Shumon Huque

@shuque

Software Engineering Architect @salesforce. Ex @VERISIGN Principal Scientist. Ex @Penn engineer. @Penn CS Alum. Opinions here are my own.

Washington, DC

Joined November 2008

701 Following

581 Followers

1.9K Posts

Pinned Tweet

Shumon Huque @shuque

almost 5 years ago

RFC 9102: "TLS DNSSEC Chain Extension", finally published as "experimental" -- a few years after a long, acrimonious battle in the IETF TLS WG to get it published as "standards track" failed: https://t.co/o1xH10uCEH

1

13

2

0

0

shuque retweeted

DNS-OARC @dnsoarc

almost 3 years ago

Shumon Huque covers much ground in his presentation, including a call for an ICANN role for DNS providers, and handling parental detection of CDS/CDNSKEY records - on which there were new ideas proposed by Johan Stenstam during IDS yesterday. #OARC41 #LoveDNS ^CA

dnsoarc's tweet photo. Shumon Huque covers much ground in his presentation, including a call for an ICANN role for DNS providers, and handling parental detection of CDS/CDNSKEY records - on which there were new ideas proposed by Johan Stenstam during IDS yesterday.
#OARC41 #LoveDNS ^CA https://t.co/bir4gSAkoS

0

6

5

0

506

shuque retweeted

DNS-OARC @dnsoarc

almost 3 years ago

Shumon Huque from Salesforce presenting "Automation of DNSSEC provisioning and maintenance" asserts that robust automation in these areas should make it easier to deploy DNSSEC https://t.co/gm6xcuOcai #OARC41 #LoveDNS ^CA

dnsoarc's tweet photo. Shumon Huque from Salesforce presenting "Automation of DNSSEC provisioning and maintenance" asserts that robust automation in these areas should make it easier to deploy DNSSEC
https://t.co/gm6xcuOcai
#OARC41 #LoveDNS ^CA https://t.co/Q1T7AMRikr

0

5

3

0

271

Shumon Huque @shuque

about 3 years ago

@marcodavids It is not. The A record set (via Fastly) is not signed and can be spoofed, so this response is not secure end to end. All RRsets in the DNS response's answer section need to be signed for the response to be secure. Since they weren't the resolver did not set the AD flag.

0

4

1

0

133

Who to follow

SIDN’s Research Team

Knot DNS is a high-performance authoritative DNS server (https://t.co/v2jUTAIKbc). Knot Resolver is a caching DNSSEC-validating DNS resolver (https://t.co/sqTgqSzxdX).

Shumon Huque @shuque

almost 4 years ago

#IETF114 Meeting Tshirt. Does it look familiar?

shuque's tweet photo. #IETF114 Meeting Tshirt. Does it look familiar? https://t.co/Q7iM8dVbuo

0

14

1

0

0

Shumon Huque @shuque

about 4 years ago

@aabdnn Oh, wow! Thanks for thinking of me while playing Scrabble, Anand! :)

1

1

0

0

0

Shumon Huque @shuque

over 4 years ago

@AkiTuomi No worries

0

0

0

0

0

shuque retweeted

almost 5 years ago

On the blog today, @shuque breaks down alternative models to zone transfer that can support #DNSSEC's non-standardized features: https://t.co/0gk3K9ba2V #DNS #MultiSigner #security

apnic's tweet photo. On the blog today, @shuque breaks down alternative models to zone transfer that can support #DNSSEC's non-standardized features: https://t.co/0gk3K9ba2V

#DNS #MultiSigner #security https://t.co/6bo5cfDiat

0

5

4

0

0

Shumon Huque @shuque

almost 5 years ago

#IETF111 dnsop yesterday "Black Lies Empty Non-Terminal Sentinel" Slides: https://t.co/09cHQaa9Np draft: https://t.co/8fGdpm3M3F

0

1

1

0

0

Shumon Huque @shuque

almost 5 years ago

And 1 more #IETF111 DNSSEC Automation https://t.co/NcKIHJtFwc; Slides https://t.co/muvdXWFgRQ, with @wisser

0

1

2

0

0

Shumon Huque @shuque

almost 5 years ago

Also #IETF11 Domain Verification Techniques: https://t.co/aR9Oolp4rf; Slides https://t.co/qC72LfWZAL with @shivan_kaul

0

4

3

0

0

Shumon Huque @shuque

almost 5 years ago

Presented at #IETF111 today: (DNS) Glue is not Optional draft https://t.co/HVTEXdAP0O; Slides: https://t.co/nivOsyhavU with m. andrews, @letoams & @PacketPusher

0

1

5

0

0

Shumon Huque @shuque

almost 5 years ago

@letoams @VDukhovni Ha! :) That would solve some problems!

0

0

0

0

0

Shumon Huque @shuque

almost 5 years ago

@letoams @VDukhovni There are definitely security benefits for individual certs. We do that for customers with "high security" needs - they go in their own namespace with their own certs/keys. For vast majority of tenants that don't ask for this, there is no business need to forgo wildcard certs.

0

0

0

0

0

Shumon Huque @shuque

almost 5 years ago

@letoams @VDukhovni So, that creates another problem: the app has to manage N million certs.

1

0

0

0

0

Shumon Huque @shuque

almost 5 years ago

@letoams @VDukhovni Also, I wonder what the performance impact on the TLS handshake will be if it has to carry an EE certificate with N million SANs.

1

1

0

0

0

Shumon Huque @shuque

almost 5 years ago

@letoams @VDukhovni Not really, new SNIs appear dynamically and very rapidly. There is no time (or desire) to provision new certificates on that time scale.

2

1

0

0

0

Shumon Huque @shuque

almost 5 years ago

@letoams @VDukhovni Also, without wildcards, they'd have to reissue the certs with additional SANs probably hundreds of times per day as new tenant names are deployed.

1

0

0

0

0

Shumon Huque @shuque

almost 5 years ago

@letoams @VDukhovni That wouldn't fly and not because of cost. Many application service providers deploy thousands and sometimes millions of tenant specific names that map to the same or small set of apps. They would not want to deploy certificates with that many SANs even if that were feasible.

2

1

0

0

0

Last Seen Users on Sotwe

Trends for you

Most Popular Users