Farsight TXT Record

Zone Walking (Zone Enumeration via DNSSEC NSEC Records)

Written by: Joe St Sauver, Ph.D.
Published on: Sep 1, 2017

I. Introduction

An important capability of DNSSEC is the ability to authoritatively assert that a given domain name does NOT exist, as described in “Authenticated Denial of Existence in the DNS” (RFC 7129).

Originally this was done by leveraging NSEC records. However, as noted in section 3.4 of RFC 7129:

There were two issues with NSEC (and NXT). The first is that it allows for zone walking. NSEC records point from one name to another; in our example: “example.org” points to “a.example.org”, which points to “d.example.org”, which points back to “example.org”. So, we can reconstruct the entire “example.org” zone, thus defeating attempts to administratively block zone transfers ([RFC2065], Section 5.5).

The second issue is that when a large, delegation-centric ([RFC5155], Section 1.1) zone deploys DNSSEC, every name in the zone gets an NSEC plus RRSIG.

[continues]

NSEC3 records were introduced as an alternative to NSEC records, and provide a way to (largely) mitigate this exposure: the chain still exists, but each owner name is replaced by a salted, iterated SHA-1 hash, so a walker collects hashes rather than names and has to guess the names offline.

The question we consider today is, “Do any zones still sign with NSEC instead of NSEC3?”

Actually, yes, a surprisingly large number of them do.

II. Empirically Checking For NSEC Use

Beginning with the list of TLDs available from IANA, we used ldns-walk (part of NLnet Labs’ ldns distribution) to check each TLD for NSEC.

Once you’ve installed that software, using it is trivial; you merely say:

$ ldns-walk domainname

For example, if you were to walk the KY TLD (no, that’s not Kentucky or Kyrgyzstan; dot KY is the Cayman Islands), you’d get output that looks like:

$ ldns-walk ky
ky. ky. NS SOA RRSIG NSEC DNSKEY
000.ky. NS RRSIG NSEC
100kids.ky. NS RRSIG NSEC
100men.ky. NS RRSIG NSEC
100women.ky. NS RRSIG NSEC
100womencayman.ky. NS RRSIG NSEC
1040.ky. NS RRSIG NSEC
111.ky. NS RRSIG NSEC
123.ky. NS RRSIG NSEC
1fifteen.ky. NS RRSIG NSEC
1rumpoint.ky. NS RRSIG NSEC
1uc.ky. NS RRSIG NSEC
200.ky. NS RRSIG NSEC
2017oldenbergltd.ky. NS RRSIG NSEC
[etc]

If we discovered that a TLD used NSEC records, we walked the entire TLD.
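The mechanism ldns-walk exploits is the one the RFC 7129 quotation describes: a signed server must hand out the NSEC record that covers any name it claims does not exist, and that record names the real next owner. The following is an added example, not code from this post or from ldns, that walks a constructed in-memory zone the same way: it sorts names in RFC 4034 canonical order, builds the NSEC chain, and then enumerates the zone by repeatedly asking for the name that sorts immediately after the last one learned. The zone contents, the ToyAuthoritativeServer class and the walk_zone function are all assumptions made for the example; signatures, wildcards and referrals at delegations are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass


def canonical_key(name: str) -> tuple[bytes, ...]:
    """Sort key for canonical DNS name order (RFC 4034 section 6.1):
    labels compared right to left as case-folded octet strings, with a
    name sorting before every name that extends it.  Python tuple
    comparison has exactly those semantics.  ASCII names only; the
    zone-file escape \\000 is passed as a literal NUL character here."""
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_owner: str
    types: frozenset[str]

    def covers(self, qname: str) -> bool:
        """True when qname sorts strictly between owner and next_owner.
        The last NSEC in a zone points back to the apex, so for that
        record "between" means after the owner or before the apex."""
        k, lo, hi = canonical_key(qname), canonical_key(self.owner), canonical_key(self.next_owner)
        if hi <= lo:  # wrap-around record (or a zone holding a single name)
            return lo < k or k < hi
        return lo < k < hi


class ToyAuthoritativeServer:
    """Constructed stand-in for a signed authoritative server answering
    queries of type NSEC.  No signatures, and delegations are treated like
    ordinary names (no referrals)."""

    def __init__(self, zone: dict[str, set[str]]) -> None:
        by_key = {canonical_key(n): (n, frozenset(t) | {"RRSIG", "NSEC"}) for n, t in zone.items()}
        order = sorted(by_key)
        self.chain: list[Nsec] = [
            Nsec(by_key[k][0], by_key[order[(i + 1) % len(order)]][0], by_key[k][1])
            for i, k in enumerate(order)
        ]

    def query(self, qname: str) -> tuple[str, Nsec]:
        """NOERROR plus the name's own NSEC if qname exists; otherwise
        NXDOMAIN plus the NSEC proving the gap (RFC 4035 section 3.1.3)."""
        k = canonical_key(qname)
        for rec in self.chain:
            if canonical_key(rec.owner) == k:
                return "NOERROR", rec
            if rec.covers(qname):
                return "NXDOMAIN", rec
        raise AssertionError("an NSEC chain partitions the whole name space")


def walk_zone(server: ToyAuthoritativeServer, apex: str, max_steps: int = 1_000_000) -> list[Nsec]:
    """Enumerate a zone by following its NSEC chain from the apex.

    Each step queries the name that sorts immediately after the last
    name learned: a leading one-octet label of 0x00 (\\000 in zone-file
    escaping) is the smallest label possible, so nothing can sit between
    X and \\000.X, and the denial proof's next_owner is X's successor."""
    found: list[Nsec] = []
    current = apex
    for _ in range(max_steps):
        rcode, rec = server.query("\x00." + current)
        if rcode == "NOERROR":
            # \000.current itself exists: record current's own NSEC first.
            found.append(server.query(current)[1])
        found.append(rec)
        if canonical_key(rec.next_owner) == canonical_key(apex):
            return found  # chain wrapped: the whole zone has been seen
        current = rec.next_owner
    raise RuntimeError("NSEC chain never returned to the apex")


# Constructed zone using the names from the RFC 7129 quotation plus a few more.
TOY_ZONE: dict[str, set[str]] = {
    "example.org.": {"SOA", "NS", "DNSKEY"},
    "a.example.org.": {"NS"},        # delegation: NS RRSIG NSEC, like the ky. output
    "d.example.org.": {"A", "AAAA"},
    "Mail.example.org.": {"MX"},     # mixed case: canonical order is case-insensitive
    "ns1.example.org.": {"A"},
    "www.example.org.": {"A"},
}


def walk_names(zone: dict[str, set[str]], apex: str) -> list[str]:
    """The owner names a walk of `zone` reveals, in chain order."""
    return [rec.owner for rec in walk_zone(ToyAuthoritativeServer(zone), apex)]


if __name__ == "__main__":
    for rec in walk_zone(ToyAuthoritativeServer(TOY_ZONE), "example.org."):
        print(rec.owner, " ".join(sorted(rec.types)))
```

Run stand-alone, the script prints the six owner names with their type bitmaps in the same shape as the ldns-walk output above. The walk never needs AXFR: six ordinary queries, each answered with a legitimate denial-of-existence proof, reproduce the zone, which is exactly why blocking zone transfers does nothing against an NSEC-signed zone.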

TLDs in which we found one hundred or more NSEC-using domains are listed in the following table:

Table I. TLDs With One Hundred Or More NSEC-Secured Domains

NSEC-secured domains   TLD
2,557,983 us
2,118,203 co
2,070,537 biz
152,779 link
76,500 click
53,983 bg
29,354 lk
26,619 tn
24,784 help
24,768 lol
22,988 sexy
22,165 photo
10,768 pics
9,524 kg
8,107 audio
5,656 hosting
5,353 ky
3,451 mg
2,135 game
1,989 how
1,766 pr
1,373 hiphop
1,286 br
1,195 sl
392 auto
382 na
319 lr
[other TLDs with fewer than one hundred NSEC-secured domains omitted]

We found that to be an unexpectedly large number of domains.

III. “So Are You Suggesting That Domains Shouldn’t Do DNSSEC?”

No — the exact opposite, in fact. Farsight strongly believes that all domains should use DNSSEC when possible; Farsight uses DNSSEC for its own domains and has strong support for DNSSEC in DNSDB (our flagship passive DNS product). Everyone really should have the protection that DNSSEC offers.

IV. “So If A TLD (or 2nd-Level Domain) Is Going to Use DNSSEC, Should It Be Using NSEC3 Instead of NSEC?”

Not necessarily — for example, Farsight itself uses NSEC (rather than NSEC3) to secure its domains, and yes, as a result, you can walk our domains. The company’s perspective is that we’ve got nothing confidential in our publicly-available authoritative DNS, and so we make an informed decision to use NSEC rather than NSEC3.

You (or the TLDs you use) may feel differently: most TLDs block zone transfers, for example, and in that case it might make sense to use NSEC3 rather than NSEC so that the TLD cannot simply be zone walked. Keep in mind that NSEC3 raises the cost of enumeration rather than eliminating it, since the hashed owner names it publishes can still be guessed offline.
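To show what “largely mitigate” means in practice, here is an added example (not code from this post) of the attack that remains against an NSEC3 zone: compute the RFC 5155 hash for each owner name, treat the resulting set as the chain a walker would have collected from NXDOMAIN proofs, and then recover names with an offline dictionary. The zone contents, word list and helper names are assumptions constructed for the example; the salt and iteration count are the RFC 5155 Appendix A parameters, and the apex hash matches that appendix’s test vector.

```python
import base64
import hashlib

# Base32hex (RFC 4648 section 7) via the standard Base32 alphabet and a translation table.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lower-cased,
    length-prefixed labels terminated by the zero-length root label."""
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = SHA-1(wire || salt), IH(k) = SHA-1(IH(k-1) || salt);
    the NSEC3 owner label is IH(iterations) in lower-case Base32hex (20 bytes, so no padding)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def nsec3_chain(zone_names, salt: bytes, iterations: int) -> set[str]:
    """What a walker ends up with after querying an NSEC3 zone: hashes only.
    (A real walker collects them from denial proofs exactly as with NSEC.)"""
    return {nsec3_hash(n, salt, iterations) for n in zone_names}


def crack_nsec3_chain(hashes: set[str], apex: str, salt: bytes, iterations: int, wordlist) -> dict[str, str]:
    """Offline dictionary attack: no further DNS queries, just hash each guess
    (the apex, then each word as a label under it) and look it up in the chain."""
    recovered: dict[str, str] = {}
    for word in [None, *wordlist]:
        candidate = apex if word is None else f"{word}.{apex}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in hashes:
            recovered[h] = candidate
    return recovered


SALT = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A salt and iteration count
ITERATIONS = 12
# Constructed zone contents; a walker never sees these names directly.
ZONE_NAMES = ["example.", "a.example.", "ns1.example.", "www.example.", "q7x-internal.example."]
# Constructed word list; real attacks use millions of observed hostnames.
WORDLIST = ["www", "mail", "ns1", "ns2", "ftp", "a", "vpn"]


def demo() -> tuple[int, int]:
    """Returns (hashes collected, names recovered) for the constructed zone."""
    chain = nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    recovered = crack_nsec3_chain(chain, "example.", SALT, ITERATIONS, WORDLIST)
    return len(chain), len(recovered)


if __name__ == "__main__":
    chain = nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    recovered = crack_nsec3_chain(chain, "example.", SALT, ITERATIONS, WORDLIST)
    for h in sorted(chain):
        print(h, recovered.get(h, "<not in word list>"))
```

Four of the five hashes fall to a seven-word list; only the unguessable label survives. That is the whole difference between NSEC and NSEC3 for a TLD: the attacker still learns how many names exist and gets a hash for each, and every common label is recovered at the cost of one SHA-1 chain per guess.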

V. “What About Privacy? Zone Walking Feels As If It Encroaches on Domain Owner Privacy!”

Privacy is important, and something that Farsight takes very seriously. However, we agree with the fundamental conclusion of NLnet Labs’ DNSSEC statement on this point: the mere ability to get a list of domain names does not compromise a domain owner’s privacy.

Given the contentious European General Data Protection Regulation and its potential for catastrophic restrictions on access to Whois information, we will refrain from comment on the remainder of NLnet Labs’ DNSSEC statement as it relates to Whois data, except to say that we believe continued access to Domain Whois and IP Whois is absolutely critical to maintaining a workable, transparent, accountable, and usable Internet.

VI. Conclusion

We hope you’ve found this an interesting topic to explore. If you’d like to know more about how Farsight Security’s DNSDB service can help you leverage DNS data in your investigations, including DNSSEC-related DNS records, feel free to contact Farsight Security, Inc.

Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.