DNSSEC usage statistics and some observations
SEE 5, Tirana
Sergey Myasoedov, 20.4.2016

DNSSEC history
• Defined by RFCs 4033-4035 – March 2005
• Root zone signed – July 2010
• March 2011 – the biggest zone, .com, signed
• The new gTLD programme (2013) requires running DNSSEC
• Current state: more than 110 ccTLDs are signed

DNSSEC principles
zone. IN SOA ns1.zone. admin.zone.
zone. IN NS ns1.zone.
zone. IN NS ns2.zone.
zone. IN DNSKEY 257 3 10 AwEAbPGd04qzYZmBbhU…
zone. IN DNSKEY 256 3 10 AwEAAbywQfdma4SxQMn…
zone. IN RRSIG SOA 10 2 86400 20130619092425 (…
zone. IN RRSIG NS 10 2 86400 20130619092425 (…

• Put the DNSKEYs in the zone
• Sign the records
• Publish the zone

Then ask the parent to publish the DS record:
"Dear root/TLD admin, please put our DS record in your zone: zone. IN DS 64656 10 2 DF8F614B79C… Thank you."
Delivered by e-mail, web request, fax or paper letter.

The DS record of .com as published in the root zone:
com. IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766

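A worked example of how the DS record in these slides is derived from the KSK DNSKEY (key tag plus a digest over owner name and key) and how a DS seen in the parent can be checked against the child's key. This is an added Python example, not part of the talk; the DNSKEY value and the owner name `zone.` are constructed placeholders, and only the SHA-1, SHA-256 and SHA-384 digest types are implemented.

```python
import base64
import hashlib
import struct

# Constructed sample KSK for this example: flags 257 (KSK), protocol 3, algorithm 8
# (RSA/SHA-256). The four key bytes are a placeholder, not a real RSA public key.
SAMPLE_OWNER = "zone."
SAMPLE_DNSKEY = "257 3 8 AQIDBA=="

# DS digest types supported here (type 3, GOST R 34.11-94, needs a non-standard hash).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_to_wire(name):
    """Canonical wire form of the owner name: lower-case, length-prefixed labels, root label last."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(presentation):
    """Wire-format RDATA of a DNSKEY from its presentation form 'flags protocol algorithm base64'."""
    flags, proto, alg, *key = presentation.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum of the 16-bit words of the RDATA, folded to 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, dnskey, digest_type=2):
    """The DS the parent must publish: digest over owner name (wire form) + DNSKEY RDATA (RFC 4034 §5)."""
    rdata = dnskey_rdata(dnskey)
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(owner, dnskey, published_ds):
    """Check a DS seen in the parent zone against the child's DNSKEY; whitespace inside the digest is ignored."""
    have = published_ds.split()
    want = ds_record(owner, dnskey, int(have[5])).split()
    return want[:6] == have[:6] and "".join(want[6:]) == "".join(have[6:])

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(ds)
    print("parent DS matches child DNSKEY:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```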
Status of ccTLD implementation of DNSSEC

Why analyze the .com zone?
• The biggest zone ever (zone file about 10 Gbytes)
• It is difficult to obtain the ccTLD zones
• Small percentage of DNSSEC-enabled domains
• But a large number of domains: ~600k
• Different crypto parameters

.COM/.NET statistics
April 2016 data:
.com – 578,000 DS records
.net – 102,000 DS records

Digging into .COM
• 580,000 DS records correspond to 550,000 domain names
• Many of them are signed by a single hoster using the same key
• Some domains have more than one digest published
• Some domains are clearly experimental

TOP name servers (grouped by company)
• 100320 nsX.transip.eu/net/nl
• 64968 nsX.hyp.net
• 47651 [d]ns200.anycast.me
• 17749 *.ovh.net
• 12620 vX.pcextreme.eu
• 9999 nsX.binero.se
• 7015 nsX.webhostingserver.nl
• 5907 nsX.openprovider.eu/be/nl

Selected key parameters
Algorithms:
404091 RSASHA1-NSEC3-SHA1
153004 RSA/SHA-256
13349 RSA/SHA-1
7438 ECDSA Curve P-256 with SHA-256
602 RSA/SHA-512
67 RSA/MD5 (?)
41 DH
37 DSA
33 ECDSA Curve P-384 with SHA-384
24 GOST R 34.10-2001
15 PRIVATEDNS
10 PRIVATEOID
9 DSA-NSEC3-SHA1

Hashes:
403752 SHA-1
174675 SHA-256
175 GOST R 34.11-94
118 SHA-384

Key re-usage
More than 10,000 domains are signed by a single key of binero.se. That's the perfect example of multiple key usage.
In the ccTLD zones I currently have, that is an extremely RARE situation (except .CZ, where many registrars are using one key for all of their customers' domains).

.net key parameters
Algorithms:
69033 RSASHA1-NSEC3-SHA1
27128 RSA/SHA-256
6539 RSA/SHA-1
1460 ECDSA Curve P-256 with SHA-256
287 RSA/SHA-512
50 ECDSA Curve P-384 with SHA-384
22 DSA
18 RSA/MD5 (?)
6 GOST R 34.10-2001

Hashes:
77097 SHA-1
27332 SHA-256
69 GOST R 34.11-94
55 SHA-384

Similar statistics in the .net zone
Similar rate of DNSSEC penetration – 97k DNSSEC-enabled domains per 15.6 mil. domains
Same distribution of algorithms and hashes
Similar observation of key re-usage: 2400+ entries of key ID 41182 – it's a key ID of the Swedish hoster Binero AB

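The tallies on the .com and .net slides above (algorithm and digest distribution, DS records versus domain names, domains with several digests, one key tag appearing under thousands of owners) can be reproduced over a TLD zone file with a script like this added Python example; it is not the speaker's own tool. The zone excerpt is constructed and the parser assumes the `owner TTL IN DS ...` layout; the algorithm and digest names follow the talk's tables.

```python
from collections import Counter, defaultdict

# DNSSEC algorithm and DS digest-type numbers, named as in the talk's tables.
ALGORITHMS = {1: "RSA/MD5", 2: "DH", 3: "DSA", 5: "RSA/SHA-1", 6: "DSA-NSEC3-SHA1",
              7: "RSASHA1-NSEC3-SHA1", 8: "RSA/SHA-256", 10: "RSA/SHA-512",
              12: "GOST R 34.10-2001", 13: "ECDSA Curve P-256 with SHA-256",
              14: "ECDSA Curve P-384 with SHA-384", 253: "PRIVATEDNS", 254: "PRIVATEOID"}
DIGESTS = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}
DEPRECATED_ALGS = {1, 3, 5, 6, 7, 12}   # no longer recommended for signing (RFC 8624)

# Constructed zone-file excerpt in the 'owner TTL IN DS ...' layout; not real .com data.
SAMPLE_ZONE = """\
alpha.example. 86400 IN DS 41182 8 2 1111111111111111111111111111111111111111111111111111111111111111
alpha.example. 86400 IN DS 41182 8 1 1111111111111111111111111111111111111111
beta.example.  86400 IN DS 41182 8 2 1111111111111111111111111111111111111111111111111111111111111111
gamma.example. 86400 IN DS 41182 8 2 1111111111111111111111111111111111111111111111111111111111111111
delta.example. 86400 IN DS 5003 7 1 2222222222222222222222222222222222222222
delta.example. 86400 IN NS ns1.delta.example.
eps.example.   86400 IN DS 777 13 2 3333333333333333333333333333333333333333333333333333333333333333
"""

def parse_ds(zone_text):
    """Yield (owner, key_tag, algorithm, digest_type, digest) per DS record; other record types are skipped."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and [x.upper() for x in f[2:4]] == ["IN", "DS"]:
            yield f[0].lower(), int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper()

def analyse(zone_text):
    """The talk's tallies: algorithm/digest distribution, domains vs DS records, multi-DS domains, key re-use."""
    algs, digests, per_domain, owners_per_key = Counter(), Counter(), Counter(), defaultdict(set)
    deprecated = 0
    for owner, tag, alg, dtype, _ in parse_ds(zone_text):
        algs[ALGORITHMS.get(alg, f"alg {alg}")] += 1
        digests[DIGESTS.get(dtype, f"digest type {dtype}")] += 1
        per_domain[owner] += 1
        # The DS digest covers the owner name, so a key shared by many domains has a different
        # digest under each of them; the shared key shows up as one key tag + algorithm pair.
        owners_per_key[(tag, alg)].add(owner)
        if alg in DEPRECATED_ALGS:
            deprecated += 1
    return {
        "ds_records": sum(per_domain.values()),
        "domains": len(per_domain),
        "algorithms": dict(algs),
        "digests": dict(digests),
        "multi_ds_domains": sorted(o for o, n in per_domain.items() if n > 1),
        "shared_keys": {k: sorted(v) for k, v in owners_per_key.items() if len(v) > 1},
        "deprecated_alg_records": deprecated,
    }
```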
And the same situation in .org
58k DNSSEC-enabled domains per 10.9 mil. domains
Same distribution of algorithms and hashes, but only SHA-1 and SHA-256 are present
Similar observation of key re-usage: Binero AB is a leading DNSSEC DNS service for .net and .org

New gTLDs
• 948 new top-level domains, including IDN
• Admins are obliged to provide access to the zone
• DNSSEC is a necessary condition
• Easy access to zone files

Crypto statistics
From 716 new gTLDs:
564 – RSA/SHA-512
127 – RSASHA1-NSEC3-SHA1
18 – RSA/SHA-1
7 – RSA/SHA-512
No GOST. Surprise?

Top new gTLDs
Domains registered:
.xyz – 2665k
.top – 1854k
.wang – 1065k
.win – 886k
.club – 738k
.link – 358k

TOP DNSSEC penetration (gTLDs with 100+ domains):
.ovh – 47%
.amsterdam – 25%
.webcam – 11%
.golf – 9%
.immo – 9%
.brussels – 8%
.sarl – 8%
.taxi – 7%

Top new gTLDs
The DNSSEC penetration rate for the top new gTLDs is in the 0.00%–0.28% range.

Top new gTLDs
The higher penetration rate (10%-47%) is observed in the TLDs with 24k-82k domains.

Specific requirements
Some TLD administrators define their own policy on DNSSEC. This policy could affect:
- The WHOIS output
- Allowed algorithms, key lengths, hashes etc.
- Whether key re-usage is allowed within the registry
One should take such policies into account.

Software for DNSSEC operations
• There are about 10 open source software packages to manage your DNSSEC-enabled zone
• There are also some proprietary solutions
• With the wide deployment of DNSSEC, the number of different tools is growing
• Most DNS servers have their own utilities
• For a relatively small number of zones, OpenDNSSEC may be the best solution

The most common configuration error
Expiration of the signature validity
All the trust chains will be broken

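Catching this error before resolvers do: an added Python example, not from the talk, that reads RRSIG records in presentation format, classifies each by its validity window, and flags the case where the signature over the apex DNSKEY RRset has lapsed, which is what leaves every name in the zone unvalidatable. The RRSIG lines are constructed, with the first reusing the expiration timestamp from the DNSSEC principles slide; the key tags and signatures are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records in presentation format (one per line, parentheses removed); not
# from the talk's slides. Field 8 is the expiration, field 9 the inception, both UTC YYYYMMDDHHmmSS.
SAMPLE_RRSIGS = """\
zone. 86400 IN RRSIG SOA 10 1 86400 20130619092425 20130520092425 64656 zone. c29tZXNpZw==
zone. 86400 IN RRSIG DNSKEY 10 1 86400 20130705120000 20130605120000 64656 zone. c29tZXNpZw==
www.zone. 3600 IN RRSIG A 10 2 3600 20130901000000 20130802000000 12345 zone. c29tZXNpZw==
"""

def parse_rrsig_time(field):
    """RRSIG inception/expiration are absolute UTC times written as YYYYMMDDHHmmSS (RFC 4034 §3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(text, now, warn_days=7):
    """Classify each RRSIG as 'expired', 'expiring' (< warn_days left), 'not yet valid' or 'ok'."""
    results = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        owner, covered, key_tag = f[0], f[4], int(f[10])
        expiration, inception = parse_rrsig_time(f[8]), parse_rrsig_time(f[9])
        if now < inception:
            status = "not yet valid"      # clock skew, or a signer publishing too early
        elif now >= expiration:
            status = "expired"            # validators treat the RRset as bogus from this moment
        elif expiration - now < timedelta(days=warn_days):
            status = "expiring"           # the re-signing job should already have produced a new RRSIG
        else:
            status = "ok"
        results.append((owner, covered, key_tag, status, expiration - now))
    return results

def zone_is_bogus(text, now):
    """An expired signature over the apex DNSKEY RRset leaves validators with no usable key for the zone."""
    return any(s == "expired" for _, c, _, s, _ in check_rrsigs(text, now) if c == "DNSKEY")

if __name__ == "__main__":
    for owner, covered, tag, status, left in check_rrsigs(SAMPLE_RRSIGS, datetime.now(timezone.utc)):
        print(f"{owner} {covered} (key {tag}): {status}, {left} until expiration")
```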
DANE overview
• As we have trusted DNS data with DNSSEC, we could wish to secure other sensitive data
• So we can put the trust anchor of our website/mail server/whatever certificate into our secured DNS zone
• This could be either a certificate fingerprint, the whole certificate, or a pointer to a CA root cert

Is DANE dead?
The deployment of DANE resource records is tiny. What could be the reason?
- Low demand from the web
- Implementation difficulties?

DANE usage statistics
Not measured because…
Almost nobody is using DANE
MX is the only DANE field that can be useful today
Research by Go6.si is at http://goo.gl/8QcWE1

What could be a killer app?
• The Let's Encrypt initiative can provide you a valid, recognized certificate for your domain name
• This certificate can be published in DNS using DANE
• Then this certificate can be used to encrypt all information exchange of your server
• There will be two possibilities to check the trust chain: the classic one with the certificate store, and DANE

Questions?
LinkedIn.com/in/myasoedov