Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Similar documents
Assessing and Improving the Quality of DNSSEC

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

DNSSEC All You Need To Know To Get Started

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

DNS SECurity Extensions technical overview

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

A Security Evaluation of DNSSEC with NSEC Review

By Paul Wouters

Algorithm for DNSSEC Trusted Key Rollover

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

Securing Domain Name Resolution with DNSSEC

Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017

SecSpider: Distributed DNSSEC Monitoring and Key Learning

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

Afilias DNSSEC Practice Statement (DPS) Version

MAGPI: Advanced Services IPv6, Multicast, DNSSEC

DNSSec Operation Manual for the.cz and e164.arpa Registers

DNSSEC deployment. Phil Regnauld Hervey Allen

Step by step DNSSEC deployment in.se. Anne-Marie Eklund Löwinder Quality & Security

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

CIRA DNSSEC PRACTICE STATEMENT

Domain Name System Security

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

A Case for Comprehensive DNSSEC Monitoring and Analysis Tools

Domain Name System Security

APNIC DNSSEC APNIC DNSSEC. Policy and Practice Statement. DNSSEC Policy and Practice Statement Page 1 of 12

Deploying New DNSSEC Algorithms

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

Session J9: DNSSEC and DNS Security

The Performance of ECC Algorithms in DNSSEC: A Model-based Approach

Domain Name System Security

Toward Unspoofable Network Identifiers. CS 585 Fall 2009

A paper on DNSSEC - NSEC3 with Opt-Out

DNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011

That KSK Roll. Geoff Huston APNIC Labs

Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution

DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

Network Working Group

DS TTL shortening experience in.jp

Tyre Kicking the DNS. Testing Transport Considerations of Rolling Roots. Geoff Huston APNIC

Hands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016

GDS Resource Record: Generalization of the Delegation Signer Model

DNSSEC for the Root Zone. ICANN 37 Nairobi March 2010

THE BRUTAL WORLD OF DNSSEC

Documentation. Name Server Predelegation Check

DNSSECbis Lookaside Validation. Peter Losher Internet Systems Consortium (November 2006)

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)

Migrating an OpenDNSSEC signer (February 2016)

Richemont DNS Inc. DNS Practice Statement for the PANERAI Zone. Version 0.2

Root Zone DNSSEC KSK Rollover

Monitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---

Less is More Cipher-Suite Negotiation for DNSSEC

Experience from a Swedish Agency and a Nordic operator

Seamless transition of domain name system (DNS) authoritative servers

DNSSEC the.se way: Overview, deployment and lessons learned. Anne-Marie Eklund Löwinder Quality & Security Manager

DOMAIN NAME SECURITY EXTENSIONS

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

Ad-hoc trust associations with Trust Anchor Repositories

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02. Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K.

Network Working Group. Category: Informational November 2007

More on DNS and DNSSEC

DNS Security DNSSEC. * zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

DNSSEC Policy and Practice Statement. Anne-Marie Eklund Löwinder Quality and Security Manager

Operational Challenges when Implementing DNSSEC

DNSSEC Deployment Guide

Secure Domain Name System (DNS) Deployment Guide

Managing Authoritative DNS Server

SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

Rolling with Confidence: Managing the Complexity of DNSSEC Operations

DNSSEC HOWTO. A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, $Revision: $

DNSSEC for the Root Zone. IETF 76 Hiroshima November 2009

ccnso IANAWG: DNSSEC BRIEFING and Root Zone Signing (Part I) Date: 4th February 2008

TWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) Why do we need DNSSEC? Many application depend on DNS DNS is not secure. There are known vulnerabilities

CSC 574 Computer and Network Security. DNS Security

Ebook: DNS FUNDAMENTALS. From a Technical Dow Street, Manchester, NH USA

Transcription:

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014

DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client Side: Stub resolvers (usually on DNS client machines) No authentication at all! A client cannot be sure Where an answer really came from If the server replied is telling the truth or not If it received exactly what the server sent 2

DNS Vulnerabilities Fill client or resolving server with forged answer Intercept a response packet and modify it Set up a fake name server for some zone Take control of name servers for some zone (false data) Inject bogus data into caches (DNS cache poisoning) Response to Non-Existent domains Compromise the registry: gain unauthorized access to registrar account and change the victim zone s delegation to point at bogus name servers 3

What Does DNSSEC Protect DNSEC uses public key cryptography and digital signatures to provide: Data origin authentication, Name server authenticity Data integrity Authenticated denial of existence DNSSEC offers protection against spoofing of DNS data (TSIG) 4

General DNSSEC Caveats Increase Memory and CPU usage and also cost Zone size increases significantly when signed DNSSEC answers are larger Server side & query side impacts Interference by firewalls, proxies Increase bandwidth DNSSEc added a lot to DNS packets. Resolvers and name servers need to send and receive these large DNS packets Administrative burden: Key Management (generating, publishing and rollover), interaction with parent 5

Key Rollover Not easy and expensive task Two methods Pre-publish: ZSK Double signature: KSK 6

ZSK Rollover: Pre-publish Policy Generate new ZSK, add key to zone (remember to increase the serial number) Re-sign zone with using old key and KSK Time passes TTL Re-sign with the new key but leave the old zsk published in the zone After all records signed with the old private key have expired (wait zone propagation time + largest TTL of all records in the zone), remove old key Resign one last time 7

