Measuring DNSSEC Geoff Huston & George Michaelson APNICLabs October 2012 What are the questions? 1.
Download
Report
Transcript Measuring DNSSEC Geoff Huston & George Michaelson APNICLabs October 2012 What are the questions? 1.
Measuring DNSSEC
Geoff Huston & George Michaelson
APNICLabs
October 2012
What are the questions?
1. What proportion of DNS resolvers are
DNSSEC-capable?
2. What proportion of users are using DNSSECvalidating DNS resolvers?
3. Where are these users?
Experimental Technique
• Use code embedded in an online ad to perform two
simple DNSSEC tests
GET http://t10000.u5950826831.s1347594696.i767.v6022.d.t5.dotnxdomain.net/1x1.png
GET http://t10000.u5950826831.s1347594696.i767.v6022.e.t6.dotnxdomain.net/1x1.png
1x1 pixel image
DNSSEC-signed domain
DNSSEC-signed subdomain
experiment type
unique experiment identifier string
(to eliminate interactions with caches)
Invalid DNSSEC signature chain
Valid DNSSEC signature chain
The Experiment
• Embed the unique id generation and the ad control in flash
code
– Use a 10 second timer to POST results to the server
• Enrol an online advertisement network to display the ad
• The underlying code and the retrieval of the image is
executed as part of the ad display function
– No click is required!
(or wanted!)
Experiment Run
10 – 27 September 2012
2,831,780 experiments were executed
DNSSEC-Validating Resolver
23-Sep-2012 00:09:40.747 queries: client 201.6.x.y#28672:
query: t10000.u356944218.s1348355380.i767.v6022.d.t5.dotnxdomain.net IN A -EDC (203.133.248.110)
23-Sep-2012 00:09:41.118 queries: client 201.6.x.y#11321:
query: t5.dotnxdomain.net IN DNSKEY -EDC (203.133.248.6)
23-Sep-2012 00:09:41.494 queries: client 201.6.x.y#59852:
query: t5.dotnxdomain.net IN DS -EDC (203.133.248.110)
1. x.y.z A?
Client
DNS Resolver
2. x.y.z A?
3. y.z DNSKEY?
4. y.z DS?
5. x.y.z A=addr
DNSSEC validation queries
DNS Resolvers
• How many unique IP addresses queried for
experiment domains in dotnxdomain.net?
• How many of these DNS resolvers also queried
for the DNSKEY RR of dotnxdomain.net?
DNS Resolvers
• How many unique IP addresses queried for
experiment domains in dotnxdomain.net?
126,780
• How many of these DNS resolvers also queried
for the DNSKEY RR of dotnxdomain.net?
3,367
Q1: What proportion of DNS
resolvers are DNSSEC-capable?
2.6% of visible DNS resolvers appear to be performing
DNSSEC validation
Hang on...
How can we tell the difference between a
DNSSEC-capable DNS recursive resolver and a
DNS forwarder?
Hang on...
How can we tell the difference between a
DNSSEC-capable DNS recursive resolver and a
DNS forwarder?
Look for a DNSKEY query within 3 seconds of the
initial DNS query. If the DNSKEY query “follows” the
initial query within 3 seconds it is more likely we are
seeing a DNSSEC-validating DNS recursive resolver.
A DNSSEC-validating resolver will perform validation as part of the query resolution
process. This implies that the resolver will submit a DNSKEY query “very soon” after
the first A query.
So if we look at the time gap between the first A query and the first DNSKEY query we
might be able to distinguish between recursive resolvers and forwarders
Resolvers:
• How many unique IP addresses queried for
experiment domains in dotnxdomain.net?
126,780
• How many of these DNS resolvers also
(immediately) queried for the DNSKEY RR of
dotnxdomain.net?
2,277
Thats 1.7% of the seen resolver set
Hang on again...
• We are getting each client to fetch two URLs:
– One is DNSSEC-valid
– One is not
• If a client fetches the DNSSEC-invalid URL
_and_ if the only resolver used by the client is
a supposedly DNSSEC-validating recursive
resolver then we can infer that the resolver is
not in fact a DNSSEC-validating recursive
resolver
Resolvers:
• How many unique IP addresses queried for experiment
domains in dotnxdomain.net?
126,780
• How many of these DNS resolvers also (immediately)
queried for the DNSKEY RR of dotnxdomain.net AND
returned an error for DNSSEC-invalid queries?
