From the Beginning: Key Transitions in the First 15 Years of DNSSEC

Read original: arXiv:2109.08783 - Published 9/12/2024 by Eric Osterweil, Pouyan Fotouhi Tehrani, Thomas C. Schmidt, Matthias Wahlisch

Overview

  • The paper explores the challenge of securely transitioning cryptographic keys in the Domain Name System Security Extensions (DNSSEC) protocol.
  • DNSSEC was rolled out globally starting in 2005 to improve the security of the internet's Domain Name System (DNS).
  • The scale and decentralized nature of DNS created an unprecedented key management challenge, which the authors aim to address.

Plain English Explanation

The DNSSEC protocol was introduced to make the internet's domain name system more secure. When it was rolled out globally in 2005, it presented a new challenge: how to securely manage the cryptographic keys used to verify the authenticity of DNS information.

The DNS system is decentralized, with many different organizations responsible for managing portions of the overall system. This made the task of properly updating and replacing cryptographic keys across the entire system extremely complex. The authors of this paper wanted to better understand how this key management process was actually playing out in the real world, compared to the ideal practices prescribed for DNSSEC.

To do this, the researchers proposed two key things: 1) a way to formally describe and measure the properties of how cryptographic keys are changed or "transitioned" in DNSSEC, and 2) a classification system to categorize the different types of key transition practices being used. They then applied these tools to analyze 15 years of data on the global DNSSEC deployment.

The results showed that there were measurable gaps between the recommended key management processes and the actual key transition practices being used in the real world. However, the researchers also found evidence that some of these non-compliant key transitions were necessary for DNSSEC to function effectively in practice. The paper aims to provide a framework for better understanding and evaluating this critical aspect of internet security infrastructure.

Technical Explanation

The authors propose two key components to formally characterize and assess the process of securely transitioning cryptographic keys in the DNSSEC protocol:

  1. Anatomy of Key Transitions: Clearly defined, measurable properties that describe the specific changes made to cryptographic keys, such as the number of keys involved, the timing of the transition, and any errors or warnings that occurred.

  2. Transition Classification Model: A novel taxonomy for categorizing the different types of key transition practices observed in the real-world DNSSEC deployment, based on the "anatomy" concepts.

The researchers then applied this framework to analyze 15 years of data on the global DNSSEC rollout, covering all possible key transitions - not just the idealized 1:1 key "rollovers" considered in prior work.

The results revealed measurable gaps between the prescribed DNSSEC key management processes and the actual key transitions being used in operations. However, the analysis also found evidence that some of these non-compliant key transitions were necessary for the DNSSEC system to function effectively in practice.
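To make "measurable properties of key changes" concrete, here is an added example; it is not code from the paper or from this summary. It derives transitions from periodic observations of a zone's DNSKEY set. The snapshot data is constructed, and the cardinality label, overlap measure and `abrupt` flag are illustrative assumptions, not the authors' taxonomy.

```python
from datetime import date

# Constructed observations for one zone: (date, KSK key tags in the DNSKEY set).
# Real data should identify keys by a digest of the key material, since
# 16-bit key tags can collide.
SNAPSHOTS = [
    (date(2010, 1, 1), {1111}),
    (date(2010, 3, 1), {1111, 2222}),        # successor pre-published
    (date(2010, 4, 1), {2222}),              # old key withdrawn
    (date(2011, 4, 1), {3333, 4444}),        # one key swapped for two at once
    (date(2012, 4, 1), {3333, 4444, 5555}),
    (date(2012, 5, 1), {5555}),              # two keys withdrawn for one
]

def key_lifetimes(snapshots):
    """Map key tag -> (index of first snapshot seen, index of last snapshot seen)."""
    life = {}
    for i, (_, keys) in enumerate(snapshots):
        for k in keys:
            life[k] = (life.get(k, (i, i))[0], i)
    return life

def transitions(snapshots):
    """Return one record per snapshot in which keys have left the DNSKEY set."""
    life = key_lifetimes(snapshots)
    claimed, found = set(), []
    for i in range(1, len(snapshots)):
        day, present = snapshots[i]
        outgoing = {k for k, (_, last) in life.items() if last == i - 1}
        if not outgoing:
            continue
        oldest = min(life[k][0] for k in outgoing)
        # Successors: published keys newer than the outgoing ones that no
        # earlier transition has already counted.
        incoming = {k for k in present if life[k][0] > oldest} - claimed
        claimed |= incoming
        overlap = None
        if incoming:
            first_seen = snapshots[min(life[k][0] for k in incoming)][0]
            overlap = (day - first_seen).days
        found.append({
            "date": day,
            "cardinality": f"{len(outgoing)}:{len(incoming)}",
            "overlap_days": overlap,   # successor first seen -> old key first absent
            "abrupt": overlap == 0,    # successor never observed beside the old key
        })
    return found

if __name__ == "__main__":
    for t in transitions(SNAPSHOTS):
        print(t)
```

The measured overlap is only as precise as the snapshot interval, so an `abrupt` result means no co-publication was observed, not that none occurred.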

Critical Analysis

The paper provides a valuable, empirical perspective on the real-world challenges of securely managing cryptographic keys in a decentralized, global system like the DNS. By proposing a formal framework for characterizing and classifying key transition practices, the authors offer a structured way to evaluate this critical aspect of internet security infrastructure.

That said, the research is limited to the DNSSEC protocol and may not necessarily generalize to other decentralized credential management systems. Additionally, the analysis only covers the first 15 years of the DNSSEC rollout, and the landscape may have changed in more recent years.

Further research could explore how this key transition framework applies to other distributed systems, as well as investigate longer-term trends and the impact of any policy or technological changes that have occurred in the DNSSEC ecosystem since the time period analyzed.

Conclusion

This paper presents a novel approach for formally characterizing and assessing the process of securely transitioning cryptographic keys in the DNSSEC protocol. By applying this framework to 15 years of real-world DNSSEC deployment data, the researchers uncovered meaningful gaps between recommended key management practices and actual operational realities.

The findings suggest that while the prescribed DNSSEC key transition processes may be ideal from a security standpoint, some non-compliant practices were necessary to make the system function effectively in practice. This highlights the importance of grounding security protocols in empirical evidence and a nuanced understanding of operational constraints.

Overall, the paper provides a valuable foundation for further research and refinement of key management strategies not just for DNSSEC, but potentially for other distributed systems grappling with the challenge of secure credential transitions at scale.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!


Related Papers

From the Beginning: Key Transitions in the First 15 Years of DNSSEC

Eric Osterweil, Pouyan Fotouhi Tehrani, Thomas C. Schmidt, Matthias Wahlisch

When the global rollout of the DNS Security Extensions (DNSSEC) began in 2005, a first-of-its-kind trial started: The complexity of a core Internet protocol was magnified in favor of better security for the overall Internet. Thereby, the scale of the loosely-federated delegation in DNS became an unprecedented cryptographic key management challenge. Though fundamental for current and future operational success, our community lacks a clear notion of how to empirically evaluate the process of securely transitioning keys. In this paper, we propose two building blocks to formally characterize and assess key transitions. First, the anatomy of key transitions, i.e., measurable and well-defined properties of key changes; and second, a novel classification model based on this anatomy for describing key transition practices in abstract terms. This abstraction allows for classifying operational behavior. We apply our proposed transition anatomy and transition classes to describe the global DNSSEC deployment. Specifically, we use measurements from the first 15 years of the DNSSEC rollout to detect and understand which key transitions have been used to what degree and which rates of errors and warnings occurred. In contrast to prior work, we consider all possible transitions and not only 1:1 key rollovers. Our results show measurable gaps between prescribed key management processes and key transitions in the wild. We also find evidence that such noncompliant transitions are needed in operations.

9/12/2024

Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet

Yevheniya Nosyk, Maciej Korczyński, Andrzej Duda

DNS Security Extensions (DNSSEC) provide the most effective way to fight DNS cache poisoning attacks. Yet, very few DNS resolvers perform DNSSEC validation. Identifying such systems is non-trivial and the existing methods are not suitable for Internet-scale measurements. In this paper, we propose a novel remote technique for identifying DNSSEC-validating resolvers. The proposed method consists of two steps. In the first step, we identify open resolvers by scanning 3.1 billion end hosts and request every non-forwarder to resolve one correct and seven deliberately misconfigured domains. We then build a classifier that discriminates validators from non-validators based on query patterns and DNS response codes. We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses. In the second step, we remotely identify closed non-forwarders in networks that do not have inbound Source Address Validation (SAV) in place. Using the classifier built in step one, we identify 37.4% IPv4 (42.9% IPv6) closed DNSSEC validators and cross-validate the results using RIPE Atlas probes. Finally, we show that the discovered (non)-validators actively send requests to DNS root servers, suggesting that we deal with operational recursive resolvers rather than misconfigured machines.

5/31/2024

Decentralized Credential Status Management: A Paradigm Shift in Digital Trust

Patrick Herbke, Thomas Cory, Mauro Migliardi

Public key infrastructures are essential for Internet security, ensuring robust certificate management and revocation mechanisms. The transition from centralized to decentralized systems presents challenges such as trust distribution and privacy-preserving credential management. The transition from centralized to decentralized systems is motivated by addressing the single points of failure inherent in centralized systems and leveraging decentralized technologies' transparency and resilience. This paper explores the evolution of certificate status management from centralized to decentralized frameworks, focusing on blockchain technology and advanced cryptography. We provide a taxonomy of the challenges of centralized systems and discuss opportunities provided by existing decentralized technologies. Our findings reveal that, although blockchain technologies enhance security and trust distribution, they represent a bottleneck for parallel computation and face inefficiencies in cryptographic computations. For this reason, we propose a framework of decentralized technology components that addresses such shortcomings to advance the paradigm shift toward decentralized credential status management.

6/18/2024

Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates

Yevheniya Nosyk, Maciej Korczyński, Carlos H. Gañán, Michał Król, Qasim Lone, Andrzej Duda

DNS dynamic updates represent an inherently vulnerable mechanism deliberately granting the potential for any host to dynamically modify DNS zone files. Consequently, this feature exposes domains to various security risks such as domain hijacking, compromise of domain control validation, and man-in-the-middle attacks. Originally devised without the implementation of authentication mechanisms, non-secure DNS updates were widely adopted in DNS software, subsequently leaving domains susceptible to a novel form of attack termed zone poisoning. In order to gauge the extent of this issue, our analysis encompassed over 353 million domain names, revealing the presence of 381,965 domains that openly accepted unsolicited DNS updates. We then undertook a comprehensive three-phase campaign involving the notification of Computer Security Incident Response Teams (CSIRTs). Following extensive discussions spanning six months, we observed substantial remediation, with nearly 54% of nameservers and 98% of vulnerable domains addressing the issue. This outcome serves as evidence that engaging with CSIRTs can prove to be an effective approach for reporting security vulnerabilities. Moreover, our notifications had a lasting impact, as evidenced by the sustained low prevalence of vulnerable domains.

5/31/2024