Post on 26-Jul-2020
1
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Taejoong (tijay) Chung, Roland van Rijswijk-Deij, Bala Chandrasekaran David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson
Domain Name System (DNS)
example.com'sAuthoritativeDNS Server
Browser
2
DNS Resolver
example.com example.com
A records
155.33.17.68
A records
155.33.17.68
DNS Spoofing
example.com'sAuthoritativeDNS Server
Browser
3
DNS Resolver
example.com example.com
A recordsA records
1.2.3.4 155.33.17.68✗1.2.3.4
DNS Spoofing
example.com'sAuthoritativeDNS Server
4
DNS Resolver
Browser example.com
A records
1.2.3.4
example.com
A records
155.33.17.68✗1.2.3.4
example.com'sAuthoritativeDNS Server
DNSSEC 101
5
RRSIG
A records
A records
DNSKEY
DNS Resolver
A records
w/ DO bitexample.com'sAuthoritativeDNS Server
Sign!
DNSSEC 101
6
A records
w/ DO bit
RRSIG
A records
A records
DNSKEY
DNS Resolverexample.com'sAuthoritativeDNS Server
A records
A records
w/ DO bit
DNSKEY
DNS Resolver
DNSKEY
DNSSEC 101Hierarchical Structure
7
A records
A records
w/ DO bit
DNSKEY
DNSKEY
Chain-of-Trust
example.com'sAuthoritativeDNS Server
. (root zone)
.com
DNSSEC 101Hierarchical Structure
8
DNSKEY
Chain-of-Trust
DNSKEY
DNSKEY
DNSKEY
DNSKEY
DNS Resolver
A records
A records
w/ DO bit
example.com'sAuthoritativeDNS Server
. (root zone)
.com
DNSSEC 101Hierarchical Structure
9
DNSKEY
Chain-of-Trust
DNSKEY
DNSKEY
DNSSEC 101Hierarchical Structure
10
RRSIG
DS Record
DS Record =Hash( ) DNSKEY
DNSKEY DNSKEY
DNSKEY .com
example.com'sAuthoritativeDNS Server
Chain-of-Trust
DNSKEYs
DNSSEC 101Two DNSKEYs
11
.com
zone signing key (ZSK)
key signing key (KSK)
A records RRSIG of A
= Hash of DS Record
RRSIG of DNSKEYexample.com'sAuthoritativeDNS Server
Summary of DNSSEC 101
• Three essential elements for DNSSEC• • •
• has to be uploaded to the parent zone
• Resolvers need to verify all signatures along the chains of trust
• DNSSEC can only function correctly when all principals (server and resolver) work correctly
12
DS Record
DNSKEY
RRSIG
Open Question
How’s the DNSSEC PKI ecosystem managed?
Contribution
14
Longitudinal Comprehensive All Angles
Outline
15
How DNSSEC deployed
How DNSSEC managed
How resolversuse DNSSEC
Authoritative Server Resolver
Correct Deployment for Authoritative Servers
16
DNSKEY (1) Have DNSKEYs
RRSIGs (2) Generate Signatures
Valid RRSIGs
(3) Valid Signatures (Not expired, correctly signed)
DS record Uploads
(4) Generate and upload DS record to the parent zone
Valid DS record
(5) Valid DS record (matched with DNSKEYs)
Dataset
17
Daily Scans*
TLDs .com, .org., .net
# of domains 147M domains
Interval every day
Period 2015/03/01 ~ 2016/12/31
* https://openintel.nl/
Over 750 billion DNS Records
0
0.2
0.4
0.6
0.8
1
1.2
02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16
Pe
rce
nt
of
do
ma
ins
wit
hDNSKEY
re
co
rd
Date
.com
.net
.org
DNSSEC Deployment
18
Deployment DNSSEC deployment is rare, but growing
Are they correctly deployed?
