
Mapping the DNSSEC Quality of DNSSEC Secured .se Domains

The material presented in this article is taken from my thesis; the full work is available in DiVA [1].

DNS in the Digital World

The digital world we live in is constantly changing and evolving. As technology becomes increasingly advanced, so do the threats to our digital security. An essential part of the internet infrastructure is the DNS (Domain Name System), which serves as the "phone book of the internet", converting domain names into IP addresses that computers can understand. Traditionally, DNS has had no cryptographic protection, which led to the development of DNSSEC. DNSSEC (Domain Name System Security Extensions) is an addition to DNS that was introduced to counter certain security threats, such as cache poisoning and man-in-the-middle attacks. By using digital signatures to verify DNS data, DNSSEC helps ensure that the information you receive from a DNS server comes from the expected source and has not been manipulated in transit.

Despite the benefits and enhanced security that DNSSEC offers, its adoption and usage are still not widespread. Economic incentives are used to encourage the implementation of DNSSEC: some top-level domains, such as .se, offer discounts for signed domain names. However, there is a concern that large operators might take advantage of these incentives by setting up insecure DNSSEC implementations purely to receive the discount for signed domain names. This raises questions about how effective these incentives really are in encouraging the use of DNSSEC. The thesis this article is based on investigated whether the subdomains of the .se zone follow the recommended DNSSEC standards, by mapping the DNSSEC quality of subdomains of the .se zone.


In the thesis, I used a comprehensive database consisting of approximately 950,000 domains. Each of these domains has a DS (Delegation Signer) record, i.e., is signed with DNSSEC. Due to the large volume of data, I chose to run the analysis on a subset of 100,000 domains randomly selected from the total of 950,000. If you're interested in gaining a deeper understanding of the subject, I recommend reading my full report. It provides an extensive analysis of DNSSEC-secured .se domains, offering more detailed insights into their quality and adherence to recommended standards. You can find the full report in the DiVA portal [1].

99.9% use recommended algorithms

DNSKEY is the record that holds the public key used to verify signed DNS data [2]. The key can be generated with one of several cryptographic algorithms. The study found that the vast majority of the investigated .se domains comply with the approved and recommended algorithms for DNSKEY. Specifically, the results showed that approximately 99.9% of the domains use recommended algorithms. This provides a robust and secure DNS infrastructure and shows that the work done to maintain these standards and recommendations is bearing fruit.

Correct RSA key length in most cases

One type of cryptographic algorithm used in DNSKEY is RSA, whose keys can have varying lengths. Security requirements for RSA have consistently moved toward longer key lengths. While the current DNS standard allows key lengths from 512 to 4096 bits, a minimum key length of 2048 bits is recommended for sufficient protection. The study revealed that RSA keys use the recommended length of 2048 bits in approximately 98 percent of cases, in line with the recommendations for DNSSEC.

ZSK and KSK versus CSK

There are two models for DNSKEY. The first model is to have two DNSKEYs, where the first DNSKEY is called ZSK (Zone Signing Key) and the other DNSKEY is called KSK (Key Signing Key). The second model is called CSK (Combined Signing Key). If the ZSK/KSK model is used, ZSK is used for signing DNS data within a zone, while KSK is used for signing the DNSKEY resource record. If the CSK model is used, CSK refers to a combined key that combines the functions of both the ZSK and the KSK.

Among the examined .se domains, the keys were distributed as follows: 83.36 percent used the ZSK/KSK model, 16.21 percent employed the CSK model, and 0.43 percent utilized other models. This distribution indicates clear trends in how DNSSEC implementations are managed within .se domains. The dominant use of the ZSK/KSK model suggests a traditional implementation approach. Simultaneously, a significant proportion of CSK usage indicates that this type of model is also in existence.
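The three checks above (recommended algorithm, RSA key length, and ZSK/KSK versus CSK model) can be run on DNSKEY records in presentation format. The block below is an added example, not code from the thesis; it assumes RFC 8624 as the set of recommended algorithms, the RFC 3110 wire format for RSA public keys, and a classification in which a zone with both SEP and non-SEP keys uses the ZSK/KSK model and a zone with only SEP keys uses CSK. The sample keys are constructed, not real .se data.

```python
import base64

# Assumed recommendation set, taken from RFC 8624 (the page does not list the
# algorithms the thesis counted as recommended, so this is an assumption).
RECOMMENDED_ALGS = {8, 13, 14, 15, 16}   # RSASHA256, ECDSAP256/384, ED25519, ED448
RSA_ALGS = {5, 7, 8, 10}                 # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
SEP_FLAG = 0x0001                        # Secure Entry Point bit: flags 257 = KSK/CSK, 256 = ZSK

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RSA DNSKEY public key in RFC 3110 wire format."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:                     # long exponent: a 2-byte length follows
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(rr: str) -> dict:
    """Parse one DNSKEY record in presentation format and judge it."""
    owner, _ttl, _cls, _rtype, flags, _proto, alg, key_b64 = rr.split(maxsplit=7)
    flags, alg = int(flags), int(alg)
    pubkey = base64.b64decode("".join(key_b64.split()))
    rsa_bits = rsa_modulus_bits(pubkey) if alg in RSA_ALGS else None
    return {"owner": owner, "flags": flags, "alg": alg,
            "recommended_alg": alg in RECOMMENDED_ALGS, "rsa_bits": rsa_bits,
            "rsa_ok": rsa_bits is None or rsa_bits >= 2048}   # 2048-bit minimum

def key_model(keys: list) -> str:
    """Assumed classification: SEP and non-SEP keys = ZSK/KSK; SEP only = CSK."""
    sep_bits = {k["flags"] & SEP_FLAG for k in keys}
    if sep_bits == {0, 1}:
        return "ZSK/KSK"
    if sep_bits == {1}:
        return "CSK"
    return "other"

# Constructed sample keys (not real .se data): RSA KSK + ZSK, and an ECDSA CSK.
def _rsa_key(bits: int) -> str:
    rdata = b"\x03\x01\x00\x01" + b"\xc1" + b"\x00" * (bits // 8 - 1)   # e=65537
    return base64.b64encode(rdata).decode()

SAMPLE_ZONE_A = [
    f"example.se. 3600 IN DNSKEY 257 3 8 {_rsa_key(2048)}",   # KSK, 2048-bit RSASHA256
    f"example.se. 3600 IN DNSKEY 256 3 8 {_rsa_key(1024)}",   # ZSK, too short
]
SAMPLE_ZONE_B = ["other.se. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(b"\x11" * 64).decode()]
if __name__ == "__main__":
    for zone in (SAMPLE_ZONE_A, SAMPLE_ZONE_B):
        print(key_model([parse_dnskey(rr) for rr in zone]))
```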

CDS and CDNSKEY

Each signed zone has a DS record in the parent zone, in this case the .se zone; the DS record refers to a DNSKEY in the child zone. Changing the DS record can be a complex operation. CDS and CDNSKEY are DNSSEC records that the child zone publishes to signal changes to its secure entry point, i.e., the DS record the parent should hold [3].

The distribution of domains without CDS and CDNSKEY records or with one of the record types is as follows:

  • 98.60 percent of the domains lack both CDS and CDNSKEY.
  • 1.40 percent of the domains have either CDS or CDNSKEY, or both CDS and CDNSKEY.

A vast majority of domains have neither CDS nor CDNSKEY. These components are needed only during DS changes, which are infrequent among most domains. Consequently, the uptake of CDS and CDNSKEY has been notably slow, indicating their limited penetration within the domain space.

Regarding the distribution among those domains that have CDS or CDNSKEY records in the examined .se domains, the results were distributed as follows:

  • 68.68 percent of the domains had only CDS.
  • 1.02 percent of the domains had only CDNSKEY.
  • 30.31 percent of the domains had both CDS and CDNSKEY.

The .se registry acts on CDS records and ignores CDNSKEY in its domain management guidelines.

RRSIG for SOA, NS, and DNSKEY RRset

In a signed zone, each combination of owner name and record type forms an RRset, the set of records with that name and type. When an authoritative name server signs each RRset in the zone using the private key of the DNSKEY pair, a digital signature is created and stored in an RRSIG record. So, in a signed zone, there is an RRSIG record for each RRset. The RRSIG contains a DNSSEC signature that DNS resolvers can verify using the public key from a DNSKEY record. The SOA RRset provides key authoritative details about a DNS zone, and the NS RRset identifies the name servers responsible for a domain [2] [5]. The SOA and NS RRsets exist in every DNS zone, and a DNSKEY RRset exists in every signed DNS zone.

Among the .se domains that were studied, the most common signature lifetime for the RRSIG records covering the SOA, NS, and DNSKEY RRsets was 21 days. In other words, the digital signatures over these resource record sets were typically set to expire 21 days after their inception in the examined .se domain names.
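The signature lifetime of an RRSIG is the difference between its expiration and inception fields, so the 21-day figure above can be reproduced from the records themselves. The block below is an added example, not code from the thesis; it assumes the RFC 4034 presentation format (UTC timestamps as YYYYMMDDHHmmSS) and uses constructed sample signatures whose signature bytes are a placeholder.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def _rrsig_time(s: str) -> datetime:
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(rr: str) -> dict:
    """Fields: owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig."""
    f = rr.split()
    return {"owner": f[0], "covered": f[4], "alg": int(f[5]),
            "expiration": _rrsig_time(f[8]), "inception": _rrsig_time(f[9]),
            "keytag": int(f[10]), "signer": f[11]}

def lifetime_days(sig: dict) -> float:
    """Signature lifetime = expiration - inception, in days."""
    return (sig["expiration"] - sig["inception"]) / timedelta(days=1)

def is_valid_at(sig: dict, now: datetime) -> bool:
    """A signature only validates while inception <= now <= expiration."""
    return sig["inception"] <= now <= sig["expiration"]

def most_common_lifetime(sigs: list, covered=("SOA", "NS", "DNSKEY")) -> int:
    """Mode of the whole-day lifetime over the SOA, NS and DNSKEY signatures."""
    days = [round(lifetime_days(s)) for s in sigs if s["covered"] in covered]
    return Counter(days).most_common(1)[0][0]

def invalid_at(sigs: list, when: str) -> list:
    """Types covered by signatures that do not validate at the given RRSIG-format time."""
    now = _rrsig_time(when)
    return [s["covered"] for s in sigs if not is_valid_at(s, now)]

# Constructed sample signatures (not real .se data); "c2ln" stands in for the signature.
SAMPLE_RRSIGS = [parse_rrsig(rr) for rr in [
    "example.se. 3600 IN RRSIG SOA 13 2 3600 20230721000000 20230630000000 11111 example.se. c2ln",
    "example.se. 3600 IN RRSIG NS 13 2 3600 20230721000000 20230630000000 11111 example.se. c2ln",
    "example.se. 3600 IN RRSIG DNSKEY 13 2 3600 20230721000000 20230630000000 22222 example.se. c2ln",
    "example.se. 3600 IN RRSIG A 13 2 3600 20230707000000 20230630000000 11111 example.se. c2ln",
]]

if __name__ == "__main__":
    print("most common lifetime (days):", most_common_lifetime(SAMPLE_RRSIGS))
    print("not valid on 2023-07-10:", invalid_at(SAMPLE_RRSIGS, "20230710000000"))
```

A resolver that sees the A signature above on 2023-07-10 will fail validation (SERVFAIL), which is why lifetime and re-signing schedule matter as much as the key itself.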

DNSSEC validation for SOA and NS

DNSSEC provides a method for ensuring that the data obtained from DNS resolvers is accurate and unaltered, which guarantees the reliability and accuracy of DNS information. A fundamental principle in DNSSEC is to validate that the data is correct and unaltered. As mentioned above, DNSKEY and RRSIG are the components used for this validation in DNSSEC. Regarding DNSSEC validation for SOA and NS, the results show that 99.40% of the investigated domains have correctly signed SOA and NS records, demonstrating a good DNS infrastructure. This high figure suggests strong compliance with the DNSSEC standard and an overall high quality of DNSSEC implementation within the .se domains.

Conclusion

In conclusion, while the majority of .se domains display good DNSSEC quality, there are a small number of domains that show deficiencies in DNSSEC. This mapping thus shows that the majority of .se domains follow the recommendations for DNSSEC, but that there is room for improvement.

Thomas Ido

Sources

  1. Ido T. Kartläggning av DNSSEC-kvalitet hos DNSSEC-säkrade se-domäner (Mapping the DNSSEC Quality of DNSSEC-secured .se Domains). DiVA; 2023 [cited 2023 Jun 27].
  2. Wikipedia contributors. Domain Name System Security Extensions [Internet]. Wikimedia Foundation; 2023 [cited 2023 Jun 15].
  3. Mens JP. DNSSEC provisioning automation with CDS/CDNSKEY in the real world [Internet]. APNIC Blog; 2021 [cited 2023 Jun 20].
  4. record:rrsig : DNS RRSIG record object. Infoblox WAPI 2.11.2 documentation [Internet]. Illinois.edu; 2020 [cited 2023 Jun 20].
  5. Wikipedia contributors. Domain Name System [Internet]. Wikimedia Foundation; 2023 [cited 2023 Jun 15].