Category: DNSSEC

Feb 13

Are There More (or Newer) DNSSEC / DANE Application Developer Libraries We Should Add To Our List?

dnssecWhat developer libraries / modules are you using to add DNSSEC or DANE support to your applications?  For some time now we’ve maintained a list of DNSSEC developer libraries at:

http://www.internetsociety.org/deploy360/resources/dnssec-developer-libraries/

but I noticed that the list is now two years old!  While many of the libraries listed on the “common” ones that many developers use, I have to think that there have also been some newer libraries in the time since, perhaps in some other languages.  Before I spent time looking around developer sites and mailing lists, I thought I would ask you all who visit this site – do you know of any libraries we aren’t listing?

If you are aware of any additional libraries that we should add to the list, we would love to hear about them, either as comments to this blog post, as comments on the social networks where this post will appear, or via email or our feedback form.

Your help will be greatly appreciated!  Thanks!

Feb 08

Weekend Project: Test Out New DNSSEC Support In Dnsmasq

Dnsmasq iconIf you run your own small network and are comfortable working with Linux, Android, *BSD, Solaris or Mac OS X, here’s a great way you could help advance DNSSEC: Simon Kelley is looking for people to test the new DNSSEC functionality he included in his latest development version of dnsmasq.

If you are not familiar with dnsmasq, it is a DNS fowarder and DHCP server that is already included in many versions of Linux, including Debian, Suse, Fedora, Gentoo and others.  From the dnsmasq website:

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP/TFTP/PXE for network booting of diskless machines.

Dnsmasq is targeted at home networks using NAT and connected to the internet via a modem, cable-modem or ADSL connection but would be a good choice for any smallish network (up to 1000 clients is known to work) where low resource use and ease of configuration are important.

If you have a bit of time and could help Simon out with some testing, he would greatly appreciate it – and if this can mean that we’ll be able to get DNSSEC validation happening out in so many more distributions of Linux that would be a great win for making the Internet more secure!

Please read Simon’s message and you may also want to scan the email thread to see if there are any more updates or issues found.

Kudos to Simon for making this happen – and also to Comcast for providing enough funding that Simon was able to work on this full-time for a bit to get it working.

Feb 04

NLnet Labs Releases Helpful DNSSEC Infrastructure Audit Framework

NLNet Labs DNSSEC Infrastructure Audit FrameworkHow secure is your DNSSEC infrastructure? If you operate a registry for a top-level domain (TLD) or if you are a DNS operator providing DNSSEC signing services, how secure are your operations?  And how secure are your mechanisms for communicating DNSSEC information with registrars and other entities?  Or, if you are a security auditor or researcher, how can you best assess the security of your client’s DNSSEC infrastructure?

To help assess DNSSEC infrastructure and answer questions like these, the great folks at NLnet Labs recently released a “DNSSEC Infrastructure Audit Framework” available publicly for anyone to use.  You can download the document and use it as a checklist to audit your own infrastructure or that of someone else.

As noted in the introduction, this document is not intended to be any kind of formal standard or assessment, but rather a guide and checklist to help people looking to understand how secure their DNSSEC infrastructure is:

A DNSSEC audit is the process of structural examination of a DNSSEC infrastructure. The purpose of this process is to evaluate the level of assurance of the system. This is achieved by reviewing the implementation and operation of the system controls and whether they are in compliance with the corresponding policy requirements or, in absence of formal policies, with best current industry practices.

A key document for performing an audit is a review checklist. The review checklist provides structure of the actual work and gives confidence that the audit scope is adequately covered. This document is a generic checklist for a DNSSEC review and provides a framework that assists auditors to perform an actual DNSSEC audit. However, the actions herein do not conform any formal audit standards and are merely intended to provide directions of how an audit might look like.

This document is neither standard nor best practice and is not suitable for any form of formal certification. Its intention is to offer a basis for a structured review of a DNSSEC environment.

The authors welcome feedback on this document so that it can mature. The licensing terms of the document are such that any entity may modify and publish the document on their own terms as long as NLnet Labs is being acknowledged. Incorporation in other documents, including standards is encouraged.

This is great contribution to the larger work of DNSSEC deployment and we thank Matthijs Mekking and Olaf Kolkman for both writing this document and then also making it public under a lenient license.

