A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure...

1

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

Taejoong (tijay) Chung, Roland van Rijswijk-Deij, Bala Chandrasekaran David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson

Domain Name System (DNS)

example.com'sAuthoritativeDNS Server

Browser

2

DNS Resolver

example.com example.com

A records

155.33.17.68

A records

155.33.17.68

DNS Spoofing


Browser

3

DNS Resolver


A recordsA records

1.2.3.4 155.33.17.68✗1.2.3.4

DNS Spoofing


4

DNS Resolver

Browser example.com

A records

1.2.3.4

example.com

A records

155.33.17.68✗1.2.3.4


DNSSEC 101

5

RRSIG

A records

A records

DNSKEY

DNS Resolver

A records

w/ DO bitexample.com'sAuthoritativeDNS Server

Sign!

DNSSEC 101

6

A records

w/ DO bit

RRSIG

A records

A records

DNSKEY

DNS Resolverexample.com'sAuthoritativeDNS Server

A records

A records

w/ DO bit

DNSKEY

DNS Resolver

DNSKEY

DNSSEC 101Hierarchical Structure

7

A records

A records

w/ DO bit

DNSKEY

DNSKEY

Chain-of-Trust


. (root zone)

.com


8

DNSKEY

Chain-of-Trust

DNSKEY

DNSKEY

DNSKEY

DNSKEY

DNS Resolver

A records

A records

w/ DO bit


. (root zone)

.com


9

DNSKEY

Chain-of-Trust

DNSKEY

DNSKEY


10

RRSIG

DS Record

DS Record =Hash( ) DNSKEY

DNSKEY DNSKEY

DNSKEY .com


Chain-of-Trust

DNSKEYs

DNSSEC 101Two DNSKEYs

11

.com

zone signing key (ZSK)

key signing key (KSK)

A records RRSIG of A

= Hash of DS Record

RRSIG of DNSKEYexample.com'sAuthoritativeDNS Server

Summary of DNSSEC 101

• Three essential elements for DNSSEC• • •

• has to be uploaded to the parent zone

• Resolvers need to verify all signatures along the chains of trust

• DNSSEC can only function correctly when all principals (server and resolver) work correctly

12

DS Record

DNSKEY

RRSIG

Open Question

How’s the DNSSEC PKI ecosystem managed?

Contribution

14

Longitudinal Comprehensive All Angles

Outline

15

How DNSSEC deployed

How DNSSEC managed

How resolversuse DNSSEC

Authoritative Server Resolver

Correct Deployment for Authoritative Servers

16

DNSKEY (1) Have DNSKEYs

RRSIGs (2) Generate Signatures

Valid RRSIGs

(3) Valid Signatures (Not expired, correctly signed)

DS record Uploads

(4) Generate and upload DS record to the parent zone

Valid DS record

(5) Valid DS record (matched with DNSKEYs)

Dataset

17

Daily Scans*

TLDs .com, .org., .net

# of domains 147M domains

Interval every day

Period 2015/03/01 ~ 2016/12/31

* https://openintel.nl/

Over 750 billion DNS Records

0

0.2

0.4

0.6

0.8

1

1.2

02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16

Pe

rce

nt

of

do

ma

ins

wit

hDNSKEY

re

co

rd

Date

.com

.net

.org

DNSSEC Deployment

18

Deployment DNSSEC deployment is rare, but growing

Are they correctly deployed?

