Step by step DNSSEC deployment in.se. Anne-Marie Eklund Löwinder Quality & Security

Transcription

1 Step by step DNSSEC deployment in.se Anne-Marie Eklund Löwinder Quality & Security

2 Timeline 2005 signing of the.se zone allowing DS records from friendly users opened up for public use removed the extra fee, some ISP:s turned on validation on their resolvers incentives for registrars, 2 SEK/signed domain, only a few jumped on the train an even more attractive offer to registrars (meaning more money for them).

3

4 Some success factors DNS reference group and close contact with ISP s and registrars. Everybody knows each other. Support from the political level 509f1b0c.pdf Everyone is ready to help, even if they are competitors at some level.

5 What is this about? In-depth study and analysis of DNS and DNSSEC in.se. Survey group 911 domains allocated across 1,374 unique name servers, 1,241 using IPv4 133 using IPv6 Control group 1 per cent of the.se zone file:11,730 randomly selected, allocated across 2,938 unique name servers 2,698 using IPv4 240 using IPv6 All signed domains in the.se zone, 14 per cent.

6 Market situation Registrars:.SE s three largest account for 50 percent of the market. Seven largest commands 75 percent. Name server operators: two largest have 36 percent, five largest commands 50 percent. Long tail with very small players.

7 DNSSEC deployment September 2011 Survey group 6.69 per cent signed (61 of 911) Control group 0.45 percent signed (8 of ) February 2012 Survey group 8.89 per cent signed (81 of 911) Control group percent signed (1556 of ) Total number of DNSSEC signed domains 174,487 out of a total of 1,195,719, where of 50,000 lack delegation.

8 Work doesn t work? 174,487 signed domains. 163,700 functioning. Remaining 10,787 domains (6 percent) did not work. Major learning curve during.se s DNSSEC campaign last December

9 Servfail by query type RR type Number A DNSKEY MX NSEC3PARAM SOA

10 Signature lifetimes Looking at signatures in three different ways: inception time (when the signature is created), expiration time (when the signature expires) How SOA Expire is related to expiration time, these two parameters are intimately connected. The difference between expiration time and inception time (the signature s total period of validity).

11 Number of domains on the Y axis - number of days on the X axis Inception time

12 Expiration time

13 SOA Expire vs RRSIG expiration < > 31

14 SOA Expire

15 DNSKEY Algorithms RSA-SHA-512 RSA-SHA-256 RSASHA-1-NSEC3-SHA1 RSA-SHA-1 DSA-SHA

16 RRSIGs from algorithms RSA-SHA-512 RSA-SHA-256 RSASHA-1-NSEC3-SHA1 RSA-SHA-1 DSA-SHA

17 DNSKEY Algorithms per type RSA-SHA-512 RSA-SHA-256 RSASHA1-NSEC3-SHA1 ZSK KSK RSA-SHA-1 DSA-SHA

18 DNSKEY key lengths (DSA)

19 DNSKEY Key lengths per type ZSK KSK (DSA)

20 NSEC vs NSEC3 NSEC zones NSEC3 Hash algorithm

21 Salt length

22 NSEC3 Iterations

23 DS Digest types DS Digest type 2 DS Digest type

24 Domains with shared keys Key Number of domains KSK1 53,224 KSK2 43,642 KSK3 6,075 KSK4 505 KSK5 7

25 Lessons learned Stirring things up exposes flaws - bugs found in PowerDNS and Unbound. Monitor your zone file when you are aware of a massive launch of DNSSEC, some people slightly overestimate their own capabilities... Work needed to convince more registrars, only 6 out of 146 registrars have signed their zones.

26 Future progress Continue with financial incentives to registrars. Continue with educational support. Working with the Swedish Government. Pricing structure: unsigned domains will become more expensive than signed domains. Expect to have half the zone file signed within two years.

27 Future surveys More frequent surveys over extended periods of time. Use of new crypto algorithms. Key structure and occurrence of Combined Signing Key. Quality of key material for DNSSEC how random is random in RSA?

28 Summary on what we found Domains with signature lengths that are both unexpectedly long as well as too short. NSEC3 is essentially adequate. Most domains use 2,048 bit RSA keys as KSK and 1,024 kit keys as ZSK. A few too many domains are using 512 bit keys. We can discontinue the double publication of DS types 1 and 2. SOA Expire often lacks a connection to RRSIG expiration time. Need to be revised.

29 To err is human, to forgive is divine... but this does not make it desirable to make as many errors as possible. Full report: Status-DNS-and-DNSSEC pdf Questions? I prefer not.