Hello, I think this may be interesting for the members of this list: I'm developing an Open-Source tool called badkeys [1] that checks cryptographic public keys for known vulnerabilities. (Think of things like the Debian OpenSSL bug, ROCA, etc.)
As part of a project funded by NLnet [2], I am now doing regular scans of keys in the DNSSEC ecosystem. (Similar scans for DKIM will follow soon.) Those involve fetching DNSKEY and CDNSKEY records from domains in the Tranco Top 1 Million or DomCop Top 10 Million list (I'm alternating between different domain lists) and checking them with badkeys.

You can find summary reports here: https://monitor.badkeys.info/dnssec/

If you check the reports, you will see that there aren't many findings. (Aka: not many people are using known-insecure keys in DNSSEC.) I've seen a small number of hosts using an example key from RFCs (tried reporting those to the affected hoster, but no reaction). There are also occasionally corrupted keys (parser issues or RSA keys with multiple small prime factors) to be found.

If you want to try badkeys yourself with DNSSEC, you'd do something like this:

  host -t DNSKEY example.org | badkeys -a --dnssec -

[1] https://badkeys.info/
[2] https://nlnet.nl/project/badkeys/

--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
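The two kinds of "corrupted keys" the post mentions, truncated RSA public keys that break parsers and moduli with small prime factors, are easy to reproduce on a DNSKEY record. The script below is an added example, not code from badkeys or from the author: it parses the RSA public key field of a DNSKEY record as laid out in RFC 3110 (exponent length, exponent, modulus), accepts both zone-file lines and the "has DNSKEY record" output of `host`, and trial-divides the modulus by every prime below 2^16. The sample records, the toy-sized primes used to build them and the `example.org` name are all constructed for the example; a real DNSKEY modulus is 1024 bits or more, which is why the size check is included.

```python
"""Parse RSA DNSKEY records (RFC 3110 public key encoding) and run basic
sanity checks: truncated keys, undersized moduli, small prime factors.
Added example; not part of badkeys."""
import base64
import re
from dataclasses import dataclass

# Matches both zone-file style ("IN DNSKEY 257 3 8 <b64>") and the output of
# `host -t DNSKEY` ("example.org has DNSKEY record 257 3 8 <b64>").
DNSKEY_RE = re.compile(r"DNSKEY\s+(?:record\s+)?(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")

# DNSSEC algorithm numbers whose public key uses the RFC 3110 RSA encoding.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}


@dataclass
class RsaDnskey:
    flags: int
    algorithm: int
    e: int  # public exponent
    n: int  # modulus


def encode_rsa_pubkey(e: int, n: int) -> bytes:
    """RFC 3110 section 2: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        length = bytes([len(e_bytes)])
    else:
        length = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return length + e_bytes + n_bytes


def parse_rsa_dnskey(line: str) -> RsaDnskey:
    """Extract (flags, algorithm, e, n) from one DNSKEY record line."""
    m = DNSKEY_RE.search(line.strip())
    if not m:
        raise ValueError("not a DNSKEY record line")
    flags, _proto, alg, b64 = int(m[1]), int(m[2]), int(m[3]), m[4]
    if alg not in RSA_ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not RSA")
    raw = base64.b64decode("".join(b64.split()))
    if not raw:
        raise ValueError("empty public key")
    if raw[0] != 0:
        e_len, pos = raw[0], 1
    else:
        e_len, pos = int.from_bytes(raw[1:3], "big"), 3
    if e_len == 0 or len(raw) < pos + e_len + 1:
        raise ValueError("truncated RSA public key")  # the "parser issues" class
    e = int.from_bytes(raw[pos:pos + e_len], "big")
    n = int.from_bytes(raw[pos + e_len:], "big")
    return RsaDnskey(flags, alg, e, n)


def small_primes(limit: int) -> list:
    """Sieve of Eratosthenes: all primes below limit."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


SMALL_PRIMES = small_primes(1 << 16)


def small_factors(n: int) -> list:
    """Trial-divide n by every prime below 2^16; a sound RSA modulus has none."""
    found = []
    for p in SMALL_PRIMES:
        while n % p == 0:
            found.append(p)
            n //= p
        if p * p > n:
            break
    return found


def check_key(key: RsaDnskey) -> list:
    """Return a list of human-readable findings (empty means nothing suspicious)."""
    findings = []
    if key.n.bit_length() < 1024:
        findings.append(f"modulus only {key.n.bit_length()} bits")
    if key.e < 3 or key.e % 2 == 0:
        findings.append(f"unusual public exponent {key.e}")
    factors = small_factors(key.n)
    if factors:
        findings.append(f"modulus has small prime factors {factors}")
    return findings


# Constructed sample data (toy-sized Mersenne primes, NOT real DNSSEC keys).
P1 = 2 ** 127 - 1
P2 = 2 ** 89 - 1
E = 65537
GOOD_N = P1 * P2            # no small factors, but far too short for real use
BAD_N = 3 * 5 * 7 * P1      # the "multiple small prime factors" case
GOOD_RECORD = "example.org has DNSKEY record 257 3 8 " + base64.b64encode(
    encode_rsa_pubkey(E, GOOD_N)).decode()
BAD_RECORD = "example.org.\t3600\tIN\tDNSKEY\t256 3 8 " + base64.b64encode(
    encode_rsa_pubkey(E, BAD_N)).decode()

if __name__ == "__main__":
    for rec in (GOOD_RECORD, BAD_RECORD):
        key = parse_rsa_dnskey(rec)
        print(f"flags={key.flags} alg={key.algorithm} findings={check_key(key)}")
```

To run it over live data, pipe `host -t DNSKEY <zone>` into a loop that calls `parse_rsa_dnskey` on each line and skips non-RSA algorithms (ECDSA and EdDSA keys have a different encoding). The trial-division bound is deliberately small; it catches the corrupted-key class the post describes, not keys that are weak for more subtle reasons such as ROCA, which is what a tool like badkeys adds on top.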