DNSKEY
RRSIGs
Valid RRSIGs
DS record Uploads
Valid DS record
RRSIGs
~1.0%
Missing RRSIG records
19
DNSKEY
RRSIGs
Valid RRSIGs
DS record Uploads
Valid DS record
RRSIGs ~0.3%
Missing RRSIGs RRSIGs are rarely missing (0.3%)
0
0.5
1
1.5
2
2.5
02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16
missing SOA RRSIGmissing DNSKEY RRSIG
Pe
rce
nt
of
do
ma
ins
mis
sin
g RRSIG
s
.com
.net
.org
DomainMonster
~1.0%
ZSK
KSK
Incorrect RRSIG records
20
0
0.2
0.4
0.6
0.8
1
02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16
Expired
Invalid Signature
Pe
rce
nt
of
do
ma
ins
wit
hs
pe
cif
ic f
ail
ure
re
as
on
s
.com
.net
.org
Expired
Invalid Signatures
DNSKEY
RRSIGs
Valid RRSIGs
DS record Uploads
Valid DS record
RRSIGs
Valid RRSIGs
~0.3%
Invalid RRSIGs RRSIGs are managed well (~0.5%)
~0.5%
~1.0%
Missing DS records
21
DNSKEY
RRSIGs
Valid RRSIGs
DS record Uploads
Valid DS record
RRSIGs ~0.3%
~0.5%
~30%
0
5
10
15
20
25
30
35
02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16Pe
rce
nt
of
do
ma
ins
mis
sin
gDS
re
co
rd
.com
.net
.org
DS Records
Nearly 30% of domains DO NOTupload DS records!
~1.0%
Incorrect DS records
22
DNSKEY
RRSIGs
Valid RRSIGs
DS record Uploads
Valid DS record
RRSIGs ~0.3%
~0.5%
~30%
0
0.05
0.1
0.15
0.2
0.25
02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16
Pe
rce
nt
of
do
ma
ins
ha
vin
gin
co
rre
ct DS
re
co
rd
.com
.net
.org
Incorrect DS record
Once DS record is generated, it is managed very well (~0.2%)
~0.2%
~1.0%
Choosing Authoritative Nameserver
23
example.com example.com
example.com'sAuthoritativeDNS Server
Self-hosted
example.com'sAuthoritativeDNS Server
$ $$
Why are DS records missing?
24
Nameservers# of domains
DS Publishing Ratiow/ DS w/ DNSKEY
ovh.net 315,204 316,960 99.45%loopia.se 1 131,726 0.00%hyp.net 93,946 94,084 99.85%
transip.net 91,009 91,103 99.90%domainmonster.com 4 60,425 0.01%
anycast.me 51,403 52,381 98.13%transip.nl 46,971 47,007 99.92%binero.se 17,099 44,650 38.30%
ns.cloudflare.com 17,483 28,938 60.42%is.nl 11 15,738 0.07%
pcextreme.nl 14,801 14,967 98.89%webhostingserver.nl 10,655 14,806 71.96%
registrar-servers.com 11,463 13,115 87.40%ns0.nl 12,674 12,738 99.50%
citynetwork.se 13 11,660 0.11%
Why are DS records missing?
25
Nameservers# of domains
DS Publishing Ratiow/ DS w/ DNSKEY
ovh.net 315,204 316,960 99.45%loopia.se 1 131,726 0.00%hyp.net 93,946 94,084 99.85%
transip.net 91,009 91,103 99.90%domainmonster.com 4 60,425 0.01%
anycast.me 51,403 52,381 98.13%transip.nl 46,971 47,007 99.92%binero.se 17,099 44,650 38.30%
ns.cloudflare.com 17,483 28,938 60.42%is.nl 11 15,738 0.07%
pcextreme.nl 14,801 14,967 98.89%webhostingserver.nl 10,655 14,806 71.96%
registrar-servers.com 11,463 13,115 87.40%ns0.nl 12,674 12,738 99.50%
citynetwork.se 13 11,660 0.11%
Why are DS records missing?
26
Nameservers# of domains
DS Publishing Ratiow/ DS w/ DNSKEY
ovh.net 315,204 316,960 99.45%loopia.se 1 131,726 0.00%hyp.net 93,946 94,084 99.85%
transip.net 91,009 91,103 99.90%domainmonster.com 4 60,425 0.01%
anycast.me 51,403 52,381 98.13%transip.nl 46,971 47,007 99.92%binero.se 17,099 44,650 38.30%
ns.cloudflare.com 17,483 28,938 60.42%is.nl 11 15,738 0.07%
pcextreme.nl 14,801 14,967 98.89%webhostingserver.nl 10,655 14,806 71.96%
registrar-servers.com 11,463 13,115 87.40%ns0.nl 12,674 12,738 99.50%
citynetwork.se 13 11,660 0.11%
“Most people do not understand DNS, so imagine the white faces when I mention DNSSEC ... I don’t think DNSSEC has a high priority anymore currently in our organization or our customer
base.”
