A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Transcription

1 A Longitudinal, End-to-End View of the DNSSEC Ecosystem Taejoong (tijay) Chung, Roland van Rijswijk-Deij, Bala Chandrasekaran David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1

2 Domain Name System (DNS) Browser example.com A records DNS Resolver example.com A records example.com's Authoritative DNS Server

3 DNS Spoofing Browser example.com A records DNS Resolver example.com A records example.com's Authoritative DNS Server 3

4 DNS Spoofing Browser example.com A records DNS Resolver example.com example.com's Authoritative Authoritative DNS DNS Server Server A records

5 DNSSEC 101 DNS Resolver A records w/ DO bit example.com's Authoritative DNS Server A records RRSIG Sign! A records DNSKEY 5

6 DNSSEC 101 DNS Resolver A records w/ DO bit example.com's Authoritative DNS Server A records A records RRSIG DNSKEY A records A records DNSKEY w/ DO bit 6

7 DNSSEC 101 Hierarchical Structure Chain-of-Trust. (root zone) DNSKEY.com DNSKEY DNS Resolver A records DNSKEY example.com's Authoritative DNS Server A records w/ DO bit 7

8 DNSSEC 101 Hierarchical Structure Chain-of-Trust DNSKEY. (root zone) DNSKEY DNSKEY.com DNSKEY DNS Resolver A records DNSKEY example.com's Authoritative DNS Server A records w/ DO bit 8

9 DNSSEC 101 Hierarchical Structure Chain-of-Trust DNSKEY DNSKEY DNSKEY 9

10 DNSSEC 101 Hierarchical Structure Chain-of-Trust DNSKEY DS Record.com RRSIG DNSKEY example.com's Authoritative DNS Server DNSKEY DS Record =Hash( ) DNSKEY 10

11 DNSSEC 101 Two DNSKEYs.com DS Record = Hash of example.com's Authoritative DNS Server DNSKEYs A records RRSIG of DNSKEY RRSIG of A key signing key (KSK) zone signing key (ZSK) 11

12 Summary of DNSSEC 101 Three essential elements for DNSSEC RRSIG DNSKEY DS Record has to be uploaded to the parent zone Resolvers need to verify all signatures along the chains of trust DNSSEC can only function correctly when all principals (server and resolver) work correctly 12

13 Open Question How s the DNSSEC PKI ecosystem managed?

14 Contribution Longitudinal Comprehensive All Angles 14

15 Outline How DNSSEC deployed How DNSSEC managed How resolvers use DNSSEC Authoritative Server Resolver 15

16 Correct Deployment for Authoritative Servers DNSKEY (1) Have DNSKEYs RRSIGs (2) Generate Signatures Valid RRSIGs (3) Valid Signatures (Not expired, correctly signed) DS record Uploads (4) Generate and upload DS record to the parent zone Valid DS record (5) Valid DS record (matched with DNSKEYs) 16

17 Dataset Daily Scans* TLDs.com,.org.,.net # of domains 147M domains Interval every day Period 2015/03/01 ~ 2016/12/31 Over 750 billion DNS Records * 17

18 DNSSEC Deployment DNSKEY ~1.0% RRSIGs Valid RRSIGs DS record Uploads Percent of domains with DNSKEY record Deployment 0.4.com 0.2.net.org 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Date DNSSEC deployment is rare, but growing Valid DS record Are they correctly deployed? 18

19 Missing RRSIG records DNSKEY ~1.0% 2.5 RRSIGs ~0.3% Valid RRSIGs DS record Uploads Valid DS record Percent of domains missing RRSIGs com.net.org missing DomainMonster SOA RRSIG missing DNSKEY RRSIG KSK 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Missing RRSIGs RRSIGs are rarely missing (0.3%) ZSK 19

20 Incorrect RRSIG records DNSKEY ~1.0% RRSIGs Valid RRSIGs DS record Uploads Valid DS record ~0.3% ~0.5% Percent of domains with specific failure reasons Invalid RRSIGs Expired Expired.com.net.org Invalid Signature Invalid Signatures 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 RRSIGs are managed well (~0.5%) 20

21 Missing DS records DNSKEY ~1.0% RRSIGs ~0.3% Valid RRSIGs ~0.5% Percent of domains missing DS record com 5.net.org 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 DS record Uploads ~30% Valid DS record DS Records Nearly 30% of domains DO NOT upload DS records! 21

22 Incorrect DS records DNSKEY ~1.0% RRSIGs ~0.3% Valid RRSIGs DS record Uploads Valid DS record ~0.5% ~30% ~0.2% Percent of domains having incorrect DS record Incorrect DS record.com 0.05.net.org 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Once DS record is generated, it is managed very well (~0.2%) 22

