measuring the deployment of dnssec over the internet
play

Measuring the Deployment of DNSSEC over the Internet System & - PowerPoint PPT Presentation

Jan 06, 2023 •201 likes •398 views

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill SNE RP2 Presentations July 2, 2014 1/19 Introduction Methodology Results

  1. Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering — Research Project Nicolas Canceill SNE RP2 Presentations — July 2, 2014 1/19

  2. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 2/19

  3. Introduction Methodology Results What DNSSEC? DNS Domain Name System Essential foundation of the Internet Translates domain names into IP addresses Problem DNS is notoriously insecure Solution: DNSSEC Public key cryptography Signatures for al resources Hierarchical chain of trust 3/19

  4. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 4/19

  5. Introduction Methodology Results History DNS Development 1983 DNS specification published 1984 First TLDs defined 1987 DNS becomes IETF standard DNSSEC Development 1997 DNSSEC specification published 1999 DNSSEC specification revised 2005 DNSSEC final revision DNSSEC Deployment 2010 Root level deployment 2011 Most TLDs signed 5/19

  6. Introduction Methodology Results Research scope Research question What is the status of DNSSEC deployment over the Internet and how does it impact Internet users? Which DNS resolvers can be queried from clients? What methods can properly assess DNSSEC support? How does DNSSEC support influence user experience? 6/19

  7. Introduction Methodology Results The Atlas network 6,200 active probes Worldwide — mostly Europe 7/19

  8. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 8/19

  9. Introduction Methodology Results Setup Altlas probes: presence in client network Controlled nameserver with packet capture 9/19

  10. Introduction Methodology Results Challenges (1) Authoritatives _443._tcp.getdnsapi.net TLSA . _443._tcp.getdnsapi.net TLSA net NS Application net DS net DNSKEY Validating DNSSEC- _443._tcp.getdnsapi.net TLSA Stub Aware net DNSKEY net getdnsapi.net NS Resolver os OS getdnsapi.net DS ✓ getdnsapi.net DNSKEY getdnsapi.net DNSKEY _443._tcp.getdnsapi.net TLSA _443._tcp.getdnsapi.net TLSA getdnsapi ✓ getdnsapi.net DNSKEY _443._tcp.getdnsapi.net TLSA DNSSEC-aware: fetch DS and DNSKEY Client gets data for application-level validation 10/19

  11. Introduction Methodology Results Challenges (2) Probes-resolvers IP address seen by the probe: 8.8.8.8 IP address seen by the nameserver: 74.125.18.209 Solution: pre-pend probe ID and use wildcards Probe 1234 requests 1234.example.com Resolving setup Probes with multiple resolvers Probes using forwarders Misconfigured resolvers 11/19

  12. Introduction Methodology Results Limitations Atlas � = Internet Atlas Top10 Internet Top10 Country Probes Country Internet users (in 2012) United States 853 China 568,192,066 Germany 819 United States 254,295,536 Russia 724 India 151,598,994 United Kingdom 605 Japan 100,684,474 Netherlands 457 Brazil 99,357,737 France 397 Russia 75,926,004 Ukraine 364 Germany 68,296,919 Belgium 184 Nigeria 55,930,391 Italy 166 United Kingdom 54,861,245 Czech Republic 161 France 54,473,474 12/19

  13. Introduction Methodology Results Process Steps 1 List all active probes 2 Start packet capture at the nameserver 3 Launch measurement on Atlas probes 4 Wait for measurement results 5 Stop packet capture 6 Repeat steps 2-5 until all active probes have been used Zones badlabel , badrrsigs , norrsigs secure insecure Software Python, atlas , dpkt nsd , ldns Wireshark 13/19

  14. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 14/19

  15. Introduction Methodology Results Resolvers DO bit support Requests on TXT record from secure zone with DO bit set Probes Resolvers DO bit RRSIG s 4673 5139 4534 [88.23%] 3448 [67.09%] DS type support Requests on DS record from secure zone with DO bit set Probes Answers AD bit RRSIG s No RRSIG s FORMERR 5602 5323 [95.01%] 1557 [27.79%] 2176 [38.84%] 1590 [28.38%] 268 [ 4.78%] 15/19

  16. Introduction Methodology Results DNSSEC-awareness Resolvers distribution Amount of resolvers 10 3 10 2 10 1 40 most common resolvers 10 0 0 10 20 30 40 50 60 Amount of probes 40 most common resolvers: Google (38), OVH (2) 16/19

  17. Introduction Methodology Results Validation and protection Answer Zone Probes Total AD bit RRSIG s+ NSEC RRSIG s only Just answer secure 5457 5160 [94.55%] 1472 [26.97%] 1109 [20.32%] 967 [17.72%] 1612 [20.54%] badlabel 5366 3631 [67.66%] 0 [ 0.00%] 1014 [18.90%] 1004 [18.71%] 1613 [30.06%] badrrsig 5427 3688 [67.95%] 0 [ 0.00%] 1017 [18.74%] 1034 [19.05%] 1636 [30.15%] norrsigs 5491 3754 [68.37%] 0 [ 0.00%] 0 [ 0.00%] 0 [ 0.00%] 3754 [68.37%] No answer Zone Probes Total Parse Error SERVFAIL FORMERR 5457 297 [ 5.44%] 12 [ 0.22%] 263 [ 4.82%] 100 [ 1.83%] secure 5366 1735 [32.33%] 1410 [26.28%] 302 [ 5.63%] 81 [ 1.51%] badlabel 5427 1739 [32.04%] 1417 [26.11%] 299 [ 5.51%] 67 [ 1.23%] badrrsigs 5491 1737 [31.63%] 1416 [25.79%] 306 [ 5.57%] 20 [ 0.36%] norrsigs 17/19

