measuring the deployment of dnssec over the internet
play

Measuring the Deployment of DNSSEC over the Internet System & - PowerPoint PPT Presentation

Apr 04, 2023 •451 likes •673 views

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill RIPE68 May 14, 2014 1/20 Introduction Methodology Results Introduction 1

  1. Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering — Research Project Nicolas Canceill RIPE68 — May 14, 2014 1/20

  2. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 2/20

  3. Introduction Methodology Results What DNSSEC? DNS Domain Name System Essential foundation of the Internet Translates domain names into IP addresses Problem DNS is notoriously insecure Solution: DNSSEC Public key cryptography Signatures for al resources Hierarchical chain of trust 3/20

  4. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 4/20

  5. Introduction Methodology Results History DNS Development 1983 DNS specification published 1984 First TLDs defined 1987 DNS becomes IETF standard DNSSEC Development 1997 DNSSEC specification published 1999 DNSSEC specification revised 2005 DNSSEC final revision DNSSEC Deployment 2010 Root level deployment 2011 Most TLDs signed 5/20

  6. Introduction Methodology Results Research scope Research question What is the status of DNSSEC deployment over the Internet and how does it impact Internet users? Which DNS resolvers can be queried from clients? What methods can properly assess DNSSEC support? How does DNSSEC support influence user experience? 6/20

  7. Introduction Methodology Results The Atlas network 5,000 active probes Worldwide — mostly Europe 7/20

  8. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 8/20

  9. Introduction Methodology Results Setup Altlas probes: presence in client network Controlled nameserver with packet capture 9/20

  10. Introduction Methodology Results Challenges Probes-resolvers IP address seen by the probe: 8.8.8.8 IP address seen by the nameserver: 74.125.18.209 Solution: pre-pend probe ID and use wildcards Probe 1234 requests 1234.example.com Resolving setup Probes with multiple resolvers Probes using forwarders Misconfigured resolvers 10/20

  11. Introduction Methodology Results Limitations Atlas � = Internet Atlas Top10 Internet Top10 Country Probes Country Internet users (in 2012) United States 853 China 568,192,066 Germany 819 United States 254,295,536 Russia 724 India 151,598,994 United Kingdom 605 Japan 100,684,474 Netherlands 457 Brazil 99,357,737 France 397 Russia 75,926,004 Ukraine 364 Germany 68,296,919 Belgium 184 Nigeria 55,930,391 Italy 166 United Kingdom 54,861,245 Czech Republic 161 France 54,473,474 11/20

  12. Introduction Methodology Results Process Steps 1 List all active probes 2 Start packet capture at the nameserver 3 Launch measurement on Atlas probes 4 Wait for measurement results 5 Stop packet capture 6 Repeat steps 2-5 until all active probes have been used Zones badlabel , badrrsigs , norrsigs secure insecure Software Python, atlas , dpkt nsd , ldns Wireshark 12/20

  13. Introduction Methodology Results Introduction 1 Methodology 2 Results 3 13/20

  14. Introduction Methodology Results Resolvers DO bit support Requests on TXT record from secure zone with DO bit set Probes Resolvers Setting DO bit Including RRSIG 4673 5139 4534 [88.23%] 3448 [67.09%] DS type support Requests on DS record from secure zone with DO bit set Probes Answers Authenticated 4553 4228 [92.73%] 1409 [30.41%] Resolvers Active Answers Authenticated 4586 4573 4252 [92.98%] 1374 [30.05%] 14/20

  15. Introduction Methodology Results Probes (1) Resolvers distribution Amount of resolvers 10 3 10 2 10 1 40 most common resolvers 10 0 0 10 20 30 40 50 60 Amount of probes 40 most common resolvers: Google (38), OVH (2) 15/20

  16. Introduction Methodology Results Probes (2) Protection Zone Probes Answer No Answer NOERROR FORMERR SERVFAIL REFUSED secure 4606 3098 [67.26%] 1215 [26.38%] 252 [ 5.47%] 18 [ 0.39%] 23 [ 0.50%] 4212 2381 [56.53%] 296 [ 7.03%] 286 [ 6.79%] 1224 [29.06%] 25 [ 0.59%] badlabel 4211 2381 [56.54%] 299 [ 7.10%] 294 [ 6.98%] 1212 [28.78%] 25 [ 0.59%] badrrsigs 4124 2655 [64.38%] 1 [ 0.02%] 292 [ 7.08%] 1152 [27.93%] 24 [ 0.58%] norrsigs Compatibility Zone Probes Answer No Answer with AD bit NOERROR SERVFAIL 4606 3098 [67.26%] 822 [17.84%] 1215 [26.38%] 18 [ 0.39%] secure 4642 4350 [93.71%] 0 [ 0.00%] 1 [ 0.02%] 16 [ 0.34%] insecure 4695 4376 [93.20%] 1404 [29.90%] 2 [ 0.04%] 11 [ 0.23%] secure 16/20

  17. Introduction Methodology Results Probes (3) Validation distribution All resolvers Amount of resolvers 10 3 Validating with AD bit 10 2 10 1 10 0 0 10 20 30 40 50 60 Amount of probes 17/20

