1 / 9

Measuring DNSSEC validation i.e. how to do it

Measuring DNSSEC validation i.e. how to do it. Ólafur Guðmundsson Steve Crocker o gud , steve at shinkuro.com. Outline. Theory of measurement Reality of measurements Results and questions. Theory 101: Basics. Do DNSSEC validators behave differently from regular DNS resolvers?

fayre
Download Presentation

Measuring DNSSEC validation i.e. how to do it

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Measuring DNSSEC validationi.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com

  2. Outline • Theory of measurement • Reality of measurements • Results and questions

  3. Theory 101: Basics • Do DNSSEC validators behave differently from regular DNS resolvers? • Ask for DNSSEC records • DNSKEY • DS • Needs to refresh these records once in a while • DNSKEY about once every TTL • DS • Resolver needs to resolve RRset that is not in cache AND • If TTL’s on DNSKEY and DS have expired BUT • Not on NS

  4. Theory 201: Complications • Validators not only ones: • DNSSEC measurement tools • DNSSEC key mangers for trust anchors • “Rollover and Die” validators • DDoS tools • Need to exclude most of above. • Validator will ask for DNSKEY • Separated by at leastDNSKEY TTL • Asked for non-DNSSEC record just before • Cue on RRtype or name?

  5. Theory 202: Validator Draft rules • Asks for DNSKEY multiple times in a sample at least DNSKEY TTL apart • Asks for info, followed by DNSKEY query • Asks for multiple DS records • Rule 1 and 3 combined

  6. Measurements: ORG traffic • TTL’s: • 900 for SOA, NSEC3, DNSKEY • 84600 for NS and DS • By simple measure: • 10% of queries originate from suspected DNSSEC validators • BUT: • includes DNSKEY + DS traffic • Excludes: some only using dlv.isc.org

  7. Measurement Reality: • Saw traffic for some of DNS servers for ORG • 2/3 NS records, ~ 50% of traffic • Queries are scattered • Some resolvers ask a narrow band of servers • Busy ones • Some ask random ones and no subsequent questions to the same one. • Sporadic ones • Multiple validators/resolvers behind an address • All classified as one, • Traces • short < 1 hour • Time 2000-2050 UTZ

  8. How good are the samples • Are validators over/under represented? • Do the validators we see do more/less DNSSEC than others? • Do DNSSEC validators scatter queries different ? • DNSKEY set size > 1500 effects: • Validator tries multiple UDP servers before falling back on TCP  Overrepresented • Do measurement tools trick us ? • What to exclude in calculations? • DNSKEY ? • DS ? • DLV ? • SOA ?

  9. Discussion • How to measure • What to measure • Where to measure • How to tune TTL’s

More Related