Slide 1: A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Taejoong (tijay) Chung, Roland van Rijswijk-Deij, Bala Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson
Slide 2: Domain Name System (DNS)
[Diagram: the browser asks its DNS resolver for example.com; the resolver queries example.com's authoritative DNS server, which returns the A record 155.33.17.68, and the resolver passes that A record back to the browser.]
Slide 3-4: DNS Spoofing
[Diagram: the same lookup, but a forged answer for example.com carrying the A record 1.2.3.4 reaches the resolver in place of the legitimate 155.33.17.68 (marked ✗); the browser ends up with 1.2.3.4.]
Slide 5-6: DNSSEC 101
[Diagram: the DNS resolver sends its query for example.com's A records with the DO bit set; example.com's authoritative DNS server signs the A records with its DNSKEY ("Sign!") and returns the A records together with the RRSIG and the DNSKEY.]
Slide 7-9: DNSSEC 101, Hierarchical Structure
[Diagram: chain of trust from the root zone (.) through .com down to example.com's authoritative DNS server. Each zone publishes a DNSKEY, and the resolver validates the answer to its query (A records, with DO bit) along the chain of DNSKEYs.]
Slide 10: DNSSEC 101, Hierarchical Structure
[Diagram: the links of the chain of trust are DS records: DS Record = Hash(DNSKEY). The .com zone holds the DS record for example.com's DNSKEY, signed with an RRSIG under .com's own DNSKEY.]
Slide 11: DNSSEC 101, Two DNSKEYs
[Diagram: example.com's authoritative DNS server holds two DNSKEYs. The zone signing key (ZSK) produces the RRSIG of the A records; the key signing key (KSK) produces the RRSIG of the DNSKEY RRset, and the DS record in .com is the hash of the KSK.]
Slide 12: Summary of DNSSEC 101
• Three essential elements for DNSSEC: DS record, DNSKEY, RRSIG
• The DS record has to be uploaded to the parent zone
• Resolvers need to verify all signatures along the chain of trust
• DNSSEC can only function correctly when all principals (server and resolver) work correctly
Slide 13: Open Question
How’s the DNSSEC PKI ecosystem managed?
Slide 14: Contribution
• Longitudinal
• Comprehensive
• All angles
Slide 15: Outline
• How DNSSEC is deployed (authoritative server)
• How DNSSEC is managed (authoritative server)
• How resolvers use DNSSEC (resolver)
Slide 16: Correct Deployment for Authoritative Servers
(1) DNSKEY: have DNSKEYs
(2) RRSIGs: generate signatures
(3) Valid RRSIGs: valid signatures (not expired, correctly signed)
(4) DS record upload: generate and upload the DS record to the parent zone
(5) Valid DS record: valid DS record (matched with DNSKEYs)
Slide 17: Dataset
Daily scans* of the .com, .org and .net TLDs: 147M domains, scanned every day from 2015/03/01 to 2016/12/31, over 750 billion DNS records in total.
* https://openintel.nl/
Slide 18: DNSSEC Deployment
[Figure: percent of domains with a DNSKEY record (0 to 1.2%) per TLD (.com, .net, .org), 02/15 to 11/16.]
Deployment: DNSSEC deployment is rare (~1.0% of domains have a DNSKEY), but growing.
Are they correctly deployed? Checklist: DNSKEY (~1.0%), RRSIGs, valid RRSIGs, DS record uploads, valid DS record.
Slide 19: Missing RRSIG records
[Figure: percent of domains missing RRSIGs (missing SOA RRSIG, missing DNSKEY RRSIG; 0 to 2.5%) per TLD (.com, .net, .org), 02/15 to 11/16; the spike is annotated "DomainMonster".]
Checklist: DNSKEY (~1.0%), RRSIGs (~0.3% missing).
Missing RRSIGs: RRSIGs are rarely missing (0.3%).
Slide 20: Incorrect RRSIG records
[Figure: percent of domains with specific failure reasons (expired, invalid signature; 0 to 1%) per TLD (.com, .net, .org), 02/15 to 11/16.]
Checklist: DNSKEY (~1.0%), RRSIGs (~0.3%), valid RRSIGs (~0.5%).
Invalid RRSIGs: RRSIGs are managed well (~0.5%).
Slide 21: Missing DS records
[Figure: percent of domains missing a DS record (0 to 35%) per TLD (.com, .net, .org), 02/15 to 11/16.]
Checklist: DNSKEY (~1.0%), RRSIGs (~0.3%), valid RRSIGs (~0.5%), DS record uploads (~30%).
DS records: nearly 30% of domains DO NOT upload DS records!
Slide 22: Incorrect DS records
[Figure: percent of domains having an incorrect DS record (0 to 0.25%) per TLD (.com, .net, .org), 02/15 to 11/16.]
Checklist: DNSKEY (~1.0%), RRSIGs (~0.3%), valid RRSIGs (~0.5%), DS record uploads (~30%), valid DS record (~0.2%).
Incorrect DS record: once a DS record is generated, it is managed very well (~0.2%).
Slide 23: Choosing an Authoritative Nameserver
[Diagram: example.com's authoritative DNS server can be self-hosted or hosted elsewhere; the two options are annotated with costs $ and $$.]
Slide 24-26: Why are DS records missing?

| Nameservers | # of domains w/ DS | # of domains w/ DNSKEY | DS publishing ratio |
|---|---|---|---|
| ovh.net | 315,204 | 316,960 | 99.45% |
| loopia.se | 1 | 131,726 | 0.00% |
| hyp.net | 93,946 | 94,084 | 99.85% |
| transip.net | 91,009 | 91,103 | 99.90% |
| domainmonster.com | 4 | 60,425 | 0.01% |
| anycast.me | 51,403 | 52,381 | 98.13% |
| transip.nl | 46,971 | 47,007 | 99.92% |
| binero.se | 17,099 | 44,650 | 38.30% |
| ns.cloudflare.com | 17,483 | 28,938 | 60.42% |
| is.nl | 11 | 15,738 | 0.07% |
| pcextreme.nl | 14,801 | 14,967 | 98.89% |
| webhostingserver.nl | 10,655 | 14,806 | 71.96% |
| registrar-servers.com | 11,463 | 13,115 | 87.40% |
| ns0.nl | 12,674 | 12,738 | 99.50% |
| citynetwork.se | 13 | 11,660 | 0.11% |

“Most people do not understand DNS, so imagine the white faces when I mention DNSSEC ... I don’t think DNSSEC has a high priority anymore currently in our organization or our customer base.”
Slide 27: Summary of DNSSEC Deployment
• DNSSEC deployment is still rare, but increasing
• The main cause of broken DNSSEC is a missing DS record
  • Missing RRSIG record: ~0.3%
  • Incorrect RRSIG record: ~0.3%
  • Incorrect DS record: ~0.2%
  • Missing DS record: ~30%
• Most DNSSEC-capable software (BIND, Windows Server 2012, PowerDNS, OpenDNSSEC) manages the keys automatically. Regardless, uploading the DS record depends entirely on the administrator!
Slide 28: Outline
• How DNSSEC is deployed (authoritative server): 30% of domains miss DS records!
• How DNSSEC is managed (authoritative server)
• How resolvers use DNSSEC (resolver)
Slide 29-30: Good Steps to Deploy DNSSEC
(1) Strong key: have a cryptographically strong key
(2) No reuse: don’t reuse across multiple domains
(3) Regular rollover: replace on a regular basis
Slide 31: Key Strength
[Figure: percent of domains with weak keys (0 to 100%), KSKs and ZSKs, per TLD (.com, .net, .org), 02/15 to 11/16.]
Weak keys: 91.7% of ZSKs and 33.3% of KSKs are weak!
Checklist: strong key: 8.3% (ZSK), 66.7% (KSK); no reuse; regular rollover.
Slide 32: Key Reuse
[Figure: CDF (0.999 to 1) of the number of domains grouped together by a shared key, 1 to 1x10^6 on a log axis, for KSKs and ZSKs, per TLD (.com, .net, .org).]
DNSKEY sharing: some keys are reused extensively (among 106,640 domains).
Checklist annotations: strong key: 91.7% (ZSK), 33.3% (KSK); no reuse: ~0.1%; regular rollover: 45.0% (ZSK), 70.0% (KSK).
Slide 33: Outline
• How DNSSEC is deployed (authoritative server): 30% of domains miss DS records!
• How DNSSEC is managed (authoritative server): 33% weak, 45~70% not switched
• How resolvers use DNSSEC (resolver)
Slide 34: Correct Deployment for Resolvers
(1) DO bit: set the DNSSEC OK bit in the header
(2) Validation: validate DNSSEC records
Slide 35: Measuring DNS Resolvers
[Diagram: ad-based measurement in the Comcast network: a client loads an ad served by the measurement node, which makes the client's DNS resolver query the measurement node's authoritative DNS server.]
Drawbacks: no control over the node; not reproducible.
Slide 36-37: Luminati
[Diagram: the measurement node sends requests through the Luminati proxy to residential exit nodes in networks such as Comcast, AT&T, Rogers, Deutsche Telekom and Verizon; each node's local DNS resolver then queries the authoritative DNS server.]
Advantages: control over the node; reproducible; scales.
Slide 38: Methodology
[Diagram: the exit node's local DNS resolver queries our testbed authoritative DNS server for A records with the DO bit; the testbed answers with the A records and their RRSIG.]
Plus 8 other scenarios of incorrect DNSSEC records.
Slide 39-40: Resolvers w/ DO Bit
DO bit: 4,427 resolvers; 83% of them are DO-bit enabled.
Validation: 3,635 (82%) fail to validate DNSSEC records; 543 (12.2%) correctly validate DNSSEC records.
Resolver operators named on the slide: Time Warner Cable Internet, Rogers Cable Communications, Comcast, Google.
Slide 41: Open Resolver Tests

| Resolver | Provide DS | Provide DNSKEY | DO bit requested | Validated? |
|---|---|---|---|---|
| Verisign | YES | YES | YES | YES |
| Google | YES | YES | YES | YES |
| DNSWatch | YES | YES | YES | YES |
| DNS Advantage | YES | YES | YES | YES |
| Norton ConnectSafe | YES | YES | YES | YES |
| Level3 | YES | NO | NO | NO |
| Comodo Secure DNS | YES | NO | NO | NO |
| SafeDNS | YES | NO | NO | NO |
| Dyn | YES | NO | NO | NO |
| GreenTeamDNS* | YES/NO | YES | YES | NO |
| OpenDNS | NO | NO | NO | NO |
| OpenNIC | NO | NO | NO | NO |
| FreeDNS | NO | NO | NO | NO |
| Alternate DNS | NO | NO | NO | NO |
| Yandex DNS | NO | NO | NO | NO |
Slide 42: Conclusion
• Presented a longitudinal, end-to-end study of the DNSSEC ecosystem
• DNSSEC deployment on the server side is rare but growing
  ✓ But 33% of them are misconfigured
  ✓ DNSKEYs are not managed well: weak, some are shared, rarely updated
• DNSSEC deployment on the client side is also rare
  ✓ Only 12% of resolvers validate responses
• Datasets and source code will be available at http://securepki.org
Slide 43: Recommendations
• Use CDS (Child DS) / CDNSKEY (Child DNSKEY), which automate DNSSEC delegation trust maintenance
• Modern resolvers (e.g., BIND >= 9.5) set the “DO” bit by default, but make sure the resolver actually validates
• Financial incentives for registrars to deploy DNSSEC would work (.se and .nl ccTLDs)
• Please read our upcoming paper “Understanding the Role of Registrars in DNSSEC Deployment” [IMC’17]
Slide 45: Questions?
Slide 46: Why is DNSSEC Deployment so Low?
“Understanding the Role of Registrars in DNSSEC Deployment” [IMC’17]
Slide 47: Ethical Considerations

| Subject | Consideration |
|---|---|
| Luminati | Paid for access; does not violate the ToS |
| Exit nodes | No PII exposed; connect only to our testbed; download an “empty” page |
Slide 48: Scenario and Intuition

| Subdomain | Description | Requires DS | Requires DNSKEY |
|---|---|---|---|
| missing-rrsig-a | no signature for A record | 0 | 0 |
| invalid-rrsig-a | invalid signature for A record | 0 | 1 |
| future-rrsig-a | signature is not yet valid | 0 | 0 |
| past-rrsig-a | signature is expired | 0 | 0 |
| missing-zsk | ZSK used to sign A record is not in DNSKEY | 0 | 1 |
| missing-ksk | KSK used to sign DNSKEY record is not in DNSKEY | 0 | 1 |
| missing-rrsig-ksk | no signature for DNSKEY record | 0 | 1 |
| invalid-rrsig-ksk | invalid signature for DNSKEY record | 0 | 1 |
| mismatch-ds | DS record at parent zone does not match the KSK | 1 | 1 |
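The two places where the talk relies on DS Record = Hash(DNSKEY), the chain-of-trust slides (slide 10-11) and the mismatch-ds scenario above, are worked through in this added example (not the authors' code or data): it builds the DS digest and key tag as RFC 4034 specifies and classifies a delegation as secure, insecure (no DS uploaded, the ~30% case) or bogus (DS present but matching no DNSKEY). Keys are constructed byte strings and example.com is a placeholder owner name.

```python
"""DS Record = Hash(DNSKEY): key tag and DS digest computation (RFC 4034) and the
"valid DS record (matched with DNSKEYs)" check from the deployment checklist.

Added example code, not from the talk or its dataset. All keys are constructed
byte strings, not real DNSSEC public keys; example.com is a placeholder owner."""
import hashlib
from dataclasses import dataclass
from typing import Iterable

SHA1, SHA256 = 1, 2              # DS digest type codes (RFC 4034, RFC 4509)
KSK_FLAGS, ZSK_FLAGS = 257, 256  # ZONE|SEP for a KSK, ZONE only for a ZSK


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3  # fixed to 3 by RFC 4034

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, as published in the parent zone


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label last."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = SHA256) -> DS:
    """The DS record the child operator must upload to the parent: Hash(owner || DNSKEY RDATA)."""
    h = hashlib.sha256 if digest_type == SHA256 else hashlib.sha1
    digest = h(name_to_wire(owner) + key.rdata()).hexdigest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """Does this DS authenticate this DNSKEY? Key tag and algorithm are cheap filters before hashing."""
    if ds.key_tag != key_tag(key.rdata()) or ds.algorithm != key.algorithm:
        return False
    return make_ds(owner, key, ds.digest_type).digest == ds.digest


def classify_delegation(owner: str, ds_set: Iterable[DS], dnskey_set: Iterable[DNSKEY]) -> str:
    """Resolver's view of the delegation: 'insecure' (no DS at the parent, the ~30% case),
    'secure' (some DS matches a published DNSKEY) or 'bogus' (DS present but matching
    nothing, the mismatch-ds scenario)."""
    ds_set, dnskey_set = list(ds_set), list(dnskey_set)
    if not ds_set:
        return "insecure"
    if any(ds_matches(owner, ds, key) for ds in ds_set for key in dnskey_set):
        return "secure"
    return "bogus"


if __name__ == "__main__":
    ksk = DNSKEY(KSK_FLAGS, 8, bytes(range(1, 65)))      # constructed 64-byte "key"
    zsk = DNSKEY(ZSK_FLAGS, 8, bytes(range(64, 0, -1)))  # constructed, different key
    ds = make_ds("example.com", ksk)
    print(f"example.com. IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}")
    print("DS uploaded:", classify_delegation("example.com", [ds], [ksk, zsk]))  # secure
    print("no DS:      ", classify_delegation("example.com", [], [ksk, zsk]))    # insecure
    # After an abrupt KSK change the parent's DS no longer matches any published DNSKEY.
    print("stale DS:   ", classify_delegation("example.com", [ds], [zsk]))       # bogus
```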
Slide 49: Structure of Domain Names
• Registry: organizations that manage top-level domains (TLDs). They maintain the TLD zone file (the list of all registered names) and work with registrars to sell domain names to the public. Example: Verisign
• Registrar: organizations that are accredited by ICANN and certified by registries to sell domains to the public. They have direct access to the registry. Example: GoDaddy
• Reseller: organizations that sell domain names but are either not accredited (by ICANN) or not certified (by a given TLD’s registry). Typically, resellers partner with registrars in order to sell domain names, and relay all information through the registrar.
Slide 50: DS record uploads
Slide 51-52: Key Sharing

| Nameservers | KSK keys | KSK domains | ZSK keys | ZSK domains |
|---|---|---|---|---|
| Others | 157,533 | 151,733 | 188,482 | 152,144 |
| ovh.net. | 318,036 | 316,888 | 326,011 | 316,887 |
| loopia.se. | 199 | 133,258 | 217 | 133,258 |
| hyp.net. | 119,150 | 94,888 | 119,161 | 94,885 |
| transip.net. | 93,774 | 93,819 | 187,129 | 93,818 |
| domainmonster.com. | 60,991 | 60,984 | 121,939 | 60,984 |
| anycast.me. | 56,075 | 55,936 | 58,296 | 55,936 |
| transip.nl. | 45,648 | 45,676 | 91,161 | 45,675 |
| binero.se. | 49 | 44,963 | 54 | 44,963 |
| ns.cloudflare.com. | 239 | 28,469 | 214 | 28,469 |
| is.nl. | 12,834 | 12,837 | 25,512 | 12,836 |
| pcextreme.nl. | 15,192 | 15,210 | 28,654 | 15,210 |
| webhostingserver.nl. | 15,019 | 15,023 | 22,741 | 15,023 |
| registrar-servers.com. | 13,043 | 13,183 | 12,998 | 13,181 |
| ns0.nl. | 11,978 | 11,945 | 23,790 | 11,945 |
| citynetwork.se. | 21 | 11,702 | 28 | 11,702 |
Slide 53: Rollover, Abrupt Changes
[Timeline: at t0 the zone publishes a ZSK (TTL = 3600) and the RRSIG it made over the A record. At t0 + 1200 the ZSK and the RRSIG are replaced abruptly. At t0 + 1800 a resolver asking for the IP address receives the A record with the new RRSIG but still holds the old ZSK in its cache: "Can’t verify the signature!"]
Slide 54: Rollover Process (ZSK) <Pre-publish>
[Timeline: t0: the old ZSK is published and the A records are signed with it. t1, introducing a new key: the new ZSK is published alongside the old one while the RRSIG is still made with the old ZSK. t2, retiring a signature: the RRSIG is now made with the new ZSK; both keys remain published. t3, retiring the previous key: the old ZSK is removed.]
Slide 55: Rollover Process (ZSK) <Double-signature>
[Timeline: t0: the old ZSK and its RRSIG. t1, introducing a new key and signature: the new ZSK and a second RRSIG are published alongside the old pair. t2, retiring the previous key and signature: the old ZSK and its RRSIG are removed.]
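The three ZSK rollover timelines above (abrupt, pre-publish, double-signature) and the cache problem behind "Can't verify the signature!" can be reproduced with a small simulation. This is an added example, not the authors' code or data: a zone is a timeline of (time, published ZSK ids, ZSK ids that signed the A RRset), and a validating resolver caches each RRset for its TTL, so it only sees a new DNSKEY RRset once its cached copy expires. The DNSKEY TTL of 3600 s is the slide's; the 300 s A-record TTL is a constructed assumption.

```python
"""Cache-aware simulation of the ZSK rollover schemes: abrupt, pre-publish, double-signature.

Added example code, not from the talk. Validation of an A answer succeeds only if one of
its RRSIGs was made by a key in the resolver's (possibly stale) cached DNSKEY RRset; an
empty intersection is the "missing-zsk" failure from the scenario table."""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

DNSKEY_TTL = 3600   # TTL from the "abrupt changes" slide
A_TTL = 300         # constructed: A records usually carry short TTLs
Keys = FrozenSet[str]
Event = Tuple[int, Keys, Keys]  # (seconds after t0, DNSKEY RRset, keys that signed the A RRset)


def zone_at(timeline: List[Event], t: int) -> Tuple[Keys, Keys]:
    """Zone contents at time t: the most recent event at or before t."""
    keys, sigs = timeline[0][1], timeline[0][2]
    for when, k, s in timeline:
        if when <= t:
            keys, sigs = k, s
    return keys, sigs


class Resolver:
    """Validating resolver with a per-RRset TTL cache."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[int, Keys]] = {}  # rrset name -> (expiry, contents)

    def _lookup(self, name: str, t: int, ttl: int, fetch: Callable[[], Keys]) -> Keys:
        entry = self.cache.get(name)
        if entry is None or entry[0] <= t:  # not cached or expired: ask the zone again
            entry = (t + ttl, fetch())
            self.cache[name] = entry
        return entry[1]

    def validate_a(self, timeline: List[Event], t: int) -> bool:
        keys = self._lookup("DNSKEY", t, DNSKEY_TTL, lambda: zone_at(timeline, t)[0])
        sigs = self._lookup("A+RRSIG", t, A_TTL, lambda: zone_at(timeline, t)[1])
        return bool(keys & sigs)  # empty: no RRSIG is covered by a key the resolver knows


def first_failure(timeline: List[Event], horizon: int = 4 * 3600,
                  step: int = 60) -> Optional[Tuple[int, int]]:
    """Earliest (resolver start time, query time) at which validation fails, trying resolvers
    that first fill their caches at every `step` within one DNSKEY TTL; None if none fail."""
    for start in range(0, DNSKEY_TTL, step):
        resolver = Resolver()
        for t in range(start, horizon, step):
            if not resolver.validate_a(timeline, t):
                return start, t
    return None


K1: Keys = frozenset({"ZSK1"})
K2: Keys = frozenset({"ZSK2"})
# Abrupt: at t0 + 1200 the old key and its RRSIG simply disappear.
ABRUPT: List[Event] = [(0, K1, K1), (1200, K2, K2)]
# Pre-publish: publish ZSK2; after a DNSKEY TTL re-sign with ZSK2; after an A TTL drop ZSK1.
PRE_PUBLISH: List[Event] = [(0, K1, K1), (1200, K1 | K2, K1),
                            (1200 + DNSKEY_TTL, K1 | K2, K2),
                            (1200 + DNSKEY_TTL + A_TTL, K2, K2)]
# Double-signature: publish ZSK2 and a second RRSIG; after the longer TTL drop ZSK1 and its RRSIG.
DOUBLE_SIGNATURE: List[Event] = [(0, K1, K1), (1200, K1 | K2, K1 | K2),
                                 (1200 + DNSKEY_TTL, K2, K2)]
# Pre-publish done too fast: the signature switches before cached DNSKEY RRsets can expire.
HASTY_PRE_PUBLISH: List[Event] = [(0, K1, K1), (1200, K1 | K2, K1),
                                  (1800, K1 | K2, K2), (2100, K2, K2)]

if __name__ == "__main__":
    for name, timeline in [("abrupt", ABRUPT), ("pre-publish", PRE_PUBLISH),
                           ("double-signature", DOUBLE_SIGNATURE),
                           ("hasty pre-publish", HASTY_PRE_PUBLISH)]:
        print(f"{name:18s} first validation failure (start, t): {first_failure(timeline)}")
```

The hasty variant fails at exactly t0 + 1800 for a resolver that cached the DNSKEY RRset at t0, the situation drawn on slide 53, while the two schemes that wait out the TTLs never fail.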
Slide 56: Rollover Process (KSK) <Double-signature>
[Timeline, parent zone and child zone: t0: the parent holds the DS record for the old KSK; the child signs its DNSKEY RRset (KSK, ZSK) with the old KSK. t1: a new KSK is added and the DNSKEY RRset carries RRSIGs from both KSKs; the DS at the parent still points to the old KSK. t2: the parent’s DS record is replaced by the DS record of the new KSK. t3: the old KSK and its RRSIG are removed from the child zone.]
Slide 57: Rollover Process (KSK) <Double-DS>
[Timeline, parent zone and child zone: t0: the parent holds the DS record for the old KSK, which signs the child’s DNSKEY RRset. t1: a second DS record, for the new KSK, is added at the parent alongside the old one. t2: the child replaces the old KSK with the new KSK, which now signs the DNSKEY RRset. t3: the old DS record is removed from the parent.]
![Page 58: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/58.jpg)
ZSK Rollovers
58
Scheme .com .org
No ZSK Rollovers 279,935 27,166
Abrupt 5,527 66
Double Signatures 58,807 9,615
Pre-publish 259,327 33,518
![Page 59: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/59.jpg)
ZSK Rollovers
59
(Same table as slide 58.) Callout on DNSKEY (ZSK):
Nearly 45% of domains DO NOT switch their DNSKEYs
![Page 60: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/60.jpg)
KSK Rollovers
60
Scheme .com .net .org
No KSK Rollovers 621,213 93,558 65,704
Abrupt 17,724 3,183 1,710
Double Signatures 219,547 46,092 32,206
![Page 61: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/61.jpg)
KSK Rollovers
61
(Same table as slide 60.) Callout on DNSKEY (KSK):
Nearly 70% of domains DO NOT switch their DNSKEYs
![Page 62: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/62.jpg)
Superfluous Signatures
62
Figure: .com holds the DS record (= hash of example.com's key signing key (KSK)). In example.com, the DNSKEYs carry an RRSIG of DNSKEY made with the KSK and a second RRSIG of DNSKEY made with the zone signing key (ZSK); the A records carry an RRSIG of A made with the ZSK.
Unnecessary, but not evil!
61% of domains sign their DNSKEY twice! So what?
![Page 63: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/63.jpg)
DNSKEY Fragmentation
63
Figure: CDF of DNSKEY message size (x-axis 0 to 3,000 bytes, y-axis 0 to 1), with vertical lines at 1,232 bytes (IPv6 limits) and 1,472 bytes (IPv4 limits). Series: RRSIGs made by the KSK only.
0.01% experience fragmentation
![Page 64: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/64.jpg)
DNSKEY Fragmentation
64
Figure: same CDF of DNSKEY message size, with the 1,232-byte (IPv6) and 1,472-byte (IPv4) limits. Series: RRSIGs made by the KSK only; RRSIGs made by both ZSK and KSK.
0.8% experience fragmentation
60.7% of them could have avoided fragmentation
![Page 65: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/65.jpg)
DNSKEY Fragmentation
65
Figure: same CDF of DNSKEY message size, with the 1,232-byte (IPv6) and 1,472-byte (IPv4) limits. Series: RRSIGs made by the KSK only; RRSIGs made by both ZSK and KSK; RRSIGs made by both ZSK and KSK with 2,048-bit keys.
4.6% experience fragmentation (a 5x increase)
Superfluous signatures increase the chance of fragmentation.
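An added estimate, not the authors' measurement code, of how a zone's DNSKEY response grows with each extra RRSIG and with 2,048-bit keys, compared against the 1,232 and 1,472 byte limits on the slides. It assumes RSA keys with a 3-byte public exponent, name compression for every name after the question, and an empty EDNS0 OPT record; the scenarios are constructed.

```python
# Wire-size model (added example) following RFC 1035, RFC 4034 and RFC 6891.
DNS_HEADER = 12
OPT_RR = 11                      # EDNS0 pseudo-record with empty RDATA
RR_FIXED = 2 + 2 + 2 + 4 + 2     # compressed name, type, class, TTL, RDLENGTH
LIMITS = {"IPv6": 1232, "IPv4": 1472}   # the two limits shown on the slides

def wire_name(name):
    # one length byte per label, plus the terminating root byte
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1

def rsa_dnskey_rr(bits):
    # flags(2) protocol(1) algorithm(1), exponent length(1), e=65537 (3), modulus
    return RR_FIXED + 4 + 1 + 3 + bits // 8

def rsa_rrsig_rr(bits):
    # 18 fixed RDATA bytes, compressed signer name, signature of modulus size
    return RR_FIXED + 18 + 2 + bits // 8

def dnskey_response_size(qname, key_bits, signer_bits):
    """key_bits: modulus size of each published DNSKEY; signer_bits: modulus
    size of each key whose RRSIG covers the DNSKEY RRset."""
    size = DNS_HEADER + wire_name(qname) + 4          # header + question
    size += sum(rsa_dnskey_rr(b) for b in key_bits)
    size += sum(rsa_rrsig_rr(b) for b in signer_bits)
    return size + OPT_RR

def fragments(size):
    """Which of the slide's per-family limits this payload exceeds."""
    return [family for family, limit in LIMITS.items() if size > limit]

# Constructed scenarios: KSK-only RRSIG, the superfluous ZSK+KSK RRSIGs, the
# same with 2,048-bit keys, and a double-signature KSK rollover in progress.
SCENARIOS = {
    "KSK sig only, 2048/1024": ([2048, 1024], [2048]),
    "KSK+ZSK sigs, 2048/1024": ([2048, 1024], [2048, 1024]),
    "KSK+ZSK sigs, all 2048": ([2048, 2048], [2048, 2048]),
    "KSK+ZSK sigs, all 2048, KSK rollover": ([2048] * 3, [2048] * 3),
}

if __name__ == "__main__":
    for label, (keys, signers) in SCENARIOS.items():
        n = dnskey_response_size("example.com.", keys, signers)
        print(f"{label}: {n} bytes, exceeds {fragments(n) or 'no'} limit")
```

The superfluous ZSK signature costs a full signature's worth of bytes on every DNSKEY response, so a rollover that temporarily doubles keys and signatures is what pushes a 2,048-bit zone past both limits.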
![Page 66: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/66.jpg)
Hola Unblocker
66
Figure: HTTP GET netflix.com
![Page 67: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/67.jpg)
Hola Luminati
67
Figure: a Luminati user's HTTP GET example.com is relayed through a Hola user to example.com.
![Page 68: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/68.jpg)
Figure: Measurement Client, Exit Node, Exit Node's DNS Resolver, DNS & Web server (testbed.com). The client's HTTP GET testbed.com goes through the exit node; the exit node's DNS resolver performs the DNS lookup and receives the DNSSEC response from testbed.com's server.
68
![Page 69: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/69.jpg)
We measured 403,355 nodes and their 59,513 resolvers!
69
![Page 70: A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure reasons Invalid Signature.com.net.org Expired Invalid Signatures DNSKEY RRSIGs](https://reader033.vdocuments.site/reader033/viewer/2022050310/5f71fba581a3b94cc00c770a/html5/thumbnails/70.jpg)
Figure: Measurement Client, Super Proxy, Exit Node, Exit Node's DNS Server. The HTTP GET testbed.com goes through the super proxy to the exit node; the exit node's DNS server resolves testbed.com and the DNS response comes back along the same path.
70