23 Choosing Authoritative Nameserver example.com example.com $ $$ Selfhosted example.com's Authoritative DNS Server example.com's Authoritative DNS Server 23

24 Why are DS records missing? Nameservers # of domains w/ DS w/ DNSKEY DS Publishing Ratio ovh.net 315, , % loopia.se 1 131, % hyp.net 93,946 94, % transip.net 91,009 91, % domainmonster.com 4 60, % anycast.me 51,403 52, % transip.nl 46,971 47, % binero.se 17,099 44, % ns.cloudflare.com 17,483 28, % is.nl 11 15, % pcextreme.nl 14,801 14, % webhostingserver.nl 10,655 14, % registrar-servers.com 11,463 13, % ns0.nl 12,674 12, % citynetwork.se 13 11, % 24

25 Why are DS records missing? Nameservers # of domains w/ DS w/ DNSKEY DS Publishing Ratio ovh.net 315, , % loopia.se 1 131, % hyp.net 93,946 94, % transip.net 91,009 91, % domainmonster.com 4 60, % anycast.me 51,403 52, % transip.nl 46,971 47, % binero.se 17,099 44, % ns.cloudflare.com 17,483 28, % is.nl 11 15, % pcextreme.nl 14,801 14, % webhostingserver.nl 10,655 14, % registrar-servers.com 11,463 13, % ns0.nl 12,674 12, % citynetwork.se 13 11, % 25

26 Why are DS records missing? Nameservers # of domains w/ DS w/ DNSKEY DS Publishing Ratio ovh.net 315, , % loopia.se 1 131, % hyp.net 93,946 94, % transip.net 91,009 91, % domainmonster.com 4 60, % anycast.me 51,403 52, % transip.nl 46,971 47, % binero.se 17,099 44, % ns.cloudflare.com base. 17,483 28, % is.nl 11 15, % pcextreme.nl 14,801 14, % webhostingserver.nl 10,655 14, % registrar-servers.com 11,463 13, % ns0.nl 12,674 12, % citynetwork.se 13 11, % Most people do not understand DNS, so imagine the white faces when I mention DNSSEC... I don t think DNSSEC has a high priority anymore currently in our organization or our customer 26

27 Summary of DNSSEC Deployment DNSSEC deployment is still rare, but increasing The major reason of broken DNSSEC is due to the missing DS record Missing RRSIG record: ~ 0.3% Incorrect RRSIG record: ~ 0.3 % Incorrect DS record: ~ 0.2% Missing DS Record: ~ 30% Most of the DNSSEC-support softwares (BIND, Windows Server 2012, PowerDNS, OpenDNSSEC) manage the keys automatically. Regardless, the process to upload DS record is totally dependent on the administrator! 27

28 Outline 30% of domain miss DS records! How DNSSEC deployed How DNSSEC managed How resolver use DNSSEC Authoritative Server Resolver 28

29 Good Steps to Deploy DNSSEC Strong Key (1) Have a cryptographically strong key No Reuse (2) Don t reuse across multiple domains Regular Rollover (3) Replace on a regular basis 29

30 Good Steps to Deploy DNSSEC Strong Key (1) Have a cryptographically strong key No Reuse (2) Don t reuse across multiple domains Regular Rollover (3) Replace on a regular basis 30

31 Key Strength Strong Key No Reuse Regular Rollover 8.3% (ZSK) 66.7% (KSK) Percent of domains with weak keys com.net.org ZSK ZSKs KSK 20 KSKs 0 02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16 Weak Keys 91.7% of ZSK and 33.3% of KSK are weak! 31

32 Key Reuse Strong Key No Reuse Regular Rollover 91.7% (ZSK) 33.3% (KSK) ~0.1% 45.0% (ZSK) 70.0% (KSK) CDF DNSKEY Sharing ZSK.com.net.org KSK x10 6 KSK.com.net.org ZSK x10 6 Number of Domains Grouped Together Some keys are reused extensively (among 106,640 domains) 32

33 Outline 30% of domain miss DS records! 33% weak 45~70% not switched How DNSSEC deployed How DNSSEC managed How resolver use DNSSEC Authoritative Server Resolver 33

34 Correct Deployment for Resolvers DO Bit (1) DNSSEC OK bit in the header Validation (2) Validate DNSSEC Records 34

35 Measuring DNS resolver Measurement Node DNS Resolver Ads Client Comcast Network No Control over the node Not Reproducible Authoritative DNS Server 35

36 Luminati AT&T Local DNS Resolver Verizon Measurement Node Residential Proxy Node Comcast Authoritative DNS Server Rogers Control over the node Reproducible Scales Deutsche Telekom 36

