Observations from the DNSSEC deployment
Tue, 05/20/2008 - 15:43 by Sébastien Barré
This paper by E. Osterweil, D. Massey and L. Zhang describes the lessons learned from their tool, secspider (http://secspider.cs.ucla.edu/).
After introducing DNSSEC, they show that DNSSEC is currently not widely deployed, and that many "islands of security" exist. An island of security is a (set of) zone(s) that have deployed DNSSEC while their parent has not, so the trust chain cannot be established from the root down to them. In particular, the root servers have not enabled DNSSEC.
The technique used by secspider to discover DNSSEC-enabled zones is a combination of DNS crawling and user submission.
The measurements performed by secspider show that many zones follow the default configuration settings, which is not always a good choice. An example is the poor use of the KSK and ZSK. A KSK (Key Signing Key) is a key signed by the DNS parent and used to establish the trust chain. Normally the KSK is supposed to have a long lifetime, in order to avoid too many interactions between different administrative entities. The ZSK (Zone Signing Key) serves to sign a specific zone, and is itself signed with the KSK. Since the KSK belongs to the same entity as the ZSK, signing the ZSK is simpler than asking the parent to sign the KSK. Thus the lifetime of the ZSK is supposed to be shorter.
Experience from secspider shows that in practice many operators use the same lifetime for the KSK and the ZSK, thus losing the benefits of those different lifetimes.
The paper also underscores the need for an automated way of configuring DNSSEC, because while human errors in standard DNS may cause degraded performance, human errors in DNSSEC may lead to unavailability.
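As an added illustration of the KSK/ZSK lifetime point (this is example code written for this post, not secspider's code or anything from the paper), the script below tells a KSK from a ZSK by the flags field of a DNSKEY record (257 = zone key with the SEP bit, 256 = zone key without it) and warns when a zone's KSK is not scheduled to live longer than its ZSK. The zone names, rollover dates and key material are constructed sample data.

```python
from datetime import date

# DNSKEY flag bits (RFC 4034 / RFC 3757): ZONE marks a zone-signing-capable key,
# SEP (Secure Entry Point) is the conventional marker for the KSK.
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001


def key_role(flags: int) -> str:
    """Classify a DNSKEY by its flags: KSK (zone key + SEP), ZSK (zone key only), or other."""
    if not flags & FLAG_ZONE:
        return "other"
    return "KSK" if flags & FLAG_SEP else "ZSK"


def parse_dnskey(line: str) -> dict:
    """Parse a presentation-format DNSKEY record: owner TTL class DNSKEY flags proto alg key."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *_key = line.split()
    if rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return {
        "owner": owner,
        "flags": int(flags),
        "protocol": int(proto),
        "algorithm": int(alg),
        "role": key_role(int(flags)),
    }


def audit_lifetimes(zone: str, keys: list) -> list:
    """keys: list of (dnskey_line, activation_date, retirement_date) from the rollover plan.

    Returns a list of human-readable findings; an empty list means the zone keeps
    the KSK long-lived and the ZSK short-lived, as the paper recommends.
    """
    findings = []
    lifetimes = {"KSK": [], "ZSK": []}
    for line, activate, retire in keys:
        rec = parse_dnskey(line)
        if rec["role"] in lifetimes:
            lifetimes[rec["role"]].append((retire - activate).days)

    if not lifetimes["KSK"] or not lifetimes["ZSK"]:
        findings.append(f"{zone}: both a KSK and a ZSK are needed to separate the "
                        "trust-chain role from the zone-signing role")
        return findings

    # The shortest-lived KSK must still outlive the longest-lived ZSK.
    ksk_days = min(lifetimes["KSK"])
    zsk_days = max(lifetimes["ZSK"])
    if ksk_days <= zsk_days:
        findings.append(f"{zone}: KSK lifetime ({ksk_days} d) is not longer than "
                        f"ZSK lifetime ({zsk_days} d); the parent-signed key gains nothing")
    return findings


# Constructed sample data: "AwEAAexample==" stands in for real base64 key material.
GOOD_ZONE = [
    ("good.example. 3600 IN DNSKEY 257 3 5 AwEAAexample==", date(2008, 1, 1), date(2009, 1, 1)),
    ("good.example. 3600 IN DNSKEY 256 3 5 AwEAAexample==", date(2008, 5, 1), date(2008, 6, 1)),
]
# The default-configuration mistake the paper observes: identical lifetimes for both keys.
BAD_ZONE = [
    ("bad.example. 3600 IN DNSKEY 257 3 5 AwEAAexample==", date(2008, 5, 1), date(2008, 6, 1)),
    ("bad.example. 3600 IN DNSKEY 256 3 5 AwEAAexample==", date(2008, 5, 1), date(2008, 6, 1)),
]

if __name__ == "__main__":
    for zone, keys in (("good.example.", GOOD_ZONE), ("bad.example.", BAD_ZONE)):
        for finding in audit_lifetimes(zone, keys) or [f"{zone}: ok"]:
            print(finding)
```

The lifetimes come from the operator's rollover plan rather than from the zone itself, because DNSKEY records carry no validity dates; in a real audit one would feed in the scheduled activation and retirement dates of each key.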
Finally, as future work, the paper announces that the authors want to improve secspider by making it distributed, and to "evolve it towards a key lookup system, as a viable solution to support isolated islands of DNSSEC deployment".