Summary of DNSSEC Deployment
• DNSSEC deployment is still rare, but increasing• The major reason of broken DNSSEC is due to the missing DS
record• Missing RRSIG record: ~ 0.3%• Incorrect RRSIG record: ~ 0.3 %• Incorrect DS record: ~ 0.2%• Missing DS Record: ~ 30%
• Most of the DNSSEC-support softwares (BIND, Windows Server 2012, PowerDNS, OpenDNSSEC) manage the keys automatically. Regardless, the process to upload DS record is totally dependent on the administrator!
27
Outline
28
How DNSSEC deployed
How DNSSEC managed
How resolver use DNSSEC
Authoritative Server Resolver
30% of domainmiss DS records!
Good Steps toDeploy DNSSEC
29
Strong Key (1) Have a cryptographically strong key
No Reuse (2) Don’t reuse across multiple domains
Regular Rollover (3) Replace on a regular basis
30
Strong Key
No Reuse
Regular Rollover
(1) Have a cryptographically strong key
(2) Don’t reuse across multiple domains
(3) Replace on a regular basis
Good Steps toDeploy DNSSEC
Key Strength
31
0
20
40
60
80
100
02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16
KSKs
ZSKs
Pe
rce
nt
of
do
ma
ins
wit
h w
ea
k k
ey
s .com.net.org
ZSK
KSK
Weak Keys
91.7% of ZSK and 33.3% of KSK are weak!
Strong Key
No Reuse
Regular Rollover
8.3% (ZSK) 66.7% (KSK)
0.999
0.9992
0.9994
0.9996
0.9998
1
1 10 100 1000 10000 100000 1x106
KSK
.com
.net
.org
0.999
0.9992
0.9994
0.9996
0.9998
1
1 10 100 1000 10000 100000 1x106
ZSK
CD
F
Number of Domains Grouped Together
.com
.net
.org
ZSK
KSK
Key Reuse
32
DNSKEYSharing
Some keys are reused extensively (among 106,640 domains)
~0.1%
45.0% (ZSK)70.0% (KSK)
Strong Key
No Reuse
Regular Rollover
91.7% (ZSK) 33.3% (KSK)
Outline
33
How DNSSEC deployed
How DNSSEC managed
How resolver use DNSSEC
Authoritative Server Resolver
30% of domainmiss DS records!
33% weak45~70% not switched
Correct Deploymentfor Resolvers
34
DO Bit (1) DNSSEC OK bit in the header
Validation (2) Validate DNSSEC Records
Measuring DNS resolver
35
Comcast Network
DNS Resolver
Authoritative DNS Server
MeasurementNode
Client
Ads
No Control over the nodeNot Reproducible
Luminati
36
MeasurementNode
Local DNSResolver
Proxy
Comcast
Residential Authoritative DNS Server
AT&T
Rogers
Deutsche Telekom
Verizon
Control over the nodeReproducible
Scales
Node
Luminati
37
Local DNSResolver
Authoritative DNS ServerNode
MeasurementNode
Comcast
Residential
Control over the nodeReproducible
Scales
Methodology
38
Local DNSResolver
Authoritative DNS Server
(Our testbed)
A records
w/ DO bit
RRSIG
A records
+ 8 other scenarios of incorrect DNSSEC records
Resolvers w/ DO Bit
39
DO Bit
Validation
- 4,427 resolvers- 83% of them are DO-bit enabled
Resolvers w/ DO Bit
40
DO Bit
Validation
- 3,635 (82%) fail to validate DNSSEC records
- 543 (12.2%) correctly validate DNSSEC records
Time Warner Cable InternetRogers Cable Communications
ComcastGoogle
- 4,427 resolvers- 83% of them are DO-bit enabled
Open Resolver Tests
41
Provide DO Bit Requested Validated?DS DNSKEY
Verisign YES YES YES YESGoogle YES YES YES YESDNSWatch YES YES YES YESDNS Advantage YES YES YES YESNorton ConnectSafe YES YES YES YESLevel3 YES NO NO NOComodo Secure DNS YES NO NO NOSafeDNS YES NO NO NODyn YES NO NO NOGreenTeamDNS* YES/NO YES YES NOOpenDNS NO NO NO NOOpenNIC NO NO NO NOFreeDNS NO NO NO NOAlternate DNS NO NO NO NOYandex DNS NO NO NO NO
Conclusion
42
• Presented a longitudinal, end-to-end study of DNSSEC ecosystem
• DNSSEC deployment from server-side is rare but growing✓ But, 33% of them are mis-configured✓DNSKEYs are not managed well
✓Weak✓ Some are shared✓ Rarely updated
• DNSSEC deployment from client-side is also rare✓Only 12% of resolvers validate responses
• Datasets and source code will be available.• http://securepki.org
Recommendations
• Use CDS (Child DS) / CDNSKEY (Child DNSKEY)• Automates DNSSEC delegation trust maintenance
• Modern resolvers (e.g., BIND >= 9.5 ) set “DO” bit by default, but make sure that it actually validates.
