ValiBox: DNSSEC validation at home
The .nl zone has more DNSSEC-signed delegations than any other top-level domain. Unfortunately, however, there are still very few validating resolvers in the Netherlands. The ValiBox is our attempt to address that problem and make DNSSEC available to home users.
Although a handful of the big players, such as Google and Comcast, now have their resolvers set up for DNSSEC validation, the number of validating resolvers remains small. In principle, anyone can connect a resolver to a home network and configure it for DNSSEC validation. But that requires DNS and networking expertise that most users simply don't have.
That's the reason for the ValiBox home router software image, based on OpenWRT. If you install a ValiBox device on your home network, it acts as a wi-fi access point with its own local NAT, which supports DNSSEC validation.
ValiBox's DNSSEC validation differs from 'ordinary' DNSSEC validation in one important respect. If a DNSSEC error is detected, the user doesn't receive the standard message saying that the address can't be found. Instead, the user is diverted to a page that explains that an error's been detected and offers the option of temporarily ignoring it. If the user chooses to ignore the error, the domain name is resolved. The approach is similar to that taken with self-signed SSL certificates, which trigger your browser to highlight the situation and ask you whether you want to give temporary approval.
Why (temporarily) ignore a DNSSEC error?
One of the reasons often given for not implementing DNSSEC validation is that problems can arise if the domain name's administrator makes a mistake. For example, if the digital signatures aren't updated in time, the zone will 'disappear' for people who check the signatures, while still being reachable for people who don't. That's because a validator can't easily tell the difference between a DNS man-in-the-middle attack and an innocent error. All the validator sees is that the signatures are invalid.
Also, because DNSSEC is backwards compatible with the traditional DNS, the protocol makes no distinction between, say, a lame delegation and a DNSSEC error. Both will result in a validating resolver reporting a server failure ('SERVFAIL').
SIDN is working hard to cut the number of DNSSEC errors in .nl. For example, we carry out active monitoring and warn registrars when problems are detected. We are currently picking up about five thousand errors a day, out of 2.6 million signed delegations.
Although the number of errors is quite small, it can be annoying if a domain is unavailable due to a DNSSEC error. That is one of the reasons why service providers are reluctant to introduce validation. In this phase of DNSSEC's rollout, therefore, the ability to temporarily ignore some errors can be useful.
How does the ValiBox work?
Some validating resolvers allow the administrator to set Negative Trust Anchors (NTAs). NTAs effectively disable DNSSEC validation for specific zones for defined periods. The thinking behind the functionality is that a person is more likely to be able to tell the difference between an attack and a configuration error, and more able to decide whether, in a given situation, successfully resolving a domain is more important than retaining the protection provided by DNSSEC.
The ValiBox makes that functionality available to users, without requiring them to get involved in resolver configuration.
Internally, the ValiBox uses a standard OpenWRT image, to which we have made a few refinements. We have created a variant of Unbound, which doesn't return a standard SERVFAIL when a DNSSEC error is detected, but gives the ValiBox's own IP address. The ValiBox runs a web application set up to recognise when a validation error has been detected and give the user the option of setting an NTA. Finally, we've created a simple one-click system for updating the software.
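To make the NTA mechanism concrete, here is an added illustrative model of the bookkeeping described above: a store of time-limited Negative Trust Anchors with suffix matching, and the decision a ValiBox-style resolver front end makes for a bogus answer (redirect to the box's own address, or let the name resolve because a live NTA covers it). This is example code written for this article, not the ValiBox software or Unbound's code; the zone names, the 203.0.113.x answers and the 192.168.8.1 ValiBox address are constructed sample values, and the class and function names are my own.

```python
"""Illustrative model of time-limited Negative Trust Anchors (NTAs) and the
ValiBox-style redirect decision.  Constructed example, not ValiBox code.

In a real deployment the NTA itself is applied to the resolver; in Unbound
that is the 'domain-insecure:' server option, or at runtime
'unbound-control insecure_add <zone>' / 'insecure_remove <zone>'.
"""
import time
from typing import Dict, List, Optional, Tuple

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"   # validator verdicts


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Example.NL.' equals 'example.nl'."""
    return name.strip().lower().rstrip(".")


class NTAStore:
    """NTAs keyed by zone, each with an absolute expiry time (seconds since epoch).

    'now' is passed explicitly so the behaviour can be tested deterministically;
    it defaults to the wall clock.
    """

    def __init__(self, default_ttl: float = 3600.0) -> None:
        self.default_ttl = default_ttl
        self._anchors: Dict[str, float] = {}   # zone -> expiry time

    def add(self, zone: str, now: Optional[float] = None,
            ttl: Optional[float] = None) -> float:
        """Register (or renew) an NTA for zone; returns its expiry time."""
        now = time.time() if now is None else now
        expires = now + (self.default_ttl if ttl is None else ttl)
        self._anchors[_normalize(zone)] = expires
        return expires

    def remove(self, zone: str) -> None:
        self._anchors.pop(_normalize(zone), None)

    def expire(self, now: Optional[float] = None) -> List[str]:
        """Drop NTAs whose time is up; returns the zones removed (for a cron-style sweep)."""
        now = time.time() if now is None else now
        gone = [z for z, exp in self._anchors.items() if exp <= now]
        for z in gone:
            del self._anchors[z]
        return gone

    def covering(self, name: str, now: Optional[float] = None) -> Optional[str]:
        """Most specific unexpired NTA covering name, or None.

        An NTA for 'example.nl' covers 'www.example.nl' but not 'notexample.nl';
        an (unwise) NTA for the root zone ('') covers everything.
        """
        now = time.time() if now is None else now
        name = _normalize(name)
        best = None
        for zone, exp in self._anchors.items():
            if exp <= now:
                continue
            if zone == "" or name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best


def decide(name: str, status: str, answer_ip: str, store: NTAStore,
           valibox_ip: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Model of the ValiBox resolver behaviour for one answer.

    secure/insecure answers pass through; a bogus answer is replaced by the
    ValiBox's own address (so the browser lands on the explanation page) unless
    a live NTA covers the name, in which case it resolves as if unsigned.
    Returns (action, ip) with action in {'answer', 'redirect', 'nta-override'}.
    """
    if status in (SECURE, INSECURE):
        return ("answer", answer_ip)
    if status != BOGUS:
        raise ValueError(f"unknown validation status: {status!r}")
    if store.covering(name, now) is not None:
        return ("nta-override", answer_ip)
    return ("redirect", valibox_ip)


def demo() -> List[Tuple[str, str]]:
    """Walk through a constructed scenario; returns the decisions in order."""
    store = NTAStore(default_ttl=600)      # NTAs last ten minutes in this model
    t0 = 1_000_000.0                       # constructed clock value
    vb = "192.168.8.1"                     # constructed ValiBox LAN address
    out = []
    out.append(decide("www.sidnlabs.nl", SECURE, "203.0.113.10", store, vb, t0))
    out.append(decide("www.broken.example", BOGUS, "203.0.113.20", store, vb, t0))
    store.add("broken.example", now=t0)    # user clicks 'ignore temporarily'
    out.append(decide("www.broken.example", BOGUS, "203.0.113.20", store, vb, t0 + 1))
    out.append(decide("notbroken.example", BOGUS, "203.0.113.30", store, vb, t0 + 1))
    out.append(decide("www.broken.example", BOGUS, "203.0.113.20", store, vb, t0 + 601))
    return out


if __name__ == "__main__":
    for action, ip in demo():
        print(action, ip)
```

Two points the model makes explicit: the NTA is scoped to a zone and its subdomains, not to the single name the user was trying to reach, and it expires on its own, so the user's temporary decision does not quietly become permanent. Note that Unbound's `val-permissive-mode` option, which is what the 'permissive mode' notification in the user test refers to, is not an NTA: it disregards validation failures for every zone, which is why the ValiBox should not be left running in that mode.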
A user test has been performed within SIDN. We built a prototype ValiBox, with simple versions of the software described above. Although it had some known shortcomings, we wanted to find out whether the basic concept was acceptable to users and whether the average user was able to get on with the ValiBox.
We gave twenty staff members GL-Inet devices to try out, with ValiBox software installed. The users ranged from people who knew nothing about network technology to people who were able to get straight to work on system security.
The results were generally positive. Fifteen of the twenty users were able to get the system working straight away, without any further help. They were able to visit dnssec-test.sidnlabs.nl and see that the DNSSEC validation was working. Two users couldn't get the ValiBox to work. The other three were unable to find time to try out the prototype.
Users did nevertheless highlight a number of shortcomings. Two users received a notification saying that the software was running in 'permissive mode'. In that mode, DNSSEC validation takes place, but errors are disregarded. One user found that he could no longer control his audio equipment over his home network.
We also received feedback highlighting issues that we were already aware of. The NTA management pages weren't properly protected, for example, and one user preferred to disable the NTA option altogether (and simply have normal DNSSEC protection). Our customised version of Unbound wasn't always able to recognise DNSSEC errors and the redirect setup didn't work properly with Safari.
All in all, the test was very useful, providing results that will enable us to take the project forward. For most users, the ValiBox worked as expected, and we believe that the identified issues can be resolved by improving the software.
First, we'll be working to resolve the main flaws discovered so far. We'll then release the ValiBox software under an open-source licence. After that, we plan to see whether we can refine the features that we've added to Unbound and pass on our work to Unbound's developers. We'll also be looking for possible alternative or additional software for DNSSEC validation and NTA management.
Our ultimate aim is that the ValiBox becomes redundant. We'd like all home routers or maybe even user systems to support DNSSEC validation. There are already a few initiatives in that direction, such as Turris and systemd-resolved. In the meantime, we hope that the ValiBox can help to expedite the rollout of DNSSEC validation.
Keep an eye on our site for the public release of ValiBox!