KSK Rollover: Double Signature Policy Generate new KSK, add new KSK to the zone and sign the DNSKEY RRset with both keys Wait TTL of the zone Upload new DS to the parent zone When new DS RR appears in the zone, wait TTL of the old DS record Remove the old KSK and resign zone Remove old DS record from parent 8

Deployment Status Root signed (July 2010), most TLD signed (July 2014 status) TLDS signed: 445 out of 630 (70%) in the root zone in total 435 TLDs have trust anchors published as DS records in the root zone 5 TLDs have trust anchors published in the ISC DLV Repository 9

Research Questions & Related work What is the DNSsec adoption rate among the most popular domains? If the DNSsec is deployed in the zone, is it managed and operated properly? What are the causes of bogus DNSsec enabled zone Many websites keep statistics of DNSsec deployment But most of them are restricted to the number of checked domains and TLDs They also lack information about maintenance 10

Methodology Gather data: get top one million ranked websites by Alexa Extract their domains Find authoritative servers of domains and ask for data of domain Note their serial number and (in)consistency of their answers Look for RRSIG RRs Check for (no)validated answers Ensure that the zone issues a secure denial of existence for names that do not exist Validating Resolvers Our servers and Google public DNS Check to see if those signatures correspond to DNSKEYs served by the zone are valid or not Analysis to find out possible errors on the deployment of DNSsec 11

12

DNSSEC Validation Status Secure: Unbroken chain from anchor to RRset Insecure: Chain that securely terminates in the parent Bogus: Broken chain 13

Domains How Many Domains are deploying DNSSEC On average 9916 signed domains out of a total of ~930000 (1.066%) With an average of 7562 (76%) Validated and 2355 (24%) Not Validated domains. 12000 10000 DNSsec Adoption Rate 8000 6000 4000 2000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 Days DNSsec-enabled Validated Not Validated 14

Domain Nameserver (in)consistencies On average each domain has 3.5 nameservers ~84% of signed domains have multiple nameservers with the same data (8239) ~16% of signed domains have multiple nameservers with different data (1568) Inconsistent data Consistent data 15

Inconsistency: Different Data in Nameservers 235 signed domains have some nameservers with RRSIG data while others don t have RRSIG The returned answer depends on which nameserver is selected by the resolver 16

Inconsistency: Different Data in Nameservers 17

Consistency: Different Data in Nameservers Differences in A records 18

Consistent: Different Data in Nameservers Differences in RRSIG Multiple ZSK keys and signing with different keys 19

Consistent Data in Nameservers ~76% of the asked domains return RRSIGs with AD flag ~24% of the asked domains return RRSIGs with no AD flag 20

Number of zones Other checks: Common DNSSEC Algorithms 3500 3000 2500 2000 1500 1000 500 0 DSA-SHA1(0.03%) RSA-SHA1(30%) RSA-NSEC3-SHA1(33%) RSA-SHA256(35%) RSA-SHA512(0.33%) ECDSA Curve P-256 with SHA-256 (0.01%) 21

Number of zones Other checks: NSEC and NSEC3 Proof of non-existence Pre-calculated records NSEC vs NSEC3 7000 6000 NSEC vs NSEC3 5000 4000 3000 2000 1000 0 NSEC (42%) NSEC3 (58%) 22

Number of zones Other checks: DNSSEC RRSIG Lifetime Signature lifetimes Default value: Inception time 1 hour before Default value: Expiration 30 days from now Vary between 2 and 3,600 days Be sure about your servers accurate time Validating resolvers has to check signature validity time 3500 3000 Signature Lifetime 2500 2000 1500 1000 500 0 2956 2070 1568 1800 1043 288 2-15 (21.2%) 16-29(16.1%) 30(30%) 31-99 (10.7%) 100-199(18.5%) >200(3%) days 23

DNSSEC Misconfiguration Missing DS no link between parent and child Mismatch DS No DNSKEY matching DS in parent zone None of DNSKEY records could be validated by any of DS records, the DNSKEY RRset was not signed by any keys in the chain-of-trust (the DNSSEC chain-of-trust is broken at this point) Missing DNSKEY DNSKEY not available to validate RRSIG Missing NSEC NSEC RRs not returned by authoritative server No NSEC records in response, no NSEC record could prove that no records of type A Missing RRSIG RRSIGs not returned by some servers Bogus RRSIG - if the zone was signed with different keys than the ones that are published in the zone data DNSSEC signatures did not validate the RRset Expired RRSIG Signature in RRSIG are expired DNSSEC signatures did not validate the RRset 24

Delegation Errors 25

DS Mismatch 26

DNSKEY Missing Turn DNSSEC off but forgot to interact with parent to remove the DS record: found 25 domains 27

RRSIG Expired Dates Regular re-signing is part of the administrators tasks (not only when changes occur) 28

Recommendation & Conclusion Our results showed that few administrators have deployed and maintained DNSSEC properly due to its burden and difficulties Use scripts and online tools for checking the healthiness of the zone and monitor the zone regularly Automate regular process as much as possible Keep all nameservers data updated to avoid inconsistencies 29

Any Questions? 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback