Assessing and Improving the Quality of DNSSEC Deployment
Casey Deccio, Ph.D., Sandia National Laboratories
AIMS-4, CAIDA, SDSC, San Diego, CA
Feb 9, 2012

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
Outline
- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions
DNS Security Extensions (DNSSEC)
- RRsets signed with zone’s private key(s)
- Signatures covering RRsets returned by server as RRSIGs
- Public keys published in zone data as DNSKEYs
- Resolver validates response
  - If authentic: Authenticated data (AD) bit is set
  - If bogus: SERVFAIL message is returned

(Diagram: stub resolver, recursive/validating resolver, and authoritative server for bar.com)
stub resolver -> recursive/validating resolver: Query: www.bar.com/A ?
recursive/validating resolver -> authoritative server: Query: www.bar.com/A ?
authoritative server -> recursive/validating resolver: Answer: 192.0.2.16, RRSIG
recursive/validating resolver -> authoritative server: Query: bar.com/DNSKEY ?
authoritative server -> recursive/validating resolver: Answer: DNSKEY…, RRSIG
recursive/validating resolver: validate
recursive/validating resolver -> stub resolver: Answer: 192.0.2.16, AD
Scalable authentication via a chain of trust
- DNSKEY must be authenticated
- Resolver must have some notion of trust
- Trust extends through ancestry to a trust anchor at resolver
- DS resource record – provides digest of DNSKEY in child zone

(Diagram: Resolver trust anchor -> "." zone data: DNSKEY, DS -> com zone data: DNSKEY, DS -> bar.com zone data: DNSKEY)
Backwards compatibility… kind of
- If no secure link exists between parent and child, referring (parent) server must prove nonexistence of DS RRs
- NSEC/NSEC3 resource records provide authenticated denial of existence
- Child zones of insecure delegations may be unsigned or signed (“islands of security”)

(Diagram: Resolver trust anchor -> "." zone data: DNSKEY, DS -> net zone data: DNSKEY, NSEC/DS -> baz.net zone data: DNSKEY)
DNSSEC validation status
- Secure – unbroken chain from anchor to RRset
(Image from http://dnsviz.net/)

DNSSEC validation status
- Insecure – chain that securely terminates (i.e., insecure delegation)
(Image from http://dnsviz.net/; callout: "Secure chain termination")

DNSSEC validation status
- Bogus – broken chain
(Image from http://dnsviz.net/; callout: "Break in chain")
Outline
- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions
DNSSEC Maintenance
- RRSIG refresh
- DNSKEY rollovers
  - ZSK rollovers – non-SEP (secure entry point), self-contained
  - KSK rollovers – SEP requires interaction with parent or trust anchor
- Algorithm changes
DNSSEC Misconfiguration
- DS Mismatch – No DNSKEY matching DS in parent zone
- DNSKEY Missing – DNSKEY not available to validate RRSIG
- NSEC Missing – NSEC RRs not returned by authoritative server
- RRSIG Missing – RRSIGs not returned by some servers
- RRSIG Bogus – Signature in RRSIG does not validate
- RRSIG Dates – Expired or premature RRSIG dates
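The DS-to-DNSKEY link from the chain-of-trust slides and the "DS Mismatch" case above, as an added Python example that is not from the slides or from DNSViz itself: it computes DS digests and key tags per RFC 4034 and classifies a delegation as secure, insecure or bogus. The owner name bar.com and all key bytes are constructed placeholders; the insecure branch assumes the parent's lack of a DS has already been proven by NSEC/NSEC3, which this code does not check.

```python
import hashlib
import struct

# Added example (not from the slides or the DNSViz code base): the DS/DNSKEY
# relationship of RFC 4034, used to classify a delegation as secure, insecure
# or bogus. All key material used with it is constructed, not from a real zone.

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY (RFC 4034 Appendix B, for algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types: SHA-1, SHA-256

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def delegation_status(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Classify the parent-to-child link the way the slides do.

    parent_ds: (key_tag, algorithm, digest_type, digest) tuples from the parent.
    child_dnskeys: DNSKEY RDATA values published by the child.
    'insecure': parent publishes no DS (a real validator requires NSEC/NSEC3
    proof of that absence); 'secure': some DS matches a child DNSKEY;
    'bogus': DS present but no DNSKEY matches, the "DS Mismatch" case.
    """
    if not parent_ds:
        return "insecure"
    for tag, alg, dtype, digest in parent_ds:
        for rdata in child_dnskeys:
            if (rdata[3] == alg and key_tag(rdata) == tag
                    and ds_digest(owner, rdata, dtype) == digest):
                return "secure"
    return "bogus"
```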
DNSSEC is hard.
Jan 10, 2012 – Comcast turned on DNSSEC validation for all its residential customers.
http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html

Jan 18, 2012 – Comcast customers could not access nasa.gov.
http://forums.comcast.com/t5/Connectivity-and-Modem-Help/NASA-gov-blocked/td-p/1169657
http://nasawatch.com/archives/2012/01/comcast-blocks.html

Jan 22, 2012 – Comcast customers could not access bitcoinica.com.
http://www.reddit.com/r/Bitcoin/comments/orzpq/attention_comcast_users_we_have_been_censored/

Comcast is clearly “censoring” these sites. But why?
Enter DNSViz…
DNSViz
- Actively monitors domains from a single vantage point
- Makes results available for visual analysis at http://dnsviz.net/

(Diagram: DNSViz server querying com, foo.com and bar.com)

(Two slides of DNSViz output images)

But, they “fixed” it…
Outline
- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions
DNSSEC deployment survey
- Polled ~2,700 production signed zones over a year time frame (May 2010 – July 2011)
- Validation of SOA RR analyzed several times daily, anchored at ISC DLV or root zone (after July 2010 root signing)
- Identified maintenance and misconfigurations
Survey breakdown by TLD
(Figure: bar chart per TLD; y-axis "Zones", 0–900; series: Zones, Zones with misconfiguration)
RRSIG lifetimes
(Figure: CDF of RRSIG(DNSKEY) lifetime; x-axis "Days", 0–360; y-axis CDF, 0–1; series: RRSIG(DNSKEY) all zones, RRSIG(DNSKEY) zones with expired RRSIG)
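The RRSIG lifetime measured above and the "RRSIG Dates" misconfiguration (expired or premature signatures) both come down to the inception and expiration fields of an RRSIG. The following added Python example, which is not from the slides or from DNSViz, parses presentation-format RRSIG RDATA, classifies each signature at a given time, and flags signatures that are already bad or close to expiring; the records, the signer bar.com, the key tag and the "now" of 2012-02-09 are constructed.

```python
from datetime import datetime, timezone

# Added example (not from the slides or the DNSViz code base): RRSIG validity
# windows, the check behind the survey's "RRSIG Dates" misconfiguration and its
# RRSIG lifetime measurement. The RRSIG records below are constructed samples.

TALK_DATE = datetime(2012, 2, 9, tzinfo=timezone.utc)  # used as "now" below

def parse_rrsig_time(field: str) -> datetime:
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_rrsig(rrsig: str, now: datetime) -> dict:
    """Classify one presentation-format RRSIG RDATA string at time 'now'.

    Field order: type-covered algorithm labels original-TTL expiration inception
    key-tag signer signature. Status is 'premature', 'expired' or 'valid';
    remaining_days is how long until validators start returning SERVFAIL.
    """
    type_covered, _alg, _labels, _ttl, exp, inc, tag, signer = rrsig.split()[:8]
    inception, expiration = parse_rrsig_time(inc), parse_rrsig_time(exp)
    if now < inception:
        status = "premature"
    elif now > expiration:
        status = "expired"
    else:
        status = "valid"
    day = 86400.0
    return {"type_covered": type_covered, "signer": signer, "key_tag": int(tag),
            "status": status,
            "lifetime_days": (expiration - inception).total_seconds() / day,
            "remaining_days": (expiration - now).total_seconds() / day}

def rrsigs_needing_attention(rrsigs, now, warn_days=3.0):
    """(type, signer, status) for records already bad or within warn_days of
    expiring: the per-zone alert the slides call for, raised before validators fail."""
    findings = []
    for r in rrsigs:
        a = audit_rrsig(r, now)
        if a["status"] != "valid" or a["remaining_days"] < warn_days:
            findings.append((a["type_covered"], a["signer"], a["status"]))
    return findings

# Constructed samples: a healthy DNSKEY signature, an expired SOA signature,
# a not-yet-valid A signature, and an MX signature one day from expiring.
SAMPLE_RRSIGS = [
    "DNSKEY 8 2 3600 20120301000000 20120201000000 12345 bar.com. c29tZS1zaWc=",
    "SOA 8 2 3600 20120201000000 20120101000000 12345 bar.com. c29tZS1zaWc=",
    "A 8 3 3600 20120401000000 20120301000000 12345 bar.com. c29tZS1zaWc=",
    "MX 8 2 3600 20120210000000 20120110000000 12345 bar.com. c29tZS1zaWc=",
]
```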
DNSKEY rollovers

Key role | Zones that did not roll key (0) | Zones that rolled key once (1) | Zones that rolled key more than once (>1)
ZSK      | 37%                             | 11%                            | 52%
KSK      | 72%                             | 17%                            | 10%
DNSKEY lifetime
(Figure: CDF of key lifetime; x-axis "Days", 0–390; y-axis CDF, 0–1; series: KSK lifetime, ZSK lifetime, KSK lifetime (zones w/ bad rollover))
Misconfigurations by type
(Figure: stacked bar chart, count 0–3000, per type: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates; series: Incremental, Partial, Complete)
Event duration
(Figure: CDF of event duration; x-axis 1–15; y-axis CDF, 0–1; series: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates)
Repeat offense rate
(Figure: bar chart, rate 0–0.6, per type: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates)
IPv6 analysis
(Figure)

IPv6 inconsistencies
(Figure)
Outline
- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions
Summary of Observations
- Resolver operators are learning about third-party DNSSEC misconfigurations from their customers.
- Administrators aren’t detecting and correcting their DNSSEC problems in a timely fashion.
- Administrators aren’t learning from past mistakes.
Solutions
- Tools for comprehensive DNSSEC analysis
  - Hierarchical analysis (chain of trust)
  - Dependency analysis (CNAME, MX, NS, etc.)
  - Server consistency analysis
  - Pointers to specification
  - Resources for corrective action
- Tools/resources for detection/notification of misconfiguration
  - Individual monitoring and alerts
  - Global monitoring and alerts
DNSViz – future plans
- Expansion of detailed analysis
- Passive monitoring, in addition to active monitoring
  - Diverse backend support, e.g., ISC Security Information Exchange (SIE)
  - Prioritized active probing
- Alerts of misconfiguration
- RESTful API for programmatic third-party monitoring
- Cache analysis/local perspective
- Availability of software for diverse uses