Post on 05-Sep-2020
MeasuringKSKRollReadiness
Geoff HustonAPNIC Labs
TheDNSmaylooksimple
FortheDNSlooksareverydeceiving
WhatwewouldliketheDNStobe
Client DNS Resolver DNS Server
WhatwesuspectismoreliketheDNS
Client DNS Resolver DNS Server
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS ResolverDNS
ResolverDNS ResolverDNS
ResolverDNS ResolverDNS
Resolver
SignallingviaQueries
Client DNS Resolver Server
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS ResolverDNS
ResolverDNS ResolverDNS
ResolverDNS ResolverDNS
Resolver
ThequerycontainsinformationwhichpassesinwardintheDNStowardstheauthoritativeserver(s)
SignallingviaResponses
Client DNS Resolver Server
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS Resolver
DNS ResolverDNS
ResolverDNS ResolverDNS
ResolverDNS ResolverDNS
Resolver
TheresponsecontainsinformationwhichpassesbackwardintheDNStowardstheoriginalquerier
KSKRollMeasurementObjective
WhatnumberofusersareatriskofbeingimpactedbytheKSKRoll?
• Therearetworiskelementsforresolvers:• Unabletoreceivea1,414octetUDPresponsefromtherootservers(queryforDNSKEYRRfromtherootzone)• FailuretofollowRFC5011keyintroductionprocedure
• Ineithercasetheresolveroutcomeisthesame:Notloadingtheincomingtrustkeyintothelocaltrustedkeystore• Andiftheuserpassesqueriesonly totheseaffectedresolversthantherollwillcausealossofDNSservice
MeasuringResolversviaRFC8145SignalingGettingresolverstoreportontheirlocaltrustedkeystate• ResolversthatsupporttheRFC8145signalmechanismperiodicallyincludethekeytagoftheirlocallytrustedkeysintoaquerydirectedtowardstherootservers
Whatdidweseeat(some)roots?
DuaneWessels VeriSignRFC8145Signaling TrustAnchorKnowledgeInDNSSecurityExtensionsPresentationtoDNSSECWorkshop@ICANN60– 1Nov2017https://schd.ws/hosted_files/icann60abudhabi2017/ea/Duane%20Wessels-VeriSign-RFC%208145-Signaling%20Trust%20Anchor%20Knowledge%20in%20DNS%20Security%20Extensions.pdf
Whatisthissaying?
• ItsclearthatthereissomeresidualsetofresolversthataresignallingthattheyhavenotyetlearnedtotrustthenewKSKkey• Butitsnotclearif:• Thisisanaccuratesignalaboutthestateofthisresolver• Thisisanaccuratesignalabouttheidentityofthisresolver• Howmanyuserssit‘behind’thisresolver• Whethertheseusesrelysolelyonthisresolver,oriftheyalsohavealternateresolversthattheycanuse• Whatproportionofallusersareaffected
Why?
• BecausetheDNSdoesnotdisclosetheantecedentsofaquery• IfAforwardsaquerytoB,whoqueriesaRootServerthenifthequerycontainsanimplicitsignal(asinthiscase)thenitappearsthatBisquerying,notA• Atnotimeistheusermadevisibleinthereferredquery
• Becausecaching• IfAandBbothforwardtheirqueriesviaC,thenitmaybethatoneorbothofthesequeriesmaybeansweredfromC’scache• Inthiscasethesignalisbeingsuppressed
• Becauseitsactuallymeasuringacause,nottheoutcome• Itsmeasuringresolvers’uptakeofthenewKSK,butisnotabletomeasuretheuserimpactofthis
User-SideMeasurement
CanwedeviseaDNSquerythatcouldrevealthestateofthetrustedkeysoftheresolversbacktotheuser?
• NotwithinthecurrentparametersofDNSSECand/orresolverbehaviour
User-SideMeasurement
CanwedeviseaDNSquerythatcouldrevealthestateofthetrustedkeysoftheresolversbacktotheuser?• Whatifwecouldchangeresolverbehaviour?
• JustasRFC8145requiredachangeinresolverbehaviour• Whataboutachangetotheresolver’sreportingofvalidationoutcomedependingontheresolver’slocaltrustedkeystate?• Ifaquerycontainsthelabel“_is-ta-<key-tag>”thenavalidatingresolverwillreportvalidationfailureifthekeyisNOTinthelocaltrustedkeystore• Ifaquerycontainsthelabel“_not-ta-<key-tag>” thenavalidatingresolverwillreportvalidationfailureifthekeyISinthelocaltrustedkeystore
User-SideResolverMeasurement
ThreeDNSqueries:1. _is-ta-4066.<some.signed.domain>2. _not-ta-4066.<some.signed.domain>3. <badly-signed>.<some.signed.domain>
SingleResolverAnalysis:
ResolverBehaviour TypeLoadedNewKSK
NOTloadedNewKSKMechanismnotsupported
Notvalidating
Query1Query2Query3ASERVFAILSERVFAIL
SERVFAILASERVFAILAASERVFAILAAA
User-SideDNSMeasurement
MultipleResolverAnalysisASERVFAILresponsewillcausetheusetorepeattheyquerytootherconfiguredresolvers.Inamulti-resolverscenario,andwhereforwardersareusedwecanstilldetermineiftheuserwillbeimpactedbytheKSKroll
UserImpactOK
NOTOK
Query1Query2Query3ASERVFAILSERVFAIL
SERVFAILASERVFAILAASERVFAIL
SERVFAILSERVFAILSERVFAIL
AAA
UNKNOWN
NOTImpacted
MeasuringUserImpact
• Createthesetestsinascriptedwebpageandallowuserstotestthestateoftheirresolvers• Loadthesetestsintoanonlineadcampaignandusetheadtopassthetesttomillionsofusers• IftheusercanresolveQuery1,andSERVFAILsonQuery2andQuery3thentheuserisabletovalidateusingthenominatedkeyasatrustedkey• IftheuserSERVFAILSonQuery1,resolvesQuery2andSERVFAILsonQuery3thentheuserisunabletovalidateusingthenominatedkeyasatrustedkeys• OtherwiseiftheuserSERVFAILSonQuery3thentheresultisindeterminate
PrivacyandSecurityConsiderations
• Thistestitselfdoesnotrevealwhichresolversareusedbyendusersinresolvingnames• Thequeryitselfneednotcontainanyenduseridentifyingmaterial• Themethodologyneverchanges“insecure”to”authenticated”– itwillonlychange“authenticated”to“insecure”dependingontheresolver’slocaltrustedkeystatewhenresolvingcertainlabels• AnyonecansetupatestconditionwithintheirdelegatedpartoftheDNS• Theresultsofthetestarepassedbackonlytotheuserintheformofaresolutionoutcome
ADescriptionoftheMechanism
draft-huston-kskroll-sentinel
Thanks!