2,123
That’s 1.6% of the seen DNS resolver set
Infrastructure Resolvers:
Filter out all resolvers that are associated with
just 10 or fewer end clients
How many “big” resolvers are left:
How many perform DNSSEC validation:
26,825
819
What’s the DNSSEC-active proportion of these
resolvers:
3.1%
“small scale” Resolvers
How many “small” resolvers were seen:
68,806
How many perform DNSSEC validation:
692
What’s the DNSSEC-active proportion of these
resolvers:
1.0%
The Biggest Resolvers by Origin
AS
DNSSEC? Clients
no
no
no
no
no
no
no
no
no
yes
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
976241
472735
411220
330663
294053
274418
228905
194865
145429
140211
120056
113965
107524
100527
87825
86182
85917
83349
82349
82146
78339
75510
71499
69071
67079
AS
AS4766
AS15169
AS16880
AS3462
AS3786
AS5384
AS4134
AS9318
AS4837
AS7922
AS4788
AS3356
AS9050
AS45595
AS6799
AS7470
AS17676
AS4713
AS25019
AS8781
AS9737
AS9299
AS15557
AS45758
AS8452
AS NAME
KIXS-AS-KR Korea Telecom
GOOGLE - Google Inc.
TRENDMICRO Global IDC and Backbone of Trend Micro
HINET Data Communication Business Group
LGDACOM LG DACOM Corporation
EMIRATES-INTERNET Emirates Telecommunications Corp
CHINANET-BACKBONE No.31,Jin-rong Street
HANARO-AS Hanaro Telecom Inc.
CHINA169-BACKBONE CNCGROUP China169 Backbone
COMCAST-7922 - Comcast Cable Communications, Inc.
TMNET-AS-AP TM Net, Internet Service Provider
LEVEL3 Level 3 Communications
RTD ROMTELECOM S.A
PKTELECOM-AS-PK Pakistan Telecom Company Limited
OTENET-GR Ote SA (Hellenic Telecommunications Orga
TRUEINTERNET-AS-AP TRUE INTERNET Co.,Ltd.
GIGAINFRA Softbank BB Corp.
OCN NTT Communications Corporation
SAUDINETSTC-AS Autonomus System Number for SaudiNe
QA-ISP Qatar Telecom (Qtel) Q.S.C.
TOTNET-TH-AS-AP TOT Public Company Limited
IPG-AS-AP Philippine Long Distance Telephone Compa
LDCOMNET Societe Francaise du Radiotelephone S.A
TRIPLETNET-AS-AP TripleT Internet Internet service
TE-AS TE-AS
Country
Republic of Korea
USA
USA
Taiwan
Republic of Korea
United Arab Emirates
China
Republic of Korea
China
USA
Malaysia
USA
Romania
Pakistan
Greece
Thailand
Japan
Japan
Saudi Arabia
Qatar
Thailand
Philippines
France
Thailand
Egypt
The Biggest DNSSEC-validating
Resolvers by Origin AS
DNSSEC? Clients
yes 140211
yes 11355
yes
9804
yes
9327
yes
9005
yes
7390
yes
5313
yes
4758
yes
3762
yes
3684
yes
3649
yes
3448
yes
3411
yes
3177
yes
2927
yes
2180
yes
1897
yes
1849
yes
1832
yes
1809
yes
1798
yes
1781
yes
1444
yes
1220
yes
947
AS
AS7922
AS5466
AS9299
AS3301
AS22047
AS16276
AS28573
AS1257
AS7657
AS23700
AS5713
AS15735
AS2519
AS29562
AS4134
AS28725
AS39651
AS11992
AS12912
AS12301
AS11814
AS2119
AS34779
AS44034
AS23752
AS NAME
COMCAST-7922 - Comcast Cable Communications, Inc.
EIRCOM Eircom Limited
IPG-AS-AP Philippine Long Distance Telephone Compa
TELIANET-SWEDEN TeliaSonera AB
VTR BANDA ANCHA S.A.
OVH OVH Systems
NET Servicos de Comunicao S.A.
TELE2
VODAFONE-NZ-NGN-AS Vodafone NZ Ltd.
BM-AS-ID PT. Broadband Multimedia, Tbk
SAIX-NET
DATASTREAM-NET GO p.l.c.
VECTANT VECTANT Ltd.
KABELBW-ASN Kabel BW GmbH
CHINANET-BACKBONE No.31,Jin-rong Street
CZ-EUROTEL-AS AS of Eurotel Praha
COMHEM-SWEDEN Com Hem Sweden
CENTENNIAL-PR - Centennial de Puerto Rico
ERA Polska Telefonia Cyfrowa S.A.
INVITEL Invitel Tavkozlesi Zrt.
DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS L
TELENOR-NEXTEL Telenor Norge AS
T-2-AS AS set propagated by T-2, d.o.o.
