JAPAN REGISTRY SERVICES
DNSSEC validation measurement --- How to count Validators
Kazunori Fujiwara, JPRS
March 13, 2011, DNS-OARC Workshop
Copyright © 2011 Japan Registry Services Co., Ltd.
Contents
• Assumption
  – Definition of diffusion rate of DNSSEC Validation
• JPRS' data
• Result from full packet capture
• Result from 2 of 7 JP DNS servers
• Conclusion and future works
Assumption
Assumption: How to detect validators
• The JP DS RR has been introduced into the root zone
• The JP DNSKEY TTL is 86400 seconds (1 day)
• Therefore a DNSSEC validator that validates JP domain names every day has to refetch the JP DNSKEY RRset once a day, i.e. it sends a JP DNSKEY query to the JP DNS servers once a day
Definition: Validators and Resolvers
• Validators
  – IP addresses which send JP DNSKEY queries (as seen at the JP DNS servers)
• Resolvers
  – IP addresses which send JP zone queries (as seen at the JP DNS servers)
Diffusion rate of DNSSEC Validation (Host based)
• The diffusion rate of DNSSEC validation may be measured by counting the number of Validators and the number of Resolvers
• (Host based) Diffusion rate of DNSSEC Validation = Number of Validators / Number of Resolvers
Diffusion rate of DNSSEC Validation (Query count based)
• Number of queries from Validators = number of JP queries originated by Validator IP addresses (all of their queries, not only the DNSKEY queries)
• Number of queries from all Resolvers = number of queries received by the JP DNS servers
• (Query count based) Diffusion rate of DNSSEC Validation = Number of queries from Validators / Number of queries from all Resolvers
JPRS’ data sets
Overview of JP
• .JP has 1,207,100 registered domain names (March 1, 2011)
• JP DNS servers serve 1.6 billion queries per day
• Collecting packet captures and query logs

Name      Operator  Location          Address (IPv4: 7, IPv6: 6, total 13)  Capture
A.DNS.JP  JPRS      JP*2              203.119.1.1, 2001:dc4::1              Pcap/Log
B.DNS.JP  JPNIC     JP*1              202.12.30.131, 2001:dc2::1            Pcap
C.DNS.JP  JPRS      Worldwide         156.154.100.5, 2001:502:ad09::5       Pcap
D.DNS.JP  IIJ       JP*2, US*2        210.138.175.244, 2001:240::53         Pcap
E.DNS.JP  WIDE      JP*1, US*1, FR*1  192.50.43.53, 2001:200:c000::35       Pcap
F.DNS.JP  NII       JP*1              150.100.2.3, 2001:2f8:0:100::153      Pcap
G.DNS.JP  JPRS      JP*1              203.119.40.1                          Pcap/Log
JPRS' data sets
• JPRS collected a two-day (55-hour) full capture of DNS packets around the time the JP DS was registered in the root zone
  – JP's DS RR was introduced into the root zone at about 4:38, Dec. 10, 2010 (UTC)
  – JPRS collected from 22:00 Dec. 9 to 14:00 Dec. 12, 2010 (UTC)
  – 6.5 hours before the JP DS was introduced
  – 48.5 hours after the JP DS was introduced
• JPRS has been collecting DNS query logs from 2 of the 7 JP DNS servers for 7 years
  – A.DNS.JP and G.DNS.JP are operated by JPRS and located in Japan, so their logs are easy to collect
  – The A.DNS.JP query log has been collected for over 7 years
  – The G.DNS.JP query log has been collected for over 2 years
Result of full packet capture
When JP DS was introduced into root
• Two-day (55 hours) total
  – 1,831,434 IP addresses sent 3,709,177,100 JP queries
  – 3,315 IP addresses sent 55,920 JP DNSKEY queries
  – 75% of the DNSKEY queries came from one IP address
  – 5.6% of the DNSKEY queries came from JPRS' monitors
• Calculated for 4 time slots
  – Before the JP DS was introduced: 6 hours
  – Changing: 1 hour
  – First 24 hours after the JP DS was introduced
  – Second 24 hours after the JP DS was introduced
Result of 55 hours packet capture (Date/Time is represented as UTC)

                                Total 55h       Before 6h     Changing 1h   First 24h       Second 24h
Begin Day/Time                  9/22:00         9/22:00       10/04:00      10/05:00        11/05:00
End Day/Time                    12/05:00        10/04:00      10/05:00      11/05:00        12/05:00
Day of week                     Fri-Sun         Friday        Friday        Fri-Sat         Sat-Sun
Num of Validators               3,315           280           118           2,468           2,277
Num of Resolvers                1,831,434       784,513       468,384       1,469,184       1,108,903
Ratio of Validators (%)         0.181%          0.036%        0.025%        0.168%          0.205%
Num of queries from Validators  220,000,744     1,014,282     477,893       83,947,487      65,179,656
Num of queries from Resolvers   3,709,177,100   429,276,877   83,736,527    1,670,176,896   1,525,986,800
Validators' share of queries    5.93%           0.24%         0.57%         5.03%           4.27%

The ratios in the first three columns are not on the original slide; they are computed here as Validators / Resolvers from the counts above, and the two ratios that are on the slide (0.168% and 0.205%) agree with the same computation.
Result of 2 of 7 JP DNS servers
Querylog from [AG].DNS.JP
• JPRS has been collecting query logs from A.DNS.JP and G.DNS.JP for several years
  – The diffusion rate of DNSSEC validation may be calculated from these query logs
• But full-service resolvers cache
  – The JP DNSKEY TTL is 86400 (1 day), so a validator needs to fetch the JP DNSKEY only once a day
  – A resolver can choose any of the 13 JP DNS server addresses for that one query
  – So JPRS' query logs, which cover only A.DNS.JP and G.DNS.JP, do not contain every validator's DNSKEY query
• How to adjust?
DNSKEY queries from JPRS' test Validator
• The test Validator sends JP zone queries every day, so it sends a JP DNSKEY query once a day
• In the example, there are 6 continuous days (Feb. 13 to Feb. 18) in which our query log cannot detect a JP DNSKEY query from the server, because the daily DNSKEY query went to a JP DNS server whose log we do not collect
• Assumption: an IP address is a Validator if it sent JP DNSKEY queries in the past 7 days

How many queries JPRS' test Validator sent to [AG].DNS.JP:
20110210 JPquery=62  DNSKEYquery=0
20110211 JPquery=52  DNSKEYquery=1
20110212 JPquery=26  DNSKEYquery=1
20110213 JPquery=45  DNSKEYquery=0
20110214 JPquery=52  DNSKEYquery=0
20110215 JPquery=48  DNSKEYquery=0
20110216 JPquery=127 DNSKEYquery=0
20110217 JPquery=65  DNSKEYquery=0
20110218 JPquery=28  DNSKEYquery=0
20110219 JPquery=41  DNSKEYquery=1
20110220 JPquery=31  DNSKEYquery=1
20110221 JPquery=27  DNSKEYquery=0
20110222 JPquery=27  DNSKEYquery=0
20110223 JPquery=25  DNSKEYquery=0
20110224 JPquery=29  DNSKEYquery=1
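The counting method of the "Definition" and "Diffusion rate" slides, together with the 7-day adjustment above, as an added example in Python. This is not code from the talk or from JPRS: the query log format ("YYYYMMDD source-ip qname qtype", one query per line), the sample log and the IP addresses are all constructed for illustration, and the function names are mine. It computes the host-based and query-based diffusion rates for one day, optionally with the fixed Resolver count and with known monitors excluded, as the later slides do.

```python
# Added example, not code from the talk or from JPRS: counts Validators and
# Resolvers from an authoritative query log using the talk's definitions,
# computes the host-based and query-based diffusion rates, and applies the
# 7-day sliding-window adjustment for a log that covers only some of the
# JP DNS servers.  The log format is a constructed one ("YYYYMMDD ip qname
# qtype", one query per line); the addresses are documentation ranges.
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample log (not real JPRS data).
# 198.51.100.10: a validator whose daily DNSKEY query reaches a logged server only on Feb 10
# 192.0.2.1:     a monitor that asks for the JP DNSKEY every day
# 203.0.113.5:   a resolver that never asks for DNSKEY (it also sends one non-JP query)
SAMPLE_LOG = """\
20110210 198.51.100.10 jp DNSKEY
20110210 198.51.100.10 www.example.jp A
20110210 203.0.113.5 www.example.jp A
20110210 203.0.113.5 example.jp MX
20110210 192.0.2.1 jp DNSKEY
20110211 198.51.100.10 www.example.jp AAAA
20110211 198.51.100.10 ns.example.jp A
20110211 203.0.113.5 www.example.jp A
20110211 203.0.113.5 www.example.com A
20110211 192.0.2.1 jp DNSKEY
20110216 198.51.100.10 www.example.jp A
20110216 203.0.113.5 www.example.jp A
20110216 192.0.2.1 jp DNSKEY
20110217 198.51.100.10 www.example.jp A
20110217 203.0.113.5 www.example.jp A
20110217 192.0.2.1 jp DNSKEY
"""


def parse_day(s):
    """'20110210' -> date(2011, 2, 10)."""
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def parse_log(text):
    """Return a list of (day, source ip, qname, qtype) for each non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, ip, qname, qtype = line.split()
        records.append((parse_day(day), ip, qname.lower().rstrip("."), qtype.upper()))
    return records


def is_jp_query(qname):
    # Queries for names outside .JP (misdirected or bogus) are not JP zone queries.
    return qname == "jp" or qname.endswith(".jp")


def daily_sets(records):
    """Per day: Resolvers (IPs sending JP zone queries), raw Validators
    (IPs sending JP DNSKEY queries) and the per-IP query counts."""
    resolvers = defaultdict(set)
    validators = defaultdict(set)
    queries = defaultdict(lambda: defaultdict(int))  # day -> ip -> count
    for day, ip, qname, qtype in records:
        if not is_jp_query(qname):
            continue
        resolvers[day].add(ip)
        queries[day][ip] += 1
        if qname == "jp" and qtype == "DNSKEY":
            validators[day].add(ip)
    return resolvers, validators, queries


def adjusted_validators(validators, day, window=7):
    """The talk's adjustment: an IP is a Validator on `day` if it sent a JP DNSKEY
    query in the `window` days ending on `day` inclusive.  window=1 gives the
    unadjusted per-day count used for the full packet capture."""
    seen = set()
    for back in range(window):
        seen |= validators.get(day - timedelta(days=back), set())
    return seen


def diffusion_rates(records, day, window=7, fixed_resolvers=None, exclude=frozenset()):
    """Host-based and query-based diffusion rates for one day.
    fixed_resolvers replaces the per-day Resolver count (the talk fixes it at
    1,469,184 because the 7-day union over-counts Resolvers); exclude removes
    known monitors and pre-DS trust-anchor users from the Validator set."""
    if isinstance(day, str):
        day = parse_day(day)
    resolvers, validators, queries = daily_sets(records)
    vset = adjusted_validators(validators, day, window) - set(exclude)
    n_res = fixed_resolvers if fixed_resolvers is not None else len(resolvers[day])
    total_q = sum(queries[day].values())
    val_q = sum(n for ip, n in queries[day].items() if ip in vset)
    return {
        "validators": len(vset),
        "resolvers": n_res,
        "host_rate": len(vset) / n_res if n_res else 0.0,
        "query_rate": val_q / total_q if total_q else 0.0,
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for d in ("20110210", "20110211", "20110216", "20110217"):
        print(d, "1-day:", diffusion_rates(recs, d, window=1),
              "7-day:", diffusion_rates(recs, d))
```

On the sample log the validator 198.51.100.10 is counted on Feb 10, 11 and 16 with the 7-day window but drops out on Feb 17, the first day on which its only logged DNSKEY query is older than 7 days; with window=1 it is counted only on Feb 10, which is the effect the test-Validator slide shows.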
Figure: Number of IP addresses which send JP DNSKEY queries, Nov. 8, 2010 to Feb. 28, 2011 (dates in JST). Two series from the [AG].DNS.JP query log: the per-day count ("1 Day") and the count adjusted to a 1-week window ("Adjusted for 1 week"); y axis 0 to 4,000. The JP DS introduction into root (Dec. 10) is marked, with the full packet capture values 2,468 at Dec. 10 and 2,277 at Dec. 11.

From the full packet capture, there are 2,468 and 2,277 IP addresses in the two 24-hour slots. They are close to the adjusted value of about 2,400 at Dec. 17 (7 days after Dec. 10). The adjustment seems to fit for DNSKEY queries.
Figure: Number of IP addresses which send JP queries, Nov. 8, 2010 to Feb. 28, 2011 (dates in JST). Two series from the [AG].DNS.JP query log: the per-day count ("1 Day") and the count adjusted to a 1-week window ("Adjusted for 1 week"); y axis 0 to 3,500,000. The JP DS introduction into root is marked, with the full packet capture values 1,469,184 at Dec. 10 and 1,108,903 at Dec. 11.

The adjusted numbers of Resolvers are between 2.2 million and 3.3 million. From the full packet capture, there are 1,469,184 and 1,108,903 IP addresses in a day, so the 1-week union counts two to three times the daily number. The adjustment does not fit for Resolvers. I therefore use a fixed number of Resolvers, 1,469,184 (the weekday value).
Figure: Diffusion rate of DNSSEC validation, host based, Nov. 8, 2010 to Feb. 28, 2011 (dates in JST). Two series: "1 Day" and "Adjusted (1 week adjust + fixed resolver number)"; y axis: rate of DNSSEC validators, 0 to 0.25%. The JP DS introduction into root is marked, with the full packet capture values 0.168% at Dec. 10 and 0.205% at Dec. 11.

0.23% of IP addresses send JP DNSKEY queries. The increase over the level before Dec. 10 is 0.17%; that increase may be the real DNSSEC validators.
Figure: Diffusion rate of DNSSEC validation, query based, Nov. 8, 2010 to Feb. 28, 2011 (dates in JST). Two series: "1 Day" and "Adjusted (1 week)"; y axis: rate of queries originated by DNSSEC Validators (%), 0 to 10. The JP DS introduction into root is marked, with the full packet capture values 5.03% at Dec. 10 and 4.27% at Dec. 11.

About 2% of queries may come from DNSSEC monitors, because that share was already present before the JP DS was introduced. The increase is 6%, so about 6% of queries may come from DNSSEC validators.
Cause of increase
• 6% of queries may have come from Validators
• A large-scale organization might have enabled DNSSEC validation
• Or, some users of some large-scale organization send "JP DNSKEY" queries to their resolvers, which forward them to the JP DNS servers
  – The two cases cannot be distinguished from the authoritative servers' query logs
Who sent JP DNSKEY queries before JP DS was introduced in root
• About 900 IP addresses
• Why?
  – There are many DNSSEC monitors
  – JPRS operates monitors for its own service
  – Someone set the JP DNSKEY as a trust anchor (I did)
• IP addresses which sent JP DNSKEY queries before the JP DS was introduced may not be real Validators
• Then the increase after the JP DS introduction might be the real DNSSEC Validators
• There are about 3,000 IP addresses which send JP DNSKEY queries periodically
• So the number of real Validators is about 2,100 (0.17% of Resolvers)
Conclusion and future works
Conclusion
• Tried to define the diffusion rate of DNSSEC validation
• Calculated the diffusion rate of DNSSEC validation using JPRS' data
• The number of Validators seems to be increasing
  – There seem to be about 2,100 Validators (0.17% of Resolvers)
  – They send 6% of queries
• Even a partial query log from a TLD's DNS servers is useful for calculating the diffusion rate of DNSSEC validation
Future works and Questions
• Improving accuracy
  – Excluding DNSSEC monitors and DNSKEY queries driven by users' interest rather than by validation
• More data: let's evaluate the diffusion rate of DNSSEC Validation
  – Collecting DNS packets before and after a TLD's DS introduction into root is useful
  – Or, root servers can collect complete data
  – May I access other data?
• Comments & Questions?