Monitoring DNSSEC, not everything is perfect, yet                                              St´phane Bortzmeyer        ...
DNSSEC shakes monitoring           1. We all know that a serious DNS zone must be monitored              continuously and ...
DNSSEC shakes monitoring           1. We all know that a serious DNS zone must be monitored              continuously and ...
DNSSEC shakes monitoring           1. We all know that a serious DNS zone must be monitored              continuously and ...
DNSSEC shakes monitoring           1. We all know that a serious DNS zone must be monitored              continuously and ...
Example in .FR3   Monitoring DNSSEC, not everything is perfect, yet /
Example in .FR           1. November 2010: key deletion issue, zone no longer signed,              monitoring did not dete...
Example in .FR           1. November 2010: key deletion issue, zone no longer signed,              monitoring did not dete...
Example in .FR           1. November 2010: key deletion issue, zone no longer signed,              monitoring did not dete...
The specific case of key rollovers        Taboo        Do we really need to do these complicated rollovers? We break       ...
The specific case of key rollovers        Taboo        Do we really need to do these complicated rollovers? We break       ...
Rollovers need to be aware of caching                                          TTL                                        ...
Caching is per set, not per record                                          TTL                                           ...
Time-aware monitoring        Because of caching, monitoring has to take time into account.        The monitor needs a memo...
What do we store        Everything is obtained from authoritative name servers, for        freshness.                Signa...
What do we compute        This tool focus on one thing: timing in key rollovers. Not a        substitute for comprehensive...
Example of signatures        sqlite> SELECT first_seen,last_seen,ttl FROM Signatures                  WHERE type=6 AND nam...
Example of keysets        sqlite> SELECT first_seen,last_seen,ttl,id FROM Keysets                  WHERE name=’192.in-addr...
Example of keys        sqlite> SELECT first_seen,last_seen,key_tag FROM Keys                  WHERE name=’192.in-addr.arpa...
The observed domains and the results                54 domains monitored, mostly serious domains (TLD,                impo...
An example: 192.in-addr.arpa        % ./examine-history.py 192.in-addr.arpa        ERROR: signature of zone 192.in-addr.ar...
An exampe: isoc.org                                      TTL (24 h)                                                       ...
All the glitches          Zone                             Date                  Glitch        Window          isoc.org   ...
Conclusions                The tools for key rollovers are not stable yet,                More monitoring would be a good ...
Upcoming SlideShare
Loading in …5
×

Monitoring DNSSEC, Not everything is perfect yet

973 views

Published on

Presentation made at SATIN on April 4th, 2011 in Teddington, UK, by Stéphane Bortzmeyer of AFNIC on Monitoring DNSSEC.

Présentation faite à la conférence SATIN le 4 Avril 2011 à Teddington, UK, par Stéphane Bortzmeyer de l'AFNIC sur le monitoring de DNSSEC.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
973
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
15
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Monitoring DNSSEC, Not everything is perfect yet

