((3^ΐ[BSY/=;-}ZX{-d4EPEPE293E"8V*J8#(((((ȥxXdY#at9{}Vvi^K^+wDLp H\PxF2ͣjVd0v^{V+x#ie2IPV&xK}V4 d?mEPEPEPE^x~U޷i m`͌ {~tEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEWkv~3gaY {-%v|@MJvsq!XGrp $v=+[W>|Ge,bvif1꫃APG?lRggדwk4gQFK1޼e?`|j/=>I>k*Fq3=h_.3)/c/Llz=oCF-zMcRWz>g [uY]\v1#p@B{@w}igIҭ5?x@q ʖnl+sڀ>XqtiWYTGQ/ ØZw If+.O|>֩gWQDvMMKm;vA4t>Yzm!֚+V+|<7IC> bK2 8,;g]$\% !N={q_?x/sIW?k@59w/+h$6&cwWfYk7 20۷¹_jKuFn <SMB#{b7b@?N('[du\tك>u/ j $O >Fk_ڠq^Wmt-.vPVyCHGc}LWm/>spgLsZ"F 2+ Yӧ;|Ȯ>σM{ŷrcEU.\yV0" N[Q>x5SHm^.8#yg*({{̖2Ѹ`v֊(U‚ٷ^sx~Gu[W|^8d0]G[ɜn EK\?5Ht;B'w 2]m|EkxIY w ZLKFcRpۻר߂/<AAs$ppf\s?{GmΡh`uwA G$c9kxmi"FY`>m|=^.%ѫeFpedwZ Nz|Z5~ Yu];唙lۘ+9}?@&"6?ox kپ(0yl?k@EOX^&3IUOMEkFꚭ?MW??[OtWV/cDVFXR21GJ>n,!쐸u?B8$GA,]ImU \/40h3RIHwVǯGS|x֓sP/4WLM^ڋ2sW;.+u )V{yρ$VFͭasq,lzN=I5+g0K{nҨnzqRmuM^ĿW)3_+|cVu Xd DG5\TR]fxZHݴp` `'9q6 =Խ+?v1C31$,׏A[m.!;] 'ly02}r=-~ >mݜZ|.$ yRᱎ17_M-FwȹɌL`>~>1ԭ,=3Tf/t7;n#k0?:Oז>w0ɧC5pYph xwaI-~V~Eiֽ_ë{m-m 7n3hkh'cRװWO4 KS%ětAw‚~W5? $K]ɻRҴɒ/%7ހ9ٷFcG]ơei #!dTkOٷFcGS*?-}:ƲFe9qXc6_zc9dI熿kkӿ9sPv֊sq!n5m::Ycx'"΋__quJAW3j2F[(;Vux fi{82[L(?U&xA]bI|s׈|-6H5^K'h9rW߱] kl&cBylC }TR29Wɟ\FAr349**=Lʾ-O-j,SF΀>xT$u_=BYi ݺc=-R` L=HV?%o Ҿ՝G#ߟMx{|'a^ݝ遒;zW?Mh@5]8rF2~~;c=Z}FO.v*К77SSP!3Y3 @hk`7nA^Ggy[J33\;e'&4PBM*G{_+?|a[k_][4ZD2nm g㮻s?S5 ,\y탎>^"/h6qE٭CAAe8<.Krc5UV p}3WWF;Ķ6:@O EQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQECn\yʠgyy?>#xvS sH^rN09=ߍ,|S-:`[Ky`V#5]accog B("XuFG-CZ̺䪪am}a|8fwshcɀ +5 wkjpLn=q^s>]jFhZ&VT2Gu'h @g1#v$Sկ}M>;runi[lm=Jh$V$hY/iUW[qN9#k?޻Jז{vi*&?+tȮGD[M>1aq@oU^#;9ϐ|8~$joZHC\6k56q./E/P9׳|nZA4Kf9ٮ5$kR}@N?ָÚ^ZnvVh6u0a'WB)f?:_v\[aR%7sr:>{+x#i%*'fh,\Jq)p=J𯖵7Գ VedhIs׮ y{+sXk}BP9Xm<8{]V/mp2Fl ۛ/|]ҡ0AF3<m]M/WCӈR؇v!2 F=89IaY?TU?Fz4Ky4LUyi+ӯvGL o}GIͿy!{Ѝ{ĸem o$hQǎW~κm5ͺaL2%q_?x/V n~k+Qz@ ?5mZ vqXg>.|4_vk >s =Azsκm5ͺaL2~*埋<7{^&n9V3ؼ[a)⟉hiVF'IԜ{ƽ'Qu M &'5ćĚ|h|+#YchC#|:޸זW6х3DzdWДF8%% 6I+ +~hexf#ʹ.Ǩ6t3!uӕ?R[t LjdA g {;?3@BQE%OT6Z$ƜgoDsqJo}c-cKK 8͗ב^/r)QKVF*DKE|Kt@wa>׉% ܕ%B69|߇>![[7 ,{[U,m`:'?*~'ǚzx|Uⰷ"Iٱ@_ =2JnO{g3LSՐ.|L@D9ۑܞOz6wc[M&6 qc}a,Qh0:($_ҼgmX{Oĸem o$hQǎW~eugVL2w~S8}I"ŦZFu!E@gWdO?D7 0=V*/7'$G768>3iב.&GQQ6\+iH-8 sڀ5'?56էqo-vեX$f۶_1=k-~{FB6 Ҵa2 ?gýgJd-ЭAq!R^aX ؓq j,g! R+V [ޣs-ql#_&m0`y5᧶I0A89Wu\YK xN3<`ZDy+} +G\7-i׍o+^sb>6^I㯮/ *S.]Xo&G2A_Ul&6T*_oVU7mdǓ>J?kO~ON!2=ȮÝC_kss^MռC. *;7S ^^ѷKvOxsjc6<3%!eyj-4xNHLْH1,$gkikZYHa=]8lm^I+h}'[kHx'"#[zq>_5H<;vM$8!nwp{x$O*Z o61Z[Mq #bF\KnEe| m5zޕ| w.G=xzkSJm簛,ʄUWvWV>ky#2*.p{pjIv#m[1aq@7[HPe /M.tmu5E"NHp>#n>E})l ԱD# n1ݫ T Mh & HeRۈO ``gIQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQES]D(꬧aiPҊ(((]"n&ED :)duPEPEPEPEPEPZ4vVdRI#NE}7]u-B4hnV29#r +BzƖd7"2a#_I2#ea"ټZY|13P>վ&[U#kżtd1.}…5Vam@:Eoƣf (@Pc}PYPî:(O xF\^5F0BRc e'2`Nc?<0.Jes! <#:fZO aUq dVQEQEDRUAc@N ( ( ( ( (qp1Nh3}&EQEQEQE҈d]`69:($hUG@S(((*U@,rp:uPEPEPEPYA:(C )PEPEP|6.0[4(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((#(^  v x2+bmanning@ep.net(,www.ep.net~/ 0DTimes New Roman20Wo 0DArial Narrowan20Wo 0" DArialNarrowan20Wo 0"0DMonotype Sorts20Wo 0@DHelveticaorts20Wo 0"PDCourieraorts20Wo 0`DOsakaraorts20Wo 0pDTimesraorts20Wo 0DCourier Newts20Wo 01g .  @n?" dd@  @@`` 80x n 'MGR!%"A  E   ?  T ?  T      A*9 .!+()*+,./012 46899*)8+-*.(C'0F&F %F$M3#"6!STUVU HTJS, Z&\de   Fq'+"" #$%&.   B m `b$ۥհQʂgb $b$K0$j%r b$]ֺ @\ȔfZ:<7$$2$E"C7H9_pW1lv<R$2n`L嚏{V@ 0e0e     A@  A5% 8c8c     ?1 d0u0@Ty2 NP'p<'pA)BCD|E|| f3f3@f8[\ g4dddd0\p@ pp<4!d!d 0L2g4dd0ppp/ <4BdBd 0L2uʚ;2Nʚ;<4ddddЁ 0"BRANCHTO08HOTSPOTTYPENextSlide>$DEFINEDINNAVIGATOR Falseh___PPT2001D<4X`___PPT9f/ 0J2?.+February 2003O ;t"DNSSEC & Operations* bill manning bmanning@ep.net www.ep.net $+)+ 0, 0(5 DNS Concepts  7 Why DNSSEC? DNS is not secure Applications depend on DNS Known vulnerabilities DNSSEC protects against data spoofing and corruption Who protects the keys?Z%3LL 8Outline$Introduction DNSSEC mechanisms to authenticate servers (TSIG / SIG0) to establish authenticity and integrity of data Quick overview New RRs Using public key cryptography to sign a single zone Delegating signing authority ; building chains of trust Key exchange and rollovers Keys ConclusionsX ZVZZZ V BWhat does it mean to be  Secure ?That the data you ask for, you get, from the correct source. Really authentication and integrity New RR types Meta data (keys & time)!Fundamental Operational changes. LNeed tools to manipulate these RR types. No  hand-crafting Much higher levels of communication required between parents/children & master/slaves Add key management It s a tool kitxProtection of server/server traffic: TSIG Protection of data: SIG/KEY/NXT/DS There are other means. And some of the tool kit may not be  robust in the face of some operational demands. :Reminder: DNS Resolving ;DNS: Data Flow <DNS Vulnerabilities  =DNS Protocol VulnerabilityDNS data can be spoofed and corrupted on its way between server and resolver or forwarder The DNS protocol does not allow you to check the validity of DNS data Exploited by bugs in resolver implementation (predictable transaction ID) Polluted caching forwarders can cause harm for quite some time (TTL) Corrupted DNS data might end up in caches and stay there for a long time How does a slave (secondary) knows it is talking to the proper master (primary)?BQQ>Motivation for DNSSECDNSSEC protects against data spoofing and corruption DNSSEC (TSIG) provides mechanisms to authenticate servers DNSSEC (KEY/SIG/NXT) provides mechanisms to establish authenticity and integrity of data A secure DNS will