We hope many of you will find it helpful and do encourage you to provide feedback to Matthijs and Olaf. Using documents like this we can make the Internet more secure!

 

Feb 01

Weekend Project: Install The DNSSEC/TLSA Validator for Chrome, Firefox, more

DNSSEC / TLSA ValidatorHow do you know if a website has a domain signed by DNSSEC?  Here’s another quick weekend project, very similar to last weekend’s project , where you can add support to your web browsers to know the DNSSEC status of sites you are visiting.  Even better, as people start to use the DANE protocol to secure TLS/SSL certificates, you’ll be able to know when DANE is being use.

The great team at CZ.NIC Labs has released a new version 2.1 of their plugin for Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Opera.  You can get it at:

https://www.dnssec-validator.cz/

A key difference in this version from previous versions is that it now has support for the TLSA record in DNS that is used by the DANE protocol to add an extra layer of trust to the usage of TLS/SSL certificates.

Once you have the DNSSEC/TLSA validator installed in your browser, you should be able to go to links on these pages to test out your new capabilities:

When you visit the sites, you should see additional icons in your browser’s address bar that will give you information such as this:

tlsa-browser

The addition of TLSA record support is a great new feature!  While TLSA record usage is still quite small among web sites today, having this ability to see the TLSA usage will definitely help the people out there who are pioneering the usage.

Kudos to the CZ.NIC team for making this available!

P.S. Do note that in order for this to work in your web browser needs to have access to a DNSSEC-validating DNS resolver.   [UPDATE: As noted in the comments to this post, the add-on no longer requires access to a DNSSEC-validating DNS resolver. The required capabilities were built into the code instead.  Having said that, it's still also great to make sure your local DNS resolver does do DNSSEC validation for all the other apps you have.] The add-on can use DNSSEC-validating DNS resolvers from CZ.NIC or Google, buy why not make your network that much more secure and install your own DNSSEC-validating resolvers?  Check out our recent weekend project to learn more about how to configure DNSSEC validation on your local DNS resolver.

Jan 31

Video – ENOG6: DNSSEC and DANE Deployment Trends, Tools And Challenges

What are DNSSEC and DANE all about?  What advantages do they have?  What tools are out there to help?  Back in October I spoke at the ENOG 6 event in Kiev, Ukraine, about DNSSEC deployment trends and also the opportunities with the DANE protocol to build an additional secure layer of trust in TLS/SSL certificates.  The video is available for viewing and the slides are also available online:

It was a great session and I had a good number of questions from people in the room.  Now.. the question is… how can we help YOU deploy DNSSEC?

Jan 29

Join The “dnssec-maps” List To Receive Weekly DNSSEC Deployment Maps

2014-01-23-2014-01-23We’re pleased to announce that for those of you interested in the current status of DNSSEC deployment, you can now receive a weekly email with the latest DNSSEC deployment maps with both a global and regional perspective.

All you need to do is subscribe to the public “dnssec-maps” mailing list and each Monday you will receive a message containing:

  • Maps showing the current state of DNSSEC deployment among country-code top-level domains (ccTLDs):
    • A global view of ccTLD DNSSEC status
    • Regional views for Africa, Asia-Pacific, Europe, Latin America and North America
  • Maps showing the past state of DNSSEC deployment one year prior to the date
  • Maps showing the predicted future state of DNSSEC deployment one year ahead based on information provided from various sources.
  • Comma-separate-value (CSV) files containing the DNSSEC status of all the ccTLDs and the “generic top-level-domains (gTLDs)”, including all the “newgTLDs” (which are all required to be DNSSEC-signed when they launch).

You are free to use these images for presentations, articles, reports, etc., subject to a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. (Rough translation: you need to credit us and you can’t sell the maps.)

As noted on our “DNSSEC Deployment Maps” page, these maps are a bit different than many of the other sources of DNSSEC statistics in that they are based on both factual observed data (ex. is there a DS record in the root zone?) and also information gathered from various other sources such as industry presentations, news articles, DNSSEC-related mailing lists and other venues.  The intent is to provide the best possible view of DNSSEC deployment both now and in the future.

