Presentation is loading. Please wait.

Presentation is loading. Please wait.

Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.

Published byLaurel Malbon Modified over 9 years ago

Similar presentations

Presentation on theme: "Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com."— Presentation transcript:

1 Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com

2 Outline Theory of measurement Reality of measurements Results and questions

3 Theory 101: Basics Do DNSSEC validators behave differently from regular DNS resolvers? ◦ Ask for DNSSEC records  DNSKEY  DS ◦ Needs to refresh these records once in a while  DNSKEY about once every TTL  DS  Resolver needs to resolve RRset that is not in cache AND  If TTL’s on DNSKEY and DS have expired BUT  Not on NS

4 Theory 201: Complications Validators not only ones: ◦ DNSSEC measurement tools ◦ DNSSEC key mangers for trust anchors ◦ “Rollover and Die” validators ◦ DDoS tools  Need to exclude most of above. Validator will ask for DNSKEY ◦ Separated by at least DNSKEY TTL ◦ Asked for non-DNSSEC record just before ◦ Cue on RRtype or name?

5 Theory 202: Validator Draft rules 1. Asks for DNSKEY multiple times in a sample at least DNSKEY TTL apart 2. Asks for info, followed by DNSKEY query 3. Asks for multiple DS records 4. Rule 1 and 3 combined

6 Measurements: ORG traffic TTL’s: ◦ 900 for SOA, NSEC3, DNSKEY ◦ 84600 for NS and DS By simple measure: ◦ 10% of queries originate from suspected DNSSEC validators  BUT:  includes DNSKEY + DS traffic  Excludes: some only using dlv.isc.org

7 Measurement Reality: Saw traffic for some of DNS servers for ORG ◦ 2/3 NS records, ~ 50% of traffic Queries are scattered ◦ Some resolvers ask a narrow band of servers  Busy ones ◦ Some ask random ones and no subsequent questions to the same one.  Sporadic ones Multiple validators/resolvers behind an address ◦ All classified as one, Traces ◦ short < 1 hour ◦ Time 2000-2050 UTZ

8 How good are the samples Are validators over/under represented? ◦ Do the validators we see do more/less DNSSEC than others? ◦ Do DNSSEC validators scatter queries different ?  DNSKEY set size > 1500 effects:  Validator tries multiple UDP servers before falling back on TCP  Overrepresented ◦ Do measurement tools trick us ? What to exclude in calculations? ◦ DNSKEY ? ◦ DS ? ◦ DLV ? ◦ SOA ?

9 Discussion How to measure What to measure Where to measure How to tune TTL’s

Download ppt "Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker 2012 Oct.

Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker Oct.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
IETF-751 Olafur Gudmundsson Andrew Sullivan.

IETF-751 Olafur Gudmundsson Andrew Sullivan.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley

High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley
February 2003slideset 1 Introduction to the DNS system Olaf M. Kolkman

February 2003slideset 1 Introduction to the DNS system Olaf M. Kolkman
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.

Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Water Torture: A Slow Drip DNS DDoS Attack on QTNet

Water Torture: A Slow Drip DNS DDoS Attack on QTNet
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Similar presentations

Ads by Google