be used as a public key infrastructure (PKI) However it is NOT a PKIR55?DNSSEC Current State|This material is based on the  current RFC2535 with modifications Changes to the specs that are now going through the IETF: Rewrite of the specs; mainly an editing job; Incorporation of operational experiences; Changes not backward compatible with current specs! E.g. introduction of DS, NXT, NXT opt-in, AD bit, etcB~ZZ6Z~6})DNSSEC Mechanisms to Authenticate Servers** TSIG SIG(0) ATSIG Protected Vulnerabilities   BTransaction Signature: TSIGTTSIG (RFC 2845) authorizing dynamic updates & zone transfers authentication of caching forwarders can be used without deploying other features of DNSSEC One-way hash function over: DNS question or answer & the timestamp Signed with  shared secret key Used in server configuration, not in zone filenZZZ'ZOZ'O,c . C TSIG example TSIG and Message Format Names and Secrets&TSIG name A name is given to the key, the name is what is transmitted in the message (so receiver knows what key the sender used) TSIG secret value A value determined during key generation Usually seen in Base64 encoding 'Looks' like the rndc key BIND uses same interface for TSIG and RNDC keys ZxZZIZZ0Z xI0 Using TSIG to protect AXFRDeriving a secret dnssec-keygen -a ... -b ... -n... name Configuring the key in named.conf file, same syntax as for rndc key { algorithm ...; secret ...;} Making use of the key in named.conf file server x { key ...; } where 'x' is an IP number of the other server'NW&,!   . Configuration Example TIME!!!TSIG is time sensitive - to stop replays Message protection expires in 5 minutes Make sure time is synchronized For testing, set the time In operations, (secure) NTP is needed&)):Mechanisms to Establish Authenticity and Integrity of Data;;New RR types added Using public key cryptography to sign a single zone Delegating signing authority; building chains of trust Key exchange and rolloversI#2Vulnerabilities protected by KEY / SIG / NXT / DS33 J$DNSSEC Summary on 1 page:Data authenticity and integrity by SIGning the resource records Public KEYs used to verify the SIGs Children sign their zones with their private key; The authenticity of their KEY is established by a SIGnature over that key by the parent (DS) In the ideal case, only one public KEY needs to be distributed off-band;;K%"Authenticity and Integrity of Data##*Authenticity: Is the data published by the entity we think is authoritative? Integrity: Is the data received the same as what was published? Public Key cryptography helps to answer these questions signatures to check both integrity and authenticity of data verifies the authenticity of signatures8ZdZcL&Public Key Crypto ReminderKey pair: a secret (or private) key and a public key Simplified: If you know the public key, you can decrypt data encrypted with the secret key Usually an encrypted hash value over a published piece of information; the owner is the only person who can construct the secret. Hence this a signature If you know the secret key, you can decrypt data encrypted with the public key data is usually an encrypted key for symmetric cipher PGP uses both, DNSSEC only uses signaturesAZOZZOZ6Z+ZAOO6 +M'Public Key Crypto IssuesPublic keys need to be distributed Secret keys need to be kept secret Public key cryptography is  slow Math: The security of the cryptosystem is based on a set of mathematical problems for which guessing a solution requires scanning a huge solution space (e.g. factorization) Algorithms e.g.: DSA, RSA, elliptic curve RSA/SHA1 is a good choice Better than RSA/MD5roo5O)DNSSEC New RRs3 Public key crypto related RRs SIG Signature over RRset made using private key KEY Public key, needed for verifying a SIG over a RRset DS Delegation Signer;  Pointer for building chains of trust One RR for internal consistency authenticated non-existence of data NXT Indicates which RRset is the next one in the zoned "$6 "$6 P*Other Keys in the DNSFor non DNSSEC, public keys can appear in the DNS CERT For x509 certificates Under discussion/development are application keys IP-SEC SSHP82 82 [5DNSSEC Signing of a Local Zone  *1. Generate keys and include them in the zone file 2. Sign your zone; signing will: sort the zone insert the NXT records insert SIG-s containing a signature over each RRset made with your private key generate key-set file (used later) 3. Distribute the Public KEY to those that need to be able to trust your zone they configure your key in their resolver thus configuring  secure entry point in the treeTY#O\TY#O\\6Locally Signed Zone ]7Locally Secured ZoneseKey distribution problem for distributing keys It would be better if the whole tree would be secured!0/Z7Z/7`: Using the DNS to Distribute Keys!!Securing a DNS zone tree Building chains of trust from the root down Tools: KEY, SIG and DS records This material is based on new developments Only in bind9.3.0 November 15 snapshot or later !