Upload File

measuring ksk roll readiness - apnic · 2017. 11. 11. · user-side dns measurement multiple...

  • Home
  • Documents
  • Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other
20
Measuring KSK Roll Readiness Geoff Huston APNIC Labs

Upload: others

Post on 05-Sep-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

MeasuringKSKRollReadiness

Geoff HustonAPNIC Labs

Page 2: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

TheDNSmaylooksimple

Page 3: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

FortheDNSlooksareverydeceiving

Page 4: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

WhatwewouldliketheDNStobe

Client DNS Resolver DNS Server

Page 5: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

WhatwesuspectismoreliketheDNS

Client DNS Resolver DNS Server

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS ResolverDNS

ResolverDNS ResolverDNS

ResolverDNS ResolverDNS

Resolver

Page 6: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

SignallingviaQueries

Client DNS Resolver Server

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS ResolverDNS

ResolverDNS ResolverDNS

ResolverDNS ResolverDNS

Resolver

ThequerycontainsinformationwhichpassesinwardintheDNStowardstheauthoritativeserver(s)

Page 7: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

SignallingviaResponses

Client DNS Resolver Server

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS ResolverDNS

ResolverDNS ResolverDNS

ResolverDNS ResolverDNS

Resolver

TheresponsecontainsinformationwhichpassesbackwardintheDNStowardstheoriginalquerier

Page 8: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

KSKRollMeasurementObjective

WhatnumberofusersareatriskofbeingimpactedbytheKSKRoll?

• Therearetworiskelementsforresolvers:• Unabletoreceivea1,414octetUDPresponsefromtherootservers(queryforDNSKEYRRfromtherootzone)• FailuretofollowRFC5011keyintroductionprocedure

• Ineithercasetheresolveroutcomeisthesame:Notloadingtheincomingtrustkeyintothelocaltrustedkeystore• Andiftheuserpassesqueriesonly totheseaffectedresolversthantherollwillcausealossofDNSservice

Page 9: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

MeasuringResolversviaRFC8145SignalingGettingresolverstoreportontheirlocaltrustedkeystate• ResolversthatsupporttheRFC8145signalmechanismperiodicallyincludethekeytagoftheirlocallytrustedkeysintoaquerydirectedtowardstherootservers

Page 10: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

Whatdidweseeat(some)roots?

DuaneWessels VeriSignRFC8145Signaling TrustAnchorKnowledgeInDNSSecurityExtensionsPresentationtoDNSSECWorkshop@ICANN60– 1Nov2017https://schd.ws/hosted_files/icann60abudhabi2017/ea/Duane%20Wessels-VeriSign-RFC%208145-Signaling%20Trust%20Anchor%20Knowledge%20in%20DNS%20Security%20Extensions.pdf

Page 11: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

Whatisthissaying?

• ItsclearthatthereissomeresidualsetofresolversthataresignallingthattheyhavenotyetlearnedtotrustthenewKSKkey• Butitsnotclearif:• Thisisanaccuratesignalaboutthestateofthisresolver• Thisisanaccuratesignalabouttheidentityofthisresolver• Howmanyuserssit‘behind’thisresolver• Whethertheseusesrelysolelyonthisresolver,oriftheyalsohavealternateresolversthattheycanuse• Whatproportionofallusersareaffected

Page 12: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

Why?

• BecausetheDNSdoesnotdisclosetheantecedentsofaquery• IfAforwardsaquerytoB,whoqueriesaRootServerthenifthequerycontainsanimplicitsignal(asinthiscase)thenitappearsthatBisquerying,notA• Atnotimeistheusermadevisibleinthereferredquery

• Becausecaching• IfAandBbothforwardtheirqueriesviaC,thenitmaybethatoneorbothofthesequeriesmaybeansweredfromC’scache• Inthiscasethesignalisbeingsuppressed

• Becauseitsactuallymeasuringacause,nottheoutcome• Itsmeasuringresolvers’uptakeofthenewKSK,butisnotabletomeasuretheuserimpactofthis

Page 13: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

User-SideMeasurement

CanwedeviseaDNSquerythatcouldrevealthestateofthetrustedkeysoftheresolversbacktotheuser?

