DNSSEC update, TF MNM, Lyon. Roland van Rijswijk, roland.vanrijswijk [at] surfnet.nl (PowerPoint presentation)


SLIDE 1

DNSSEC update

TF MNM, Lyon, February 16th 2011

Roland van Rijswijk, roland.vanrijswijk [at] surfnet.nl

SLIDE 2
  • SURFnet. We make innovation work

DNSSEC validation

  • Validation rate not rising very much
  • Interesting to see what will happen after .com signing


SLIDE 3

BIND issue with new DS

  • IMPORTANT: if you are running BIND as a validating resolver, you should upgrade ASAP
  • Bug in BIND causes the resolver not to pick up a new DS in the root zone correctly
  • > result: SERVFAILs for a (g)TLD
  • Hint: March 31st .com DS in root zone
  • See http://bit.ly/BIND-notice


SLIDE 4

More BIND trouble

  • We are lucky to be here today...
  • Last weekend .fr disappeared from the DNSSEC-signed Internet
  • Initial analysis by AFNIC shows that this is an NSEC3 bug in dynamic updates
  • So pay attention if you (plan to) use BIND in auto-signing/dynamic update mode
  • See also: http://bit.ly/bind-nsec3


SLIDE 5

Research into client behaviour

  • Until now the focus was on signing and validating
  • Limited interest in client behaviour (only studies into CPE hardware)
  • Joint study by SIDN (.nl) and TNO with live data from SURFnet
  • See how stub clients respond to e.g. SERVFAIL


SLIDE 6

The research

  • Stub clients can be found in many pieces of software and in many devices:
    • Operating System
    • Browser
    • E-mail client
    • VoIP handset
    • Mobile phone
    • etc.
  • Two methods of testing:
    • Lab environment where all parameters are ‘under control’ of the researchers
    • Live data from SURFnet resolvers (work-in-progress)


SLIDE 7

Results for Windows

  • Similar results for other browsers


Internet Explorer on Windows XP:

Response type     | IE | Win XP  | Total
Valid/NXDOMAIN    | x1 | x1      | x1
SERVFAIL/REFUSED  | x1 | x1      | x1
No response       | x1 | x5      | x5
Truncated         | x1 | 1 + TCP | 1 + TCP

Firefox on Windows 7:

Response type     | Firefox | Win 7   | Total
Valid/NXDOMAIN    | x1      | x1      | x1
SERVFAIL/REFUSED  | x1      | x1      | x1
No response       | x1      | x4      | x4
Truncated         | x1      | 1 + TCP | 1 + TCP

SLIDE 8

Results for UNIX-/BSD-like

  • In both cases:
    • Single authoritative NS; in case of primary + secondary -> x2
    • Only IPv4; in case of IPv6 -> x2


Firefox on Linux:

Response type         | Firefox | Linux   | Total
Valid                 | x1      | x1      | x1
NXDOMAIN/Partial      | x2      | x2      | x4
SERVFAIL/No Resp/REF  | x2      | x4      | x8
Truncated             | x1      | 1 + TCP | 1 + TCP

Safari on Mac OS X:

Response type         | Safari | Mac OS X | Total
Valid                 | x1     | x1       | x1
NXDOMAIN/Partial      | x1     | x2       | x2
SERVFAIL/No Resp/REF  | x1     | x4       | x4
Truncated             | x1     | 1 + TCP  | 1 + TCP

SLIDE 9

Causes and effects

  • On UNIX-/BSD-like systems: the cause seems to be a bad and outdated DNS implementation in glibc
  • > severely needs a rewrite
  • Firefox behaves differently on different OSes
  • Effect: query load can explode when certain events occur (e.g. signing error on a popular domain)
  • > N.B.: both resolver & authoritative feel the pain!


SLIDE 10

Further work

  • This issue requires more attention than it is getting
  • With .com signing around the corner we need to be prepared
  • Currently in progress: more work on ‘live’ data from our resolvers by TNO
  • > contributions are welcome (contact me)


SLIDE 11

The Chicken & Egg

  • There is a lot of discussion about the ‘chicken and egg’ problem of DNSSEC: if I sign my zone, will anyone validate?
  • Signer deployment seems to be on a roll
  • Validator deployment is unclear and not being measured


SLIDE 12

Measuring validators

  • The theory: measuring DNSKEY requests to authoritative name servers should reveal validating resolvers
  • The practice:
    • Working on a tool based on libpcap to monitor these queries
    • Running code available but still very rough
    • > some interesting results already
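As an added example (not the SURFnet libpcap tool mentioned on this slide), the Python below parses the UDP payload of DNS queries as an authoritative server would see them and counts DNSKEY queries per source address. It assumes that a validating resolver always sets the EDNS DO bit, so DNSKEY queries without DO are ignored, and the sample packets are constructed on documentation addresses rather than captured.

```python
import struct
from collections import Counter
QTYPE_DNSKEY = 48

def build_query(qname, qtype, do_bit=True):
    """Construct a query: header (RD set), one IN question, plus an EDNS OPT RR with DO if do_bit."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack(">6H", 0x1234, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    # OPT RR: root name, TYPE 41, UDP size 4096, ext-RCODE 0, version 0, flags DO=0x8000, RDLEN 0
    opt = (b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)) if do_bit else b""
    return header + name + struct.pack(">HH", qtype, 1) + opt

def parse_query(payload):
    """Return (qname, qtype, do_bit) for a query payload; None for responses or malformed data."""
    _, flags, qdcount, _, _, arcount = struct.unpack(">6H", payload[:12].ljust(12, b"\0"))
    if len(payload) < 12 or flags & 0x8000 or qdcount != 1:   # short, a response (QR=1), or not one question
        return None
    pos, labels = 12, []
    while pos < len(payload) and payload[pos]:
        ln = payload[pos]
        if ln & 0xC0 or pos + 1 + ln > len(payload):   # compression pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    pos += 5                                     # terminating zero label + QTYPE + QCLASS
    if pos > len(payload):
        return None
    qtype = struct.unpack(">H", payload[pos - 4:pos - 2])[0]
    # DO is bit 15 of the OPT RR's TTL field (RFC 6891); OPT lives in the additional section.
    has_opt = arcount and pos + 11 <= len(payload) and payload[pos:pos + 3] == b"\x00\x00\x29"
    do_bit = bool(has_opt and struct.unpack(">I", payload[pos + 5:pos + 9])[0] & 0x8000)
    return ".".join(labels) + ".", qtype, do_bit

def count_dnskey_queries(packets):
    """Per-source count of DNSKEY queries with DO set; DNSKEY without DO is assumed to be a manual lookup."""
    hits = Counter()
    for src, payload in packets:
        parsed = parse_query(payload)
        if parsed and parsed[1] == QTYPE_DNSKEY and parsed[2]:
            hits[src] += 1
    return hits

SAMPLE_PACKETS = [  # constructed traffic on RFC 5737 documentation addresses, not a real capture
    ("192.0.2.10", build_query("surfnet.nl.", QTYPE_DNSKEY)),   # validator fetching zone keys
    ("192.0.2.10", build_query("nl.", QTYPE_DNSKEY)),
    ("198.51.100.7", build_query("www.surfnet.nl.", 1)),        # plain A query from a non-validator
    ("203.0.113.5", build_query("surfnet.nl.", QTYPE_DNSKEY, do_bit=False)),  # dig without +dnssec
    ("192.0.2.10", b"\x12\x34"),                                # truncated junk
]
```

On a real authoritative server the payloads would come from a libpcap capture of UDP port 53; a source that repeatedly fetches DNSKEY RRsets with DO set is the candidate validator the slide describes.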


SLIDE 13

Measuring validators

  • Who wants to help?
  • Looking for people willing to help in tool development, specifically:
    • Database expertise
    • Hacking together a nice web UI (PHP stuff?)
    • Maybe a nice geo-IP, Google Maps thingy?
  • Looking for people willing to participate in the measuring phase
    • If you have signed domains and are willing to run a simple tool on your authoritative servers: please come forward :-)


SLIDE 14

Short news

  • Students at the University of Amsterdam have created a Firefox plugin to validate X.509 certificate hashes stored in DNS
  • > http://os3sec.org
  • There is a lot of discussion about trust in DNSSEC; many TLDs are starting to publish DNSSEC Practice Statements (DPSs) inspired by CPSs
  • > IETF working on DPS framework RFC: http://bit.ly/draft-dps


SLIDE 15

Shameless advertising

  • We have published a white paper (or rather a book) on applications of crypto aimed at connected institutions
  • > http://bit.ly/sn-crypto


SLIDE 16

That’s all folks... Questions?

Thank you for your attention!

Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl

Presentation released under Creative Commons (http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)