(22a;Chain of Trust/The goal is to build a chain of trust from the root down the DNS tree You need to verify the public keys with which signatures over other keys are made Parents need to sign the keys of their children Outline: Which key is used to make a SIG How do parents sign children keys Walking the chain of trust ZZ]Z  Z ]c=Delegation Signer (DS)The parent delegates authority to sign DNS RRs to the child using this RR DS is a pointer to the next key in the chain of trust You may trust data that is signed using a key that the DS points to New RR to solve problems with key-rollovers More on that laterPD-D-e?Delegating Signing Authority:Parent signs the DS record pointing to the key signing key;;f@Key / Zone Signing KeyshOnly an administrative distinction, you cannot tell from the KEY record itself! DS points to a key signing key (KSK) The zone is signed with a zone signing key (ZSK) (these keys may be the same) Key signing key may be long lived, and  bigger Zone signing key may be short lived can be  smaller =  faster pPWUPWU  gA$Chain of Trust Verification, Summary%%hData in zone can be trusted if signed by a Zone-Signing-Key Zone-Signing-Keys can be trusted if signed by a Key-Signing-Key Key-Signing-Key can be trusted if pointed to by trusted DS record DS record can be trusted if signed by the parents Zone-Signing-Key or DS or Key records can be trusted if exchanged out-of-band and locally stored (Secure entry point) B+chBWalking the Chain of TrustiCRFC3090 TerminologyzVerifiable Secure RRset and it s SIG can be verified with a KEY that can be chased back to a trusted key, the parent has a DS record Verifiable Insecure RRset sits in a zone that is not signed and for which the parent has no DS record (more next slide) BAD RRset and its SIG can not be verified (somebody messed with the sig, the RRset, or the SIG expired) A zone and it s subzones are BAD when the parent s SIG over the Child s key is BADtdtd  jDInsecure ChildrenCryptographic evidence for the verifiably insecure zone status is given by parent If there is no DS record as proved by a NXT record with valid signature, the child is not secured A child may contain signatures but these will not be used when building a chain of trust In RFC2535 the parent has a  NULL key with a signatureGGlFBuilding the Chain of Trust The child has to: be secure (see  Signing the local zone ) upload (off-band) the KSK to the parent The parent has to: generate the DS record from the KSK of the child sign the DS record with his own ZSK (re-sign his zone) Then the parent has to repeat the process, going to his own parent, and so on, till the "." (root) All of this is done automatically - using tools& right!RhFc(8Rh| mG\Parental signature adopting orphans carefully&  /$Parents needs to check if the child KEY is really their child s& Did you get the KEY from the source authoritative for the child zone? This needs an out-of-DNS identification Open operational issue: How do you identify the KEY comes from an authoritative source? Billing information? Phone call? Secret token exchange via surface mail?ZZZ@ZIZ@HnH0The DNS is not a Public Key Infrastructure (PKI)11All procedures on the previous slide are based on local policy i.e. policy set by the zone administrator A PKI is as strong as it s weakest link, we do not know the strength of the weakest link Certificate Authorities control this by SLAs If the domain is under one administrative control you might be able to enforce policy BZ-ZXZ-XoI:The DNS is not a PKI (cont d)The DNS does not have Certificate Revocation Lists There is no way to explicitly say: Do not trust that KEY But it is closest to a globally secured distributed DB IPsec distribution of key material opportunistic keys; if there is a key in the DNS and nothing better we ll use it discussions on using the DNS for key distribution <keydist@cafax.se> x3:7$QF3:7$QFqKKey Exchange and Rollovers     rLWhy Key ExchangeYou have to keep your private key secret Private key can be stolen Put the key on stand alone machines or on bastion hosts behind firewalls and strong access control Private key reconstruction (crypto analysis) random number not random Leakage of key material (DSA) Brute force attacksPCc-KCc-KsMPrivate Key CompromiseTry to minimize impact Short validity of signatures Regular key-rollover Remember: KEYs do not have timestamps in them -- the SIG over the KEY has the timestamp Key exchange involves 2nd party: State to be maintained during rollover operationally more expensiveXZ3ZzZDZ3zDtNShort Signature Life TimeEShort parent signature over DS RR protects child Order 1 day possibleFFwQ$Timing of the Scheduled Key Rollover%%uChild should not remove the old key while there are still servers handing out the old DS RR. The new DS will need to be distributed to the slave servers max time set by the SOA expiration time The old DS will need to have expired from caching servers. Set by the TTL of the original DS RR. You (or your tool) can check for the master and slave to have picked up the change.nZ(Z;Z&ZTZ(;&TxRScheduled Key Rollover IssuesCurrently one can not distinguish between a key signing key and a zone signing key. Once that distinction can be made, the rollover can be fully automated.ySUnscheduled Rollover ProblemsNeeds out of band communication with the parent and to pre-configured resolvers The parent needs to establish your identity out of band again Your children need protection. How to protect them best? Leaving them unsecured? There will be a period that the stolen key can be used to generate data useful on the Internet There is no  revoke key mechanism Emergency procedure must be on the shelfZ]DNSSEC SummaryDNSSEC provides a mechanism to protect DNS DNSSEC implementation: TSIG for servers SIG, KEY and NXT for data DNSSEC main difficulties: keeping private key safe distributing keysPB++B++Performance issuesChanges to offered load Address length changes packet size & format Key/Sig size/strength change packet size & computation overhead Encoding changes packet size greatest delta tested increases DNS response from 576 bytes to 18k bytesF HPerformance concerns|DNS is a very lightweight protocol Simple query  response Any performance limitations are the result of network limitations Speed of light Network congestion Switching/forwarding latencies,}B}BChanges to performancewill the DNS be asked to verify replies in near real time? the validity of cached data becomes more suspect DNS flows begin to look a lot like HTTP traffic.  