Tuesday, September 11, 2012

How many DNSSEC validators are you missing?

On the heels of my most recent post asking, "How many IPv6 eyeballs are you missing?," I now pose the analogous question for DNSSEC. Do your DNS servers receive queries requesting authenticated resource record data for your namespace? If so, and you have not signed your zones, then DNSSEC validators' requests for authentication will go unfulfilled. The DNS caches they are attempting to protect from poisoning will go unprotected, and so will the integrity of your DNS namespace. An attacker "impersonating" your namespace could, for example, redirect browsers to the attacker's website by providing DNS resolvers with falsified query answers using cache poisoning attacks such as those publicized by Dan Kaminsky.

On the other hand, if hardly any resolvers (i.e., caching servers) initiating queries on the Internet even perform DNSSEC validation, signing your zones will offer value only to a small number of deployed validators and no value to non-validating resolvers that ignore DNSSEC signatures. Is it worth the effort of implementing and maintaining signed zones?

In an attempt to quantify the number of DNSSEC validators issuing queries on the Internet over time, the Internet Society is asking for help on behalf of Verisign Labs. They are asking webmasters to add one line of code to their HTML files which causes each web browser visiting their site to initiate a DNS query to Verisign Labs' DNS servers authoritative for validatorsearch.verisignlabs.com. The Verisign Labs DNS servers then attempt to determine if the querying server is configured for DNSSEC validation. In this manner, Verisign Labs hopes to gather a measure of the relative quantity of DNSSEC validating resolvers making Internet queries.

This data should help DNS administrators decide when DNSSEC zone signing makes sense for them. The preliminary results indicate that 3.66% of resolvers are DNSSEC-validating resolvers. Your participation in this analysis through the addition of one line of HTML can help Verisign Labs and the Internet Society to enlarge the sample size and provide robust measurements over time. These measurements will encourage DNS administrators to implement DNSSEC to secure their namespaces with the assurance that a given percentage of resolvers are utilizing and counting on their published DNSSEC signature data.
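As an added example (not from the original post and not Verisign Labs' own measurement code), the script below shows one signal an authoritative server can read from the queries it receives: whether the resolver attached an EDNS0 OPT record with the DO bit set, which any validating resolver must do to get signature data back. The DO bit only proves the resolver asked for DNSSEC records, not that it validates them, so it gives an upper bound rather than the final count; the query name and the sample queries are constructed here.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000   # DO bit: top bit of the 16-bit flags in the OPT RR's TTL field

def build_query(qname, edns=False, do=False, txid=0x1234, qtype=1):
    """Build a minimal DNS query (RD set); optionally append an OPT RR, with or without DO."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = wire_name + struct.pack(">HH", qtype, 1)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, DO_FLAG if do else 0, 0)
    return header + question + opt

def skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def query_sets_do(buf):
    """True if the query carries an EDNS0 OPT RR whose DO bit is set."""
    _txid, _flags, qd, an, ns, ar = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO_FLAG:
            return True
    return False

def dnssec_aware_share(queries):
    """Fraction of captured queries that asked for DNSSEC data (DO set)."""
    if not queries:
        return 0.0
    return sum(1 for q in queries if query_sets_do(q)) / len(queries)

# Constructed sample: two DNSSEC-aware resolvers, one EDNS-only, one plain query.
NAME = "validatorsearch.example"   # placeholder, not the real measurement name
SAMPLE_QUERIES = [build_query(NAME, edns=True, do=True), build_query(NAME, edns=True, do=True),
                  build_query(NAME, edns=True, do=False), build_query(NAME)]
```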

