DNSSEC in stats. GC-SEC Global Cyber Security Center. Andrea Rigoni. CENTR Bruxelles, 7th October Global Cyber Security Center Director General

Transcription

1 Global Cyber Security Center DNSSEC in stats CENTR Bruxelles, 7th October 2010 Andrea Rigoni Global Cyber Security Center Director General

2 On the 7 th of May 2010 Poste Italiane founded GC-SEC, the Global Cyber Security Center a not-for-profit Foundation entirely dedicated to Cyber Security Objectives of GC-SEC General Benefits of GC-SEC Contribute to international innovation and policy agenda on cyber security topics Develop and disseminate a culture of Cyber Security through International Cooperation, Education and Research Provision to national and international partners and other organizations awareness / knowledge on cyber security topics Contribute to enhance Security of Governments and Private Companies in Europe and Worldwide 2

3 Global Cyber Security Center - Introduction Rome, 30 june 2010 The Center is based on a Multi Stakeholder model. Many organizations are joining the Center as members or partners 3 Ministry of Interior / Postal Police Italian Ministry of Economic Development - ISCOM Other Accademia National Institutions George Mason University Royal Holloway University of London, Carnegie Mellon University RUSI - Royal United Services Institute (London) University of Rome University of Milan Università La Sapienza SANS Institute Polytechnic of Milan MIP Business School Global Cyber Security Center Develop and disseminate a culture of Cyber Security through International Cooperation, Education and Research Poste Italiane International Institutions Private Sector Partners US Secret Service Universal Postal Union Department of Homeland Security European Commission / ENISA / JRC NICC (the Netherlands) SEMA (Swedish Emergency Management Agency) Centre for Strategic International Telecomms Union ITU Switzerland IMPACT Policia/Guardia Civil (Spain) ENEL Microsoft SAP Mastercard IBM Cisco Systems Booz & Company Symantec

4 Global Cyber Security Center - Introduction Rome, 30 june 2010 The GC-SEC will perform various core activities International Policy and Cooperation Support to the formulation of new policies And support new initiatives On International Cooperation Education & Training Conduct of highly specialized training and Provide high-level Education program The International Center Information Sharing GC-SEC will promote information Sharing at International Level Between Governments, Academia and Private Sector Research Applied Research on members selected projects 4

5 Agenda Setting the context cctld adoption status DNSSEC zones and TLD situation Performance stats and issues DNSSEC query traffic pattern DNSSEC computing resource overhead Registrars preparedness and issues Future developments and conclusions 5

6 cctld adoption status dnssec-deployment.org Brazil, Bulgaria, Czech Republic, Puerto Rico and Sweden early adopters DNSSEC deployed at ROOT level on July 15,

7 DNSSEC zones and TLD situation 294 TLDs in the root zone in total, of which: 53 TLDs are signed 42 TLDs have trust anchors published as DS records in the root zone 9 TLDs have trust anchors published in the IANA ITAR 11 TLDs have trust anchors published in the ISC DLV Repository 7 SecSpider DNSSEC Monitoring

8 Signed TLDs: 53!! Unsigned: DS record in Root DS record in IANA ITAR DS record in ISC DLV Newly signed; not yet in any repository: 9 10/6/10 8

9 Interval between consecutive queries* for org's DNSKEY per IP 9 Courtesy of Shinkuro

10 Some stats from Comcast 1 Peak queries per second against our DNSSEC-validating resolvers: up 500% since July 2010 [Keep in mind, the query volumes are minuscule on a relative basis, which makes the % look better than reality.] 2 Queries hitting DNSSEC-validating resolvers represents % of our total peak recursive server query volume. This is a natural reflection of the fact that we have a huge network and we're only in trial phase. 3 Queries hitting our authoritative servers for DNSSEC-related records (DNSKEY, DS, NSEC, RRSIG) represents < % of queries of these servers. 10

11 DNSSEC query traffic patterns.uk 11 Still low volume of DNSKEY queries (about 2% resolvers do validation), but slowly increasing Estimated 100 unique individual validating resolvers worldwide

12 DNSSEC computing resource overhead Bandwidth estimation basedon key size RIPE NCC Little impact on CPU load Memory footprint can be considerable but not an issue for authoritative servers running on commodity hardware Bandwidth usage increase can be significant (possible increase by 2 or 3 times) 12

13 Registrars preparedness and issues 1 Factors that registrars say are impeding DNSSEC implementation: Lack of customer demand Developing a process of key management, including storage and rollover Lack of internal expertise Most registrars (69%) will not offer DNSSEC services until 2011 or beyond: 37% planned to offer DNSSEC in % have no plan to offer DNSSEC within the next 12 months. Approximately 15% are going to offer DNSSEC services by the end of AFILIAS Registrar DNSSEC Readiness Report

14 Conclusions DNS is a critical service for Internet and for modern ICT networks Some areas of DNS Security need to be further analyzed and developed, therefore there is a need for new research projects DNS Security Metrics and Governance model DNSSEC implementation business cases GCSEC is willing to invest on DNS Security through: Organization of a DNSSEC Training in December 2010 and/or February 2011 Application to EU Funds for a DNS Security Research Project 14

15 How to stay updated on GC-SEC GCSEC Global Cyber Security Center (GC-SEC) 15