dnssec usage sta s cs
play

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey - PowerPoint PPT Presentation

Feb 28, 2024 •485 likes •811 views

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

  1. DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016

  2. DNSSEC history • Defined by RFCs 4033-4035 – March 2005 • Root zone signed – July 2010 • March 2011 – the biggest zone .com signed • New GTLD programme (2013) require to run DNSSEC • Current state: more than 110 ccTLDs are signed 2

  3. DNSSEC principles zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. Put DNSKEYS in zone zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… Records signing zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… Zone publishing 3

  4. DNSSEC principles zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. Put DNSKEYS in zone zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… Records signing zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… Zone publishing Dear root/TLD admin, E-mail, web request, Please put our DS record in your zone: fax, paper leaer zone. IN DS 64656 10 2 DF8F614B79C Thank you. 4

  5. DNSSEC principles zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. Put DNSKEYS in zone zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… Records signing zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… Zone publishing Dear root/TLD admin, E-mail, web request, Please put our DS record in your zone: fax, paper leaer zone. IN DS 64656 10 2 DF8F614B79C Thank you. 5

  6. com. IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5 885044A833FC5459588F4A9184CF C41A5766 6 6

  7. Status of ccTLD implementa-on of DNSSEC 7 7

  8. Why to analyze .com zone? • The biggest zone ever (zone file about 10 Gbytes) • It’s difficult to receive the ccTLDs zones • Small percentage of DNSSEC-enabled domains • But the big amount of domains - ~600k • Different crypto parameters 8

  9. .COM / .NET sta-s-cs 2016 April’s data .com - 578.000 ds-records .net - 102.000 ds-records 9

  10. Digging into .COM • 580.000 DS-records correspond to 550.000 domain names • Many of them are signed by a single hoster using the same key • Some domains have more than 1 digest published • Some domains are clearly experimental 10

  11. TOP nameservers (grouped by company) • 100320 nsX.transip.eu/net/nl • 64968 nsX.hyp.net • 47651 [d]ns200.anycast.me • 17749 *.ovh.net • 12620 vX.pcextreme.eu • 9999 nsX.binero.se • 7015 nsX.webhos-ngserver.nl • 5907 nsX.openprovider.eu/be/nl 11

  12. Selected key parameters Algorithms: Hashes: 404091 RSASHA1-NSEC3-SHA1 403752 SHA-1 153004 RSA/SHA-256 174675 SHA-256 13349 RSA/SHA-1 175 GOST R 34.11-94 7438 ECDSA Curve P-256 with SHA-256 118 SHA-384 602 RSA/SHA-512 67 RSA/MD5 (?) 41 DH 37 DSA 33 ECDSA Curve P-384 with SHA-384 24 GOST R 34.10-2001 15 PRIVATEDNS 10 PRIVATEOID 9 DSA-NSEC3-SHA1 12 12

  13. Key re-usage More than 10.000 domains are signed by a single key of binero.se That’s the perfect example of mul-ply key usage. In the ccTLD zones I currently have, that is an extremely RARE situa-on. (except .CZ where many registrars are using one key for all its (customers) domains) 13

  14. .net key parameters Algorithms: Hashes: 69033 RSASHA1-NSEC3-SHA1 77097 SHA-1 27128 RSA/SHA-256 27332 SHA-256 6539 RSA/SHA-1 69 GOST R 34.11-94 55 SHA-384 1460 ECDSA Curve P-256 with SHA-256 287 RSA/SHA-512 50 ECDSA Curve P-384 with SHA-384 22 DSA 18 RSA/MD5 (?) 6 GOST R 34.10-2001 14 14

  15. Similar sta-s-cs in .net zone Similar rate of DNSSEC penetra-on – 97k DNSSEC-enabled domains per 15.6 mil. domains Same distribu-on of algorithms and hashes Similar observa-on of key re-usage: 2400+ entries of key ID 41182 – it’s a key ID of Swedish hoster Binero AB 15

  16. And the same situa-on in .org 58k DNSSEC-enabled domains per 10.9 mil. domains Same distribu-on of algorithms and hashes; but only SHA-1 and SHA-256 are present Similar observa-on of key re-usage: Binero AB is a leading DNSSEC DNS-service for .net and .org 16