DNSKEY

RRSIGs

Valid RRSIGs

DS record Uploads

Valid DS record

RRSIGs

~1.0%

Missing RRSIG records

19

DNSKEY

RRSIGs

Valid RRSIGs

DS record Uploads

Valid DS record

RRSIGs ~0.3%

Missing RRSIGs RRSIGs are rarely missing (0.3%)

0

0.5

1

1.5

2

2.5

02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16

missing SOA RRSIGmissing DNSKEY RRSIG

Pe

rce

nt

of

do

ma

ins

mis

sin

g RRSIG

s

.com

.net

.org

DomainMonster

~1.0%

ZSK

KSK

Incorrect RRSIG records

20

0

0.2

0.4

0.6

0.8

1

02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16

Expired

Invalid Signature

Pe

rce

nt

of

do

ma

ins

wit

hs

pe

cif

ic f

ail

ure

re

as

on

s

.com

.net

.org

Expired

Invalid Signatures

DNSKEY

RRSIGs

Valid RRSIGs

DS record Uploads

Valid DS record

RRSIGs

Valid RRSIGs

~0.3%

Invalid RRSIGs RRSIGs are managed well (~0.5%)

~0.5%

~1.0%

Missing DS records

21

DNSKEY

RRSIGs

Valid RRSIGs

DS record Uploads

Valid DS record

RRSIGs ~0.3%

~0.5%

~30%

0

5

10

15

20

25

30

35

02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16Pe

rce

nt

of

do

ma

ins

mis

sin

gDS

re

co

rd

.com

.net

.org

DS Records

Nearly 30% of domains DO NOTupload DS records!

~1.0%

Incorrect DS records

22

DNSKEY

RRSIGs

Valid RRSIGs

DS record Uploads

Valid DS record

RRSIGs ~0.3%

~0.5%

~30%

0

0.05

0.1

0.15

0.2

0.25

02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16

Pe

rce

nt

of

do

ma

ins

ha

vin

gin

co

rre

ct DS

re

co

rd

.com

.net

.org

Incorrect DS record

Once DS record is generated, it is managed very well (~0.2%)

~0.2%

~1.0%

Choosing Authoritative Nameserver

23



Self-hosted


$ $$

Why are DS records missing?

24

Nameservers# of domains

DS Publishing Ratiow/ DS w/ DNSKEY

ovh.net 315,204 316,960 99.45%loopia.se 1 131,726 0.00%hyp.net 93,946 94,084 99.85%

transip.net 91,009 91,103 99.90%domainmonster.com 4 60,425 0.01%

anycast.me 51,403 52,381 98.13%transip.nl 46,971 47,007 99.92%binero.se 17,099 44,650 38.30%

ns.cloudflare.com 17,483 28,938 60.42%is.nl 11 15,738 0.07%

pcextreme.nl 14,801 14,967 98.89%webhostingserver.nl 10,655 14,806 71.96%

registrar-servers.com 11,463 13,115 87.40%ns0.nl 12,674 12,738 99.50%

citynetwork.se 13 11,660 0.11%


25











26










“Most people do not understand DNS, so imagine the white faces when I mention DNSSEC ... I don’t think DNSSEC has a high priority anymore currently in our organization or our customer

base.”

Summary of DNSSEC Deployment

• DNSSEC deployment is still rare, but increasing• The major reason of broken DNSSEC is due to the missing DS

record• Missing RRSIG record: ~ 0.3%• Incorrect RRSIG record: ~ 0.3 %• Incorrect DS record: ~ 0.2%• Missing DS Record: ~ 30%

• Most of the DNSSEC-support softwares (BIND, Windows Server 2012, PowerDNS, OpenDNSSEC) manage the keys automatically. Regardless, the process to upload DS record is totally dependent on the administrator!

27

Outline

28

How DNSSEC deployed

How DNSSEC managed

How resolver use DNSSEC


30% of domainmiss DS records!

Good Steps toDeploy DNSSEC

29

Strong Key (1) Have a cryptographically strong key

No Reuse (2) Don’t reuse across multiple domains

Regular Rollover (3) Replace on a regular basis

30

Strong Key

No Reuse

Regular Rollover

(1) Have a cryptographically strong key

(2) Don’t reuse across multiple domains

(3) Replace on a regular basis

Good Steps toDeploy DNSSEC

Key Strength

31

0

20

40

60

80

100

02/15 05/15 08/15 11/15 02/16 05/16 08/16 11/16

KSKs

ZSKs

Pe

rce

nt

of

do

ma

ins

wit

h w

ea

k k

ey

s .com.net.org

ZSK

KSK

Weak Keys

91.7% of ZSK and 33.3% of KSK are weak!

