
Page 1: Assessing and Improving the Quality of DNSSEC Deployment

Casey Deccio, Ph.D.
Sandia National Laboratories

AIMS-4, CAIDA, SDSC, San Diego, CA
Feb 9, 2012

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

Page 2: Outline

- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions

Page 3: DNS Security Extensions (DNSSEC)

- RRsets signed with zone’s private key(s)
- Signatures covering RRsets returned by server as RRSIGs
- Public keys published in zone data as DNSKEYs
- Resolver validates response
  - If authentic: Authenticated Data (AD) bit is set
  - If bogus: SERVFAIL message is returned

[Diagram: stub resolver, recursive/validating resolver, authoritative server for bar.com]
  stub resolver -> recursive resolver:        Query: www.bar.com/A ?
  recursive resolver -> authoritative server: Query: www.bar.com/A ?
  authoritative server -> recursive resolver: Answer: 192.0.2.16, RRSIG
  recursive resolver -> authoritative server: Query: bar.com/DNSKEY ?
  authoritative server -> recursive resolver: Answer: DNSKEY..., RRSIG
  recursive resolver validates
  recursive resolver -> stub resolver:        Answer: 192.0.2.16, AD

Page 4: Scalable authentication via a chain of trust

- DNSKEY must be authenticated
- Resolver must have some notion of trust
- Trust extends through ancestry to a trust anchor at resolver
- DS resource record: provides digest of DNSKEY in child zone

[Diagram: resolver trust anchor -> "." zone data (DNSKEY, DS) -> com zone data (DNSKEY, DS) -> bar.com zone data (DNSKEY); each DS in a parent points at a DNSKEY in the child]

Page 5: Backwards compatibility... kind of

- If no secure link exists between parent and child, referring (parent) server must prove nonexistence of DS RRs
- NSEC/NSEC3 resource records provide authenticated denial of existence
- Child zones of insecure delegations may be unsigned or signed (“islands of security”)

[Diagram: resolver trust anchor -> "." zone data (DNSKEY, DS) -> net zone data (DNSKEY, NSEC/DS) -> baz.net zone data (DNSKEY); net proves with NSEC that no DS exists for baz.net, so baz.net is an island of security]

Page 6: DNSSEC validation status

- Secure – unbroken chain from anchor to RRset

(Image from http://dnsviz.net/)

Page 7: DNSSEC validation status

- Insecure – chain that securely terminates (i.e., insecure delegation)

(Image from http://dnsviz.net/, annotated: "Secure chain termination")

Page 8: DNSSEC validation status

- Bogus – broken chain

(Image from http://dnsviz.net/, annotated: "Break in chain")

Page 9: Outline

- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions

Page 10: DNSSEC Maintenance

- RRSIG refresh
- DNSKEY rollovers
  - ZSK rollovers – non-SEP (secure entry point), self-contained
  - KSK rollovers – SEP requires interaction with parent or trust anchor
- Algorithm changes

Page 11: DNSSEC Misconfiguration

- DS Mismatch – No DNSKEY matching DS in parent zone
- DNSKEY Missing – DNSKEY not available to validate RRSIG
- NSEC Missing – NSEC RRs not returned by authoritative server
- RRSIG Missing – RRSIGs not returned by some servers
- RRSIG Bogus – Signature in RRSIG does not validate
- RRSIG Dates – Expired or premature RRSIG dates
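The following is an added worked example; it is not code from the talk or from DNSViz. It implements the DS-to-DNSKEY link described on pages 4 and 5 (key tag and SHA-256 DS digest as specified in RFC 4034) and walks a small constructed delegation tree to reach the three validation outcomes of pages 6 to 8, including the "DS Mismatch" and "DNSKEY Missing" cases listed on this page. The zone model, the key bytes and the scenario names are this example's assumptions; RRSIG signature verification is out of scope here, only the DS/DNSKEY links that make up the chain are checked.

```python
"""DS/DNSKEY linkage and chain-of-trust status (added example, not from the
slides or from DNSViz). Key tag and DS digest follow RFC 4034; the zone model,
keys and scenarios are constructed for illustration."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets) | protocol (1, always 3) | algorithm (1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for all algorithms except 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS (key tag, algorithm, digest type 2 = SHA-256, digest) for one DNSKEY;
    the digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_matches(owner: str, ds: tuple, dnskeys: list) -> bool:
    """True if some DNSKEY in the child's set is the one the parent's DS digests."""
    return any(make_ds(owner, k) == ds for k in dnskeys if k[3] == ds[1])


def parent_of(zone: str) -> str:
    rest = zone.split(".", 1)[1]
    return rest if rest else "."


def validate_chain(zones: dict, anchor: str, target: str) -> tuple:
    """Walk the delegation chain from `anchor` (trusted a priori) down to `target`.
    zones[name] = {"dnskeys": [rdata, ...] ([] if the DNSKEY RRset is unavailable),
                   "ds": [ds, ...] as served by the parent, [] if the parent proved
                   (NSEC/NSEC3) that no DS exists, None if it returned neither}
    Returns (status, reason) with status "secure", "insecure" or "bogus"."""
    path, name = [], target
    while name != anchor:
        if name == ".":
            raise ValueError(f"{anchor} is not an ancestor of {target}")
        path.append(name)
        name = parent_of(name)
    for zone in reversed(path):  # top-down, nearest to the anchor first
        rec = zones[zone]
        if rec["ds"] is None:
            return "bogus", f"{zone}: parent returned no DS and no NSEC/NSEC3 proof"
        if not rec["ds"]:
            return "insecure", f"{zone}: parent proved no DS (insecure delegation)"
        if not rec["dnskeys"]:
            return "bogus", f"{zone}: DNSKEY Missing (DS present, DNSKEY unavailable)"
        if not any(ds_matches(zone, ds, rec["dnskeys"]) for ds in rec["ds"]):
            return "bogus", f"{zone}: DS Mismatch (no DNSKEY matches parent DS)"
    return "secure", f"{target}: unbroken chain from {anchor}"


# Constructed key material: byte patterns stand in for real public keys.
ROOT_KSK = dnskey_rdata(257, 8, bytes(range(1, 33)))
COM_KSK = dnskey_rdata(257, 8, bytes(range(33, 65)))
BAR_KSK = dnskey_rdata(257, 8, bytes(range(65, 97)))
BAR_OLD_KSK = dnskey_rdata(257, 8, bytes(range(97, 129)))
NET_KSK = dnskey_rdata(257, 8, bytes(range(129, 161)))
BAZ_KSK = dnskey_rdata(257, 8, bytes(range(161, 193)))


def scenarios() -> dict:
    """Four constructed delegation trees, one per outcome; "." is the trust anchor."""
    root = {".": {"dnskeys": [ROOT_KSK], "ds": None}}
    com = {"com.": {"dnskeys": [COM_KSK], "ds": [make_ds("com.", COM_KSK)]}}
    net = {"net.": {"dnskeys": [NET_KSK], "ds": [make_ds("net.", NET_KSK)]}}
    return {
        "secure": {**root, **com, "bar.com.": {"dnskeys": [BAR_KSK], "ds": [make_ds("bar.com.", BAR_KSK)]}},
        # net proves with NSEC that baz.net has no DS; baz.net is still signed (island of security)
        "insecure": {**root, **net, "baz.net.": {"dnskeys": [BAZ_KSK], "ds": []}},
        # KSK rolled in bar.com but the parent still publishes the DS of the retired key
        "ds_mismatch": {**root, **com, "bar.com.": {"dnskeys": [BAR_KSK], "ds": [make_ds("bar.com.", BAR_OLD_KSK)]}},
        # DS present in the parent but the child's DNSKEY RRset cannot be obtained
        "dnskey_missing": {**root, **com, "bar.com.": {"dnskeys": [], "ds": [make_ds("bar.com.", BAR_KSK)]}},
    }


def classify_all() -> dict:
    targets = {"secure": "bar.com.", "insecure": "baz.net.", "ds_mismatch": "bar.com.", "dnskey_missing": "bar.com."}
    return {name: validate_chain(zones, ".", targets[name]) for name, zones in scenarios().items()}


if __name__ == "__main__":
    for name, (status, reason) in classify_all().items():
        print(f"{name:15s} {status:9s} {reason}")
```

The "ds_mismatch" scenario is the KSK-rollover failure mode from page 10: the child's SEP key changed, but the parent (or the trust anchor) was not updated, so the DS still digests the old key and the whole subtree turns bogus.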

Page 12: DNSSEC is hard.

Page 13: Jan 10, 2012 – Comcast turned on DNSSEC validation for all its residential customers.

http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html

Page 14: Jan 18, 2012 – Comcast customers could not access nasa.gov.

http://forums.comcast.com/t5/Connectivity-and-Modem-Help/NASA-gov-blocked/td-p/1169657
http://nasawatch.com/archives/2012/01/comcast-blocks.html

Page 15: Jan 22, 2012 – Comcast customers could not access bitcoinica.com.

http://www.reddit.com/r/Bitcoin/comments/orzpq/attention_comcast_users_we_have_been_censored/

Page 16: Comcast is clearly “censoring” these sites. But why?

Enter DNSViz…

Page 17: DNSViz

- Actively monitors domains from a single vantage point
- Makes results available for visual analysis at http://dnsviz.net/

[Diagram: DNSViz server querying the com, foo.com and bar.com zones]

Page 18: [image-only slide; no text extracted]

Page 19: [image-only slide; no text extracted]

Page 20: But, they “fixed” it…

Page 21: Outline

- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions

Page 22: DNSSEC deployment survey

- Polled ~2,700 production signed zones over a year time frame (May 2010 – July 2011)
- Validation of SOA RR analyzed several times daily, anchored at ISC DLV or root zone (after July 2010 root signing)
- Identified maintenance and misconfigurations

Page 23: Survey breakdown by TLD

[Figure: bar chart per TLD; y-axis "Zones" 0–900; two series: "Zones" and "Zones with misconfiguration"; x-axis "TLD"]

Page 24: RRSIG lifetimes

[Figure: CDF of RRSIG lifetime; y-axis "CDF" 0–1, x-axis "Days" 0–360; two series: "RRSIG(DNSKEY) all zones" and "RRSIG(DNSKEY) zones with expired RRSIG"]
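Added worked example, not code from the talk or from DNSViz: the "RRSIG refresh" task of page 10, the "RRSIG Dates" misconfiguration of page 11 and the lifetime measurement of this page all come down to the inception and expiration fields of an RRSIG. The block below parses RRSIG records in presentation format (RFC 4034 section 3.2), classifies each as valid, expired or premature against a fixed clock, reports the signature lifetime in days, and flags signatures that need re-signing before they lapse. The sample records, the pinned clock and the one-day refresh margin are constructed for illustration; the signature field is a placeholder and is not cryptographically verified.

```python
"""RRSIG date and lifetime checks (added example, not from the slides or from
DNSViz). Records, clock and refresh margin are constructed for illustration;
the signature itself is not verified, only its validity window."""
from datetime import datetime, timedelta, timezone


def parse_rrsig_time(text: str) -> datetime:
    """RRSIG expiration/inception in YYYYMMDDHHmmSS form, always UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Split an RRSIG presentation-format line into its fields.
    Layout: owner TTL class RRSIG type-covered algorithm labels original-TTL
            expiration inception key-tag signer signature (base64, may be split)"""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def check_rrsig(line: str, now: datetime, refresh_margin: timedelta = timedelta(days=1)) -> dict:
    """Classify one RRSIG's validity window and flag it for refresh when less
    than `refresh_margin` of the window remains (or it has already lapsed)."""
    sig = parse_rrsig(line)
    if now < sig["inception"]:
        status = "premature"   # signed with dates in the future, e.g. a skewed signer clock
    elif now > sig["expiration"]:
        status = "expired"     # re-signing did not happen in time
    else:
        status = "valid"
    lifetime = sig["expiration"] - sig["inception"]
    remaining = sig["expiration"] - now
    return {
        "owner": sig["owner"], "type_covered": sig["type_covered"], "status": status,
        "lifetime_days": lifetime.days,
        "remaining_hours": round(remaining.total_seconds() / 3600, 1),
        "needs_refresh": status != "premature" and remaining < refresh_margin,
    }


def audit(lines: list, now: datetime) -> list:
    """Run check_rrsig over a set of records and keep only those needing attention."""
    return [r for r in (check_rrsig(line, now) for line in lines)
            if r["status"] != "valid" or r["needs_refresh"]]


# Constructed sample records; the clock is pinned to the talk's date (Feb 9, 2012, 12:00 UTC).
NOW = datetime(2012, 2, 9, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    "bar.com.  3600 IN RRSIG SOA 8 2 3600 20120301000000 20120201000000 12345 bar.com.  c29tZQ==",
    "old.com.  3600 IN RRSIG SOA 8 2 3600 20120131000000 20120101000000 22222 old.com.  c29tZQ==",
    "new.com.  3600 IN RRSIG SOA 8 2 3600 20120401000000 20120301000000 33333 new.com.  c29tZQ==",
    "soon.com. 3600 IN RRSIG SOA 8 2 3600 20120210060000 20120110060000 44444 soon.com. c29tZQ==",
]

if __name__ == "__main__":
    for r in audit(SAMPLE, NOW):
        print(r)
```

Validators typically tolerate some clock skew at both ends of the window; this check does not, so it errs toward reporting a problem early. The refresh margin should in practice be larger than the longest TTL of the covered RRset plus the propagation delay to all secondaries, otherwise cached copies of the old signature expire before the new one reaches every server (the "RRSIG Missing" and "RRSIG Dates" cases that only some servers exhibit).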

Page 25: DNSKEY rollovers

Key role | Zones that did not roll key (0) | Zones that rolled key once (1) | Zones that rolled key more than once (>1)
ZSK      | 37%                             | 11%                            | 52%
KSK      | 72%                             | 17%                            | 10%

Page 26: DNSKEY lifetime

[Figure: CDF of DNSKEY lifetime; y-axis "CDF" 0–1, x-axis "Days" 0–390; three series: "KSK lifetime", "ZSK lifetime" and "KSK lifetime (zones w/ bad rollover)"]

Page 27: Misconfigurations by type

[Figure: stacked bar chart; y-axis 0–3000; categories DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates; series "Incremental", "Partial" and "Complete"]

Page 28: Event duration

[Figure: CDF of event duration; y-axis "CDF" 0–1, x-axis 1–15 (unit not labeled in the extracted text); one series per type: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates]

Page 29: Repeat offense rate

[Figure: bar chart; y-axis 0–0.6; one bar per type: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates]
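Added worked example, not code from the talk or from DNSViz, for the two metrics on pages 28 and 29. Given per-zone daily observations of the kind the survey on page 22 collected, it finds misconfiguration events, their durations (the input to a duration CDF) and, per misconfiguration type, the share of affected zones that experienced the problem more than once. The observation series are constructed, and the definitions used here (an event is a maximal run of consecutive daily polls showing the same misconfiguration; a repeat offender is a zone with more than one event of a given type) are this example's assumptions, not the survey's stated method.

```python
"""Event duration and repeat-offense analysis (added example, not from the
slides). Observation series are constructed; the event and repeat-offender
definitions are assumptions of this example."""
from collections import defaultdict
from itertools import groupby

OK = "ok"

# Constructed observations: one status per daily poll, ten consecutive days.
OBSERVATIONS = {
    "a.example.": [OK, OK, "RRSIG Dates", "RRSIG Dates", OK, OK, OK, "RRSIG Dates", OK, OK],
    "b.example.": ["DS Mismatch"] * 5 + [OK] * 5,
    "c.example.": [OK] * 10,
    "d.example.": [OK, "RRSIG Dates", OK, "RRSIG Dates", OK, "RRSIG Dates", OK, OK, OK, OK],
    "e.example.": [OK] * 7 + ["RRSIG Dates"] * 3,   # still broken at the last poll
}


def events(series: list) -> list:
    """(type, first_day, duration_days, ongoing) for each maximal run of one
    misconfiguration type. Days are 1-based; `ongoing` marks an event that had
    not ended when polling stopped (its duration is a lower bound)."""
    out, day = [], 1
    for status, run in groupby(series):
        length = len(list(run))
        if status != OK:
            out.append((status, day, length, day + length - 1 == len(series)))
        day += length
    return out


def event_durations(observations: dict) -> dict:
    """Per type, the list of event durations over all zones."""
    durations = defaultdict(list)
    for series in observations.values():
        for kind, _, length, _ in events(series):
            durations[kind].append(length)
    return dict(durations)


def repeat_offense_rate(observations: dict) -> dict:
    """Per type, fraction of zones with that misconfiguration that had more than one event."""
    affected, repeaters = defaultdict(int), defaultdict(int)
    for series in observations.values():
        counts = defaultdict(int)
        for kind, *_ in events(series):
            counts[kind] += 1
        for kind, n in counts.items():
            affected[kind] += 1
            if n > 1:
                repeaters[kind] += 1
    return {kind: repeaters[kind] / affected[kind] for kind in affected}


def cdf(values: list) -> list:
    """Empirical CDF as (value, fraction of samples <= value) pairs."""
    ordered = sorted(values)
    n = len(ordered)
    return [(v, sum(1 for x in ordered if x <= v) / n) for v in sorted(set(ordered))]


if __name__ == "__main__":
    for kind, d in event_durations(OBSERVATIONS).items():
        print(kind, "durations:", sorted(d), "CDF:", cdf(d))
    print("repeat offense rate:", repeat_offense_rate(OBSERVATIONS))
```

Two caveats a practitioner would want when reproducing this on real survey data: an event that is still open at the end of the observation window is right-censored (its true duration is longer than measured), and a daily poll cannot resolve outages shorter than the polling interval, so the duration CDF is coarse at the low end.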

Page 30: IPv6 analysis

[image-only slide; no further text extracted]

Page 31: IPv6 inconsistencies

[image-only slide; no further text extracted]

Page 32: Outline

- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions

Page 33: Summary of Observations

- Resolver operators are learning about third-party DNSSEC misconfigurations from their customers.
- Administrators aren’t detecting and correcting their DNSSEC problems in a timely fashion.
- Administrators aren’t learning from past mistakes.

Page 34: Solutions

- Tools for comprehensive DNSSEC analysis
  - Hierarchical analysis (chain of trust)
  - Dependency analysis (CNAME, MX, NS, etc.)
  - Server consistency analysis
  - Pointers to specification
  - Resources for corrective action
- Tools/resources for detection/notification of misconfiguration
  - Individual monitoring and alerts
  - Global monitoring and alerts

Page 35: DNSViz – future plans

- Expansion of detailed analysis
- Passive monitoring, in addition to active monitoring
- Diverse backend support, e.g., ISC Security Information Exchange (SIE)
- Prioritized active probing
- Alerts of misconfiguration
- RESTful API for programmatic third-party monitoring
- Cache analysis/local perspective
- Availability of software for diverse uses

Page 36: [image-only slide; no text extracted]

Page 37: Questions?

ctdecci@sandia.gov