  1. Assessing and Improving the Quality of DNSSEC Deployment
     Casey Deccio, Ph.D., Sandia National Laboratories
     AIMS-4, CAIDA, SDSC, San Diego, CA, Feb 9, 2012
     Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

  2. Outline
     - DNSSEC protocol review
     - DNSSEC maintenance and misconfiguration
     - DNSSEC survey and results
     - Conclusions and solutions

  3. DNS Security Extensions (DNSSEC)
     - RRsets signed with zone’s private key(s)
     - Signatures covering RRsets returned by server as RRSIGs
     - Public keys published in zone data as DNSKEYs
     - Resolver validates response
       - If authentic: Authenticated Data (AD) bit is set
       - If bogus: SERVFAIL message is returned
     Diagram (stub resolver, recursive/validating resolver, authoritative server):
       Query: www.bar.com/A ?          stub -> recursive -> authoritative
       Answer: 192.0.2.16 + RRSIG      authoritative -> recursive
       Query: bar.com/DNSKEY ?         recursive -> authoritative
       Answer: DNSKEY… + RRSIG         authoritative -> recursive
       Recursive resolver validates bar.com, then answers the stub: 192.0.2.16 with AD bit set

  4. Scalable authentication via a chain of trust
     - DNSKEY must be authenticated
     - Resolver must have some notion of trust
     - Trust extends through ancestry to a trust anchor at resolver
     - DS resource record: DS in the parent zone provides a digest of a DNSKEY in the child zone
     Diagram: resolver trust anchor -> "." (DNSKEY, zone data, DS) -> "com" (DNSKEY, zone data, DS) -> "bar.com" (DNSKEY, zone data)

  5. Backwards compatibility… kind of
     - If no secure link exists between parent and child, the referring (parent) server must prove non-existence of DS RRs
     - NSEC/NSEC3 resource records provide authenticated denial of existence
     - Child zones of insecure delegations may be unsigned or signed (“islands of security”)
     Diagram: resolver trust anchor -> "." (DNSKEY, zone data, DS) -> "net" (DNSKEY, zone data, NSEC instead of DS) -> "baz.net" (zone data)

  6. DNSSEC validation status
     - Secure: unbroken chain from anchor to RRset
     (Image from http://dnsviz.net/)

  7. DNSSEC validation status
     - Insecure: chain that securely terminates (i.e., insecure delegation)
     (Image from http://dnsviz.net/: secure chain termination)

  8. DNSSEC validation status
     - Bogus: broken chain
     (Image from http://dnsviz.net/: break in chain)
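The three validation outcomes on slides 6-8 follow from walking the chain of trust on slides 4-5 link by link. The following added example (not code from the deck or from DNSViz) encodes that walk over a simplified model: each delegation is summarised by a few booleans that a validator would have already established, and the constructed chains below are sample data, not real zones. It shows the case the "islands of security" bullet hints at: a signed zone under an insecure delegation still validates as Insecure, not Secure.

```python
"""Classify a chain of trust as Secure, Insecure or Bogus (slides 6-8).

Simplified model: the chain is a list of delegation links from the trust
anchor down to the zone holding the queried RRset. The first link's
ds_present/ds_matches stand for "a configured trust anchor matches the
zone's DNSKEY". All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Link:
    zone: str            # child zone this link leads to
    ds_present: bool     # parent (or trust anchor) publishes DS for the child
    ds_matches: bool     # at least one DS digest matches a child DNSKEY
    denial_proven: bool  # parent returned authenticated NSEC/NSEC3 proving no DS
    rrsigs_valid: bool   # child's RRSIGs (including over its DNSKEY RRset) verify


def validation_status(chain: List[Link]) -> str:
    """Walk from the anchor downward; the first link that is neither a secure
    link nor a securely proven insecure delegation breaks the chain."""
    for link in chain:
        if link.ds_present:
            # Secure link only if the DS points at a key that actually signs.
            if not (link.ds_matches and link.rrsigs_valid):
                return "Bogus"
            continue
        if link.denial_proven:
            # Chain securely terminates: everything below is unvalidated,
            # even if a descendant is itself signed (island of security).
            return "Insecure"
        # No DS and no authenticated denial of its existence.
        return "Bogus"
    return "Secure"


# Constructed chains mirroring the deck's diagrams (bar.com under com,
# baz.net under an insecure net delegation).
ROOT = Link(".", True, True, False, True)
COM = Link("com", True, True, False, True)
NET = Link("net", True, True, False, True)

SECURE_CHAIN = [ROOT, COM, Link("bar.com", True, True, False, True)]
# baz.net is signed, but net proved there is no DS for it.
ISLAND_CHAIN = [ROOT, NET, Link("baz.net", False, False, True, True)]
# bar.com's DS in com no longer matches any DNSKEY (DS Mismatch).
MISMATCH_CHAIN = [ROOT, COM, Link("bar.com", True, False, False, True)]
# com returned neither DS nor an NSEC/NSEC3 denial (NSEC Missing).
NO_PROOF_CHAIN = [ROOT, COM, Link("bar.com", False, False, False, True)]


def demo() -> dict:
    return {
        "bar.com": validation_status(SECURE_CHAIN),
        "baz.net": validation_status(ISLAND_CHAIN),
        "bar.com (DS mismatch)": validation_status(MISMATCH_CHAIN),
        "bar.com (no DS, no NSEC)": validation_status(NO_PROOF_CHAIN),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The model deliberately leaves out how each boolean is obtained (digest comparison, signature verification, NSEC span checks); it only fixes the decision order a validator applies once those facts are known.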

  9. Outline
     - DNSSEC protocol review
     - DNSSEC maintenance and misconfiguration
     - DNSSEC survey and results
     - Conclusions and solutions

  10. DNSSEC maintenance
      - RRSIG refresh
      - DNSKEY rollovers
        - ZSK rollovers: non-SEP (secure entry point), self-contained
        - KSK rollovers: SEP, requires interaction with parent or trust anchor
      - Algorithm changes

  11. DNSSEC misconfiguration
      - DS Mismatch: no DNSKEY matching DS in parent zone
      - DNSKEY Missing: DNSKEY not available to validate RRSIG
      - NSEC Missing: NSEC RRs not returned by authoritative server
      - RRSIG Missing: RRSIGs not returned by some servers
      - RRSIG Bogus: signature in RRSIG does not validate
      - RRSIG Dates: expired or premature RRSIG dates
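Two of the classes on this slide can be checked offline from the records alone, which is what a zone operator's pre-publication check or a monitor like the one described later in the deck would do. The added example below (not code from the deck or from DNSViz, standard library only) detects DS Mismatch by recomputing the DS digest from the child's DNSKEY RDATA as RFC 4034 section 5 specifies (digest over the canonical owner name followed by the DNSKEY RDATA), and RRSIG Dates by comparing inception/expiration against the current time in the 32-bit serial arithmetic of RFC 1982 that RFC 4034 section 3.1.5 requires. The DNSKEY bytes, DS records and timestamps are constructed sample values.

```python
"""Offline checks for DS Mismatch and RRSIG Dates (RFC 4034, RFC 1982).
All records below are constructed sample data, not real zone data."""
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name such as 'bar.com.'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """Digest field of the DS record that would cover this DNSKEY."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def check_ds(owner: str, ds_records, dnskey_rdatas) -> str:
    """'ok' if some parent DS matches some child DNSKEY, else 'DS Mismatch'.
    ds_records: iterable of (key_tag, algorithm, digest_type, digest)."""
    for tag, alg, dtype, digest in ds_records:
        if dtype not in DIGEST_ALGS:
            continue  # unsupported digest type cannot establish a match
        for rdata in dnskey_rdatas:
            if (rdata[3] == alg and key_tag(rdata) == tag
                    and ds_digest(owner, rdata, dtype) == digest):
                return "ok"
    return "DS Mismatch"


def serial_le(a: int, b: int) -> bool:
    """a <= b in 32-bit serial-number arithmetic (RFC 1982)."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def check_rrsig_dates(inception: int, expiration: int, now: int) -> str:
    """Classify an RRSIG's validity window relative to 'now' (all in seconds)."""
    if not serial_le(inception, now):
        return "RRSIG Dates (premature)"
    if not serial_le(now, expiration):
        return "RRSIG Dates (expired)"
    return "ok"


# Constructed child zone bar.com with a KSK (flags 257, protocol 3, alg 8).
KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(64, 128)))
# DS the parent should publish for KSK (digest type 2 = SHA-256).
GOOD_DS = (key_tag(KSK), 8, 2, ds_digest("bar.com.", KSK, 2))
# Stale DS for a previous KSK: a rollover whose DS update never reached the parent.
STALE_DS = (key_tag(OLD_KSK), 8, 2, ds_digest("bar.com.", OLD_KSK, 2))


def demo() -> dict:
    return {
        "ds_current": check_ds("bar.com.", [GOOD_DS], [KSK]),
        "ds_stale": check_ds("bar.com.", [STALE_DS], [KSK]),
        "sig_in_window": check_rrsig_dates(1_326_000_000, 1_327_000_000, 1_326_500_000),
        "sig_expired": check_rrsig_dates(1_326_000_000, 1_327_000_000, 1_328_000_000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the same DS comparison against every authoritative server's DNSKEY answer, rather than one, is what separates "Complete" from "Partial" misconfigurations in the survey later in the deck: a stale DS that matches on some servers but not others only shows up when each server is checked separately.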

  12. DNSSEC is hard.

  13. Jan 10, 2012 – Comcast turned on DNSSEC validation for all its residential customers.
      http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html

  14. Jan 18, 2012 – Comcast customers could not access nasa.gov.
      http://forums.comcast.com/t5/Connectivity-and-Modem-Help/NASA-gov-blocked/td-p/1169657
      http://nasawatch.com/archives/2012/01/comcast-blocks.html

  15. Jan 22, 2012 – Comcast customers could not access bitcoinica.com.
      http://www.reddit.com/r/Bitcoin/comments/orzpq/attention_comcast_users_we_have_been_censored/

  16. Comcast is clearly “censoring” these sites. But why?
      Enter DNSViz…

  17. DNSViz
      - Actively monitors domains from a single vantage point
      - Makes results available for visual analysis at http://dnsviz.net/
      Diagram: DNSViz server querying com, foo.com and bar.com

  18. (image slide)

  19. (image slide)

  20. But, they “fixed” it…

  21. Outline
      - DNSSEC protocol review
      - DNSSEC maintenance and misconfiguration
      - DNSSEC survey and results
      - Conclusions and solutions

  22. DNSSEC deployment survey
      - Polled ~2,700 production signed zones over a one-year time frame (May 2010 – July 2011)
      - Validation of SOA RR analyzed several times daily, anchored at ISC DLV or the root zone (after the July 2010 root signing)
      - Identified maintenance and misconfigurations

  23. Survey breakdown by TLD
      (bar chart per TLD: zones, and zones with misconfiguration; y-axis 0–900 zones)

  24. RRSIG lifetimes
      (CDF, x-axis 0–360 days: RRSIG(DNSKEY) for all zones vs. RRSIG(DNSKEY) for zones with an expired RRSIG)

  25. DNSKEY rollovers
      Key role | Zones that did not roll key (0) | Zones that rolled key once (1) | Zones that rolled key more than once (>1)
      ZSK      | 37%                             | 11%                            | 52%
      KSK      | 72%                             | 17%                            | 10%

  26. DNSKEY lifetime
      (CDF, x-axis 0–390 days: KSK lifetime, ZSK lifetime, KSK lifetime for zones with a bad rollover)

  27. Misconfigurations by type
      (stacked bar chart, y-axis 0–3000, series Incremental / Partial / Complete; categories DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates)

  28. Event duration
      (CDF, x-axis 1–15; series DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates)

  29. Repeat offense rate
      (bar chart, y-axis 0–0.6; categories DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates)

  30. IPv6 analysis

  31. IPv6 inconsistencies

  32. Outline
      - DNSSEC protocol review
      - DNSSEC maintenance and misconfiguration
      - DNSSEC survey and results
      - Conclusions and solutions

  33. Summary of observations
      - Resolver operators are learning about third-party DNSSEC misconfigurations from their customers.
      - Administrators aren’t detecting and correcting their DNSSEC problems in a timely fashion.
      - Administrators aren’t learning from past mistakes.

  34. Solutions
      - Tools for comprehensive DNSSEC analysis
        - Hierarchical analysis (chain of trust)
        - Dependency analysis (CNAME, MX, NS, etc.)
        - Server consistency analysis
        - Pointers to specification
        - Resources for corrective action
      - Tools/resources for detection/notification of misconfiguration
        - Individual monitoring and alerts
        - Global monitoring and alerts

  35. DNSViz – future plans
      - Expansion of detailed analysis
      - Passive monitoring, in addition to active monitoring
        - Diverse backend support, e.g., ISC Security Information Exchange (SIE)
        - Prioritized active probing
      - Alerts of misconfiguration
        - RESTful API for programmatic third-party monitoring
      - Cache analysis/local perspective
      - Availability of software for diverse uses

  36. (image slide)

  37. Questions?
      ctdecci@sandia.gov