Keys & sLength Duration Who holds them Where are they? What can we learn from others who have had to manage keys for years?ttLength / DurationPShould Strong/Long keys be used everywhere? Compute times Packet/Buffer sizes KEY and SIG interaction. SIGs have timestamps, KEYs do NOT Impact of pulling  active keysP,"B,"B Who / Where Asymmetric Keys presume a single owner/holder Capture Loss Offline/Nearline/Online UNIX file system protections KEY validationP.,.,PKIs & Certificate AuthoritiesAre their operational constraints the same as for DNSSEC? What can we adopt from their vocabulary & experience? Things to avoid& Generally the DNS is  NOT- the target application Trust is  NOT- transitive Is Liability transitive?(eeHow  we do itOffline Key storage and Zone generation Unidirectional Validation is in test Short Signature values  1 day and 30 days Key Rollover  6 months Questions?  Our testbed: www.rs.net/7  !"#$&'( . / 01245@AB"E#F%H'J(K)L*M+N,O.Q/R0S1T3V4W5X6Y9\:];^DgPsx,,  e je{HH(d/h  ]p =<8  ` 3ff` ` >?" dF@0?n2d@uK FA@ " d`  n?" dd@   @@``@n?" dd@  @@``PR   @ ` `Bp>>.+February 2003 h` ( d    N4wgֳgֳ ?`  T Click to edit Master title style! !.  Hygֳgֳ ?  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  H@gֳgֳ?l$ 0 0 0 Jump to first page   0 0 "  6G51?^l$ 0 0 0  6G1? l$ 0 0 0  c $    `*   c $    * -**  $RB   s *D^N  63޽h? ? 3f apricot .+February 2003 [S0 ( 0$ ܱܱ vB  N1? ^   Ngֳgֳ ?   T Click to edit Master title style! !  HDgֳgֳ ?P+ Z  W#Click to edit Master subtitle style$ $  c $    `*  c $ `{   `*  C ^AFF:\abir\ppt-templates\ncc-logo.gif`  E^  C 6AH:\FUN\isi.gif pp2   C A apricot.gif 00022E4E Macintosh HD B746CC0A:"x   c BAԔARIN_cmyk-3-75"` 0 PGN  63޽h? ? 3f 0 `XP ( =    c $' P    Z* X   C  Y      c $)  @  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S   c $.     \*    s */ `P   Z*    s *9 `   \* N  6޽h? ? ̙33 `8x( P@0o@ 8 8 c $| P    Z*  8 c $<     \*  8 s *h `P   Z*  8 s * `   \* H 8 0޽h ? ̙33   ( )pG@ l  C <   l  C P+ Z  H  03޽h ? 3ff  p $(   r  S \`   r  S   H  03޽h ? 3f6  6(  ~  s *x`   x  c $O`  H  03޽h ? 333380___PPT10.8k  B:(    C xgֳgֳ ?`     3 rgֳgֳ ?  H  03޽h ? 3333  X 0(  X x X c $`   x X c $x  H X 03޽h ? 3f  \ 0(  \ x \ c $`   x \ c $  H \ 03޽h ? 3f  ` 0(  ` x ` c $`   x ` c $  H ` 03޽h ? 3f  00@@0(    C xDgֳgֳ ?`     Zdgֳgֳ1? ``@ @Resolver   B  B8c?PaP,$@ 0  Ngֳgֳ?@  QQuestion: www.ripe.net A 2  Tgֳgֳ?p$&D,$ 0 Jwww.ripe.net A ? F @   @ f  61?@    Zgֳgֳ?.  UCaching forwarder (recursive)    61?P,$@ 0   Zl]gֳgֳ?,$ 0 C root-server      T]gֳgֳ?W Y,$ 0 Jwww.ripe.net A ? B   B8c?A ,$@ 0B @ B8c?qA ,$@  0T  T ]gֳgֳ?0`,$  0 d go ask net server @ X.gtld-servers.net (+ glue)3 3  61?p@ ,$@  0  Z]gֳgֳ?o ,$  0 C gtld-server     T ]gֳgֳ? ,$ 0 Jwww.ripe.net A ? B  B8c?A ,$@ 0H  T]gֳgֳ?` ` ,$ 0 X go ask ripe server @ ns.ripe.net (+ glue)- -B @ B8c?0 q 0 ,$@ 0  61? `p,$@ 0  Zgֳgֳ?A O,$ 0 C ripe-server   B  B8c?! 0P ,$D 0B  B8c?! 0 ,$@ 0  T]gֳgֳ?\ 0 ,$ 0 Jwww.ripe.net A ?   Th#]gֳgֳ? P ,$ 0 V 192.168.5.10    Tx']gֳgֳ?l,$ 0 F 192.168.5.10   B @ B8c?a,$@ 0z 0P0  0P0,$D  0  Z+] 1?c6  S1   2   T 8c?0P0z P p  ! P p ,$D  0 " Zd&] 1? >  S2   2 # T 8c?P p z 00P $ 00P,$D   0 % Z2] 1?CV* S3   2 & T 8c?00Pz p   ' p ,$D  0 ( Z7] 1? ^  S4   2 ) T 8c?p  z  `  * ` ,$D  0 + Z\:] 1?3 Z  S5   2 , T 8c? ` z  @ `  - @ ` ,$@ 0 . ZL>] 1? p D  S6   2 / T 8c? @ ` z   0  ,$@ 0 1 Z@B] 1?    S7   2 2 T 8c? )z   2  3  2 ,$D  0 4  "BrCDE<FD8c? d9W|q- @ 2  ,$@  0 5 TF]gֳgֳ?  $ ,$" 0 F Add to cache     @  6  @ ,$D! 0 7 ZJ] 1?F ~  S9   2 8 T 8c? @ z p@`  9 @p` ,$@ 0 : Z@] 1?f^:  S8   2 ; T 8c?p@` ez ` ~  < ` ~ ,$D   0    = `  ,$D# 0 > ZQ] 1?   T10   2 ? T 8c?   @ ZV] 1? | ~P  =TTL H  03޽h ? 3333Q Q___PPT10P+1QWcDeN' = @B D N' = @BA?%,( < +O%,( < +DC' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =+4 8?\CB#ppt_xBCB#ppt_xB*Y3>B ppt_x<* D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<* D ' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*#%(D' =+4 8?\CB#ppt_xBCB#ppt_xB*Y3>B ppt_x<*#D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*#DC' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*&%(D' =+4 8?\CB#ppt_xBCB#ppt_xB*Y3>B ppt_x<*&D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*&D ' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*)%(D' =+4 8?\CB#ppt_xBCB#ppt_xB*Y3>B ppt_x<*)D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*)DC' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*,%(D' =+4 8?