  17. New GTLDs • 948 new top-level domains, including IDN • Admins are obliged to provide access to the zone • DNSSEC is a necessary condi-on • Easy access to zone files 17

  18. Crypto sta-s-cs From 716 newGTLD: 564 – RSA/SHA-512 127 – RSASHA1-NSEC3-SHA1 18 – RSA/SHA-1 7 – RSA/SHA-512 No GOST. Surprise? 18

  19. Top new GTLDs Domains registered: .xyz – 2665k .top – 1854k .wang – 1065k .win – 886k .club – 738k .link – 358k TOP DNSSEC penetra-on (GTLDs with 100+ domains): .ovh – 47% .amsterdam – 25% .webcam – 11% .golf – 9% .immo – 9% .brussels – 8% .sarl – 8% .taxi – 7% 19

  20. Top new GTLDs DNSSEC penetra-on rate for the top new GTLDs is in 0.00% – 0.28% range 20

  21. Top new GTLDs The higher penetra-on rate (10% - 47%) is being observed in the TLDs with 24k - 82k domains 21

  22. Specific requirements Some TLD administrators define its own policy on DNSSEC. This policy could affect: - The WHOIS output - Allowed algorithms/keylength/hashes etc - Allowance of key re-usage within the registry One should take such policies into account 22

  23. Sosware for DNSSEC opera-ons • There are about 10 open source sosware packages to manage your DNSSEC-enabled zone • There are also some proprietary solu-ons • With the widely deployment of DNSSEC, the number of different tools is growing • Most of DNS servers have its own u-li-es • For the rela-vely small number of zones, OpenDNSSEC may be the best solu-on 23

  24. The most common configura-on error 24

  25. The most common configura-on error Expira-on of the signature validity All the trust chains will be broken 25

  26. The most common configura-on error 26

  27. The most common -- configura-on error 27

  28. DANE overview • As we have trusted DNS date with the DNSSEC, we could wish to secure other sensi-ve data • So we can put the trust anchor of our website/ mailserver/whatever cer-ficate to our secured DNS zone • This could be either cer-ficate fingerprint, the whole cer-ficate or pointer to a CA root cert 28

  29. Is DANE dead? The deployment of DANE resource record is -ny. What could be a reason? - Low demands from the WEB - Implementa-on difficul-es? 29

  30. DANE usage sta-s-cs Not measured because… Almost nobody is using DANE MXs is only the DANE field can be useful today Research by Go6.si is at hap://goo.gl/8QcWE1 30

  31. What could be a killer app? • Let’s encrypt ini-a-ve can provide you a valid recognized cer-ficate for your domain name • This cer-ficate can be published in DNS using DANE • Then this cer-ficate can be used to encrypt all informa-on exchange of your server • There will be two possibili-es to check the trust chain: classic with the cer-ficate storage and DANE 31

  32. Ques-ons? LinkedIn.com/in/myasoedov 32

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides
Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar, ICANN DNSSEC WS 1 DNSSEC penetration About 17% domains is signed That means ~ 145.000 domains! (of 856.000) Check numbers at

180 views • 17 slides
DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk

DNSSEC resolving at SURFnet ICANN38, DNSSEC panel discussion, Brussels Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl June 23rd 2010 woensdag 2 juni 2010 About SURFnet National Research and Educational Network in The Netherlands

154 views • 11 slides
Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons

Fedora and DNSSEC Presented by Paul Wouters Fedora Packager, DNSSEC Advisor Creative Commons Attribution 3.0 https://fedoraproject.org/ What is Fedora Fedora is a fast, stable, and powerful

671 views • 7 slides
DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT

DNSSEC Impact on Registries Edward Lewis, Neustar Jakob Schlyter, .SE February 22, 2005 APRICOT Tutorial T11-3 1 Agenda What is a Registry, how is it run? Steps Towards Internal DNSSEC Steps Towards External DNSSEC Tough

898 views • 76 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides
Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K. Note to the DNS Camel* This document does not propose any new extensions to the DNS protocol. It

663 views • 16 slides

More recommend