37 Luminati Local DNS Resolver Measurement Node Comcast Residential Node Control over the node Reproducible Scales Authoritative DNS Server 37

38 Methodology A records w/ DO bit Local DNS Resolver A records RRSIG Authoritative DNS Server (Our testbed) + 8 other scenarios of incorrect DNSSEC records 38

39 Resolvers w/ DO Bit DO Bit - 4,427 resolvers - 83% of them are DO-bit enabled Validation 39

40 Resolvers w/ DO Bit DO Bit - 4,427 resolvers - 83% of them are DO-bit enabled - 3,635 (82%) fail to validate DNSSEC records Validation Time Warner Cable Internet Rogers Cable Communications (12.2%) correctly validate DNSSEC records Comcast Google 40

41 Open Resolver Tests Provide DO Bit Requested DS DNSKEY Validated? Verisign YES YES YES YES Google YES YES YES YES DNSWatch YES YES YES YES DNS Advantage YES YES YES YES Norton ConnectSafe YES YES YES YES Level3 YES NO NO NO Comodo Secure DNS YES NO NO NO SafeDNS YES NO NO NO Dyn YES NO NO NO GreenTeamDNS* YES/NO YES YES NO OpenDNS NO NO NO NO OpenNIC NO NO NO NO FreeDNS NO NO NO NO Alternate DNS NO NO NO NO Yandex DNS NO NO NO NO 41

42 Conclusion Presented a longitudinal, end-to-end study of DNSSEC ecosystem DNSSEC deployment from server-side is rare but growing But, 33% of them are mis-configured DNSKEYs are not managed well Weak Some are shared Rarely updated DNSSEC deployment from client-side is also rare Only 12% of resolvers validate responses Datasets and source code will be available. 42

43 Recommendations Use CDS (Child DS) / CDNSKEY (Child DNSKEY) Automates DNSSEC delegation trust maintenance Modern resolvers (e.g., BIND >= 9.5 ) set DO bit by default, but make sure that it actually validates. Financial incentives for registrars to deploy DNSSEC would work.se and.nl cctld Please read our upcoming paper Understanding the Role of Registrars in DNSSEC Deployment [IMC 17] 43

44 Conclusion Presented a longitudinal, end-to-end study of DNSSEC ecosystem DNSSEC deployment from server-side is rare but growing But, 33% of them are mis-configured DNSKEYs are not managed well Weak Some are shared Rarely updated DNSSEC deployment from client-side is also rare Only 12% of resolvers validate responses Datasets and source code will be available. 44

45 Questions? 45

46 Why DNSSEC Deployment is so Low? Understanding the Role of Registrars in DNSSEC Deployment [IMC 17] 46

47 Ethical Consideration Subject Considration Luminati Paid for access Not violate ToS Not expose PII Exit Nodes Connects only our testbed Download Empty Page 47

48 Scenario and Intuition subdomains description requires DS requires DNSKEY missing-rrsig-a no signature for A record 0 0 invalid-rrsig-a invalid signature for A record 0 1 future-rrsig-a signature is not yet valid 0 0 past-rrsig-a signature is expired 0 0 missing-zsk ZSK used to sign A record is not in DNSKEY 0 1 missing-ksk KSK used to sign DNSKEY record is not in DNSKEY 0 1 missing-rrsig-ksk no signature for DNSKEY record 0 1 invalid-rrsig-ksk invalid signature for DNSKEY record 0 1 mismatch-ds DS record at parent zone is not accord with KSK

49 Structure of Domain Name Registry: organizations that manage top-level domains (TLDs). They maintain the TLD zone file (the list of all registered names), and work with registrars to sell domain names to the public. Verisign Registrar: organizations that are accredited by ICANN 3 and certified by registries to sell domains to the public. They have direct access to the registry. GoDaddy Reseller: organizations that sell domain names, but are either not accredited (by ICANN) or certified (by a given TLD s registry). Typically, resellers partner with registrars in order to sell domain names, and relay all information through the registrar. 49

50 DS record uploads 50

51 Key Sharing Nameservers KSK ZSK Keys Domains Keys Domains Others 151, ,144 ovh.net. 316, ,887 loopia.se. 133, ,258 hyp.net. 94,888 94,885 transip.net. 93,819 93,818 domainmonster.com. 60,984 60,984 anycast.me. 55,936 55,936 transip.nl. 45,676 45,675 binero.se. 44,963 44,963 ns.cloudflare.com. 28,469 28,469 is.nl. 12,837 12,836 pcextreme.nl. 15,210 15,210 webhostingserver.nl. 15,023 15,023 registrar-servers.com. 13,183 13,181 ns0.nl. 11,945 11,945 citynetwork.se. 11,702 11,702 51

