DNSSECusagesta-s-csandsomeobserva-ons

SEE5,Tirana

SergeyMyasoedov20.4.2016

DNSSEChistory

•  DefinedbyRFCs4033-4035–March2005•  Rootzonesigned–July2010•  March2011–thebiggestzone.comsigned

•  NewGTLDprogramme(2013)requiretorunDNSSEC

•  Currentstate:morethan110ccTLDsaresigned

2

DNSSECprinciples

3

zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (…

PutDNSKEYSinzone

Recordssigning

Zonepublishing

DNSSECprinciples

4

zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (…

PutDNSKEYSinzone

Recordssigning

Zonepublishing

Dearroot/TLDadmin,PleaseputourDSrecordinyourzone:zone.INDS64656102DF8F614B79CThankyou.

E-mail,webrequest,fax,paperleaer

DNSSECprinciples

5

zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (…

PutDNSKEYSinzone

Recordssigning

Zonepublishing

Dearroot/TLDadmin,PleaseputourDSrecordinyourzone:zone.INDS64656102DF8F614B79CThankyou.

E-mail,webrequest,fax,paperleaer

66

com. IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

7

StatusofccTLDimplementa-onofDNSSEC

7

Whytoanalyze.comzone?

8

•  Thebiggestzoneever(zonefileabout10Gbytes)

•  It’sdifficulttoreceivetheccTLDszones

•  SmallpercentageofDNSSEC-enableddomains

•  Butthebigamountofdomains-~600k

•  Differentcryptoparameters

.COM/.NETsta-s-cs

2016April’sdata

.com-578.000ds-records

.net-102.000ds-records

9

Digginginto.COM

•  580.000DS-recordscorrespondto550.000domainnames

•  Manyofthemaresignedbyasinglehosterusingthesamekey

•  Somedomainshavemorethan1digestpublished

•  Somedomainsareclearlyexperimental

10

TOPnameservers(groupedbycompany)

•  100320nsX.transip.eu/net/nl•  64968nsX.hyp.net•  47651[d]ns200.anycast.me•  17749*.ovh.net•  12620vX.pcextreme.eu•  9999nsX.binero.se•  7015nsX.webhos-ngserver.nl•  5907nsX.openprovider.eu/be/nl

11

12

SelectedkeyparametersAlgorithms:

404091 RSASHA1-NSEC3-SHA1153004 RSA/SHA-25613349 RSA/SHA-17438 ECDSACurveP-256withSHA-256602 RSA/SHA-51267 RSA/MD5(?)41 DH37 DSA33 ECDSACurveP-384withSHA-38424 GOSTR34.10-200115 PRIVATEDNS10 PRIVATEOID9 DSA-NSEC3-SHA1

12

Hashes:

403752SHA-1174675SHA-256175GOSTR34.11-94118SHA-384

Keyre-usage

Morethan10.000domainsaresignedbyasinglekeyofbinero.seThat’stheperfectexampleofmul-plykeyusage.

IntheccTLDzonesIcurrentlyhave,thatisanextremelyRAREsitua-on.(except.CZwheremanyregistrarsareusingonekeyforallits(customers)domains)

13

14

.netkeyparameters

Algorithms:

69033 RSASHA1-NSEC3-SHA127128 RSA/SHA-256

6539 RSA/SHA-1

1460 ECDSACurveP-256withSHA-256

287 RSA/SHA-512

50 ECDSACurveP-384withSHA-38422 DSA

18 RSA/MD5(?)

6 GOSTR34.10-2001

14

Hashes:

77097 SHA-127332 SHA-25669 GOSTR34.11-9455 SHA-384

Similarsta-s-csin.netzone

SimilarrateofDNSSECpenetra-on–97kDNSSEC-enableddomainsper15.6mil.domains

Samedistribu-onofalgorithmsandhashes

Similarobserva-onofkeyre-usage:

2400+entriesofkeyID41182–it’sakeyIDofSwedishhosterBineroAB

15

Andthesamesitua-onin.org

58kDNSSEC-enableddomainsper10.9mil.domainsSamedistribu-onofalgorithmsandhashes;butonlySHA-1andSHA-256arepresentSimilarobserva-onofkeyre-usage:BineroABisaleadingDNSSECDNS-servicefor.netand.org

16

NewGTLDs

•  948newtop-leveldomains,includingIDN•  Adminsareobligedtoprovideaccesstothezone

•  DNSSECisanecessarycondi-on•  Easyaccesstozonefiles

17

Cryptosta-s-cs

From716newGTLD:564–RSA/SHA-512

127–RSASHA1-NSEC3-SHA1

18–RSA/SHA-1

7–RSA/SHA-512

NoGOST.Surprise?

18

TopnewGTLDs

Domainsregistered:.xyz–2665k .top–1854k .wang–1065k.win–886k .club–738k .link–358kTOPDNSSECpenetra-on(GTLDswith100+domains):.ovh–47% .amsterdam–25%.webcam–11% .golf–9%.immo–9% .brussels–8%.sarl–8% .taxi–7%

19

TopnewGTLDs

DNSSECpenetra-onratefor

thetopnewGTLDs

isin0.00%–0.28%range

20

TopnewGTLDs

Thehigherpenetra-onrate(10%-47%)

isbeingobservedintheTLDswith24k-82kdomains

21

Specificrequirements

SomeTLDadministratorsdefineitsownpolicyonDNSSEC.Thispolicycouldaffect:-  TheWHOISoutput

-  Allowedalgorithms/keylength/hashesetc

-  Allowanceofkeyre-usagewithintheregistry

Oneshouldtakesuchpoliciesintoaccount

22

SoswareforDNSSECopera-ons

•  Thereareabout10opensourcesoswarepackagestomanageyourDNSSEC-enabledzone

•  Therearealsosomeproprietarysolu-ons•  WiththewidelydeploymentofDNSSEC,thenumberofdifferenttoolsisgrowing

•  MostofDNSservershaveitsownu-li-es•  Fortherela-velysmallnumberofzones,OpenDNSSECmaybethebestsolu-on

23

Themostcommonconfigura-onerror

24

Themostcommonconfigura-onerror

25

Expira-onofthesignaturevalidity

Allthetrustchainswillbebroken

Themostcommonconfigura-onerror

26

--Themostcommonconfigura-onerror

27

DANEoverview

•  AswehavetrustedDNSdatewiththeDNSSEC,wecouldwishtosecureothersensi-vedata

•  Sowecanputthetrustanchorofourwebsite/mailserver/whatevercer-ficatetooursecuredDNSzone

•  Thiscouldbeeithercer-ficatefingerprint,thewholecer-ficateorpointertoaCArootcert

28

IsDANEdead?

ThedeploymentofDANEresourcerecordis-ny.Whatcouldbeareason?

-  LowdemandsfromtheWEB

-  Implementa-ondifficul-es?

29

DANEusagesta-s-cs

Notmeasuredbecause…

AlmostnobodyisusingDANE

MXsisonlytheDANEfieldcanbeusefultoday

ResearchbyGo6.siisathap://goo.gl/8QcWE1

30

Whatcouldbeakillerapp?

•  Let’sencryptini-a-vecanprovideyouavalidrecognizedcer-ficateforyourdomainname

•  Thiscer-ficatecanbepublishedinDNSusingDANE

•  Thenthiscer-ficatecanbeusedtoencryptallinforma-onexchangeofyourserver

•  Therewillbetwopossibili-estocheckthetrustchain:classicwiththecer-ficatestorageandDANE

31

Ques-ons?

LinkedIn.com/in/myasoedov

32