OARC 27 (San Jose)

DNSSEC Operations in the .gov TLD

29 Sept 2017, 10:10

15m

Regency 2 Ballroom (Fairmont San Jose)

Standard Presentation Public Workshop Public Workshop

Speaker

Mr Scott Rose (NIST)

Description

We look at the results of multiple years of DNSSEC scanning to see how DNSSEC is being maintained in the .gov TLD. We look at signing algorithm use, hash algorithms use in DS RRsets and parameters used in NSEC3. We also look for trends and changes over time to detect algorithm rollovers and changes to NSEC3 parameters. The goal of this work is to see how DNSSEC is being deployed and administered in .gov delegations and if there are any issues that need to be addressed. We are primarily looking at NSEC/NSEC3 usage and algorithm usage to see how well they conform to best common practices and federal policy.

Summary

We scanned the list of .gov delegations for several months to look for algorithm usage, NSEC/NSEC3 usage, and NSEC3 parameters. We also looked at previous years for signing algorithm usage and detect algorithm rollovers. It appears that algorithm usage is fairly stable through the last three years in .gov delegations with only a few zones changing algorithms in any given year. RSA/SHA-256 seems to be the largest deployed algorithm and was the algorithm of choice for most changes. Only a few zones have changed to ECDSA as a signing algorithm, which is recommended by federal guidelines since 2015.

NSEC3 usage is fairly stable in .gov and is the preferred choice for denial of existence proof. The choice of values for salt and iterations seems to also fall within a narrow range of choices. These parameter values rarely change no matter how many times the zone is resigned, which does not follow guidance. Given the (believed) wide use of automated tools and appliances for DNSSEC in .gov zones, these issues could be addressed by changing tools or promoting best common practices.

Presentation materials

Slides

oarc-scottr-dnssec-gov-ops.pptx