• Financial incentives for registrars to deploy DNSSEC would work• .se and .nl ccTLD • Please read our upcoming paper “Understanding the Role of
Registrars in DNSSEC Deployment [IMC’17]”
43
Conclusion
44
• Presented a longitudinal, end-to-end study of DNSSEC ecosystem
• DNSSEC deployment from server-side is rare but growing✓ But, 33% of them are mis-configured✓DNSKEYs are not managed well
✓Weak✓ Some are shared✓ Rarely updated
• DNSSEC deployment from client-side is also rare✓Only 12% of resolvers validate responses
• Datasets and source code will be available.• http://securepki.org
Questions?
45
Why DNSSEC Deployment is so Low?
46
“Understanding the Role of Registrars in DNSSEC Deployment” [IMC’17]
Ethical Consideration
47
Subject Considration
LuminatiPaid for access
Not violate ToS
Exit Nodes
Not expose PII
Connects only our testbed
Download “Empty” Page
Scenario and Intuition
48
subdomains description requires DS requires DNSKEY
missing-rrsig-a no signature for A record 0 0
invalid-rrsig-a invalid signature for A record 0 1
future-rrsig-a signature is not yet valid 0 0
past-rrsig-a signature is expired 0 0
missing-zsk ZSK used to sign A record is not in DNSKEY 0 1
missing-ksk KSK used to sign DNSKEY record is not in DNSKEY 0 1
missing-rrsig-ksk no signature for DNSKEY record 0 1
invalid-rrsig-ksk invalid signature for DNSKEY record 0 1
mismatch-ds DS record at parent zone is not accord with KSK 1 1
Structure of Domain Name
• Registry: organizations that manage top-level domains (TLDs). They maintain the TLD zone file (the list of all registered names), and work with registrars to sell domain names to the public. • Verisign
• Registrar: organizations that are accredited by ICANN3 and certified by registries to sell domains to the public. They have direct access to the registry.• GoDaddy
• Reseller: organizations that sell domain names, but are either not accredited (by ICANN) or certified (by a given TLD’s registry). Typically, resellers partner with registrars in order to sell domain names, and relay all information through the registrar.
49
DS record uploads
50
Key Sharing
51
Nameservers KSK ZSKKeys Domains Keys Domains
Others 151,733 152,144ovh.net. 316,888 316,887
loopia.se. 133,258 133,258hyp.net. 94,888 94,885
transip.net. 93,819 93,818domainmonster.com. 60,984 60,984
anycast.me. 55,936 55,936transip.nl. 45,676 45,675binero.se. 44,963 44,963
ns.cloudflare.com. 28,469 28,469is.nl. 12,837 12,836
pcextreme.nl. 15,210 15,210webhostingserver.nl. 15,023 15,023registrar-servers.com. 13,183 13,181
ns0.nl. 11,945 11,945citynetwork.se. 11,702 11,702
Key Sharing
52
Nameservers KSK ZSKKeys Domains Keys Domains
Others 157,533 151,733 188,482 152,144ovh.net. 318,036 316,888 326,011 316,887
loopia.se. 199 133,258 217 133,258hyp.net. 119,150 94,888 119,161 94,885
transip.net. 93,774 93,819 187,129 93,818domainmonster.com. 60,991 60,984 121,939 60,984
anycast.me. 56,075 55,936 58,296 55,936transip.nl. 45,648 45,676 91,161 45,675binero.se. 49 44,963 54 44,963
ns.cloudflare.com. 239 28,469 214 28,469is.nl. 12,834 12,837 25,512 12,836
pcextreme.nl. 15,192 15,210 28,654 15,210webhostingserver.nl. 15,019 15,023 22,741 15,023registrar-servers.com. 13,043 13,183 12,998 13,181
ns0.nl. 11,978 11,945 23,790 11,945citynetwork.se. 21 11,702 28 11,702
RolloverAbrupt Changes
53
ZSK
RRSIG
t0
RRSIG
ZSK
t0 + 1200
ZSK
TTL = 3600
RRSIG
ZSK
t0 + 1800
IP Address?