HI3G Hi3G Access AB
NPTELECOM-NP-AS Nepal Telecommunications Corporati
Country
USA
Ireland
Philippines
Sweden
Chile
France
Brazil
European Union
New Zealand
Indonesia
South Africa
Malta
Japan
Germany
China
Czech Republic
Sweden
Puerto Rico
Poland
Hungary
Canada
Norway
Slovenia
Sweden
Nepal
Now lets look at Clients:
• How many unique IP addresses completed
web fetches for objects named in the
experiment?
• How many clients exclusively used DNSSECvalidating resolvers?
Clients:
• How many unique IP addresses completed
web fetches for objects named in the
experiment?
1,717,906
• How many clients exclusively used DNSSECvalidating resolvers?
27,838
Q2: What proportion of users are
DNSSEC-validating resolvers?
1.6% of end client systems are using only DNS resolvers that appear to be
performing DNSSEC validation
Q3: Where can we find DNSSECvalidating clients?
Q3: Where can we find DNSSECvalidating clients?
Client use of DNSSEC by country (%)
September 2012
The top of the country list
Validate
DNSSEC
% who
validate
DNSSEC
63.44%
59.48%
42.31%
32.31%
25.17%
24.88%
21.95%
21.40%
20.88%
16.00%
15.75%
15.66%
14.74%
8.00%
7.07%
6.85%
6.79%
6.63%
4.82%
4.69%
3.75%
3.37%
3.03%
2.83%
2.09%
Total
AG
SE
GL
ZM
IE
CL
PR
ZA
AO
BB
US
BJ
CZ
NC
NZ
KG
IT
LB
MT
FI
CH
BR
LI
DE
UA
177
1982
11
158
1632
2068
570
782
62
135
9149
13
858
16
569
23
1917
62
171
93
171
1411
1
484
329
279
3332
26
489
6484
8313
2597
3655
297
844
58074
83
5820
200
8045
336
28228
935
3545
1981
4562
41906
33
17105
15711
Antigua and Barbuda
Sweden
Greenland
Zambia
Ireland
Chile
Puerto Rico
South Africa
Angola
Barbados
United States of America
Benin
Czech Republic
New Caledonia
New Zealand
Kyrgyzstan
Italy
Lebanon
Malta
Finland
Switzerland
Brazil
Liechtenstein
Germany
Ukraine
The top of the country list
Validate
DNSSEC
% who
validate
DNSSEC
59.48%
25.17%
24.88%
21.95%
21.40%
15.75%
14.74%
7.07%
6.79%
4.82%
4.69%
3.75%
3.37%
2.83%
2.09%
1.98%
1.97%
1.89%
1.65%
1.65%
1.41%
1.21%
1.15%
1.15%
1.11%
0.94%
0.78%
Total
SE
IE
CL
PR
ZA
US
CZ
NZ
IT
MT
FI
CH
BR
DE
UA
CA
SK
PL
HU
JP
UY
LT
CO
SI
RS
ID
TR
1982
1632
2068
570
782
9149
858
569
1917
171
93
171
1411
484
329
543
62
799
255
792
35
105
73
41
133
308
91
3332
6484
8313
2597
3655
58074
5820
8045
28228
3545
1981
4562
41906
17105
15711
27405
3140
42284
15432
48089
2485
8658
6331
3573
11963
32891
11656
Sweden
Ireland
Chile
Puerto Rico
South Africa
United States of America
Czech Republic
New Zealand
Italy
Malta
Finland
Switzerland
Brazil
Germany
Ukraine
Canada
Slovakia
Poland
Hungary
Japan
Uruguay
Lithuania
Colombia
Slovenia
Serbia
Indonesia
Turkey
Ranking only those CCs with more than 1000 sample points in this experiment run (106 CC’s)
The bottom of the country list
Validate
DNSSEC
% who
validate
DNSSEC
59.48%
25.17%
24.88%
21.95%
21.40%
15.75%
14.74%
7.07%
6.79%
4.82%
4.69%
3.75%
3.37%
2.83%
2.09%
1.98%
1.97%
1.89%
1.65%
1.65%
1.41%
1.21%
1.15%
1.15%
1.11%
0.94%
0.78%
SE
IE
CL
PR
ZA
US
CZ
NZ
IT
MT
FI
CH
BR
DE
UA
CA
SK
PL
HU
JP
UY
LT
CO
SI
RS
ID
TR
1982
1632
2068
570
782
9149
858
569
1917
171
93
171
1411
484
329
543
62
799
255
792
35
105
73
41
133
308
91
Total
3332
6484
8313
2597
3655
58074
5820
8045
28228
3545
1981
4562
41906
17105
15711
27405
3140
42284
15432
48089
2485
8658
6331
3573
11963
32891
11656
Sweden
Ireland
Chile
