Assessing and Improving the Quality of DNSSEC Deployment - - PowerPoint PPT Presentation



SLIDE 1

Assessing and Improving the Quality of DNSSEC Deployment

Casey Deccio, Ph.D., Sandia National Laboratories

AIMS-4, CAIDA, SDSC, San Diego, CA, Feb 9, 2012

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

SLIDE 2

Outline

• DNSSEC protocol review
• DNSSEC maintenance and misconfiguration
• DNSSEC survey and results
• Conclusions and solutions

SLIDE 3

DNS Security Extensions (DNSSEC)

• RRsets signed with zone's private key(s)
• Signatures covering RRsets returned by server as RRSIGs
• Public keys published in zone data as DNSKEYs
• Resolver validates response
  If authentic: Authenticated data (AD) bit is set
  If bogus: SERVFAIL message is returned

(Figure: stub resolver, recursive/validating resolver and the bar.com authoritative server. The stub asks "www.bar.com/A ?"; the recursive resolver forwards "www.bar.com/A ?" and receives "192.0.2.16 + RRSIG"; it then asks "bar.com/DNSKEY ?" and receives "DNSKEY… + RRSIG"; after validating, it answers the stub "192.0.2.16" with the AD bit set.)

SLIDE 4

Scalable authentication via a chain of trust

• DNSKEY must be authenticated
• Resolver must have some notion of trust
• Trust extends through ancestry to a trust anchor at resolver
• DS resource record – provides digest of DNSKEY in child zone

(Figure: the resolver holds a trust anchor for the root (.) DNSKEY; the root zone data carries a DS for com; the com DNSKEY signs com's zone data, including a DS for bar.com; the bar.com DNSKEY signs bar.com's zone data.)
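
The DS digest and key tag computation that links a parent's DS to the child's DNSKEY on this slide, as an added Python example (not code from the talk or from DNSViz). The key material and the bar.com owner name are constructed; the serialization and digest types follow RFC 4034 and RFC 4509.

```python
import hashlib

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Serialize DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for the obsolete RSA/MD5 algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return DS_DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def ds_matches(ds, owner, rdata):
    """Does a parent DS (key_tag, algorithm, digest_type, digest) match this child DNSKEY?
    No DNSKEY matching the DS is the 'DS Mismatch' condition from the misconfiguration slide."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata)
            and alg == rdata[3]
            and digest.upper() == ds_digest(owner, rdata, dtype))

# Constructed KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 8 (RSA/SHA-256),
# with a dummy 4-byte "public key"; real keys are hundreds of bytes long.
CHILD_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
PARENT_DS = (key_tag(CHILD_KEY), 8, 2, ds_digest("bar.com.", CHILD_KEY))

if __name__ == "__main__":
    print("key tag:", key_tag(CHILD_KEY))
    print("parent DS matches child DNSKEY:", ds_matches(PARENT_DS, "bar.com.", CHILD_KEY))
    # A KSK rollover that never reaches the parent leaves a stale DS behind.
    rolled = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
    print("stale DS after rollover:", ds_matches(PARENT_DS, "bar.com.", rolled))
```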

SLIDE 5

Backwards compatibility… kind of

• If no secure link exists between parent and child, referring (parent) server must prove non-existence of DS RRs
• NSEC/NSEC3 resource records provide authenticated denial of existence
• Child zones of insecure delegations may be unsigned or signed ("islands of security")

(Figure: the resolver's trust anchor covers the root (.) DNSKEY; the root zone data carries a DS for net; the net zone data carries an NSEC proving that no DS exists for baz.net; baz.net has its own DNSKEY and zone data but no secure link from its parent.)

SLIDE 6

DNSSEC validation status

• Secure – unbroken chain from anchor to RRset

(Image from http://dnsviz.net/)

SLIDE 7

DNSSEC validation status

• Insecure – chain that securely terminates (i.e., insecure delegation)

(Image from http://dnsviz.net/, with the secure chain termination marked)

SLIDE 8

DNSSEC validation status

• Bogus – broken chain

(Image from http://dnsviz.net/, with the break in the chain marked)

SLIDE 9

Outline

• DNSSEC protocol review
• DNSSEC maintenance and misconfiguration
• DNSSEC survey and results
• Conclusions and solutions

SLIDE 10

DNSSEC Maintenance

• RRSIG refresh
• DNSKEY rollovers
  • ZSK rollovers – non-SEP (secure entry point), self-contained
  • KSK rollovers – SEP, requires interaction with parent or trust anchor
• Algorithm changes

SLIDE 11

DNSSEC Misconfiguration

• DS Mismatch – No DNSKEY matching DS in parent zone
• DNSKEY Missing – DNSKEY not available to validate RRSIG
• NSEC Missing – NSEC RRs not returned by authoritative server
• RRSIG Missing – RRSIGs not returned by some servers
• RRSIG Bogus – Signature in RRSIG does not validate
• RRSIG Dates – Expired or premature RRSIG dates
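
A check for the RRSIG Dates condition listed above, combined with the early warning an operator needs for the RRSIG refresh task on the maintenance slide, as an added Python example that is not from the talk. The RRSIG records and the observation time are constructed; the refresh lead time of seven days is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

SIG_TIME = "%Y%m%d%H%M%S"  # presentation format of RRSIG inception/expiration fields

def parse_sig_time(s):
    """RRSIG times are UTC; RFC 4034 section 3.1.5 compares them with 32-bit serial
    arithmetic, which plain datetimes match except at the 2106 wraparound."""
    return datetime.strptime(s, SIG_TIME).replace(tzinfo=timezone.utc)

def rrsig_status(inception, expiration, now, refresh_lead=timedelta(days=7)):
    """Classify one RRSIG as 'premature', 'expired', 'expiring' or 'valid'.
    A validator treats premature and expired signatures as bogus (SERVFAIL);
    'expiring' is a maintenance warning: re-sign before the window closes."""
    inc, exp = parse_sig_time(inception), parse_sig_time(expiration)
    if now < inc:
        return "premature"
    if now > exp:
        return "expired"
    if exp - now <= refresh_lead:
        return "expiring"
    return "valid"

def check_rrsigs(records, now):
    """records: iterable of (owner, type covered, inception, expiration)."""
    return {(owner, rtype): rrsig_status(inc, exp, now)
            for owner, rtype, inc, exp in records}

# Constructed RRSIGs for one zone, as if observed on the date of this talk.
NOW = datetime(2012, 2, 9, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("bar.com.", "DNSKEY",     "20120201000000", "20120301000000"),  # valid
    ("bar.com.", "SOA",        "20120101000000", "20120131000000"),  # expired: refresh missed
    ("www.bar.com.", "A",      "20120210000000", "20120310000000"),  # premature: signer clock ahead
    ("mail.bar.com.", "A",     "20120120000000", "20120212000000"),  # expiring within the lead time
]

if __name__ == "__main__":
    for (owner, rtype), status in check_rrsigs(SAMPLE, NOW).items():
        print(f"{owner} {rtype}: {status}")
```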

SLIDE 12

DNSSEC is hard.

SLIDE 13

Jan 10, 2012 – Comcast turned on DNSSEC validation for all its residential customers.

http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html

SLIDE 14

Jan 18, 2012 – Comcast customers could not access nasa.gov.

http://forums.comcast.com/t5/Connectivity-and-Modem-Help/NASA-gov-blocked/td-p/1169657
http://nasawatch.com/archives/2012/01/comcast-blocks.html

SLIDE 15

Jan 22, 2012 – Comcast customers could not access bitcoinica.com.

http://www.reddit.com/r/Bitcoin/comments/orzpq/attention_comcast_users_we_have_been_censored/

SLIDE 16

Comcast is clearly "censoring" these sites. But why? Enter DNSViz…

SLIDE 17

DNSViz

• Actively monitors domains from single vantage point
• Makes results available for visual analysis at http://dnsviz.net/

(Figure: the DNSViz server querying com, foo.com and bar.com.)

SLIDE 18 (image only)

SLIDE 19 (image only)

SLIDE 20

But, they "fixed" it…

SLIDE 21

Outline

• DNSSEC protocol review
• DNSSEC maintenance and misconfiguration
• DNSSEC survey and results
• Conclusions and solutions

SLIDE 22

DNSSEC deployment survey

• Polled ~2,700 production signed zones over a year time frame (May 2010 – July 2011)
• Validation of SOA RR analyzed several times daily, anchored at ISC DLV or root zone (after July 2010 root signing)
• Identified maintenance and misconfigurations

SLIDE 23

Survey breakdown by TLD

(Bar chart: number of zones and number of zones with misconfiguration per TLD; y-axis "Zones", 0 to 900; x-axis "TLD".)

SLIDE 24

RRSIG lifetimes

(CDF: y-axis 0 to 1; x-axis "Days", 30 to 360; series "RRSIG(DNSKEY) all zones" and "RRSIG(DNSKEY) zones with expired RRSIG".)

SLIDE 25

DNSKEY rollovers

Key role   Zones that did not roll key (0)   Zones that rolled key once (1)   Zones that rolled key more than once (>1)
ZSK        37%                               11%                              52%
KSK        72%                               17%                              10%

SLIDE 26

DNSKEY lifetime

(CDF: y-axis 0 to 1; x-axis "Days", 30 to 390; series "KSK lifetime", "ZSK lifetime" and "KSK lifetime (zones w/ bad rollover)".)

SLIDE 27

Misconfigurations by type

(Stacked bar chart: y-axis 0 to 3000, stacked as "Incremental", "Partial" and "Complete"; x-axis categories DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates.)

SLIDE 28

Event duration

(CDF: y-axis 0 to 1; x-axis 1 to 15; one series per misconfiguration type: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates.)

SLIDE 29

Repeat offense rate

(Bar chart: y-axis 0 to 0.6; x-axis categories DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates.)

SLIDE 30

IPv6 analysis

SLIDE 31

IPv6 inconsistencies

SLIDE 32

Outline

• DNSSEC protocol review
• DNSSEC maintenance and misconfiguration
• DNSSEC survey and results
• Conclusions and solutions

SLIDE 33

Summary of Observations

• Resolver operators are learning about third-party DNSSEC misconfigurations from their customers.
• Administrators aren't detecting and correcting their DNSSEC problems in a timely fashion.
• Administrators aren't learning from past mistakes.

SLIDE 34

Solutions

• Tools for comprehensive DNSSEC analysis
  • Hierarchical analysis (chain of trust)
  • Dependency analysis (CNAME, MX, NS, etc.)
  • Server consistency analysis
  • Pointers to specification
  • Resources for corrective action
• Tools/resources for detection/notification of misconfiguration
  • Individual monitoring and alerts
  • Global monitoring and alerts

SLIDE 35

DNSViz – future plans

• Expansion of detailed analysis
• Passive monitoring, in addition to active monitoring
  • Diverse backend support, e.g., ISC Security Information Exchange (SIE)
  • Prioritized active probing
  • Alerts of misconfiguration
• RESTful API for programmatic third-party monitoring
• Cache analysis/local perspective
• Availability of software for diverse uses

SLIDE 36 (image only)

SLIDE 37

Questions?

ctdecci@sandia.gov