• NotwithinthecurrentparametersofDNSSECand/orresolverbehaviour

Page 14: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

User-SideMeasurement

CanwedeviseaDNSquerythatcouldrevealthestateofthetrustedkeysoftheresolversbacktotheuser?• Whatifwecouldchangeresolverbehaviour?

• JustasRFC8145requiredachangeinresolverbehaviour• Whataboutachangetotheresolver’sreportingofvalidationoutcomedependingontheresolver’slocaltrustedkeystate?• Ifaquerycontainsthelabel“_is-ta-<key-tag>”thenavalidatingresolverwillreportvalidationfailureifthekeyisNOTinthelocaltrustedkeystore• Ifaquerycontainsthelabel“_not-ta-<key-tag>” thenavalidatingresolverwillreportvalidationfailureifthekeyISinthelocaltrustedkeystore

Page 15: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

User-SideResolverMeasurement

ThreeDNSqueries:1. _is-ta-4066.<some.signed.domain>2. _not-ta-4066.<some.signed.domain>3. <badly-signed>.<some.signed.domain>

SingleResolverAnalysis:

ResolverBehaviour TypeLoadedNewKSK

NOTloadedNewKSKMechanismnotsupported

Notvalidating

Query1Query2Query3ASERVFAILSERVFAIL

SERVFAILASERVFAILAASERVFAILAAA

Page 16: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

User-SideDNSMeasurement

MultipleResolverAnalysisASERVFAILresponsewillcausetheusetorepeattheyquerytootherconfiguredresolvers.Inamulti-resolverscenario,andwhereforwardersareusedwecanstilldetermineiftheuserwillbeimpactedbytheKSKroll

UserImpactOK

NOTOK

Query1Query2Query3ASERVFAILSERVFAIL

SERVFAILASERVFAILAASERVFAIL

SERVFAILSERVFAILSERVFAIL

AAA

UNKNOWN

NOTImpacted

Page 17: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

MeasuringUserImpact

• Createthesetestsinascriptedwebpageandallowuserstotestthestateoftheirresolvers• Loadthesetestsintoanonlineadcampaignandusetheadtopassthetesttomillionsofusers• IftheusercanresolveQuery1,andSERVFAILsonQuery2andQuery3thentheuserisabletovalidateusingthenominatedkeyasatrustedkey• IftheuserSERVFAILSonQuery1,resolvesQuery2andSERVFAILsonQuery3thentheuserisunabletovalidateusingthenominatedkeyasatrustedkeys• OtherwiseiftheuserSERVFAILSonQuery3thentheresultisindeterminate

Page 18: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

PrivacyandSecurityConsiderations

• Thistestitselfdoesnotrevealwhichresolversareusedbyendusersinresolvingnames• Thequeryitselfneednotcontainanyenduseridentifyingmaterial• Themethodologyneverchanges“insecure”to”authenticated”– itwillonlychange“authenticated”to“insecure”dependingontheresolver’slocaltrustedkeystatewhenresolvingcertainlabels• AnyonecansetupatestconditionwithintheirdelegatedpartoftheDNS• Theresultsofthetestarepassedbackonlytotheuserintheformofaresolutionoutcome

Page 19: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

ADescriptionoftheMechanism

draft-huston-kskroll-sentinel

Page 20: Measuring KSK Roll Readiness - APNIC · 2017. 11. 11. · User-Side DNS Measurement Multiple Resolver Analysis A SERVFAIL response will cause the use to repeat they query to other

Thanks!


