DNSSEC update
TF MNM, Lyon
Roland van Rijswijk, roland.vanrijswijk [at] surfnet.nl
February 16th 2011
DNSSEC validation
- Validation rate not rising very much
- Interesting to see what will happen after .com signing
SURFnet. We make innovation work
BIND issue with new DS
- IMPORTANT:
  - If you are running BIND as a validating resolver, you should upgrade ASAP
  - A bug in BIND causes the resolver not to pick up a new DS in the root zone correctly -> result: SERVFAILs for a (g)TLD
  - Hint: March 31st, .com DS in root zone
- See http://bit.ly/BIND-notice
More BIND trouble
- We are lucky to be here today...
- Last weekend .fr disappeared from the DNSSEC-signed Internet
- Initial analysis by AFNIC shows that this is an NSEC3 bug in dynamic updates
- So pay attention if you (plan to) use BIND in auto-signing/dynamic update mode
- See also: http://bit.ly/bind-nsec3
Research into client behaviour
- Until now the focus was on signing and validating
- Limited interest in client behaviour (only studies into CPE hardware)
- Joint study by SIDN (.nl) and TNO with live data from SURFnet
- See how stub clients respond to e.g. SERVFAIL
The research
- Stub clients can be found in many pieces of software and in many devices:
  - Operating system
  - Browser
  - E-mail client
  - VoIP handset
  - Mobile phone
  - etc.
- Two methods of testing:
  - Lab environment where all parameters are ‘under control’ of the researchers
  - Live data from SURFnet resolvers (work in progress)
Results for Windows

Response type       IE    Win XP    Total
Valid/NXDOMAIN      x1    x1        x1
SERVFAIL/REFUSED    x1    x1        x1
No response         x1    x5        x5
Truncated           x1    1 + TCP   1 + TCP

- Similar results for other browsers

Response type       Firefox   Win 7     Total
Valid/NXDOMAIN      x1        x1        x1
SERVFAIL/REFUSED    x1        x1        x1
No response         x1        x4        x4
Truncated           x1        1 + TCP   1 + TCP

- Similar results for other browsers
Results for UNIX-/BSD-like

Response type            Firefox   Linux     Total
Valid                    x1        x1        x1
NXDOMAIN/Partial         x2        x2        x4
SERVFAIL/No Resp/REF     x2        x4        x8
Truncated                x1        1 + TCP   1 + TCP

Response type            Safari    Mac OS X  Total
Valid                    x1        x1        x1
NXDOMAIN/Partial         x1        x2        x2
SERVFAIL/No Resp/REF     x1        x4        x4
Truncated                x1        1 + TCP   1 + TCP

- In both cases:
  - Single auth. NS; in case of prim+sec -> x2
  - Only IPv4; in case of IPv6 -> x2
Causes and effects
- On UNIX-/BSD-like systems: the cause seems to be a bad and outdated DNS implementation in glibc -> severely needs a rewrite
- Firefox behaves differently on different OSes
- Effect: query load can explode when certain events occur (e.g. signing error on a popular domain) -> N.B.: both resolver & authoritative feel the pain!
Further work
- This issue requires more attention than it is getting
- With .com signing around the corner we need to be prepared
- Currently in progress: more work on ‘live’ data from our resolvers by TNO -> contributions are welcome (contact me)
The Chicken & Egg
- There is a lot of discussion about the ‘chicken and egg’ problem of DNSSEC: if I sign my zone, will anyone validate?
- Signer deployment seems to be on a roll
- Validator deployment is unclear and not being measured
Measuring validators
- The theory: measuring DNSKEY requests to authoritative name servers should reveal validating resolvers
- The practice:
  - Working on a tool based on libpcap to monitor these queries
  - Running code is available but still very rough -> some interesting results already
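The DNSKEY-query signal from this slide, as an added example that is not part of the presentation or of the SURFnet tool: a small pure-Python parser that picks DNSKEY queries out of captured UDP payloads and counts them per source address. Two assumptions are mine: a query only counts when the EDNS0 DO bit is set (validators set it), and the sample packets are constructed inline, so the libpcap capture step is left out.

```python
import struct
from collections import Counter
QTYPE_DNSKEY = 48  # RR type of the DNSKEY record
RRTYPE_OPT = 41    # EDNS0 pseudo-RR that carries the DO bit
DO_BIT = 0x8000    # DO flag is the high bit of the OPT RR's "TTL" field
def build_query(qname, qtype, do=False):
    """Constructed sample packet: a DNS query, optionally with an EDNS0 OPT RR setting DO."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if do else 0)
    question = wire_name + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, 4096, DO_BIT, 0) if do else b""
    return header + question + opt
def parse_name(buf, off):
    """Decode a label sequence at offset (assumes no compression pointers, as in queries)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1
def parse_query(buf):
    """Return (qname, qtype, do_set) for a single-question DNS message."""
    _, _, _qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    qname, off = parse_name(buf, 12)
    qtype, off = struct.unpack("!H", buf[off:off + 2])[0], off + 4  # skip QTYPE + QCLASS
    do_set = False
    for _ in range(an + ns + ar):  # walk the remaining RRs looking for OPT
        _, off = parse_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == RRTYPE_OPT and ttl & DO_BIT:
            do_set = True
    return qname, qtype, do_set
def count_validators(packets):
    """Per-source count of DNSKEY queries with DO set, the signal that marks a validator."""
    counts = Counter()
    for src, payload in packets:
        _, qtype, do_set = parse_query(payload)
        if qtype == QTYPE_DNSKEY and do_set:
            counts[src] += 1
    return counts
# Constructed traffic: two DNSKEY/DO queries from one source, an A query, a DNSKEY query without DO.
SAMPLE = [("192.0.2.1", build_query("example.nl", QTYPE_DNSKEY, do=True)),
          ("192.0.2.1", build_query("example.nl", QTYPE_DNSKEY, do=True)),
          ("198.51.100.7", build_query("example.nl", 1, do=True)),
          ("203.0.113.9", build_query("example.nl", QTYPE_DNSKEY))]
RESULT = count_validators(SAMPLE)  # Counter({'192.0.2.1': 2})
```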
Measuring validators - Who wants to help?
- Looking for people willing to help in tool development, specifically:
  - Database expertise
  - Hacking together a nice web UI (PHP stuff?)
  - Maybe a nice geo-IP, Google Maps thingy?
- Looking for people willing to participate in the measuring phase
  - If you have signed domains and are willing to run a simple tool on your authoritative servers: please come forward :-)
Short news
- Students at the University of Amsterdam have created a Firefox plugin to validate X.509 certificate hashes stored in DNS -> http://os3sec.org
- There is a lot of discussion about trust in DNSSEC; many TLDs are starting to publish DNSSEC Practice Statements (DPSs) inspired by CPSs -> IETF working on DPS framework RFC http://bit.ly/draft-dps
Shameless advertising
- We have published a white paper (or rather a book) on applications of crypto aimed at connected institutions -> http://bit.ly/sn-crypto
That’s all folks... Questions?
Thank you for your attention!
Roland van Rijswijk, roland.vanrijswijk [at] surfnet.nl
Presentation released under Creative Commons (http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)