[ksk-rollover] Post IETF - determining 5011 support - part 1

Michael StJohns msj at nthpermutation.com
Mon Nov 12 17:55:14 UTC 2018


Paul asked me to drop a note to the list describing a few techniques 
that I think might be used to determine whether a querying entity 
supports 5011.  This email describes detection through the use of the 
REVOKE bit.  (Note that I haven't tested any of these - but they should 
work.)

1) Assume that non-5011 entities silently ignore the revoke bit

2) Per 5011, the revoke bit applies to ALL DNSKEY records, not just the 
root KSKs and you're not allowed to trace a chain of trust through a 
revoked key.

3) In a non-root zone, set up delegations to two zones - "valid" and 
"invalid".

4) Set the valid zone up with the normal KSK/ZSK pair in the DNSKEY 
RRSet.  Set the invalid zone up but with the ZSK having the revoke bit 
set.  Create the RRSIGs as appropriate and remember to have the ZSK in 
the invalid zone also sign the DNSKEY RRSet (to cause the key to be 
revoked).

5) Seed both zones with various A/AAAA and CNAME records.

6) Place web servers at the location pointed to by each of the A/AAAA 
RRSets and at a place pointed to by the CNAME record.

7) Seed a popular web page (get Google or some other high traffic name 
to help) with URLs that point to items (say a JPG) served by each of the 
web servers - avoid having anything else at those servers but these items.

8) Collect logs on the DNS server and on the web servers over a period 
of a month or so.

9) Do the analysis.   Items retrieved from the server pointed to by the 
A/AAAA RRSet signed by the revoked ZSK are probably being pulled by 
clients served by resolvers that don't do 5011. Correlate the times of 
DNS query with times of web queries - you'll mostly pull up the first 
query from a given resolver before it caches the answer. Pairing an 
invalid URL (in the sense that DNSSEC should prevent its retrieval) with 
a valid URL allows for a check against false negatives.

If the correlation by log analysis doesn't work - have the DNS server 
return dynamic addresses for the web server that encode the resolver's 
identity in some manner.  (For example, by twiddling the CNAME so that a 
browser generates an SNI with the resolver identity encoded for a TLS 
connection).


So:

Client that sees web pages pointed to by both valid and invalid zones is 
probably being served by a non-5011 resolver.

Client that sees only web pages pointed to by the valid zone is probably 
being served by a 5011 resolver.

Client that sees either neither of the web pages or only the invalid web 
page is probably being served by a broken resolver.

Mike
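The log analysis in steps 8 and 9 and the three verdicts above, as an added example that is not part of Mike's post: it groups web-server hits by client address and applies the valid/invalid rules. It assumes a combined-format access log with the served virtual host appended (Apache's `%v`), and the host names, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Host names served by the two probe web servers (constructed; the post
# leaves the zone names unspecified).
VALID_HOST = "img.valid.example"
INVALID_HOST = "img.invalid.example"

# Combined-log line with the served virtual host appended (Apache "%v").
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ (?P<host>\S+)$'
)

def parse(lines):
    """Yield (client, host) for successful probe fetches; skip junk lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            yield m.group("client"), m.group("host")

def classify(lines, known_clients=()):
    """Apply the post's three rules per client address.

    known_clients: addresses seen in the DNS logs but perhaps never on the
    web servers, so the "neither page" case can be reported too.
    """
    seen = defaultdict(set)
    for client, host in parse(lines):
        seen[client].add(host)
    verdicts = {}
    for client in set(seen) | set(known_clients):
        hosts = seen.get(client, set())
        valid, invalid = VALID_HOST in hosts, INVALID_HOST in hosts
        if valid and invalid:
            verdicts[client] = "non-5011"   # revoked ZSK was accepted
        elif valid:
            verdicts[client] = "5011"       # invalid name correctly failed
        else:
            verdicts[client] = "broken"     # neither page, or only the invalid one
    return verdicts

# Constructed sample lines: three clients behind three different resolvers.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2018:17:55:14 +0000] "GET /probe.jpg HTTP/1.1" 200 512 img.valid.example',
    '192.0.2.10 - - [12/Nov/2018:17:55:15 +0000] "GET /probe.jpg HTTP/1.1" 200 512 img.invalid.example',
    '192.0.2.20 - - [12/Nov/2018:17:56:01 +0000] "GET /probe.jpg HTTP/1.1" 200 512 img.valid.example',
    '192.0.2.30 - - [12/Nov/2018:17:57:40 +0000] "GET /probe.jpg HTTP/1.1" 200 512 img.invalid.example',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, verdict in sorted(classify(SAMPLE_LOG, known_clients=["192.0.2.40"]).items()):
        print(client, verdict)
```

Each verdict is per client address, so it really characterises the resolver that client uses; many clients behind one forwarding resolver will share a verdict.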
