Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC usage statistics and some observations SEE 5, Tirana Sergey Myasoedov

Published byJulian Gaines Modified over 8 years ago

Similar presentations

Presentation on theme: "DNSSEC usage statistics and some observations SEE 5, Tirana Sergey Myasoedov"— Presentation transcript:

1 DNSSEC usage statistics and some observations SEE 5, Tirana Sergey Myasoedov 20.4.2016

2 DNSSEC history Defined by RFCs 4033-4035 – March 2005 Root zone signed – July 2010 March 2011 – the biggest zone.com signed New GTLD programme (2013) require to run DNSSEC Current state: more than 110 ccTLDs are signed 2

3 DNSSEC principles 3 zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… Put DNSKEYS in zone Records signing Zone publishing

4 DNSSEC principles 4 zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… Put DNSKEYS in zone Records signing Zone publishing Dear root/TLD admin, Please put our DS record in your zone: zone. IN DS 64656 10 2 DF8F614B79C Thank you. Dear root/TLD admin, Please put our DS record in your zone: zone. IN DS 64656 10 2 DF8F614B79C Thank you. E-mail, web request, fax, paper letter

5 DNSSEC principles 5 zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… zone. IN SOA ns1.zone. admin@zone. zone. IN NS ns1.zone. zone. IN NS ns2.zone. zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU… zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn… zone. IN RRSIG SOA 10 2 86400 20130619092425 (… zone. IN RRSIG NS 10 2 86400 20130619092425 (… Put DNSKEYS in zone Records signing Zone publishing Dear root/TLD admin, Please put our DS record in your zone: zone. IN DS 64656 10 2 DF8F614B79C Thank you. Dear root/TLD admin, Please put our DS record in your zone: zone. IN DS 64656 10 2 DF8F614B79C Thank you. E-mail, web request, fax, paper letter

6 66 com. INDS30909 8 2 E2D3C916F6DEEAC73294E8268FB5 885044A833FC5459588F4A9184CF C41A5766

7 7 Status of ccTLD implementation of DNSSEC 7

8 Why to analyze.com zone? 8 The biggest zone ever (zone file about 10 Gbytes) It’s difficult to receive the ccTLDs zones Small percentage of DNSSEC-enabled domains But the big amount of domains - ~600k Different crypto parameters

9 .COM /.NET statistics 2016 April’s data.com - 578.000 ds-records.net - 102.000 ds-records 9

10 Digging into.COM 580.000 DS-records correspond to 550.000 domain names Many of them are signed by a single hoster using the same key Some domains have more than 1 digest published Some domains are clearly experimental 10

11 TOP nameservers (grouped by company) 100320 nsX.transip.eu/net/nl 64968 nsX.hyp.net 47651 [d]ns200.anycast.me 17749 *.ovh.net 12620 vX.pcextreme.eu 9999 nsX.binero.se 7015 nsX.webhostingserver.nl 5907 nsX.openprovider.eu/be/nl 11

12 12 Selected key parameters Algorithms: 404091 RSASHA1-NSEC3-SHA1 153004 RSA/SHA-256 13349 RSA/SHA-1 7438 ECDSA Curve P-256 with SHA- 256 602 RSA/SHA-512 67 RSA/MD5 (?) 41 DH 37DSA 33 ECDSA Curve P-384 with SHA- 384 24 GOST R 34.10-2001 15 PRIVATEDNS 10 PRIVATEOID 9 DSA-NSEC3-SHA1 12 Hashes: 403752 SHA-1 174675 SHA-256 175 GOST R 34.11-94 118 SHA-384

13 Key re-usage More than 10.000 domains are signed by a single key of binero.se That’s the perfect example of multiply key usage. In the ccTLD zones I currently have, that is an extremely RARE situation. (except.CZ where many registrars are using one key for all its (customers) domains) 13

14 14.net key parameters Algorithms: 69033RSASHA1-NSEC3-SHA1 27128RSA/SHA-256 6539RSA/SHA-1 1460 ECDSA Curve P-256 with SHA- 256 287 RSA/SHA-512 50 ECDSA Curve P-384 with SHA- 384 22DSA 18 RSA/MD5 (?) 6GOST R 34.10-2001 14 Hashes: 77097SHA-1 27332SHA-256 69 GOST R 34.11-94 55SHA-384