\CB#ppt_xBCB#ppt_xB*Y3>B ppt_x<*,D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*,D%' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D ' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*/%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D ' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*2%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D ' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*;%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*@%(D' =-s6Bwipe(down)*<3<*@D' =%(D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*?%(D' =-s6Bwipe(down)*<3<*?+h+0+. ++0+ . ++0+ . ++0+. ++0+. ++0+. ++0+. ++0+. ++0+. ++0+. ++0+. +?G   ))D(    C x a]gֳgֳ ?`  ] ^  61?   Zb]gֳgֳ?  >master   61?@,$@  0   Zf]gֳgֳ?,$  0 KCaching forwarder   61? p ,$@ 0  ZXk]gֳgֳ? ^2 ,$ 0 @resolver   B  @ BԔ? ,$D 0B  @ HԔ? p,$@ 0B   HԔ?a `,$@  0B   BԔ?!a ,$D 0B   BԔ?!0` ,$@ 0=z   ,$@ 0  Tp]gֳgֳ? LZone administrator   Zt]gֳgֳ1?P A Zone file   B  BԔ?,$D 0  Zy]gֳgֳ1?@P ,$@  0 GDynamic updates B  BԔ?10 ,$D 0B  BԔ? 0,$@ 0z 0  0,$@ 0  Z~] 1?@  S1   2  T 8c?0z 0  ,$@ 0  Ź] 1?@  S2   2  T 8c?0z `P p   P` p ,$@  0f  61?   Z]gֳgֳ1?`` p  >slaves N 0  P p  Z$] 1?@  S3   2   T 8c?0vz `  ! ` ,$D  0rB "B BԔ?rB #B BԔ?` z 0 $ P p,$@  0 % Z] 1?@  S4   2 & T 8c?0z 0 ' p,$@ 0 ( Z] 1?@  S5   2 ) T 8c?0H  03޽h ? 33333+++___PPT10 +.+l=D;*' = @B D)' = @BA?%,( < +O%,( < +D' =%(D.' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D;' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =+4 8?\CB#ppt_xBCB#ppt_xB*Y3>B ppt_x<*D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =+4 8?\CB#ppt_xBCB#ppt_xB*Y3>B ppt_x<*D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*!%(D ' =%(D1 ' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*&%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(Dq' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*)%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* %(++0+. ++0+. ++0+. +" ! !!088R!(    C x]gֳgֳ ?`  ] ^  61?   Z]gֳgֳ?  >master ^  61?@  Z4]gֳgֳ? KCaching forwarder ^  61? p   Z]gֳgֳ? ^2  @resolver   jB  @ BԔ? pB  @ HԔ? ppB   HԔ?a `jB   BԔ?!a jB   BԔ?!0`  F     T]gֳgֳ? LZone administrator   Z]gֳgֳ1?P A Zone file   jB  BԔ?  Z]gֳgֳ1?@P  GDynamic updates jB  BԔ?10 jB  BԔ? 0F 0  0  Z|] 1?@  S1   2  T 8c?0F 0    Z] 1?@  S2   2  T 8c?0kF `P p   P` p f  61?   Z]gֳgֳ1?`` p  >slaves N 0  P p  Z<] 1?@  S3   2   T 8c?0BF `  ! ` rB "B BԔ?rB #B BԔ?` r $  f 1? P  % N] 1?p  cServer protection   F 0 & P p ' Z ] 1?@  S4   2 ( T 8c?0F 0 ) p * Z] 1?@  S5   2 + T 8c?0 , T]gֳgֳ?< KCorrupting data  pB - H)?` p . T]gֳgֳ?  PImpersonating master  pB /@ H)?0 @ 0 T ]gֳgֳ? D  PUnauthorized updates  pB 1 H)? p  2 T]gֳgֳ?02^ OCache impersonation  pB 3@ H)?  4 TL]gֳgֳ? `   \ Cache pollution by Data spoofing ! !pB 5 H)? K pB 6 H)?  r 7  f 1?  8 N] 1?  aData protection   H  03޽h ? 3333___PPT10e.+D=' = @B + " H@P(    C x]gֳgֳ ?`  ]   C x]gֳgֳ ? ] H  03޽h ? 3333 # B:p(    C xtagֳgֳ ?`  a   3 r0agֳgֳ ?  a H  03޽h ? 3333 $ H@(    C xh]gֳgֳ ?`  ]   C x$]gֳgֳ ? ] H  03޽h ? 3333   $(   r  S ,a`  a r  S ,a a H  03޽h ? 3f_ & ?7(  :z d   d ,$D  02  Zp;agֳgֳ8c?|dt B  2  Z>agֳgֳ8c?,   B    C xHagֳgֳ ?`  a   Zgֳgֳ1?@PP A Zone file   ^  61?p`   Z?agֳgֳ1?  >slaves    ZCagֳgֳ1?p  >master    Z Fagֳgֳ1?p@ KCaching forwarder    ZIagֳgֳ1?P p`  @resolver   jB  @ B1?Q pB  @ H1? 0 pB  H1?! ` jB  B1?aP jB  B1?0   TNagֳgֳ?Q LZone administrator jB  B1?``jB  B1?jB  B1?@  ZSagֳgֳ1?p  GDynamic updates jB  B1?a` jB  B1? 0z  h    h ,$ 0  TXagֳgֳ? h  PUnauthorized updates  rB  Bp? 0 z P  P,$ 0  T]agֳgֳ?@P7 PImpersonating master  rB B Bp?A@ H  03޽h ? 3333___PPT10+VɄ$D' = @B D?' = @BA?%,( < +O%,( < +Dv' =%(D' =%(D' =4@BBB B%(D' =1:Bvisible*o3>+B#style.visibility<*l%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*lD' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*l+ ' B:(    C xmagֳgֳ ?`  a   3 rlnagֳgֳ ?^ a H  03޽h ? 33339m ( $$--P$(  |"  T1?|  T1? / @z p     p ,$D   0  Z|agֳgֳ1?p   B    Tgֳgֳ?p s  NSOA & SOA   z       ,$D   0  TD%gֳgֳ?` e  CSig ...   2    B\CDE,F48c? bA[&RTJ8,q@     0? ` ,$D 0   Zagֳgֳ1?`  BMaster  2z P   P,$D 0   Zagֳgֳ1?0P B    Tđagֳgֳ?P$ @AXFR    C xagֳgֳ ?`  a   ZPagֳgֳ1?  ASlave    Ndagֳgֳ?& ,$D 0 KKEY: %sgs!f23fv    Nagֳgֳ?pv ,$D  0 KKEY: %sgs!f23fv  gz Pp  Pp,$D 0N Pp  Pp  Z|agֳgֳ1?Pp B    Tagֳgֳ?P$ @AXFR    Tagֳgֳ?b< CSig ...  B  B8c?,$D 0z dZ  dZ,$D 0  T|agֳgֳ?d CSig ...  R   "BCUDE<FD8c?T  1IifK3!> ( @Zz  P    P ,$D  0  Zagֳgֳ1? P  B    Tagֳgֳ? @s  NSOA & SOA     TDagֳgֳ?U`   CSig ...   B  @ B8c?  ,$D  0 ! 0?,$D 0 " Zagֳgֳ?c,$D 0 B  6z &  # & ,$D  0 $ Z`agֳgֳ1?  ASlave   % Nagֳgֳ?&  KKEY: %sgs!f23fv  Rz `_   & _ ` ,$D 0 ' Nagֳgֳ?`   H verification    (  BC3DEF8c?##Q )z.a8JC6R$\q  .:B^Zt&P~=c2GH@_ q z p b  ) p b ,$D   0 *  jBCDE`Fh8c?nJ A#xBYt!Zo83ax14@+b  + Tagֳgֳ?p D H verification    , Tagֳgֳ?P ,$D 0 G Query: AXFR    - Tagֳgֳ?p tD,$D  0 JResponse: Zone  H  03޽h ? 3333!HH___PPT10G+ DF' = @B DF' = @BA?