Strong Key

No Reuse

Regular Rollover

8.3% (ZSK) 66.7% (KSK)

0.999

0.9992

0.9994

0.9996

0.9998

1

1 10 100 1000 10000 100000 1x106

KSK

.com

.net

.org

0.999

0.9992

0.9994

0.9996

0.9998

1

1 10 100 1000 10000 100000 1x106

ZSK

CD

F

Number of Domains Grouped Together

.com

.net

.org

ZSK

KSK

Key Reuse

32

DNSKEYSharing

Some keys are reused extensively (among 106,640 domains)

~0.1%

45.0% (ZSK)70.0% (KSK)

Strong Key

No Reuse

Regular Rollover

91.7% (ZSK) 33.3% (KSK)

Outline

33

How DNSSEC deployed

How DNSSEC managed

How resolver use DNSSEC


30% of domainmiss DS records!

33% weak45~70% not switched

Correct Deploymentfor Resolvers

34

DO Bit (1) DNSSEC OK bit in the header

Validation (2) Validate DNSSEC Records

Measuring DNS resolver

35

Comcast Network

DNS Resolver

Authoritative DNS Server

MeasurementNode

Client

Ads

No Control over the nodeNot Reproducible

Luminati

36

MeasurementNode

Local DNSResolver

Proxy

Comcast

Residential Authoritative DNS Server

AT&T

Rogers

Deutsche Telekom

Verizon

Control over the nodeReproducible

Scales

Node

Luminati

37

Local DNSResolver

Authoritative DNS ServerNode

MeasurementNode

Comcast

Residential

Control over the nodeReproducible

Scales

Methodology

38

Local DNSResolver

Authoritative DNS Server

(Our testbed)

A records

w/ DO bit

RRSIG

A records

+ 8 other scenarios of incorrect DNSSEC records

Resolvers w/ DO Bit

39

DO Bit

Validation

- 4,427 resolvers- 83% of them are DO-bit enabled

Resolvers w/ DO Bit

40

DO Bit

Validation

- 3,635 (82%) fail to validate DNSSEC records

- 543 (12.2%) correctly validate DNSSEC records

Time Warner Cable InternetRogers Cable Communications

ComcastGoogle

- 4,427 resolvers- 83% of them are DO-bit enabled

Open Resolver Tests

41

Provide DO Bit Requested Validated?DS DNSKEY

Verisign YES YES YES YESGoogle YES YES YES YESDNSWatch YES YES YES YESDNS Advantage YES YES YES YESNorton ConnectSafe YES YES YES YESLevel3 YES NO NO NOComodo Secure DNS YES NO NO NOSafeDNS YES NO NO NODyn YES NO NO NOGreenTeamDNS* YES/NO YES YES NOOpenDNS NO NO NO NOOpenNIC NO NO NO NOFreeDNS NO NO NO NOAlternate DNS NO NO NO NOYandex DNS NO NO NO NO

Conclusion

42

• Presented a longitudinal, end-to-end study of DNSSEC ecosystem

• DNSSEC deployment from server-side is rare but growing✓ But, 33% of them are mis-configured✓DNSKEYs are not managed well

✓Weak✓ Some are shared✓ Rarely updated

• DNSSEC deployment from client-side is also rare✓Only 12% of resolvers validate responses

• Datasets and source code will be available.• http://securepki.org

Recommendations

• Use CDS (Child DS) / CDNSKEY (Child DNSKEY)• Automates DNSSEC delegation trust maintenance

• Modern resolvers (e.g., BIND >= 9.5 ) set “DO” bit by default, but make sure that it actually validates.

