Upload File

measuring the deployment of dnssec over the internet

  • Home
  • Documents
  • Measuring the Deployment of DNSSEC over the Internet
20
Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering — Research Project Nicolas Canceill RIPE68 — May 14, 2014 1/20

Upload: others

Post on 01-Jul-2022

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Measuring the Deployment of DNSSECover the Internet

System & Network Engineering — Research Project

Nicolas Canceill

RIPE68 — May 14, 20141/20

Page 2: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

1 Introduction

2 Methodology

3 Results

2/20

Page 3: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

What DNSSEC?DNSDomain Name System

Essential foundation of the InternetTranslates domain names into IP addresses

ProblemDNS is notoriously insecure

Solution: DNSSECPublic key cryptographySignatures for al resourcesHierarchical chain of trust

3/20

Page 4: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

1 Introduction

2 Methodology

3 Results

4/20

Page 5: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

HistoryDNS Development

1983 DNS specification published1984 First TLDs defined1987 DNS becomes IETF standard

DNSSEC Development1997 DNSSEC specification published1999 DNSSEC specification revised2005 DNSSEC final revision

DNSSEC Deployment2010 Root level deployment2011 Most TLDs signed

5/20

Page 6: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Research scopeResearch questionWhat is the status of DNSSEC deployment over theInternet and how does it impact Internet users?

Which DNS resolvers can be queried from clients?What methods can properly assess DNSSEC support?How does DNSSEC support influence user experience?

6/20

Page 7: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

The Atlas network

5,000 active probesWorldwide — mostly Europe

7/20

Page 8: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

1 Introduction

2 Methodology

3 Results

8/20

Page 9: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Setup

Altlas probes: presence in client networkControlled nameserver with packet capture

9/20

Page 10: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

ChallengesProbes-resolvers

IP address seen by the probe: 8.8.8.8IP address seen by the nameserver: 74.125.18.209

Solution: pre-pend probe ID and use wildcardsProbe 1234 requests 1234.example.com

Resolving setupProbes with multiple resolversProbes using forwardersMisconfigured resolvers

10/20

Page 11: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

LimitationsAtlas 6= Internet

Atlas Top10Country Probes

United States 853Germany 819Russia 724

United Kingdom 605Netherlands 457

France 397Ukraine 364Belgium 184

Italy 166Czech Republic 161

Internet Top10Country Internet users (in 2012)China 568,192,066

United States 254,295,536India 151,598,994Japan 100,684,474Brazil 99,357,737Russia 75,926,004

Germany 68,296,919Nigeria 55,930,391

United Kingdom 54,861,245France 54,473,474

11/20

Page 12: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

ProcessSteps

1 List all active probes2 Start packet capture at the nameserver3 Launch measurement on Atlas probes4 Wait for measurement results5 Stop packet capture6 Repeat steps 2-5 until all active probes have been used

Zonessecure insecure badlabel, badrrsigs, norrsigs

SoftwarePython, atlas, dpkt nsd, ldns Wireshark

12/20

Page 13: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

1 Introduction

2 Methodology

3 Results

13/20

Page 14: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

ResolversDO bit supportRequests on TXT record from secure zone with DO bit set

Probes Resolvers Setting DO bit Including RRSIG4673 5139 4534 [88.23%] 3448 [67.09%]

DS type supportRequests on DS record from secure zone with DO bit set

Probes Answers Authenticated4553 4228 [92.73%] 1409 [30.41%]

Resolvers Active Answers Authenticated4586 4573 4252 [92.98%] 1374 [30.05%]

14/20

Page 15: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Probes (1)Resolvers distribution

0 10 20 30 40 50 60100

101

102

103

40 most common resolvers

Amount of probes

Amou

ntof

resolvers

40 most common resolvers: Google (38), OVH (2)

15/20

Page 16: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Probes (2)Protection

Zone Probes Answer No AnswerNOERROR FORMERR SERVFAIL REFUSED

secure 4606 3098 [67.26%] 1215 [26.38%] 252 [ 5.47%] 18 [ 0.39%] 23 [ 0.50%]badlabel 4212 2381 [56.53%] 296 [ 7.03%] 286 [ 6.79%] 1224 [29.06%] 25 [ 0.59%]badrrsigs 4211 2381 [56.54%] 299 [ 7.10%] 294 [ 6.98%] 1212 [28.78%] 25 [ 0.59%]norrsigs 4124 2655 [64.38%] 1 [ 0.02%] 292 [ 7.08%] 1152 [27.93%] 24 [ 0.58%]

CompatibilityZone Probes Answer No Answer

with AD bit NOERROR SERVFAILsecure 4606 3098 [67.26%] 822 [17.84%] 1215 [26.38%] 18 [ 0.39%]insecure 4642 4350 [93.71%] 0 [ 0.00%] 1 [ 0.02%] 16 [ 0.34%]secure 4695 4376 [93.20%] 1404 [29.90%] 2 [ 0.04%] 11 [ 0.23%]

16/20

Page 17: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Probes (3)Validation distribution

0 10 20 30 40 50 60100

101

102

103

Amount of probes

Amou

ntof

resolvers All resolvers

Validating with AD bit

17/20

Page 18: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Probes (4)Protection distribution

0 10 20 30 40 50 60 70 80100

101

102

103

Amount of probes

Amou

ntof

resolvers All resolversBlocking corrupted answers

18/20

Page 19: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

FindingsDNSSEC-awareness

DO bit indicates 87%DS type indicates 93%

Validation and protectionAD bit indicates 30% validationbad zones indicate 27-29% protectionsignatures available in 67% of answers

IssuesFallback when RRSIG missing: 1%Bad validation of wildcards: 26%

19/20

Page 20: Measuring the Deployment of DNSSEC over the Internet

IntroductionMethodology

Results

Thanks to...NLnet Labs, AmsteramSNE Master, University of Amsterdam

Questions?