Puerto Rico
South Africa
United States of America
Czech Republic
New Zealand
Italy
Malta
Finland
Switzerland
Brazil
Germany
Ukraine
Canada
Slovakia
Poland
Hungary
Japan
Uruguay
Lithuania
Colombia
Slovenia
Serbia
Indonesia
Turkey
Validate
DNSSEC
% who
validate
DNSSEC
0.01%
0.01%
0.01%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
0.00%
Total
GR
SA
CY
AE
QA
LK
DZ
KW
OM
KZ
JO
EC
BH
YE
MO
PS
MU
LV
PA
NG
ZW
SD
ME
SV
GT
TT
JM
6
3
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
70060
36156
11523
28475
16413
10401
6574
6192
4317
4153
4177
3868
3135
2526
2287
2321
2098
1945
1617
1394
1392
1273
1244
1182
1127
1058
1088
Greece
Saudi Arabia
Cyprus
United Arab Emirates
Qatar
Sri Lanka
Algeria
Kuwait
Oman
Kazakhstan
Jordan
Ecuador
Bahrain
Yemen
Macao
Occupied Palestine
Mauritius
Latvia
Panama
Nigeria
Zimbabwe
Sudan
Montenegro
El Salvador
Guatemala
Trinidad and Tobago
Jamaica
Ranking only those CCs with more than 1000 sample points in this experiment run (106 CC’s)
DNSSEC-Validating Clients by AS
– the top AS’s
Validate
DNSSEC
% who
validate
DNSSEC
97.54%
97.26%
97.03%
96.83%
96.49%
96.26%
94.93%
94.30%
91.87%
90.86%
90.79%
88.06%
87.83%
87.74%
87.40%
86.25%
85.19%
83.78%
82.26%
80.43%
80.27%
80.09%
80.00%
79.44%
76.16%
Total
AS44143
AS27831
AS44034
AS28725
AS15600
AS20776
AS12912
AS31343
AS29518
AS5466
AS38484
AS22047
AS11992
AS3737
AS17711
AS3301
AS3245
AS41833
AS8473
AS7922
AS4704
AS5713
AS41749
AS24852
AS1257
119
122 RS VIPMOBILE-AS Vip mobile d.o.o., Serbia
71
73 CO Colombia M?vil, Colombia
261
269 SE HI3G Hi3G Access AB, Sweden
61
63 CZ CZ-EUROTEL-AS AS of Eurotel Praha, Czech Republic
55
57 CH FINECOM Finecom Telecommunications AG, Switzerland
180
187 FR OUTREMER-AS Outremer Telecom, France
712
750 PL ERA Polska Telefonia Cyfrowa S.A., Poland
248
263 UA INTERTELECOM Intertelecom Ltd, Ukraine
113
123 SE BREDBAND2 Bredband2 AB, Sweden
1631 1795 IE EIRCOM Eircom Limited, Ireland
69
76 AU VIRGIN-BROADBAND-AS-AP Virgin Broadband VISP, Australia
2066 2346 CL VTR BANDA ANCHA S.A., Chile
570
649 PR CENTENNIAL-PR - Centennial de Puerto Rico, Puerto Rico
93
106 US PTD-AS - PenTeleData Inc., United States of America
111
127 TW NDHU-TW National Dong Hwa University, Taiwan
508
589 SE TELIANET-SWEDEN TeliaSonera AB, Sweden
46
54 BG DIGSYS-AS Digital Systems Ltd, Bulgaria
62
74 LB MOSCANET Moscanet (WISE), Lebanon
102
124 SE BAHNHOF Bahnhof Internet AB, Sweden
8855 11010 US COMCAST-7922 - Comcast Cable Communications, Inc., United States of America
118
147 JP SANNET SANYO Information Technology Solutions Co., Ltd., Japan
744
929 ZA SAIX-NET, South Africa
100
125 RO NETCOMPUTERS-AS Net & Computers SRL, Romania
85
107 LT VINITA VINITA Internet Services, Lithuania
409
537 EU TELE2, European Union
Ranking only those ASs with more than 50 sample points in this experiment run (15,134 AS’s)
The Sort-of-Good News
1.6% of clients appear to use DNSSEC-validating
resolvers - that’s almost twice the amount
DNSSEC validation coverage for the Internet
than the amount of users who have IPv6!
And finally...
The “Mad Resolver” prize goes to the
pair of resolvers:
217.73.15.39
217.73.15.38
who successfully queried for the
same A RR from our server for a total
of 93,237 times over eight hours
Thanks guys! Great achievement!
Thank you!