  1. 1. Monitoring DNSSEC, not everything is perfect, yet St´phane Bortzmeyer e AFNIC bortzmeyer@nic.fr SATIN, 4 April 20111 Monitoring DNSSEC, not everything is perfect, yet /
  2. 2. DNSSEC shakes monitoring 1. We all know that a serious DNS zone must be monitored continuously and automatically...2 Monitoring DNSSEC, not everything is perfect, yet /
  3. 3. DNSSEC shakes monitoring 1. We all know that a serious DNS zone must be monitored continuously and automatically... 2. Many tests were not done before the introduction of DNSSEC, for instance a clean path for all sizes of packets (my talk at the OARC workshop in Denver),2 Monitoring DNSSEC, not everything is perfect, yet /
  4. 4. DNSSEC shakes monitoring 1. We all know that a serious DNS zone must be monitored continuously and automatically... 2. Many tests were not done before the introduction of DNSSEC, for instance a clean path for all sizes of packets (my talk at the OARC workshop in Denver), 3. DNSSEC-specific tests are typically far from complete, leading to embarassing publications of failures on public mailing lists,2 Monitoring DNSSEC, not everything is perfect, yet /
  5. 5. DNSSEC shakes monitoring 1. We all know that a serious DNS zone must be monitored continuously and automatically... 2. Many tests were not done before the introduction of DNSSEC, for instance a clean path for all sizes of packets (my talk at the OARC workshop in Denver), 3. DNSSEC-specific tests are typically far from complete, leading to embarassing publications of failures on public mailing lists, 4. Some tests detect failures only when too late (signature expiration).2 Monitoring DNSSEC, not everything is perfect, yet /
  6. 6. Example in .FR3 Monitoring DNSSEC, not everything is perfect, yet /
  7. 7. Example in .FR 1. November 2010: key deletion issue, zone no longer signed, monitoring did not detect it,3 Monitoring DNSSEC, not everything is perfect, yet /
  8. 8. Example in .FR 1. November 2010: key deletion issue, zone no longer signed, monitoring did not detect it, 2. 12 February 2011: “TYPE65534” bug. Invalid signature on a NSEC3 record. The monitoring was only done on the apex, which was correct. But requests for unsigned sub-domains failed.3 Monitoring DNSSEC, not everything is perfect, yet /
  9. 9. Example in .FR 1. November 2010: key deletion issue, zone no longer signed, monitoring did not detect it, 2. 12 February 2011: “TYPE65534” bug. Invalid signature on a NSEC3 record. The monitoring was only done on the apex, which was correct. But requests for unsigned sub-domains failed. 3. 13 March 2011: “Missing signature” bug. The SOA record was no longer signed. This time, the monitor detected it (good reason to monitor several types).3 Monitoring DNSSEC, not everything is perfect, yet /
  10. 10. The specific case of key rollovers Taboo Do we really need to do these complicated rollovers? We break many things to solve a security problem which is quite far away.4 Monitoring DNSSEC, not everything is perfect, yet /
  11. 11. The specific case of key rollovers Taboo Do we really need to do these complicated rollovers? We break many things to solve a security problem which is quite far away. Anyway, Without caching, key rollovers would be very simple. But without caching, would the DNS still work?4 Monitoring DNSSEC, not everything is perfect, yet /
  12. 12. Rollovers need to be aware of caching TTL Time Period during which the signature could have been in some caches Signature It is safe published to remove the key5 Monitoring DNSSEC, not everything is perfect, yet /
  13. 13. Caching is per set, not per record TTL Time Period during which and older keyset could have been in some caches Keyset It is safe published with to use the key a new key6 Monitoring DNSSEC, not everything is perfect, yet /
  14. 14. Time-aware monitoring Because of caching, monitoring has to take time into account. The monitor needs a memory, to remember what was done and when.7 Monitoring DNSSEC, not everything is perfect, yet /
  15. 15. What do we store Everything is obtained from authoritative name servers, for freshness. Signatures of SOA, NS and DNSKEY (discussion welcome), with their TTL, Keys, Keysets, with their TTL,8 Monitoring DNSSEC, not everything is perfect, yet /
  16. 16. What do we compute This tool focus on one thing: timing in key rollovers. Not a substitute for comprehensive monitoring. We check: 1. That every “potentially in caches” signature has a published key, 2. That every published signature has a key which is in the keyset(s) that is(are) in all the caches.9 Monitoring DNSSEC, not everything is perfect, yet /
  17. 17. Example of signatures sqlite> SELECT first_seen,last_seen,ttl FROM Signatures WHERE type=6 AND name=’192.in-addr.arpa.’ AND key_tag=20918 ORDER BY last_seen DESC; 2011-03-28 17:29:30|2011-03-28 20:17:31|86400 2011-03-28 13:22:23|2011-03-28 16:25:05|86400 2011-03-28 09:19:59|2011-03-28 12:28:09|8640010 Monitoring DNSSEC, not everything is perfect, yet /
  18. 18. Example of keysets sqlite> SELECT first_seen,last_seen,ttl,id FROM Keysets WHERE name=’192.in-addr.arpa.’ ORDER BY last_seen DESC; 2011-03-29 09:38:45|2011-03-31 08:30:30|14400|J/dCsFib6kxRer/O/eh1ZbI/Un 2011-03-21 21:39:09|2011-03-29 08:38:16|14400|NgM4JKT7QacTgX+ZF7bNo2owKj11 Monitoring DNSSEC, not everything is perfect, yet /
  19. 19. Example of keys sqlite> SELECT first_seen,last_seen,key_tag FROM Keys WHERE name=’192.in-addr.arpa.’ ORDER BY last_seen DESC; 2011-03-01 15:34:17|2011-03-31 08:30:30|39318 2011-03-21 21:39:09|2011-03-31 08:30:30|60494 2011-03-01 15:34:17|2011-03-29 08:38:16|2091812 Monitoring DNSSEC, not everything is perfect, yet /
  20. 20. The observed domains and the results 54 domains monitored, mostly serious domains (TLD, important sub-domains like isoc.org), In two months, seven problems detected, including two TLD, Six of the problems were a key retired too soon. (Only one was a new key used too early.)13 Monitoring DNSSEC, not everything is perfect, yet /
  21. 21. An example: 192.in-addr.arpa % ./examine-history.py 192.in-addr.arpa ERROR: signature of zone 192.in-addr.arpa. last seen at 2011-03-28 20:17:31 (with a TTL of 86400) while the key 20918 was retired at 2011-03-29 09:23:54 The key was withdrawn 11 hours before it was safe to do so.14 Monitoring DNSSEC, not everything is perfect, yet /
  22. 22. An exampe: isoc.org TTL (24 h) Time Period during which (1st the signature could have been and 2nd in some caches March 2011) Last signature with Key 41414 41414 done at 21:00 retired at 10:0015 Monitoring DNSSEC, not everything is perfect, yet /
  23. 23. All the glitches Zone Date Glitch Window isoc.org 2011-03-29 retired too early 11h 192.in-addr.arpa 2011-03-28 retired too early 14h my 2011-03-26 retired too early 24h bg 2011-03-19 retired too early 72h isoc.org 2011-03-01 retired too early 11h noaa.gov 2011-02-18 used too early 24h noaa.gov 2011-02-18 retired too early 24h16 Monitoring DNSSEC, not everything is perfect, yet /
  24. 24. Conclusions The tools for key rollovers are not stable yet, More monitoring would be a good idea, DNSSEC is a sensitive thing: handle with care. Do not put into the hands of children.17 Monitoring DNSSEC, not everything is perfect, yet /

×