RIPE64 - DNS and DNSSEC in the .se Zone


1. Quality of DNS and DNSSEC in the .se Zone
   Patrik Wallström, pawal@iis.se

2. The Yearly Healthcheck Surveys
   • Analyze the quality and reachability of DNS in .se
     • key functions for .se registered domains
     • through a selection of domains that are considered important
     • a random selection of a percentage of all .se domains
   • Primarily aimed at IT strategists and IT managers
     • Also intended for persons responsible for operations
   • Part of the larger focus area “Health status of the Internet in Sweden”

3. The Healthcheck System
   • Based on .SE’s DNSCheck
   • Collects data from a set of domains
     • DNS quality
     • Web pages (Page Analyzer for speed, WhatWeb for content)
     • AS (web and DNS services)
     • Some e-mail related info (SPF, StartSSL...)
   • Presents analysis

4. .SE’s DNSSEC campaign
   • To reach our goal of at least 50,000 signed zones...
   • Part of a larger campaign
     • Subsidy of 10 SEK per new DNSSEC domain
     • Yet another 4 SEK per DNSSEC domain at end of year

5. .SE Market Situation
   • Registrars: .SE’s three largest account for 50 percent of the market; the seven largest command 75 percent
   • Name server operators: the two largest have 36 percent, the five largest command 50 percent. Long tail with very small players

6. Most DNS operators are DNSSEC newbies
   • We decided to help them
     • By checking their zones
     • Regular report on DNS errors (after changes, opt-in)
     • Special DNSSEC error reports to Registrar Customer Support
   • .SE internal monitoring tools
     • Summary of the above
   • A report on DNS with DNSSEC
     • Explaining all the DNSSEC parameters

7. A tool for analyzing DNSSEC quality
   • “dnssec-analysis”
     • collect.pl: Quickly gather DNSSEC info on a list of domains
     • analyze.pl: Analyzes the data depending on interest
   • https://github.com/pawal/dnssec-analysis

   dnslab$ ~/dnssec-analysis> ./analyze.pl -d 2012-01-09 --rcode
   Reading all json files...
   Serialization done
   Running analysis
   Return codes:
   A:NOERROR: 169555
   A:SERVFAIL: 2824
   DNSKEY:NOERROR: 169562
   DNSKEY:SERVFAIL: 2817
   MX:NOERROR: 169552
   MX:SERVFAIL: 2827
   NSEC3PARAM:NOERROR: 169551
   NSEC3PARAM:SERVFAIL: 2828
   SOA:NOERROR: 169556
   SOA:SERVFAIL: 2823
   ----------------------
   Domains with data: 172379

8. analyze.pl
   Usage: analyze -d directory
   Required argument(s):
     --directory directory   A directory with WhatWeb JSON files
   Optional arguments:
     --limit value           When generating lists, limit the length to this value
     --recache               Recreate our serialized cache (TODO)
     --fake-date YY-MM-DD    Make this the current date for signature lifetime comparisons
     --rcode                 Analyze RCODEs
     --servfail              Toplist of name servers with SERVFAIL
     --servfaillist ns       Get all domains that SERVFAIL on this name server
     --dsduplicates          Toplist of the number of domains that has the same DS record
     --keyduplicates         Toplist of the number of domains that has the same DNSKEY
     --working-ns            Toplist of name servers not NO ERROR on all queries
     --all-ns                List all name servers in descending order # of associated zones
     --siglife               Analyze RRSIG lifetimes
     --extreme-sigs          List extreme RRSIG lifetimes (inception and expiration larger than 100 days)
     --expiration            Correlate SOA expiration value with lowest RRSIG lifetime
     --algorithms            Analyze DNSSEC algorithms and keylengths
     --nsec3                 Analyze NSEC3 (salt, iterations)
     --keytags               Analyze distribution of DNSKEY keytags
     --keytaglist n          List zones which contain the specified keytag
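As an added example that is not part of the deck or of the dnssec-analysis tool, the Python below reproduces the kind of tally the --rcode, --working-ns and --servfail options produce (return codes per RR type, domains that answer NOERROR on every query, and name servers ranked by the number of SERVFAIL-ing domains they serve) over a small constructed data set. The per-domain record layout is an assumption made for this example; the tool's own JSON schema is not shown on the page.

```python
"""Added example (not the dnssec-analysis code): tally RCODEs per RR type,
find domains that answer NOERROR on every query, and rank name servers by
the number of SERVFAIL-ing domains they serve. The record layout is a
constructed assumption for this example, not the tool's JSON schema."""
from collections import Counter

# RR types the deck says are queried through local recursors (slide 11).
QUERIED_TYPES = ("A", "DNSKEY", "MX", "NSEC3PARAM", "SOA")

# Constructed sample data: one entry per domain with the RCODE seen for each
# queried type and the name servers that serve the zone.
SAMPLE_RECORDS = [
    {"domain": "example-one.se",
     "ns": ["ns1.example-one.se", "ns2.example-one.se"],
     "rcode": {"A": "NOERROR", "DNSKEY": "NOERROR", "MX": "NOERROR",
               "NSEC3PARAM": "NOERROR", "SOA": "NOERROR"}},
    {"domain": "example-two.se",
     "ns": ["ns1.operator-a.example"],
     "rcode": {"A": "SERVFAIL", "DNSKEY": "SERVFAIL", "MX": "SERVFAIL",
               "NSEC3PARAM": "SERVFAIL", "SOA": "SERVFAIL"}},
    {"domain": "example-three.se",
     "ns": ["ns1.operator-a.example", "ns1.operator-b.example"],
     "rcode": {"A": "NOERROR", "DNSKEY": "NOERROR", "MX": "SERVFAIL",
               "NSEC3PARAM": "NOERROR", "SOA": "NOERROR"}},
    {"domain": "example-four.se",
     "ns": ["ns1.operator-b.example"],
     "rcode": {"A": "NOERROR", "DNSKEY": "NOERROR", "MX": "NOERROR",
               "NSEC3PARAM": "NOERROR", "SOA": "NOERROR"}},
]


def rcode_tally(records):
    """Count TYPE:RCODE pairs, keyed the way the analyze.pl --rcode output is."""
    tally = Counter()
    for rec in records:
        for rrtype in QUERIED_TYPES:
            tally[f"{rrtype}:{rec['rcode'].get(rrtype, 'MISSING')}"] += 1
    return dict(tally)


def working_domains(records):
    """Domains that returned NOERROR for every queried type ('actually worked')."""
    return [rec["domain"] for rec in records
            if all(rec["rcode"].get(t) == "NOERROR" for t in QUERIED_TYPES)]


def servfail_toplist(records):
    """Name servers ranked by how many of their domains SERVFAIL on at least
    one queried type; a domain counts once per server."""
    per_ns = Counter()
    for rec in records:
        if any(rec["rcode"].get(t) == "SERVFAIL" for t in QUERIED_TYPES):
            per_ns.update(set(rec["ns"]))
    return per_ns.most_common()


def print_report(records):
    """Mimic the layout of the --rcode run shown on slide 7."""
    print("Return codes:")
    for key, count in sorted(rcode_tally(records).items()):
        print(f"{key}: {count}")
    print("----------------------")
    print(f"Domains with data: {len(records)}")
    print(f"Domains with NOERROR on all queries: {len(working_domains(records))}")
    print("SERVFAIL toplist:", servfail_toplist(records))


if __name__ == "__main__":
    print_report(SAMPLE_RECORDS)
```

Ranking servers by SERVFAIL-ing domains rather than by raw SERVFAIL count is what makes the toplist useful to a registry: one operator with a broken signer shows up once per zone it hosts, which is exactly the population the special error reports to registrar support need to reach.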
9. • A new specialized report on DNS and DNSSEC quality
   • Focus on DNSSEC
   • Explaining the issues...

10. Results from the report
   • Report was released 2012-03-21
   • Measurements and analysis during February 2012
   • 174,487 signed zones out of a total of 1,195,719
   • 163,700 actually worked (no SERVFAIL)
   “Normal” DNS

11. SERVFAILs
   The tool queries for these RR types through local recursors:
     A            Authoritative
     DNSKEY       Authoritative
     MX           Authoritative
     NSEC3PARAM   Authoritative
     SOA          Authoritative
     DS           Parent (no DNSSEC validation)
     NS           Parent (no DNSSEC validation)

12. Signature Lifetimes
   [Figure: histogram of RRSIG inception times; y-axis number of signatures (log scale, 1 to 1,000,000), x-axis days before the measurement (0 to -150, plus a "<" bucket)]

13. Signature Lifetimes
   [Figure: histogram of RRSIG expiration times; y-axis number of signatures (log scale, 1 to 1,000,000), x-axis days until expiration (0 to 128, plus a ">200" bucket)]

14. DS Digest types
   [Figure: number of DS records per digest type (log scale, 1 to 1,000,000); categories: DS digest type 1, DS digest type 2]

15. Algorithms
   [Figure: DNSKEY algorithms; number of keys (log scale, 1 to 1,000,000) per algorithm: RSASHA512, RSASHA256, RSASHA1NSEC3SHA1, RSASHA1, DSASHA1]

16. Algorithms
   [Figure: same DNSKEY algorithms chart as slide 15]

17. Algorithms
   [Figure: two panels, DNSKEY algorithms and RRSIGs from algorithms; count per algorithm (log scale, 1 to 1,000,000): RSASHA512, RSASHA256, RSASHA1NSEC3SHA1, RSASHA1, DSASHA1]

18. Key Lengths
   [Figure: DNSKEY key lengths; number of keys (log scale, 1 to 1,000,000) per length: 4096, 2304, 2048, 1536, 1304, 1280, 1152, 1024, 768, 512, 8 (DSA)]

19. Key Lengths
   [Figure: two panels, DNSKEY key lengths overall and DNSKEY key lengths per type (ZSK, KSK); same length categories as slide 18, log scale 1 to 1,000,000]
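The algorithm and key-length breakdown on slides 15 to 19 comes down to parsing each DNSKEY record: the algorithm number, the SEP flag (257 is a KSK, 256 a ZSK) and the key length, which for RSA has to be read out of the RFC 3110 encoding of the public key (exponent length, exponent, modulus). The following Python is an added example, not the deck's or the dnssec-analysis tool's code; the keys it parses are constructed with arbitrary moduli of a chosen bit length, not real zone keys.

```python
"""Added example (not the dnssec-analysis code): classify DNSKEY records by
algorithm, key type (KSK/ZSK) and key length, the breakdown shown on the
algorithm and key-length slides. All keys below are constructed, not real
zone keys; their moduli are arbitrary numbers of a chosen bit length."""
import base64
from collections import Counter

# IANA DNSSEC algorithm numbers, named as the deck names them where it does.
ALGORITHMS = {3: "DSASHA1", 5: "RSASHA1", 6: "DSANSEC3SHA1",
              7: "RSASHA1NSEC3SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
RSA_ALGORITHMS = {5, 7, 8, 10}
DSA_ALGORITHMS = {3, 6}
ECDSA_ALGORITHMS = {13, 14}
SEP_FLAG = 0x0001  # flags 257 = Secure Entry Point (KSK), 256 = ZSK


def encode_rsa_public_key(exponent, modulus):
    """RFC 3110 layout: exponent length (1 byte, or 0 followed by 2 bytes),
    exponent, modulus. Used only to build the constructed sample keys."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    header = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return header + exp + mod


def make_dnskey(flags, algorithm, public_key):
    """Presentation-format DNSKEY RDATA: flags, protocol (always 3), algorithm, base64 key."""
    return f"{flags} 3 {algorithm} {base64.b64encode(public_key).decode()}"


# Constructed sample zones. DSA layout per RFC 2536: T octet, then Q (20 bytes)
# and P, G, Y of 64 + 8*T bytes each; T = 8 gives a 1024-bit key.
SAMPLE_DNSKEYS = {
    "example-one.se": [
        make_dnskey(257, 8, encode_rsa_public_key(65537, (1 << 2047) | 1)),
        make_dnskey(256, 8, encode_rsa_public_key(65537, (1 << 1023) | 1)),
    ],
    "example-two.se": [
        make_dnskey(257, 5, encode_rsa_public_key(3, (1 << 511) | 1)),
        make_dnskey(256, 3, bytes([8]) + bytes(20 + 3 * 128)),
    ],
}


def parse_dnskey(rdata):
    """Return algorithm name, key type and key length in bits for one DNSKEY."""
    flags, _protocol, algorithm, *key_parts = rdata.split()
    flags, algorithm = int(flags), int(algorithm)
    key = base64.b64decode("".join(key_parts))
    if algorithm in RSA_ALGORITHMS:
        exp_len, offset = key[0], 1
        if exp_len == 0:  # long exponent: the length is in the next two bytes
            exp_len, offset = int.from_bytes(key[1:3], "big"), 3
        bits = int.from_bytes(key[offset + exp_len:], "big").bit_length()
    elif algorithm in DSA_ALGORITHMS:
        bits = 512 + 64 * key[0]  # RFC 2536: size = 512 + 64*T
    elif algorithm in ECDSA_ALGORITHMS:
        bits = len(key) * 4  # uncompressed point x||y (RFC 6605)
    else:
        bits = None  # length not derived here for other algorithms
    return {"algorithm": ALGORITHMS.get(algorithm, f"alg{algorithm}"),
            "type": "KSK" if flags & SEP_FLAG else "ZSK",
            "bits": bits}


def key_summary(keys_by_domain):
    """Count (type, algorithm, bits) triples across all zones, the per-type
    breakdown of slide 19."""
    summary = Counter()
    for rdatas in keys_by_domain.values():
        for rdata in rdatas:
            k = parse_dnskey(rdata)
            summary[(k["type"], k["algorithm"], k["bits"])] += 1
    return summary


if __name__ == "__main__":
    for triple, count in sorted(key_summary(SAMPLE_DNSKEYS).items(), key=str):
        print(triple, count)
```

Run over a zone set this is the check behind the deck's "512 bit keys ... in 2012" finding: any (type, algorithm, bits) triple with bits below a chosen floor is a zone to contact, and the per-type split shows whether it is the KSK (harder to roll, as the DS must change) or only the ZSK.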
20. NSEC vs NSEC3
   [Figure: number of zones using NSEC versus NSEC3 with hash algorithm 1; y-axis from about 80,000 to 83,000]

21. NSEC3 Iterations
   [Figure: number of zones (log scale, 1 to 100,000) per NSEC3 iteration count: 0, 1, 3, 5, 8, 10, 100, 128, 150]

22. NSEC3 Iterations
   [Figure: two panels; NSEC3 iteration counts as on slide 21, and salt length: 1, 2, 4, 6, 8, 16, 18, 20, 24, 32, 64 (zones per length, log scale 1 to 100,000)]
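Slides 14 and 20 to 22 are tallies over two record types, NSEC3PARAM (hash algorithm, flags, iterations, salt) and DS (key tag, algorithm, digest type, digest). The Python below is an added example, not the deck's or the tool's code: it parses both, builds the iteration and salt-length histograms, checks iteration counts against the RFC 5155 section 10.3 limits a validator must honour (150, 500 and 2500 for zone keys of up to 1024, 2048 and 4096 bits), and lists zones that still publish both DS digest types 1 and 2, the double publication the summary slide says can be discontinued. Salts and digests in the sample are filler bytes, not real hashes.

```python
"""Added example (not the dnssec-analysis code): parse NSEC3PARAM and DS
records to tally NSEC3 iteration counts and salt lengths, check iteration
counts against the RFC 5155 section 10.3 limits, and find zones that still
publish both DS digest types 1 and 2. All records are constructed samples."""
from collections import Counter

# RFC 5155 section 10.3: maximum NSEC3 iterations a validator must accept,
# by the size of the largest zone key.
ITERATION_LIMITS = ((1024, 150), (2048, 500), (4096, 2500))

# IANA DS digest types and their digest lengths in bytes.
DS_DIGEST_LENGTH = {1: 20, 2: 32, 4: 48}  # SHA-1, SHA-256, SHA-384


def parse_nsec3param(rdata):
    """'hash-alg flags iterations salt'; a salt of '-' means an empty salt."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return {"hash_algorithm": int(alg), "flags": int(flags),
            "iterations": int(iterations), "salt_len": len(salt_bytes)}


def iterations_within_limit(iterations, key_bits):
    """True if the iteration count is within the RFC 5155 limit for the
    zone's largest key; keys above 4096 bits have no defined limit here."""
    for max_bits, limit in ITERATION_LIMITS:
        if key_bits <= max_bits:
            return iterations <= limit
    return False


def parse_ds(rdata):
    """'keytag algorithm digest-type hexdigest'; flags digests whose length
    does not match the digest type."""
    keytag, algorithm, digest_type, *digest_parts = rdata.split()
    digest = bytes.fromhex("".join(digest_parts))
    expected = DS_DIGEST_LENGTH.get(int(digest_type))
    return {"keytag": int(keytag), "algorithm": int(algorithm),
            "digest_type": int(digest_type), "digest_len": len(digest),
            "length_ok": expected == len(digest)}


def nsec3_stats(params):
    """Histograms of iteration counts and salt lengths, as on slides 21-22."""
    iters, salts = Counter(), Counter()
    for rdata in params:
        p = parse_nsec3param(rdata)
        iters[p["iterations"]] += 1
        salts[p["salt_len"]] += 1
    return iters, salts


def ds_digest_tally(ds_by_domain):
    """Count DS records per digest type and list zones publishing both types 1 and 2."""
    tally, both = Counter(), []
    for domain, rdatas in ds_by_domain.items():
        types = [parse_ds(r)["digest_type"] for r in rdatas]
        tally.update(types)
        if {1, 2} <= set(types):
            both.append(domain)
    return tally, both


# Constructed samples (hex salts and digests are filler bytes, not real hashes).
SAMPLE_NSEC3PARAM = ["1 0 10 AABBCCDD", "1 0 0 -",
                     "1 0 150 " + "ab" * 64, "1 0 5 1234567890ABCDEF"]
SAMPLE_DS = {
    "example-one.se": ["12345 8 1 " + "ab" * 20, "12345 8 2 " + "cd" * 32],
    "example-two.se": ["54321 8 2 " + "ef" * 32],
    "example-three.se": ["11111 8 2 " + "01" * 31],  # truncated digest
}

if __name__ == "__main__":
    print(nsec3_stats(SAMPLE_NSEC3PARAM))
    print(ds_digest_tally(SAMPLE_DS))
    for domain, rdatas in SAMPLE_DS.items():
        for r in rdatas:
            print(domain, parse_ds(r))
```

The iteration check needs the zone's largest key size as input, so in practice it is run together with the DNSKEY parsing; a count like 150 is fine for 1024-bit keys but is the most a validator is obliged to compute for them, and larger counts only buy the zone resolvers that treat its denial-of-existence proofs as bogus or insecure.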
23. Shared Keys / Key Averages
   DS per domain:      1.614838119
   KSK per domain:     1.000207697
   ZSK per domain:     1.612724496
   DNSKEY per domain:  2.612932193

24. SOA Expire vs RRSIG Expiration
   [Figure: number of zones (log scale, 1 to 100,000) per SOA Expire value in days: 1, 2, 3, 4, 7, 8, 9, 10, 12, 14, 15, 21, 28, 30, 31, 32, 35, 37, 42, 56, 60, 70, 100]
   RIPE recommendation is 1000 (41 days) for SOA Expire, RIPE-203

25. SOA Expire vs RRSIG Expiration
   [Figure: number of zones (log scale, 1 to 100,000) per difference between SOA Expire and RRSIG expiration in days, from "< -50" through 0 to "> 31"]
   RFC4641bis says that RRSIG expiration should be 2/3 of SOA Expire
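The signature-lifetime histograms on slides 12 and 13 and the SOA Expire comparison on slides 24 and 25 are all computed from the inception and expiration fields of RRSIG records (YYYYMMDDHHMMSS in UTC) relative to a measurement date, which is what the tool's --fake-date option pins. The Python below is an added example, not the deck's or the dnssec-analysis tool's code: it buckets signatures by days since inception and days until expiration, flags extreme lifetimes the way --extreme-sigs is described (more than 100 days either side), and for each zone compares SOA Expire with the earliest RRSIG expiration. The "2/3" check is this example's reading of the rule quoted on slide 25 (the earliest expiration should lie at least 2/3 of SOA Expire into the future); the zones, SOA values and signatures are constructed, and the signature bytes are placeholders.

```python
"""Added example (not the dnssec-analysis code): RRSIG lifetime analysis in
the spirit of analyze.pl --siglife, --extreme-sigs and --expiration: bucket
inception and expiration times by day, flag extreme lifetimes, and compare
each zone's SOA Expire with its earliest RRSIG expiration. All zones and
signatures are constructed samples; the signature bytes are placeholders."""
from collections import Counter
from datetime import datetime, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"  # RFC 4034 presentation format, UTC
DAY = 86400

# The measurement date; the tool's --fake-date plays the same role.
NOW = datetime(2012, 2, 15, tzinfo=timezone.utc)

# Constructed zones: SOA Expire in seconds and RRSIG RDATA in presentation form.
SAMPLE_ZONES = {
    "example-one.se": {"soa_expire": 1209600, "rrsigs": [
        "SOA 8 2 3600 20120316000000 20120210000000 12345 example-one.se. AAAA",
        "DNSKEY 8 2 3600 20120225000000 20120210000000 54321 example-one.se. AAAA"]},
    "example-two.se": {"soa_expire": 3600000, "rrsigs": [
        "SOA 8 2 3600 20120301000000 20111101000000 11111 example-two.se. AAAA"]},
}


def parse_rrsig(rdata):
    """'type alg labels ttl expiration inception keytag signer signature'."""
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": int(f[1]),
            "expiration": datetime.strptime(f[4], RRSIG_TIME).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(f[5], RRSIG_TIME).replace(tzinfo=timezone.utc),
            "keytag": int(f[6]), "signer": f[7]}


def days_from(now, when):
    """Whole days from now to when, truncated toward zero; negative = past."""
    return int((when - now).total_seconds() / DAY)


def lifetime_days(sig, now=NOW):
    """(days since inception, days until expiration): the deck's histogram buckets."""
    return days_from(now, sig["inception"]), days_from(now, sig["expiration"])


def is_extreme(sig, now=NOW, limit=100):
    """--extreme-sigs: inception more than `limit` days ago or expiration
    more than `limit` days ahead."""
    since, until = lifetime_days(sig, now)
    return since < -limit or until > limit


def histograms(sigs, now=NOW):
    """Counts per day bucket for inception and expiration (slides 12-13)."""
    inception, expiration = Counter(), Counter()
    for sig in sigs:
        since, until = lifetime_days(sig, now)
        inception[since] += 1
        expiration[until] += 1
    return inception, expiration


def soa_vs_rrsig(soa_expire, sigs, now=NOW):
    """Compare SOA Expire (seconds) with the earliest RRSIG expiration in the
    zone, in days, plus this example's reading of the deck's 2/3 rule: the
    earliest expiration should lie at least 2/3 of SOA Expire into the future."""
    soa_days = soa_expire // DAY
    earliest = min(days_from(now, s["expiration"]) for s in sigs)
    return {"soa_expire_days": soa_days, "earliest_rrsig_days": earliest,
            "difference_days": soa_days - earliest,
            "meets_two_thirds_rule": earliest >= 2 * soa_days / 3}


def zone_report(zone, now=NOW):
    """Per-zone view: SOA/RRSIG comparison plus key tags of extreme signatures."""
    sigs = [parse_rrsig(r) for r in zone["rrsigs"]]
    result = soa_vs_rrsig(zone["soa_expire"], sigs, now)
    result["extreme_sigs"] = [s["keytag"] for s in sigs if is_extreme(s, now)]
    return result


if __name__ == "__main__":
    for name, zone in SAMPLE_ZONES.items():
        print(name, zone_report(zone))
```

The operational point behind the comparison: SOA Expire bounds how long a secondary keeps serving stale data after losing contact with the primary, while the RRSIG expiration bounds how long validators accept that data; when the signatures run out first, a zone that is still within its SOA Expire window starts validating as bogus, so the two values need to be chosen together.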
26. Summary of DNSSEC analysis
   • Signature lengths found that are too short, or unexpectedly long
   • Use of NSEC3 is essentially adequate
   • Most domains use RSA keys, 2,048 bit KSK and 1,024 bit ZSK
   • A few too many domains are using 512 bit keys ... in 2012
   • We can begin to discontinue the double publication of DS digest types 1 and 2, as the publication of type 2 is sufficient today.
   • All too often, SOA Expire lacks a connection to RRSIG expiration time; these parameters should definitely be reviewed.

27. Future work
   • Frequent measurements over time to see ...
     • Key rollovers
     • Signature refresh intervals
     • Number of domains that regularly fail
     • Salt replacements
   • Long term measurements to see ...
     • Introduction rate of new algorithms
     • New operational methods (shared keys, CSK etc)
   • TTLs
   • RIPE DNSSEC recommendations document?

28. Thank you!
   Code: https://github.com/pawal/dnssec-analysis
   Report: https://www.iis.se/docs/Health-Status-DNS-and-DNSSEC-20120321.pdf