Oct 22 – 23, 2022 Workshop
Golden Tulip Zira
Europe/Belgrade timezone

A quantitative analysis of authoritative DNS servers and their RPKI adoption

Oct 23, 2022, 10:00 AM
25m
Mykonos / Rodos (Golden Tulip Zira)


Ruzveltova 35 11000 Belgrade Republic of Serbia
Standard Presentation Main Session OARC 39 - D2

Speakers

Mr Brice Habets (University of Amsterdam), Sander Post

Description

The Border Gateway Protocol (BGP) and the Domain Name System (DNS) are two key protocols on which the working of the Internet depends. When these protocols were designed, security properties such as integrity were not yet a priority. However, after various outages caused by the lack of security in these protocols, they needed to be secured. The Resource Public Key Infrastructure (RPKI) was developed to add integrity to the routing protocol. Using RPKI, an address prefix and its size can be certified and signed. The resulting object is a Route Origin Authorisation (ROA), which certifies that a prefix of a given size may be announced by a specific AS. Using that mechanism, operators can validate routes upon reception; this is called Route Origin Validation (ROV), and it gives them the ability to drop invalid announcements.
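The ROA/ROV mechanism described above can be made concrete with a small origin validator. This is an added example, not code from the presentation or its GitLab repository; it implements the RFC 6811 validation states (valid, invalid, not-found) over a set of ROAs and then applies the common ROV policy of dropping only invalid routes. All prefixes are documentation ranges and all AS numbers are constructed for the example; the ROA covering 203.0.113.0/24 with maxLength 24 is the assumption that makes the more-specific /25 announcement invalid, which is exactly the sub-prefix case the measurement setup relies on.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorisation: prefix, the longest length allowed, and the authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> Roa:
    """Build a ROA, rejecting a maxLength that is shorter than the prefix or longer than the address size."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return Roa(net, max_length, asn)


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 origin validation of one announcement against a set of ROAs.

    - not-found: no ROA covers the announced prefix at all
    - valid:     at least one covering ROA matches the origin AS and allows this prefix length
    - invalid:   ROAs cover the prefix, but none of them matches (wrong origin or too specific)
    """
    route = ipaddress.ip_network(prefix, strict=True)
    # A ROA "covers" the route when the route lies inside the ROA prefix (same address family).
    covering = [r for r in roas if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def rov_accepts(state: str) -> bool:
    """Typical ROV policy: drop invalid announcements, keep valid and not-found ones."""
    return state != "invalid"


def demo() -> dict[str, str]:
    """Constructed scenario: one ROA and four announcements, including the more-specific sub-prefix."""
    roas = [make_roa("203.0.113.0/24", 24, 64500)]  # constructed ROA for a documentation prefix
    announcements = {
        "legitimate /24 from AS64500": ("203.0.113.0/24", 64500),
        "sub-prefix /25 from AS64500": ("203.0.113.0/25", 64500),
        "/24 from wrong origin AS64501": ("203.0.113.0/24", 64501),
        "unrelated prefix without ROA": ("198.51.100.0/24", 64500),
    }
    return {name: validate_origin(p, asn, roas) for name, (p, asn) in announcements.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:32s} {state:9s} accepted={rov_accepts(state)}")
```

The sub-prefix /25 is invalid even though it comes from the authorised AS, because the ROA's maxLength of 24 does not allow it; an AS that performs ROV drops it and keeps routing the covering /24, which is what lets the measurement tell the two collectors apart. Raising maxLength to 25 in the ROA would make the /25 valid, so maxLength should be set no longer than what is actually announced.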

Until now, no research has been done into the state of ROV among authoritative DNS operators. This research presents a method to measure and analyse that state, and answers the question: “What is the state of RPKI adoption on authoritative name servers?”. To answer that main question, three sub-questions have been defined:

  • How many authoritative name servers reside in an AS that does ROV?
  • How many domains are protected?
  • How many authoritative name servers have ROAs?

To measure the state, three entities have been created. There is one sender, which sends on the order of thousands of DNS requests per second to authoritative name servers. The sender is fed with a list of authoritative name server addresses, both IPv4 and IPv6, provided by OpenINTEL. The list includes the gTLDs, the ccTLDs, and the Alexa and Cisco Umbrella top one million. There are two collectors, both using the same IPv4 and IPv6 addresses. One is the valid collector, which resides in RPKI-valid prefixes; the other is the invalid collector, which resides in RPKI-invalid prefixes, namely more-specific announcements of the same address space. With this setup, it is possible to perform a controlled sub-prefix attack.

The collectors listen for DNS responses to the queries sent by the sender. Which collector receives a response reveals whether the authoritative name server resides in an AS that implements ROV: an AS that drops the invalid, more-specific announcement delivers its responses to the valid collector. A total of 731,113 IPv4 and 79,701 IPv6 authoritative name servers were queried. The measurements were taken between the 17th and 26th of July. The analysis shows that 42.87% of the IPv4-reachable authoritative name servers are protected by ROV, and 75.06% are covered by a ROA. For IPv6, the figures are 39.20% and 79.76% respectively. The analysis also shows that IPv6-reachable domains are, in proportion, better protected than IPv4-reachable domains: 73.14% for IPv6 versus 62.48% for IPv4.

This research yields more than an answer to the questions at hand. Over the course of a day, responses from the same individual authoritative name servers are seen at both the valid and the invalid collector, which shows that the Internet is a very dynamic place. The research also reveals the weakest-link problem.
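The classification step of the measurement (which collector saw each name server's responses, and what that implies about ROV) is shown below as an added example; it is not the presentation's code and does not reproduce the published tool. It reads constructed collector log lines in a made-up `collector=… ts=… ns=…` format, tallies per name server which collector(s) answered, and classifies each queried server as protected by ROV, not protected, unreachable, or mixed, the last being the case mentioned above where one server is seen at both collectors during the day. Per-address-family percentages are computed over reachable servers only, and mixed servers are reported separately rather than counted as protected; that reporting choice is this example's own.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed sample log: one line per DNS response received at a collector.
# Addresses are documentation ranges; timestamps are arbitrary Unix times.
SAMPLE_LOG = """\
collector=valid ts=1658102400 ns=203.0.113.53
collector=valid ts=1658102460 ns=203.0.113.53
collector=invalid ts=1658102400 ns=198.51.100.10
collector=valid ts=1658102400 ns=2001:db8::53
collector=invalid ts=1658145600 ns=2001:db8::53
"""

# Constructed target list fed to the sender; 192.0.2.7 never answers.
QUERIED = ["203.0.113.53", "198.51.100.10", "2001:db8::53", "192.0.2.7"]


def parse_log(text: str) -> list[tuple[str, int, str]]:
    """Parse key=value log lines into (collector, timestamp, name server address) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["collector"] not in ("valid", "invalid"):
            raise ValueError(f"unknown collector in line: {line!r}")
        events.append((fields["collector"], int(fields["ts"]), fields["ns"]))
    return events


def classify(queried: list[str], events: list[tuple[str, int, str]]) -> dict[str, str]:
    """Classify each queried name server by the set of collectors that received its responses.

    rov         only the valid collector saw responses: the invalid more-specific was dropped
    no-rov      only the invalid collector saw responses: the more-specific was preferred
    mixed       both collectors saw responses: the routing decision changed during the run
    unreachable no response at either collector
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for collector, _ts, ns in events:
        seen[ns].add(collector)
    result = {}
    for ns in queried:
        collectors = seen.get(ns, set())
        if not collectors:
            result[ns] = "unreachable"
        elif collectors == {"valid"}:
            result[ns] = "rov"
        elif collectors == {"invalid"}:
            result[ns] = "no-rov"
        else:
            result[ns] = "mixed"
    return result


def summarize(classes: dict[str, str]) -> dict[str, dict[str, float]]:
    """Per address family: counts and the share of reachable servers protected by ROV."""
    stats = {}
    for family in (4, 6):
        fam = {ns: c for ns, c in classes.items() if ipaddress.ip_address(ns).version == family}
        reachable = [c for c in fam.values() if c != "unreachable"]
        rov = sum(1 for c in reachable if c == "rov")
        mixed = sum(1 for c in reachable if c == "mixed")
        stats[f"IPv{family}"] = {
            "queried": len(fam),
            "reachable": len(reachable),
            "rov": rov,
            "mixed": mixed,
            "pct_rov": round(100.0 * rov / len(reachable), 2) if reachable else 0.0,
        }
    return stats


if __name__ == "__main__":
    classes = classify(QUERIED, parse_log(SAMPLE_LOG))
    for ns, c in classes.items():
        print(f"{ns:16s} {c}")
    print(summarize(classes))
```

Keeping the mixed servers out of both the protected and unprotected counts makes the reported ROV percentage a lower bound; a run that instead counted them as protected because at least one response reached the valid collector would overstate adoption.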

To aid reproducibility, future research, and further measurements, the code is publicly available:

https://gitlab.com/spost-os3-nl/dns-rpk-why

The planned presentation will include new measurements to check whether the results have changed over time.

Presentation delivery: In-person at the workshop venue

Primary authors

Mr Brice Habets (University of Amsterdam), Sander Post
