XXL detection of DNSSEC validation errors
In the period beginning August 2012, a very large number of .nl domain names were secured with DNSSEC in a relatively short space of time. The associated risk of validation errors was an issue that commanded a lot of attention.
No one wanted a repetition of what had happened with the .gov domain. In 2008, the US government had decided that all .gov domains had to be secured with DNSSEC. Perhaps because it wasn't voluntary, the rollout of DNSSEC across .gov involved a significant number of errors. And one of the most frustrating things about DNSSEC errors is that they affect only those that take the trouble to enable validation, while those that are less proactive on security don't have a problem. In other words, errors tend to discourage the adoption of DNSSEC, or at least DNSSEC validation.
The DNSSEC validation monitor
One of the error detection tools that we have been using at SIDN since April 2013 is the DNSSEC Validation Monitor. The Validation Monitor was developed at SIDN Labs and picks up .nl domain names that have failed validation checks by a number of ISPs engaged in DNSSEC validation. It has provided us with valuable feedback about the actual prevalence and types of DNSSEC errors. Via the Validation Monitor, we share information about non-validating domain names with the relevant registrars, enabling them to take corrective action. The system has highlighted software bugs, configuration errors and procedural flaws. Sampling of the thirty thousand domain names that we tested has revealed a fall in the number of errors. Whereas 0.48 per cent of DNSSEC-protected domain names exhibited errors in the latter part of 2012, by early 2014 (about eighteen months later) the figure was down to 0.21 per cent.
Nevertheless, there were a number of points that we wanted to improve, such as the 'granularity' of the Validation Monitor. The reason being that by no means all errors in the configuration of DNSSEC-protected .nl domain names were being detected. That meant that we couldn't entirely trust the picture we were getting of DNSSEC quality in the .nl zone. One of the causes was that the Validation Monitor was reactive: it reported an error only if one of the affiliated ISPs' clients actually tried to look up the relevant domain name in the DNS.
Validation Monitor XXL: testing all .nl domain names every day
Collaboration with validating ISPs yielded valuable information about the ways errors occur. In some cases, the issues went further than we initially suspected. It became apparent, for example, that a lot of denial-of-existence errors were occurring, even though simultaneous queries about actual resources in the same zone were being fielded without a problem.
Building on the experience gained, the SIDN Labs team has therefore developed a new version of the Validation Monitor. The Validation Monitor XXL, as it is known, features three important improvements:
It automatically and continuously tests all the 2.4 million-plus signed .nl domain names for DNSSEC errors.
Testing is performed every day, meaning that registrars are quickly alerted to any domain name that can't be validated, even if no one has tried to reach the domain in question.
Testing goes down to third-level domain names and beyond.
The Validation Monitor XXL has now been in use since April of this year. It works well and has received a positive reception from our registrars. It's also apparent to us that introduction of the XXL version has encouraged registrars to refocus on DNSSEC errors and their correction. That may be because the Validation Monitor XXL flags up more errors than the old version and alerts more registrars.
Figure 1 shows that the number of registrars with validation errors has fallen by more than 28 per cent since the Validation Monitor XXL entered use. The peak around April 2015 is due to the XXL version scanning the entire .nl zone and therefore detecting more validation errors than the old version.
In the latter part of 2012, 0.48 per cent of signed .nl domain names had DNSSEC errors. By early 2014, that figure was down 0.21 per cent. Together with our registrars, we have since been able to cut it to an average of 0.12 per cent (see Figure 2).
DS record, but no DNSKEY
The most common error is still the presence of a DS record in the .nl zone, when the domain name in question doesn't have (or no longer has) any DNSKEY records. That situation typically arises when a domain name is transferred to a registrar that doesn't support DNSSEC and neither of the two registrars involved in the transfer removes the old DS record from the zone. Two thirds of all DNSSEC errors follow that pattern. Our registration system enables registrars to avoid such errors by opting not to receive key material with incoming transfers. The option is activated with a simple tick box but, despite considerable publicity, not all registrars are aware of it.
Fortunately, progress is being made in many areas. We now hardly ever see outdated RRSIGs, for example. The current average is only about thirty, out of more than 2.4 million signed domain names.
The other errors are quite sporadic and sometimes exotic. For instance, three domain names have RRSIG inception dates in the future and a handful of domain names have rare 'crypto' errors. One sometimes wonders how such errors can occur, since any system administrator should be able to observe and resolve them.
Most of the other third of the errors we see involve denial-of-existence issues. Such errors are 'vague', in the sense that they aren't readily apparent when using tools such as DNSviz. Even Google Public DNS usually validates the names with AD bits. It can therefore be difficult to persuade a registrar that anything is actually wrong.
Integration with the Registrar Scorecard
We have firm plans to integrate the Validation Monitor XXL with the recently launched Registrar Scorecard. The RS is an SIDN incentive programme, through which registrars can qualify for performance-related rewards. The scheme recognises various performance parameters, such as having a domain name portfolio with a high validation grade. The RS therefore follows on from our DNSSEC incentive programme. Unlike that programme, however, the RS distinguishes between correctly and incorrectly signed domain names.
Conclusion: disincentives for validation (virtually) removed
Although we haven't yet secured our goal of eliminating all errors, the current error level and the downward trend indicate that the Validation Monitor and its XXL successor have proved their worth and that the DNSSEC quality of the .nl zone is highly satisfactory. By way of comparison: a scan of the .com zone in late July 2015 revealed that 7,997 of the 488,800 signed domain names exhibited errors, including 3,996 denial-of-existence errors. That is 1.63 per cent, or thirteen times the proportion in the .nl zone. What’s more, Dutch registrars account for a significant proportion of signed .com domain names and their error-alertness is probably heightened by the information they receive about errors in their .nl portfolio.
Of course, the registrars that provide DNSSEC services deserve much of the credit for the DNSSEC quality of the .nl zone. Our findings show not only that most .nl registrars are very competent, but also that they respond promptly and appropriately to errors flagged up by the Validation Monitor. We believe that that encourages even more registrars to start signing their domain names.
Our main hope is that, together with our registrars, we have greatly reduced the disincentives for DNSSEC validation, and that more ISPs will start offering validation services to their customers.