• Financial incentives for registrars to deploy DNSSEC would work• .se and .nl ccTLD • Please read our upcoming paper “Understanding the Role of

Registrars in DNSSEC Deployment [IMC’17]”

43

Conclusion

44

• Presented a longitudinal, end-to-end study of DNSSEC ecosystem

• DNSSEC deployment from server-side is rare but growing✓ But, 33% of them are mis-configured✓DNSKEYs are not managed well

✓Weak✓ Some are shared✓ Rarely updated

• DNSSEC deployment from client-side is also rare✓Only 12% of resolvers validate responses

• Datasets and source code will be available.• http://securepki.org

Questions?

45

Why DNSSEC Deployment is so Low?

46

“Understanding the Role of Registrars in DNSSEC Deployment” [IMC’17]

Ethical Consideration

47

Subject Considration

LuminatiPaid for access

Not violate ToS

Exit Nodes

Not expose PII

Connects only our testbed

Download “Empty” Page

Scenario and Intuition

48

subdomains description requires DS requires DNSKEY

missing-rrsig-a no signature for A record 0 0

invalid-rrsig-a invalid signature for A record 0 1

future-rrsig-a signature is not yet valid 0 0

past-rrsig-a signature is expired 0 0

missing-zsk ZSK used to sign A record is not in DNSKEY 0 1

missing-ksk KSK used to sign DNSKEY record is not in DNSKEY 0 1

missing-rrsig-ksk no signature for DNSKEY record 0 1

invalid-rrsig-ksk invalid signature for DNSKEY record 0 1

mismatch-ds DS record at parent zone is not accord with KSK 1 1

Structure of Domain Name

• Registry: organizations that manage top-level domains (TLDs). They maintain the TLD zone file (the list of all registered names), and work with registrars to sell domain names to the public. • Verisign

• Registrar: organizations that are accredited by ICANN3 and certified by registries to sell domains to the public. They have direct access to the registry.• GoDaddy

• Reseller: organizations that sell domain names, but are either not accredited (by ICANN) or certified (by a given TLD’s registry). Typically, resellers partner with registrars in order to sell domain names, and relay all information through the registrar.

49

DS record uploads

50

Key Sharing

51

Nameservers KSK ZSKKeys Domains Keys Domains

Others 151,733 152,144ovh.net. 316,888 316,887

loopia.se. 133,258 133,258hyp.net. 94,888 94,885

transip.net. 93,819 93,818domainmonster.com. 60,984 60,984

anycast.me. 55,936 55,936transip.nl. 45,676 45,675binero.se. 44,963 44,963

ns.cloudflare.com. 28,469 28,469is.nl. 12,837 12,836

pcextreme.nl. 15,210 15,210webhostingserver.nl. 15,023 15,023registrar-servers.com. 13,183 13,181

ns0.nl. 11,945 11,945citynetwork.se. 11,702 11,702

Key Sharing

52

Nameservers KSK ZSKKeys Domains Keys Domains

Others 157,533 151,733 188,482 152,144ovh.net. 318,036 316,888 326,011 316,887

loopia.se. 199 133,258 217 133,258hyp.net. 119,150 94,888 119,161 94,885

transip.net. 93,774 93,819 187,129 93,818domainmonster.com. 60,991 60,984 121,939 60,984

anycast.me. 56,075 55,936 58,296 55,936transip.nl. 45,648 45,676 91,161 45,675binero.se. 49 44,963 54 44,963

ns.cloudflare.com. 239 28,469 214 28,469is.nl. 12,834 12,837 25,512 12,836

pcextreme.nl. 15,192 15,210 28,654 15,210webhostingserver.nl. 15,019 15,023 22,741 15,023registrar-servers.com. 13,043 13,183 12,998 13,181

ns0.nl. 11,978 11,945 23,790 11,945citynetwork.se. 21 11,702 28 11,702

RolloverAbrupt Changes

53

ZSK

RRSIG

t0

RRSIG

ZSK

t0 + 1200

ZSK

TTL = 3600

RRSIG

ZSK

t0 + 1800

IP Address?

RRSIG

A Record

Can’t verify the signature!

