Post on 24-Mar-2018
transcript
DNSSEC usage statistics and some observations
SEE 5, Tirana
Sergey Myasoedov, 20.4.2016
DNSSEC history
• Defined by RFCs 4033-4035 – March 2005
• Root zone signed – July 2010
• March 2011 – the biggest zone, .com, signed
• New gTLD programme (2013) requires running DNSSEC
• Current state: more than 110 ccTLDs are signed
DNSSEC principles

zone. IN SOA ns1.zone. admin@zone.
zone. IN NS ns1.zone.
zone. IN NS ns2.zone.
zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU…
zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn…
zone. IN RRSIG SOA 10 2 86400 20130619092425 (…
zone. IN RRSIG NS 10 2 86400 20130619092425 (…

Put DNSKEYs in zone
Records signing
Zone publishing

Dear root/TLD admin,
Please put our DS record in your zone:
zone. IN DS 64656 10 2 DF8F614B79C
Thank you.

(E-mail, web request, fax, paper letter)
com. IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
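The DS record above is what a child zone operator hands to the parent, and a stale or mistyped DS breaks the chain of trust for the whole child zone. The following added example (not code from the talk) derives a DS record from a DNSKEY as RFC 4034 specifies, using only the Python standard library, and checks a parent's published DS against the child's key; the DNSKEY is a constructed toy key and "example." is a placeholder owner name.

```python
"""Derive a DS record from a DNSKEY and check the parent's DS against it.

Added example, not code from the talk: RFC 4034 key-tag and DS digest
construction with the standard library only. The DNSKEY used below is a
constructed toy key, not a real zone key.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605): presentation number -> hashlib name
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS record the child operator sends to the parent:
    digest = hash(owner-name-wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.new(DIGEST_TYPES[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest.upper()}"


def ds_rdata(record: str) -> list:
    """Normalise the RDATA (tag, algorithm, digest type, digest) of a DS record for
    comparison; the hex digest may be split by whitespace in presentation format."""
    fields = record.split()
    i = [f.upper() for f in fields].index("DS")
    return [fields[i + 1], fields[i + 2], fields[i + 3], "".join(fields[i + 4:]).upper()]


def ds_matches(parent_ds: str, child_ds: str) -> bool:
    """True when the DS published by the parent is the one the child's DNSKEY yields.
    A mismatch (stale DS after a key rollover, or a typo in a DS submitted by e-mail
    or fax) breaks validation for the whole child zone."""
    return ds_rdata(parent_ds) == ds_rdata(child_ds)


# Constructed toy KSK: flags 257 (zone key + SEP), protocol 3, algorithm 8 (RSA/SHA-256).
TOY_OWNER = "example."
TOY_PUBKEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    ds = make_ds(TOY_OWNER, 257, 3, 8, TOY_PUBKEY_B64)
    print(ds)
    # Compare what the parent publishes with what the child's key yields.
    print("parent DS matches:", ds_matches(ds, make_ds(TOY_OWNER, 257, 3, 8, TOY_PUBKEY_B64)))
```

A real key would be the base64 field of the DNSKEY record as it appears in the zone; the check is worth running after every DS submission to the parent and after every KSK rollover, since the DS on the parent side is the only link the resolver has to the child's keys.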
Status of ccTLD implementation of DNSSEC
Why to analyze the .com zone?
• The biggest zone ever (zone file about 10 Gbytes)
• It's difficult to receive the ccTLD zones
• Small percentage of DNSSEC-enabled domains
• But a big amount of domains – ~600k
• Different crypto parameters
.COM/.NET statistics (April 2016 data)
.com – 578,000 DS records
.net – 102,000 DS records
Digging into .COM
• 580,000 DS records correspond to 550,000 domain names
• Many of them are signed by a single hoster using the same key
• Some domains have more than 1 digest published
• Some domains are clearly experimental
Top nameservers (grouped by company)
• 100320 nsX.transip.eu/net/nl
• 64968 nsX.hyp.net
• 47651 [d]ns200.anycast.me
• 17749 *.ovh.net
• 12620 vX.pcextreme.eu
• 9999 nsX.binero.se
• 7015 nsX.webhostingserver.nl
• 5907 nsX.openprovider.eu/be/nl
Selected key parameters
Algorithms:
404091 RSASHA1-NSEC3-SHA1
153004 RSA/SHA-256
13349 RSA/SHA-1
7438 ECDSA Curve P-256 with SHA-256
602 RSA/SHA-512
67 RSA/MD5 (?)
41 DH
37 DSA
33 ECDSA Curve P-384 with SHA-384
24 GOST R 34.10-2001
15 PRIVATEDNS
10 PRIVATEOID
9 DSA-NSEC3-SHA1
Hashes:
403752 SHA-1
174675 SHA-256
175 GOST R 34.11-94
118 SHA-384
Key re-usage
More than 10,000 domains are signed by a single key of binero.se. That's the perfect example of multiple key usage.
In the ccTLD zones I currently have, that is an extremely RARE situation (except .CZ, where many registrars are using one key for all their customers' domains).
.net key parameters
Algorithms:
69033 RSASHA1-NSEC3-SHA1
27128 RSA/SHA-256
6539 RSA/SHA-1
1460 ECDSA Curve P-256 with SHA-256
287 RSA/SHA-512
50 ECDSA Curve P-384 with SHA-384
22 DSA
18 RSA/MD5 (?)
6 GOST R 34.10-2001
Hashes:
77097 SHA-1
27332 SHA-256
69 GOST R 34.11-94
55 SHA-384
Similar statistics in the .net zone
Similar rate of DNSSEC penetration – 97k DNSSEC-enabled domains per 15.6 million domains
Same distribution of algorithms and hashes
Similar observation of key re-usage: 2400+ entries of key ID 41182 – it's the key ID of the Swedish hoster Binero AB
And the same situation in .org
58k DNSSEC-enabled domains per 10.9 million domains
Same distribution of algorithms and hashes, but only SHA-1 and SHA-256 are present
Similar observation of key re-usage: Binero AB is a leading DNSSEC DNS service for .net and .org
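The .com, .net and .org figures above (algorithm and digest-type counts, domains with more than one digest, one key ID shared by thousands of domains) all come from counting DS records in the TLD zone files. The following added example (not code from the talk) implements that count over a zone-file excerpt; the excerpt is constructed, the domain names are placeholders, and key tag 41182 is the heavily re-used key ID the talk reports for .net.

```python
"""Summarize DS records from a zone-file excerpt: algorithms, digest types,
domains with several digests, and key re-use across domains.

Added example (not from the talk) reproducing the kind of counts the talk
reports for .com/.net/.org. The excerpt is constructed, not zone data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers -> the names used in the talk's tables
ALGORITHMS = {
    1: "RSA/MD5", 2: "DH", 3: "DSA", 5: "RSA/SHA-1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSA/SHA-256", 10: "RSA/SHA-512",
    12: "GOST R 34.10-2001", 13: "ECDSA Curve P-256 with SHA-256",
    14: "ECDSA Curve P-384 with SHA-384", 253: "PRIVATEDNS", 254: "PRIVATEOID",
}
# DS digest type numbers -> names
DIGESTS = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds_records(zone_text: str):
    """Yield DS records from zone-file text; TTL and class are optional,
    other record types and ';' comments are skipped."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            i = [f.upper() for f in fields].index("DS")
        except ValueError:
            continue  # not a DS record
        if len(fields) < i + 5:
            continue  # malformed DS line
        tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        digest = "".join(fields[i + 4:]).upper()  # digest may be split by whitespace
        yield DS(fields[0].lower(), tag, alg, dtype, digest)


def summarize(zone_text: str) -> dict:
    """Counts in the shape of the talk's tables, plus the key re-use observation."""
    records = list(parse_ds_records(zone_text))
    per_domain = Counter(r.owner for r in records)
    # Domains per (key tag, algorithm): a tag alone can collide between distinct keys.
    domains_per_key = defaultdict(set)
    for r in records:
        domains_per_key[(r.key_tag, r.algorithm)].add(r.owner)
    return {
        "ds_records": len(records),
        "domains": len(per_domain),
        "multi_digest_domains": sorted(d for d, n in per_domain.items() if n > 1),
        "algorithms": Counter(ALGORITHMS.get(r.algorithm, f"alg {r.algorithm}") for r in records),
        "digests": Counter(DIGESTS.get(r.digest_type, f"type {r.digest_type}") for r in records),
        "key_reuse": sorted(((k, len(d)) for k, d in domains_per_key.items() if len(d) > 1),
                            key=lambda kv: -kv[1]),
    }


SAMPLE_ZONE = """\
; constructed excerpt in the style of a gTLD zone file (not real data);
; key tag 41182 is the re-used key ID the talk reports for .net
alpha.com.   86400 IN DS 41182 8 1 0A0B0C0D0E0F10111213141516171819
alpha.com.   86400 IN DS 41182 8 2 A1A2A3A4A5A6A7A8A9AAABACADAEAFB0
beta.com.    86400 IN DS 41182 8 2 A1A2A3A4A5A6A7A8A9AAABACADAEAFB0
gamma.com.   86400 IN DS 41182 8 2 A1A2A3A4A5A6A7A8A9AAABACADAEAFB0
delta.com.   86400 IN DS 12345 7 1 B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0
epsilon.com. 86400 IN DS 23456 13 2 C1C2C3C4 C5C6C7C8C9CACBCCCDCECFD0
zeta.com.    86400 IN DS 34567 7 1 D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0
alpha.com.   172800 IN NS ns1.example.   ; other types are ignored
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ZONE).items():
        print(f"{key}: {value}")
```

On a real 10 GB zone file the same loop runs line by line, so memory stays bounded by the number of distinct owners and keys rather than by the file size; the "key_reuse" list is the place where a single hoster's key signing thousands of customer domains shows up.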
New gTLDs
• 948 new top-level domains, including IDN
• Admins are obliged to provide access to the zone
• DNSSEC is a necessary condition
• Easy access to zone files
Crypto statistics
From 716 new gTLDs:
564 – RSA/SHA-512
127 – RSASHA1-NSEC3-SHA1
18 – RSA/SHA-1
7 – RSA/SHA-512
No GOST. Surprise?
Top new gTLDs
Domains registered: .xyz – 2665k, .top – 1854k, .wang – 1065k, .win – 886k, .club – 738k, .link – 358k
Top DNSSEC penetration (gTLDs with 100+ domains): .ovh – 47%, .amsterdam – 25%, .webcam – 11%, .golf – 9%, .immo – 9%, .brussels – 8%, .sarl – 8%, .taxi – 7%
Top new gTLDs
The DNSSEC penetration rate for the top new gTLDs is in the 0.00%–0.28% range.
The higher penetration rate (10%–47%) is observed in the TLDs with 24k–82k domains.
Specific requirements
Some TLD administrators define their own policy on DNSSEC. This policy could affect:
- The WHOIS output
- Allowed algorithms / key length / hashes etc.
- Allowance of key re-usage within the registry
One should take such policies into account.
Software for DNSSEC operations
• There are about 10 open source software packages to manage your DNSSEC-enabled zone
• There are also some proprietary solutions
• With the wide deployment of DNSSEC, the number of different tools is growing
• Most DNS servers have their own utilities
• For a relatively small number of zones, OpenDNSSEC may be the best solution
The most common configuration error
Expiration of the signature validity
All the trust chains will be broken
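Signature expiry is a monitoring problem: every RRSIG carries its expiration and inception in YYYYMMDDHHMMSS UTC (RFC 4034 section 3.2), so a zone can be checked for signatures that have lapsed or are about to. The following added example (not code from the talk) parses RRSIG records in presentation format, including ones wrapped across lines with parentheses as on the principles slide, and classifies each as expired, not yet valid, expiring within a warning window, or ok. The sample records are constructed, with validity dates modelled on the slide's example.

```python
"""Flag RRSIGs that have expired or are about to expire, from zone-file text.

Added example (not from the talk). Parses RRSIG records in presentation
format (validity fields are YYYYMMDDHHMMSS in UTC, RFC 4034 section 3.2)
and reports the failure the talk calls the most common configuration error:
signatures left to expire, which breaks validation for the whole zone.
The sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SIG_TIME_FMT = "%Y%m%d%H%M%S"  # RFC 4034 presentation form of signature times, UTC


def parse_sig_time(text: str) -> datetime:
    return datetime.strptime(text, SIG_TIME_FMT).replace(tzinfo=timezone.utc)


@dataclass
class RRSig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_rrsigs(zone_text: str):
    """Yield RRSIG records from zone-file text, joining records that are
    wrapped across lines with ( ) and dropping ';' comments."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue  # still inside a parenthesised record
        fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        upper = [f.upper() for f in fields]
        if "RRSIG" not in upper:
            continue
        i = upper.index("RRSIG")
        # RDATA: type-covered alg labels orig-ttl expiration inception key-tag signer signature
        if len(fields) < i + 10:
            continue  # malformed or truncated record
        covered, _alg, _labels, _ttl, exp, inc, tag, signer = fields[i + 1:i + 9]
        yield RRSig(fields[0], covered.upper(), parse_sig_time(exp),
                    parse_sig_time(inc), int(tag), signer)


def check_signatures(zone_text: str, now: str = "", warn_days: int = 3) -> list:
    """Classify every RRSIG as 'expired', 'not yet valid', 'expiring' (within
    warn_days) or 'ok'. `now` is YYYYMMDDHHMMSS in UTC; empty means the
    current time. Returns (owner, type covered, status, expiration) tuples."""
    t = parse_sig_time(now) if now else datetime.now(timezone.utc)
    report = []
    for sig in parse_rrsigs(zone_text):
        if t > sig.expiration:
            status = "expired"
        elif t < sig.inception:
            status = "not yet valid"
        elif sig.expiration - t <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append((sig.owner, sig.type_covered, status,
                       sig.expiration.strftime(SIG_TIME_FMT)))
    return report


SAMPLE_ZONE = """\
; constructed: SOA and NS signatures made on 2013-05-20 with a 30-day validity,
; modelled on the talk's example slide; the A signature is a later re-sign
zone. IN RRSIG SOA 10 1 86400 20130619092425 (
                 20130520092425 64656 zone.
                 c29tZS1zaWduYXR1cmU= )
zone. IN RRSIG NS 10 1 86400 20130619092425 20130520092425 64656 zone. c29tZS1zaWduYXR1cmU=
www.zone. IN RRSIG A 10 2 3600 20130701000000 20130601000000 34567 zone. c29tZS1zaWduYXR1cmU=
"""

if __name__ == "__main__":
    # Pretend it is the day before the SOA/NS signatures lapse.
    for row in check_signatures(SAMPLE_ZONE, now="20130618120000"):
        print(row)
```

Run against the signed zone as served (an AXFR or the signer's output file) from a host with a trusted clock, and alert on "expiring" well before the re-signing interval, so a stuck signer or a stale zone copy on a secondary is caught before resolvers start returning SERVFAIL.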
DANE overview
• As we have trusted DNS data with DNSSEC, we could wish to secure other sensitive data
• So we can put the trust anchor of our website/mail server/whatever certificate into our secured DNS zone
• This could be either a certificate fingerprint, the whole certificate or a pointer to a CA root cert
Is DANE dead?
The deployment of DANE resource records is tiny. What could be the reason?
- Low demand from the WEB
- Implementation difficulties?
DANE usage statistics
Not measured because…
Almost nobody is using DANE
MX is the only field where DANE can be useful today
Research by Go6.si is at http://goo.gl/8QcWE1
What could be a killer app?
• The Let's Encrypt initiative can provide you a valid, recognized certificate for your domain name
• This certificate can be published in DNS using DANE
• Then this certificate can be used to encrypt all information exchange of your server
• There will be two possibilities to check the trust chain: classic with the certificate storage and DANE
Questions?
LinkedIn.com/in/myasoedov