Measuring DNSSEC
Geoff Huston & George Michaelson
APNIC Labs
October 2012

What are the questions?
1. What proportion of DNS resolvers are DNSSEC-capable?
2. What proportion of users are using DNSSEC-validating DNS resolvers?
3. Where are these users?

Experimental Technique
• Use code embedded in an online ad to perform two simple DNSSEC tests:
  GET http://t10000.u5950826831.s1347594696.i767.v6022.d.t5.dotnxdomain.net/1x1.png
  GET http://t10000.u5950826831.s1347594696.i767.v6022.e.t6.dotnxdomain.net/1x1.png
  Each URL fetches a 1x1 pixel image. The name is built from a DNSSEC-signed domain (dotnxdomain.net), a DNSSEC-signed subdomain, an experiment type and a unique experiment identifier string (to eliminate interactions with caches). One of the two names carries a valid DNSSEC signature chain and the other an invalid DNSSEC signature chain.

The Experiment
• Embed the unique id generation and the ad control in Flash code
  – Use a 10 second timer to POST results to the server
• Enrol an online advertisement network to display the ad
• The underlying code and the retrieval of the image are executed as part of the ad display function
  – No click is required! (or wanted!)

Experiment Run
10 – 27 September 2012
2,831,780 experiments were executed

DNSSEC-Validating Resolver
Query log of a validating resolver resolving one experiment name:
  23-Sep-2012 00:09:40.747 queries: client 201.6.x.y#28672: query: t10000.u356944218.s1348355380.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
  23-Sep-2012 00:09:41.118 queries: client 201.6.x.y#11321: query: t5.dotnxdomain.net IN DNSKEY -EDC (203.133.248.6)
  23-Sep-2012 00:09:41.494 queries: client 201.6.x.y#59852: query: t5.dotnxdomain.net IN DS -EDC (203.133.248.110)
Query sequence:
  Client -> DNS Resolver:             1. x.y.z A?
  DNS Resolver -> authoritative:      2. x.y.z A?
                                      3. y.z DNSKEY?   (DNSSEC validation queries)
                                      4. y.z DS?       (DNSSEC validation queries)
  DNS Resolver -> Client:             5. x.y.z A=addr

DNS Resolvers
• How many unique IP addresses queried for experiment domains in dotnxdomain.net?
• How many of these DNS resolvers also queried for the DNSKEY RR of dotnxdomain.net?

DNS Resolvers
• How many unique IP addresses queried for experiment domains in dotnxdomain.net?
  126,780
• How many of these DNS resolvers also queried for the DNSKEY RR of dotnxdomain.net?
  3,367

Q1: What proportion of DNS resolvers are DNSSEC-capable?
2.6% of visible DNS resolvers appear to be performing DNSSEC validation

Hang on...
How can we tell the difference between a DNSSEC-capable DNS recursive resolver and a DNS forwarder?

Look for a DNSKEY query within 3 seconds of the initial DNS query. If the DNSKEY query "follows" the initial query within 3 seconds, it is more likely that we are seeing a DNSSEC-validating DNS recursive resolver.

A DNSSEC-validating resolver performs validation as part of the query resolution process. This implies that the resolver will submit a DNSKEY query "very soon" after the first A query. So if we look at the time gap between the first A query and the first DNSKEY query, we might be able to distinguish between recursive resolvers and forwarders.

Resolvers:
• How many unique IP addresses queried for experiment domains in dotnxdomain.net?
  126,780
• How many of these DNS resolvers also (immediately) queried for the DNSKEY RR of dotnxdomain.net?
  2,277
  That's 1.7% of the seen resolver set

Hang on again...
• We are getting each client to fetch two URLs:
  – One is DNSSEC-valid
  – One is not
• If a client fetches the DNSSEC-invalid URL _and_ the only resolver used by the client is a supposedly DNSSEC-validating recursive resolver, then we can infer that the resolver is not in fact a DNSSEC-validating recursive resolver

Resolvers:
• How many unique IP addresses queried for experiment domains in dotnxdomain.net?
  126,780
• How many of these DNS resolvers also (immediately) queried for the DNSKEY RR of dotnxdomain.net AND returned an error for DNSSEC-invalid queries?
  2,123
  That's 1.6% of the seen DNS resolver set

Infrastructure Resolvers:
Filter out all resolvers that are associated with just 10 or fewer end clients
How many "big" resolvers are left: 26,825
How many perform DNSSEC validation: 819
What's the DNSSEC-active proportion of these resolvers: 3.1%

"Small scale" Resolvers
How many "small" resolvers were seen: 68,806
How many perform DNSSEC validation: 692
What's the DNSSEC-active proportion of these resolvers: 1.0%

The Biggest Resolvers by Origin AS
DNSSEC? | Clients | AS | AS NAME | Country
no  | 976241 | AS4766  | KIXS-AS-KR Korea Telecom | Republic of Korea
no  | 472735 | AS15169 | GOOGLE - Google Inc. | USA
no  | 411220 | AS16880 | TRENDMICRO Global IDC and Backbone of Trend Micro | USA
no  | 330663 | AS3462  | HINET Data Communication Business Group | Taiwan
no  | 294053 | AS3786  | LGDACOM LG DACOM Corporation | Republic of Korea
no  | 274418 | AS5384  | EMIRATES-INTERNET Emirates Telecommunications Corp | United Arab Emirates
no  | 228905 | AS4134  | CHINANET-BACKBONE No.31,Jin-rong Street | China
no  | 194865 | AS9318  | HANARO-AS Hanaro Telecom Inc. | Republic of Korea
no  | 145429 | AS4837  | CHINA169-BACKBONE CNCGROUP China169 Backbone | China
yes | 140211 | AS7922  | COMCAST-7922 - Comcast Cable Communications, Inc. | USA
no  | 120056 | AS4788  | TMNET-AS-AP TM Net, Internet Service Provider | Malaysia
no  | 113965 | AS3356  | LEVEL3 Level 3 Communications | USA
no  | 107524 | AS9050  | RTD ROMTELECOM S.A | Romania
no  | 100527 | AS45595 | PKTELECOM-AS-PK Pakistan Telecom Company Limited | Pakistan
no  | 87825  | AS6799  | OTENET-GR Ote SA (Hellenic Telecommunications Orga | Greece
no  | 86182  | AS7470  | TRUEINTERNET-AS-AP TRUE INTERNET Co.,Ltd. | Thailand
no  | 85917  | AS17676 | GIGAINFRA Softbank BB Corp. | Japan
no  | 83349  | AS4713  | OCN NTT Communications Corporation | Japan
no  | 82349  | AS25019 | SAUDINETSTC-AS Autonomus System Number for SaudiNe | Saudi Arabia
no  | 82146  | AS8781  | QA-ISP Qatar Telecom (Qtel) Q.S.C. | Qatar
no  | 78339  | AS9737  | TOTNET-TH-AS-AP TOT Public Company Limited | Thailand
no  | 75510  | AS9299  | IPG-AS-AP Philippine Long Distance Telephone Compa | Philippines
no  | 71499  | AS15557 | LDCOMNET Societe Francaise du Radiotelephone S.A | France
no  | 69071  | AS45758 | TRIPLETNET-AS-AP TripleT Internet Internet service | Thailand
no  | 67079  | AS8452  | TE-AS TE-AS | Egypt

The Biggest DNSSEC-validating Resolvers by Origin AS
DNSSEC? | Clients | AS | AS NAME | Country
yes | 140211 | AS7922  | COMCAST-7922 - Comcast Cable Communications, Inc. | USA
yes | 11355  | AS5466  | EIRCOM Eircom Limited | Ireland
yes | 9804   | AS9299  | IPG-AS-AP Philippine Long Distance Telephone Compa | Philippines
yes | 9327   | AS3301  | TELIANET-SWEDEN TeliaSonera AB | Sweden
yes | 9005   | AS22047 | VTR BANDA ANCHA S.A. | Chile
yes | 7390   | AS16276 | OVH OVH Systems | France
yes | 5313   | AS28573 | NET Servicos de Comunicao S.A. | Brazil
yes | 4758   | AS1257  | TELE2 | European Union
yes | 3762   | AS7657  | VODAFONE-NZ-NGN-AS Vodafone NZ Ltd. | New Zealand
yes | 3684   | AS23700 | BM-AS-ID PT. Broadband Multimedia, Tbk | Indonesia
yes | 3649   | AS5713  | SAIX-NET | South Africa
yes | 3448   | AS15735 | DATASTREAM-NET GO p.l.c. | Malta
yes | 3411   | AS2519  | VECTANT VECTANT Ltd. | Japan
yes | 3177   | AS29562 | KABELBW-ASN Kabel BW GmbH | Germany
yes | 2927   | AS4134  | CHINANET-BACKBONE No.31,Jin-rong Street | China
yes | 2180   | AS28725 | CZ-EUROTEL-AS AS of Eurotel Praha | Czech Republic
yes | 1897   | AS39651 | COMHEM-SWEDEN Com Hem Sweden | Sweden
yes | 1849   | AS11992 | CENTENNIAL-PR - Centennial de Puerto Rico | Puerto Rico
yes | 1832   | AS12912 | ERA Polska Telefonia Cyfrowa S.A. | Poland
yes | 1809   | AS12301 | INVITEL Invitel Tavkozlesi Zrt. | Hungary
yes | 1798   | AS11814 | DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS L | Canada
yes | 1781   | AS2119  | TELENOR-NEXTEL Telenor Norge AS | Norway
yes | 1444   | AS34779 | T-2-AS AS set propagated by T-2, d.o.o. | Slovenia
yes | 1220   | AS44034 | HI3G Hi3G Access AB | Sweden
yes | 947    | AS23752 | NPTELECOM-NP-AS Nepal Telecommunications Corporati | Nepal

Now let's look at Clients:
• How many unique IP addresses completed web fetches for objects named in the experiment?
• How many clients exclusively used DNSSEC-validating resolvers?

Clients:
• How many unique IP addresses completed web fetches for objects named in the experiment?
  1,717,906
• How many clients exclusively used DNSSEC-validating resolvers?
  27,838

Q2: What proportion of users are using DNSSEC-validating resolvers?
1.6% of end client systems are using only DNS resolvers that appear to be performing DNSSEC validation

Q3: Where can we find DNSSEC-validating clients?

Client use of DNSSEC by country (%), September 2012
[map of client DNSSEC validation rate by country]

The top of the country list
% who validate DNSSEC | Validate DNSSEC | Total | CC | Country
63.44% | 177  | 279   | AG | Antigua and Barbuda
59.48% | 1982 | 3332  | SE | Sweden
42.31% | 11   | 26    | GL | Greenland
32.31% | 158  | 489   | ZM | Zambia
25.17% | 1632 | 6484  | IE | Ireland
24.88% | 2068 | 8313  | CL | Chile
21.95% | 570  | 2597  | PR | Puerto Rico
21.40% | 782  | 3655  | ZA | South Africa
20.88% | 62   | 297   | AO | Angola
16.00% | 135  | 844   | BB | Barbados
15.75% | 9149 | 58074 | US | United States of America
15.66% | 13   | 83    | BJ | Benin
14.74% | 858  | 5820  | CZ | Czech Republic
8.00%  | 16   | 200   | NC | New Caledonia
7.07%  | 569  | 8045  | NZ | New Zealand
6.85%  | 23   | 336   | KG | Kyrgyzstan
6.79%  | 1917 | 28228 | IT | Italy
6.63%  | 62   | 935   | LB | Lebanon
4.82%  | 171  | 3545  | MT | Malta
4.69%  | 93   | 1981  | FI | Finland
3.75%  | 171  | 4562  | CH | Switzerland
3.37%  | 1411 | 41906 | BR | Brazil
3.03%  | 1    | 33    | LI | Liechtenstein
2.83%  | 484  | 17105 | DE | Germany
2.09%  | 329  | 15711 | UA | Ukraine

The top of the country list
Ranking only those CCs with more than 1000 sample points in this experiment run (106 CCs)
% who validate DNSSEC | Validate DNSSEC | Total | CC | Country
59.48% | 1982 | 3332  | SE | Sweden
25.17% | 1632 | 6484  | IE | Ireland
24.88% | 2068 | 8313  | CL | Chile
21.95% | 570  | 2597  | PR | Puerto Rico
21.40% | 782  | 3655  | ZA | South Africa
15.75% | 9149 | 58074 | US | United States of America
14.74% | 858  | 5820  | CZ | Czech Republic
7.07%  | 569  | 8045  | NZ | New Zealand
6.79%  | 1917 | 28228 | IT | Italy
4.82%  | 171  | 3545  | MT | Malta
4.69%  | 93   | 1981  | FI | Finland
3.75%  | 171  | 4562  | CH | Switzerland
3.37%  | 1411 | 41906 | BR | Brazil
2.83%  | 484  | 17105 | DE | Germany
2.09%  | 329  | 15711 | UA | Ukraine
1.98%  | 543  | 27405 | CA | Canada
1.97%  | 62   | 3140  | SK | Slovakia
1.89%  | 799  | 42284 | PL | Poland
1.65%  | 255  | 15432 | HU | Hungary
1.65%  | 792  | 48089 | JP | Japan
1.41%  | 35   | 2485  | UY | Uruguay
1.21%  | 105  | 8658  | LT | Lithuania
1.15%  | 73   | 6331  | CO | Colombia
1.15%  | 41   | 3573  | SI | Slovenia
1.11%  | 133  | 11963 | RS | Serbia
0.94%  | 308  | 32891 | ID | Indonesia
0.78%  | 91   | 11656 | TR | Turkey

The bottom of the country list
Ranking only those CCs with more than 1000 sample points in this experiment run (106 CCs)
% who validate DNSSEC | Validate DNSSEC | Total | CC | Country
0.01% | 6 | 70060 | GR | Greece
0.01% | 3 | 36156 | SA | Saudi Arabia
0.01% | 1 | 11523 | CY | Cyprus
0.00% | 0 | 28475 | AE | United Arab Emirates
0.00% | 0 | 16413 | QA | Qatar
0.00% | 0 | 10401 | LK | Sri Lanka
0.00% | 0 | 6574  | DZ | Algeria
0.00% | 0 | 6192  | KW | Kuwait
0.00% | 0 | 4317  | OM | Oman
0.00% | 0 | 4153  | KZ | Kazakhstan
0.00% | 0 | 4177  | JO | Jordan
0.00% | 0 | 3868  | EC | Ecuador
0.00% | 0 | 3135  | BH | Bahrain
0.00% | 0 | 2526  | YE | Yemen
0.00% | 0 | 2287  | MO | Macao
0.00% | 0 | 2321  | PS | Occupied Palestine
0.00% | 0 | 2098  | MU | Mauritius
0.00% | 0 | 1945  | LV | Latvia
0.00% | 0 | 1617  | PA | Panama
0.00% | 0 | 1394  | NG | Nigeria
0.00% | 0 | 1392  | ZW | Zimbabwe
0.00% | 0 | 1273  | SD | Sudan
0.00% | 0 | 1244  | ME | Montenegro
0.00% | 0 | 1182  | SV | El Salvador
0.00% | 0 | 1127  | GT | Guatemala
0.00% | 0 | 1058  | TT | Trinidad and Tobago
0.00% | 0 | 1088  | JM | Jamaica

DNSSEC-Validating Clients by AS – the top ASs
Ranking only those ASs with more than 50 sample points in this experiment run (15,134 ASs)
% who validate DNSSEC | Validate DNSSEC | Total | AS | CC | AS NAME
97.54% | 119  | 122   | AS44143 | RS | VIPMOBILE-AS Vip mobile d.o.o., Serbia
97.26% | 71   | 73    | AS27831 | CO | Colombia Móvil, Colombia
97.03% | 261  | 269   | AS44034 | SE | HI3G Hi3G Access AB, Sweden
96.83% | 61   | 63    | AS28725 | CZ | CZ-EUROTEL-AS AS of Eurotel Praha, Czech Republic
96.49% | 55   | 57    | AS15600 | CH | FINECOM Finecom Telecommunications AG, Switzerland
96.26% | 180  | 187   | AS20776 | FR | OUTREMER-AS Outremer Telecom, France
94.93% | 712  | 750   | AS12912 | PL | ERA Polska Telefonia Cyfrowa S.A., Poland
94.30% | 248  | 263   | AS31343 | UA | INTERTELECOM Intertelecom Ltd, Ukraine
91.87% | 113  | 123   | AS29518 | SE | BREDBAND2 Bredband2 AB, Sweden
90.86% | 1631 | 1795  | AS5466  | IE | EIRCOM Eircom Limited, Ireland
90.79% | 69   | 76    | AS38484 | AU | VIRGIN-BROADBAND-AS-AP Virgin Broadband VISP, Australia
88.06% | 2066 | 2346  | AS22047 | CL | VTR BANDA ANCHA S.A., Chile
87.83% | 570  | 649   | AS11992 | PR | CENTENNIAL-PR - Centennial de Puerto Rico, Puerto Rico
87.74% | 93   | 106   | AS3737  | US | PTD-AS - PenTeleData Inc., United States of America
87.40% | 111  | 127   | AS17711 | TW | NDHU-TW National Dong Hwa University, Taiwan
86.25% | 508  | 589   | AS3301  | SE | TELIANET-SWEDEN TeliaSonera AB, Sweden
85.19% | 46   | 54    | AS3245  | BG | DIGSYS-AS Digital Systems Ltd, Bulgaria
83.78% | 62   | 74    | AS41833 | LB | MOSCANET Moscanet (WISE), Lebanon
82.26% | 102  | 124   | AS8473  | SE | BAHNHOF Bahnhof Internet AB, Sweden
80.43% | 8855 | 11010 | AS7922  | US | COMCAST-7922 - Comcast Cable Communications, Inc., United States of America
80.27% | 118  | 147   | AS4704  | JP | SANNET SANYO Information Technology Solutions Co., Ltd., Japan
80.09% | 744  | 929   | AS5713  | ZA | SAIX-NET, South Africa
80.00% | 100  | 125   | AS41749 | RO | NETCOMPUTERS-AS Net & Computers SRL, Romania
79.44% | 85   | 107   | AS24852 | LT | VINITA VINITA Internet Services, Lithuania
76.16% | 409  | 537   | AS1257  | EU | TELE2, European Union

The Sort-of-Good News
1.6% of clients appear to use DNSSEC-validating resolvers. That's almost twice the DNSSEC validation coverage for the Internet as the proportion of users who have IPv6!

And finally...
The "Mad Resolver" prize goes to the pair of resolvers:
  217.73.15.39
  217.73.15.38
who successfully queried for the same A RR from our server a total of 93,237 times over eight hours.
Thanks guys! Great achievement!

Thank you!
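The two classification steps that the slides describe in prose, the resolver-side tests (any DNSKEY query, a DNSKEY query within 3 seconds of the first A query, and the cross-check that a client fetching the DNSSEC-invalid object through a single resolver disqualifies that resolver) and the client-side per-country ranking with its "more than 1000 sample points" filter, are worked through below in one added Python example. It is not APNIC Labs' measurement code. The query log lines are constructed in the format the slides show, with RFC 5737 documentation addresses and made-up u<id> labels; the join between a DNS query and the matching web fetch through the shared u<id> label is an assumption, since the slides do not show how the two logs are linked. The per-country sample is expanded from four of the country totals printed on the slides so that the computed percentages can be compared with them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query log modelled on the lines in the slides. Resolver
# addresses are RFC 5737 documentation addresses, u<id> labels are made up.
QUERY_LOG = """\
23-Sep-2012 00:09:40.747 queries: client 192.0.2.10#28672: query: t10000.u1001.s1348355380.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
23-Sep-2012 00:09:41.118 queries: client 192.0.2.10#11321: query: t5.dotnxdomain.net IN DNSKEY -EDC (203.133.248.6)
23-Sep-2012 00:09:41.494 queries: client 192.0.2.10#59852: query: t5.dotnxdomain.net IN DS -EDC (203.133.248.110)
23-Sep-2012 00:10:02.001 queries: client 192.0.2.20#40001: query: t10000.u1002.s1348355402.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
23-Sep-2012 00:10:09.500 queries: client 192.0.2.20#40002: query: t5.dotnxdomain.net IN DNSKEY -EDC (203.133.248.6)
23-Sep-2012 00:11:00.000 queries: client 192.0.2.30#50001: query: t10000.u1003.s1348355460.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
23-Sep-2012 00:11:00.900 queries: client 192.0.2.30#50002: query: t5.dotnxdomain.net IN DNSKEY -EDC (203.133.248.6)
23-Sep-2012 00:12:00.000 queries: client 192.0.2.40#60001: query: t10000.u1004.s1348355520.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
23-Sep-2012 00:13:00.000 queries: client 192.0.2.50#70001: query: t10000.u1005.s1348355580.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
23-Sep-2012 00:13:00.200 queries: client 192.0.2.60#70002: query: t10000.u1005.s1348355580.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
23-Sep-2012 00:13:00.650 queries: client 192.0.2.50#70003: query: t5.dotnxdomain.net IN DNSKEY -EDC (203.133.248.6)
"""

# Constructed web-server side: per experiment id, which of the two 1x1.png
# objects the client retrieved. Joining this to the DNS log through the shared
# u<id> label is an assumption; the slides do not show the join.
FETCHES = {
    "1001": {"valid": True, "invalid": False},
    "1002": {"valid": True, "invalid": True},
    "1003": {"valid": True, "invalid": True},
    "1004": {"valid": True, "invalid": True},
    "1005": {"valid": True, "invalid": True},
}

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) queries: client (?P<ip>[^#]+)#\d+: query: "
                    r"(?P<name>\S+) IN (?P<qtype>\S+) ")
UID_RE = re.compile(r"\.u(\d+)\.")
ZONE = "dotnxdomain.net"


def parse_log(text):
    """Yield (timestamp, resolver ip, query name, query type) per log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
                   m["ip"], m["name"].lower(), m["qtype"])


def classify_resolvers(log_text, fetches, window=3.0):
    """Apply the slides' three successive tests to every resolver address seen."""
    first_a, first_dnskey = {}, {}
    resolvers_of = defaultdict(set)   # experiment id -> resolvers that asked for its A record
    for ts, ip, name, qtype in parse_log(log_text):
        if not name.endswith(ZONE):
            continue
        if qtype == "A":
            first_a.setdefault(ip, ts)
            uid = UID_RE.search(name)
            if uid:
                resolvers_of[uid.group(1)].add(ip)
        elif qtype == "DNSKEY":
            first_dnskey.setdefault(ip, ts)
    seen = set(first_a)
    # Test 1: any DNSKEY query for the signed zone at all.
    dnskey = {ip for ip in seen if ip in first_dnskey}
    # Test 2: first DNSKEY query follows the first A query within the window,
    # the slides' heuristic for separating validating recursives from forwarders.
    prompt = {ip for ip in dnskey
              if 0 <= (first_dnskey[ip] - first_a[ip]).total_seconds() <= window}
    # Test 3: a client that fetched the DNSSEC-invalid object while using only this
    # resolver shows the resolver did not actually reject the bad signature chain.
    validating = set(prompt)
    for uid, used in resolvers_of.items():
        if fetches.get(uid, {}).get("invalid") and len(used) == 1:
            validating -= used
    return {"seen": seen, "dnskey": dnskey, "prompt": prompt, "validating": validating}


def validation_by_country(records, min_samples=1000):
    """records: (country code, fetched valid, fetched invalid) per client. Returns
    (cc, validating, total, percent) rows ranked by percent, keeping only countries
    with more than min_samples clients, as the slides' country ranking does."""
    validate, total = defaultdict(int), defaultdict(int)
    for cc, got_valid, got_invalid in records:
        if not (got_valid or got_invalid):
            continue                       # no completed fetch: not a sample point
        total[cc] += 1
        if got_valid and not got_invalid:  # only validating resolvers serve this client
            validate[cc] += 1
    rows = [(cc, validate[cc], total[cc], round(100.0 * validate[cc] / total[cc], 2))
            for cc in total if total[cc] > min_samples]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def sample_client_records():
    """Per-client records expanded from four of the country totals on the slides."""
    counts = {"AG": (177, 279), "SE": (1982, 3332), "GL": (11, 26), "IE": (1632, 6484)}
    recs = []
    for cc, (val, tot) in counts.items():
        recs += [(cc, True, False)] * val          # fetched only the valid object
        recs += [(cc, True, True)] * (tot - val)   # fetched both objects
    return recs


if __name__ == "__main__":
    print({k: sorted(v) for k, v in classify_resolvers(QUERY_LOG, FETCHES).items()})
    for row in validation_by_country(sample_client_records()):
        print(row)
```

In the constructed log, 192.0.2.20 asks for the DNSKEY 7.5 seconds after its first A query and so fails the 3 second test, 192.0.2.30 passes it but is demoted because its only client fetched the invalid object, and 192.0.2.50 keeps its validating status because that client also used 192.0.2.60, so the invalid fetch cannot be pinned on either resolver. The country ranking with the default threshold keeps only SE and IE (59.48% and 25.17%, matching the slides); with the threshold removed, AG and GL reappear at 63.44% and 42.31%, which is exactly why the slides rank the filtered list separately.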