%,( < +O%,( < +D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB1+#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<**|%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<**|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<**|Dn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* |%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<* |D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<* |Dn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|Do' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =%(D' =K@BBBBPB0B%(/%(0D' =1:Bvisible*o3>+B#style.visibility<* |%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*#|%(Dn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*)|%(D' =+4 8?dCB1+#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*)|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*)|D{' =%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*+|%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*+|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*+|Dn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB1+#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|Dn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB1+#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|Dp ' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB1+#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*|%(D' =+4 8?dCB1+#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*|Dn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*&|%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*&|D' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*&|++0+|0 ++0+|0 ++0+ |0 ++0+*|0 ++0++|0 +-    0 m(  0 ~ 0 s *a`  a  0 08a7 H DNS Header"  e 0 00a7 FQuestion"  e 0 0a7  DAnswer"e 0 0Da 7  G Authority"  e 0 0$c 7 TAdditional & TSIG data"ed 0 <ԔP    0 s *cb  t8DNS Original Message Format eH 0 03޽h ? ̙33  04 <(  4 ~ 4 s * c`  c ~ 4 s *T c c H 4 03޽h ? ̙33  @8 <(  8 ~ 8 s *`c`  c ~ 8 s *c c H 8 03޽h ? ̙33  d\P< (  < ~ < s *c`  c  < Zh/cwawa1 ? l  Primary server 10.33.40.46 key ns1-ns2.zone. { algorithm hmac-md5; secret "APlaceToBe"; }; server 10.33.40.35 { keys {ns1-ns2.zone.;}; }; zone "my.zone.test." { type master; file...; allow-transfer { key ns1-ns2.zone.; key ns1-ns3.zone.;}; };x0 00c ccc  < Z/cwawa1 ? _  Secondary server 10.33.40.35 key ns1-ns2.zone. { algorithm hmac-md5; secret "APlaceToBe"; }; server 10.33.40.46 { keys {ns1-ns2.zone.;}; }; zone "my.zone.test." { type slave; file...; masters {10.33.40.46;}; allow-transfer { key ns1-ns2.zone.;}; };x0 00c ccc < <T9c ?1 6Again, the secret looks okay, but is purposely invalid.76%aH < 03޽h ? ̙33  `@ <(  @ ~ @ s * R"  8 > R" ,$D  0f2 8 6p?>  "" f2 8 6p?nR 8 C x Kcgֳgֳ ?`  c  8 Zslaves   8 ZTcgֳgֳ1?  >master   8 ZWcgֳgֳ1?@P KCaching forwarder   8 Z\cgֳgֳ1? p  @resolver   jB  8@ B1?0Q 0pB  8@ H1?a pB 8 H1? `0 jB 8 B1?a jB 8 B1?0  8 T_cgֳgֳ?1 LZone administrator jB 8 B1?jB 8 B1?!@jB 8 B1?! 8 Zdcgֳgֳ1?P  GDynamic updates jB 8 B1? jB 8 B1?` 0`z `   8 `  ,$ 0 8 Ticgֳgֳ?` \   \ Cache pollution by Data spoofing ! !rB 8 Bp?  z 2^@ 8 2^@,$ 0 8 Tmcgֳgֳ?2^w OCache impersonation  rB 8B Bp? @H 8 03޽h ? 3333___PPT10+VɄ$D' = @B D?' = @BA?%,( < +O%,( < +Dv' =%(D' =%(D' =4@BBB B%(D' =1:Bvisible*o3>+B#style.visibility<*%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*D' =+4 8?dCB1+#ppt_h/2BCB#ppt_yB*Y3>B ppt_y<*+ / H@@(  @ @ C x~cgֳgֳ ?`  c  @ C x~cgֳgֳ ? c H @ 03޽h ? 3333 0 B:H(  H H C x4cgֳgֳ ?`  c  H 3 rcgֳgֳ ?@ c H H 03޽h ? 3333 1 B:P(  P P C xpcgֳgֳ ?`  c  P C x,cgֳgֳ ? c B P s *3޽h ? 3333 2 B:X(  X X C xTcgֳgֳ ?`  c  X C xcgֳgֳ ? c B X s *3޽h ? 3333 4 B: h(  h h C x8cgֳgֳ ?`  c  h 3 rcgֳgֳ ?` c H h 03޽h ? 33336 5 @p6(  p~ p s *Tg`   x p c $g`  H p 03޽h ? 333380___PPT10.:pT @ H@`(    C xtcgֳgֳ ?`  c   C x0cgֳgֳ ? c H  03޽h ? 3333 A zr (    C x egֳgֳ ?`  e |  Zcgֳgֳ1?`  |Local DNS server ripe.net. 3600 IN SOA (& SIG SOA ... NXT a.bla.foo SOA NS SIG NXT & . NS SIG NS & & ..Z  O D ^  Zegֳgֳ1? `   Caching forwarder trusted-keys {  ripe.net." 256 3 1  abcdee3312 }0! $3 dB  <1?`   Z lgֳgֳ1?@` <Host   Zegֳgֳ1? 0p <Host   Zegֳgֳ1?@  <Host dB  @ <1?1 dB  @ <1?a @ dB  @ <1?qQ`    Tegֳgֳ?p JCorporate site 2    Tegֳgֳ?0p  JCorporate site 3   T@egֳgֳ?=^ JCorporate site 1 ^  Z!egֳgֳ1? P@ Caching forwarder trusted-keys {  ripe.net." 256 3 1  abcdee3312 }0! $3 :   BtCEDE4F<1?MM#2E `{$6Nf7^)=Tcr2a,j%"+c1=IUgy 3J3aEx]u 8K^n#5Sw6`&29AM&\2k>sD@] b    BXCDEpFx1?\\qfqqqtx&xPqji_C&)>KT TXX X `m#$1B<_CyM[{8Vtq_QC8*|U{`=2abI 0)--$ r 5$$$ W0:FOWqWNS'O@Y    B1C/ DElFt1?[[0   :`ywY42Ll{H# $ 8Qk~[=. $JpnXB+I|MA[ntnaah{~o!YC-F?r-+ -^ - % - < JI hv H k       B g  ( . @c dB  <1?Q H  03޽h ? 3333%# B ))8(    3 r'egֳgֳ ?\  e   3 rgֳgֳ ?  e   T0egֳgֳ? ~ @ <net. jB @ B1?At`   Tt3egֳgֳ?0 @P  B money.net.   jB @ B1?Q p jB  B1?Au 0    T7egֳgֳ?   A kids.net.   jB   B1?Aut0    Tmarket   TJegֳgֳ? \  ?dilbert jB  B1? D jB  B1? t jB @ B1?qEt0jB  B1?qu0jB @ B1?!  jB  B1?! p   T4Oegֳgֳ? 4  <unix   NRegֳgֳ? &  =mac( 2  T Vegֳgֳ?` 4   ?marnick   TYegֳgֳ?   :nt jB  B1?! 4   T]egֳgֳ?   ?os.net.   T`egֳgֳ? r <com. jB @ B1? jB  B1? PjB   B1?Qe$jB ! B1?ejB " B1? T ` jB #@ B1?   $ Teegֳgֳ?<  9.  % TTiegֳgֳ?pW UOut of band key-exchanges  2 &  BoCDE0F81? gu#wPn@  J '  "BTCDE<FD1?-3Sl9lOL'S @ 2 9" (  BV CDEF1?**%1?IXar$OC  ge= _C ?y   6 sC `U @U O UX@ * ) T0negֳgֳ? \ ,$D 0 OSecure entry points  H  03޽h ? 3333%___PPT10+$yD' = @B Dd' = @BA?%,( < +O%,( < +D' =%(%(D#' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*)L%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*)LD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*)L+8+0+)LP + E H@(    C x|egֳgֳ ?`  e   C xLegֳgֳ ? e H  03޽h ? 3333 F H@(    C xegֳgֳ ?`  e   C xegֳgֳ ? e H  03޽h ? 3333 H H@(    C xPegֳgֳ ?`  e   C x egֳgֳ ? e H  03޽h ? 3333 J S K  (    C xЭegֳgֳ ?`  e   3 r`egֳgֳ ?Pj e   Zegֳgֳ1?`Pp  > $ORIGIN net. kids NS ns1.kids DS (& ) 1234 SIG DS (& )net. money NS ns1.money DS (& ) SIG DS (& )net.   Zegֳgֳ1?P    $ORIGIN kids.net. @ NS ns1 SIG NS (& ) kids.net. KEY (& ) (1234) KEY (& ) (3456) SIG key & 1234 kids.net. & SIG key & 3456 kids.net. & beth A 127.0.10.1 SIG A (& ) 3456 kids.net. & ns1 A 127.0.10.3 SIG A (& ) 3456 kids.net. & f 8jB  B8c?q  0   Npgֳgֳ?