Measuring KSK Roll Readiness - APNIC · 2017. 11. 11.
Measuring KSK Roll Readiness
Geoff Huston, APNIC Labs
The DNS may look simple
For the DNS, looks are very deceiving
What we would like the DNS to be
(diagram: Client → DNS Resolver → DNS Server)
What we suspect is more like the DNS
(diagram: Client → DNS Resolver → many further layers of forwarding DNS Resolvers → DNS Server)
Signalling via Queries
(diagram: Client → DNS Resolver → many further layers of forwarding DNS Resolvers → Server)
The query contains information which passes inward in the DNS towards the authoritative server(s)
Signalling via Responses
(diagram: Client ← DNS Resolver ← many further layers of forwarding DNS Resolvers ← Server)
The response contains information which passes backward in the DNS towards the original querier
KSK Roll Measurement Objective
What number of users are at risk of being impacted by the KSK Roll?
• There are two risk elements for resolvers:
  • Unable to receive a 1,414 octet UDP response from the root servers (query for the DNSKEY RR from the root zone)
  • Failure to follow the RFC 5011 key introduction procedure
• In either case the resolver outcome is the same: not loading the incoming trust key into the local trusted key store
  • And if the user passes queries only to these affected resolvers then the roll will cause a loss of DNS service
Measuring Resolvers via RFC 8145 Signaling
Getting resolvers to report on their local trusted key state
• Resolvers that support the RFC 8145 signal mechanism periodically include the key tags of their locally trusted keys in a query directed towards the root servers
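To make the RFC 8145 signal concrete, here is an added example (not code from the APNIC slides or from any resolver implementation) that computes the key tag a resolver would report for a trust anchor, builds the QNAME form of the signal, and reads it back the way a root operator's collector would. Assumptions: the key tag follows RFC 4034 Appendix B; the QNAME form "_ta-<tag>[-<tag>...]" with lowercase 4-digit hex tags is as this example's author recalls it from RFC 8145 section 5.2; the DNSKEY RDATA and the list of observed signal names are constructed sample data, not real root keys or real root traffic.

```python
"""Added example: RFC 4034 key tags and the RFC 8145 QNAME signal (assumed form)."""
import re
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 octets), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rfc8145_qname(trusted_tags) -> str:
    """QNAME a resolver sends to the root to signal its trusted key tags.
    Assumed form: "_ta-" then 4-digit lowercase hex tags joined by "-".
    Tags are sorted here only so the name is deterministic."""
    tags = "-".join(f"{t:04x}" for t in sorted(set(trusted_tags)))
    return f"_ta-{tags}."


def parse_rfc8145_qname(qname: str):
    """Root-side view: the key tags a querying resolver claims to trust,
    or None when the QNAME is not a signal."""
    first_label = qname.lower().split(".", 1)[0]
    if not first_label.startswith("_ta-"):
        return None
    parts = first_label.split("-")[1:]
    if not parts or any(not re.fullmatch(r"[0-9a-f]{4}", p) for p in parts):
        return None
    return sorted(int(p, 16) for p in parts)


def tally_signals(qnames, new_ksk_tag: int) -> dict:
    """Count signalling resolvers that do / do not yet trust the new KSK.
    Note what this counts: querying resolvers, not users, and only those
    whose signal was not absorbed by a forwarder or a cache on the way."""
    counts = {"loaded": 0, "not_loaded": 0}
    for q in qnames:
        tags = parse_rfc8145_qname(q)
        if tags is None:
            continue
        counts["loaded" if new_ksk_tag in tags else "not_loaded"] += 1
    return counts


# Constructed sample keys (KSK flags 257, protocol 3, algorithm 8); not real root keys.
OLD_KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))  # key tag 2063
NEW_KSK = dnskey_rdata(257, 3, 8, bytes([5, 6, 7, 8]))  # key tag 4119

# Constructed sample of QNAMEs a root server might see from several resolvers.
SAMPLE_SIGNALS = [
    "_ta-080f-1017.",   # trusts both old and new key
    "_ta-080f.",        # old key only
    "www.example.",     # ordinary query, not a signal
    "_ta-080f.",        # old key only
]

if __name__ == "__main__":
    print("old tag", key_tag(OLD_KSK), "new tag", key_tag(NEW_KSK))
    print("signal for both:", rfc8145_qname([key_tag(OLD_KSK), key_tag(NEW_KSK)]))
    print(tally_signals(SAMPLE_SIGNALS, key_tag(NEW_KSK)))
```

The tally is the number the later slides warn about: it reflects resolvers that reach the root, so a resolver hidden behind a forwarder, or whose signal was answered from an intermediate cache, is simply absent from it.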
What did we see at (some) roots?
Duane Wessels, VeriSign: "RFC 8145 Signaling Trust Anchor Knowledge In DNS Security Extensions", presentation to the DNSSEC Workshop @ ICANN60, 1 Nov 2017
https://schd.ws/hosted_files/icann60abudhabi2017/ea/Duane%20Wessels-VeriSign-RFC%208145-Signaling%20Trust%20Anchor%20Knowledge%20in%20DNS%20Security%20Extensions.pdf
What is this saying?
• It's clear that there is some residual set of resolvers that are signalling that they have not yet learned to trust the new KSK key
• But it's not clear if:
  • This is an accurate signal about the state of this resolver
  • This is an accurate signal about the identity of this resolver
  • How many users sit 'behind' this resolver
  • Whether these users rely solely on this resolver, or if they also have alternate resolvers that they can use
  • What proportion of all users are affected
Why?
• Because the DNS does not disclose the antecedents of a query
  • If A forwards a query to B, who queries a root server, then if the query contains an implicit signal (as in this case) it appears that B is querying, not A
  • At no time is the user made visible in the referred query
• Because of caching
  • If A and B both forward their queries via C, then it may be that one or both of these queries are answered from C's cache
  • In this case the signal is being suppressed
• Because it's actually measuring a cause, not the outcome
  • It's measuring resolvers' uptake of the new KSK, but is not able to measure the user impact of this
User-Side Measurement
Can we devise a DNS query that could reveal the state of the trusted keys of the resolvers back to the user?
• Not within the current parameters of DNSSEC and/or resolver behaviour
User-Side Measurement
Can we devise a DNS query that could reveal the state of the trusted keys of the resolvers back to the user?
• What if we could change resolver behaviour?
  • Just as RFC 8145 required a change in resolver behaviour
  • What about a change to the resolver's reporting of validation outcome depending on the resolver's local trusted key state?
  • If a query contains the label "_is-ta-<key-tag>" then a validating resolver will report validation failure if the key is NOT in the local trusted key store
  • If a query contains the label "_not-ta-<key-tag>" then a validating resolver will report validation failure if the key IS in the local trusted key store
User-Side Resolver Measurement
Three DNS queries:
1. _is-ta-4066.<some.signed.domain>
2. _not-ta-4066.<some.signed.domain>
3. <badly-signed>.<some.signed.domain>

Single Resolver Analysis:

| Resolver behaviour type | Query 1  | Query 2  | Query 3  |
|-------------------------|----------|----------|----------|
| Loaded new KSK          | A        | SERVFAIL | SERVFAIL |
| NOT loaded new KSK      | SERVFAIL | A        | SERVFAIL |
| Mechanism not supported | A        | A        | SERVFAIL |
| Not validating          | A        | A        | A        |
User-Side DNS Measurement
Multiple Resolver Analysis
A SERVFAIL response will cause the user to repeat the query to other configured resolvers. In a multi-resolver scenario, and where forwarders are used, we can still determine if the user will be impacted by the KSK roll.

| User impact  | Query 1  | Query 2  | Query 3  |
|--------------|----------|----------|----------|
| OK           | A        | SERVFAIL | SERVFAIL |
| NOT OK       | SERVFAIL | A        | SERVFAIL |
| UNKNOWN      | A        | A        | SERVFAIL |
| UNKNOWN      | SERVFAIL | SERVFAIL | SERVFAIL |
| NOT impacted | A        | A        | A        |
Measuring User Impact
• Create these tests in a scripted web page and allow users to test the state of their resolvers
• Load these tests into an online ad campaign and use the ad to pass the test to millions of users
• If the user can resolve Query 1, and SERVFAILs on Query 2 and Query 3, then the user is able to validate using the nominated key as a trusted key
• If the user SERVFAILs on Query 1, resolves Query 2 and SERVFAILs on Query 3, then the user is unable to validate using the nominated key as a trusted key
• Otherwise, if the user SERVFAILs on Query 3 then the result is indeterminate
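The sentinel label rules on the "User-Side Measurement" slide, the single-resolver table, the multi-resolver failover behaviour and the three classification rules above can all be exercised in one small model. The following is an added example written for this page; it is not code from the APNIC slides, from draft-huston-kskroll-sentinel, or from any resolver. Assumptions: the sentinel label is matched on any label of the query name (the slide says "contains the label"), the key tag in the label is decimal as in the slide's `_is-ta-4066`, whether a resolver validates, implements the sentinel, or trusts a given key tag is simply a parameter of the model, and `sentinel.example` is a placeholder for the signed domain.

```python
"""Added example: a model of the KSK sentinel test and the user-side classification."""
import re
from dataclasses import dataclass

A, SERVFAIL = "A", "SERVFAIL"
_IS_TA = re.compile(r"^_is-ta-(\d+)$")
_NOT_TA = re.compile(r"^_not-ta-(\d+)$")


@dataclass(frozen=True)
class Resolver:
    """Model of one recursive resolver (parameters, not measured facts)."""
    validating: bool                    # performs DNSSEC validation at all?
    sentinel: bool                      # implements the _is-ta / _not-ta rules?
    trusted_tags: frozenset = frozenset()  # key tags in its local trust store

    def answer(self, qname: str, badly_signed: bool) -> str:
        if not self.validating:
            return A                    # never checks signatures, always answers
        if badly_signed:
            return SERVFAIL             # ordinary DNSSEC validation failure
        if not self.sentinel:
            return A                    # validates correctly but ignores the labels
        for label in qname.rstrip(".").split("."):
            m = _IS_TA.match(label)
            if m and int(m.group(1)) not in self.trusted_tags:
                return SERVFAIL         # asked "is this a TA?" and it is not
            m = _NOT_TA.match(label)
            if m and int(m.group(1)) in self.trusted_tags:
                return SERVFAIL         # asked "is this not a TA?" but it is
        return A


ZONE = "sentinel.example"               # placeholder for <some.signed.domain>
KEY_TAG = 4066                          # the slide's example key tag
QUERIES = [                             # (qname, is the answer badly signed?)
    (f"_is-ta-{KEY_TAG}.{ZONE}", False),
    (f"_not-ta-{KEY_TAG}.{ZONE}", False),
    (f"badly-signed.{ZONE}", True),
]

# The four resolver types of the single-resolver table.
LOADED = Resolver(validating=True, sentinel=True, trusted_tags=frozenset({KEY_TAG}))
NOT_LOADED = Resolver(validating=True, sentinel=True, trusted_tags=frozenset({1234}))
NO_SENTINEL = Resolver(validating=True, sentinel=False, trusted_tags=frozenset({KEY_TAG}))
NON_VALIDATING = Resolver(validating=False, sentinel=False)


def single_resolver_row(resolver: Resolver) -> tuple:
    """Outcomes of the three queries against a single resolver."""
    return tuple(resolver.answer(q, bad) for q, bad in QUERIES)


def stub_resolve(resolvers, qname: str, badly_signed: bool) -> str:
    """User's stub resolver: try configured resolvers in order, move on at SERVFAIL."""
    for r in resolvers:
        if r.answer(qname, badly_signed) == A:
            return A
    return SERVFAIL


def user_row(resolvers) -> tuple:
    """Outcomes the user sees with a list of configured resolvers."""
    return tuple(stub_resolve(resolvers, q, bad) for q, bad in QUERIES)


def classify(row: tuple) -> str:
    """The three rules from the 'Measuring User Impact' slide, plus the
    all-A row of the table (no validating resolver in the path)."""
    if row == (A, SERVFAIL, SERVFAIL):
        return "OK"                     # can validate with the nominated key
    if row == (SERVFAIL, A, SERVFAIL):
        return "NOT OK"                 # cannot validate with the nominated key
    if row == (A, A, A):
        return "NOT impacted"
    return "UNKNOWN"                    # indeterminate (SERVFAIL on Query 3)


if __name__ == "__main__":
    for name, r in [("Loaded new KSK", LOADED), ("NOT loaded new KSK", NOT_LOADED),
                    ("Mechanism not supported", NO_SENTINEL), ("Not validating", NON_VALIDATING)]:
        print(f"{name:24} {single_resolver_row(r)}")
    for cfg in ([NOT_LOADED, NOT_LOADED], [NOT_LOADED, LOADED], [LOADED, NON_VALIDATING]):
        print(user_row(cfg), "->", classify(user_row(cfg)))
```

The model reproduces the two tables from the slides: a mixed configuration such as one not-loaded and one loaded resolver yields A, A, SERVFAIL and is classed UNKNOWN, because from the user's side it is indistinguishable from a resolver that validates but does not implement the sentinel; a loaded validating resolver paired with a non-validating one yields A, A, A, since the non-validating resolver answers whatever the first one refuses.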
Privacy and Security Considerations
• This test itself does not reveal which resolvers are used by end users in resolving names
• The query itself need not contain any end-user identifying material
• The methodology never changes "insecure" to "authenticated"; it will only change "authenticated" to "insecure", depending on the resolver's local trusted key state when resolving certain labels
• Anyone can set up a test condition within their delegated part of the DNS
• The results of the test are passed back only to the user, in the form of a resolution outcome
A Description of the Mechanism
draft-huston-kskroll-sentinel
Thanks!