  18. Introduction Methodology Results Findings DNSSEC-awareness DO bit indicates 88%. . . maybe more DS type indicates 95%. . . maybe less Validation and protection AD bit indicates 27% validation Bad zones indicate 25-26% protection Information available 88-95% can get DS 65% can get RRSIG 47% can get RRSIG and wildcard NSEC 18/19

  19. Introduction Methodology Results Thanks to... B. Overeinder, W. Toorop — NLnet Labs, Amsterdam SNE Master, University of Amsterdam Questions? 19/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill RIPE68 May 14, 2014 1/20 Introduction Methodology Results Introduction 1

673 views • 20 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012

DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012

DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012 www.internetsociety.org/deploy360/ Our Panel Today Moderator: Dan York, Internet Society Panelists: Jim Galvin, Afilias Rick Lamb, ICANN Cricket Liu,

772 views • 41 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia Corporation, a

913 views • 37 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

14 September, 2020 African Internet Summit Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org Presentation title Client name Measuring the Internet Why? The Internet Societys efforts focus on

336 views • 9 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

Welcome! DNS/DNSSEC Deployment tutorial Champika Wijayatunga <champika@apnic.net> 2 August 2006, Karachi, Pakistan In conjunction with SANOG 8 Background The original DNS protocol wasnt designed with security in mind It has

705 views • 15 slides
ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP addresses. Human beings do not memorize IP

779 views • 23 slides
IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at the internet layer. Handles addressing and routing TCP: at the transport layer. Setting up channels (between ports), with traffic control, error-

292 views • 17 slides
DNSSEC Workshop Dan York, Internet Society | ICANN 55 | March 2016 Remote Participation Slides

DNSSEC Workshop Dan York, Internet Society | ICANN 55 | March 2016 Remote Participation Slides

DNSSEC Workshop Dan York, Internet Society | ICANN 55 | March 2016 Remote Participation Slides and audio streams at: https://meetings.icann.org/en/marrakech 55/schedule/wed-dnssec Live video stream via YouTube at:

578 views • 29 slides
ManagingandMonitoring aRootDNSService JohnCrain

ManagingandMonitoring aRootDNSService JohnCrain

ManagingandMonitoring aRootDNSService JohnCrain ChiefTechnicalOfficer WhoamI? JohnCrain ChiefTechnologyOfficeratICANN

595 views • 24 slides
DNS Session 3: Configuration of Authoritative Nameservice These materials are licensed under the

DNS Session 3: Configuration of Authoritative Nameservice These materials are licensed under the

DNS Session 3: Configuration of Authoritative Nameservice These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Recap DNS is a distributed database

426 views • 39 slides
What is a Mobile Responsive Website? Web Design is the process of creating a website to represent

What is a Mobile Responsive Website? Web Design is the process of creating a website to represent

More and more of your target audience is viewing websites using smart phones and tablets. What is a Mobile Responsive Website? Web Design is the process of creating a website to represent your business, brand, products and services. It

584 views • 16 slides
WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next set of sessions we're going to cover a lot of different topics, techniques, and technologies, all of which are going to help you better manage and

410 views • 13 slides
CITY OF PORT PHILLIP DOMAIN PRECINCT Presented by Rebecca Doherty Craig McLean INTRODUCTION

CITY OF PORT PHILLIP DOMAIN PRECINCT Presented by Rebecca Doherty Craig McLean INTRODUCTION

CITY OF PORT PHILLIP DOMAIN PRECINCT Presented by Rebecca Doherty Craig McLean INTRODUCTION Purpose of todays presentation : Provide context and updates on projects Engage stakeholders Part A Domain Precinct Summary and Strategic

461 views • 20 slides
DOMAIN COMMUNITY REFERENCE GROUP Meeting #17 Wednesday 4 September, Seasons Botanic Gardens 1

DOMAIN COMMUNITY REFERENCE GROUP Meeting #17 Wednesday 4 September, Seasons Botanic Gardens 1

DOMAIN COMMUNITY REFERENCE GROUP Meeting #17 Wednesday 4 September, Seasons Botanic Gardens 1 WORKS UPDATE 2 ANZAC STATION PROGRAM 2019 3 PROGRESS UPDATE NORTHERN SECTION 4 NORTHERN SECTION TIME-LAPSE 5 CURRENT AND UPCOMING WORKS

1k views • 66 slides
VILLAGE SITE SEPTEMBER 14, 2016 J o n a t h a n L e v i A r c h i t e c t s BROOKLINE

VILLAGE SITE SEPTEMBER 14, 2016 J o n a t h a n L e v i A r c h i t e c t s BROOKLINE

VILLAGE SITE SEPTEMBER 14, 2016 J o n a t h a n L e v i A r c h i t e c t s BROOKLINE 9 TH ELEMENTARY SCHOOL TRAFFIC STUDY VILLAGE SITE PARKING SPACES 60 PARENT QUEUING 900 feet v BUS QUEUING 200 feet SEPTEMBER 14,

306 views • 7 slides
Executive Summary OVERALL DEVELOPMENT SUMMARY The Arsenal 201 investment opportunity is a planned

Executive Summary OVERALL DEVELOPMENT SUMMARY The Arsenal 201 investment opportunity is a planned

Arsenal 201 LERTA Request to Pittsburgh Public School Board Multifamily Development Arsenal 201 3925 Butler St Pittsburgh, PA 15201 . . . 125 39 th Street, Bldg. 3, Pittsburgh, PA 15201 MIL HAUS.COM This information is provided for

414 views • 16 slides

More recommend