A couple of days ago CloudFlare announced the public alpha release of its DNSSEC implementation. Since it uses the “recent” ECDSA P-256 algorithm (RFC 6605), I wondered how many resolvers might have problems validating those signatures, so I took a peek at the current situation as seen by the RIPE Atlas probe network.
Measurements
I used 10 measurements to ask RIPE Atlas probes around the globe to resolve two hostnames using their local resolvers: www.ripe.net, signed with an RSA-based algorithm, and the CloudFlare hostname, signed with ECDSA P-256.
The first group of probes was selected from the 5 areas defined in the RIPE Atlas project and was used to resolve and validate www.ripe.net, in order to obtain a set of probes whose resolvers were able to validate DNSSEC responses signed with “old” algorithms; the same probes were then used to resolve and validate the CloudFlare hostname.
The measurement IDs follow:
Measurements = {
    "West":          { "MsmID_RIPE": 1849609, "MsmID_CF": 1849622 },
    "North-Central": { "MsmID_RIPE": 1849610, "MsmID_CF": 1849623 },
    "South-Central": { "MsmID_RIPE": 1849611, "MsmID_CF": 1849624 },
    "North-East":    { "MsmID_RIPE": 1849612, "MsmID_CF": 1849625 },
    "South-East":    { "MsmID_RIPE": 1849613, "MsmID_CF": 1849626 }
}
I used the RIPE Atlas Sagan library to build a Python script to analyze the data. For each probe I checked whether at least one of its (at most three) local resolvers returned a response with the AD flag set.
Results
Of the 1738 probes involved, 1675 obtained valid results for both hostnames. Among these, 1148 (68,5 %) did not receive any authenticated data from their resolvers, while 449 (26,8 %) received the AD flag for both RIPE’s and CloudFlare’s hostname. Of the remaining 78 probes, 15 (0,9 %) received the AD flag for the CloudFlare host but not for the RIPE one (surprisingly), while 63 (3,7 %) received the AD flag for the RSA-signed host but not for the ECDSA-signed one.
(x = AD flag received from at least one of the probe’s resolvers)

                 RSA   ECDSA
1148 (68,5 %):
 449 (26,8 %):    x      x
  15 ( 0,9 %):           x
  63 ( 3,7 %):    x
--------------------------
1675
512 probes received an authenticated response for the RSA-signed zone; 63 of those (12,3 %) missed the AD flag for the ECDSA-signed one.
If we restrict the analysis to the first resolver used by each probe only, we see the following results:
(first resolver only; x = AD flag received)

                 RSA   ECDSA
1112 (72,7 %):
 342 (22,3 %):    x      x
  11 ( 0,7 %):           x
  65 ( 4,2 %):    x
--------------------------
1530
65 of the 407 probes that received the AD flag for the RSA-signed hostname did not receive it for the ECDSA-signed name. Almost all (64/65) of the probes that seem to use an ECDSA-unaware resolver still received a response containing the RRSIG records: the resolver is DNSSEC-aware enough to pass the signatures through, but does not set AD. This is consistent with RFC 4035, which tells a validator that supports none of the algorithms in the DS RRset to treat the zone as insecure (unsigned) rather than bogus, so the answer is returned normally, just without authentication.
Further restricting the analysis to probes whose resolver has a public IP address, we obtain 255 probes which received an authenticated response for the ECDSA-signed hostname from a resolver with a public IP address: 182 of them (71,4 %) use Google Public DNS addresses. In other words, a large share of the ECDSA validation observed here is concentrated on a single resolver operator, so the probe-level percentages say less about the diversity of ECDSA-capable resolvers than they might appear to.
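The checks described above (AD bit from each local resolver, cross-tabulation of the RSA-signed and ECDSA-signed names, the first-resolver restriction and the public-IP / Google Public DNS split) as an added, self-contained example. This is not the Sagan-based script the author ran: it decodes the AD bit directly from the 12-byte header of the base64 answer buffer (`abuf`) that RIPE Atlas DNS results carry, and runs on constructed sample data. The `dst_addr`/`abuf` field names follow the Atlas result format; the six sample probes, their resolver addresses (198.100.0.53 is just a made-up public address) and their outcomes are constructed, and the set of Google Public DNS addresses is an assumption limited to the well-known anycast ones.

```python
import base64
import ipaddress
import struct
from collections import Counter

# DNS header flag bits (RFC 1035; the AD bit is defined in RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020

# Assumption: only the well-known Google Public DNS anycast addresses.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"}

# (AD for RSA-signed name, AD for ECDSA-signed name) -> bucket name
CATEGORY = {(False, False): "none", (True, True): "both",
            (False, True): "ecdsa_only", (True, False): "rsa_only"}


def has_ad_flag(abuf_b64):
    """True if the base64-encoded DNS message ("abuf" in Atlas results) has AD set.

    Only the header is needed: the 16-bit flags word is at bytes 2-3.
    """
    raw = base64.b64decode(abuf_b64)
    if len(raw) < 12:                   # empty or truncated buffer: no usable answer
        return False
    flags = struct.unpack("!H", raw[2:4])[0]
    return bool(flags & FLAG_AD)


def probe_authenticated(resultset, first_resolver_only=False):
    """Did at least one of the probe's local resolvers (or only the first one)
    return an answer with AD set? Returns None when no answer came back at all."""
    entries = resultset[:1] if first_resolver_only else resultset
    answers = [e["abuf"] for e in entries if "abuf" in e]
    if not answers:
        return None
    return any(has_ad_flag(a) for a in answers)


def classify(rsa_results, cf_results, first_resolver_only=False):
    """Cross-tabulate probes by AD flag for the RSA-signed vs the ECDSA-signed name.

    Both arguments map probe id -> list of per-resolver answers from one measurement.
    Probes lacking an answer for either name are counted separately as "no_result".
    """
    counts = Counter()
    for prb_id in rsa_results.keys() & cf_results.keys():
        rsa_ad = probe_authenticated(rsa_results[prb_id], first_resolver_only)
        cf_ad = probe_authenticated(cf_results[prb_id], first_resolver_only)
        if rsa_ad is None or cf_ad is None:
            counts["no_result"] += 1
        else:
            counts[CATEGORY[(rsa_ad, cf_ad)]] += 1
    return counts


def public_ecdsa_validators(cf_results):
    """Among probes whose first resolver has a public IP and returned AD for the
    ECDSA-signed name, count how many of those resolvers are Google Public DNS."""
    counts = Counter()
    for resultset in cf_results.values():
        if not resultset or not has_ad_flag(resultset[0].get("abuf", "")):
            continue
        addr = ipaddress.ip_address(resultset[0]["dst_addr"])
        # Caveat: ipaddress also marks the RFC 5737 documentation ranges as private,
        # so do not use 192.0.2.0/24 etc. as stand-ins for public resolvers.
        if addr.is_private:
            continue
        counts["google" if str(addr) in GOOGLE_DNS else "other"] += 1
    return counts


def fake_abuf(ad):
    """Constructed sample data: a bare 12-byte response header, base64-encoded like
    a real abuf (real buffers also carry the question/answer sections)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return base64.b64encode(header).decode("ascii")


def _answer(addr, ad):
    return {"dst_addr": addr, "abuf": fake_abuf(ad)}


# Constructed results for six probes; keyed by probe id, one entry per local resolver.
SAMPLE_RSA = {
    1: [_answer("192.168.1.1", False), _answer("8.8.8.8", True)],
    2: [_answer("198.100.0.53", True)],
    3: [_answer("10.0.0.53", False)],
    4: [_answer("8.8.8.8", False)],
    5: [_answer("198.100.0.53", True)],
    6: [_answer("8.8.8.8", True)],
}
SAMPLE_CF = {
    1: [_answer("192.168.1.1", False), _answer("8.8.8.8", True)],
    2: [_answer("198.100.0.53", False)],        # RSA validated, ECDSA not: "ECDSA-unaware"
    3: [_answer("10.0.0.53", False)],
    4: [_answer("8.8.8.8", True)],              # AD for ECDSA only, like the odd 15 probes
    5: [_answer("198.100.0.53", True)],
    6: [{"dst_addr": "8.8.8.8", "error": "timeout"}],  # no answer: excluded from the tally
}

if __name__ == "__main__":
    for first_only in (False, True):
        label = "first resolver only" if first_only else "any resolver"
        print(label, dict(classify(SAMPLE_RSA, SAMPLE_CF, first_only)))
    print("public ECDSA validators:", dict(public_ecdsa_validators(SAMPLE_CF)))
```

Run it as a script to print the two cross-tabulations and the Google/other split; on the constructed data probe 1 moves from "both" to "none" once only its first (private, non-validating) resolver is considered, which is exactly why the first-resolver table differs from the any-resolver one.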
Further reading
My work is not as detailed as the one published in October 2014 by Geoff Huston and George Michaelson; it is just a glimpse of the current state of ECDSA support among a restricted set of resolvers used by RIPE Atlas probes. I really suggest that whoever is interested in this topic read their work.
Written by Pier Carlo Chiodi