Measuring the Deployment of DNSSEC over the Internet


SLIDE 1

Introduction Methodology Results

Measuring the Deployment of DNSSEC over the Internet

System & Network Engineering — Research Project Nicolas Canceill RIPE68 — May 14, 2014

1/20

SLIDE 2

1. Introduction
2. Methodology
3. Results

2/20

SLIDE 3

What is DNSSEC?

DNS (Domain Name System)
  - Essential foundation of the Internet
  - Translates domain names into IP addresses

Problem: DNS is notoriously insecure

Solution: DNSSEC
  - Public key cryptography
  - Signatures for all resources
  - Hierarchical chain of trust

3/20

SLIDE 4

1. Introduction
2. Methodology
3. Results

4/20

SLIDE 5

History

DNS development
  1983  DNS specification published
  1984  First TLDs defined
  1987  DNS becomes IETF standard

DNSSEC development
  1997  DNSSEC specification published
  1999  DNSSEC specification revised
  2005  DNSSEC final revision

DNSSEC deployment
  2010  Root level deployment
  2011  Most TLDs signed

5/20

SLIDE 6

Research scope

Research question: What is the status of DNSSEC deployment over the Internet, and how does it impact Internet users?

  - Which DNS resolvers can be queried from clients?
  - What methods can properly assess DNSSEC support?
  - How does DNSSEC support influence user experience?

6/20

SLIDE 7

The Atlas network

  - 5,000 active probes
  - Worldwide, mostly Europe

7/20

SLIDE 8

1. Introduction
2. Methodology
3. Results

8/20

SLIDE 9

Setup

  - Atlas probes: presence in the client networks
  - Controlled nameserver with packet capture

9/20

SLIDE 10

Challenges

Probes vs. resolvers
  - IP address seen by the probe: 8.8.8.8
  - IP address seen by the nameserver: 74.125.18.209
  - Solution: prepend the probe ID and use wildcards (probe 1234 requests 1234.example.com)

Resolving setup
  - Probes with multiple resolvers
  - Probes using forwarders
  - Misconfigured resolvers

10/20
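The probe-ID-prefix trick from this slide, worked through in Python as an added example (this is not code from the presentation or the research project). The probe side knows which resolver address it was configured with; the nameserver capture only sees the address that finally asked, so the probe ID carried in the first label of the query name is the join key. MEASUREMENT_ZONE is assumed to be example.com, and apart from the 8.8.8.8 / 74.125.18.209 pair quoted on the slide all addresses and capture records are constructed for the example.

```python
"""Correlate Atlas probe IDs with the resolver addresses seen at the nameserver.
Added example, not the project's code; the capture records below are constructed."""
import re
from collections import defaultdict

# The measurement zone is wildcard-signed so every <probe-id>.<zone> label resolves.
# 'example.com' is an assumption standing in for the real zone.
MEASUREMENT_ZONE = "example.com"
_QNAME_RE = re.compile(r"^(\d+)\." + re.escape(MEASUREMENT_ZONE) + r"\.?$", re.IGNORECASE)


def probe_id_from_qname(qname):
    """Return the probe ID encoded as the first label of a captured query name, or None."""
    m = _QNAME_RE.match(qname.strip())
    return int(m.group(1)) if m else None


def correlate(probe_side, server_side):
    """Join the two vantage points.

    probe_side:  {probe_id: [resolver addresses the probe is configured with]}
    server_side: iterable of (source_ip, qname) pairs from the nameserver capture

    Returns {probe_id: {"configured": set, "seen": set, "path": str}}, where path is
      'direct'    every address seen at the server is one the probe itself queries,
      'forwarded' none is (the probe's resolver forwards to some other machine),
      'mixed'     some are and some are not (several resolvers, different setups),
      'unseen'    no query carrying this probe's ID reached the server.
    """
    seen = defaultdict(set)
    for src_ip, qname in server_side:
        pid = probe_id_from_qname(qname)
        if pid is not None:              # ignore unrelated traffic hitting the server
            seen[pid].add(src_ip)

    result = {}
    for pid, configured in probe_side.items():
        configured = set(configured)
        observed = seen.get(pid, set())
        if not observed:
            path = "unseen"
        elif observed <= configured:
            path = "direct"
        elif observed.isdisjoint(configured):
            path = "forwarded"
        else:
            path = "mixed"
        result[pid] = {"configured": configured, "seen": observed, "path": path}
    return result


# Constructed sample. 8.8.8.8 -> 74.125.18.209 is the pair from the slide; the other
# addresses are RFC 5737 documentation ranges.
PROBE_SIDE = {
    1234: ["8.8.8.8"],
    5678: ["192.0.2.53"],
    9012: ["198.51.100.1", "8.8.8.8"],
    1111: ["203.0.113.9"],
}
SERVER_SIDE = [
    ("74.125.18.209", "1234.example.com."),
    ("192.0.2.53", "5678.example.com."),
    ("198.51.100.1", "9012.example.com."),
    ("74.125.18.209", "9012.example.com."),
    ("203.0.113.200", "www.example.com."),    # not a probe query, must be ignored
]


def sample_correlation():
    return correlate(PROBE_SIDE, SERVER_SIDE)


if __name__ == "__main__":
    for pid, info in sorted(sample_correlation().items()):
        print(pid, info["path"], sorted(info["configured"]), "->", sorted(info["seen"]))
```

The 'mixed' case is what the "probes with multiple resolvers" bullet produces: one configured resolver answers directly while the other forwards, so the per-probe numbers in the later slides cannot be read as per-resolver numbers without this split.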

SLIDE 11

Limitations

Atlas ≠ Internet

Atlas, top 10 countries by probes:

  Country          Probes
  United States       853
  Germany             819
  Russia              724
  United Kingdom      605
  Netherlands         457
  France              397
  Ukraine             364
  Belgium             184
  Italy               166
  Czech Republic      161

Internet, top 10 countries by Internet users (in 2012):

  Country          Internet users
  China               568,192,066
  United States       254,295,536
  India               151,598,994
  Japan               100,684,474
  Brazil               99,357,737
  Russia               75,926,004
  Germany              68,296,919
  Nigeria              55,930,391
  United Kingdom       54,861,245
  France               54,473,474

11/20

SLIDE 12

Process

Steps

  1. List all active probes
  2. Start packet capture at the nameserver
  3. Launch measurement on Atlas probes
  4. Wait for measurement results
  5. Stop packet capture
  6. Repeat steps 2-5 until all active probes have been used

Zones: secure, insecure, badlabel, badrrsigs, norrsigs

Software: Python (atlas, dpkt), nsd, ldns, Wireshark

12/20

SLIDE 13

1. Introduction
2. Methodology
3. Results

13/20

SLIDE 14

Resolvers

DO bit support (requests for a TXT record from the secure zone, with the DO bit set)

  Probes   Resolvers   Setting DO bit   Including RRSIG
  4673     5139        4534 [88.23%]    3448 [67.09%]

DS type support (requests for a DS record from the secure zone, with the DO bit set)

  Probes   Answers          Authenticated
  4553     4228 [92.73%]    1409 [30.41%]

  Resolvers   Active   Answers          Authenticated
  4586        4573     4252 [92.98%]    1374 [30.05%]

14/20

SLIDE 15

Probes (1)

[Plot: resolvers distribution, amount of probes against amount of resolvers (log scale); the 40 most common resolvers are marked]

40 most common resolvers: Google (38), OVH (2)

15/20

SLIDE 16

Probes (2)

Protection

  Zone       Probes   Answer           No answer, by RCODE
                                       NOERROR          FORMERR         SERVFAIL        REFUSED
  secure     4606     3098 [67.26%]    1215 [26.38%]     252 [ 5.47%]     18 [ 0.39%]    23 [ 0.50%]
  badlabel   4212     2381 [56.53%]     296 [ 7.03%]     286 [ 6.79%]   1224 [29.06%]    25 [ 0.59%]
  badrrsigs  4211     2381 [56.54%]     299 [ 7.10%]     294 [ 6.98%]   1212 [28.78%]    25 [ 0.59%]
  norrsigs   4124     2655 [64.38%]       1 [ 0.02%]     292 [ 7.08%]   1152 [27.93%]    24 [ 0.58%]

Compatibility

  Zone       Probes   Answer           Answer with AD bit   No answer: NOERROR   No answer: SERVFAIL
  secure     4606     3098 [67.26%]     822 [17.84%]        1215 [26.38%]         18 [ 0.39%]
  insecure   4642     4350 [93.71%]       0 [ 0.00%]           1 [ 0.02%]         16 [ 0.34%]
  secure     4695     4376 [93.20%]    1404 [29.90%]           2 [ 0.04%]         11 [ 0.23%]

16/20
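The wire-level checks behind slides 14 and 16, as an added example in Python (not code from the presentation or the project): building a query with EDNS0 and the DO bit set, reading the DO bit back out of a captured query the way the nameserver side counts "Setting DO bit", and bucketing a response by its answer count and RCODE, with the AD bit alongside, the way the Protection and Compatibility tables do. Only the standard library is used; the query name 1234.example.com follows the slide-10 convention, and the response headers fed to the classifier are constructed for the example.

```python
"""DNS header/EDNS0 helpers for a DNSSEC-awareness measurement.
Added example, not the project's code; the sample responses are constructed."""
import struct

DNS_TYPE_TXT = 16
DNS_TYPE_DS = 43
DNS_TYPE_OPT = 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, dnssec_ok=True, udp_size=4096):
    """Standard query (RD set) with one question and one EDNS0 OPT RR in ADDITIONAL.
    The DO bit is the top bit of the OPT RR's 32-bit TTL field (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    opt_ttl = 0x00008000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the measurement looks at."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # Authenticated Data: the resolver claims it validated
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def query_do_bit(msg):
    """Whether the message carries an OPT RR with DO set; None if there is no OPT RR.
    This is the check the nameserver capture applies to count 'Setting DO bit'."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            return bool(ttl & 0x8000)
    return None


def classify_response(msg):
    """Bucket a response as the Protection/Compatibility tables do: 'Answer' when the
    answer section is non-empty, otherwise 'No answer/<RCODE>'. Also return the AD bit."""
    h = parse_header(msg)
    if h["rcode"] == 0 and h["ancount"] > 0:
        bucket = "Answer"
    else:
        bucket = "No answer/" + RCODE_NAMES.get(h["rcode"], "RCODE%d" % h["rcode"])
    return bucket, h["ad"]


def make_response_header(txid, rcode, ad, ancount):
    """Constructed 12-byte response header (QR, RD, RA set) for exercising the classifier."""
    flags = 0x8180 | (0x0020 if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    q = build_query("1234.example.com", DNS_TYPE_TXT)
    print("query:", q.hex(), "DO set:", query_do_bit(q))
    for rcode, ad, an in [(0, True, 1), (0, False, 0), (2, False, 0)]:
        print(classify_response(make_response_header(0x1234, rcode, ad, an)))
```

Read against the tables: a SERVFAIL for the badlabel or badrrsigs zone is the resolver protecting the client (the 27-29% column), an 'Answer' for those zones means corrupted data was passed through, and an 'Answer' with AD set for the secure zone is the 30% the Findings slide counts as validation.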

SLIDE 17

Probes (3)

[Plot: validation distribution, amount of probes against amount of resolvers (log scale); series: all resolvers, validating with AD bit]

17/20

SLIDE 18

Probes (4)

[Plot: protection distribution, amount of probes against amount of resolvers (log scale); series: all resolvers, blocking corrupted answers]

18/20

SLIDE 19

Findings

DNSSEC-awareness
  - DO bit indicates 87%
  - DS type indicates 93%

Validation and protection
  - AD bit indicates 30% validation
  - bad zones indicate 27-29% protection
  - signatures available in 67% of answers

Issues
  - Fallback when RRSIG missing: 1%
  - Bad validation of wildcards: 26%

19/20

SLIDE 20

Thanks to... NLnet Labs, Amsterdam; SNE Master, University of Amsterdam

Questions?

20/20