On 11/02/2014, at 11:35 am, Andy Linton <asjl@lpnz.org> wrote:

At the recent NZNOG meeting in Nelson, Geoff Huston from APNIC gave a talk on DNSSEC and had some interesting statistics about the use of validating resolvers for DNS and DNSSEC.

For DNSSEC to work there are two parts of the equation that need to happen:

1) People need to sign their zones
2) People need to ask the question "is this zone signed" etc.

I want to talk about 2)

Geoff noted that a number of countries that we might not expect to be high on the list of those validating the responses using the DNSSEC technology were way ahead of the rest of the world. I haven't got the exact numbers here - I expect his presentation will appear shortly  and there's likely to be a video of it at some stage at http://www.r2.co.nz/20140130/ - but from memory the global average is about 7% usage of validating resolvers.

New Zealand is a dismal <2% and I'd like to challenge you all to do something about that. And we're way behind the Australians....

Geoff pointed out that the high rate elsewhere is due to a large degree to the number of people using Google's Public DNS servers and while that looks attractive and an easy way to improve those numbers I'd ask you not to go down that path. You need to do this yourself (or at least as close as possible to the end user). If you use someone else's resolver then your traffic can be intercepted en route to the validating resolver => man in the middle attack => game over.

And of course, handing this data over to a centralised collection agent makes the work of anyone who wants to snoop on you much, much easier.

It's not about Google's servers - this applies equally to public servers run by anyone. DNSSEC validation is not real validation unless it's performed end to end or at least as close as possible to that. A number of NZ ISPs provide this service to their customers with their in house resolvers and those of you who don't should really be looking at when you will do this.

Those people who have signed their zones are making assertions about how they want their DNS data to be interpreted. They're saying that unless you validate their DNS data they really don't want you to connect to them. You should be taking notice of this. But then maybe you just ignore broken certs on websites etc. 

So what should you do?

End user
=======

Check here - http://dnssec.vs.uni-due.de/
Or use - https://www.dnssec-validator.cz/

Ask your ISP/admins to fix this.

ISPs/Enterprise
============

If you're running a resolver for customers do the work to get it validating, please....

Plenty of info out there on how to do this for Bind and Unbound and I'm no Windows expert but this looks straightforward:

Windows: http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation 

I�ve been talking about this with one of my customers recently, and there�s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don�t work' while the other ISP does.

Is there public data available re. this? Does it likely vary much for NZ? I think unbound can be configured to only log when validation fails rather than actually acting on it in a negative way, so I imagine it�s not hard to figure out.. thinking out loud here we�d probably want some full query logging to get some useful stats - i.e. this zone that breaks is looked at by x% of customers, and it is y% of total unique zones queried, etc.
Thinking out loud here.

Good chance that all the problems around this have disappeared these days, but, it�d be interesting to find out.

(note, I haven�t Googled yet :)

Nathan Ward