ASME UET KSK Event Report

The Resolvers We Use - APNIC...2019/10/16  · Top Resolvers –by Origin AS Rank Resolver Use % Open Resolver / AS 1Google DNS 9.39% GOOGLE, US 2AS55836 7.89% Reliance Jio, IN 3AS4134

APNIC Update: APNIC 28

APNIC Update - PacNOG€¦ · APNIC Update Elly Tawhai PacNOG21 04-12-2017 . Outline •APNIC in the Internet ecosystem •APNIC Policy update •APNIC Whoisdatabase upgrade •Implementation

TLD Universal Acceptance, KSK Rollover & engagements · TLD Universal Acceptance, KSK ... systems with the public part of the new KSK ... • Training programs (NOGs, Govt, Public

1.1.1 - APNIC · 2018-12-04 · DNS resolver, 1.1.1.1, is served by Cloudflare’s Global Anycast Network. Announced April 1st 2018 Our mission: to help build a better Internet. We

Ksk guidelines 050312

Root KSK Rollover Update (or, We're really doing it …...2018/05/04  · –Unbound 1.6.4, released 27 June 2017 –Knot Resolver 1.5.0, released 2 November 2017 ¡ By September 2017,

APNIC eLearning: DNS Security - … · DNS Security Contact: [email protected] eDNS03_v1.0 . Overview ... (KSK) – Signed the keys which includes ZSK and KSK and may also be used

KSK concept and products

APNIC Update€¦ · •APNIC Policy update •APNIC Whoisdatabase upgrade •Implementation of org object 2. APNIC and other RIRs 3. APNIC region 4. 5. Where do IP addresses come

APNIC Update RIPE 59 October 2009. Overview APNIC Services Update APNIC 28 policy outcomes APNIC Members and Stakeholder Survey Next APNIC Meetings

DNSSEC Deployment in the .gov TLD - USENIX · DNSSEC Deployment in the .gov TLD Scott Rose, NIST ... training to learn – Or ... ZSK KSK Data ZSK KSK DS ZSK KSK DS ZSK KSK Data ZSK

Ksk Potensiometer

APNIC Member MeetingNRO NC Selection – APNIC • As determined by APNIC EC • One member appointed by APNIC EC annually, for 1-year term • Two members elected during the APNIC

Measuring the KSK Roll - APNIC · Measuring the KSK Roll Geoff Huston APNIC Labs. KSK Roll Measurement Objective What number of users are at risk of being impacted by the KSK Roll?

KSK Sentinel - indico.dns-oarc.net€¦ · We need want to roll the DNSSEC trust-anchor (KSK) Users with a validating resolver that doesn't have the new KSK break; everything looks

KSK Cap 04 Over Head

Managing the Root KSK Rollover, Step by Step for Operatorsslides.lacnic.net/wp-content/uploads/2017/05/ksk-rollover... · Managing the Root KSK Rollover, Step by Step for ... –DNS

Electronics Ksk

Internship Report KSK Associates

APNIC Update Update RIPE 59 October 2009 Overview • APNIC Services Update • APNIC 28 policy outcomes • APNIC Members and Stakeholder Survey • Next APNIC Meetings Resource Delegations

DITL & APNIC George Michaelson APNIC 26, Christchurch

2017 DNSSEC KSK Rollover - North American Network ......Embed copies of the KSK (now KSK-2010, later KSK-2017) ! In contact with as many distributors as possible ! Compare with the

Flotation Pump KSK - quantor.technology

DNSSECTutorial& - APNIC Conferences – APNIC · Security3Extensions3(DNSSEC)3 =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page webserver www @ 1.2.3.4

KSK Mahanadi Power Company Limited (“KSKMPCL”) · INVITATION FOR EXPRESSION OF INTEREST FOR KSK MAHANADI POWER COMPANY LIMITED 1. BACKGROUND KSK Mahanadi Power Company Limited

APNIC Policy Documentation - APNIC 35

KSK-5230 IN...KSK-5230 IN. Silicone keyboard with touchpad. KSK-6231 INEL. Full-size Silicone keyboard with . touchpad for industrial use. More . Industrie-Tastaturen from . Keysonic

Technical Diary Turbine Ksk

2017 DNSSEC KSK Rollover - APNIC Conferences · ¤DNS Caches, DNS Stubs check the signatures in a few ways, cryptographic and other (time, etc.) ... ¤Unbound ¤Inspect the

COMPETITION LAW - KSK

A1 Resolver Based Punch Press Controls Resolver Based

KSK SS013 COLLECTION

1. ENTITY & OWNERSHIP - KSK-ES