52 Key Sharing Nameservers KSK ZSK Keys Domains Keys Domains Others 157, , , ,144 ovh.net. 318, , , ,887 loopia.se , ,258 hyp.net. 119,150 94, ,161 94,885 transip.net. 93,774 93, ,129 93,818 domainmonster.com. 60,991 60, ,939 60,984 anycast.me. 56,075 55,936 58,296 55,936 transip.nl. 45,648 45,676 91,161 45,675 binero.se , ,963 ns.cloudflare.com , ,469 is.nl. 12,834 12,837 25,512 12,836 pcextreme.nl. 15,192 15,210 28,654 15,210 webhostingserver.nl. 15,019 15,023 22,741 15,023 registrar-servers.com. 13,043 13,183 12,998 13,181 ns0.nl. 11,978 11,945 23,790 11,945 citynetwork.se , ,702 52

53 Rollover Abrupt Changes TTL = 3600 RRSIG RRSIG RRSIG ZSK ZSK ZSK t0 t t IP Address? A Record RRSIG ZSK Can t verify the signature! 53

54 Rollover Process (ZSK) <Pre-publish> RRSIG RRSIG RRSIG RRSIG ZSK ZSK ZSK ZSK ZSK ZSK t0 t1 t2 t3 Introducing a new key Retiring a signature Retiring the previous key 54

55 Rollover Process (ZSK) <Double-signature> RRSIG RRSIG ZSK ZSK RRSIG RRSIG ZSK ZSK t0 t1 t2 Introducing a new key and signature Retiring the previous key and signature 55

56 Rollover Process (KSK) <Double-signature> Parent Zone DS record DS record DS Record DS Record RRSIG RRSIG KSK KSK RRSIG RRSIG RRSIG RRSIG Child Zone KSK ZSK ZSK ZSK t0 t1 t2 t3 56

57 Rollover Process (KSK) <Double-DS> DS record DS record DS record DS Record Parent Zone DS Record DS Record RRSIG RRSIG RRSIG RRSIG Child Zone KSK KSK ZSK ZSK t0 t1 t2 t3 57

58 ZSK Rollovers Scheme.com.org No ZSK Rollovers 279,935 27,166 Abrupt 5, Double Signatures 58,807 9,615 Pre-publish 259,327 33,518 58

59 ZSK Rollovers Scheme.com.org No ZSK Rollovers 279,935 27,166 Abrupt 5, Double Signatures 58,807 9,615 Pre-publish 259,327 33,518 DNSKEY (ZSK) Nearly 45% of domains DO NOT switch their DNSKEYs 59

60 KSK Rollovers Scheme.com.net.org No KSK Rollovers 621,213 93,558 65,704 Abrupt 17,724 3,183 1,710 Double Signatures 219,547 46,092 32,206 60

61 KSK Rollovers Scheme.com.net.org No KSK Rollovers 621,213 93,558 65,704 Abrupt 17,724 3,183 1,710 Double Signatures 219,547 46,092 32,206 DNSKEY (KSK) Nearly 70% of domains DO NOT switch their DNSKEYs 61

62 Superfluous Signatures.com DS Record = Hash of A records DNSKEYs RRSIG of A RRSIG of DNSKEY example.com DNSKEYs RRSIG of DNSKEY zone signing key (ZSK) Unnecessary, but not evil! key signing key (KSK) 61% of domains sign their DNSKEY twice! so what? 62

63 DNSKEY Fragmentation CDF ,472 bytes (IPv4 limits) 1,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) 1,232 bytes (IPv6 limits) RRSIGs ksk DNSKEY Message Size 0.01% experience fragmentation 63

64 DNSKEY Fragmentation CDF ,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) DNSKEY Message Size 1,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) RRSIGs ksk RRSIGs zsk,ksk 0.8% experience fragmentation 60.7% of them could have avoided fragmentation 64

65 DNSKEY Fragmentation CDF ,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) DNSKEY Message Size 1,472 bytes (IPv4 limits) 1,232 bytes (IPv6 limits) RRSIGs ksk RRSIGs zsk,ksk RRSIGs zsk,ksk(2,048) 4.6% experience fragmentation (increased 5x times) DNSKEY Fragmentation Superfluous signatures increases the chance of fragmentation. 65

66 Hola Unblocker Get netflix.com HTTP 66

67 Hola Luminati example.com Hola user HTTP Luminati user Get example.com 67

68 Measurement Client Exit Node Exit Node s DNS Resolver DNS & Web server testbed.com DNSSEC response HTTP DNS Get testbed.com 68

69 We measured 403,355 nodes and their 59,513 resolvers! 69

70 Measurement Client Super Proxy Exit Node Exit Node s DNS Server DNS Response Get testbed.com HTTP DNS 70