@^` p: The parent is authoritative for the DS RR of its children; ;Vz pQ `   Q p` ,$D 0   Tegֳgֳ?p.   LZone signing key  rB   B8c? Q  rB   B8c? ` Uz 1"    1" ,$D 0   TXegֳgֳ?" KKey signing key  rB B B8c?a@rB B B8c?1P H  03޽h ? 33336 . ___PPT10 +%nD ' = @B D ' = @BA?%,( < +O%,( < +Dn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<* h%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<* hD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<* hDn' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*h%(D' =+4 8?dCB0-#ppt_w/2BCB#ppt_xB*Y3>B ppt_x<*hD' =+4 8?\CB#ppt_yBCB#ppt_yB*Y3>B ppt_y<*h+ K H@@ (      C xegֳgֳ ?`  e    C xegֳgֳ ? e H   03޽h ? 3333 L <4`((  ( ( 3 regֳgֳ ?@*` e  ( 3 rhegֳgֳ ?0  e H ( 03޽h ? 3333y___PPT10Y+D=' = @B +pZ M _>W>EE0=(  0z ` p 0 ` p,$D  0f 0 61?  p 0 Tegֳgֳ?0`4 C $ORIGIN .   0 Tgֳgֳ?`P ,$D 0 >. KEY (& ) 5TQ3s& (8907) ; KSK KEY (& ) lasE5& (2983) ; ZSK" $ n# 0P0 0 `,$D  0 0 Zxf 1?c6  S1   2 0 T 8c?0P0z 1 p   0 1 p ,$D  0T  pp   0#  pp f  0 61? 0p   0 Tfgֳgֳ?pxD H $ORIGIN net.     0 Tfgֳgֳ? `,$D 0 0net. KEY (& ) q3dEw& (7834) ; KSK KEY (& ) 5TQ3s& (5612) ; ZSKF   0  bBCDE\Fd8c?q"T !=c`A%&F3Jz/0@1 B,$D 0 0 0 P p,$@  0 0 Zf 1?@  S4   2 0 T 8c?0z ``  0 ` `,$D  0T `  0# ` f 0 61?`  0 T$fgֳgֳ? >  K$ORIGIN ripe.net.  0 T(fgֳgֳ?` ~ ,$D 0  ripe.net. KEY (& ) rwx002& (4252) ; KSK KEY (& ) sovP42& (1111) ; ZSKfH  0  "BCDDE<FD8c?m-2Ki# :wl?C @  ,$D 0   0  ` ,$@ 0 0 Z/f 1?    S7   2 0 T 8c?  0 3 r1fgֳgֳ ?^<$  0  f z  0 ,$ 0r 0 BA? 0 T3fgֳgֳ?m\ * Locally configured Trusted key: . 8907D+ &Qz  t 0  t,$D  0  0 Z:f 1?~ S2     t !0  t,$D  0 n t "0 n t,$D  0 #0  BQCDEtF|8c?PnYC2"  $z7nLbcV|J4)  ;<@nP,$D 0, $0 Z>f 1?6 t :SIG KEY (& ) 8907 . 69Hw9..D  2 %0 T 8c?z  R  &0 R  ,$D  0 pN . '0 R ,$D  0p (0 TTCfgֳgֳ?N .  net. DS 7834 3 1ab15& SIG DS (& ) . 2983 BD / )0  BCDEtF|8c?P$$-e6IB2NZl{ %;S1rRv-T;<@pPR,$D 0 P p  *0  @,$D   0 +0 ZIf 1? >  S3   2 ,0 T 8c?P p z  a  -0 a  ,$D 0b .0 ThMfgֳgֳ? `   ripe.net. DS 4252 3 1ab15& SIG DS (& ) net. 5612 0F / /0  JB CDEPFX8c?A>;Tr  =oH%i0),@paR ,$D 0 0 00  ` @ ,$@  0 10 ZRf 1?@  S6   2 20 T 8c?0'z 0 p 30  0 p,$D 0f 40  BCDE,F48c? _* wj`SIB/}@ Qz,$D 0N 0 P @ 50 0 P @ 60 ZDWf 1?` P $ S5   2 70 T 8c?0 P @X 80 Z$[f 1?8p HSIG KEY (& ) 7834 net. cMaso3Ud...D% $ }z `   90  ` ,$D  0 :0  "BaC DE<FD8c?`= -}h-N=4` @  ,$D 0 p@`  ;0 `  ,$@  0 <0 Zt`f 1?fbB  S8   2 =0 T 8c?p@` Z >0 Zcf 1?L   LSIG KEY (& ) 4252 ripe.net. 5tUcwU...B'  & z `0 p` ?0 0 `p`,$D   0 @0 TLjfgֳgֳ?`P ^  www.ripe.net. A 193.0.0.202 SIG A (& ) 1111 ripe.net. a3Ud...BL '$ A0B  JB'C4DEF8c?447@uV4:_!0!I7aVzh~(Vf /'|'-353`3333--' ' &&&il@p0 `,$D  0   B0 P P pp,$@  0 C0 ZHpf 1?    S9   2 D0 T 8c?  E0 Ztf 1?  J   H 0 03޽h ? 3333___PPT10.+Di' = @B D$' = @BA?%,( < +O%,( < +D' =%(D' =%(D3' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*,`%(D' =-o6Bwipe(up)*<3<*,`D' =%(D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*6`%(D' =-s6Bwipe(left)*<3<*6`D' =%(D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*5`%(D' =-s6Bwipe(left)*<3<*5`D' =%(D' =%(D3' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*A`%(D' =-o6Bwipe(up)*<3<*A`D' =%(D' =%(D9' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*D`%(D' =-u6Bwipe(right)*<3<*D`D' =%(D' =%(D9' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*E`%(D' =-u6Bwipe(right)*<3<*E`D' =%(D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*R`%(D' =-s6Bwipe(down)*<3<*R`D' =%(D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*S`%(D' =-s6Bwipe(down)*<3<*S`D' =%(D' =%(D7' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*T`%(D' =-s6Bwipe(down)*<3<*T`+ N B:8(  8 8 C xdfgֳgֳ ?`  f  8 3 r fgֳgֳ ?@J f H 8 03޽h ? 3333 O H@@(  @ @ C xfgֳgֳ ?`  f  @ C x(fgֳgֳ ? f H @ 03޽h ? 3333 Q P<(  P~ P s *f`  f ~ P s *f f H P 03޽h ? 3333 R H@X(  X X C xfgֳgֳ ?`  f  X C xtfgֳgֳ ? f H X 03޽h ? 3333 S H@ `(  ` ` C xigֳgֳ ?`  i  ` C xLigֳgֳ ? i H ` 03޽h ? 3333 T B:@h(  h h C xDigֳgֳ ?`  i  h 3 rigֳgֳ ?^` i H h 03޽h ? 3333V `x<(  x~ x s *hf  f ~ x s *fP+ Z f B x s *3޽h ? 3333 W H@(    C x)igֳgֳ ?`  i   C xT*igֳgֳ ? i H  03޽h ? 3333 X H@(    C xxgֳgֳ ?`     C xHgֳgֳ ?  H  03޽h ? 3333 Y R(  ^2  61?@p`   C x8igֳgֳ ?`  i   C x9igֳgֳ ? i   NHROOT 2 l  0 i ? p  =TLD 2 l  0@i ?P   =ORG 2 l  0i ?0   >LEAF 2  l  0,i ?`@: C 4096 bits 2   l  0i ?``  B512 bits 2 ~B  l  NDo?P@H l 03޽h ? 3fT   t (  t r t S hi`  i r t S $i i hF  `: t   `:rB t  BDԔ?    t  0$i ? p  >ROOT 2 t  0di ? p  =TLD 2 t  0 i ?P   =ORG 2  t  0pi ?0   >LEAF 2  t  0ti ?`@: D Roll/Multi 2   t  0i ?``  @Single 2~B  t  NDo?P@H t 03޽h ? 3f   $(   r  S i`  i r  S i i H  03޽h ? 3f  | $(  | r | S 0i`  i r | S i i H | 03޽h ? 3f   $(   r  S i`  i r  S i i H  03޽h ? 3fs 0 3+@4( " 4R 4 3  Y   1 4 C E  @    2003 These slides where produced by Bill Manning (EP.NET), Ed Lewis (ARIN) and Olaf M. Kolkman (RIPE NCC).  u~H 4 0޽h ? ̙33 0 ,(  ^ S `    c $ @   " H  0޽h ? ̙33Z 0 (    N1 ?`    3 rfFfF ? @   " H  0޽h ? ̙33f 0 &(    T1 ?`   ] C xD]]fFfF ? @  ] " H  0޽h ? ̙33f 0 & (    T1 ?`   ] C x]fFfF ? @  ] " H  0޽h ? ̙33f 0 &@(    T1 ?`   ] C x]fFfF ? @  ] " H  0޽h ? ̙332 0 `(    N1 ?`   a 3 rafFfF ? @  a Reference: Two papers from the 5th USENIX UNIX Security Symposium, Salt Lake City, Utah, June 1995 (see http://www.usenix.org) Paul Vixie: DNS and BIND Security Issues Steven M. Bellovin: Using the Domain Name System for Break-insH  0޽h ? ̙33 0 f(    N1 ?