The database behind these maps and the software to produce them was developed and operated by Steve Crocker’s Shinkuro, Inc.  The responsibility and ownership of the maps was recently transferred to the Internet Society Deploy360 Programme as part of our ongoing working relationship with Shinkuro and Parsons Technology to accelerate DNSSEC deployment.  We are definitely grateful to Shinkuro for all the great work they put into this extremely useful project and for their assistance in the transfer of operations.

We hope you find the public availability of these maps to be useful and encourage you to join the mailing list.  Please do send along any and all feedback, particularly if you see any errors in the current maps.  We also welcome your ideas and interest in enhancements we could potentially make.  For instance, we’re thinking about how we might be able to visualize the DNSSEC status of all the generic TLDs that are not tied to a country and cannot therefore be placed on a map.  Ideas and suggestions are always welcome, either as comments to this blog post or as email or messages to us.  Thanks for your interest in DNSSEC!

 

Jan 26

Video/Slides – Geoff Huston On Measuring DNSSEC Usage at RIPE67

How many people are actually performing DNSSEC validation on DNS queries? What is the true penetration of DNSSEC usage?  While there are many sites offering DNSSEC statistics about the number of signed domains or TLDs, what kind of measurements can be done on the validation side of DNSSEC?  And what is the performance impact of doing DNSSEC validation?

At the RIPE67 meeting Geoff Huston of APNIC gave an entertaining presentation around these exact questions based on measurements through a system of Flash-based web advertisements he has been using.  His slides are available online and the video presentation runs about 28 minutes:

Geoff Huston speaking

The information is certainly useful and we look forward to future presentations based on these measurements!

 

Jan 23

New DNSSEC Deployment Maps Now Available

2014-01-23-2014-01-23Curious to see where DNSSEC is available around the world? We’ve just published the latest DNSSEC deployment maps showing which “country code top-level domains” (ccTLDs) have signed their domains with DNSSEC and the status of many others. We have a global map and also regional maps for Africa, Asia Pacific, Latin America, North America and  Europe.

All of these maps can be found on:

http://www.internetsociety.org/deploy360/dnssec/maps/

As we note on that page, these maps are a bit different from many other DNSSEC statistics sites in that they offer not just information based on observable data but also information based on news reports, industry presentations, interactions with DNS operators and other sources.   The maps are free for anyone to use subject to a Creative Commons license.

The main point of these maps is that the show the signed top-level domains (TLDs). Having a signed TLD is the first step in being able to sign your own domain and give it the additional layer of security possible through DNSSEC.  Once a TLD is signed, you then need to have a registrar that supports passing DNSSEC records and you need a DNS hosting operator (or need to host the zone yourself) who can sign your DNS records with DNSSEC.  But it all starts with having a signed TLD, which is why this is so critical.

Obviously on maps like these we can only show the “country code TLDs (ccTLDs)” as the other “generic TLDs” such as .COM, .ORG, don’t have any location we can easily put on a map.  This includes all the many “new generic TLDs” (newgTLDs) that are appearing each week.  We don’t quite know how to visualize those yet… so for the moment the maps are just for ccTLDs.

I’d like to note that the great team working with Steve Crocker at Shinkuro created the programs and operated the database for these maps until the project was recently transitioned to our team here at the Internet Society Deploy360 Programme as part of our work with Shinkuro and Parsons Technology (announced last July) to accelerate the deployment of DNSSEC.  We’re grateful for the assistance of the team at Shinkuro in helping with the transition and we’re looking forward to providing you these maps on a regular basis.

We’d love to hear your feedback on these maps.  Do you find them useful?  Are they helpful to you?  Did you see any errors?  Please do let us know, either by a comment here to this blog post, through our feedback form or email, or by posting to one of the social networks where this post appears.

Jan 20

Great News! Over 50% Of All Top-Level Domains Now Signed With DNSSEC!

The Internet hit a great DNSSEC deployment milestone today – over 50% of all TLDs are now signed! As Chris Thompson pointed out on the dnssec-deployment mailing list, if you go to a site such as ICANN’s TLD DNSSEC report that was run this morning, you’ll now see that 222 (53%) of 415 TLDs in the root zone of DNS are now signed with DNSSEC. Even better, 216 (52%) have a DS record in the root zone, which means that the DNSSEC “chain of trust” can be established for domains underneath all of those TLDs:

icann-tld-dnssec-20140120

 

Now, granted, as Chris noted in his message, this milestone has primarily happened because of the ongoing influx of all the DNSSEC-signed “new generic top-level domains (newgTLDs)“.  You can see this rather dramatically in a graph from Rick Lamb’s DNSSEC statistics site:

DNSSEC trend statistics

Regardless, it is great to see this milestone!