Rollover Process (ZSK)<Pre-publish>

54

ZSK

RRSIG

t0

ZSK

RRSIG

ZSK

t2

RRSIG

ZSK

t3

Introducing a new key

Retiring a signature

Retiring the previous key

t1

ZSK

RRSIG

ZSK

Rollover Process (ZSK) <Double-signature>

55

RRSIG

ZSK

t0

RRSIG

ZSK

t2

Introducing a new key and signature

Retiring the previous key and signature

RRSIG

ZSK

t1

ZSK

RRSIG

Rollover Process (KSK) <Double-signature>

56

Parent Zone

Child Zone

DS record

KSK

RRSIG

t0

DS record

KSK

RRSIG

ZSK

RRSIG

t1

DS Record

KSK

RRSIG

ZSK

RRSIG

t2

DS Record

ZSK

RRSIG

t3

Rollover Process (KSK) <Double-DS>

57

Parent Zone

Child Zone

DS record

KSK

RRSIG

t0

DS Record

ZSK

RRSIG

t3

DS record

KSK

RRSIG

t1

DS Record

ZSK

RRSIG

t2

DS record

DS Record

ZSK Rollovers

58

Scheme .com .org

No ZSK Rollovers 279,935 27,166

Abrupt 5,527 66

Double Signatures 58,807 9,615

Pre-publish 259,327 33,518

ZSK Rollovers

59

Scheme .com .org

No ZSK Rollovers 279,935 27,166

Abrupt 5,527 66

Double Signatures 58,807 9,615

Pre-publish 259,327 33,518

DNSKEY(ZSK)

Nearly 45% of domains DO NOTswitch their DNSKEYs

KSK Rollovers

60

Scheme .com .net .org

No KSK Rollovers

621,213 93,558 65,704

Abrupt 17,724 3,183 1,710

Double Signatures

219,547 46,092 32,206

KSK Rollovers

61

Scheme .com .net .org

No KSK Rollovers

621,213 93,558 65,704

Abrupt 17,724 3,183 1,710

Double Signatures

219,547 46,092 32,206

DNSKEY(KSK)

Nearly 70% of domains DO NOTswitch their DNSKEYs

Superfluous Signatures

62

example.com

.com

zone signing key (ZSK)

key signing key (KSK)

A records RRSIG of A

= Hash of DS Record

DNSKEYs RRSIG of DNSKEY

DNSKEYs RRSIG of DNSKEY

Unnecessary, but not evil!

61% of domains sign their DNSKEY twice! so what?

DNSKEY Fragmentation

63

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

1

0 500 1000 1500 2000 2500 3000

1,232 bytes (IPv6 limits)


CD

F

DNSKEY Message Size

RRSIGsksk



0.01% experience fragmentation


64

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

1

0 500 1000 1500 2000 2500 3000



CD

F

DNSKEY Message Size

RRSIGskskRRSIGszsk,ksk



0.8% experience fragmentation

60.7% of them could have avoided fragmentation


65

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

1

0 500 1000 1500 2000 2500 3000



CD

F

DNSKEY Message Size

RRSIGskskRRSIGszsk,ksk

RRSIGszsk,ksk(2,048)



4.6% experience fragmentation (increased 5x times)

DNSKEYFragmentation

Superfluous signatures increases the chance of fragmentation.

Hola Unblocker

66

HTTP

Get netflix.com

Hola Luminati

67

Luminati user

example.com

HTTPGet example.com

Hola user

Measurement ClientExit Node

Exit Node’s DNS Resolver

HTTP

DNS

68

DNSSEC response

Get testbed.com

DNS & Web servertestbed.com

We measured 403,355 nodes and their 59,513 resolvers !

69

Get testbed.com

Measurement ClientSuper ProxyExit Node

Exit Node’s DNS Server

HTTP

DNS

70

DNS Response

A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure...

Documents

Transcript of A Longitudinal, End-to-End View of the DNSSEC …...Expired Percent of domains with specific failure...