RRSIG
A Record
Can’t verify the signature!
Rollover Process (ZSK)<Pre-publish>
54
ZSK
RRSIG
t0
ZSK
RRSIG
ZSK
t2
RRSIG
ZSK
t3
Introducing a new key
Retiring a signature
Retiring the previous key
t1
ZSK
RRSIG
ZSK
Rollover Process (ZSK) <Double-signature>
55
RRSIG
ZSK
t0
RRSIG
ZSK
t2
Introducing a new key and signature
Retiring the previous key and signature
RRSIG
ZSK
t1
ZSK
RRSIG
Rollover Process (KSK) <Double-signature>
56
Parent Zone
Child Zone
DS record
KSK
RRSIG
t0
DS record
KSK
RRSIG
ZSK
RRSIG
t1
DS Record
KSK
RRSIG
ZSK
RRSIG
t2
DS Record
ZSK
RRSIG
t3
Rollover Process (KSK) <Double-DS>
57
Parent Zone
Child Zone
DS record
KSK
RRSIG
t0
DS Record
ZSK
RRSIG
t3
DS record
KSK
RRSIG
t1
DS Record
ZSK
RRSIG
t2
DS record
DS Record
ZSK Rollovers
58
Scheme .com .org
No ZSK Rollovers 279,935 27,166
Abrupt 5,527 66
Double Signatures 58,807 9,615
Pre-publish 259,327 33,518
ZSK Rollovers
59
Scheme .com .org
No ZSK Rollovers 279,935 27,166
Abrupt 5,527 66
Double Signatures 58,807 9,615
Pre-publish 259,327 33,518
DNSKEY(ZSK)
Nearly 45% of domains DO NOTswitch their DNSKEYs
KSK Rollovers
60
Scheme .com .net .org
No KSK Rollovers
621,213 93,558 65,704
Abrupt 17,724 3,183 1,710
Double Signatures
219,547 46,092 32,206
KSK Rollovers
61
Scheme .com .net .org
No KSK Rollovers
621,213 93,558 65,704
Abrupt 17,724 3,183 1,710
Double Signatures
219,547 46,092 32,206
DNSKEY(KSK)
Nearly 70% of domains DO NOTswitch their DNSKEYs
Superfluous Signatures
62
example.com
.com
zone signing key (ZSK)
key signing key (KSK)
A records RRSIG of A
= Hash of DS Record
DNSKEYs RRSIG of DNSKEY
DNSKEYs RRSIG of DNSKEY
Unnecessary, but not evil!
61% of domains sign their DNSKEY twice! so what?
DNSKEY Fragmentation
63
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
1
0 500 1000 1500 2000 2500 3000
1,232 bytes (IPv6 limits)
1,472 bytes (IPv4 limits)
CD
F
DNSKEY Message Size
RRSIGsksk
1,232 bytes (IPv6 limits)
1,472 bytes (IPv4 limits)
0.01% experience fragmentation
DNSKEY Fragmentation
64
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
1
0 500 1000 1500 2000 2500 3000
1,232 bytes (IPv6 limits)
1,472 bytes (IPv4 limits)
CD
F
DNSKEY Message Size
RRSIGskskRRSIGszsk,ksk
1,232 bytes (IPv6 limits)
1,472 bytes (IPv4 limits)
0.8% experience fragmentation
60.7% of them could have avoided fragmentation
DNSKEY Fragmentation
65
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
1
0 500 1000 1500 2000 2500 3000
1,232 bytes (IPv6 limits)
1,472 bytes (IPv4 limits)
CD
F
DNSKEY Message Size
RRSIGskskRRSIGszsk,ksk
RRSIGszsk,ksk(2,048)
1,232 bytes (IPv6 limits)
1,472 bytes (IPv4 limits)
4.6% experience fragmentation (increased 5x times)
DNSKEYFragmentation
Superfluous signatures increases the chance of fragmentation.
Hola Unblocker
66
HTTP
Get netflix.com
Hola Luminati
67
Luminati user
example.com
HTTPGet example.com
Hola user
Measurement ClientExit Node
Exit Node’s DNS Resolver
HTTP
DNS
68
DNSSEC response
Get testbed.com
DNS & Web servertestbed.com
We measured 403,355 nodes and their 59,513 resolvers !
69
Get testbed.com
Measurement ClientSuper ProxyExit Node
Exit Node’s DNS Server
HTTP
DNS
70
DNS Response