[Podcast] Measuring DNSSEC keying ‘drift’ between parent and child

By on 28 Nov 2024

Category: Tech matters



The weak link in a chain
Original material supplied by APNIC

This time on PING, Peter Thomassen from SSE and DEsec.io discusses his analysis of the failure modes of CDS and CDNSKEY records between parent and child in the DNS. These records provide in-band signalling of the DS record, which is fundamental to maintaining a secure path from the Trust Anchor to the delegation through all the intermediate parent and grandparent domains. Many people use out-of-band methods to update this DS information, but the CDS and CDNSKEY records are designed to carry this critical information inside the DNS itself, avoiding many of the pitfalls of passing it through a registry-registrar web service.

The problem is, as Peter has discovered, that the information served by the various nameservers (denoted by the NS records in the DNS) of the child domain can get out of alignment, and the tests a parent zone needs to do to check CDS and CDNSKEY information aren’t specified tightly enough to rule out this risk.

Peter performed a ‘meta-analysis’ inside a far larger cohort of DNS data captured by Florian Steurer and Tobias Fiebig at the Max Planck Institute and discovered a low but persistent error rate: a drift in the critical keying information between a zone’s nameservers and the parent. Some of these cases relate to transitional states in the DNS (such as when you move registry or DNS provider), but by no means all of them, and this has motivated Peter and his co-authors to look at improved recommendations for managing CDS / CDNSKEY data, to minimize the risk of inconsistency and the consequent loss of a secure entry path to a domain name.
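To make the parent-side check concrete, here is an added Python example (not code from the podcast, from APNIC, or from Peter’s study) that models what a parent would verify before acting on a CDS signal: every nameserver of the child must serve the same CDS RRset, each CDS must be backed by a DNSKEY the child actually publishes, and only then is the agreed set compared with the DS records the parent currently holds. The zone name `example.org`, the nameservers `ns1`/`ns2.example.net` and the two tiny keys are all constructed for the example; the DS digest and key tag follow RFC 4034.

```python
"""
Parent-side consistency check for CDS records served by a child zone.

Added example (not code from the podcast, APNIC, or the study discussed).
Names and keys below are constructed; the key material is deliberately tiny.
"""
import hashlib
from dataclasses import dataclass

# DS/CDS digest types this example understands (RFC 4034 / RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}
# RFC 8078 section 4: a CDS of "0 0 0 00" asks the parent to remove the DS.
DELETE_CDS = "0 0 0 00"


@dataclass(frozen=True)
class Dnskey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) protocol(1) algorithm(1) public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag computation
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.lower().encode() for lbl in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: Dnskey, digest_type: int = 2) -> str:
    """DS/CDS presentation string for a DNSKEY (RFC 4034 section 5.1.4)."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_wire(owner) + key.rdata())
    return f"{key.key_tag()} {key.algorithm} {digest_type} {h.hexdigest().upper()}"


def check_cds(owner, cds_by_ns, dnskey_by_ns, parent_ds):
    """
    cds_by_ns:    {nameserver: set of CDS strings as served by that server}
    dnskey_by_ns: {nameserver: set of Dnskey as served by that server}
    parent_ds:    set of DS strings the parent currently publishes
    Returns (status, findings); status is one of
    'drift', 'no-signal', 'delete', 'invalid', 'consistent', 'update'.
    """
    findings = []
    cds_sets = {ns: frozenset(v) for ns, v in cds_by_ns.items()}
    if len(set(cds_sets.values())) > 1:
        # The child's nameservers disagree: the drift described in the post.
        for ns, s in sorted(cds_sets.items()):
            findings.append(f"{ns} serves CDS {sorted(s) or '<none>'}")
        return "drift", findings
    signal = next(iter(cds_sets.values()), frozenset())
    if not signal:
        return "no-signal", findings
    if signal == {DELETE_CDS}:
        return "delete", findings
    # Every CDS must be backed by a DNSKEY that every nameserver serves;
    # accepting a dangling CDS would leave the zone without a valid chain.
    wanted_types = {int(r.split()[2]) for r in signal}
    for ns, keys in sorted(dnskey_by_ns.items()):
        published = {ds_from_dnskey(owner, k, t)
                     for k in keys for t in wanted_types if t in DIGEST_ALGS}
        missing = signal - published
        if missing:
            findings.append(f"{ns}: CDS not backed by a served DNSKEY: {sorted(missing)}")
    if findings:
        return "invalid", findings
    if signal == frozenset(parent_ds):
        return "consistent", findings
    findings.append(f"parent DS would change from {sorted(parent_ds)} to {sorted(signal)}")
    return "update", findings


# Constructed sample data: a child zone with two nameservers.
ZONE = "example.org"
NS = ("ns1.example.net", "ns2.example.net")
OLD_KEY = Dnskey(257, 3, 13, b"\x01\x02\x03\x04")   # KSK behind the current parent DS
NEW_KEY = Dnskey(257, 3, 13, b"\x05\x06\x07\x08")   # KSK introduced by a rollover
OLD_DS = ds_from_dnskey(ZONE, OLD_KEY)
NEW_DS = ds_from_dnskey(ZONE, NEW_KEY)


def sample_scenarios():
    """Run the check over a few constructed zone states; returns name -> status."""
    both_keys = {ns: {OLD_KEY, NEW_KEY} for ns in NS}
    cases = {
        "steady": ({ns: {OLD_DS} for ns in NS}, both_keys, {OLD_DS}),             # nothing to do
        "half-rolled": ({NS[0]: {NEW_DS}, NS[1]: {OLD_DS}}, both_keys, {OLD_DS}),  # ns2 lags behind
        "rolled": ({ns: {NEW_DS} for ns in NS}, both_keys, {OLD_DS}),             # parent may update
        "dangling": ({ns: {NEW_DS} for ns in NS}, {ns: {OLD_KEY} for ns in NS}, {OLD_DS}),
        "delete": ({ns: {DELETE_CDS} for ns in NS}, both_keys, {OLD_DS}),
    }
    return {name: check_cds(ZONE, *args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, status in sample_scenarios().items():
        print(f"{name:12} {status}")
```

The check is deliberately conservative: any disagreement between nameservers is reported as drift and nothing is applied, which is the safe default for a parent since the alternative is trusting whichever server happened to answer. In a real deployment the CDS and DNSKEY RRsets would first be DNSSEC-validated under the existing DS, as RFC 7344 requires, before these comparisons are made.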

Read more about DNSSEC delegation at the APNIC Blog, and the IETF:

Subscribe and share your story

You can stream and subscribe to PING via the following channels:

If you’re interested in sharing your insights or research, please get in touch — we’re always looking for great stories from the community. Please let us know what you think of the podcast and the APNIC Blog so we can keep improving.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

2 Comments

  1. Charles

    I like your podcast, and the stuff about measuring various things through ads is interesting, but the constant DNSSEC stuff is boring, very boring.

    I came to APNIC to hear about the state of the inter-network at large. I want to hear about backbones, deep sea cables, traffic routing at scale and through different networks, IPv6 implementations, resilience, satellite systems, etc. DNS is old, simple and works well; DNSSEC is broken and slow and will never work for end users that want snappy web pages. It will be replaced eventually by some sort of web of trust crypto bro thing like nostr.