20/20


Measuring DNSSEC Use Geoff Huston APNIC. Some Questions… Who is using DNSSEC validation? What is the DNSSEC performance overhead for users and servers?

DNSSEC Deployment Activity in Japan - Introduction of ...dnssec.jp/.../2012/...deployment-activity-in-japan.pdfdeployment and operation of DNSSEC to enhance technical capability of

DNSSEC Deployment - Internet Society · DNSSEC evangelist of the day ¥NLnet Labs ÐNot for profit Open Source Software lab ¥Developed NSD ÐDNS and DNSSEC research ... DNSSEC deployment

DNSSEC Deployment Guide - 123seminarsonly.com...For an overview of DNSSEC, see Introduction to DNSSEC. For a description of how DNSSEC works in Windows Server® 2008 R2 and Windows®

Availability Problems in the DNSSEC Deployment

Measuring DNSSEC - APNIC

Measuring DNSSEC Geoff Huston APNIC Labs, June 2014

DNSSEC Deployment · DNSSEC Deployment: Where Is It & What Are the Issues Russ Mundy Principal Networking Scientist [email protected] [email protected] 410-430-8063

Measuring the practical impact of DNSSEC Deployment · 2Overview of DNS and DNSSEC A DNS name is a dot-separated concatenation of labels; for example, the name cs.ucsd.edu is com-prised

MC / 080:DNSSEC Deployment Study...3. Establish if any barriers to DNSSEC deployment exist (e.g. technical or economic) DNSSEC is a complex protocol to deploy and support. It involves

DNSSEC Deployment Guidebook for ccTLDs

Domain Name Server Security (DNSSEC) Protocol ... › FA8750-10-C-0020 › DNSSEC Protocol...Domain Name Server Security (DNSSEC) Protocol Deployment Final Technical Report November

State of DNSSEC Deployment 2016 DRAFT - Internet Society › wp-content › uploads › 2017 › ... · 2017-08-23 · State of DNSSEC Deployment 2016 internetsociety.org @internetsociety

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

DNSSEC Deployment: A Tutorial - Apricotapricot.net/apricot2009/images/lecture_files/dnssec... · 2017-02-06 · DNSSEC: new RRs Adds four new DNS Resource Records*: 1DNSKEY: Public

DNSSEC Deployment at the RIPE NCC

Understanding the Role of Registrars in DNSSEC Deployment · Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom DNS

DNSSEC Deployment: From End-Customer to Content...Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies: • Case Studies • Tutorials • Videos •

Measuring the practical impact of DNSSEC Deployment

Deployment of DNSSEC in the Root Zone: Impact Analysis · Deployment of DNSSEC in the Root Zone: Impact Analysis ... This report examines the impact of the deployment of DNSSEC in

DNSSEC Workshop - ICANN GNSO...4. DNSSEC Lessons Learned: Roland van Rijswijk, SURFnet 5. DNSSEC Tool Development: • Open Source Tools, Russ Mundy, Co‐Chair, DNSSEC Deployment

Measuring DNSSEC Use

Measuring DNSSEC

The State and Challenges of the DNSSEC Deployment

DNSSEC - Why Network Operators Should Care And … · DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, ... Providing real-world deployment info

DNSSEC Implementation Approaches - ICANN GNSO · DNSSEC Implementation Approaches . The DLV infrastructure zone • DLV is a DNS-based deployment aid for early DNSSEC deployment –allows

Measuring DNSSEC on the client

Measuring DNSSEC Geoff Huston & George Michaelson APNICLabs September 2012

DNSSEC Deployment: Where We Are - ICANN · DNSSEC: We have passed the point of no return • Fast pace of deployment at the TLD level • Stable deployment at root Inevitable widespread

Measuring DNSSEC Use Geoff Huston & George Michaelson [email protected]

MC / 080:DNSSEC Deployment Study

Root Zone DNSSEC Deployment - ICANN GNSOgnso.icann.org/.../presentation-root-zone-dnssec-deployment-08dec10-en.pdfRoot Zone DNSSEC Deployment ICANN 39, Cartagena, Colombia 8 December

Measuring DNSSEC Geoff Huston & George Michaelson APNICLabs October 2012

Measuring the practical impact of DNSSEC Deploymentwlian/papers/lian_dnssec_usenixsec13.pdf · Measuring the practical impact of DNSSEC Deployment Wilson Lian ... The Domain Name

Measuring the Deployment of DNSSEC over the Internet - System & Network Engineering ... › 2013-2014 › p14 › presentation.pdf · 2018-07-19 · Introduction Methodology Results