Assessing and Improving the Quality of DNSSEC Deployment
Casey Deccio, Ph.D., Sandia National Laboratories
AIMS-4, CAIDA, SDSC, San Diego, CA, Feb 9, 2012
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.
Outline
- DNSSEC protocol review
- DNSSEC maintenance and misconfiguration
- DNSSEC survey and results
- Conclusions and solutions
DNS Security Extensions (DNSSEC)
- RRsets are signed with the zone's private key(s); the signatures covering an RRset are returned by the server as RRSIG records.
- Public keys are published in the zone data as DNSKEY records.
- The resolver validates the response: if authentic, the Authenticated Data (AD) bit is set; if bogus, a SERVFAIL message is returned.
Message flow between stub resolver, recursive/validating resolver and authoritative server:
  stub -> resolver:          Query: www.bar.com/A ?
  resolver -> authoritative: Query: www.bar.com/A ?
  authoritative -> resolver: Answer: 192.0.2.16 + RRSIG
  resolver -> authoritative: Query: bar.com/DNSKEY ?
  authoritative -> resolver: Answer: DNSKEY… + RRSIG
  resolver validates bar.com, then answers the stub: 192.0.2.16 with AD set
Scalable authentication via a chain of trust
- The resolver must have some notion of trust: a trust anchor (a DNSKEY it trusts a priori).
- Every other DNSKEY must be authenticated; trust extends through the zone's ancestry to a trust anchor at the resolver.
- The DS resource record in the parent zone provides a digest of a DNSKEY in the child zone.
Chain shown: trust anchor at the resolver -> root (.) DNSKEY -> root zone data (DS for com) -> com DNSKEY -> com zone data (DS for bar.com) -> bar.com DNSKEY -> bar.com zone data
Backwards compatibility… kind of
- If no secure link exists between parent and child, the referring (parent) server must prove non-existence of DS RRs.
- NSEC/NSEC3 resource records provide authenticated denial of existence.
- Child zones of insecure delegations may be unsigned or signed ("islands of security").
Chain shown: trust anchor at the resolver -> root (.) DNSKEY -> root zone data (DS for net) -> net DNSKEY -> net zone data (NSEC/NSEC3 proving there is no DS for baz.net) -> baz.net, unsigned or an island of security
DNSSEC validation status
Secure – unbroken chain from anchor to RRset (image from http://dnsviz.net/)
DNSSEC validation status
Insecure – chain that securely terminates (i.e., an insecure delegation); the figure marks the secure chain termination (image from http://dnsviz.net/)
DNSSEC validation status
Bogus – broken chain; the figure marks the break in the chain (image from http://dnsviz.net/)
Outline (next section: DNSSEC maintenance and misconfiguration)
DNSSEC maintenance
- RRSIG refresh
- DNSKEY rollovers
  - ZSK rollovers: non-SEP (secure entry point) keys; self-contained within the zone
  - KSK rollovers: SEP keys; require interaction with the parent (DS update) or with the trust anchor
- Algorithm changes
DNSSEC misconfiguration
- DS Mismatch – no DNSKEY matching the DS in the parent zone
- DNSKEY Missing – DNSKEY not available to validate an RRSIG
- NSEC Missing – NSEC RRs not returned by the authoritative server
- RRSIG Missing – RRSIGs not returned by some servers
- RRSIG Bogus – signature in the RRSIG does not validate
- RRSIG Dates – expired or premature RRSIG dates
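To make the DS/DNSKEY link from the chain-of-trust slide and the "DS Mismatch" case above concrete, here is an added Python example (my code, not DNSViz's or the survey's). It computes the RFC 4034 key tag and DS digest for a DNSKEY and checks whether a parent's DS set is reproducible from a child's DNSKEY RRset. The zone name bar.com, the key blobs and the rollover scenario are constructed for illustration; the key bytes are not real RSA key material, which does not matter here because the DS digest covers the DNSKEY RDATA bytes exactly as published.

```python
import hashlib
import struct

# Added example; constructed data, not real zone or key material.

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): 16-bit flags, 8-bit protocol (always 3),
    8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the whole RDATA with the
    carry folded back in (applies to every algorithm except the obsolete RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def ds_for_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                  pubkey: bytes, digest_type: int = 2) -> tuple:
    """The DS RDATA (key tag, algorithm, digest type, digest) a parent should
    publish for this DNSKEY: digest = H(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), algorithm, digest_type, digest)

def unmatched_ds(owner: str, parent_ds: list, child_dnskeys: list) -> list:
    """Parent DS records that no DNSKEY in the child's RRset reproduces.
    Empty means the chain of trust links; non-empty is the 'DS Mismatch'
    misconfiguration (the SEP the parent vouches for is no longer published)."""
    reproducible = set()
    for flags, proto, alg, pub in child_dnskeys:
        for dt in DIGEST_ALGS:
            reproducible.add(ds_for_dnskey(owner, flags, proto, alg, pub, dt))
    return [ds for ds in parent_ds if ds not in reproducible]

# Constructed sample: KSK flags 257 (ZONE|SEP), ZSK flags 256, algorithm 8
# (RSASHA256).  The key blobs are placeholders, not real RSA public keys.
ZONE = "bar.com."
OLD_KSK = (257, 3, 8, bytes(range(1, 65)))
NEW_KSK = (257, 3, 8, bytes(range(64, 0, -1)))
ZSK = (256, 3, 8, bytes(range(100, 164)))

def rollover_scenario():
    """The parent holds a DS for OLD_KSK.  Before the rollover the chain links.
    If the child then swaps OLD_KSK for NEW_KSK without first having the parent
    publish a DS for NEW_KSK, validators see DS Mismatch and return SERVFAIL."""
    parent_ds = [ds_for_dnskey(ZONE, *OLD_KSK)]
    before = unmatched_ds(ZONE, parent_ds, [OLD_KSK, ZSK])
    after = unmatched_ds(ZONE, parent_ds, [NEW_KSK, ZSK])
    return before, after

if __name__ == "__main__":
    before, after = rollover_scenario()
    print("before rollover: unmatched DS =", before)
    print("after rollover:  unmatched DS =", [(t, a, d) for t, a, d, _ in after])
```

The correct order for a KSK rollover follows from the check: publish the new KSK in the child, have the parent add a DS for it, wait for the old DS and DNSKEY to expire from caches, and only then remove the old key.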
DNSSEC is hard.
Jan 10, 2012 – Comcast turned on DNSSEC validation for all its residential customers.
http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html
Jan 18, 2012 – Comcast customers could not access nasa.gov.
http://forums.comcast.com/t5/Connectivity-and-Modem-Help/NASA-gov-blocked/td-p/1169657
http://nasawatch.com/archives/2012/01/comcast-blocks.html
Jan 22, 2012 – Comcast customers could not access bitcoinica.com.
http://www.reddit.com/r/Bitcoin/comments/orzpq/attention_comcast_users_we_have_been_censored/
Comcast is clearly "censoring" these sites. But why?
Enter DNSViz…
DNSViz
- Actively monitors domains from a single vantage point
- Makes results available for visual analysis at http://dnsviz.net/
Diagram: the DNSViz server queries com, foo.com and bar.com.
But, they "fixed" it…
Outline (next section: DNSSEC survey and results)
DNSSEC deployment survey
- Polled ~2,700 production signed zones over a one-year time frame (May 2010 – July 2011)
- Validation of the SOA RR analyzed several times daily, anchored at ISC DLV (DNSSEC Lookaside Validation) or at the root zone (after the root was signed in July 2010)
- Identified maintenance events and misconfigurations
Survey breakdown by TLD
(Figure: bar chart per TLD of zones surveyed and zones with a misconfiguration; y-axis 0–900 zones.)
RRSIG lifetimes
(Figure: CDF of RRSIG(DNSKEY) lifetime in days, x-axis 0–360, for all zones and for zones with an expired RRSIG.)
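The "RRSIG refresh" maintenance task, the "RRSIG Dates" misconfiguration and the lifetime CDF above all come down to the two timestamps in an RRSIG. The following is an added Python example (mine, not the survey's or DNSViz's code) that classifies a signature as premature, valid or expired at a given validation time, computes its lifetime, and decides whether the signer should already have refreshed it. The RRSIG inception/expiration pairs, the 30-day lifetime policy and the 50% refresh rule are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Added example; the RRSIG fields below are constructed, not captured data.

def utc(*ymd_hms) -> datetime:
    """Convenience constructor for an aware UTC datetime."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)

def parse_rrsig_time(text: str) -> datetime:
    """Inception/expiration in RRSIG presentation format: YYYYMMDDHHmmSS, UTC
    (RFC 4034 s3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_status(inception: str, expiration: str, now: datetime,
                 skew: timedelta = timedelta(0)) -> str:
    """Temporal validity of one RRSIG (RFC 4034 s3.1.5): usable only while
    inception <= now <= expiration.  `skew` is whatever clock tolerance the
    validator chooses; 'premature' and 'expired' are the survey's RRSIG Dates
    misconfiguration, and both make the RRset bogus at a validating resolver."""
    inc, exp = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    if exp <= inc:
        return "bogus"          # expiration not after inception: never valid
    if now < inc - skew:
        return "premature"      # signed with an inception still in the future
    if now > exp + skew:
        return "expired"        # signer failed to refresh in time
    return "valid"

def lifetime_days(inception: str, expiration: str) -> float:
    """Signature lifetime in days, the quantity on the x-axis of the CDF."""
    delta = parse_rrsig_time(expiration) - parse_rrsig_time(inception)
    return delta.total_seconds() / 86400

def refresh_due(inception: str, expiration: str, now: datetime,
                refresh_fraction: float = 0.5) -> bool:
    """Maintenance rule (assumed policy): re-sign once less than
    `refresh_fraction` of the lifetime remains, so caches still holding the
    old RRSIG for up to its TTL never see it expire."""
    inc, exp = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    return (exp - now) < (exp - inc) * refresh_fraction

# Constructed RRSIG inception/expiration pairs for a zone signed with a
# 30-day signature lifetime.
SAMPLE_RRSIGS = {
    "bar.com. SOA":    ("20120101000000", "20120131000000"),
    "bar.com. DNSKEY": ("20111201000000", "20111231000000"),  # never re-signed
    "www.bar.com. A":  ("20120201000000", "20120302000000"),  # inception in the future
}

def audit(now: datetime, rrsigs=SAMPLE_RRSIGS) -> dict:
    """(status, lifetime in days, refresh overdue?) for each RRSIG at `now`."""
    return {name: (rrsig_status(inc, exp, now), lifetime_days(inc, exp),
                   refresh_due(inc, exp, now))
            for name, (inc, exp) in rrsigs.items()}

if __name__ == "__main__":
    now = utc(2012, 1, 20)
    for name, (status, days, due) in audit(now).items():
        print(f"{name:18} {status:9} lifetime={days:5.1f}d refresh_due={due}")
```

Run against the sample at 2012-01-20, the SOA signature is still valid but already past the refresh point, the DNSKEY signature has expired (every validating resolver now fails the whole zone), and the A record's signature is not yet valid. A monitoring job that only checks "valid right now" would miss the first case, which is the one that is still cheap to fix.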
DNSKEY rollovers
Key role | Zones that did not roll key (0) | Zones that rolled key once (1) | Zones that rolled key more than once (>1)
ZSK      | 37%                             | 11%                            | 52%
KSK      | 72%                             | 17%                            | 10%
DNSKEY lifetime
(Figure: CDF of key lifetime in days, x-axis 0–390, for KSK lifetime, ZSK lifetime, and KSK lifetime in zones with a bad rollover.)
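The rollover table and the lifetime CDF above are the kind of result a polling survey derives from periodic snapshots of each zone's DNSKEY RRset and the parent's DS set. As an added Python example (mine, not the survey's own analysis code), here is one way to derive rollover counts, per-key lifetimes and "bad rollover" days from such snapshots. The snapshot series is constructed: poll days, key tags, roles and DS tags are all made up to show a pre-publish ZSK rollover followed by a KSK rollover in which the parent's DS lags behind.

```python
from collections import defaultdict

# Added example; the snapshots are constructed, not survey data.
# One snapshot per poll: (poll_day, {key_tag: role}, set of key tags the parent's DS set names)

def key_intervals(snapshots):
    """First and last poll day on which each (key_tag, role) was in the DNSKEY RRset."""
    seen = {}
    for day, keys, _ds in snapshots:
        for tag, role in keys.items():
            first, _last = seen.get((tag, role), (day, day))
            seen[(tag, role)] = (first, day)
    return seen

def analyze(snapshots):
    """Return (rollovers per role, lifetime in days per key, poll days with a DS mismatch).
    A rollover is counted each time a key of that role is retired before the
    observation window closes; lifetimes of keys still present at the last poll
    are right-censored, and resolution is limited to the polling interval."""
    intervals = key_intervals(snapshots)
    window_end = snapshots[-1][0]
    rollovers = defaultdict(int)
    lifetimes = {}
    for (tag, role), (first, last) in intervals.items():
        lifetimes[(tag, role)] = last - first
        if last < window_end:
            rollovers[role] += 1
    # Bad KSK rollover: no KSK in the RRset is named by any DS the parent publishes,
    # so the chain of trust is broken for the whole zone on that poll.
    mismatch_days = [day for day, keys, ds_tags in snapshots
                     if not any(tag in ds_tags for tag, role in keys.items() if role == "KSK")]
    return dict(rollovers), lifetimes, mismatch_days

def rollover_bucket(count: int) -> str:
    """The three columns of the rollover table: 0, 1, or >1."""
    return "0" if count == 0 else "1" if count == 1 else ">1"

# Constructed series for one zone, poll day relative to the first observation.
SNAPSHOTS = [
    (0,   {100: "KSK", 200: "ZSK"},             {100}),
    (30,  {100: "KSK", 200: "ZSK", 201: "ZSK"}, {100}),  # new ZSK pre-published
    (45,  {100: "KSK", 201: "ZSK"},             {100}),  # old ZSK retired: clean rollover
    (90,  {101: "KSK", 201: "ZSK"},             {100}),  # KSK swapped, parent DS still for 100
    (100, {101: "KSK", 201: "ZSK"},             {101}),  # parent DS finally updated
]

if __name__ == "__main__":
    rollovers, lifetimes, bad_days = analyze(SNAPSHOTS)
    for role in ("ZSK", "KSK"):
        print(f"{role} rollovers: {rollovers.get(role, 0)} (bucket {rollover_bucket(rollovers.get(role, 0))})")
    for key, days in sorted(lifetimes.items()):
        print(f"key {key[0]} ({key[1]}): observed lifetime {days} days")
    print("poll days with DS mismatch (bad KSK rollover):", bad_days)
```

On the sample, the ZSK rollover is invisible to validators because the zone pre-published the new key and retired the old one later, while the KSK rollover produced a DS Mismatch at the day-90 poll: exactly the difference between the self-contained ZSK case and the KSK case that needs the parent.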
Misconfigurations by type
(Figure: bar chart, y-axis 0–3000 events, per type – DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates – each split into incremental, partial and complete.)
Event duration
(Figure: CDF of event duration, x-axis 1–15, per misconfiguration type: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates.)
Repeat offense rate
(Figure: bar chart, y-axis 0–0.6, per misconfiguration type: DS Mismatch, DNSKEY Missing, NSEC Missing, RRSIG Missing, RRSIG Bogus, RRSIG Dates.)
IPv6 analysis
IPv6 inconsistencies
Outline (next section: Conclusions and solutions)
Summary of observations
- Resolver operators are learning about third-party DNSSEC misconfigurations from their customers.
- Administrators aren't detecting and correcting their DNSSEC problems in a timely fashion.
- Administrators aren't learning from past mistakes.
Solutions
- Tools for comprehensive DNSSEC analysis
  - Hierarchical analysis (chain of trust)
  - Dependency analysis (CNAME, MX, NS, etc.)
  - Server consistency analysis
  - Pointers to the specification
  - Resources for corrective action
- Tools/resources for detection/notification of misconfiguration
  - Individual monitoring and alerts
  - Global monitoring and alerts
DNSViz – future plans
- Expansion of detailed analysis
- Passive monitoring, in addition to active monitoring
  - Diverse backend support, e.g., ISC Security Information Exchange (SIE)
  - Prioritized active probing
- Alerts of misconfiguration
- RESTful API for programmatic third-party monitoring
- Cache analysis/local perspective
- Availability of software for diverse uses
Questions?
ctdecci@sandia.gov