DNSSEC: ECDSA-aware resolvers seen by RIPE Atlas

A couple of days ago CloudFlare announced its public alpha release of their DNSSEC implementation. Since they are using the “recent” Elliptic Curve ECDSA P-256 (RFC6605) I wondered how many resolvers can have problems with signatures validation so I wanted to take a peek at the current situation as seen by the RIPE Atlas probes network.

Measurements

I used 10 measurements to ask RIPE Atlas probes around the globe to resolve two hostnames using their local resolvers:

  • www.ripe.net, which uses old RSA RFC4034/RFC5702 algorithm;
  • www.cloudflare-dnssec-auth.com, which uses RFC6605 ECDSA.
  • The first group of probes has been selected from the 5 areas defined in the RIPE Atlas project and it has been used to resolve and validate www.ripe.net, in order to obtain a set of probes whose resolvers were able to validate DNSSEC responses based on “old” algorithms, then the same probes have been used to resolve and validate the CloudFlare hostname.

    Measurements IDs follow:

    Measurements = {
            "West":                 { "MsmID_RIPE": 1849609, "MsmID_CF": 1849622 },
            "North-Central":        { "MsmID_RIPE": 1849610, "MsmID_CF": 1849623 },
            "South-Central":        { "MsmID_RIPE": 1849611, "MsmID_CF": 1849624 },
            "North-East":           { "MsmID_RIPE": 1849612, "MsmID_CF": 1849625 },
            "South-East":           { "MsmID_RIPE": 1849613, "MsmID_CF": 1849626 }
    }

    I used the RIPE Atlas Sagan library to build a Python script to analyze data. For each probe I verified whether at least one of the max 3 local resolvers returned a response with the AD flag or not.

    Results

    Over 1738 probes involved, 1675 obtained valid results for both the hostnames; among these, 1148 (68,5 %) did not receive any authenticated data from their resolvers while 449 (26,8 %) received the AD flag for both RIPE’s and CloudFlare’s hostname. From the remaining 78 probes, 15 (0,9 %) received the AD for the CloudFlare host but not for the RIPE one (!?) while 63 (3,7 %) received the AD flag for the RSA host but did not receive it for the ECDSA host.

                     RSA  ECDSA
      1148 (68,5 %):
       449 (26,8 %):  x     x
        15 ( 0,9 %):        x
        63 ( 3,7 %):  x
      --------------------------
      1675

    512 probes received an authenticated response for RSA-signed zone, 63 of those (12,3 %) missed the AD flag for the ECDSA-signed one.

    If we restrict the analysis to the first used resolver only, we can see the following results:

                     RSA  ECDSA
      1112 (72,7 %):
       342 (22,3 %):  x     x
        11 ( 0,7 %):        x
        65 ( 4,2 %):  x
      --------------------------
      1530

    65 probes over the 407 that received AD flag for RSA-signed hostname did not receive the AD flag for the ECDSA name. Almost all (64/65) the probes that seem to use an ECDSA-unaware resolver received a response containing the RRSIG.

    Further restricting the probes by filtering out those using a resolver with private IP addresses we obtain 255 probes which received an authenticated response for the ECDSA-signed hostname from a resolver with a public IP address: 182 of them (71,4 %) are Google Public DNS IP addresses.

    Further reading

    My work is not as detailed as the one published on october 2014 by Geoff Huston and George Michaelson, it’s just a glimpse of the current state of ECDSA support between a restricted set of resolvers used by RIPE Atlas probes. I really suggest whoever is interested in this topic to read their work.

    The following two tabs change content below.
    Italian, born in 1980, I started working in the IT area in the late '90s; I'm now a system and network administrator with a deep knowledge of the global Internet and its core architectures.

    Leave a Reply