With over 50% of TLDs signed, have you signed your domain yet?  (Check out our tutorials on signing your domain with DNSSEC and also our DNSSEC Basics page.)

 

Jan 16

CircleID: DNS Security Should Be One Of Your Priorities (including DNSSEC)

Circle ID LogoWe were very pleased to see this recent post over at the CircleID site, “Domain Name System (DNS) Security Should Be One of Your Priorities“, by Rick Rumbarger. He makes a number of great points, particularly about the fact that so many people take DNS for granted and don’t give it the attention they should.

Naturally, given our focus on getting DNSSEC deployed, we were delighted to see his paragraph:

Activate DNSSEC On Your Domain Names – DNSSEC counters cache poisoning attacks by verifying the authenticity of responses received from name servers. It effectively prevents responses from being tampered with, because in practice, signatures are almost impossible to forge without access to the private keys. If your DNS provider is not DNSSEC capable… make a switch.

He’s right! DNSSEC is critical for protecting the integrity of the information you get out of DNS queries.   In his paragraph, he talks about the signing of domain names with DNSSEC, but it is important to remember that this is only half the equation with DNSSEC. The other piece you need to do is to enable validation of DNSSEC on your local DNS resolver.

The local validation of DNSSEC information protects the inquiries your computer makes for DNS info, and the signing protects the integrity of your own domain name.

The one point I do take issue with in Rick Rumbarger’s article is his suggestion to outsource ALL your DNS services on both the authoritative side (distributing your domain records) and the recursive resolver side (making inquiries to DNS).  On the authoritative side, I agree that outsourcing DNS services can make a whole lot more sense than running your own DNS servers.  Most of the DNS hosting companies out there have put a great amount of effort into performance, security, DDoS protection and more – and since they are focused on that can provide better protection and performance than many of us can do ourselves (unless, of course, we operate our own data centers).

However, on the recursive resolver side, I am much more of a fan of having the DNS resolution occur as close to the end user as possible. This is particularly true when you enable DNSSEC validation.  Your DNS query is going from the stub resolver on your local computer to the whatever recursive resolvers  you have configured in your computer.  These are the ”DNS servers” in most operating system network control panels and are often supplied via DHCP to computers on a local network.

The connection between your stub resolver and the recursive resolver you use is typically unencrypted and represents an area where an attacker could inject bogus DNS information.  Ideally the connection occurs over a “trusted” network, such as your local area network.  If the recursive resolver is on the edge of your local network and is performing DNSSEC validation from that point on, then the attacker would have to somehow get on your local network in order to attack your DNS queries.

If you can’t have a recursive resolver at the edge of your local network, the next best option to me is to use the recursive resolvers at your ISP . You are then only widening the attack surface to be between your local network and that of your ISPs network.

If you can’t do DNSSEC validation at either your local network edge or your ISP, you then do need to go out and use an external recursive resolver that does DNSSEC validation such as Google’s Public DNS.  However… the attack surface against your DNS queries has now been expanded to include the entire part of the public Internet that is between your computer and Google’s Public DNS servers (to use the example of Google).  An attacker now has a better chance of getting in the middle and injecting false DNS information that goes back to your stub resolver running on your machine.

So for those reasons, I prefer to run the recursive DNS resolver as close to the end user as possible. In the ideal world, the DNSSEC validation might even be performed on the local machine (which can be done today using something like DNSSEC-Trigger) or in the application the user is using.

Outside of that point, I agree with the points Rick Rumbarger raises – and it’s great to see attention being given to this issue of DNS security!

P.S. And to perfectly illustrate one of Rumbarger’s other points about having strong access control for your DNS records there is this post today about how easy it was to get a DNS hosting provider to change DNS records with a simple email message.  This is something that DNSSEC will NOT protect against because the DNS hosting provider is  changing the actual zone file that would then be encrypted with DNSSEC.  It shows again how “DNS security” is really composed of many different layers!