`   a 3 r]fFfF ? @  a There are some technologies for which the use of the DNS for spreading key material is being considered. Opportunistic IP sec encryption by is one of those technologies. See the FreeSwan implementation.H  0޽h ? ̙33| 0 <4(    N1 ?`   a 3 r`#afFfF ? @  a DOther relevant documents:  H  0޽h ? ̙33Z 0 (    N1 ?`   a 3 riafFfF ? @  a " H  0޽h ? ̙33 0 XP(    N1 ?`   a 3 r8xafFfF ? @  a `&Additional notes: Always use TSIG to secure zone transfers between primary and secondary. Dynamic updates and DNSSEC opens up specific set of problems. Shared secret also called symmetric key cryptography. Symmetric key cryptography is fast. It can be used  on the fly . H  0޽h ? ̙33 0 og (      N1 ?`   a  3 r fFfF ? @  a 8 7   TpafFfF? Uj  aThe original slide contained animations: in this reproduction some of the details have been lost.bb???^^}}H   0޽h ? ̙33Z# 0 <(  < < N1 ?`   c <3 r@zcfFfF ? @  c " H < 0޽h ? ̙33z$ 0 :2D(  D D N1 ?`   c D3 rcfFfF ? @  c B2 H D 0޽h ? ̙33Z% 0 L(  L L N1 ?`   c L3 rcfFfF ? @  c " H L 0޽h ? ̙33B& 0 T(  T T N1 ?`   c T3 rcfFfF ? @  c Public key cryptography theory is difficult. It s based on number theory, one of the finer branches of mathematics. See e.g. http://www.ssh.fi/tech/crypto/algorithms.html for some introduction text. Bruce Schneier: Applied Cryptography, 2nd edition. John Wiley & Sons, 1995 is a seminal work in the field. Only for those who want to go into the details, search for these documents: DNSSEC signatures see RFC 2536 (DSA) and RFC 2537 (RSA). The digital signature standard (DSS) that is used in combination with DSA is described in: Federal information Processing Standards Publication 186 (FIPS 186).(<(H T 0޽h ? ̙33Z' 0 \(  \ \ N1 ?`   c \3 rcfFfF ? @  c " H \ 0޽h ? ̙33t) 0 4,0l(  l l N1 ?`    l3 rhQfFfF ? @   <(RFC 2535 discusses these RRs in detail. H l 0޽h ? ̙33(* 0 Pt8(  td tc $`   c ts * c @  c " H t 0޽h ? ̙3380___PPT10.;p7Z5 0 p(    N1 ?`   e 3 r efFfF ? @  e " H  0޽h ? ̙33Z6 0 (    N1 ?`   e 3 rH,efFfF ? @  e " H  0޽h ? ̙33z7 0 :2(    N1 ?`   e 3 r@}efFfF ? @  e B.Until the DNSSEC is deployed from the  root , use can be made of locally secured zones by configuring resolvers to trust local  secure entry points . H  0޽h ? ̙33Z: 0 (    N1 ?`   e 3 r efFfF ? @  e " H  0޽h ? ̙33Z; 0 (    N1 ?`   e 3 rؼA0deIP^%vx_{}O -[0k ݠ` cJe`sDFl@BIFKMPq@ SUW^Zw0x`be&h `D`*H0̝.Τ Pi˯ w0#" i%-'`SR.@3@^B90hD*}x\PIOQSZpvry !jln[Oh+'0x (4 X d p |;PowerPoint Presentation - Introduction to the DNS systemiOlaf M. Kolkmanlaf"H:\msoffice\templates\apricot.potuc Kennslusvi51nMicrosoft PowerPoint 7.0ico@G*@8@@{jy GRy  !& &&#TNPP2OMi & TNPP &&TNPP    --- !-----,--/gw@ IwIw0- @"Arial Narrow $IwIw0- 3f.2 E DNSSEC & 00-,-01. 3f.2  Operations4)%%))%.--U-- 3f@"Arialw@ PIwIw0- .2  bill manning. .2 bmanning@ep.net.--$$-- &# $.2 K www.ep.net.--OOY-- Q[N--"System 0-&TNPP &0՜.+,D՜.+,`      A4 Paper (210x297 mm)ARIPEper<?+ ITimes New Roman Arial NarrowArialMonotype Sorts HelveticaCourierOsakaTimes Courier NewapricotDNSSEC & Operations DNS Concepts Why DNSSEC?Outline"What does it mean to be Secure?"Fundamental Operational changes. Its a tool kitReminder: DNS ResolvingDNS: Data FlowDNS Vulnerabilities DNS Protocol VulnerabilityMotivation for DNSSECDNSSEC Current State*DNSSEC Mechanisms to Authenticate Servers TSIG Protected Vulnerabilities Transaction Signature: TSIG TSIG exampleTSIG and Message FormatNames and SecretsUsing TSIG to protect AXFRConfiguration ExampleTIME!!!;Mechanisms to Establish Authenticity and Integrity of Data3Vulnerabilities protected by KEY / SIG / NXT / DSDNSSEC Summary on 1 page#Authenticity and Integrity of DataPublic Key Crypto ReminderPublic Key Crypto IssuesDNSSEC New RRsOther Keys in the DNS DNSSEC Signing of a Local Zone Locally Signed ZoneLocally Secured Zones!Using the DNS to Distribute KeysChain of TrustDelegation Signer (DS)Delegating Signing AuthorityKey / Zone Signing Keys%Chain of Trust Verification, SummaryWalking the Chain of TrustRFC3090 TerminologyInsecure ChildrenBuilding the Chain of Trust/Parental signature adopting orphans carefully1The DNS is not a Public Key Infrastructure (PKI)The DNS is not a PKI (contd)Key Exchange and RolloversWhy Key ExchangePrivate Key CompromiseShort Signature Life Time%Timing of the Scheduled Key RolloverScheduled Key Rollover IssuesUnscheduled Rollover ProblemsDNSSEC SummaryPerformance issuesPerformance concernsChanges to performanceKeys Length / Duration Who / WherePKIs & Certificate AuthoritiesHow we do it Questions?  Fonts Used Design Template Slide Titles?LgoKS[cks      #+ _PID_HLINKS TemplateType GraphicType Compression ScreenSize ScreenUsage MailAddress HomePage Other DownloadOriginal DownloadIEButton UseBrowserColor BackColor TextColor LinkColor VisitedColorTransparentButton ButtonType ShowNotes NavBtnPos OutputDirA http://www.ep.net/ http://www.nlnetlabs.nl/dnssec/KOKolkman@ripe.nethohttp://www.ripe.net/disislDNSSEC tutorial Praguei  f3 H:\DISI\PRESENTATIONS\i#_ KennslusviKennslusvi  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`bcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`bcdefghjklmnoprstuvwxRoot EntrydO)Pictures8Current UserqSummaryInformation(aPowerPoint Document(aDocumentSummaryInformation8iRoot EntrydO)`_ƾk@Pictures8Current User#SummaryInformation(a      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`bcdefghjklmnop_