15 Similar statistics in.net zone Similar rate of DNSSEC penetration – 97k DNSSEC-enabled domains per 15.6 mil. domains Same distribution of algorithms and hashes Similar observation of key re-usage: 2400+ entries of key ID 41182 – it’s a key ID of Swedish hoster Binero AB 15

16 And the same situation in.org 58k DNSSEC-enabled domains per 10.9 mil. domains Same distribution of algorithms and hashes; but only SHA-1 and SHA-256 are present Similar observation of key re-usage: Binero AB is a leading DNSSEC DNS-service for.net and.org 16

17 New GTLDs 948 new top-level domains, including IDN Admins are obliged to provide access to the zone DNSSEC is a necessary condition Easy access to zone files 17

18 Crypto statistics From 716 newGTLD: 564 – RSA/SHA-512 127 – RSASHA1-NSEC3-SHA1 18 – RSA/SHA-1 7 – RSA/SHA-512 No GOST. Surprise? 18

19 Top new GTLDs Domains registered:.xyz – 2665k.top – 1854k.wang – 1065k.win – 886k.club – 738k.link – 358k TOP DNSSEC penetration (GTLDs with 100+ domains):.ovh – 47%.amsterdam – 25%.webcam – 11%.golf – 9%.immo – 9%.brussels – 8%.sarl – 8%.taxi – 7% 19

20 Top new GTLDs DNSSEC penetration rate for the top new GTLDs is in 0.00% – 0.28% range 20

21 Top new GTLDs The higher penetration rate (10% - 47%) is being observed in the TLDs with 24k - 82k domains 21

22 Specific requirements Some TLD administrators define its own policy on DNSSEC. This policy could affect: -The WHOIS output -Allowed algorithms/keylength/hashes etc -Allowance of key re-usage within the registry One should take such policies into account 22

23 Software for DNSSEC operations There are about 10 open source software packages to manage your DNSSEC-enabled zone There are also some proprietary solutions With the widely deployment of DNSSEC, the number of different tools is growing Most of DNS servers have its own utilities For the relatively small number of zones, OpenDNSSEC may be the best solution 23

24 The most common configuration error 24

25 The most common configuration error 25 Expiration of the signature validity All the trust chains will be broken

26 The most common configuration error 26

27 -- The most common configuration error 27

28 DANE overview As we have trusted DNS date with the DNSSEC, we could wish to secure other sensitive data So we can put the trust anchor of our website/mailserver/whatever certificate to our secured DNS zone This could be either certificate fingerprint, the whole certificate or pointer to a CA root cert 28

29 Is DANE dead? The deployment of DANE resource record is tiny. What could be a reason? -Low demands from the WEB -Implementation difficulties? 29

30 DANE usage statistics Not measured because… Almost nobody is using DANE MXs is only the DANE field can be useful today Research by Go6.si is at http://goo.gl/8QcWE1 30

31 What could be a killer app? Let’s encrypt initiative can provide you a valid recognized certificate for your domain name This certificate can be published in DNS using DANE Then this certificate can be used to encrypt all information exchange of your server There will be two possibilities to check the trust chain: classic with the certificate storage and DANE 31

32 Questions? LinkedIn.com/in/myasoedov 32

Download ppt "DNSSEC usage statistics and some observations SEE 5, Tirana Sergey Myasoedov"

Similar presentations

SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.
1 San Diego, California 25 February 2014. 2 Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.

1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
Andreas Steffen, 28.11.2011, 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.

Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.
1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker

1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
CPS 290.2 Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.

CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DANE/DNSSEC/TLS Testing in the Go6lab Jan Žorž, ISOC/Go6 Institute, Slovenia

DANE/DNSSEC/TLS Testing in the Go6lab Jan Žorž, ISOC/Go6 Institute, Slovenia
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29.

DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29.

Similar presentations

Ads by Google