  18. Introduction Methodology Results Probes (4) Protection distribution All resolvers Amount of resolvers 10 3 Blocking corrupted answers 10 2 10 1 10 0 0 10 20 30 40 50 60 70 80 Amount of probes 18/20

  19. Introduction Methodology Results Findings DNSSEC-awareness DO bit indicates 87% DS type indicates 93% Validation and protection AD bit indicates 30% validation bad zones indicate 27-29% protection signatures available in 67% of answers Issues Fallback when RRSIG missing: 1% Bad validation of wildcards: 26% 19/20

  20. Introduction Methodology Results Thanks to... NLnet Labs, Amsteram SNE Master, University of Amsterdam Questions? 20/20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research

Introduction Methodology Results Measuring the Deployment of DNSSEC over the Internet System & Network Engineering Research Project Nicolas Canceill SNE RP2 Presentations July 2, 2014 1/19 Introduction Methodology Results

398 views • 19 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012

DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012

DNSSEC Deployment: From End-Customer to Content ION San Diego December 11, 2012 www.internetsociety.org/deploy360/ Our Panel Today Moderator: Dan York, Internet Society Panelists: Jim Galvin, Afilias Rick Lamb, ICANN Cricket Liu,

772 views • 41 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia

Assessing and Improving the Quality of DNSSEC Deployment Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia Corporation, a

913 views • 37 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

14 September, 2020 African Internet Summit Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org Presentation title Client name Measuring the Internet Why? The Internet Societys efforts focus on

336 views • 9 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

1 Overview Introduction DNSSEC mechanisms To authenticate servers (TSIG ) To

Welcome! DNS/DNSSEC Deployment tutorial Champika Wijayatunga <champika@apnic.net> 2 August 2006, Karachi, Pakistan In conjunction with SANOG 8 Background The original DNS protocol wasnt designed with security in mind It has

705 views • 15 slides
ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP addresses. Human beings do not memorize IP

779 views • 23 slides
IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at the internet layer. Handles addressing and routing TCP: at the transport layer. Setting up channels (between ports), with traffic control, error-

292 views • 17 slides
DNSSEC Workshop Dan York, Internet Society | ICANN 55 | March 2016 Remote Participation Slides

DNSSEC Workshop Dan York, Internet Society | ICANN 55 | March 2016 Remote Participation Slides

DNSSEC Workshop Dan York, Internet Society | ICANN 55 | March 2016 Remote Participation Slides and audio streams at: https://meetings.icann.org/en/marrakech 55/schedule/wed-dnssec Live video stream via YouTube at:

578 views • 29 slides
Applications! Where we are in the Course Application layer protocols are often part of

Applications! Where we are in the Course Application layer protocols are often part of

Applications! Where we are in the Course Application layer protocols are often part of app But dont need a GUI, e.g., DNS Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Application

1.65k views • 122 slides
ICANN & Internet Security (DNS) Security Albert Daniels Albert.daniels@icann.og Internet

ICANN & Internet Security (DNS) Security Albert Daniels Albert.daniels@icann.og Internet

ICANN & Internet Security (DNS) Security Albert Daniels Albert.daniels@icann.og Internet Week Guyana 11 th October 2017 | 1 What Does ICANN Mean for the End User? POLIC Y The Domain Name System Policy Development is an L-Root is one

636 views • 32 slides
ECE590 Computer and Information Security Fall 2018 Networking Overview Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Networking Overview Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Networking Overview Tyler Bletsch Duke University Some slides adapted from Brian Rogers (Duke) Network fundamentals This course isnt a networking course, so well just hit the highlights

682 views • 65 slides
Internet 101 U.S. National Cybersecurity, Technical Breakout #1 10/5/04 presented by: Martin

Internet 101 U.S. National Cybersecurity, Technical Breakout #1 10/5/04 presented by: Martin

Internet 101 U.S. National Cybersecurity, Technical Breakout #1 10/5/04 presented by: Martin Casado Network vs. Internet a network is a system of computers that talk over some communication medium: phone line (analogue modem, DSL),

748 views • 30 slides
Internet and CyberSecurity 101 U.S. National Cybersecurity, 10/5/06 presented by: Martin Casado

Internet and CyberSecurity 101 U.S. National Cybersecurity, 10/5/06 presented by: Martin Casado

Internet and CyberSecurity 101 U.S. National Cybersecurity, 10/5/06 presented by: Martin Casado Network vs. Internet a network is a system of computers that talk over some communication medium: phone line (analogue modem, DSL), cable,

957 views • 47 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #25 Dec 1 st 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Remainder of the semester: Quiz #3 is Today 40 mins

414 views • 20 slides
A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for resolving) by and for application developers (for application) First implementation by LABS and From Verisign: From NLnet Labs: Theogene Bucuti,

1.63k views • 113 slides
Ofcoms role in cyber security UKNOF Edinburgh Huw Saunders Director, Network Infrastructure

Ofcoms role in cyber security UKNOF Edinburgh Huw Saunders Director, Network Infrastructure

Ofcoms role in cyber security UKNOF Edinburgh Huw Saunders Director, Network Infrastructure PROMOTING CHOICE SECURING STANDARDS PREVENTING HARM Ofcom and cyber security Area of growing importance across all sectors, with

216 views • 7 slides

More recommend